
Cisco: How to Configure NAT [Network Address Translation]

This brief tutorial shows how to configure NAT overload, that is, how to give multiple PCs on your LAN Internet access using only one public IP address. This type of NAT can easily be used at home when you have a Cisco 800 series xDSL router.


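The first step is to define the addresses that will need to be NAT’d. This is done using a standard access-list, which takes the network address followed by a wildcard (inverse) mask. Without the wildcard mask, the entry matches only the single address given:

access-list 1 permit your_lan_network wildcard_mask

Example: access-list 1 permit 192.168.1.0 0.0.0.255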

Now that we have defined the addresses that are allowed to use the NAT address, we will enable the actual NAT:

ip nat inside source list access-list-number interface interface-name overload

Example: ip nat inside source list 1 interface dialer0 overload

This command takes the addresses matched by the access-list defined in the first step and translates them to the public IP address on the named interface (e.g., serial 0, dialer 0, ethernet 1). The overload keyword specifies that multiple LAN addresses can be NAT’d to that one address. The router uses the TCP and UDP ports of the LAN hosts to map return traffic arriving at the public IP address back to the originating local host address.
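How the port-based lookup works, as an added example that is not part of the original tutorial: a simplified Python model of an overload translation table. Keeping the host's own source port when it is free and falling back to ports from 1024 upward are assumptions of this model, and 203.0.113.5 is a constructed documentation address.

```python
import itertools

class PatTable:
    """Toy model of NAT overload (PAT): many inside hosts share one public IP."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.first_port = first_port
        self.out = {}    # (proto, inside_ip, inside_port) -> public_port
        self.back = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def translate_out(self, proto, inside_ip, inside_port):
        """Outbound packet: return the (public_ip, public_port) it leaves with."""
        key = (proto, inside_ip, inside_port)
        if key not in self.out:
            # Keep the host's own source port when it is free on the public
            # address; otherwise take the next unused port for that protocol.
            port = inside_port
            if (proto, port) in self.back:
                port = next(p for p in itertools.count(self.first_port)
                            if (proto, p) not in self.back)
            self.out[key] = port
            self.back[(proto, port)] = (inside_ip, inside_port)
        return self.public_ip, self.out[key]

    def translate_in(self, proto, public_port):
        """Return packet: the inside host it belongs to, or None if no entry."""
        return self.back.get((proto, public_port))

def demo():
    nat = PatTable("203.0.113.5")
    a = nat.translate_out("tcp", "192.168.1.10", 50000)
    b = nat.translate_out("tcp", "192.168.1.11", 50000)  # same source port as a
    c = nat.translate_out("udp", "192.168.1.10", 50000)  # UDP is tracked separately
    reply = nat.translate_in("tcp", b[1])      # reply to host .11 finds its entry
    unsolicited = nat.translate_in("tcp", 7717)  # no entry: nothing to forward to
    return a, b, c, reply, unsolicited

if __name__ == "__main__":
    print(demo())
```

An inbound packet with no matching entry has no inside host to go to, which is why overload alone does not expose LAN services to the Internet.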

The last step is to tell the router which interfaces are inside and which are outside. This is achieved using the following commands:

For the inside
conf t
interface ethernet | fastethernet number
ip nat inside

For the outside (assume we are dealing with an xDSL router)
conf t
interface dialer0
ip nat outside

Now that NAT is configured, we can check which addresses are being translated by using the show ip nat translations command.
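An added example, not part of the original tutorial, that checks a configuration for the three parts of this procedure: the access list, the NAT rule, and the inside and outside interface roles. The function name and both sample configurations are constructed for illustration.

```python
import re

def check_nat_overload(config):
    """Return a list of problems found in an IOS NAT overload configuration."""
    problems, acls, nat_lists, roles, iface = [], {}, [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\d+) permit (\S+)(?: (\S+))?$", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) (.*)$", line):
            words = m[2].split()
            if words[:1] not in (["interface"], ["pool"]):
                problems.append("NAT rule needs 'interface <name>' or 'pool <name>' after the list")
            if "overload" not in words:
                problems.append("NAT rule lacks the 'overload' keyword")
            nat_lists.append(m[1])
        elif m := re.match(r"interface (.+)$", line):
            iface = m[1]                      # remember the current interface block
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and iface:
            roles[m[1]] = iface
    for num in nat_lists:
        if num not in acls:
            problems.append(f"access-list {num} is referenced but never defined")
        for addr, wildcard in acls.get(num, []):
            if wildcard is None and addr != "any":
                problems.append(f"access-list {num} permit {addr}: no wildcard mask, matches one host only")
    for role in ("inside", "outside"):
        if role not in roles:
            problems.append(f"no interface is marked 'ip nat {role}'")
    return problems

# Constructed sample: three mistakes (no wildcard, no 'interface', no outside role).
BROKEN = """\
access-list 1 permit 192.168.1.0
ip nat inside source list 1 dialer0 overload
interface fastethernet 0
 ip nat inside
"""

# Constructed sample: the complete procedure.
FIXED = """\
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface dialer0 overload
interface fastethernet 0
 ip nat inside
interface dialer0
 ip nat outside
"""

if __name__ == "__main__":
    print("\n".join(check_nat_overload(BROKEN)) or "no problems")
```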

The Conversation


  • wilson

    How can I configure the router if the ISP gives me an IP that changes every time I restart my router? I want to use port 7717 with my CPU because I have a client/server software.

    • Daniel Yuraitis

      if you go to dyn-dns.com you can sign up for one free domain name e.g. yourdomain.homeip.net or yourdomain.homelinux.com. This domain name will be mapped out to your ip address each time it changes through either a software client on your server or through your router (mine is a Speedstream router and it had an option in the gui for dyn-dns where you simply enter your dyn-dns username and password)
      Each time your IP address changes, the DNS entry for it will be updated by the client, and you will be able to access the ever-changing IP address from the outside by using the domain name.

      • Daniel Yuraitis

        sorry i meant http://www.dyndns.com/ if you go to the link i added earlier it will take you somewhere different

      • Dervil Spider

        Hello, I'm making a Grand Theft Auto San Andreas multiplayer server and I want to know how to make it public. It's up and running, but no one can see or add my server because it's not in the internet or hosted part of SAMP. I need some help; I need to get my server public so my friends can play with me. Please reply.

    • Wisedec

      1) config NAT on router like this http://wisedec.com/configuring-nat-on-cisco-routers.html
      2) sign up for one free domain name http://www.dyndns.com/
      3) Add these commands to your config
      no ip nat inside source list 1 interface fastethernet 1 overload
      ip nat inside source static 10.10.10.10 interface fastethernet 0

      where 10.10.10.10 is the address of your CPU

      • Anonymous

        config NAT on router like this http://wisedec.com/configuring-nat-on-cisco-rou
        2) sign up for one free domain name http://www.dyndns.com/
        3) Add these commands to your config
        no ip nat inside source list 1 interface fastethernet 1 overload
        ip nat inside source static 10.10.10.10 interface fastethernet 0

        where 10.10.10.10 is the address of your CPU

  • Anonymous

    Hello fellows, I have problems with my VPN + NAT. I can connect to the other side of my VPN (site to site), but my local hosts cannot get to the Internet. Can anybody help? See below for my configuration. I omitted some portions of my live IPs for obvious reasons. Please help out.

    ———————————————————————–
    Cisco Router and Security Device Manager (SDM) is installed on this device.
    This feature requires the one-time use of the username “cisco”
    with the password “cisco”. The default username and password have a privilege le
    vel of 15.

    Please change these publicly known initial credentials using SDM or the IOS CLI.

    Here are the Cisco IOS commands.

    username privilege 15 secret 0
    no username cisco

    Replace and with the username and password you want to use
    .

    For more information about SDM please follow the instructions in the QUICK START

    GUIDE for your router or go to http://www.cisco.com/go/sdm
    ———————————————————————–

    User Access Verification

    Username: Tutu
    Password:
    IKOYI#sh run
    Building configuration…

    Current configuration : 4717 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname IKO
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$I0iE$8pVL1AcDSoFbiIRp.sgv8/
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    ip cef
    !
    !
    ip domain name yourdomain.com
    ip name-server 196.207.15.42
    !
    !
    !
    crypto pki trustpoint TP-self-signed-145630655
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-145630655
    revocation-check none
    rsakeypair TP-self-signed-145630655
    !
    !
    crypto pki certificate chain TP-self-signed-145630655
    certificate self-signed 01
    quit
    username administrator privilege 15 secret 5 $1$nEox$0hYI/8hL2wG4BbmWtM55t.
    username femi privilege 15 password 0 ok femi
    username rama privilege 15 secret 5 $1$N42C$8miusbsth9k.SzizkaE520
    !
    !
    !
    crypto isakmp policy 7
    encr aes
    hash md5
    authentication pre-share
    !
    crypto isakmp policy 70
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key kamasutral address 41.219.xx.xx no-xauth
    !
    !
    crypto ipsec transform-set BUKKY esp-aes esp-sha-hmac
    !
    crypto map VPN-MAP 10 ipsec-isakmp
    set peer 41.219.xx.xx
    set transform-set BUKKY
    match address INT-TRAFFIC
    !
    !
    !
    interface FastEthernet0/0
    description LAN$ES_LAN$$ETH-LAN$
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description WAN $ETH-WAN$
    ip address 41.219.xx.xx 255.255.255.248
    ip access-group 100 out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN-MAP
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 41.219.xx.xx
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool BUK 41.219.xx.xx 41.219.xx.xx netmask 255.255.255.248
    ip nat inside source list 100 interface FastEthernet0/1 overload
    !
    ip access-list extended INT-TRAFFIC
    permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    !
    !
    control-plane
    !
    !
    banner login ^C
    ———————————————————————–
    Cisco Router and Security Device Manager (SDM) is installed on this device.
    This feature requires the one-time use of the username “cisco”
    with the password “cisco”. The default username and password have a privilege le
    vel of 15.

    Please change these publicly known initial credentials using SDM or the IOS CLI.

    Here are the Cisco IOS commands.

    username privilege 15 secret 0
    no username cisco

    Replace and with the username and password you want to use
    .

    For more information about SDM please follow the instructions in the QUICK START

    GUIDE for your router or go to http://www.cisco.com/go/sdm
    ———————————————————————–
    ^C
    !
    line con 0
    password Tutu
    login
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    password Tutu
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    IKO#

    • uk4sz

      It seems to me you forgot about the ‘ip domain lookup’ command.

  • Ogstudent

    Hi …
    I am trying to give a weight to the different NAT pools I created.
    My question is, how can I do that?

    Example idea:

    I have 3 NAT pools
       nat 1
       nat 2
       nat 3

    and I have to give a specific weight to each of the NAT pools created, say 50 20 30%.
    How is this possible?

  • abeud simiyu

    fantastic

  • bragir

    Finally, a simple description of how to set up basic NAT.
    The only problem I ran into when testing was the access-list definition; I had to use
    access-list 1 permit 192.168.1.0 0.0.0.255