Posts Tagged ‘NAT’

Basic NAT/PAT…

I ran into someone today who really didn’t understand how to set up NAT/PAT on an IOS router. Not a big deal if you don’t work with IOS routers very often, but if you intend to have a career in networking you probably should know how to set it up. So, the basic reason for NAT/PAT is to conserve public address space, meaning addresses that are routable across the internet. If you visit this site regularly you probably already know that IPv4 is being exhausted. Network Address Translation (NAT) was designed to keep IP address space exhaustion at bay while a new solution (IPv6) was developed. At any rate, I felt compelled to show a basic configuration on an IOS router. Specifically, the example below shows you how to configure Port Address Translation (PAT) on an IOS router:

NAT_Router# sh run int f0
!
! interface f0 is the "internet facing" interface
!
interface FastEthernet0
description Internet facing
ip address dhcp
ip nat outside
duplex auto
speed auto
end

NAT_Router#sh run int vlan 11
!
! interface vlan 11 is the "internal facing" interface
!
interface Vlan11
description Internal facing
ip address 192.168.1.1 255.255.255.0
ip nat inside
end

NAT_Router#sh access-list NAT_ACL
!
! this ACL tells the router what to PAT
!
Extended IP access list NAT_ACL
10 permit ip 192.168.1.0 0.0.0.255 any
NAT_Router#sh run | in ip nat
!
! this is the line that tells the router which public address/interface to use
!
ip nat inside source list NAT_ACL interface FastEthernet0 overload
!
! this line configures Port Forwarding (see the text below)
!
ip nat inside source static tcp 192.168.1.50 80 interface FastEthernet0 80
NAT_Router#

There you have it. Not challenging really. You basically have to define the inside and outside PAT interfaces, define the ACL that tells the router what to PAT, and specify the interface to PAT on (notice the “internet facing” interface gets its address via DHCP, which is why the overload line references the interface rather than a fixed public address). You may have also noticed that I have Port Forwarding configured as well. Port Forwarding takes all traffic arriving on a specific port of the “ip nat outside” interface and forwards it to a specific internal IP address. The example shows how to set up Port Forwarding for an internal web server: any web traffic (TCP port 80) that enters the “Internet facing” interface gets forwarded to 192.168.1.50. If you’re confused, feel free to leave a comment and I’ll be happy to explain.

–Tim

Patching holes…

Before I decided to start blogging, my Apache installation was SSL-aware. I decided against adding that feature while rebuilding it for my blogging purposes. So, I now have to make some changes to my router.

Why modify my router when I only upgraded my server, you ask? Well, SSL web traffic uses port 443 instead of the standard (non-encrypted) port 80. Since my web server will no longer accept port 443 connections, it’s time to modify my router config to patch these holes. Here is the line that needs to be changed:

ip nat inside source static tcp x.x.x.x 443 interface FastEthernet0 443

That line says that any traffic arriving on my FastEthernet0 interface with a destination port of 443 gets forwarded to the IP address x.x.x.x, destination port 443. This is commonly known as port forwarding. The way to remove this line in IOS is to prepend no to the line above in global config mode:

no ip nat inside source static tcp x.x.x.x 443 interface FastEthernet0 443

That takes care of the port mapping side of things, but there is still more cleanup work. I also had a named ACL configured on the internet-facing interface of my router permitting port 443 traffic. It looks something like this:

ip access-list extended FIREWALL_ACL
!
! Other ACE entries here...
!
permit tcp any any eq 443 log
permit tcp any any eq www log
!
! More ACE entries...
!

When I built this ACL, I wanted the ability to remove specific lines. Standard and extended numbered ACLs offer little flexibility during modification, so a named ACL was the natural choice. Now I only have to remove the offending line. Here are the commands:

config t
ip access-list extended FIREWALL_ACL
no permit tcp any any eq 443 log
end
wr mem

At this point, I’m all set. I’m only allowing port 80 traffic in my ACL and my unneeded port map has been removed.

-Tim
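As an added example (not part of Tim's posts or his router config): a small Python audit that cross-checks the static port-forward lines from the first post against the FIREWALL_ACL permits from the second, so that a permit left behind after a forward is removed (or a forward the ACL would block) gets flagged instead of being found by hand. The sample config is constructed from the two listings, with 192.168.1.50 standing in for x.x.x.x, and the parser assumes show running-config formatting (one command per line, ACEs under their ip access-list header).

```python
import re

# Port keywords IOS prints in place of numbers (small subset, enough for this page).
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21, "telnet": 23, "ssh": 22}

# Constructed sample stitched from both posts; the post's x.x.x.x is replaced by 192.168.1.50.
SAMPLE_CONFIG = """\
ip nat inside source list NAT_ACL interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.50 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.50 443 interface FastEthernet0 443
ip access-list extended FIREWALL_ACL
 permit tcp any any eq 443 log
 permit tcp any any eq www log
 deny ip any any log
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) \S+ \d+ interface \S+ (\d+)$", re.M)
ACE_RE = re.compile(r"^\s*(permit|deny|remark)\b")
PERMIT_RE = re.compile(r"^\s*permit (tcp|udp) any any eq (\S+)")

def port_number(token):
    """Turn an IOS port keyword ('www') or numeric string into an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def static_forwards(config):
    """Return {(proto, outside_port)} for every inbound static PAT (port forward) entry."""
    return {(proto, int(port)) for proto, port in STATIC_RE.findall(config)}

def acl_permits(config, acl_name):
    """Return {(proto, port)} from the named extended ACL's 'permit ... any any eq' entries."""
    permits, inside = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == acl_name  # enter (or leave) the block by name
        elif not ACE_RE.match(line):
            inside = False                         # any non-ACE line ends the block
        elif inside:
            m = PERMIT_RE.match(line)
            if m:
                permits.add((m.group(1), port_number(m.group(2))))
    return permits

def audit(config, acl_name="FIREWALL_ACL"):
    """acl_without_forward: permit left behind after its forward was removed (the hole the
    second post patches). forward_without_acl: mapping whose traffic the ACL would drop."""
    fwd, acl = static_forwards(config), acl_permits(config, acl_name)
    return {"acl_without_forward": acl - fwd, "forward_without_acl": fwd - acl}
```

audit(SAMPLE_CONFIG) returns two empty sets; delete the 443 static line from the sample and it reports ('tcp', 443) under acl_without_forward, which is exactly the hole the second post closes by hand.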
