NAT is known as the technology that is helping IPv4 hold on for dear life. It works by translating private IP addresses to internet-routable addresses, since private IP addresses are not routable on the internet. IPv4 has three classes (address blocks) of private IP addresses, and you can find more detail about them in RFC 1918. These private IPv4 addresses are typically used for internal devices like your servers, PCs, laptops, tablets, cell phones, printers, etc. For these devices to access the internet, their addresses have to be translated to routable addresses before the traffic can be processed on the internet.
This post will take a ten-thousand foot view of how to configure NAT for a small office with a single exit point to the internet. This is a typical setup, and is mostly done with ADSL connections to an ISP, yet we love Cisco and will use commands for a Cisco 3725 router for the heck of it. Note that the commands may differ on other model/series devices, but the concept will be the same.
There is some terminology that you should know when talking about NAT:
- Inside Local: typically the private IP you want to translate
- Inside Global: the address that is routable on the internet and is authorized to be used by you
- Outside Local: the target host you are trying to reach (e.g. browsing to google.com makes Google's IP address your target)
- Outside Global: the address the target host will use when replying to your initial request
Setting up NAT for
your internal network requires a few steps but we'll take a 1000 foot view
here:
- First, define which interfaces will be connected to the inside and outside of your network
- Typically the LAN interface is inside and the internet facing interface is outside (implied for security reasons)
- You will need to identify which traffic should be subject to the NAT policy using an ACL or route-map (Inside local addresses)
- You also need to identify which interface or pool of addresses will be your NAT IP (Inside Global address)
This procedure
requires some planning and understanding. Yet once you have all the info you
need documented/illustrated you then head to the command line to get the job
done:
#### the following command enters global configuration mode, which allows you to do the configs for NAT ####
!
config t
!
!
#### the following configures the internal interface and sets it as the inside NAT interface ####
!
interface fa0/0
description FE TO PC1
ip address 10.0.1.1 255.255.255.0
ip nat inside
no shut
exit
!
!
#### the following configures the outside interface and sets it as the outside NAT interface ####
!
interface s1/0
description SERIAL TO INTERNET
ip address x.x.x.1 255.255.255.252
ip nat outside
no shut
exit
!
!
#### the following ACL identifies what traffic will be subjected to the NAT policy ####
!
ip access-list extended NAT_LIST
permit ip 10.0.1.0 0.0.0.255 any
exit
!
!
#### the following command globally enables the NAT policy and specifies the outgoing interface (Inside Global) ####
#### the OVERLOAD keyword at the end tells the router to enable Port Address Translation (PAT) (for multiple devices) ####
!
ip nat inside source list NAT_LIST interface s1/0 OVERLOAD
!
#### the following command gives the router a default route, which will be needed for unknown targets/destinations ####
!
ip route 0.0.0.0 0.0.0.0 x.x.x.2
!
With all
configurations done correctly your internal network will be able to reach the
internet using the routable IP address (inside global).
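As an added check that is not part of the original post: the Python below emulates the IOS first-match wildcard-mask logic of the NAT_LIST ACL and flags any inside host that sits in an RFC 1918 block but would not be translated (such a host cannot reach the internet, and its packets would leave s1/0 with an unroutable source). The sample ACL is constructed; it takes the page's NAT_LIST and adds a hypothetical deny entry for 10.0.1.0/25 to show that entry order matters.

```python
import ipaddress

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def wildcard_match(ip, network, wildcard):
    """IOS-style ACL match: a 1 bit in the wildcard mask means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(network)) & care)

def parse_acl(config_text):
    """Collect (action, network, wildcard) from 'permit/deny ip <src> ...' lines of a named ACL."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        if t[2] == "any":
            src = ("0.0.0.0", "255.255.255.255")
        elif t[2] == "host":
            src = (t[3], "0.0.0.0")
        else:
            src = (t[2], t[3])
        entries.append((t[0],) + src)
    return entries

def nat_decision(src_ip, entries):
    """First matching entry wins, as on IOS; running off the end is an implicit deny."""
    for action, net, wc in entries:
        if wildcard_match(src_ip, net, wc):
            if action == "permit":
                return "translate"
            break
    # A private source that is not translated would leave with an unroutable address.
    return "private-not-translated" if is_rfc1918(src_ip) else "no-translation"

# Constructed sample (hypothetical): the page's NAT_LIST plus a deny for 10.0.1.0/25.
SAMPLE_ACL = """ip access-list extended NAT_LIST
 deny ip 10.0.1.0 0.0.0.127 any
 permit ip 10.0.1.0 0.0.0.255 any
"""

def audit(hosts, config_text=SAMPLE_ACL):
    """Map each candidate inside-local address to what the NAT policy would do with it."""
    entries = parse_acl(config_text)
    return {h: nat_decision(h, entries) for h in hosts}
```

Run `audit` over your documented inside-local addresses before pushing the config; anything reported as private-not-translated is a host the NAT_LIST forgot.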
Thanks....