NAT configuration for router on a stick - small business

rival9217
Level 1

I was going to include this in my other discussions but decided against it as I have marked them as answered and wanted to avoid any confusion.

In short, I wanted to know step by step (command-wise) how to NAT router on a stick for a small business (with a windows server for DHCP and DNS) - internet access is the only thing users will need - there will be no connecting networks or anything.

I don't know if the ISP is suppose to give you any additional IP's or not and again, I do know the commands for NAT but I was just hoping someone would know off the top of their head on how this is done and what the commands to be entered are.

Accepted Solution

So after a little digging on this site I think I found what I was looking for. I'm actually surprised at the amount of friends/co-workers I have in the IT field who have never configured NAT overload (PAT) on a CISCO ASA before (because they are much smarter than me when it comes to networking, I was just a little surprised).

First, I found out that the ISP will completely work with you on how you want the setup to be - meaning, if you want them to provide DHCP for you or not. The reason I mention this is because for a small business, I would prefer to have a Windows server manage the DHCP and DNS (with the DNS addresses of course coming from the ISP as well). I know the router could run DHCP and DNS but for a small business I would prefer to have a server manage it.

The static route to be set would have to be for the ISP router. THIS is the address that I would use for the default gateway on my server as well, so in short I would run the following command on my router to set the default route:

ip route 0.0.0.0 0.0.0.0 2.2.2.1 (with 2.2.2.1 being the ISP router) OR I would simply set the "default gateway" with the ISP's IP.

From there, I could proceed to NAT overload (PAT) by doing the following (note: I retrieved all the following info from this article online: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html)

Set the fast ethernet 0/0 interface as the inside interface:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

Next step is to set the serial interface S0/0 as the outside interface:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

Now we need to create an Access Control List (ACL) that will include local (private) hosts or network(s). This ACL will later on be applied to the NAT service command, effectively controlling the hosts that will be able to access the Internet. You can use standard or extended access lists depending on your requirements:

R1(config)# access-list 100 remark == [Control NAT Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination. Note that Cisco router standard and extended ACLs always use wildcards (0.0.0.255).

All that's left now is to enable NAT overload and bind it to the outside interface previously selected:

R1(config)# ip nat inside source list 100 interface serial 0/0 overload

From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network access to the Internet. AND THAT'S IT!!

Now, I will have to learn how to use an additional firewall if I don't intend to use an ASA for the setup (All the above is done on a standard router) but that's going to have to be something I need to look into, I also know the commands for setting up PAT on an ASA.

-------------------------------------------------------------

The following is additional info relating to how to look into the way your PAT setup is working:

Verifying NAT Overload operation

Viewing the NAT translation table can sometimes reveal a lot of important information on your network's activity. Here you'll be able to identify traffic that's not supposed to be routed to the Internet or traffic that seems suspicious.

As packets start traversing the router it will gradually build up its NAT/PAT translation table as shown below:

R1# show ip nat translations
Pro Inside global           Inside local            Outside local         Outside global
udp 200.2.2.1:53427  192.168.0.6:53427      74.200.84.4:53        74.200.84.4:53
udp 200.2.2.1:53427  192.168.0.6:53427      195.170.0.1:53        195.170.0.1:53
tcp 200.2.2.1:53638   192.168.0.6:53638      64.233.189.99:80    64.233.189.99:80
tcp 200.2.2.1:57585   192.168.0.7:57585      69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:57586   192.168.0.7:57586      69.65.106.48:110    69.65.106.48:110

As shown, the first 2 translations directed to 74.200.84.4 & 195.170.0.1 are DNS requests from internal host 192.168.0.6. The third entry seems to be an http request to a web server with IP address 64.233.189.99.

Looking at the fourth and fifth translation entry, you should identify them as pop3 requests to an external server, possibly generated by an email client.

Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.

Another point you might want to keep in mind is that when we use programs that create a lot of connections, e.g. uTorrent, Limewire, etc., you might see sluggish performance from the router as it tries to keep up with all connections. Having thousands of connections running through the router can put some serious stress on the CPU.

In these cases, we might need to clear the IP NAT table completely to free up resources.
This is easily done using the following command:

R1# clear ip nat translation *

Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:

R1# show ip nat translations
Pro Inside global           Inside local            Outside local         Outside global

Lastly, you can obtain statistics on the overload NAT service. This will show you the amount of current translations tracked by our NAT table, plus a lot more:

R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
Serial 0/0
Inside interfaces:
FastEthernet0/0
Hits: 163134904 Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 100 interface serial 0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0

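The ACL in the accepted solution decides which inside hosts get translated at all, so with three VLAN sub-interfaces each subnet needs its own entry. The following is an added example, not code from the post or from the firewall.cx article: it evaluates IOS-style wildcard-mask entries top-down with the implicit deny, and the VLAN subnets other than 192.168.0.0/24 are assumptions.

```python
import ipaddress

# Constructed NAT ACL in the style of "access-list 100 permit ip <net> <wildcard> any".
# IOS evaluates entries top-down, first match wins, and an implicit "deny any" sits
# at the end. Only the first entry comes from the post; the others are assumed VLANs.
NAT_ACL = [
    ("permit", "192.168.0.0", "0.0.0.255"),   # server VLAN (from the post)
    ("permit", "192.168.10.0", "0.0.0.255"),  # assumed PC VLAN
    ("deny",   "192.168.20.0", "0.0.0.255"),  # assumed printer VLAN: no translation
]

def wildcard_match(host: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    h = int(ipaddress.IPv4Address(host))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((h ^ n) & ~w & 0xFFFFFFFF) == 0

def nat_decision(host: str, acl=NAT_ACL) -> str:
    """'permit' means the host is translated; 'deny' means it is NOT translated.
    Note: a deny in a NAT ACL does not block the packet. It is still routed with its
    private source address (and dropped somewhere upstream); use an interface ACL
    if the intent is to block the VLAN rather than just leave it untranslated."""
    for action, network, wildcard in acl:
        if wildcard_match(host, network, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def untranslated_hosts(hosts, acl=NAT_ACL):
    """Audit helper: inside hosts that would not be covered by the NAT ACL."""
    return [h for h in hosts if nat_decision(h, acl) != "permit"]

if __name__ == "__main__":
    # Constructed inside hosts, one per assumed VLAN plus one stray subnet.
    print(untranslated_hosts(["192.168.0.6", "192.168.10.4", "192.168.20.5", "192.168.30.1"]))
```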
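The post suggests reading the translation table to spot traffic that should not be leaving the network and hosts that open thousands of connections. As an added example (not from the post or the firewall.cx article), here is a small parser for the "show ip nat translations" layout shown above that flags translations toward unexpected destination ports and counts active entries per inside host; the sample rows and the expected-port list are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show ip nat translations" quoted above;
# the last two rows are invented so the checks below have something to flag.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 200.2.2.1:53427    192.168.0.6:53427  74.200.84.4:53     74.200.84.4:53
tcp 200.2.2.1:53638    192.168.0.6:53638  64.233.189.99:80   64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:61001    192.168.0.9:61001  203.0.113.7:445    203.0.113.7:445
tcp 200.2.2.1:61002    192.168.0.9:61002  203.0.113.7:6881   203.0.113.7:6881
"""

# Destination ports a small office is expected to reach through PAT (assumed list).
EXPECTED_PORTS = {25: "smtp", 53: "dns", 80: "http", 110: "pop3", 443: "https", 993: "imaps"}

# One extended (port-carrying) tcp/udp row; the header and rows without ports are skipped.
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def parse_translations(text):
    """Return one dict per translation row of the show-command output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"proto": m.group(1),
                         "inside_local": m.group(4), "inside_port": int(m.group(5)),
                         "outside_global": m.group(8), "outside_port": int(m.group(9))})
    return rows

def suspicious(rows, expected=EXPECTED_PORTS):
    """(inside host, destination, port) for every translation to a port not in the list."""
    return [(r["inside_local"], r["outside_global"], r["outside_port"])
            for r in rows if r["outside_port"] not in expected]

def per_host_counts(rows):
    """Active translations per inside host; one host with thousands of entries is the
    CPU-stress case the post describes, or a host worth a closer look."""
    return Counter(r["inside_local"] for r in rows)

if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    for host, dest, port in suspicious(rows):
        print(f"unexpected: {host} -> {dest}:{port}")
    print(per_host_counts(rows).most_common(3))
```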

Peter Paluch
Cisco Employee

Hello,

Can you please explain more closely what you mean by NAT router on a stick? Do you want the router to perform inter-VLAN routing and NAT on top of it, or do you want to do a NAT configuration in which a single interface is both inside and outside?

A very simple diagram of your topology explaining where the inside networks are and where the WAN interface is would be extremely helpful.

Best regards,
Peter


Please explain the difference - I'm guessing I want it on a single interface as I will have 3 sub-interfaces - now if by "interface" you DO mean a sub-interface, then no, I want all 3 sub-interfaces I setup to be able to reach the internet.

My topology is as simple as: a router (ASA) hooked up to the demarc point that is connected to a trunk port on a switch and has 3 sub-interfaces going out one physical interface to 3 separate VLANs on a switch: 1 server on one of the VLANs (my DHCP and DNS server), 10 PCs on another VLAN, & 2 printers on the 3rd VLAN. I simply just want outside internet access available throughout the entire network.

Also, would PAT need to be used at all?

If you need more info let me know.

Hi,

So if I am reading you correctly, your topology is something like this?

Switch with 3 VLANs <-- trunk --> ASA <---> WAN

Is there no standalone router there? Is the ASA the only box performing routing?

If so, what ASA OS version are you running?

Best regards,
Peter

No standalone router - ASA is the only router to be used.

Version: ASA5510 Firewall cluster currently at ios version 8.2.4


Hi,

Thanks for sharing your solution with us!

Yes, I can confirm myself that I do not lay my hands at ASA boxes if not absolutely necessary. There's something strange about them - their config line is rather clumsy, NAT/PAT configuration is cumbersome, their default behavior as to allowed/disallowed packet flows was never quite clear to me even after trying to wrap my head around the available docs. I appreciate therefore that you have shared the guide with us here.

Best regards,
Peter