Simple Cisco NAT Concepts – Nat Pools and Static Nat —

I thought I’d go over these two concepts really quickly.

NAT Pools – When you are overloading a single IP, the truth is that you are using the ports available on that IP to send and recieve traffic and that’s translating to IP’s on the inside.

Once you have even a few pc’s you can see from the translation table that many many ports are used, and while these connections tend to get torn down quickly, it’s still quite possible to run out. It really just depends on how many active clients you have to nat.

To overcome this, you can create a pool of external IP’s to overload. The router will simply move to the next IP when the first has too many ports full.

Lets use the same lab as our last NAT example. NATLAB01

Router0 is using as it’s interface. It’s gateway is, which is on Router1.

If we are using that same lab.. we need to remove the nat command we issued earlier.

WORKRTR(config)#no ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload

if you have active connections you will be asked to kill those connections, and nat will of course.. stop.

to nat overload, first we need to create a nat pool. In this example, I want to make ip’s thru available in my pool.

WORKRTR(config)#ip nat pool OUTSIDE_PUBLIC netmask

and now we simply create our nat using the same ACL we made in our last example.

WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES pool OUTSIDE_PUBLIC overload

We can now see in in the translations tables the nats being created.

WORKRTR#sho ip nat translations
Pro Inside global Inside local Outside local Outside global

I can’t really create the traffic in my lab to make this jump to the next IP however 😀

Static Nat

This is also really useful to you, if you have an IP that it’s internal and you want to map that IP completley 1 to 1 to another ip on the other side of the router (publicly, for example) you may follow the next example to accomplish this.

In our diagram you see on the Inside a Server which is IP and we want to make this server publicly available as On our router we as seen before specify on the interface which is inside and which is outside. And then we pass the following command:

WORKRTR(config)#ip nat inside source static

Now on our other server on the outside we can test access via ping.


Pinging with 32 bytes of data:

Reply from bytes=32 time=1ms TTL=126
Reply from bytes=32 time=0ms TTL=126
Reply from bytes=32 time=11ms TTL=126
Reply from bytes=32 time=12ms TTL=126

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 12ms, Average = 6ms

Also if you wanted to only do certain ports, for example, just port 80, you can do so in this way:

WORKRTR(config)#ip nat inside source static tcp 80 80

Or perhaps I wanted to send traffic that would normally go to port 3389 to some wild port so that it would mitigate an attack directed towards rdp:

WORKRTR(config)#ip nat inside source static tcp 3389 12658

Simple Cisco NAT Concepts – Nat Overload —

Hey howdy. Yeah another one of these.. This is sort of a quick Natting guide for Cisco Routers.

In the Cisco world you have 3 basic types of NAT, Static, Dynamic and Overload. Obviously these are more for me than you 😀 and you should look to cisco for documentation.

Nat Overload – this you are familiar with, and the concept is easy, if you are given a small or a single public IP and you want to use NAT to allow access to the public internet from your local IPs that are not public addresses, you can generally accomplish this with NAT Overload.

To accomplish this we start with identifying which interface is “inside” and which is “outside” on our router.

Here is my diagram I made:


The blue on the left is the “inside” (int gi0/0) and the right is considered “outside” (int gi0/1) and our router0 is considered your gateway to the internet. The other Router in play here is merely to simulate the internet. I’ve placed a webserver behind it, and that server is also running DNS.

On Router 0 we need to configure the interfaces as Inside or Outside.

WORKRTR#conf t
WORKRTR(config)#int gi 0/0
WORKRTR(config-if)#ip nat inside
WORKRTR(config)#int gi 0/1
WORKRTR(config-if)#ip nat outside

Now we need to create a Standard Access List to specify which IP ranges we want to allow from the “inside”.

WORKRTR(config)#ip access-list standard INSIDE_NAT_ADDRESSES

We now use that access list with the following command to start the process.

WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload

We can check our work from the router

WORKRTR#sho ip nat translations
Pro Inside global Inside local Outside local Outside global

And one of the PC’s

Pinging with 32 bytes of data:
Reply from bytes=32 time=0ms TTL=126
Reply from bytes=32 time=0ms TTL=126
Reply from bytes=32 time=0ms TTL=126
Reply from bytes=32 time=0ms TTL=126

Cisco Extended ACL’s —

I used to be mystified by Access Lists on Cisco devices.. but I’m feeling pretty comfy with them now.

Essentially an Access Lists is a Matching Filter List. It’s got two options, Permit and Deny.

Here is my Lab. It’s actually similar to something I’m already working on but the names have been changed to protect the innocent.

I have 3 VLANS, 85, 86 and 87. The vlans I do not want talking to each other, except for a single Server on 85 I want 86 to see.


Access lists are actually really easy to set up. First you configure, then you apply to an interface, and you specify in what directions you want to match your traffic to the ACL, either in or out.

Lets start with our configuration with VLAN 86.

I’ve made interfaces on the router for each vlan, and while i could have made a trunk and some sub interfaces I didn’t bother here, since it’s a lab.

ROUTER#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 YES manual up up
GigabitEthernet0/1 YES manual up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset up down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up down
Vlan1 unassigned YES unset administratively down down
Vlan85 unassigned YES unset down down
Vlan87 YES manual up up

I’ve made some vlans on the switch and have applied static IPs to the various workstations and a single server.

The goal is to not allow traffic from any vlan to any other vlan, except for a single server.

ACL’s are processed from the top down, and once packets meet any criteria as they are processed thru the list they are sent along according to the rule they matched. So as an example. If sequence 5 tells the router to allow packets from to reach network then those are allowed if the next sequence tells it to deny from which would match up with the rest of the source IPs on that subnet.  Also.. if you had those sequences switched this rule would be ignored.

To create an access list first you configure and then you apply.

Lets start with VLAN 87.

We simply want to block any IP from from reaching any address or address.

on our cli we need to start with giving the acl a name, and specifying that it’s an extended list.

Router(config)#ip access-list extended VLAN87

Note, if you start putting in rules with no sequence number, you will simply start at 10 and then increment to the next 10, so 10, 20, so on.

However, if you specify the sequence number first, you can choose where your entry lands on your list. I personally like separating them to give me room for later changes.

The command is simple, it’s
Sequence# – the numbers are always observed as 10, 20, 30 and so one in increments of 10, but if you put one in as 31 then it will become 40 and 40 will move down.
deny or allow
protocol, ip means everything.. otherwise port number or name if it’s recognized.
Source IP network or host or any
Destination network or host or any

It’s also work noting that the item that looks like a subnet there is actually wildcard bits, which.. is a curve, but you will learn fast, essentially if it changes how many bits can change.

Router(config-ext-nacl)#10 deny ip
Router(config-ext-nacl)#20 deny ip
Router(config-ext-nacl)#30 permit ip any any

Note that I’ve placed an “any any” at the end. If your access list is only made of denials, it will simply deny everything because of the explicit and hidden “deny deny” that is at the end. If you only need to allow certain address then please of course do that.

Once completed we can see it and my two other ACL’s I’ve created:

Router(config)#do sho ip access-lists
Extended IP access list VLAN86
10 permit ip host
20 deny ip
30 deny ip
40 permit ip any any
Extended IP access list VLAN87
10 deny ip
20 deny ip
30 permit ip any any
Extended IP access list VLAN85
10 permit ip host any
20 deny ip
30 deny ip
40 permit ip any any

Now we need to apply the ACL’s to our interfaces. You have to specify whether or not this filter should be applied on an interface on traffic that the router is sending to (out) or receiving from (in) other devices.

This is how we apply the VLAN86 acl to int gi0/1

Router(config)#int gi 0/1
Router(config-if)#ip access-group VLAN86 in

We repeat as necessary for our other ACL’s