Configuring NAT Using Cisco SDM
Objective:
- Configure NAT for given network requirements using SDM
Cisco gives you plenty of flexibility when setting up NAT on a Cisco router. Now, anytime you are reading technical documentation and come across the word “flexibility,” your mind should naturally translate this to “complexity.” Thankfully, Cisco hid many of the configuration details behind the beautiful SDM interface.
TIP
For the ICND1 exam, Cisco expects you to be able to configure NAT using the Cisco Security Device Manager (SDM) graphic interface. For the ICND2 and CCNA exams, Cisco expects you to be able to configure NAT using the command-line interface.
Configuring NAT Overload
NAT overload (also known as PAT) is required for just about any business that provides Internet access to its internal users. As discussed previously, this version of NAT allows you to share (overload) a single public IP address among many internal private IP addresses. Because of its common use, Cisco categorizes this as Basic NAT in the SDM interface. However, if you see the command-line equivalent to the Basic NAT overload configuration, you’ll realize it’s anything but “basic”! When we’re done with the SDM, I’ll show you the commands it generated as a “sneak peek” at the ICND2 exam.
To access the NAT configuration window in the SDM, click the Configure link and choose NAT from the Tasks sidebar. The window shown in Figure 20.5 appears. To configure NAT overload, choose the Basic NAT radio button and click the Launch the selected task button. After the initial introductory screen, you’re asked to select the outside and inside interfaces for NAT, as shown in Figure 20.6. The interface you select in the dropdown box should connect to your ISP.
In this example, the Ethernet 1/0 interface connects to a local ISP. The range of IP addresses that you select using the checkbox represents internal IP address ranges. In this example, our internal network is represented by 172.30.2.0 to 172.30.2.255. If I were to translate the options shown in Figure 20.6 into a simple English statement, I would say, “Use NAT overload to translate any internal IP address starting with 172.30.2 to whatever IP address is assigned to the Ethernet 1/0 interface.”
As soon as you click the Next button, you’re done. Seriously! That’s how simple Cisco makes the NAT overload configuration using the SDM GUI. The last thing you’ll see is a summary screen verifying the options you’ve selected, as shown in Figure 20.7. When you click Finish, SDM delivers the configuration commands to the router, and your network should be NAT-enabled.
I know you’re thinking, “That was way too easy.” Me too. Let’s take a quick look at some select pieces of the running configuration just to make sure we really know what is happening behind the scenes:
NAT_ROUTER#show run
Building configuration...
Current configuration : 1160 bytes
!
interface FastEthernet0/0
 ip address 172.30.2.77 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 ip address 68.110.171.98 255.255.255.224
 ip nat outside
The first thing you’ll notice is the ip nat inside and ip nat outside commands under the FastEthernet0/0 and Ethernet1/0 interfaces. The function of these commands is simple. They tell the router what interface connects to the outside world (your ISP) and what interface(s) connect to the inside world (your internal network). Keep in mind that you can have multiple inside interfaces without any difficulty. Having multiple outside interfaces can cause the router some confusion (which is why the Cisco SDM allows you to elect only a single outside interface). Let’s move on a little further in the running configuration:
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.30.2.0 0.0.0.255
!
ip nat inside source list 1 interface Ethernet1/0 overload
These commands are what I consider the “power commands” of NAT. Here’s the idea: the first section represents an access list that allows the Cisco router to identify the internal network IP addresses (172.30.2.0/24 in this case). The access list is then utilized in the nat command below it. That one command is what puts this whole configuration in motion. The best way to understand that command is to imagine it as a conversation between you and the router. Trust me— the more you configure Cisco routers, the more conversations like this you will have:
You: I want to do NAT (ip nat).
Router: That’s nice. Where would you like to NAT from?
You: The inside of my network to the outside (inside).
Router: Which inside addresses should I translate?
You: The ones matched by access list 1 (source list 1).
Router: Great! What interface would you like to use for the outside IP address?
You: I’d like to use Ethernet1/0 (interface Ethernet1/0).
Router: How would you like to use it?
You: I’d like all internal IP addresses to share the single IP address on Ethernet 1/0 (overload).
That’s the story! As the router puts these commands into action, all users in the 172.30.2.0/24 range are provided with Internet access.
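As an added check (not part of the original walkthrough), these are the commands I would run on NAT_ROUTER to confirm that the configuration SDM delivered is actually translating. The interface names and addresses are the ones from the running configuration above; no output is reproduced here because none was captured from this router, but the comments say what to look for.

```cisco
! Added verification commands, not generated by SDM.
!
! 1. Both interface roles must be present or nothing is translated. The
!    statistics header lists "Inside interfaces: FastEthernet0/0" and
!    "Outside interfaces: Ethernet1/0"; a missing role is the most common
!    reason a fresh NAT configuration passes no traffic.
NAT_ROUTER#show ip nat statistics
!
! 2. Send traffic from an inside host (ping or browse), then list the live
!    entries. With overload, every line should carry the one Ethernet1/0
!    address, 68.110.171.98, as the Inside global, each with its own port.
NAT_ROUTER#show ip nat translations
!
! 3. Watch entries being created, one line per translated packet. Turn it
!    off again before leaving; on a busy router this floods the console.
NAT_ROUTER#debug ip nat
NAT_ROUTER#undebug all
!
! 4. After editing access-list 1 or the overload line, flush the dynamic
!    entries so they are rebuilt under the new rules.
NAT_ROUTER#clear ip nat translation *
```

If step 1 shows the right interfaces but step 2 stays empty after generating traffic, check that the inside host's default gateway is the FastEthernet0/0 address and that access-list 1 actually matches its subnet.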
NOTE
Keep in mind that this is an introductory explanation of the NAT syntax. This configuration is discussed fully in Chapter 21, “Command-Line NAT Implementation.”
Providing Internet access to the company through NAT overload is just one piece of the networking puzzle. Most companies have internal servers that need not only access to the Internet but access from the Internet. These are typically email servers, web servers, or FTP servers, to name just a few. As a side effect, NAT overload gives you something like a natural firewall between you and the Internet: private addresses are not routable on the Internet, and the router drops any inbound packet for which it holds no translation entry, so hosts on your internal network cannot be reached from the outside world unless they started the conversation.
NOTE
Don’t get a false sense of security by running NAT! Although NAT does keep your internal network from being reached directly from the Internet, it is not a substitute for a firewall. If one of the hosts on your internal network becomes infected with a virus or worm, it can initiate connections through the NAT gateway, and the router then allows the return traffic (which could potentially be malicious) back into your network. Every static mapping you add later in this chapter also punches a deliberate hole in that protection, so publish only the ports a server really needs.
The problem with this natural firewall is that it also makes your internal servers unreachable from the Internet. To solve this, we can use static NAT mappings. The SDM gives you a couple of methods of setting up NAT mappings: configuring the mappings at the same time as NAT overload (using the Advanced NAT selection on the Create NAT Configuration tab) or adding them individually from the Edit NAT Configuration tab. We’ll talk about both methods here, starting with the Advanced NAT selection.
Advanced NAT Wizard
The Advanced NAT configuration wizard, shown in Figure 20.8, is most useful when you are setting up NAT overload and static NAT mappings at the same time. This section assumes that you did not work through the Basic NAT wizard previously (although the Advanced NAT wizard will still function if you previously completed the Basic NAT wizard).
To start the Advanced NAT wizard, simply select its radio button and click the Launch the selected task button. After you see the introductory page, the wizard asks you to identify the interface connected to your ISP, just as it did in the Basic NAT wizard. However, at this point you start to see something different: the wizard also asks if you are using any additional public IP addresses, as shown in Figure 20.9. Many organizations that run their own internal servers purchase additional, dedicated IP addresses for those servers.
If your organization is using more IP addresses than what is assigned to the outside interface of your router, click the Add button and enter them one by one. If you do not have additional IP addresses, don’t worry! We can do some really great stuff with the one IP address assigned to your router’s outside interface (we’ll talk about that in just a moment). In Figure 20.9, I have added the IP addresses 200.1.1.1 and 200.1.1.2 so that I can use them later in the configuration. We’ll assume that our “virtual company” owns these two IP addresses.
After clicking the Next button, you’re prompted to identify networks that connect to your internal network. In our case, we already went through the Basic NAT wizard and performed this step. Thankfully, Cisco SDM is smart enough to pick up on this and label the previously selected ranges as Designated, as shown in Figure 20.10. You can add ranges of IP addresses that are not listed by using the Add Networks button.
After clicking the Next button, we come to the window allowing us to configure our static NAT mappings. This is where the real action happens. We are initially given a blank window showing public-to-private IP address mappings. After you click the Add button, the Add Address Translation Rule window appears, as shown in Figure 20.11.
From here, we can make our static NAT mappings. The simplest way to do this is to translate a single public IP address to a single private IP address. To accomplish this, you can type in the private IP address you would like to use and select the public IP address from the dropdown box, as shown in Figure 20.12.
In Figure 20.12, I am planning on mapping the internal IP address 172.30.2.50 to the public IP address 200.1.1.1. However, before I do, I want you to notice the other option that is available: IP address of Ethernet1/0. If your organization has only a single IP address and that IP address is assigned to the router’s outside interface, this selection allows you to use that IP address and map it to internal servers on your network. There are some restrictions when doing this, but we’ll talk about those in just a moment. For now, I’ll click the OK button, and the public-to-private mapping is made, as shown in Figure 20.13.
I want to make a key statement at this point: based on what I have just done, the full public IP address 200.1.1.1 is mapped to the private IP address 172.30.2.50. This means that if someone on the Internet accesses 200.1.1.1 on TCP port 80 (HTTP), that request is forwarded to 172.30.2.50 on TCP port 80. Likewise, if someone on the Internet accesses 200.1.1.1 on TCP port 21 (FTP), that request is forwarded to 172.30.2.50 on TCP port 21. It is a full mapping between the public address 200.1.1.1 and the private address 172.30.2.50: every port the server listens on, TCP or UDP, is now reachable from the Internet, whether or not you intended to publish it. Next, in contrast to a full mapping, I will configure a specific NAT port mapping.
Port mappings allow you to map individual ports on public IP addresses to individual ports on private IP addresses. This allows you to use each public IP address to its maximum potential. For example, my company might have an internal email server (which needs at least TCP port 25), an internal web server (needing at least TCP port 80), and an internal FTP server (needing at least TCP port 21). However, at this time my company has only a single public IP address of 200.1.1.2 (pretend that you never saw the other 200.1.1.1 IP address I just configured). I could use single-port mappings to map 200.1.1.2 TCP port 25 to the email server, 200.1.1.2 TCP port 80 to the web server, and 200.1.1.2 TCP port 21 to the FTP server! All with just one public IP address.
Here’s how we can make it happen: Click the Add button to create a new NAT mapping. Just like before, enter the private IP address you’d like to map, and choose a public IP address from the drop-down menu. In this case, I’ll use 172.30.2.10 as the internal email server and 200.1.1.2 as the public IP address (my final configuration window is shown in Figure 20.10). This time, we’ll specify the service in the Additional Information section. Thankfully, Cisco SDM is so amazing that it already has a prebuilt mapping just for email servers! All I need to do is choose E-mail server from the Type of Server drop-down, as shown in Figure 20.14.
The wizard also gives me the option to use an alternative port for receiving email. If my server is not using the standard TCP port 25 (SMTP) for receiving email, I can enter that here. Otherwise, I just need to click OK, and I’m good to go. The final mapping is displayed in the Advanced NAT wizard window, shown in Figure 20.15. Notice that port 25 is designated next to the public and private IP address. This is just a port mapping rather than a full IP address mapping.
NOTE
The Cisco router supports only individual NAT port mappings for the IP address assigned to the outside interface. You cannot fully map the outside interface IP address to an internal server because it is partially used for communication by the Cisco router.
We can now perform another two port mappings on the same 200.1.1.2 IP address, reusing it for the web and FTP servers. The Cisco SDM has built in Web Server selection under the Type of Server drop-down (just as it did for the email server previously). Rather than wasting space showing that configuration, let me show you something more interesting: the FTP server mapping. Again, I’ll click the Add button to create a new mapping.
I’ll map the public IP address 200.1.1.2 to the internal FTP server address 172.30.2.11. This time, I’ll choose Other under the Type of Server drop-down box (the Cisco SDM doesn’t have a prebuilt FTP server mapping—yet). If you look at Figure 20.16, you’ll notice that the SDM interface now gives us the opportunity to enter a value for the Original Port (received on the public IP address) and a value for the Translated Port (received on the private IP address). Most of the time, these values are the same, as shown in Figure 20.16. Now, when 200.1.1.2 receives a request on TCP port 21, it translates it to 172.30.2.11 on TCP port 21.
You could also perform port redirection by specifying a different port in either the Original Port or Translated Port fields. For example, if I entered 2100 in the Original Port field and kept 21 in the Translated Port field, the router would redirect (translate) requests received on 200.1.1.2 TCP port 2100 to 172.30.2.11 TCP port 21. You might be thinking, “Why on Earth would someone do this?!” There are plenty of reasons. Perhaps the network administrator did not want to use the well-known port number TCP 21 for the FTP server for security reasons (keep in mind that a nonstandard port only hides the service from casual probes; a port scan still finds it, so treat this as obscurity, not protection).
It could also be that port 21 on 200.1.1.2 was already used for another FTP server. Using TCP port 2100 would now allow you to run two FTP servers off a single public IP address! It doesn’t get much better than that! Well, I suppose it could. Because 65,535 TCP ports are defined, we could theoretically run 65,535 FTP servers off a single IP address. Now we’re talkin’! One caveat specific to FTP: the protocol opens a separate data connection, and the router’s NAT inspection of FTP watches for the control channel on TCP port 21 by default, so an FTP server published on a nonstandard outside port may need that inspection pointed at the new port before file transfers work through NAT.
NOTE
I (Jeremy) use this port redirection feature quite a bit for Microsoft’s Remote Desktop Protocol (RDP). At my office, I have five servers running that I often need to access no matter where I am in the world. The RDP protocol allows me to access the desktop as if I were sitting directly at the server console. By default, RDP uses TCP port 3389. If I were to use only this port, it would require five public IP addresses to access each server. Instead, I set up the following port mappings:
- Public IP:3389 → Primary Server:3389
- Public IP:3390 → Email Server:3389
- Public IP:3391 → CallManager Server:3389
- Public IP:3392 → DNS Server:3389
- Public IP:3393 → FTP Server:3389
By doing this, I can use just a single IP address, yet access any server using RDP just by specifying a different port number.
Take a look at Figure 20.17 for a final view of all our NAT mappings, including the web server. After we click the Next button, we see a configuration summary screen showing all the mappings we’ve set up. Click Finish to end the Advanced NAT wizard and deliver the configuration to the router.
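Since the CLI is where the SDM wizard ends up anyway, here is the command-line equivalent of the static mappings built in this wizard (and of the RDP-style redirection from the note above), as an added example rather than the exact configuration text SDM delivered for the figures. The addresses are the ones used throughout the section; the RDP host 172.30.2.20 and its 3390-to-3389 mapping are an assumption added to show the form that uses the outside interface’s own address.

```cisco
! Added example: CLI form of the Advanced NAT wizard mappings.
!
! Full one-to-one mapping: every port on 200.1.1.1 reaches 172.30.2.50.
ip nat inside source static 172.30.2.50 200.1.1.1
!
! Single-port mappings that share the public address 200.1.1.2. The
! "extendable" keyword is what allows several static entries to reuse one
! global address; without it the second entry is refused.
ip nat inside source static tcp 172.30.2.10 25 200.1.1.2 25 extendable
ip nat inside source static tcp 172.30.2.12 80 200.1.1.2 80 extendable
ip nat inside source static tcp 172.30.2.11 21 200.1.1.2 21 extendable
!
! Port redirection: outside TCP 2100 lands on the FTP server's port 21.
! Local port comes first, then the global address and port.
ip nat inside source static tcp 172.30.2.11 21 200.1.1.2 2100 extendable
!
! Mapping onto the address of the outside interface itself, for a site with
! only the one ISP-assigned address. Only port mappings are possible here;
! a full mapping of this address would take the router's own traffic with it.
! (172.30.2.20 is an assumed RDP host, not one from the chapter.)
ip nat inside source static tcp 172.30.2.20 3389 interface Ethernet1/0 3390
!
! Check: static entries appear in the table even with no traffic flowing,
! e.g.  tcp 200.1.1.2:25  172.30.2.10:25  ---  ---
! If a line is missing, the most likely cause is a duplicate global
! address/port pair entered without "extendable".
```

A useful habit after entering these is to test each published port from outside the router rather than from the inside network: inside hosts reach the server by its private address directly and never exercise the translation.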
Edit NAT Configuration
Now we come to the second way to configure static NAT mappings using SDM: through the Edit NAT Configuration tab, shown in Figure 20.18.
This window is most useful if you have already set up Basic NAT (NAT overload) on the router and want to make changes to your NAT configuration in some way. Just by glancing around the configuration window shown in Figure 20.18, you can see quite a few options at your disposal:
- Designate NAT Interfaces: Opens a configuration window allowing you to allocate or reallocate which interfaces on your router connect to the inside or outside networks.
- Address Pool: Allows you to create one or more pools of IP addresses that you can use for dynamic NAT (using NAT from one group of IP addresses to another; see the description earlier in this chapter).
- Translation Timeouts: Opens a configuration window that lets you set time limits for idle NAT entries held in the router’s memory. For example, if someone opens a Telnet session through the NAT router and then enters nothing, the router keeps the mapping in the NAT table for 86400 seconds (24 hours) by default. After this amount of time, the NAT entry is removed, and the idle Telnet session can no longer pass traffic.
- Add: Opens a window allowing you to add static or dynamic NAT mappings.
- Edit: Opens a window allowing you to edit the selected NAT mapping.
- Delete: Removes the selected NAT mapping.
You might also notice the Clone selected Entry on Add checkbox at the bottom of the window. If checked, this prepopulates the new NAT entry window (opened by clicking the Add button) with whatever entry you have selected. For example, let’s say I wanted to create another static NAT mapping for our web server. I would like to map 200.1.1.2 TCP port 443 (HTTPS) to 172.30.2.12 port 443. Because I already have an entry mapping port 80 to this web server, I could check the Clone selected Entry on Add checkbox, select the current TCP port 80 mapping in the list, and click the Add button. The window shown in Figure 20.19 appears.
Nice! The Static radio button is already checked, the IP addresses have already been entered, and the correct interfaces are selected. All I have to do is change the Original Port and Translated Port fields to 443 and click OK. So easy a sea snail could do it! While we’re here, let’s talk about the configuration options in this window:
- Static/Dynamic: Choose the style of NAT you want to apply.
- Direction: This selector has caused plenty more confusion than it’s worth. Your choices in the drop-down box are From inside to outside and From outside to inside. The common misunderstanding is that this selector makes the translation a one-way street. The truth is that regardless of the direction you choose, the mapping is always two-way. For example, let’s say I create a map by choosing From inside to outside and map the inside IP address 172.30.2.12 to the outside IP address 200.1.1.2. When the server 172.30.2.12 accesses the Internet, it is seen as 200.1.1.2. Likewise, if someone on the Internet accesses 200.1.1.2, he or she reaches the server at 172.30.2.12. It’s a two-way translation. The good news is that you can always choose which direction makes more sense to you—outside-in or inside-out. This selector also gives you more flexibility when performing dynamic NAT.
- Inside IP Address/Network Mask: The inside address or pool of addresses you want to translate.
- Outside Interface(s)/Type: Allows you to enter the individual IP address or interface you want to translate. If the Type drop-down box has the IP address selected (shown in Figure 20.15), the IP address field can be modified. If the Type drop-down box has the interface selected, the Interface field can be modified.
- Redirect Port/Original Port/Translated Port: Allows you to choose the protocol and port numbers you want to translate.
After I click the OK button, the new static NAT translation is added. As I mentioned earlier, the Edit NAT Configuration tab is the best place to make changes to an existing NAT setup.
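To tie the Edit NAT Configuration options back to what they write into the router, here is an added example (not SDM’s generated output) of the CLI behind each of them: a second inside interface, an address pool used for dynamic NAT, shorter translation timeouts, and the cloned HTTPS entry. The second inside network 172.30.3.0/24 and the pool 200.1.1.3 to 200.1.1.6 are assumptions for illustration; the chapter’s company owns only 200.1.1.1 and 200.1.1.2.

```cisco
! Added example: CLI equivalents of the Edit NAT Configuration tab.
!
! Designate NAT Interfaces: extra inside interfaces are no problem, but
! there is still only one outside interface.
! (FastEthernet0/1 and 172.30.3.0/24 are assumed, not from the chapter.)
interface FastEthernet0/1
 ip address 172.30.3.1 255.255.255.0
 ip nat inside
!
! Address Pool with dynamic NAT: hosts matched by list 2 borrow a pool
! address one-to-one (no "overload"), so at most four can be on the
! Internet at once; a fifth waits until an entry times out.
access-list 2 remark assumed second inside network, dynamic NAT
access-list 2 permit 172.30.3.0 0.0.0.255
ip nat pool PUBLIC_POOL 200.1.1.3 200.1.1.6 netmask 255.255.255.224
ip nat inside source list 2 pool PUBLIC_POOL
! List 1 keeps its existing "interface Ethernet1/0 overload" rule; IOS
! allows one dynamic rule per access list, which is why list 2 is separate.
!
! Translation Timeouts: the defaults are 86400 s (24 h) for TCP and the
! general timer, 300 s for UDP. Shorter values free table entries and
! ports sooner, which matters most with a small pool like the one above.
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
!
! Add (cloned from the port 80 entry): HTTPS to the same web server.
ip nat inside source static tcp 172.30.2.12 443 200.1.1.2 443 extendable
```

After changing timeouts, existing entries keep the timer they were created with; use clear ip nat translation * if you want the new values to apply immediately.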