There are times when we are required to configure NAT Static outside feature on cisco devices.
Below scenario will help in understanding the requirement of “ip nat outside source static” command.
An existing customer has office location “Site A” which accesses Internet and business applications through the Gateway Router R1 (192.168.123.1). H1 and H2 are hosts which need to access a remote Server (IP = 100.100.100.1) via Gateway Router R1. Default Route is enough for these end systems to reach outside network through default Gateway.
This is where NAT command reference of “IP nat outside source static” comes to play.
Let’s see approach of how H1 and H2 users can access both Servers without performing much change in network.
Basic config on R1, H1 ,H2 and R2 Devices –
R1(config-if)#ip address 192.168.123.1 255.255.255.0
Note – Routers are configured as hosts for testing purpose –
H1(config-if)#ip address 192.168.123.2 255.255.255.0
H1(config-if)#exit
H1(config)#no ip routing
H1(config)#ip default-gateway 192.168.123.1
H2(config-if)#ip address 192.168.123.3 255.255.255.0
H2(config-if)#exit
H2(config)#no ip routing
H2(config)#ip default-gateway 192.168.123.1
R2(config-if)#ip address 192.168.123.100 255.255.255.0
R2(config)#interface FastEthernet0/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#exit
R2(config)#ip route 10.100.100.0 255.255.255.0 192.168.23.3
Now it’s time to configure R2 and perform NAT such that both the remote Servers S1 and S2 may be reachable. The approach will be to change the IP address of S2 Server from 100.100.100.1 to 192.168.123.4 with help of NAT on R2 where Hosts H1 and H2 will think they are communicating with Server S2 (IP address NATted to 192.168.123.4) on LAN Subnet.
This is how R2 outside NAT configuration will look like –
R2(config-if)#ip nat inside
R2(config)#interface FastEthernet0/1
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat outside source static 100.100.100.1 192.168.123.4 add-route
Note – keyword here is “add-route” along with nat outside static command. “add-route” will include route for destination 192.168.123.4 towards WAN Side i.e. pointing towards real S2 IP.
The configuration is substantiated by below command –
Pro Inside global Inside local Outside local Outside global— — — 192.168.123.4 100.100.100.1
Let’s ping Servers from H1 and H2 (For H1 and H2 the Server IPs will be S1 =100.100.100.1 and S2 = 192.168.123.4)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.123.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/69/112 msH1#ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/76/165 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.123.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 49/63/103 msH2#ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 55/67/163 ms
Pro Inside global Inside local Outside local Outside global
— — — 192.168.123.4 100.100.100.1
icmp 192.168.123.3:16 192.168.123.3:16 192.168.123.4:16 100.100.100.1:16
icmp 192.168.123.2:6 192.168.123.2:6 192.168.123.4:6 100.100.100.1:6
Related- Static vs Dynamic NAT- NAT Types
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)
