Learn to configure Cisco IOS NAT on a stick

David Davis explains "NAT on a stick" and what it can do for a network administrator. It's not a common Cisco router configuration, but it is a tool that you will want to understand in case you ever have a situation that calls for it.

A well known NAT configuration is called "NAT on a stick." Besides having a funny name, NAT on a stick can be very useful to network administrators. In this article, learn what NAT on a stick is and how it can help you.

What is Network Address Translation?

Network Address Translation (NAT) is used to translate IP addresses from one network into IP addresses for another network. NAT is performed by a router and is commonly used to translate private IP addresses used in homes and businesses into the public IP addresses that are used on the Internet.

When configuring NAT, there are a number of terms and concepts you need to know, for example the difference between inside local, inside global, outside local, and outside global addresses, NAT vs. PAT, and "NAT overload." You can learn about these terms and how NAT works in my article, "Set up NAT using the Cisco IOS." Additionally, you should take a look at the "Cisco IOS NAT Order of Operations."

I don't recommend that you configure NAT on a stick until you have a good understanding of NAT. I recommend that you try one of the easier NAT configurations prior to NAT on a stick.

For more information on NAT, see the Cisco Systems white paper, "How NAT Works," in TechRepublic's white paper directory.

What is NAT on a stick?

First, the "stick" is just a single router interface. Because NAT is typically performed between two router interfaces, NAT on a stick describes a NAT configuration in which only a single router interface is used and NAT is still performed. So we are really talking about NAT on a single router interface (but that's not as catchy, is it?).

For NAT to work, a packet has to be sent from an inside NAT interface to an outside NAT interface. This is still true with NAT on a stick, but we get around having only a single physical interface by using a virtual interface to play the other role. You use policy-based routing (PBR) to route and NAT the traffic between the virtual interface, which is a Cisco IOS loopback interface, and the physical interface.

Prior to configuring NAT on a stick, you should make sure that your Cisco IOS supports this feature. To do this, you can use the Cisco IOS Feature Navigator.

How can NAT on a stick help you?

NAT on a stick is not what I would consider a common configuration. However, I have seen it listed on Cisco certification exam objectives; I have heard Cisco instructors talk about it; and I have had readers ask me questions about it. So, even though you won't find NAT on a stick in use on most enterprise networks, I think that it is important that you know what it is, how it can help you, and that it is yet another tool available to you, should you need it.

While there are a number of options for using NAT on a stick, here is a scenario in which I've seen it in use. (I have selected this scenario because it is based on the official Cisco documentation on this topic, where you can go to find more information.)

You have a LAN with a number of computers, a single Cisco router with one Ethernet interface, and a DSL modem. Your ISP has given you a single IP address plus a block of two other IP addresses on a different network. Usually, you would get around this by using NAT (actually PAT, or NAT overload) with a home/SMB router such as a Linksys, Netgear, D-Link, or Belkin. But let's say that you want to use a Cisco router only, and unfortunately, all you have is a 2501 (one Ethernet and one Serial interface). The DSL modem is just a bridge (not a router), and the Cisco router cannot be cabled to the modem and to the LAN at the same time because it has only one LAN interface. So you put a small hub between the DSL modem and the 2501 Cisco router.

While this might sound like a wild scenario to some, and we can all agree that the real fix is to buy more hardware, I don't want to leave out any option you could consider for using the Cisco IOS to solve a problem. Should this configuration be used on the Internet in production? No. Is it valuable to know how to configure NAT on a stick? Absolutely!

How do you configure NAT on a stick?

The sample configuration below for NAT on a stick is based on the following details: The local LAN is the 192.168.1.0 network. You are given one usable IP address on this network from the ISP, plus a block of two IP addresses on the 192.168.2.0 network. This network has access to the DSL modem. The 10.0.0.0 network is the LAN where you can have as many devices as you want; the devices on that LAN are the ones that rely on NAT on a stick.

Remember -- the Cisco IOS loopback interface is the virtual interface that helps us get around the "one interface only" issue. Here is what you need to do:

Configure Interfaces with NAT statements and IP policy routing

interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside

interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip policy route-map Nat-loop

Configure your NAT pools

ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29
ip nat inside source list 10 pool external overload

Ensure that you have IP Routes

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 Ethernet0

Create ACLs for NAT and the Policy Routing

access-list 10 permit 10.0.0.0 0.0.0.255

access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

Create the Route Map that is applied to the Ethernet interface

route-map Nat-loop permit 10
 match ip address 102
 set interface Loopback0

With this configuration, PC clients with 10.0.0.x addresses are translated when their traffic arrives on the Ethernet0 interface, and the translation uses the 192.168.2.x pool.

You should note that you will have to configure the router's primary Ethernet IP as the default gateway for all PCs in the NAT network. You will also have to do ONE of the following:

1. Have the ISP or any other router on the other side of the NAT network create a static route for your 192.168.2.0/29, pointing to your router's 192.168.1.2 IP address

2. Have your router advertise that network (in #1) via a dynamic routing protocol like RIP, OSPF, or EIGRP

This configuration is based on the example provided in Cisco's official Network Address Translation on a Stick documentation. Please review it if you have questions on this example, since it includes a diagram and debug steps.
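The listing above has several pieces that must agree with each other: the route-map name referenced on Ethernet0 and the route-map actually defined, the ACLs named by the NAT rule and the route map, the interface the route map sends traffic to (which must be the NAT outside interface), and a static route that covers the NAT pool. As an added example, not code from the article or from Cisco, the Python below parses a constructed copy of this configuration and checks those cross-references. The parser is hypothetical and understands only the command forms that appear in this article; interface and route-map names are compared exactly as written, which is how IOS treats route-map names. The constructed copy applies the policy to Ethernet0 as `nat-loop` while the route map is defined as `Nat-loop`, so the check has a real mismatch to report. It also evaluates the Cisco wildcard-mask ACLs, so you can confirm which traffic ACL 102 hands to the loopback.

```python
import ipaddress
import re

# Constructed NAT-on-a-stick configuration modelled on the article's listing.
# Ethernet0 applies the policy as "nat-loop" while the route-map is defined as
# "Nat-loop"; IOS route-map names are case-sensitive, so the lint should flag it.
IOS_CONFIG = """\
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip policy route-map nat-loop
ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29
ip nat inside source list 10 pool external overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 Ethernet0
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip any 192.168.2.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
route-map Nat-loop permit 10
 match ip address 102
 set interface Loopback0
"""

ANY = ("0.0.0.0", "255.255.255.255")  # the keyword 'any' as network + wildcard

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard masks: a 0 bit must match, a 1 bit is a don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def _addr_spec(tokens):  # consume 'any' or 'NETWORK WILDCARD', return the rest
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Hypothetical parser covering only the command forms NAT on a stick needs."""
    cfg = {"nat_role": {}, "policy": {}, "route_maps": {}, "acls": {},
           "pools": {}, "nat_rules": [], "routes": []}
    ctx = None  # interface or route-map whose indented sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            ctx = m[1]
        elif m := re.fullmatch(r"route-map (\S+) permit \d+", line):
            ctx = m[1]
            cfg["route_maps"].setdefault(ctx, {})
        elif m := re.fullmatch(r"ip nat (inside|outside)", line):
            cfg["nat_role"][ctx] = m[1]
        elif m := re.fullmatch(r"ip policy route-map (\S+)", line):
            cfg["policy"][ctx] = m[1]
        elif m := re.fullmatch(r"set interface (\S+)", line):
            cfg["route_maps"][ctx]["set_if"] = m[1]
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)", line):
            cfg["pools"][m[1]] = (m[2], m[3], int(m[4]))
        elif m := re.fullmatch(r"ip nat inside source list (\d+) pool (\S+)( overload)?", line):
            cfg["nat_rules"].append((m[1], m[2]))
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.fullmatch(r"access-list (\d+) permit (.*)", line):
            toks = m[2].split()
            if toks[0] == "ip":  # extended ACL: protocol keyword, then src, dst
                toks = toks[1:]
            src, rest = _addr_spec(toks)
            dst = _addr_spec(rest)[0] if rest else ANY  # standard ACL: source only
            cfg["acls"].setdefault(m[1], []).append((src, dst))
    return cfg

def acl_permits(cfg, acl_id, src, dst):
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d) for s, d in cfg["acls"].get(acl_id, []))

def lint(cfg):
    """Cross-reference checks to run before loading the config on a router."""
    findings = []
    for iface, name in cfg["policy"].items():
        if name not in cfg["route_maps"]:  # exact, case-sensitive lookup like IOS
            near = [r for r in cfg["route_maps"] if r.lower() == name.lower()]
            hint = f" (case differs from '{near[0]}')" if near else ""
            findings.append(f"{iface}: route-map '{name}' is not defined{hint}")
    for name, rm in cfg["route_maps"].items():
        if cfg["nat_role"].get(rm.get("set_if")) != "outside":
            findings.append(f"route-map {name}: set interface is not the NAT outside interface")
    for acl, pool in cfg["nat_rules"]:
        if acl not in cfg["acls"] or pool not in cfg["pools"]:
            findings.append(f"NAT rule (list {acl}, pool {pool}): ACL or pool undefined")
            continue
        start, _end, plen = cfg["pools"][pool]
        net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
        if not any(net.subnet_of(r) and r.prefixlen > 0 for r in cfg["routes"]):
            findings.append(f"pool {pool}: no specific static route covers {net}")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_config(IOS_CONFIG)):
        print("FINDING:", finding)
```

Run as a script it reports the single finding, that Ethernet0 references `nat-loop` while only `Nat-loop` is defined; correct the name on the interface and `lint` returns an empty list. The /29 pool sitting under the /24 static route is accepted, since the route covers the pool. `acl_permits(cfg, "102", "10.0.0.5", "8.8.8.8")` and `acl_permits(cfg, "102", "8.8.8.8", "192.168.2.2")` both return True, which is the outbound and return traffic the route map sends to Loopback0, while traffic sourced from a 192.168.1.x host toward the Internet is not policy-routed.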

In Conclusion

NAT on a Stick is one of the many tools that a network admin may need to employ in certain situations. If nothing else, it is a configuration that you should recognize by name if you are asked about it on certification exams or by colleagues. For some admins, it is an irreplaceable tool.

8 comments
sagar.santras

It is very helpful. I am thankful for all your support. You are my guru (teacher). My email id: sagar.santras@gamil.com & sagar.santras@hotmail.com

jadeblasi

I do not get the NAT pool. If we assume that in the example the 192.168.1.0 network is a public, routable network, then wouldn't 192.168.2.0/29 be as well? Why would the ISP give you those IPs and provide a route if they are already giving you 192.168.1.0/30? Wouldn't it make more sense to use the loopback as the inside NAT interface, set the 192.168.1.2 IP as the primary IP on Ethernet0, and do an ip nat inside source list 10 interface ethernet0 overload?

sunny

I really enjoy the article "Set up NAT using the Cisco IOS" and I have learned a few things from it. It will help me achieve my CCNA. But I have one question understanding Figure B of that article. In the above figure the gateway address that is mentioned is 10.10.10.10, which will be on a different network. Does it have to be 10.1.x.x? Maybe I am not understanding right, but it should be the private IP address as the PC has. Am I right or wrong? In that case the Inside global will be the Private IP address of the Router's Ethernet Port. If you can clear my confusion, I will really appreciate it. Sunil Shah

ddavis

Thanks for your comment. Yes, it is safe to assume that if 192.168.1.0 was public then 192.168.2.0/29 would be too. I will clarify this in the article. Concerning configuring it differently, as you suggested, YES, this sounds like a good alternate config compared to what Cisco suggested. In fact, I found this config at: http://www.groupstudy.com/archives/ccielab/200107/msg00325.html

interface Loopback1
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 ip policy route-map nat
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0 secondary
 ip address 75.102.181.33 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1
!
access-list 1 permit 172.16.0.0 0.0.255.255
route-map nat permit 10
 set ip next-hop 75.102.181.1

Is that what you are talking about? I haven't tested it but it looks interesting. Again, thanks for the comments and thanks for reading TechRepublic!

ddavis

You are correct. In Figure B of that article there is a mistake in the PC's IP address. The PC's IP address should be 10.10.10.1.

Crikey

I am a novice by any means, but I do some Cisco configuring because I work as a one-person IT staff. To dumb this down a little for me, the commenters are saying the Outside was a Private non-routable IP and should be NATed to a Public IP, and the inside was given a Public IP and should be Private? Other than that, this is how NAT on a Stick for a single Ethernet interface would be done? Is NAT on a Stick more secure?

bagaumer

I think the application here is to add an additional layer of security via NAT on a Stick. All IP is inherently "routable," but RFC 1918 discusses private IP vs. public IP. In this example I'm sure we are talking about an extranet or something internal where the network admin wants to control access into the network and maintain control over IP allocation for administration and design.