NAT settings

NAT (Network Address Translation) is a method of remapping one IP address space into another by modifying the network address information in the IP headers of packets while they are in transit across a traffic routing device. Along with the sender and receiver addresses, the sender and receiver TCP or UDP ports can also be changed. NAT is most often used to share a single public IP address among many local users with private addresses, and to provide access from the LAN to the WAN, that is, to enable devices with private addresses to exchange data with the global network (with devices that have public addresses). When NAT is used, the topology of the internal network is hidden and access from the external network can be limited.

There are two types of NAT:

  • source NAT (SNAT),
  • destination NAT (DNAT),

and three basic concepts of address translation (in the case of EcoRouter):

  • static NAT,
  • dynamic NAT,
  • NAT with overload (PAT).

Source NAT is the most common type of NAT. It translates the source IP address of a packet going from the internal network to the external one, and performs the reverse translation of the destination address of a packet going from the external network to the internal one. A frequent application scenario: providing access from the LAN to the WAN.

Destination NAT is the type of NAT that translates the destination IP address of a packet going from the external network to the internal one, and performs the reverse translation of the source address of a packet going from the internal network to the external one. A frequent application scenario: providing outside access to services offered by servers located in the LAN.

Static NAT is a one-to-one static translation: one predefined IP address is substituted for another, also predefined. The rule for such a substitution is stored in the translation table for an unlimited amount of time, or as long as the corresponding router configuration remains.

Dynamic NAT is an ambiguous one-to-one translation, that is, one of the predefined IP addresses is replaced with the first free address from the designated range (pool). The rule for such a substitution is stored in the translation table as long as the internal and external hosts continue to exchange data. If there is no traffic for a certain time, the rule is deleted and the address is released, that is, returned to the pool.

NAT with overload (PAT) is a many-to-one translation, that is, several predefined internal addresses are replaced with the same external address. Besides the addresses themselves, the rule for such a substitution contains the TCP/UDP source port, which is used to identify which internal host the traffic belongs to.

The table below describes the NAT configuration commands for the EcoRouter.

| Command | Description |
| --- | --- |
| ip nat inside | The command is entered in the interface configuration mode (config-if). It marks the interface as the "internal NAT interface", which means that all traffic entering this interface is marked as "possibly to be translated" |
| ip nat outside | The command is entered in the interface configuration mode (config-if). It marks the interface as the "external NAT interface", which means that all traffic that is to exit through this interface and is marked as "possibly to be translated" will be translated |
| ip nat source static A.B.C.D Q.W.E.R [vrf] | The command is entered in the configuration mode (config). It creates a static address-to-address translation. The vrf parameter is optional. If no vrf is specified, the rule is created for the default vrf |
| ip nat source static network A.B.C.D Q.W.E.R mask [vrf] | The command is entered in the configuration mode (config). It creates several static address-to-address translations for two address ranges of equal size. The number of translations is determined by the mask parameter (subnet mask). The vrf parameter is optional. If no vrf is specified, the rule is created for the default vrf |
| ip nat source static A.B.C.D interface <IF_NAME> [vrf] | The command is entered in the configuration mode (config). It creates a static address-to-address translation. The address assigned to the interface specified in the command is used as the inside global address. The vrf parameter is optional. If no vrf is specified, the rule is created for the default vrf |
| ip nat pool <POOL_NAME> <RANGE> | The command is entered in the configuration mode (config). It creates an address pool that can be used in dynamic translation rules. The address range can be given with hyphens and commas: 1.1.1.1-1.1.1.10,2.2.2.2,3.3.3.5-3.3.4.5 |
| ip nat source dynamic inside pool <POOL_NAME> overload A.B.C.D [vrf] | The command is entered in the configuration mode (config). It creates dynamic many-to-one translations for packets from the LAN whose source IP address falls within the address range defined by the pool. The lifetime of a translation after the last packet has passed is 300 seconds. The address specified after the overload keyword is used as the inside global address. The vrf parameter is optional. If no vrf is specified, the rule is created for the default vrf |
| ip nat source dynamic inside pool <POOL_NAME> overload interface <IF_NAME> [vrf] | The command is entered in the configuration mode (config). It creates dynamic many-to-one translations for packets from the LAN whose source IP address falls within the address range defined by the pool. The lifetime of a translation after the last packet has passed is 300 seconds. The address assigned to the interface specified in the command is used as the inside global address. The vrf parameter is optional. If no vrf is specified, the rule is created for the default vrf |

Use the show ip nat translations command to display the translation table on the EcoRouter:

ecorouter#show ip nat translations
 Static translations: 
 Source              Translated          VRF
 3.3.3.3             4.4.4.4             default  
 PAT translations: 
      Source                 Translated             Destination             IF 
 Time: 5s, Protocol: ICMP, VRF: default
 IN:  10.10.10.10            20.20.20.21            20.20.20.20             N/A
 OUT: 20.20.20.20            20.20.20.21            20.20.20.21             N/A
 Time: 3s, Protocol: TCP, VRF: default
 IN:  10.10.10.10:171        20.20.20.21:35005      20.20.20.20:35091       N/A
 OUT: 20.20.20.20:35091      20.20.20.21:35005      20.20.20.21:35005       N/A
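
During incident response it is often necessary to map a translated address and port seen on the outside back to the inside host. The parser below is an added example, not EcoRouter code; it assumes the output layout shown above, and its function names are illustrative.

```python
import re

# Output copied from the `show ip nat translations` example on this page.
SAMPLE = """\
 Static translations:
 Source              Translated          VRF
 3.3.3.3             4.4.4.4             default
 PAT translations:
      Source                 Translated             Destination             IF
 Time: 5s, Protocol: ICMP, VRF: default
 IN:  10.10.10.10            20.20.20.21            20.20.20.20             N/A
 OUT: 20.20.20.20            20.20.20.21            20.20.20.21             N/A
 Time: 3s, Protocol: TCP, VRF: default
 IN:  10.10.10.10:171        20.20.20.21:35005      20.20.20.20:35091       N/A
 OUT: 20.20.20.20:35091      20.20.20.21:35005      20.20.20.21:35005       N/A
"""

HEADER = re.compile(r"Time:\s*(\d+)s,\s*Protocol:\s*(\S+),\s*VRF:\s*(\S+)")


def parse_translations(text):
    """Return (static, pat): static rows and PAT sessions as lists of dicts."""
    static, pat, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("translations:"):
            section = line.split()[0].lower()        # "static" or "pat"
        elif section == "static" and not line.startswith("Source") and line:
            src, translated, vrf = line.split()
            static.append({"source": src, "translated": translated, "vrf": vrf})
        elif section == "pat" and (m := HEADER.match(line)):
            current = {"age_s": int(m[1]), "protocol": m[2], "vrf": m[3]}
            pat.append(current)
        elif section == "pat" and line.startswith(("IN:", "OUT:")) and current:
            direction, src, translated, dst, ifname = line.split()
            current[direction.rstrip(":").lower()] = {
                "source": src, "translated": translated,
                "destination": dst, "if": ifname}
    return static, pat


def inside_hosts_for(pat, translated, protocol):
    """Inside endpoints currently hidden behind a translated endpoint."""
    return [s["in"]["source"] for s in pat
            if "in" in s and s["protocol"] == protocol
            and s["in"]["translated"] == translated]
```

PAT entries expire, so the table only answers this question for sessions that are still active when the command is run.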

NAT port forwarding is the static forwarding of NAT ports (opening ports behind NAT) to provide static remote access through NAT to equipment in the local network. It lets you create static NAT rules (always present and operating in either direction of traffic) for specific source and destination IP addresses, and specify the TCP/UDP ports to which the translation applies. To create such rules, use the following configuration mode command:

ip nat source static <tcp/udp> <IP src> <port src> <IP dst> <port dst>

The parameters for this command are described in the table below. All parameters are required!

| Parameter | Description |
| --- | --- |
| tcp or udp | Keywords that specify the transport protocol |
| IP src | Source IP address |
| port src | Source L4 port. A range of ports can be specified by giving the start and end values separated by spaces. The source and destination port ranges must be the same size (see example below) |
| IP dst | Destination IP address |
| port dst | Destination L4 port. A range of ports can be specified by giving the start and end values separated by spaces. The source and destination port ranges must be the same size (see example below) |

An example of NAT port forwarding and dynamic PAT is shown below.

Configuring PAT:

ecorouter(config)#ip nat pool TEST 10.0.0.0-10.0.0.254
ecorouter(config)#ip nat source dynamic inside pool TEST overload interface wan

ecorouter(config)#interface wan
ecorouter(config-if)#ip address 77.0.0.1/30
ecorouter(config-if)#ip nat outside

ecorouter(config)#interface lan
ecorouter(config-if)#ip address 10.0.0.1/24
ecorouter(config-if)#ip nat inside

Remote access to the LAN server with the address 10.0.0.2 can be provided by creating a static NAT rule that defines specific TCP/UDP ports. The rule that allows connecting to the LAN server from the WAN side, by connecting over TCP to the address 77.0.0.1 and L4 port 2222, looks like this:

ecorouter(config)#ip nat source static tcp 10.0.0.2 22 77.0.0.1 2222

Example of a rule with a range of ports:

ip nat source static tcp 10.0.0.1 100 300 7.0.0.1 400 600
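
Every port-forwarding rule opens inside ports to the outside network, so the rules are worth reviewing in bulk. The following added example (not part of the EcoRouter documentation or software) parses the two rules shown above, enforces the equal-range-size requirement, and flags forwarded ranges that cover sensitive inside ports; the SENSITIVE_TCP list and the function names are assumptions.

```python
import ipaddress
import re

# Constructed config excerpt; the two rules are the ones shown on this page.
CONFIG = """\
ip nat source static tcp 10.0.0.2 22 77.0.0.1 2222
ip nat source static tcp 10.0.0.1 100 300 7.0.0.1 400 600
"""

# Assumption (not from the page): inside TCP ports a reviewer wants flagged.
SENSITIVE_TCP = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios",
                 445: "smb", 3389: "rdp"}

RULE = re.compile(r"ip nat source static (tcp|udp) (\S+) (\d+)(?: (\d+))? "
                  r"(\S+) (\d+)(?: (\d+))?$")


def parse_forward(line):
    """Parse one port-forwarding rule; raise ValueError if it is malformed."""
    m = RULE.search(line.strip())          # search() tolerates a CLI prompt prefix
    if not m:
        raise ValueError(f"not a port-forwarding rule: {line!r}")
    proto, in_ip, in_lo, in_hi, out_ip, out_lo, out_hi = m.groups()
    ipaddress.ip_address(in_ip)            # raises ValueError on a bad address
    ipaddress.ip_address(out_ip)
    inside = (int(in_lo), int(in_hi or in_lo))
    outside = (int(out_lo), int(out_hi or out_lo))
    for lo, hi in (inside, outside):
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}: {line!r}")
    # The documentation requires both port ranges to be the same size.
    if inside[1] - inside[0] != outside[1] - outside[0]:
        raise ValueError(f"port range sizes differ: {line!r}")
    return {"proto": proto, "inside": (in_ip, *inside), "outside": (out_ip, *outside)}


def audit(config):
    """One finding per forwarding rule: ports opened and sensitive ports hit."""
    findings = []
    for line in config.splitlines():
        if not re.search(r"ip nat source static (tcp|udp) ", line):
            continue                       # plain static NAT or unrelated line
        rule = parse_forward(line)
        _, lo, hi = rule["inside"]
        rule["exposed_count"] = hi - lo + 1
        rule["sensitive"] = sorted(name for port, name in SENSITIVE_TCP.items()
                                   if rule["proto"] == "tcp" and lo <= port <= hi)
        findings.append(rule)
    return findings
```

On the two rules above, the single-port rule is reported as exposing ssh, and the 100-300 range is reported as opening 201 inside ports, including 135 and 139.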

Example of the static source NAT configuration

EcoRouter configuration:

Ports and interfaces settings:

ecorouter(config)#port te0
ecorouter(config-port)#service-instance si0
ecorouter(config-service-instance)#encapsulation untagged
 
ecorouter(config)#port te1
ecorouter(config-port)#service-instance si1
ecorouter(config-service-instance)#encapsulation untagged

ecorouter(config)#interface in
ecorouter(config-if)#ip address 10.10.10.1/24
ecorouter(config-if)#ip nat inside
ecorouter(config-if)#connect port te0 service-instance si0
 
ecorouter(config)#interface out
ecorouter(config-if)#ip address 20.20.20.1/24
ecorouter(config-if)#ip nat outside
ecorouter(config-if)#connect port te1 service-instance si1             

Setting the static translation:

ecorouter(config)#ip nat source static 10.10.10.10 20.20.20.21

Example of the static source PAT configuration

EcoRouter configuration.

Ports and interfaces configuration:

ecorouter(config)#port te0
ecorouter(config-port)#service-instance si0
ecorouter(config-service-instance)#encapsulation untagged
 
ecorouter(config)#port te1
ecorouter(config-port)#service-instance si1
ecorouter(config-service-instance)#encapsulation untagged

ecorouter(config)#interface in
ecorouter(config-if)#ip address 10.10.10.1/24
ecorouter(config-if)#ip nat inside
ecorouter(config-if)#connect port te0 service-instance si0
 
ecorouter(config)#interface out
ecorouter(config-if)#ip address 20.20.20.1/24
ecorouter(config-if)#ip nat outside
ecorouter(config-if)#connect port te1 service-instance si1             

Creating the address pool for incoming traffic:

ecorouter(config)#ip nat pool POOL 10.10.10.0-10.10.10.20

Configuring the translation rules:

ecorouter(config)#ip nat source dynamic inside pool POOL overload 20.20.20.21