Chapter 2
Cisco 1710 Security Router Configuration
Configuration Example
78-12696-01
In this example, we want NAT to allow certain devices on the inside to originate
communication with devices on the outside by translating their internal addresses
to valid outside addresses or a pool of addresses. The pool in this example is
defined as the range of addresses 172.16.10.1 through 172.16.10.63.
In order to accomplish this translation, we need to use dynamic NAT. With
dynamic NAT, the translation table in the router is initially empty and gets
populated once traffic that needs to be translated passes through the router. (This
is opposed to static NAT, in which a translation is statically configured and is
placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each inside device address to
a unique valid outside address, or to translate each inside device address to the
same valid outside address. The second method is known as overloading. An
example of how to configure each method is given here.
To begin, configure the Fast Ethernet interface with an IP address and as a "NAT
inside" interface.
interface FastEthernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
Then configure the Ethernet interface with an IP address and as a "NAT outside"
interface.
interface Ethernet 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
To handle the case in which each inside address is translated to its own unique
outside address, define a NAT pool named "no-overload" with a range of
addresses from 172.16.10.0 to 172.16.10.63.
ip nat pool no-overload 172.16.10.0 172.16.10.63 prefix-length 24
Define access list 7 to permit packets with source addresses ranging from
10.10.10.0 through 10.10.10.31 and from 10.10.20.0 through 10.10.20.31.
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
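The following Python model is an added example, not part of the Cisco guide: it shows how the wildcard masks in access list 7 select source addresses and how a dynamic translation table starts empty and fills from the "no-overload" pool as traffic arrives. It assumes access list 7 is what selects traffic for translation (the binding step is not shown in this section), and the lowest-first allocation order, the absence of timeouts, and the names acl_permits and DynamicNat are assumptions of the model.

```python
import ipaddress

# Values taken from the configuration on this page.
ACL_7 = [("10.10.10.0", "0.0.0.31"), ("10.10.20.0", "0.0.0.31")]
POOL_START, POOL_END = "172.16.10.0", "172.16.10.63"


def acl_permits(src, acl=ACL_7):
    """Standard ACL match: bits set in the wildcard mask are 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    for base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(base)) & care:
            return True
    return False  # implicit deny at the end of every access list


class DynamicNat:
    """Simplified model of dynamic NAT without overloading (hypothetical helper)."""

    def __init__(self, start=POOL_START, end=POOL_END):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start, end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.table = {}  # inside address -> outside address; empty until traffic

    def translate(self, src):
        """Return the outside address for src, or None if none is assigned."""
        if not acl_permits(src):
            return None  # source not selected by access list 7
        if src not in self.table:
            if not self.free:
                return None  # pool exhausted: one-to-one NAT has no address left
            self.table[src] = self.free.pop(0)  # assumed order: lowest first
        return self.table[src]


if __name__ == "__main__":
    nat = DynamicNat()
    # Constructed sample traffic: two permitted hosts, one outside the ACL range.
    for host in ("10.10.10.5", "10.10.10.32", "10.10.20.31", "10.10.10.5"):
        print(host, "->", nat.translate(host))
    print("translation table entries:", len(nat.table))
```

Access list 7 permits 64 source addresses and the pool holds 64 addresses, so in this one-to-one model every permitted host can hold a translation at once, and any smaller pool runs out.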
Configuring Network Address Translation
Cisco 1710 Security Router Software Configuration Guide