
Configuring Dynamic NAT, Inside Global Address
Overloading, and TCP Load Distribution
This section explains how to configure dynamic NAT using inside global address overloading
as well as TCP load distribution.
Dynamic NAT maps an illegal inside IP address to any legally registered, globally routable
IP address from an identified pool of addresses. Before trying to configure dynamic NAT, you
should enable IP routing on your router and configure the appropriate IP addresses and subnet
masks on each interface.
Again, let’s start the configuration process in global configuration mode, assuming you have
only one interface on the router connected to your inside network and one connected to your
outside network. In this example, a PC using the illegal inside IP address of 10.1.2.25 needs to
access data on the Internet. When the NAT border router receives a packet going to the outside
network from IP address 10.1.2.25, the NAT border router will choose an available globally
routable IP address from the address pool and translate the source IP address to the legally
usable address of 200.1.1.26. Do this by following these steps:
1. NAT translations from the inside local network to the inside global network take place
after routing. Therefore, any access lists or policy routing will have been applied before the
translation occurs. You will create an access list to specify the IP addresses to translate. In
this example, you have a rather large network using the 10.1.0.0/16 IP address range, so the
following command will be used to create a standard IP access list that contains a wildcard
mask for the last two octets:
BorderRouter(config)#access-list 2 permit 10.1.0.0 0.0.255.255
2. Now that you have an access list defining which packets will be translated (everything
sourced from 10.1.0.0/16, which includes 10.1.2.25), you need to define the actual pool of
addresses that are routable on the Internet. This is the range of legal IP addresses that your
ISP allocated to you for your use.
You might have been given only 254 IP addresses for your 1,000 PCs and servers in the
network, but because all your PCs aren’t on the Internet at any given time, this might be
enough. If it isn’t, you need to use another solution, such as configuring inside global
address overloading. Before you begin configuring your pool of addresses, you need to
decide on a name. In this case, you will call your address pool InternetIPPool. To
define the 254 IP addresses your ISP gave you (200.1.1.1 to 200.1.1.254 with the subnet
mask 255.255.255.0), use the following command:
BorderRouter(config)#ip nat pool InternetIPPool 200.1.1.1 200.1.1.254 netmask 255.255.255.0
To configure the router to utilize individual TCP ports, thus enabling a single IP
address to be used by more than one inside host at the same time, add the keyword
overload after the pool name in the ip nat inside source list command shown in
step 3 (not in the ip nat pool command itself).
3. At this point, you need to associate access list 2 (which you created in step 1) with the IP
NAT pool InternetIPPool you created in step 2. To do this, use the following command:
BorderRouter(config)#ip nat inside source list 2 pool InternetIPPool
4. To enable NAT, you must first select the interface that connects your inside network to the
router or internal route processor. To configure Ethernet 0 as a NAT inside interface, use
the following commands from global configuration mode:
BorderRouter(config)#interface ethernet0
BorderRouter(config-if)#ip nat inside
BorderRouter(config-if)#
5. Next, you need to configure serial 0 as the NAT interface connected to your outside network.
From global configuration mode, use the following commands:
BorderRouter(config)#interface serial0
BorderRouter(config-if)#ip nat outside
BorderRouter(config-if)#
There is another option when configuring dynamic NAT. You can use an
interface instead of a pool of IP addresses. This is useful when you might not
know the IP address of the outside interface—for example, when using DHCP
on the outside interface. You still configure an access list that defines the traffic
to NAT and define which interfaces are inside and outside, but there is no
ip nat pool command. In addition, the command to configure the NAT is
slightly different: ip nat inside source list list-number interface
outside-interface overload. The overload parameter is not required but is
highly recommended because many inside hosts will be sharing the outside
interface's single IP address for their link to the outside network.
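To make the behaviour behind steps 1 through 5 and the interface-overload note concrete, here is an added Python model of inside-source dynamic NAT; it is example code written for this discussion, not part of the book or of Cisco IOS. It reuses the book's values (access list 2 permitting 10.1.0.0 0.0.255.255, pool InternetIPPool from 200.1.1.1 to 200.1.1.254, host 10.1.2.25) and shows three things the steps only state in words: how the wildcard mask decides which sources are translated, why a 254-address pool without overload fails for the 255th simultaneous inside host, and how the interface variant with overload lets all hosts share one outside address by giving each flow its own port. The sequential port allocation, the lowest-free-address pool order, and the use of 200.1.1.26 as the outside interface address in the interface variant are assumptions of this model, not guaranteed IOS behaviour.

```python
# Added example, not from the book: a small model of Cisco-style dynamic NAT
# with and without inside global address overloading. The addresses come from
# the book; the port numbers, the pool allocation order and the outside
# interface address 200.1.1.26 in the interface variant are assumptions.
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Standard access-list test: a 1 bit in the wildcard mask means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def expand_pool(start: str, end: str) -> list[str]:
    """All addresses from start to end inclusive, like 'ip nat pool NAME START END'."""
    first, last = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(i)) for i in range(first, last + 1)]


class DynamicNat:
    """Inside-source dynamic NAT, optionally overloading one inside global address."""

    def __init__(self, acl, pool, overload=False, first_port=1024):
        self.acl = acl                  # [(action, network, wildcard), ...]
        self.free = list(pool)          # unused inside global addresses (1:1 mode)
        self.overload = overload
        self.host_map = {}              # inside local -> inside global (1:1 mode)
        self.flow_map = {}              # (inside local, port) -> (inside global, port)
        self.global_addr = pool[0]      # the single address reused under overload
        self.next_port = first_port     # assumed port allocation: sequential

    def permits(self, src: str) -> bool:
        """First matching entry wins; an unmatched address hits the implicit deny."""
        for action, network, wildcard in self.acl:
            if wildcard_match(src, network, wildcard):
                return action == "permit"
        return False

    def translate(self, src: str, sport: int) -> tuple[str, int]:
        """Return the (inside global address, port) seen on the outside interface."""
        if not self.permits(src):
            return (src, sport)         # not in the list: forwarded untranslated
        if self.overload:
            key = (src, sport)
            if key not in self.flow_map:
                # one global address; each inside flow is told apart by a unique port
                self.flow_map[key] = (self.global_addr, self.next_port)
                self.next_port += 1
            return self.flow_map[key]
        if src not in self.host_map:
            if not self.free:
                raise RuntimeError("NAT pool exhausted: no free inside global address")
            self.host_map[src] = self.free.pop(0)   # lowest free address (assumption)
        return (self.host_map[src], sport)

    def active_translations(self) -> int:
        return len(self.flow_map) if self.overload else len(self.host_map)


ACL_2 = [("permit", "10.1.0.0", "0.0.255.255")]
INTERNET_IP_POOL = expand_pool("200.1.1.1", "200.1.1.254")


def _inside_host(i: int) -> str:
    """Constructed inside hosts 10.1.2.1, 10.1.2.2, ... spilling into 10.1.3.x and so on."""
    return f"10.1.{2 + i // 254}.{1 + i % 254}"


def pool_exhausts_without_overload(hosts: int = 255) -> bool:
    """With 254 global addresses and no overload, the 255th inside host cannot get out."""
    nat = DynamicNat(ACL_2, INTERNET_IP_POOL)
    try:
        for i in range(hosts):
            nat.translate(_inside_host(i), 40000)
    except RuntimeError:
        return True
    return False


def interface_overload_translations(hosts: int = 1000) -> int:
    """Interface variant: one outside address (assumed 200.1.1.26) shared by every host."""
    nat = DynamicNat(ACL_2, ["200.1.1.26"], overload=True)
    for i in range(hosts):
        nat.translate(_inside_host(i), 40000)
    return nat.active_translations()


if __name__ == "__main__":
    nat = DynamicNat(ACL_2, INTERNET_IP_POOL)
    print(nat.translate("10.1.2.25", 51515))      # translated to a pool address
    print(nat.translate("192.168.1.1", 51515))    # not matched by access list 2
    print("pool exhausted at 255 hosts:", pool_exhausts_without_overload())
    print("flows behind one address:", interface_overload_translations())
```

On the router itself the equivalent check is to watch the translation table with show ip nat translations and the pool hit and miss counters with show ip nat statistics; a growing miss count on a pool without overload is the real-world version of the RuntimeError above.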