Configuring NAT for multiple VLANs on a Cisco router is a challenge that many inexperienced Cisco network engineers have had to contend with at one stage or another of their careers. NAT itself is not a big deal, but getting it to work on a router configured for multiple VLANs can give you grief if you do not know what you are doing.
In my previous post, I showed how to configure DHCP on a Cisco router with multiple VLANs. You can find it here. In this post, using a slightly modified version of the same network topology, I will show how to configure NAT for multiple VLANs on a Cisco router.
Network topology
Objective
Our objective in this lab is to configure NAT for the three VLANs in the network topology. We could NAT all three VLANs to one public IP or give each VLAN a separate public IP. For this demonstration, all three VLANs will be translated to the single public IP on the WAN interface of the router (1.1.1.2), using port address translation (the overload keyword) so that hosts in all three VLANs can share that one address.
Public IPs used in the NAT for multiple VLANs
VLAN 10: private subnet 192.168.10.0/24, public IP 1.1.1.2
VLAN 20: private subnet 192.168.20.0/24, public IP 1.1.1.2
VLAN 30: private subnet 192.168.30.0/24, public IP 1.1.1.2
Configuring NAT for multiple VLANs
First, we create three standard access-lists, one per VLAN, each matching the private subnet whose traffic should be translated.
Router(config)#access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)#access-list 20 permit 192.168.20.0 0.0.0.255
Router(config)#access-list 30 permit 192.168.30.0 0.0.0.255
Next, we create the NAT pool. Because all three VLANs share the WAN address, a single pool containing just that one address is enough, so the start and end addresses of the pool are both 1.1.1.2 (the /30 netmask matches the WAN link).
Router(config)#ip nat pool timigate 1.1.1.2 1.1.1.2 netmask 255.255.255.252
Then configure the NAT statements. Each statement references the access-list for one VLAN and the shared pool, with the overload keyword so that many private addresses can share the one public address (port address translation). Keep in mind that these access-lists only decide which source addresses get translated; they are not a firewall policy, and a packet from a subnet none of them matches is routed out untranslated with its private source address. See below.
Router(config)#ip nat inside source list 10 pool timigate overload
Router(config)#ip nat inside source list 20 pool timigate overload
Router(config)#ip nat inside source list 30 pool timigate overload
The final step is to mark the inside and outside interfaces. This is where most people run into trouble: they put ip nat inside on the physical LAN interface instead of on the sub-interfaces. With router-on-a-stick, the VLAN traffic is routed on the dot1Q sub-interfaces, so each sub-interface must be marked as a NAT inside interface; marking only the physical f0/0 does nothing for them. The WAN interface is the outside interface. See below.
Router(config)#int f0/1
Router(config-if)#ip nat outside
Router(config-if)#int f0/0.10
Router(config-subif)#ip nat inside
Router(config-subif)#int f0/0.20
Router(config-subif)#ip nat inside
Router(config-subif)#int f0/0.30
Router(config-subif)#ip nat inside
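The pieces above, put together into one complete configuration. This is an added example, not the configuration from the original post, and it fills in what the post leaves implicit: the dot1Q sub-interfaces with their addresses, the WAN address and a default route. The interface names (f0/0 to the LAN switch, f0/1 to the ISP), the .1 gateway address in each VLAN, the ISP router at 1.1.1.1 and the 1.1.1.0/30 WAN link are assumptions; the ACL numbers, pool name and NAT statements are the post's own.

```cisco
! Added example (not from the original post): router-on-a-stick with NAT overload for
! three VLANs, in one place. Assumptions not stated in the post: f0/0 is the trunk to the
! LAN switch, f0/1 is the WAN link, each VLAN gateway is the .1 address of its subnet,
! the ISP router is 1.1.1.1 and the WAN link is 1.1.1.0/30.
hostname Router
!
! One sub-interface per VLAN (dot1Q tags 10, 20, 30). These, not f0/0 itself, carry the
! routed VLAN traffic, so they are the NAT inside interfaces.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! WAN link to the ISP: the NAT outside interface, holding the public address.
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 no shutdown
!
! Default route toward the ISP so translated traffic has somewhere to go.
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Which private sources are eligible for translation (one standard ACL per VLAN).
! Anything these do not match is routed out untranslated, not blocked.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
!
! Single-address pool: start and end are both the WAN address.
ip nat pool timigate 1.1.1.2 1.1.1.2 netmask 255.255.255.252
!
! PAT: many private addresses share 1.1.1.2, told apart by translated source port.
ip nat inside source list 10 pool timigate overload
ip nat inside source list 20 pool timigate overload
ip nat inside source list 30 pool timigate overload
!
! The common mistake, shown for contrast. On its own this does NOT translate the VLANs'
! traffic, because their packets arrive on the sub-interfaces, not on f0/0:
!   interface FastEthernet0/0
!    ip nat inside
end
```

Two notes on the design. Since the pool holds only the WAN interface's own address, `ip nat inside source list 10 interface FastEthernet0/1 overload` is equivalent and has the advantage of following the interface address if it changes (for example a DHCP-assigned WAN address). Keeping one ACL and one NAT statement per VLAN, rather than one ACL with three permit lines, is what lets you later point a single VLAN at a different pool or public IP without touching the others. After pasting the configuration, `show ip nat statistics` should list the three sub-interfaces (not f0/0) under inside interfaces and f0/1 under outside interfaces; if f0/0 appears there instead, the mistake described above is the cause.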
Verification
To verify that NAT is working, turn on debugging on the router with the debug ip nat command, then ping the ISP router (1.1.1.1) from a computer on one of the LANs. The translation messages are printed on the core router. Switch debugging off again afterwards with undebug all; debug output on a busy router is expensive. For a check that does not need debugging, show ip nat translations lists the active translation entries and show ip nat statistics shows the inside and outside interfaces together with hit and miss counts.
In the debug output, the source address 192.168.10.3 is translated to 1.1.1.2 as the packet heads out to destination 1.1.1.1, and the next line shows the reverse: the reply from 1.1.1.1 to 1.1.1.2 has its destination translated back to 192.168.10.3 before being forwarded into VLAN 10.