Here is a quick tip on routing all traffic from a single inside local address to a single inside global address in Cisco IOS using PAT. This has been tested on a Cisco 1941 ISR G2 router running the 15.2(T) firmware. This tip is helpful for those who overlook the fact that static 1:1 NAT is not the only option for mapping an inside local address to an inside global address.
Take the following scenario: you are issued a /28 subnet of IPv4 addresses by your ISP, and you run a mail server in your DMZ that has a reverse PTR record for one of the inside global addresses in the /28. The topology is as follows:
- Inside Global Network (from ISP): 172.16.0.160/28
- LAN: 192.168.1.0/24
- DMZ: 192.168.2.0/24
- Mail Server (inside local): 192.168.2.15
- Inside Global PTR: 172.16.0.162 (mail.example.tld)
The trick is to set up an ip nat pool that contains a single inside global IP address:

```
router(config)#ip nat pool ISP162 172.16.0.162 172.16.0.162 netmask 255.255.255.240
```
The next step is to set up a standard access-list matching the inside local address of the mail server in the DMZ:

```
router(config)#access-list 10 permit 192.168.2.15
```
Next, we configure NAT overload (PAT) to perform the translation, and then write the running configuration to the startup config:

```
router(config)#ip nat inside source list 10 pool ISP162 overload
router(config)#do wr
router(config)#do cop r s ; lazy way of copy running-config startup-config ;-)
```
A quick test of the configuration change from a shell on the mail server (Linux or UNIX with curl installed) confirms the inside global address now in use:

```
mail ~ # curl whatismyip.akamai.com
172.16.0.162
```
Success!
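As an added worked example (not from the original post), here is the complete configuration this tip assumes, including the interface roles, a second PAT rule for the rest of the LAN and DMZ, and the show commands used to verify the mapping. The interface names, the router's outside address 172.16.0.161 and access-list 20 are assumptions; only the topology values above come from the post.

```cisco
! Assumed interface names (not from the original post):
!   GigabitEthernet0/0 faces the ISP, GigabitEthernet0/1 is the DMZ,
!   GigabitEthernet0/2 is the LAN.
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 172.16.0.161 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/1
 description DMZ
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Pool holding exactly one inside global address: the one the PTR points at.
ip nat pool ISP162 172.16.0.162 172.16.0.162 netmask 255.255.255.240
!
! ACL 10 matches only the mail server. ACL 20 (assumed) covers everything
! else and explicitly denies the mail server, so the two NAT rules never
! overlap and the outcome does not depend on rule ordering.
access-list 10 permit host 192.168.2.15
access-list 20 deny   host 192.168.2.15
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 permit 192.168.2.0 0.0.0.255
!
! Mail server -> 172.16.0.162 (PAT onto a single address).
ip nat inside source list 10 pool ISP162 overload
! Everyone else -> the outside interface address 172.16.0.161.
ip nat inside source list 20 interface GigabitEthernet0/0 overload
!
end
!
! Verification (exec mode) once the mail server has sent some traffic:
! show ip nat translations | include 192.168.2.15
!   every entry for 192.168.2.15 should show an inside global of 172.16.0.162:<port>
! show ip nat statistics
!   the Dynamic mappings section should list both access-list 10 and 20
```

If an entry for 192.168.2.15 ever shows 172.16.0.161 as its inside global address, the mail server matched ACL 20 instead of ACL 10, which is exactly what the deny line in ACL 20 is there to prevent.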