How to configure NAT on a Cisco router with multiple vlans

Configuring NAT for multiple vlans on a Cisco router is a challenge that many inexperienced Cisco network engineers have had to contend with at one stage or another of their careers. While NAT implementation itself is not a big deal, implementing it successfully on a Cisco router configured for multiple vlans can give you grief if you do not know what you are doing.

In my previous post, I showed how to configure DHCP on a Cisco router with multiple vlans. You can find it here. In this post, using a slightly modified version of the previous network topology, I will show how to configure NAT for multiple vlans on a Cisco router.

Network topology

[Figure: network topology for NAT with multiple vlans]

Objective

Our objective in this lab is to configure NAT for the three vlans represented in the network topology. We can NAT all three vlans to one public IP or to separate public IPs. For this demonstration, each vlan will be NATed to the public IP on the WAN interface of the router.

Public IPs to be used in the NAT for multiple vlans

Vlan 10: private subnet=192.168.10.0/24. Public IP=1.1.1.2

Vlan 20: private subnet=192.168.20.0/24. Public IP=1.1.1.2

Vlan 30: private subnet=192.168.30.0/24. Public IP=1.1.1.2


Configuring NAT for multiple vlans

First, we create three access-lists to match the private subnets.

Router(config)#access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)#access-list 20 permit 192.168.20.0 0.0.0.255
Router(config)#access-list 30 permit 192.168.30.0 0.0.0.255

Next, we create the NAT pool. Because all three vlans are translated to the same public IP, a single pool containing that one address is enough, and all three NAT statements will reference it.

Router(config)#ip nat pool timigate 1.1.1.2 1.1.1.2 netmask 255.255.255.252

Configure the NAT statements. Each statement references the corresponding access-list and the NAT pool for that vlan. See below.

Router(config)#ip nat inside source list 10 pool timigate overload
Router(config)#ip nat inside source list 20 pool timigate overload
Router(config)#ip nat inside source list 30 pool timigate overload

The final step is to define the inside and outside interfaces. This is where most people run into trouble: they mark the physical interface instead of the sub-interfaces. Where sub-interfaces are used for the vlans, those sub-interfaces must be the ones defined as the NAT inside interfaces. See below.

Router(config)#int f0/1
Router(config-if)#ip nat outside
Router(config-if)#int f0/0.10
Router(config-subif)#ip nat inside
Router(config-subif)#int f0/0.20
Router(config-subif)#ip nat inside
Router(config-subif)#int f0/0.30
Router(config-subif)#ip nat inside
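As an added check (written for this post, not a Cisco tool and not part of the original article), a short Python script that reads an IOS-style configuration and flags the mistakes described above: a mistyped pool address, a NAT statement that references an undefined access-list or pool, and "ip nat inside" placed on the physical interface instead of its sub-interfaces. The sample configuration inside it is constructed for the demonstration.

```python
import ipaddress
import re
# Constructed sample (hypothetical, not from the post): the post's layout with a
# mistyped pool address and 'ip nat inside' on the physical interface.
BROKEN_CONFIG = """
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat pool timigate 1.1.1.1.2 1.1.1.2 netmask 255.255.255.252
ip nat inside source list 10 pool timigate overload
ip nat inside source list 30 pool timigate overload
interface FastEthernet0/1
 ip nat outside
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/0.10
"""

def check_nat_config(config: str) -> list:
    """Return the problems found in an IOS-style NAT configuration, in order."""
    acls, pools, rules, inside, subifs, current = set(), {}, [], [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) permit ", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            if "." in current:              # sub-interface, e.g. FastEthernet0/0.10
                subifs.append(current)
        elif line == "ip nat inside" and current:
            inside.append(current)
    problems = []
    for name, (start, end) in pools.items():
        try:                                # catches typos such as 1.1.1.1.2
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        except ValueError:
            problems.append(f"pool {name}: invalid address in '{start} {end}'")
    for acl, pool in rules:                 # every statement needs a real list and pool
        for kind, key, known in (("access-list", acl, acls), ("pool", pool, pools)):
            if key not in known:
                problems.append(f"NAT rule for list {acl}: {kind} {key} is not defined")
    for intf in inside:                     # the mistake the post warns about
        if intf in {s.split(".")[0] for s in subifs}:
            problems.append(f"'ip nat inside' is on physical {intf}; mark its sub-interfaces instead")
    for sub in subifs:
        if sub not in inside:
            problems.append(f"sub-interface {sub} is not marked 'ip nat inside'")
    return problems
```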

Verification

To verify that NAT is working as it should, we turn on debugging on the router with the debug ip nat command, then run a ping from a computer on the LAN to the ISP router. The output below is displayed on the core router.

[Figure: debug ip nat output on the core router]

From the output above, we can see the source address 192.168.10.3 being translated to 1.1.1.2 as the packet heads out to destination 1.1.1.1. On the second line we see the reverse process: 1.1.1.1 going to destination 1.1.1.2 before the packet is directed back to 192.168.10.3.


Timigate

Ashioma Michael, a BSc (Computer Science)., MTCNA, CCNA, and CCNP holder with many years of industry-proven experience in network design, implementation and optimization. He has tutored and guided many professionals towards obtaining their Cisco certifications. Mike works as a senior network engineer with one of the leading internet service providers in West Africa.
