Cisco IOS IP Masquerade (NAT Overload)

Running network address translation (NAT) on a Cisco router is actually quite simple; this page only covers the "overload" method. Doing this requires a few things:

  • A Cisco router with IOS that supports NAT (IOS Reference)
  • Basic knowledge of how to use a Cisco router with the command line
  • A functional network (duh)
  • At least two network interfaces (one public, one private)

You can get Cisco routers for a pretty good price off of eBay if you don't have one. All you need is at least two interfaces (Ethernet, serial, etc.) and sufficient RAM. RAM usage will vary with your network size and usage patterns, since reflexive access list entries (if you use them) and NAT table entries are built up as traffic flows.

I highly recommend Cisco routers; a 2600 series router is a great starting point: you can find them on eBay pretty easily, and there are all kinds of add-on cards for them. If you're looking for a little more punch, a 3600 series is good. Yes, these things are pricey, maybe overkill for a home network, but they are well worth it. For even more fun, pair these routers with a VLAN-capable managed switch, such as the Cisco Catalyst.

First we need to define our network layout in terms of internal and external interfaces. External interfaces are outside our NAT network, and internal interfaces are part of the NAT network. In this example, let's say we have Ethernet0/0 and FastEthernet1/0. E0/0 faces our ISP and Fa1/0 serves our private network.

We need to do a few things on our router:

  • Configure interfaces
  • Set up NAT in overload mode
  • Create reflexive access lists (optional, but advised)

Configure Interfaces

! Enable routing
ip routing

! Classless and subnet-zero routing
ip classless
ip subnet-zero

! Route of last resort (where A.B.C.D is your default gateway)
ip route 0.0.0.0 0.0.0.0 A.B.C.D

! Configure E0/0 as external
!  (where A.B.C.D is the public IP address and netmask is its subnet mask)
int E0/0
 ip address A.B.C.D netmask
 ip nat outside
 no shutdown
!

! Configure Fa1/0 as internal with IP 192.168.1.1
int Fa1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
end

Set Up NAT in Overload Mode

In this example, we're going to use the class C 192.168.1.0/24 for our internal network, but you can use any private IP range that suits your needs. Now we enable NAT and tell it the range of addresses that are allowed to be translated; anything outside of that range will be denied. The range is needed because plain NAT (as opposed to IP masquerading) is a one-to-one system, where a pool of public IP addresses gets mapped to a pool of an equal number of private addresses. Here, however, we want to map a subnet (of any size) of private addresses behind a single public IP. In the Cisco world, this is the "overload" part.

! NAT, use int E0/0, with access list nat1, masq all under one IP (overload)
ip nat inside source list nat1 interface Ethernet0/0 overload

! This access list is used with the above statement to tell it 
!  what private address range to use and allow. Here we define the whole /24.
ip access-list standard nat1
 permit 192.168.1.0 0.0.0.255
 deny any
!
end

This should now work. On your private network, assign IP addresses using the router as your gateway.

Create Reflexive Access Lists

We want to do one last thing for security's sake: create a reflexive access list on the internal interface. If you have other local interfaces, this also keeps them from reaching the private network, which is supposed to be isolated; since the router knows those networks exist, it can and will route between them internally, which is normal. But back to our access list; here's our firewall:

ip access-list extended fw-internal1-in
! Allow pings
 permit icmp any any
! Reflexive access list: record every outbound LAN flow
 permit ip any any reflect reflexive-nat1
!
ip access-list extended fw-internal1-out
! Allow pings
 permit icmp any any
! Reflexive access list: allow only the return half of recorded flows
 evaluate reflexive-nat1
! Deny everything else
 deny ip any any log
!
end

It's a really simple firewall: it tracks traffic that left your network and only allows traffic back in if it is the return half of a connection your network started. You can add deny statements to fw-internal1-in (ahead of the reflect line) to keep specific traffic out of the reflexive list, or permit statements to fw-internal1-out if you want to allow specific things in. Finally, apply the access lists to the interface.

interface FastEthernet1/0
 ip access-group fw-internal1-in in
 ip access-group fw-internal1-out out
!
end

A point of confusion may be what Cisco calls "in" and "out" for access lists. "In" means packets arriving on the interface, while "out" means packets leaving through the interface. (Still confused? In the example above, traffic to a computer on your LAN is out on Fa1/0, and traffic from the LAN toward the internet is in.)
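To make the in/out directions and the reflexive behaviour concrete, here is an added Python model of the two access lists on Fa1/0 (example code, not part of the original page or Cisco IOS). Hosts, ports and the "permit"/"deny (logged)" result strings are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveFirewall:
    """Models fw-internal1-in / fw-internal1-out on Fa1/0 as written above."""

    def __init__(self):
        self.reflexive_nat1 = set()  # entries created by 'reflect reflexive-nat1'

    def inbound_from_lan(self, flow):
        """'in' on Fa1/0: packets from the LAN. ICMP hits 'permit icmp any any'
        first; everything else hits 'permit ip any any reflect reflexive-nat1',
        which records the mirror image of the flow so the reply can come back."""
        if flow.proto != "icmp":
            self.reflexive_nat1.add(Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport))
        return "permit"

    def outbound_to_lan(self, flow):
        """'out' on Fa1/0: packets toward the LAN. permit icmp, then
        'evaluate reflexive-nat1', then 'deny ip any any log'."""
        if flow.proto == "icmp" or flow in self.reflexive_nat1:
            return "permit"
        return "deny (logged)"


def demo():
    fw = ReflexiveFirewall()
    # A LAN host opens an HTTPS connection to a public server (constructed addresses).
    fw.inbound_from_lan(Flow("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    # The server's reply is the mirror of that flow, so the reflexive entry lets it in.
    reply = fw.outbound_to_lan(Flow("tcp", "203.0.113.5", 443, "192.168.1.10", 40000))
    # Unsolicited traffic to the same host was never reflected: denied and logged.
    unsolicited = fw.outbound_to_lan(Flow("tcp", "198.51.100.7", 51515, "192.168.1.10", 22))
    # Pings toward the LAN are allowed by the explicit 'permit icmp any any' line.
    ping = fw.outbound_to_lan(Flow("icmp", "198.51.100.7", 0, "192.168.1.10", 0))
    return reply, unsolicited, ping


if __name__ == "__main__":
    print(demo())  # ('permit', 'deny (logged)', 'permit')
```

Real IOS reflexive entries also age out after an idle timeout, which this model leaves out.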

It's that easy!