NAT configuration on MSR20 routers

Hello Guys.


I have an MSR20 router and I need to configure NAT on it so that my internal clients can use the public IP address of the router when accessing the internet. What are the configuration commands for doing this? Please help.

Re: NAT configuration on MSR20 routers

There are a ton of ways to configure NAT for either inbound or outbound usage.  I'll include a very basic one that does PAT (port address translation) that you can use on your MSR20; however, note that it's only one of MANY ways to accomplish NAT.


http://www.h3c.com/portal/products___solutions/technology/security_and_vpn/technology_white_paper/200808/613642_57_0.htm describes many of the different methods that can be used to represent NAT (although no examples on that whitepaper... blah)


# only overloading a single address. You could specify a range if you expect more than 60k connections through this
# NAT device.  Note that even a single web page could temporarily use half a dozen connections to build the page.
nat address-group 1

# Only allow machines in the range of - to NAT outbound. Deny all others
acl number 2001 name authorized_nat_outbound
  # First off, deny addresses in the range that are not authorized
  rule 100 deny source logging
  # ...then authorize the rest of the block
  rule 110 permit source
  # Deny everything else
  rule 999 deny logging

acl number 3001 name inbound-from-public
  # First off permit the VRRP protocol to be transmitted
  rule 100 permit 112
  # We know for a fact that we want to block out all "faked" transport packets from ever entering
  rule 110 deny ip destination logging
  rule 120 deny ip destination logging
  rule 130 deny ip destination logging
  # ... additionally deny anything sourced from an RFC1918 address
  rule 140 deny ip source logging
  rule 150 deny ip source logging
  rule 160 deny ip source logging
  # Specifically allow some "router initiated things" to return to the router (such as NTP)
  rule 200 permit udp destination 0 destination-port eq ntp
  # Allow specific protocols inbound to our site
  rule 300 permit tcp established
  rule 310 permit tcp destination 0 destination-port eq 80
  rule 320 permit tcp destination 0 destination-port eq 443
  # Allow various types of ICMP probing or ICMP returns to occur.  This
  # should be reviewed for security concerns vs operation validation needs.
  rule 950 permit icmp icmp-type echo
  rule 955 permit icmp icmp-type echo-reply
  rule 960 permit icmp icmp-type port-unreachable
  rule 965 permit icmp icmp-type net-unreachable
  rule 970 permit icmp icmp-type ttl-exceeded
  rule 975 deny icmp logging
  # By default, everything else is invalid
  rule 999 deny ip logging

interface Ethernet 0/0
 port link-mode route
 description Public Connection to the Internet
 firewall packet-filter name inbound-from-public inbound
 nat outbound static
 nat outbound 2001 address-group 1
 nat server protocol tcp global www inside www
 nat server protocol tcp global 443 inside 443
 ip address

interface Ethernet 0/1
 port link-mode route
 ip address

ip route-static

ntp-service source-interface Ethernet 0/0
ntp-service unicast-server
ntp-service unicast-server
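To see how rule order in acl 3001 above decides a packet's fate, here is an added Python model of that ACL (not part of the original post or of H3C's code): it walks the rules first-match in number order, as Comware's default config match order does, over a few constructed packets. The post leaves its addresses blank, so the router's public address is a stand-in, RFC1918 blocks stand in for both the destination and source checks, and rules 110-130 and 140-160 are collapsed to one predicate each (all assumptions).

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the post leaves its addresses blank (assumption).
ROUTER_IP = "203.0.113.1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_ALLOWED = {"echo", "echo-reply", "port-unreachable", "net-unreachable", "ttl-exceeded"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" or an IP protocol number as text
    dport: int = 0
    icmp_type: str = ""
    established: bool = False  # TCP ACK or RST set, which is what "established" keys on


def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)


# acl 3001 from the post as (rule number, action, predicate). Rules 110-130 and
# 140-160 are collapsed into one predicate each over the RFC1918 blocks (assumption).
INBOUND_FROM_PUBLIC = [
    (100, "permit", lambda p: p.proto == "112"),                          # VRRP
    (110, "deny",   lambda p: in_any(p.dst, RFC1918)),                    # "faked" destinations
    (140, "deny",   lambda p: in_any(p.src, RFC1918)),                    # private source from outside
    (200, "permit", lambda p: p.proto == "udp" and p.dst == ROUTER_IP and p.dport == 123),
    (300, "permit", lambda p: p.proto == "tcp" and p.established),        # replies to PAT'd sessions
    (310, "permit", lambda p: p.proto == "tcp" and p.dst == ROUTER_IP and p.dport == 80),
    (320, "permit", lambda p: p.proto == "tcp" and p.dst == ROUTER_IP and p.dport == 443),
    (950, "permit", lambda p: p.proto == "icmp" and p.icmp_type in ICMP_ALLOWED),
    (975, "deny",   lambda p: p.proto == "icmp"),
    (999, "deny",   lambda p: True),                                      # catch-all
]


def evaluate(acl, pkt):
    """First match wins, walking rules in number order (Comware's default config
    match order). Returns (rule number, action); None means no rule matched and
    the interface's default packet-filter action would apply."""
    for number, action, matches in sorted(acl, key=lambda r: r[0]):
        if matches(pkt):
            return number, action
    return None, "no-match"
```

Note that the spoofed packet to port 80 is stopped by rule 140 before rule 310 is ever consulted; moving the anti-spoofing denies below the service permits would silently change that.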