Allocating External Addresses Dynamically
Problem
You want to dynamically select addresses from a pool.
Solution
You can configure the router to automatically select global addresses from a pool as they are required:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#end
Router#
Discussion
This example is similar to Recipe 21.1. The important functional difference is that the internal devices will appear on the outside with different global addresses. The first internal device that makes an outbound connection will get the first address in the range, 172.16.1.100, the next one will get the next address, 172.16.1.101, and so forth.
You configure the range with the ip nat pool command:
Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0
Router(config)#ip nat inside source list 15 pool NATPOOL
In this case, the ip nat inside source command does not have the overload keyword. Without this keyword, once the pool of addresses is used up, the router responds to any additional requests with an ICMP host unreachable message. So once all of the addresses in the pool are in use, any additional devices that try to make connections through this router will simply fail. But if you include the overload keyword, the router will simply start over at the beginning of the range and allocate multiple interior addresses to each external one:
Router(config)#ip nat inside source list 15 pool NATPOOL overload
Once again, as in Recipe 21.1, any devices that are excluded by the access-list will simply not use this NAT rule. So the excluded devices will appear on the outside with their real (inside local) IP addresses.
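To make the allocation rules described above concrete, here is a small simulation (added for this discussion, not part of the recipe or of Cisco IOS) of a router carrying the single ip nat inside source list 15 pool NATPOOL rule. It reproduces the behaviour the text describes: permitted hosts take pool addresses in order, a 52nd host is refused with a host-unreachable response when the pool has no overload keyword, overload reuses the pool from the beginning, and hosts denied by access-list 15 pass through with their real address. The ACL, pool range and outside interface address are taken from the recipe; the port allocation in overload mode is a simplification of what IOS actually does and is labelled as such in the code.

```python
"""Simplified model of Cisco IOS dynamic NAT pool allocation.

Written to illustrate the recipe; constructed values mirror the recipe
and the allocation rules are a simplification of real IOS behaviour.
"""
import ipaddress

# Constructed to match the recipe: access-list 15, pool NATPOOL, Ethernet1/0.
ACL_15 = [ipaddress.ip_network("192.168.0.0/16")]
NATPOOL = ("172.16.1.100", "172.16.1.150")
OUTSIDE_IFACE = "172.16.1.2/24"


def pool_addresses(first, last):
    """Expand an 'ip nat pool' start/end pair into the list of usable addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def pool_in_outside_subnet(first, last, outside_iface):
    """True when the (contiguous) pool lies inside the outside interface's subnet.

    Checking both ends is enough because the pool is a contiguous range.
    """
    net = ipaddress.ip_interface(outside_iface).network
    return (ipaddress.ip_address(first) in net
            and ipaddress.ip_address(last) in net)


class DynamicNat:
    """One NAT router with a single 'ip nat inside source list ... pool' rule."""

    def __init__(self, acl, pool, overload=False, first_port=1024):
        self.acl = acl
        self.pool = pool_addresses(*pool)
        self.overload = overload
        self.free = list(self.pool)      # unused pool addresses, in pool order
        self.table = {}                  # translation table
        self.next_port = {a: first_port for a in self.pool}  # overload only
        self.rr = 0                      # position in the pool for overload mode
        self.unreachable = 0             # ICMP host unreachable responses sent

    def permitted(self, inside_local):
        """Does access-list 15 select this inside host for translation?"""
        ip = ipaddress.ip_address(inside_local)
        return any(ip in net for net in self.acl)

    def translate(self, inside_local, inside_port):
        """Return the (address, port) the packet leaves with, or None when the
        router must answer with ICMP host unreachable."""
        if not self.permitted(inside_local):
            # Denied by the ACL: the packet is not translated at all.
            return (inside_local, inside_port)
        if not self.overload:
            # Dynamic NAT: one pool address per inside host, first come first served.
            if inside_local in self.table:
                return (self.table[inside_local], inside_port)
            if not self.free:
                self.unreachable += 1
                return None
            glob = self.free.pop(0)
            self.table[inside_local] = glob
            return (glob, inside_port)
        # Overload: per-flow mapping; once the range is exhausted it starts over
        # at the beginning and tells flows apart by port. (Simplified: IOS tries
        # to keep the original source port; this model always hands out the next
        # free port on the chosen address.)
        key = (inside_local, inside_port)
        if key not in self.table:
            glob = self.pool[self.rr % len(self.pool)]
            self.rr += 1
            port = self.next_port[glob]
            self.next_port[glob] += 1
            self.table[key] = (glob, port)
        return self.table[key]


def demo(hosts=52):
    """Send one flow from each of `hosts` inside hosts through a router without
    overload and one with it; returns both routers and their results."""
    strict = DynamicNat(ACL_15, NATPOOL)
    strict_results = [strict.translate(f"192.168.1.{i}", 40000 + i)
                      for i in range(1, hosts + 1)]
    pat = DynamicNat(ACL_15, NATPOOL, overload=True)
    pat_results = [pat.translate(f"192.168.1.{i}", 40000 + i)
                   for i in range(1, hosts + 1)]
    return strict, strict_results, pat, pat_results


if __name__ == "__main__":
    strict, sr, pat, pr = demo()
    print("pool size:", len(pool_addresses(*NATPOOL)))
    print("host 52 without overload:", sr[51], "unreachable sent:", strict.unreachable)
    print("host 52 with overload:", pr[51])
```

The 51-address pool is the interesting number: with 52 or more active inside hosts the non-overload configuration stops admitting new hosts entirely, which is worth monitoring for (the router's unreachable counter here stands in for what you would watch on a real box), whereas the overload configuration simply wraps around.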
Note that in this example, the IP address of the external interface is 172.16.1.2/24, and the pool of external addresses used for translation is 172.16.1.100 through 172.16.1.150. So the pool of NAT addresses is part of the same IP subnet as the external IP address of the NAT router. This is a common practice for Internet connections where the ISP assigns a range of global addresses. But it is not necessary.
Your NAT pool can be anything, as long as the external network knows to route traffic for the NAT addresses back to this router. This is particularly useful in cases when you need a larger pool than what is available in that one subnet. For an extreme example, we could easily have made our NAT pool span the entire range 10.0.0.0/8 to give us access to a huge number of external addresses. Of course, this range is not globally unique, so it can't be used on the public Internet:
Router(config)#ip nat pool NATPOOL 10.0.0.1 10.255.255.254 netmask 255.0.0.0
See Also
Recipe 21.1