Destination NAT Configuration

This section describes how to configure Destination NAT. This feature is used to publish an internal address as a public IP address. In our example, the private host 10.0.0.1 will be mapped to an address on the WAN network. This is commonly used to make a private server available on public networks.

The steps needed to enable the iMX950 security features must have been performed. This document assumes that the steps listed in the Configuring the Security Application section were performed.

For reference, the network used for these exercises is as shown:



  1. From Host B (10.0.0.2) you should be able to ping Host A (192.168.13.100):

    ping 192.168.13.100

    The pings will be successful.

  2. In this example, DNAT will be used to expose Host A (192.168.13.100) as IP address 10.0.0.110 on the public WAN network.
    1. Execute the following commands:

      iS5comm# configure terminal

      iS5comm(config)# set ip nat enable

      iS5comm(config)# interface gigabitethernet 0/3

      iS5comm(config-if)# ip nat dest 10.0.0.110 ip 192.168.13.100

      iS5comm(config-if)# exit

      iS5comm(config)# exit

      iS5comm# show run nat

    Text similar to the following will appear in the terminal:



  3. Test the NAT configuration.
    1. Ping from Host B (10.0.0.2) to 10.0.0.110.

    The pings will succeed and will be received by 192.168.13.100. Running a program such as Wireshark on Host A will provide evidence of this.

  4. View the rules that were set up in earlier steps. Enter the following:

    iS5comm# show ip nat rules

    The following will appear.



  5. To remove the Destination NAT configuration, perform the following steps.
    1. Execute these commands:

      iS5comm# configure terminal

      iS5comm(config)# set ip nat disable

      iS5comm(config)# interface gigabitethernet 0/3

      iS5comm(config-if)# no ip nat dest 10.0.0.110 ip 192.168.13.100

      iS5comm(config-if)# exit

      iS5comm(config)# exit

    The Destination NAT configuration has been removed.

  6. As an optional exercise, it is possible to configure destination NAT for specific protocols and port numbers:

    ip nat dest 10.0.0.110 tcp port 80 192.168.13.100 port 8080

    The above command line will map the ingress IP (10.0.0.110), TCP port 80, to IP address 192.168.13.100 and port 8080.
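
The difference in exposure between the whole-host mapping from step 2 and the port-scoped mapping from step 6, as an added example (not part of the original guide and not vendor code): a small Python model that parses the two `ip nat dest` forms shown above and reports where a packet sent to 10.0.0.110 ends up. It assumes generic destination NAT semantics, where a whole-host rule forwards every protocol and port unchanged and a port-scoped rule forwards only the named one; the names `Rule`, `parse_rule` and `translate` are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# The two rule forms shown on this page (the protocol keyword is matched generically).
PORT_RULE = re.compile(r"ip nat dest (\S+) (\w+) port (\d+) (\S+) port (\d+)$")
HOST_RULE = re.compile(r"ip nat dest (\S+) ip (\S+)$")

class Rule(NamedTuple):
    public_ip: str
    proto: Optional[str]         # None = whole-host mapping (assumed: all protocols/ports)
    public_port: Optional[int]
    private_ip: str
    private_port: Optional[int]

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one CLI line (prompt allowed); return None for non-rule or malformed lines."""
    cmd = " ".join(line.split("#", 1)[-1].split())   # drop prompt, normalise spaces
    try:
        if m := PORT_RULE.match(cmd):
            pub, proto, pport, priv, dport = m.groups()
            rule = Rule(pub, proto, int(pport), priv, int(dport))
        elif m := HOST_RULE.match(cmd):
            rule = Rule(m[1], None, None, m[2], None)
        else:
            return None                               # includes "no ip nat dest ..." lines
        ipaddress.ip_address(rule.public_ip)          # reject malformed addresses
        ipaddress.ip_address(rule.private_ip)
        return rule
    except ValueError:
        return None

def translate(rules, dst_ip, proto, dst_port):
    """Model DNAT: return the (ip, port) a packet is rewritten to, or None if untouched."""
    for r in (r for r in rules if r.public_ip == dst_ip):
        if r.proto is None:                           # whole-host: port is preserved
            return (r.private_ip, dst_port)
        if (r.proto, r.public_port) == (proto, dst_port):
            return (r.private_ip, r.private_port)
    return None

# Constructed sample input: the two commands from this page, one per configuration.
HOST_WIDE = [parse_rule("iS5comm(config-if)# ip nat dest 10.0.0.110 ip 192.168.13.100")]
PORT_ONLY = [parse_rule("ip nat dest 10.0.0.110 tcp port 80 192.168.13.100 port 8080")]

if __name__ == "__main__":
    for name, rules in (("host-wide", HOST_WIDE), ("port-only", PORT_ONLY)):
        print(name, [translate(rules, "10.0.0.110", "tcp", p) for p in (80, 22)])
```

Under these assumptions the whole-host rule carries TCP port 22 through to 192.168.13.100 as well as port 80, while the port-scoped rule translates only TCP port 80, which is the narrower exposure when a single service is being published.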

In this section you set up a Destination NAT, and then removed it. Well done!