While some IP addresses are routable through the public Internet, other IP addresses (those defined by RFC 1918) are private and are intended for use within an organization. Network Address Translation (NAT) allows private IP addresses to be translated into Internet-routable IP addresses (that is, public IP addresses).
Names of NAT IP Addresses
Dynamic NAT Configuration
Step 1: Create an access control list (ACL) to match the inside local addresses to be translated. While you could use either a named or numbered ACL and either a standard or an extended ACL, the command to create a standard numbered ACL (in global configuration mode) is access-list <1-99> permit <network_address> <wildcard_mask>.
Step 2: Define a NAT pool containing the available inside global addresses by issuing the ip nat pool <pool_name> <starting_ip> <ending_ip> netmask <subnet_mask> command in global configuration mode.
Step 3: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).
Step 4: Specify that an interface is an outside interface, with the ip nat outside command (in interface configuration mode).
Step 5: Associate the ACL (identifying the inside local addresses) with the NAT pool (identifying the inside global addresses) using the ip nat inside source list <acl> pool <nat_pool> command (in global configuration mode).
Static NAT Configuration
Step 1: Create one or more inside local address to inside global address mappings with the ip nat inside source static <inside_local_address> <inside_global_address> command in global configuration mode.
Step 2: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).
Step 3: Specify that an interface is an outside interface with the ip nat outside command (in interface configuration mode).
PAT
Step 1: Create an access control list (ACL) to match the inside local addresses to be translated. While you could use either a named or numbered ACL and either a standard or an extended ACL, the command to create a standard numbered ACL (in global configuration mode) is access-list <1-99> permit <network_address> <wildcard_mask>.
Step 2: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).
Step 3: Specify that an interface is an outside interface with the ip nat outside command (in interface configuration mode).
Step 4: Associate the ACL (identifying the inside local addresses) with the router’s outside interface, and enable overloading with the ip nat inside source list <acl> interface <outside_interface> overload command (in global configuration mode).
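The three procedures above, modelled in Python as an added example (this is not Cisco code and not part of the original post): a static mapping, a dynamic pool that counts a miss once its addresses are used up, and PAT on a single interface address. Pool and server addresses are the lab's; the host counts, ports and destination are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]    # (src_ip, src_port, dst_ip, dst_port)
Result = Optional[Tuple[str, int]]  # (address, port) the packet leaves with


@dataclass
class NatRouter:
    """Toy inside-source NAT implementing the three modes from the steps above."""
    static: Dict[str, str] = field(default_factory=dict)   # local -> global, every port
    acl: List[str] = field(default_factory=list)           # inside networks to translate
    pool: List[str] = field(default_factory=list)          # free inside global addresses
    overload_ip: Optional[str] = None                      # set for PAT (interface ... overload)
    dynamic: Dict[str, str] = field(default_factory=dict)  # current local -> pool address
    pat_ports: Dict[Flow, int] = field(default_factory=dict)
    next_port: int = 1024
    misses: int = 0

    def permitted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.acl)

    def translate(self, flow: Flow) -> Result:
        src_ip, src_port, _, _ = flow
        if src_ip in self.static:            # static: fixed address, every port follows
            return self.static[src_ip], src_port
        if not self.permitted(src_ip):       # ACL did not match: forwarded untranslated
            return src_ip, src_port
        if self.overload_ip:                 # PAT: one address, a unique port per flow
            if flow not in self.pat_ports:
                self.pat_ports[flow] = self.next_port
                self.next_port += 1
            return self.overload_ip, self.pat_ports[flow]
        if src_ip not in self.dynamic:       # dynamic: one pool address per inside host
            if not self.pool:                # pool exhausted: packet dropped, miss counted
                self.misses += 1
                return None
            self.dynamic[src_ip] = self.pool.pop(0)
        return self.dynamic[src_ip], src_port


def demo() -> dict:
    """Constructed scenario: six LAN hosts behind a five-address pool vs. PAT."""
    out = {}
    hq = NatRouter(static={"10.10.20.238": "209.165.200.238"},  # email server, as in the lab
                   acl=["10.10.10.0/24"],
                   pool=[f"209.165.200.{h}" for h in range(233, 238)])
    for i in range(1, 7):
        out[f"10.10.10.{i}"] = hq.translate((f"10.10.10.{i}", 40000, "209.165.202.129", 80))
    out["server"] = hq.translate(("10.10.20.238", 25, "209.165.202.129", 25000))
    out["hq_misses"] = hq.misses
    branch = NatRouter(acl=["192.168.1.0/24"], overload_ip="209.165.200.242")  # PAT on Serial2/1
    for i in range(1, 7):
        out[f"192.168.1.{i}"] = branch.translate((f"192.168.1.{i}", 40000, "209.165.202.129", 80))
    out["branch_misses"] = branch.misses
    return out


if __name__ == "__main__":
    for host, result in demo().items():
        print(host, result)
```

The sixth LAN host gets no translation from the five-address pool (a miss in show ip nat statistics), while PAT serves all six from one interface address.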
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#hostname HQ
HQ(config)#interface loop 0
HQ(config-if)#
*Jul 11 11:08:00.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
HQ(config-if)#description ### HQ LAN ###
HQ(config-if)#ip address 10.10.10.1 255.255.255.0
HQ(config-if)#
HQ(config-if)#interface loop 1
HQ(config-if)#
*Jul 11 11:08:13.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
HQ(config-if)#description ### EMAIL SERVER ###
HQ(config-if)#ip address 10.10.20.238 255.255.255.255
HQ(config-if)#
HQ(config-if)#interface serial 2/0
HQ(config-if)#description ### TO ISP ###
HQ(config-if)#ip address 209.165.200.226 255.255.255.248
HQ(config-if)#no shut
HQ(config-if)#
*Jul 11 11:09:50.615: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
HQ(config-if)#
*Jul 11 11:09:51.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
HQ(config-if)#end
HQ#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#hostname ISP
ISP(config)#interface loop 0
ISP(config-if)#
*Jul 11 11:26:13.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
ISP(config-if)#description ### INTERNET ###
ISP(config-if)#ip address 209.165.202.129 255.255.255.240
ISP(config-if)#
ISP(config-if)#interface serial 2/0
ISP(config-if)#description ### TO HQ ###
ISP(config-if)#ip address 209.165.200.225 255.255.255.248
ISP(config-if)#no shut
ISP(config-if)#
*Jul 11 11:27:37.067: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
ISP(config-if)#
*Jul 11 11:27:38.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
ISP(config-if)#do ping 209.165.200.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/33/56 ms
ISP(config-if)#
ISP(config-if)#interface serial 2/1
ISP(config-if)#description ### TO BRANCH ###
ISP(config-if)#ip address 209.165.200.241 255.255.255.248
ISP(config-if)#no shut
ISP(config-if)#
*Jul 11 11:28:21.771: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
ISP(config-if)#
*Jul 11 11:28:22.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
ISP(config-if)#
*Jul 11 11:28:43.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to down
ISP(config-if)#ip route 209.165.200.232 255.255.255.248 s2/0
ISP(config)#ip route 209.165.200.248 255.255.255.248 s2/1
ISP(config)#end
ISP#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#hostname Branch
Branch(config)#interface loop 0
Branch(config-if)#
*Jul 11 11:35:08.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Branch(config-if)#description ### BRANCH LAN ###
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#
Branch(config-if)#interface serial 2/1
Branch(config-if)#description ### TO ISP ###
Branch(config-if)#ip address 209.165.200.242 255.255.255.248
Branch(config-if)#no shut
Branch(config-if)#
*Jul 11 11:36:11.543: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
Branch(config-if)#
*Jul 11 11:36:12.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
Branch(config-if)#do ping 209.165.200.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms
Branch(config-if)#end
Branch#
HQ#show ip interface brief | inc up
Serial2/0                  209.165.200.226 YES manual up                    up
Loopback0                  10.10.10.1      YES manual up                    up
Loopback1                  10.10.20.238    YES manual up                    up
HQ#
HQ#show interface description | inc up
Se2/0                          up             up       ### TO ISP ###
Lo0                            up             up       ### HQ LAN ###
Lo1                            up             up       ### EMAIL SERVER ###
ISP#show ip interface brief | inc up
Serial2/0                  209.165.200.225 YES manual up                    up
Serial2/1                  209.165.200.241 YES manual up                    up
Loopback0                  209.165.202.129 YES manual up                    up
ISP#
ISP#show interface description | inc up
Se2/0                          up             up       ### TO HQ ###
Se2/1                          up             up       ### TO BRANCH ###
Lo0                            up             up       ### INTERNET ###
Branch#show ip interface brief | inc up
Serial2/1                  209.165.200.242 YES manual up                    up
Loopback0                  192.168.1.1     YES manual up                    up
Branch#
Branch#show interface description | inc up
Se2/1                          up             up       ### TO ISP ###
Lo0                            up             up       ### BRANCH LAN ###
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds: // NO ROUTE CONFIGURED
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds: // NO ROUTE CONFIGURED
.....
Success rate is 0 percent (0/5)
HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.225 // CONFIGURE DEFAULT ROUTE TO ISP HOP
HQ(config)#end
HQ#
Branch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.241 // CONFIGURE DEFAULT ROUTE TO ISP HOP
Branch(config)#end
Branch#
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/44 ms
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)
Branch#ping 209.165.200.226 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)
HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#ip access-list extended HQ-NAT-ACL
HQ(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any // NAT ACL
HQ(config-ext-nacl)#exit
HQ(config)#ip nat ?
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  portmap            Define portmap of portranges
  service            Special translation for application using non-standard port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration
HQ(config)#ip nat pool ?
  WORD  Pool name
HQ(config)#ip nat pool HQ-NAT-POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 ?
  A.B.C.D  End IP address
HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length ?
  <1-32>  Prefix length
HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length 29 // NAT POOL
HQ(config)#
*Jul 11 11:48:36.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
HQ(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
HQ(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
HQ(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses
HQ(config)#ip nat inside source list HQ-NAT-ACL ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
HQ(config)#ip nat inside source list HQ-NAT-ACL pool ?
  WORD  Pool name for global addresses
HQ(config)#ip nat inside source list HQ-NAT-ACL pool HQ-NAT-POOL // BIND NAT ACL AND NAT POOL
HQ(config)#
HQ(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
HQ(config)#ip nat inside source static 10.10.20.238 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address
HQ(config)#ip nat inside source static 10.10.20.238 209.165.200.238 // STATIC NAT FOR EXTERNAL CLIENT
HQ(config)#
HQ(config)#interface loop 0
HQ(config-if)#ip nat inside // IDENTIFY INSIDE NAT INTERFACE FOR HQ LAN
HQ(config-if)#
HQ(config-if)#interface loop 1
HQ(config-if)#ip nat inside // IDENTIFY INSIDE NAT INTERFACE FOR HQ EMAIL SERVER
HQ(config-if)#
HQ(config-if)#interface serial 2/0
HQ(config-if)#ip nat outside // IDENTIFY OUTSIDE NAT INTERFACE
HQ(config-if)#end
HQ#
Branch#conf t // CONFIGURE NAT FOR BRANCH ROUTER
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#ip access-list extended BRANCH-NAT-ACL
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Branch(config-ext-nacl)#exit
Branch(config)#ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.254 prefix-length 29
Branch(config)#
*Jul 11 11:55:07.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Branch(config)#
Branch(config)#ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
Branch(config)#
Branch(config)#interface loop 0
Branch(config-if)#ip nat inside
Branch(config-if)#
Branch(config-if)#interface serial 2/1
Branch(config-if)#ip nat outside
Branch(config-if)#end
Branch#
*Jul 11 12:10:24.099: %SYS-5-CONFIG_I: Configured from console by console
Branch#
Branch#show ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries
Branch#show ip nat translations
Branch#
Branch#show ip nat statistics // VERIFY NAT
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
  Serial2/1
Inside interfaces:
  Loopback0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list BRANCH-NAT-ACL pool BRANCH-NAT-POOL refcount 0
 pool BRANCH-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.249 end 209.165.200.254
        type generic, total addresses 6, allocated 0 (0%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/68 ms
Branch#show ip nat statistics
Total active translations: 4 (0 static, 4 dynamic; 3 extended)
Peak translations: 4, occurred 00:00:32 ago
Outside interfaces:
  Serial2/1
Inside interfaces:
  Loopback0
Hits: 30  Misses: 0
CEF Translated packets: 15, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list BRANCH-NAT-ACL pool BRANCH-NAT-POOL refcount 4
 pool BRANCH-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.249 end 209.165.200.254
        type generic, total addresses 6, allocated 1 (16%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Branch#show ip nat translations // VERIFY ACTIVE NAT (PAT) TRANSLATIONS
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.165.200.249:11 192.168.1.1:11    209.165.200.241:11 209.165.200.241:11
icmp 209.165.200.249:12 192.168.1.1:12    209.165.202.129:12 209.165.202.129:12
icmp 209.165.200.249:13 192.168.1.1:13    209.165.200.226:13 209.165.200.226:13
--- 209.165.200.249    192.168.1.1        ---                ---
Branch#telnet 209.165.200.238 80 /source-interface loop 0 // INITIATE STATIC NAT TRAFFIC TO HQ EMAIL SERVER
Trying 209.165.200.238, 80 ...
% Connection refused by remote host
Branch#telnet 209.165.200.238 23 /source-interface loop 0
Trying 209.165.200.238 ... Open
HQ#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.238    10.10.20.238       ---                ---
HQ#show ip nat statistics
Total active translations: 4 (1 static, 3 dynamic; 3 extended)
Peak translations: 4, occurred 00:00:33 ago
Outside interfaces:
  Serial2/0
Inside interfaces:
  Loopback0, Loopback1
Hits: 21  Misses: 0
CEF Translated packets: 12, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list HQ-NAT pool HQ-NAT-POOL refcount 0
 pool HQ-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.233 end 209.165.200.237
        type generic, total addresses 5, allocated 0 (0%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
HQ#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.200.238:23 10.10.20.238:23    209.165.200.249:57553 209.165.200.249:57553
tcp 209.165.200.238:80 10.10.20.238:80    209.165.200.242:22962 209.165.200.242:22962
tcp 209.165.200.238:80 10.10.20.238:80    209.165.200.249:17221 209.165.200.249:17221
--- 209.165.200.238    10.10.20.238       ---                ---
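A parser and review helper for the show ip nat translations layout printed above, added here as an example (not a Cisco tool and not from the original post); the sample table is constructed from the HQ and Branch rows on this page. It separates per-flow (extended) rows from whole-address rows: a static mapping without a protocol and port, like the email server's, translates every port of the inside host, which is worth comparing against the port-specific tcp/udp forms that ip nat inside source static ? offers.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the layout shown above (rows taken from the HQ and Branch tables).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.200.238:23 10.10.20.238:23    209.165.200.249:57553 209.165.200.249:57553
tcp 209.165.200.238:80 10.10.20.238:80    209.165.200.242:22962 209.165.200.242:22962
icmp 209.165.200.233:0 10.10.10.1:0       209.165.200.225:0  209.165.200.225:0
--- 209.165.200.233    10.10.10.1         ---                ---
--- 209.165.200.238    10.10.20.238       ---                ---
"""


class Endpoint(NamedTuple):
    ip: Optional[str]    # None where the column shows ---
    port: Optional[int]  # None for a whole-address entry


class Translation(NamedTuple):
    proto: Optional[str]  # None for a simple (whole-address) entry
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint


def parse_endpoint(token: str) -> Endpoint:
    """'209.165.200.238:23' -> (ip, 23); '209.165.200.238' -> (ip, None); '---' -> (None, None)."""
    if token == "---":
        return Endpoint(None, None)
    ip, _, port = token.partition(":")
    return Endpoint(ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    """Parse the five-column table; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto = None if fields[0] == "---" else fields[0]
        rows.append(Translation(proto, *map(parse_endpoint, fields[1:])))
    return rows


def whole_address_mappings(rows: List[Translation]) -> Dict[str, str]:
    """Inside local -> inside global for rows with no protocol, port or outside pair.
    This is how static mappings and dynamic pool allocations appear: the whole
    inside global address is bound to one inside host while the entry exists."""
    return {r.inside_local.ip: r.inside_global.ip for r in rows
            if r.proto is None and r.outside_global.ip is None}


def ports_reached(rows: List[Translation], inside_local: str) -> List[Tuple[str, int]]:
    """Protocol/port pairs on inside_local that outside hosts have actually used."""
    return sorted({(r.proto, r.inside_local.port) for r in rows
                   if r.proto and r.inside_local.ip == inside_local})


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    for local, glob in whole_address_mappings(table).items():
        print(f"{local} is reachable as {glob}; ports seen: {ports_reached(table, local)}")
```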
HQ#tclsh // PING TO PUBLIC IP ADDRESS USING HQ LAN IP 10.10.10.1/24
HQ(tcl)#foreach address {
+>(tcl)#209.165.200.225
+>(tcl)#209.165.200.242
+>(tcl)#209.165.202.129
+>(tcl)#} { ping $address source 10.10.10.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/25/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.242, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/64 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
HQ#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.165.200.233:0 10.10.10.1:0       209.165.200.225:0  209.165.200.225:0
icmp 209.165.200.233:1 10.10.10.1:1       209.165.200.242:1  209.165.200.242:1
icmp 209.165.200.233:2 10.10.10.1:2       209.165.202.129:2  209.165.202.129:2
--- 209.165.200.233    10.10.10.1         ---                ---
--- 209.165.200.238    10.10.20.238       ---                ---