Friday, February 1, 2019

Configuring Dynamic and Static NAT

While most IP addresses are routable across the public Internet, the ranges defined by RFC 1918 are private and are intended for use only within an organization. Network Address Translation (NAT) translates those private IP addresses into Internet-routable (public) IP addresses.

Names of NAT IP Addresses



Dynamic NAT Configuration

Step 1: Create an access control list (ACL) to match the inside local addresses to be translated. You can use either a named or a numbered ACL and either a standard or an extended ACL; the command to create a standard numbered ACL (in global configuration mode) is access-list <1-99> permit <network_address> <wildcard_mask>.

Step 2: Define a NAT pool containing the available inside global addresses by issuing the ip nat pool <pool_name> <starting_ip> <ending_ip> netmask <subnet_mask> command in global configuration mode.

Step 3: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).

Step 4: Specify that an interface is an outside interface, with the ip nat outside command (in interface configuration mode).

Step 5: Associate the ACL (identifying the inside local addresses) with the NAT pool (identifying the inside global addresses) using the ip nat inside source list <acl> pool <nat_pool> command (in global configuration mode).


Static NAT Configuration
 
Step 1: Create one or more inside local address to inside global address mappings with the ip nat inside source static <inside_local_address> <inside_global_address> command in global configuration mode.

Step 2: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).

Step 3: Specify that an interface is an outside interface with the ip nat outside command (in interface configuration mode).


PAT Configuration

Step 1: Create an access control list (ACL) to match the inside local addresses to be translated. You can use either a named or a numbered ACL and either a standard or an extended ACL; the command to create a standard numbered ACL (in global configuration mode) is access-list <1-99> permit <network_address> <wildcard_mask>.

Step 2: Specify that an interface is an inside interface with the ip nat inside command (in interface configuration mode).

Step 3: Specify that an interface is an outside interface with the ip nat outside command (in interface configuration mode).

Step 4: Associate the ACL (identifying the inside local addresses) with the router’s outside interface, and enable overloading with the ip nat inside source list <acl> interface <outside_interface> overload command (in global configuration mode).
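As an added example that is not part of the original post, the Python check below models the address plan behind the dynamic and static procedures above using this lab's own values (the NAT ACL entries, pool commands, static mapping, outside interface addresses and the ISP's static routes that appear in the transcript further down): every pool address must be a usable host inside the pool's own netmask, the static inside global address must not fall inside the dynamic pool, nothing may collide with the outside interface, and each public address must be covered by the ISP route pointing back at the router, or replies never reach NAT at all. The function names and the dictionary layout are my own, not IOS or the author's.

```python
import ipaddress
import re

# Values taken from the lab's configuration: HQ's NAT ACL entry, pool command,
# static mapping, outside interface and the ISP static route back to HQ.
HQ_PLAN = dict(
    acl_line="permit ip 10.10.10.0 0.0.0.255 any",
    pool_cmd="ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length 29",
    static_cmd="ip nat inside source static 10.10.20.238 209.165.200.238",
    outside_if="209.165.200.226/29", isp_route="209.165.200.232/29")
# Branch has no static mapping, so only its dynamic pool must be routable.
BRANCH_PLAN = dict(
    acl_line="permit ip 192.168.1.0 0.0.0.255 any",
    pool_cmd="ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.254 prefix-length 29",
    static_cmd=None, outside_if="209.165.200.242/29", isp_route="209.165.200.248/29")

def wildcard_to_network(addr, wildcard):
    """ACL wildcard -> prefix (0.0.0.255 is a /24); non-contiguous wildcards have no prefix form."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)

def parse_pool(cmd):
    """'ip nat pool NAME START END netmask M | prefix-length N' -> (name, start, end, subnet)."""
    m = re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) (\S+)", cmd)
    name, start, end, mask = m.groups()
    start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return name, start, end, ipaddress.ip_network(f"{start}/{mask}", strict=False)

def check_plan(acl_line, pool_cmd, static_cmd, outside_if, isp_route):
    """Return a list of problems with one router's NAT address plan; [] means consistent."""
    problems = []
    inside = wildcard_to_network(*acl_line.split()[2:4])
    if not inside.is_private:
        problems.append(f"inside LAN {inside} is not an RFC 1918 range")
    name, start, end, subnet = parse_pool(pool_cmd)
    outside = ipaddress.ip_interface(outside_if)
    route = ipaddress.ip_network(isp_route)
    if start > end:
        problems.append(f"{name}: start {start} is after end {end}")
    public = [start, end]  # addresses the ISP must route back to this router
    if static_cmd:
        glob = ipaddress.IPv4Address(static_cmd.split()[-1])
        public.append(glob)
        if start <= glob <= end:
            problems.append(f"static inside global {glob} lies inside pool {name}")
    for a in public:
        if a not in subnet or a in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{a} is not a usable host in {subnet}")
        if a == outside.ip:
            problems.append(f"{a} collides with the outside interface address")
        if a not in route:
            problems.append(f"{a} is not covered by ISP route {route}; replies would be dropped")
    return problems

def check_all():
    """Both lab routers should come back clean."""
    return {"HQ": check_plan(**HQ_PLAN), "Branch": check_plan(**BRANCH_PLAN)}

if __name__ == "__main__":
    print(check_all())
```

PAT with `interface ... overload` uses the outside interface's own address as the only inside global address, so for that form the route check reduces to the interface's subnet and no pool is involved.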


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#hostname HQ
HQ(config)#interface loop 0
HQ(config-if)#
*Jul 11 11:08:00.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
HQ(config-if)#description ### HQ LAN ###
HQ(config-if)#ip address 10.10.10.1 255.255.255.0
HQ(config-if)#
HQ(config-if)#interface loop 1
HQ(config-if)#
*Jul 11 11:08:13.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
HQ(config-if)#description ### EMAIL SERVER ###
HQ(config-if)#ip address 10.10.20.238 255.255.255.255
HQ(config-if)#
HQ(config-if)#interface serial 2/0
HQ(config-if)#description ### TO ISP ###
HQ(config-if)#ip address 209.165.200.226 255.255.255.248
HQ(config-if)#no shut
HQ(config-if)#
*Jul 11 11:09:50.615: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
HQ(config-if)#
*Jul 11 11:09:51.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
HQ(config-if)#end
HQ#


R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#hostname ISP
ISP(config)#interface loop 0
ISP(config-if)#
*Jul 11 11:26:13.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
ISP(config-if)#description ### INTERNET ###
ISP(config-if)#ip address 209.165.202.129 255.255.255.240
ISP(config-if)#
ISP(config-if)#interface serial 2/0
ISP(config-if)#description ### TO HQ ###
ISP(config-if)#ip address 209.165.200.225 255.255.255.248
ISP(config-if)#no shut
ISP(config-if)#
*Jul 11 11:27:37.067: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
ISP(config-if)#
*Jul 11 11:27:38.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
ISP(config-if)#do ping 209.165.200.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/33/56 ms
ISP(config-if)#
ISP(config-if)#interface serial 2/1
ISP(config-if)#description ### TO BRANCH ###
ISP(config-if)#ip address 209.165.200.241 255.255.255.248
ISP(config-if)#no shut
ISP(config-if)#
*Jul 11 11:28:21.771: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
ISP(config-if)#
*Jul 11 11:28:22.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
ISP(config-if)#
*Jul 11 11:28:43.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to down
ISP(config-if)#ip route 209.165.200.232 255.255.255.248 s2/0
ISP(config)#ip route 209.165.200.248 255.255.255.248 s2/1
ISP(config)#end
ISP#


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#hostname Branch
Branch(config)#interface loop 0
Branch(config-if)#
*Jul 11 11:35:08.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Branch(config-if)#description ### BRANCH LAN ###
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#
Branch(config-if)#interface serial 2/1
Branch(config-if)#description ### TO ISP ###
Branch(config-if)#ip address 209.165.200.242 255.255.255.248
Branch(config-if)#no shut
Branch(config-if)#
*Jul 11 11:36:11.543: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
Branch(config-if)#
*Jul 11 11:36:12.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
Branch(config-if)#do ping 209.165.200.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms
Branch(config-if)#end
Branch#


HQ#show ip interface brief | inc up
Serial2/0                  209.165.200.226 YES manual up                    up     
Loopback0                  10.10.10.1      YES manual up                    up     
Loopback1                  10.10.20.238    YES manual up                    up     
HQ#
HQ#show interface description | inc up
Se2/0                          up             up       ### TO ISP ###
Lo0                            up             up       ### HQ LAN ###
Lo1                            up             up       ### EMAIL SERVER ###


ISP#show ip interface brief | inc up
Serial2/0                  209.165.200.225 YES manual up                    up     
Serial2/1                  209.165.200.241 YES manual up                    up     
Loopback0                  209.165.202.129 YES manual up                    up     
ISP#
ISP#show interface description | inc up
Se2/0                          up             up       ### TO HQ ###
Se2/1                          up             up       ### TO BRANCH ###
Lo0                            up             up       ### INTERNET ###


Branch#show ip interface brief | inc up
Serial2/1                  209.165.200.242 YES manual up                    up     
Loopback0                  192.168.1.1     YES manual up                    up     
Branch#
Branch#show interface description | inc up
Se2/1                          up             up       ### TO ISP ###
Lo0                            up             up       ### BRANCH LAN ###


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:     // NO ROUTE CONFIGURED
.....
Success rate is 0 percent (0/5) 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:   // NO ROUTE CONFIGURED
.....
Success rate is 0 percent (0/5)


HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.225        // CONFIGURE DEFAULT ROUTE TO ISP HOP
HQ(config)#end
HQ#


Branch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.241     // CONFIGURE DEFAULT ROUTE TO ISP HOP
Branch(config)#end
Branch#


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/44 ms


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:     
Packet sent with a source address of 192.168.1.1     // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1    // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)


Branch#ping 209.165.200.226 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1     // NEED NAT FOR HQ PRIVATE LAN
.....
Success rate is 0 percent (0/5)


HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#ip access-list extended HQ-NAT-ACL
HQ(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any      // NAT ACL
HQ(config-ext-nacl)#exit
HQ(config)#ip nat ? 
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  portmap            Define portmap of portranges
  service            Special translation for application using non-standard
                     port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration

HQ(config)#ip nat pool ?
  WORD  Pool name

HQ(config)#ip nat pool HQ-NAT-POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 ?                  
  A.B.C.D  End IP address

HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length ?    
  <1-32>  Prefix length

HQ(config)#ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length 29    // NAT POOL
HQ(config)#
*Jul 11 11:48:36.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
HQ(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

HQ(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

HQ(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

HQ(config)#ip nat inside source list HQ-NAT-ACL ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

HQ(config)#ip nat inside source list HQ-NAT-ACL pool ?
  WORD  Pool name for global addresses

HQ(config)#ip nat inside source list HQ-NAT-ACL pool HQ-NAT-POOL     // BIND NAT ACL AND NAT POOL
HQ(config)#
HQ(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

HQ(config)#ip nat inside source static 10.10.20.238 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

HQ(config)#ip nat inside source static 10.10.20.238 209.165.200.238    // STATIC NAT FOR EXTERNAL CLIENT
HQ(config)#
HQ(config)#interface loop 0
HQ(config-if)#ip nat inside      // IDENTIFY INSIDE NAT INTERFACE FOR HQ LAN
HQ(config-if)#
HQ(config-if)#interface loop 1
HQ(config-if)#ip nat inside      // IDENTIFY INSIDE NAT INTERFACE FOR HQ EMAIL SERVER
HQ(config-if)#
HQ(config-if)#interface serial 2/0
HQ(config-if)#ip nat outside      // IDENTIFY OUTSIDE NAT INTERFACE
HQ(config-if)#end
HQ#


Branch#conf t      // CONFIGURE NAT FOR BRANCH ROUTER
Enter configuration commands, one per line.  End with CNTL/Z.
Branch(config)#ip access-list extended BRANCH-NAT-ACL
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Branch(config-ext-nacl)#exit
Branch(config)#ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.254 prefix-length 29
Branch(config)#
*Jul 11 11:55:07.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Branch(config)#
Branch(config)#ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
Branch(config)#
Branch(config)#interface loop 0
Branch(config-if)#ip nat inside
Branch(config-if)#
Branch(config-if)#interface serial 2/1
Branch(config-if)#ip nat outside
Branch(config-if)#end
Branch#
*Jul 11 12:10:24.099: %SYS-5-CONFIG_I: Configured from console by console
Branch#
Branch#show ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries

Branch#show ip nat translations
Branch#

Branch#show ip nat statistics     // VERIFY NAT
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
  Serial2/1
Inside interfaces:
  Loopback0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list BRANCH-NAT-ACL pool BRANCH-NAT-POOL refcount 0
 pool BRANCH-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.249 end 209.165.200.254
        type generic, total addresses 6, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/68 ms


Branch#show ip nat statistics               
Total active translations: 4 (0 static, 4 dynamic; 3 extended)
Peak translations: 4, occurred 00:00:32 ago
Outside interfaces:
  Serial2/1
Inside interfaces:
  Loopback0
Hits: 30  Misses: 0
CEF Translated packets: 15, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list BRANCH-NAT-ACL pool BRANCH-NAT-POOL refcount 4
 pool BRANCH-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.249 end 209.165.200.254
        type generic, total addresses 6, allocated 1 (16%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Branch#show ip nat translations      // VERIFY ACTIVE NAT (PAT) TRANSLATIONS
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.165.200.249:11 192.168.1.1:11    209.165.200.241:11 209.165.200.241:11
icmp 209.165.200.249:12 192.168.1.1:12    209.165.202.129:12 209.165.202.129:12
icmp 209.165.200.249:13 192.168.1.1:13    209.165.200.226:13 209.165.200.226:13
--- 209.165.200.249    192.168.1.1        ---                ---



Branch#telnet 209.165.200.238 80 /source-interface loop 0    // INITIATE STATIC NAT TRAFFIC TO HQ EMAIL SERVER  
Trying 209.165.200.238, 80 ...
% Connection refused by remote host

Branch#telnet 209.165.200.238 23 /source-interface loop 0 
Trying 209.165.200.238 ... Open


HQ#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.238    10.10.20.238       ---                ---



HQ#show ip nat statistics 
Total active translations: 4 (1 static, 3 dynamic; 3 extended)
Peak translations: 4, occurred 00:00:33 ago
Outside interfaces:
  Serial2/0
Inside interfaces:
  Loopback0, Loopback1
Hits: 21  Misses: 0
CEF Translated packets: 12, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list HQ-NAT pool HQ-NAT-POOL refcount 0
 pool HQ-NAT-POOL: netmask 255.255.255.248
        start 209.165.200.233 end 209.165.200.237
        type generic, total addresses 5, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


HQ#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.200.238:23 10.10.20.238:23    209.165.200.249:57553 209.165.200.249:57553
tcp 209.165.200.238:80 10.10.20.238:80    209.165.200.242:22962 209.165.200.242:22962
tcp 209.165.200.238:80 10.10.20.238:80    209.165.200.249:17221 209.165.200.249:17221
--- 209.165.200.238    10.10.20.238       ---                ---


HQ#tclsh     // PING TO PUBLIC IP ADDRESS USING HQ LAN IP 10.10.10.1/24
HQ(tcl)#foreach address {
+>(tcl)#209.165.200.225
+>(tcl)#209.165.200.242
+>(tcl)#209.165.202.129
+>(tcl)#} { ping $address source 10.10.10.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/25/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.242, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/64 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms


HQ#show ip nat translations            
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.165.200.233:0 10.10.10.1:0       209.165.200.225:0  209.165.200.225:0
icmp 209.165.200.233:1 10.10.10.1:1       209.165.200.242:1  209.165.200.242:1
icmp 209.165.200.233:2 10.10.10.1:2       209.165.202.129:2  209.165.202.129:2
--- 209.165.200.233    10.10.10.1         ---                ---
--- 209.165.200.238    10.10.20.238       ---                ---
