Friday, 2 October 2015

Configuring NAT on Our Internetwork

Okay, now I’m going to go ahead and connect the link between our Corp router and the R3 router
using a 64.1.1.4/30 network and the LAN F0/0 link on the R3 router using the 64.1.1.8/30 network.
After NAT is working, I’ll then walk you through the verification commands I’ve been talking
about throughout this article.

Our inter network is shown in Figure 11.6, and the inside local addresses that I’ve been
using throughout this article are shown in Table 11.3.


I know—Figure 11.6 shows the same network we’ve been using, but there’s a difference
here. The connection between the Corp router and the R3 router is now using global PAT
addresses. They can’t talk because the other Corp connections have private IP addresses. (In
the real world, the ISP would block these, right? So let’s make this work!) Remember, we call
them “inside locals” when using NAT, meaning before translation, and our ISP is blocking the
private IP address ranges. What do we do? Well first we need to configure NAT on the Corp
router, so let’s get to work!



Now we all know we need to be able to communicate from all the networks connected
to the Corp router out to all the networks connected to the R3 router using the new global
address of 64.1.1.5/30. Right? You’re nodding your head yes—good! Here we go:
Corp#config t
Corp(config)#ip nat pool Todd 64.1.1.5 64.1.1.5 net 255.255.255.252
Corp(config)#access-list 1 permit 10.1.0.0 0.0.255.255
Corp(config)#ip nat inside source list 1 pool Todd overload
Before I add the interface configurations, notice I used the IP address of the Corp’s outside
interface 64.1.1.5 as both a start and finish address of the pool. I did that because it works just
fine when using PAT.
Anyway, it’s important not to forget to configure NAT on all interfaces:
Corp(config)#int s0/2/0
Corp(config-if)#ip nat outside
Corp(config-if)#int f0/1
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/0/0
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/0/1
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/1/0
Corp(config-if)#ip nat inside
Corp(config-if)#
Now that PAT is configured and our interfaces are all set, let’s telnet from HostC to HostD—
wait, first I’ll ping from host to host, then I’ll telnet:
Corp#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 64.1.1.5:271 10.1.9.2:271 64.1.1.10:271 64.1.1.10:271
tcp 64.1.1.5:11000 10.1.9.2:11000 64.1.1.10:23 64.1.1.10:23
Corp#
Now I’m going to turn on debug ip nat on the Corp router, then telnet from HostB to
HostD. Let’s take a look at the output on the Corp router:
Corp#debug ip nat
*May 9 22:57:47.679: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.679: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [0]
*May 9 22:57:47.683: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.683: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [0]
*May 9 22:57:47.699: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.699: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [1]
*May 9 22:57:47.703: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.703: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [1]
*May 9 22:57:47.707: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.707: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [2]
*May 9 22:57:47.711: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.711: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [3]
*May 9 22:57:47.719: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.719: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [2]
*May 9 22:57:47.723: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.723: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [3]
*May 9 22:57:47.723: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.723: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [4]
*May 9 22:57:47.731: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.731: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [5]
*May 9 22:57:47.735: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:47.735: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [4]
*May 9 22:57:47.735: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.735: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [6]
*May 9 22:57:47.747: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.747: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [7]
*May 9 22:57:47.951: NAT*: TCP s=11000->1024, d=23
*May 9 22:57:47.951: NAT*: s=10.1.6.2->64.1.1.5, d=64.1.1.10 [8]
*May 9 22:57:48.103: NAT*: TCP s=23, d=1024->11000
*May 9 22:57:48.103: NAT*: s=64.1.1.10, d=64.1.1.5->10.1.6.2 [5]
Corp#
Well, well—this is some pretty interesting output to say the least! You can see that the first
line shows our source and destination port numbers that are being used on HostB. The second line
shows our inside source being translated to our inside global with the outside local/global address
listed last—and then, from the outside host back to our HostB. Let’s verify all this with the show
ip nat translation command:
Corp#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 64.1.1.5:11000 10.1.9.2:11000 64.1.1.10:23 64.1.1.10:23
Corp#

Now, let’s use the command show ip nat statistics on the Corp router:
Corp#sh ip nat stat
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
Serial0/2/0
Inside interfaces:
FastEthernet0/1, Serial0/0/0, Serial0/0/1, Serial0/1/0
Hits: 269 Misses: 13
CEF Translated packets: 227, CEF Punted packets: 0
Expired translations: 27
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool Todd refcount 2
pool Todd: netmask 255.255.255.252
start 64.1.1.5 end 64.1.1.5
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
Corp#

What we can see here is a summary of our configuration, our two active translations,
as well as the inside and outside interfaces that are being used. The pool is listed right there
toward the bottom of the output. And it all looks good, so it’s time to move on to configure
NAT using SDM.

1 comment:

  1. DUDE! You STOLE MY chapters from my book and posted it here! You're a piece of shit! This is copied directly from my CCNA R/S Cisco Study Guide! Get this off your site now! EVERYTHING ON YOUR SITE IS STOLEN
    YOU'RE A LOSER!

    ReplyDelete