Monday, January 18, 2016

Lab 2-2 Dynamic NAT




Lab pre-requisites:

Lab 2-1 Packet Tracer Topology Download.

Topology Diagram


Connecting a LAN to the Internet requires a little thought, as there are a few ways of doing it. Here we are going to explore three of them:
  • Static NAT (one-to-one translation)
  • Dynamic NAT (many-to-many translation)
  • Dynamic NAT Overload or PAT (many-to-one translation)

Task 1: Defining static IP addresses and setting a static default route.
Task 2: Configure NAT.
Task 3: Configure PAT.

Dynamic NAT
Solution

Since in our previous lab exercise we used DHCP to assign an IP address to our Branch router, this time around let's try to do it manually (I should've done this in the previous task; oops).

We begin by removing the static NAT line from our configuration on Branch.

On Branch Router:

Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#no ip nat inside source static 10.1.1.100 209.165.201.10

Branch(config)#

We leave the following in place, though:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!

These two interface commands will be used in all flavors of NAT we configure here.

Now we need to complete the following steps to finish the lab:

  • Assign the IP address manually (the default route will have to be added manually too).
  • Add a pool of public IP addresses (we'll use 209.165.201.3 - 209.165.201.10 /27).
  • Add an access control list that matches on source IP addresses (subnet 10.1.1.0).
  • Configure dynamic NAT.
And this is where the rubber meets the road.

Assign IP Address Manually

Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int f0/1
Branch(config-if)#ip address 209.165.201.1 255.255.255.224
Branch(config-if)#exit

Default Route Configuration

Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2

Branch(config)#


Configuring Pool of Public Addresses (inside global)

Branch(config)#ip nat pool PUBLIC 209.165.201.3 209.165.201.10 netmask 255.255.255.224
Branch(config)#



NOTICE!
Packet Tracer only supports the 'netmask' argument. It does NOT support 'prefix-length <number>'.


Access Control List Configuration

Branch(config)#access-list 1 permit 10.1.1.0 0.0.0.255
Branch(config)#

Dynamic NAT Configuration

Branch(config)#ip nat inside source list 1 pool PUBLIC
Branch(config)#


NOTICE!
IOS is case sensitive when it comes to defining names and using them ('PUBLIC' is not the same as 'public').



At this point there are NO entries in the NAT table. However, as soon as we send a ping from PC1 towards 209.165.201.2, the entry is created.




NOTICE!
Packet Tracer emulates real-life behavior: the first ping attempt lost two packets while the ARP request was being resolved.



Don't forget that ICMP translations age out very quickly (1 min.). So after pinging, look at the table as quickly as possible.

This type of NAT lends out an IP address dynamically as soon as interesting traffic (traffic matched by the ACL) is sent towards the Internet, out of the 'ip nat outside' interface. Each inside host gets its own address from the pool for as long as its translation lives.

In case you want multiple hosts to share the same public address, you can either add the keyword 'overload' as the last word of the NAT command:

ip nat inside source list 1 pool PUBLIC overload

or use Port Address Translation (PAT), which will be used in our next exercise.
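To make the many-to-many behavior concrete, here is an added example (not part of the original lab, and not IOS code) that models the ACL, the PUBLIC pool and the one-minute ICMP timeout from this lab in Python. It shows what the text only states: every inside host that matches access-list 1 borrows its own pool address, the ninth host is dropped once the eight addresses .3 through .10 are in use, an aged-out entry frees its address again, and the 'overload' keyword changes the allocation to one shared address distinguished by port. The port counter starting at 1024 and the translation logic itself are simplifying assumptions of this model.

```python
"""Added example, not part of the original lab: a small Python model of the
dynamic NAT that Branch was just configured with.  It reuses the lab's ACL,
pool and the one-minute ICMP timeout so the many-to-many allocation, pool
exhaustion and the effect of 'overload' can be seen on the command line.
The translation logic is a simplified model, not IOS code."""
import ipaddress
import itertools

# From the lab: access-list 1 permit 10.1.1.0 0.0.0.255
ACL_NETWORK = int(ipaddress.ip_address("10.1.1.0"))
ACL_WILDCARD = int(ipaddress.ip_address("0.0.0.255"))

# From the lab: ip nat pool PUBLIC 209.165.201.3 209.165.201.10 netmask 255.255.255.224
POOL_START = int(ipaddress.ip_address("209.165.201.3"))
POOL_END = int(ipaddress.ip_address("209.165.201.10"))

ICMP_TIMEOUT = 60  # seconds: the lab notes ICMP translations age out after ~1 min


def acl_permits(src_ip: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    src = int(ipaddress.ip_address(src_ip))
    care = ~ACL_WILDCARD & 0xFFFFFFFF
    return (src & care) == (ACL_NETWORK & care)


class DynamicNat:
    """Models 'ip nat inside source list 1 pool PUBLIC [overload]'."""

    def __init__(self, overload: bool = False):
        self.overload = overload
        self.pool = [str(ipaddress.ip_address(a)) for a in range(POOL_START, POOL_END + 1)]
        self.table = {}                       # key -> {"global_ip", "global_port", "expires"}
        self.ports = itertools.count(1024)    # assumed: global ports handed out upward for overload

    def age_out(self, now: float) -> None:
        """Drop translations whose timer has expired."""
        self.table = {k: v for k, v in self.table.items() if v["expires"] > now}

    def _allocate(self, src_port: int):
        if self.overload:
            # PAT: every inside host shares the first pool address, distinguished by port.
            return {"global_ip": self.pool[0], "global_port": next(self.ports)}
        in_use = {v["global_ip"] for v in self.table.values()}
        free = [a for a in self.pool if a not in in_use]
        if not free:
            return None                       # pool exhausted: no translation possible
        return {"global_ip": free[0], "global_port": src_port}

    def translate(self, src_ip: str, src_port: int, now: float):
        """Return (status, global_ip, global_port) for a packet leaving via 'ip nat outside'."""
        if not acl_permits(src_ip):
            return ("untranslated", src_ip, src_port)   # not interesting traffic
        self.age_out(now)
        key = (src_ip, src_port) if self.overload else (src_ip, None)
        entry = self.table.get(key)
        if entry is None:
            entry = self._allocate(src_port)
            if entry is None:
                return ("dropped", None, None)          # the router cannot translate it
            self.table[key] = entry
        entry["expires"] = now + ICMP_TIMEOUT           # every packet refreshes the timer
        return ("translated", entry["global_ip"], entry["global_port"])


def show_ip_nat_translations(nat: DynamicNat) -> list:
    """Rough equivalent of 'show ip nat translations': (inside local, inside global) pairs."""
    return sorted((k[0], v["global_ip"]) for k, v in nat.table.items())


def demo():
    """Eight hosts fill the pool; the ninth is dropped until an entry ages out."""
    nat = DynamicNat()
    for host in range(100, 108):                     # 10.1.1.100 .. 10.1.1.107
        nat.translate(f"10.1.1.{host}", 1, now=0)
    ninth_now = nat.translate("10.1.1.108", 1, now=10)     # pool exhausted
    ninth_later = nat.translate("10.1.1.108", 1, now=70)   # first entries aged out
    return ninth_now, ninth_later


if __name__ == "__main__":
    print(demo())
```

Running the file prints the ninth host being dropped at 10 seconds and then receiving 209.165.201.3 at 70 seconds, which is the practical reason the lab's pool of eight addresses only works for a small LAN without 'overload'.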

Meanwhile this is the whole configuration we have done:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 209.165.201.1 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
ip nat pool PUBLIC 209.165.201.3 209.165.201.10 netmask 255.255.255.224
!
ip nat inside source list 1 pool PUBLIC
!
ip route 0.0.0.0 0.0.0.0 209.165.201.2
!
