- NAT Terminology.
- NAT Principles of Operations.
- Knowledge of ACLs.
- Completed Lab 1-1.
- Completed Lab 1-2.
- Completed Lab 2-1.
- Completed Lab 2-2 Static NAT.
- Completed Lab 2-2 Dynamic NAT.
Lab 2-1 Packet Tracer Topology Download.
Topology Diagram
Connecting a LAN to the Internet requires a little thought as there are few ways of doing it. Here we are going to explore three of them:
- Static NAT (one-to-one translation)
- Dynamic NAT (many-to-many translation)
- Dynamic NAT Overload or PAT (many-to-one translation)
Task 1: Defining static IP addresses and setting a static default route.
Task 2: Configure NAT.
Task 3: Configure PAT.
Dynamic NAT
Solution
Since we used DHCP to assign an IP address to our Branch router in the previous lab exercise, this time around let's do it manually (I should've done this in the previous task; oops).
We begin by removing the static NAT line from our configuration on Branch.
On Branch Router:
Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#no ip nat inside source static 10.1.1.100 209.165.201.10
Branch(config)#
We leave the following though:
interface FastEthernet0/0
ip nat inside
!
interface FastEthernet0/1
ip nat outside
!
They will be used in all flavors of NAT we configure here.
Now we need to complete the following steps to finish the lab:
- Assign the IP address manually (the default route will have to be added manually too).
- Add a pool of public IP addresses (we'll use 209.165.201.3 - 209.165.201.10 /27).
- Add an Access Control List that matches on source IP addresses (subnet 10.1.1.0).
- Configure Dynamic NAT.
And this is where the rubber meets the road.
Assign IP Address Manually
Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int f0/1
Branch(config-if)#ip address 209.165.201.1 255.255.255.224
Branch(config-if)#exit
Default Route Configuration
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.201.2
Branch(config)#
Configuring Pool of Public Addresses (inside global)
Branch(config)#ip nat pool PUBLIC 209.165.201.3 209.165.201.10 netmask 255.255.255.224
Branch(config)#
NOTICE!
Packet Tracer supports only the 'netmask' argument. It does NOT support 'prefix-length number'.
Access Control List Configuration
Branch(config)#access-list 1 permit 10.1.1.0 0.0.0.255
Dynamic NAT Configuration
Branch(config)#ip nat inside source list 1 pool PUBLIC
NOTICE!
IOS is case-sensitive when it comes to defining names and using them ('PUBLIC' is not the same as 'public').
At this point there are NO entries built in the NAT table. However, if we send a ping from PC1 towards 209.165.201.2, an entry is going to be created.
NOTICE!
Packet Tracer emulates real-life behavior. The first ping attempt lost two packets to the ARP request.
Don't forget that ICMP entries age out very quickly (1 min.). So after pinging, look at the table as quickly as possible.
This type of NAT lends an IP address dynamically as soon as interesting traffic matched by the ACL is sent towards the Internet (out of the 'ip nat outside' interface).
In case you want multiple hosts to borrow the same address, you can either add the keyword 'overload' as the last word of the NAT configuration ('ip nat inside source list 1 pool PUBLIC overload'), or use Port Address Translation (PAT), which will be used in our next exercise.
Meanwhile, this is the whole configuration we have done:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.201.1 255.255.255.224
ip nat outside
duplex auto
speed auto
!
ip nat pool PUBLIC 209.165.201.3 209.165.201.10 netmask 255.255.255.224
!
ip nat inside source list 1 pool PUBLIC
!
ip route 0.0.0.0 0.0.0.0 209.165.201.2
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
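To see why the size of the pool and the scope of the ACL matter, here is a small Python model of the dynamic NAT behavior configured above. It is an added example, not part of the original lab and not IOS code. It assumes ACL 1 permits 10.1.1.0 with wildcard 0.0.0.255, keeps one entry per inside host rather than per flow, and uses constructed port numbers for the 'overload' case.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(src, network="10.1.1.0", wildcard="0.0.0.255"):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(src) & care) == (_ip(network) & care)

class DynamicNat:
    """Simplified model of 'ip nat inside source list 1 pool PUBLIC [overload]'."""

    def __init__(self, first="209.165.201.3", last="209.165.201.10", overload=False):
        self.free = [str(ipaddress.IPv4Address(a))
                     for a in range(_ip(first), _ip(last) + 1)]
        self.table = {}           # inside local -> inside global
        self.overload = overload
        self.next_port = 1024     # constructed port numbering for the overload case

    def translate(self, src):
        """Return the source address seen on the outside, or None if dropped."""
        if not acl_permits(src):
            return src                        # not matched by ACL 1: forwarded untranslated
        if src in self.table:
            return self.table[src]            # an existing entry is reused
        if self.overload:
            self.next_port += 1               # many hosts share the first pool address
            inside_global = f"{self.free[0]}:{self.next_port}"
        elif self.free:
            inside_global = self.free.pop(0)  # one pool address lent per inside host
        else:
            return None                       # pool exhausted: no translation possible
        self.table[src] = inside_global
        return inside_global

def run_lab(hosts, overload=False):
    """Send one packet from each host through a fresh NAT instance."""
    nat = DynamicNat(overload=overload)
    return [nat.translate(h) for h in hosts]

if __name__ == "__main__":
    hosts = [f"10.1.1.{n}" for n in range(100, 109)]   # nine constructed inside hosts
    for host, seen in zip(hosts, run_lab(hosts)):
        print(host, "->", seen)
```

With the eight-address pool from this lab, the ninth inside host gets no translation until an entry ages out, which is the limitation 'overload' removes.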