- NAT Terminology.
- NAT Principles of Operations.
- Completed Lab 1-1.
- Completed Lab 1-2.
- Completed Lab 2-1.
- Completed Lab 2-2 Static NAT.
- Completed Lab 2-2 Dynamic NAT.
Lab 2-1 Packet Tracer Topology Download.
Topology Diagram
Connecting a LAN to the Internet requires a little thought, as there are a few ways of doing it. Here we are going to explore three of them:
- Static NAT (one-to-one translation)
- Dynamic NAT (many-to-many translation)
- Dynamic NAT Overload or PAT (many-to-one translation)
Task 1: Defining static IP addresses and setting a static default route.
Task 2: Configure NAT.
Task 3: Configure PAT.
STATIC NAT
Let's tackle the first one.
Task 1: Defining static IP addresses and setting a static default route.
With this type of NAT, connections can be initiated in both directions between the Internet and our private host. The NAT table will contain a static entry mapping our local host address (inside local) to a public IP address (inside global). Typically we register the public IP address in the DNS database, allowing users on the Internet to communicate with our local host.
In this task let's assume that our extra public IP address is 209.165.201.10.
Roll up your sleeves and let's make it work.
First, what is necessary to connect a router to the Internet?
- The router must have its Internet-facing interface configured with a public IP address. This can be done manually, or the router can obtain a public IP address from a DHCP server located at the ISP.
- The router must know how to reach all unknown addresses on the Internet. This can be accomplished by learning Internet networks via the BGP protocol or by using a 'default route'. Here we're going to use the latter.
- CCNA courses do not use the latest method of doing NAT, which utilizes an NVI interface. The older method is used, which requires signifying which interface is private (ip nat inside) and which interface is connected to the Internet (ip nat outside).
- An appropriate NAT method must be configured.
STATIC NAT (one-to-one translation)
In our first approach let's allow the Branch router to learn its public IP address from a DHCP pool configured on HQ. The pool will only have one IP address (209.165.201.1). In order to do that, type the following configuration on HQ:
HQ Configuration:
HQ#ena
HQ#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#ip dhcp pool BRANCH
HQ(dhcp-config)#network 209.165.201.0 255.255.255.224
HQ(dhcp-config)#default-router 209.165.201.2
HQ(dhcp-config)#exit
HQ(config)#ip dhcp excluded-address 209.165.201.2 209.165.201.254
HQ(config)#
We're off to a good start now.
Assign public IP Address on Branch Fas0/1 interface using DHCP
Branch#ena
Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int fas0/1
Branch(config-if)#ip address dhcp
Branch(config-if)#exit
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address 209.165.201.1, mask 255.255.255.224, hostname Branch
Notice that apart from IP Address 209.165.201.1/27, the Branch router also received the 'default route' as per HQ DHCP configuration. Now it can send the packets towards all unknown IP Addresses using HQ as its next-hop router (209.165.201.2).
Now, let's assume that the ISP (Internet Service Provider) has given us another public IP address for our public server (WWW, SMTP, FTP, etc.).
Server IP Addresses:
Inside Local: 10.1.1.100 (private)
Inside Global: 209.165.201.10 (host will be seen as this public address)
Since our router already has an IP address dynamically assigned and a default route installed in the routing table, the next step is to signify which interface is private and which one is public.
Branch(config)#int fas0/0
Branch(config-if)#ip nat inside
Branch(config-if)#
Branch(config-if)#int fas0/1
Branch(config-if)#ip nat outside
Branch(config-if)#exit
This is where a lot of beginners make mistakes by assigning the roles the opposite way around. Remember: the 'ip nat inside' interfaces are the ones facing the LAN (private network), and the 'ip nat outside' interface is the one connected to the ISP.
Finally, static NAT configuration:
Branch(config)#ip nat inside source static 10.1.1.100 209.165.201.10
Branch(config)#end
Branch#
Let's observe what was installed in the NAT table.
It looks good. Whenever the Branch router receives an IP packet destined to 209.165.201.10, it will redirect the packet towards the inside local IP address 10.1.1.100, as signified by the NAT entry.
NOTICE!
This entry never ages out. It means that the router will forward packets to your public server 10.1.1.100 whenever it receives an IP packet on its OUTSIDE interface (Fas0/1) with destination IP address 209.165.201.10.
Now we can check if HQ router is able to ping 209.165.201.10.
After two rounds of ping here's what we find in NAT table on Branch.
HQ Configuration:
!
ip dhcp excluded-address 209.165.201.2 209.165.201.254
!
ip dhcp pool BRANCH
 network 209.165.201.0 255.255.255.224
 default-router 209.165.201.2
!
Branch Configuration:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
!
ip nat inside source static 10.1.1.100 209.165.201.10
!
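The inside/outside mix-up described above can be caught by checking a saved configuration before it goes live. The following is an added example, not part of the original lab: a small Python audit that parses a running-config, verifies that the interface whose subnet contains each inside local host is marked 'ip nat inside', and lists the hosts that static entries leave permanently reachable from outside. The function names (parse, audit, exposed_hosts) are hypothetical, and the sample input is constructed from the Branch configuration shown here.

```python
import ipaddress
import re

# Constructed sample: the Branch configuration from this lab (duplex/speed lines dropped).
BRANCH_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source static 10.1.1.100 209.165.201.10
"""

def parse(config):
    """Return ({ifname: {"net", "role"}}, [(inside_local, inside_global)])."""
    ifaces, statics, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "role": None})
        elif m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif line == "!":
            cur = None  # "!" ends the interface sub-mode in a running-config
        elif cur is not None:
            if m := re.fullmatch(r"ip address (\d\S*) (\d\S*)", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.fullmatch(r"ip nat (inside|outside)", line):
                cur["role"] = m[1]
    return ifaces, statics

def audit(config):
    """Return findings; empty means each inside local host sits behind an 'inside' interface."""
    ifaces, statics = parse(config)
    roles = {i["role"] for i in ifaces.values()}
    findings = [f"no interface is marked 'ip nat {r}'"
                for r in ("inside", "outside") if r not in roles]
    for local, _ in statics:
        for name, i in ifaces.items():
            if i["net"] is not None and local in i["net"] and i["role"] != "inside":
                findings.append(f"{name} faces {local} but has NAT role {i['role']}")
    return findings

def exposed_hosts(config):
    """Static entries never age out: list (inside global, inside local) pairs."""
    return [(str(g), str(l)) for l, g in parse(config)[1]]
```

Each pair returned by exposed_hosts stays reachable through the outside interface for as long as the static entry is configured, so it is the list to review against whatever inbound filtering protects the server.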
In the next exercise we're going to use Dynamic NAT configuration (many-to-many translation).