NAT / PAT
NAT / PAT Topics Identify how NAT and PAT solve the limited IP address problem Describe NAT and PAT operation Configure NAT and PAT Verify NAT and PAT Purpose: This figure states the chapter objectives. Emphasize: Read or state each objective so each student has a clear understanding of the chapter objectives.
Why Use NAT? Inside Outside SA 192.168.2.2 SA 10.1.1.1 Internet 10.1.1.1 NAT border router Use NAT if: You need to connect to the Internet and your hosts do not have globally unique IP addresses 10.1.1.2 Purpose: This figure describes circumstances when you would implement NAT. Emphasize: Examples when NAT may be employed include two companies that have duplicate internal addressing schemes merge, or a company changes its Internet Service Provider (ISP) but does not want to change its internal address scheme. Transition: Advantages and disadvantages of using NAT follow.
NAT Implementation Considerations Advantages Conserves legally registered addresses Reduces address overlap occurrence Increases flexibility when connecting to Internet Eliminates address renumbering as network changes Disadvantages Translation introduces switching path delays Loss of end-to-end IP traceability Certain applications will not function with NAT enabled Purpose: This figure describes advantages and disadvantages of implementing NAT. Note: The most obvious advantage is that NAT conserves the legally registered address scheme. Transition: An overview of NAT follows.
NAT Overview and Terminology Inside DA 192.168.2.2 B Host B 172.20.7.3 DA 10.1.1.1 SA 192.168.2.2 C Internet 10.1.1.2 SA 10.1.1.1 A Simple NAT table D Purpose: This figure is a transition into the NAT overview section. It also highlights some important NAT terms. Emphasize: Highlight the different sending addresses on the packet before it enters the router and after it leaves the router. Compare those addresses to those listed on the NAT table. Describe each term as it relates to the figure. Note: The letters on the figure correspond to the descriptions in the text. Descriptions for outside local IP address and extended translation entry are not represented graphically. Easy IP is a related feature to NAT available on Cisco routers. Configuring Easy IP is not taught in this course. The Easy IP (Phase 1) feature combines NAT and Point-to-point (PPP)/Internet Protocol Control Protocol (IPCP). This feature enables a Cisco router to automatically negotiate its own registered WAN interface IP address from a central server and enable all remote hosts to access the global Internet using this single registered IP address. Because Easy IP (Phase 1) uses existing port-level multiplexed NAT functionality within the Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet. Reference: For a complete description of the Easy IP configuration commands, refer to the “Easy IP Commands” chapter in the Dial Solutions Command Reference. 10.1.1.1 Inside Local IP Inside Global Address IP Address A B 10.1.1.2 192.168.2.3 10.1.1.1 192.168.2.2
NAT Operation NAT functions: Translation inside local addresses Internet 10.1.1.2 NAT functions: Translation inside local addresses Overloading inside global addresses Purpose: This figure is a transition that highlights the NAT functions that are presented in the next few figures. Emphasize: The next few figures discuss the following NAT functions: Translating inside global addresses Overloading inside global addresses Handling overlapping networks Transmission Control Protocol (TCP) load distribution Transition: The next figure describes translating inside global addresses. 10.1.1.1 NAT table Inside Local Inside Global IP Address IP Address 10.1.1.1 192.168.2.2 10.1.1.2 192.168.2.3
Translating Inside Local Addresses 4 DA 192.168.2.2 5 10.1.1.3 3 Host B 172.20.7.3 DA 10.1.1.1 SA 192.168.2.2 Internet 10.1.1.2 10.1.1.2 Purpose: This figure explains how address translation works. Emphasize: Later when students learn to configure address translation, they will be able to use either static NAT configuration or dynamic NAT configuration. Transition: The next figure describes overloading inside global addresses. SA 10.1.1.1 1 2 NAT table Inside Local IP Address Inside Global IP Address 10.1.1.1 10.1.1.3 192.168.2.4 10.1.1.2 192.168.2.3 10.1.1.1 192.168.2.2
Overloading Inside Global Addresses 4 DA 192.168.2.2 Host B 5 10.1.1.3 3 172.20.7.3 DA 10.1.1.1 SA 192.168.2.2 4 Internet DA 192.168.2.2 Host C 10.1.1.2 1 172.21.7.3 2 NAT table Purpose: This figure explains how overloading inside global addresses works. Emphasize: Overloading inside global address translation is Port Address Translation (PAT). How to configure PAT on a Cisco 700 series router is described later in this chapter. Transition: The next figure describes TCP load distribution. SA 10.1.1.1 Protocol Inside Local IP Inside Global IP Outside Global 10.1.1.1 Address: Port Address: Port IP Address: Port 10.1.1.1 TCP 10.1.1.3:1723 192.168.2.2:1492 172.21.7.3:23 TCP 10.1.1.2:1723 192.168.2.2:1723 172.21.7.3:23 TCP 10.1.1.1:1024 192.168.2.2:1024 172.20.7.3:23
Static NAT Configuration Example ip nat inside source static 10.1.1.1 192.168.2.2 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip nat inside interface Serial0 ip address 172.16.2.1 255.255.255.0 ip nat outside This interface connected to the inside network. This interface connected to the outside world. Purpose: This figure displays the static NAT configuration output. Emphasize: Highlight the inside and outside interfaces on this configuration. Note: This figure and the subsequent NAT configuration figures only display the configurations necessary to configure NAT translation. Other commands may be necessary for routing. Maps the inside local address to the inside global address.
Dynamic NAT Configuration ip nat pool dyn-nat 192.168.2.1 192.168.2.254 netmask 255.255.255.0 ip nat inside source list 1 pool dyn-nat ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip nat inside interface Serial0 ip address 172.16.2.1 255.255.255.0 ip nat outside access-list 1 permit 10.1.1.0 0.0.0.255 This interface connected to the inside network. Purpose: This figure displays the dynamic NAT configuration output. This interface connected to the outside world. Translate between inside hosts addressed from 10.1.1.0/24 to the globally unique 192.168.2.0/24 network.
Configuring Inside Global Address Overloading ip nat pool ovrld-nat 192.168.2.1 192.168.2.2 netmask 255.255.255.0 ip nat inside source list 1 pool ovrld-nat overload ! interface Ethernet0/0 ip address 10.1.1.10 255.255.255.0 ip nat inside interface Serial0/0 ip address 172.16.2.1 255.255.255.0 ip nat outside access-list 1 permit 10.1.1.0 0.0.0.255 Purpose: This figure describes how to configure inside global address overloading.
Verifying NAT Basic IP address translation Router#show ip nat trans Pro Inside global Inside local Outside local Outside global --- 192.2.2.1 10.1.1.1 --- --- --- 192.2.2.2 10.1.1.2 --- --- IP address translation with overloading Router#sh ip nat trans Pro Inside global Inside local Outside local Outside global tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23 tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23 Purpose: This figure describes how to verify your NAT configuration output. Emphasize: The upper output box displays the typical NAT table. The lower output box displays the NAT table with overloading. Note: When looking at the IP NAT translations, you may see many translations from the same host to the same host at the destination. This is typical of many connections to the Web. Unique TCP port numbers are used to distinguish between hosts. A translation for a Telnet is still active. Two different inside hosts appear on the outside with a single IP address.
Troubleshooting NAT An example address translation inside-to-outside. Router#debug ip nat NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [4] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [5] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [2] Purpose: This figure describes the debug ip nat command. Emphasize: Show the sending address, the translation, and the destination address on each debug line. An example address translation inside-to-outside. A reply to the packet sent. An example TCP conversation, inside-to-outside. * Indicates translation was in the fast path.
Clearing NAT Translation Entries Router#sh ip nat trans Pro Inside global Inside local Outside local Outside global tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23 tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23 router#clear ip nat trans * router# router#show ip nat trans All entries are cleared. router#show ip nat trans Pro Inside global Inside local Outside local Outside global udp 192.168.2.2:1220 10.1.1.2:1120 171.69.2.132:53 171.69.2.132:53 tcp 192.168.2.1:1100310.1.1.1:11003 172.16.2.2:23 172.16.2.2:23 tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23 router#clear ip nat trans udp inside 192.168.2.2 10.1.1.2 1220 171.69.2.132 53 171.69.2.132 53 tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23 tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23 Purpose: This figure describes how to clear your NAT entries from the translation table. Emphasize: The “*” clears all entries from the NAT table. Both output boxes in the figure show how the NAT table looks before and after translations are cleared. 192.168.2.2 is cleared.
NAT Configuration Lab.pdf NAT Configuration Lab.pkt Lab file NAT Configuration Lab.pdf Lab scenario NAT Configuration Lab.pkt