When most people think of Network Address Translation (NAT) they immediately think of the operation of Port Address Translation, where many internal RFC1918 private addresses are translated to a single public, globally routable IP address. Most people assume that a standard consumer grade router does NAT to allow several PCs to share a single internet connection; however, this operation is actually called Port Address Translation (PAT).
PAT is a type of Network Address Translation that translates inside local addresses to a single inside global address, which in most cases is the IP address your ISP assigns you. You can think of PAT as a dynamic form of extended NAT. The general operation of PAT is quite simple.
A PC on the inside network with the IP address 10.55.1.22 attempts to communicate with the internet; however, its IP address is not routable on the internet, so it has to be translated to an IP address that is. When the PC attempts to communicate with an IP address on the internet, the router port address translates the packets to its own public IP address and a random port number, and installs the NAT flow into the NAT table so that return traffic can be matched.
For example, PC 10.55.1.22 attempts to communicate with 4.2.2.2, so it sends its traffic to the default gateway. This router is connected to the internet and can reach 4.2.2.2 via a T1 interface. The router translates the incoming packet sourced from 10.55.1.22 on a random port to the IP address of its T1 interface with a randomly generated source port, keeping the same destination. Once this is done the router adds the translation to the NAT table and forwards the traffic. When the traffic returns to the router, it uses the same translation entry to translate the return traffic back to the private IP address of the host inside the network.
Port Address Translation can serve up to 10,000 PCs using a single IP address. In this scenario every internal privately addressed PC could theoretically use a maximum of 6 random ports simultaneously. This is a very high number for most companies and very hard to exceed. However, if you are hitting the maximum session range on a router/firewall for PAT, you can simply add another public IP address to be port address translated to.
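The translation and return-path lookup described above, as an added example (Python, not part of the Free CCNA Workbook lab): it models one inside global address shared by the lab's 10.55.0.0/22 hosts, matching them with the same wildcard-mask logic the lab's ACL uses, and looks return traffic up in the installed flow. The inside global address 172.29.81.1 is taken from the lab's NAT table output; the port allocation order and the exhaustion handling are simplifications assumed here, not IOS behaviour.

```python
import ipaddress

INSIDE_GLOBAL = "172.29.81.1"  # R2's Serial0/0.223 address, as seen in the lab's NAT table


def acl_permits(src, network="10.55.0.0", wildcard="0.0.3.255"):
    """Emulate 'permit ip 10.55.0.0 0.0.3.255 any': wildcard bits set to 1 are don't-care."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    return (s & ~w) == (n & ~w)


class PatTable:
    """Many inside local hosts overloaded onto one inside global address (simplified model)."""

    def __init__(self, inside_global=INSIDE_GLOBAL, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self.next_port, self.last_port = first_port, last_port  # assumed allocation range
        self.used_ports = set()
        self.out_flows = {}  # (proto, local, lport, dst, dport) -> global port
        self.in_flows = {}   # (proto, global port, dst, dport) -> (local, lport)

    def _allocate(self, wanted):
        """Keep the host's own port if it is free (as the lab output shows); otherwise
        take the next unused port; None once the port space is exhausted."""
        if wanted not in self.used_ports:
            return wanted
        while self.next_port <= self.last_port and self.next_port in self.used_ports:
            self.next_port += 1
        return self.next_port if self.next_port <= self.last_port else None

    def translate_out(self, proto, src, sport, dst, dport):
        """Inside->outside: returns (inside_global, gport); None if the ACL does not match
        (packet is routed untranslated) or no port is left (packet is dropped)."""
        if not acl_permits(src):
            return None
        key = (proto, src, sport, dst, dport)
        if key not in self.out_flows:  # first packet of a flow: install the translation
            gport = self._allocate(sport)
            if gport is None:
                return None
            self.used_ports.add(gport)
            self.out_flows[key] = gport
            self.in_flows[(proto, gport, dst, dport)] = (src, sport)
        return self.inside_global, self.out_flows[key]

    def translate_in(self, proto, src, sport, dst, dport):
        """Outside->inside: map the return packet back through the installed flow;
        None means no flow exists for it and the packet is dropped."""
        if dst != self.inside_global:
            return None
        return self.in_flows.get((proto, dport, src, sport))
```

Replaying the lab's four ICMP pings shows each loopback keeping its own identifier behind 172.29.81.1, while a second host that reuses an identifier already in use is moved to a fresh port, which is the overload the table in objective 6 illustrates.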
To configure Port Address Translation, you must specify the inside and outside NAT interfaces as with any NAT configuration. Afterward you'll need to create an access control list that will be referenced by the NAT translation statement to match the inside networks and/or host machines to be translated. If you have multiple public IP addresses and you wish to port address translate to an IP address other than the one assigned to the router's WAN interface, you'll need to create a NAT pool with the specified IP address(es). In most scenarios you'll just port address translate to the single IP address that is assigned to the router's public interface. When using the IP address of the router's interface you do not need to specify a pool; you just specify the interface name followed by "overload".
Example: ip nat inside source list PAT_TRAFFIC interface Serial0/0.223 overload
In this lab you will be using R1, R2 and R3 to simulate a small company network connected to an ISP at R2, using R2 to port address translate simulated inside host machines with private IP addresses on R1 to a single public IP address, so that the inside machines can reach the simulated internet host 4.2.2.2 on R3.
Please review the following command(s) listed below:
- ip nat inside source list {acl-name | acl-number} pool pool-name overload – This command is executed in global configuration mode to configure a NAT translation that matches inside hosts permitted to be port address translated to a specific IP address defined in a NAT pool.
- ip nat inside source list {acl-name | acl-number} interface interface#/# overload – This command is executed in global configuration mode to configure a NAT translation that matches inside hosts permitted to be port address translated to the IP address assigned to a specific interface.
- show ip nat translations – This command is executed in user or privileged mode to view all the current NAT translations in the router's NAT table.
- clear ip nat translation * – This command is executed in privileged mode to purge all the dynamic NAT translations that exist in the NAT table. If this command is executed in a live network take caution, as it will drop current dynamically NAT translated TCP sessions.
The following logical topology shown below is used in this lab:
Lab Prerequisites
- If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start devices R1, R2 and R3.
- Establish a console session with devices R1, R2 and R3, then load the initial configurations provided below by copying the config from the textbox and pasting it into the respective router's console.
Lab Objectives
- Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
- Configure the respective NAT inside/outside interfaces on R2.
- Create a named extended access-list on R2 matching the simulated hosts on R1 using only a single line in the ACL.
- Configure a NAT translation statement to Port Address Translate any host machines matching the access-list previously created to the IP address of Serial0/0.223.
- Verify that you can ping the simulated host 4.2.2.2 located on R3 from R1's simulated host loopback interfaces you created earlier.
- After verifying IP connectivity between the inside simulated host machines on R1 and the simulated internet host on R3 (4.2.2.2), view the NAT translation table on R2 and verify that the router is translating the inside local addresses to a single inside global address.
Lab Instruction
Objective 1. – Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loopback0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.55.0.1 255.255.255.0
R1(config-if)#interface loopback1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip add 10.55.1.1 255.255.255.0
R1(config-if)#interface loopback2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R1(config-if)#ip add 10.55.2.1 255.255.255.0
R1(config-if)#interface loopback3
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R1(config-if)#ip add 10.55.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 10.55.0.0 0.0.3.255
R1(config-router)#end
R1#
Objective 2. – Configure the respective NAT inside/outside interfaces on R2.
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface Serial0/0.221
R2(config-subif)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-subif)#interface Serial0/0.223
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#
Objective 3. – Create a named extended access-list on R2 matching the simulated hosts on R1 using only a single line in the ACL.
R2(config)#ip access-list extended PAT_TRAFFIC_ACL
R2(config-ext-nacl)#10 permit ip 10.55.0.0 0.0.3.255 any
R2(config-ext-nacl)#exit
R2(config)#
Objective 4. – Configure a NAT translation statement to Port Address Translate any host machines matching the access-list previously created to the IP address of Serial0/0.223.
R2(config)#ip nat inside source list PAT_TRAFFIC_ACL interface Serial0/0.223 overload
R2(config)#end
R2#
Objective 5. – Verify that you can ping the simulated host 4.2.2.2 located on R3 from R1's simulated host loopback interfaces you created earlier.
R1#ping 4.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/94/168 ms
R1#ping 4.2.2.2 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/108/200 ms
R1#ping 4.2.2.2 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/133/196 ms
R1#ping 4.2.2.2 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/114/240 ms
R1#
Objective 6. – After verifying IP connectivity between the inside simulated host machines on R1 and the simulated internet host on R3 (4.2.2.2), view the NAT translation table on R2 and verify that the router is translating the inside local addresses to a single inside global address.
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 172.29.81.1:2      10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
icmp 172.29.81.1:3      10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
icmp 172.29.81.1:4      10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
icmp 172.29.81.1:5      10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
R2#
As shown above in R2's NAT translation table, you can see the single inside global IP address and the source port number(s) assigned to each inside local source IP address, one per NAT translation flow. (A NAT translation flow is a single line entry in the NAT translation table.)