Jaycee's Networking

May 17, 2009

NAT

Filed under: IOS — Tags: — Jaycee @ 2:58 am

A. NAT (Network Address Translation):

1. NAT provides a method for mapping an internal IP address space to an external IP address space.

2. NAT is configured on our gateway.

3. There are two methods of performing NAT: static and dynamic.

a. With static translation, each inside address is mapped to a specific outside address.
b. With dynamic translation, possible outside addresses are collected into an address pool and are selected from the pool on an as-needed basis.

B. Static NAT:

1. Assign static NAT mappings for the outside addresses 172.168.1.2 ~ 172.168.1.5.

2. We can’t map 172.168.1.1 because that’s the address of the serial0 interface.

ip nat inside source static 10.10.1.2 172.168.1.2
ip nat inside source static 10.10.1.3 172.168.1.3
ip nat inside source static 10.10.1.4 172.168.1.4
ip nat inside source static 10.10.1.5 172.168.1.5
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside

C. Dynamic NAT:

1. Define the IP address pool from 172.168.1.2 ~ 172.168.1.254.

2. Leave out 172.168.1.1 because that is the address of our serial0 interface.

ip nat pool poolone 172.168.1.2 172.168.1.254 netmask 255.255.255.0
ip nat inside source list 20 pool poolone
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

3. Static and dynamic mappings can be combined; just do NOT include the statically mapped internal addresses in your address pool.

4. This allows you to give some hosts (e.g. mail servers) a fixed external address while they remain on your internal network, and to let the other hosts be assigned their external address dynamically.

D. PAT (Port Address Translation):

1. The router uses the port number to distinguish between different connections using the same address.

2. In this example, we have one public IP address (172.168.1.2) that is shared by all our hosts on the 10.10.1.0/24 private network.

3. This configuration creates an explicit external address pool holding that single address and, with the “overload” keyword, uses it to map all inside addresses.

ip nat pool poolone 172.168.1.2 172.168.1.2 netmask 255.255.255.0
ip nat inside source list 20 pool poolone overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

4. If you only need a single translation address, you can also omit the “ip nat pool” command and instead tell the “ip nat inside source” command to use the IP address of your serial interface for translations.

ip nat inside source list 20 interface serial0 overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255

E. Static PAT:

If you want the servers on different internal machines but have only one external address, you need to map incoming ports to different internal (NAT) addresses.

1. The solution is static PAT.

2. To do the port-based translation, we use the keyword “extendable,” which allows us to map UDP and TCP ports to internal addresses.

3. In this example, we have one unique global IP address (172.168.1.1) mapped to our internal network (10.10.1.0/24) using the “overload” keyword.

4. We want our incoming email traffic (port 25) to go to 10.10.1.5, and our incoming web traffic (port 80) to go to 10.10.1.4.

ip nat inside source list 20 interface serial0 overload
!
ip nat inside source static tcp 10.10.1.5 25 172.168.1.1 25 extendable
!
ip nat inside source static tcp 10.10.1.4 80 172.168.1.1 80 extendable
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
access-list 20 permit 10.10.0.0 0.0.255.255
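The four behaviours configured in sections B through E (static NAT, a dynamic pool, PAT with “overload”, and static PAT with “extendable”) can be modelled in a small translation table. The following Python is an added example written for this page; it is not IOS code and not part of the original post. It keeps the same hit/miss counters that “show ip nat statistics” reports, and it goes slightly beyond the post's text by also showing what the configs alone do not: a dynamic pool running out of addresses, a second inside host picking a source port that is already in use under overload, and inbound traffic for which no entry exists. All traffic in demo() is constructed; the class and method names are my own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy model of IOS inside-source NAT (constructed example, not IOS code)."""
    pool: list = field(default_factory=list)        # free outside addresses (ip nat pool ...)
    overload: bool = False                          # PAT: share one outside address by port
    acl: list = field(default_factory=list)         # inside networks permitted by access-list 20
    addr_map: dict = field(default_factory=dict)    # inside local ip -> inside global ip
    conns: dict = field(default_factory=dict)       # (proto, local ip, port) -> (global ip, port)
    static_pat: dict = field(default_factory=dict)  # (proto, global ip, port) -> (local ip, port)
    used_ports: set = field(default_factory=set)    # (global ip, port) pairs already handed out
    hits: int = 0                                   # lookups that found a table entry
    misses: int = 0                                 # lookups that found none

    # --- configuration, one method per IOS command used in the post ---
    def permit(self, network, wildcard):
        """access-list 20 permit NETWORK WILDCARD (the wildcard is a hostmask)."""
        self.acl.append(ipaddress.ip_network((network, wildcard)))

    def static_nat(self, local, global_ip):
        """ip nat inside source static LOCAL GLOBAL."""
        self.addr_map[local] = global_ip

    def static_port(self, proto, local, lport, global_ip, gport):
        """ip nat inside source static PROTO LOCAL LPORT GLOBAL GPORT extendable."""
        self.static_pat[(proto, global_ip, gport)] = (local, lport)
        self.used_ports.add((global_ip, gport))     # keep PAT from handing out that port

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.acl)

    def _free_port(self, global_ip):
        port = 1024
        while (global_ip, port) in self.used_ports:
            port += 1
        return port

    # --- data plane ---
    def outbound(self, proto, src, sport):
        """Translate a packet leaving the inside network; returns (global ip, port) or None."""
        if src in self.addr_map:                    # static entry, or dynamic one without overload
            self.hits += 1
            return (self.addr_map[src], sport)
        if (proto, src, sport) in self.conns:       # existing PAT entry
            self.hits += 1
            return self.conns[(proto, src, sport)]
        self.misses += 1                            # nothing in the table: try to create an entry
        if not self._permitted(src) or not self.pool:
            return None                             # ACL did not match, or dynamic pool exhausted
        if not self.overload:
            self.addr_map[src] = self.pool.pop(0)   # one outside address per inside host
            return (self.addr_map[src], sport)
        global_ip = self.pool[0]                    # every host shares the first pool address
        gport = sport if (global_ip, sport) not in self.used_ports else self._free_port(global_ip)
        self.used_ports.add((global_ip, gport))
        self.conns[(proto, src, sport)] = (global_ip, gport)
        return (global_ip, gport)

    def inbound(self, proto, dst, dport):
        """Translate a packet arriving from the outside; returns (local ip, port) or None."""
        if (proto, dst, dport) in self.static_pat:  # static PAT wins over dynamic entries
            self.hits += 1
            return self.static_pat[(proto, dst, dport)]
        for local, global_ip in self.addr_map.items():
            if global_ip == dst:
                self.hits += 1
                return (local, dport)
        for (p, local, lport), (global_ip, gport) in self.conns.items():
            if (p, global_ip, gport) == (proto, dst, dport):
                self.hits += 1
                return (local, lport)
        self.misses += 1
        return None                                 # unsolicited inbound packet: no entry, dropped

    def statistics(self):
        """Counters in the spirit of 'show ip nat statistics'."""
        return {"translations": len(self.addr_map) + len(self.conns) + len(self.static_pat),
                "hits": self.hits, "misses": self.misses, "free_pool": len(self.pool)}


def demo():
    """The post's section E setup (interface overload plus static PAT) with constructed traffic."""
    r = NatRouter(pool=["172.168.1.1"], overload=True)
    r.permit("10.10.0.0", "0.0.255.255")
    r.static_port("tcp", "10.10.1.5", 25, "172.168.1.1", 25)
    r.static_port("tcp", "10.10.1.4", 80, "172.168.1.1", 80)
    a = r.outbound("tcp", "10.10.1.10", 40000)      # first host keeps its source port
    b = r.outbound("tcp", "10.10.1.11", 40000)      # same source port: gets a fresh one
    c = r.inbound("tcp", "172.168.1.1", 25)         # mail delivered to 10.10.1.5
    d = r.outbound("tcp", "192.168.9.9", 1234)      # not matched by access-list 20
    return a, b, c, d, r.statistics()
```

Two things the model makes visible that the configs do not: without “overload” every new inside host consumes a pool address and the first host beyond the pool size gets no translation at all (a dropped packet, counted as a miss), and an address not covered by the access list is never translated, so the access list is what decides which hosts can reach the outside through the NAT at all.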

F. NAT show Commands:

1. show ip nat statistics:

a. the total number of translations
b. the interfaces configured for NAT
c. the hits (the number of times the router looked in the NAT table and found a match)
d. the misses (the number of times the router looked in the NAT table and didn’t find an entry)
e. the number of translations that have expired

R1#show ip nat statistics
Total translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 20 pool poolone refcount 1
 pool poolone: netmask 255.255.255.0
            start 172.168.1.2 end 172.168.1.2
            type generic, total addresses 1, allocated 1 (100%), misses 1

2. show ip nat translations

It shows all the NAT translations that occur.

R1#show ip nat translations
Pro Inside global     Inside local     Outside local     Outside global
--- 172.168.1.2          10.10.1.1         ---               ---

3. clear ip nat translations *

a. It’s possible for dynamic address translation to get confused. When this happens, translated traffic stops flowing through the router.

b. To fix this, use “clear ip nat translations *”. (The * means to clear all dynamic translations.)
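The counters above are easy to read on one router but worth parsing when several routers are monitored. The following Python is an added example for this page, not part of the original post and not IOS code: it parses the text of the two show commands and flags the two pool conditions that mean inside hosts are failing to get an address. The sample output embedded in it is constructed in the same format as the quotes above, with one extra PAT session to a made-up outside host 203.0.113.7 so that the extended row format is covered; the function names are my own.

```python
import re

# Constructed sample output in the format of the two show commands quoted above
# (the third translation row is an active PAT session to a made-up outside host).
SAMPLE_STATISTICS = """\
Total translations: 3 (2 static, 1 dynamic; 1 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 20 pool poolone refcount 1
 pool poolone: netmask 255.255.255.0
            start 172.168.1.2 end 172.168.1.2
            type generic, total addresses 1, allocated 1 (100%), misses 1
"""

SAMPLE_TRANSLATIONS = """\
Pro Inside global     Inside local     Outside local     Outside global
--- 172.168.1.2       10.10.1.1        ---               ---
tcp 172.168.1.1:25    10.10.1.5:25     ---               ---
tcp 172.168.1.1:1024  10.10.1.11:40000 203.0.113.7:80    203.0.113.7:80
"""


def parse_statistics(text):
    """Pull the counters out of 'show ip nat statistics' into a dict."""
    m = re.search(r"Total translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", text)
    stats = {"total": int(m[1]), "static": int(m[2]), "dynamic": int(m[3]), "extended": int(m[4])}
    m = re.search(r"Hits: (\d+)\s+Misses: (\d+)", text)
    stats["hits"], stats["misses"] = int(m[1]), int(m[2])
    stats["expired"] = int(re.search(r"Expired translations: (\d+)", text)[1])
    stats["pools"] = []
    pool_re = r"pool (\S+):.*?total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)"
    for m in re.finditer(pool_re, text, re.S):       # re.S: one pool block spans several lines
        stats["pools"].append({"name": m[1], "total": int(m[2]), "allocated": int(m[3]),
                               "percent": int(m[4]), "misses": int(m[5])})
    return stats


def _endpoint(token):
    """'172.168.1.1:25' -> ('172.168.1.1', 25); '10.10.1.1' -> ('10.10.1.1', None); '---' -> None."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(text):
    """Parse the table printed by 'show ip nat translations' into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:              # skip the column header line
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": None if proto == "---" else proto,
                     "inside_global": _endpoint(ig), "inside_local": _endpoint(il),
                     "outside_local": _endpoint(ol), "outside_global": _endpoint(og)})
    return rows


def pool_health(stats, overload=False):
    """Conditions worth alerting on. With overload a fully allocated pool is normal."""
    alerts = []
    for p in stats["pools"]:
        if p["percent"] >= 100 and not overload:
            alerts.append(f"pool {p['name']}: all {p['total']} addresses allocated")
        if p["misses"]:
            alerts.append(f"pool {p['name']}: {p['misses']} pool misses reported")
    return alerts


def sessions_for(rows, inside_local_ip):
    """All translation rows belonging to one inside host."""
    return [r for r in rows if r["inside_local"] and r["inside_local"][0] == inside_local_ip]
```

The translations parser gives you the inside local/global pairs, which is what you need when a log on the outside names only the global address and port and you want to know which inside host held it; with PAT that attribution depends on the time of the event, because a port goes back into use once its translation expires, so the table should be collected on a schedule rather than only after the fact.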

G. SNAT (Stateful NAT) with HSRP:

1. SNAT provides increased IP resiliency.

2. SNAT allows two or more routers to perform NAT.

3. One router is the active NAT router and the other is the backup.

4. SNAT is designed to work in concert with HSRP to detect failover. However, you can configure SNAT to work on its own.

5. A new feature that broadens SNAT’s protocol support: embedded addressing.

=> With embedded addressing, the NAT process learns ports from the application itself. It allows SNAT to support VoIP, FTP, and DNS applications.

6. Configuring SNAT with HSRP:

a. Use the “ip nat stateful” command.

b. It takes 3 important options: id, redundancy, and mapping-id.

(1) id — identifies the router to the SNAT protocol (each router should be configured with a unique id value).

(2) redundancy — identifies the HSRP process that we are going to use for our configuration.

=> In this example, we have given our HSRP configuration the name SNATHSRP.

(3) mapping-id — identifies which NAT translations are sent to SNAT peers.

=> In this case, we have chosen a mapping id of 10, which means that any translations created in our NAT rule will have an id of 10 associated with them.

=> These translations are then identified – by the mapping id – as ones to send to our peer router.

=> You can have multiple mapping-ids that form a mapping list.

R1:

interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat outside
 standby name SNATHSRP
 standby preempt
 standby priority 120
 standby ip 10.10.1.3
! Any NAT translations with a mapping id of 10 are sent to our peer
ip nat stateful id 1 redundancy SNATHSRP mapping-id 10
!
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255

R2:

interface ethernet0
 ip address 10.10.1.2 255.255.255.0
 ip nat outside
 standby name SNATHSRP
 standby preempt
 standby ip 10.10.1.3
! Enable SNAT for the group (id is 2 for router 2)
! Any NAT translations with a mapping id of 10 are sent to our peer
ip nat stateful id 2 redundancy SNATHSRP mapping-id 10
!
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255

H. SNAT without HSRP:

1. It’s possible to configure SNAT without the benefit of HSRP by using a static primary and peer relationship.

2. The “primary” keyword defines the interface and IP address to use for SNAT, and “peer” names the other router:

R1:

ip nat stateful id 1 primary 10.10.1.1 peer 10.10.1.2 mapping-id 10

R2:

ip nat stateful id 2 primary 10.10.1.2 peer 10.10.1.1 mapping-id 10