CCNA 5.6: Configure, verify, and troubleshoot inside source NAT
Inside source Network Address Translation (NAT) is used to map private IP addresses on a LAN to a public IP address(es) on the outside interface of the router
- The interface of the router connecting to the LAN network is the inside
- The interface of the router connecting to the WAN is the outside
- Different methods of NAT are used depending on the desired outcome: Static, Pool and PAT
- Assign inside and outside NAT interfaces
Router(config)#interface F0/1
Router(config-if)#description OUTSIDE INTERFACE
Router(config-if)#ip address pu.bl.i.c 255.255.255.0
Router(config-if)#ip nat outside
Router(config)#interface F0/2
Router(config-if)#description INSIDE INTERFACE
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Static NAT
- One-to-one mapping
- Translates a specific inside IP address to a specific outside IP address
- Translations are statically configured and placed in the translation table whether there is traffic or not
- This is mostly useful for hosts that provide application services like mail, web, FTP, etc., which outside clients must be able to reach at a fixed public address
Router(config)#ip nat inside source static 192.168.1.10 pu.bl.ic.12
Router(config)#ip nat inside source static 192.168.1.11 pu.bl.ic.25
Pool NAT
- A form of Dynamic NAT
- Many-to-many mappings
- Translates multiple inside IP addresses to multiple outside IP addresses
- Most useful when there are fewer addresses available (the pool) than actual hosts to be translated
- Entries in the translation table are created when hosts initiate connections
- One-to-one mappings are created, but it is called many-to-many because the mappings vary and depend on which IPs in the pool are available at the time of the request
- A NAT entry is removed from the translation table, and its IP address returned to the pool, after a configurable idle period during which the host does not communicate
Steps to configure NAT
- Create a pool of addresses. The pool holds the inside global addresses that hosts are translated to; here it consists of 100 private addresses from .100 to .199, even though the netmask covers all 256 addresses
Router(config)#ip nat pool MYNATPOOL 192.168.1.100 192.168.1.199 netmask 255.255.255.0
- Create an access-list that selects the inside networks to be translated
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
- Associate access-list 100, which selects the internal network 192.168.1.0 0.0.0.255, with the pool MYNATPOOL, and add overload so the pool addresses are shared
Router(config)#ip nat inside source list 100 pool MYNATPOOL overload
- PAT: Port-address translation
- An extension to NAT that permits multiple IP addresses on a LAN to be mapped to a single public IP address
- The goal of PAT is to conserve IP addresses
- A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network.
- PAT is a translation method that allows the user to conserve addresses in the global address pool by allowing source ports in TCP and UDP to be translated.
- Different local addresses map to the same global address and the port translation provides the necessary uniqueness.
- When translation is required, the new port number is picked out of the same range as the original, following the Berkeley Software Distribution (BSD) convention.
- This prevents end stations from seeing connection requests with source ports apparently corresponding to the Telnet, HTTP, or FTP daemon, for example.
- As a result, Cisco IOS PAT supports about 4000 local addresses that can be mapped to the same global address.
- To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:
- Inside Local—This is the local IP address of a private host on your network (e.g., a workstation's IP address).
- Inside Global—This is the public IP address that the outside network sees as the IP address of your local host.
- Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
- Outside Global—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to).
- The overload keyword on the ip nat inside source command is what makes the router use PAT; without it, the pool is used one-to-one
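To make the behaviour of the three methods concrete, here is an added Python model of the router's translation table; it is example code written for these notes, not Cisco IOS code or Packet Tracer output. It models static entries that exist with or without traffic, dynamic pool entries that are created on the first packet and reclaimed after an idle timeout, and overload (PAT), where many inside local addresses share one inside global address and a colliding source port is re-picked from the same band (0-511, 512-1023, 1024-65535) as the original. The class, method names, the TEST-NET addresses and the 300-second timeout are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# IOS PAT picks the translated port from the same band as the original
# (0-511, 512-1023, 1024-65535, the BSD convention), so a translated flow never
# appears to come from a well-known server port unless the original did.
PORT_BANDS = ((0, 511), (512, 1023), (1024, 65535))


@dataclass
class Translation:
    proto: str
    inside_local: tuple    # (ip, port) of the LAN host
    inside_global: tuple   # (ip, port) the outside network sees
    outside_global: tuple  # (ip, port) of the remote host; equals outside local here
    last_seen: float


class InsideSourceNat:
    """Toy model (assumed API) of 'ip nat inside source' static, pool and overload entries."""

    def __init__(self, acl_network, pool_first, pool_last, overload=False, timeout=300):
        self.acl = ipaddress.ip_network(acl_network)
        first, last = (int(ipaddress.ip_address(a)) for a in (pool_first, pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.timeout = timeout  # idle seconds before a dynamic entry is removed
        self.static = {}        # inside local ip -> inside global ip, never expires
        self.table = []         # dynamic Translation entries

    def add_static(self, inside_local_ip, inside_global_ip):
        """'ip nat inside source static A B': present with or without traffic."""
        self.static[inside_local_ip] = inside_global_ip

    def expire(self, now):
        """Idle entries are dropped; their global address/port returns to the pool."""
        self.table = [t for t in self.table if now - t.last_seen < self.timeout]

    def translate(self, proto, src, dst, now):
        """Return the (ip, port) the packet leaves with; None means the pool is exhausted."""
        self.expire(now)
        if src[0] in self.static:
            return (self.static[src[0]], src[1])
        if ipaddress.ip_address(src[0]) not in self.acl:
            return src                       # ACL miss: forwarded untranslated
        for t in self.table:                 # existing flow: refresh the timer and reuse
            if t.proto == proto and t.inside_local == src and t.outside_global == dst:
                t.last_seen = now
                return t.inside_global
        glob = self._pat_allocate(proto, src[1]) if self.overload else self._pool_allocate(src)
        if glob is not None:
            self.table.append(Translation(proto, src, glob, dst, now))
        return glob

    def _pool_allocate(self, src):
        # Dynamic one-to-one: a host keeps its global address for every new flow.
        for t in self.table:
            if t.inside_local[0] == src[0]:
                return (t.inside_global[0], src[1])
        in_use = {t.inside_global[0] for t in self.table} | set(self.static.values())
        free = [ip for ip in self.pool if ip not in in_use]
        return (free[0], src[1]) if free else None

    def _pat_allocate(self, proto, src_port):
        lo, hi = next(b for b in PORT_BANDS if b[0] <= src_port <= b[1])
        for ip in self.pool:                 # overload: fill one global address before the next
            used = {t.inside_global[1] for t in self.table
                    if t.proto == proto and t.inside_global[0] == ip}
            if src_port not in used:         # the original port is kept when it is free
                return (ip, src_port)
            for p in range(lo, hi + 1):      # otherwise the next free port in the same band
                if p not in used:
                    return (ip, p)
        return None


def demo_pool():
    # Constructed scenario: two-address pool, LAN /24 selected by the ACL, 300 s idle timeout.
    nat = InsideSourceNat("192.168.1.0/24", "203.0.113.1", "203.0.113.2")
    web = ("198.51.100.10", 80)
    a = nat.translate("tcp", ("192.168.1.10", 1025), web, now=0)
    b = nat.translate("tcp", ("192.168.1.11", 1025), web, now=1)
    c = nat.translate("tcp", ("192.168.1.12", 1025), web, now=2)    # pool exhausted
    d = nat.translate("tcp", ("192.168.1.12", 1025), web, now=400)  # the others idled out
    return a, b, c, d


def demo_pat():
    # Constructed scenario: one global address with overload, plus one static mapping.
    nat = InsideSourceNat("192.168.1.0/24", "203.0.113.1", "203.0.113.1", overload=True)
    nat.add_static("192.168.1.50", "203.0.113.9")
    web = ("198.51.100.10", 80)
    a = nat.translate("tcp", ("192.168.1.10", 1025), web, now=0)  # port 1025 free: kept
    b = nat.translate("tcp", ("192.168.1.11", 1025), web, now=0)  # collision: 1024, same band
    c = nat.translate("udp", ("192.168.1.12", 1025), web, now=0)  # other protocol: 1025 free
    d = nat.translate("tcp", ("192.168.1.50", 5000), web, now=0)  # static entry wins
    return a, b, c, d
```

Running demo_pool() shows the third host getting no translation while the two pool addresses are held, and then getting one once the idle timer has reclaimed them; demo_pat() shows why a single global address is enough once the port becomes part of the mapping, and that the port is only rewritten when it actually collides within the same protocol. The tuples in each Translation correspond to the inside local, inside global and outside global entities defined above, in the same order as the columns of show ip nat translations.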
PacketTracer Lab: CCNA-5.6-Configure-verify-and-troubleshoot-inside-source-NAT.pkt