Answers: Dynamic NAT 1

certskills
By certskills August 10, 2016 09:10

This latest lab asked you to configure dynamic NAT. As always, it is helpful to do the lab first, even on paper or in a text editor. However, this is a great one to try on real gear or with any other tool – make sure to create some traffic and prove to yourself that the NAT configuration worked. Check out the original lab here first.

 

Answers

Figure 1: Dynamic NAT Topology

 Example 3: R1 Config

Commentary

There are a number of different ways to configure NAT, including static NAT, dynamic NAT, and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to a specific outside address (called an inside global address). Dynamic NAT is slightly different because the outside address is allocated from a configured pool; which address in the pool a specific device will get is not specified. The third major type of NAT is PAT (or NAT overload); this type of NAT can be configured either with a specific outside address or with a configured pool.

The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address by using unique TCP and UDP port numbers to decide where and how to translate the packets.

To begin, you have to determine which interface(s) connect to hosts inside the network, and which connect to the outside network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface. To configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface. To configure this, use the ip nat outside command while in interface configuration mode.

Next, you were tasked with configuring a NAT pool called nat_pool that includes addresses 172.16.10.10 through 172.16.10.20. The ip nat pool nat_pool 172.16.10.10 172.16.10.20 netmask 255.255.255.0 command does just that. The two addresses define the beginning and end of the range of addresses in the pool.

Note that the netmask value (255.255.255.0 in this example) acts as a math check. As long as the two addresses are in the same subnet, if using the listed subnet mask, then your answer is correct. It does not have to match the actual subnet mask. In this case, masks 255.255.255.224, 255.255.255.192, and 255.255.255.128 would also work.

Take a quick look at the ip nat inside source command; note that it refers to an ACL (ACL 1 in the sample). The ACL should match the inside local addresses that should drive the NAT function. In this case, packets coming from hosts in subnet 10.1.1.0/24 should cause dynamic NAT to occur, so the simple ACL 1 matches packets whose source IP address is in that subnet with the access-list 1 permit 10.1.1.0 0.0.0.255 command.

Taking a closer look at the ip nat inside source command, the fourth and final task requires this command to link the ACL logic, which matches packets by source address (source list 1), to the pool from which an inside global address is dynamically allocated (pool nat_pool). The full command strings all the ideas together: ip nat inside source list 1 pool nat_pool.

Finally, note that the requirements tell you to configure static routes on R2 as needed for the inside global addresses. In this case, the configuration uses a range of addresses that exist in the subnet between R1 and R2, so R2 already has a connected route that includes the addresses used by NAT. So there is no need for any additional static routes.
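The pool netmask math check and the dynamic allocation described above, as an added Python model (not code from the original post and not IOS itself): it tests whether the two pool boundaries share a subnet under a given mask, then hands out inside global addresses from nat_pool one per inside local host, including the case where all 11 addresses are in use. The DynamicNat class, its status strings, and the drop-on-exhaustion behaviour are assumptions made for this model.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def pool_mask_check(first: str, last: str, netmask: str) -> bool:
    """Mirror the 'netmask' math check on ip nat pool: both boundary
    addresses must land in the same subnet under the given mask. The mask
    need not be the interface's real mask, so several masks can pass."""
    lo = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    hi = ipaddress.ip_network(f"{last}/{netmask}", strict=False)
    return lo == hi


def pool_addresses(first: str, last: str) -> List[str]:
    """Expand the inclusive start/end range of an ip nat pool."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class DynamicNat:
    """Constructed model of 'ip nat inside source list <acl> pool <pool>'."""

    def __init__(self, acl_subnet: str, first: str, last: str):
        self.acl = ipaddress.ip_network(acl_subnet)  # access-list 1 permit ...
        self.free = pool_addresses(first, last)       # unused inside globals
        self.table: Dict[str, str] = {}               # inside local -> global

    def translate(self, inside_local: str) -> Tuple[str, Optional[str]]:
        """Return (status, inside_global) for a packet from inside_local."""
        if ipaddress.ip_address(inside_local) not in self.acl:
            return ("bypass", None)          # ACL miss: routed untranslated
        if inside_local in self.table:       # existing entry is reused
            return ("translated", self.table[inside_local])
        if not self.free:                    # assumed: no free address -> drop
            return ("exhausted", None)
        inside_global = self.free.pop(0)     # dynamic: next free pool address
        self.table[inside_local] = inside_global
        return ("translated", inside_global)

    def clear(self, inside_local: str) -> None:
        """Model an entry timing out or being cleared: return it to the pool."""
        inside_global = self.table.pop(inside_local, None)
        if inside_global is not None:
            self.free.append(inside_global)


if __name__ == "__main__":
    nat = DynamicNat("10.1.1.0/24", "172.16.10.10", "172.16.10.20")
    for host in range(1, 13):                # 12 hosts for an 11-address pool
        print(host, nat.translate(f"10.1.1.{host}"))
    print(pool_mask_check("172.16.10.10", "172.16.10.20", "255.255.255.240"))
```

Run as a script, the twelfth host reports "exhausted", which is the practical limit of dynamic NAT with a small pool, and the 255.255.255.240 check prints False.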


3 Comments

  1. rfinell July 17, 21:40

    “Note that the netmask value (255.255.255.0 in this example) acts as a math check. As long as the two addresses are in the same subnet, if using the listed subnet mask, then your answer is correct. It does not have to match the actual subnet mask. In this case, masks 255.255.255.240, 255.255.255.224, 255.255.255.192, and 255.255.255.128 would also work.”

    Why would mask 255.255.255.240 work? Doesn’t that put 172.16.10.10 and 172.16.10.20 in different subnets?

    • CCENTSkills July 25, 10:27

      Hi,
      It wouldn’t, for the reasons you noted. Mask 255.255.255.240 shouldn’t have been listed. I’ve removed it from the description. Thanks for the note!
      Wendell

  2. Million November 22, 16:08

    Hi Wendell,
    My comment is that you used a private IP address for your pool of addresses. The problem with that is that even though the NAT works, those servers will still not get Internet connectivity or communicate with a host on the other side, because they are still using a private IP as an inside global address.
