Dynamic NAT 1

certskills
By certskills August 8, 2016 09:05

Dynamic NAT – specifically, dynamic NAT without also doing PAT – creates a 1-to-1 mapping between an inside local address and an inside global address. Unlike static NAT, however, with dynamic NAT the specific IP addresses to map are not pre-determined. The router adds the entries to the table, taking them from a pool, and then removing them after inactivity for later re-use. Today’s lab gives you practice creating the configuration, including defining the pool of addresses.

Requirements

Configure dynamic Network Address Translation (NAT) on R1 for devices S1, S2, and S3, as follows:

  • Enable dynamic NAT for all hosts in the subnet connected to R1’s G0/1 interface, a subnet inside the enterprise network
  • Create a pool of addresses to use when translating before forwarding packets towards R2, considered to be the outside part of the network.
  • Use a name of nat_pool
  • The pool should use a subset of the addresses in the subnet that sits between R1 and R2, specifically addresses 172.16.10.10 through 172.16.10.20 (inclusive)
  • Configure static routes as needed on R2 so that R2 can forward packets back to these inside global addresses
  • Assume all router interfaces shown in the lab are up, working, and configured with IP addresses

Figure 1: Dynamic NAT Topology

Initial Configuration

Example 1 and 2 show the beginning configuration state of R1 and R2.

Example 1: R1 Config

Example 2: R2 Config

 

Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear or other tools, configure the lab using them.

To test your solution if you happen to try it with VIRL or real gear, you can verify the NAT configuration by checking the reachability of R2 from S1, S2, or S3 using the ping command. After these pings have been issued, you can check which addresses where assigned by using the show ip nat translations command on R1 or verify the NAT configuration and status by using the show ip nat statistics command. Or telnet from a PC to router R2. To do that, you might need to add the commands line vty 0 15, transport input all, login, and password cisco to set up simply password security and enable Telnet on router R2.

Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

All interfaces in topology match the lab figure.

Network Device Info:

The switch used in the lab is an unmanaged switch.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device

IP Address

User/password

PC1

10.1.1.25

cisco/cisco

PC2

10.1.1.35

cisco/cisco

PC3

10.1.1.45

cisco/cisco

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: telnet 10.1.1.1

Answers: CLI Miscellany 1
Answers: Dynamic NAT 1
certskills
By certskills August 8, 2016 09:05
Write a comment

6 Comments

  1. Ryuu May 12, 00:03

    Hello ..
    i have one question regarding NAT .
    on my lab i have 3 routers and 2 PCs

    R1 > is acting as ISP router.
    int 0/0 ip add 8.8.8.2/30 connecting to R2
    R2 > connecting to ISP & to my lan
    int 0/0 ip add 8.8.8.1/30 connecting to ISP
    int 1/0 ip add 192.168.150.1/25 conn to LAN
    for some reason when i enable NAT.
    int 0/0
    ip nat out
    int 1/0
    ip nat in
    when i type ” ip nat out ” under 0/0 i can no longer ping ISP router and ISP can’t ping my local global address. but RIPv2 updates going through and i can ping ISP router from my local network. and when i delete “ip nat out” i can ping ISP & ISP can ping my local global address. what is the problem here?

    Reply to this comment
    • CCENTSkills May 15, 09:16

      I not guessing the issue off the top of my head, unless it’s an incomplete config. Do you have an “ip nat inside…” global command to define the rules of what should be natted? That’s the only thing that comes to mind.

      Reply to this comment
  2. nadir May 12, 01:23

    Having issues with pinging the global ip when “ip nat outside” is applied to the outside interface on my 2811 router.
    When i dont attempt to do translation of inside lan ips to the inside global ip ie there is no “ip nat outside” on the outside interface i can ping the golbal inside ip from the routers cli and from the internet.
    Once i apply “ip nat outside” i cant ping the ip from the routers CLI or see it from the internet. However my lan ips can access the internet just fine.
    put simply, whenever nat is applied the router cant ping its own global ip on the outside interface.

    Reply to this comment
  3. alice June 13, 14:54

    hello ,
    Though i have configured the inside local and global interfaces correctly, what could be the reasons, if the ‘sh ip nat translation’ command doesn’t list any translations?
    Can we use any routing process(like static routes or routing protocols ) on the NAT router ?

    Reply to this comment
    • CCENTSkills June 19, 07:19

      Hi Alice,
      If you configure static NAT, the translation should appear assuming you’ve done the config correctly and the interfaces are up/up. However, for dynamic NAT, you have to generate some packets that cause dynamic NAT to need to create a translation table entry. Try issuing a ping or telnet to create some traffic if that was the case for you.
      Wendell

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories