Answers: PAT w/ a Pool 1

certskills
By certskills July 13, 2016 09:10

Configuring #PAT with a pool has it all as far as NAT is concerned. Exercise your memory and skills, and as always, find a place to try it out if you can. (This config may have the command with the most parameters/keywords in a single command within all of CCENT and CCNA R&S!) The lab requirements are at this post.

Answers

Figure 1: PAT Topology

Example 3: R1 Config

Example 4: R2 Config

 

Commentary

There are a number of different ways to configure NAT including static NAT, dynamic NAT and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to a specific outside address (called an inside global address). Dynamic NAT is slightly different because the outside address to be used will be allocated from a configured pool, which address in the pool that will be used for a specific device is not specified. The third major type of NAT is called PAT (or NAT overload); this type of NAT can be configured either with a specific outside address or with a configured pool.

The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address by using unique TCP and UDP port numbers to decide where and how to translate the packets.

As an overview of the requirements, for this lab you were tasked with configuring PAT using a NAT pool called nat_pool and access list 1. The NAT pool should be configured with one address (10.15.20.130) with the associated interface’s subnet mask. The ACL should match only R1’s LAN connecting to S1, S2, and S3. Once these are configured, the last step is to configure a PAT statement to use both the NAT pool and ACL to map entries from R1’s LAN to the configured address.

To begin, you have to determine which interface(s) connect to hosts inside the network, and which hosts connect to the outside network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface. To configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface. To configure this, use the ip nat outside command while in interface configuration mode.

Next, you were tasked with configuring a NAT pool called nat_pool and include address 10.15.20.130 only. To accomplish this, use the global command ip nat pool nat_pool 10.15.20.130 10.15.20.130 netmask 255.255.255.252. This command defines the same address twice, which defines the beginning and ending address in a range, meaning a range of length 1 in this case.

Note that the netmask value (255.255.255.252 in this example) acts as a math check. Per the requirements, you should have used 255.255.255.252; however, as long as the two addresses are in the same subnet if using the configured subnet mask, the command would work.

 

 

 

The third task to perform is to configure the ACL to match R1’s LAN connecting to S1, S2, and S3; this LAN subnet is 192.168.100.64/26. To configure this, use the access-list 1 permit 192.168.100.64 0.0.0.63 command.

The last part of the NAT-specific config uses one long command that ties the ideas together. It ties packets entering source interfaces, to matching logic based on ACL 1, to the use of a NAT pool called nat_pool, and to use PAT (overload). The command: ip nat inside source list 1 pool nat_pool overload.

Beyond NAT, the routers in the outside part of the network need a route to send packets back to the inside global address, that is, the address in the pool. The requirements of the lab tell you to configure a static route on R2 to remedy this. The command to configure on R2 would be ip route 10.15.20.128 255.255.255.252 172.16.100.1, with 172.16.100.1 being R1’s G0/2 IP address, as found in the initial configuration for R1.

PAT w/ a Pool 1
Layer 3 Switching 1
certskills
By certskills July 13, 2016 09:10
Write a comment

8 Comments

  1. abrakour June 5, 06:27

    Hi Wendell,
    Could you explain a little more on the choice of the subnet masks both on defining the NAT and the static route on R2?

    I mean, since we’re using single addresses, what’s the point of including the rest (it’s only one address but still) of the subnet? I get how it’s not affecting the functionality of the configuration, it just does not feel right. I hope I phrased it wright and you get what I mean.

    Reply to this comment
    • CCENTSkills June 6, 09:58

      Abrakour,
      I think I get what you mean. I chose to use the same mask for both the subnet and the “ip nat pool” command just for consistency. The rationale: You set aside a subnet on the loopback for the long-term use for NAT/PAT. Today, you use one IP address. But you made a larger subnet for the sake of future growth. Since the pool’s (currently) single IP address comes from that subnet, I used the same mask as the subnet.

      Maybe you have a different idea of what you would choose as a normal NAT config in this case, and maybe that’s what causing you to not feel right?

      And to be clear, I think we both it it’s correct, and that there are other correct alternatives. Your getting at what’s making you feel like something’s not quite right. Note that all the mask does on the “ip nat pool” is to do a check on the address range to make sure that they are all in the same subnet, so it’s really just a math check.
      Wendell

      Reply to this comment
      • abrakour July 14, 13:04

        Hi Wendell,
        My “not feeling right” was because we were defining a single address (twice) in the “ip nat pool” command followed by a mask that included another address. I mean, why don’t we use a 255.255.255.255 subnet mask? But your explanation covered my Q.
        Thanks again!

        Reply to this comment
  2. Bav January 1, 13:10

    Hi Wendell,

    What is the significance of the loopback interface? I see it’s also using the same subnet address as the NAT pool.

    Reply to this comment
    • CCENTSkills January 8, 09:49

      Hi Bav,
      NAT needs an/some address(es) to translate to for the global address space. So, you can use the outside interface address, unused addresses in the outside interface, or any other subnet, as the subnet off a loopback interface. however, on the return trip, the routers in the global address space need to have a route so they can forward the packet back to the NATing router. When using addressing on the link between the enterprise and the ISP, that route usually exists already (but not always). When using addresses from some other interface, like a loopback interface, you need to take extra care that the routers in the global address space can route the packet back.
      W

      Reply to this comment
      • Jacob T December 22, 11:03

        I think the question here is: Why have the Loopback interface/subnet at all?

        Would it be valid to simply NAT from the inside 192.168.100.64 /26 subnet to R1s GigabitEthernet0/2 interface IP of 172.16.100.1 instead?

        My current thoughts as to the reason:

        In an earlier comment, you stated the rationale for assigning a single address to the nat_pool, but still setting aside a /30 subnet for that pool, was for future growth. This subnet is the one used off the loop0 interface.
        That being said, the purpose of the loopback is for future growth?
        If you simply translated it to GigabitEthernet0/2’s IP address, that subnet is currently used up (2 usable addresses, one for R1 and the other for R2). If you ever needed to add an additional global address in that subnet for NAT/PAT purposes, you couldn’t. There are no more addresses to use. So, you create a loopback interface in a different subnet and use that as your global address pool for NAT/PAT instead.

        Correct? Or am I missing something?

        Reply to this comment
        • CCENTSkills January 18, 10:32

          Hi Jacob,
          Makes sense to me.
          It’s definitely not a question of what can be done, but of preferences, and of small advantages. EG, maybe the WAN link comes from the provider’s address space, and the company has a small publix prefix. You would then create a small subnet, add it to a loopback as shown here. But yes, from a what works, assuming the address space on the link is routable from the global side, NATting to addresses in that subnet is reasonable (vs using a separate loopback+subnet).
          Wendell

          Reply to this comment
  3. Paolo February 6, 14:52

    Hi Wendell,

    I configured the “ip route 10.15.20.130 255.255.255.255 172.16.100.1” on R2, because it’s the only address in the nat_pool, is that correct?
    I know that this way R2 can’t reach the loopback interface on R1 but it is not a requirement, if I’m not wrong…

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories