Config Lab: Static NAT 1
Static NAT matches a single inside local address with a single inside global address. It does not conserve addresses, but it does let you make a server reachable to external devices with a permanent address to use with the static NAT entry. This lab asks you to configure static NAT for a small set of servers that need to be made available to users in the Internet.
The Lab Exercise
Requirements
Configure static Network Address Translation (NAT) on R1 for inside hosts S1, S2, and S3. Think of R2 as a router at the ISP and router R1 as the Enterprise router that performs NAT. The available inside global addresses exist in a subnet off interface loopback 0. The specific rules for this lab are:
- Configure S1 to use inside global address 172.16.1.10
- Configure S2 to use inside global address172.16.1.20
- Configure S3 to use inside global address 172.16.1.30 a
- For a route to direct packets from the Internet back to the Enterprise, configure a static route on R2 to match the inside global addresses found on R1’s loopback 0 interface (subnet 172.16.1.0/24.)
- Assume all router interfaces shown in the lab are up, working, and configured with IP addresses
Figure 1: Static NAT Topology
Initial Configuration
Examples 1 and 2 show the beginning configuration state of R1 and R2.
hostname R1
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/2
ip address 10.10.10.1 255.255.255.252
no shutdown
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.252
no shutdown
Example 2: R2 Config
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
The CML topology matches the lab topology.
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Static NAT Topology
interface GigabitEthernet0/1
ip nat inside
!
interface GigabitEthernet0/2
ip nat outside
!
ip nat inside source static 192.168.1.10 172.16.1.10
ip nat inside source static 192.168.1.20 172.16.1.20
ip nat inside source static 192.168.1.30 172.16.1.30
Example 3: R1 Config
!
ip route 172.16.1.0 255.255.255.0 10.10.10.1
Example 4: R2 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
There are several ways to configure NAT, including static NAT, dynamic NAT, and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to a specific outside address (called an inside global address). Dynamic NAT differs slightly because it allocates the outside address from a configured pool, with the router choosing the specific IP address to use in each case. The third major type of NAT, PAT (or NAT overload), supports using either a specific outside address or a configured pool.
The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address using unique TCP and UDP port numbers to decide where and how to translate the packets.
For this lab, you were tasked with configuring static NAT, specifically entries to translate the addresses of servers S1, S2, and S3. The requirements also specified which specific outside addresses to use: 172.16.1.10 (S1), 172.16.1.20 (S2), and 172.16.1.30 (S3).
First, you have to determine which interface(s) connect to hosts inside the network and which hosts connect to the outside network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface; to configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface; to configure this, use the ip nat outside command while in interface configuration mode.
The second task to perform is to configure the static NAT entries. S1, an inside host, uses address 192.168.1.10. R1 then needs an ip nat inside source static 192.168.1.10 172.16.1.10 global command to create the static NAT entry. This causes R1 to monitor packets arriving on the inside interfaces, look for those with a source IP address of 192.168.1.10, and if found, translate that source address to 172.16.1.10 if forwarding that packet out an outside interface. Similarly, the commands ip nat inside source static 192.168.1.20 172.16.1.20 and ip nat inside source static 192.168.1.30 172.16.1.30 create the NAT table entries for the other two servers.
Beyond the NAT configuration, routers in the outside part of the design need to route packets to the inside global addresses. In this lab, the only router in the outside part of the network is R2. The requirements asked that we create a static route for the 172.16.1.0/24 subnet on R2 so that R2 would have a route to send packets back to the inside global addresses. The command to configure R2 would be ip route 172.16.1.0 255.255.255.0 10.10.10.1, with 10.10.10.1 being R1’s G0/2 IP address, as found in the initial configuration R1.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | CPT static NAT show commands differ from real | Cisco Packet Tracer (CPT) supports static NAT configuration, and the feature works once configured. However, the show commands display output as if you had configured dynamic NAT or dynamic NAT with PAT, for instance, displaying port numbers in the NAT table entries. |
2 | Better results in CPT with configure, save, close, open, verify process. | CPT may show incorrect NAT behavior if you configure NAT and then move directly to testing. You might want to configure, then save and re-open the .pkt file before testing. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- Verify the NAT configuration by checking the reachability of S1, S2, and S3 from R2 or vice versa.
- From R2, try the ping 172.16.1.10 command, pinging S1’s inside global address, which tests the static NAT configuration.
- From R2, you could connect to a server with SSH using the ssh -l cisco global-inside-address command.
- Alternately, from the command prompt of the servers, try to ping R2 or Telnet/SSH to R2.
Hi Mr Odom,
Was R2 included in this lab just for testing purposes, or it has an essential role ?
Thanks in advance
Hi,
R2 is there for testing only. NAT could work in this case without R2 being there, but you can test as discussed in the Verification Tips tab using R2 as a destination on the other side of the NAT function.
Wendell
Thank you!
Hello Mr. Odom,
Hoping you can help me understand this lab. I am unable to ping R2’s G0/1 interface from any of the servers using the CPT file provided. I am also confused why the CCNA 200-301 study guide did not mention using a loopback interface but the lab sets up a scenario where a loopback has the inside global address and is the target interface between inside and outside traffic. Why not just setup R1’s interface as you did in your examples within the book?
Thank you in advance,
J
Hi Joe,
This one took a bit to investigate. And I’ve been out for a bit. Sorry for the delay.
1) The ping result question. It’s a Packet Tracer issue. If configured on real gear as shown, the ping would work.
2) The ping result question, part 2: It now works if you use the revised .pkt file. PT supports static NAT a little, but not well. It appears (my opinion) that they made dynamic NAT work, and added a little more code to make static NAT sort of work. For example, the NAT show commands are incorrect when static NAT is configured (at current PT versions.) When investigating, I noticed that if (a) I changed the WAN link’s subnet masks to 255.255.255.0 (not 255.255.255.252 as they were), the pings then worked as configured in this lab.
So… if you try the lab again, downloading the revised .pkt file as of today, the ping will work if you just add the config shown in the solution. At least it does for me.
I can’t tell you why, as it’s overcoming a bug (in my opinion.)
3) Using a loopback interface rather than the WAN link IP addresses. Your question here is more about choices I make about this blog and my books rather than a technical question. I could have made this lab use the WAN link’s IP address range, but when we wrote this lab, we choice to use a loopback. The book makes brief mention of that option, just under Figure 10-9 in the 200-101 OCG, but shows no examples. By choice, I let the content in the blog roam a bit more than I do with the books, which of course need to be held to a more rigorous approach.
As an exercise, I’d say change the lab to use addresses from the range on the WAN link, and see how it works.
Hope this helps,
Wendell
Hello Wendell,
Please a question. This is unrelatred to this topic, there is no blog post for chapter 16 of vol 2 and I didn’t know where to ask the question.
I do not quite understand the concept of NBI and would appreciate if you can explain it with an example. From the text, I understand the control plane functions are removed from the networking devices and centralised on the controller. The text indicates the controller gathers all useful information about the network and the NBI opens the controller so that its data and functions can be used by other programs. Are you able to walk through this concept with an example like how OSPF would work in an SD network?
Am basically looking to understand how this works in real life from start to finish using a control plane protocol if this is not too much to ask. Maybe that will help me understand the concept of NBI. Thanks.
Well, I can try. Not sure I can do that in a reasonable length.
So, imagine OSPF as implemented in a router. Separate all that OSPF does with all that IP routing does – that is, receiving a packet, matching the IP routing table, forwarding the packet. IP routing relies of good IP routing table entries, and of course, OSPF, running locally on the router, adds many of those entries to the IP routing table.
Now take all that OSPF software, all it’s tables, the LSDB, etc etc. Move it all to a server. OSPF on that server has all the config, all the data, everything it needs to do all the calculations for ALL the routers.
It makes the calculations on the server.
Then, it uses a new interface/protocol to communicate with each router, telling each router what IP routing table entries to add to the respective router’s IP routing table.
At that point, all routers’ IP routing tables have the same IP routing table entries they would have had in the old model. They were just learned from a centralized server.
So, to your specific questions:
1) Any OSPF config would exist in the centralized controller where OSPF runs
2) There would be new things created in software for OSPF to know each router’s interface IP addresses and interface state. That would be part of the API and protocol from the controller to the router.
3) For the data plane, aka your “to be able to route packets”, nothing new is needed. The routers already have the ability to route packets based on routing table entries.
Hope this helps.
W
hello again Grand Master,
quick question – i configured a static route* on R2 to subnet 172.16.1.0 with a netmask of 26 (to include up to the .30 assignment to S3) instead of /24 – all pings worked to satisfy the lab requirements.
the questions is – would this be an indirect access-control method, in that, had there been more hosts connected to SW1 (ex S4 using .40), access through R2 to the Server subnet would be limited to hosts with ip addresses up to .30?
in other words, end hosts (and R2) would not be able to communicate with S4 = access control?
*S 172.16.1.0/26 [1/0] via 10.10.10.1
corrections:
1st line – “i configured a static route on R2 to subnet 172.16.1.0 with a netmask of 27 …”2nd to last line – “end hosts connected to R2 (and R2)” …
sorted tested the lab with the added devices and proved my assumption. TY!
David,
Even better – you saw it for yourself!
I agree, it works… but for “operational simplicity”, aka using the KISS principle so the whole staff understands, I’d say match the subnet, and use ACLs for filtering.
what if i let all configuration be same and chose the interface loopack 0 for ip nat outside?
i think that im wrong but just confused .
we mapped the inside locals(in subnet 192.168.1.0/) to inside globals that are in subnet 172.16.1.0/24 (after which our loopback interface resides )so why dont we choose this as our ip nat outside?
if iam configuring this way i can ping r2 from s1 but i cannot ping s1 from r2?did we choose because of this point asked
i think i dont understand the packet flow in this question
Sana,
Yeah, I think the lab was missing a few ideas. I’ve added some text to the lab setup section to talk about what you’re asking about. But:
The *ip nat outside* command goes on the interface that the router forwards packets on. It’s not identifying the interface from which you find the inside global addresses.
Also, with inside NAT, TCP and UDP flows (and presumably ICMP flows) must be initiated from inside the network, so the ping from R2 to S1 won’t normally work.
Instead of, “ip route 172.16.1.0 255.255.255.0 10.10.10.1,” can I use “ip route 172.16.1.0 255.255.255.0 g0/1″? Or is that incorrect?
Thank you!
Proof’s in the working. Did it work? I think it should. But yes, with IPv4, using the outgoing interface works.