Config Lab: Pat w/ a Pool 1

 In 200-301 V2 Ch10: NAT, 200-301 V2 Part 3: IP Services, 200-301 V2 Parts, Config Lab, Config Lab CCNA Vol 2 Part 3, Hands-on

Configuring PAT with a pool of inside global addresses combines almost everything you can possibly configure with NAT in a Cisco router. Look at the requirements in this latest lab and put together your own configuration, with a pool and PAT multiplexing connections using port numbers.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

Requirements

Configure PAT to support hosts in the subnet off R1’s G0/1 interface, for instance, for inside hosts like S1, S2, and S3. Use the following specific rules:

  • Match all inside addresses using a numbered ACL (ACL 1)
  • Configure a NAT pool called nat_pool, have the pool use the IP address 10.15.20.130 using the associated interface subnet mask
  • Configure a PAT statement to use ACL 1 and the configured nat_pool for outside communications to R2
  • Configure static routes as needed on R2 so that R2 can forward packets back to these inside global addresses
  • Assume all router interfaces shown in the lab are up, working, and configured with IP addresses

 

Figure 1: PAT Topology

 

Initial Configuration

Examples 1 and 2 show the beginning configuration state of R1 and R2.

hostname R1
!
interface Loopback0
 ip address 10.15.20.129 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 192.168.100.65 255.255.255.192
 no shutdown
!
interface GigabitEthernet0/2
 ip address 172.16.100.1 255.255.255.252
 no shutdown

Example 1: R1 Config

 

hostname R2
!
interface GigabitEthernet0/1
 ip address 172.16.100.2 255.255.255.252
 no shutdown

Example 2: R2 Config

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!

Network Device Info:

The CML topology matches the lab topology.

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

Answers

Figure 1: PAT Topology

 

interface GigabitEthernet0/1
 ip nat inside
!
interface GigabitEthernet0/2
 ip nat outside
!
ip nat pool nat_pool 10.15.20.130 10.15.20.130 netmask 255.255.255.252
ip nat inside source list 1 pool nat_pool overload
access-list 1 permit 192.168.100.64 0.0.0.63

Example 3: R1 Config

 

ip route 10.15.20.128 255.255.255.252 172.16.100.1

Example 4: R2 Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

Commentary

There are several ways to configure NAT, including static NAT, dynamic NAT, and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to a specific outside address (called an inside global address). Dynamic NAT differs slightly because it allocates the outside address from a configured pool rather than pre-determining the specific address to use in each case. The third major type of NAT, PAT (or NAT overload), uses either a specific outside address or a configured pool.

The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address using unique TCP and UDP port numbers to decide where and how to translate the packets.

As an overview of the requirements for this lab, you were tasked with configuring PAT using a NAT pool called nat_pool and access list 1. The NAT pool should be configured with one address (10.15.20.130) with the associated interface’s subnet mask. The ACL should match only R1’s LAN connecting to S1, S2, and S3. Once these are configured, the last step is to configure a PAT statement to use both the NAT pool and ACL to map entries from R1’s LAN to the configured address.

First, you have to determine which interface(s) connect to hosts inside the network and connect to hosts outside the network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface. To configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface. To configure this, use the ip nat outside command while in interface configuration mode.

Next, you were tasked with configuring a NAT pool called nat_pool and include address 10.15.20.130 only. To accomplish this, use the global command ip nat pool nat_pool 10.15.20.130 10.15.20.130 netmask 255.255.255.252. This command defines the same address twice, which defines the beginning and ending address in a range, meaning a range of length 1 in this case.

Note that the netmask value (255.255.255.252 in this example) acts as a math check. Per the requirements, you should have used 255.255.255.252; however, as long as the two addresses are in the same subnet if using the configured subnet mask, the command would work.

The third task to perform is to configure the ACL to match R1’s LAN connecting to S1, S2, and S3; this LAN subnet is 192.168.100.64/26. To configure this, use the access-list 1 permit 192.168.100.64 0.0.0.63 command.

The last part of the NAT-specific config uses one long command that ties four ideas together:

  1. Packets entering interfaces (per the source keyword)
  2. Packets matching the logic in ACL 1
  3. To use a NAT pool called nat_pool
  4. To use the PAT (overload) feature

The command: ip nat inside source list 1 pool nat_pool overload.

Beyond NAT, the routers in the outside part of the network need a route to send packets back to the inside global address, that is, the address in the pool. The requirements of the lab tell you to configure a static route on R2 to remedy this. The command to configure R2 would be ip route 10.15.20.128 255.255.255.252 172.16.100.1, with 172.16.100.1 being R1’s G0/2 IP address, as found in the initial configuration for R1.

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

# Summary Detail
1 Occasional incorrect NAT show command output based on sequencing CPT may show incorrect NAT behavior if you configure NAT and then move directly to testing. You might want to configure, then save and re-open the .pkt file before testing.

 

Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps. 

  1. Verify the dynamic PAT configuration by checking the reachability from S1, S2, and S3 to R2 using ping.
    1. At router R1, using the show ip nat translations command to verify that the NAT table begins with no entries.
    2. From S1/S2/S3, try the ping 172.16.10.2 command, pinging R2’s global address, which tests the static NAT configuration.
    3. At router R1, using the show ip nat translations command to verify a new NAT table entry appeared in support of each flow.
    4. Pay close attention to the port numbers used.
    5. Pay close attention to the outside global address(es) used and compare those to the range of addresses in the configured NAT pool.
  2. Use a TCP or UDP app to test from S1/S2/S3 to router R2. For instance, use Telnet.
    1. Because the initial configuration did not prepare router R2 for inbound Telnet, add configuration on R2 as follows:
      • line vty 0 15
      • transport input all
      • login
      • password cisco
    2. From S1/S2/S3, try the telnet 172.16.100.2 command, pinging R2’s global address, which tests the static NAT configuration.
    3. At router R1, using the show ip nat translations command to verify a new NAT table entry appeared in support of each flow.

More Labs with Related Content!

Config Lab: Interface PAT 1
Announcing: New Config Labs, with Packet Tracer and CML Support
Subscribe
Notify of
guest

15 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Everett Dean

Want eBooks? Want extra practice questions? Get the Premium Edition: CCNA 200-301 Official Cert Guide, Volume 1 Premium Edition eBook and Practice Test.

I have purchased the premium edition above and have been unable to get the simulator lite installed have contacted Pearson this week and the file that is downloaded from their site does not complete the installation can you advise.

Everett Dean
everett.d.dean@hotmail.com
Home 321 425-6168
Cell 321 604-7842

certskills

Hi Everett,
Thanks for the note, and thanks for getting the Premium Edition of the book. As for your specific issue, that’s something I don’t have any ability to help with. Pearson produces, packages, etc the Sim. Sounds like you can download it but it doesn’t work. The only path then is to continue to work with Pearson support. Hope you find a good resolution.
Regards,
Wendell

cam

Heads up, looks like default gateway is misconfigured on s1-s3. Should be 192.168.100.65, not 192.168.100.1. Thanks a bunch for putting all these together, have been a huge help being able to practice on different architectures and learn specific skills without needing to think about the whole setup process each time.

certskills

Hi Cam,
You’re quite welcome! Glad you’re finding them useful. And it’s great to hear that the labs are working as intended.
All,
I fixed the .pkt file per Cam’s note, so the default gateway settings are now correct (if you download the file anew.)
Wendell

Lawrence

I’m confused about the route for R2: why do we use R1’s loopback address as the route? Since all the inside addresses will be translated to 10.15.20.130, why not use that as the route with a /32 mask?
Thanks.

certskills

Lawrence,
I’d agree that the /32 route you suggest would work and would meet the requirements as stated. It would certainly work in that NAT, as configured for this lab, will function with the route you suggest or the one shown here in the answer. I probably made the route match the entire subnet out of habit, expecting that one day the NAT pool would increase in size.

ccna questions

yes, NAT pool size is likely to increase in size.

anon

Hi I would love to ask why dont we use ip nat outside on the loopback interface? Could you elaborate on how to decide when and on which interfaces to use inside/outside? Thanks a bunch!

certskills

Sure, Petro.
Think of those two commands as enabling NAT in the data plane. Without them, when a frame arrives on an interface, the router does not perform NAT before routing the packet. With those commands, the router performs NAT before performing routing.
Regarding the commands, the most likely config for NAT uses “inside source” nat as enabled with the global “ip nat inside source…” command. Assuming that’s configured, “ip nat inside” says, when a packet arrives entering that interface, before routing, perform NAT as per the detail in the “ip nat inside source” command. That means checking for current NAT table entries that match, plus adding NAT table entries as needed.
For packets that enter an outside interface, the “ip nat outside” command says “do NAT”, but because inside NAT is enabled globally, and the interface command says “outside”, the NAT logic only uses the existing NAT table entries. It does not trigger the addition of a new NAT table entry, just as you would want. EG, you would not want some device in the Internet to create a table entry to allow access to devices inside the enterprise.
Why not the loopbacks? The packets that need to have NAT applied don’t flow in the loopback interface. That simple.
Hope this helps,
Wendell

Bill

Hi Wendell – is assigning the inside global addresses to a loopback interface necessary when those addresses do not exist on a subnet between 2 routers within a network? Here is my thinking: we configure inside global addresses via 1-1 or pool and they are added to a NAT table entry (is that assumption correct?). Are NAT table entries not communicated to neighboring routers? If not, what would happen if we didn’t assign the inside global addresses to a loopback interface, would R2 be unable to send packets to the inside global addresses (i.e. back to R1) because it wouldn’t recognize/know where to send them?

Riol

hi wendell,

do you have discord?

certskills

Hi Riol.
No, no discord for me. Do you use it much? Curious as to your question.
Thanks,
Wendell

Vicente Torres

Hi Wendell,

I did the lab and I got a different line (“ip nat pool nat_pool 10.15.20.130 10.15.20.130 netmask 255.255.255.255”) comparing to Answers’ “ip nat pool nat_pool 10.15.20.130 10.15.20.130 netmask 255.255.255.252”.

The netmask is the only difference. It seems that ping is working ok. So I wonder if both solutions could be considered similar or if there is any pro and cons with those different netmasks.

Thanks.

John rambo

Hello Wendell,

I hope all is well.

Would it be acceptable to create an access list for of servers for example:

R1(config)#access-list 1 permit 192.168.100.70
R1(config)#access-list 1 permit 192.168.100.80
R1(config)#access-list 1 permit 192.168.100.90
R1(config)#end

Thank you

Nick

I downloaded the packet tracer file for this lab however, when configuring the nat_pool using 10.15.20.130 10.15.20.130 netmask 255.255.255.252 I keep getting invalid input detected at the netmask. Now keep in mind I didn’t configure any interfaces, I downloaded the file and started configuring the nat_pool. Any ideas as to what could be wrong? Do I need to reconfigure something.

15
0
Would love your thoughts, please comment.x
()
x