
Tuesday, June 2, 2009

Configure NAT/PAT to enable outbound Internet connectivity (CNA-04-005)

CCNA Exploration 4.0, Semester 4, "Configure NAT/PAT to enable outbound Internet connectivity" Packet Tracer 5.0 practice file (CNA-04-005).




The diagram is the same as in the previous post, except that EIGRP between Router R0 and Router R1 has been removed and a default route pointing to R0 (which here represents the Internet) has been added to R1.

Before we start to configure NAT/PAT, we can easily verify that none of the PCs or switches below R1 can reach R0. This is because R0 has no route to the 192.168.X.0/24 networks below R1, so its replies never make it back. To achieve outbound connectivity to R0 (the Internet) we must configure NAT/PAT to translate all inside source addresses into addresses in network 10.1.1.0/24, which R0 is directly connected to.

Recall the 3 basic steps to configure NAT/PAT:

  1. Specify "inside" interfaces: source addresses of packets arriving through these interfaces are translated (inside local to inside global)
  2. Specify "outside" interfaces: destination addresses of packets arriving through these interfaces are translated back (inside global to inside local)
  3. Define the translation rule: this step differs between NAT and PAT, so PAT and NAT are covered in separate sections below

Steps 1 and 2 are the same in both modes:
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 clock rate 64000
!

[PAT]

The only difference is at Step 3. Let's start with PAT.

PAT enables us to reuse the IP address of Router R1's "Serial0/0/0" interface for all inside hosts. Since every host is translated to the same IP address, the router can only tell which returning packet belongs to which inside host by its TCP/UDP port number, so each translation entry is keyed on the port as well as the address.

Now we need an ACL again. The ACL classifies packets: if the result is permit, the packet is translated; if the result is deny (including the implicit deny at the end of the list), it is NOT translated and is forwarded with its original source address. Keep the list limited to the inside networks that should reach the Internet; a "permit ip any any" would translate whatever arrives on the inside interfaces.

Key configuration fragment is as below:


ip nat inside source list 100 interface Serial0/0/0 overload
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
!

Here is the translation table for PAT. NOTE: if you want to see similar results, you must first create some outbound connections to R0, such as TELNET. The screen capture was taken while 2 PCs had 2 active TELNET sessions to Router R0.

R1>show ip nat translation
Pro  Inside global     Inside local       Outside local      Outside global
tcp 10.1.1.1:1024      192.168.10.10:1025 10.1.1.2:23        10.1.1.2:23
tcp 10.1.1.1:1025      192.168.11.10:1025 10.1.1.2:23        10.1.1.2:23

R1>

We can see the effect of PAT clearly on Router R0: R0 sees 2 connections, both sourced from 10.1.1.1.

R0>show user
    Line       User       Host(s)              Idle       Location
* 67 vty 0                idle                 00:00:00 10.1.1.1
  68 vty 1                idle                 00:01:48 10.1.1.1

  Interface    User               Mode         Idle     Peer Address
R0>

[NAT]

With dynamic NAT (no overload), each inside local address occupies one global address from a pool for as long as its translation exists. Here I assume the addresses 10.1.1.101 to 10.1.1.200 are reserved as a pool for NAT use.

NOTE: The address pool works like a car park: one car, one slot, first come first served. In the example above only the first 100 inside hosts that make outbound connections get an address of their own. Once the pool is full, the 101st and later hosts cannot be served by NAT; their packets are dropped, so they cannot make outbound connections at all until an existing translation times out (or is cleared) and frees an address.

Key configuration fragment is as below:

ip nat pool INET-POOL 10.1.1.101 10.1.1.200 netmask 255.255.255.0
ip nat inside source list 100 pool INET-POOL
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
!

The screen capture was taken, as before, while 2 PCs had 2 active TELNET sessions to Router R0.

R1>show ip nat translation
Pro  Inside global     Inside local       Outside local      Outside global
---  10.1.1.101        192.168.10.10      ---                ---
---  10.1.1.102        192.168.11.10      ---                ---

R1>

The effect of NAT is even clearer on Router R0: R0 sees the two sessions coming from 10.1.1.101 and 10.1.1.102.

R0>show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00 
  67 vty 0                idle                 00:01:45 10.1.1.101
  68 vty 1                idle                 00:01:35 10.1.1.102

  Interface    User               Mode         Idle     Peer Address
R0>

