NAT: Basic configuration
· NAT simply means Network Address Translation.
· First of all, why do we need Address Translation?
· Because we use private addresses inside an environment, RFC 1918 IP addresses, i.e., 10.0.0.0/0, 172.16.0.0/16, 192.168.0.0/24, and these private addresses are not routable on the internet.
· So we need a conversion mechanism.
· That doesn't mean that NAT does conversion only from a private address to a public address; it translates any address to any address.
· There are many varieties of NAT.
· In this post, let me configure basic NAT.
· Let me take a small topology to configure NAT:
R1----s1/0---------------s1/0----R2----s1/1----------------s1/1----R3
10.1.1.1-----------------10.1.1.2---23.1.1.2------------------23.1.1.3
· R1-R2: Internal network
· R2-R3: External network
· Translation is to be configured from internal to external.
Before configuring NAT:
R1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 serial restart-delay 0
end
R1(config-if)#
R1(config-if)#do ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/18/60 ms
R1(config-if)#
R2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/0
 ip address 10.1.1.2 255.255.255.0
 serial restart-delay 0
end
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/19/52 ms
R2(config-if)#
R2(config-if)#do show run int ser1/1
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 serial restart-delay 0
end
R2(config-if)#do ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/48 ms
R2(config-if)#
R3(config-if)#do show run int ser1/1
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/1
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
end
R3(config-if)#do ping 23.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/44 ms
R3(config-if)#
R1(config-if)#do ping 23.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#
Observation:
· R1-R2 ser1/0 link is up.
· R2-R3 ser1/1 link is up.
· R1 cannot ping the 23.1.1.0 network, as expected, because there is no routing configured and NAT is not there either.
NAT configuration:
· We have to configure NAT on the R2 router.
· Since R1-R2 is part of the internal network, I need to configure “ip nat inside” under ser1/0 on R2.
· Since R2-R3 is part of the external network, I need to configure “ip nat outside” under ser1/1 on R2.
· We need to match the inside network using an access-list.
· Call this access-list in the NAT creation.
R2(config)#int ser1/0
R2(config-if)#ip nat inside
R2(config-if)#
*Mar 1 00:40:25.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#int ser1/1
R2(config-if)#ip nat outside
R2(config-if)#
R2(config)#access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface ser1/1
· This is the main command.
· It simply means: whenever someone from the inside network, matched by access-list 1, is trying to go outside, translate the source address to that of R2's Ser1/1 interface.
· Now that I have configured NAT, let me verify it:
R1#ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
· Bad! Let's debug this one:
R1#debug ip packet detail
IP packet debugging is on (detailed)
R1#ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
*Mar 1 00:47:29.639: IP: s=10.1.1.1 (local), d=23.1.1.3, len 100, unroutable
*Mar 1 00:47:29.639: ICMP type=8, code=0.
*Mar 1 00:47:31.635: IP: s=10.1.1.1 (local), d=23.1.1.3, len 100, unroutable
*Mar 1 00:47:31.635: ICMP type=8, code=0.
*Mar 1 00:47:33.635: IP: s=10.1.1.1 (local), d=23.1.1.3, len 100, unroutable
*Mar 1 00:47:33.635: ICMP type=8, code=0.
*Mar 1 00:47:35.635: IP: s=10.1.1.1 (local), d=23.1.1.3, len 100, unroutable
*Mar 1 00:47:35.635: ICMP type=8, code=0.
*Mar 1 00:47:37.635: IP: s=10.1.1.1 (local), d=23.1.1.3, len 100, unroutable
*Mar 1 00:47:37.635: ICMP type=8, code=0.
Success rate is 0 percent (0/5)
R1#
· Gee, it says unroutable, but I have configured NAT!
· Mmmm, let's see the routing table now:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/0
R1#
· This is the expected behavior, right? There is no routing entry for 23.1.1.0/24, and there is no default route configured either.
· Let me configure a default route on R1:
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#
· For a successful ping we must have end-to-end connectivity, i.e. R3 also needs a route back towards R2 for the echo reply.
· So, let me configure a default route on R3 as well, towards R2.
R3(config)#ip route 0.0.0.0 0.0.0.0 ser1/1
R3(config)#
· Now, let's try pinging 23.1.1.3 from R1:
R1(config)#do ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/108 ms
R1(config)#
R3(config)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/29/96 ms
R3(config)#
Observation:
· That's good! R1 and R3 are able to ping each other.
· Now, let's see some NAT output on R2:
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 23.1.1.2:12        10.1.1.1:12        23.1.1.3:12        23.1.1.3:12
R2#
Observation:
· Interesting, there are many terms here!
· Inside Local: this is the inside IP address (this is the address we are translating, and it is not visible to the outside world).
· Inside Global: this is the translated inside IP address, visible to the external world.
· Outside Local: this is the outside IP address, local to the external router.
· Outside Global: this is the outside IP address, which is visible to the inside world (in this case, since I'm not translating the outside IP address, I'm seeing the same IP address for outside-local and outside-global).
· These 4 terms are very critical in understanding NAT and its troubleshooting.
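To make the semantics of “ip nat inside source list 1 interface ser1/1” and the four address terms above concrete, here is a small Python model added for this post (it is not the author's code and not IOS itself): it applies the wildcard-mask access-list, rewrites matching sources to the Serial1/1 address, picks a different global port when two inside hosts collide, translates replies back only when a matching entry exists, and renders the table in the “show ip nat translations” layout. The addresses are the ones from the topology above; the port/identifier values used in the comments are constructed.

```python
import ipaddress

def acl_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match the network, 1 bits are 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

class InsideSourceNat:
    """Toy model of 'ip nat inside source list <acl> interface <outside-if>' (PAT)."""

    def __init__(self, acl, outside_if_addr):
        self.acl = acl                   # permit entries: [(network, wildcard), ...]
        self.global_addr = outside_if_addr
        self.entries = []                # rows as shown by 'show ip nat translations'
        self.port_owner = {}             # (proto, global port) -> inside local address

    def outbound(self, proto, src, sport, dst, dport):
        """Packet from the 'ip nat inside' interface heading out. For ICMP the
        'port' is the echo identifier (the :12 seen in the post's output)."""
        if not any(acl_match(src, n, w) for n, w in self.acl):
            return (proto, src, sport, dst, dport)  # no ACL match: forwarded untranslated
        gport = sport                                # keep the port unless another host owns it
        while self.port_owner.get((proto, gport), src) != src:
            gport += 1
        self.port_owner[(proto, gport)] = src
        row = {"proto": proto, "inside_global": (self.global_addr, gport),
               "inside_local": (src, sport), "outside_local": (dst, dport),
               "outside_global": (dst, dport)}      # outside address is not translated here
        if row not in self.entries:                  # repeated pings reuse the entry
            self.entries.append(row)
        return (proto, self.global_addr, gport, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving on the 'ip nat outside' interface for the NAT address.
        Only a reply matching an existing entry is translated back; else None."""
        for row in self.entries:
            if (row["proto"], row["inside_global"], row["outside_global"]) == \
                    (proto, (dst, dport), (src, sport)):
                return (proto, src, sport) + row["inside_local"]
        return None

    def show_translations(self):
        """Render the table in the column layout of 'show ip nat translations'."""
        cell = lambda ap: f"{ap[0]}:{ap[1]}"
        lines = ["Pro  Inside global      Inside local       Outside local      Outside global"]
        for r in self.entries:
            lines.append(f"{r['proto']:<5}{cell(r['inside_global']):<19}{cell(r['inside_local']):<19}"
                         f"{cell(r['outside_local']):<19}{cell(r['outside_global'])}")
        return "\n".join(lines)
```

Running R1's ping through the model yields the same single icmp row the post shows on R2, while a packet from an address outside access-list 1 passes untranslated and an unsolicited packet to 23.1.1.2 finds no entry.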
· One more handy command to troubleshoot NAT:
R2#show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
  Serial1/1
Inside interfaces:
  Serial1/0
Hits: 121  Misses: 14
CEF Translated packets: 135, CEF Punted packets: 0
Expired translations: 9
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Serial1/1 refcount 5
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R2#
hey very clear explanation.. thanks!