NAT: Configuration with PAT
· NAT simply means Network Address Translation.
· First of all, why do we need Address Translation?
· Because we use private addresses inside an environment, RFC 1918 IP addresses, i.e., 10.0.0.0/0, 172.16.0.0/16, 192.168.0.0/24, and these private addresses are not routable on the internet.
· So we need a conversion mechanism.
· That doesn't mean that NAT only converts private addresses to public addresses; it can translate any address to any address.
· There are many varieties of NAT.
· In this post, let me configure NAT with PAT (Port Address Translation).
· This is sometimes called one-to-many translation.
· Generally in small office environments, internet access is configured this way.
· They just get one public address and they do NAT with PAT to browse the internet.
· Let me take a small topology to configure NAT:
R1----s1/0---------------s1/0----R2----s1/1----------------s1/1----R3
10.1.1.1-----------------10.1.1.2---23.1.1.2------------------23.1.1.3
· R1-R2: Internal network
· R2-R3: External network
· Translation is to be configured from internal to external.
Before Configuring NAT:
R1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 serial restart-delay 0
end
R1(config-if)#
R1(config-if)#do ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/18/60 ms
R1(config-if)#
R2(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/0
 ip address 10.1.1.2 255.255.255.0
 serial restart-delay 0
end
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/19/52 ms
R2(config-if)#
R2(config-if)#do show run int ser1/1
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 serial restart-delay 0
end
R2(config-if)#do ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/48 ms
R2(config-if)#
R3(config-if)#do show run int ser1/1
Building configuration...
Current configuration : 86 bytes
!
interface Serial1/1
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
end
R3(config-if)#do ping 23.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/44 ms
R3(config-if)#
R1(config-if)#do ping 23.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#
Observation:
· R1-R2 ser1/0 link is up.
· R2-R3 ser1/1 link is up.
· R1 cannot ping the 23.1.1.0 network, as expected, because no routing is configured and NAT is not there yet.
NAT configuration:
· We have to configure NAT on the R2 router.
· Since R1-R2 is part of the internal network, I need to configure “ip nat inside” under ser1/0 on R2.
· Since R2-R3 is part of the external network, I need to configure “ip nat outside” under ser1/1 on R2.
· We need to match the inside network using an access-list.
· Call this access-list in the NAT creation.
R2(config)#int ser1/0
R2(config-if)#ip nat inside
R2(config-if)#
*Mar 1 00:40:25.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#int ser1/1
R2(config-if)#ip nat outside
R2(config-if)#
R2(config)#access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)#ip nat inside source list 1 interface serial 1/1 overload
R1#ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/32/84 ms
R1#
R2#show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
icmp 23.1.1.2:18    10.1.1.1:18   23.1.1.3:18    23.1.1.3:18
icmp 23.1.1.2:19    10.1.1.1:19   23.1.1.3:19    23.1.1.3:19
icmp 23.1.1.2:20    10.1.1.1:20   23.1.1.3:20    23.1.1.3:20
icmp 23.1.1.2:21    10.1.1.1:21   23.1.1.3:21    23.1.1.3:21
R2#
· It keeps track of each address along with its port number.
· Multiple users from inside can go outside through the one public address.
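The translation table above is the whole idea of PAT: one outside address shared by many inside hosts, kept apart by port number (or ICMP identifier). The Python below is an added example written for this post; it is not IOS code and not the post author's. It models what R2 does with the same values as above (access-list 1 permit 10.1.1.0 0.0.0.255, inside global 23.1.1.2, outside host 23.1.1.3) and adds a constructed second inside host, 10.1.1.5, to show what happens when two inside hosts pick the same identifier. The wildcard-mask match, the "keep the original port if it is free, otherwise take the next free one" allocation, the one-global-port-per-protocol rule and the single-identifier-field handling of ICMP are simplifying assumptions of this model, not a description of exactly how IOS allocates.

```python
"""Toy model of PAT (NAT overload) as configured on R2 in this post.
Added example; not IOS code and not the post author's. Addresses mirror the
post; the second inside host 10.1.1.5 is constructed for the demo."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """Addressing of one packet. For icmp, the port fields carry the identifier."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Standard-ACL match (e.g. 'access-list 1 permit 10.1.1.0 0.0.0.255'):
    a set bit in the wildcard mask means 'don't care' for that bit."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


class PatTable:
    """'ip nat inside source list 1 interface serial 1/1 overload' in miniature.
    Assumption: each global port is used by one inside host per protocol at a time."""

    def __init__(self, inside_global: str, acl_network: str, acl_wildcard: str):
        self.inside_global = inside_global      # address of the 'ip nat outside' interface
        self.acl = (acl_network, acl_wildcard)  # the access-list named in the nat command
        self.outbound = {}   # (proto, in_ip, in_port, out_ip, out_port) -> (gport, outside port)
        self.inbound = {}    # (proto, gport, out_ip, outside port) -> (in_ip, in_port)
        self.used = set()    # (proto, gport) currently allocated

    def _allocate(self, proto: str, wanted: int) -> int:
        """Keep the inside port/identifier when free; otherwise walk to the next free one."""
        port = wanted
        while (proto, port) in self.used:
            port = port + 1 if port < 65535 else 1024
        self.used.add((proto, port))
        return port

    def translate_outbound(self, pkt: Flow) -> Flow:
        """Inside -> outside: rewrite the source if the ACL permits it, else pass unchanged."""
        if not acl_permits(pkt.src_ip, *self.acl):
            return pkt
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            gport = self._allocate(pkt.proto, pkt.src_port)
            # ICMP echo has a single identifier field, so translating it changes what the
            # outside host sees in both directions; TCP/UDP keep their destination port.
            out_port = gport if pkt.proto == "icmp" else pkt.dst_port
            self.outbound[key] = (gport, out_port)
            self.inbound[(pkt.proto, gport, pkt.dst_ip, out_port)] = (pkt.src_ip, pkt.src_port)
        gport, out_port = self.outbound[key]
        return Flow(pkt.proto, self.inside_global, gport, pkt.dst_ip, out_port)

    def translate_inbound(self, pkt: Flow):
        """Outside -> inside: only a packet matching an existing entry reaches an inside host."""
        if pkt.dst_ip != self.inside_global:
            return None
        owner = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None   # no state: the router has nothing to map this packet to
        in_ip, in_port = owner
        src_port = in_port if pkt.proto == "icmp" else pkt.src_port
        return Flow(pkt.proto, pkt.src_ip, src_port, in_ip, in_port)

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        rows = []
        for (proto, in_ip, in_port, out_ip, _), (gport, out_port) in self.outbound.items():
            rows.append((proto, f"{self.inside_global}:{gport}", f"{in_ip}:{in_port}",
                         f"{out_ip}:{out_port}", f"{out_ip}:{out_port}"))
        return rows


def demo() -> PatTable:
    r2 = PatTable("23.1.1.2", "10.1.1.0", "0.0.0.255")
    # R1's ping: echoes with consecutive identifiers, as in the post's table
    for ident in (18, 19, 20, 21):
        r2.translate_outbound(Flow("icmp", "10.1.1.1", ident, "23.1.1.3", ident))
    # constructed second inside host that also starts at identifier 18
    r2.translate_outbound(Flow("icmp", "10.1.1.5", 18, "23.1.1.3", 18))
    return r2


if __name__ == "__main__":
    table = demo()
    print("Pro  Inside global  Inside local  Outside local  Outside global")
    for row in table.show_translations():
        print("{:<4} {:<14} {:<13} {:<14} {}".format(*row))
```

Running it reproduces the four icmp rows shown on R2 and adds a fifth row for 10.1.1.5, which lands on global identifier 22 because 18 to 21 are taken. Two things worth noticing: a packet from outside with no matching entry gets None from translate_inbound, which is the incidental protection PAT gives inside hosts, and the table is the only thing that ties a flow seen at 23.1.1.3 back to a particular inside machine, so if you ever need to attribute outside activity to an internal host, those translations have to be recorded somewhere (syslog, for instance) before they age out of the router.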