Dynamic and Static NAT mappings

Dynamic NAT

Topology using Packet Tracer from Cisco


Configuring NAT.

Router ISP: IP = 198.0.1.5 /30 (DTE)
Router Gateway: IP = 198.0.1.6 /30 (DCE)

Router Gateway internal side IP = 172.16.0.1 on FastEthernet 0/0
Clock rate 64000

ISP>
ISP>en
ISP#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISP(config)#line con 0
ISP(config-line)# exec-timeout 0 0
ISP(config-line)# password cisco
ISP(config-line)#line vty 0 4
ISP(config-line)# password cisco 123
ISP(config-line)# login
ISP(config-line)#ena
ISP(config-line)#enapa
ISP(config-line)#ena
ISP(config-line)#enable pass
ISP(config-line)#exit
ISP(config)#ena
ISP(config)#enable pa
ISP(config)#enable password cisco
ISP(config)#ena se
ISP(config)#ena secret cisco
ISP(config)#end
ISP#
%SYS-5-CONFIG_I: Configured from console by console
copy run sta
ISP#copy run startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
ISP#
Similar configs are applied on the GW router, as shown in the show run command output.

GATEWAY(config)#do sh run
Building configuration…

Current configuration : 757 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname GATEWAY
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password cisco
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
description EXTERNAL Connection to ISP
ip address 198.0.1.6 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
line con 0
exec-timeout 0 0
password cisco
line vty 0 4
password cisco 123
login
!
!
!
End

Verify that pinging the GW works.
Next, configure a static route from ISP to the company Gateway.
Let's allocate network 200.20.20.0/32 for internet access outside the company. All internal addresses shall be translated to one of the IP addresses in this range during an outside connection.
ISP(config)#ip route 200.20.20.0 255.255.255.224 198.0.1.6
ISP(config)#do sh ip route

Gateway of last resort is not set

198.0.1.0/30 is subnetted, 1 subnets
C 198.0.1.4 is directly connected, Serial0/0/1
200.20.20.0/27 is subnetted, 1 subnets
S 200.20.20.0 [1/0] via 198.0.1.6

Next create a default route from GATEWAY to ISP. This will forward any unknown destination IP address out to the ISP.

GATEWAY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GATEWAY(config)#ip route 0.0.0.0 0.0.0.0 198.0.1.5
GATEWAY(config)#do sh ip route

Gateway of last resort is 198.0.1.5 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
198.0.1.0/30 is subnetted, 1 subnets
C 198.0.1.4 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [1/0] via 198.0.1.5
A ping from the PC to the GW is OK, but not to the ISP. The ISP has no route back to 172.16.0.0/24, so the reply packets have no way of getting back and the request times out.
PC>ping 198.0.1.5

Pinging 198.0.1.5 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 198.0.1.5:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 198.0.1.6

Pinging 198.0.1.6 with 32 bytes of data:

Reply from 198.0.1.6: bytes=32 time=63ms TTL=255
Reply from 198.0.1.6: bytes=32 time=46ms TTL=255
Reply from 198.0.1.6: bytes=32 time=63ms TTL=255
Reply from 198.0.1.6: bytes=32 time=31ms TTL=255

Ping statistics for 198.0.1.6:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

On the GW router:
Define a pool of usable public IP addresses.

GATEWAY(config)#ip nat pool STUDYLABS 200.20.20.10 200.20.20.30 netmask 255.255.255.224
An Access List that matches the internal private addresses.

GATEWAY(config)#access-list 1 permit 172.16.0.0 0.0.0.255

Define the NAT translation from the inside list to the outside pool.

GATEWAY(config)#ip nat inside source list 1 pool STUDYLABS

Specify the inside and outside interfaces.

GATEWAY(config)#int fastEthernet 0/0
GATEWAY(config-if)# ip nat inside
GATEWAY(config-if)#int s0/0/0
GATEWAY(config-if)#ip nat outside

A ping to the ISP interface is now OK.
PC>ping 198.0.1.5

Pinging 198.0.1.5 with 32 bytes of data:

Reply from 198.0.1.5: bytes=32 time=94ms TTL=254
Reply from 198.0.1.5: bytes=32 time=94ms TTL=254
Reply from 198.0.1.5: bytes=32 time=94ms TTL=254
Reply from 198.0.1.5: bytes=32 time=93ms TTL=254

Ping statistics for 198.0.1.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% los
GATEWAY#sh ip nat statistics
Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: Serial0/0/0
Inside Interfaces: FastEthernet0/0
Hits: 4 Misses: 4
Expired translations: 4
Dynamic mappings:
— Inside Source
access-list 1 pool STUDYLABS refCount 0
pool STUDYLABS: netmask 255.255.255.224
start 200.20.20.10 end 200.20.20.30
type generic, total addresses 21 , allocated 0 (0%), misses 0

Create a loopback interface on ISP to simulate an outside network and ping the interface in order to view NAT translations.

ISP(config)#int loopback 0

%LINK-5-CHANGED: Interface Loopback0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

ISP(config-if)#ip address 10.10.10.1 255.255.255.0
Pinging the loopback interface.
PC>ping 10.10.10.1

Pinging 10.10.10.1 with 32 bytes of data:

Reply from 10.10.10.1: bytes=32 time=94ms TTL=254
Reply from 10.10.10.1: bytes=32 time=78ms TTL=254
Reply from 10.10.10.1: bytes=32 time=79ms TTL=254
Reply from 10.10.10.1: bytes=32 time=78ms TTL=254

Ping statistics for 10.10.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

Now view the ip nat translation output.

GATEWAY#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 200.20.20.10:27 172.16.0.10:27 198.0.1.5:27 198.0.1.5:27
icmp 200.20.20.10:28 172.16.0.10:28 198.0.1.5:28 198.0.1.5:28
icmp 200.20.20.10:29 172.16.0.10:29 198.0.1.5:29 198.0.1.5:29
icmp 200.20.20.10:30 172.16.0.10:30 198.0.1.5:30 198.0.1.5:30
icmp 200.20.20.10:31 172.16.0.10:31 10.10.10.1:31 10.10.10.1:31
icmp 200.20.20.10:32 172.16.0.10:32 10.10.10.1:32 10.10.10.1:32
icmp 200.20.20.10:33 172.16.0.10:33 10.10.10.1:33 10.10.10.1:33
icmp 200.20.20.10:34 172.16.0.10:34 10.10.10.1:34 10.10.10.1:34

The inside local host is translated to IP 200.20.20.10, the first viable IP in our pool.
By pinging from the second PC with IP 172.16.0.11 we see that it is given the next available IP in the pool for translation.

GATEWAY#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 200.20.20.11:35 172.16.0.10:35 10.10.10.1:35 10.10.10.1:35
icmp 200.20.20.11:36 172.16.0.10:36 10.10.10.1:36 10.10.10.1:36
icmp 200.20.20.11:37 172.16.0.10:37 10.10.10.1:37 10.10.10.1:37
icmp 200.20.20.11:38 172.16.0.10:38 10.10.10.1:38 10.10.10.1:38
icmp 200.20.20.10:1 172.16.0.11:1 10.10.10.1:1 10.10.10.1:1
icmp 200.20.20.10:2 172.16.0.11:2 10.10.10.1:2 10.10.10.1:2
icmp 200.20.20.10:3 172.16.0.11:3 10.10.10.1:3 10.10.10.1:3
icmp 200.20.20.10:4 172.16.0.11:4 10.10.10.1:4 10.10.10.1:4

Static NAT

Same topology with a Web server included for static mapping.


Static NAT is used in a scenario where an inside host has to be accessible from outside, e.g. a web server or printer.
Web server IP: 172.16.0.15 255.255.255.0

GATEWAY(config)#ip nat inside source static 172.16.0.15 200.20.20.1

GATEWAY(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
— 200.20.20.1 172.16.0.15 — —

The mapping is displayed because it is a static mapping. We don’t have to generate traffic in order to see the translations.
A ping from the ISP to the web server's private address doesn't go through, because the ISP has no route to 172.16.0.0/24 and cannot reach the server directly. But a ping to the IP 200.20.20.1 is forwarded straight to the web server.
ISP#ping 172.16.0.15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.15, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

ISP#ping 200.20.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 78/90/94 ms.

GATEWAY(config)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
icmp 200.20.20.1:26 172.16.0.15:26 198.0.1.5:26 198.0.1.5:26
icmp 200.20.20.1:27 172.16.0.15:27 198.0.1.5:27 198.0.1.5:27
icmp 200.20.20.1:28 172.16.0.15:28 198.0.1.5:28 198.0.1.5:28
icmp 200.20.20.1:29 172.16.0.15:29 198.0.1.5:29 198.0.1.5:29
icmp 200.20.20.1:30 172.16.0.15:30 198.0.1.5:30 198.0.1.5:30
— 200.20.20.1 172.16.0.15 — —
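As an added example (not part of the original post), the following Python audits a captured 'show ip nat translations' table against the lab's own policy: pool STUDYLABS (200.20.20.10 to 200.20.20.30), access-list 1 (172.16.0.0/24) and the static mapping 172.16.0.15 to 200.20.20.1. It flags any translation that the pool or the access list should never have produced, and works out which pool address the next new inside host would receive. The sample table is constructed, and the 172.16.1.9 row in it is a planted anomaly.

```python
import ipaddress

# Policy from the lab: pool STUDYLABS, access-list 1 and the static web-server mapping.
POOL_START, POOL_END = ipaddress.IPv4Address("200.20.20.10"), ipaddress.IPv4Address("200.20.20.30")
INSIDE_NET = ipaddress.IPv4Network("172.16.0.0/24")  # access-list 1 permit 172.16.0.0 0.0.0.255
STATIC = {"172.16.0.15": "200.20.20.1"}              # ip nat inside source static 172.16.0.15 200.20.20.1

# Constructed sample in 'show ip nat translations' layout. The last row (172.16.1.9) is
# planted: access-list 1 never matches that host, so the audit must flag it.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 200.20.20.10:27 172.16.0.10:27 198.0.1.5:27 198.0.1.5:27
icmp 200.20.20.11:35 172.16.0.10:35 10.10.10.1:35 10.10.10.1:35
icmp 200.20.20.10:1 172.16.0.11:1 10.10.10.1:1 10.10.10.1:1
--- 200.20.20.1 172.16.0.15 --- ---
icmp 200.20.20.12:5 172.16.1.9:5 10.10.10.1:5 10.10.10.1:5
"""

def to_addr(field):
    # '200.20.20.10:27' -> address (the :27 is the ICMP identifier); '---' -> None
    return ipaddress.IPv4Address(field.split(":")[0]) if field[0].isdigit() else None

def parse_translations(text):
    """Return (inside global, inside local) per row, skipping the header line."""
    return [(to_addr(p[1]), to_addr(p[2])) for p in
            (line.split() for line in text.splitlines()[1:]) if len(p) == 5]

def in_pool(addr):
    return addr is not None and POOL_START <= addr <= POOL_END

def classify(ig, il):
    """Compare one translation with the configured policy."""
    if STATIC.get(str(il)) == str(ig):
        return "static-ok"                 # present even with no traffic, as the lab shows
    if il is None or il not in INSIDE_NET:
        return "unexpected-inside-local"   # a host access-list 1 should not have matched
    if not in_pool(ig):
        return "unexpected-inside-global"  # global address outside pool STUDYLABS
    return "dynamic-ok"

def audit(text):
    """(inside local, inside global) -> verdict for every row of the output."""
    return {(str(il), str(ig)): classify(ig, il)
            for ig, il in parse_translations(text)}

def next_free_global(text):
    """Lowest pool address no inside host holds yet: what the next new inside host gets."""
    used = {ig for ig, _ in parse_translations(text) if in_pool(ig)}
    return next((POOL_START + i for i in range(int(POOL_END) - int(POOL_START) + 1)
                 if POOL_START + i not in used), None)
```

Running audit(SAMPLE) over a real capture turns the manual reading of the table above into a repeatable check: a global address outside the pool, or an inside local the access list should not have matched, shows up as an unexpected verdict.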
