Cisco CCNA 200-301 – NAT – Network Address Translation Part 3

  1. Dynamic NAT Lab Demo

In this lecture you’ll see how to configure dynamic NAT in our lab demo. This lab follows on from the previous one, where we configured static NAT. There we configured a static NAT entry for the host on the inside at 10.0.1.10, which was translated to the outside address 203.0.113.3. In this lab we’re going to configure another NAT rule to allow the PCs on the 10.0.2.0 subnet to get out to the Internet. Those PCs don’t accept incoming connections, so we don’t need static rules for them. Instead we can configure a dynamic NAT rule, which gives them public IP addresses on a first come, first served basis. Let’s look at the existing configuration with the static NAT rule first. I’ve got that configured on R1.

If I do a show run here and scroll down, you’ll see that I’ve already got the NAT interfaces configured for that static NAT rule. FastEthernet0/0 is on the outside, so it has ip nat outside on it. FastEthernet1/0, the interface facing the internal server, is configured as ip nat inside. FastEthernet2/0 is the interface facing the PCs on the 10.0.2.0 subnet, so I need to configure that as ip nat inside as well. You can have multiple interfaces configured as ip nat inside or ip nat outside, and whenever traffic goes between an inside and an outside interface it gets translated.

A little further down you can also see the static NAT rule itself. So the first thing I need to do is configure the interface facing the PCs as ip nat inside. I’ll go to global configuration, then interface FastEthernet2/0, and enter ip nat inside. That’s the interface configured. Next I need to configure the pool of addresses that the internal hosts can be translated to, in other words the public IP address pool. The command for that is ip nat pool.

I’ll call the pool flackbox for this example. The range of addresses runs from 203.0.113.4 up to 203.0.113.14 at the top of the range, and I give a netmask of 255.255.255.0, which is the subnet mask on the public facing interface. Next I configure an access list that specifies the range of inside host IP addresses that are going to be mapped to these public addresses. I’m matching them purely on their source IP address,

so I can use a standard access list here. I’ll use access-list 1 permit, and the subnet the hosts are on is 10.0.2.0 with a wildcard mask of 0.0.0.255. So I’ve got my pool of addresses configured and I’ve got my access list specifying the inside hosts. The last thing I need to do is tie them together, and the way I do that is with ip nat inside source. Rather than static, as for a static NAT entry, it is list 1, meaning access list 1, followed by pool flackbox. So ip nat inside source list 1 pool flackbox ties the access list and the pool together.

And that’s the configuration done. All I need to do now is check that it’s working, so I’ll run a debug to watch it happen: debug ip nat. Then I’ll go onto my first PC, PC1, and ping the host on the outside. Let me check PC1’s IP address first: it’s 10.0.2.10, and I’m going to ping 203.0.113.20 on the outside. PC1 should be translated to the first address in the pool, which is 203.0.113.4. So ping 203.0.113.20, and the ping works, so connectivity is good. If I jump back onto R1 I can see my debug output there; that was happening in real time.

The source was 10.0.2.10 and it was translated to 203.0.113.4, as expected, with the outside address 203.0.113.20. Let’s put some blank lines in here so we can see a gap, and I’ll ping from PC2 as well: ping 203.0.113.20 on the outside. Jumping back onto R1, you can see that source 10.0.2.11 has been translated to the next address in the pool, which is 203.0.113.5,

with the outside address 203.0.113.20 again. I can also do a show ip nat translations, and if I’ve done this quickly enough I can see both entries in the NAT translation table as well. So that’s how we configure and verify dynamic NAT. Now let’s look at clearing the translations you see in the table. First let’s ping again so that they don’t time out on their own: I’ll ping from PC1 and PC2, do an undebug all to get rid of the debug output, and run show ip nat translations again. If I wanted to clear these because I was troubleshooting, I can do clear ip nat translation *, where the star means all of them.

If I now run my show command again, I can see that they’ve been removed. The static entry is still there; only the dynamic ones have been removed. That’s everything I needed to show you. One last thing: let’s look at the statistics command as well, show ip nat statistics. There you can see how many NAT hits we’ve got, which is how many packets have been sent through our NAT rule. We’ve verified everything’s working, so we’re all good. But a potential problem with this is that you’ve got a limited number of addresses in your pool, and once you hit that limit other hosts won’t be able to get out to the outside, because there is no IP address left to translate them to. The way we can stretch that range is by using PAT, Port Address Translation. We’ll cover that in the next lecture.

  2. PAT Port Address Translation

In this lecture you’ll learn about the last of our NAT types, which is PAT, Port Address Translation. This allows the same IP address to be reused multiple times for translations. With the standard dynamic NAT you saw in the last lecture, inside hosts are translated to public IP addresses on a first come, first served basis. That requires a public IP address for every inside host which communicates with the outside network. When all the addresses in the pool have been used, new outbound connections from other inside hosts fail because there are no addresses left to translate them to. Port Address Translation, or PAT, is an extension to NAT that permits multiple devices to be mapped to a single public IP address, so it is the solution to that problem. With PAT you don’t need a public IP address for every inside host: the router tracks translations by IP address and layer 4 port number as well. For real world deployments we’re typically going to need this, because we have far more hosts on the inside with private IP addresses than we have public IP addresses available on the outside, and public IP addresses cost money.

So we use PAT to reuse those public addresses for multiple hosts on the inside. Because different inside hosts are assigned different port numbers, the router knows which host to send the return traffic to even when the public IP address is the same. Let’s look at how this works in the lab. We’re using the same lab topology again. I’ve got my hosts on the inside on the 10.0.2.0/24 subnet. I don’t need PAT for my internal server because it has a permanent, fixed static NAT translation. But I’ve probably got loads of normal PCs on the inside, and I don’t have enough public IP addresses to give each of them its own, so I’m going to use PAT so they can all get Internet access at the same time. Dynamic NAT with overload uses PAT to allow more clients to be translated than there are IP addresses available in the NAT pool. Dynamic NAT with overload is really just a type of PAT, not a different thing. If the NAT pool is, for example, 203.0.113.4 to 203.0.113.6, the first two hosts which initiate outbound connections will be translated to 203.0.113.4 for the first one and 203.0.113.5 for the second one,

exactly the same as standard dynamic NAT. Where it changes is when we get to the end of the NAT pool. The third host will be translated to 203.0.113.6, and the router will track which source port number was used in its translation table. The fourth, fifth, sixth, etc. hosts will also be translated to 203.0.113.6, because that’s the highest address in the pool, but they will use different source port numbers. When the return traffic is sent back, the router checks the destination port number to see which host to forward it to. So it’s tracking based on IP address and port number, and because we’ve also got the port number, we can differentiate between the different hosts that are using the same IP address. Let’s walk through this with an example.

We have that pool of three addresses, 203.0.113.4 to 203.0.113.6, and we’ve done our configuration; you’ll see how the configuration is done in a minute. Our first host on the inside, 10.10.10.10, sends traffic out to a web server at 203.0.113.10. Because it’s a web server, that’s the destination IP address and the destination port is 80. In our example 10.10.10.10 uses source port number 49165; whichever operating system is running on that host chooses a random source port number, and that’s what it came up with here. When the traffic goes through the router it matches the NAT rule, so the router changes the source IP address from 10.10.10.10 to 203.0.113.4. It also changes the source port number from 49165 to 4096. That traffic is sent out to the web server, which sees it as coming from the translated source of 203.0.113.4, port 4096. The web server sends its reply back to a destination IP address and port of 203.0.113.4, port 4096, the same place it came from. When that return traffic reaches the router, it has a matching entry in the NAT translation table, so it knows to send it to 10.10.10.10, port 49165. Then another host sends traffic out to a web server, from 10.10.10.11, port 49158, on the inside. The router translates it to 203.0.113.5 and source port 4097. When the return traffic comes back from the web server, it’s sent to a destination of 203.0.113.5, port 4097.

The router sees that it has a matching translation in its NAT table, so it sends that on to 10.10.10.11, port 49158, where it originally came from. Then a third PC sends traffic out to the Internet: 10.10.10.12, port number 49152. Notice that the first two hosts were translated to 203.0.113.4 and 203.0.113.5, the first two addresses in our pool. This third host gets translated to the last IP address in our pool, 203.0.113.6, and its port number gets changed to 4098. You know the drill already: when the return traffic comes back from the server it’s sent to a destination of 203.0.113.6, port 4098, and the router knows to send that to 10.10.10.12, port 49152. Finally, another host sends traffic out to a web server. It’s 10.10.10.13, this time using source port 49152, and it is translated to 203.0.113.6, port 4099. We’ve already used up all the addresses in our NAT pool, and if we were using just standard dynamic NAT, this traffic would fail.

But because we’re using dynamic NAT with overload, which is a form of PAT, we can reuse that last IP address in the pool. So this host also gets translated to 203.0.113.6, but the router makes sure it uses a different source port number; this time it uses 4099. When the return traffic comes back from the server on the outside, it’s going to a destination of 203.0.113.6, port 4099, and the router knows that traffic for that IP address and port number pair needs to go to 10.10.10.13, port 49152, because it has that matching entry in its NAT translation table. So that is how PAT works. Configuring it is very similar to what we did for standard dynamic NAT. This slide shows the standard dynamic NAT configuration. Interface FastEthernet0/0 was facing out towards the Internet, and we configure that with ip nat outside. Interface FastEthernet2/0 was facing our hosts on the inside, and we configure that with ip nat inside. We configure the pool of global addresses with ip nat pool flackbox 203.0.113.4 203.0.113.6 netmask 255.255.255.0, because that’s the subnet mask on the outside interface. Then we create our access list to reference the inside hosts:

access-list 1 permit 10.0.2.0 0.0.0.255. Finally we tie the NAT pool and the access list together with ip nat inside source list 1 pool flackbox. That’s the same configuration you saw in the last lab demo when we did standard dynamic NAT. This is the one with the problem where we can only use however many IP addresses are in the pool. In the example here, .4 to .6, that’s three addresses, so only three hosts are going to be able to get out at the same time and the fourth host is going to fail. How we change this to a PAT configuration, which allows multiple hosts to reuse that top address in the pool, is, drumroll, exactly the same configuration. We just put the keyword overload at the end of the ip nat inside source list 1 pool flackbox command. So the command you see at the bottom there becomes ip nat inside source list 1 pool flackbox overload. Everything else in the configuration is exactly the same. Like I said before, for real world deployments you’re pretty much always going to be using the overload keyword.

You’re almost always going to have more hosts on the inside than IP addresses on the outside, and you don’t want to run out of addresses in your pool, so you configure it with the overload keyword just like this. So that was how we do overload. The last NAT scenario to cover is a small office which has not purchased a range of public IP addresses. In this case the outside interface facing the Internet will most likely get its IP address via DHCP from the service provider. So it’s a small office; they do have Internet connectivity, but they’ve only got a single IP address on the outside and haven’t bought a range. Usually in that case you’re not going to have a fixed IP address; you’re going to get your IP address from DHCP. That gives us an issue, because the DHCP address might change over time; the service provider won’t guarantee that the IP address stays the same.

So we can’t specify a pool with a fixed IP address, because it might work at first but would stop working when the address we get from the service provider changes. As a solution for this, PAT can be used to allow multiple inside hosts to share a single outside public IP address, even when that address is assigned by DHCP. The configuration is very similar to dynamic NAT with overload, but it translates to the outside interface rather than to a pool of addresses. You must translate to the outside interface rather than to a specific IP address because, as I just said, the DHCP address you get from the provider might change. Just before I walk through this configuration, let’s look back at the previous one again.

When we had a pool, we specified the pool of addresses, then we specified the access list for the hosts on the inside, and then we mapped the two together. When we’re using the outside interface rather than a pool, obviously we’re not going to have the first of those three commands; there is no pool to configure. So let’s look at this configuration now. On interface FastEthernet0/0, facing the Internet, I’ve got ip address dhcp and ip nat outside. Interface FastEthernet1/0, which is facing the inside hosts in this example, is ip nat inside. The access list is configured exactly the same: access-list 1 permit 10.0.2.0 0.0.0.255. Then I say ip nat inside source list 1 interface FastEthernet0/0 overload.

So I’m not mapping the access list to a pool of addresses, I’m mapping it to the interface, and it will automatically use whatever IP address is configured on that interface. I’ve added the overload keyword at the end, so all of my hosts on the inside will be able to share that one public IP address on the outside. The router will be able to differentiate between them for returning traffic because different port numbers are being used. How we verify this is the same command as usual, show ip nat translations. When I run it you can see we’ve got the same output as before, but we can also see all of the port numbers that are being used. That’s how the router knows which traffic is for which host. That was it for PAT. See you in the next lecture, where we’ll do our live demo.
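To make the translation-table behaviour concrete, here is an added Python model (my own illustration, not IOS code or anything from the course) that reproduces the four-host walkthrough above, once without and once with overload, and then the interface form with the single DHCP address 203.0.113.13 that the lab demo in the next lecture uses. The sequential allocation of global ports from 4096 and the reuse of the top pool address are assumptions modelled on the page’s figures, not a description of how IOS chooses ports in general.

```python
from ipaddress import IPv4Address, IPv4Network

class NatRouter:
    """Toy model of a Cisco router's NAT table (added example, not IOS code).
    inside_net stands for 'access-list 1 permit <net> <wildcard>', pool for
    'ip nat pool', and overload for the 'overload' keyword."""

    def __init__(self, inside_net, pool_first, pool_last, overload=False):
        self.inside_net = IPv4Network(inside_net)
        lo, hi = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
        self.pool = [IPv4Address(a) for a in range(lo, hi + 1)]
        self.overload = overload
        self.next_port = 4096  # assumption: PAT hands out ports from 4096 up
        self.by_inside = {}  # inside key -> (global ip, global port or None)
        self.by_global = {}  # global key -> (inside ip, inside port or None)

    def _key(self, ip, port):
        # Plain dynamic NAT tracks addresses only; PAT tracks address + port.
        return (ip, port) if self.overload else (ip, None)

    def translate_outbound(self, src_ip, src_port):
        """Global (ip, port) the packet leaves with; None means it is dropped
        because the pool is exhausted and overload is not configured."""
        src_ip = IPv4Address(src_ip)
        if src_ip not in self.inside_net:
            return (str(src_ip), src_port)  # ACL miss: forwarded untranslated
        key = self._key(src_ip, src_port)
        if key not in self.by_inside:
            in_use = {g for g, _ in self.by_inside.values()}
            free = [a for a in self.pool if a not in in_use]
            if free:
                g_ip = free[0]             # first come, first served
            elif self.overload:
                g_ip = self.pool[-1]       # PAT reuses the top pool address
            else:
                return None                # dynamic NAT: no address left
            g_port = None
            if self.overload:              # PAT also rewrites the source port
                g_port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[key] = (g_ip, g_port)
            self.by_global[self._key(g_ip, g_port)] = self._key(src_ip, src_port)
        g_ip, g_port = self.by_inside[key]
        return (str(g_ip), src_port if g_port is None else g_port)

    def translate_inbound(self, dst_ip, dst_port):
        """Inside (ip, port) return traffic is forwarded to; None if no entry."""
        entry = self.by_global.get(self._key(IPv4Address(dst_ip), dst_port))
        if entry is None:
            return None
        return (str(entry[0]), dst_port if entry[1] is None else entry[1])

def pool_walkthrough(overload):
    """Pool .4 to .6 and the four hosts above; None where translation failed."""
    r = NatRouter("10.10.10.0/24", "203.0.113.4", "203.0.113.6", overload)
    hosts = [("10.10.10.10", 49165), ("10.10.10.11", 49158),
             ("10.10.10.12", 49152), ("10.10.10.13", 49152)]
    return r, [r.translate_outbound(ip, port) for ip, port in hosts]

def interface_pat_lab():
    """No pool: overload onto the DHCP address of FastEthernet0/0 (lab demo)."""
    r = NatRouter("10.0.2.0/24", "203.0.113.13", "203.0.113.13", overload=True)
    return r, [r.translate_outbound("10.0.2.10", 53386),
               r.translate_outbound("10.0.2.11", 11561)]
```

pool_walkthrough(False) returns None for the fourth host, which is the failure overload fixes; pool_walkthrough(True) gives it 203.0.113.6 port 4099, and translate_inbound on that pair returns 10.10.10.13 port 49152.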

  3. PAT Port Address Translation Lab Demo

In this lecture you’ll see how to configure PAT, Port Address Translation, with a lab demo. The scenario is that we’ve cleared out all of the old NAT config from the previous lectures and are going with a new one. This is a small office: they don’t have any internal servers that need static NAT, and they don’t have a pool of public IP addresses. They’re just getting their public IP address on their outside FastEthernet0/0 interface from DHCP, and that’s not guaranteed to stay the same; the service provider could change it at any time. We still want our hosts on the inside to be able to get out to the outside, so we need to configure NAT for that, and we’re going to translate them to whatever happens to be the IP address on the outside interface right now. We also need to configure overload, because we’ve got multiple hosts on the inside and we want them all to share that same outside IP address. So let’s configure this. I’ll go onto my router, which is R1, and see what the IP address is right now. I’ll do a show ip interface brief, and you can see my outside interface is using DHCP and currently has IP address 203.0.113.13. But like I said, we don’t want to use that IP address in our configuration because it might change. We’re going to use the interface instead, which is FastEthernet0/0.

First, I configure the NAT interfaces as usual. I’ll go to global config; interface FastEthernet0/0 is ip nat outside, and interface FastEthernet2/0, where my inside hosts are, is ip nat inside. Next I need to configure the access list for my NAT rule, to specify the hosts on the inside: access-list 1 permit 10.0.2.0 with a wildcard of 0.0.0.255. Then my NAT rule: ip nat inside source list 1, meaning I’m referencing access list 1, which I just configured. Rather than mapping this to a pool, well, I can’t do that, because I haven’t configured a pool.

I’m going to map it to the interface instead: interface FastEthernet0/0. I could hit enter here, but then it would just be standard dynamic NAT without overload, so only one host on the inside would be able to get out. I also need to remember to put the overload keyword on the end to enable PAT. The router is now going to map the NAT translations by IP address and port number, and track those so that when traffic comes back it knows which host to send it to.

That’s the whole configuration; we just need to check it now. Let’s do a debug so we can watch what’s happening: debug ip nat. Then I’ll go onto a host on the inside and check that traffic can get out. I’ll telnet to 203.0.113.20. Looking back at the network diagram, that’s the host on the outside, 203.0.113.20, a web server which I’ve already set up and which accepts incoming connections on port 80. I need to check that my NAT rule is actually working, so I’ll go onto PC1 and telnet to it on port 80. The port is open, so that looks good. If I look on R1 now, because I enabled my debug I can see that the traffic came from 10.0.2.10, which is PC1, and was translated to the IP address 203.0.113.13. That’s my public IP address on the outside, learned through DHCP.

I can also see that the source port originally used by the host was 53386, and that was translated to source port number 4096. It’s going out to 203.0.113.20 on destination port 80, so that all looks good. Let’s also send traffic out from PC2: I’ll telnet from there to 203.0.113.20 on port 80 as well. Looking back on my router again, I can see that it came from PC2, 10.0.2.11, and it’s going out to 203.0.113.20. The source IP address was translated to 203.0.113.13, so I’m reusing that same single public IP address. This time the original source port from the host was 11561, and that was translated to 4097. So the router is going to be able to track the return traffic based on IP address and port number: it’s all coming back to the same IP address, but to different port numbers.

If I do a show ip nat translations, I can see that the return traffic is all going to come back to 203.0.113.13, but when it’s going to port 4096 the router knows to send it to 10.0.2.10, and when it’s going to port 4097 the router knows to send it to 10.0.2.11. So that was it; that was the entire NAT configuration, and you’ve seen how to verify it as well, for static NAT, dynamic NAT and PAT. That’s us done with NAT. See you in the next section.
