This chapter focuses on some of the Internet Protocol services that a router can provide. You will learn how a router can be used to assign IP addresses automatically via DHCP, how to increase security in the network using IP access control lists, how the Network Address Translation (NAT) feature has been used to conserve IPv4 address space, how Port Address Translation (PAT) extends it, and how to configure the Network Time Protocol (NTP).
We cover these and more services in our CCNP ENCOR course.
DHCP Functionality
Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP information to hosts in a network. It reduces the burden on network administrators, speeds up device configuration, and reduces the chance of a configuration mistake, such as allocating the same IP address to more than one machine, which causes network issues. The information provided by DHCP servers includes IP addresses, subnet masks, the default router, DNS servers, and other parameters.
DHCP was created to address the many shortfalls of protocols, such as BOOTP and RARP. DHCP is designed to work with IPv4. DHCPv6 for IPv6 was first described in RFC 3315 in 2003; however, it has been updated many times subsequently in other RFCs. We will look at DHCPv6 briefly later, but it isn’t specifically mentioned in the CCNA syllabus.
When the host first boots up, if it has been enabled to use DHCP (which is the default in most operating systems), it will send a broadcast message asking for its IP information. This broadcast message is heard by all the DHCP servers in its subnet, and the DHCP servers respond with some configuration information.
FIG 19.1 – Host requests IP configuration information
DHCP uses UDP ports 67 (server) and 68 (client) to communicate over the network. The device that needs an IP address is the DHCP client, while the device that provides the IP address is the DHCP server. In most networks, the DHCP service is run on a server, but a router can also be configured to provide this service. In fact, a router can be configured as a DHCP client or a DHCP server. To configure a router as a DHCP client (to obtain its IP address from a server), the interface-level command to use is Router(config-if)#ip address dhcp.
DHCP clients go through the following states:
- Initializing
- Selecting
- Requesting
- Bound
- Renewing
- Rebinding
IP addresses are allocated to a specific host by the DHCP server for a period of time. This period is called the lease time, and it can be expressed in hours or days. DHCP servers should also exclude addresses from the DHCP pool that they don’t want to assign to the host. Those IP addresses are assigned statically and are used on routers and server interfaces. Failure to exclude reserved IP addresses from the DHCP pool can lead to duplicate IP addresses being assigned to hosts.
The process for obtaining an IP address via DHCP is described in Figure 19.2 below:
FIG 19.2 – DHCP request and allocation process
- DHCP Discover – When a DHCP-enabled device boots up, it sends a broadcast out to UDP port 67. The broadcast packet will reach every device on its subnet, including any possible DHCP servers located there.
- DHCP Offer – The DHCP servers in the subnet see the DHCP Discover message sent by the client and send back a response (DHCP Offer packet). This is normally also a broadcast, because the client does not have an IP address yet; the client can set the broadcast flag in its Discover to insist on this, otherwise a server may deliver the Offer to the client's MAC address. The DHCP Offer packet contains the IP information (address, subnet mask, gateway, etc.) that the client can use.
- DHCP Request – After the client workstation receives the offer made by the DHCP server, it will send a broadcast DHCP Request message to a specific DHCP server. The client might have received offers from multiple DHCP servers but it only needs a single IP address, so it must choose a DHCP server (based on an identifier), and this is usually done on a first-come-first-served basis. This broadcast also lets all the other DHCP servers know that it has selected an offer so they can stop sending offers.
- DHCP Ack – The chosen DHCP server sends another broadcast message, DHCP Ack, to confirm the IP address allocation to that specific client. Only after receiving the Ack should the client start using the address.
Figure 19.3 below shows a DHCP packet capture. For this capture, I configured a router as a DHCP server with the address 192.168.1.1 and an address pool of 192.168.1.0/24, but I excluded IP address 192.168.1.1 because it was in use on the Fast Ethernet interface. The requesting router interface is offered the first available address from the pool, which is 192.168.1.2.
FIG 19.3 – DHCP Offer capture
It’s worth noting that on the host router (R2 below), you will see a message telling you that you have been allocated an IP address via DHCP, and you can issue the show ip interface brief command to see that the method column is set to DHCP:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int f0/0
R2(config-if)#ip address dhcp
R2(config-if)#no shut
R2(config-if)#end
*Mar 1 00:03:45.387: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.2, mask 255.255.255.0, hostname R2
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Fa0/0 192.168.1.2 YES DHCP up up
Fa0/1 unassigned YES unset administratively down down
R2#
We will cover the full IOS commands shortly.
Besides the IP address, the server can also supply other parameters in the DHCP Offer packet, including:
- Subnet mask
- Lease duration
- Default gateway
- Domain Name Server
The lease duration in the DHCP Offer specifies how long a host may use its assigned IP address. Before the lease runs out (by default at the halfway point of the lease) the client sends a DHCP Request back to the server to renew it, and the server will usually allocate the same IP address to the client. When a DHCP client leaves the network or its lease period expires, the associated IP address is handed back to the DHCP server, which can assign it to another host.
DHCP servers can also be configured to assign specific addresses to certain hosts based on their MAC address. This feature is especially useful when configuring servers to use DHCP addresses (although the recommendation, in this case, is to manually assign IP addresses). This is because users usually identify a server based on a fixed IP address, and we don’t want that IP address to change over time.
Cisco IOS-based routers can be configured as either DHCP servers or DHCP clients (per interface).
DHCP client functionality for routers (as opposed to host computers) is not very common. This is because routers are critical infrastructure devices, and the recommendation is to address them manually instead of dynamically so their IP addresses are always known and fixed.
DHCP server functionality on Cisco IOS routers involves a few steps:
- Enable the DHCP service (usually enabled by default)
- Assign a static IP on the LAN-facing interface you want to enable the DHCP service on
- Create a DHCP pool
- Define DHCP parameters within the DHCP pool
- Define excluded DHCP addresses
- Monitor correct DHCP address assignment
Mini-lab – DHCP Configuration on Cisco IOS Routers
Let’s work on an example based on the topology in Figure 19.4 below:
FIG 19.4 – Mini-lab: DHCP configuration on Cisco IOS routers
Start by enabling the DHCP service on Router 1:
R1(config)#service dhcp
Next, assign the 192.168.1.1/24 address on interface Fast Ethernet 0/1, facing the DHCP clients:
R1(config)#interface FastEthernet0/1
R1(config-if)#ip add 192.168.1.1 255.255.255.0
All the DHCP parameters that you want to transmit to the clients will be configured in DHCP pool configuration mode:
R1(config)#ip dhcp pool CCNA
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#lease 1
R1(dhcp-config)#dns-server 8.8.8.8
Only the first two commands are compulsory. You have configured the DHCP pool so that it will offer addresses from the 192.168.1.0/24 subnet, with a default gateway of 192.168.1.1 (the router interface). You have also configured a lease time of one day and the DNS server IP address.
Finally, configure the router so that it will not offer all the IP addresses from the 192.168.1.0/24 range. The DHCP client allocations in this example should start at 192.168.1.11 and finish at 192.168.1.250. There might be multiple reasons behind this logic, but the most obvious one is that you want to statically assign the first and last addresses from the range to servers and network devices. The configuration to accomplish this is as follows:
R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)#ip dhcp excluded-address 192.168.1.251 192.168.1.254
Please note that the excluded addresses are configured in configuration mode, not in DHCP configuration mode.
After the DHCP client broadcasts a DHCP Discover on the link, the router sees it come in on interface Fast Ethernet 0/1 and associates the request with DHCP pool CCNA (based on the configured network statement). It will then offer the DHCP client the first available IP address in the pool, which is 192.168.1.11/24.
Check the PC to ensure that the address has been allocated. Alternatively, if you have another router on the end of the connection, use the ip address dhcp command on the interface and then use the show ip interface brief command. Remember to issue the no shut command on the interface.
[END OF MINI-LAB]
It's worth noting that the IOS DHCP server checks whether the next address in the pool is really free before offering it: by default it pings the address first (the number of pings is set with the ip dhcp ping packets command), and the client sends a gratuitous ARP for the address once it receives it. If either check shows that the address is already in use (say by a user who set it statically without knowing DHCP was in use), the address is removed from the pool and placed in a conflict table, where it stays until you resolve the issue and clear it with the clear ip dhcp conflict command:
Router#sh ip dhcp conflict
IP address Detection method Detection time VRF
10.10.12.2 Ping July 01 2015 12:01 AM
You can verify the correct DHCP address assignment using the show ip dhcp binding command.
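The four-step exchange described earlier and the pool, exclusion and conflict-check behaviour of the mini-lab, as an added Python model. This is example code written for this page, not IOS code or code from the original text; the packet layout follows RFC 2131, while the pool, the MAC addresses and the ping probe (a callback that stands in for the server's pre-offer ping) are constructed.

```python
import ipaddress
import struct

# Added, offline model of Discover/Offer/Request/Ack plus an IOS-style pool with
# excluded addresses and a ping check before each offer. Pool and MACs are constructed.
MAGIC = b"\x63\x82\x53\x63"                          # DHCP magic cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                   # 236-byte BOOTP header


def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def build(op, xid, chaddr, yiaddr, options):
    """Serialise one message: header, cookie, TLV options, END (0xff)."""
    z = b"\0" * 4
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, z, packed(yiaddr), z, z,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([t, len(v)]) + v for t, v in options)
    return hdr + MAGIC + tlv + b"\xff"

def parse(pkt):
    """Decode header fields and the option list into a dict."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        t, ln = pkt[i], pkt[i + 1]
        opts[t] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:6], "options": opts}


class DhcpServer:
    """One pool, like `ip dhcp pool` plus `ip dhcp excluded-address` on IOS."""

    def __init__(self, network, router, dns, lease, excluded=(), in_use=lambda ip: False):
        self.net = ipaddress.IPv4Network(network)
        self.router, self.dns, self.lease, self.in_use = router, dns, lease, in_use
        self.excluded = set()
        for lo, hi in excluded:
            a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
            self.excluded.update(str(ipaddress.IPv4Address(n)) for n in range(a, b + 1))
        self.offered, self.bindings, self.conflicts = {}, {}, {}

    def next_free(self):
        """Lowest address that is not excluded, bound, conflicting or answering a ping."""
        for host in self.net.hosts():
            ip = str(host)
            if ip in self.excluded or ip in self.conflicts or ip in self.bindings.values():
                continue
            if self.in_use(ip):              # something replied: park it in the conflict table
                self.conflicts[ip] = "Ping"
                continue
            return ip
        return None                           # pool exhausted

    def params(self, mtype):
        return [(53, bytes([mtype])), (54, packed(self.router)),
                (51, struct.pack("!I", self.lease)), (1, self.net.netmask.packed),
                (3, packed(self.router)), (6, packed(self.dns))]

    def handle(self, pkt):
        """Server side of the exchange; returns the reply bytes or None."""
        msg = parse(pkt)
        mtype, mac, xid = msg["options"][53][0], msg["chaddr"], msg["xid"]
        if mtype == DISCOVER:
            ip = self.bindings.get(mac) or self.offered.get(mac) or self.next_free()
            if ip is None:
                return None                   # nothing left to offer
            self.offered[mac] = ip
            return build(2, xid, mac, ip, self.params(OFFER))
        if mtype == REQUEST:
            if msg["options"].get(54) != packed(self.router):
                self.offered.pop(mac, None)   # client accepted another server's offer
                return None
            want = str(ipaddress.IPv4Address(msg["options"][50]))
            if self.offered.get(mac) != want:
                return build(2, xid, mac, "0.0.0.0", [(53, bytes([NAK])), (54, packed(self.router))])
            self.bindings[mac] = self.offered.pop(mac)
            return build(2, xid, mac, want, self.params(ACK))
        return None


def client_request(xid, mac, offer):
    """Accept an offer: echo the server identifier (54) and requested address (50)."""
    o = parse(offer)
    return build(1, xid, mac, "0.0.0.0",
                 [(53, bytes([REQUEST])), (54, o["options"][54]), (50, packed(o["yiaddr"]))])

def dora(server, xid, mac):
    """Run all four steps; returns (address, lease seconds) or None if no offer came."""
    offer = server.handle(build(1, xid, mac, "0.0.0.0", [(53, bytes([DISCOVER]))]))
    if offer is None:
        return None
    ack = parse(server.handle(client_request(xid, mac, offer)))
    return ack["yiaddr"], struct.unpack("!I", ack["options"][51])[0]
```

With the mini-lab's pool (192.168.1.0/24, .1 to .10 and .251 to .254 excluded, one-day lease) the first client is handed 192.168.1.11; if the probe reports .11 as answering a ping, that address lands in conflicts and the client gets .12 instead, which is the behaviour behind show ip dhcp conflict.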
You can expect to be asked to configure a router with DHCP in the exam, or to be presented with various configuration commands and asked to choose which are necessary in order to achieve the desired result, so make sure that you can configure the commands above from memory. You also need to know how to configure a router to be a DHCP server as well as a client.
IP Helper Address
Routers do not forward broadcast traffic by default. There are instances where you want a broadcast to cross the router, for example, when a client broadcasts a DHCP Discover and the DHCP server sits on another network on the far side of your router. In this instance, you configure the ip helper-address command on the interface that receives the broadcast (the client-facing interface), which activates DHCP relay: the router rewrites the broadcast as a unicast packet sent to the configured address and places the receiving interface's address in the packet's gateway (giaddr) field, so the server knows which pool to allocate from:
RouterA#config t
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip helper-address 192.168.1.1
The ip helper-address command will automatically forward eight common UDP ports that use broadcasts:
- Time (37)
- TACACS (49)
- DNS (53)
- BOOTP server (67)
- BOOTP client (68)
- TFTP (69)
- NetBIOS name service (137)
- NetBIOS datagram service (138)
Figure 19.5 below demonstrates how you would use the command:
FIG 19.5 – IP helper address in operation
In the exam, you might be presented with an issue about DHCP Requests being stopped at the router and then asked how you would fix the issue. Well now you know!
IP Forward Protocol
What if you wanted to forward a protocol not on the list above? The ip forward-protocol udp [port] global configuration command adds a UDP port to the list that ip helper-address relays, and no ip forward-protocol udp [port] removes one, which is worth doing for the default ports you don't actually need relayed. The output below configures an IP helper address on the interface and then, in global configuration mode, adds a UDP port to the forwarded list (replace port with the port number you need):
RouterA#config t
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip helper-address 192.168.1.1
RouterA(config-if)#exit
RouterA(config)#ip forward-protocol udp port
As with all Cisco IOS commands, you can Google them to do further research because many of them have multiple permutations. There are so many, in fact, that in the CCIE lab exam, Cisco gives you access to Command References and Configuration Guides on CD ROM. Bear in mind that some commands were introduced in later versions of the IOS, and these may not be available to you. Some have also been deprecated over time for business or security reasons.
You can access Cisco’s feature navigator tool for the IOS to check which services and commands are available for your model of devices as well as your IOS release. If your company has a contract with a Cisco TAC (Technical Assistance Center), they can do this for you or your presales advisor can.
Domain Name System
The DNS is a timesaving protocol that translates a hostname or fully qualified domain name (FQDN) to an IP address, saving you the trouble of having to memorize a long list of IP addresses. If you were a network administrator in the early days of networking, you would have had to manually add a very long hosts.txt file to your server in order to call up the correct website or device (by name) for clients. Figure 19.6 below shows a typical host file:
FIG 19.6 – Host file (Image © helpdeskgeek.com)
The early specifications for the DNS, written in 1983, solved the problems in the manual naming system. The modern Internet would not function without the use of the DNS. For example, if you were to type cisco.com into your browser, it would quickly call up the website and populate your browser window. You also could have typed the IP address 72.163.4.161 into the browser bar and get the same results, as shown in Figure 19.7 below:
FIG 19.7 – Typing the IP address 72.163.4.161 or cisco.com gives the same results
If you simply type cisco.com into the browser, the client queries the DNS server, the address of which is usually supplied by DHCP (more on this later). The server resolves the hostname or FQDN to an IP address, with the query carried over UDP port 53. TCP port 53 is used for zone transfers (i.e., DNS servers replicating databases) and when a response does not fit in a single 512-byte UDP message. This process is illustrated in Figure 19.8 below:
FIG 19.8 – The DNS process
What is the IP address of www.cisco.com?
The DNS server will resolve the name to an IP address, as shown in Figure 19.9 below:
FIG 19.9 – www.cisco.com is at 72.163.4.161
DNS queries can be either recursive or iterative. With a recursive lookup, the DNS server will fully answer the query by either providing the IP address or giving an error. With an iterative query, the DNS server can provide information, give an error, or direct the requester to another DNS server. This is illustrated in Figure 19.10 below, where 1 and 8 are recursive, and the rest are iterative:
FIG 19.10 – Recursive and iterative queries
- What is the IP address of cisco.com?
- What is the IP address of cisco.com?
- I don’t know. Ask the “.com” DNS server.
- What is the IP address of cisco.com?
- I don’t know. Ask the “cisco.com” DNS server.
- What is the IP address of cisco.com?
- The IP address of www.cisco.com is 72.163.4.161.
- The IP address of www.cisco.com is 72.163.4.161.
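The recursive-versus-iterative split shown in Figure 19.10, as an added Python model that is not part of the original text: a recursive resolver that walks referrals from the root servers to the .com servers to the cisco.com servers. The zone data is constructed (only the www.cisco.com address comes from the page), and each "server" is just a dictionary lookup, so it runs offline. The referral cap is the practitioner's safeguard: a resolver that follows referrals without limit can be sent round in circles by a misconfigured or hostile delegation.

```python
# Added model of Figure 19.10; zone contents are constructed for the example.
ZONES = {
    ".":          {"NS": ["com."], "A": {}},
    "com.":       {"NS": ["cisco.com."], "A": {}},
    "cisco.com.": {"NS": [], "A": {"www.cisco.com.": "72.163.4.161",
                                   "cisco.com.": "72.163.4.161"}},
}


def iterative_query(zones, zone, qname):
    """One iterative query to the server authoritative for `zone`: it answers,
    refers you down to a child zone it delegates, or says the name does not exist."""
    data = zones[zone]
    if qname in data["A"]:
        return "answer", data["A"][qname]
    for child in sorted(data["NS"], key=len, reverse=True):   # longest match first
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", None


def resolve(qname, zones=ZONES, cache=None, max_referrals=10):
    """Recursive resolver: follows referrals until it has an answer or an error.
    Returns (address or None, list of zones whose servers were asked)."""
    cache = {} if cache is None else cache
    qname = qname if qname.endswith(".") else qname + "."
    if qname in cache:
        return cache[qname], ["cache"]
    zone, asked = ".", []
    for _ in range(max_referrals):
        asked.append(zone)
        kind, value = iterative_query(zones, zone, qname)
        if kind == "answer":
            cache[qname] = value
            return value, asked
        if kind == "nxdomain":
            return None, asked
        zone = value                     # referral: ask the delegated server next
    return None, asked                   # referral loop or delegation too deep: give up
```

Resolving www.cisco.com asks three servers in turn (root, .com, cisco.com), which are the three iterative queries in the figure; the client only ever made the one recursive query.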
Troubleshooting DNS
The first step for any client-side DNS issue is to verify IP connectivity to the DNS server, using Ping or Traceroute, and to check the IP settings on your PC. As already noted, the DNS operates over UDP port 53 and is carried in IP packets, so you should also check the access lists and/or firewall filtering on the client, server, or router. Querying the server directly with nslookup or dig separates a resolution failure (the server answers but has no record, or returns an error) from a connectivity failure (no answer at all).
Sometimes, customers who have read about various IP configuration settings decide that they want to hard-set (manually configure) an IP address, default gateway, and DNS server. Of course, this will then bypass any configurations you have set to be issued by the DHCP server. I have personally seen users configure their own IP addresses (ones already in use), which caused a number of issues.
If you have access, then confirm that the DNS server has or can get the requested record. If you have made changes to the IP servers in the network, such as your DNS server, you need to ensure that all hosts refresh their settings. DNS configuration errors are an obvious cause when you can ping an IP address but cannot ping the hostname.
Network Address Translation
No discussion about IP addressing would be complete without including Network Address Translation (NAT), which was implemented under RFC 1631. RFC 1918 addressed the shortage of IP addresses and allocated the ranges of private addresses 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x. As you already know, private IP addresses allocated under RFC 1918 are not routable on the Internet. NAT allows these private internal IP addresses to be translated into addresses that are routable on the Internet.
One of the benefits of using NAT is that it helps prevent the depletion of public IP addresses. You can use private IP addressing on your LAN safe in the knowledge that you will still be able to connect out to the Internet using NAT. It also prevents you from having to manually readdress internal hosts using private addressing that requires Internet access.
Another benefit is that hosts inside your LAN do not expose their addresses to the Internet. Your Internet-facing router translates the private address to a public address and back again, so the NAT process is invisible to the hosts, even if they are on the other side of a WAN link. Bear in mind that this hiding is not a security control in itself: what stops unsolicited inbound connections is the absence of a translation entry (or an ACL or firewall), and a static NAT entry deliberately makes an inside host reachable from outside.
A network using NAT is split into two logical halves—an inside half, which (usually) uses private addresses, and an outside half, which uses one or more public addresses. When the inside hosts attempt to contact another device on the Internet, the router swaps the private address for a public address and maintains a record of which private address was swapped for which public address.
The inside and outside parts of the network are defined with the following commands in interface configuration mode:
RouterA(config-if)#ip nat inside
RouterA(config-if)#ip nat outside
A router only needs one valid public IP address to perform NAT. This one IP address can be used many times over by assigning a port number to the inside hosts for the connection to the outside (using Port Address Translation).
There are three ways to configure NAT, and your choice will depend on different factors, including how many public addresses you have and what you want to achieve with the NAT configuration. Options include:
- Static NAT – maps a private to a public address on a one-to-one basis
- Dynamic NAT – maps the private (inside) address to a group or pool of public addresses; after a predetermined period of time, the translation times out
- NAT Overload – maps private addresses to one public address; also known as Port Address Translation (PAT) or one-way NAT
FIG 19.11 – NAT connection to the Internet
Local and Global Addresses
The terms used to describe the types of NATed addresses can cause some confusion, but it is worth knowing which is which:
- Inside local – the address assigned to a host inside the network; likely to be a private address not routable (RFC 1918) on the Internet
- Inside global – a routable IP address usually assigned by an ISP; represents one or more hosts on the LAN to the outside world
- Outside local – the address of an outside host as it appears to the internal network (LAN)
- Outside global – the address of the outside host as assigned by its owner; normally a public (routable) address
A local address is an address on the inside part of the network, and a global address is an address on the outside part of the network (usually the Internet).
Referring to Figure 19.12 below, the following output shows the static NAT configuration for the host translated to 80.1.1.1 (some of the configuration has been omitted for clarity):
RouterA(config)#ip nat inside source static 172.16.1.1 80.1.1.1
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#interface FastEthernet0/0
RouterA(config-if)#ip nat inside
Notice that in the configuration example above, the public address 80.1.1.1 is not applied to an interface. The public address is kept inside the router configuration and is used only when the inside host wants to go out to the Internet. If the inside host wanted to contact another host inside the same LAN, then a NAT translation would not take place.
FIG 19.12 – NAT example
When the host behind Router A goes out to the Internet to connect to the host behind Router B, you will see the following addresses in Router A’s NAT table (they may differ depending on how you configured NAT on your router):
Inside Global | Inside Local | Outside Global | Outside Local |
80.1.1.1 | 172.16.1.1 | 100.1.1.1 | 100.1.1.1 |
NOTE: The public addresses above belong to a company somewhere on the Internet and should not be used as part of your NAT configurations or for testing in your labs if your network has a connection out to the Internet.
Running a debug ip nat command as the host on the LAN goes through the router shows the translation taking place for host 172.16.1.1, pinging address 192.168.1.1, and being NATed to 80.1.1.1. The output below may not work or look the same in Packet Tracer:
RouterA#debug ip nat
03:38:28: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [30]
03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [30]
03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [31]
03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [31]
03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [32]
03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [32]
03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [33]
03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [33]
03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [34]
03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [34]
The source (s=) address is the host 172.16.1.1 on the LAN, which is translated to 80.1.1.1. The destination (d=) address 192.168.1.1 is another device on an outside network. The numbers in brackets [ ] indicate the IP identification number of the packet, which is useful for debugging.
RouterA#show ip nat translation
Pro Inside global Inside local Outside local Outside global
— 80.1.1.1 172.16.1.1 — —
There are several ways to configure NAT depending on network requirements. It is advisable to have a good working knowledge of NAT and how to configure static, dynamic, and PAT. The NAT labs will help you gain a good working knowledge of NAT.
Static NAT
Static NATs (or 1-to-1 NAT) are manually defined mappings and are always in the NAT translation table (i.e., they are not dynamically created and torn down). This is useful in allowing an internal device to be reachable from the Internet. When configuring static NAT, you do not need an ACL to specify inside addresses or a NAT pool to specify global addresses. Let’s take a look at Figure 19.13 below:
FIG 19.13 – Static NAT in use
Inside Addresses | Outside NAT Addresses |
172.16.1.1 | 80.1.1.1 |
172.16.1.2 | 80.1.1.2 |
For the network above, your configuration would be as follows:
Router(config)#interface f0/1
Router(config-if)#ip address 172.16.1.3 255.255.0.0
Router(config-if)#ip nat inside
Router(config)#interface s0/0
Router(config-if)#ip add 100.1.1.1 255.255.0.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat inside source static 172.16.1.1 80.1.1.1
Router(config)#ip nat inside source static 172.16.1.2 80.1.1.2
The ip nat inside source static command defines the NAT as a static NAT that translates the source address to a global public address when traffic hits the inside interface. Many network engineers run into configuration mistakes when they apply the wrong ip nat inside and ip nat outside statements! You should be very familiar with these kinds of errors and be able to spot them in the CCNA exam.
The IP addresses 80.1.1.1, 80.1.1.2, and 100.1.1.1 are allocated to hosts on the Internet, so don’t use them on any equipment you have connected to the Internet.
Dynamic NAT and Port Address Translation (PAT)
We will cover dynamic NAT (NAT pool) and Port Address Translation (PAT/NAT overload) at the same time. The reason for this is that to turn dynamic NAT into PAT, you simply add one tag command to the end of your configuration line. PAT is also known as one-way NAT because it can only be initiated from the inside of your network to the outside; it is also referred to as NAT overload.
Static NAT and dynamic NAT help us translate addresses, but they do not help us conserve IP address space, because the translations are 1:1. This is where NAT overload (PAT) comes in. With port overloading, you translate not only the source IP address but also the source port number, so each port of the global IP address can be used for a different connection. This allows a single global address to carry tens of thousands of simultaneous connections (one per source port, per transport protocol)!
NAT overload is configured the same way as dynamic NAT. The only difference is that the overload keyword is added to the configuration. First, we will configure dynamic NAT for the network below using a pool of addresses from 200.1.1.1 to 200.1.1.100.
NOTE (Dario): In the real world, NAT overload uses the interface IP address more often than an address pool.
FIG 19.14– Dynamic NAT example
Router(config)#interface f0/0
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#interface s0/0
Router(config-if)#ip address 80.1.1.1 255.0.0.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat pool NAT_Pool 200.1.1.1 200.1.1.100 netmask 255.255.255.0
Router(config)#ip nat inside source list 1 pool NAT_Pool
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
I didn’t include the routing commands, but we will cover this in the NAT labs later on. The output below shows the NAT translation table on the router after a host on the inside is NATed as it goes out of the router to host 80.1.1.2 on the Internet. Because of the configuration, dynamic NAT is usually used for internal hosts to reach hosts on the Internet, not the other way around.
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 200.1.1.1:0 192.168.1.2:0 80.1.1.2:0 80.1.1.2:0
— 200.1.1.1 192.168.1.2 — —
Address 192.168.1.2 was allocated the routable address 200.1.1.1 from the NAT pool.
To configure PAT, you would carry out the exact same configuration as for dynamic NAT, but you would add the keyword overload to the end of the pool. With PAT, you only need one routable IP address for your pool. It’s still called a NAT pool even though you are using only one IP address. I didn’t include the interface-level commands because they are the same.
Router(config)#ip nat pool PAT_Pool 200.1.1.1 200.1.1.1 netmask 255.255.255.0
Router(config)#ip nat inside source list 1 pool PAT_Pool overload
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
This time you can see that PAT has used the port field to tell flows apart. Because this is an ICMP ping, the value shown (1 here) is the ICMP echo identifier rather than a TCP or UDP port; it is appended to the end of the translation addresses.
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 200.1.1.1:1 192.168.1.2:1 80.1.1.2:1 80.1.1.2:1
As Dario mentioned above, you are more likely to overload your outside interface IP address, thus avoiding having to purchase a pool of routable IP addresses.
Router(config)#interface f0/0
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#interface s0/0
Router(config-if)#ip address 80.1.1.1 255.0.0.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip nat inside source list 1 interface s0/0 overload
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Configuring and Verifying NAT
NAT configuration using Cisco IOS involves a few configuration steps. For dynamic NAT configuration, here are the steps required:
- Select the inside NAT interface using the ip nat inside interface configuration command.
- Select the outside NAT interface using the ip nat outside interface configuration command.
- Identify traffic that would be translated using an ACL. This can be a standard/extended and named or numbered ACL. I recommend named ACLs because they are more intuitive.
- Configure a pool of global addresses to which the local addresses will be translated. This step is optional because you can translate directly to an interface address. The syntax is the ip nat pool name start-ip end-ip {netmask mask | prefix-length length} global configuration command.
- Tie all the commands together: configure dynamic NAT using the ip nat inside source list acl {interface name | pool name} [overload] global configuration command.
The output below shows how to configure dynamic NAT on the Cisco IOS. The description and remark features available in the Cisco IOS have been used to explain the configuration. This is quite useful on live networks to provide some context on why the network was configured in a particular manner. Cisco's NAT configuration guide covers the remaining options.
R1(config)#interface GigabitEthernet0/0
R1(config-if)#description “Connected To The Inside Network”
R1(config-if)#ip address 10.1.1.1 255.255.255.248
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface Serial0/1
R1(config-if)#description “Connected To The Internet”
R1(config-if)#ip address 161.1.1.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list 101 remark “Translate Inside Addresses Only”
R1(config)#access-list 101 permit ip 10.1.1.0 0.0.0.7 any
R1(config)#ip nat pool INSIDE-POOL 161.1.1.3 161.1.1.6 prefix-length 24
R1(config)#ip nat inside source list 101 pool INSIDE-POOL
R1(config)#exit
The show ip nat translations command can be used to verify that the inside networks are actually getting translated to the NAT pool, as shown below:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 161.1.1.4:4 10.1.1.1:4 200.1.1.1:4 200.1.1.1:4
icmp 161.1.1.3:1 10.1.1.2:1 200.1.1.1:1 200.1.1.1:1
tcp 161.1.1.5:159 10.1.1.3:159 200.1.1.1:23 200.1.1.1:23
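The static, dynamic-pool and overload behaviour described in the preceding sections, as an added Python model that is not part of the original text and is not IOS code. It keeps a translation table in the four IOS address types and answers the two questions a practitioner cares about: what an outbound packet is translated to (including the drop when a dynamic pool is exhausted) and whether an inbound packet has an entry at all, which is why PAT is "one-way" while a static entry is reachable from the Internet. All addresses and ports are constructed.

```python
import itertools


class NatTable:
    """Added, offline model of an IOS NAT table covering static, dynamic-pool and
    overload (PAT) translation. Rows use the four IOS address types: inside local,
    inside global, outside local and outside global. Addresses are constructed."""

    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static = dict(static or {})       # inside local -> inside global, 1:1, permanent
        self.pool = list(pool or [])           # free inside-global addresses for dynamic NAT
        self.overload_ip = overload_ip         # the single inside-global address for PAT
        self.simple = {g: l for l, g in self.static.items()}   # inside global -> inside local
        self.pat = {}                          # (proto, inside local, local port) -> global port
        self.used_ports = set()                # (proto, global port) already handed out
        self.flows = {}                        # (proto, iglobal, gport, oglobal, oport) -> (ilocal, lport)

    def _pat_port(self, proto, wanted):
        """IOS keeps the client's source port when it is free and picks another otherwise."""
        if (proto, wanted) not in self.used_ports:
            return wanted
        return next(p for p in itertools.count(1024) if (proto, p) not in self.used_ports)

    def outbound(self, proto, src, sport, dst, dport):
        """Packet arriving on the `ip nat inside` interface; returns the translated
        5-tuple, or None when no global address is available (the packet is dropped)."""
        if src in self.static:
            glob, gport = self.static[src], sport
        elif self.overload_ip:
            key = (proto, src, sport)
            if key not in self.pat:
                self.pat[key] = self._pat_port(proto, sport)
                self.used_ports.add((proto, self.pat[key]))
            glob, gport = self.overload_ip, self.pat[key]
        else:
            glob = next((g for g, l in self.simple.items() if l == src), None)
            if glob is None:
                if not self.pool:
                    return None                # pool exhausted
                glob = self.pool.pop(0)
                self.simple[glob] = src
            gport = sport
        self.flows[(proto, glob, gport, dst, dport)] = (src, sport)
        return proto, glob, gport, dst, dport

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving on the `ip nat outside` interface. Only an existing flow
        (PAT) or an address-level entry (static, or dynamic while it lives) is
        translated; anything else has no entry and is dropped."""
        hit = self.flows.get((proto, dst, dport, src, sport))
        if hit:
            return (proto, src, sport) + hit
        if dst in self.simple:
            return proto, src, sport, self.simple[dst], dport
        return None

    def show(self):
        """Rows in the column order of `show ip nat translations`."""
        rows = [(p, f"{ig}:{gp}", f"{il}:{lp}", f"{og}:{op}", f"{og}:{op}")
                for (p, ig, gp, og, op), (il, lp) in self.flows.items()]
        rows += [("---", ig, il, "---", "---") for ig, il in self.simple.items()]
        return rows


if __name__ == "__main__":
    pat = NatTable(overload_ip="200.1.1.1")
    pat.outbound("tcp", "192.168.1.2", 50000, "80.1.1.2", 80)
    pat.outbound("tcp", "192.168.1.3", 50000, "80.1.1.2", 80)   # same source port: gets a new one
    for row in pat.show():
        print(*row)
```

Two inside hosts that both happen to use source port 50000 share the one global address but get distinct global ports, which is the whole point of overload; a packet arriving from outside for a port with no flow entry returns None, while a host behind a static entry is translated even with no prior traffic.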
Troubleshooting NAT
There is no mention of troubleshooting NAT in the CCNA syllabus but as I’ve learned over years of taking Cisco exams, the fact that it isn’t mentioned doesn’t mean that you won’t be asked about it!
You have already learned all that you need to know to troubleshoot NAT because (apart from IOS bugs) NAT issues are almost always a configuration error, in particular:
- NAT inside and outside statements missing from the interface
- The pool name referenced in the ip nat inside source list command doesn't match the name given in ip nat pool (names are case sensitive)
- ACL incorrectly configured to match wrong addresses or subnets
- ACL blocking the traffic before it is NATed
- Pool contains too few addresses and fills quickly
- No routing configured to reach the NAT pool addresses
You should be familiar with the show ip nat translations and debug ip nat commands to see real-time translations taking place. Don’t rush into troubleshooting NAT before checking the obvious, such as interface status, IP addressing, and IP connectivity. The network must have a route to reach all addresses, including those you have added to the NAT pool.
If you need to clear your NAT translations table, then use the clear ip nat translation * command in privileged mode. Bear in mind that all dynamic translations will expire when the timeout value is reached, so if you wait too long to check the translations table, you will find that the entry isn't there. This doesn't mean that NAT isn't working. You can change NAT timeout values with the ip nat translation timeout family of commands, but understand the effect on active sessions before doing this on a production router.
Network Time Protocol
Having an automated way to ensure that consistent and accurate time is held by your network devices is vital to the efficient operation of your network infrastructure (and to making sense of logs from different devices). Network Time Protocol (NTP) is a protocol that allows automatic time configuration on distributed network devices based on a client/server model. The client polls an NTP server, which replies with its current clock. NTP functions on UDP port 123. A Cisco device can be configured to pull the time from an NTP server (192.168.1.2 in the output below) using the following command:
R1(config)#ntp server 192.168.1.2
R1#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
R1#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~192.168.1.2     0.0.0.0         16      -     64     0    0.0    0.00   6000
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
You can see that the output above includes the term “stratum”. The stratum grades the reliability of time sources. A stratum 1 device is directly connected to a reliable source, such as an atomic clock. A stratum 2 device obtains its time from a stratum 1 device. A stratum 3 device obtains its time from a stratum 2 device, and so on.
FIG 19.15 – NTP stratum sources
NTP offers a number of configuration options, including authentication and peering, but going into depth on these will take us off track for the purposes of the CCNA exam.
End of Chapter Questions
Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 19 exam.
Chapter 19 Labs
Lab 1: Configuring a Router as a DHCP Server
The physical topology is shown in Figure 19.16 below:
FIG 19.16 – DHCP server
Lab Exercise
Your task is to configure the router to issue an IP address to the host via DHCP. Please feel free to try the lab without following the Lab Walk-through section.
Purpose
Configuring a router to act as a DHCP server is now included in the CCNA exam. You may also have to carry out this task as a network engineer while on site.
Lab Objectives
- Use the IP addressing scheme depicted in the diagram above. You will need to connect the router to the PC via a crossover cable unless you have a switch you can use.
- Set the IP address on the router’s Fast Ethernet interface as 172.16.1.1/24.
- Set the PC to search for an IP address via DHCP.
- Configure a DHCP pool on the router for network 172.16.0.0/24.
- Add an excluded address on the router and add TCP/IP settings such as a default gateway and DNS server (optional).
- Finally, to test that DHCP is working, renew the IP address on the PC.
Lab Walk-through
- To set the IP addresses on an interface, you will need to do the following:
Router#conf t
Router(config)#interface fast0/0
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)#exit
- Enable DHCP on your router and set the address pool (in configuration mode):
Router(config)#service dhcp – Turn DHCP on (it is enabled by default on most IOS versions)
Router(config)#ip dhcp pool pool1 – Name your pool pool1
Router(dhcp-config)#network 172.16.0.0 255.255.0.0 – This is your DHCP pool
Router(dhcp-config)#lease 3 – 3-day lease on the IP address
Router(dhcp-config)#exit – Drop back to config mode
Router(config)#ip dhcp excluded-address 172.16.1.1 – Global command; keeps the router’s own address out of the pool
- If you are using your home PC or laptop, set the network adaptor to obtain the IP address automatically:
FIG 19.17 – Obtaining IP address
- Issue an ipconfig /all command to check whether an IP address has been assigned to your PC. You may need to issue an ipconfig /renew command if an old IP address is still in use:
[PC] ipconfig /all
Physical Address. . . . . . . . . : 0001.C7DD.CB19
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 0.0.0.0
- If you want, you can go back into the DHCP pool and add a default gateway and a DNS server address, which will also be set on the host PC:
Router(config)#ip dhcp pool pool1
Router(dhcp-config)#default-router 172.16.1.2
Router(dhcp-config)#dns-server 172.16.1.3
[PC] ipconfig /renew
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.1.2
DNS Server. . . . . . . . . . . . : 172.16.1.3
Show Run
hostname Router
!
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool pool1
network 172.16.0.0 255.255.0.0
dns-server 172.16.1.3
default-router 172.16.1.2
lease 3
!
ip cef
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.0.0
!
end
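As an added example (not part of the book’s lab), the Python script below lints the DHCP part of a running config like the Show Run above: it checks that an interface is addressed inside the pool’s network (IOS picks the pool by the subnet of the interface the request arrives on), that the router’s own address is excluded from the pool, and that the default-router is on the pool subnet. Both config texts are constructed for the example; the second one deliberately drops the exclusion and uses a gateway on the wrong subnet.

```python
import ipaddress

# Constructed copy of the Lab 1 "show run" for the router acting as DHCP server.
LAB1_CONFIG = """\
hostname Router
!
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool pool1
 network 172.16.0.0 255.255.0.0
 dns-server 172.16.1.3
 default-router 172.16.1.2
 lease 3
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.0.0
!
end
"""

# Constructed faulty variant: exclusion dropped, gateway on the wrong subnet.
BROKEN_CONFIG = (LAB1_CONFIG
                 .replace("ip dhcp excluded-address 172.16.1.1\n!\n", "")
                 .replace("default-router 172.16.1.2", "default-router 10.1.1.1"))


def parse_config(text):
    """Extract DHCP pools, interface addresses and excluded ranges."""
    pools, interfaces, excluded = {}, {}, []
    kind = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        parts = line.split()
        if raw[0] != " ":                        # top-level command
            kind = section = None
            if parts[:3] == ["ip", "dhcp", "pool"]:
                kind, section = "pool", parts[3]
                pools[section] = {}
            elif parts[0] == "interface":
                kind, section = "intf", parts[1]
                interfaces[section] = None
            elif parts[:3] == ["ip", "dhcp", "excluded-address"]:
                lo = int(ipaddress.IPv4Address(parts[3]))
                hi = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else lo
                excluded.append((lo, hi))
        elif kind == "pool":
            if parts[0] == "network":
                pools[section]["network"] = ipaddress.IPv4Network(
                    f"{parts[1]}/{parts[2]}", strict=False)
            elif parts[0] in ("default-router", "dns-server"):
                pools[section][parts[0]] = [ipaddress.IPv4Address(p) for p in parts[1:]]
        elif kind == "intf" and parts[:2] == ["ip", "address"] and "secondary" not in parts:
            interfaces[section] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return pools, interfaces, excluded


def is_excluded(addr, ranges):
    return any(lo <= int(addr) <= hi for lo, hi in ranges)


def audit_dhcp(text):
    """Return the problems that would stop hosts from getting a usable lease."""
    pools, interfaces, excluded = parse_config(text)
    findings = []
    for name, pool in pools.items():
        net = pool.get("network")
        if net is None:
            findings.append(f"pool {name}: no network statement, nothing can be leased")
            continue
        # IOS serves a pool from the interface whose address lies in the pool network.
        serving = [i for i, a in interfaces.items() if a is not None and a.ip in net]
        if not serving:
            findings.append(f"pool {name}: no interface is addressed inside {net}")
        for intf in serving:
            ip = interfaces[intf].ip
            if not is_excluded(ip, excluded):
                findings.append(f"pool {name}: {intf} address {ip} is not excluded from the pool")
        for gw in pool.get("default-router", []):
            if gw not in net:
                findings.append(f"pool {name}: default-router {gw} is not on the {net} subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", LAB1_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(label, "->", audit_dhcp(cfg) or ["no problems found"])
```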
Lab 2: Static NAT
The physical topology is shown in Figure 19.18 below:
FIG 19.18 – Static NAT
Lab Exercise
Your task is to configure the network in Figure 19.18 to allow the 172.16.1.1 host on the 172.16.1.0 LAN to access the Internet using address 10.0.0.1. The 10.0.0.1 address would normally be a routable public address provided by your ISP (such as 80.1.1.1), but for this lab, we will use a private non-routable address. Please feel free to try the lab without following the Lab Walk-through section, and then just check the notes for the NAT configuration.
Purpose
Being able to configure NAT is a fundamental CCNA skill. Any client who needs to access the Internet will want to use NAT. The key is to understand the clients’ requirements, and then design a solution to fit their needs.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 19.18. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna (not needed for NAT but added for practice purposes).
- Put a static route on the router.
- Configure the inside and outside NAT interfaces on the router.
- Configure a static NAT translation.
- Test the NAT translation.
Lab Walk-through
- To set the IP addresses on an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000 – If this is the DCE side
RouterA(config-if)#no shutdown
RouterA(config-if)#ip nat outside – The outside NAT network
RouterA(config-if)#interface Loopback0 – No need for no shutdown on Loopback interfaces
RouterA(config-if)#ip address 172.16.1.1 255.255.0.0
RouterA(config-if)#ip nat inside – The inside NAT network
RouterA(config-if)#^Z
RouterA#
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#exit
RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/0 – Static route
RouterB(config)#^Z
RouterB#
Ping across the Serial link now.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access; to do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4 – Enters the VTY line configuration
RouterA(config-line)#login local – This will use local usernames and passwords for Telnet access
RouterA(config-line)#exit – Exits the VTY config mode
RouterA(config)#username banbury password ccna – Creates username and password for Telnet access (login local)
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco – Sets the enable password (encrypted)
Router B:
RouterB(config)#enable secret cisco
- Configure a static NAT translation:
RouterA(config)#ip nat inside source static 172.16.1.1 10.0.0.1
RouterA(config)#^Z
- To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.1 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the static NAT entry (no ACL is involved in static NAT) and be translated to 10.0.0.1.
RouterA#debug ip nat – Turns on the NAT debug
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2 – Pings Router B
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback0 – Source is the LAN
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [35]
03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [35]
03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [36]
03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [36]
03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [37]
03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [37]
03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [38]
03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [38]
03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [39]
03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [39]
You can see that the NAT debug shows the source (s=) as the Loopback interface address 172.16.1.1, which is translated to 10.0.0.1. The destination (d=) is the Serial address 192.168.1.2 for Router B. The asterisk (*) shows the returning packet that is translated back. The numbers in brackets (e.g., [35]) are the IP identification numbers of the packets.
RouterA#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  10.0.0.1           172.16.1.1         ---                ---
You can see from the NAT translation table above that the router is doing a 1-to-1 translation of the address.
- Now please enter reload at the Router# prompt, and type yes to confirm.
Show Runs
RouterA#show run
Building configuration…
Current configuration: 757 bytes
!
version 15.1
!
hostname RouterA
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
ip nat inside
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
clock rate 64000
ip nat outside
!
ip nat inside source static 172.16.1.1 10.0.0.1
!
end
RouterA#
– – –
RouterB#show run
Building configuration…
Current configuration: 456 bytes
!
version 15.1
!
hostname RouterB
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
end
Lab 3: NAT Pool
The physical topology is shown in Figure 19.19 below:
FIG 19.19 – NAT pool
Lab Exercise
Your task is to configure the network in Figure 19.19 to allow the hosts on the 172.16.0.0 LAN (we will simulate this with the Loopback address and secondary address) to access the Internet using the NAT pool 10.0.0.1 to 10.0.0.10. Please feel free to try the lab without following the Lab Walk-through section.
Purpose
Again, being able to configure NAT is a fundamental CCNA skill. Any client who needs to access the Internet will want to use NAT. The key is to understand the clients’ requirements, and then design a solution to fit their needs.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 19.19. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna (optional).
- Put a static route on the router.
- Configure the inside and outside NAT interfaces on the router.
- Configure a pool of addresses the router will use as a NAT pool.
- Test the NAT configuration with a ping and debug.
Lab Walk-through
- To set the IP addresses for an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000 – If this is the DCE side
RouterA(config-if)#no shutdown
RouterA(config-if)#ip nat outside
RouterA(config-if)#interface Loopback0
RouterA(config-if)#ip address 172.16.1.1 255.255.0.0
RouterA(config-if)#ip address 172.16.1.2 255.255.0.0 secondary
The secondary address will act as a second host on the LAN.
RouterA(config-if)#ip nat inside
RouterA(config-if)#^Z
RouterA#
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#exit
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
RouterB(config)#^Z
RouterB#
Ping across the Serial link now.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access. To do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#username banbury password ccna
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco
Router B:
RouterB(config)#enable secret cisco
- You need to configure a NAT pool and then reference the ACL that decides which traffic will be NATed:
RouterA(config)#ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24
(or you could have entered ip nat pool internet_out 10.0.0.1 10.0.0.10 netmask 255.255.255.0)
RouterA(config)#ip nat inside source list 1 pool internet_out
RouterA(config)#access-list 1 permit 172.16.0.0 0.0.255.255
RouterA(config)#^Z
- To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.1 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the ACL and be translated to an address from the NAT pool.
RouterA#debug ip nat – Turns on the NAT debug
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2 – Pings Router B
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback0 – Source is the LAN
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
RouterA#
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [20]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [20]
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [21]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [21]
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [22]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [22]
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [23]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [23]
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [24]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [24]
RouterA#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  10.0.0.1           172.16.1.1         ---                ---
RouterA#
You can see that the NAT debug shows the source (s=) as the Loopback interface, which is translated to 10.0.0.1. The destination (d=) is the Serial address 192.168.1.2 for router B. The asterisk (*) shows the returning packet that is translated back.
The numbers in brackets (e.g., [20]) are the IP identification numbers of the packets. Feel free to also issue the show ip nat statistics command.
If you want to check that the pool is allocating addresses correctly, you can source a second ping—this time from the secondary address. There should be another address allocated from the NAT pool.
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/68 ms
RouterA#
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [45]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [45]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [46]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [46]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [47]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [47]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [48]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [48]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [49]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [49]
RouterA#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  10.0.0.1           172.16.1.1         ---                ---
---  10.0.0.2           172.16.1.2         ---                ---
- Now please enter reload at the Router# prompt, and type yes to confirm.
Show Runs
RouterA#show run
Building configuration…
Current configuration: 749 bytes
!
version 15.1
!
hostname RouterA
!
interface Loopback0
ip address 172.16.1.1 255.255.0.0
ip address 172.16.1.2 255.255.0.0 secondary
ip nat inside
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
clockrate 64000
ip nat outside
!
ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24
ip nat inside source list 1 pool internet_out
!
access-list 1 permit 172.16.0.0 0.0.255.255
!
end
RouterA#
– – –
RouterB#show run
Building configuration…
Current configuration: 456 bytes
!
version 15.1
!
hostname RouterB
!
ip subnet-zero
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial 0/0
!
end
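The Python script below is an added example, not part of the book’s labs. It parses debug ip nat lines in the format shown in the Lab 3 walk-through, rebuilds the inside-local to inside-global table that show ip nat translations displays, and checks every translation against the Lab 3 ACL and pool, which catches three of the faults in the NAT troubleshooting list earlier in the chapter: an ACL matching the wrong addresses, a pool that has filled up, and a reply with no matching outbound entry. The debug lines are constructed, including a 10.10.10.5 host that access-list 1 does not permit; acl_permits implements the standard wildcard-mask match in general, so it also reproduces the Lab 4 case of a subnet that is left untranslated.

```python
import ipaddress
import re

# Constructed sample in the format of the lab's "debug ip nat" output.
# The 10.10.10.5 line is constructed: a source that access-list 1 does not permit.
DEBUG_LINES = """\
02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [20]
02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [20]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [45]
04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [45]
04:10:02: NAT: s=10.10.10.5->10.0.0.3, d=192.168.1.2 [60]
""".splitlines()

# Lab 3: access-list 1 permit 172.16.0.0 0.0.255.255
#        ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24
ACL_1 = [("permit", "172.16.0.0", "0.0.255.255")]
POOL = ("10.0.0.1", "10.0.0.10")

OUTBOUND = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]$")
INBOUND = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]$")


def acl_permits(addr, acl):
    """Standard ACL match the way IOS does it: a 1 bit in the wildcard
    means 'don't care'; the first matching entry decides."""
    a = int(ipaddress.IPv4Address(addr))
    for action, network, wildcard in acl:
        n = int(ipaddress.IPv4Address(network))
        w = int(ipaddress.IPv4Address(wildcard))
        if (a & ~w) == (n & ~w):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def in_pool(addr, pool):
    lo, hi = (int(ipaddress.IPv4Address(p)) for p in pool)
    return lo <= int(ipaddress.IPv4Address(addr)) <= hi


def audit_nat_debug(lines, acl, pool):
    """Rebuild the inside-local -> inside-global table from debug lines and
    report anything that contradicts the configured ACL or pool."""
    table, findings = {}, []
    for line in lines:
        m = OUTBOUND.search(line)
        if m:
            local, glob, _dst, _ident = m.groups()
            if not acl_permits(local, acl):
                findings.append(f"{local} translated but not permitted by ACL")
            if not in_pool(glob, pool):
                findings.append(f"{glob} is outside the NAT pool")
            if table.get(local, glob) != glob:
                findings.append(f"{local} mapped to more than one global address")
            table[local] = glob
            continue
        m = INBOUND.search(line)
        if m:
            _src, glob, local, _ident = m.groups()
            if table.get(local) != glob:
                findings.append(f"reply to {glob} has no matching outbound translation")
    lo, hi = (int(ipaddress.IPv4Address(p)) for p in pool)
    if len(set(table.values())) >= hi - lo + 1:
        findings.append("every pool address is in use; the next new host will not be translated")
    return table, findings


if __name__ == "__main__":
    table, findings = audit_nat_debug(DEBUG_LINES, ACL_1, POOL)
    print("Inside global   Inside local")
    for local, glob in table.items():
        print(f"{glob:<15} {local}")
    for f in findings:
        print("WARNING:", f)
```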
Lab 4: NAT Overload
The physical topology is shown in Figure 19.20 below:
FIG 19.20 – NAT overload
Lab Exercise
Your task is to configure the network in Figure 19.20 to allow the hosts in the 172.16.1.128 subnet to access the Internet using the NAT overload address 10.0.0.1. Hosts in the 172.16.1.64 subnet should not be NATed. Please feel free to try the lab without following the Lab Walk-through section.
Purpose
This lab will help you to understand NAT overload.
Lab Objectives
- Use the IP addressing scheme depicted in Figure 19.20. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
- Set Telnet access for the router to use the local login permissions for username banbury and the password ccna.
- Put a static route on the router.
- Configure the inside and outside NAT interfaces on the router.
- Configure NAT overload.
- Finally, test the NAT overload from Loopback 0 and Loopback 1.
Lab Walk-through
- To set the IP addresses for an interface, you will need to do the following:
Router#config t
Router(config)#hostname RouterA
RouterA(config)#
RouterA(config)#interface Serial0/0
RouterA(config-if)#ip address 192.168.1.1 255.255.255.252
RouterA(config-if)#clock rate 64000
RouterA(config-if)#no shutdown
RouterA(config-if)#ip nat outside
RouterA(config-if)#interface Loopback0
RouterA(config-if)#ip address 172.16.1.129 255.255.255.192
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface Loopback1
RouterA(config-if)#ip address 172.16.1.65 255.255.255.192
RouterA(config-if)#ip nat inside
RouterA(config-if)#^Z
RouterA#
Router B:
Router#config t
Router(config)#hostname RouterB
RouterB(config)#interface Serial0/0
RouterB(config-if)#ip address 192.168.1.2 255.255.255.252
RouterB(config-if)#no shutdown
RouterB(config-if)#exit
RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
RouterB(config)#^Z
RouterB#
Ping across the Serial link now.
- To set Telnet access, you need to configure the VTY lines to allow Telnet access; to do this, type the following (in configuration mode):
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#username banbury password ccna
Router B:
RouterB(config)#line vty 0 4
RouterB(config-line)#login local
RouterB(config-line)#exit
RouterB(config)#username banbury password ccna
- To set the enable password, do the following:
RouterA(config)#enable secret cisco
Router B:
RouterB(config)#enable secret cisco
- You need to configure a NAT pool and then reference the ACL that decides which traffic will be NATed:
RouterA(config)#ip nat pool internet_out 10.0.0.1 10.0.0.1 prefix-length 24
RouterA(config)#ip nat inside source list 1 pool internet_out overload
RouterA(config)#access-list 1 permit 172.16.1.128 0.0.0.63
- To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.129 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the ACL and be translated to the NAT overload address.
RouterA#debug ip nat
IP NAT debugging is on
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/40ms
RouterA#
00:43:59: NAT: s=172.16.1.129->10.0.0.1, d=192.168.1.2 [20]
00:43:59: NAT: s=192.168.1.2, d=10.0.0.1->172.16.1.129 [20]
00:43:59: NAT: s=172.16.1.129->10.0.0.1, d=192.168.1.2 [21]
00:43:59: NAT: s=192.168.1.2, d=10.0.0.1->172.16.1.129 [21]
00:43:59: NAT: s=172.16.1.129->10.0.0.1, d=192.168.1.2 [22]
00:43:59: NAT: s=192.168.1.2, d=10.0.0.1->172.16.1.129 [22]
00:43:59: NAT: s=172.16.1.129->10.0.0.1, d=192.168.1.2 [23]
00:43:59: NAT: s=192.168.1.2, d=10.0.0.1->172.16.1.129 [23]
00:43:59: NAT: s=172.16.1.129->10.0.0.1, d=192.168.1.2 [24]
00:43:59: NAT: s=192.168.1.2, d=10.0.0.1->172.16.1.129 [24]
RouterA#show ip nat tran
Pro  Inside global      Inside local         Outside local        Outside global
icmp 10.0.0.1:8759      172.16.1.129:8759    192.168.1.2:8759     192.168.1.2:8759
icmp 10.0.0.1:8760      172.16.1.129:8760    192.168.1.2:8760     192.168.1.2:8760
icmp 10.0.0.1:8761      172.16.1.129:8761    192.168.1.2:8761     192.168.1.2:8761
icmp 10.0.0.1:8762      172.16.1.129:8762    192.168.1.2:8762     192.168.1.2:8762
icmp 10.0.0.1:8763      172.16.1.129:8763    192.168.1.2:8763     192.168.1.2:8763
RouterA#
00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8759 (8759)
00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8760 (8760)
00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8761 (8761)
00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8762 (8762)
00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8763 (8763)
You can see from the NAT translation output above that the router is allocating ports for the translations (i.e., ports 8759 to 8763).
Now ping from Loopback 1, which does not match the ACL because it is in a different subnet. The address should not be NATed.
RouterA#ping
Protocol [ip]:
Target IP address: 192.168.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Loopback 1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms
RouterA#show ip nat tran
RouterA#
- Now please enter reload at the Router# prompt, and type yes to confirm.
Show Runs
RouterA#show run
Building configuration…
Current configuration: 757 bytes
!
version 15.1
!
hostname RouterA
!
ip subnet-zero
!
interface Loopback0
ip address 172.16.1.129 255.255.255.192
ip nat inside
!
interface Loopback1
ip address 172.16.1.65 255.255.255.192
ip nat inside
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.252
ip nat outside
clock rate 64000
!
ip nat pool internet_out 10.0.0.1 10.0.0.1 prefix-length 24
ip nat inside source list 1 pool internet_out overload
ip classless
no ip http server
!
access-list 1 permit 172.16.1.128 0.0.0.63
!
!
end
RouterA#
– – –
RouterB#show run
Building configuration…
Current configuration: 456 bytes
!
version 15.1
!
hostname RouterB
!
ip subnet-zero
!
interface Serial0/0
ip address 192.168.1.2 255.255.255.252
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Serial0/0