CBT IT Certification Training

Port Address Translation – NAT – DHCP and DNS

This chapter focuses on some of the Internet Protocol services that a router can provide. You will learn how a router can be used to assign IP addresses automatically via DHCP, how to increase security in the network using IP access control lists, how Network Address Translation (NAT) has been used to conserve IPv4 addresses, how Port Address Translation (PAT) works, and how to configure the Network Time Protocol.

We cover these and more services in our CCNP ENCOR course.

Contents
DHCP Functionality
Mini-lab – DHCP Configuration on Cisco IOS Routers
IP Helper Address
IP Forward Protocol
Domain Name System
Troubleshooting DNS
Network Address Translation
Local and Global Addresses
Static NAT
Dynamic NAT and Port Address Translation (PAT)
Configuring and Verifying NAT
Troubleshooting NAT
Network Time Protocol
End of Chapter Questions
Chapter 19 Labs
Lab 1: Configuring a Router as a DHCP Server
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Show Run
Lab 2: Static NAT
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Show Runs
Lab 3: NAT Pool
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Show Runs
Lab 4: NAT Overload
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Show Runs

DHCP Functionality

Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP information to hosts in a network. It reduces the burden on network administrators, speeds up device configuration, and reduces the chance of a configuration mistake, such as allocating the same IP address to more than one machine, which will cause network issues. The information provided by DHCP servers includes IP addresses, subnet masks, the default router, DNS servers, and other parameters.

DHCP was created to address the many shortfalls of earlier protocols such as BOOTP and RARP. DHCP is designed to work with IPv4. DHCPv6 for IPv6 was first described in RFC 3315 in 2003; however, it has been updated many times since in other RFCs. We will look at DHCPv6 briefly later, but it isn’t specifically mentioned in the CCNA syllabus.

When the host first boots up, if it has been enabled to use DHCP (which is the default in most operating systems), it will send a broadcast message asking for its IP information. This broadcast message is heard by all the DHCP servers in its subnet, and the DHCP servers respond with some configuration information.

FIG 19.1 – Host requests IP configuration information

DHCP uses UDP ports 67 and 68 to communicate over the network. The device that needs an IP address is the DHCP client, while the device that provides the IP address is the DHCP server. In most networks, the DHCP service is run on a server, but a router can also be configured to provide this service. In fact, a router can be configured as a DHCP client or a DHCP server. To configure a router as a DHCP client (to obtain its IP address from a server), the interface-level command to use is Router(config-if)#ip address dhcp.

DHCP clients go through the following states:

  1. Initializing
  2. Selecting
  3. Requesting
  4. Bound
  5. Renewing
  6. Rebinding

IP addresses are allocated to a specific host by the DHCP server for a period of time. This period is called the lease time, and it can be expressed in hours or days. DHCP servers should also exclude from the DHCP pool any addresses that must not be handed out to hosts. Those IP addresses are assigned statically and are used on router and server interfaces. Failure to exclude reserved IP addresses from the DHCP pool can lead to duplicate IP addresses being assigned to hosts.

The process for obtaining an IP address via DHCP is described in Figure 19.2 below:

FIG 19.2 – DHCP request and allocation process

  1. DHCP Discover – When a DHCP-enabled device boots up, it sends a broadcast out to UDP port 67. The broadcast packet will reach every device on its subnet, including any possible DHCP servers located there.
  2. DHCP Offer – The DHCP servers in the subnet see the DHCP Discover message sent by the client and send back a response (DHCP Offer packet). This is also a broadcast packet because the client doesn’t have an IP address yet, so it cannot receive unicast packets. The DHCP Offer packet contains the IP information (address, subnet mask, gateway, etc.) that the client can use.
  3. DHCP Request – After the client workstation receives the offer made by the DHCP server, it will send a broadcast DHCP Request message to a specific DHCP server. The client might have received offers from multiple DHCP servers but it only needs a single IP address, so it must choose a DHCP server (based on an identifier), and this is usually done on a first-come-first-served basis. This broadcast also lets all the other DHCP servers know that it has selected an offer so they can stop sending offers.
  4. DHCP Ack – The DHCP server sends another broadcast message, DHCP Ack, to confirm the IP address allocation to that specific client.

Figure 19.3 below shows a DHCP packet capture. For this capture, I configured a router as a DHCP server with the address 192.168.1.1 and an address pool of 192.168.1.0/24, but I excluded IP address 192.168.1.1 because it was in use on the Fast Ethernet interface. The requesting router interface is offered the first available address from the pool, which is 192.168.1.2.

FIG 19.3 – DHCP Offer capture

It’s worth noting that on the host router (R2 below), you will see a message telling you that you have been allocated an IP address via DHCP, and you can issue the show ip interface brief command to see that the method column is set to DHCP:

R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#int f0/0

R2(config-if)#ip address dhcp

R2(config-if)#no shut

R2(config-if)#end

*Mar  1 00:03:45.387: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.2, mask 255.255.255.0, hostname R2

R2#show ip interface brief

Interface  IP-Address    OK?   Method    Status            Protocol

Fa0/0      192.168.1.2   YES   DHCP      up                    up

Fa0/1      unassigned    YES   unset     administratively down down

R2#

We will cover the full IOS commands shortly.

Besides the IP address, the server can also supply other parameters in the DHCP Offer packet, including:

  • Subnet mask
  • Lease duration
  • Default gateway
  • Domain Name Server

The lease duration in the DHCP Offer specifies the amount of time a host can use its assigned IP address before sending back a request to the DHCP server (IP address refresh). The DHCP server will usually allocate the same IP address to the client. When a DHCP client leaves the network or its lease period expires, the associated IP address is handed back to the DHCP server, which can assign it to another host.

DHCP servers can also be configured to assign a specific address to a particular host based on its MAC address. This feature is especially useful when servers must obtain their addresses via DHCP, although the recommendation in that case is to assign server addresses manually. The reason is that users usually reach a server by a fixed IP address, and we don’t want that IP address to change over time.

Cisco IOS-based routers can be configured as either DHCP servers or DHCP clients (per interface).

DHCP client functionality for routers (as opposed to host computers) is not very common. This is because routers are critical infrastructure devices, and the recommendation is to address them manually instead of dynamically so their IP addresses are always known and fixed.

DHCP server functionality on Cisco IOS routers involves a few steps:

  1. Enable the DHCP service (usually enabled by default)
  2. Assign a static IP on the LAN-facing interface you want to enable the DHCP service on
  3. Create a DHCP pool
  4. Define DHCP parameters within the DHCP pool
  5. Define excluded DHCP addresses
  6. Monitor correct DHCP address assignment

Mini-lab – DHCP Configuration on Cisco IOS Routers

Let’s work on an example based on the topology in Figure 19.4 below:

FIG 19.4 – Mini-lab: DHCP configuration on Cisco IOS routers

Start by enabling the DHCP service on Router 1:

R1(config)#service dhcp

Next, assign the 192.168.1.1/24 address on interface Fast Ethernet 0/1, facing the DHCP clients:

R1(config)#interface FastEthernet0/1

R1(config-if)#ip add 192.168.1.1 255.255.255.0

All the DHCP parameters that you want to transmit to the clients will be configured in DHCP pool configuration mode:

R1(config)#ip dhcp pool CCNA

R1(dhcp-config)#network 192.168.1.0 255.255.255.0

R1(dhcp-config)#default-router 192.168.1.1

R1(dhcp-config)#lease 1

R1(dhcp-config)#dns-server 8.8.8.8

Only the first two commands are compulsory. You have configured the DHCP pool so that it will offer addresses from the 192.168.1.0/24 subnet, with a default gateway of 192.168.1.1 (the router interface). You have also configured a lease time of one day and the DNS server IP address.

Finally, configure the router so that it will not offer all the IP addresses from the 192.168.1.0/24 range. The DHCP client allocations in this example should start at 192.168.1.11 and finish at 192.168.1.250. There might be multiple reasons behind this logic, but the most obvious one is that you want to statically assign the first and last addresses from the range to servers and network devices. The configuration to accomplish this is as follows:

R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10

R1(config)#ip dhcp excluded-address 192.168.1.251 192.168.1.254

Please note that the excluded addresses are configured in global configuration mode, not in DHCP pool configuration mode.

After the DHCP client broadcasts a DHCP Discover on the link, the router sees it come in on interface Fast Ethernet 0/1 and associates the request with DHCP pool CCNA (based on the configured network statement). It will then offer the DHCP client the first available IP address in the pool, which is 192.168.1.11/24.

Check the PC to ensure that the address has been allocated. Alternatively, if you have another router on the end of the connection, use the ip address dhcp command on the interface and then use the show ip interface brief command. Remember to issue the no shut command on the interface.

[END OF MINI-LAB]

It’s worth noting that when the router receives a DHCP Discover, it checks whether the next IP address in the pool can actually be used. The router ARPs for the address, and if for some reason it is already in use (say by a user who didn’t know DHCP was in use), the address is removed from the pool and placed into a conflict table until the issue is resolved:

Router#sh ip dhcp conflict

IP address        Detection method   Detection time          VRF

10.10.12.2        Ping               July 01 2015 12:01 AM

You can verify the correct DHCP address assignment using the show ip dhcp binding command.
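The mini-lab above and the four-step exchange of Figure 19.2 can be tried offline with the following Python model. It is an added example, not code from the chapter or from Cisco IOS: the pool, the excluded ranges, the conflict table and the Discover/Offer/Request/Ack messages are simplified to Python objects, and the rogue host at 192.168.1.12, the second server at 10.10.12.2 and the client identifiers are constructed for the demonstration.

```python
"""DHCP pool allocation and the Discover/Offer/Request/Ack exchange (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpPool:
    """`ip dhcp pool` parameters plus the global `ip dhcp excluded-address` ranges."""
    name: str
    network: ipaddress.IPv4Network
    default_router: str
    dns_server: str
    lease_days: int = 1
    excluded: list = field(default_factory=list)   # (first, last) IPv4Address ranges
    bindings: dict = field(default_factory=dict)   # client_id -> address   (show ip dhcp binding)
    offered: dict = field(default_factory=dict)    # client_id -> address offered, not yet acked
    conflicts: set = field(default_factory=set)    # addresses found in use  (show ip dhcp conflict)

    def exclude(self, first: str, last: str) -> None:
        self.excluded.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

    def next_free(self, answers_on_wire):
        """First usable address that is not excluded, bound, offered or in conflict.
        answers_on_wire(addr) stands in for the router probing the address before
        offering it; an address that answers goes to the conflict table instead."""
        taken = set(self.bindings.values()) | set(self.offered.values()) | self.conflicts
        for addr in self.network.hosts():
            if addr in taken or any(lo <= addr <= hi for lo, hi in self.excluded):
                continue
            if answers_on_wire(addr):
                self.conflicts.add(addr)
                continue
            return addr
        return None


class DhcpServer:
    def __init__(self, server_id: str, pool: DhcpPool, wire: set):
        self.server_id, self.pool = server_id, pool
        self.wire = wire   # constructed: addresses that would answer a probe on this LAN

    def on_discover(self, msg):
        addr = self.pool.next_free(lambda a: str(a) in self.wire)
        if addr is None:
            return None                                   # pool exhausted: no offer
        self.pool.offered[msg["client_id"]] = addr
        p = self.pool
        return {"op": "OFFER", "server_id": self.server_id, "client_id": msg["client_id"],
                "yiaddr": str(addr), "mask": str(p.network.netmask), "router": p.default_router,
                "dns": p.dns_server, "lease_days": p.lease_days}

    def on_request(self, msg):
        offered = self.pool.offered.pop(msg["client_id"], None)  # every server drops its pending offer
        if msg["server_id"] != self.server_id or offered is None:
            return None                                   # the client chose another server
        self.pool.bindings[msg["client_id"]] = offered
        return {"op": "ACK", "server_id": self.server_id, "client_id": msg["client_id"],
                "yiaddr": str(offered)}


def dora(client_id: str, servers):
    """One client's Discover/Offer/Request/Ack. Broadcasts reach every server on the subnet."""
    discover = {"op": "DISCOVER", "client_id": client_id, "dst_port": 67}
    offers = [o for o in (s.on_discover(discover) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]                                    # first offer in wins, the rest are ignored
    request = {"op": "REQUEST", "client_id": client_id, "server_id": chosen["server_id"],
               "yiaddr": chosen["yiaddr"], "dst_port": 67}
    acks = [a for a in (s.on_request(request) for s in servers) if a]
    return acks[0] if acks else None


def run_mini_lab():
    """Pool CCNA with .1-.10 and .251-.254 excluded; 192.168.1.12 is a constructed rogue
    static host, so the second client skips it and it lands in the conflict table."""
    pool = DhcpPool("CCNA", ipaddress.IPv4Network("192.168.1.0/24"), "192.168.1.1", "8.8.8.8")
    pool.exclude("192.168.1.1", "192.168.1.10")
    pool.exclude("192.168.1.251", "192.168.1.254")
    r1 = DhcpServer("192.168.1.1", pool, wire={"192.168.1.1", "192.168.1.12"})
    pc1, pc2 = dora("pc1", [r1]), dora("pc2", [r1])
    return pc1["yiaddr"], pc2["yiaddr"], sorted(str(a) for a in pool.conflicts)


def run_two_servers():
    """Two servers answer the same Discover; the broadcast Request tells the loser to withdraw."""
    def make(server_id):
        p = DhcpPool("LAB", ipaddress.IPv4Network("10.10.12.0/24"), server_id, "8.8.8.8")
        p.exclude("10.10.12.1", "10.10.12.2")             # both router addresses are static
        return DhcpServer(server_id, p, wire={"10.10.12.1", "10.10.12.2"})
    r1, r2 = make("10.10.12.1"), make("10.10.12.2")
    ack = dora("pc3", [r1, r2])
    return ack["server_id"], ack["yiaddr"], len(r2.pool.offered), len(r2.pool.bindings)
```

run_mini_lab() hands the first client 192.168.1.11, exactly as the walk-through says, skips the occupied 192.168.1.12 for the second client and records it in the conflict table. run_two_servers() shows why the Request is broadcast rather than unicast: the server whose offer was not chosen sees it and releases the address it had reserved.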

You can expect to be asked to configure a router with DHCP in the exam, or to be presented with various configuration commands and asked to choose which are necessary in order to achieve the desired result, so make sure that you can configure the commands above from memory. You also need to know how to configure a router to be a DHCP server as well as a client.

IP Helper Address

Routers do not forward broadcast traffic by default. There are instances where you may want a broadcast packet to pass through the router, for example, when a client sends a DHCP Request to obtain an IP address and the DHCP server is on the other side of your router on another network. In this instance, you can use the ip helper-address command (which activates DHCP relay); the router turns the broadcast packet into a unicast packet sent to the IP address configured:

RouterA#config t

RouterA(config)#interface FastEthernet0/0

RouterA(config-if)#ip helper-address 192.168.1.1

The ip helper-address command will automatically forward eight common UDP ports that use broadcasts:

  • Time (37)
  • TACACS (49)
  • DNS (53)
  • BOOTP server (67)
  • BOOTP client (68)
  • TFTP (69)
  • NetBIOS name service (137)
  • NetBIOS datagram service (138)

Figure 19.5 below demonstrates how you would use the command:

FIG 19.5 – IP helper address in operation

In the exam, you might be presented with an issue about DHCP Requests being stopped at the router and then asked how you would fix the issue. Well now you know!

IP Forward Protocol

What if you wanted to forward a protocol not on the list above? The ip forward-protocol command, entered in global configuration mode, lets you specify which protocols and UDP ports the router will forward to the helper address (the port number follows the udp keyword, and the no form removes a port from the list). The output below specifies an IP helper address along with which protocol should be forwarded:

RouterA#config t

RouterA(config)#interface FastEthernet0/0

RouterA(config-if)#ip helper-address 192.168.1.1

RouterA(config-if)#exit

RouterA(config)#ip forward-protocol udp
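As an added example (not IOS code and not from the chapter), the following Python model shows the decision a relay interface makes for each broadcast: relay it to the helper if its UDP port is in the forward list, otherwise drop it as usual. The default list is the eight ports given above; the router address 10.1.1.1, the helper 192.168.1.1 on Fa0/0 and the sample datagrams are constructed. The giaddr field it fills in on DHCP messages is standard relay behaviour from RFC 2131 rather than something the chapter covers.

```python
"""Which broadcast UDP datagrams an interface with ip helper-address relays (added example)."""
from dataclasses import dataclass, field

# The eight UDP ports forwarded by default (the list from the chapter).
DEFAULT_FORWARDED_UDP = {37: "Time", 49: "TACACS", 53: "DNS", 67: "BOOTP server",
                         68: "BOOTP client", 69: "TFTP", 137: "NetBIOS name service",
                         138: "NetBIOS datagram service"}


@dataclass
class Router:
    """Holds the router-wide forward list changed by ip forward-protocol udp (a global command)."""
    forwarded: set = field(default_factory=lambda: set(DEFAULT_FORWARDED_UDP))

    def forward_protocol_udp(self, port: int, enable: bool = True) -> None:
        """ip forward-protocol udp <port>  /  no ip forward-protocol udp <port>"""
        (self.forwarded.add if enable else self.forwarded.discard)(port)


@dataclass
class RelayInterface:
    router: Router
    address: str          # this interface's own IP address
    helpers: list         # one entry per ip helper-address <ip> on the interface

    def relay(self, dgram: dict) -> list:
        """Return the unicast copies sent towards the helper(s); [] means the broadcast stops here."""
        if dgram["proto"] != "udp" or dgram["dst_ip"] != "255.255.255.255":
            return []                                   # only broadcast UDP is a candidate
        if dgram["dst_port"] not in self.router.forwarded:
            return []                                   # port not in the forward list: dropped as usual
        copies = []
        for helper in self.helpers:
            copy = dict(dgram, dst_ip=helper)           # broadcast rewritten to a unicast to the helper
            if dgram["dst_port"] == 67:
                # DHCP relay sets the relay-agent address (giaddr, RFC 2131; not covered in the chapter)
                # to the receiving interface's address so the server can choose the matching pool.
                copy["giaddr"] = self.address
            copies.append(copy)
        return copies


def demo():
    """Constructed traffic arriving on RouterA Fa0/0 before and after editing the forward list."""
    router = Router()
    fa0 = RelayInterface(router, "10.1.1.1", ["192.168.1.1"])

    def bcast(dst_port, src_ip="10.1.1.20", src_port=None):
        return {"proto": "udp", "src_ip": src_ip, "src_port": src_port or dst_port,
                "dst_ip": "255.255.255.255", "dst_port": dst_port}

    samples = {"dhcp": bcast(67, src_ip="0.0.0.0", src_port=68),
               "nbns": bcast(137), "snmp_trap": bcast(162)}
    before = {k: len(fa0.relay(d)) for k, d in samples.items()}
    router.forward_protocol_udp(162)                    # ip forward-protocol udp 162
    router.forward_protocol_udp(137, enable=False)      # no ip forward-protocol udp 137
    after = {k: len(fa0.relay(d)) for k, d in samples.items()}
    return before, after, fa0.relay(samples["dhcp"])[0]["giaddr"]
```

demo() returns the relayed-copy count per sample before and after the two forward-protocol changes: the DHCP Discover is relayed throughout, the NetBIOS name query stops being relayed once port 137 is removed, and the SNMP trap is relayed only after port 162 is added.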

As with all Cisco IOS commands, you can Google them to do further research because many of them have multiple permutations. There are so many, in fact, that in the CCIE lab exam, Cisco gives you access to Command References and Configuration Guides on CD ROM. Bear in mind that some commands were introduced in later versions of the IOS, and these may not be available to you. Some have also been deprecated over time for business or security reasons.

You can access Cisco’s feature navigator tool for the IOS to check which services and commands are available for your model of devices as well as your IOS release. If your company has a contract with a Cisco TAC (Technical Assistance Center), they can do this for you or your presales advisor can.

Domain Name System

The DNS is a timesaving protocol that translates a hostname or fully qualified domain name (FQDN) to an IP address, saving you the trouble of having to memorize a long list of IP addresses. If you were a network administrator in the early days of networking, you would have had to manually add a very long hosts.txt file to your server in order to call up the correct website or device (by name) for clients. Figure 19.6 below shows a typical host file:

FIG 19.6 – Host file (Image ©  helpdeskgeek.com)

The early specifications for the DNS, written in 1983, solved the problems in the manual naming system. The modern Internet would not function without the use of the DNS. For example, if you were to type cisco.com into your browser, it would quickly call up the website and populate your browser window. You also could have typed the IP address 72.163.4.161 into the browser bar and get the same results, as shown in Figure 19.7 below:

FIG 19.7 – Typing the IP address 72.163.4.161 or cisco.com gives the same results

If you simply type cisco.com into the browser, the client queries the DNS server, the address of which is usually allocated by DHCP (more on this later). The DNS server then translates the hostname or FQDN to an IP address using UDP port 53. TCP is used by the DNS for zone transfers (i.e., DNS servers replicating databases) or if the response data size exceeds 512 bytes. This process is illustrated in Figure 19.8 below:

FIG 19.8 – The DNS process

What is the IP address of www.cisco.com?

The DNS server will resolve the name to an IP address, as shown in Figure 19.9 below:

FIG 19.9 – www.cisco.com is at 72.163.4.161

DNS queries can be either recursive or iterative. With a recursive lookup, the DNS server will fully answer the query by either providing the IP address or giving an error. With an iterative query, the DNS server can provide information, give an error, or direct the requester to another DNS server. This is illustrated in Figure 19.10 below, where 1 and 8 are recursive, and the rest are iterative:

FIG 19.10 – Recursive and iterative queries

  1. What is the IP address of cisco.com?
  2. What is the IP address of cisco.com?
  3. I don’t know. Ask the “.com” DNS server.
  4. What is the IP address of cisco.com?
  5. I don’t know. Ask the “cisco.com” DNS server.
  6. What is the IP address of cisco.com?
  7. The IP address of www.cisco.com is 72.163.4.161.
  8. The IP address of www.cisco.com is 72.163.4.161.
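The eight messages of Figure 19.10 are reproduced by this added Python resolver, which is not part of the chapter and sends no real DNS traffic: the three authoritative servers (root, com-server, cisco-server) and their records are constructed in a dict, and only the address 72.163.4.161 comes from the chapter. The resolver answers the client recursively (messages 1 and 8) while itself only asking iterative questions (messages 2 to 7).

```python
"""A recursive resolver that asks iterative questions, as in Figure 19.10 (added example)."""

# Constructed authoritative data: each server either answers (A) or refers (NS) to another server.
ZONES = {
    "root":         {"com.": ("NS", "com-server")},
    "com-server":   {"cisco.com.": ("NS", "cisco-server")},
    "cisco-server": {"cisco.com.": ("A", "72.163.4.161"), "www.cisco.com.": ("A", "72.163.4.161")},
}


def iterative_query(server: str, qname: str):
    """One iterative exchange: the server returns what it knows and never chases the answer itself."""
    labels = qname.split(".")                     # "www.cisco.com." -> ["www", "cisco", "com", ""]
    for i in range(len(labels) - 1):              # the full name first, then each shorter suffix
        suffix = ".".join(labels[i:])
        if suffix in ZONES[server]:
            return ZONES[server][suffix]
    return ("NXDOMAIN", None)


def recursive_resolve(qname: str, max_referrals: int = 8):
    """Recursive service to the client (messages 1 and 8); the loop is the iterative part (2-7).
    Returns (ip_or_None, log) where log holds every message in the order it was sent."""
    qname = qname.lower().rstrip(".") + "."       # normalise to a fully qualified, lower-case name
    log = [f"client -> resolver: What is the IP address of {qname}?"]
    server = "root"
    for _ in range(max_referrals):                # bounded so a referral loop cannot run forever
        log.append(f"resolver -> {server}: What is the IP address of {qname}?")
        rtype, data = iterative_query(server, qname)
        if rtype == "A":
            log.append(f"{server} -> resolver: The IP address of {qname} is {data}.")
            log.append(f"resolver -> client: The IP address of {qname} is {data}.")
            return data, log
        if rtype == "NS":
            log.append(f"{server} -> resolver: I don't know. Ask the {data}.")
            server = data
            continue
        log.append(f"{server} -> resolver: no such name.")
        break
    log.append(f"resolver -> client: error, {qname} could not be resolved.")
    return None, log
```

recursive_resolve("www.cisco.com") returns the address together with exactly the eight messages of the figure; a name the toy namespace does not know ends with an error to the client instead, which is the other outcome a recursive server can give.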

Troubleshooting DNS

The first step for any client-side DNS issues is to verify IP connectivity to the DNS server, using Ping or Traceroute, and check the IP settings on your PC. As already noted, the DNS operates using UDP port 53 and is carried over IP packets, so you should also check the access lists and/or firewall filtering on the client, server, or router.

Sometimes, customers who have read about various IP configuration settings decide that they want to hard-set (manually configure) an IP address, default gateway, and DNS server. Of course, this will then bypass any configurations you have set to be issued by the DHCP server. I have personally seen users configure their own IP addresses (ones already in use), which caused a number of issues.

If you have access, then confirm that the DNS server has or can get the requested record. If you have made changes to the IP servers in the network, such as your DNS server, you need to ensure that all hosts refresh their settings. DNS configuration errors are an obvious cause when you can ping an IP address but cannot ping the hostname.

Network Address Translation

No discussion about IP addressing would be complete without including Network Address Translation (NAT), which was implemented under RFC 1631. RFC 1918 addressed the shortage of IP addresses and allocated the ranges of private addresses 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x. As you already know, private IP addresses allocated under RFC 1918 are not routable on the Internet. NAT allows these private internal IP addresses to be translated into addresses that are routable on the Internet.

One of the benefits of using NAT is that it helps prevent the depletion of public IP addresses. You can use private IP addressing on your LAN safe in the knowledge that you will still be able to connect out to the Internet using NAT. It also saves you from having to readdress internal hosts that use private addressing when they need Internet access.

Another benefit is that hosts inside your LAN are protected from advertising their addresses out to the Internet. Your Internet-facing router will translate the private address to a public address and back again, so the NATing process is invisible to the hosts, even if they are on the other side of a WAN link.

A network using NAT is split into two logical halves—an inside half, which (usually) uses private addresses, and an outside half, which uses one or more public addresses. When the inside hosts attempt to contact another device on the Internet, the router swaps the private address for a public address and maintains a record of which private address was swapped for which public address.

The inside and outside parts of the network are defined with the following commands in interface configuration mode:

RouterA(config-if)#ip nat inside

RouterA(config-if)#ip nat outside

A router only needs one valid public IP address to perform NAT. This one IP address can be used many times over by assigning a port number to the inside hosts for the connection to the outside (using Port Address Translation).

There are three ways to configure NAT, and your choice will depend on different factors, including how many public addresses you have and what you want to achieve with the NAT configuration. Options include:

  • Static NAT – maps a private to a public address on a one-to-one basis
  • Dynamic NAT – maps the private (inside) address to a group or pool of public addresses; after a predetermined period of time, the translation times out
  • NAT Overload – maps private addresses to one public address; also known as Port Address Translation (PAT) or one-way NAT

FIG 19.11 – NAT connection to the Internet

Local and Global Addresses

The terms used to describe the types of NATed addresses can cause some confusion, but it is worth knowing which is which:

  • Inside local – the address assigned to a host inside the network; likely to be a private address not routable (RFC 1918) on the Internet
  • Inside global – a routable IP address usually assigned by an ISP; represents one or more hosts on the LAN to the outside world
  • Outside local – the address of an outside host as it appears to the internal network (LAN)
  • Outside global – an outside address assigned to a host by the administrator; a public (routable) address

A local address is an address on the inside part of the network, and a global address is an address on the outside part of the network (usually the Internet).

Referring to Figure 19.12 below, the following output shows the static NAT configuration for the host translated to 80.1.1.1 (some of the configuration has been omitted for clarity):

RouterA(config)#ip nat inside source static 172.16.1.1 80.1.1.1

RouterA(config)#interface Serial0/0

RouterA(config-if)#ip nat outside

RouterA(config-if)#interface FastEthernet0/0

RouterA(config-if)#ip nat inside

Notice that in the configuration example above, the public address 80.1.1.1 is not applied to an interface. The public address is kept inside the router configuration and is used only when the inside host wants to go out to the Internet. If the inside host wanted to contact another host inside the same LAN, then a NAT translation would not take place.

FIG 19.12 – NAT example

When the host behind Router A goes out to the Internet to connect to the host behind Router B, you will see the following addresses in Router A’s NAT table (they may differ depending on how you configured NAT on your router):

Inside Global   Inside Local   Outside Global   Outside Local
80.1.1.1        172.16.1.1     100.1.1.1        100.1.1.1

NOTE: The public addresses above belong to a company somewhere on the Internet and should not be used as part of your NAT configurations or for testing in your labs if your network has a connection out to the Internet.

Running the debug ip nat command as traffic from the host on the LAN passes through the router shows the translation taking place for host 172.16.1.1, which is pinging address 192.168.1.1 and being NATed to 80.1.1.1. The output below may not work or look the same in Packet Tracer:

RouterA#debug ip nat

03:38:28: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [30]

03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [30]

03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [31]

03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [31]

03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [32]

03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [32]

03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [33]

03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [33]

03:38:29: NAT: s=172.16.1.1->80.1.1.1, d=192.168.1.1 [34]

03:38:29: NAT: s=192.168.1.1, d=80.1.1.1->172.16.1.1 [34]

The source (s=) address is the host 172.16.1.1 on the LAN, which is translated to 80.1.1.1. The destination (d=) address 192.168.1.1 is another device on an outside network. The numbers in brackets [ ] indicate the IP identification number of the packet, which is useful for debugging.

RouterA#show ip nat translation

Pro   Inside global   Inside local    Outside local   Outside global

—   80.1.1.1        172.16.1.1      —             —

There are several ways to configure NAT depending on network requirements. It is advisable to have a good working knowledge of NAT and how to configure static, dynamic, and PAT. The NAT labs will help you gain a good working knowledge of NAT.

Static NAT

Static NATs (or 1-to-1 NAT) are manually defined mappings and are always in the NAT translation table (i.e., they are not dynamically created and torn down). This is useful in allowing an internal device to be reachable from the Internet. When configuring static NAT, you do not need an ACL to specify inside addresses or a NAT pool to specify global addresses. Let’s take a look at Figure 19.13 below:

FIG 19.13 – Static NAT in use

Inside Addresses   Outside NAT Addresses
172.16.1.1         80.1.1.1
172.16.1.2         80.1.1.2

For the network above, your configuration would be as follows:

Router(config)#interface f0/1

Router(config-if)#ip address 172.16.1.3 255.255.0.0

Router(config-if)#ip nat inside

Router(config)#interface s0/0

Router(config-if)#ip add 100.1.1.1 255.255.0.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat inside source static 172.16.1.1 80.1.1.1

Router(config)#ip nat inside source static 172.16.1.2 80.1.1.2

The ip nat inside source static command defines the NAT as a static NAT that translates the source address to a global public address when traffic hits the inside interface. Many network engineers run into configuration mistakes when they apply the wrong ip nat inside and ip nat outside statements! You should be very familiar with these kinds of errors and be able to spot them in the CCNA exam.

The IP addresses 80.1.1.1, 80.1.1.2, and 100.1.1.1 are allocated to hosts on the Internet, so don’t use them on any equipment you have connected to the Internet.

Dynamic NAT and Port Address Translation (PAT)

We will cover dynamic NAT (NAT pool) and Port Address Translation (PAT/NAT overload) at the same time, because to turn dynamic NAT into PAT you simply add one keyword to the end of your configuration line. PAT is also known as one-way NAT because sessions can only be initiated from the inside of your network to the outside; an outside host cannot open a connection to an inside host unless a translation for it already exists. It is also referred to as NAT overload.

Static NAT and dynamic NAT help us translate addresses, but they do not help us conserve IP address space, because the translations are 1:1. This is where NAT overload (PAT) comes in. With port overloading, you translate not only the source IP address but also the source port number, so each port number of the global IP address can be used for a different connection. In theory this allows up to roughly 65,000 concurrent connections per transport protocol using the same global IP address!

NAT overload is configured the same way as dynamic NAT. The only difference is that the overload keyword is added to the configuration. First, we will configure dynamic NAT for the network below using a pool of addresses from 200.1.1.1 to 200.1.1.100.

Instructor note: In the real world, NAT overload uses the interface IP address more often than an address pool.

 


FIG 19.14– Dynamic NAT example

Router(config)#interface f0/0

Router(config-if)#ip nat inside

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#interface s0/0

Router(config-if)#ip address 80.1.1.1 255.0.0.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat pool NAT_Pool 200.1.1.1 200.1.1.100 netmask 255.255.255.0

Router(config)#ip nat inside source list 1 pool NAT_Pool

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

I didn’t include the routing commands, but we will cover this in the NAT labs later on. The output below shows the NAT translation table on the router after a host on the inside is NATed as it goes out of the router to host 80.1.1.2 on the Internet. Because a dynamic translation is only created when an inside host sends traffic out, dynamic NAT is used for internal hosts to reach hosts on the Internet, not the other way around.

Router#show ip nat translations

Pro   Inside global  Inside local    Outside local    Outside global

icmp  200.1.1.1:0    192.168.1.2:0   80.1.1.2:0       80.1.1.2:0

—   200.1.1.1      192.168.1.2      —              —

Address 192.168.1.2 was allocated the routable address 200.1.1.1 from the NAT pool.

To configure PAT, you would carry out the exact same configuration as for dynamic NAT, but you would add the keyword overload to the end of the pool. With PAT, you only need one routable IP address for your pool. It’s still called a NAT pool even though you are using only one IP address. I didn’t include the interface-level commands because they are the same.

Router(config)#ip nat pool PAT_Pool 200.1.1.1 200.1.1.1 netmask 255.255.255.0

Router(config)#ip nat inside source list 1 pool PAT_Pool overload

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

This time you can see that PAT has recorded a port number, appended after a colon to each address in the translation. For ICMP there is no port, so IOS uses the ICMP query identifier in its place; here it is 1.

Router#show ip nat translations

Pro   Inside global  Inside local    Outside local   Outside global

icmp  200.1.1.1:1    192.168.1.2:1   80.1.1.2:1      80.1.1.2:1

As Dario mentioned above, you are more likely to overload your outside interface IP address, thus avoiding having to purchase a pool of routable IP addresses.

Router(config)#interface f0/0

Router(config-if)#ip nat inside

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#interface s0/0

Router(config-if)#ip address 80.1.1.1 255.0.0.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat inside source list 1 interface s0/0 overload

Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
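The three behaviours described above (a permanent two-way static entry, a 1:1 dynamic pool that can run out, and overload multiplexing many inside hosts onto one address by rewriting the source port) are easiest to see side by side in a small model. The following Python is an added example written for this page; it is not Cisco code and does not model timeouts or the full IOS port-selection algorithm. The addresses reuse the ones in the configurations above, plus an assumed Internet host 203.0.113.9.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"; for icmp the "port" is the query identifier
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """A router with one inside and one outside interface (constructed model).

    mode is "static", "dynamic" (1:1 from a pool) or "overload" (PAT on pool[0]).
    acl plays the role of 'access-list 1 permit ...': which inside-local
    addresses are eligible for dynamic/overload translation.
    """

    def __init__(self, mode: str, pool=(), acl: Optional[Callable[[str], bool]] = None,
                 first_port: int = 1024):
        self.mode, self.pool = mode, list(pool)
        self.acl = acl or (lambda ip: False)
        self.static = {}      # inside local -> inside global (permanent, both directions)
        self.dynamic = {}     # inside local -> inside global (handed out from the pool)
        self.pat_out = {}     # (proto, local ip, local port) -> global port
        self.pat_in = {}      # (proto, global port) -> (local ip, local port)
        self.next_port = first_port

    def add_static(self, local: str, glob: str) -> None:
        self.static[local] = glob

    def _alloc_port(self, proto: str, want: int) -> int:
        # Keep the original source port when it is free (as IOS does); otherwise
        # hand out the next unused one. The port is what lets many inside hosts
        # share a single global address.
        if (proto, want) not in self.pat_in:
            return want
        while (proto, self.next_port) in self.pat_in:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, the packet unchanged
        when NAT does not apply, or None when it must be dropped."""
        if pkt.src in self.static:
            return Packet(pkt.proto, self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if not self.acl(pkt.src):
            return pkt                                   # ACL miss: forwarded untranslated
        if self.mode == "dynamic":
            glob = self.dynamic.get(pkt.src)
            if glob is None:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                          # pool exhausted: packet dropped
                glob = self.dynamic[pkt.src] = free[0]
            return Packet(pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport)
        if self.mode == "overload":
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat_out:
                gport = self._alloc_port(pkt.proto, pkt.sport)
                self.pat_out[key] = gport
                self.pat_in[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.pool[0], self.pat_out[key], pkt.dst, pkt.dport)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only a static entry or an existing translation lets a
        packet through; everything else is dropped (the "one-way" property)."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if pkt.dst == glob:
                    return Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        if self.mode == "overload" and self.pool and pkt.dst == self.pool[0]:
            hit = self.pat_in.get((pkt.proto, pkt.dport))
            if hit:
                return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])
        return None


def demo() -> dict:
    lan = lambda ip: ip.startswith("192.168.1.")      # access-list 1 permit 192.168.1.0 0.0.0.255
    pat = NatRouter("overload", ["200.1.1.1"], acl=lan)
    a = pat.outbound(Packet("tcp", "192.168.1.2", 5000, "80.1.1.2", 80))
    b = pat.outbound(Packet("tcp", "192.168.1.3", 5000, "80.1.1.2", 80))   # same source port
    reply_b = pat.inbound(Packet("tcp", "80.1.1.2", 80, "200.1.1.1", b.sport))
    unsolicited = pat.inbound(Packet("tcp", "80.1.1.2", 4444, "200.1.1.1", 443))
    dyn = NatRouter("dynamic", ["200.1.1.1", "200.1.1.2"], acl=lan)        # two-address pool
    dyn_out = [dyn.outbound(Packet("udp", f"192.168.1.{h}", 53, "80.1.1.2", 53)) for h in (2, 3, 4)]
    static = NatRouter("static")
    static.add_static("172.16.1.1", "80.1.1.1")
    # Assumed Internet host 203.0.113.9 connecting in with no prior outbound traffic.
    static_in = static.inbound(Packet("tcp", "203.0.113.9", 40000, "80.1.1.1", 22))
    return {"pat_a": a, "pat_b": b, "reply_b": reply_b, "unsolicited": unsolicited,
            "dyn": [p.src if p else None for p in dyn_out], "static_in": static_in}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the second PAT host being moved from source port 5000 to 1024 because 5000 was already in use on 200.1.1.1, the reply to that port finding its way back to 192.168.1.3, an unsolicited inbound packet to port 443 being dropped, the third dynamic-pool host being dropped once both pool addresses are taken, and an inbound SSH connection to the static global address being delivered to 172.16.1.1 without any prior outbound traffic.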

Configuring and Verifying NAT

NAT configuration using Cisco IOS involves a few configuration steps. For dynamic NAT configuration, here are the steps required:

  1. Select the inside NAT interface using the ip nat inside interface configuration command.
  2. Select the outside NAT interface using the ip nat outside interface configuration command.
  3. Identify traffic that would be translated using an ACL. This can be a standard/extended and named or numbered ACL. I recommend named ACLs because they are more intuitive.
  4. Configure a pool of global addresses to which the local addresses will be translated. This step is optional because you can translate directly to an interface address instead. The syntax is the ip nat pool name start-ip end-ip {netmask mask | prefix-length length} global configuration command.
  5. Tie the commands together: configure dynamic NAT using the ip nat inside source list {acl-number | acl-name} {pool name | interface type number} [overload] global configuration command.

The output below shows how to configure dynamic NAT on Cisco IOS. The description and remark features available in Cisco IOS have been used to explain the configuration. This is quite useful on live networks to provide some context on why the network was configured in a particular manner.

R1(config)#interface GigabitEthernet0/0

R1(config-if)#description “Connected To The Inside Network”

R1(config-if)#ip address 10.1.1.1 255.255.255.248

R1(config-if)#ip nat inside

R1(config-if)#exit

R1(config)#interface Serial0/1

R1(config-if)#description “Connected To The Internet”

R1(config-if)#ip address 161.1.1.1 255.255.255.248

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#access-list 101 remark “Translate Inside Addresses Only”

R1(config)#access-list 101 permit ip 10.1.1.0 0.0.0.7 any

R1(config)#ip nat pool INSIDE-POOL 161.1.1.3 161.1.1.6 prefix-length 24

R1(config)#ip nat inside source list 101 pool INSIDE-POOL

R1(config)#exit

The show ip nat translations command can be used to verify that the inside networks are actually getting translated to the NAT pool, as shown below:

R1#show ip nat translations

Pro  Inside global  Inside local   Outside local  Outside global

icmp 161.1.1.4:4    10.1.1.1:4     200.1.1.1:4    200.1.1.1:4

icmp 161.1.1.3:1    10.1.1.2:1     200.1.1.1:1    200.1.1.1:1

tcp  161.1.1.5:159  10.1.1.3:159   200.1.1.1:23   200.1.1.1:23
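When an abuse report or IDS alert names one of your global addresses and a port, the translation table is what maps it back to the inside host. The following Python is an added example for this page, not Cisco code: it parses show ip nat translations output into records and answers that reverse-lookup question. The sample text is constructed from the table above plus one pool-binding row (shown with "---", as in the earlier dynamic NAT output) so that both row types are handled.

```python
# Constructed sample: the three rows from the table above plus a pool-binding
# row with no active flow, which IOS prints with '---' in place of protocol/ports.
SAMPLE = """\
Pro  Inside global  Inside local   Outside local  Outside global
icmp 161.1.1.4:4    10.1.1.1:4     200.1.1.1:4    200.1.1.1:4
icmp 161.1.1.3:1    10.1.1.2:1     200.1.1.1:1    200.1.1.1:1
tcp  161.1.1.5:159  10.1.1.3:159   200.1.1.1:23   200.1.1.1:23
---  161.1.1.6      10.1.1.4       ---            ---
"""


def _endpoint(tok: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None); '---' -> (None, None).
    For icmp rows the number after the colon is the ICMP query identifier, not a port."""
    if tok[0] in "-—":
        return None, None
    ip, _, port = tok.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":       # skip header and blank/odd lines
            continue
        ig, il, ol, og = (_endpoint(t) for t in parts[1:])
        rows.append({
            "proto": None if parts[0][0] in "-—" else parts[0],
            "inside_global": ig, "inside_local": il,
            "outside_local": ol, "outside_global": og,
        })
    return rows


def inside_host_for(rows: list, global_ip: str, global_port=None, proto=None) -> list:
    """Which inside host(s) were behind global_ip[:global_port] in this snapshot?
    A pool-binding row (no port, no protocol) matches any port and protocol."""
    hits = []
    for r in rows:
        ip, port = r["inside_global"]
        if ip != global_ip:
            continue
        if global_port is not None and port not in (None, global_port):
            continue
        if proto is not None and r["proto"] not in (None, proto):
            continue
        hits.append(r)
    return hits


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    for hit in inside_host_for(table, "161.1.1.5", 159, "tcp"):
        print("161.1.1.5:159/tcp was", hit["inside_local"], "talking to", hit["outside_global"])
```

Keep in mind that the table is a snapshot: dynamic entries expire after the NAT timeout, so by the time a report arrives the entry is usually gone. If you need this mapping for investigations, have the router log translation creation and deletion to syslog (IOS supports this with ip nat log translations syslog) and keep those logs with accurate timestamps, which is one reason the NTP section later in this chapter matters.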

Troubleshooting NAT

There is no mention of troubleshooting NAT in the CCNA syllabus but as I’ve learned over years of taking Cisco exams, the fact that it isn’t mentioned doesn’t mean that you won’t be asked about it!

You have already learned all that you need to know to troubleshoot NAT because (apart from IOS bugs) NAT issues are almost always a configuration error, in particular:

  • ip nat inside or ip nat outside statement missing from an interface (or applied to the wrong interface)
  • The pool name in the ip nat inside source command doesn’t match the name given in ip nat pool (pool names are case sensitive)
  • ACL incorrectly configured, so it matches the wrong addresses or subnets
  • An ACL on the interface blocking the traffic before it is NATed
  • Pool contains too few addresses and fills quickly (use overload or a larger pool)
  • No routing configured to reach the NAT pool addresses

You should be familiar with the show ip nat translations and debug ip nat commands to see real-time translations taking place. Don’t rush into troubleshooting NAT before checking the obvious, such as interface status, IP addressing, and IP connectivity. The network must have a route to reach all addresses, including those you have added to the NAT pool.

If you need to clear your NAT translations table, then use the clear ip nat translation * command in privileged mode. Bear in mind that all dynamic translations expire when the timeout value is reached, so if you wait too long to check the translations table, you will find that the entry is gone. This doesn’t mean that NAT isn’t working. You can change NAT timeout values, but it is best to do this after consulting Cisco TAC.
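Most of the checklist above can be checked mechanically against a saved running-config before anyone starts debugging on the box. The Python below is an added example written for this page (not a Cisco tool): it parses the NAT-relevant lines of an IOS configuration and reports missing inside/outside statements, a pool name that differs only in case, an ACL that is referenced but never defined, and a pool that is smaller than the address range its ACL permits when overload is not used. The "good" sample is the NAT overload lab configuration from later in this chapter; the "bad" one is constructed to trigger the checks.

```python
import ipaddress
import re


def _ifname(name: str) -> str:
    """Normalise 'Serial0/0', 's0/0' and 'Se0/0' to one key ('s0/0') for comparison."""
    return re.sub(r"[a-z]+", lambda m: m.group(0)[0], name.lower())


def _acl_entry_size(rest: str) -> int:
    """Addresses one 'permit' entry matches: each 1-bit in the wildcard mask doubles it."""
    toks = rest.split()
    if toks and toks[0] == "ip":                       # extended form: permit ip <src> <wc> <dst>
        toks = toks[1:]
    if not toks or toks[0] == "any":
        return 2 ** 32
    if toks[0] == "host":
        return 1
    if len(toks) >= 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", toks[1]):
        return 2 ** bin(int(ipaddress.ip_address(toks[1]))).count("1")
    return 1


def parse_config(text: str) -> dict:
    cfg = {"interfaces": [], "inside": [], "outside": [], "pools": {}, "acls": {}, "sources": []}
    ctx = None                                         # ("if", name) or ("acl", name) in a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = None
            continue
        m = re.match(r"interface (\S+)$", line, re.I)
        if m:
            ctx = ("if", m.group(1)); cfg["interfaces"].append(m.group(1)); continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            ctx = ("acl", m.group(1)); cfg["acls"].setdefault(m.group(1), 0); continue
        if ctx and ctx[0] == "if" and line in ("ip nat inside", "ip nat outside"):
            cfg[line.split()[-1]].append(ctx[1]); continue
        if ctx and ctx[0] == "acl" and line.startswith("permit"):
            cfg["acls"][ctx[1]] += _acl_entry_size(line[len("permit"):]); continue
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+)", line)
        if m:
            name, start, end = m.groups()
            cfg["pools"][name] = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
            continue
        m = re.match(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?$", line)
        if m:
            cfg["sources"].append({"acl": m.group(1), "kind": m.group(2),
                                   "target": m.group(3), "overload": bool(m.group(4))})
            continue
        m = re.match(r"access-list (\S+) permit (.+)$", line)
        if m:
            cfg["acls"][m.group(1)] = cfg["acls"].get(m.group(1), 0) + _acl_entry_size(m.group(2))
    return cfg


def lint(cfg: dict) -> list:
    issues = []
    if not cfg["inside"]:
        issues.append("no interface is marked 'ip nat inside'")
    if not cfg["outside"]:
        issues.append("no interface is marked 'ip nat outside'")
    if not cfg["sources"]:
        issues.append("no 'ip nat inside source' statement ties an ACL to a pool or interface")
    for s in cfg["sources"]:
        if s["acl"] not in cfg["acls"]:
            issues.append(f"ACL {s['acl']} is referenced but never defined")
        if s["kind"] == "interface":
            if _ifname(s["target"]) not in {_ifname(i) for i in cfg["outside"]}:
                issues.append(f"overload interface {s['target']} is not an 'ip nat outside' interface")
            continue
        pool = s["target"]
        if pool not in cfg["pools"]:
            near = [p for p in cfg["pools"] if p.lower() == pool.lower()]
            if not near:
                issues.append(f"pool {pool} is referenced but never defined")
                continue
            issues.append(f"pool {pool} is not defined; '{near[0]}' is (pool names are case sensitive)")
            pool = near[0]
        if not s["overload"]:
            hosts, size = cfg["acls"].get(s["acl"], 0), cfg["pools"][pool]
            if hosts > size:
                issues.append(f"pool {pool} has {size} addresses but ACL {s['acl']} matches "
                              f"{hosts}; without overload the pool will fill")
    return issues


GOOD = """\
interface Loopback0
 ip address 172.16.1.129 255.255.255.192
 ip nat inside
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat outside
!
ip nat pool internet_out 10.0.0.1 10.0.0.1 prefix-length 24
ip nat inside source list 1 pool internet_out overload
!
access-list 1 permit 172.16.1.128 0.0.0.63
"""

BAD = """\
interface Loopback0
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
!
ip nat pool Internet_Out 10.0.0.1 10.0.0.10 prefix-length 24
ip nat inside source list 1 pool internet_out
!
access-list 1 permit 172.16.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(parse_config(text)) or ["ok"])
```

The BAD configuration produces three findings: Serial0/0 lacks ip nat outside, the source statement refers to internet_out while the pool was created as Internet_Out, and a 10-address pool is paired with an ACL that permits a /16 without overload. The size check counts addresses, not live hosts, so treat it as a warning rather than a fault.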

Network Time Protocol

Having an automated way to ensure that consistent and accurate time is held by your network devices is vital to the efficient operation of your network infrastructure, and to anything that depends on timestamps, such as correlating log entries across devices. Network Time Protocol (NTP) is a protocol that allows automatic time configuration on distributed network devices based on a client/server model. The client polls an NTP server, which returns its current time together with the information the client needs to estimate the offset and network delay. NTP uses UDP port 123. A Cisco device can be configured to pull its time from an NTP server (192.168.1.2 in the output below) using the following command:

R1(config)#ntp server 192.168.1.2

 

R1#show ntp status

Clock is unsynchronized, stratum 16, no reference clock

nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18

reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)

clock offset is 0.0000 msec, root delay is 0.00 msec

root dispersion is 0.00 msec, peer dispersion is 0.00 msec

 

R1#show ntp associations

address       ref clock   st  when  poll reach  delay  offset  disp

~192.168.1.2  0.0.0.0     16  –     64   0      0.0    0.00    6000

* master (synced), # master (unsynced), + selected, – candidate, ~ configured

You can see that the output above includes the term “stratum”. The stratum grades the reliability of time sources. A stratum 1 device is directly connected to a reference clock, such as an atomic or GPS clock (the reference clock itself is stratum 0). A stratum 2 device obtains its time from a stratum 1 device, a stratum 3 device from a stratum 2 device, and so on. Stratum 16 means unsynchronized: in the output above the router reports stratum 16 and reach 0 for 192.168.1.2, so it has not yet received a usable reply from the server and is still running on its own free-running clock.


FIG 19.15 – NTP stratum sources

NTP offers a number of configuration options, including authentication and peering, but going into depth on these will take us off track for the purposes of the CCNA exam.
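Reading show ntp associations by eye works for one router; across a fleet you want the same checks in code, because a device with wrong time produces logs that cannot be correlated and may reject valid certificates. The following Python is an added example for this page, not Cisco code: it parses the association table into records, decodes the octal reach field (a bitmask of the last eight polls) and flags the conditions that mean the device is not actually synchronized. The sample reuses the unsynchronized row from the output above and adds a constructed healthy stratum 1 peer.

```python
import re

# Constructed sample: first data row is the unsynchronized peer from the page's
# output; the second is a made-up healthy GPS-backed stratum 1 server.
ASSOCIATIONS = """\
address       ref clock   st  when  poll reach  delay  offset  disp
~192.168.1.2  0.0.0.0     16  -     64   0      0.0    0.00    6000
*~10.0.0.5    .GPS.        1  23    64   377    1.2    0.35    0.9
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# flags, address, ref clock, st, when, poll, reach, delay, offset, disp
ROW = re.compile(r"^([*#+\-~]*)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_associations(text: str) -> list:
    peers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())          # header and legend lines do not match
        if not m:
            continue
        flags, addr, ref, st, when, poll, reach, delay, offset, disp = m.groups()
        peers.append({
            "address": addr,
            "refclock": ref,
            "stratum": int(st),
            "reach_ok": bin(int(reach, 8)).count("1"),   # replies in the last 8 polls
            "synced": "*" in flags,                      # '*' = selected master, synced
            "offset_ms": float(offset),
            "dispersion": float(disp),
        })
    return peers


def assess(peers: list, max_offset_ms: float = 128.0) -> list:
    """Return human-readable problems; an empty list means time looks trustworthy."""
    problems = []
    for p in peers:
        if p["stratum"] >= 16:
            problems.append(f"{p['address']}: stratum 16, the server itself has no valid time")
        if p["reach_ok"] == 0:
            problems.append(f"{p['address']}: reach 0, no reply to the last 8 polls "
                            "(check the UDP/123 path and any ACLs)")
        elif abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['address']}: offset {p['offset_ms']} ms is too large to step cleanly")
    if not any(p["synced"] for p in peers):
        problems.append("no peer is the selected sync source; the local clock is free-running")
    return problems


if __name__ == "__main__":
    peers = parse_associations(ASSOCIATIONS)
    for problem in assess(peers) or ["time synchronization looks healthy"]:
        print(problem)
```

On the page's own output alone (the first row only) assess() reports three problems: stratum 16, reach 0, and no selected source. With the constructed healthy peer present, the device is synchronized and only the dead peer is reported. Because anyone who can spoof replies from your configured server can move your clock, the authentication the section above mentions (ntp authenticate, ntp authentication-key and ntp trusted-key on IOS) is worth enabling on production devices even though it is outside the CCNA scope.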

End of Chapter Questions

Please visit www.howtonetwork.com/ccnasimplified to take the free Chapter 19 exam.

Chapter 19 Labs

Lab 1: Configuring a Router as a DHCP Server

The physical topology is shown in Figure 19.16 below:

DHCP server

FIG 19.16 – DHCP server

Lab Exercise

Your task is to configure the router to issue an IP address to the host via DHCP. Please feel free to try the lab without following the Lab Walk-through section.

Purpose

Configuring a router to act as a DHCP server is now included in the CCNA exam. You may also have to carry out this task as a network engineer while on site.

Lab Objectives

  1. Use the IP addressing scheme depicted in the diagram above. You will need to connect the router to the PC via a crossover cable unless you have a switch you can use.
  2. Set the IP address on the router’s Fast Ethernet interface to 172.16.1.1/16.
  3. Set the PC to obtain an IP address via DHCP.
  4. Configure a DHCP pool on the router for network 172.16.0.0/16.
  5. Add an excluded address on the router and add TCP/IP settings for the clients (default gateway and DNS server; optional).
  6. Finally, to test that DHCP is working, renew the IP address on the PC.

Lab Walk-through

  1. To set the IP addresses on an interface, you will need to do the following:

Router#conf t

Router(config)#interface fastethernet0/0

Router(config-if)#ip address 172.16.1.1 255.255.0.0

  2. Enable DHCP on your router and set the address pool (in configuration mode):

Router(config)#service dhcp – Turn the DHCP service on (it is on by default)

Router(config)#ip dhcp excluded-address 172.16.1.1 – Never hand out the router’s own address

Router(config)#ip dhcp pool pool1 – Name your pool pool1

Router(dhcp-config)#network 172.16.0.0 255.255.0.0 – This is your DHCP pool

Router(dhcp-config)#lease 3 – 3-day lease on the IP address

Router(dhcp-config)#exit – Drop back to config mode

  3. If you are using your home PC or laptop, set the network adaptor to obtain the IP address automatically:

Obtaining IP address

FIG 19.17 – Obtaining IP address

  4. Issue an ipconfig /all command to check whether an IP address has been assigned to your PC. You may need to issue an ipconfig /renew command if an old IP address is still in use:

[PC] ipconfig /all

Physical Address…………….: 0001.C7DD.CB19

IP Address………………….: 172.16.0.1

Subnet Mask…………………: 255.255.0.0

Default Gateway……………..: 0.0.0.0

DNS Servers…………………: 0.0.0.0

  5. If you want, you can go back into the DHCP pool and add a default gateway and a DNS server address, which will also be set on the host PC:

Router(config)#ip dhcp pool pool1

Router(dhcp-config)#default-router 172.16.1.2

Router(dhcp-config)#dns-server 172.16.1.3

[PC] ipconfig /renew

IP Address………………….: 172.16.0.1

Subnet Mask…………………: 255.255.0.0

Default Gateway……………..: 172.16.1.2

DNS Server………………….: 172.16.1.3

Show Run

hostname Router

!

ip dhcp excluded-address 172.16.1.1

!

ip dhcp pool pool1

network 172.16.0.0 255.255.0.0

dns-server 172.16.1.3

default-router 172.16.1.2

lease 3

!

ip cef

ip audit po max-events 100

!

interface FastEthernet0/0

ip address 172.16.1.1 255.255.0.0

!

end

Lab 2: Static NAT

The physical topology is shown in Figure 19.18 below:

Static NAT

FIG 19.18 – Static NAT

Lab Exercise

Your task is to configure the network in Figure 19.18 to allow the 172.16.1.1 host on the 172.16.1.0 LAN to access the Internet using address 10.0.0.1. The 10.0.0.1 address would normally be a routable public address provided by your ISP (such as 80.1.1.1), but for this lab, we will use a private non-routable address. Please feel free to try the lab without following the Lab Walk-through section, and then just check the notes for the NAT configuration.

Purpose

Being able to configure NAT is a fundamental CCNA skill. Any client who needs to access the Internet will want to use NAT. The key is to understand the clients’ requirements, and then design a solution to fit their needs.

Lab Objectives

  1. Use the IP addressing scheme depicted in Figure 19.18. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
  2. Set Telnet access for the router to use the local login permissions for username banbury and the password ccna (not needed for NAT but added for practice purposes).
  3. Put a static route on the router.
  4. Configure the inside and outside NAT interfaces on the router.
  5. Configure a static NAT translation.
  6. Test the NAT translation.

Lab Walk-through

  1. To set the IP addresses on an interface, you will need to do the following:

Router#config t

Router(config)#hostname RouterA

RouterA(config)#

RouterA(config)#interface Serial0/0

RouterA(config-if)#ip address 192.168.1.1 255.255.255.252

RouterA(config-if)#clock rate 64000 – If this is the DCE side

RouterA(config-if)#no shutdown

RouterA(config-if)#ip nat outside – The outside NAT network

RouterA(config-if)#interface Loopback0 – No need for no shutdown on Loopback interfaces

RouterA(config-if)#ip address 172.16.1.1 255.255.0.0

RouterA(config-if)#ip nat inside – The inside NAT network

RouterA(config-if)#^Z

RouterA#

 

Router B:

 

Router#config t

Router(config)#hostname RouterB

RouterB(config)#interface Serial0/0

RouterB(config-if)#ip address 192.168.1.2 255.255.255.252

RouterB(config-if)#no shutdown

RouterB(config-if)#exit

RouterB(config)#ip route 0.0.0.0 0.0.0.0 s0/0 – Static route

RouterB(config)#^Z

RouterB#

Ping across the Serial link now.

  2. To set Telnet access, you need to configure the VTY lines to allow Telnet access; to do this, type the following (in configuration mode):

RouterA(config)#line vty 0 4 – Enters the VTY line configuration

RouterA(config-line)#login local – This will use local usernames and passwords for Telnet access

RouterA(config-line)#exit – Exits the VTY config mode

RouterA(config)#username banbury password ccna – Creates username and password for Telnet access (login local). The password keyword stores the password in the configuration in clear text (or reversibly obfuscated if service password-encryption is on); on IOS images that support it, prefer username banbury secret ccna, which stores a hash.

 

Router B:

 

RouterB(config)#line vty 0 4

RouterB(config-line)#login local

RouterB(config-line)#exit

RouterB(config)#username banbury password ccna

  3. To set the enable password, do the following:

RouterA(config)#enable secret cisco – Sets the enable password (encrypted)

Router B:

 

RouterB(config)#enable secret cisco

  4. Configure a static NAT translation:

RouterA(config)#ip nat inside source static 172.16.1.1 10.0.0.1

RouterA(config)#^Z

  5. To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.1 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the static entry (static NAT uses no ACL) and be translated to 10.0.0.1.

RouterA#debug ip nat – Turns on the NAT debug

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2 – Pings Router B

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: Loopback0 – Source is the LAN

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [35]

03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [35]

03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [36]

03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [36]

03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [37]

03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [37]

03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [38]

03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [38]

03:48:01: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [39]

03:48:01: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [39]

You can see that the NAT debug shows the source (s=) as the Loopback interface address 172.16.1.1, which is translated to 10.0.0.1. The destination (d=) is the Serial address 192.168.1.2 for Router B. The returning packets show the translation applied in reverse (d=10.0.0.1->172.16.1.1). The asterisk in NAT* means that packet was translated in the fast-switched path rather than process-switched; it does not by itself indicate direction. The numbers in brackets (e.g., [35]) are the IP identification numbers of the packets.

RouterA#show ip nat translations

Pro Inside global  Inside local   Outside local Outside global

—  10.0.0.1       172.16.1.1     —            —

You can see from the NAT translation table above that the router is doing a 1-to-1 translation of the address.

  6. Now please enter reload at the Router# prompt, and type yes to confirm.

Show Runs

RouterA#show run

Building configuration…

Current configuration: 757 bytes

!

version 15.1

!

hostname RouterA

!

interface Loopback0

ip address 172.16.1.1 255.255.0.0

ip nat inside

!

interface Serial0/0

ip address 192.168.1.1 255.255.255.252

clock rate 64000

ip nat outside

!

ip nat inside source static 172.16.1.1 10.0.0.1

!

end

RouterA#

– – –

RouterB#show run

Building configuration…

Current configuration: 456 bytes

!

version 15.1

!

hostname RouterB

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

!

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

end

Lab 3: NAT Pool

The physical topology is shown in Figure 19.19 below:

NAT pool

FIG 19.19 – NAT pool

Lab Exercise

Your task is to configure the network in Figure 19.19 to allow the hosts on the 172.16.0.0 LAN (we will simulate this with the Loopback address and secondary address) to access the Internet using the NAT pool 10.0.0.1 to 10.0.0.10. Please feel free to try the lab without following the Lab Walk-through section.

Purpose

Again, being able to configure NAT is a fundamental CCNA skill. Any client who needs to access the Internet will want to use NAT. The key is to understand the clients’ requirements, and then design a solution to fit their needs.

Lab Objectives

  1. Use the IP addressing scheme depicted in Figure 19.19. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
  2. Set Telnet access for the router to use the local login permissions for username banbury and the password ccna (optional).
  3. Put a static route on the router.
  4. Configure the inside and outside NAT interfaces on the router.
  5. Configure a pool of addresses the router will use as a NAT pool.
  6. Test the NAT configuration with a ping and debug.

Lab Walk-through

  1. To set the IP addresses for an interface, you will need to do the following:

Router#config t

Router(config)#hostname RouterA

RouterA(config)#

RouterA(config)#interface Serial0/0

RouterA(config-if)#ip address 192.168.1.1 255.255.255.252

RouterA(config-if)#clock rate 64000 – If this is the DCE side

RouterA(config-if)#no shutdown

RouterA(config-if)#ip nat outside

RouterA(config-if)#interface Loopback0

RouterA(config-if)#ip address 172.16.1.1 255.255.0.0

RouterA(config-if)#ip address 172.16.1.2 255.255.0.0 secondary

The secondary address will act as a second host on the LAN.

RouterA(config-if)#ip nat inside

RouterA(config-if)#^Z

RouterA#

 

Router B:

 

Router#config t

Router(config)#hostname RouterB

RouterB(config)#interface Serial0/0

RouterB(config-if)#ip address 192.168.1.2 255.255.255.252

RouterB(config-if)#no shutdown

RouterB(config-if)#exit

RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0

RouterB(config)#^Z

RouterB#

 

Ping across the Serial link now.

  2. To set Telnet access, you need to configure the VTY lines to allow Telnet access. To do this, type the following (in configuration mode):

RouterA(config)#line vty 0 4

RouterA(config-line)#login local

RouterA(config-line)#exit

RouterA(config)#username banbury password ccna

 

Router B:

 

RouterB(config)#line vty 0 4

RouterB(config-line)#login local

RouterB(config-line)#exit

RouterB(config)#username banbury password ccna

  3. To set the enable password, do the following:

RouterA(config)#enable secret cisco

 

Router B:

 

RouterB(config)#enable secret cisco

  4. You need to configure a NAT pool and then tell the pool which ACL to use to determine which traffic you want to be NATed:

RouterA(config)#ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24

(or you could have entered ip nat pool internet_out 10.0.0.1 10.0.0.10 netmask 255.255.255.0)

RouterA(config)#ip nat inside source list 1 pool internet_out

RouterA(config)#access-list 1 permit 172.16.0.0 0.0.255.255

RouterA(config)#^Z

  5. To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.1 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the ACL and be translated to an address from the NAT pool.

RouterA#debug ip nat – Turns on the NAT debug

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2 – Pings Router B

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: Loopback0 – Source is the LAN

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

RouterA#

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [20]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [20]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [21]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [21]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [22]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [22]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [23]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [23]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [24]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [24]

RouterA#show ip nat translations

Pro  Inside global  Inside local  Outside local  Outside global

—  10.0.0.1       172.16.1.1    —            —

RouterA#

You can see that the NAT debug shows the source (s=) as the Loopback interface, which is translated to 10.0.0.1. The destination (d=) is the Serial address 192.168.1.2 for Router B. The returning packets show the translation applied in reverse; the asterisk in NAT* marks packets handled in the fast-switched path rather than process-switched.

The numbers in brackets (e.g., [20]) are the IP identification numbers of the packets. Feel free to also issue the show ip nat statistics command.

If you want to check that the pool is allocating addresses correctly, you can source a second ping—this time from the secondary address. There should be another address allocated from the NAT pool.

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 172.16.1.2

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/68 ms

RouterA#

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [45]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [45]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [46]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [46]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [47]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [47]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [48]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [48]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [49]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [49]

RouterA#show ip nat translations

Pro  Inside global Inside local  Outside local  Outside global

—  10.0.0.1      172.16.1.1    —            —

—  10.0.0.2      172.16.1.2    —            —

  6. Now please enter reload at the Router# prompt, and type yes to confirm.

Show Runs

RouterA#show run

Building configuration…

Current configuration: 749 bytes

!

version 15.1

!

hostname RouterA

!

interface Loopback0

ip address 172.16.1.1 255.255.0.0

ip address 172.16.1.2 255.255.0.0 secondary

ip nat inside

!

interface Serial0/0

ip address 192.168.1.1 255.255.255.252

clockrate 64000

ip nat outside

!

ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24

ip nat inside source list 1 pool internet_out

!

access-list 1 permit 172.16.0.0 0.0.255.255

!

end

RouterA#

– – –

RouterB#show run

Building configuration…

Current configuration: 456 bytes

!

version 15.1

!

hostname RouterB

!

ip subnet-zero

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

!

ip route 0.0.0.0 0.0.0.0 Serial 0/0

!

end

Lab 4: NAT Overload

The physical topology is shown in Figure 19.20 below:

NAT overload

FIG 19.20 – NAT overload

Lab Exercise

Your task is to configure the network in Figure 19.20 to allow the hosts in the 172.16.1.128 subnet to access the Internet using the NAT overload address 10.0.0.1. Hosts in the 172.16.1.64 subnet should not be NATed. Please feel free to try the lab without following the Lab Walk-through section.

Purpose

This lab will help you to understand NAT overload.

Lab Objectives

  1. Use the IP addressing scheme depicted in Figure 19.20. Router A needs a clock rate on interface Serial 0/0: set this to 64000.
  2. Set Telnet access for the router to use the local login permissions for username banbury and the password ccna.
  3. Put a static route on the router.
  4. Configure the inside and outside NAT interfaces on the router.
  5. Configure NAT overload.
  6. Finally, test the NAT overload from Loopback 0 and Loopback 1.

Lab Walk-through

  1. To set the IP addresses for an interface, you will need to do the following:

Router#config t

Router(config)#hostname RouterA

RouterA(config)#

RouterA(config)#interface Serial0/0

RouterA(config-if)#ip address 192.168.1.1 255.255.255.252

RouterA(config-if)#clock rate 64000

RouterA(config-if)#no shutdown

RouterA(config-if)#ip nat outside

RouterA(config-if)#interface Loopback0

RouterA(config-if)#ip address 172.16.1.129 255.255.255.192

RouterA(config-if)#ip nat inside

RouterA(config-if)#interface Loopback1

RouterA(config-if)#ip address 172.16.1.65 255.255.255.192

RouterA(config-if)#ip nat inside

RouterA(config-if)#^Z

RouterA#

 

Router B:

 

Router#config t

Router(config)#hostname RouterB

RouterB(config)#interface Serial0/0

RouterB(config-if)#ip address 192.168.1.2 255.255.255.252

RouterB(config-if)#no shutdown

RouterB(config-if)#exit

RouterB(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0

RouterB(config)#^Z

RouterB#

Ping across the Serial link now.

  2. To set Telnet access, you need to configure the VTY lines to allow Telnet access; to do this, type the following (in configuration mode):

RouterA(config)#line vty 0 4

RouterA(config-line)#login local

RouterA(config-line)#exit

RouterA(config)#username banbury password ccna

 

Router B:

 

RouterB(config)#line vty 0 4

RouterB(config-line)#login local

RouterB(config-line)#exit

RouterB(config)#username banbury password ccna

  3. To set the enable password, do the following:

RouterA(config)#enable secret cisco

 

Router B:

 

RouterB(config)#enable secret cisco

  4. You need to configure a NAT pool and then tell the pool which ACL to use to determine which traffic you want to be NATed:

RouterA(config)#ip nat pool internet_out 10.0.0.1 10.0.0.1 prefix-length 24

RouterA(config)#ip nat inside source list 1 pool internet_out overload

RouterA(config)#access-list 1 permit 172.16.1.128 0.0.0.63

  5. To see if NAT is working, you need to turn on a debug with the debug ip nat command. Now imagine that the Loopback address 172.16.1.129 is a host in the LAN that wants to get out to the Internet. When the packet from the NATed LAN passes through the router, it will match the ACL and be translated to the NAT overload address.

RouterA#debug ip nat

IP NAT debugging is on

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: Loopback0

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/40ms

 

RouterA#

00:43:59: NAT:  s=172.16.1.129->10.0.0.1, d=192.168.1.2     [20]

00:43:59: NAT:  s=192.168.1.2, d=10.0.0.1->172.16.1.129     [20]

00:43:59: NAT:  s=172.16.1.129->10.0.0.1, d=192.168.1.2     [21]

00:43:59: NAT:  s=192.168.1.2, d=10.0.0.1->172.16.1.129     [21]

00:43:59: NAT:  s=172.16.1.129->10.0.0.1, d=192.168.1.2     [22]

00:43:59: NAT:  s=192.168.1.2, d=10.0.0.1->172.16.1.129     [22]

00:43:59: NAT:  s=172.16.1.129->10.0.0.1, d=192.168.1.2     [23]

00:43:59: NAT:  s=192.168.1.2, d=10.0.0.1->172.16.1.129     [23]

00:43:59: NAT:  s=172.16.1.129->10.0.0.1, d=192.168.1.2     [24]

00:43:59: NAT:  s=192.168.1.2, d=10.0.0.1->172.16.1.129     [24]

 

RouterA#show ip nat tran

Pro    Inside global    Inside local       Outside local      Outside global

icmp   10.0.0.1:8759    172.16.1.129:8759  192.168.1.2:8759   192.168.1.2:8759

icmp   10.0.0.1:8760    172.16.1.129:8760  192.168.1.2:8760   192.168.1.2:8760

icmp   10.0.0.1:8761    172.16.1.129:8761  192.168.1.2:8761   192.168.1.2:8761

icmp   10.0.0.1:8762    172.16.1.129:8762  192.168.1.2:8762   192.168.1.2:8762

icmp   10.0.0.1:8763    172.16.1.129:8763  192.168.1.2:8763   192.168.1.2:8763

 

RouterA#

00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8759 (8759)

00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8760 (8760)

00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8761 (8761)

00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8762 (8762)

00:44:59: NAT: expiring 10.0.0.1 (172.16.1.129) icmp 8763 (8763)

You can see from the NAT translation output above that the router is tracking a port-like identifier for each translation (8759 to 8763). For ICMP the "port" column holds the ICMP query identifier, which PAT rewrites in the same way it rewrites TCP and UDP source ports, and the entries expire a minute later once no more traffic matches them.

Now ping from Loopback 1, which does not match the ACL because it is in a different subnet. The address should not be NATed.

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: Loopback 1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms

RouterA#show ip nat tran

RouterA#

The translation table is empty: the ping from Loopback 1 went out untranslated because 172.16.1.65 is not permitted by access-list 1, so no entry was created (and the earlier ICMP entries from Loopback 0 have already expired).

  6. Now please enter reload at the Router# prompt, and type yes to confirm.

Show Runs

RouterA#show run

Building configuration…

Current configuration: 757 bytes

!

version 15.1

!

hostname RouterA

!

ip subnet-zero

!

interface Loopback0

ip address 172.16.1.129 255.255.255.192

ip nat inside

!

interface Loopback1

ip address 172.16.1.65 255.255.255.192

ip nat inside

!

interface Serial0/0

ip address 192.168.1.1 255.255.255.252

ip nat outside

clock rate 64000

!

ip nat pool internet_out 10.0.0.1 10.0.0.1 prefix-length 24

ip nat inside source list 1 pool internet_out overload

ip classless

no ip http server

!

access-list 1 permit 172.16.1.128 0.0.0.63

!

!

end

RouterA#

– – –

RouterB#show run

Building configuration…

Current configuration: 456 bytes

!

version 15.1

!

hostname RouterB

!

ip subnet-zero

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

!

ip classless

!

ip route 0.0.0.0 0.0.0.0 Serial0/0

 

 

 

Copyright Reality Press Ltd. / Paul Browning