Saturday, February 25, 2012

NAT

NAT

  • Network Address Translation rewrites the source IP address in a packet, normally to hide private IP addresses.
  • It is also used where we have overlapping subnets, for example after a merger of networks.
  • Static translation is a 1-to-1 translation, guaranteed to give the same IP every time.
  • Dynamic translation is a 1-to-1 translation done dynamically, so the same IP is not guaranteed every time.
  • Port Address Translation is a many-to-one translation based on TCP/UDP ports, common in overloading scenarios.
  • Inside local is the inside IP before translation.
  • Inside global is the inside IP after translation.
  • Outside global is the original outside IP address.
  • Outside local is the outside IP after translation, as seen on the inside.
  • The major thing in NAT is the order of operations: going from inside to outside, routing takes place before NAT; coming from outside to inside, routing takes place after NAT.

Commands

 Static Nat

ip nat inside source static 10.10.10.1 30.30.30.30   - this is going out
ip nat outside source static 30.30.30.30 10.10.10.1  - this is coming in
int fa0/0
ip nat inside
int s0/0
ip nat outside

Dynamic Nat

ip nat pool <name of pool> <start ip> <end ip> netmask <mask>
access-list <acl no> permit <source ip>
ip nat inside source list <acl no> pool <name of pool>

int fa0/0
ip nat inside
int s0/0
ip nat outside

PAT

To the source list command we just need to add the keyword overload. That way we can define a smaller pool and choose overload; when the pool runs out it will overload the last IP?



LAB
----
For the LAB, sw2 and R5 are inside the network; R5 is the border router and will do the NAT.
The rest of the routers are outside; they do not have a route to the inside address range 10.164.48.0/24.


s2
----
s2(config)#int vlan 58
s2(config-if)#ip address 10.164.48.2 255.255.255.0
s2(config-if)#exit
00:09:37: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 155.0.58.5 (Vlan58) is down: interface down
s2(config)#ip route 0.0.0.0 0.0.0.0 10.164.48.5

r5
---
r5(config)#int fa0/0
r5(config-if)#ip address 10.164.48.5 255.255.255.0
r5(config-if)#no shut
r5(config-if)#


The first thing we will do is define a pool for the NAT addresses.
r5(config)#do sh run | begin ip nate
r5(config)#do sh run | begin ip nat
ip nat pool INSIDE-GLOBAL 155.28.254.0 155.28.254.254 prefix-length 24 add-route

What this command says is that we will use the pool 155.28.254.0-254 with a /24 mask. The add-route keyword adds a static route via NVI0 (the NAT virtual interface), which we can then redistribute to advertise the pool out to the external networks.

r5(config)#router eigrp 1
r5(config-router)#redistribute static 1 1 1 1 1 1
                                      ^
% Invalid input detected at '^' marker.
r5(config-router)#redistribute static metric 1 1 1 1 1

Next step: we define an access-list of what we are going to NAT.
r5(config)#access-list 1 permit 10.164.48.0 0.0.0.255

So we will NAT addresses in 10.164.48.0/24. This is an important step: we can have problems if we start doing permit any, because control-plane traffic can end up getting NATted, with unexpected results. It is better to limit it down to our specific networks.

Next step is the actual nat command

r5(config)#ip nat source list 1 pool INSIDE-GLOBAL overload

OK, so this is saying: source list 1 is anything matched in ACL 1, and we will use the pool INSIDE-GLOBAL with port overload. If we run out of addresses we can use port numbers to do many-to-one translations.
OK, next is to enable it on the interfaces.
r5(config)#int fa0/0
r5(config-if)#ip nat enable

r5(config-if)#int s0/0/0
r5(config-if)#ip nat enable


s2
---

s2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/67/67 ms
I can ping 1.1.1.1 successfully.

r5
---
r5#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
r5#sh ip nat nvi tran
Pro Source global      Source local       Destin  local      Destin  global
icmp 155.28.254.1:5    10.164.48.2:5      1.1.1.1:5          1.1.1.1:5
r5#

We are getting translated from 10.164.48.2 to 155.28.254.1, port 5. The entry shows up under sh ip nat nvi translations rather than sh ip nat translations because the NAT was configured in the NVI style (ip nat source ... with ip nat enable on the interfaces).


r1
---
We can see this traffic being sent back from src 1.1.1.1 to dst 155.28.254.1.
When this gets to R5, R5 checks its state table above and forwards the reply back to 10.164.48.2.

*Mar  1 03:00:16.795: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.859: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.927: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:16.995: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.063: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.131: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.199: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.263: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.331: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.399: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.467: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.531: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.599: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.667: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.735: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1
*Mar  1 03:00:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 155.28.254.1


r1
---
r1#ping 155.28.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.28.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#telnet 155.28.254.1
Trying 155.28.254.1 ...

I cannot ping or telnet. This is because there is no way for R5 to know to forward this to 10.164.48.2, as there is no state information from an outbound packet.
we can create a static entry for 

r5
----
r5(config)#ip nat source static tcp 10.164.48.2 23 interface s0/0/0 8080

Basically this command is saying that anything coming in on port 8080 on interface s0/0/0 will be redirected to 10.164.48.2 on port 23.
r5#clear ip nat nvi translation *
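As an added illustration (not part of the original lab and not Cisco code), here is a small Python model of what R5 is doing in both the dynamic step and the static step above: outbound PAT gated by access-list 1 that builds state, inbound matching against that state, the drop when no state exists, and the static entry that lets port 8080 reach 10.164.48.2:23. The addresses come from the lab; 155.0.0.5 is assumed to be the s0/0/0 address, and port allocation is simplified.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed from the lab: access-list 1 permit 10.164.48.0 0.0.0.255
INSIDE_NET = ipaddress.ip_network("10.164.48.0/24")
POOL_ADDR = "155.28.254.1"   # first pool address handed out in the lab's translation table
OUTSIDE_IF = "155.0.0.5"     # assumed s0/0/0 address, the target of the lab's telnet test


@dataclass
class PatRouter:
    # dynamic state: (proto, inside_local, local_port, dst, dst_port) -> global_port
    dyn: dict = field(default_factory=dict)
    # static port forwards: (proto, outside_if, global_port) -> (inside_local, local_port)
    static: dict = field(default_factory=dict)

    def add_static(self, proto, inside_local, local_port, global_port):
        """Models: ip nat source static tcp <inside> <lport> interface s0/0/0 <gport>"""
        self.static[(proto, OUTSIDE_IF, global_port)] = (inside_local, local_port)

    def _alloc_port(self, wanted):
        # Keep the original port (or ICMP id) when free, as the lab shows 5 -> 5;
        # otherwise pick the next unused one. This is what lets one address serve many hosts.
        used = set(self.dyn.values())
        port = wanted if wanted not in used else 1024
        while port in used:
            port += 1
        return port

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside: routing already chose s0/0/0; translate only list-1 matches."""
        if ipaddress.ip_address(src) not in INSIDE_NET:
            return (proto, src, sport, dst, dport)     # not permitted by the ACL: left untouched
        key = (proto, src, sport, dst, dport)
        if key not in self.dyn:
            self.dyn[key] = self._alloc_port(sport)
        return (proto, POOL_ADDR, self.dyn[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: NAT runs before routing. Returns None when the packet is dropped."""
        for (p, inside, lport, d, dp), gport in self.dyn.items():
            if (p, d, dp, POOL_ADDR, gport) == (proto, src, sport, dst, dport):
                return (proto, src, sport, inside, lport)   # reply to a flow we saw go out
        hit = self.static.get((proto, dst, dport))
        if hit:
            return (proto, src, sport, hit[0], hit[1])      # static entry, no prior state needed
        return None   # unsolicited: no state and no static entry, so R5 cannot forward it
```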


r1
---
r1#
r1#telnet 155.0.0.5 8080
Trying 155.0.0.5, 8080 ... Open

User Access Verification
Username: cisco
Password:
s2>

working as expected
