NAT Configuration

This document discusses configuring different types of NAT: 1. Static NAT allows inbound and outbound traffic for a single IP address and is used to access servers from outside the network. 2. Static NAT with port forwarding allows multiple servers to use the same public IP by forwarding traffic to private servers based on port numbers. 3. Dynamic NAT uses a pool of public IP addresses and matches private addresses to this pool using an ACL for address translation; overload NAT allows multiple private IPs to map to a single public IP by overloading ports. 4. PAT (Port Address Translation) is the most common type of NAT for Internet access. It operates similarly to overload NAT but with dynamic public IP addressing.

Uploaded by

abalo afi

NAT configuration

Task 1 - Static NAT

NAT is a very important tool in an IPv4 network because, as you may remember, we have two address types: private (RFC 1918) and public (routable on the Internet).

There are several types of NAT and several ways to configure it, but we will focus only on the common, must-know ones, which are the ones that matter for CCNA purposes.

Static NAT is the simplest NAT configuration. It works for both inbound and outbound traffic; in other words, we can use it to reach a server from outside (some books call this setup a DMZ).

In the lab we have several "public IPs" available for the tests.

From ExternalPC open Firefox and browse to 189.203.32.10. Right now this does not work, but if you browse to YouTube or Facebook it should work: the external PC has Internet access, what is missing is the mapping from that public address to the internal server.

The first thing we need to do is give each interface its NAT role (inside/outside).

On R1:

    interface ethernet 0/0
     ip nat outside
    interface ethernet 0/1
     ip nat inside
    interface ethernet 0/2
     ip nat inside

Now it is time to configure the NAT rule (static NAT, also called one-to-one):

    ip nat inside source static 192.168.40.20 189.203.32.10

Again, from ExternalPC try to open 189.203.32.10 (nagiosadmin/nagios); now it works. If you use the graphito port (189.203.32.10:8080) it also works, because this rule translates every port of 189.203.32.10 to 192.168.40.20.

You can also use show ip nat translations to observe how it is working, or debug ip nat.

The cold truth here is that we need one public IP for each private IP. Let's try the next task.

Task 2 - Static NAT with Port forward

Most of the time we have a limited number of public IPs, and most of the time our public IP is dynamic. We can still use static NAT, but in order for several servers to share the same public IP we add port forwarding.

At this point you should already have the interfaces set as NAT inside/outside; if not, do that first.

This time we only add the NAT rules below. Notice that you cannot use the same public port twice, but you can forward a public port to a different private port.

    ip nat inside source static tcp 192.168.40.10 80 interface ethernet 0/0 80
    ip nat inside source static tcp 192.168.40.20 80 interface ethernet 0/0 81
    ip nat inside source static tcp 192.168.40.10 80 interface ethernet 0/0 9000
    ip nat inside source static tcp 192.168.40.40 3000 interface ethernet 0/0 777
    ip nat inside source static tcp 192.168.40.30 80 interface ethernet 0/0 3000

Time to make some probes:

From ExternalPC using Firefox, open:

    189.203.32.1      <--- this will be Zabbix
    189.203.32.1:81   <--- this opens Nagios
    189.203.32.1:9000 <--- also opens Zabbix
    189.203.32.1:777  <--- ntop
    189.203.32.1:3000 <--- syslog

You can also use show ip nat translations to observe how it is working, or debug ip nat.
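As an added example (this is not code from the lab handout, and it does not run on the router), the following Python script parses the static NAT rules exactly as Task 1 and Task 2 write them and answers the two questions a reviewer of this configuration would ask: which inside hosts are now reachable from outside, and on which ports, and whether any public port is claimed by two rules, which the text above says you cannot do. The one-to-one rule from Task 1 shows up as every port of 192.168.40.20 being exposed, which is exactly why 189.203.32.10:8080 worked too. The sixth rule in BAD_RULES is a constructed mistake, not part of the handout.

```python
"""Added example for Tasks 1 and 2 (not part of the lab handout, and not IOS code):
parse the static NAT rules as written on the page, report which inside hosts are
reachable from outside and on which ports, and flag any public port claimed twice."""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Task 1 form: one-to-one static NAT, every port of the inside host is exposed.
ONE_TO_ONE_RE = re.compile(
    rf"^ip nat inside source static (?P<local_ip>{IPV4}) (?P<global_ip>{IPV4})$"
)
# Task 2 form: one public port on the outside interface maps to one private host:port.
PORT_FWD_RE = re.compile(
    rf"^ip nat inside source static (?P<proto>tcp|udp) (?P<local_ip>{IPV4}) "
    r"(?P<local_port>\d+) interface (?P<iface>.+?) (?P<global_port>\d+)$"
)


def parse_static_rules(config_text):
    """Return one dict per static NAT rule; lines that are not static rules are skipped."""
    rules = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse the stray whitespace of a pasted config
        if not line.startswith("ip nat inside source static"):
            continue
        m = PORT_FWD_RE.match(line)
        if m:
            rules.append({
                "kind": "port-forward",
                "proto": m["proto"],
                "local": (m["local_ip"], int(m["local_port"])),
                # The public side is (interface, port): the address is whatever the
                # interface holds right now, which is why this works with a dynamic IP.
                "public": (m["iface"], int(m["global_port"])),
            })
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            rules.append({"kind": "one-to-one",
                          "local": (m["local_ip"], "all"),
                          "public": (m["global_ip"], "all")})
            continue
        raise ValueError(f"unsupported static NAT form: {line!r}")
    return rules


def public_port_conflicts(rules):
    """(proto, interface, public port) tuples claimed by more than one rule.

    The router will not take the same public port twice (see the note in Task 2),
    so anything reported here means one of the two rules is not in effect."""
    claims = defaultdict(list)
    for r in rules:
        if r["kind"] == "port-forward":
            claims[(r["proto"],) + r["public"]].append(r["local"])
    return {k: v for k, v in claims.items() if len(v) > 1}


def exposure_report(rules):
    """inside host -> sorted list of ports reachable from outside.

    'all' comes from a one-to-one rule: every listening service on that host is
    reachable, not only the one you meant to publish."""
    report = defaultdict(set)
    for r in rules:
        host, port = r["local"]
        report[host].add(port)
    return {h: sorted(p, key=lambda x: (isinstance(x, str), x)) for h, p in report.items()}


# The rules exactly as the handout gives them (Task 1 and Task 2).
LAB_RULES = """
ip nat inside source static 192.168.40.20 189.203.32.10
ip nat inside source static tcp 192.168.40.10 80 interface ethernet 0/0 80
ip nat inside source static tcp 192.168.40.20 80 interface ethernet 0/0 81
ip nat inside source static tcp 192.168.40.10 80 interface ethernet 0/0 9000
ip nat inside source static tcp 192.168.40.40 3000 interface ethernet 0/0 777
ip nat inside source static tcp 192.168.40.30 80 interface ethernet 0/0 3000
"""

# Constructed mistake (not from the handout): a sixth rule that reuses public port 80.
BAD_RULES = LAB_RULES + "ip nat inside source static tcp 192.168.40.30 80 interface ethernet 0/0 80\n"

if __name__ == "__main__":
    rules = parse_static_rules(LAB_RULES)
    for host, ports in exposure_report(rules).items():
        print(host, "reachable from outside on", ports)
    print("conflicts in lab rules:", public_port_conflicts(rules))
    print("conflicts with the bad rule:", public_port_conflicts(parse_static_rules(BAD_RULES)))
```

Running it lists four inside hosts; 192.168.40.20 appears with both port 80 (the Nagios forward) and "all" (the Task 1 one-to-one rule), which is the kind of accidental full exposure worth catching before the config goes into production. The parser ignores every other line of a config, so you can feed it a whole show running-config.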

Great job, let's do the next task.

Task 3 - Dynamic NAT

At this point you should already have the interfaces set as NAT inside/outside; if not, do that first.

For this type of NAT we need to:

1) create a pool (we need several public IPs)
2) match the addresses that are allowed to use this type of NAT (an ACL)
3) join the pool and the ACL (the NAT rule)

Our ISP gives us 189.203.32.5-189.203.32.6 from a /29:

    ip nat pool nat-pool 189.203.32.5 189.203.32.6 netmask 255.255.255.248
    ip access-list standard nat
     permit 192.168.10.0 0.0.0.255
     permit 192.168.20.0 0.0.0.255
     permit 192.168.30.0 0.0.0.255
    ip nat inside source list nat pool nat-pool

Time to make some probes:

From all PCs (PC1, PC2, PC3 and PC4) open Firefox and browse to Facebook.

The first one works.

The second one works.

The third one... oops, it doesn't work. This is because we only have two public IPs, which means only two PCs can be translated at a time. Don't worry, we can use a little trick called "overload" or PAT.

First we need to delete the entry:

    no ip nat inside source list nat pool nat-pool

Now configure it again, but add overload at the end:

    ip nat inside source list nat pool nat-pool overload

Try again; now all the PCs can reach the Internet. You can also use show ip nat translations to observe how it is working, or debug ip nat.

Great job!

Task 4 - PAT

The last type of NAT we will talk about is the one most used to reach the Internet; it is called NAT overload or PAT.

For this scenario we assume that we have a dynamic public IP.

We already have the interfaces mapped (inside/outside), and we already have the ACL matching the LAN traffic.

First, we need to delete the previous rule:

    no ip nat inside source list nat pool nat-pool overload

Now we only need to create the rule:

    ip nat inside source list nat interface e0/0 overload

Try again; now all the PCs can reach the Internet. You can also use show ip nat translations to observe how it is working, or debug ip nat.
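As an added example covering both Task 3 and Task 4 (a model written for this page, not code from the handout and not IOS code), the following Python script keeps a miniature inside-to-outside translation table and pushes one flow from a PC on each of the three LANs in the ACL through the three rules used above: the plain dynamic pool, the pool with overload, and the interface with overload. The pool, the ACL and the interface address 189.203.32.1 (the address the Task 2 probes use for R1's ethernet 0/0) come from the lab; the sample flows and the way replacement ports are chosen under PAT are assumptions of the model.

```python
"""Added example for Tasks 3 and 4 (not part of the lab handout, and not IOS code):
a small model of the translation table that reproduces why the third PC fails with
a two-address dynamic pool and why 'overload' (PAT) fixes it."""
import ipaddress
import itertools

# Values taken from the lab: the pool and ACL of Task 3, and 189.203.32.1, the
# address the Task 2 probes use for R1's outside interface ethernet 0/0.
POOL = ["189.203.32.5", "189.203.32.6"]
ACL_NETS = [ipaddress.ip_network(n)
            for n in ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]
OUTSIDE_IF_IP = "189.203.32.1"


def acl_permits(inside_ip):
    """Standard ACL 'nat': only these LANs may be translated."""
    addr = ipaddress.ip_address(inside_ip)
    return any(addr in net for net in ACL_NETS)


class NatTable:
    """Simplified translation table. The port choice under PAT is an assumption of
    this model (keep the source port if free, otherwise hand out 1024, 1025, ...);
    IOS also tries to keep the source port, but its fallback selection differs."""

    def __init__(self, pool, overload=False):
        self.pool = list(pool)
        self.overload = overload
        self.flows = {}       # (inside_ip, src_port) -> (global_ip, global_port)
        self.host_addr = {}   # inside_ip -> global_ip, used by dynamic NAT only
        self.used = set()     # (global_ip, global_port) pairs already handed out
        self.port_seq = itertools.count(1024)

    def translate(self, inside_ip, src_port):
        """Return (inside global ip, port) for this flow, or None if no entry can be made."""
        key = (inside_ip, src_port)
        if key in self.flows:
            return self.flows[key]
        if not acl_permits(inside_ip):
            return None  # not matched by the ACL: IOS routes the packet untranslated
        if self.overload:
            # PAT: everybody shares the first pool address, told apart by port.
            global_ip, global_port = self.pool[0], src_port
            while (global_ip, global_port) in self.used:
                global_port = next(self.port_seq)
        else:
            # Dynamic NAT: one whole address per inside host, first come first served.
            global_ip = self.host_addr.get(inside_ip)
            if global_ip is None:
                free = [ip for ip in self.pool if ip not in self.host_addr.values()]
                if not free:
                    return None  # pool exhausted: the "third PC" of Task 3
                global_ip = free[0]
                self.host_addr[inside_ip] = global_ip
            global_port = src_port
        entry = (global_ip, global_port)
        self.flows[key] = entry
        self.used.add(entry)
        return entry


# Constructed sample traffic: one web flow from a PC on each LAN in the ACL, all
# using the same source port so the port rewriting under PAT is visible.
PC_FLOWS = [("192.168.10.10", 40000), ("192.168.20.10", 40000), ("192.168.30.10", 40000)]


def run(table):
    return [table.translate(ip, port) for ip, port in PC_FLOWS]


def task3_dynamic():
    """ip nat inside source list nat pool nat-pool"""
    return run(NatTable(POOL))


def task3_overload():
    """ip nat inside source list nat pool nat-pool overload"""
    return run(NatTable(POOL, overload=True))


def task4_pat():
    """ip nat inside source list nat interface e0/0 overload: the pool is the interface address"""
    return run(NatTable([OUTSIDE_IF_IP], overload=True))


if __name__ == "__main__":
    print("dynamic pool:   ", task3_dynamic())
    print("pool + overload:", task3_overload())
    print("interface PAT:  ", task4_pat())
```

With the plain pool the third flow gets None, the "oops" of Task 3; with overload all three share 189.203.32.5 and are told apart by port; with the interface form they all share 189.203.32.1, which is why a dynamic public address is not a problem. A host outside the ACL (for example 192.168.40.10) gets no entry at all, which is the table's way of saying the ACL, not the pool, decides who may go out.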

Great job!
