I just finished the NAT scenarios from Narbik’s workbook volume 4. NAT wasn’t that bad but I still took my time while going through each lab. I have already repeated each lab twice just to get some hands-on practice but once again my work experience is coming in handy. I am sure you already know what NAT is but here is a brief overview in Cisco’s own words:
“NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) address in the internal network into legal addresses before packets are forwarded onto another network. NAT can be configured to advertise only one address for the entire network to the outside world. This ability provides additional security, effectively hiding the entire internal network behind that one address.”
Types of NAT
- Static NAT
- Dynamic NAT
- PAT (Port Address Translation)
It doesn’t matter which type of NAT you are working with, you have to understand these key definitions. “Inside” and “outside” say which network the host sits on; “local” and “global” say from whose side of the NAT device the address is seen.
Inside local address—The IP address of a private host on our local network.
Inside global address—The public IP address assigned to our organization by the service provider; this is what our inside host looks like to the outside.
Outside local address—The address of a host on the remote network as our inside hosts see it.
Outside global address—The public IP address of the remote host as assigned by its service provider.
Once you are familiar with the terms, then there are a few other steps that you need to know. Remember you can work with either static or dynamic NAT so knowing all the different ways a task can be performed can increase your chances in the actual lab.
Configuring Inside Source Addresses
There are two ways to perform inside source address translation:
- Static translation establishes a one-to-one mapping between your inside local address and an inside global address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside. Below are the summary steps for performing static inside source translation.
enable
configure terminal
ip nat inside source static local-ip global-ip
interface type number
ip address ip-address mask [secondary]
ip nat inside
exit
interface type number
ip address ip-address mask
ip nat outside
- Dynamic translation establishes a mapping between an inside local address and a pool of global addresses. Below are the summary steps for performing dynamic inside source translation.
enable
configure terminal
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
access-list access-list-number permit source [source-wildcard]
ip nat inside source list access-list-number pool name
interface type number
ip address ip-address mask
ip nat inside
exit
interface type number
ip address ip-address mask
ip nat outside
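As an added example (this is not a configuration from Narbik’s workbook or from Cisco’s documentation), here is a complete static-plus-dynamic inside source configuration for a single router. Every address, interface name, pool name and ACL number is constructed for illustration: the inside LAN is 10.1.1.0/24 on GigabitEthernet0/0, the provider-facing link is GigabitEthernet0/1 with the inside global block 192.0.2.0/24 (a documentation range), the server 10.1.1.10 gets a fixed static mapping, and everyone else borrows from a dynamic pool.

```cisco
! Added example, not the workbook's or Cisco's own config. Constructed addresses:
!   inside LAN  10.1.1.0/24   on GigabitEthernet0/0
!   outside     192.0.2.0/24  on GigabitEthernet0/1 (router is 192.0.2.1)
!
! --- Static one-to-one: inside local 10.1.1.10 is always seen as 192.0.2.10.
!     Argument order for "inside source static" is local-ip first, global-ip second.
ip nat inside source static 10.1.1.10 192.0.2.10
!
! --- Dynamic: the rest of 10.1.1.0/24 borrows an address from POOL-OUT.
ip nat pool POOL-OUT 192.0.2.20 192.0.2.30 netmask 255.255.255.0
!
! The ACL only selects which inside local addresses are eligible for translation.
! It is NOT a packet filter: an inside host that is denied here is simply not
! translated, and it still needs a real filter (interface ACL) to be blocked.
access-list 10 deny   10.1.1.10
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 pool POOL-OUT
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Toward provider
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! Verification (the static entry is present even before any traffic flows;
! dynamic entries appear only after an inside host sends something):
!   show ip nat translations
!   Pro Inside global      Inside local       Outside local      Outside global
!   --- 192.0.2.10         10.1.1.10          ---                ---
!   show ip nat statistics      <- hits, misses, pool usage
!   clear ip nat translation *  <- flush dynamic entries when re-testing a lab
```

Two things worth checking in a lab before moving on: the pool above holds only 11 addresses, so the 12th concurrent inside host is dropped once the pool is exhausted (this is the problem PAT solves), and the static mapping makes 10.1.1.10 reachable from the outside at 192.0.2.10 for every protocol and port, so an inbound ACL on GigabitEthernet0/1 is what actually limits exposure, not the NAT entry.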
Port Address Translation (PAT):
Port Address Translation (PAT) allows us to use a single global IP address for multiple inside local addresses. This conserves the company’s public addresses by giving all the internal users access to the outside network through TCP and UDP ports that are not yet in use. The router keeps enough information from the TCP and UDP port numbers to translate traffic for the global address back to the correct local address.
enable
configure terminal
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
access-list access-list-number permit source [source-wildcard]
ip nat inside source list access-list-number pool name overload
interface type number
ip address ip-address mask
ip nat inside
exit
interface type number
ip address ip-address mask
ip nat outside
If you don’t want to create a pool, you can point the overloaded translation at the outside interface instead and it will use the IP address of that physical interface. As always it is important that we remember all the different ways a task can be performed, as that will increase our chances in the real lab.
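As an added example (not the workbook’s or Cisco’s own configuration), here is PAT done both ways for the same constructed topology as before: inside 10.1.1.0/24 on GigabitEthernet0/0, outside GigabitEthernet0/1 with address 192.0.2.1/24. Variant 1 overloads a one-address pool; variant 2 overloads the outside interface’s own address. Pool name, ACL number and the sample translation entry are constructed.

```cisco
! Added example, not the page's own config. Constructed addresses as before:
!   inside 10.1.1.0/24 on Gi0/0, outside Gi0/1 = 192.0.2.1/24
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Variant 1: overload a pool. A one-address pool is common; "overload" is the
! keyword that turns the dynamic mapping into PAT (many inside hosts per address).
ip nat pool POOL-PAT 192.0.2.50 192.0.2.50 netmask 255.255.255.0
ip nat inside source list 10 pool POOL-PAT overload
!
! Variant 2: no pool at all; overload the outside interface's address (192.0.2.1).
! Use ONE of the two variants for a given ACL, so this one is left commented out.
! ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! What the table looks like after inside host 10.1.1.20 opens a web session to
! 203.0.113.5 (constructed entry; the router keeps the source port when it is
! free and picks another one when two inside hosts collide on the same port):
!   show ip nat translations
!   Pro Inside global        Inside local        Outside local       Outside global
!   tcp 192.0.2.50:1025      10.1.1.20:1025      203.0.113.5:80      203.0.113.5:80
```

Because the inside global address carries a port for every flow, a PAT entry is only created by inside-initiated traffic; nothing on the outside can open a session to 10.1.1.20 unless you add a static (or static port) mapping for it. That is also why PAT logs and translation tables are useful evidence when you investigate which inside host was behind a given public address and port at a given time.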
Extendable Keyword:
ip nat inside source static local-ip global-ip extendable
By default, Cisco IOS will not allow us to have two NAT entries for the same IP address. The extendable keyword creates an extended entry in the translation table so we can have multiple translation entries for a single inside address. This is helpful when you have more than one service provider, since the same inside host then needs a different global address on each provider’s link.
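As an added example (not from the workbook or Cisco’s documentation), here is the two-provider case the extendable keyword exists for. Everything is constructed: the inside server 10.1.1.10 on GigabitEthernet0/0 must be reachable as 192.0.2.10 through ISP-A on GigabitEthernet0/1 and as 198.51.100.10 through ISP-B on GigabitEthernet0/2.

```cisco
! Added example, not the page's own config. Constructed: two provider links,
!   ISP-A on Gi0/1 with 192.0.2.0/24, ISP-B on Gi0/2 with 198.51.100.0/24,
! and one inside server 10.1.1.10 that must answer on both.
!
! Without "extendable" the second line is rejected, because IOS already has a
! static entry for inside local 10.1.1.10. With it, both entries coexist and the
! router picks the one whose global address matches the interface the traffic
! arrives on or leaves through.
ip nat inside source static 10.1.1.10 192.0.2.10     extendable
ip nat inside source static 10.1.1.10 198.51.100.10  extendable
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP-A
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP-B
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! Verify: both entries show up, one per global address, for the same inside local.
!   show ip nat translations
```

Note that this now exposes the same server on two public addresses, so any inbound filtering you apply on one provider-facing interface has to be mirrored on the other; an ACL that only covers GigabitEthernet0/1 leaves the 198.51.100.10 path open.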
Using Route-maps for NAT:
Route-maps are so powerful that whenever I have a chance to use route-maps, I use them. Route-maps allow us to match any combination of access-list, next-hop and output interface to determine which pool to use. Route-maps with static translations enable NAT multihoming.
enable
configure terminal
ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}
exit
show ip nat translations [verbose]
The NAT Route Maps Outside-to-Inside Support feature enables a NAT route-map configuration that allows IP sessions to be initiated from the outside to the inside. An initial session from inside to outside is still required to trigger the translation. New sessions can then be initiated from outside to inside toward the inside host that triggered the initial translation.
enable
configure terminal
ip nat pool name start-ip end-ip netmask netmask
ip nat pool name start-ip end-ip netmask netmask
ip nat inside source route-map name pool name [reversible]
ip nat inside source route-map name pool name [reversible]
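As an added example (not the workbook’s or Cisco’s own configuration) covering both the route-map discussion and the outside-to-inside feature above: two inside subnets are sent to two different pools, each selected by a route-map, and both mappings carry the reversible keyword. All names and addresses are constructed. The route-maps here select on access-list only; route-maps can also match next-hop or output interface, but this example keeps to the access-list form that the reversible keyword is documented with.

```cisco
! Added example, not the page's own config. Constructed topology:
!   inside subnets 10.1.1.0/24 and 10.1.2.0/24 behind Gi0/0
!   POOL-A = 192.0.2.10-20 (ISP-A on Gi0/1), POOL-B = 198.51.100.10-20 (ISP-B on Gi0/2)
ip nat pool POOL-A 192.0.2.10    192.0.2.20    netmask 255.255.255.0
ip nat pool POOL-B 198.51.100.10 198.51.100.20 netmask 255.255.255.0
!
! Which inside sources each route-map applies to.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 10.1.2.0 0.0.0.255 any
!
route-map MAP-A permit 10
 match ip address 102
!
route-map MAP-B permit 10
 match ip address 103
!
! "reversible": once an inside host has created an entry by talking outward,
! outside hosts may open new sessions toward that host through the same entry.
! Omit the keyword and the entry stays strictly inside-to-outside.
ip nat inside source route-map MAP-A pool POOL-A reversible
ip nat inside source route-map MAP-B pool POOL-B reversible
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 secondary
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP-A
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP-B
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! Verify which pool a host landed in, and whether the entry is reversible:
!   show ip nat translations verbose
```

The practical consequence of reversible is that an inside host which merely browses outward becomes reachable from anywhere for as long as its translation lives, so treat it like a temporary static mapping: keep the translation timeout short and keep an inbound ACL on the outside interfaces, since the route-map ACLs only choose a pool and filter nothing.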
TCP Load Balancing for NAT
We can also use NAT to perform load balancing so that users point to one virtual IP address and the NAT device translates it to different physical boxes on a round-robin basis. This is helpful if you have some application that is heavily utilized and you want better performance. Allocating five physical boxes and combining them behind a virtual IP address spreads the load.
enable
configure terminal
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
access-list access-list-number permit source [source-wildcard]
ip nat inside destination list access-list-number pool name
interface type number
ip address ip-address mask
ip nat inside
exit
interface type number
ip address ip-address mask
ip nat outside
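As an added example (not from the workbook or Cisco’s documentation), here is a rotary pool that spreads TCP connections for one virtual address over three inside web servers. Everything is constructed: the servers are 10.1.1.11 to 10.1.1.13 on GigabitEthernet0/0, the outside link is 192.0.2.0/30 on GigabitEthernet0/1, and the virtual address 192.0.2.80 is assumed to be routed to this router by the provider (it is not on the link subnet).

```cisco
! Added example, not the page's own config. Constructed topology:
!   real servers 10.1.1.11-10.1.1.13 on Gi0/0 (inside)
!   outside link 192.0.2.0/30 on Gi0/1, router = 192.0.2.1
!   virtual address 192.0.2.80, assumed routed to 192.0.2.1 by the provider
!
! "type rotary": new TCP connections to the virtual address are handed to the
! pool members in turn. Only TCP is balanced; UDP/ICMP to 192.0.2.80 is not.
ip nat pool WEB-FARM 10.1.1.11 10.1.1.13 prefix-length 24 type rotary
!
! The destination list names the *virtual* address that triggers the rotation.
access-list 20 permit 192.0.2.80
ip nat inside destination list 20 pool WEB-FARM
!
! NAT is not access control: without a filter, every TCP port on the real servers
! is reachable through 192.0.2.80. Inbound ACLs on the outside interface are
! evaluated before the outside-to-inside translation, so they match the global
! (virtual) address. This ACL only covers the farm; merge it with your own rules.
ip access-list extended FROM-PROVIDER
 permit tcp any host 192.0.2.80 eq 80
 deny   ip  any host 192.0.2.80 log
 permit ip  any any
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 ip access-group FROM-PROVIDER in
 ip nat outside
!
! Verify the rotation by opening several connections from outside and watching
! the Inside local column cycle through .11, .12, .13:
!   show ip nat translations
```

Rotary NAT has no idea whether a server is up; a box that has died still gets every third connection until you remove it from the pool, so this is a lab technique rather than a replacement for a load balancer with health checks.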
Static NAT with HSRP
When an ARP query is triggered for an address that is configured with a NAT static mapping and owned by the router, NAT responds with the burned-in MAC address of the interface on which the ARP arrived. Two routers act as HSRP active and standby. Their NAT inside interfaces must be enabled and configured to belong to a group. Make sure that you enable HSRP on the NAT interface first and then configure NAT and link it to the HSRP instance.
- Enabling HSRP on the NAT Interface
enable
configure terminal
interface type number
ip address ip-address mask
no ip redirects
ip nat {inside | outside}
standby [group-number] ip [ip-address [secondary]]
standby name [group-name]
end
show standby
show ip nat translations [verbose]
- Configuring NAT & Integrating it with HSRP
enable
configure terminal
ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip redundancy group-name}
ip nat outside source {list {access-list-number | access-list-name} pool pool-name [overload] | static global-ip local-ip redundancy group-name}
exit
show ip nat translations [verbose]
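As an added example (not from the workbook or Cisco’s documentation) that ties the two HSRP steps above together: two routers share an inside LAN and an outside LAN, HSRP group 1 is enabled on the inside NAT interface, and one static mapping is bound to the HSRP group name so that only the active router answers for it. All addresses, interface names and the group name are constructed; R1 and R2 differ only in their interface addresses and standby priority.

```cisco
! Added example, not the page's own config. Constructed topology:
!   inside LAN 10.1.1.0/24 (HSRP virtual 10.1.1.254), outside LAN 192.0.2.0/24
!   R1 = 10.1.1.2 / 192.0.2.2 (preferred active), R2 = 10.1.1.3 / 192.0.2.3
!   static mapping: inside server 10.1.1.10 is seen outside as 192.0.2.10
!
! ================= R1 =================
interface GigabitEthernet0/0
 description Inside LAN (HSRP group 1)
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip nat inside
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 name NAT-HA
!
interface GigabitEthernet0/1
 description Outside
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
!
! The "redundancy" keyword ties the mapping to HSRP group NAT-HA: the router
! that is active for the group owns the translation and answers ARP for it.
ip nat inside source static 10.1.1.10 192.0.2.10 redundancy NAT-HA
!
! ================= R2 =================
! Identical, except for its own addresses and a lower priority. The NAT line
! must be present on both routers, otherwise a failover leaves the mapping gone.
interface GigabitEthernet0/0
 description Inside LAN (HSRP group 1)
 ip address 10.1.1.3 255.255.255.0
 no ip redirects
 ip nat inside
 standby 1 ip 10.1.1.254
 standby 1 priority 100
 standby 1 preempt
 standby 1 name NAT-HA
!
interface GigabitEthernet0/1
 description Outside
 ip address 192.0.2.3 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.10 192.0.2.10 redundancy NAT-HA
!
! Verify on each router: which one is Active for group 1, and that the static
! entry exists on both so a failover does not drop the mapping.
!   show standby brief
!   show ip nat translations
```

A quick test in the lab is to ping 192.0.2.10 from an outside host, shut GigabitEthernet0/0 on R1, and confirm the pings resume once R2 shows Active; if they do not, the usual cause is the static line missing on R2 or the standby name not matching the redundancy keyword exactly.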
There is also SNAT, aka Stateful NAT, with or without HSRP, that we need to be familiar with. That’s something we should read up on in the DocCD and be very comfortable with. I think I have spent enough time on NAT, so it’s time to move on to IP Services.