9. Try telnetting from host 192.168.10.2 to LA using the destination IP address of 172.16.10.6. This should fail, but the ping command should work.
10. On the console of SF, because of the log command, the output should appear as follows:
01:11:48: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 1 packet
01:13:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 3 packets
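To make this kind of console output useful beyond a lab, here is an added Python example (not from the book) that parses %SEC-6-IPACCESSLOGP messages and totals the denied packets per flow; the three sample lines are constructed to match the format shown above.

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOGP) and total the
denied packets per flow. Added example; the sample lines are constructed
to match the lab output format, not captured from a real device."""
import re
from collections import defaultdict

# Constructed sample log lines in the format the log keyword produces.
SAMPLE_LOG = """\
01:11:48: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 1 packet
01:13:04: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.10.2(1030) -> 172.16.10.6(23), 3 packets
01:14:10: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.168.10.2(1031) -> 172.16.10.6(80), 2 packets
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if the
    line is not an ACL log message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])
    return rec


def denied_totals(log_text):
    """Sum denied packets per (acl, proto, src, dst, dport) flow so repeated
    attempts from one host show up as a single line with a running count."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            key = (rec["acl"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            totals[key] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for flow, packets in denied_totals(SAMPLE_LOG).items():
        print(flow, packets)
```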
Review Questions
The following questions are designed to test your understanding of this chapter’s material. For more information on how to get additional questions, please see www.lammle.com/ccna.
You can find the answers to these questions in Appendix B, “Answers to Review Questions.”
1. Which of the following statements is false when a packet is being compared to an access list?
A. It’s always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit “deny” at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.
2. You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?
A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255
3. You have created a named access list called BlockSales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?
A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#BlockSales ip access-list in
4. Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?
A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80
5. Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?
A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
B. access-list 10 deny tcp any 196.15.7.0 eq www
C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www
D. access-list 110 permit ip any 196.15.7.0 0.0.0.255
E. access-list 110 permit www 196.15.7.0 0.0.0.255
6. What router command allows you to determine whether an IP access list is enabled on a particular interface?
A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface
7. In the work area, connect the show command to its function on the right.
Commands:
show access-list
show access-list 110
show ip access-list
show ip interface
Functions:
Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
Shows only the IP access lists configured on the router.
Shows which interfaces have access lists set.
Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
8. If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?
A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23
9. If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?
A. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
B. access-list 111 permit ip any 0.0.0.0 255.255.255.255
C. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
D. access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
E. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
   access-list 198 permit ip any 0.0.0.0 255.255.255.255
10. You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any
11. Which of the following is the wildcard (inverse) version of a /27 mask?
A. 0.0.0.7
B. 0.0.0.31
C. 0.0.0.27
D. 0.0.31.255
12. You want to create an extended access list that denies the subnet of the following host: 172.16.198.94/19. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.0.0 0.0.255.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.188.0 0.0.15.255 any
13. The following access list has been applied to an interface on a router:
access-list 101 deny tcp 199.111.16.32 0.0.0.31 host 199.168.5.60
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose all that apply.)
A. 199.111.16.67
B. 199.111.16.38
C. 199.111.16.65
D. 199.11.16.54
14. Which of the following commands connects access list 110 inbound to interface Ethernet0?
A. Router(config)#ip access-group 110 in
B. Router(config)#ip access-list 110 in
C. Router(config-if)#ip access-group 110 in
D. Router(config-if)#ip access-list 110 in
15. What is the effect of this single-line access list?
access-list 110 deny ip 172.16.10.0 0.0.0.255 host 1.1.1.1
A. Denies only the computer at 172.16.10
B. Denies all traffic
C. Denies the subnet 172.16.10.0/26
D. Denies the subnet 172.16.10.0/25
16. You configure the following access list. What will the result of this access list be?
access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out
A. Email and Telnet will be allowed out E0.
B. Email and Telnet will be allowed in E0.
C. Everything but email and Telnet will be allowed out E0.
D. No IP traffic will be allowed out E0.
17. Which of the following series of commands will restrict Telnet access to the router?
A. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line con 0
   Lab_A(config-line)#ip access-group 10 in
B. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#access-class 10 out
C. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#access-class 10 in
D. Lab_A(config)#access-list 10 permit 172.16.1.1
   Lab_A(config)#line vty 0 4
   Lab_A(config-line)#ip access-group 10 in
18. Which of the following is true regarding access lists applied to an interface?
A. You can place as many access lists as you want on any interface until you run out of memory.
B. You can apply only one access list on any interface.
C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.
D. You can apply two access lists to any interface.
19. What is the most common attack on a network today?
A. Lock picking
B. Naggle
C. DoS
D. auto secure
20. You need to stop DoS attacks in real time and have a log of anyone who has tried to attack your network. What should you do on your network?
A. Add more routers.
B. Use the auto secure command.
C. Implement IDS/IPS.
D. Configure Naggle.
Chapter 13
Network Address Translation (NAT)
THE FOLLOWING ICND1 EXAM TOPICS ARE COVERED IN THIS CHAPTER:
4.0 Infrastructure Services
4.7 Configure, verify, and troubleshoot inside source NAT
4.7.a Static
4.7.b Pool
4.7.c PAT
In this chapter, we’re going to dig into Network Address Translation (NAT), Dynamic NAT, and Port Address Translation (PAT), also known as NAT Overload. Of course, I’ll demonstrate all the NAT commands. I’ve also provided some fantastic hands-on labs for you to configure at the end of this chapter, so be sure not to miss those!
It’s important to understand the Cisco objectives for this chapter. They are very straightforward: you have hosts on your inside Corporate network using RFC 1918 addresses and you need to allow those hosts access to the Internet by configuring NAT translations. With that objective in mind, that’s the direction I’ll take in this chapter.
Because we’ll be using ACLs in our NAT configurations, it’s important that you’re really comfortable with the skills you learned in the previous chapter before proceeding with this one.
To find up-to-the-minute updates for this chapter, please see www.lammle.com/ccna or the book’s web page at www.sybex.com/go/ccna.
When Do We Use NAT?
Network Address Translation (NAT) is similar to Classless Inter-Domain
Routing (CIDR) in that the original intention for NAT was to slow the
depletion of available IP address space by allowing multiple private IP
addresses to be represented by a much smaller number of public IP
addresses.
Since then, it’s been discovered that NAT is also a useful tool for network
migrations and mergers, server load sharing, and creating “virtual
servers.” So in this chapter, I’m going to describe the basics of NAT
functionality and the terminology common to NAT.
Because NAT really decreases the overwhelming amount of public IP
addresses required in a networking environment, it comes in really handy
when two companies that have duplicate internal addressing schemes
merge. NAT is also a great tool to use when an organization changes its
Internet service provider (ISP) but the networking manager needs to
avoid the hassle of changing the internal address scheme.
Here’s a list of situations when NAT can be especially helpful:
When you need to connect to the Internet and your hosts don’t have
globally unique IP addresses
When you’ve changed to a new ISP that requires you to renumber
your network
When you need to merge two intranets with duplicate addresses
You typically use NAT on a border router. For example, in Figure 13.1, NAT is used on the Corporate router connected to the Internet.
FIGURE 13.1 Where to configure NAT
Now you may be thinking, “NAT’s totally cool and I just gotta have it!” But don’t get too excited yet because there are some serious snags related to using NAT that you need to understand first. Don’t get me wrong—it can truly be a lifesaver sometimes, but NAT has a bit of a dark side you need to know about too. For the pros and cons linked to using NAT, check out Table 13.1.
TABLE 13.1 Advantages and disadvantages of implementing NAT
Advantages:
Conserves legally registered addresses.
Remedies address overlap events.
Increases flexibility when connecting to the Internet.
Eliminates address renumbering as a network evolves.
Disadvantages:
Translation results in switching path delays.
Causes loss of end-to-end IP traceability.
Certain applications will not function with NAT enabled.
Complicates tunneling protocols such as IPsec because NAT modifies the values in the header.
The most obvious advantage associated with NAT is that it
allows you to conserve your legally registered address scheme. But a
version of it known as PAT is also why we’ve only just recently run out
of IPv4 addresses. Without NAT/PAT, we’d have run out of IPv4
addresses more than a decade ago!
Types of Network Address Translation
In this section, I’m going to go over the three types of NATs with you:
Static NAT (one-to-one) This type of NAT is designed to allow one-to-
one mapping between local and global addresses. Keep in mind that the
static version requires you to have one real Internet IP address for every
host on your network.
Dynamic NAT (many-to-many) This version gives you the ability to
map an unregistered IP address to a registered IP address from out of a
pool of registered IP addresses. You don’t have to statically configure
your router to map each inside address to an individual outside address
as you would using static NAT, but you do have to have enough real, bona
fide IP addresses for everyone who’s going to be sending packets to and
receiving them from the Internet at the same time.
Overloading (one-to-many) This is the most popular type of NAT
configuration. Understand that overloading really is a form of dynamic
NAT that maps multiple unregistered IP addresses to a single registered
IP address (many-to-one) by using different source ports. Now, why is
this so special? Well, because it’s also known as Port Address Translation
(PAT), which is also commonly referred to as NAT Overload. Using PAT
allows you to permit thousands of users to connect to the Internet using
only one real global IP address—pretty slick, right? Seriously, NAT
Overload is the real reason we haven’t run out of valid IP addresses on
the Internet. Really—I’m not joking!
I’ll show you how to configure all three types of NAT
throughout this chapter and at the end of this chapter with the hands-
on labs.
NAT Names
The names we use to describe the addresses used with NAT are fairly
straightforward. Addresses used after NAT translations are called global
addresses. These are usually the public addresses used on the Internet,
which you don’t need if you aren’t going on the Internet.
Local addresses are the ones we use before NAT translation. This means
that the inside local address is actually the private address of the sending
host that’s attempting to get to the Internet. The outside local address
would typically be the router interface connected to your ISP and is also
usually a public address used as the packet begins its journey.
After translation, the inside local address is then called the inside global address and the outside global address then becomes the address of the destination host. Check out Table 13.2, which lists all this terminology and offers a clear picture of the various names used with NAT. Keep in mind that these terms and their definitions can vary somewhat based on implementation. The table shows how they’re used according to the Cisco exam objectives.
TABLE 13.2 NAT terms
Inside local: Source host inside address before translation—typically an RFC 1918 address.
Outside local: Address of an outside host as it appears to the inside network. This is usually the address of the router interface connected to ISP—the actual Internet address.
Inside global: Source host address used after translation to get onto the Internet. This is also the actual Internet address.
Outside global: Address of outside destination host and, again, the real Internet address.
How NAT Works
Okay, it’s time to look at how this whole NAT thing works. I’m going to start by using Figure 13.2 to describe basic NAT translation.
FIGURE 13.2 Basic NAT translation
In this figure, we can see host 10.1.1.1 sending an Internet-bound packet
to the border router configured with NAT. The router identifies the
source IP address as an inside local IP address destined for an outside
network, translates the source IP address in the packet, and documents
the translation in the NAT table.
The packet is sent to the outside interface with the new translated source
address. The external host returns the packet to the destination host and
the NAT router translates the inside global IP address back to the inside
local IP address using the NAT table. This is as simple as it gets!
Let’s take a look at a more complex configuration using overloading, also referred to as PAT. I’ll use Figure 13.3 to demonstrate how PAT works by having an inside host HTTP to a server on the Internet.
FIGURE 13.3 NAT overloading example (PAT)
With PAT, all inside hosts get translated to one single IP address, hence
the term overloading. Again, the reason we’ve just run out of available
global IP addresses on the Internet is because of overloading (PAT).
Take a look at the NAT table in Figure 13.3 again. In addition to the inside local IP address and inside global IP address, we now have port numbers.
These port numbers help the router identify which host should receive
the return traffic. The router uses the source port number from each host
to differentiate the traffic from each of them. Understand that the packet
has a destination port number of 80 when it leaves the router, and the
HTTP server sends back the data with a destination port number of 1026,
in this example. This allows the NAT translation router to differentiate
between hosts in the NAT table and then translate the destination IP
address back to the inside local address.
Port numbers are used at the Transport layer to identify the local host in this example. If we had to use a real global IP address to identify each source host, that would be static NAT, and we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts, which in turn allows us to theoretically use up to about 65,000 hosts with only one real IP address!
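As an added illustration of the PAT table just described (example code written for this section, not Cisco’s), here is a small Python model that keeps each host’s own source port while it is free and picks another when two hosts collide on the same port; the inside global address 170.46.2.2 comes from the chapter, while the inside hosts and the 203.0.113.10 web server are constructed.

```python
"""Model of a PAT (NAT overload) translation table. Added example for this
chapter, not Cisco code; hosts, server and ports are constructed."""


class PatTable:
    """Map many (inside local IP, port) pairs onto one inside global IP."""

    def __init__(self, inside_global, port_range=(1024, 65535)):
        self.inside_global = inside_global
        self.port_range = port_range
        self.outbound = {}  # (proto, inside_local, local_port) -> global_port
        self.inbound = {}   # (proto, global_port) -> (inside_local, local_port)

    def _pick_global_port(self, proto, wanted):
        # Keep the host's own source port while it is still free; otherwise
        # take the lowest unused port in the range, or fail when exhausted.
        if (proto, wanted) not in self.inbound:
            return wanted
        lo, hi = self.port_range
        for port in range(lo, hi + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port range exhausted")

    def translate_out(self, proto, src, sport, dst, dport):
        """Rewrite an inside-to-outside packet, adding a table entry if needed."""
        key = (proto, src, sport)
        if key not in self.outbound:
            gport = self._pick_global_port(proto, sport)
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = (src, sport)
        return (proto, self.inside_global, self.outbound[key], dst, dport)

    def translate_in(self, proto, src, sport, dst, dport):
        """Rewrite a return packet; the destination port is the demux key.
        None means no table entry exists (unsolicited inbound traffic)."""
        if dst != self.inside_global:
            return None
        entry = self.inbound.get((proto, dport))
        if entry is None:
            return None
        inside_local, local_port = entry
        return (proto, src, sport, inside_local, local_port)


def demo():
    """Two inside hosts reach one web server from the same source port 1026."""
    nat = PatTable("170.46.2.2")   # inside global address used in the chapter
    web = "203.0.113.10"           # constructed web server (TEST-NET-3 range)
    a = nat.translate_out("tcp", "10.1.1.1", 1026, web, 80)
    b = nat.translate_out("tcp", "10.1.1.2", 1026, web, 80)
    reply_a = nat.translate_in("tcp", web, 80, "170.46.2.2", a[2])
    reply_b = nat.translate_in("tcp", web, 80, "170.46.2.2", b[2])
    stray = nat.translate_in("tcp", web, 80, "170.46.2.2", 5000)
    return a, b, reply_a, reply_b, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```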
Static NAT Configuration
Let’s take a look at a simple example of a basic static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.46.2.1 255.255.255.0
 ip nat outside
!
In the preceding router output, the ip nat inside source command identifies which IP addresses will be translated. In this configuration example, the ip nat inside source command configures a static translation between the inside local IP address 10.1.1.1 and the outside global IP address 170.46.2.2.
Scrolling farther down in the configuration, we find an ip nat command under each interface. The ip nat inside command identifies that interface as the inside interface. The ip nat outside command identifies that interface as the outside interface. When you look back at the ip nat inside source command, you can see that the command is referencing the inside interface as the source or starting point of the translation. You could also use the command like this: ip nat outside source. This option indicates the interface that you designated as the outside interface should become the source or starting point for the translation.
Dynamic NAT Configuration
Basically, dynamic NAT really means we have a pool of addresses that
we’ll use to provide real IP addresses to a group of users on the inside.
Because we don’t use port numbers, we must have real IP addresses for
every user who’s trying to get outside the local network simultaneously.
Here is a sample output of a dynamic NAT configuration:
ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
The ip nat inside source list 1 pool todd command tells the router to translate IP addresses that match access-list 1 to an address found in the IP NAT pool named todd. Here the ACL isn’t there to filter traffic for security reasons by permitting or denying traffic. In this case, it’s there to select or designate what we often call interesting traffic. When interesting traffic has been matched with the access list, it’s pulled into the NAT process to be translated. This is actually a common use for access lists, which aren’t always stuck with the dull job of just blocking traffic at an interface!
The command ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0 creates a pool of addresses that will be distributed to the specific hosts that require global addresses. When troubleshooting NAT for the Cisco objectives, always check this pool to confirm that there are enough addresses in it to provide translation for all the inside hosts. Last, check to make sure the pool names match exactly on both lines, remembering that they are case sensitive; if they don’t, the pool won’t work!
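The following added Python model (not Cisco code) shows how the ACL selects interesting traffic with a wildcard mask and how the pool hands out one global address per inside host; it uses access-list 1 and the pool addresses from the configuration above, but shrinks the pool to two addresses (constructed) so that the exhaustion case the troubleshooting note warns about actually shows.

```python
"""Model of dynamic NAT: a standard ACL selects the interesting traffic and
a pool hands out one global address per active inside host. Added example
for this section, not Cisco code; the two-address pool is constructed."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Test addr against network/wildcard the way an IOS ACL entry does:
    wildcard bits set to 1 are "don't care", bits set to 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


class StandardAcl:
    """Ordered (action, network, wildcard) entries; the first match wins."""

    def __init__(self, entries):
        self.entries = entries

    def permits(self, src):
        for action, network, wildcard in self.entries:
            if wildcard_match(src, network, wildcard):
                return action == "permit"
        return False  # implicit deny at the end of every access list


class DynamicNat:
    """Translate the inside local sources the ACL selects, one pool address each."""

    def __init__(self, acl, pool_start, pool_end):
        self.acl = acl
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def translate(self, src):
        """Return the source address a packet from src leaves with.
        Uninteresting traffic passes through untranslated; None means the
        pool is exhausted and the router has no global address to hand out."""
        if src in self.table:
            return self.table[src]
        if not self.acl.permits(src):
            return src
        if not self.free:
            return None
        self.table[src] = self.free.pop(0)
        return self.table[src]


def demo():
    """Same ACL as the configuration above with a constructed two-address pool,
    so the third interesting host has nothing left to translate to."""
    acl = StandardAcl([("permit", "10.1.1.0", "0.0.0.255")])
    nat = DynamicNat(acl, "170.168.2.3", "170.168.2.4")
    hosts = ("10.1.1.7", "10.1.1.7", "10.1.1.9", "10.2.9.9", "10.1.1.20")
    return [nat.translate(h) for h in hosts]


if __name__ == "__main__":
    print(demo())
```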