PAT (Overloading) Configuration
This last example shows how to configure inside global address
overloading. This is the typical form of NAT that we would use today. It’s
actually now rare to use static or dynamic NAT unless it is for something
like statically mapping a server, for example.
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
The nice thing about PAT is that there are only a few differences between this configuration and the previous dynamic NAT configuration:
Our pool of addresses has shrunk to only one IP address.
We included the overload keyword at the end of our ip nat inside source command.
A really key factor to see in the example is that the one IP address that’s
in the pool for us to use is the IP address of the outside interface. This is
perfect if you are configuring NAT Overload for yourself at home or for a
small office that only has one IP address from your ISP. You could,
however, use an additional address such as 170.168.2.2 if you had that
address available to you as well, and doing that could prove very helpful
in a very large implementation where you’ve got such an abundance of
simultaneously active internal users that you need to have more than one
overloaded IP address on the outside!
Simple Verification of NAT
As always, once you’ve chosen and configured the type of NAT you’re
going to run, which is typically PAT, you must be able to verify your
configuration.
To see basic IP address translation information, use the following
command:
Router#show ip nat translations
When looking at the IP NAT translations, you may see many translations
from the same host to the corresponding host at the destination.
Understand that this is typical when there are many connections to the
same server.
You can also verify your NAT configuration via the debug ip nat command. This output will show the sending address, the translation, and the destination address on each debug line:
Router#debug ip nat
But wait—how do you clear your NAT entries from the translation table? Just use the clear ip nat translation command, and if you want to clear all entries from the NAT table, just use an asterisk (*) at the end of the command.
Testing and Troubleshooting NAT
Cisco’s NAT gives you some serious power—and it does so without much
effort, because the configurations are really pretty simple. But we all
know nothing’s perfect, so in case something goes wrong, you can figure
out some of the more common culprits by running through this list of
potential causes:
Check the dynamic pools. Are they composed of the right scope of
addresses?
Check to see if any dynamic pools overlap.
Check to see if the addresses used for static mapping and those in the
dynamic pools overlap.
Ensure that your access lists specify the correct addresses for
translation.
Make sure there aren’t any addresses left out that need to be there,
and ensure that none are included that shouldn’t be.
Check to make sure you’ve got both the inside and outside interfaces
delimited properly.
A key thing to keep in mind is that one of the most common problems
with a new NAT configuration often isn’t specific to NAT at all—it usually
involves a routing blooper. So, because you’re changing a source or
destination address in a packet, make sure your router still knows what to
do with the new address after the translation!
The first command you should typically use is the show ip nat translations command:
Router#show ip nat trans
Pro  Inside global   Inside local   Outside local   Outside global
---  192.2.2.1       10.1.1.1       ---             ---
---  192.2.2.2       10.1.1.2       ---             ---
After checking out this output, can you tell me if the configuration on the
router is static or dynamic NAT? The answer is yes, either static or
dynamic NAT is configured because there’s a one-to-one translation from
the inside local to the inside global. Basically, by looking at the output,
you can’t tell if it’s static or dynamic per se, but you absolutely can tell
that you’re not using PAT because there are no port numbers.
Let’s take a look at another output:
Router#sh ip nat trans
Pro  Inside global       Inside local     Outside local   Outside global
tcp  170.168.2.1:11003   10.1.1.1:11003   172.40.2.2:23   172.40.2.2:23
tcp  170.168.2.1:1067    10.1.1.1:1067    172.40.2.3:23   172.40.2.3:23
Okay, you can easily see that the previous output is using NAT Overload
(PAT). The protocol in this output is TCP, and the inside global address is
the same for both entries.
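As an added example (not part of the chapter), here is a small Python parser for show ip nat translations output that applies the rule just described: entries carrying port numbers mean PAT, while port-less one-to-one entries mean static or dynamic NAT, which the table alone cannot tell apart. The two sample outputs are constructed to match the tables above, with one extra UDP row added to the PAT sample.

```python
from collections import Counter

# Constructed sample output in the layout of 'show ip nat translations';
# not captured from a real router.
SAMPLE_ONE_TO_ONE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 192.2.2.1          10.1.1.1           ---                ---
--- 192.2.2.2          10.1.1.2           ---                ---
"""

SAMPLE_PAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 170.168.2.1:11003  10.1.1.1:11003     172.40.2.2:23      172.40.2.2:23
tcp 170.168.2.1:1067   10.1.1.1:1067      172.40.2.3:23      172.40.2.3:23
udp 170.168.2.1:5060   10.1.1.2:5060      172.40.2.9:5060    172.40.2.9:5060
"""


def split_endpoint(field):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, sep, port = field.rpartition(":")
    return (host, int(port)) if sep else (field, None)


def parse_translations(text):
    """Return one dict per translation row; the header row has nine words and is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        proto, ig, il, ol, og = fields
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def classify(entries):
    """Port numbers on the inside global mean PAT (overload); no ports mean
    static or dynamic NAT, and the table does not say which of the two."""
    if not entries:
        return "no translations"
    if any(e["inside_global"][1] is not None for e in entries):
        return "PAT (overload)"
    return "static or dynamic NAT"


def per_host_counts(entries):
    """Translations per inside local host; several per host is normal under PAT."""
    return Counter(e["inside_local"][0] for e in entries)
```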
Supposedly the sky’s the limit regarding the number of mappings the NAT table can hold. But this is reality, so things like memory and CPU, or even the boundaries set in place by the scope of available addresses or ports, can cause limitations on the actual number of entries. Consider that each NAT mapping devours about 160 bytes of memory. And sometimes the number of entries must be limited for the sake of performance or because of policy restrictions, but this doesn’t happen very often. In situations like these, just go to the ip nat translation max-entries command for help.
Another handy command for troubleshooting is show ip nat statistics. Deploying this gives you a summary of the NAT configuration, and it will count the number of active translation types too. Also counted are hits to an existing mapping as well as any misses, with the latter causing an attempt to create a mapping. This command will also reveal expired translations. If you want to check into dynamic pools, their types, the total available addresses, how many addresses have been allocated and how many have failed, plus the number of translations that have occurred, just use the pool keyword after statistics.
Here is an example of the basic NAT debugging command:
Router#debug ip nat
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
Notice the last line in the output and how the NAT at the beginning of the line has an asterisk (*). This means the packet was translated and fast-switched to the destination. What’s fast-switched? Well, in brief, fast-switching has gone by several aliases such as cache-based switching and this nicely descriptive name, “route once, switch many.” The fast-switching process is used on Cisco routers to create a cache of layer 3 routing information to be accessed at layer 2 so packets can be forwarded quickly through a router without the routing table having to be parsed for every packet. As packets are packet switched (looked up in the routing table), this information is stored in the cache for later use if needed for faster routing processing.
Let’s get back to verifying NAT. Did you know you can manually clear
dynamic NAT entries from the NAT table? You can, and doing this can
come in seriously handy if you need to get rid of a specific rotten entry
without sitting around waiting for the timeout to expire! A manual clear
is also really useful when you want to clear the whole NAT table to
reconfigure a pool of addresses.
You also need to know that the Cisco IOS software just won’t allow you to change or delete an address pool if any of that pool’s addresses are mapped in the NAT table. The clear ip nat translations command clears entries—you can indicate a single entry via the global and local address and through TCP and UDP translations, including ports, or you can just type in an asterisk (*) to wipe out the entire table. But know that if you do that, only dynamic entries will be cleared because this command won’t remove static entries.
Oh, and there’s more—any outside device’s packet destination address
that happens to be responding to any inside device is known as the inside
global (IG) address. This means that the initial mapping has to be held in
the NAT table so that all packets arriving from a specific connection get
translated consistently. Holding entries in the NAT table also cuts down
on repeated translation operations happening each time the same inside
machine sends packets to the same outside destinations on a regular
basis.
Let me clarify: When an entry is placed into the NAT table the first time, a timer begins ticking and its duration is known as the translation timeout. Each time a packet for a given entry translates through the router, the timer gets reset. If the timer expires, the entry will be unceremoniously removed from the NAT table and the dynamically assigned address will then be returned to the pool. Cisco’s default translation timeout is 86,400 seconds (24 hours), but you can change that with the ip nat translation timeout command.
Before we move on to the configuration section and actually use the commands I just talked about, let’s go through a couple of NAT examples and see if you can figure out the best configuration to go with. To start, look at Figure 13.4 and ask yourself two things: Where would you implement NAT in this design? What type of NAT would you configure?
FIGURE 13.4 NAT example
In Figure 13.4, the NAT configuration would be placed on the corporate router, just as I demonstrated with Figure 13.1, and the configuration would be dynamic NAT with overload (PAT). In this next NAT example, what type of NAT is being used?
ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0
ip nat inside source list 1 pool todd-nat
The preceding command uses dynamic NAT without PAT. The pool in the command gives the answer away as dynamic, plus there’s more than one address in the pool and there is no overload command at the end of our ip nat inside source command. This means we are not using PAT!
In the next NAT example, refer to Figure 13.5 and see if you can come up with the configuration needed.
FIGURE 13.5 Another NAT example
Figure 13.5 shows a border router that needs to be configured with NAT and allow the use of six public IP addresses to the inside locals, 192.1.2.109 through 192.1.2.114. However, on the inside network, you have 62 hosts that use the private addresses of 192.168.10.65 through 192.168.10.126. What would your NAT configuration be on the border router?
Actually, two different answers would both work here, but the following
would be my first choice based on the exam objectives:
ip nat pool Todd 192.1.2.109 192.1.2.109 netmask 255.255.255.248
access-list 1 permit 192.168.10.64 0.0.0.63
ip nat inside source list 1 pool Todd overload
The command ip nat pool Todd 192.1.2.109 192.1.2.109 netmask 255.255.255.248 sets the pool name as Todd and creates a dynamic pool of only one address using NAT address 192.1.2.109. Instead of the netmask command, you can use the prefix-length 29 statement. Just in case you’re wondering, no, you cannot do this on router interfaces!
The second answer would get you the exact same result of having only 192.1.2.109 as your inside global, but you can type this in and it will also work: ip nat pool Todd 192.1.2.109 192.1.2.114 netmask 255.255.255.248. But this option really is a waste because the second through sixth addresses would only be used if there was a conflict with a TCP port number. You would use something like what I’ve shown in this example if you literally had about ten thousand hosts with one Internet connection! You would need it to help with the TCP-Reset issue when two hosts are trying to use the same source port number and get a negative acknowledgment (NAK). But in our example, we’ve only got up to 62 hosts connecting to the Internet at the same time, so having more than one inside global gets us nothing!
If you’re fuzzy on the second line where the access list is set in the NAT configuration, do a quick review of Chapter 12, “Security.” But this isn’t difficult to grasp because it’s easy to see in this access-list line that it’s just the network number and wildcard used with that command. I always say, “Every question is a subnet question,” and this one is no exception. The inside locals in this example were 192.168.10.65–126, which is a block of 64, or a 255.255.255.192 mask. As I’ve said in pretty much every chapter, you really need to be able to subnet quickly!
The command ip nat inside source list 1 pool Todd overload sets the dynamic pool to use PAT by using the overload command.
And be sure to add the ip nat inside and ip nat outside statements on the appropriate interfaces.
If you’re planning on testing for any Cisco exam, configure the
hands-on labs at the end of this chapter until you’re really
comfortable with doing that!
One more example, and then you are off to the written lab, hands-on labs,
and review questions.
The network in Figure 13.6 is already configured with IP addresses as shown in the figure, and there is only one configured host. However, you need to add 25 more hosts to the LAN. Now, all 26 hosts must be able to get to the Internet at the same time.
FIGURE 13.6 Last NAT example
By looking at the configured network, use only the following inside
addresses to configure NAT on the Corp router to allow all hosts to reach
the Internet:
Inside globals: 198.18.41.129 through 198.18.41.134
Inside locals: 192.168.76.65 through 192.168.76.94
This one is a bit more challenging because all we have to help us figure
out the configuration is the inside globals and the inside locals. But even
meagerly armed with these crumbs of information, plus the IP addresses
of the router interfaces shown in the figure, we can still configure this
correctly.
To do that, we must first determine what our block sizes are so we can get
our subnet mask for our NAT pool. This will also equip us to configure
the wildcard for the access list.
You should easily be able to see that the block size of the inside globals is
8 and the block size of the inside locals is 32. Know that it’s critical not to
stumble on this foundational information!
So we can configure NAT now that we have our block sizes:
ip nat pool Corp 198.18.41.129 198.18.41.134 netmask 255.255.255.248
ip nat inside source list 1 pool Corp overload
access-list 1 permit 192.168.76.64 0.0.0.31
Since we had a block of only 8 for our pool, we had to use the overload command to make sure all 26 hosts can get to the Internet at the same time.
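The block-size, mask and wildcard arithmetic behind the Figure 13.5 and Figure 13.6 answers above, as an added Python example that is not part of the chapter: given the inside global and inside local ranges, it computes the pool netmask, the access-list network and wildcard, and emits the three configuration lines, adding overload whenever there are more inside locals than inside globals (for Figure 13.5 this produces the chapter's second answer, the full-range pool). The function and pool names are my own choices.

```python
import ipaddress


def addr_count(first: str, last: str) -> int:
    """Number of addresses in the inclusive range first..last."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1


def block_size(first: str, last: str) -> int:
    """Smallest power-of-two block whose usable hosts cover first..last.
    Two addresses are reserved for network and broadcast, so six usable
    addresses need a block of 8 and 30 usable addresses a block of 32."""
    return 1 << (addr_count(first, last) + 2 - 1).bit_length()


def prefix_length(block: int) -> int:
    return 32 - (block.bit_length() - 1)


def netmask(block: int) -> str:
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_length(block)}").netmask)


def wildcard(block: int) -> str:
    """Inverse mask for an access-list: block of 32 -> 0.0.0.31."""
    return str(ipaddress.IPv4Address(block - 1))


def network_address(addr: str, block: int) -> str:
    """Block-aligned network containing addr: 192.168.76.65 / 32 -> 192.168.76.64."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & ~(block - 1)))


def nat_plan(pool_name, global_first, global_last, local_first, local_last, acl=1):
    """Derive the pool, access-list and inside-source lines for a NAT/PAT setup."""
    g_block = block_size(global_first, global_last)
    l_block = block_size(local_first, local_last)
    # More inside locals than inside globals forces PAT (overload).
    overload = addr_count(local_first, local_last) > addr_count(global_first, global_last)
    network = network_address(local_first, l_block)
    config = [
        f"ip nat pool {pool_name} {global_first} {global_last} netmask {netmask(g_block)}",
        f"access-list {acl} permit {network} {wildcard(l_block)}",
        f"ip nat inside source list {acl} pool {pool_name}" + (" overload" if overload else ""),
    ]
    return {
        "global_block": g_block, "netmask": netmask(g_block), "prefix_length": prefix_length(g_block),
        "local_block": l_block, "network": network, "wildcard": wildcard(l_block),
        "overload": overload, "config": config,
    }


if __name__ == "__main__":
    # Figure 13.6: six inside globals, 30 inside local addresses.
    for line in nat_plan("Corp", "198.18.41.129", "198.18.41.134",
                         "192.168.76.65", "192.168.76.94")["config"]:
        print(line)
```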
There is one other simple way to configure NAT, and I use this command
at my home office to connect to my ISP. One command line and it’s done!
Here it is:
ip nat inside source list 1 int s0/0/0 overload
I can’t say enough how much I love efficiency, and being able to achieve
something cool using one measly line always makes me happy! My one
little powerfully elegant line essentially says, “Use my outside local as my
inside global and overload it.” Nice! Of course, I still had to create ACL 1
and add the inside and outside interface commands to the configuration,
but this is a really nice, fast way to configure NAT if you don’t have a pool
of addresses to use.
Summary
Now this really was a fun chapter. Come on—admit it! You learned a lot
about Network Address Translation (NAT) and how it’s configured as
static and dynamic as well as with Port Address Translation (PAT), also
called NAT Overload.
I also described how each flavor of NAT is used in a network as well as
how each type is configured.
We finished up by going through some verification and troubleshooting
commands. Now don’t forget to practice all the wonderfully helpful labs
until you’ve got them nailed down tight!
Exam Essentials
Understand the term NAT. This may come as news to you, because I
didn’t—okay, failed to—mention it earlier, but NAT has a few nicknames.
In the industry, it’s referred to as network masquerading, IP-
masquerading, and (for those who are besieged with OCD and compelled
to spell everything out) Network Address Translation. Whatever you want
to dub it, basically, they all refer to the process of rewriting the
source/destination addresses of IP packets when they go through a router
or firewall. Just focus on the process that’s occurring and your
understanding of it (i.e., the important part) and you’re on it for sure!
Remember the three methods of NAT. The three methods are
static, dynamic, and overloading; the latter is also called PAT.
Understand static NAT. This type of NAT is designed to allow one-to-
one mapping between local and global addresses.
Understand dynamic NAT. This version gives you the ability to map a
range of unregistered IP addresses to a registered IP address from out of
a pool of registered IP addresses.
Understand overloading. Overloading really is a form of dynamic
NAT that maps multiple unregistered IP addresses to a single registered
IP address (many-to-one) by using different ports. It’s also known as
PAT.
Written Lab 13
In this section, you’ll complete the following lab to make sure you’ve got
the information and concepts contained within it fully dialed in:
Lab 13.1: NAT
You can find the answers to this lab in Appendix A, “Answers to Written
Labs.”
In this section, write the answers to the following questions:
1. What type of address translation can use only one address to allow
thousands of hosts to be translated globally?
2. What command can you use to show the NAT translations as they
occur on your router?
3. What command will show you the translation table?
4. What command will clear all your NAT entries from the translation
table?
5. An inside local is before or after translation?
6. An inside global is before or after translation?
7. Which command can be used for troubleshooting and displays a
summary of the NAT configuration as well as counts of active
translation types and hits to an existing mapping?
8. What commands must be used on your router interfaces before NAT
will translate addresses?
9. In the following output, what type of NAT is being used?
ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0
10. Instead of the netmask command, you can use the _____________ statement.
Hands-on Labs
I am going to use some basic routers for these labs, but really, almost any
Cisco router will work. Also, you can use the LammleSim IOS version to
run through all the labs in this (and every) chapter in this book.
Here is a list of the labs in this chapter:
Lab 13.1: Preparing for NAT
Lab 13.2: Configuring Dynamic NAT
Lab 13.3: Configuring PAT
I am going to use the network shown in the following diagram for our
hands-on labs. I highly recommend you connect up some routers and run
through these labs. You will configure NAT on router Lab_A to translate
the private IP address of 192.168.10.0 to a public address of 171.16.10.0.
Table 13.3 shows the commands we will use and the purpose of each command.
TABLE 13.3 Command summary for NAT/PAT hands-on labs
Command                                                Purpose
ip nat inside source list acl pool poolname            Translates IPs that match the ACL to the pool
ip nat inside source static inside_addr outside_addr   Statically maps an inside local address to an outside global address
ip nat pool name                                       Creates an address pool
ip nat inside                                          Sets an interface to be an inside interface
ip nat outside                                         Sets an interface to be an outside interface
show ip nat translations                               Shows current NAT translations
Lab 13.1: Preparing for NAT
In this lab, you’ll set up your routers with IP addresses and RIP routing.
1. Configure the routers with the IP addresses listed in the following
table: