Defining NAT Inside and Outside Interfaces

The first step to deploy NAT is to define NAT inside and outside interfaces. You may find it easiest to define your internal network as inside, and the external network as outside. However, the terms internal and external are subject to arbitration as well. This figure shows an example of this.

Define what you're trying to accomplish with NAT

• Allow internal users to access the internet

• Allow the internet to access internal devices

• Redirect TCP traffic to another TCP port or address

• NAT during a network transition

• Allow overlapping networks to communicate

Configure NAT

Configure NAT in order to accomplish what you defined above. Based on what you defined in step 2, you need to determine which of the following features to use:

• Static NAT

• Dynamic NAT

• Overloading (PAT)

• Any combination of the above

Static NAT

Uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet.

Step 1) Configure the static translation of an inside local address to an inside global address:

Router(config)#ip nat inside source static local-ip global-ip

Step 2) Specify the inside interface:

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 3) Specify the outside interface:

Router(config)#interface type number
Router(config-if)#ip nat outside

Static NAT Example

Dynamic NAT

Uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host.

Step 1) Define a pool of global addresses to be allocated:

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Step 2) Define a standard access list permitting those addresses that are to be translated:

Router(config)#access-list access-list-number permit source source-wildcard

Step 3) Bind the pool of addresses to the access list:

Router(config)#ip nat inside source list access-list-number pool name

Step 4) Specify the inside interface:

Router(config)#interface type number
Router(config-if)#ip nat inside

Step 5) Specify the outside interface:

Router(config)#interface type number
Router(config-if)#ip nat outside

Dynamic NAT Example

NAT Overload (PAT)

• NAT overloading (sometimes called Port Address Translation [PAT]) maps multiple private IP addresses to a single public IP address or a few addresses. To do this, each private address is also tracked by a port number. When a response comes back from outside, port numbers determine to which client the NAT router translates the packets.

• Commonly with home networks and small to medium-sized businesses, the ISP assigns only one registered IP address to your router. Therefore, it is necessary to overload that one IP address so that multiple inside clients can use it simultaneously.

• The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

NAT Overload Descriptions

1. PC1 and PC2 send packets destined for the Internet.

2. When the packets arrive at R2, NAT overload changes the source address to the inside global IP address and keeps the assigned port numbers (1555 and 1331 in this example) to identify the client from which the packet originated.

3. R2 updates its NAT table. Notice the assigned ports. R2 then routes the packets to the Internet.

4. When the web server replies, R2 uses the destination port of the reply (the source port it recorded on the way out) to translate the packet back to the correct client.

NAT Overload Example

R2(config)#ip nat inside source list 1 pool NAT-POOL1 overload
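The four steps above describe the table R2 keeps for NAT overload. The following Python model is an added example, not code from the page or from Cisco: it uses the page's inside networks 10.10.10.0/24 and 10.10.20.0/24 and the single inside global address 172.16.10.1 from the overload example; the web server address 198.51.100.10 and the third client are constructed. It shows the port being kept when free, a second client that happens to pick the same source port being given a different global port, a reply being mapped back by its destination port, and an unsolicited inbound packet being dropped because no entry exists for it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple (protocol, source, destination)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """Models the NAT-overload table R2 builds in steps 1-4 above.

    All inside hosts share one inside global address; each outbound flow is
    keyed by (proto, inside local address, inside local port) and is given a
    global port that must be unique per protocol on the shared address.
    """

    def __init__(self, inside_global: str, inside_nets):
        self.inside_global = inside_global
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        # (proto, local_ip, local_port) -> global_port
        self.out_table: Dict[Tuple[str, str, int], int] = {}
        # (proto, global_port) -> (local_ip, local_port)
        self.in_table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _is_inside(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def outbound(self, pkt: Flow) -> Flow:
        """Inside -> outside (steps 2-3): rewrite the source to the inside global
        address and record which port identifies this client."""
        if not self._is_inside(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an inside local address")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        gport = self.out_table.get(key)
        if gport is None:
            # Keep the client's own port when it is free (1555 and 1331 in the
            # text); when another client already holds it, pick the next free one.
            gport = pkt.src_port
            while (pkt.proto, gport) in self.in_table:
                gport = gport + 1 if gport < 65535 else 1024
            self.out_table[key] = gport
            self.in_table[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
        return Flow(pkt.proto, self.inside_global, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """Outside -> inside (step 4): the destination port selects the client.
        A packet that matches no entry has no client to go to, so the router
        drops it; this is why unsolicited inbound traffic never reaches inside hosts."""
        if pkt.dst_ip != self.inside_global:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Flow(pkt.proto, pkt.src_ip, pkt.src_port, local_ip, local_port)


# Constructed scenario: inside networks and the single global address 172.16.10.1
# come from the page's overload example; the web server address is made up.
WEB_SERVER = "198.51.100.10"


def run_scenario():
    nat = PatTranslator("172.16.10.1", ["10.10.10.0/24", "10.10.20.0/24"])
    pc1 = nat.outbound(Flow("tcp", "10.10.10.10", 1555, WEB_SERVER, 80))
    pc2 = nat.outbound(Flow("tcp", "10.10.20.10", 1331, WEB_SERVER, 80))
    # A third client happens to use port 1555 too: the translator must not reuse it.
    pc3 = nat.outbound(Flow("tcp", "10.10.10.11", 1555, WEB_SERVER, 80))
    reply_to_pc2 = nat.inbound(Flow("tcp", WEB_SERVER, 80, "172.16.10.1", 1331))
    unsolicited = nat.inbound(Flow("tcp", "203.0.113.7", 40000, "172.16.10.1", 23))
    return pc1, pc2, pc3, reply_to_pc2, unsolicited


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Running the script prints the five results; the third outbound flow comes back with global port 1556 and the unsolicited packet as None. A real router also ages entries out of this table, which the model leaves out.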

Practical Example (1) Allowing Internal Users to Access the Internet

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT inside interface)

interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
(Defines a NAT pool named no-overload with a range of addresses 172.16.10.1 - 172.16.10.63)

ip nat inside source list 7 pool no-overload
(Indicates that any packets received on the inside interface that are permitted by access-list 7 have the source address translated to an address out of the NAT pool "no-overload")

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
(Access-list 7 permits packets with source addresses ranging from 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31)
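The dynamic NAT section and Practical Example (1) both rely on two pieces of behaviour that the configuration lines do not make visible: how the wildcard mask in access-list 7 decides which sources are translated, and how the no-overload pool is handed out first-come, first-served. This Python model is an added example, not code from the page or from Cisco; it uses the page's ACL 7 and pool 172.16.10.1 - 172.16.10.63, and the two-address pool in the second function is constructed to show exhaustion.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the wildcard must equal the
    base address, a 1 bit is 'don't care'. 10.10.10.0 0.0.0.31 therefore covers
    exactly 10.10.10.0 through 10.10.10.31."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class StandardAcl:
    """A standard access list: entries are evaluated top-down, first match wins,
    and an unmatched address hits the implicit deny at the end."""

    def __init__(self, entries: List[Tuple[str, str, str]]):
        self.entries = entries  # (action, base, wildcard) in configured order

    def permits(self, addr: str) -> bool:
        for action, base, wildcard in self.entries:
            if wildcard_match(addr, base, wildcard):
                return action == "permit"
        return False


class DynamicNat:
    """'ip nat inside source list 7 pool no-overload': the ACL selects which
    sources are translated; the pool is handed out first-come first-served,
    one global address per inside host, until it is exhausted."""

    def __init__(self, acl: StandardAcl, pool_start: str, pool_end: str):
        self.acl = acl
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.table: Dict[str, str] = {}  # inside local -> inside global

    def translate(self, src: str) -> Optional[str]:
        if not self.acl.permits(src):
            # Not selected for NAT: the packet is routed with its original
            # source address, i.e. the NAT ACL is not a traffic filter.
            return src
        if src in self.table:
            return self.table[src]
        if not self.free:
            return None  # pool exhausted: no translation, the packet is dropped
        global_ip = self.free.pop(0)
        self.table[src] = global_ip
        return global_ip


# The page's access-list 7.
ACL7 = StandardAcl([
    ("permit", "10.10.10.0", "0.0.0.31"),
    ("permit", "10.10.20.0", "0.0.0.31"),
])


def example_one():
    """The page's no-overload pool 172.16.10.1 - 172.16.10.63 with ACL 7."""
    nat = DynamicNat(ACL7, "172.16.10.1", "172.16.10.63")
    first = nat.translate("10.10.10.5")          # allocated 172.16.10.1
    second = nat.translate("10.10.20.31")        # allocated 172.16.10.2
    again = nat.translate("10.10.10.5")          # existing mapping reused
    outside_acl = nat.translate("10.10.10.40")   # .32-.255 not permitted: untranslated
    return first, second, again, outside_acl


def exhaustion():
    """Constructed two-address pool: the third inside host gets no translation."""
    nat = DynamicNat(ACL7, "172.16.10.1", "172.16.10.2")
    return [nat.translate(h) for h in ("10.10.10.1", "10.10.10.2", "10.10.10.3")]


if __name__ == "__main__":
    print(example_one())
    print(exhaustion())
```

The point worth checking in your own configuration is the untranslated case: a host at 10.10.10.40 is outside ACL 7, so its packets leave serial 0 with a private source address rather than being blocked; filtering, if wanted, belongs in an interface ACL, not in the NAT ACL.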

Practical Example (2) Configuring NAT to Allow Internal Users to Access the Internet Using Overloading

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT inside interface)

interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
(Defines a NAT pool named ovrld with a range of a single IP address, 172.16.10.1)

ip nat inside source list 7 pool ovrld overload
(Indicates that any packets received on the inside interface that are permitted by access-list 7 have the source address translated to an address out of the NAT pool named ovrld. Translations are overloaded, which allows multiple inside devices to be translated to the same valid IP address)

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
(Access-list 7 permits packets with source addresses ranging from 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31)

Practical Example (3) Redirecting TCP Traffic to Another TCP Port or Address

interface ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
(Defines Ethernet 0 with an IP address and as a NAT inside interface)

interface serial 0
 ip address 200.200.200.5 255.255.255.252
 ip nat outside
(Defines serial 0 with an IP address and as a NAT outside interface)

ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
(Static NAT command that states any packet received on the inside interface with a source IP address of 172.16.10.8:8080 is translated to 172.16.10.8:80)

Practical Example (4) Using NAT During a Network Transition

interface ethernet 0
 ip address 172.16.10.1 255.255.255.0
 ip nat outside
(Defines Ethernet 0 with an IP address and as a NAT outside interface)

interface ethernet 1
 ip address 172.16.50.1 255.255.255.0
 ip nat inside
(Defines Ethernet 1 with an IP address and as a NAT inside interface)

interface serial 0
 ip address 200.200.200.5 255.255.255.252
(Defines serial 0 with an IP address. This interface is not participating in NAT)

ip nat inside source static 172.16.50.8 172.16.10.8
(States that any packet received on the inside interface with a source IP address of 172.16.50.8 is translated to 172.16.10.8)