In this final part of the NAT series, we’ll be talking about some other methods of configuring network address translation. We’ll be looking at Static NAT and Dynamic NAT. Part 1 can be found here.


STATIC NAT

In this type of NAT, an internal IP address is permanently mapped to an external IP address. Unlike Dynamic NAT, every connection to or from that device (such as a server) uses the same external address. Say for instance our ISP allocates a public address of 68.10.1.6, and we map it via static NAT to the server. Each connection to that server arrives on 68.10.1.6, and the individual connections are told apart by their port numbers. Below is an example:

In this scenario below, we are going to access the web server located in the Head office from a computer in the Arizona office. The computer in the Arizona office has an internal IP address of 192.168.10.2. The IP address of the server is 192.168.20.15, but it will be seen as 68.10.1.6, the IP address given to us by our ISP.

STEPS REQUIRED

STEP ONE

The first step is to label the interfaces. The inside interface will be labeled with “ip nat inside” and the outside interface will be labeled with “ip nat outside”.

!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 68.10.1.6 255.255.255.252
 ip nat outside

STEP TWO

The next step is to enable static NAT. The command to do this is ‘ip nat inside source static local-ip global-ip’. For this configuration, we will be using “ip nat inside source static 192.168.10.15 68.10.1.6”, which will map the inside local address (192.168.10.15) to the outside local address (68.10.1.6).

ARIZONA OFFICE ROUTER CONFIGURATION

interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/3/0
 ip address 68.10.1.5 255.255.255.252
 clock rate 64000
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.10.1.6
!
line con 0
line vty 0 4
 login
end

HEAD OFFICE ROUTER

interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 68.10.1.6 255.255.255.252
 ip nat outside
!
ip nat inside source static 192.168.10.15 68.10.1.6
ip classless
ip route 0.0.0.0 0.0.0.0 68.10.1.5
!
line con 0
line vty 0 4
 login
!
end

Below is the output after running a ping (ICMP) and a telnet attempt to the server (TCP):

Another awesome feature of Static NAT is that it can be mapped to ports. Say for instance our ISP gives us a public address of 68.10.1.6. We can use this same IP address for both NAT overload and static NAT. So if we have NAT Overload configured on our router and we want people to access our mail servers from outside the office, we can just map the public address to a port.

For instance, email service uses port 25 and web service uses port 80, and so on.

The command for this is “ip nat inside source static tcp 192.168.20.15 80 68.10.1.6 80”. This will map the inside local address (192.168.20.15) on port 80 to the inside global address (68.10.1.6) on port 80.

This feature has a lot of advantages. One of them is that it allows us to use one IP address for our NAT operation, thus saving us the cost of getting more than one public address.

Another advantage is that it lets us make the most of our public address. By this I mean that since we’re not using all of the ports <1-65535> at the same time (how many are in use depends on the number of clients at once), we can map one address to as many ports as the need arises.

For example, we can have a mail server and a web server in our organization. To use the address, all we need to do is to map the address to the Port: 68.10.1.6:80 for the web server, and 68.10.1.6:25 for the mail server.

DYNAMIC NAT

This kind of NAT maps an inside local IP address to an inside global IP address on the fly, taken from a pool of available IP addresses. Say for instance our ISP allocates us an IP address range of 68.10.1.2 – 68.10.1.254:

STEP 1

The first step is to label the interfaces. The inside interface will be labeled with “ip nat inside”, and the outside interface will be labeled with “ip nat outside”.

STEP 2

The next step is to create a pool of addresses, which are the IP addresses allocated to us. This is done with the “ip nat pool” command:

ip nat pool pool-name start-ip end-ip prefix-length length
ip nat pool NAT_ADDRESS 68.10.1.2 68.10.1.254 prefix-length 24

Or

ip nat pool pool-name start-ip end-ip netmask net-mask
ip nat pool NAT_ADDRESS 68.10.1.2 68.10.1.254 netmask 255.255.255.0

STEP 3

The next step is to create an access list that selects the computers/clients that should be allowed (or denied) translation. A named list like ALLOWED_COMPUTERS is created as a named standard access list:

ip access-list standard ALLOWED_COMPUTERS
 permit 192.168.10.0 0.0.0.255

Step 4

The final step is to tie the access-list and the pool together with this command:

ip nat inside source list ALLOWED_COMPUTERS pool NAT_ADDRESS

This command means that the computers in the access list (ALLOWED_COMPUTERS) can use the pool of addresses (NAT_ADDRESS).
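To make the static port mappings and the dynamic pool behaviour above concrete, here is an added toy model of a NAT router written for this article. It is not Cisco IOS code and the class and method names (NatRouter, outbound, inbound, head_office_router, dynamic_router) are the example's own; the mail server address 192.168.20.20 is a constructed value. It shows the IOS lookup order on the inside interface (static entry, then static port map, then an existing dynamic entry, then a fresh pool address gated by the access list), the reverse lookup on the outside interface, and what happens when the pool runs out.

```python
"""Toy model of static NAT, static TCP port mapping and dynamic pool NAT.
Added example for this article; not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass, field


class NatPoolExhausted(Exception):
    """Raised when every inside global address in the dynamic pool is in use."""


@dataclass
class NatRouter:
    # ip nat inside source static <inside-local> <inside-global>
    static: dict = field(default_factory=dict)
    # ip nat inside source static tcp <local> <lport> <global> <gport>
    # keyed (global, gport) -> (local, lport); TCP only in this toy
    static_ports: dict = field(default_factory=dict)
    # ip nat pool NAT_ADDRESS <start> <end> netmask <mask>
    pool: list = field(default_factory=list)
    # ip access-list standard ALLOWED_COMPUTERS (permit entries only here)
    acl: list = field(default_factory=list)
    # dynamic translation table: inside local -> inside global
    table: dict = field(default_factory=dict)

    def add_pool(self, start, end, netmask):
        """Expand start..end (inclusive) and check it fits inside netmask's network."""
        net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.pool = [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]
        if not all(ipaddress.ip_address(p) in net for p in self.pool):
            raise ValueError("pool range is not contained in the netmask network")

    def permitted(self, ip):
        """True if a permit line of the access list matches the source address."""
        return any(ipaddress.ip_address(ip) in net for net in self.acl)

    def outbound(self, src_ip, src_port):
        """Packet entering the 'ip nat inside' interface: return (inside global ip, port).
        Order: static entry, static port map, existing dynamic entry, then a new pool address."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        for (g_ip, g_port), (l_ip, l_port) in self.static_ports.items():
            if (l_ip, l_port) == (src_ip, src_port):
                return g_ip, g_port
        if src_ip in self.table:
            return self.table[src_ip], src_port
        if not self.permitted(src_ip):
            return None  # access list does not match: no translation is created
        in_use = set(self.table.values())
        for candidate in self.pool:
            if candidate not in in_use:
                self.table[src_ip] = candidate
                return candidate, src_port
        raise NatPoolExhausted(src_ip)

    def inbound(self, dst_ip, dst_port):
        """Packet entering the 'ip nat outside' interface: map inside global to inside local."""
        if (dst_ip, dst_port) in self.static_ports:
            return self.static_ports[(dst_ip, dst_port)]
        for local, glob in self.static.items():
            if glob == dst_ip:
                return local, dst_port
        for local, glob in self.table.items():
            if glob == dst_ip:
                return local, dst_port
        return None  # no matching translation


def head_office_router():
    """The port-mapped static NAT from the text: web on 80 and mail on 25, both behind 68.10.1.6."""
    r = NatRouter()
    r.static_ports[("68.10.1.6", 80)] = ("192.168.20.15", 80)
    r.static_ports[("68.10.1.6", 25)] = ("192.168.20.20", 25)  # constructed mail server address
    return r


def dynamic_router(pool_end="68.10.1.254"):
    """The dynamic NAT steps from the text: pool 68.10.1.2-<pool_end> for 192.168.10.0/24."""
    r = NatRouter()
    r.add_pool("68.10.1.2", pool_end, "255.255.255.0")
    r.acl.append(ipaddress.ip_network("192.168.10.0/24"))
    return r


if __name__ == "__main__":
    hq = head_office_router()
    print("inbound 68.10.1.6:80 ->", hq.inbound("68.10.1.6", 80))
    d = dynamic_router("68.10.1.3")  # a two-address pool to show exhaustion
    for host in ("192.168.10.2", "192.168.10.3", "192.168.10.4"):
        try:
            print(host, "->", d.outbound(host, 40000))
        except NatPoolExhausted as exc:
            print(host, "-> no free pool address", exc)
```

The two-address pool in the usage block is the point worth remembering about dynamic NAT: once every pool address is held by a translation, a new inside host gets no translation at all, which is what "show ip nat statistics" misses counters reveal on a real router, and it is the reason NAT overload (PAT) is the usual choice when the pool is smaller than the number of clients.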

Some useful NAT commands

show ip nat translations: shows the entries in the NAT translation table.

show ip nat statistics: displays status and configuration information for NAT, including hit and miss counters.

debug ip nat: used to troubleshoot NAT problems on a router.

WARNING!!!

Once debugging is enabled on a router, it remains in effect until you turn it off with the “no debug ip nat” command.

DO NOT USE IN A PRODUCTION ENVIRONMENT!

clear ip nat translation *: clears all dynamic entries from the NAT table.

NAT is a concept that can be both enjoyable to configure and also confusing. All in all, it is a wonderful concept as its advantages are numerous; chief among them being the conservation of the available IP addresses.

NAT also has its disadvantages. As it does not allow for full end-to-end communications between two hosts using their configured IP address, troubleshooting can sometimes be a challenge. NAT can also introduce latency in the communication path and cause application performance issues due to the delay in translating IP addresses.

I hope this has been very informative for you and, like I always say, the key to mastering any concept is constant practice…
