In this final part of the NAT series, we’ll be talking about some other methods of configuring network address translation. We’ll be looking at Static NAT and Dynamic NAT. Part 1 can be found here.
CCNA Training – Resources (Intense)
In this type of NAT, an internal IP address is mapped to an external IP address. Unlike Dynamic NAT, each time the connection request is made for that device (such as a server), it connects using that IP address. Say for instance our ISP allocates a public address of 184.108.40.206, and we map it via static NAT to the server. Each time a connection is made to that server it uses 220.127.116.11, but it differentiates each connection with a port number. Below is an example:
In this scenario below, we are going to access the web server located in the Head office from a computer in the Arizona office. The computer in the Arizona office has an internal IP address of 192.168.10.2. The IP address of the server is 192.168.20.15, but it will be seen as 18.104.22.168, the IP address given to us by our ISP.
The first step is to label the interfaces. The inside interface will be labeled as “ipnat inside” and the outside interface will be labeled as “ipnat outside.”
Ip address 192.168.20.1 255.255.255.0
Ip address 22.214.171.124 255.255.255.252
The next step is to enable static NAT. The command to do this is ‘ipnat inside source static local-ip global-ip ‘. For this configuration, we will be using “ipnat inside source static 192.168.10.15 126.96.36.199” which will map the inside local address (192.168.10.15) to the outside local address (188.8.131.52).
ARIZONA OFFICE ROUTER CONFIGURATION
ip address 192.168.10.1 255.255.255.0
ip address 184.108.40.206 255.255.255.252
clock rate 64000
ip route 0.0.0.0 0.0.0.0 220.127.116.11
line con 0
linevty 0 4
HEAD OFFICE ROUTER
ip address 192.168.20.1 255.255.255.0
ip address 18.104.22.168 255.255.255.252
ipnat inside source static 192.168.10.15 22.214.171.124
ip route 0.0.0.0 0.0.0.0 126.96.36.199
line con 0
linevty 0 4
Below is the output after running a ping (ICMP) and a telnet attempt to the server (TCP):
Another awesome feature of Static NAT is that it can be mapped to ports. Say for instance our ISP gives us a public address of 188.8.131.52. We can use this same IP address for both NAT overload and static NAT. And if we have NAT Overload configured on our router and we want people to access our mail servers from outside the office, we can just map the public address to a port.
For instance, Email service uses Port 25 and Web service uses Port 80, etc.
The command for this is “ipnat inside source static tcp 192.168.20.15 80 184.108.40.206 80“.This will map the inside local address (192.168.20.15) on port 80 to the inside global address (220.127.116.11) on port 80.
This feature has a lot of advantages. One of them is that it allows us to use one IP address for our NAT operation, thus saving us the cost of getting more than one public address.
Another advantage is that it lets us maximize our public address to the fullest. By this I mean that since we’re not using all the ports at the same time <1-65535> (depending on the number of clients using it at once), we are allowed to map one address to as many ports as the need arises.
For example, we can have a mail server and a web server in our organization. To use the address, all we need to do is to map the address to the Port: 18.104.22.168:80 for the web server, and 22.214.171.124:25 for the mail server.
This kind of NAT is used to map the inside local IP address to the inside global IP address on the fly from a pool of available IP addresses. Say for instance our ISP allocates us with an IP address range of 126.96.36.199 – 188.8.131.52:
The first step is to label the interfaces. The inside interface will be labeled as “ipnat inside“, and the outside interface will be labeled as “ipnat outside“.
The first step is to create a pool of addresses, which are the IP addresses allocated to us. This is done with the “ipnat pool” command:
Ipnat pool pool-namestart-ipend-ip prefix length ‘length‘
Ipnat pool NAT_ADDRESS184.108.40.206220.127.116.11prefix-length 24
Ipnat pool pool-namestart-ip end-ipnetmask ‘net-mask’
Ipnat pool NAT_ADDRESS 18.104.22.168 22.214.171.124netmask255.255.255.0
The next step is to create an access list for the required computers/clients that should be allowed or denied access:
access-list ALLOWED_COMPUTERS permit 192.168.10.0 0.0.0.255
The final step is to tie the access-list and the pool together with this command:
Ipnat inside source list ALLOWED_COMPUTERS pool NAT_ADDRESS….
This command means that the computers in the access list (ALLOWED_COMPUTERS) can use the pool of addresses (NAT_ADDRESS).
Some useful NAT commands
Show ipnatTranslations: shows the translations on the NAT tables.
Show ipnat statistics: displays the status and configuration information for NAT
Debug ipnat: used to troubleshoot NAT problems on a router.
Once debugging is enabled on a router, it remains in effect till you turn it off with the “no debug ipnat” command.
DO NOT USE IN A PRODUCTION ENVIRONMENT!
Clear ipnat translations *: clears all NAT table entries.
NAT is a concept that can be both enjoyable to configure and also confusing. All in all, it is a wonderful concept as its advantages are numerous; chief among them being the conservation of the available IP addresses.
NAT also has its disadvantages. As it does not allow for full end-to-end communications between two hosts using their configured IP address, troubleshooting can sometimes be a challenge. NAT can also introduce latency in the communication path and cause application performance issues due to the delay in translating IP addresses.
I hope has been very informative for you and like I always say, the key to mastering any concept is constant practice…
CCNA Cisco Certified Network Associate Study Guide, 7th Edition, by Todd Lammle