Lab 32: Configuring Static NAT and DSLw-Part II

Configuring NAT

NAT translation can be configured in three primary ways:

• Dynamic translation ” NAT translates inside addresses to a pool of global addresses. After a period of time, the translation times out and global address goes back to the pool to be reused. The timeout value for all NAT translations is based on protocol. The timeout values are listed in the later section "Clearing and Changing NAT Translations."

• Static translation ” NAT uses a one-for-one address mapping. This allows the outside network to initiate a session to the inside network based on the NAT address.

• Overload of a single IP address ” This involves multiplexing addresses in which many local IP addresses use port address translation (PAT) to share a single global IP address.

All three methods of configuration follow a similar four-step process:

Step 1. Define NAT inside and outside networks. First, define what networks are to be translated. You might not want all inside networks to be translated. Also note where they reside from your router's perspective, and mark that interface as a NAT inside interface. Second, locate the exit point of your routing domain, where the destination networks exist; usually this is the Internet. Configure this exit interface as a NAT outside interface. You can have multiple inside and outside interfaces. These steps are accomplished using the ip nat inside and ip nat outside commands at the interface or subinterface prompts.

Step 2. Ensure that IP reachability exits between the destination network/ Internet and the address/pool that you are translating to. If you are configuring a dynamic or static translation, you must ensure that the outside network can reach the subnet of your inside global network. The inside global network is the network that you are translating your addresses into. Put the subnet of the global address on a loopback interface, and ensure that the subnet is propagated via a routing protocol or a static route. This is to ensure that the subnet is reachable from the outside network.

Step 3. Configure the specific networks that are to be translated. If you are configuring dynamic NAT pools, this step is accomplished with the following command:

  ip nat inside source  [  list {1-99}   route-map  ]  pool   pool_name   overload  

Use an access list or a route map to match the networks that will be translated. Take into account all networks that might pass through the interface, not just the local network. The pool argument defines what pool will be used for translation. The overload argument enables the router to use one global address for many local addresses.

If you are configuring static translation, use the following command:

  ip nat inside source static   local_ip_addr global_ip_addr  

Step 4. Configure the address pool. This step is covered in Step 3 if you are using a static translation. When using dynamic translation, first "anchor" the global subnet to a loopback address. For example, if you are translating to the subnet of 150.100.100.0/24, put this subnet on a loopback address instead of using a secondary IP address on a "real" interface. This way, NAT will work on multiple interfaces if one goes down. This also prevents potential routing issues on IP secondary interfaces. To define the pool, use the following command:

  ip nat pool   pool_name starting_ip_addr ending_ip_addr  {  netmask   netmask   prefix-length   prefix-length  } 

Configuring NAT Dynamic Translation

Using the four-step process listed, now you will walk through the NAT configuration that you did earlier in this chapter. Figure 15-2 illustrates a private IP network of 172.16.1.0/24.

This network needs reachability to the Internet ” specifically , the host 128.100.1.10 on the UW Ethernet segment. The router nat_router has a T1 connection to the Internet through the isp_router. The ISP has assigned the network 128.100.100.0/24 to nat_router for access to the Internet. The engineers who support nat_router do not want to change all the IP host addresses from a 172.16.1.x network to a 128.100.100.x network, so they use dynamic NAT.

First, you must define NAT inside and outside networks. The inside network is where the networks to be translated reside, while the outside network is your destination network. In this example, your E0 port will become your NAT inside interface, while your S0 port will be your NAT outside interface. Figure 15-3 highlights the inside and outside networks.

To configure the inside and outside interface, use the ip nat [ inside outside ] command. Example 15-3 demonstrates the use of the command.

Example 15-3 Configuring Inside and Outside Interfaces

 nat_router(config)#  interface e0  nat_router(config-if)#  ip nat inside  nat_router(config-if)#  exit  nat_router(config)#  interface s0  nat_router(config-if)#  ip nat outside  

The next step requires you to "anchor" the subnet that you are translating to on this router. You do this by assigning the network given to you from your ISP ”in this case, 128.100.100.0/24 to a local interface. Use the first host address on the loopback interface, and use 128.100.100.2 to 128.100.100.254 as the address pool. The second part of this step requires that you have a route to the outside network and that the outside networks have a route to the subnet 128.100.100.0/24. For this example, you add a static default route on the nat_router and you use the ip classless command, which would appear as follows :

  interface Loopback20   ip address 128.100.100.1 255.255.255.0   ip classless   ip route 0.0.0.0 0.0.0.0 128.100.11.2  

Relevant to this example but not shown is a static route on the isp_router to the subnet 128.100.100.0/24. This route must be propagated by the isp_router to any and all destination networks, such as the uw_router. At this point, before proceeding, ensure that all routers have IP reachability to the 128.100.100.0/24 subnet. Without IP reachability, NAT will fail.

The third step in the process is to use the ip nat inside source command to define the networks to be translated. In this example, you will use the following commands:

  ip nat inside source list 69 pool publicpool   access-list 69 permit 172.16.1.0 0.0.0.255  

This command sequence calls access list 69 and compares the source network of the packet coming in the inside interface to the list. If the source IP address is in the subnet range of 172.16.1.x, the network is translated to the IP pool called publicpool.

Finally, the last step is defining the pool publicpool using the ip nat pool command:

  ip nat pool publicpool 128.100.100.2 128.100.100.254 netmask 255.255.255.0  

This statement uses the IP address range of 128.100.100.2 to 128.100.100.254, with a subnet mask of 255.255.255.0 for translation. Because 128.100.100.1 is the address of the loopback address, you do not want to include it in the pool range. Example 15-4 lists the relevant portions the configuration of the nat_router.

Example 15-4 NAT Dynamic Translation Configuration

  hostname nat_router   !   !   ip subnet-zero   !    interface Loopback20     ip address 128.100.100.1 255.255.255.0     no ip directed-broadcast    !   interface Ethernet0   ip address 172.16.1.254 255.255.255.0   no ip directed-broadcast    ip nat inside    !   interface Serial0   ip address 128.100.11.1 255.255.255.252   no ip directed-broadcast    ip nat outside    !   <<<text omitted>>>   !    ip nat pool publicpool 128.100.100.2 128.100.100.254 netmask 255.255.255.0     ip nat inside source list 69 pool publicpool     ip classless     ip route 0.0.0.0 0.0.0.0 128.100.11.2     !     access-list 69 permit 172.16.1.0 0.0.0.255   

Configuring NAT Static Translation

Configuring static translation is similar to configuring dynamic translation, except that you do not configure an IP pool. Instead, you configure a one-to-one address map of which specific hosts are to be translated to a specific address. A static translation can be used as an inside static translation or can have an outside static translation. Most implementations of NAT simply use an inside static translation, but when NAT is overlapping, you might want to use an outside source translation.

Building on the previous example of NAT illustrated in Figure 15-3, modify it so that only one address, 172.16.1.10, will be translated to 128.100.100.10. To configure static NAT, follow the same steps as previously defined, which include defining the inside and outside networks. Define the loopback address to "anchor" the global network and ensure routing between this subnet, 128.100.100.0/24, and the outside networks. The only part that is different from dynamic NAT configuration is defining how networks get translated. Instead of using the ip nat inside source list x command, use the ip nat inside static command. Specifically, this example uses the following command:

  ip nat inside source static 172.16.1.10 128.100.100.10  

This command causes the address 172.16.1.10 to be mapped to 128.100.100.10. No other translations will occur on the router. Example 15-5 lists how the configuration would appear with a static configuration.

Example 15-5 NAT Static Translation Example

  hostname nat_router   !   ip subnet-zero   !   interface Loopback20    ip address 128.100.100.1 255.255.255.0    no ip directed-broadcast   !   interface Ethernet0   ip address 172.16.1.254 255.255.255.0   no ip directed-broadcast    ip nat inside    !   interface Serial0   ip address 128.100.11.1 255.255.255.252   no ip directed-broadcast    ip nat outside    !   <<<text omitted>>>   !    ip nat inside source static 172.16.1.10 128.100.100.10    ip classless   ip route 0.0.0.0 0.0.0.0 128.100.11.2  

Configuring Easy IP and Port Address Translation (PAT)

Perhaps "Easy IP" expresses the best example of overloading a single IP address for NAT. Easy IP combines NAT overload/PAT and PPP/Internet Protocol Control Protocol (IPCP). However, NAT TCP overload is not limited to PPP.

For the purposes of this text, TCP overload and PAT are synonymous. PAT provides for many-to-one IP translations. Essentially, this allows many IP addresses to share or be translated into a single IP address. PAT uses a unique source port number on the inside global IP address to distinguish between each translation.

Easy IP (Phase 1) enables a Cisco router to automatically negotiate its own registered WAN address, and it enables local hosts to access the global networks or Internet through this single IP address. Many ISPs use IPCP to dynamically assign an IP address to the remote serial interface. Because this address is unknown until it is assigned, NAT static and dynamic translations cannot be configured. Therefore, to accommodate this type of configuration, Cisco uses Easy IP. Essentially, this is what happens:

Step 1. A remote router makes a PPP connection to the ISP or a central site router. Easy IP uses PPP/IPCP to obtain an address from a DHCP server residing at the central site or ISP.

Step 2. Easy IP receives the new "dynamic" address and assigns it to WAN interface.

Step 3. Easy IP then uses port address translation (PAT) to perform a many-to-one address/port association, using multiple inside local addresses and the new global "dynamic" address.

To configure Easy IP, you can begin by following the four-step process outlined earlier. The main difference occurs in Step 4 and the enabling of IPCP. Figure 15-4 illustrates a typical home user or small office with an ISDN connection to an ISP. The home user does not have any registered IP address space and obtains an address when dialing up the ISP. This user also has multiple workstations that must access the Internet, providing an ideal candidate for Easy IP.

The first step is to define inside and outside networks. Here, the inside network is the Ethernet, while the BRI or Dialer 10 interface is the outside network. Use the same NAT commands, ip nat inside and ip nat outside, to define these networks on the appropriate interfaces.

The next step is to ensure that routing exists between the router and the Internet. Because only one exit point exists, use a default static route pointing to the dialer interface. Be sure to include the ip classless command when using a default route.

The third step involves defining what networks are to be translated and how they are translated. Here, you will point your translation to the Dialer 10 interface because the IP address is unknown. Use the overload command, which tells the router to use PAT. Doing so enables many connections to the Internet through one IP address. The command will look like the following:

  ip nat inside source list 10 interface Dialer10 overload  

Because you don't have an address pool to define static translations, Step 4 is a good place to configure IPCP. To configure IPCP, you must have PPP as your Layer 2 encapsulation, and you must have Cisco IOS Software Release 11.3 or greater. The command to enable IPCP is ip address negotiated under the serial or dialer interface. Example 15-6 illustrates the dialer configuration and IPCP needed on the easyip_router.

Example 15-6 IPCP and Dialer Configuration for Easy IP

  interface BRI0   no ip address   no ip directed-broadcast   encapsulation ppp   dialer pool-member 10   isdn switch-type basic-ni   isdn spid1 71538154750101 3815475   isdn spid2 71538154760101 3815476   ppp multilink   !   interface Dialer10    ip address negotiated          IPCP configuration    no ip directed-broadcast    ip nat outside     encapsulation ppp    no ip mroute-cache   dialer remote-name isp_router   dialer idle-timeout 300   dialer string 4262200   dialer hold-queue 80   dialer load-threshold 10 either   dialer pool 10   dialer-group 10   compress stac   no cdp enable   ppp authentication pap   ppp pap sent-username ksolie password 7 1304474B5B5D577E   ppp multilink   !  

Notice that most ISPs also use PAP for authentication. This also might be a requirement for your configuration to the ISP. For more information on the dialer configurations or ISDN setup, see Chapter 7, "WAN Protocols and Technologies: Integrated Services Digital Network (ISDN)."

Example 15-7 lists the entire configuration needed for Easy IP.

Example 15-7 Easy IP Configuration

  hostname easyip_router   !   ip subnet-zero   !   isdn switch-type basic-ni   !   interface Ethernet0   ip address 172.16.1.254 255.255.255.0   no ip directed-broadcast    ip nat inside    !   interface BRI0   no ip address   no ip directed-broadcast   encapsulation ppp   dialer pool-member 10   isdn switch-type basic-ni   isdn spid1 71538154750101 3815475   isdn spid2 71538154760101 3815476   ppp multilink   !   interface Dialer10    ip address negotiated    no ip directed-broadcast    ip nat outside     encapsulation ppp    no ip mroute-cache   dialer remote-name isp_router   dialer idle-timeout 300   dialer string 4262200   dialer hold-queue 80   dialer load-threshold 10 either   dialer pool 10   dialer-group 10   no cdp enable   ppp authentication pap   ppp pap sent-username ksolie password 7 1304474B5B5D577E   ppp multilink   !    ip nat inside source list 10 interface Dialer10 overload     ip classless     ip route 0.0.0.0 0.0.0.0 Dialer10    !    access-list 10 permit 172.16.1.0 0.0.0.255    access-list 110 permit ip any any   dialer-list 10 protocol ip list 110