Chapter 17. Configuring Network Time Protocol (NTP) and Simple Network Time Protocol (SNTP)


Lab 31: Configuring Dynamic NAT and Using Non-Standard FTP Port Numbers, Part II

Lab Walkthrough

After completing the physical installation of the serial link and the two Ethernet segments, establish IP connectivity between the appropriate subnets.

Beginning with the dhs_router, configure the IP addresses of the Ethernet and serial interfaces. The Serial 0 port is the DCE side of the link, so this side will carry the clockrate command. You are not allowed to "see" the 9.3.3.0/24 subnet from this router. Instead, you have been assigned the CIDR block 200.100.1.32/29 for NAT. This is the network that you need a route to, so you will configure a static route to it on the dhs_router.

For the purposes of this lab, you may or may not have a connection to the Internet. If you don't have a connection to the Internet, simulate an IP host by adding a loopback interface with the address 198.133.219.25. You should be able to ping this address from the 9.3.3.0/24 subnet when NAT is working properly. Example 15-12 lists the configuration for the dhs_router.

Example 15-12 dhs_router Configuration
  hostname dhs_router
  !
  <<<text omitted>>>
  !
  interface Loopback20
   ip address 198.133.219.25 255.255.255.0
  !
  interface Ethernet0
   ip address 200.100.1.17 255.255.255.248
  !
  interface Serial0
   ip address 192.168.11.5 255.255.255.252
   no fair-queue
   clockrate 2000000
  !
  <<<text omitted>>>
  !
  no ip classless
  ip route 200.100.1.32 255.255.255.248 192.168.11.6

The configuration for the jpms_router will be a little more involved. Begin by assigning the appropriate IP addresses to the Ethernet and serial interfaces. You need to configure a default route pointing to 192.168.11.5. Don't forget to include the ip classless command when using a default route:

  ip classless
  ip route 0.0.0.0 0.0.0.0 192.168.11.5

At this point, you should be able to ping the "Internet" address of 198.133.219.25 from the router. If you issue a ping sourced from the router's Ethernet 0 interface or from the workstation 9.3.3.10, you should not be able to reach the "Internet" or the 200.100.1.16/29 subnet.

You can now begin to configure NAT on the jpms_router. First, define the inside and outside networks. Figure 15-6 illustrates the inside and outside networks from the jpms_router's perspective. After defining the inside and outside networks, configure them by using the ip nat outside command on the serial interface and ip nat inside on the Ethernet interface.

Figure 15-6. DHS School District Inside and Outside Networks


The next step in configuring NAT is to ensure that IP routing exists between the pool and the dhs_router. You have the IP subnet 200.100.1.32/29 assigned to you from DHS. You must tell the jpms_router that this subnet exists on it. To accomplish this, use a loopback interface and assign the IP address 200.100.1.33 to it. Note that this is the only subnet that you have a static route to on the dhs_router.

The third step in configuring NAT is to define the range of addresses and protocols that get translated. In this case, you want to translate FTP and ICMP to only one host, 200.100.1.18, when going to the 200.100.1.16/29 subnet. You also want to translate any addresses destined toward the Internet. To achieve this, use a route map on the ip nat inside source command. The route map can call an extended access list, where you can make decisions on specific traffic types. You also must use the pool keyword on this command. Example 15-13 demonstrates the command, along with the route map and access list needed on the jpms_router.

Example 15-13 Configuring the Addresses and Protocols to Be Translated
  jpms_router(config)# ip nat inside source route-map trans_nat pool legalpool
  jpms_router(config)# route-map trans_nat permit 10
  jpms_router(config-route-map)# match ip address 101
  jpms_router(config-route-map)# exit
  jpms_router(config)# access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo
  jpms_router(config)# access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo-reply
  jpms_router(config)# access-list 101 permit tcp 9.3.3.0 0.0.0.255 host 200.100.1.18 eq ftp
  jpms_router(config)# access-list 101 deny ip 9.3.3.0 0.0.0.255 200.100.1.16 0.0.0.7
  jpms_router(config)# access-list 101 permit ip 9.3.3.0 0.0.0.255 any

The last step is to define and configure your NAT pool. Because you do not want to translate the host address of the loopback interface, the pool will have a starting address of 200.100.1.34 and an ending address of 200.100.1.38, ignoring the broadcast address of 200.100.1.39. Using the following command, you can configure the NAT pool, called legalpool:

  jpms_router(config)# ip nat pool legalpool 200.100.1.34 200.100.1.38 netmask 255.255.255.248

Example 15-14 provides the entire configuration for the jpms_router.

Example 15-14 Configuration of the jpms_router
  hostname jpms_router
  !
  <<<text omitted>>>
  !
  interface Loopback20
   ip address 200.100.1.33 255.255.255.248
   no ip directed-broadcast
  !
  interface Ethernet0
   ip address 9.3.3.1 255.255.255.0
   no ip directed-broadcast
   ip nat inside
  !
  interface Serial0
   ip address 192.168.11.6 255.255.255.252
   no ip directed-broadcast
   ip nat outside
   no ip mroute-cache
  !
  <<<text omitted>>>
  !
  ip nat pool legalpool 200.100.1.34 200.100.1.38 netmask 255.255.255.248
  ip nat inside source route-map trans_nat pool legalpool
  ip classless
  ip route 0.0.0.0 0.0.0.0 192.168.11.5
  !
  access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo
  access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo-reply
  access-list 101 permit tcp 9.3.3.0 0.0.0.255 host 200.100.1.18 eq ftp
  access-list 101 deny   ip 9.3.3.0 0.0.0.255 200.100.1.16 0.0.0.7
  access-list 101 permit ip 9.3.3.0 0.0.0.255 any
  route-map trans_nat permit 10
   match ip address 101
  jpms_router#
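To see exactly which flows the route map hands to the pool, the following Python model (added here; it is not the book's code and not an IOS data structure) implements Cisco wildcard-mask matching and walks access-list 101 the way the router does: first match wins, implicit deny at the end, and only a permit selects the route-map clause and therefore a translation. The ACL builder takes the FTP port as a parameter so that the same check works for the rebuilt list with eq 2021 later in the lab; the tuple layout and protocol/ICMP-type names are my own representation.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'
    (the inverse of a subnet mask, so 0.0.0.7 covers a /29)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def build_acl_101(ftp_port: int):
    """Access-list 101 from the lab as (action, proto, src, src_wc, dst, dst_wc, extra).
    'host x' is x with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255.
    ICMP type 8 is echo, type 0 is echo-reply. 'eq ftp' is port 21."""
    return [
        ("permit", "icmp", "9.3.3.0", "0.0.0.255", "200.100.1.18", "0.0.0.0", {"icmp_type": 8}),
        ("permit", "icmp", "9.3.3.0", "0.0.0.255", "200.100.1.18", "0.0.0.0", {"icmp_type": 0}),
        ("permit", "tcp",  "9.3.3.0", "0.0.0.255", "200.100.1.18", "0.0.0.0", {"dport": ftp_port}),
        ("deny",   "ip",   "9.3.3.0", "0.0.0.255", "200.100.1.16", "0.0.0.7", {}),
        ("permit", "ip",   "9.3.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", {}),
    ]

def acl_decision(acl, proto, src, dst, dport=None, icmp_type=None) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, p, s, swc, d, dwc, extra in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        # An entry without a port/type qualifier matches any port/type.
        if extra.get("dport", dport) != dport or extra.get("icmp_type", icmp_type) != icmp_type:
            continue
        return action
    return "deny"

def nat_translates(acl, proto, src, dst, dport=None, icmp_type=None) -> bool:
    """'ip nat inside source route-map trans_nat pool legalpool' with
    'route-map trans_nat permit 10 / match ip address 101': a permit from
    ACL 101 selects the clause and the packet gets a pool address; a deny,
    explicit or implicit, leaves the packet untranslated (source stays 9.3.3.x)."""
    return acl_decision(acl, proto, src, dst, dport, icmp_type) == "permit"
```

With the original list, an echo to 200.100.1.18 and TCP 21 are translated, while a ping to the dhs_router Ethernet address 200.100.1.17 or a TCP connection to port 2021 hits the deny entry and leaves untranslated, which is why the workstation can reach the server but not the router's Ethernet port.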

You can now test the configuration with the workstation 9.3.3.10 on the jpms_router. To properly test this particular NAT configuration, you need two IP workstations. The one on the dhs_router will be running FTP server software, and the workstation on the jpms_router will be configured as the FTP client. Ping the FTP server from the client workstation. You should be able to ping the server but not the Ethernet port of the dhs_router. You should also be able to ping the address 198.133.219.25. Test the FTP portion of the configuration by initiating an FTP session from the client to the server.

Be sure that you can transfer a file across the network. If you are having problems, ensure that the dhs_router can reach the IP pool on the jpms_router. We are not running any routing protocols, so the routers, servers, and stations that you are using for this test need to have the appropriate default or static routing to gain reachability. Verify that your route map calls the correct access list. Use the show access-list command to ensure that your access list is taking hits and is properly configured. In addition, be sure that your NAT pool host addresses are on the same subnet as your loopback interface. This "anchors" the subnet to that router and eventually to the NAT pool. Example 15-15 lists the show commands illustrating NAT translations while testing the network.

Example 15-15 Configuring NAT Inside and Out
  jpms_router# show ip nat trans
  Pro Inside global      Inside local       Outside local      Outside global
  icmp 200.100.1.33:512  9.3.3.10:512       200.100.1.18:512   200.100.1.18:512
  tcp 200.100.1.33:1076  9.3.3.10:1076      200.100.1.18:21    200.100.1.18:21
  tcp 200.100.1.33:1077  9.3.3.10:1077      200.100.1.18:20    200.100.1.18:20
  tcp 200.100.1.33:1072  9.3.3.10:1072      200.100.1.18:21    200.100.1.18:21
  jpms_router#
  jpms_router# show ip nat stat
  Total active translations: 1 (0 static, 1 dynamic; 1 extended)
  Outside interfaces:
    Serial0
  Inside interfaces:
    Ethernet0
  Hits: 3727  Misses: 87
  Expired translations: 89
  Dynamic mappings:
  -- Inside Source
  route-map trans_nat pool legalpool refcount 1
   pool legalpool: netmask 255.255.255.248
          start 200.100.1.33 end 200.100.1.38
          type generic, total addresses 6, allocated 1 (16%), misses 0
  jpms_router#
  jpms_router# show access-lists
  Extended IP access list 101
      permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo (1 match)
      permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo-reply
      permit tcp 9.3.3.0 0.0.0.255 host 200.100.1.18 eq ftp (2 matches)
      deny ip 9.3.3.0 0.0.0.255 200.100.1.16 0.0.0.7 (4 matches)
      permit ip 9.3.3.0 0.0.0.255 any (1 match)
  jpms_router#

The optional portion of this lab illustrates some newer NAT features that Cisco has introduced to deal with well-known applications that carry an IP address inside the data stream. FTP is one such application. Because FTP is so well known, when a Cisco router identifies port number 21 in a NAT translation, it modifies the data portion of the packet as well as the IP header and checksums. This solution works well as long as FTP operates on port 21. When FTP connections occur on a port other than 21, NAT cannot properly handle the packet. Example 15-16 shows the debug ip nat detailed output of a packet failing to be translated properly.

Example 15-16 debug ip nat detailed List of an FTP Port Failure
  jpms_router# debug ip nat detailed
  IP NAT detailed debugging is on
  jpms_router#
  11:36:27: NAT: i: udp (9.3.3.10, 1154) -> (206.191.193.1, 53) [36138]
  11:36:27: NAT: i: udp (9.3.3.10, 1154) -> (204.221.151.213, 53) [36394]
  11:36:27: NAT: o: icmp (192.168.11.5, 53) -> (200.100.1.33, 1154) [524]
  11:36:31: NAT: i: udp (9.3.3.10, 1154) -> (206.191.193.1, 53) [36650]
  11:36:31: NAT: i: udp (9.3.3.10, 1154) -> (204.221.151.213, 53) [36906]
  11:36:31: NAT: o: icmp (192.168.11.5, 53) -> (200.100.1.33, 1154) [525]
  11:36:38: NAT: i: tcp (9.3.3.10, 1155) -> (200.100.1.18, 2021) [37162]
  11:36:41: NAT: i: tcp (9.3.3.10, 1155) -> (200.100.1.18, 2021) [37418]
  11:36:47: NAT: i: tcp (9.3.3.10, 1155) -> (200.100.1.18, 2021) [37674]
  11:36:59: NAT: i: tcp (9.3.3.10, 1155) -> (200.100.1.18, 2021) [37930]
  11:37:24: NAT: i: tcp (9.3.3.10, 1156) -> (200.100.1.18, 2021) [38442]
  11:37:27: NAT: i: tcp (9.3.3.10, 1156) -> (200.100.1.18, 2021) [38698]
  11:37:31: NAT: deleting alias for 200.100.1.33
  11:37:33: NAT: i: tcp (9.3.3.10, 1156) -> (200.100.1.18, 2021) [38954]
  11:37:45: NAT: i: tcp (9.3.3.10, 1156) -> (200.100.1.18, 2021) [39210]
  11:38:11: NAT: i: tcp (9.3.3.10, 1157) -> (200.100.1.18, 2021) [39466]
  11:38:14: NAT: i: tcp (9.3.3.10, 1157) -> (200.100.1.18, 2021) [39722]
  11:38:20: NAT: i: tcp (9.3.3.10, 1157) -> (200.100.1.18, 2021) [39978]
  11:38:32: NAT: i: tcp (9.3.3.10, 1157) -> (200.100.1.18, 2021) [40234]
  11:40:09: NAT: i: udp (9.3.3.10, 1158) -> (206.191.193.1, 53) [40490]
  11:40:09: NAT: map match trans_nat
  11:40:09: NAT: installing alias for address 200.100.1.33
  11:40:09: NAT: alias insert failed for 200.100.1.33

The inbound interface never receives a packet back from 200.100.1.18. Compare this output to Example 15-17, where you have a successful connection to an FTP server on port 21.

Example 15-17 A Successful FTP NAT Translation, Listed by debug ip nat detailed
  jpms_router# debug ip nat detailed
  IP NAT detailed debugging is on
  jpms_router#
  11:33:03: NAT: created edit_context (9.3.3.10,1145) -> (200.100.1.18,21)
  11:33:03: NAT: o: tcp (200.100.1.18, 21) -> (200.100.1.33, 1145) [40457]
  11:33:03: NAT: i: tcp (9.3.3.10, 1145) -> (200.100.1.18, 21) [11791]
  11:33:03: NAT: o: tcp (200.100.1.18, 21) -> (200.100.1.33, 1145) [40713]
  11:33:03: NAT: i: tcp (9.3.3.10, 1145) -> (200.100.1.18, 21) [12047]
  11:33:03: NAT: o: tcp (200.100.1.18, 21) -> (200.100.1.33, 1145) [41225]
  11:33:03: NAT: i: tcp (9.3.3.10, 1145) -> (200.100.1.18, 21) [12303]
  11:33:03: NAT: o: tcp (200.100.1.18, 21) -> (200.100.1.33, 1145) [41481]
  11:33:03: NAT: i: tcp (9.3.3.10, 1145) -> (200.100.1.18, 21) [12559]

Here, you are receiving inbound and outbound requests to 200.100.1.18 on port 21, demonstrating a successful translation.

To allow FTP through NAT on a port other than 21, use the ip nat service command and add an access list identifying the FTP hosts. In this lab, you also have to modify your access list to include TCP port 2021. Example 15-18 shows the configuration changes.

Example 15-18 Using Nonstandard FTP Port Numbers and NAT
  jpms_router(config)# ip nat service list 1 ftp tcp port 2021
  jpms_router(config)# access-list 1 permit 200.100.1.18
  jpms_router(config)# no access-list 101
  jpms_router(config)# access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo
  jpms_router(config)# access-list 101 permit icmp 9.3.3.0 0.0.0.255 host 200.100.1.18 echo-reply
  jpms_router(config)# access-list 101 permit tcp 9.3.3.0 0.0.0.255 host 200.100.1.18 eq 2021
  jpms_router(config)# access-list 101 deny ip 9.3.3.0 0.0.0.255 200.100.1.16 0.0.0.7
  jpms_router(config)# access-list 101 permit ip 9.3.3.0 0.0.0.255 any

NAT now recognizes that port 2021 to host 200.100.1.18 is an FTP control connection, and it makes the necessary modifications to support that protocol. Example 15-19 lists the output from debug ip nat detailed, showing FTP on port 2021 being translated successfully.

Example 15-19 debug ip nat detailed List of FTP on Port 2021
  11:48:17: NAT: i: tcp (9.3.3.10, 1164) -> (200.100.1.18, 2021) [52266]
  11:48:17: NAT: o: tcp (200.100.1.18, 2021) -> (200.100.1.33, 1164) [4645]
  11:48:17: NAT: i: tcp (9.3.3.10, 1164) -> (200.100.1.18, 2021) [52522]
  11:48:17: NAT: o: tcp (200.100.1.18, 2021) -> (200.100.1.33, 1164) [5157]
  11:48:17: NAT: i: tcp (9.3.3.10, 1164) -> (200.100.1.18, 2021) [52778]
  11:48:17: NAT: o: tcp (200.100.1.18, 2021) -> (200.100.1.33, 1164) [5413]
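What the FTP application-layer gateway actually does to the data stream, shown as an added Python model (not the book's code and not IOS source): the FTP PORT command carries the client's own address, so NAT must rewrite 9.3.3.10 to the inside global 200.100.1.33 and then compensate for the changed payload length in the TCP sequence and acknowledgement numbers of the rest of the flow. The `alg` rule table is my stand-in for the default port-21 inspection and for the effect of ip nat service list 1 ftp tcp port 2021 together with access-list 1 permit 200.100.1.18; the sample PORT command is constructed.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

# Stand-ins for the IOS settings: control port -> servers whose FTP is inspected
# (None = any server). Port 21 is inspected by default; the lab's
# 'ip nat service list 1 ftp tcp port 2021' plus 'access-list 1 permit 200.100.1.18'
# adds port 2021 for that one server.
DEFAULT_ALG = {21: None}
LAB_ALG = {21: None, 2021: {"200.100.1.18"}}

def parse_port_cmd(payload: bytes):
    """Return (ip, port) carried in a PORT command, or None if it is not one."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port_cmd(ip: str, port: int) -> bytes:
    """Encode an address and port back into PORT syntax."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()

def ftp_alg_rewrite(payload, inside_local, inside_global, server, dport, alg=DEFAULT_ALG):
    """Model of NAT's FTP ALG on an inside-to-outside control segment.
    Returns (new_payload, seq_delta). seq_delta is what NAT must add to the
    sequence numbers of later client segments (and subtract from the server's
    ACKs) because the rewritten command is longer or shorter than the original;
    checksums are recomputed as for any translated packet. A control port the
    ALG does not inspect is left alone, so the private address reaches the
    server inside the data and the data connection cannot be set up."""
    if dport not in alg:
        return payload, 0
    servers = alg[dport]
    if servers is not None and server not in servers:
        return payload, 0
    parsed = parse_port_cmd(payload)
    if parsed is None or parsed[0] != inside_local:
        return payload, 0
    rewritten = build_port_cmd(inside_global, parsed[1])
    return rewritten, len(rewritten) - len(payload)
```

Under the default rules a PORT command on a control connection to 2021 passes through unchanged, which is the situation in Example 15-16; with the lab rules it is rewritten exactly as it would be on port 21, and the four-byte growth from 9,3,3,10 to 200,100,1,33 is what NAT has to track for the rest of the session.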


CCIE Practical Studies, Volume I
ISBN: 1587200023
Year: 2001
Pages: 283
Authors: Karl Solie