1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Dynamic NAT

Discussion in 'General Cisco Certifications' started by Headache, Mar 5, 2007.

  1. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    I'm trying to figure out how to build a lab to configure dynamic NAT, but so far it's proving to be something of a pain in the ass.

    The thing I'm thinking of doing is using router-on-a-stick to create lots of sub-interfaces on one router to use as inside local addresses and then creating lots of sub-interfaces on a second router to use as outside local addresses.

    My question is, since the new sub-interfaces on both routers are intended to be used only as local addresses, can I get by without using a switch ? Because I really don't want to go into the hassle of creating loads of Vlans that I don't particularly need.

    My second question is, if it turns out that I really do have to use a switch, can I put all the sub-interfaces on a single Vlan ? Or would that basically screw up connectivity between the two routers ?

    Any help would be appreciated.
     
    Certifications: CCNA
    WIP: CCNP
  2. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Another question just occured to me. If router-on-stick doesn't work, can I use loopback addresses instead ?

    Cheers.
     
    Certifications: CCNA
    WIP: CCNP
  3. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Is anyone home ?
     
    Certifications: CCNA
    WIP: CCNP
  4. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    5,369
    85
    190
    dunno... is the light on?
     
  5. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Headache,

    First thing, the NAT process must be contained within a single router.

    Second, the "router on a stick" requires a switch with VLAN capabilities connected to the single router port. So I am interested in how you're intending to implement "router on a stick" by avoiding using a switch.

    Third, multiple subinterfaces are not required for NAT. You need at least two, one that you designate as the inside, and one that you designate as the outside.

    Fourth, the main purpose of subinterfacing on the "router on a stick" is to route between multiple VLANs on a VLAN capable switch or switches. The purpose of NAT is to translate the source IP address field in the IP packet header. The subinterfaces on a router helps in the routing process of the packets between VLANs, whether NAT is off or on. What NAT does when the bits are decapsulated to the packet level, is to substitute the inside local source IP address field in the packet with the inside global NAT source IP address into the field. Then the router routes the packet like normal.

    My suggestion to help understand NAT is to first learn how basic routing works by designing and implementing two separate networks on two sides of a router. Then try to get a host on network 1 to ping a host in network 2 then a host in network 2 to ping a host in network 1. Give that a try then post back.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  6. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Headache,

    A loopback address is not used with VLANs or NAT.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  7. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    I will config up a lab tomorrow night, post the config and draw it on the white board for ya. I need the practice anyways. :D

    In a basic unix class this week...for work. They took me away from networking as my primary role...I guess they needed me on 1st level unix troubleshooting...ack. Unix is surprisingly interesting I must say.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  8. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    If they also pay for your Unix training really go for it as Unix support tends to be a specialised, demanding and interesting area that pays really well usually.

    I would interested in seeing your config also...as I am doing something in this space later this year...

    supag33k
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  9. Headache

    Headache Gigabyte Poster

    1,092
    9
    85

    R.h.Lee I understand what you are saying.

    Let me try to explain myself a bit better. I'm trying to simulate DYNAMIC nat, not static nat.

    To do this I need a ready pool of about half a dozen ip addresses from somewhere to use as my inside local addresses on the router. And I want these addresses to show up when you enter "show ip nat translations".

    Considering I don't have multiple DTEs to work with, my question is, where do I find the addresses to fulfill this role ?

    The only ways I know is to create virtual ip addresses on a router using router-on-a-stick and loopback addresses.

    I'm not getting these mixed up with network address translation or Vlans or anything like that. I just need a pool of about half a dozen ip addresses that I can use to configure dynamic Nat. That's all.

    To illustrate:

    sh ip int brief
    Interface IP-Address OK? Method Status Protocol
    FastEthernet0/0 unassigned YES NVRAM up up

    FastEthernet0/0.1 172.18.1.11 YES manual up up

    FastEthernet0/0.2 172.18.2.12 YES manual up up

    FastEthernet0/0.3 172.18.3.13 YES manual up up

    FastEthernet0/0.4 172.18.4.14 YES manual up up

    FastEthernet0/0.5 172.18.5.15 YES manual up up

    FastEthernet0/0.6 172.18.6.16 YES manual up up

    Serial0/0 172.16.1.1 YES NVRAM up up

    Serial0/1 201.21.21.1 YES NVRAM administratively down down

    FastEthernet1/0 172.17.1.1 YES NVRAM administratively down down

    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#ip nat inside source list 1 pool nat-pool
    R1(config)#access-list 1 permit 172.18.1.11 0.0.5.255
    R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip nat inside
    R1(config-if)#interface serial 0/0
    R1(config-if)#ip nat outside
    R1(config-if)#exit
    R1(config)#exit
    R1#
    00:20:20: %SYS-5-CONFIG_I: Configured from console by console
    R1#show ip nat translations
     
    Certifications: CCNA
    WIP: CCNP
  10. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    UPDATE:

    Still haven't figured out a way to build a proper lab for dynamic NAT yet. I've tried my hand at router-on-a-stick, but I didn't get very far.

    First, I set up 6 vlans on my switch and assigned ip addresses to them. My intention was to reserve these addresses for my dynamic NAT configs.

    Second, I assigned 6 sub-interfaces to my router to compliment the Vlans.

    Third, I tested connectivity using ping and sh arp. Connectivity was okay.

    Fourth, I configured dynamic Nat using the Vlans for my inside local addresses and used the class C range 215.15.15.1/25 - 215.15.15.5/25 for my inside global addresses.

    After all of that I tried viewing the results using "show ip nat transactions", but nothing came of it.

    CONCLUSION:

    Dynamic Nat doesn't do virtual addresses.

    I've set out my configs below. Maybe somebody else has a better idea.

    SWITCH

    conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    3550/1(config)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 1
    3550/1(config-if)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 2
    3550/1(config-if)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 3
    3550/1(config-if)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 4
    3550/1(config-if)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 5
    3550/1(config-if)#int fa0/1
    3550/1(config-if)#switchport mode access
    3550/1(config-if)#switchport access vlan 6
    3550/1(config-if)#switchport trunk encapsulation dot1q
    3550/1(config-if)#switchport mode trunk
    3550/1(config-if)#speed 100
    3550/1(config-if)#duplex full
    3550/1(config-if)#int vlan 1
    3550/1(config-if)#ip address 172.18.1.10 255.255.255.128
    3550/1(config-if)#no shut
    3550/1(config-if)#int vlan 2
    3550/1(config-if)#ip address 172.18.2.11 255.255.255.128
    3550/1(config-if)#no shut
    3550/1(config-if)#int vlan 3
    3550/1(config-if)#ip address 172.18.3.12 255.255.255.128
    3550/1(config-if)#no shut
    3550/1(config-if)#int vlan 4
    3550/1(config-if)#ip address 172.18.4.13 255.255.255.128
    3550/1(config-if)#no shut
    3550/1(config-if)#int vlan 5
    3550/1(config-if)#ip address 172.18.5.14 255.255.255.128
    3550/1(config-if)#no shut
    3550/1(config-if)#int vlan 6
    3550/1(config-if)#ip address 172.18.6.15 255.255.255.128
    3550/1(config-if)#no shut


    ROUTER

    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#int fa0/0
    R1(config-if)#duplex full
    R1(config-if)#speed 100
    R1(config-if)#no shut
    R1(config-if)#int fa0/0.1
    R1(config-subif)#encapsulation dot1q 1
    R1(config-subif)#ip address 172.18.1.16 255.255.255.128
    R1(config-subif)#no shut
    R1(config-subif)#int fa0/0.2
    R1(config-subif)#encapsulation dot1q 2
    R1(config-subif)#ip address 172.18.2.17 255.255.255.128
    R1(config-subif)#no shut
    R1(config-subif)#int fa0/0.3
    R1(config-subif)#encapsulation dot1q 3
    R1(config-subif)#ip address 172.18.3.18 255.255.255.128
    R1(config-subif)#no shut
    R1(config-subif)#int fa0/0.4
    R1(config-subif)#encapsulation dot1q 4
    R1(config-subif)#no shut
    R1(config-subif)#ip address 172.18.4.19 255.255.255.128
    R1(config-subif)#int fa0/0.5
    R1(config-subif)#encapsulation dot1q 5
    R1(config-subif)#ip address 172.18.5.20 255.255.255.128
    R1(config-subif)#no shut
    R1(config-subif)#int fa0/0.6
    R1(config-subif)#encapsulation dot1q 6
    R1(config-subif)#ip address 172.18.6.21 255.255.255.128
    R1(config-subif)#no shut
    R1(config-subif)#^Z

    sh arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 172.18.4.19 - 0009.e84a.7e20 ARPA FastEthernet0/0.4
    Internet 172.18.6.21 - 0009.e84a.7e20 ARPA FastEthernet0/0.6
    Internet 172.18.2.17 - 0009.e84a.7e20 ARPA FastEthernet0/0.2
    Internet 172.18.5.20 - 0009.e84a.7e20 ARPA FastEthernet0/0.5
    Internet 172.18.3.18 - 0009.e84a.7e20 ARPA FastEthernet0/0.3
    Internet 172.18.1.16 - 0009.e84a.7e20 ARPA FastEthernet0/0.1
    Internet 172.18.3.12 2 0011.2022.3000 ARPA FastEthernet0/0.3
    Internet 172.18.5.14 1 0011.2022.3000 ARPA FastEthernet0/0.5
    Internet 172.18.6.15 1 0011.2022.3000 ARPA FastEthernet0/0.6
    Internet 172.18.4.13 1 0011.2022.3000 ARPA FastEthernet0/0.4
    Internet 172.18.2.11 2 0011.2022.3000 ARPA FastEthernet0/0.2

    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#ip nat inside source list 1 pool nat-pool
    R1(config)#access-list 1 permit 172.18.1.10 0.0.5.255
    R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip nat inside
    R1(config-if)#interface serial 0/0
    R1(config-if)#ip nat outside
    R1(config-if)#exit
    R1(config)#
    R1(config)#^Z
    R1#s
    00:05:20: %SYS-5-CONFIG_I: Configured from console by console

    R1#sh ip nat translations
     
    Certifications: CCNA
    WIP: CCNP
  11. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  12. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Thanks NetEyeBall. I'll have a read through and see what's what.
     
    Certifications: CCNA
    WIP: CCNP
  13. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Headache,

    It seems like you're having the classic problem of understanding the difference between ROUTING protocols and ROUTED protocols.

    Whether you're using static NAT or dynamic NAT, the purpose is to SUBSTITUTE the "Source IP address" field in the IP Packet header from the inside local IP address to the inside global IP address.

    So let's say a host with an inside local IP address sends a frame that's destined to an Internet destination. So on the host, the data is encapsulated all the way down to bits. The bits are transmitted by a cable to the switch. The switch decapsulates the bits to frames, inspects the destination MAC address and decides to forward the frame towards the router. The switch then encapsulates the frames into bits then sends the bits towards the router. The router port receives the bits, decapsulates the bits to a frame, then decapsulates the frame to the packet. This is the critical part. Whether you're using static NAT or dynamic NAT, the router does some surgery by removing the source IP address (e.g. 192.168.1.100) that is the inside local IP address field of the IP packet header then replacing the inside local source IP address with the inside global source IP address. In the case of static NAT, the inside global source IP address is based on the static NAT statement in your running-config. In the case of dynamic NAT with overloading, the inside local source IP address (e.g. 192.168.1.100) is replaced by the IP address assigned to the router interface that is connected to the Internet (aka the public IP address of your router). In the case of dynamic NAT with a pool of addresses, the router picks an available inside global IP address from the pool and substitutes the inside local source IP address of the packet (e.g. 192.168.1.100) with one of the available inside global IP addresses (To prevent conflict with legitimate IP addresses, let's assume the Internet is represented by the Class B private IP scheme) which range from 172.16.0.2 through 172.16.0.254. Let's say 172.16.0.100 is available, so the dynamic NAT process replaces the source IP address field of 192.168.1.100 with 172.16.0.100. Then the packet is encapsulated from the IP packet to a frame, then the frame is encapsulated from a frame to bits, then it's FORWARDED out of the router's port that's connected to the Internet. NOTE WELL, it is the source IP address field of the IP packet that is modified by NAT then routed by the router so you DON'T need to assign multiple IP addresses to subinterfaces of the router's interface/port that's facing (pun intended) the Internet.

    So to answer your direct questions, you "find" the addresses to fulfill the role by defining the IP address range pool that's used in the dynamic NAT configuration line.

    Creating a router-on-a-stick will NOT be a solution to your implementation of dynamic NAT because router-on-a-stick is used to help route the packets between the VLANs on a VLAN capable switch. The IP addresses assigned to the router's subinterfaces are the "default gateways" for the VLANs on the VLAN capable switch.

    Using loopback addresses won't help because the purpose of NAT is to route from one sub/network to another sub/network while substituting the source IP address in the source IP address field of the IP packet header. Almost by definition, the loopback interface "loops back" out of the router then back into the router. It's as if there is a crossover cable connected from the router to itself.

    Based on your reply, I do believe that you are confusing NAT with VLANs.

    BTW,
    Code:
    R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128
    
    I hope you have the permission of the true owners of that IP range for you to be "practicing" the configuration of dynamic NAT. I recommend using a private IP range for practice.

    I still recommend first setting up basic routing between two sub/networks. Then after that is working then add the dynamic NAT features on top of that.

    I hope this helps.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  14. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Ok. I set up Router1 with Nat translating all inside IPs (192.168.1.0 /24) to outside IP (150.140.130.2)

    Current configuration : 1079 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    no logging console
    !
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    !
    !
    ip audit po max-events 100
    !
    !
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    speed 100
    full-duplex
    !
    interface Serial1/0
    no ip address
    shutdown
    !
    interface Serial1/1
    ip address 150.140.130.2 255.255.255.252
    ip nat outside
    clock rate 64000
    !
    interface Serial1/2
    no ip address
    shutdown
    !
    interface Serial1/3
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 150.140.130.0 0.0.0.3 area 0
    network 192.168.1.0 0.0.0.255 area 0
    !
    ip nat pool ovrld 150.140.130.2 150.140.130.2 prefix-length 30
    ip nat inside source list 99 pool ovrld overload
    no ip http server
    no ip http secure-server
    ip classless
    !
    !
    access-list 99 permit 192.168.1.0 0.0.0.255
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end



    Debug on the Nat Translation:

    *Mar 1 00:42:03.547: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [52]
    *Mar 1 00:42:03.563: NAT: s=150.140.130.1, d=150.140.130.2->192.168.1.2 [359]
    *Mar 1 00:42:03.567: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [53]
    *Mar 1 00:42:03.583: NAT: s=150.140.130.1, d=150.140.130.2->192.168.1.2 [360]
    *Mar 1 00:42:03.587: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [54]
    *Mar 1 00:42:03.615: NAT: s=110.5.6.1, d=150.140.130.2->192.168.1.2 [156]
    *Mar 1 00:42:21.695: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [61]
    *Mar 1 00:42:21.727: NAT: s=110.5.6.1, d=150.140.130.2->192.168.1.2 [159]
    *Mar 1 00:42:21.731: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [62]

    [​IMG]
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  15. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Great Lab, NetEyeBall.

    As always.

    I'll have a play around and see if I can put together something similar.
     
    Certifications: CCNA
    WIP: CCNP
  16. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    I'm always open to advice, r.h.lee. So every little bit helps.

    Thanks.
     
    Certifications: CCNA
    WIP: CCNP
  17. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Hi NetEyeBall,

    I took a look at your configs just now and took my lab out for a quick spin. I found the configs very useful, thanks. I'm still having problems with debug output. I have full connectivity, so that isn't the problem. Maybe it's because I'm not yet clear on load distribution.

    Like I said, big pain in the ass.



    interface Serial0/0
    bandwidth 1544
    ip address 172.16.1.1 255.255.255.128
    no ip directed-broadcast
    ip nat outside
    clockrate 64000
    !
    !
    interface FastEthernet1/0
    ip address 192.168.1.2 255.255.255.0
    no ip directed-broadcast
    ip nat inside
    speed 100
    full-duplex
    !
    router ospf 1
    network 172.16.1.0 0.0.0.127 area 0
    network 192.168.1.0 0.0.0.255 area 0
    !
    ip nat pool nat-pool 172.16.1.1 172.16.1.1 netmask 255.255.255.128
    ip nat inside source list 1 pool nat-pool overload
    ip classless
    no ip http server
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit
    --More--


    00:23:08: NAT: i: ospf (172.16.1.1, 0) -> (224.0.0.5, 0) [1175]
    00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [376]
    00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [376]
    00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [276]
    00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [341]
    00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [377]
    00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [377]
    00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [277]
    00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [342]
    00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [378]
    00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [378]
    00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [379]
    00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [379]
    00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [278]
    00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [343]
     
    Certifications: CCNA
    WIP: CCNP
  18. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Glad to hear it helped. I want to play around with static nat as well.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall

Share This Page

Loading...