Dynamic NAT

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I'm trying to figure out how to build a lab to configure dynamic NAT, but so far it's proving to be something of a pain in the ass.

The thing I'm thinking of doing is using router-on-a-stick to create lots of sub-interfaces on one router to use as inside local addresses and then creating lots of sub-interfaces on a second router to use as outside local addresses.

My question is, since the new sub-interfaces on both routers are intended to be used only as local addresses, can I get by without using a switch ? Because I really don't want to go into the hassle of creating loads of Vlans that I don't particularly need.

My second question is, if it turns out that I really do have to use a switch, can I put all the sub-interfaces on a single Vlan ? Or would that basically screw up connectivity between the two routers ?

Any help would be appreciated.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Another question just occured to me. If router-on-stick doesn't work, can I use loopback addresses instead ?

Cheers.

 

Is anyone home ?

 

dunno... is the light on?

 

Headache,

First thing, the NAT process must be contained within a single router.

Second, the "router on a stick" requires a switch with VLAN capabilities connected to the single router port. So I am interested in how you're intending to implement "router on a stick" by avoiding using a switch.

Third, multiple subinterfaces are not required for NAT. You need at least two, one that you designate as the inside, and one that you designate as the outside.

Fourth, the main purpose of subinterfacing on the "router on a stick" is to route between multiple VLANs on a VLAN capable switch or switches. The purpose of NAT is to translate the source IP address field in the IP packet header. The subinterfaces on a router helps in the routing process of the packets between VLANs, whether NAT is off or on. What NAT does when the bits are decapsulated to the packet level, is to substitute the inside local source IP address field in the packet with the inside global NAT source IP address into the field. Then the router routes the packet like normal.

My suggestion to help understand NAT is to first learn how basic routing works by designing and implementing two separate networks on two sides of a router. Then try to get a host on network 1 to ping a host in network 2 then a host in network 2 to ping a host in network 1. Give that a try then post back.

 

Headache,

A loopback address is not used with VLANs or NAT.

 

I will config up a lab tomorrow night, post the config and draw it on the white board for ya. I need the practice anyways.

In a basic unix class this week...for work. They took me away from networking as my primary role...I guess they needed me on 1st level unix troubleshooting...ack. Unix is surprisingly interesting I must say.

 

If they also pay for your Unix training really go for it as Unix support tends to be a specialised, demanding and interesting area that pays really well usually.

I would interested in seeing your config also...as I am doing something in this space later this year...

supag33k

 

R.h.Lee I understand what you are saying.

Let me try to explain myself a bit better. I'm trying to simulate DYNAMIC nat, not static nat.

To do this I need a ready pool of about half a dozen ip addresses from somewhere to use as my inside local addresses on the router. And I want these addresses to show up when you enter "show ip nat translations".

Considering I don't have multiple DTEs to work with, my question is, where do I find the addresses to fulfill this role ?

The only ways I know is to create virtual ip addresses on a router using router-on-a-stick and loopback addresses.

I'm not getting these mixed up with network address translation or Vlans or anything like that. I just need a pool of about half a dozen ip addresses that I can use to configure dynamic Nat. That's all.

To illustrate:

sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM up up

FastEthernet0/0.1 172.18.1.11 YES manual up up

FastEthernet0/0.2 172.18.2.12 YES manual up up

FastEthernet0/0.3 172.18.3.13 YES manual up up

FastEthernet0/0.4 172.18.4.14 YES manual up up

FastEthernet0/0.5 172.18.5.15 YES manual up up

FastEthernet0/0.6 172.18.6.16 YES manual up up

Serial0/0 172.16.1.1 YES NVRAM up up

Serial0/1 201.21.21.1 YES NVRAM administratively down down

FastEthernet1/0 172.17.1.1 YES NVRAM administratively down down

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat inside source list 1 pool nat-pool
R1(config)#access-list 1 permit 172.18.1.11 0.0.5.255
R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128
R1(config)#interface fastethernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#interface serial 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
R1#
00:20:20: %SYS-5-CONFIG_I: Configured from console by console
R1#show ip nat translations

 

UPDATE:

Still haven't figured out a way to build a proper lab for dynamic NAT yet. I've tried my hand at router-on-a-stick, but I didn't get very far.

First, I set up 6 vlans on my switch and assigned ip addresses to them. My intention was to reserve these addresses for my dynamic NAT configs.

Second, I assigned 6 sub-interfaces to my router to compliment the Vlans.

Third, I tested connectivity using ping and sh arp. Connectivity was okay.

Fourth, I configured dynamic Nat using the Vlans for my inside local addresses and used the class C range 215.15.15.1/25 - 215.15.15.5/25 for my inside global addresses.

After all of that I tried viewing the results using "show ip nat transactions", but nothing came of it.

CONCLUSION:

Dynamic Nat doesn't do virtual addresses.

I've set out my configs below. Maybe somebody else has a better idea.

SWITCH

conf t
Enter configuration commands, one per line. End with CNTL/Z.
3550/1(config)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 1
3550/1(config-if)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 2
3550/1(config-if)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 3
3550/1(config-if)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 4
3550/1(config-if)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 5
3550/1(config-if)#int fa0/1
3550/1(config-if)#switchport mode access
3550/1(config-if)#switchport access vlan 6
3550/1(config-if)#switchport trunk encapsulation dot1q
3550/1(config-if)#switchport mode trunk
3550/1(config-if)#speed 100
3550/1(config-if)#duplex full
3550/1(config-if)#int vlan 1
3550/1(config-if)#ip address 172.18.1.10 255.255.255.128
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 2
3550/1(config-if)#ip address 172.18.2.11 255.255.255.128
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 3
3550/1(config-if)#ip address 172.18.3.12 255.255.255.128
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 4
3550/1(config-if)#ip address 172.18.4.13 255.255.255.128
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 5
3550/1(config-if)#ip address 172.18.5.14 255.255.255.128
3550/1(config-if)#no shut
3550/1(config-if)#int vlan 6
3550/1(config-if)#ip address 172.18.6.15 255.255.255.128
3550/1(config-if)#no shut


ROUTER

Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#duplex full
R1(config-if)#speed 100
R1(config-if)#no shut
R1(config-if)#int fa0/0.1
R1(config-subif)#encapsulation dot1q 1
R1(config-subif)#ip address 172.18.1.16 255.255.255.128
R1(config-subif)#no shut
R1(config-subif)#int fa0/0.2
R1(config-subif)#encapsulation dot1q 2
R1(config-subif)#ip address 172.18.2.17 255.255.255.128
R1(config-subif)#no shut
R1(config-subif)#int fa0/0.3
R1(config-subif)#encapsulation dot1q 3
R1(config-subif)#ip address 172.18.3.18 255.255.255.128
R1(config-subif)#no shut
R1(config-subif)#int fa0/0.4
R1(config-subif)#encapsulation dot1q 4
R1(config-subif)#no shut
R1(config-subif)#ip address 172.18.4.19 255.255.255.128
R1(config-subif)#int fa0/0.5
R1(config-subif)#encapsulation dot1q 5
R1(config-subif)#ip address 172.18.5.20 255.255.255.128
R1(config-subif)#no shut
R1(config-subif)#int fa0/0.6
R1(config-subif)#encapsulation dot1q 6
R1(config-subif)#ip address 172.18.6.21 255.255.255.128
R1(config-subif)#no shut
R1(config-subif)#^Z

sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.18.4.19 - 0009.e84a.7e20 ARPA FastEthernet0/0.4
Internet 172.18.6.21 - 0009.e84a.7e20 ARPA FastEthernet0/0.6
Internet 172.18.2.17 - 0009.e84a.7e20 ARPA FastEthernet0/0.2
Internet 172.18.5.20 - 0009.e84a.7e20 ARPA FastEthernet0/0.5
Internet 172.18.3.18 - 0009.e84a.7e20 ARPA FastEthernet0/0.3
Internet 172.18.1.16 - 0009.e84a.7e20 ARPA FastEthernet0/0.1
Internet 172.18.3.12 2 0011.2022.3000 ARPA FastEthernet0/0.3
Internet 172.18.5.14 1 0011.2022.3000 ARPA FastEthernet0/0.5
Internet 172.18.6.15 1 0011.2022.3000 ARPA FastEthernet0/0.6
Internet 172.18.4.13 1 0011.2022.3000 ARPA FastEthernet0/0.4
Internet 172.18.2.11 2 0011.2022.3000 ARPA FastEthernet0/0.2

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat inside source list 1 pool nat-pool
R1(config)#access-list 1 permit 172.18.1.10 0.0.5.255
R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128
R1(config)#interface fastethernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#interface serial 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
R1(config)#^Z
R1#s
00:05:20: %SYS-5-CONFIG_I: Configured from console by console

R1#sh ip nat translations

 

You might want to check out the following:

http://www.cisco.com/warp/public/556/12.html

Seems like you are missing the overload command. Gotta run to work or will be late..but maybe the above info might help..

 

Thanks NetEyeBall. I'll have a read through and see what's what.

 

Headache,

It seems like you're having the classic problem of understanding the difference between ROUTING protocols and ROUTED protocols.

Whether you're using static NAT or dynamic NAT, the purpose is to SUBSTITUTE the "Source IP address" field in the IP Packet header from the inside local IP address to the inside global IP address.

So let's say a host with an inside local IP address sends a frame that's destined to an Internet destination. So on the host, the data is encapsulated all the way down to bits. The bits are transmitted by a cable to the switch. The switch decapsulates the bits to frames, inspects the destination MAC address and decides to forward the frame towards the router. The switch then encapsulates the frames into bits then sends the bits towards the router. The router port receives the bits, decapsulates the bits to a frame, then decapsulates the frame to the packet. This is the critical part. Whether you're using static NAT or dynamic NAT, the router does some surgery by removing the source IP address (e.g. 192.168.1.100) that is the inside local IP address field of the IP packet header then replacing the inside local source IP address with the inside global source IP address. In the case of static NAT, the inside global source IP address is based on the static NAT statement in your running-config. In the case of dynamic NAT with overloading, the inside local source IP address (e.g. 192.168.1.100) is replaced by the IP address assigned to the router interface that is connected to the Internet (aka the public IP address of your router). In the case of dynamic NAT with a pool of addresses, the router picks an available inside global IP address from the pool and substitutes the inside local source IP address of the packet (e.g. 192.168.1.100) with one of the available inside global IP addresses (To prevent conflict with legitimate IP addresses, let's assume the Internet is represented by the Class B private IP scheme) which range from 172.16.0.2 through 172.16.0.254. Let's say 172.16.0.100 is available, so the dynamic NAT process replaces the source IP address field of 192.168.1.100 with 172.16.0.100. Then the packet is encapsulated from the IP packet to a frame, then the frame is encapsulated from a frame to bits, then it's FORWARDED out of the router's port that's connected to the Internet. NOTE WELL, it is the source IP address field of the IP packet that is modified by NAT then routed by the router so you DON'T need to assign multiple IP addresses to subinterfaces of the router's interface/port that's facing (pun intended) the Internet.

So to answer your direct questions, you "find" the addresses to fulfill the role by defining the IP address range pool that's used in the dynamic NAT configuration line.

Creating a router-on-a-stick will NOT be a solution to your implementation of dynamic NAT because router-on-a-stick is used to help route the packets between the VLANs on a VLAN capable switch. The IP addresses assigned to the router's subinterfaces are the "default gateways" for the VLANs on the VLAN capable switch.

Using loopback addresses won't help because the purpose of NAT is to route from one sub/network to another sub/network while substituting the source IP address in the source IP address field of the IP packet header. Almost by definition, the loopback interface "loops back" out of the router then back into the router. It's as if there is a crossover cable connected from the router to itself.

Based on your reply, I do believe that you are confusing NAT with VLANs.

BTW,

Code:

R1(config)#ip nat pool nat-pool 215.15.15.1 215.15.15.5 netmask 255.255.255.128

I hope you have the permission of the true owners of that IP range for you to be "practicing" the configuration of dynamic NAT. I recommend using a private IP range for practice.

I still recommend first setting up basic routing between two sub/networks. Then after that is working then add the dynamic NAT features on top of that.

I hope this helps.

 

Ok. I set up Router1 with Nat translating all inside IPs (192.168.1.0 /24) to outside IP (150.140.130.2)

Current configuration : 1079 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
ip address 150.140.130.2 255.255.255.252
ip nat outside
clock rate 64000
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 150.140.130.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip nat pool ovrld 150.140.130.2 150.140.130.2 prefix-length 30
ip nat inside source list 99 pool ovrld overload
no ip http server
no ip http secure-server
ip classless
!
!
access-list 99 permit 192.168.1.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end



Debug on the Nat Translation:

*Mar 1 00:42:03.547: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [52]
*Mar 1 00:42:03.563: NAT: s=150.140.130.1, d=150.140.130.2->192.168.1.2 [359]
*Mar 1 00:42:03.567: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [53]
*Mar 1 00:42:03.583: NAT: s=150.140.130.1, d=150.140.130.2->192.168.1.2 [360]
*Mar 1 00:42:03.587: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [54]
*Mar 1 00:42:03.615: NAT: s=110.5.6.1, d=150.140.130.2->192.168.1.2 [156]
*Mar 1 00:42:21.695: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [61]
*Mar 1 00:42:21.727: NAT: s=110.5.6.1, d=150.140.130.2->192.168.1.2 [159]
*Mar 1 00:42:21.731: NAT: s=192.168.1.2->150.140.130.2, d=110.5.6.1 [62]

 

Great Lab, NetEyeBall.

As always.

I'll have a play around and see if I can put together something similar.

 

I'm always open to advice, r.h.lee. So every little bit helps.

Thanks.

 

Hi NetEyeBall,

I took a look at your configs just now and took my lab out for a quick spin. I found the configs very useful, thanks. I'm still having problems with debug output. I have full connectivity, so that isn't the problem. Maybe it's because I'm not yet clear on load distribution.

Like I said, big pain in the ass.



interface Serial0/0
bandwidth 1544
ip address 172.16.1.1 255.255.255.128
no ip directed-broadcast
ip nat outside
clockrate 64000
!
!
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
ip nat inside
speed 100
full-duplex
!
router ospf 1
network 172.16.1.0 0.0.0.127 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip nat pool nat-pool 172.16.1.1 172.16.1.1 netmask 255.255.255.128
ip nat inside source list 1 pool nat-pool overload
ip classless
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
--More--


00:23:08: NAT: i: ospf (172.16.1.1, 0) -> (224.0.0.5, 0) [1175]
00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [376]
00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [376]
00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [276]
00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [341]
00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [377]
00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [377]
00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [277]
00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [342]
00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [378]
00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [378]
00:23:09: NAT: o: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [379]
00:23:09: NAT: i: tcp (172.16.1.1, 13890) -> (172.16.1.2, 23) [379]
00:23:09: NAT: o: tcp (172.16.1.2, 23) -> (172.16.1.1, 13890) [278]
00:23:09: NAT: o: tcp (192.168.1.2, 23) -> (192.168.1.1, 61441) [343]

 

Glad to hear it helped. I want to play around with static nat as well.