NAT 10 Lab Tasks

This lab aims to configure static and dynamic Network Address Translation (NAT). The International Travel Agency needs 100 private IP addresses translated to public IP addresses. NAT will be configured on a router to translate the private IP addresses (192.168.1.0/24) to public addresses in the pool 200.200.100.128/25. One private address (192.168.1.2) will have a static NAT configuration, while other private addresses will be dynamically translated to public addresses drawn from the address pool. Default routes are configured pointing traffic to the NAT and ISP routers.

Ghulam Ishaq Khan Institute of Engineering Sciences & Technology

Faculty of Computer Science & Engineering

Lab 10

NAT Configuration

Objective
In this lab, static Network Address Translation (NAT) and dynamic NAT are configured.

Scenario
The International Travel Agency needs approximately 100 private IP addresses translated in a
one-to-one fashion with a pool of public IP addresses. To do this, ITA will use NAT translation with a
portion of its class C address space allocated by ISP1.

Step 1
Build and configure the network according to the diagram.
Use ping to test connectivity between the NAT and ISP1 routers, between the workstations and the
default gateway, and between WebServer and ISP1.

Step 2
Since no routing protocol will be enabled, configure a default route to the Internet on the NAT router:

NAT(config)#ip route 0.0.0.0 0.0.0.0 200.200.100.2

ISP1 needs to be able to reach hosts on the 192.168.1.0/24 network. But these hosts
will have their IP addresses translated to public IP addresses in the
200.200.100.128/25 network, so a static route to the 200.200.100.128/25 network is
required:

ISP1(config)#ip route 200.200.100.128 255.255.255.128 200.200.100.1

Step 3
Create a standard Access Control List that defines all Internal Users:

NAT(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Step 4
In this step, configure private and public address spaces to be used for NAT and configure the
translation:
The public address space 200.200.100.128/25 will be used as a pool to provide NAT translation for
the private IP addresses. To statically map the Internal User with IP address 192.168.1.2 pictured in
the diagram, enter the following command:

NAT(config)#ip nat inside source static 192.168.1.2 200.200.100.252

This static mapping has the advantage of allowing “external” users to always access the host
192.168.1.2 by way of the fixed IP address 200.200.100.252 (in addition to letting the 192.168.1.2
Internal User access the Internet). On the down side, this external accessibility is also viewed as a
security vulnerability. To allow the other hosts on the internal (private) network to reach the Internet,
translations will need to be made for those hosts as well. A list of static translations could be made
one by one, but a simpler alternative is to configure a pool of addresses and let the router make
one-to-one dynamic NAT translations for these hosts. For example, to map the non-statically mapped
hosts in the 192.168.1.0/24 network to public IP addresses in the range 200.200.100.129
to 200.200.100.250, proceed as follows:

NAT(config)#ip nat pool public 200.200.100.129 200.200.100.250 netmask 255.255.255.128
NAT(config)#ip nat inside source list 1 pool public

This provides a dynamic one-to-one NAT translation between public IP addresses in the “public” pool
and private IP addresses specified by access list 1. The Internal Users' IP addresses are configured
independently of the NAT translation. Dynamic NAT translations are made for any internal hosts for
which no static translation has been defined. The configuration above reserves IP addresses
200.200.100.251 to 200.200.100.254 for use in further static NAT mappings. Static translations are
often used with an internal server to enable external access to it by way of a fixed external IP.
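
The following is an added example, not part of the lab handout: a Python cross-check of the commands from Steps 2 to 4 that lists the statically exposed host, verifies the pool and static addresses against the block ISP1 routes back, and compares pool size with the hosts access list 1 permits. The helper name `audit_nat` is hypothetical, and ISP1's route is placed in the same text as the NAT router's lines only for convenience.

```python
import ipaddress
import re

# NAT-related commands copied from the lab steps (first line is ISP1's route).
LAB_CONFIG = """\
ip route 200.200.100.128 255.255.255.128 200.200.100.1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source static 192.168.1.2 200.200.100.252
ip nat pool public 200.200.100.129 200.200.100.250 netmask 255.255.255.128
ip nat inside source list 1 pool public
"""

def audit_nat(config, hosts_needed):
    """Cross-check static entries, pool, ACL and return route (hypothetical helper)."""
    ip = ipaddress.ip_address
    statics = [(ip(l), ip(g)) for l, g in
               re.findall(r"ip nat inside source static (\S+) (\S+)", config)]
    start, end, mask = re.search(
        r"ip nat pool \S+ (\S+) (\S+) netmask (\S+)", config).groups()
    start, end = ip(start), ip(end)
    # Network implied by the pool's own netmask; the whole range must sit inside it.
    pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    pool_size = int(end) - int(start) + 1
    # Standard ACL with wildcard mask -> inside addresses eligible for dynamic NAT.
    acl_net = ipaddress.ip_network("/".join(re.search(
        r"access-list \d+ permit (\S+) (\S+)", config).groups()))
    # Block that ISP1 routes back toward the NAT router (skips the default route).
    routed = ipaddress.ip_network("/".join(re.search(
        r"ip route (?!0\.0\.0\.0 )(\S+) (\S+) \S+", config).groups()))
    static_locals = {l for l, _ in statics}
    dynamic_hosts = sum(1 for h in acl_net.hosts() if h not in static_locals)
    return {
        # Inside hosts reachable from outside at a fixed address.
        "exposed": [(str(l), str(g)) for l, g in statics],
        "pool_size": pool_size,
        "pool_valid": end in pool_net and start <= end,
        # Static globals belong outside the dynamic range (.251-.254 in the lab).
        "static_in_pool": [str(g) for _, g in statics if start <= g <= end],
        # Every translated address needs a return route on ISP1.
        "unrouted": [str(g) for g in [start, end] + [g for _, g in statics]
                     if g not in routed],
        "meets_requirement": pool_size >= hosts_needed,
        # One-to-one NAT: permitted hosts beyond the pool size get no translation.
        "can_exhaust": dynamic_hosts > pool_size,
        "dynamic_hosts": dynamic_hosts,
    }

if __name__ == "__main__":
    print(audit_nat(LAB_CONFIG, hosts_needed=100))
```

For the lab's values the pool holds 122 addresses, enough for the roughly 100 hosts in the scenario, while access list 1 permits 253 non-static host addresses, so the pool can be exhausted if more than 122 of them are active at once.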

Now, designate the inside NAT interface and the outside NAT interface. In more complex topologies,
it is possible to have more than one inside NAT interface.

Step 5
NAT(config)#interface fastethernet 0/0
NAT(config-if)#ip nat inside
NAT(config-if)#interface serial 0/0
NAT(config-if)#ip nat outside

There are several show commands that can be used to see if NAT is working: show ip nat
translations, show ip nat statistics, and show ip nat translations verbose.

From the two Internal User workstations, ping WebServer (200.200.50.2). Then check that
WebServer is accessible by connecting from an Internal User workstation using a browser with the
WebServer IP address, 200.200.50.2. Issue the three NAT show commands listed above on the NAT
router. Sample outputs are shown below.

NAT#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.100.129    192.168.1.5        ---                ---
--- 200.200.100.252    192.168.1.2        ---                ---

NAT#show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 131 Misses: 9
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 pool public refcount 1
 pool public: netmask 255.255.255.128
    start 200.200.100.129 end 200.200.100.250
    type generic, total addresses 122, allocated 1 (0%), misses 0

NAT#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.100.129    192.168.1.5        ---                ---
    create 00:02:55, use 00:02:55, left 23:57:04, Map-Id(In): 2,
    flags:
    none, use_count: 0
--- 200.200.100.252    192.168.1.2        ---                ---
    create 00:40:36, use 00:02:59,
    flags:
    static, use_count: 0

Notice that the Internal User with IP address 192.168.1.5 had its address dynamically translated to
200.200.100.129, the first available address in the “public” pool. The command clear ip nat
translation * can be used to clear all dynamic NAT translations:

NAT#clear ip nat translation *
NAT#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.100.252    192.168.1.2        ---                ---

Save the configurations for NAT and ISP1.


ip route 200.200.100.128 255.255.255.128 200.200.100.1

ip route: This is the command used to configure a static IP route.
200.200.100.128: This is the destination network address for the specific route.
255.255.255.128: This is the subnet mask associated with the destination address. It defines the
range of IP addresses covered by this route.
200.200.100.1: This is the next-hop IP address. It specifies where the network device should send the
traffic destined for the specified range (200.200.100.128 to 200.200.100.255).

NAT(config)#ip route 0.0.0.0 0.0.0.0 200.200.100.2

0.0.0.0 0.0.0.0: This represents the destination IP address and subnet mask. In this context,
0.0.0.0 with a subnet mask of 0.0.0.0 signifies the default route. It means that any traffic that
doesn't match a more specific route in the routing table will be directed to the next hop specified.
200.200.100.2: This is the next-hop IP address. It indicates that any traffic not matching a more
specific route should be sent to the device with the IP address 200.200.100.2.
