Chapter 18

Configure and Verify Inside Source NAT

This chapter ensures that you are ready for questions related to Network Address Translation (NAT) on the CCNA 200-301 exam from Cisco Systems. NAT is a critical protocol that is used in almost every IPv4 network you can find.

This chapter covers the following essential terms and components:

  • NAT

  • Source NAT

  • Static NAT

  • Unidirectional NAT

  • Bidirectional NAT

  • NAT pools

  • Dynamic NAT

  • PAT

Topic: Configure, verify, and troubleshoot inside source NAT

CramSaver

If you can correctly answer these CramSaver questions, save time by skimming the ExamAlerts in this section and then completing the CramQuiz at the end of this section and the Review Questions at the end of the chapter. If you are in doubt at all, read everything in this chapter!

1. What is a classic example of using unidirectional, or one-way, NAT?

_________

2. With inside source, dynamic NAT, what is the pool used for?

_________

3. Examine the topology and configuration shown here. In this topology, 10.2.2.0/24 is the inside segment, and 10.1.1.0/24 is the outside segment. R1 (10.2.2.1) cannot trigger a NAT translation on R2 when pinging R3. The configuration should also permit PAT, if needed. What are four issues with the NAT configuration on R2?

_________

_________

_________

_________


R2#
R2# show running-config
Building configuration...
Current configuration : 1406 bytes
!
...
!
hostname R2
!
...
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface FastEthernet1/0
 ip address 10.2.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
...
!
ip nat inside source list 10 interface FastEthernet0/0
!
access-list 1 permit host 10.2.1.1
access-list 1 permit host 10.2.1.100
no cdp log mismatch duplex
!
...
R2#

Answers

1. Allowing many private IP addresses on an inside network to dynamically access public IP addresses on an outside Internet network.

2. The NAT pool is used to specify the outside addresses to be used in the translation.

3. The inside and outside interface commands are reversed.

The access list specifies the incorrect internal device.

The NAT statement is missing the overload keyword.

The incorrect list is specified in the NAT statement.

The RFC 1918 address space we reviewed in Chapter 5 helped delay the depletion of IPv4 address space. But private addresses that aren’t routable over the Internet, combined with the slow adoption of IPv6, necessitated another change: the introduction of Network Address Translation (NAT). A private IP address must be converted to a public IP address to allow communication on the public Internet. Specifically, the private inside source IP address must be converted to an address that is valid on the Internet. When configuring NAT on a device in such a case, we specify interfaces as “inside” and “outside” as part of the configuration.

Although there are many different variations of NAT, the CCNA exam focus is very specific to inside source NAT. This involves starting with IPv4 packets sourced from inside devices and translating the source IP addresses for public communication. Keep in mind that the reverse process is also applied to return traffic.

ExamAlert

Unidirectional NAT, or one-way NAT, permits devices on the inside to initiate connections and communicate to devices on the public network, but devices on the public network cannot initiate a connection with a device on the inside network. If you configure NAT to permit connections initiated from the Internet as well, you are configuring bidirectional NAT. Many applications running on inside hosts that require discovery from the outside (for example, BitTorrent, Skype, multiplayer games, botnet malware) utilize UPnP to automatically configure bidirectional NAT.

The first configuration approach we examine is static NAT. With static NAT, you configure a manual mapping from an inside address to an outside address. This bidirectional translation allows connections to be initiated by devices on the inside or on the outside. Figure 18.1 shows the topology used for the examples in this chapter.

Figure 18.1 The NAT Topology

The configuration begins by identifying the inside network. In this case, you can pretend that 10.2.2.0/24 is the inside segment. Next, you identify the outside segment. You can pretend the outside network is the 10.1.1.0/24 segment. You are now ready for the configuration shown in Example 18.1.

Example 18.1 Configuring Inside Source Static NAT

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fa1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface fa0/0
R2(config-if)# ip nat outside
R2(config-if)# exit
R2(config)# ip nat inside source static 10.2.2.1 10.1.1.100
R2(config)# end
R2#

Notice the commands this configuration requires:

  • ip nat inside: Configures the inside interface for the device and enables NAT there.

  • ip nat outside: Configures the outside interface for the device and enables NAT there.

  • ip nat inside source static 10.2.2.1 10.1.1.100: Provides the static instructions for translation; 10.2.2.1 is the source IP address from the inside for translation, and 10.1.1.100 is the new source IP address for the translated packet.

For verification of this configuration, we ping from R1 (10.2.2.1) to R3 (10.1.1.3). This creates the translation on R2 that we can view with show ip nat translation (see Example 18.2).

Example 18.2 Verifying the Inside Source Static NAT Configuration

R1#
R1# ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/221/244 ms
R1#
R2#
R2# show ip nat translation
Pro   Inside global   Inside local   Outside local   Outside global
icmp  10.1.1.100:0    10.2.2.1:0     10.1.1.3:0      10.1.1.3:0
---   10.1.1.100      10.2.2.1       ---             ---
R2#

Notice from the output in Example 18.2 that your exact NAT instructions were followed. The inside local source address of 10.2.2.1 was translated to the global address 10.1.1.100.

Note

It is interesting that the ping succeeds, since there is no device with the IP address 10.1.1.100 in this topology! This is because when the reply returns to R2 (the NAT device), R2 sees that 10.1.1.100 maps to the device at 10.2.2.1 and rewrites the destination of the returning packet back to that original source address.

In addition to static NAT, there is also dynamic NAT. Example 18.3 demonstrates a dynamic NAT configuration on R2, using the topology in Figure 18.1. Note that before Example 18.3 can be run, all previous NAT commands must have been removed from R2.

ExamAlert

A simple method to check for NAT configurations in a running configuration is to use show run | include nat. This returns every configuration line that contains the term nat.

Example 18.3 Configuring Inside Source Dynamic NAT

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fa1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface fa0/0
R2(config-if)# ip nat outside
R2(config-if)# exit
R2(config)# access-list 1 permit 10.2.2.1
R2(config)# access-list 1 permit 10.2.2.100
R2(config)# ip nat pool MYNATPOOL 10.1.1.100 10.1.1.101 netmask 255.255.255.0
R2(config)# ip nat inside source list 1 pool MYNATPOOL
R2(config)# end
R2#

Notice what is unique about this configuration:

  • access-list 1: This access list defines the inside source addresses that can be translated.

  • ip nat pool MYNATPOOL: This NAT pool defines the starting IP address and ending IP address to which R2 will translate the source address.

  • ip nat inside source list 1 pool MYNATPOOL: This is the NAT instruction that ties the access list to the NAT pool you created.

With Example 18.3, verification occurs in exactly the same way as in Example 18.2. A ping from R1 to R3 results in the translation of 10.2.2.1 to 10.1.1.100. Of course, this time there is a dynamic element to the translation. For example, if there were another host on the inside network at 10.2.2.100, and this device were to communicate first across the R2 device, it could translate to 10.1.1.100, which is the first address in the pool.

But even inside source dynamic NAT is not the most popular form of NAT. What is then? It is Port Address Translation (PAT), also sometimes termed NAT overloading.

With PAT, you permit many inside devices to communicate on the outside network using a single public address on the outside. The IP address of the outside interface itself can be used. This is possible because a unique port number is assigned to each translation entry. Example 18.4 shows this configuration, based on the topology shown in Figure 18.1; it takes place after all previous NAT configurations have been removed.

Example 18.4 The Inside Source Dynamic PAT Configuration

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface fa1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface fa0/0
R2(config-if)# ip nat outside
R2(config-if)# exit
R2(config)# access-list 1 permit 10.2.2.1
R2(config)# access-list 1 permit 10.2.2.100
R2(config)# ip nat inside source list 1 interface fa0/0 overload
R2(config)# end
R2#

What is different about this configuration compared to inside source dynamic NAT? Not much, really. Notice that the ip nat inside source command now specifies interface fa0/0 overload. This instructs NAT to translate source addresses to the IP address that is on the physical outside interface and allows it to be used over and over again for the source address translation of multiple inside devices.

Example 18.5 shows the verification. The IP address on R2 fa0/0 is 10.1.1.2.

Example 18.5 Verifying the Inside Source Dynamic PAT Configuration

R1#
R1# ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/221/244 ms
R1#
R2#
R2# show ip nat translation
Pro   Inside global  Inside local  Outside local   Outside global
icmp  10.1.1.2:2     10.2.2.1:2    10.1.1.3:2      10.1.1.3:2
R2#

Notice that this time R1’s source address of 10.2.2.1 is translated to 10.1.1.2. Other inside hosts could translate to this same address. This type of configuration and functionality helped hold off the public IPv4 address shortage. This is also a common NAT configuration in home networks today—and it is why each of your home devices has an IP address from the 192.168.x.x range, and yet when you examine your public IP address (by typing “what is my IP address” in a search engine, for example) you invariably get an address that is not 192.168.x.x.
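To make the difference between the three modes visible in the translation table, here is an added teaching model in Python (my example, not Cisco's code or the book's own): it builds show ip nat translation rows for the static mapping of Example 18.1, the MYNATPOOL pool of Example 18.3 and the fa0/0 overload of Example 18.4, and it also shows what happens when the dynamic pool runs out. The class name, the port counter starting at 1024 and the rule that PAT keeps the original port when it is free are assumptions of the model.

```python
from typing import Optional

class InsideSourceNat:
    """Teaching model of an IOS inside source NAT table (an added example, not Cisco's
    code): static mappings, a dynamic pool such as MYNATPOOL, or PAT overload."""

    def __init__(self, static=None, acl=(), pool=(), overload_ip: Optional[str] = None):
        self.static = dict(static or {})     # inside local -> inside global (ip nat inside source static)
        self.acl = set(acl)                  # inside sources permitted by the access list
        self.pool = list(pool)               # addresses from 'ip nat pool'
        self.overload_ip = overload_ip       # outside interface address when 'overload' is configured
        self.dynamic = {}                    # inside local -> pool address currently held by that host
        self.table = []                      # rows in 'show ip nat translation' column order
        self.next_port = 1024                # constructed port allocator used only on PAT collisions

    def translate(self, inside_local, outside_global, proto="icmp", port=0):
        """Return (inside global, global port) for an outbound packet, or None if it cannot be translated."""
        if inside_local in self.static:                        # static: manual one-to-one mapping
            inside_global, gport = self.static[inside_local], port
        elif inside_local not in self.acl:                     # dynamic NAT and PAT require an ACL match
            return None
        elif self.overload_ip:                                 # PAT: one address, port kept if still free
            used = {row[1] for row in self.table}
            inside_global, gport = self.overload_ip, port
            while f"{inside_global}:{gport}" in used:          # collision: hand out a fresh port
                gport = self.next_port
                self.next_port += 1
        else:                                                  # dynamic: one pool address per inside host
            if inside_local not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                                # pool exhausted: no translation, packet dropped
                self.dynamic[inside_local] = free[0]
            inside_global, gport = self.dynamic[inside_local], port
        self.table.append((proto, f"{inside_global}:{gport}", f"{inside_local}:{port}",
                           f"{outside_global}:{port}", f"{outside_global}:{port}"))
        return inside_global, gport

    def show_translation(self):
        """Render the table with the headings of 'show ip nat translation'."""
        header = ("Pro", "Inside global", "Inside local", "Outside local", "Outside global")
        return "\n".join("  ".join(f"{c:<16}" for c in row).rstrip() for row in [header, *self.table])
```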

What about NAT troubleshooting? What can go wrong? The most common misconfigurations are failure to assign NAT inside and outside interfaces and incorrect assignment of inside versus outside interfaces.

Here are some items you should be sure to watch out for:

  • With static inside NAT, ensure that the ip nat inside source static command lists the inside and outside addresses in the correct order.

  • With dynamic NAT, make sure the access list is constructed properly and matches the appropriate inside source addresses for translation.

  • With PAT, don’t forget the overload keyword.

CramQuiz

1. What was the main motivation for NAT?

A. To increase the number of possible IPv4 addresses

B. To allow the RFC 1918 private address space to communicate on the Internet

C. To secure private networks from outside attackers

D. To increase the visibility possible with Internet connections

2. What is the purpose of static NAT?

A. To ensure that the destination IP address remains unchanged during translation

B. To translate a single specific inside address to a single specific outside address

C. To ensure that multiple inside addresses can translate to a single outside address

D. To pull inside addresses for translation from a pool of addresses

3. What is another name commonly used for unidirectional NAT?

A. One-way NAT

B. Synchronous NAT

C. Dual NAT

D. Static NAT

CramQuiz Answers

1. B is correct. The primary motivation for NAT was to allow RFC 1918 addresses to be used on inside networks while providing these private networks with Internet connectivity.

2. B is correct. Inside source static NAT translates a single, specific inside address to a single, specific outside address.

3. A is correct. One-way and unidirectional NAT terms are used interchangeably.

Review Questions

1. What command identifies the inside NAT interface?

A. nat inside

B. nat ip inside

C. inside

D. ip nat inside

2. What command allows you to view the NAT translations at the CLI?

A. show ip nat translations

B. show nat usage

C. show nat statistics

D. show nat all

3. Examine the following command: ip nat inside source list 1 interface fa0/0 overload. What is the inside global address for translation?

A. The IP address on interface fa0/0

B. The virtual address on interface fa0/0

C. The address in access list 1

D. The address in the NAT pool named interface

Answers to Review Questions

1. D is correct. The ip nat inside command identifies the inside NAT interface.

2. A is correct. The show ip nat translations command allows you to see all the translations currently on the device.

3. A is correct. The IP address on the interface specified here is the inside global address.

Hands-On Lab Practice Assignment

Configuring NAT

To complete this Hands-On Lab Practice Assignment, download the assigned Packet Tracer file from the book’s companion website and perform the lab on your locally installed version of Packet Tracer. For instructions on how to download and use the Packet Tracer files, see “Packet Tracer Hands-On Lab Practice Assignments” in the Introduction of this book.

Additional Resource

Port Forwarding on a Cisco Router

https://youtu.be/5_9DaAcZqtY
