Thursday, February 9, 2012

Cisco ICND1 Flashcard: NAT, PAT, Overloading

Network Address Translation

NAT is used when hosts on an internal network need to reach another network without revealing their originating (inside local) IP addresses, or when internal hosts must reach the Internet and only a limited number of public IP addresses is available to hand out. Hiding addresses is not a security boundary, though: NAT does not filter traffic, so it is no substitute for an ACL or a firewall.

NAT operates at Layer 3 on a Cisco router and is designed for IP address simplification and conservation: it rewrites private IP addresses into public ones as packets cross the router. It does not mix well with protocols that protect the IP header itself. IPsec AH cannot traverse NAT at all, because the rewritten address breaks its header integrity check; ESP can, but only with NAT traversal (NAT-T, which carries ESP inside UDP) enabled on both peers.

STATIC NAT
A static translation is a fixed one-to-one mapping between one inside local address and one inside global address, entered manually by the network administrator, one host at a time. The steps are: define the mapping, then tell the router which interface is NAT inside and which is NAT outside.


LAB SUMMARY
Configure Static NAT on Router 1, inside and outside interfaces, x = 2 for my Pod 2
usage: conf t
ip nat inside source static 192.168.xx.10 172.16.xx.10
int fa 0/0
ip nat inside
int serial 1/1
ip nat outside
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

Remove Static NAT from Router 1
usage: conf t
no ip nat inside source static 192.168.xx.10 172.16.xx.10

DYNAMIC NAT
Dynamic NAT does not involve DHCP: the router itself hands out inside global addresses, one per inside host, from a pool it manages, and frees them again when the translation times out. (DHCP assigns the inside local addresses to the hosts, which is a separate matter.) Create a named pool with its address range and netmask, and an ACL that selects which inside addresses may be translated.

Create a standard ACL that permits the switch network; the implicit deny at the end of every ACL excludes everyone else.
usage: conf t
access-list 3 permit 192.168.xx.0 0.0.0.255
ip nat pool LAN 172.16.xx.65 172.16.xx.126 netmask 255.255.255.192

Enable the translation by tying the access list (3) to the pool (LAN) and leave config mode
ip nat inside source list 3 pool LAN
end

show ip nat translations
debug ip nat
ping 10.1.1.1
show ip nat statistics

To clear the entire NAT table usage: clear ip nat translations *
To remove Dynamic NAT from router 1 usage: no ip nat inside source list 3 pool LAN
Another day, I'll add more info about PAT
PAT (NAT overload) is many-to-one dynamic translation: many inside local addresses share a single inside global address and are told apart by the translated source port, so one public address can carry thousands of simultaneous flows. On IOS it is the same ip nat inside source list command with the overload keyword appended, and the pool can then be a single address.

Bonus
I wonder if this is the same way to NAT IPv4 addresses with IPv6. (Translating between the two address families is a separate mechanism, NAT64, not the ip nat commands above.) In fact, newer computers and laptops also list an IPv6 address in their network settings. The US DoD has required newly purchased systems to be IPv6-capable since the early 2000s, and most are. An autoconfigured IPv6 address is written in hex, and its interface-identifier half was traditionally derived from the MAC address (EUI-64); newer stacks use random or privacy-extension identifiers instead, precisely so that the MAC cannot be tracked from network to network. The leading 2 does not stand for planet Earth: it marks a global unicast address from the 2000::/3 block, the one eighth of the address space allocated for today's Internet, with the rest held back for the future. Now that's planning ahead. To Infinity and Beyond!

Troubleshooting NAT
* Determine if there are enough addresses in the NAT pool; once it runs dry, new inside hosts get no translation and the misses counter in show ip nat statistics climbs
* Verify that the router interfaces are appropriately defined as NAT inside or NAT outside (a translation needs one of each on the packet's path)
* Verify that the ACL referenced by the NAT command is permitting the necessary inside local IP addresses, remembering the implicit deny at the end
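As an added example, not part of the original flashcard and not Cisco's code, the following Python script models the NAT table that the static, dynamic and PAT configurations on this page build, and pushes a few constructed outbound flows through it so that the troubleshooting points above (pool exhaustion, ACL not permitting a source) show up concretely. It assumes pod x = 2 for the addresses, shrinks the dynamic pool to two addresses so that exhaustion is visible, and simplifies PAT's port choice (keep the source port if free, otherwise the lowest unused port from 1024); the config parser understands only the four command shapes used on this page.

```python
import ipaddress
import re


class NatTable:
    """Toy model of an IOS NAT table; understands only the four command shapes on this page."""

    def __init__(self, config):
        self.static = {}    # inside local -> inside global, one-to-one
        self.acl = {}       # access-list number -> permitted IPv4 networks
        self.pool = {}      # pool name -> free inside global addresses
        self.rule = None    # (acl number, pool name, overload flag)
        self.table = {}     # (local ip, local port) -> (global ip, global port)
        self.holders = {}   # local ip -> pool address it holds (dynamic NAT only)
        self.misses = []    # (local ip, port, reason) for flows left untranslated
        for line in config.strip().splitlines():
            self._parse(line.strip())

    def _parse(self, line):
        if m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            # IOS wildcards are inverted netmasks, which ipaddress accepts as host masks; 0.0.0.0 would parse as /0
            net = ipaddress.IPv4Network(f"{m[2]}/{32 if m[3] == '0.0.0.0' else m[3]}", strict=False)
            self.acl.setdefault(m[1], []).append(net)
        elif m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line):
            self.static[m[1]] = m[2]
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) netmask \S+", line):
            first, last = (int(ipaddress.IPv4Address(a)) for a in (m[2], m[3]))
            self.pool[m[1]] = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        elif m := re.fullmatch(r"ip nat inside source list (\d+) pool (\S+)( overload)?", line):
            self.rule = (m[1], m[2], m[3] is not None)
        else:
            raise ValueError(f"unsupported line: {line!r}")

    def translate(self, local_ip, local_port):
        """Inside global (ip, port) for an outbound flow, or None if it gets no translation."""
        key = (local_ip, local_port)
        if key in self.table:
            return self.table[key]  # an existing entry is always reused
        entry = ((self.static[local_ip], local_port) if local_ip in self.static  # static: port untouched
                 else self._dynamic(local_ip, local_port))
        if entry is not None:
            self.table[key] = entry
        return entry

    def _dynamic(self, local_ip, local_port):
        if self.rule is None:  # no 'ip nat inside source list' line, so nothing dynamic
            return None
        acl, pool, overload = self.rule
        if not any(ipaddress.IPv4Address(local_ip) in n for n in self.acl.get(acl, [])):
            self.misses.append((local_ip, local_port, f"denied by access-list {acl}"))
            return None  # the ACL's implicit deny: this source is never translated
        free = self.pool[pool]
        if overload:
            # PAT: all hosts share the pool's first address, told apart by port; keep the source port if free there
            gip = free[0]
            used = {gport for gi, gport in self.table.values() if gi == gip}
            gport = local_port if local_port not in used else next(
                p for p in range(1024, 65536) if p not in used)  # simplified port pick
            return (gip, gport)
        # Dynamic NAT: each inside host takes a whole pool address; once the pool is empty, new hosts get nothing
        if local_ip not in self.holders:
            if not free:
                self.misses.append((local_ip, local_port, f"pool {pool} exhausted"))
                return None
            self.holders[local_ip] = free.pop(0)
        return (self.holders[local_ip], local_port)


# Constructed lab config (assumption: pod x = 2); the pool is cut to two addresses
# so that exhaustion shows up with only a handful of flows.
DYNAMIC_CFG = """
access-list 3 permit 192.168.2.0 0.0.0.255
ip nat inside source static 192.168.2.10 172.16.2.10
ip nat pool LAN 172.16.2.65 172.16.2.66 netmask 255.255.255.192
ip nat inside source list 3 pool LAN
"""
# The same router doing PAT: only the 'overload' keyword is added to the rule line
PAT_CFG = DYNAMIC_CFG.replace("pool LAN\n", "pool LAN overload\n")

FLOWS = [  # constructed outbound flows: (inside local ip, source port)
    ("192.168.2.10", 40000),  # statically mapped host
    ("192.168.2.11", 40001),
    ("192.168.2.12", 40002),
    ("192.168.2.13", 40003),  # third dynamic host, one more than the pool holds
    ("192.168.2.12", 40001),  # same source port as .11: collides under PAT
    ("192.168.2.11", 40001),  # repeat of an earlier flow: must reuse its entry
    ("10.9.9.9", 40004),      # not permitted by access-list 3
]


def run(config, flows=FLOWS):
    """Translate the flows in order; returns (results, misses), roughly what show/debug ip nat would list."""
    nat = NatTable(config)
    return [nat.translate(ip, port) for ip, port in flows], nat.misses


if __name__ == "__main__":
    for name, cfg in (("dynamic NAT", DYNAMIC_CFG), ("PAT", PAT_CFG)):
        print(name, *run(cfg), sep="\n  ")
```

Run it and compare the two outputs: under dynamic NAT the third inside host (pool exhausted) and the non-permitted host (denied by the ACL) land in misses, which are the first and third troubleshooting points above, while under PAT the same two-address pool carries every permitted host and the colliding source port is simply remapped. The statically mapped host is translated in both cases regardless of the ACL, which is also how a real router behaves.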
