All in One Cisco CCIE Lab Guide
Stephen Hutnik and Michael Satterlee, CCIE #3980
 $79.99  0-07-135108-6

© 1999 The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 15

Network Address Translation

Introduction

Network Address Translation is a router function that rewrites the IP addresses in packets as they pass from one network to another. Address translation is required when customers use private (unregistered) addresses internally and wish to reach a public service, where only publicly registered addresses are routable. This chapter explores the NAT capabilities available in the Cisco IOS.

Network Address Translation Overview

One of the greatest problems facing the Internet today is address depletion. Network Address Translation relieves some of this pressure by allowing organizations to use private address space internally and to reuse it in other parts of their network, while consuming only a small number of globally unique registered addresses.

NAT allows organizations to reuse the same address space within multiple domains, as long as the addresses are translated to globally unique, Internet-registered addresses before they leave that domain. Figure 15-1 shows how basic NAT works. Both stub networks use the class A network 10.0.0.0 internally. Each organization is assigned a registered, globally unique class C network, which is used whenever traffic leaves the private intranet for the public Internet.


Figure 15-1: Network Address Translation

In figure 15-1, when HostA (10.1.1.1) wishes to send a packet to HostB (10.2.2.2), it uses HostB's globally unique address 196.1.1.1 as the packet's destination. When the packet arrives at RouterA, the source address 10.1.1.1 is translated to the globally unique address 195.1.1.1. When the packet arrives at RouterB, the destination address 196.1.1.1 is translated to the unregistered address 10.2.2.2. Packets on the return path go through the same translations in reverse.

This requires no additional configuration on the hosts of the internal network. As far as HostA is concerned, 196.1.1.1 is the IP address of HostB (10.2.2.2) on network B; as far as HostB is concerned, 195.1.1.1 is the IP address of HostA (10.1.1.1) on network A.

NAT Terminology

When dealing with NAT on a Cisco router it is important to understand the terminology used. Cisco names every address by where the host sits (inside or outside) and by where the address is seen (local, on the inside network; global, on the outside network). The inside local address is the address a host on the inside network actually carries (10.1.1.1 in figure 15-1). The inside global address is the registered address that host appears as on the outside (195.1.1.1). The outside global address is the real address of a host on the outside network. The outside local address is the address by which that outside host is known on the inside network; it is the same as the outside global address unless the router translates it, as in Lab#62.


Figure 15-2: NAT Terminology

Commands Discussed in this Chapter

clear ip nat translation: This EXEC command is used to clear all (clear ip nat translation *) or specific active NAT translations.

ip nat inside | outside: This interface command marks an interface as connected to the inside or to the outside network. NAT only translates packets that travel between an inside and an outside interface.

ip nat inside destination list: This global command enables Network Address Translation of the inside destination address. It is used with a rotary pool for destination address rotary translation (Lab#63).

ip nat inside source: This global command enables Network Address Translation of the inside source address. It can be configured for static translations (ip nat inside source static) and for dynamic translations (ip nat inside source list ... pool ...), optionally with the overload keyword.

ip nat outside source: This global command enables Network Address Translation of outside source addresses. It can be configured for both static and dynamic translations and is used to resolve overlapping address space (Lab#62).

ip nat pool name: This global command defines a pool of IP addresses used for translations. The pool can be an inside global pool, an outside local pool, or a rotary pool (type rotary).

ip nat translation timeout: This global command changes the amount of time after which an idle Network Address Translation entry is removed (the default for non-overloaded entries is 24 hours).

show ip nat statistics: This command displays Network Address Translation statistics, including the number of active translations, the inside and outside interfaces, and pool usage.

show ip nat translations: This command displays all active Network Address Translations.

IOS Requirements

NAT first became available in IOS 11.2.

Lab#59: Static Inside Source Address Translation

Equipment Needed

The following equipment is needed to perform this lab exercise:

Configuration Overview

This configuration demonstrates static Network Address Translation of an unregistered inside local address to a globally unique inside global address. RouterA will translate the inside source address 10.1.1.1 to the globally unique address 195.1.1.1.


Figure 15-3: Inside Source Address Translation.

RouterA and RouterB are connected serially via a crossover cable. RouterA will act as the DCE supplying clock to RouterB. The IP addresses are assigned as per figure 15-4. A PC with an Ethernet NIC (or an additional router) is connected to an Ethernet LAN attached to RouterA. RouterA is configured for NAT and will translate source IP address 10.1.1.1 to 195.1.1.1.


Figure 15-4: Inside Source Address Translation

Router Configurations

The configurations for the two routers in this example are as follows (the key NAT configuration lines for RouterA are annotated). RouterB's listing keeps the defaults of its IOS 11.1 image, including the TCP and UDP small servers and a cleartext enable password; these are lab conveniences, not settings to carry into production.

RouterA

version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname routerA
!
ip nat inside source static 10.1.1.1 195.1.1.1   <- Translates the inside source address 10.1.1.1 to 195.1.1.1
!
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside   <- Marks the interface as connected to the inside
!
interface Serial0
 ip address 195.1.1.2 255.255.255.0
 ip nat outside   <- Marks the interface as connected to the outside
 clock rate 500000   <- RouterA is the DCE and supplies clock
!
no ip classless
ip route 152.1.1.1 255.255.255.255 Serial0
!
line con 0
line vty 0 4
 login
!
end

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
interface Ethernet0/0
 ip address 152.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.3 255.255.255.0
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login

Monitoring and Testing the Configuration

From HostA ping HostB (152.1.1.1) and examine the packets arriving at RouterB with the debug ip packet command. Below is the output from the command; note that the source address of the ICMP echo request is 195.1.1.1, not 10.1.1.1, because RouterA has already translated it:

IP: s=195.1.1.1 (Serial0/0), d=152.1.1.1, len 104, rcvd 4   <- ICMP echo request
IP: s=152.1.1.1 (local), d=195.1.1.1 (Serial0/0), len 104   <- ICMP echo reply

From the debug ip nat output on RouterA, we can see that the source IP address 10.1.1.1 has been translated to 195.1.1.1. We also see that this is a two-way process: the return packet, which is destined for 195.1.1.1, has its destination address changed back to 10.1.1.1. The asterisk in NAT* marks a packet that was translated in the fast path using an existing entry:

NAT: s=10.1.1.1->195.1.1.1, d=152.1.1.1 [2542]
NAT*: s=152.1.1.1, d=195.1.1.1->10.1.1.1 [2542]

In the section above, we covered a one-to-one mapping between an inside local address and an inside global address. This method is inefficient and does not scale, because each registered IP address can only be used by one end station. Static translation is most often used when a host on the inside needs to be reachable at a fixed IP address from the outside world. Note that a static entry is permanent and bidirectional: it exposes the inside host to any outside initiator, so it should be combined with an access list on the outside interface that limits what may reach the translated address.

Figure 15-5 shows an example of when static address mapping is required. HostA wishes to access files on the FTP server; however, the FTP server resides on an inside network and does not have a globally unique IP address. A static mapping binds the globally significant address 195.1.1.1 to the locally significant address 10.1.1.1.


Figure 15-5: Static Mapping

Lab#60: Dynamic Inside Source Address Translation

Equipment Needed

The following equipment is needed to perform this lab exercise:

Overview

The other type of inside address translation is dynamic translation, which establishes a mapping between a group of inside local addresses and a pool of inside global addresses. This is useful when a large group of unregistered users needs to reach off-net services.

Dynamic inside address translation translates an unregistered IP address to a registered IP address taken from a predefined pool. The mapping is still one-to-one while it exists: when an inside host first sends traffic to the outside, an address is taken from the pool and bound to that host. The global address is released back into the pool when the translation entry times out (ip nat translation timeout, 24 hours of inactivity by default), not at the moment a session closes, and it can then be used by another host. Dynamic address translation is more efficient than static translation because the same global IP address is reused over time by multiple end stations, whereas with static translation only one particular end station can ever use the global address.

Figure 15-6: Dynamic Address Translation

Figure 15-6 shows three workstations on a LAN, all of which need access to the outside network. As packets arrive at RouterA, the source address is translated to an Internet-registered address from the predefined pool. This is still a one-to-one mapping: you need one registered IP address for each workstation that is communicating outside the private network at any given time. However, not all PCs access the Internet at the same time, so depending on the traffic pattern 10 registered IP addresses could, for example, serve 40 PCs.

Note: Although dynamic address translation is more scalable, more efficient, and simpler to administer, outside users cannot initiate connections to inside hosts, because there is no fixed mapping between an inside and a global address. After a translation entry times out, the global IP address is released back into the pool, where it can be used by other hosts. Each end station can, and most likely will, be mapped to a different global address when it next opens a connection. Therefore it is impossible to refer to a particular inside host by a global address. Dynamic translation is not a substitute for a firewall, but this property does mean that unsolicited inbound packets have no entry to match and are dropped.

This limitation can be avoided by using a combination of dynamic and static translations: all hosts that must be reachable by outside users, such as FTP and HTTP servers, are configured with static translations, and all other end stations use dynamic translations.

Configuration Overview

This configuration demonstrates dynamic translation of inside source addresses to inside global addresses. RouterA will translate any source address in the range 10.1.1.1 to 10.1.1.4 (the addresses permitted by access list 1) to one of the three global addresses defined in the address pool "globalpool".

Two Cisco routers are connected serially. RouterA is connected to RouterB via a crossover cable. RouterB acts as the DCE providing clock to RouterA. A PC running a terminal emulation program is connected to the console port of RouterA. All IP addresses are as per figure 15-7.

Figure 15-7: Dynamic Address Translation

RouterA is configured for Network Address Translation and will dynamically translate any inside source address within the range specified by access list 1 to a unique Internet-registered global address taken from the pool "globalpool".

Router Configurations

The configurations for the two routers in this example are as follows (key NAT configurations for RouterA are highlighted in bold).

RouterA

version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname routerA
!
ip nat pool globalpool 195.1.1.1 195.1.1.3 netmask 255.255.255.0   <- Defines the pool of addresses; "globalpool" is the pool name
ip nat inside source list 1 pool globalpool   <- "list 1" references access list 1, which defines which addresses are translated; "pool globalpool" references the pool defined on the previous line
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.1.2 255.255.255.0 secondary
 ip address 10.1.1.3 255.255.255.0 secondary   <- Secondary IP addresses are used as test points
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.1.5 255.255.255.0
 ip nat inside   <- Defines the inside interface
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip nat outside   <- Defines the outside interface
!
no ip classless
ip route 152.1.1.1 255.255.255.255 Serial0
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.3
access-list 1 permit 10.1.1.1   <- Access list 1 defines which inside source addresses will be translated
access-list 1 permit 10.1.1.4
!
line con 0
line vty 0 4
 login
!
end

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
interface Ethernet0/0
 ip address 152.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.10 255.255.255.0
 clock rate 500000   <- Defines the clock rate for the DCE interface
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login

Monitoring and Testing the Configuration

To test the configuration, use the extended ping command on RouterA. This command allows you to source the ping packets from any active IP address on the router. To use it, simply type ping with no arguments at the privileged level and answer the prompts:

routerA#ping
Protocol [ip]:
Target IP address: 152.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:

The following examples all use the extended ping command on RouterA to source the packets from the Secondary IP addresses defined in the configuration. This is used instead of multiple PC’s on RouterA’s LAN.

  1. From RouterA ping 152.1.1.1 using source address 10.1.1.2
  2. From RouterA ping 152.1.1.1 using source address 10.1.1.1
  3. From RouterA ping 152.1.1.1 using source address 10.1.1.3

From the debug ip nat output on RouterA we see that the source address 10.1.1.2 has been translated to 195.1.1.1, the first address in the pool. Global addresses are handed out from the pool in the order they are requested, not according to any fixed binding to the inside address:

NAT: s=10.1.1.2->195.1.1.1, d=152.1.1.1 [20]
NAT: s=10.1.1.1->195.1.1.2, d=152.1.1.1 [25]
NAT: s=10.1.1.3->195.1.1.3, d=152.1.1.1 [35]

The following output from debug ip nat on RouterA shows what happens when a fourth end station (10.1.1.4) wants to reach the outside network while all of the global addresses are in use. The packet is dropped; it is not forwarded untranslated.

NAT: translation failed (L), dropping packet s=10.1.1.4 d=152.1.1.1

From the above examples you can see that although dynamic address translation makes more efficient use of global addresses than static translation, each active translation still requires its own address. The network administrator must therefore gauge the amount of off-net traffic accurately and size the address pool accordingly. Because an entry is only returned to the pool when it times out, the pool has to cover the number of inside hosts that are active within one timeout period, not merely the number with sessions open at any instant.
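To make the pool mechanics concrete, here is an added Python model of dynamic inside source translation. It is example code written for this chapter, not IOS code or output from the lab. It assumes the lab's access list and three-address pool "globalpool", a shortened translation timeout of 60 seconds (the IOS default is 24 hours), and a hypothetical static entry for an FTP server at 10.1.1.50, all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example (not from the lab guide): a model of Cisco dynamic inside
# source translation. Addresses, pool and timeout are constructed to mirror
# Lab#60; the FTP server static entry is a hypothetical addition.


@dataclass
class DynamicNat:
    access_list: set[str]                 # inside local addresses that match "list 1"
    pool: list[str]                       # inside global addresses, in pool order
    timeout: float = 86400.0              # ip nat translation timeout (seconds); IOS default 24h
    statics: dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    table: dict[str, tuple[str, float]] = field(default_factory=dict)  # local -> (global, last use)
    in_use: set[str] = field(default_factory=set)

    def translate(self, src: str, now: float) -> str | None:
        """Translate the source address of an outbound packet.

        Returns the inside global address to write into the packet, the
        original address when the access list does not match (the packet is
        forwarded untranslated), or None when the pool is exhausted, which is
        the "translation failed ... dropping packet" case in the debug output.
        """
        if src in self.statics:                     # static entries are always present
            return self.statics[src]
        if src in self.table:                       # existing dynamic entry: refresh it
            glob, _ = self.table[src]
            self.table[src] = (glob, now)
            return glob
        if src not in self.access_list:
            return src
        self._expire(now)                           # release idle entries back to the pool
        for glob in self.pool:                      # addresses are handed out in pool order
            if glob not in self.in_use and glob not in self.statics.values():
                self.in_use.add(glob)
                self.table[src] = (glob, now)
                return glob
        return None

    def _expire(self, now: float) -> None:
        for local, (glob, last) in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[local]
                self.in_use.discard(glob)


def lab_60_walkthrough() -> tuple[list[str | None], str | None, str | None]:
    """Replay the Lab#60 test: three hosts fill the pool, a fourth is dropped."""
    nat = DynamicNat(
        access_list={"10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"},
        pool=["195.1.1.1", "195.1.1.2", "195.1.1.3"],
        timeout=60,
        statics={"10.1.1.50": "195.1.1.50"},   # hypothetical FTP server, reachable from outside
    )
    first_round = [nat.translate(h, now=0) for h in ("10.1.1.2", "10.1.1.1", "10.1.1.3", "10.1.1.4")]
    after_timeout = nat.translate("10.1.1.4", now=61)   # idle entries expired, pool has room again
    return first_round, after_timeout, nat.translate("10.1.1.50", now=61)


if __name__ == "__main__":
    print(lab_60_walkthrough())
```

The fourth host gets None (dropped) on the first round and only receives 195.1.1.1 once the idle entries have aged out, which is why the pool must be sized for hosts active within a timeout window rather than for concurrent sessions.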

Lab#61: Overloading an Inside Global Address

Equipment Needed

The following equipment is needed to perform this lab exercise:

Overview

The Cisco IOS allows you to overload an inside global address, removing the need for a one-to-one mapping between local and global addresses. This greatly reduces the number of registered IP addresses needed; a single registered address can serve an entire LAN.

When overloading is configured, the router maintains enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, the TCP or UDP port numbers of each inside host are used to distinguish between the local addresses.

Figure 15-8: Overloading an Inside Global Address

In figure 15-8 all of the local address on the LAN are translated to one global IP address 195.1.1.1. The router reuses the inside global address for each translation and uses the TCP or UDP port number to differentiate between end stations.

The following steps are taken by RouterA when overloading is enabled:

  1. HostA ( 10.1.1.1) opens a connection to Host 152.1.1.1 on the Internet.
  2. The first packet that the RouterA receives from HostA causes the router to check its NAT table.
  3. If no translation exists, RouterA replaces the source address with the global address of 195.1.1.1.
  4. When the router receives a packet from host 152.1.1.1 destined for 195.1.1.1, it performs a NAT table lookup using the protocol, inside global address and port number, and outside address and port number as a key. With this key RouterA is able to translate the destination address 195.1.1.1 to inside local address 10.1.1.1, and forwards the packet to Host 10.1.1.1.

The following is output from show ip nat translations on RouterA; notice the port number after each address. The port number 1029 after the inside global address is the ephemeral port that HostA chose, and port 23 after the outside address is the well-known port for telnet. For the ICMP entry there is no port, so IOS uses the ICMP query identifier (256 here) in its place:

routerA# show ip nat translations
Pro  Inside global    Inside local    Outside local   Outside global
icmp 195.1.1.1:256    10.1.1.1:256    152.1.1.1:256   152.1.1.1:256
tcp  195.1.1.1:1029   10.1.1.1:1029   152.1.1.1:23    152.1.1.1:23
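The four-step procedure above, as an added Python model of overloading (port address translation). This is example code written for this chapter, not IOS code. It assumes the inside global address 195.1.1.1, the hosts and ports from figure 15-8, and a port allocator that starts at 1024 when an inside host's own port is already taken; IOS keeps the host's port when it is free, but the exact port it picks on a collision is an assumption here.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example (not from the lab guide): a model of Cisco PAT ("overload").
# The inside global address 195.1.1.1, the hosts and the ports are constructed
# to mirror figure 15-8; the port allocator starting at 1024 is an assumption.


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class OverloadNat:
    inside_global: str
    next_port: int = 1024
    # (proto, inside local, local port, outside addr, outside port) -> global port
    outbound_table: dict[tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # (proto, global port, outside addr, outside port) -> (inside local, local port)
    inbound_table: dict[tuple[str, int, str, int], tuple[str, int]] = field(default_factory=dict)

    def outbound(self, f: Flow) -> Flow:
        """Steps 2-3: the first packet of a flow creates the entry; later packets reuse it."""
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound_table:
            gport = f.sport                              # keep the host's own port when it is free
            while (f.proto, gport, f.dst, f.dport) in self.inbound_table:
                gport = self._next_free_port()           # collision: pick another global port
            self.outbound_table[key] = gport
            self.inbound_table[(f.proto, gport, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(f.proto, self.inside_global, self.outbound_table[key], f.dst, f.dport)

    def inbound(self, f: Flow) -> Flow | None:
        """Step 4: look up (proto, global port, outside addr, outside port); None means dropped."""
        entry = self.inbound_table.get((f.proto, f.dport, f.src, f.sport))
        if entry is None:
            return None                                  # no matching entry: unsolicited, dropped
        local, lport = entry
        return Flow(f.proto, f.src, f.sport, local, lport)

    def _next_free_port(self) -> int:
        port = self.next_port
        self.next_port += 1
        return port


def overload_walkthrough() -> dict[str, Flow | None]:
    """HostA and a second host both telnet out from port 1029; only one can keep it."""
    nat = OverloadNat("195.1.1.1")
    a = nat.outbound(Flow("tcp", "10.1.1.1", 1029, "152.1.1.1", 23))   # HostA telnets out
    b = nat.outbound(Flow("tcp", "10.1.1.2", 1029, "152.1.1.1", 23))   # second host, same port
    reply_b = nat.inbound(Flow("tcp", "152.1.1.1", 23, "195.1.1.1", b.sport))   # server replies
    stray = nat.inbound(Flow("tcp", "152.1.1.1", 4000, "195.1.1.1", 23))        # nobody asked
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray}


if __name__ == "__main__":
    for name, flow in overload_walkthrough().items():
        print(name, flow)
```

The second host's flow is rewritten to 195.1.1.1:1024 because 195.1.1.1:1029 toward 152.1.1.1:23 is already bound to HostA; the reply to port 1024 is mapped back to 10.1.1.2:1029, while the unsolicited packet to port 23 finds no entry and is dropped.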

Configuration Overview

This configuration demonstrates overloading a single inside global address. RouterA will translate any source address in the range 10.1.1.1 to 10.1.1.4 (the addresses permitted by access list 1) to the one global address 195.1.1.1.

Two Cisco routers are connected serially. RouterA is connected to RouterB via a crossover cable. RouterB acts as the DCE providing clock to RouterA. A PC running a terminal emulation program is connected to the console port of RouterA. All IP addresses are as per figure 15-9.


Figure 15-9: Overloading an Inside Global Address

RouterA is configured for Network Address Translation, and will dynamically translate any inside source address within the range specified, to the unique Internet registered global address 195.1.1.1.

Router Configurations

The configurations for the two routers in this example are as follows (key NAT configurations for RouterA are highlighted in bold).

RouterA

version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname routerA
!
ip nat pool globalpool 195.1.1.1 195.1.1.1 netmask 255.255.255.0   <- Defines the range of pool "globalpool"; in this case there is only one address in the pool
ip nat inside source list 1 pool globalpool overload   <- "list 1" references access list 1 and defines which addresses are translated; "pool globalpool" defines what global address to use; "overload" allows multiple inside local addresses to be translated to one inside global address
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.1.2 255.255.255.0 secondary
 ip address 10.1.1.3 255.255.255.0 secondary   <- Secondary IP addresses are used as test points
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.1.5 255.255.255.0
 ip nat inside   <- Defines the inside interface
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip nat outside   <- Defines the outside interface
!
no ip classless
ip route 152.1.1.1 255.255.255.255 Serial0
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.3
access-list 1 permit 10.1.1.1   <- Access list 1 defines which inside source addresses will be translated
access-list 1 permit 10.1.1.4
!
line con 0
line vty 0 4
 login
!
end

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
interface Ethernet0/0
 ip address 152.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.10 255.255.255.0
 clock rate 500000
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login

Monitoring and Testing the Configuration

To test the configuration, ping RouterB's serial address from RouterA using the extended ping command, sourcing the packets from 10.1.1.1 and then from 10.1.1.2. (The output below was captured with RouterB's serial interface at 195.1.1.3; the RouterB listing above uses 195.1.1.10, so ping whichever address you configured.) Monitor the translation with the command debug ip nat.

Below is the output from the command. Notice that both inside source addresses, 10.1.1.1 and 10.1.1.2, have been translated to the same global address 195.1.1.1:

NAT: s=10.1.1.1->195.1.1.1, d=195.1.1.3 [5]
NAT: s=10.1.1.2->195.1.1.1, d=195.1.1.3 [10]

Now display the NAT table with the command show ip nat translations. Below is the output; notice the number after each IP address. This number, together with the protocol and the addresses, is the key used to map return packets to the correct inside local address. ICMP has no port numbers, so IOS keys these entries on the ICMP query identifier instead. The five echo requests from 10.1.1.1 kept identifiers 0 through 4 unchanged, but the five from 10.1.1.2 would have collided with them on the shared global address, so the router rewrote them to 5 through 9 on the outside:

RouterA#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
icmp 195.1.1.1:9     10.1.1.2:4     195.1.1.3:4     195.1.1.3:9
icmp 195.1.1.1:8     10.1.1.2:3     195.1.1.3:3     195.1.1.3:8
icmp 195.1.1.1:7     10.1.1.2:2     195.1.1.3:2     195.1.1.3:7
icmp 195.1.1.1:6     10.1.1.2:1     195.1.1.3:1     195.1.1.3:6
icmp 195.1.1.1:5     10.1.1.2:0     195.1.1.3:0     195.1.1.3:5
icmp 195.1.1.1:4     10.1.1.1:4     195.1.1.3:4     195.1.1.3:4
icmp 195.1.1.1:3     10.1.1.1:3     195.1.1.3:3     195.1.1.3:3
icmp 195.1.1.1:2     10.1.1.1:2     195.1.1.3:2     195.1.1.3:2
icmp 195.1.1.1:1     10.1.1.1:1     195.1.1.3:1     195.1.1.3:1
icmp 195.1.1.1:0     10.1.1.1:0     195.1.1.3:0     195.1.1.3:0

Lab#62: Translating Overlapping Addresses

Equipment Needed

The following equipment is needed to perform this lab exercise:

Overview

Overlapping occurs when an inside local address is the same as the address of the outside destination you are trying to reach. In figure 15-10, HostA (148.1.1.1) opens a connection to HostB by name, requesting a name-to-address lookup from the DNS server. The DNS server responds with HostB's address, 148.1.1.1. The inside local address overlaps with the outside address, so without help HostA would send the packets to itself.


Figure15-10: IP Address Overlapping

The Cisco IOS solves this problem by translating the outside global address to an outside local address, and by rewriting the address inside the DNS response so that HostA learns the outside local address rather than the overlapping one.

The following steps are taken by RouterA:

  1. HostA opens a connection to HostB using its name; a request is sent to the DNS server for name-to-address resolution.
  2. The DNS server responds, resolving HostB to IP address 148.1.1.1.
  3. RouterA intercepts the DNS response and rewrites the resolved address (the A record) to an address from the outside local address pool.
  4. RouterA keeps a simple table mapping the outside global address to the outside local address.
  5. When HostA sends a packet to HostB, the destination IP address is the outside local address.
  6. When RouterA receives a packet destined for the outside local address, it translates that address back to the outside global address before forwarding it.

The following is output from show ip nat translations on RouterA. The outside global address 148.1.1.1 is mapped to the outside local address 2.2.2.2, which is defined in the router configuration:

routerA#show ip nat translations
Pro Inside global    Inside local    Outside local   Outside global
--- ---              ---             2.2.2.2         148.1.1.1
tcp 195.1.1.1:1071   10.1.1.1:1071   148.1.1.1:23    148.1.1.1:23
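Step 3 is the part that is easy to take on faith, so here is an added Python model of the DNS fix-up that outside source translation performs on A records. It is example code written for this chapter, not IOS code. The DNS reply, the overlapping range 10.1.1.0/24 and the mapping 10.1.1.1 to 2.2.2.2 are constructed here to mirror the Lab#62 configuration; the name hostb.example.com is a placeholder.

```python
from __future__ import annotations
import ipaddress
import struct

# Added example (not from the lab guide): the DNS fix-up that outside source
# translation performs on A records, in Python. The DNS reply, the overlapping
# range 10.1.1.0/24 and the mapping 10.1.1.1 -> 2.2.2.2 are constructed here
# to mirror Lab#62; this is a model of the behaviour, not IOS code.


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name, following a compression pointer if present."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def rewrite_a_records(msg: bytes, overlap: ipaddress.IPv4Network,
                      mapping: dict[str, str]) -> tuple[bytes, list[tuple[str, str]]]:
    """Rewrite A records whose address lies in `overlap` using `mapping`.

    Returns the (possibly modified) message and the list of (global, local)
    substitutions made, the same information the "NAT: DNS resource record"
    debug line reports.
    """
    out = bytearray(msg)
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        return msg, []                     # a query carries no answers to fix up
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    changes: list[tuple[str, str]] = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            addr = ipaddress.IPv4Address(msg[off:off + 4])
            local = mapping.get(str(addr))
            if addr in overlap and local is not None:
                out[off:off + 4] = ipaddress.IPv4Address(local).packed
                changes.append((str(addr), local))
        off += rdlength
    return bytes(out), changes


def build_response(qname: str, addr: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (one question, one A answer) for the demo."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def lab_62_walkthrough() -> tuple[list[tuple[str, str]], str]:
    """Replay Lab#62: the server answers 10.1.1.1, HostA must see 2.2.2.2."""
    reply = build_response("hostb.example.com", "10.1.1.1")     # what the DNS server sent
    fixed, changes = rewrite_a_records(reply, ipaddress.IPv4Network("10.1.1.0/24"),
                                       {"10.1.1.1": "2.2.2.2"})
    return changes, str(ipaddress.IPv4Address(fixed[-4:]))     # what HostA receives


if __name__ == "__main__":
    print(lab_62_walkthrough())
```

Two caveats follow from the model. The router can only fix up answers it can parse, so the DNS exchange has to pass through it in the clear on UDP or TCP port 53. And because the rewritten record no longer matches what the authoritative server signed, a DNSSEC-validating resolver on the inside would reject the modified answer.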

Configuration Overview

This configuration demonstrates outside source address translation. RouterA monitors all DNS responses, and if the resolved address overlaps with the inside local address 10.1.1.1, RouterA translates that address to 2.2.2.2.

Two Cisco routers are connected serially. RouterA is connected to RouterB via a crossover cable. RouterB acts as the DCE providing clock to RouterA. A PC running a terminal emulation program is connected to the console port of RouterA. All IP addresses are as per figure 15-11.

HostA is configured with a default gateway of 10.1.1.5 and a DNS server entry of 152.1.1.2. RouterA is configured for Network Address Translation and will monitor all DNS responses. If the resolved address overlaps with 10.1.1.1, it will statically translate the address of the resolved host to 2.2.2.2.


Figure 15-11: IP Address Overlapping

The second workstation is configured as a Domain Name Server and will resolve the name HostB to 10.1.1.1.

Router Configurations

The following configuration defines a static mapping between the outside global address 10.1.1.1 and the outside local address 2.2.2.2. Check routing before you test: the static route in the listing covers only 152.1.1.1, and with no ip classless configured RouterA will not forward a DNS query to 152.1.1.2 unless a route covers it as well (for example ip route 152.1.1.0 255.255.255.0 Serial0).

RouterA

!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname routerA
!
!
ip nat pool globalpool 195.1.1.1 195.1.1.3 netmask 255.255.255.0
ip nat inside source list 1 pool globalpool overload
ip nat outside source static 10.1.1.1 2.2.2.2   <- Defines the translation from the outside global address 10.1.1.1 to the outside local address 2.2.2.2
!
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0 secondary
 ip address 10.1.1.3 255.255.255.0 secondary
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.1.5 255.255.255.0
 ip nat inside   <- Defines the inside interface
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip nat outside   <- Defines the outside interface
!
no ip classless
ip route 152.1.1.1 255.255.255.255 Serial0
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.3
access-list 1 permit 10.1.1.1
access-list 1 permit 10.1.1.4
!
line con 0
line vty 0 4
 login
!
end

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
interface Ethernet0/0
 ip address 152.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.10 255.255.255.0
 clock rate 500000
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login

The following configuration instead defines a dynamic mapping from a group of outside global addresses, selected by access list 2, to a pool of outside local addresses. Any DNS answer or packet source that matches access list 2 is rewritten to the next free address in the pool "outsidelocal".

RouterA

Current configuration:
!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname routerA
!
ip nat pool globalpool 195.1.1.1 195.1.1.3 netmask 255.255.255.0
ip nat pool outsidelocal 2.2.2.1 2.2.2.4 netmask 255.255.255.0   <- Pool name "outsidelocal", pool range 2.2.2.1 to 2.2.2.4
ip nat inside source list 1 pool globalpool overload
ip nat outside source list 2 pool outsidelocal   <- If the outside global source address matches access list 2, change it to one of the addresses defined in pool "outsidelocal"
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.1.2 255.255.255.0 secondary
 ip address 10.1.1.3 255.255.255.0 secondary
 ip address 10.1.1.4 255.255.255.0 secondary
 ip address 10.1.1.5 255.255.255.0
 ip nat inside   <- Defines the inside interface
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip nat outside   <- Defines the outside interface
!
no ip classless
ip route 152.1.1.1 255.255.255.255 Serial0
access-list 2 permit 10.1.1.1
access-list 2 permit 10.1.1.2   <- If the outside global source address matches one of these, it is changed to an address from pool "outsidelocal"
access-list 2 permit 10.1.1.3
access-list 2 permit 10.1.1.4
no cdp run
!
line con 0
line vty 0 4
 login
!

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
interface Ethernet0/0
 ip address 152.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.10 255.255.255.0
 clock rate 500000
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login

Monitoring and Testing the Configuration

To test the configuration, ping HostB from HostA using the domain name. Use the debug ip nat command and the show ip nat translations command to verify that the translation is working properly.

Below is the output from the debug ip nat command. This capture was taken on a router named r3 with the DNS server at 10.10.3.111 and the pinging host at 10.1.1.100, so the addresses differ from figure 15-11, but the sequence is the one described above: the query goes out, the answer comes back, and the resource record 10.1.1.1 in the answer is rewritten to 2.2.2.2 before the host sees it.

r3#deb ip nat
01:04:23: NAT: i: udp (10.1.1.1, 1082) -> (10.10.3.111, 53) [62735]
01:04:23: NAT: s=10.1.1.1->195.1.1.1, d=10.10.3.111 [62735]
01:04:23: NAT: o: udp (10.10.3.111, 53) -> (195.1.1.1, 1082) [9227]
01:04:23: NAT: DNS resource record 10.1.1.1 -> 2.2.2.2
01:04:23: NAT: s=10.10.3.111, d=195.1.1.1->10.1.1.1 [9227]
01:04:23: NAT: o: icmp (10.1.1.100, 256) -> (10.1.1.1, 256) [21]
01:04:24: NAT: o: icmp (10.1.1.100, 256) -> (10.1.1.1, 256) [22]
01:04:25: NAT: o: icmp (10.1.1.100, 256) -> (10.1.1.1, 256) [23]
01:04:26: NAT: o: icmp (10.1.1.100, 256) -> (10.1.1.1, 256) [24]

Below is the output from show ip nat translations on RouterA. Note that the overlapping outside global address 10.1.1.1 is translated to the outside local address 2.2.2.2:

r3#show ip nat translations
Pro Inside global   Inside local   Outside local   Outside global
--- 195.1.1.1       10.1.1.1       ---             ---
--- ---             ---            2.2.2.2         10.1.1.1

Lab#63: Destination Address Rotary Translation

Equipment Needed

The following equipment is needed to perform this lab exercise:

Overview

Destination address rotary translation can be used to provide load sharing among multiple heavily used hosts. Figure 15-12 illustrates this feature. Company X has multiple FTP servers that customers access to download software. The translation is transparent to the users; they simply FTP to the virtual IP address 152.1.1.10.

When RouterA receives a new connection destined for the virtual IP address, it translates the destination address to the first FTP server. When the next FTP connection to the virtual IP address is established, RouterA translates the destination address to the second FTP server. These translations occur in round-robin fashion, distributing new connections evenly across the FTP servers. Note that rotary translation distributes connections, not load: it does not check whether a server is up, so a failed server still receives its share of new connections.

Figure 15-12: Load Balancing using NAT

RouterA takes the following steps when performing rotary translation:

  1. User A (148.1.1.100) establishes a connection to the virtual host 152.1.1.10.
  2. RouterA receives the packet destined for the virtual host 152.1.1.10 and translates the destination address to the next real host from the pool, in this case FTP server 152.1.1.1.
  3. FTP server 152.1.1.1 receives the packet and responds.
  4. RouterA receives the response packet from FTP server 152.1.1.1 and performs a NAT table lookup using the inside local address and port number and the outside address and port number as the key.
  5. RouterA then translates the source address to the address of the virtual host and forwards the packet.
  6. User B (196.1.1.2) establishes a connection to the virtual host 152.1.1.10.
  7. RouterA receives the packet destined for the virtual host 152.1.1.10 and translates the destination address to the next real host from the pool, in this case FTP server 152.1.1.2.
  8. RouterA receives the response packet from FTP server 152.1.1.2, performs the NAT lookup, translates the source address to the virtual address and forwards the packet.
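The eight steps above, as an added Python model of rotary translation. This is example code written for this chapter, not IOS code. It assumes the virtual address 152.1.1.10 and the two real hosts from figure 15-12, and uses the client address and ports from the Lab#63 output; the round-robin counter and the per-connection table are this model's own, written to reproduce the behaviour the steps describe.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Tuple

# Added example (not from the lab guide): a model of destination address rotary
# translation. The virtual address 152.1.1.10, the two real hosts and the client
# addresses/ports are constructed to mirror figure 15-12 and the Lab#63 output.

Packet = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class RotaryNat:
    virtual: str
    real_hosts: list[str]                     # the rotary pool, in order
    _next: int = 0
    # (client addr, client port, virtual port) -> real host chosen for that connection
    table: dict[tuple[str, int, int], str] = field(default_factory=dict)

    def from_outside(self, pkt: Packet) -> Packet:
        """Steps 2 and 7: a new TCP connection to the virtual address goes to the next real host."""
        proto, src, sport, dst, dport = pkt
        if proto != "tcp" or dst != self.virtual:
            return pkt                        # rotary translation applies to TCP only
        key = (src, sport, dport)
        if key not in self.table:             # first packet of the connection: round robin
            self.table[key] = self.real_hosts[self._next % len(self.real_hosts)]
            self._next += 1
        return (proto, src, sport, self.table[key], dport)   # later packets stick to the same host

    def from_inside(self, pkt: Packet) -> Packet:
        """Steps 4-5: a reply from the chosen real host leaves with the virtual address as source."""
        proto, src, sport, dst, dport = pkt
        if proto == "tcp" and self.table.get((dst, dport, sport)) == src:
            return (proto, self.virtual, sport, dst, dport)
        return pkt


def lab_63_walkthrough() -> dict[str, Packet]:
    """Two telnets from RouterB alternate between the real hosts; replies carry the virtual address."""
    nat = RotaryNat("152.1.1.10", ["152.1.1.1", "152.1.1.2"])
    first = nat.from_outside(("tcp", "195.1.1.3", 26658, "152.1.1.10", 23))   # first telnet
    second = nat.from_outside(("tcp", "195.1.1.3", 26659, "152.1.1.10", 23))  # second telnet
    again = nat.from_outside(("tcp", "195.1.1.3", 26658, "152.1.1.10", 23))   # more of the first
    reply = nat.from_inside(("tcp", second[3], 23, "195.1.1.3", 26659))       # server replies
    return {"first": first, "second": second, "again": again, "reply": reply}


if __name__ == "__main__":
    for name, pkt in lab_63_walkthrough().items():
        print(name, pkt)
```

The per-connection table is what keeps a TCP session on one server: only the first packet of a connection advances the round-robin counter, and the reply path is found by the same (client, client port, server port) key so that the virtual address, never the real server, is what the client sees.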

Configuration Overview

This configuration demonstrates load sharing using destination address rotary translation. RouterA will translate the destination address of any packet that matches access list 2 to one of the real host addresses in the rotary pool "loadsharing".

The pool defines the addresses of the real hosts, and the access list defines the virtual address. If a translation does not already exist, TCP packets arriving on Serial0 (the outside interface) whose destination address matches access list 2 are translated to the next address from the pool. Only TCP is handled by rotary translation; a ping to the virtual address is not translated.

RouterA and RouterB are connected serially via a crossover cable. RouterB acts as the DCE supplying clock to RouterA. The IP addresses are assigned as per figure 15-13. Secondary IP addresses are used on RouterA as test points only.


Figure 15-13: Destination Address Rotary Translation

RouterA is configured for destination address rotary translation. From RouterB, telnet to the virtual host 152.1.1.10. Instead of placing multiple PCs on RouterA's Ethernet, secondary IP addresses are configured on that interface to stand in for the real hosts. RouterA is also configured to accept VTY sessions, so that the telnet session to a secondary IP address on RouterA has something to connect to.

Router Configurations

The configurations for the two routers in this example are as follows (key NAT configurations for RouterA are highlighted in bold).

RouterA

Current configuration:
!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname RouterA
!
ip nat pool loadsharing 152.1.1.1 152.1.1.2 prefix-length 24 type rotary   <- Pool name "loadsharing", pool range 152.1.1.1 to 152.1.1.2, "type rotary" defines the pool as rotary
ip nat inside destination list 2 pool loadsharing   <- If the destination address matches access list 2, replace it with an address from pool "loadsharing"
!
interface Ethernet0
 ip address 152.1.1.1 255.255.255.0 secondary   <- Secondary IP address used as a test point
 ip address 152.1.1.2 255.255.255.0 secondary   <- Secondary IP address used as a test point
 ip address 152.1.1.100 255.255.255.0
 ip nat inside   <- Defines the inside interface
!
interface Serial0
 ip address 195.1.1.2 255.255.255.0
 ip nat outside   <- Defines the outside interface
!
no ip classless
access-list 2 permit 152.1.1.10   <- Defines which destination address will be translated
!
line con 0
line vty 0 4
 password cisco   <- Sets the VTY password to cisco
 login   <- Allows telnet access into the router
!
end

RouterB

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname RouterB
!
enable password cisco
!
!
interface Ethernet0/0
 ip address 196.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 195.1.1.3 255.255.255.0
 ! Acts as DCE providing clock
 clockrate 500000

Monitoring and Testing the Configuration

Perform the following steps to test the configuration:

  1. On RouterA, enter debug ip nat
  2. On RouterB, telnet to IP address 152.1.1.10

The following is the output from the debug ip nat command on RouterA. The first line is the translation of destination 152.1.1.10 to the first address of the pool, 152.1.1.1. The next line is the return packet from 152.1.1.1; note that RouterA translated the source address back to the virtual IP address 152.1.1.10 before forwarding the packet to RouterB.

NAT: s=195.1.1.3, d=152.1.1.10->152.1.1.1 [0]
NAT: s=152.1.1.1->152.1.1.10, d=195.1.1.3 [0]

  3. On RouterB, telnet again to IP address 152.1.1.10

The following is the output from the debug ip nat command on RouterA. Note that this time destination address 152.1.1.10 is translated to the second address in the pool (152.1.1.2).

NAT: s=195.1.1.3, d=152.1.1.10->152.1.1.2 [0]
NAT: s=195.1.1.3, d=152.1.1.10->152.1.1.2 [0]

  4. Show the NAT table on RouterA using the command show ip nat translations. The following is the output from the command. Note that each address is followed by its port number; the port number combined with the protocol type is the key used to translate the return packet back.

Pro  Inside global    Inside local    Outside local      Outside global
tcp  152.1.1.10:23    152.1.1.2:23    195.1.1.3:26658    195.1.1.3:26658
tcp  152.1.1.10:23    152.1.1.1:23    195.1.1.3:26146    195.1.1.3:26146
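The rotary translation exercised in the steps above, modelled in Python as an added example (this is not Cisco code and not part of the book's lab). RouterA's behaviour is reduced to one function per direction over a translation table keyed the way step 4 describes: protocol, ports and the outside host. The addresses are the lab's (virtual host 152.1.1.10 from access list 2, pool 152.1.1.1 and 152.1.1.2, outside host 195.1.1.3); the class and function names are the example's own.

```python
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Translation:
    """One row of 'show ip nat translations' (outside local == outside global here)."""
    proto: str
    inside_global: tuple   # (ip, port): the virtual address outside hosts connect to
    inside_local: tuple    # (ip, port): the real host taken from the rotary pool
    outside: tuple         # (ip, port): the outside host


class RotaryNat:
    """Destination rotary translation as configured on RouterA (added model).

    virtual_addr: the address permitted by access list 2.
    pool: real host addresses of the rotary pool, handed out round robin.
    """

    def __init__(self, virtual_addr, pool):
        self.virtual_addr = virtual_addr
        self._next_real = cycle(pool)
        self.table = []       # Translation rows, in creation order
        self.log = []         # lines in the style of 'debug ip nat' (IP id omitted)

    def _find(self, proto, outside, inside_global=None, inside_local=None):
        """Look a flow up by protocol, outside address:port and whichever inside side is known."""
        for t in self.table:
            if (t.proto == proto and t.outside == outside
                    and (inside_global is None or t.inside_global == inside_global)
                    and (inside_local is None or t.inside_local == inside_local)):
                return t
        return None

    def outside_to_inside(self, pkt):
        """Packet arriving on the outside interface (Serial0)."""
        if pkt.proto != "tcp" or pkt.dst != self.virtual_addr:
            return pkt   # rotary translation applies only to TCP sent to the virtual address
        outside, inside_global = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        t = self._find(pkt.proto, outside, inside_global=inside_global)
        if t is None:    # no existing translation: allocate the next real host
            t = Translation(pkt.proto, inside_global, (next(self._next_real), pkt.dport), outside)
            self.table.append(t)
        self.log.append(f"NAT: s={pkt.src}, d={pkt.dst}->{t.inside_local[0]}")
        return replace(pkt, dst=t.inside_local[0])

    def inside_to_outside(self, pkt):
        """Return packet from a real host arriving on the inside interface (Ethernet0)."""
        t = self._find(pkt.proto, (pkt.dst, pkt.dport), inside_local=(pkt.src, pkt.sport))
        if t is None:
            return pkt   # no entry: the packet leaves with the real host's own address
        self.log.append(f"NAT: s={pkt.src}->{t.inside_global[0]}, d={pkt.dst}")
        return replace(pkt, src=t.inside_global[0])

    def show_translations(self):
        """Rows in the layout of 'show ip nat translations'."""
        rows = ["Pro Inside global Inside local Outside local Outside global"]
        for t in self.table:
            ig, il, o = ("%s:%d" % a for a in (t.inside_global, t.inside_local, t.outside))
            rows.append(f"{t.proto} {ig} {il} {o} {o}")
        return rows


if __name__ == "__main__":
    nat = RotaryNat("152.1.1.10", ["152.1.1.1", "152.1.1.2"])   # lab values
    for sport in (26146, 26658):      # two telnet sessions from RouterB, as in steps 2 and 3
        nat.outside_to_inside(Packet("tcp", "195.1.1.3", sport, "152.1.1.10", 23))
    nat.inside_to_outside(Packet("tcp", "152.1.1.1", 23, "195.1.1.3", 26146))
    print("\n".join(nat.log + nat.show_translations()))
```

Two behaviours of the model are worth noting when reading the real table: a third session wraps around to the first pool address, and a packet from a real host for which no entry exists is forwarded with the real (inside local) source address, since there is nothing to translate it back to. That is why the real hosts should be reached only through the virtual address.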

Change Translation Timeouts

Dynamic translations time out after a period of inactivity; by default, a simple translation (one not configured for overloading) times out after 24 hours. To change the default timeout period, enter the following command in global configuration mode:

ip nat translation timeout {seconds}
    Changes the timeout value for dynamic address translations that do not use overloading.

When overloading is configured, Cisco IOS allows finer control over translation entry timeouts because each entry contains more information about the traffic that is using it. The UDP, DNS, TCP and FIN/RST timers below can be changed with the following global configuration commands:

ip nat translation udp-timeout {seconds}
    Changes the UDP timeout value; the default is 5 minutes.

ip nat translation dns-timeout {seconds}
    Changes the DNS timeout value; the default is 1 minute.

ip nat translation tcp-timeout {seconds}
    Changes the TCP timeout value; the default is 24 hours.

ip nat translation finrst-timeout {seconds}
    Changes the finish (FIN) and reset (RST) timeout; the default is 1 minute.

Troubleshooting NAT

The Cisco IOS provides many tools for troubleshooting Network Address Translation. Below is a list of commands, along with sample output from each.

{show ip nat statistics}

This command displays the number of active translations along with the number of translations that have expired. An expired translation is one that has been inactive for a period of time and has been removed from the table. The command also shows the configured inside and outside interfaces.

RouterA#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 20  Misses: 20
Expired translations: 20
Dynamic mappings:
-- Inside Source
access-list 1 pool pool refcount 0
 pool pool: netmask 255.255.255.0
   start 195.1.1.1 end 195.1.1.1
   type generic, total addresses 1, allocated 0 (0%), misses 0

{show ip nat translations}

This command displays all active translations: the protocol of the translated packet, the inside global address, the inside local address, the outside local address and the outside global address.

From the following output we can see that a ping packet (protocol icmp) with the inside local address of 10.1.1.1 has been translated to the inside global address of 195.1.1.1. The number after each IP address is the port number; it is present in this translation because the router is configured for overloading.

RouterA#show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
icmp  195.1.1.1:4     10.1.1.1:4     195.1.1.3:4     195.1.1.3:4
icmp  195.1.1.1:3     10.1.1.1:3     195.1.1.3:3     195.1.1.3:3
icmp  195.1.1.1:2     10.1.1.1:2     195.1.1.3:2     195.1.1.3:2
icmp  195.1.1.1:1     10.1.1.1:1     195.1.1.3:1     195.1.1.3:1
icmp  195.1.1.1:0     10.1.1.1:0     195.1.1.3:0     195.1.1.3:0

{show ip nat translations verbose}

This command is an extension of the previous command and displays more detailed information about how long ago the translation was created and how long ago the translation was last used.

From the following output we can see that the translation was created 1 minute and 31 seconds ago and last used 31 seconds ago.

RouterA#show ip nat translations verbose
Pro   Inside global   Inside local   Outside local   Outside global
icmp  195.1.1.1:4     10.1.1.1:4     195.1.1.3:4     195.1.1.3:4
    create 00:01:31, use 00:00:31, left 00:00:28, flags: extended
icmp  195.1.1.1:3     10.1.1.1:3     195.1.1.3:3     195.1.1.3:3
    create 00:00:31, use 00:00:31, left 00:00:28, flags: extended
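The aging rules from the Change Translation Timeouts section, and the create/use/left fields shown by the verbose command above, modelled in Python as an added example (not IOS code). The timers are the defaults quoted in this chapter, in seconds, held in a dictionary that stands in for the ip nat translation commands; the entry values are constructed. The chapter lists timers only for TCP, DNS and other UDP traffic, so the model covers those and refuses other protocols (the ICMP rows in the output above therefore have no counterpart here). Treating UDP port 53 as DNS is the model's assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Default timers quoted in the text, in seconds.  On the router they are changed with
# 'ip nat translation <name> <seconds>'; this dict stands in for that configuration.
DEFAULT_TIMERS = {
    "timeout": 86400,         # dynamic translations without port information
    "udp-timeout": 300,
    "dns-timeout": 60,
    "tcp-timeout": 86400,
    "finrst-timeout": 60,
}


@dataclass
class Entry:
    proto: str                # "tcp" or "udp" (the chapter lists no timer for other protocols)
    inside_local: str
    inside_global: str
    port: Optional[int]       # None for a simple translation; set for an extended (overloaded) one
    created: float            # seconds on any clock
    last_use: float           # same clock; idle time is measured from here, not from creation
    fin_or_rst_seen: bool = False


def timer_for(entry, timers=DEFAULT_TIMERS):
    """Select the timer that governs an entry."""
    if entry.port is None:
        return timers["timeout"]
    if entry.proto == "tcp":
        # a closed session (FIN or RST seen) is released after the short finrst timer
        return timers["finrst-timeout"] if entry.fin_or_rst_seen else timers["tcp-timeout"]
    if entry.proto == "udp":
        # assumption of the model: UDP port 53 marks a DNS translation
        return timers["dns-timeout"] if entry.port == 53 else timers["udp-timeout"]
    raise ValueError(f"no timer described for protocol {entry.proto!r}")


def seconds_left(entry, now, timers=DEFAULT_TIMERS):
    """The 'left' value of 'show ip nat translations verbose': timer minus idle time."""
    return timer_for(entry, timers) - (now - entry.last_use)


def hms(seconds):
    """hh:mm:ss, as the verbose output prints it."""
    seconds = max(0, int(seconds))
    return "%02d:%02d:%02d" % (seconds // 3600, (seconds % 3600) // 60, seconds % 60)


def verbose_line(entry, now, timers=DEFAULT_TIMERS):
    """Detail line in the layout of the verbose output (create, use, left)."""
    return "create %s, use %s, left %s" % (
        hms(now - entry.created), hms(now - entry.last_use), hms(seconds_left(entry, now, timers)))


def expire(table, now, timers=DEFAULT_TIMERS):
    """Drop entries whose timer has run out and return them (what the router counts as expired)."""
    expired = [e for e in table if seconds_left(e, now, timers) <= 0]
    table[:] = [e for e in table if e not in expired]
    return expired


if __name__ == "__main__":
    # constructed sample: two entries last used 100 s ago, viewed at clock time 200
    table = [Entry("tcp", "10.1.1.1", "195.1.1.1", 23, 0, 100, fin_or_rst_seen=True),
             Entry("udp", "10.1.1.1", "195.1.1.1", 5000, 0, 100)]
    for e in table:
        print(e.proto, verbose_line(e, 200))
    print("expired:", [e.proto for e in expire(table, 200)])
```

The practical consequence for an operator: a TCP entry for which no FIN or RST was seen stays in the table for the full 24 hours of idle time, so a table full of stale TCP rows after a link failure is normal rather than a sign of trouble, and lowering tcp-timeout (or clearing the entries) is the remedy.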

{clear ip nat translation}

This command is used to clear all or specific active translations. The following is a list of extensions that can be used with this command.

*        The asterisk clears all dynamic translations
inside   Clears specific inside address and port translations
outside  Clears specific outside address and port translations
tcp      Clears specific inside address by protocol
udp      Clears specific inside address by protocol

{clear ip nat statistics}

This command is used to clear the counters for all NAT statistics.

{debug ip nat}

This command is used to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The command will also display information about certain errors or exceptional conditions, such as the failure to allocate a global address.

From the following output of the command we can see that the source address 10.1.1.1 has been translated to the global address 195.1.1.1.

NAT: s=10.1.1.1->195.1.1.1, d=195.1.1.3 [35]
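A parser for the show ip nat translations (plain and verbose) and debug ip nat output formats used in this troubleshooting section, written as an added example (not an IOS feature or Cisco code). It turns the sample lines quoted above into records and matches a debug line against the table rows that explain it, which is the usual first step when a translation looks wrong. The sample text is copied from this chapter's output; the function names are the example's own.

```python
import re

# Sample lines taken from the command output shown earlier in this chapter.
SAMPLE_SHOW = """\
Pro Inside global Inside local Outside local Outside global
icmp 195.1.1.1:4 10.1.1.1:4 195.1.1.3:4 195.1.1.3:4
tcp 152.1.1.10:23 152.1.1.2:23 195.1.1.3:26658 195.1.1.3:26658
"""

SAMPLE_VERBOSE = """\
Pro Inside global Inside local Outside local Outside global
icmp 195.1.1.1:4 10.1.1.1:4 195.1.1.3:4 195.1.1.3:4
create 00:01:31, use 00:00:31, left 00:00:28, flags: extended
"""

SAMPLE_DEBUG = """\
NAT: s=10.1.1.1->195.1.1.1, d=195.1.1.3 [35]
NAT: s=195.1.1.3, d=152.1.1.10->152.1.1.1 [0]
"""

_ADDR = r"([\d.]+)(?::(\d+))?"          # dotted address with optional :port
_ROW = re.compile(rf"^(\w+)\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}$")
_VERBOSE = re.compile(r"^create (\S+), use (\S+), left (\S+), flags: (.*)$")
# 's=' or 'd=' carries 'before->after' on whichever side the router rewrote; [n] is the IP id
_DEBUG = re.compile(r"^NAT: s=(\S+?)(?:->(\S+?))?, d=(\S+?)(?:->(\S+?))? \[(\d+)\]$")


def hms_to_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def _addr(ip, port):
    return (ip, int(port) if port is not None else None)


def parse_show(text):
    """Parse 'show ip nat translations [verbose]' into a list of dicts, one per row."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ROW.match(line)
        if m:
            g = m.groups()
            entries.append({
                "proto": g[0],
                "inside_global": _addr(g[1], g[2]),
                "inside_local": _addr(g[3], g[4]),
                "outside_local": _addr(g[5], g[6]),
                "outside_global": _addr(g[7], g[8]),
            })
            continue
        v = _VERBOSE.match(line)
        if v and entries:              # a verbose detail line belongs to the row above it
            entries[-1].update(
                create=hms_to_seconds(v[1]), use=hms_to_seconds(v[2]),
                left=hms_to_seconds(v[3]), flags=v[4].split(", "))
    return entries


def parse_debug(text):
    """Parse 'debug ip nat' lines; a rewritten source means an inside host leaving."""
    records = []
    for raw in text.splitlines():
        m = _DEBUG.match(raw.strip())
        if not m:
            continue
        s_from, s_to, d_from, d_to, ident = m.groups()
        records.append({
            "src": s_from, "src_to": s_to, "dst": d_from, "dst_to": d_to,
            "ip_id": int(ident),
            "direction": "inside->outside" if s_to else "outside->inside",
        })
    return records


def match_entries(table, record):
    """Rows of the translation table that explain one debug line (empty list: no entry)."""
    if record["direction"] == "inside->outside":
        return [e for e in table
                if e["inside_local"][0] == record["src"]
                and e["inside_global"][0] == record["src_to"]
                and e["outside_global"][0] == record["dst"]]
    return [e for e in table
            if e["outside_global"][0] == record["src"]
            and e["inside_global"][0] == record["dst"]
            and e["inside_local"][0] == record["dst_to"]]


if __name__ == "__main__":
    table = parse_show(SAMPLE_SHOW)
    for rec in parse_debug(SAMPLE_DEBUG):
        print(rec["direction"], "->", match_entries(table, rec) or "no matching entry")
```

A debug line with no matching row points at a translation that was never created or has already expired; the Misses and Expired translations counters of show ip nat statistics tell those two cases apart.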

Conclusion

This chapter explores Network Address Translation (NAT). NAT allows the addresses inside one stub domain to be reused by any other stub domain. NAT allows organizations to appear from the outside as if they are using different IP address space than what is actually used, thereby reducing the need for unique, registered IP addresses. Network Address Translation can also save private network administrators from having to renumber hosts and routers that do not conform to global IP addressing. NAT is defined in RFC 1631.

