Table of Contents
2 VLSM (Variable Length Subnet Masking)
2.1 VLSM Practical Example
3 Supernetting or Route Summarization
4 CIDR (RFC 4632)
4.1 A simple example
4.2 CIDR in Depth
4.3 Merit RADb Routing Assets Database
5 NAT (Network Address Translation)
5.1 Introduction
5.2 NAT Working
6 Types of NAT
Dynamic NAT
Dynamic NAT with overload or PAT
Static NAT
6.1 Some of the terminology of NAT worth remembering
6.2 A few more things regarding NAT
7 NAT Practical Implementation
7.1 Dynamic NAT Configuration
7.1.1 Step 1
7.1.2 Step 2
7.1.3 Step 3
7.1.4 Now let's see what's happening on R2
7.2 NAT Overload (PAT)
7.3 Static NAT
7.4 Troubleshooting NAT
8 Some additional NAT settings
8.1 SNAT: Stateful Network Address Translation
Introduction
We assume that you have read our introductory manual on IP Addressing and are familiar with topics such as IP
addressing, subnetting, classes of IP addresses, and public and private IP addresses. In this manual we introduce
advanced topics in IP addressing: VLSM, supernetting, route summarization, CIDR and NAT.
Before that, let's revise your IP addressing concepts with the following subnetting exercises.
Class C:
We have an IP of 192.168.2.0 /24; our network design requirement is 16 subnets!
We have an IP of 192.168.150.0 /24; our network design requirement is 14 hosts per network!
We have an IP of 192.168.100.0 /24; our network design requirement is 32 subnets!
Class B:
We have an IP of 172.168.0.0 /16; our network design requirement is 16 subnets!
We have an IP of 172.78.0.0 /16; our network design requirement is 14 hosts per network!
We have an IP of 172.10.0.0 /16; our network design requirement is 32 subnets!
Class A:
We have an IP of 15.0.0.0 /8; our network design requirement is 16 subnets!
We have an IP of 10.0.0.0 /8; our network design requirement is 14 hosts per network!
We have an IP of 13.0.0.0 /8; our network design requirement is 32 subnets!
2 VLSM (Variable Length Subnet Masking):
IPv4 address space is a very scarce resource. That is why private addresses were created, why subnetting was
introduced, and why NAT is done: all of them preserve IP addresses. What if we design our network carelessly and
waste many precious IP addresses? This happens when we take no precautions in network design and do not use
VLSM. VLSM lets us use networks with different subnet masks in one topology, and believe me, VLSM can save us a
lot of address space. To understand this further, please consider the following network:
Suppose we are using the 192.168.10.0 Class C address in the above network and have made 8 subnets with a /27
mask:
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.0 192.168.10.0 192.168.10.1 192.168.10.30 192.168.10.31
192.168.10.32 192.168.10.32 192.168.10.33 192.168.10.62 192.168.10.63
192.168.10.64 192.168.10.64 192.168.10.65 192.168.10.94 192.168.10.95
192.168.10.96 192.168.10.96 192.168.10.97 192.168.10.126 192.168.10.127
192.168.10.128 192.168.10.128 192.168.10.129 192.168.10.158 192.168.10.159
192.168.10.160 192.168.10.160 192.168.10.161 192.168.10.190 192.168.10.191
192.168.10.192 192.168.10.192 192.168.10.193 192.168.10.222 192.168.10.223
192.168.10.224 192.168.10.224 192.168.10.225 192.168.10.254 192.168.10.255
Do you see anything wrong with the above network? From an addressing point of view nothing is wrong, but we are
wasting a lot of IP addresses. How? Look at the serial connection between Router0 and Router1: we are using the
subnet 192.168.10.32/27, and this subnet gives us the following host addresses:
192.168.10.33
192.168.10.34
192.168.10.35
192.168.10.36
192.168.10.37
192.168.10.38
... and so on up to 192.168.10.62.
Suppose we assign 192.168.10.33 and 192.168.10.34 to the two connected WAN interfaces. What about the remaining
28 addresses? They are simply wasted! The same thing happens on Switch0 and Switch4: we allocate more addresses
than are actually required. So how can we keep these IP addresses from being wasted? That is where VLSM comes in
handy.
2.1 VLSM Practical Example
By using a different subnet mask on each router interface, we can size the subnets according to the network
requirements. For the WAN link only two IP addresses are required. If we use a /30 mask on the Class C address
192.168.10.0, we have 2 host bits, which give 2^2-2 = 2 hosts per subnet. Any /30 subnet fulfills our requirement
of two IP addresses for the two connected serial WAN interfaces.
So if we take 192.168.10.0 and use 255.255.255.252 as the subnet mask, we have:
Subnets: 2^6 = 64 subnets, and 2^2-2 = 2 hosts per subnet
Block size = 256-252 = 4. So 0, 4, 8, 12, ...
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.0 192.168.10.0 192.168.10.1 192.168.10.2 192.168.10.3
192.168.10.4 192.168.10.4 192.168.10.5 192.168.10.6 192.168.10.7
192.168.10.8 192.168.10.8 192.168.10.9 192.168.10.10 192.168.10.11
192.168.10.12 192.168.10.12 192.168.10.13 192.168.10.14 192.168.10.15
192.168.10.16 192.168.10.16 192.168.10.17 192.168.10.18 192.168.10.19
192.168.10.20 192.168.10.20 192.168.10.21 192.168.10.22 192.168.10.23
...
192.168.10.252 192.168.10.252 192.168.10.253 192.168.10.254 192.168.10.255
We have chosen the subnet below for our WAN connection:
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.4 192.168.10.4 192.168.10.5 192.168.10.6 192.168.10.7
Now let's take a careful look at our switches. Switch0 requires 10 hosts, so we need to create a subnet sized for
that. If we take 4 bits for the subnet, we are left with 4 host bits, which are sufficient because 2^4-2 = 14 hosts.
Repeating the above process, a subnet mask of /28 is enough:
So if we take 192.168.10.0 and use 255.255.255.240 as the subnet mask, we have:
Subnets: 2^4 = 16 subnets, and 2^4-2 = 14 hosts per subnet
Block size = 256-240 = 16. So 0, 16, 32, 48, ...
The resulting subnets are:
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.0 192.168.10.0 192.168.10.1 192.168.10.14 192.168.10.15
192.168.10.16 192.168.10.16 192.168.10.17 192.168.10.30 192.168.10.31
192.168.10.32 192.168.10.32 192.168.10.33 192.168.10.46 192.168.10.47
192.168.10.48 192.168.10.48 192.168.10.49 192.168.10.62 192.168.10.63
192.168.10.80 192.168.10.80 192.168.10.81 192.168.10.94 192.168.10.95
...
192.168.10.240 192.168.10.240 192.168.10.241 192.168.10.254 192.168.10.255
As we have already used the 192.168.10.4/30 subnet for the WAN link, we can use the /28 subnet below to fulfill
our requirement:
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.16 192.168.10.16 192.168.10.17 192.168.10.30 192.168.10.31
We can use the same subnet size (/28) to fulfill the IP addressing requirements of Switch4; it not only preserves
IP addresses but also leaves room for a few more hosts if we expand the network in the future. We will use the
following subnet for Switch4:
IP Address Network Address 1st Host Address Last Host Address Broadcast Address
192.168.10.32 192.168.10.32 192.168.10.33 192.168.10.46 192.168.10.47
So our network with VLSM will look like:
The above network, with different subnet masks, is known as a classless network. To route packets on such a
network we use routing protocols that support classless networks: RIPv2, EIGRP and OSPF do. With VLSM, care must
be taken to avoid IP address conflicts. This is achieved through proper documentation of the IP addressing scheme
used in the network, or any other method you find convenient, but proper documentation is always recommended!
Please remember: in VLSM, always start from the network with the largest host requirement!
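The calculations above (mask from a subnet or host count, block size, the subnet tables, and largest-first VLSM allocation) as an added Python example; this is not code from the manual. It serves both the subnetting exercises in the Introduction and this VLSM section, and it assumes Switch4 needs 10 hosts like Switch0.

```python
"""Fixed-length subnetting and VLSM allocation using only the standard library."""
import ipaddress
import itertools
import math


def mask_for_subnets(base, n_subnets):
    """Prefix length that yields at least n_subnets equal subnets of base."""
    return ipaddress.ip_network(base).prefixlen + math.ceil(math.log2(n_subnets))


def mask_for_hosts(n_hosts):
    """Longest prefix that still leaves n_hosts usable addresses (+2 for network and broadcast)."""
    return 32 - math.ceil(math.log2(n_hosts + 2))


def block_size(prefix):
    """(index of the interesting octet, increment), computed as in the manual: 256 - mask octet."""
    octet = (prefix - 1) // 8
    return octet, 2 ** (8 - (prefix - 8 * octet))


def subnet_row(net):
    """Network, first host, last host and broadcast address of one subnet."""
    return (str(net.network_address), str(net.network_address + 1),
            str(net.broadcast_address - 1), str(net.broadcast_address))


def subnet_table(base, new_prefix, limit=None):
    """Rows for the subnets of base at new_prefix (only the first `limit` rows if given)."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=new_prefix)
    return [subnet_row(s) for s in itertools.islice(subnets, limit)]


def vlsm_allocate(base, requirements):
    """Allocate one subnet per requirement, largest host count first (the manual's rule).

    Each subnet is placed at the next boundary aligned to its own size, so the
    plan never produces overlapping or misaligned subnets.
    """
    parent = ipaddress.ip_network(base)
    cursor = int(parent.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = mask_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size          # round up to a multiple of size
        candidate = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        if not candidate.subnet_of(parent):
            raise ValueError(f"{base} is exhausted while placing {name} ({hosts} hosts)")
        plan[name] = str(candidate)
        cursor += size
    return plan


if __name__ == "__main__":
    # Two of the Class C exercises from the introduction.
    for base, need in (("192.168.2.0/24", 16), ("192.168.100.0/24", 32)):
        print(base, need, "subnets ->", f"/{mask_for_subnets(base, need)}")
    print("14 hosts per network ->", f"/{mask_for_hosts(14)}")
    # The /30 table used for the WAN link in section 2.1.
    for row in subnet_table("192.168.10.0/24", 30, limit=3):
        print(*row)
    # Requirements: Switch0 (10 hosts), Switch4 (assumed 10 hosts) and the WAN link (2 hosts).
    print(vlsm_allocate("192.168.10.0/24", {"Switch0": 10, "Switch4": 10, "WAN": 2}))
```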
3 Supernetting or Route Summarization
Route summarization is about minimizing the processing load on routers and keeping networks robust. With route
summarization, instead of advertising individual network IDs, a router advertises a summary of similar subnets.
From this summary the neighbouring routers are able to send data to all the networks it covers. The summary route
is a sort of superset of all the networks it was configured for, which is why it is also called supernetting. The
other common term for route summarization is route aggregation, used in BGP! There can be several valid summaries
for a given set of IP addresses, but the best summary is the one that narrows the address space down as much as
possible.
Let's understand this via an example:
Let's suppose the following networks are connected to our Corporate router:
192.168.16.0/24
192.168.17.0/24
192.168.18.0/24
192.168.19.0/24
172.1.4.0/24
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24
If the router advertises each network individually to its connected routers, it increases routing processing not
only on our Corporate router but also on the connected routers, as each router has to parse the individual entries,
and maintaining a big routing table is a hefty task for a router.
In the given network we have a total of 8 network addresses in the routing table. We will use route summarization
to summarize them into only two addresses, one in the 192.168.X.X address space and one in 172.1.X.X! So how do we
create a summary route for the first block, i.e.:
192.168.16.0/24
192.168.17.0/24
192.168.18.0/24
192.168.19.0/24
In the above addresses the first two octets are the same. Converting the addresses into binary:
Address 1st Octet 2nd Octet 3rd Octet 4th Octet
192.168.16.0 11000000 10101000 00010000 00000000
192.168.17.0 11000000 10101000 00010001 00000000
192.168.18.0 11000000 10101000 00010010 00000000
192.168.19.0 11000000 10101000 00010011 00000000
Subnet Mask 255 255 252 0
The 1st and 2nd octets are identical, and the first 6 bits of the 3rd octet are identical as well. Our summary
address is the lowest of the addresses, i.e. 192.168.16.0, and our modified subnet mask is /22, i.e. 255.255.252.0
(the 6 identical bits in the 3rd octet are counted as network bits when calculating the revised mask)! The same
process can be repeated for the Class B addresses:
172.1.4.0/24
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24
Address 1st Octet 2nd Octet 3rd Octet 4th Octet
172.1.4.0 10101100 00000001 00000100 00000000
172.1.5.0 10101100 00000001 00000101 00000000
172.1.6.0 10101100 00000001 00000110 00000000
172.1.7.0 10101100 00000001 00000111 00000000
Subnet Mask 255 255 252 0
So our summary route is 172.1.4.0/22, or 172.1.4.0 255.255.252.0. Once these summary routes are configured on our
network, the router advertises all the networks connected to it in the form of the following supernetted IP
addresses:
192.168.16.0/22 & 172.1.4.0/22
Route summarization is one of the main features of OSPF: routes are summarized at the ABRs (Area Border Routers)
of each regular area and advertised into the backbone area. BGP also uses route aggregation. Care should be taken
when implementing route summarization: we should minimize the risk of creating room for IP addresses that do not
belong to our network. If this is not considered, we will start receiving packets for addresses that are not
configured in our network.
4 CIDR (Classless Inter Domain Routing)
Classless Inter Domain Routing (CIDR) is like supernetting, route summarization and VLSM applied at the ISP end,
which is why it is called classless inter-domain routing. Confusing? Okay, let us discuss it via an example; it
will help us picture the whole concept. As we learned in route summarization, instead of advertising each address,
a router makes a block of addresses and advertises that; this minimizes the load on routers and improves network
efficiency.
Instead of assigning addresses on classful subnet boundaries, ISPs began to assign IP addresses in blocks. It then
became the ISP's duty to assign smaller blocks to its customers out of the big block. With CIDR, routers were given
the ability to process IP addresses according to a classless prefix length instead of the leading 0 and 1 bits of
each IP address. In other words, routers were programmed to understand the prefix, and from it decide to which
domain (major block of IPs) an address belongs.
If a whole Class A, B or C network is assigned to an organization, a lot of addresses are likely to be wasted, so
IP address conservation was one of the main reasons behind the development of CIDR by IANA. IANA suggested
assigning IP address ranges outside the conventional class paradigm. These policies not only reduced the wastage of
IP addresses but also reduced the size of the global routing tables. So the two goals behind the creation of CIDR
by IANA were:
• To reduce the global routing table size
• To preserve the IP address space
4.1 A simple example:
Let's understand the first point via an example. Suppose we have the block of addresses given below:
192.168.20.0/24
192.168.21.0/24
192.168.22.0/24
192.168.23.0/24
We can summarize these addresses as follows. Our block size is 4, so the best mask value in the 3rd octet is
256-4 = 252, and we can summarize the above network IDs with the following subnet:
192.168.20.0
255.255.252.0 OR
192.168.20.0/22
Have you noticed one interesting thing? We have moved backward from the standard Class C boundary. We have an IP
address 192.168.20.0 with the prefix /22, which represents a block of 4 /24 networks. Now the router only
advertises the /22 address, and the same process is repeated from our side towards our ISP. Our ISP does the same
route aggregation and advertises a single block to the higher-level networks, and the process goes on. Without this
process we would have millions of entries in the routing tables for the global IP traffic! And how are IP
addresses conserved? They are conserved when a specific block of IP addresses is assigned to customers. An ISP
will never assign a classful address to a corporation, as many addresses would go to waste and the ISP cannot take
back the unused addresses. To solve this problem, IP address ownership and IP address lending schemes were
introduced, but they are still under review amidst much heated debate.
4.2 CIDR in Depth!
Suppose our ISP owns the address block 200.24.0.0/16. What does this mean?
An address block comprises the addresses that the ISP can allocate and sell to its customers. The IP address block
200.24.0.0/16 represents 2^16 = 65,536 IP addresses. Suppose from this block it wants to allocate the
200.24.15.0/20 address block. How much address space is this in reality? Simple: 2^12 = 4096 addresses, or 16
/24s. How? The block is a /20, in other words 255.255.240.0, so the block size is 256-240 = 16; this means the
given /20 block comprises 16 /24 networks if we think in classful terms:
200.24.15.0
200.24.16.0
200.24.17.0
200.24.18.0
200.24.19.0
200.24.20.0
200.24.21.0
200.24.22.0
200.24.23.0
200.24.24.0
200.24.25.0
200.24.26.0
200.24.27.0
200.24.28.0
200.24.29.0
200.24.30.0
Each of these networks has the capacity to represent 255 addresses, so 255*16 = 4096, as already mentioned above.
If the ISP distributes them among three organizations named A, B and C, the distribution is as follows:
200.24.15.0
200.24.16.0
200.24.17.0
200.24.18.0    Block size of 4, 256-4=252, so the whole block would be 200.24.15.0/30.
               The block 200.24.15.0/30 will be assigned to Organization A.
200.24.19.0
200.24.20.0
200.24.21.0
200.24.22.0
200.24.23.0
200.24.24.0
200.24.25.0
200.24.26.0    Block size of 8, 256-8=248, so the whole block would be 200.24.19.0/21.
               The block 200.24.19.0/21 will be assigned to Organization B.
200.24.27.0
200.24.28.0
200.24.29.0
200.24.30.0    Block size of 4, 256-4=252, so the whole block would be 200.24.27.0/30.
               The block 200.24.27.0/30 will be assigned to Organization C.
So the above hierarchy works like this in a CIDR environment:
[Figure: Internet <- ISP 200.24.0.0/16 <- 200.24.15.0/20, split into 200.24.15.0/30 (A - Org: 200.24.15.0 to
200.24.18.0), 200.24.19.0/21 (B - Org: 200.24.19.0 to 200.24.26.0) and 200.24.27.0/30 (C - Org: 200.24.27.0 to
200.24.30.0)]
Believe me, by doing the above, we have covered all the route aggregation and summarization at the global, ISP
and organization level.
You may feel that CIDR looks just like VLSM. That is right to some extent: both let us change the IP address layout
according to our requirements, but VLSM is invisible to the global internet and can only be seen in our internal
network topology. CIDR, on the other hand, is visible to the global internet: a global Internet registry can assign
any CIDR block or prefix to a top-level ISP, a medium-level ISP or a private organization.
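The block arithmetic of section 4.2 (addresses and /24s in a block, the smallest block for a number of /24s) plus the checks an ISP needs before handing out sub-blocks: that a block starts on its own prefix boundary, lies inside the parent, and does not overlap another customer's block. This is an added Python example, not code from the manual; the customer blocks in the demo are hypothetical.

```python
"""CIDR block bookkeeping for an ISP: block sizes, prefix alignment and a check
that customer allocations stay inside the parent block without overlapping."""
import ipaddress


def is_aligned(cidr):
    """True when the block starts on its own boundary (all host bits are zero)."""
    try:
        ipaddress.ip_network(cidr)  # strict by default: host bits set -> ValueError
        return True
    except ValueError:
        return False


def block_info(cidr):
    """Address count and number of /24 networks in an aligned block (a /20 holds 16 /24s)."""
    net = ipaddress.ip_network(cidr)
    slash24s = 2 ** (24 - net.prefixlen) if net.prefixlen <= 24 else 0
    return {"addresses": net.num_addresses, "slash24s": slash24s}


def smallest_block_for(n_slash24s):
    """Prefix length of the smallest aligned block holding n_slash24s /24 networks."""
    return 24 - (n_slash24s - 1).bit_length()


def check_allocations(parent, children):
    """Problems in an allocation table: a misaligned child, a child outside the
    parent, or two children that overlap. An empty list means the hierarchy is sound."""
    parent_net = ipaddress.ip_network(parent)
    problems, seen = [], []
    for child in children:
        if not is_aligned(child):
            problems.append(f"{child} does not start on a /{child.split('/')[1]} boundary")
            continue
        net = ipaddress.ip_network(child)
        if not net.subnet_of(parent_net):
            problems.append(f"{child} lies outside {parent}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{child} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    print(block_info("200.24.0.0/16"), block_info("200.24.16.0/20"))
    # Hypothetical customers wanting 4, 8 and 4 /24s: smallest block for each.
    print([f"/{smallest_block_for(n)}" for n in (4, 8, 4)])
    # Hypothetical allocation table under the ISP's /20.
    print(check_allocations("200.24.16.0/20",
                            ["200.24.16.0/22", "200.24.24.0/21", "200.24.20.0/22"]))
```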
4.3 Merit RADb Routing Assets Database:
Okay, now some interesting stuff. If you want to see all this CIDR and route summarization in action, visit
Merit's RADb, the Routing Assets Database, online. This website provides information related to all the routed
networks and ASs (Autonomous Systems) on the internet, right up to this very instant! For example, if we want to
dig into the IP 173.194.67.104, we go to the RADb website, http://www.ra.net/, and query this IP using the
"Query the RADb" box. The output is quite interesting:
route: 173.194.67.0/24
descr: Google
origin: AS15169
notify: radb-contact@google.com
mnt-by: MAINT-AS15169
changed: radb-contact@google.com 20121119
source: RADB
This IP (173.194.67.104) is owned by Google Inc.!! Okay, one more IP: 205.134.232.114
route: 205.134.224.0/19
descr: Corporate Colocation, Inc.
origin: AS17139
notify: netops@mzima.net
mnt-by: MAINT-CORPCOLO
changed: noc@corporatecolo.com 20071108
source: RADB
The above IP (205.134.232.114) is part of the larger route shown in the RADb output. The Routing Assets Database
website is a great place to spend your weekend time on!
Please remember that IANA, the Internet Assigned Numbers Authority, is the organization responsible for global IP
address allocation and other IP-related activities.
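A parser for the RADb route objects shown above, with a longest-prefix lookup that tells which object's route covers a given IP. This is an added Python example, not code from the manual or from Merit; the sample text is constructed from the two lookups shown above, and the parser is offline (it does not query the website).

```python
"""Parse RADb route objects (the 'attribute: value' text the website returns)
and find the most specific route object covering a given IP."""
import ipaddress

# Constructed sample: the two lookups shown in this manual, as RADb prints them.
RADB_OUTPUT = """\
route:      173.194.67.0/24
descr:      Google
origin:     AS15169
notify:     radb-contact@google.com
mnt-by:     MAINT-AS15169
changed:    radb-contact@google.com 20121119
source:     RADB

route:      205.134.224.0/19
descr:      Corporate Colocation, Inc.
origin:     AS17139
notify:     netops@mzima.net
mnt-by:     MAINT-CORPCOLO
changed:    noc@corporatecolo.com 20071108
source:     RADB
"""


def parse_objects(text):
    """Split RPSL-style text into objects (separated by blank lines), each a
    dict of attribute -> value. Continuation lines (leading whitespace) are joined."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
        elif line[0].isspace() and last_key:
            current[last_key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        objects.append(current)
    return objects


def route_for(ip, objects):
    """Most specific route object whose 'route:' covers ip (longest prefix match), or None."""
    addr = ipaddress.ip_address(ip)
    matches = [o for o in objects if "route" in o and addr in ipaddress.ip_network(o["route"])]
    return max(matches, key=lambda o: ipaddress.ip_network(o["route"]).prefixlen, default=None)


if __name__ == "__main__":
    objs = parse_objects(RADB_OUTPUT)
    for ip in ("173.194.67.104", "205.134.232.114", "192.0.2.1"):
        hit = route_for(ip, objs)
        print(ip, "->", f"{hit['route']} {hit['origin']} ({hit['descr']})" if hit else "no route object")
```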
5 NAT (Network Address Translation)
5.1 Introduction:
In simple words, NAT is IP address translation or conversion. This translation serves two purposes:
• Translation of private addresses into public addresses
• Translation of internal addresses to avoid duplication, or for topology hiding
As you know, private IP addresses are not routable on the internet, which is why we need to configure NAT on our
gateways to talk to the public internet. Duplication of addresses can occur if we merge two organizations that
both use the same IP plan; in such a case NAT is used, together with a DNS server, to avoid such issues. As
discussed under VLSM and CIDR, IP address preservation was also one of the main reasons behind the introduction of
NAT.
5.2 NAT Working:
To understand how NAT (Network Address Translation) works, please consider the block diagram below:
[Block diagram: Local Network (Private Address Space, Inside Local IPs) --> Gateway --> Global Network (Inside
Global IPs)]
The above diagram explains NAT in its simplest form. NAT is configured on the gateway, where the address
translation or mapping takes place. The global network is unaware of the internal local addresses of our network,
which is why NAT helps hide our network topology.
For an interesting demonstration of NAT, please see http://www.cisco.com/image/gif/paws/6450/nat.swf.
6 Types of NAT:
There are three types of NAT mostly used in network design:
• Dynamic NAT
• Dynamic NAT with overload (also called PAT: Port Address Translation)
• Static NAT
When implementing NAT on a router, we first define an ACL (normally a standard access control list) to specify the
internal IPs that we are going to translate. These addresses are technically called Inside Local addresses. Then
we apply the NAT commands in global configuration mode, specifying the ACL and the public addresses into which we
want to translate. These public addresses are technically called Inside Global addresses.
Dynamic NAT:
In dynamic NAT, as the name suggests, address translation takes place by allocating available public IPs from a
pool dynamically. We define a pool of global IP addresses for NAT, and this pool is associated with the local IPs
to be translated. Translation works until all of the addresses in the pool are consumed by established
connections.
Dynamic NAT with overload or PAT:
Overloading is used to extend the addressing capability of NAT, and PAT is the magic behind it. PAT stands for
Port Address Translation: as the name implies, port numbers are tracked for the local hosts, and at the same time
port numbers are used on the inside global IP. Through this association, a single global IP can serve around 65000
addresses! The chart below explains this better:
Protocol Inside Local IP : Port Inside Global IP : Port
TCP 192.168.3.2:1723 170.16.3.2:1456
TCP 192.168.3.1:1744 170.16.3.2:1098
TCP 192.168.3.10:1764 170.16.3.2:4432
As you can see, we have a single global IP but different port numbers. This table is maintained by the router,
which forwards packets accordingly. Suppose 192.168.3.2:1723 has established a connection to the outside via
170.16.3.2:1456; once a packet is received on this IP and port (170.16.3.2:1456), it is forwarded according to the
table above to 192.168.3.2:1723. You must be aware that port numbers are used by a host to establish different
connections to the outside world and to keep track of each established connection. For example, connections to a
web server on port 80 would look like:
Inside Global IP : Port Outside Global IP address: Port
170.16.3.2:1456 173.194.23.4:80
170.16.3.2:1098 173.194.23.4:80
Static NAT:
Static NAT is a one-to-one mapping of internal addresses to global IP addresses. In network design, static NAT is
the best choice when we host a server inside our network and want it to be reachable from the global internet.
6.1 Some of the terminology of NAT worth remembering:
Inside Local: the host address inside the network that we want to translate
Outside Local: the translated address of an outside host, as seen from inside our network
Inside Global: the addresses used to translate the inside addresses
Outside Global: addresses of outside hosts as seen on the outside
The above mentioned three types of NAT can be summed up as:
Static NAT:
• One-to-one mapping
• Creates a permanent entry in the NAT table
• Enables bidirectional initiation
Dynamic NAT:
• Many-to-many
• Fewer addresses than hosts
• Entries dynamically created
• Entries time out after some time
• Configured using a pool
Overload NAT:
• Allows multiple hosts to use a single address
• Around 65000 addresses per global IP
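The three NAT types as a small translation-table model: dynamic NAT hands out one pool address per inside host and fails once the pool is consumed, overload (PAT) puts every host behind one global address with a unique port, and only a static entry answers an inbound packet that no inside host initiated. This is an added Python example, not code from the manual or from any router; the pool and host addresses come from the lab below, the static server mapping is hypothetical.

```python
"""A small model of the three NAT types on a gateway: static (one-to-one),
dynamic (one pool address per inside host) and overload/PAT (many hosts behind
one global address, told apart by port)."""
import itertools


class NatGateway:
    def __init__(self, pool, static=None, overload=False):
        self.pool = list(pool)                   # inside global addresses (dynamic / PAT)
        self.static = dict(static or {})         # inside local -> inside global, permanent
        self.overload = overload
        self.dynamic = {}                        # inside local -> pool address it holds
        self.table = {}                          # (inside local, port) -> (inside global, port)
        self.next_port = itertools.count(1024)   # PAT port allocator (constructed, not IOS's)

    def outbound(self, inside_local, port):
        """Translate the source of a packet leaving the network; None if no
        global address is available (dynamic pool consumed)."""
        key = (inside_local, port)
        if key in self.table:
            return self.table[key]
        if inside_local in self.static:
            mapping = (self.static[inside_local], port)
        elif self.overload:
            mapping = (self.pool[0], next(self.next_port))   # one global, unique port
        else:
            if inside_local not in self.dynamic:
                free = [g for g in self.pool if g not in self.dynamic.values()]
                if not free:
                    return None
                self.dynamic[inside_local] = free[0]
            mapping = (self.dynamic[inside_local], port)
        self.table[key] = mapping
        return mapping

    def inbound(self, inside_global, port):
        """Reverse lookup for a packet arriving from outside. Dynamic and PAT
        entries exist only after an inside host started the conversation;
        a static mapping answers even without a prior entry."""
        for local_key, global_key in self.table.items():
            if global_key == (inside_global, port):
                return local_key
        for inside_local, global_ip in self.static.items():
            if global_ip == inside_global:
                return (inside_local, port)
        return None


if __name__ == "__main__":
    dyn = NatGateway(pool=["171.16.10.52", "171.16.10.53"])
    print(dyn.outbound("192.168.3.1", 5), dyn.outbound("192.168.2.1", 5), dyn.outbound("192.168.4.1", 5))
    print(dyn.inbound("171.16.10.52", 5), dyn.inbound("171.16.10.52", 80))
    pat = NatGateway(pool=["171.16.10.53"], overload=True)
    print(pat.outbound("192.168.3.2", 1723), pat.outbound("192.168.3.1", 1744))
    srv = NatGateway(pool=[], static={"192.168.2.10": "171.16.10.60"})   # hypothetical server
    print(srv.inbound("171.16.10.60", 80))
```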
6.2 A few more things regarding NAT!
A few more NAT terms:
• Policy-based NAT
• Port redirection (one-to-one mapping for a single port, also called Static PAT)
• NVIs or NAT virtual interfaces (a newer method of NAT configuration in which there is no need for an
inside/outside definition on an interface; the NAT table is maintained per interface)
I think we have covered enough of the terminology regarding Network Address Translation; now it's time to
implement all of the above concepts practically to get a strong technical grasp of them.
7 NAT Practical Implementation:
For the practical implementation of NAT on a Cisco router, follow these three steps:
• Designate the inside and outside interfaces for NAT
• Define an ACL for the local host IPs
• Implement NAT from global configuration mode
With VoIP, since the address information carried inside the packets cannot be modified by NAT alone, we have to
enable some special NAT services to support SIP, Skinny and similar protocols. Other issues can also arise from
changing the IP in a packet, as it changes the packet checksum and any encapsulated data that carries the address,
breaking the meaning of the application.
In our lab we are using c2691 series routers in GNS3. We will emulate our ISP. Loopback interfaces are created on
R1 to emulate different connected networks. R2 is our gateway router, and all of the NATing is done on this
router; the ACL and the different sorts of NAT will be configured on R2.
Please note that RIP is running on our current topology. You can run any routing protocol you find convenient.
R1 interfaces are configured as follows:
Interface IP Subnet Mask
Loopback2 192.168.2.1 255.255.255.0
Loopback3 192.168.3.1 255.255.255.0
Loopback4 192.168.4.1 255.255.255.0
FastEthernet0/1 192.168.1.1 255.255.255.0
RIP enabled for routing of the addresses:
router rip
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
Some of the output is omitted. As is evident from the above configuration, we have created three loopback
interfaces:
192.168.3.1/24
192.168.2.1/24
192.168.4.1/24
and Fa 0/0 is assigned the address 192.168.1.1/24. RIP is configured and all the routes known to R1 are advertised!
7.1 Dynamic NAT Configuration:
In this part we are going to configure dynamic NAT on our gateway router (R2). We will follow the three steps
mentioned above:
1. Labeling the interfaces
2. Configuring the ACL for hosts
3. Implementing NAT from global config mode
So here we go, and you will see it's not that difficult to implement in practice.
Suppose we want to configure dynamic NAT on R2. For this purpose we need a pool of global IP addresses that will
be dynamically mapped to our local hosts, so we need to buy these addresses from our ISP (just assume we bought
the following IP pool from our ISP):
171.16.10.52 - 171.16.10.56
We will follow the three steps mentioned above to implement dynamic NAT on our current network topology:
7.1.1 Step 1:
Labeling the interfaces:
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
interface Serial1/0
 ip address 171.16.10.1 255.255.255.0
 ip nat outside
7.1.2 Step 2:
An ACL needs to be created for the local host IPs that we want to translate:
ip access-list standard NAT_IPs
permit 192.168.3.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 192.168.4.0 0.0.0.255
7.1.3 Step 3:
Once the ACL is created, we configure our IP pool and dynamic NAT from global configuration mode:
ip nat pool Global_IP_Pool 171.16.10.52 171.16.10.56 netmask 255.255.255.0
ip nat inside source list NAT_IPs pool Global_IP_Pool
Our pool name is Global_IP_Pool and the ACL name is NAT_IPs.
The other things configured on R2 are a static route to the ISP and RIP (for routing on the network); the
passive-interface command stops RIP advertisements towards our emulated ISP:
!
router rip
 passive-interface Serial1/0
 network 171.16.0.0
 network 192.168.1.0
!
ip route 171.16.0.0 255.255.0.0 171.16.10.2
!
And we are done with our dynamic NAT! Now some other fun commands. To check the NAT translations going on in the
network, we issue the show ip nat translations command on R2 and look at the result.
From R1 we ping our ISP:
R1#ping 171.16.10.2 source 192.168.3.1
We get successful ping results from 171.16.10.2. The source IP was changed on R2 during the ping, as we have
configured NAT on R2.
7.1.4 Now let's see what's happening on R2:
Our ping request originated from the inside local address 192.168.3.1 and has been translated into the inside
global address 171.16.10.52. One other interesting command for your geek mind:
I hope that after going through all of the above commands you will have confidence in yourself and see how
interesting it is to implement NAT. Just remember one thing: with dynamic NAT we cannot reach our local hosts from
outside the network, as the router does not know where to route the packets; for this purpose static NAT is
recommended, which we will discuss shortly.
Okay, as an exercise, please practise dynamic NAT with the following requirements:
• The routing protocol running is EIGRP with AS # 4
• The IP pool name is CORP-IP pool
• The ACL allows only the 192.168.3.0/24 network to be translated
7.2 NAT Overload (PAT):
Now we are going to implement NAT overload on R2, so we need to add overload to the end of the ip nat command,
like:
ip nat inside source list NAT_IPs pool Global_IP_Pool overload
First we clear all IP NAT translations (created previously when we configured dynamic NAT) by issuing the
following command:
R2#clear ip nat translation *
Now we overload the NAT by using the overload keyword at the end of our dynamic NAT command:
R2(config)#ip nat inside source list NAT_IPs pool Global_IP_Pool overload
To check our NAT in action, we issue some pings from our loopback interfaces on R1:
R1#ping 171.16.10.2 source 192.168.3.1
Successful!
R1#ping 171.16.10.2 source 192.168.2.1
Successful!
R1#ping 171.16.10.2 source 192.168.4.1
Successful!
All of these pings were successful via NAT. To check the NAT translations on R2, we use the following command:
R2#show ip nat translations
//Some of the output omitted//
icmp 171.16.10.53:4 192.168.2.1:4 171.16.10.2:4 171.16.10.2:4
icmp 171.16.10.53:3 192.168.3.1:3 171.16.10.2:3 171.16.10.2:3
icmp 171.16.10.53:5 192.168.4.1:5 171.16.10.2:5 171.16.10.2:5
PAT can be seen in action in the output of the show ip nat translations command below:
R2#show ip nat translations
//Some of the output omitted//
udp 171.16.10.53:49157 192.168.2.1:49157 171.16.10.2:33437 171.16.10.2:33437
udp 171.16.10.53:49158 192.168.2.1:49158 171.16.10.2:33438 171.16.10.2:33438
udp 171.16.10.53:49159 192.168.2.1:49159 171.16.10.2:33439 171.16.10.2:33439
udp 171.16.10.53:49164 192.168.2.1:49164 171.16.10.2:33437 171.16.10.2:33437
udp 171.16.10.53:49165 192.168.2.1:49165 171.16.10.2:33438 171.16.10.2:33438
udp 171.16.10.53:49166 192.168.2.1:49166 171.16.10.2:33439 171.16.10.2:33439
icmp 171.16.10.53:10 192.168.3.1:10 171.16.10.2:10 171.16.10.2:10
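As an added example (not code from the tutorial), a small Python parser for the show ip nat translations output above: it flags inside global addresses shared by several inside local hosts, which is what PAT looks like in the table, and picks out permanent static entries. The sample is constructed from the rows above plus one static row whose inside global address (171.16.10.1) and "---" outside columns are assumptions.

```python
from collections import defaultdict

# Constructed sample: the PAT rows from the tutorial, plus one row of the shape an
# 'ip nat inside source static tcp ... 25' entry produces (inside global address of
# Serial1/0 assumed to be 171.16.10.1; '---' marks an outside side not yet set).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 171.16.10.53:49157 192.168.2.1:49157  171.16.10.2:33437  171.16.10.2:33437
udp 171.16.10.53:49158 192.168.2.1:49158  171.16.10.2:33438  171.16.10.2:33438
icmp 171.16.10.53:10   192.168.3.1:10     171.16.10.2:10     171.16.10.2:10
icmp 171.16.10.53:5    192.168.4.1:5      171.16.10.2:5      171.16.10.2:5
tcp 171.16.10.1:25     192.168.4.1:25     ---                ---
"""

def split_sock(tok):
    """'171.16.10.53:49157' -> ('171.16.10.53', 49157); '---' -> (None, None)."""
    if tok == "---":
        return None, None
    host, port = tok.rsplit(":", 1)
    return host, int(port)

def parse_translations(text):
    """One dict per translation row; header, blank and '//omitted//' lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("icmp", "udp", "tcp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": split_sock(ig),
                     "inside_local": split_sock(il), "outside_local": split_sock(ol),
                     "outside_global": split_sock(og)})
    return rows

def pat_addresses(rows):
    """Inside global addresses shared by several inside local hosts: PAT in effect."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["inside_global"][0]].add(r["inside_local"][0])
    return {g: sorted(h) for g, h in hosts.items() if len(h) > 1}

def static_entries(rows):
    """Rows with no outside side are permanent static mappings reachable from outside."""
    return [(r["proto"], r["inside_global"], r["inside_local"])
            for r in rows if r["outside_global"] == (None, None)]
```

Feeding the full table of a live router through pat_addresses and static_entries gives a quick audit of which inside hosts sit behind each global address and which ports are permanently exposed.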
If we want to watch NAT in real time, all the action can be seen via the debug ip nat command on R2. Once the debug command is issued, all the IP changes happening in real time are displayed on R2 as follows:
R2#
*Mar 1 00:07:31.079: NAT: [0] Allocated Port for 192.168.2.1 -> 171.16.10.53: wanted 6 got 6
*Mar 1 00:07:31.083: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
*Mar 1 00:07:31.087: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
*Mar 1 00:07:31.087: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [30]
*Mar 1 00:07:31.115: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [30]
*Mar 1 00:07:31.115: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [30]
*Mar 1 00:07:31.147: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [31]
*Mar 1 00:07:31.147: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [31]
*Mar 1 00:07:31.179: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [31]
*Mar 1 00:07:31.179: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [31]
*Mar 1 00:07:31.191: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [32]
*Mar 1 00:07:31.191: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [32]
*Mar 1 00:07:31.211: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [32]
*Mar 1 00:07:31.211: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [32]
*Mar 1 00:07:31.219: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [33]
*Mar 1 00:07:31.219: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [33]
Please don't keep the debug command running for long intervals on a production network.
All this action will be seen only if we issue some connectivity commands from other routers whose packets go through R2. It's one of the best ways to check and troubleshoot different NAT issues. Please remember, PAT (Port Address Translation) is a one-way NAT; we can't use it as a two-way NAT solution.
7.3 Static NAT:
In this part we discuss the last common type of NAT, which is static NAT. We also discuss some of the features and special services of NAT. The discussion ends with a brief overview of SNAT (Stateful Network Address Translation).
Now let's suppose we have our email server on 192.168.4.1/24 behind R1 (in our GNS3 lab topology). Suppose we want to create a static NAT entry for SMTP (Simple Mail Transfer Protocol) on this server, so it can communicate with the outside world and the SMTP service on this server is accessible from outside as well. This is achieved by enabling static NAT on R2; we just need to issue the following command in global configuration mode:
ip nat inside source static tcp 192.168.4.1 25 interface Serial1/0 25
Port 25 = SMTP port (email server port)
If any packet is received on TCP port 25 on interface Serial1/0 of our router R2, it is forwarded to our SMTP server 192.168.4.1, and vice versa. So if we look at our NAT translations, we see a permanent static NAT entry for TCP port 25:
This entry will not expire from the NAT table after the translation timeout, whereas all dynamic entries are deleted from the NAT translation table after the translation timeout. As we have already discussed, static mapping is mostly used for making servers accessible from outside the local network.
Please remember, static NAT is a two-way NAT, i.e. we can use it for access from outside our network.
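To tie the three behaviours together, here is an added Python model (not the author's code, and not how IOS implements it) of R2's translation table: dynamic one-to-one mapping from Global_IP_Pool, overload with ports, and a static entry that survives the translation timeout and is reachable from outside. The range the ACL permits (192.168.0.0/16) and R2's Serial1/0 address (171.16.10.1) are assumptions, as is the PAT port allocator.

```python
from ipaddress import ip_address, ip_network

INSIDE_NETS = [ip_network("192.168.0.0/16")]   # what ACL NAT_IPs permits (assumption)
POOL = [str(ip_address("171.16.10.52") + i) for i in range(5)]  # Global_IP_Pool .52-.56
SERIAL1_0 = "171.16.10.1"   # R2's Serial1/0 address, assumed (not given in the tutorial)

class NatTable:
    def __init__(self, overload=False):
        self.overload = overload
        self.static = {}    # (inside_local, port) -> (inside_global, port); never expires
        self.dynamic = {}   # inside_local -> inside_global, one pool address per host
        self.pat = {}       # (inside_local, lport) -> (inside_global, gport)
        self.next_port = 1024   # constructed PAT port allocator

    def add_static(self, inside_local, port):
        # ip nat inside source static tcp 192.168.4.1 25 interface Serial1/0 25
        self.static[(inside_local, port)] = (SERIAL1_0, port)

    def outbound(self, src, sport):
        """Packet leaving through the outside interface; returns the new (src, sport)."""
        if not any(ip_address(src) in net for net in INSIDE_NETS):
            return src, sport                      # ACL miss: forwarded untranslated
        if (src, sport) in self.static:
            return self.static[(src, sport)]
        if self.overload:                          # PAT: one address, many ports
            if (src, sport) not in self.pat:
                self.pat[(src, sport)] = (POOL[0], self.next_port)
                self.next_port += 1
            return self.pat[(src, sport)]
        if src not in self.dynamic:                # dynamic NAT: take a free pool address
            free = [g for g in POOL if g not in self.dynamic.values()]
            if not free:
                raise RuntimeError("Global_IP_Pool exhausted: packet dropped")
            self.dynamic[src] = free[0]
        return self.dynamic[src], sport

    def inbound(self, dst, dport):
        """Packet arriving from outside; the inside (host, port) it maps to, or None."""
        for (local, lport), g in {**self.static, **self.pat}.items():
            if g == (dst, dport):
                return local, lport
        for local, g in self.dynamic.items():
            if g == dst:
                return local, dport
        return None      # no entry: R2 cannot tell which inside host should get it

    def timeout(self):
        """Translation timeout: dynamic and PAT entries go, static ones stay."""
        self.dynamic.clear(); self.pat.clear()
```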
7.4 Troubleshooting NAT:
Some of the points we need to keep in mind while troubleshooting NAT:
• Check the dynamic IP pools; they must contain the correct IP ranges.
• Check that static IPs do not overlap with the configured IP pool.
• Check that the ACL is correctly defined: the addresses to be mapped are properly specified and no address is left out.
• Check that the proper inside/outside NAT interfaces are configured.
8 Some additional NAT settings:
We can adjust the timeout values for different sorts of packets in NAT as follows:
Some special NAT services that we can enable are for SIP and other communication protocols:
These services need to be enabled because for special applications such as SIP and H.323 the IP address value carried inside the data packet cannot be modified by ordinary NAT. Once an IP value is changed in a header, it also affects the checksum calculation and some other values of the packet, which must be renewed.
8.1 SNAT: Stateful Network Address Translation:
Okay, no network is ideal when it comes to 100% uptime; to avoid network failure, we use redundancy in our designs. So how is this done in NAT? For this purpose we use Stateful NAT. In SNAT we create a group of our NAT IP addresses. The active translator IP continuously exchanges the route maps and NAT entries with the redundant NAT IP; in case the active IP translator fails, the redundant IP translator takes charge immediately. It is best represented in the network topology below:
I think that’s enough! We have had quite a discussion on NAT. NAT is one of the coolest protocols, which has
really helped in the preservation of the IP address space. If there was no NAT, we would be using IPv6 now!