Thanks for the explanation.
Hi Rene, first of all great lesson. However, on the last portion beneath the command of #show nat translations, it says "And as you can see host2 has been translated to IP address 192.168.2.11." It should be 192.168.23.11, right?
One more question. For the ip nat pool range creation, the prefix-length is the same as the subnet mask, correct? I am seeing in my Packet Tracer that it wants the netmask command instead of the prefix-length at the end:
#ip nat pool MYPOOL 192.168.23.1 192.168.23.20 netmask 255.255.255.0
thanks!
Greg
Hello Greg
Yes, you are correct, thanks for catching that! I'll let @ReneMolenaar know to make the change...
You can specify the network to which this range belongs by using either the netmask keyword or the prefix-length keyword. Both do the same thing, they just indicate it in different ways. For example, the following two commands are identical:
ip nat pool MYPOOL 192.168.23.1 192.168.23.20 netmask 255.255.255.0
ip nat pool MYPOOL 192.168.23.1 192.168.23.20 prefix-length 24
More info about this command can be found at this Cisco command reference:
Because Packet Tracer is a simulator (and not an emulator) it does not have the full commands and feature sets that real devices have. For this reason, it seems that the designers considered it superfluous to have both the netmask and prefix-length keywords available.
I hope this has been helpful!
Laz
I think the IP address that host 2 is translated to is 192.168.23.11.
I have always been a bit confused by the prefix command at the end of the pool command.
I wondered why I only had 10 ip addresses but such a huge prefix-length. I thought I would mention what I discovered here.
When using dynamic NAT you have two goals.
- You need an inside global (an IP that you translate to)
- You need to be in the same subnet as the router interfaces on that link.
So when the translation happens you will end up translating the IP address to some IP between 192.168.23.10-192.168.23.20 with a mask of /24.
Hello Justin
Yes, you are correct, the lesson has a typo, and I'll let Rene know to make the correction.
Also, thanks for sharing your understanding of the prefix-length keyword. Indeed it is not used to define the range of addresses, since the range is clearly stated by the "start IP" and "end IP" addresses in the ip nat pool command. The prefix length does indeed indicate the mask of the translated address to determine if a packet needs to be sent directly to the host (if it is in the same subnet) or to the next hop router (if it is in a different subnet).
I will create a new NetworkLessons note soon that describes this and I will reference your post.
Thanks so much!
Laz
Hello Justin
Here's the NetworkLessons note on the prefix-length keyword at the end of the nat pool command.
Thanks for your input!
Laz
Hi Rene, I am unable to show the NAT translations and unable to ping between Host and Web. What did I do wrong?
Hello Amran
From the information you have shared here, I don't see any reason for this not to work. The only difference you have from the lesson is that you are using the netmask instead of the prefix-length keyword, but in both cases, the result is the same. (Take a look at this NetworkLessons note about how the prefix-length keyword is used with NAT for more info.)
I hope this has been helpful!
Laz
What if 254 hosts (for example: 192.168.123.0/24) try connecting to the Web server at the same time and we have configured a dynamic NAT pool of 10 IPs (for example: 192.168.23.10 to 192.168.23.20). Will the NAT operation then perform properly? If yes, can you explain how it will connect? I am assuming that if the first 10 private hosts connect, they would be translated to 10 public IPs and after that the NAT pool will be exhausted.
Hello Debabrata
If all 254 hosts try to connect at the same time, and you have only 10 IP outside addresses in your dynamic NAT pool for translation, then only 10 of the hosts will be able to successfully communicate. The NAT pool will indeed become exhausted.
The NAT operation will perform properly, but only for those 10 hosts, the rest will be unable to communicate.
Now I understand that your question focuses on the idea that 254 hosts connect "at the same time" so the question has to do with how the NAT router deals with all these simultaneous connection attempts, right?
Well, in a network, things rarely happen simultaneously. Packets are always sent sequentially. Even if a switch receives multiple frames at the same time that are destined to the same egress port, it will queue them and send them out one at a time. In the same way, the inside port of the NAT router will always receive packets in sequential order. So even if 254 hosts try to connect to the web at EXACTLY the same time, the network will sort out those packets into a specific sequence. So the NAT router will receive them sequentially, and only the first 10 connection attempts will be translated. The 11th and above will fail. Does that make sense?
I hope this has been helpful!
Laz
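The two behaviours discussed in this thread, that the prefix-length (or netmask) on an ip nat pool describes the subnet the pool addresses belong to rather than the size of the range, and that a dynamic pool is handed out sequentially until it is exhausted, can be seen in a small model. The following is an added example written for this page; it is not code from the lesson, from NetworkLessons or from Cisco IOS, and it only imitates the IOS behaviour in Python. The addresses mirror the thread (inside hosts in 192.168.123.0/24, pool 192.168.23.10 to 192.168.23.20, web server 192.168.23.3); note that .10 through .20 inclusive is 11 addresses, so the model translates 11 hosts before the pool runs dry. The access list is simplified to a single network, and the names NatPool, DynamicNat and simulate_exhaustion are this example's own.

```python
"""Toy model of Cisco dynamic NAT (ip nat inside source list ... pool ...).

Added example; not code from the lesson or from Cisco IOS. It models:
  - a pool defined by start/end address plus prefix-length (or netmask),
  - sequential allocation of inside global addresses to inside hosts,
  - pool exhaustion: new inside hosts get no translation once the pool is used up,
  - the prefix-length telling which subnet the translated addresses live in.
Addresses follow the thread; the ACL is simplified to one IPv4 network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatPool:
    """ip nat pool NAME START END prefix-length N   (or: netmask M)"""
    name: str
    start: str
    end: str
    prefix_length: int

    @classmethod
    def from_netmask(cls, name, start, end, netmask):
        # 'netmask 255.255.255.0' and 'prefix-length 24' describe the same subnet
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
        return cls(name, start, end, prefix)

    def addresses(self):
        """Every address from START to END inclusive: this is the real pool size."""
        first = int(ipaddress.IPv4Address(self.start))
        last = int(ipaddress.IPv4Address(self.end))
        return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def network(self):
        """The subnet the prefix-length says the pool addresses belong to."""
        return ipaddress.IPv4Network(f"{self.start}/{self.prefix_length}", strict=False)


class DynamicNat:
    def __init__(self, pool, inside_list):
        self.pool = pool
        self.inside_list = ipaddress.IPv4Network(inside_list)  # stands in for the ACL
        self.free = pool.addresses()  # handed out in order, lowest address first
        self.table = {}               # inside local -> inside global

    def inside_to_outside(self, src, dst):
        """Packet arriving on the 'ip nat inside' interface. Returns (new_src, dst) or None if dropped."""
        if ipaddress.IPv4Address(src) not in self.inside_list:
            return (src, dst)          # not matched by the ACL: forwarded untranslated
        if src in self.table:
            return (self.table[src], dst)
        if not self.free:
            return None                # pool exhausted: no translation for this host
        inside_global = self.free.pop(0)
        self.table[src] = inside_global
        return (inside_global, dst)

    def outside_to_inside(self, src, dst):
        """Reply arriving on 'ip nat outside'; only an existing translation is honoured."""
        for inside_local, inside_global in self.table.items():
            if inside_global == dst:
                return (src, inside_local)
        return None

    def expire(self, inside_local):
        """A timed-out translation returns its inside global address to the pool."""
        self.free.append(self.table.pop(inside_local))

    def directly_connected(self, inside_global):
        """Whether the translated address falls inside the pool's prefix-length subnet."""
        return ipaddress.IPv4Address(inside_global) in self.pool.network()

    def show_translations(self):
        """Imitation of the '---' rows of 'show ip nat translations' seen in the thread."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for local, glob in sorted(self.table.items(),
                                  key=lambda kv: int(ipaddress.IPv4Address(kv[1]))):
            rows.append(f"--- {glob:<18} {local:<18} ---                ---")
        return "\n".join(rows)


def simulate_exhaustion(n_hosts=254):
    """n_hosts inside hosts each open a flow to the web server through an 11-address pool."""
    pool = NatPool("MYPOOL", "192.168.23.10", "192.168.23.20", prefix_length=24)
    nat = DynamicNat(pool, "192.168.123.0/24")
    translated, dropped = [], []
    for host in range(1, n_hosts + 1):
        src = f"192.168.123.{host}"  # constructed inside hosts
        if nat.inside_to_outside(src, "192.168.23.3") is None:
            dropped.append(src)
        else:
            translated.append(src)
    return nat, translated, dropped


if __name__ == "__main__":
    nat, ok, failed = simulate_exhaustion()
    print(f"{len(ok)} hosts translated, {len(failed)} dropped (pool exhausted)")
    print(nat.show_translations())
```

Running the script shows the first 11 inside hosts taking 192.168.23.10 through .20 in order and the remaining 243 getting no translation; expiring one entry returns its address to the pool, so the next new inside host picks it up. NatPool.from_netmask and the prefix_length form build the same pool, which is the point Greg raised about Packet Tracer's netmask keyword.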
Hi Laz ,
Did you configure the NAT translation for the destination host? Can you advise what command you placed on the NAT router: ip nat outside source x.x.x.x x.x.x.x (traffic is from inside to outside).
If traffic is from outside to inside, meaning a web server tries to access our local host, then how can the NAT translation be achieved? I have shared a snap. Can you tell me how ip nat outside source static will work here, and which interface should be ip nat inside and ip nat outside on the NAT router shown below?
[Network Diagram removed - (see link below)]
Here is the overview can you provide some more insights
On the outside interface (S1) of Router 2514X, the ping packet shows up with a Source Address (SA) of 172.16.89.32 and a Destination Address (DA) of 172.16.68.1.
NAT translates the SA to the Outside Local Address 172.16.68.5 (corresponding to the ip nat outside source static command configured on Router 2514X).
Router 2514X then checks its routing table for a route to 172.16.68.1.
If the route does not exist, Router 2514X drops the packet. In this case, Router 2514X has a route to 172.16.68.1 through the static route to 172.31.1.0. It forwards the packet to the destination.
Router 2501E sees the packet on its incoming interface (E0) with an SA of 172.16.68.5, and a DA of 172.16.68.1.
It sends an Internet Control Message Protocol (ICMP) echo reply to 172.16.68.5. If it does not have a route, it drops the packet.
However, in this case it has the (default) route.
Therefore, it sends a reply packet to Router 2514X, with an SA of 172.16.68.1, and a DA of 172.16.68.5.
Router 2514X sees the packet and checks for a route to the 172.16.68.5 address.
If it does not have one, it responds with an ICMP unreachable reply.
In this case, it has a route to 172.16.68.5 (due to the static route).
It therefore translates the packet back to the 172.16.89.32 address, and forwards it out its outside interface (S1).
Best Regards
Shivam Chaudhary
Hello Rene, Laz, forum members.
I rebuilt this lab in GNS3: c3620-a3jk8s-mz.122-26c.image
Again the outcome is different from what is shown in the lessons. I am sure that the configurations are right.
host 1 config.txt (898 Bytes)
host 2 config.txt (896 Bytes)
Ip nat translations outcome.txt (6.5 KB)
NAT config.txt (1.4 KB)
web1 config with and without IP routing.txt (1.7 KB)
What is the reason for the different outcome?
I played with an extra host PC1 and changed the IP address a few times. You can see that NAT gives out new IP addresses every time I changed the IP address of PC1.
I enabled debug ip nat on the NAT device.
When I give the command show ip nat translation the outcome is different from the outcome in the lesson! I don't see the Outside local or global IP addresses.
See configs and topology attached to this ticket.
Please can someone explain why I get a different outcome while the configurations are identical?
Best regards,
Michel
###########################################################
Update. Made the same lab in CML 2.6
NAT#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 192.168.23.10:2 192.168.123.1:2 192.168.23.3:2 192.168.23.3:2
--- 192.168.23.10 192.168.123.1 --- ---
--- 192.168.23.11 192.168.123.2 --- ---
NAT#
NAT#
*Jun 22 15:03:08.834: NAT*: s=192.168.123.2->192.168.23.11, d=192.168.23.3 [5]
*Jun 22 15:03:08.836: NAT*: s=192.168.23.3, d=192.168.23.11->192.168.123.2 [5]
*Jun 22 15:03:08.840: NAT*: s=192.168.123.2->192.168.23.11, d=192.168.23.3 [6]
*Jun 22 15:03:08.840: NAT*: s=192.168.23.3, d=192.168.23.11->192.168.123.2 [6]
*Jun 22 15:03:08.844: NAT*: s=192.168.123.2->192.168.23.11, d=192.168.23.3 [7]
*Jun 22 15:03:08.846: NAT*: s=192.168.23.3, d=192.168.23.11->192.168.123.2 [7]
*Jun 22 15:03:08.851: NAT*: s=192.168.123.2->192.168.23.11, d=192.168.23.3 [8]
*Jun 22 15:03:08.852: NAT*: s=192.168.23.3, d=192.168.23.11->192.168.123.2 [8]
*Jun 22 15:03:08.858: NAT*: s=192.168.123.2->192.168.23.11, d=192.168.23.3 [9]
*Jun 22 15:03:08.858: NAT*: s=192.168.23.3, d=192.168.23.11->192.168.123.2 [9]
*Jun 22 15:03:10.191: NAT: expiring 192.168.23.10 (192.168.123.1) icmp 2 (2)
NAT#
NAT#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 192.168.23.10 192.168.123.1 --- ---
icmp 192.168.23.11:1 192.168.123.2:1 192.168.23.3:1 192.168.23.3:1
--- 192.168.23.11 192.168.123.2 --- ---
NAT#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 192.168.23.10:2 192.168.123.1:2 192.168.23.3:2 192.168.23.3:2
--- 192.168.23.10 192.168.123.1 --- ---
--- 192.168.23.11 192.168.123.2 --- ---
Same configuration. In CML it is working and the outcome is as expected.
Hello Michel
The output from various commands, such as those that list the NAT translations on Cisco routers, may differ slightly based on various factors. These include:
- Different IOS versions. Each version may output the translations in a slightly different manner.
- The time at which you issue the commands. Because translations change over time and depend on what traffic has actually traversed the router, the moment at which you issue the verification show command will change the output.
The fact that the output is the same in the topology you created with CML makes sense, because Rene has created these labs using CML, so it is likely you are using the same router images.
The goal of the lab is not necessarily to recreate EXACTLY the output that we see in the lab. The point is to ensure that the lab is functioning as expected, translations are taking place, and connectivity is achieved. From a brief look at your results, it seems that you have successfully communicated across the NAT router and the translations look good. Other than the difference in the output, do you see any failures in your communication or is there anything that doesn't seem to be working properly? If so, let us know so that we can help you further...
I hope this has been helpful!
Laz
Hello Laz,
Thank you for your explanation. Again very clear.
I just decided to make the labs of www.networklessons.com in CML and the lessons of the GNS3 vault with GNS3 because, like you said, Rene uses them respectively. I think that makes sense.
Best regards,
Michel
Hello Shivam
First of all, I removed the diagram from your post in order to avoid any copyright violations from Cisco. I have included a link below to the original Cisco documentation you got the diagram from as well as the text you shared.
The ip nat outside source command is used to translate traffic that ORIGINATES on the outside. When we say "originates" we mean that the communication was instigated by a device on the outside. For example, a ping was initiated from a host on the Internet towards your internal PC. If you have correctly set up the ip nat outside source command, then such a communication would be successful, and you would have a response from the PC towards the host on the Internet.
If however, you want to accommodate traffic that originates on the inside, such as from your PC, then you must also issue the ip nat inside source command. Otherwise, no NAT translations can take place for traffic originating on the inside.
The example you shared is a good step-by-step example of communication that originates on the outside and reaches the inside device. And there is a response to that with an ICMP reply packet. It is able to be translated on the way back because it is identified as a response to the original communication from the outside device.
For other readers who may be wondering, the diagram and the explanation text come from the following Cisco documentation:
I hope this has been helpful!
Laz