How to configure PAT on Cisco IOS Router


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(Rene Molenaar) #2

tyvm Sir Rene … :slight_smile:


(EMMA K) #3

#ip nat inside source list 1 interface fastEthernet 1/0 overload

I do not know which interface fa1/0 meant.
Can you please describe more specifically.


(EMMA K) #4

N#interface fastEthernet 0/0

Are you sure the interface is correct Sir?
Please shed some light.
I will take CCNA in this month.


(system) #5

on the NAT router, there are 2 fastethernet1/0 (inside and outside)


(Rene Molenaar) #6

Hi Ted,

I just changed the picture so the fastethernet interface match with the configs. It should make more sense now.

Rene


(Rene Molenaar) #7

Hi Dinh,

I just fixed it, the picture matches with the configs now.

Rene


(system) #8

very thank you sensei


(Srinivasan C) #9

Hi Rene,
I assume source ports in the output of "show ip nat translation " is opened by Host.
What happens two hosts opens Source port with same ID conneting to http server with Destination port 80?

Thanks,
Srini


(Rene Molenaar) #10

Hi Srini,

PAT will try to use the original source port that the host selected. If it is already in use then it will select the first available port number.

Rene


(Jean H) #11

You think would be a good practice to deny translation to RFC1918 addresss?

For example:
Deny ip any 10.0.0.0 0.255.255.255
And so on…


(Lazaros Agapides) #12

Hello Jean.

If I understand your question correctly, you’re asking if it is good practice to deny translation of private addresses on the INSIDE to public addresses on the OUTSIDE. If this is your question, this depends on what you want to do. First of all, the very purpose of NAT/PAT is to translate private addresses on the INSIDE to public addresses on the OUTSIDE. However, you may want to restrict which internal addresses can be translated. You can do this with the example access list that you stated previously.

If I misunderstood your question, please clarify.

I hope this has been helpful!

Laz


(Karthik R) #13

Can someone help me understand Outside global and Inside global Ip addresses? Thank you


(Andrew P) #14

Hi Karthik,
These terms can be quite confusing–I am still baffled why Cisco continues to use them! This is what has helped me …

As you know, there are four possible varieties:

  1. Inside Local
  2. Inside Global
  3. Outside Local
  4. Outside Global

Notice the left word is always either “Inside” or “Outside.” Think of this as the origin of the packet with respect to a NAT. Did the packet originate inside or outside the NAT?

The word on the right is always either “Local” or “Global.” Think of this as where you have captured the packet you are looking at with respect to the NAT. Have you captured it within your own network so it would be local, or did you capture it beyond your own network so it would be global?

So, using this understanding, let’s talk about Outside Global and Inside Global.

Outside Global: We are talking about a packet that originated outside the NAT and you are viewing this packet NOT within your own network. This means that Outside Global address is IP address the packet is using, as assigned by someone else, while it traverses an external network. In Internet terms, this would be an globally unique, routable IP address.

Inside Global: We are talking about a packet that originated inside the NAT, but you happen to be looking at it from beyond your network. To understand what kind of address this might be, you would have to know whether your NAT is translating packets that come from your inside network onto an external network. If the NAT does NOT, then the Inside Global address is probably the same as the Inside Local address (this would rarely be the case). If you have a policy that changes the source address of packets as they leave network, then the Inside Global address will come from the address (or pool) you defined for that policy. In the case of using NAT to access the Internet, the Inside Global address would be a unique, routable IP address as assigned by your NAT.


(blue p) #15

Hi Rene,

Can you create an example of private IP addresses being translated to the public IP address that is not used as a physical interface? Is that possible? For example the ISP gave you a chunk of 1.1.1.0/29 and the physical interface will use 1.1.1.1 for the ISP and 1.1.1.2 for our NAT router. Can the LAN subnets be translated to 1.1.1.3 - 6?

Thanks,


(Lazaros Agapides) #16

Hello Blue

Yes, this can easily be done. There is no special configuration necessary, just put those IP addresses in the nat translation and you’re working great. The range 1.1.1.3 - 6 will function on the same interface as the 1.1.1.1 address.

I hope this has been helpful!

Laz


(Jason W) #17

Given the topology you used in this lesson you used an access list to tag the inside traffic:

NAT(config)#access-list 1 permit 192.168.123.0 0.0.0.255
NAT(config)#ip nat inside source list 1 interface fastEthernet 1/0 overload

I understand that. But what would you do if there were more networks behind the Host 1 and Host 2 routers? Lets say you had the 10.10.10.0/24 network and the 172.16.6.0/24 network etc etc. Would you have to create an access-list for each internal network segment?


(Rene Molenaar) #18

Hi Jason,

That’s right. You’ll need to create a match statement for each source network that should be translated (or create one statement that matches multiple networks).

Your NAT router looks for the source IP address in the packets that it receives, if it matches an access-list entry, it will translate it.

Rene


(Brian C) #19

This been tested? How is host 1 which is on the 192.168.12.0/24 network going to reach the 192.168.23.0/24 network since it has no routes there? I can see it being able to reach 192.168.23.2 as its on the NAT router.

However it will not reach 192.168.23.3 which is IP address of Web1

Host1#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
…
Success rate is 0 percent (0/5)

nor can you telnet to it which makes sense as you cannot ping to it.

Host1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 …
% Connection timed out; remote host not responding

Host1#

So I think there is something missing from the configs for this to know how to get there be it static routing or a dynamic. I could not get it to work I will double check my GNS3 routers to make sure it does not have something turned off but this lab does not seem to work :x

Here is my base host configuration some of the stuff is added every time use that model router.

Host1#show run
Building configuration…

Current configuration : 988 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Host1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 192.168.123.1 255.255.255.0
no ip route-cache
duplex half
!
ip default-gateway 192.168.123.3
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

Host1#

I had went back to Static NAT and after finding an issue with typo there was able to get lab up and running so about to come back here test some things.

Ok so my guess was correct. To be able to ping the webserver here we have to do “no ip routing” on this device as well same as the host. Then we also have to setup a default gateway. Once you do that you can then ping from hosts to the webserver… which makes sense as the default-gateway is a form of static routing its basically creating a default route to NAT. I could do basically the same thing by adding default routes to host1 and web1 and not add remove routing. Saying that off top of my head without a great deal of thought but it sounds logically.

anyway in order for this lab to work you need to add the following to the web server:

no ip routing
ip default-gateway 192.168.23.2

Now I will test the PAT portion.

==========================================================

Ok good news the Lab does indeed work after those changes.

show command now works:

NAT#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.23.2:6 192.168.123.1:6 192.168.23.3:6 192.168.23.3:6
NAT#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.123.3 YES NVRAM up up
FastEthernet0/1 192.168.23.2 YES NVRAM up up
NVI0 192.168.123.3 YES unset up up
NAT#

debug:

Sep 26 21:11:33.415: IP: s=192.168.23.2
Web1# (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
*Sep 26 21:11:33.419: IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via RIB
*Sep 26 21:11:33.419: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending
*Sep 26 21:11:33.423: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending full packet
*Sep 26 21:11:33.435: IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 26 21:11:33.435: IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
*Sep 26 21:11:33.439: IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via RIB
*Sep 26 21:11:33.439: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending
*Sep 26 21:11:33.443: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending full packet
Web1#

telnet worked (But only after NAT was correctly setup… before NAT you could only ping)

Host1#telnet 192.168.23.3
Trying 192.168.23.3 … Open

Password required, but none set

[Connection to 192.168.23.3 closed by foreign host]
Host1#

--------------------------Be careful on your NAT command!------------------------------------------
I accidentally messed up on the NAT command the first time I did the following:

NAT(config)#ip nat source list 1 interface fastEthernet 0/1 overload

It took my command but nothing worked… lol… I had to go back and remove that and add the “inside”

After that everything worked…

NAT(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload

===================================
===================================

Btw I went ahead and removed the following items from the web server which is what was needed to get the lab to work:

no ip routing
ip default-gateway 192.168.23.2

I then added the following to the web server:

Web1(config)#no ip default-gateway
Web1(config)#ip routing
Web1(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

Web1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.23.2 to network 0.0.0.0

C 192.168.23.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.23.2
Web1#

I retested and everything still worked… So my original guess was right. It had to do with routing. So in order for this to work the following must be done though there is a few choices on how to do it.


(Meihua C) #20

Rene:
How to make sure that TCP/UDP port on each internal host can be different at the same time?
thanks
Melina