Here is a sample dynamic NAT configuration for the scenario in Figure 10-3.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat pool MyPool 67.210.97.2 67.210.97.4 ?
netmask Specify the network mask
prefix-length Specify the prefix length
R1(config)#ip nat pool MyPool 67.210.97.2 67.210.97.4 netmask 255.255.255.0
R1(config)#access-list 1 permit host 192.168.1.2
R1(config)#access-list 1 permit host 192.168.1.3
R1(config)#access-list 1 permit host 192.168.1.4
R1(config)#ip nat inside source list 1 pool MyPool
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#interface FastEthernet0/1
R1(config-if)#ip address 67.210.97.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#end
R1#
The above configuration has three parts.
First, the command ip nat pool MyPool 67.210.97.2 67.210.97.4 netmask 255.255.255.0 creates a pool of inside global addresses from 67.210.97.2 to 67.210.97.4, a total of only 3 addresses, with a subnet mask of 255.255.255.0. Please note that we chose MyPool as the NAT pool name, but this choice is arbitrary and the NAT pool name can be anything you like, even your first name. Also note that a network mask has to be specified using the netmask keyword (or prefix-length) when defining a NAT pool.
Second, the access-list 1 commands create a standard access list matching the interesting traffic for address translation. This access list matches the IP addresses of the three inside hosts.
Third and last, the ip nat inside source list 1 pool MyPool command instructs the router to dynamically translate the source IP addresses of packets arriving at the inside interface that match access-list 1 to an address taken from the NAT pool named MyPool.
Exam Concept – Dynamic NAT allows one-to-one mapping of local addresses to global addresses from a pool of global addresses.
Let’s verify it now:
R1#show ip nat translations
There is no output so far: there are no static mappings, and no dynamic entries exist yet because none of the inside hosts has sent any traffic. Let’s generate some traffic from each of the three inside hosts and run the show ip nat translations command again:
R1#show ip nat translations
Pro  Inside global      Inside local       Outside local         Outside global
icmp 67.210.91.2:15    192.168.1.2:15     173.194.67.102:15     173.194.67.102:15
---  67.210.91.2       192.168.1.2        ---                   ---
icmp 67.210.91.3:16    192.168.1.3:16     173.194.67.102:16     173.194.67.102:16
---  67.210.91.3       192.168.1.3        ---                   ---
icmp 67.210.91.4:17    192.168.1.4:17     173.194.67.102:17     173.194.67.102:17
---  67.210.91.4       192.168.1.4        ---                   ---
Let’s issue the clear ip nat translation * command and view the translation table again:
R1#clear ip nat translation *
R1#show ip nat translations
The translation table is empty again: the dynamic entries were removed, and there were no static mappings, which would otherwise remain in the table.
If you recall what we learned in the chapter on access lists, access lists were presented as tools to match packets that make up interesting traffic. The access list here is likewise used to match interesting traffic, in this case for address translation. It is not used for traffic filtering, because it was never applied to an interface using the ip access-group command.
Please keep in mind that both static and dynamic NAT create a one-to-one mapping between inside local and inside global addresses. The only difference is that for static NAT we must explicitly specify which inside local address maps to which inside global address, while for dynamic NAT we only create an access list to identify the inside local addresses and a pool to supply the inside global addresses. The actual mapping is created dynamically as the router performing NAT receives interesting packets.
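To make the behaviour of the three configuration parts (pool, access list, and the ip nat inside source command) and the static-versus-dynamic contrast concrete, here is a small Python model of the dynamic NAT table, added here as an illustration; it is not code from the original page or from Cisco IOS. The addresses are the ones from the configuration above, and the class, function and result names are assumptions chosen for this example. It goes slightly beyond the page's scenario by also showing what happens when a fourth permitted host arrives after the three-address pool is used up, and what clear ip nat translation * does to the table.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed values mirroring the page's configuration: standard ACL 1 permits
# three inside hosts, and pool MyPool holds 67.210.97.2 through 67.210.97.4.
ACL_1 = {"192.168.1.2", "192.168.1.3", "192.168.1.4"}
MYPOOL = ("67.210.97.2", "67.210.97.4")


@dataclass(frozen=True)
class NatResult:
    action: str                   # "translated", "untranslated" or "dropped"
    inside_global: Optional[str]  # pool address used, or None


class DynamicNatPool:
    """Hypothetical model of 'ip nat inside source list 1 pool MyPool'.

    Every inside local address the ACL permits receives its own pool address
    (one-to-one). A source the ACL does not permit is forwarded untranslated.
    A permitted source arriving after the pool is used up has no address to
    map to, so the packet is dropped.
    """

    def __init__(self, acl, pool):
        self.acl = set(acl)
        first, last = (int(IPv4Address(a)) for a in pool)
        self.free = [str(IPv4Address(n)) for n in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def translate(self, inside_local):
        if inside_local not in self.acl:          # not interesting traffic
            return NatResult("untranslated", None)
        if inside_local in self.table:            # existing entry is reused
            return NatResult("translated", self.table[inside_local])
        if not self.free:                         # pool exhausted
            return NatResult("dropped", None)
        inside_global = self.free.pop(0)          # take the lowest free address
        self.table[inside_local] = inside_global
        return NatResult("translated", inside_global)

    def clear(self):
        """Equivalent of 'clear ip nat translation *': entries go, pool refills."""
        self.free = sorted(self.free + list(self.table.values()), key=IPv4Address)
        self.table.clear()

    def show_translations(self):
        """(inside global, inside local) rows, like 'show ip nat translations'."""
        rows = sorted(self.table.items(), key=lambda kv: IPv4Address(kv[0]))
        return [(g, l) for l, g in rows]


def simulate():
    """Replay the page's scenario plus a fourth host; return the observations."""
    nat = DynamicNatPool(ACL_1, MYPOOL)
    hosts = ["192.168.1.2", "192.168.1.3", "192.168.1.4"]
    first_pass = [nat.translate(h).action for h in hosts]
    repeat = nat.translate("192.168.1.2")      # same host keeps its mapping
    fourth = nat.translate("192.168.1.5")      # not in ACL 1: untranslated
    nat.acl.add("192.168.1.5")                 # now permitted, but pool is full
    exhausted = nat.translate("192.168.1.5")
    table_before_clear = nat.show_translations()
    nat.clear()
    return {
        "first_pass": first_pass,
        "repeat": repeat.inside_global,
        "fourth": fourth.action,
        "exhausted": exhausted.action,
        "table_before_clear": table_before_clear,
        "table_after_clear": nat.show_translations(),
        "free_after_clear": len(nat.free),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The "dropped" result for the fourth permitted host is the practical reason to size a dynamic pool against the number of inside hosts that the access list permits, or to move to PAT when the pool is smaller than that number.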