The scenarios presented in this chapter help you gain a more complete understanding of NAT operation and configuration through practical application. You will go through the necessary configuration tasks in their logical progression. The scenarios cover the following topics:
Simple NAT topology
Simple static NAT inside-to-outside translation
Simple static NAT outside-to-inside translation
Combining static NAT translation
Overloading an IP address with NAT
Using NAT with overlapping addresses
Configuring TCP load distribution
To further examine NAT, you will configure a simple network topology to examine the results of several different scenarios involving NAT. Figure 12-3 shows the topology used in this exercise.

In this scenario, you will configure R1 to translate the inside local address of 10.10.1.100 to 10.10.15.100.
Before configuring any of the NAT configurations, you need to perform an initial configuration of all the routers you will use throughout the scenarios. Although you need to apply these configurations, you will concentrate on R1 for now. You can do this from a terminal attached to R1's console port (line 0). You begin by entering global configuration mode. You can then configure the router name using the hostname command. It is also useful to disable the IP domain name system with the no ip domain-lookup command. This keeps the system from trying to translate domain names that have typographical errors.
You can use the enable secret command to enable a password for entering privileged EXEC mode. Here the password is cisco. This secret password provides an additional layer of security on the router. Passwords are case-sensitive strings that can be up to 80 characters long. They cannot begin with a number.
Because your router has a connection to its local network through the Ethernet 0 port, you enter interface e 0 to configure this interface. You can also use interface ethernet 0 or int eth 0. You set the IP address for the Ethernet interface using the ip address command, which also requires a subnet mask. You then activate the interface using the no shutdown command.
Your next configuration is to bring up the Serial 0 interface and configure its IP address. You enter interface s 0 to configure this interface. You can also use interface serial 0 or int ser 0. You then activate the interface using the no shutdown command. You can now create two subinterfaces, Serial 0.1 and Serial 0.2, and set the appropriate IP addresses for the serial subinterfaces using the ip address command, again including a subnet mask.
You can optionally configure your console line to prevent it from automatically disconnecting you after the default 10-minute idle time. To begin configuring the console line, enter line console 0. You are now in line configuration mode. You use the no exec-timeout command to prevent the automatic disconnect after a period of inactivity. The initial configuration of the R1 router is now complete. It is shown in Example 12-1.
NOTE
Don't forget to reset the exec-timeout after the configuration is complete. Leaving it open is a potential security risk.
Router#configure terminal
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#enable secret cisco
R1(config)#interface ethernet 0
R1(config-if)#ip address 10.10.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface serial 0
R1(config-if)#no shutdown
R1(config)#interface serial 0.1
R1(config-if)#ip address 10.10.13.1 255.255.255.0
R1(config)#interface serial 0.2
R1(config-if)#ip address 10.10.14.1 255.255.255.0
R1(config-if)#line console 0
R1(config-line)#no exec-timeout
You can refer back to this section, substituting the information for the particular router you are configuring, whenever you encounter an unconfigured router.
In this step, you configure R1 with the required NAT configuration, as shown in Example 12-2.
! Configuration items for R1:
R1(config)#ip nat inside source static 10.10.1.100 10.10.15.100
R1(config)#interface serial 0.1 point-to-point
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0.2 point-to-point
R1(config-if)#ip nat outside
R1(config-if)#exit
The last step is to configure static routing. You could use dynamic routing to ensure connectivity for all the networks, but that is outside the scope of this chapter. See Example 12-3.
! Configuration items for R1:
R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.14.2
! Route for the inside global network; the destination must be the network
! address 10.10.15.0 (a host address with a /24 mask is rejected as inconsistent)
R1(config)#ip route 10.10.15.0 255.255.255.0 10.10.13.2
You can now view the translation table on R1 to verify that the intended translation exists by using the following command:
R1#show ip nat translation
Example 12-4 shows the results of issuing this command on your NAT router.
R1#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 10.10.15.100       10.10.1.100        ---                ---
By examining Example 12-4, you can tell that 10.10.1.100 is indeed translated to 10.10.15.100 as you intended. You begin your examination of NAT operation by issuing a ping from 10.10.1.100 to the outside interface of R7 at 192.168.47.7. To see the packets crossing the network, you need to issue the following commands on R1:
R1#debug ip packet detail
R1#debug ip nat
Example 12-5 shows the output generated on R1.
R1#debug ip packet detail
R1#debug ip nat
NAT: s=10.10.1.100->10.10.15.100, d=192.168.47.7 [481]
IP: s=10.10.15.100 (Serial0), d=192.168.47.7 (Serial1), g=172.16.47.145, len 100, forward
    ICMP type=8, code=0
R1#undebug all
All possible debugging has been turned off
Examining Example 12-5 shows that your packets are being translated by NAT as expected. Your router must have valid routes for both the outside device and the inside device, or NAT will not be able to deliver the packets correctly. One other thing to remember is that return packets must be translated before they can be routed.
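The order of operations described above (inside-to-outside traffic is routed and then translated, outside-to-inside traffic is translated before it is routed, and a missing route drops the packet) is easy to misread from debug output alone. The following Python model is an added example, not code from the book or from Cisco IOS: it uses R1's addresses, interfaces and routes from Examples 12-1 through 12-3, treats Ethernet 0 as an inside interface (as Example 12-6 does), and the next-hop labels such as "connected Ethernet0" are constructed for illustration.

```python
# Added example (not from the book or Cisco IOS): a minimal model of the order in
# which a NAT router applies routing and static translation, using the addresses,
# interfaces and routes of R1 from Examples 12-1 through 12-3. Next-hop strings
# such as "connected Ethernet0" are constructed labels.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    def __init__(self, inside_static, routes, inside_ifaces, outside_ifaces):
        # inside local -> inside global, as set by "ip nat inside source static"
        self.inside_static = dict(inside_static)
        self.global_to_local = {g: l for l, g in self.inside_static.items()}
        # list of (prefix, next hop); "0.0.0.0/0" is the default route
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.inside_ifaces = set(inside_ifaces)
        self.outside_ifaces = set(outside_ifaces)

    def route(self, dst):
        """Longest-prefix match. Returns the next hop, or None when there is no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def forward(self, pkt, ingress):
        """Returns (translated packet, next hop), or None when the packet is dropped."""
        if ingress in self.inside_ifaces:
            # Inside to outside: route on the original destination first, then
            # rewrite the source from inside local to inside global.
            nh = self.route(pkt.dst)
            if nh is None:
                return None
            return replace(pkt, src=self.inside_static.get(pkt.src, pkt.src)), nh
        if ingress in self.outside_ifaces:
            # Outside to inside: the router needs a route for the inside global
            # address, then rewrites the destination to the inside local address,
            # and only then routes the translated packet ("translate before route").
            if self.route(pkt.dst) is None:
                return None
            out = replace(pkt, dst=self.global_to_local.get(pkt.dst, pkt.dst))
            nh = self.route(out.dst)
            return None if nh is None else (out, nh)
        raise ValueError(f"unknown interface {ingress}")


def build_r1(with_routes=True):
    """R1 as configured in Examples 12-1 to 12-3; with_routes=False leaves out the
    two static routes of Example 12-3, keeping only the connected networks."""
    routes = [
        ("10.10.1.0/24", "connected Ethernet0"),
        ("10.10.13.0/24", "connected Serial0.1"),
        ("10.10.14.0/24", "connected Serial0.2"),
    ]
    if with_routes:
        routes += [("0.0.0.0/0", "10.10.14.2"), ("10.10.15.0/24", "10.10.13.2")]
    return NatRouter(
        inside_static={"10.10.1.100": "10.10.15.100"},
        routes=routes,
        inside_ifaces={"Ethernet0", "Serial0.1"},   # assumption: Ethernet 0 is inside
        outside_ifaces={"Serial0.2"},
    )


if __name__ == "__main__":
    r1 = build_r1()
    print(r1.forward(Packet("10.10.1.100", "192.168.47.7"), "Ethernet0"))
    print(r1.forward(Packet("192.168.47.7", "10.10.15.100"), "Serial0.2"))
    print(build_r1(with_routes=False).forward(Packet("10.10.1.100", "192.168.47.7"), "Ethernet0"))
```

Running the model with the routes of Example 12-3 removed shows both directions being dropped: the echo request has no route to 192.168.47.7, and the echo reply has no route for the inside global address 10.10.15.100, which is exactly the "valid routes for both the outside device and the inside device" requirement stated above.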
In this scenario, you configure your NAT router, R1, so that when it receives a packet with a source address of 10.10.1.100 on its inside interface, it translates it to 10.10.14.100. Example 12-6 shows the required configuration of R1 to complete this scenario.
! Configuration items for R1:
R1(config)#ip nat inside source static 10.10.1.100 10.10.14.100
R1(config)#interface ethernet 0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0
R1(config-if)#ip nat outside
In this scenario, you configure R1 so that when it receives a packet with a source address of 10.10.14.200 on its outside interface, the source address is translated to 10.10.1.200. Example 12-7 shows R1's configuration required to complete this scenario.
! Configuration items for R1:
R1(config)#ip nat outside source static 10.10.14.200 10.10.1.200
R1(config)#interface ethernet 0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0
R1(config-if)#ip nat outside
In this scenario, you combine the functionality of the previous three scenarios. In other words, you configure R1 so that when it receives a packet with a source address of 10.10.1.100 on its inside interface, it translates it to 10.10.14.100. You also configure R1 so that when it receives a packet on its outside interface with a source address of 10.10.14.200, the source address is translated to 10.10.1.200. Example 12-8 outlines a possible configuration for R1 that completes this scenario.
! Configuration items for R1:
R1(config)#ip nat inside source static 10.10.1.100 10.10.14.100
R1(config)#ip nat outside source static 10.10.14.200 10.10.1.200
R1(config)#interface ethernet 0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0
R1(config-if)#ip nat outside
To complete this scenario, you configure R7 so that it uses Serial 0's IP address for overload. You also enable an outside e-mail server to originate traffic on port 25 to your Loopback 0 address. Example 12-9 illustrates the overload keyword in a configuration.
! Configuration items for R7:
R7(config)#ip nat inside source list 7 interface serial 0 overload
R7(config)#ip nat inside source static tcp 10.10.7.7 25 10.10.14.7 25
By using the overload keyword and associating it with an interface, you allow more than one inside local address to be dynamically translated to the same global address. You also add a second entry to statically configure NAT so that packets sourced from local address 100.133.7.7 with TCP port 25 (SMTP) are translated to Serial 0's IP address with TCP port 25. This static NAT entry gives e-mail servers on the outside the ability to originate SMTP (TCP port 25) packets to the global address of 10.10.14.7.
In this scenario, you use the topology illustrated in Figure 12-4.

You first need to configure R7 in a manner that will allow it to translate the inside device located at 10.10.1.200 to an address from a NAT pool you will configure. You also need to configure a second pool to translate the outside device located at 10.10.1.100 to a second NAT pool. Example 12-10 illustrates the configuration required on R7.
! Configuration items for R7:
R7(config)#ip nat pool inside 192.168.48.200 192.168.48.205 prefix-length 24
R7(config)#ip nat pool outside 192.168.48.210 192.168.48.215 prefix-length 24
R7(config)#ip nat inside source list 7 pool inside
R7(config)#ip nat outside source list 7 pool outside
R7(config)#interface loopback 0
R7(config-if)#ip address 10.10.7.7 255.255.255.0
R7(config-if)#ip nat inside
R7(config-if)#exit
R7(config)#interface ethernet 0
R7(config-if)#ip address 192.168.47.7 255.255.255.0
R7(config-if)#ip nat outside
R7(config-if)#exit
R7(config)#ip route 0.0.0.0 0.0.0.0 192.168.47.1
R7(config)#access-list 7 permit 10.10.1.0 0.0.0.255
When your inside device sends a DNS query to the DNS server residing outside the NAT domain, the DNS query source address (the address of the inside device) is translated because of the ip nat inside commands. When the DNS server sends a DNS reply, the address carried in the DNS reply payload is translated because of the ip nat outside commands. Without this outside source translation, NAT would not examine the DNS reply payload at all.
When you are trying to establish connectivity between two overlapping networks by running dynamic NAT on a single Cisco router, you must use DNS to create an outside-local-to-outside-global translation. If you choose not to use DNS, you can still gain connectivity with static NAT, but it will be more difficult for you to manage.
In this scenario, your goal is to define a virtual address to distribute connections among a set of real hosts. You define a pool containing the addresses of the real hosts. You define an access control list (ACL) that specifies the virtual address. If a translation does not already exist, TCP packets from the outside network on Serial 0 with destinations that match your defined ACL are translated to an address from the pool. Example 12-11 shows a configuration that completes this scenario.
! Configuration items for R4:
R4(config)#ip nat pool real-hosts 192.168.50.3 192.168.50.15 prefix-length 28 type rotary
R4(config)#ip nat inside destination list 2 pool real-hosts
R4(config)#interface serial 0
R4(config-if)#ip address 192.168.50.129 255.255.255.240
R4(config-if)#ip nat outside
R4(config-if)#exit
R4(config)#interface ethernet 0
R4(config-if)#ip address 192.168.50.1 255.255.255.240
R4(config-if)#ip nat inside
R4(config-if)#exit
R4(config)#access-list 2 permit 192.168.50.2
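The two dynamic forms of translation used in this chapter, the overload keyword with a static port entry (Example 12-9) and the rotary pool for TCP load distribution (Example 12-11), both create table entries on demand, and the interesting behaviour is in what happens to traffic that has no entry. The Python model below is an added example, not code from the book or from Cisco IOS. It keeps an inside host's source port when that port is free and otherwise allocates one sequentially, which follows PAT in outline only; the inside hosts, client addresses and ports used in the tests are constructed, and the rotary pool uses three of the real-host addresses from Example 12-11 for brevity.

```python
# Added example (not from the book or Cisco IOS): a model of the two dynamic
# translation forms used above, PAT overload with a static port entry
# (Example 12-9) and a rotary pool for TCP load distribution (Example 12-11).
# Inside hosts, client addresses and port numbers used with it are constructed.
from itertools import cycle


class Overload:
    """One inside global address shared by many inside locals ("overload").

    The original source port is kept when it is free; otherwise a port is
    allocated from first_port upward. This mirrors PAT behaviour in outline only.
    """

    def __init__(self, global_addr, static_ports=None, first_port=1024):
        self.global_addr = global_addr
        # (proto, global port) -> (inside local, local port), from
        # "ip nat inside source static tcp ..."
        self.static = dict(static_ports or {})
        self.first_port = first_port
        self.table = {}    # (proto, inside local, local port) -> global port
        self.reverse = {}  # (proto, global port) -> (inside local, local port)

    def _in_use(self, proto, gport):
        return (proto, gport) in self.static or (proto, gport) in self.reverse

    def outbound(self, proto, local, lport):
        """Inside-to-outside: returns the (inside global, port) the packet leaves with."""
        key = (proto, local, lport)
        if key not in self.table:
            gport = lport
            if self._in_use(proto, gport):
                gport = self.first_port
                while self._in_use(proto, gport):
                    gport += 1
            self.table[key] = gport
            self.reverse[(proto, gport)] = (local, lport)
        return self.global_addr, self.table[key]

    def inbound(self, proto, gport):
        """Outside-to-inside: a static entry answers unsolicited traffic (SMTP here);
        anything else needs an existing dynamic entry, otherwise it is dropped (None)."""
        if (proto, gport) in self.static:
            return self.static[(proto, gport)]
        return self.reverse.get((proto, gport))


class Rotary:
    """'type rotary' pool: each new TCP connection to the virtual address is handed
    to the next real host; packets of an existing connection keep their host."""

    def __init__(self, virtual, real_hosts):
        self.virtual = virtual
        self._next_host = cycle(real_hosts)
        self.table = {}  # (client, client port) -> real host

    def inbound_tcp(self, client, cport, dst):
        if dst != self.virtual:
            return dst  # destinations not matching access-list 2 are left alone
        key = (client, cport)
        if key not in self.table:
            self.table[key] = next(self._next_host)
        return self.table[key]


if __name__ == "__main__":
    pat = Overload("10.10.14.7", static_ports={("tcp", 25): ("10.10.7.7", 25)})
    print(pat.outbound("tcp", "10.10.1.10", 40000))   # keeps port 40000
    print(pat.outbound("tcp", "10.10.1.11", 40000))   # 40000 taken, gets 1024
    print(pat.inbound("tcp", 25), pat.inbound("tcp", 2000))  # static hit, then None
    rot = Rotary("192.168.50.2", ["192.168.50.3", "192.168.50.4", "192.168.50.5"])
    for port in (5000, 5001, 5000):
        print(port, rot.inbound_tcp("203.0.113.9", port, "192.168.50.2"))
```

The security-relevant point the model makes explicit is the asymmetry of overload: outbound connections open entries that let replies back in, but an unsolicited inbound packet to any port other than the statically configured TCP 25 finds no entry and is dropped, so the only inside host reachable from the outside on R7 is the one you deliberately exposed.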