Dynamic NAT (DNAT) configuration, explanations along the way, verification commands, and important info for exam day!


Once again I will be using R2 as our Dynamic NAT router for the Ethernet network. The fundamentals are really just that it operates exactly like Static NAT, except that we configure a pool of outside or “global” addresses that the inside “local” addresses dynamically get mapped to as needed.

Now for the configuration, here is a list in order of how / what to configure:

  • NAT in and out on the proper interfaces
  • Defining the NAT pool of outside address available for use
  • An ACL to narrow down who may use the pool for Dynamic NAT mappings
  • Applying the ACL to the “ip nat inside source… ” configuration

So I’ve left fa0/1 as the ip nat inside interface with the NBMA S0/0 interface as ip nat outside, and let’s first configure the pool:

R2(config)#ip nat ?
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  service            Special translation for application using non-standard
                     port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration

R2(config)#ip nat pool ?
  WORD  Pool name

R2(config)#ip nat pool CCNP ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

R2(config)#ip nat pool CCNP 172.12.123.50 ?
  A.B.C.D  End IP address

R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 netmask ?
  A.B.C.D  Network mask

R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0 ?
  accounting  Specify the accounting
  add-route   Add special route to Virtual Interface
  arp-ping    WLAN ARP Ping
  type        Specify the pool type
  <cr>

R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0
R2(config)#

That line specifies 172.12.123.50-100 on the subnet 172.12.123.0 as the addresses to be used. The pool size vs the number of kids allowed in the pool should be a red flag on exam day to pay close attention to. Now to configure the access-list of kids in my pool that can use it.

  • Note we use a ‘netmask’ on the pool config and not a wildcard mask; those are coming up on the ACLs!

Now to configure a little access-list for SW1 and R4 to take a dip in the DNAT pool:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 2 permit 10.1.1.4
R2(config)#access-list 2 permit 10.1.1.100

Now to tie that ACL into the DNAT Pool to define which hosts may access it:

R2(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

R2(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

R2(config)#ip nat inside source list 2 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

R2(config)#ip nat inside source list 2 pool ?
  WORD  Pool name for global addresses

R2(config)#ip nat inside source list 2 pool CCNP ?
  mapping-id  Associate a mapping id to this mapping
  oer         Use with vtemplate only.  On new translation, if OER BR is UP,
              OER will select IP from outgoing Interface.  All packets matching
              translation are forwarded over Interface for duration of
              translation.
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf
  <cr>

R2(config)#ip nat inside source list 2 pool CCNP
R2(config)#

We see NAT overload there and start grinding our teeth, but not yet, not just yet. Note we also see up there that we can use a pretty wide range of ACLs, including extended ones!

So at this point, Dynamic NAT should be set up; time for testing and verification!

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.50:1   10.1.1.100:1       172.12.123.1:1     172.12.123.1:1
--- 172.12.123.50      10.1.1.100         ---                ---

The port # next to the IP address has been solved: the :1 here is an “ICMP Ident #”, which should increment the more traffic is sent through it, and which is specific to ICMP.

So why isn’t R4 getting in on this:

R4#sh ip route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, FastEthernet0/0
L        10.1.1.4/32 is directly connected, FastEthernet0/0
R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 172.12.123.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
......
Success rate is 0 percent (0/6)

Ahhhhh, it’s the “ip route …” I set for the usual 172.12.23.0/24 to point at R2. After adjusting it and verifying on R2, here is what we see:

R4(config)#no ip route 172.12.123.0 255.255.255.0 172.12.123.2
R4(config)#ip route 172.12.123.0 255.255.255.0 10.1.1.2
R4(config)#do ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.
ASR#2
[Resuming connection 2 to r2 … ]

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.51:5   10.1.1.4:5         172.12.123.1:5     172.12.123.1:5
--- 172.12.123.51      10.1.1.4           ---                ---
icmp 172.12.123.50:1   10.1.1.100:1       172.12.123.1:1     172.12.123.1:1
--- 172.12.123.50      10.1.1.100         ---                ---
R2(config)#

The weird thing is those ICMP id numbers that are supposed to be incrementing; I’m not sure if it is as traffic flows or per traffic flow, but that’s a small detail, and I am not concerned about knowing its behavior beyond knowing it’s a thing.

So now we have both addresses translated and bugging R1. I will spare the output, but those two addresses are hitting it and getting the failed encapsulation message, or whatever it is.

***A VERY GOOD SHOW COMMAND FOR NAT IS “SH IP NAT STAT”, AS SHOWN***

R2#sh ip nat stat
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 479  Misses: 2
CEF Translated packets: 481, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 2 pool CCNP refcount 3
 pool CCNP: netmask 255.255.255.0
        start 172.12.123.50 end 172.12.123.100
        type generic, total addresses 51, allocated 2 (3%), misses 0
Queued Packets: 0
R2#

Interfaces configured with NAT inside / outside, the number of translations, the pool size, the ACL it references and the pool name itself, the percentage of allocated addresses: it has it all!
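Because the pool line of “sh ip nat stat” is where exhaustion shows up first (allocated climbs toward the total, then the pool’s misses counter starts ticking), here is an added example, not from the article, that parses that output and flags pools close to running out. The sample text is constructed to match the shape of the output above; the threshold and warning wording are my own choices.

```python
import re

# Constructed sample, shaped like the article's "sh ip nat stat" output.
SAMPLE_NAT_STAT = """\
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 479  Misses: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 2 pool CCNP refcount 3
 pool CCNP: netmask 255.255.255.0
        start 172.12.123.50 end 172.12.123.100
        type generic, total addresses 51, allocated 2 (3%), misses 0
"""

# One pool block: name, range, then the allocation/miss counters on the next lines.
POOL_RE = re.compile(
    r"pool (?P<name>\S+): netmask \S+\s+start (?P<start>\S+) end (?P<end>\S+)\s+"
    r"type \w+, total addresses (?P<total>\d+), allocated (?P<alloc>\d+) "
    r"\(\d+%\), misses (?P<misses>\d+)"
)


def parse_nat_pools(text):
    """Return one dict per NAT pool found in 'show ip nat statistics' output."""
    pools = []
    for m in POOL_RE.finditer(text):
        d = m.groupdict()
        pools.append({"name": d["name"], "start": d["start"], "end": d["end"],
                      "total": int(d["total"]), "allocated": int(d["alloc"]),
                      "misses": int(d["misses"])})
    return pools


def pool_warnings(pools, threshold=0.8):
    """Flag pools that have already refused allocations or are near the threshold."""
    warnings = []
    for p in pools:
        if p["misses"] > 0:
            warnings.append(f"{p['name']}: {p['misses']} allocation misses, pool exhausted")
        elif p["allocated"] / p["total"] >= threshold:
            warnings.append(f"{p['name']}: {p['allocated']}/{p['total']} addresses allocated")
    return warnings


if __name__ == "__main__":
    print(parse_nat_pools(SAMPLE_NAT_STAT), pool_warnings(parse_nat_pools(SAMPLE_NAT_STAT)))
```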

So to go through the steps one at a time once more for setting this up:

  • Designate the in / out interfaces
  • Create the DNAT Pool
  • Create the ACL allowing which hosts can use pool
  • Link ACL to pool using “ip nat inside …” command
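To make the behaviour behind those steps concrete, here is an added example (my own toy model, not the article’s configuration or anything IOS actually runs) of what R2 does with the pool 172.12.123.50-100 and access-list 2: one global address per permitted inside host, handed out on first use, a miss once the pool runs dry, and a pool that refuses to be removed while translations still reference it. The class and method names are assumptions for illustration.

```python
from ipaddress import IPv4Address


class DynamicNat:
    """Toy model of IOS Dynamic NAT (no overload): one inside global per inside local."""

    def __init__(self, pool_start, pool_end, acl_permit):
        start, end = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free = [str(IPv4Address(a)) for a in range(start, end + 1)]
        self.acl = set(acl_permit)      # hosts the "ip nat inside source list" ACL permits
        self.table = {}                 # inside local -> inside global (the translation table)
        self.pool_misses = 0            # allocation attempts refused because the pool was empty

    @property
    def pool_size(self):
        return len(self.free) + len(self.table)

    def translate(self, inside_local):
        """Inside global for an outbound packet, or None if not permitted / pool exhausted."""
        if inside_local in self.table:          # existing translation is reused
            return self.table[inside_local]
        if inside_local not in self.acl:        # ACL denies: packet goes out untranslated
            return None
        if not self.free:                       # more kids than the pool can hold
            self.pool_misses += 1
            return None
        self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

    def clear_translations(self):
        """Like 'clear ip nat trans *': every global address goes back to the pool."""
        self.free = sorted(self.free + list(self.table.values()), key=IPv4Address)
        self.table.clear()

    def remove_pool(self):
        """Like 'no ip nat pool CCNP': refused while any translation references the pool."""
        if self.table:
            raise RuntimeError("Pool in use, cannot destroy")
        self.free = []


if __name__ == "__main__":
    nat = DynamicNat("172.12.123.50", "172.12.123.100", ["10.1.1.4", "10.1.1.100"])
    print(nat.pool_size, nat.translate("10.1.1.100"), nat.translate("10.1.1.4"))
```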

One more behavior to note before the end of this article is removing the DNAT pool:

R2(config)#no ip nat pool CCNP
%Pool CCNP in use, cannot destroy
R2(config)#

I’d like to note this is the message on 12.x IOS; however, the 15.x version of it is similar, and it will not let you tear down dynamic NAT pools unless you clear the entries.

To keep it in my mind, you can’t destroy the pool until the kids are out!

So to get the kids out of your DNAT translation table, the command is as follows:

R2#clear ip nat trans *
R2#sh ip nat trans

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip nat pool CCNP
R2(config)#

Tadaaaaa. So that will be the end of that, onto my last video series for Chris Bryant’s CCNP ROUTE video series, PAT Overload, and I am finished with videos!!! 🙂
