Once again I will be using R2 as our Dynamic NAT router for the Ethernet network. The fundamentals are really just that it operates exactly like Static NAT, except we configure a pool of outside or “global” addresses that the inside “local” addresses are dynamically mapped to as needed.
Now for the configuration, here is a list, in order, of what to configure:
- NAT in and out on the proper interfaces
- Defining the NAT pool of outside addresses available for use
- An ACL to narrow down who may use the pool for Dynamic NAT mappings
- Applying the ACL to the “ip nat inside source… ” configuration
So I’ve left fa0/1 as the “ip nat inside” interface with the NBMA S0/0 interface as “ip nat outside”, and let’s first configure the pool:
R2(config)#ip nat ?
Stateful Stateful NAT configuration commands
create Create flow entries
inside Inside address translation
log NAT Logging
outside Outside address translation
piggyback-support NAT Piggybacking Support
pool Define pool of addresses
service Special translation for application using non-standard
port
sip-sbc SIP Session Border Controller commands
source Source address translation
translation NAT translation entry configuration
R2(config)#ip nat pool ?
WORD Pool name
R2(config)#ip nat pool CCNP ?
A.B.C.D Start IP address
netmask Specify the network mask
prefix-length Specify the prefix length
R2(config)#ip nat pool CCNP 172.12.123.50 ?
A.B.C.D End IP address
R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 ?
netmask Specify the network mask
prefix-length Specify the prefix length
R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 netmask ?
A.B.C.D Network mask
R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0 ?
accounting Specify the accounting
add-route Add special route to Virtual Interface
arp-ping WLAN ARP Ping
type Specify the pool type
<cr>
R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0
R2(config)#
That line specifies 172.12.123.50-100 on the subnet 172.12.123.0 as the addresses to be used. The pool size versus the number of kids allowed into the pool should be a red flag on exam day to pay clear attention to. Now to configure the access-list of kids in my pool that can use it.
- Note we use a ‘netmask’ on the pool config and not a wildcard mask; those are coming up on the ACLs!
Now to configure a little access-list for SW1 and R4 to take a dip in the DNAT pool:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 permit 10.1.1.4
R2(config)#access-list 2 permit 10.1.1.100
Now to tie that ACL into the DNAT Pool to define which hosts may access it:
R2(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping
R2(config)#ip nat inside source list ?
<1-2699> Access list number for local addresses
WORD Access list name for local addresses
R2(config)#ip nat inside source list 2 ?
interface Specify interface for global address
pool Name pool of global addresses
R2(config)#ip nat inside source list 2 pool ?
WORD Pool name for global addresses
R2(config)#ip nat inside source list 2 pool CCNP ?
mapping-id Associate a mapping id to this mapping
oer Use with vtemplate only. On new translation, if OER BR is UP,
OER will select IP from outgoing Interface. All packets matching
translation are forwarded over Interface for duration of
translation.
overload Overload an address translation
reversible Allow out->in traffic
vrf Specify vrf
<cr>
R2(config)#ip nat inside source list 2 pool CCNP
R2(config)#
We see NAT overload there and start grinding our teeth, but not yet, not just yet. Note we also see up there that we can use a pretty wide range of ACLs, including extended ones!
So at this point Dynamic NAT should be set up; time for testing and verification!
R2(config)#do sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 172.12.123.50:1 10.1.1.100:1 172.12.123.1:1 172.12.123.1:1
— 172.12.123.50 10.1.1.100 — —
The mystery of the port # next to the IP address has been solved: the :1 here is an “ICMP Iden #” (ICMP identifier), which is specific to ICMP and should increment as more traffic is sent through it.
So why isn’t R4 getting in on this:
R4#sh ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.4/32 is directly connected, FastEthernet0/0
R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 172.12.123.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
……
Success rate is 0 percent (0/6)
Ahhhhh, the static “ip route …” I set for the usual 172.12.23.0/24 to point at R2 was using R2’s serial-side address 172.12.123.2 as the next hop instead of its Ethernet address 10.1.1.2, which is the one R4 can actually reach. After adjusting it and verifying on R2, here is what we see:
R4(config)#no ip route 172.12.123.0 255.255.255.0 172.12.123.2
R4(config)#ip route 172.12.123.0 255.255.255.0 10.1.1.2
R4(config)#do ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.
ASR#2
[Resuming connection 2 to r2 … ]
R2(config)#do sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 172.12.123.51:5 10.1.1.4:5 172.12.123.1:5 172.12.123.1:5
— 172.12.123.51 10.1.1.4 — —
icmp 172.12.123.50:1 10.1.1.100:1 172.12.123.1:1 172.12.123.1:1
— 172.12.123.50 10.1.1.100 — —
R2(config)#
The weird thing is those icmp id numbers that are supposed to be incrementing; not sure if it is as traffic flows or per traffic flow, but it’s a small detail, and I am not concerned about knowing its behavior beyond knowing it’s a thing.
So now we have both addresses translated and bugging R1, and I will spare you the output, but those two addresses are hitting it and getting the failed encapsulation message or whatever it is.
***A VERY GOOD SHOW COMMAND FOR NAT IS “SH IP NAT STAT”, AS SHOWN***
R2#sh ip nat stat
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 479 Misses: 2
CEF Translated packets: 481, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
— Inside Source
[Id: 1] access-list 2 pool CCNP refcount 3
pool CCNP: netmask 255.255.255.0
start 172.12.123.50 end 172.12.123.100
type generic, total addresses 51, allocated 2 (3%), misses 0
Queued Packets: 0
R2#
It has it all: the interfaces configured with NAT in / out, the # of translations, the pool size, the ACL it references and the pool name itself, and the percentage of allocated addresses!
So to go through the steps one at a time once more for setting this up:
- Designate the in / out interfaces
- Create the DNAT Pool
- Create the ACL defining which hosts can use the pool
- Link the ACL to the pool using the “ip nat inside …” command
One more behavior to note before the end of this article is removing the DNAT pool:
R2(config)#no ip nat pool CCNP
%Pool CCNP in use, cannot destroy
R2(config)#
I’d like to note this is the message on 12.x IOS; the 15.x version of it is similar, and will not let you tear down a dynamic NAT pool unless you clear the translation entries first.
To keep it in my mind, you can’t destroy the pool until the kids are out!
So to get the kids out of your DNAT translation table, the command is as follows:
R2#clear ip nat trans *
R2#sh ip nat trans
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip nat pool CCNP
R2(config)#
Tadaaaaa. So that will be the end of that, onto my last video series for Chris Bryant’s CCNP ROUTE video series, PAT Overload, and I am finished with videos!!! 🙂
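To make the two behaviors this article leans on concrete, the pool-size-versus-kids red flag from the pool configuration and the “pool in use, cannot destroy” rule at the end, here is a small Python model of dynamic NAT allocation. It is an added illustration written for this page, not IOS code or anything from the video series; the class and method names are my own, and the hits / misses / pool-misses counters only approximate the fields “sh ip nat stat” reports.

```python
import ipaddress
# Added illustration, not IOS code: a small model of how an IOS dynamic NAT pool
# hands out inside-global addresses. Class and method names are invented here.

class PoolInUse(Exception):
    """Mirrors IOS refusing 'no ip nat pool' while translations still exist."""

class DynamicNat:
    def __init__(self, pool_name, start, end, acl_permit):
        self.pool_name = pool_name
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.total = len(self.free)
        self.permitted = set(acl_permit)           # standard ACL with host entries
        self.translations = {}                      # inside local -> inside global
        self.hits = self.misses = self.pool_misses = 0

    def translate(self, inside_local):
        """Inside-global address for a packet from inside_local, or None."""
        if inside_local in self.translations:       # existing entry: a 'Hit'
            self.hits += 1
            return self.translations[inside_local]
        if inside_local not in self.permitted:      # ACL deny: never translated
            return None
        self.misses += 1                            # a new entry had to be built
        if not self.free:                           # more kids than pool seats
            self.pool_misses += 1
            return None
        inside_global = self.free.pop(0)            # lowest free address first
        self.translations[inside_local] = inside_global
        return inside_global

    def stats(self):
        """The pool fields that 'sh ip nat stat' reports."""
        allocated = len(self.translations)
        return {"total": self.total, "allocated": allocated,
                "percent": allocated * 100 // max(self.total, 1), "pool_misses": self.pool_misses}

    def clear_translations(self):
        """'clear ip nat trans *': hand every address back to the pool."""
        self.free = sorted(self.free + list(self.translations.values()), key=ipaddress.IPv4Address)
        self.translations.clear()

    def destroy_pool(self):
        """'no ip nat pool <name>': only allowed once the kids are out."""
        if self.translations:
            raise PoolInUse(f"%Pool {self.pool_name} in use, cannot destroy")
        self.free, self.total = [], 0

if __name__ == "__main__":
    nat = DynamicNat("CCNP", "172.12.123.50", "172.12.123.100", ["10.1.1.4", "10.1.1.100"])
    print(nat.translate("10.1.1.100"), nat.translate("10.1.1.4"), nat.stats())
```

With the article’s CCNP pool the second host lands on .51 and the stats line reads allocated 2 (3%), just like the router showed; shrink the pool to two addresses with three hosts permitted and the third host gets no translation at all, which is exactly the exam-day trap.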