Category Archives: CCNP – NAT

Port Address Translation (PAT) explained, easy configuration, a brief NVI0 mention, and that's it for the video series!

(Topology diagram: IP_SLA_Tracking_RFC_Eth)

This topology has served me well so far through NAT / PAT so I will stick with it!

Now PAT, also known as NAT overload or Port Address Overload, allows the private addresses of many inside hosts to be translated to a single routable address. The router keeps each flow apart by the Layer 4 source port (or the ICMP identifier for pings): the host's own port is kept where it is still free on the global address and rewritten only on a collision, so one address can serve all of your inside hosts!

You still need “ip nat inside” and “ip nat outside” on your interfaces, but instead of a pool configuration you simply name the outside interface whose address is to be overloaded (you will still need an ACL to define which inside source addresses are allowed to be translated):

R2(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

R2(config)#ip nat inside source list 2 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

R2(config)#ip nat inside source list 2 interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing

R2(config)#ip nat inside source list 2 interface s0/0 ?
  oer         Use with vtemplate only.  On new translation, if OER BR is UP,
              OER will select IP from outgoing Interface.  All packets matching
              translation are forwarded over Interface for duration of
              translation.
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf
  <cr>

R2(config)#ip nat inside source list 2 interface s0/0 overload ?
  oer  Use with vtemplate only.  On new translation, if OER BR is UP, OER will
       select IP from outgoing Interface.  All packets matching translation are
       forwarded over Interface for duration of translation.
  <cr>

R2(config)#ip nat inside source list 2 interface s0/0 overload
R2(config)#

So with the previous ACL in place, I’ll run an extended ping again from R4 and SW1, and check out what we see on R2:

R4(config)#do ping 172.12.123.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASR#6
[Resuming connection 6 to sw1 … ]

SW1#ping 172.12.123.1 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.2:6    10.1.1.4:6         172.12.123.1:6     172.12.123.1:6
icmp 172.12.123.2:2    10.1.1.100:2       172.12.123.1:2     172.12.123.1:2
R2#

This really surprised me, as once we are using overload the pings go right on through. The reason is the inside global address: with overload the translated packets are sourced from R2's own s0/0 address, 172.12.123.2, which R1 already has a Layer 2 mapping for across the NBMA link, instead of from a pool or static address that R1 cannot encapsulate its replies to (the “encapsulation failed” messages in the Static NAT debug).
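To make the port / identifier bookkeeping concrete, here is a small Python model of an overloaded translation table. It is an added example written for this post, not IOS code; the class and method names and the rule of handing out spare ports from 1024 upward on a collision are assumptions of the model, and the traffic (three inside hosts pinging R1 through R2's s0/0 address, two of them using the same ICMP identifier) is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    proto: str           # "tcp", "udp" or "icmp"
    inside_local: str    # private source address, e.g. 10.1.1.4
    inside_port: int     # L4 source port; for ICMP, the echo identifier
    inside_global: str   # the one overloaded address (R2's s0/0, 172.12.123.2)
    global_port: int     # port / identifier as it appears on the outside
    outside_global: str  # the outside host being talked to


class PatTable:
    """Translation table for a single overloaded inside-global address.
    Hypothetical model of IOS behaviour written for this post, not IOS code."""

    def __init__(self, inside_global: str, first_spare_port: int = 1024) -> None:
        self.inside_global = inside_global
        self.first_spare_port = first_spare_port          # assumption of the model
        self._by_inside: Dict[Tuple[str, str, int, str], Entry] = {}
        self._by_global: Dict[Tuple[str, int], Entry] = {}

    def translate_outbound(self, proto: str, inside_local: str,
                           inside_port: int, outside_global: str) -> Entry:
        key = (proto, inside_local, inside_port, outside_global)
        if key in self._by_inside:
            return self._by_inside[key]          # existing flow: reuse its entry
        # Keep the host's own port/identifier while it is still unused on the
        # global address; only on a collision hand out a different one.  Ports
        # are kept unique per (proto, global address), a conservative choice
        # that never produces ambiguous return traffic.
        global_port = inside_port
        if (proto, global_port) in self._by_global:
            global_port = self.first_spare_port
            while (proto, global_port) in self._by_global:
                global_port += 1
        entry = Entry(proto, inside_local, inside_port,
                      self.inside_global, global_port, outside_global)
        self._by_inside[key] = entry
        self._by_global[(proto, global_port)] = entry
        return entry

    def translate_inbound(self, proto: str, global_port: int) -> Optional[Entry]:
        """Return traffic arriving for inside_global:global_port.  No entry means
        nobody inside initiated it, so the router has nowhere to deliver it."""
        return self._by_global.get((proto, global_port))

    def rows(self):
        """The columns of 'show ip nat translations' for the live entries."""
        return [(e.proto,
                 f"{e.inside_global}:{e.global_port}",
                 f"{e.inside_local}:{e.inside_port}",
                 f"{e.outside_global}:{e.global_port}",
                 f"{e.outside_global}:{e.global_port}")
                for e in self._by_inside.values()]


def demo():
    """Constructed traffic: R4 (10.1.1.4), SW1 (10.1.1.100) and a third host
    10.1.1.200 all ping R1 (172.12.123.1) through R2's s0/0 address.  R4 and
    the third host happen to use the same ICMP identifier, 6."""
    pat = PatTable("172.12.123.2")
    r4 = pat.translate_outbound("icmp", "10.1.1.4", 6, "172.12.123.1")
    sw1 = pat.translate_outbound("icmp", "10.1.1.100", 2, "172.12.123.1")
    third = pat.translate_outbound("icmp", "10.1.1.200", 6, "172.12.123.1")
    return pat, r4, sw1, third


if __name__ == "__main__":
    table, *_ = demo()
    for row in table.rows():
        print("  ".join(row))
```

The third host's echo keeps its identifier 6 on the inside but leaves R2 as identifier 1024, and a reply for an identifier nobody inside is using has no entry and is dropped, which is the implicit inbound filtering that overload gives you for free.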

Again you can use “sh ip nat stat” here to verify what you have cooking for NAT:

R2#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 4766  Misses: 6
CEF Translated packets: 4772, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 2 interface Serial0/0 refcount 0
Queued Packets: 0
R2#

Inside and outside interfaces, the number of active translations (zero here because the ICMP entries have already timed out; note the 5 expired translations), and the “access-list 2 interface Serial0/0” mapping that shows we are indeed overloading the serial interface address. It is an overall great starting point for troubleshooting NAT / PAT.

Now, quickly, about NVI0: it stands for “NAT Virtual Interface 0” and is created automatically the first time NAT is enabled on the router. It does not affect the classic inside / outside NAT shown here; it is the interface used by NVI-based NAT (“ip nat enable” on an interface instead of “ip nat inside” / “ip nat outside”, which does away with the inside / outside distinction), and that is beyond the scope of CCNP ROUTE so I won't go into more detail here.

AAAAAAND THAT DOES IT FOR CHRIS BRYANT'S ROUTE VIDEO SERIES! I already have a pretty good start on the ebook, and will be spending the next week and a half reading and labbing as much as possible up to the day before the exam. Then, as it's said, the die is cast and I am going to just loosen up for the ROUTE the following day.

I’ll continue to post other things worth noting along the way pertinent to ROUTE, until 4/28, at which point after a short break it will be SWITCH posts!

Dynamic NAT (DNAT) configuration, explanations along the way, verification commands, and important info for exam day!

(Topology diagram: IP_SLA_Tracking_RFC_Eth)

Once again I will be using R2 as our Dynamic NAT router for the Ethernet network. The fundamentals are that it operates much like Static NAT, except that instead of fixed one-to-one statements we configure a pool of routable “inside global” addresses, and each “inside local” address that needs translation borrows one from the pool as needed, for as long as its translation lives.

Now for the configuration, here is a list, in order, of what to configure:

  • NAT in and out on the proper interfaces
  • Defining the NAT pool of inside global (routable) addresses available for use
  • An ACL to narrow down who may use the pool for Dynamic NAT mappings
  • Applying the ACL to the “ip nat inside source… ” configuration

So I've left fa0/0 as the “ip nat inside” interface with the NBMA S0/0 interface as “ip nat outside”, and let's first configure the pool:

R2(config)#ip nat ?
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  service            Special translation for application using non-standard
                     port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration

R2(config)#ip nat pool ?
  WORD  Pool name

R2(config)#ip nat pool CCNP ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

R2(config)#ip nat pool CCNP 172.12.123.50 ?
  A.B.C.D  End IP address

R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

R2(config)#ip nat pool CCNP 172.12.123.50 172.12.123.100 netmask ?
  A.B.C.D  Network mask

R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0 ?
  accounting  Specify the accounting
  add-route   Add special route to Virtual Interface
  arp-ping    WLAN ARP Ping
  type        Specify the pool type
  <cr>

R2(config)#$ CCNP 172.12.123.50 172.12.123.100 netmask 255.255.255.0
R2(config)#

That line specifies 172.12.123.50-100 on the subnet 172.12.123.0/24 as the pool, 51 addresses in all. Pool size versus the number of kids allowed in the pool should be a red flag on exam day: without overload each inside host holds one pool address for the life of its translation, so once more permitted hosts than that are active the pool is exhausted and the extra hosts get no translation. Now to configure the access-list of kids in my pool that can use it.

  • Note we use a ‘netmask’ on the pool config and not a wildcard mask; those are coming up in the ACLs!
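To see why pool size matters, here is a Python model of a dynamic pool, added for this post and not IOS code. The class and method names are the example's own, the pool is deliberately shrunk to three addresses so exhaustion shows up after three hosts, and the hosts are constructed; the “pool in use, cannot destroy” refusal and the rounded-down allocated percentage mirror the IOS messages shown in this post.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class DynamicNatPool:
    """One-to-one dynamic NAT: an inside host the ACL permits borrows a free
    inside-global address from the pool for as long as its translation lives.
    Hypothetical model written for this post, not IOS code."""

    def __init__(self, name: str, start: str, end: str, permitted: List[str]) -> None:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.name = name
        self.free: List[str] = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.permitted = set(permitted)       # what the 'ip nat inside source list' ACL matches
        self.table: Dict[str, str] = {}       # inside local -> inside global
        self.misses = 0                       # packets that found the pool empty

    @property
    def total(self) -> int:
        return len(self.free) + len(self.table)

    @property
    def allocated_percent(self) -> int:
        # IOS rounds down: 2 of 51 shows as "allocated 2 (3%)"
        return len(self.table) * 100 // self.total

    def translate(self, inside_local: str) -> Tuple[str, Optional[str]]:
        """Outbound packet from inside_local.  Returns (what happened, global address)."""
        if inside_local not in self.permitted:
            return "untranslated", None        # ACL miss: forwarded with its private source
        if inside_local in self.table:
            return "translated", self.table[inside_local]
        if not self.free:
            self.misses += 1
            return "dropped", None             # pool exhausted: no address, packet dropped
        inside_global = self.free.pop(0)       # lowest free address first
        self.table[inside_local] = inside_global
        return "translated", inside_global

    def clear_translations(self) -> None:
        """'clear ip nat translation *': every borrowed address goes back to the pool."""
        self.free = sorted(self.free + list(self.table.values()),
                           key=lambda a: int(ipaddress.IPv4Address(a)))
        self.table.clear()

    def destroy(self) -> None:
        """'no ip nat pool NAME': refused while any translation still references the pool."""
        if self.table:
            raise RuntimeError(f"%Pool {self.name} in use, cannot destroy")
        self.free = []


def demo():
    """Constructed scenario: a deliberately tiny three-address pool, four
    permitted hosts and one host the ACL does not match."""
    pool = DynamicNatPool("CCNP", "172.12.123.50", "172.12.123.52",
                          permitted=["10.1.1.4", "10.1.1.100", "10.1.1.5", "10.1.1.6"])
    results = [pool.translate(h) for h in
               ("10.1.1.100", "10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.4")]
    return pool, results


if __name__ == "__main__":
    p, rs = demo()
    for host, r in zip(("10.1.1.100", "10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.4"), rs):
        print(host, r)
    print(f"allocated {len(p.table)} ({p.allocated_percent}%), misses {p.misses}")
```

The fourth permitted host is dropped and counts as a miss, the unpermitted host is forwarded untranslated, a repeat packet from an already-translated host reuses its entry, and the pool cannot be removed until the translations are cleared.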

Now to configure a little access-list for SW1 and R4 to take a dip in the DNAT pool:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 2 permit 10.1.1.4
R2(config)#access-list 2 permit 10.1.1.100

Now to tie that ACL into the DNAT Pool to define which hosts may access it:

R2(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

R2(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

R2(config)#ip nat inside source list 2 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

R2(config)#ip nat inside source list 2 pool ?
  WORD  Pool name for global addresses

R2(config)#ip nat inside source list 2 pool CCNP ?
  mapping-id  Associate a mapping id to this mapping
  oer         Use with vtemplate only.  On new translation, if OER BR is UP,
              OER will select IP from outgoing Interface.  All packets matching
              translation are forwarded over Interface for duration of
              translation.
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf
  <cr>

R2(config)#ip nat inside source list 2 pool CCNP
R2(config)#

We see NAT overload there and start grinding our teeth, but not yet, not just yet. Note also that the access-list range <1-2699> means we can use a pretty wide range of ACLs, standard, extended and the expanded-range numbers, or a named list.

So at this point Dynamic NAT should be set up; time for testing and verification!

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.50:1   10.1.1.100:1       172.12.123.1:1     172.12.123.1:1
---  172.12.123.50     10.1.1.100         ---                ---

The number after the colon on the icmp line, :1 here, is now solved: ICMP has no ports, so IOS uses the ICMP identifier from the echo request in place of a port. It stays the same for every packet of one ping session, and a new ping session gets a new identifier, which is how two pings from the same host are told apart.

So why isn’t R4 getting in on this:

R4#sh ip route

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, FastEthernet0/0
L        10.1.1.4/32 is directly connected, FastEthernet0/0
R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 172.12.123.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
......
Success rate is 0 percent (0/6)

Ahhhhh, the “ip route …” I set on R4 for 172.12.123.0/24 pointed at 172.12.123.2 as the next hop, which is not on any of R4's connected networks, so the route never made it into the table above (there is no static route in that output at all). After pointing it at R2's Ethernet address and verifying on R2, here is what we see:

R4(config)#no ip route 172.12.123.0 255.255.255.0 172.12.123.2
R4(config)#ip route 172.12.123.0 255.255.255.0 10.1.1.2
R4(config)#do ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.
ASR#2
[Resuming connection 2 to r2 … ]

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.51:5   10.1.1.4:5         172.12.123.1:5     172.12.123.1:5
---  172.12.123.51     10.1.1.4           ---                ---
icmp 172.12.123.50:1   10.1.1.100:1       172.12.123.1:1     172.12.123.1:1
---  172.12.123.50     10.1.1.100         ---                ---
R2(config)#

The icmp identifier numbers turned out not to be incrementing per packet: the identifier is fixed for one ping session (the :5 here is R4's current ping, the :1 is SW1's), and it only changes when a new ping session starts. A small detail, but it explains what the table shows.

So now we have both addresses translated and bugging R1, and I will spare the output, but both translated addresses are hitting it and R1 is logging the same “encapsulation failed” message for its replies that we saw in the Static NAT debug.

***A VERY GOOD SHOW COMMAND FOR NAT IS “SH IP NAT STAT”, AS SHOWN***

R2#sh ip nat stat
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 479  Misses: 2
CEF Translated packets: 481, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 2 pool CCNP refcount 3
 pool CCNP: netmask 255.255.255.0
        start 172.12.123.50 end 172.12.123.100
        type generic, total addresses 51, allocated 2 (3%), misses 0
Queued Packets: 0
R2#

Interfaces configured with NAT inside / outside, the number of translations, the pool size, the ACL it references and the pool name itself, the percentage of allocated addresses: it has it all!
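Because that output is the first thing to check, here is a Python parser for it with the sanity checks a practitioner would want: are both an inside and an outside interface present, is there a mapping at all, does the pool range really hold as many addresses as IOS reports, and is the pool exhausted or refusing hosts. It is added for this post, not a Cisco tool; the regular expressions are written against the exact layout of the R2 output above (12.x IOS), so other releases may need tweaking, and the sample text is constructed from that output.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of 'show ip nat statistics', with the
# values from the R2 output above.
SAMPLE = """\
Total active translations: 3 (0 static, 3 dynamic; 1 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 479  Misses: 2
CEF Translated packets: 481, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 2 pool CCNP refcount 3
 pool CCNP: netmask 255.255.255.0
        start 172.12.123.50 end 172.12.123.100
        type generic, total addresses 51, allocated 2 (3%), misses 0
Queued Packets: 0
"""


@dataclass
class Pool:
    name: str
    start: str
    end: str
    total: int
    allocated: int
    misses: int


@dataclass
class NatStats:
    active: int = 0
    static: int = 0
    dynamic: int = 0
    extended: int = 0
    outside_ifs: List[str] = field(default_factory=list)
    inside_ifs: List[str] = field(default_factory=list)
    hits: int = 0
    misses: int = 0
    mappings: List[str] = field(default_factory=list)   # the '[Id: n] ...' lines
    pools: List[Pool] = field(default_factory=list)


_TOTAL = re.compile(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)")
_HITS = re.compile(r"Hits: (\d+)\s+Misses: (\d+)")
_MAPPING = re.compile(r"\[Id: \d+\] access-list \S+ (?:pool|interface) \S+ refcount \d+")
_POOL = re.compile(r"\s*pool (\S+): netmask \S+")
_RANGE = re.compile(r"\s*start (\S+) end (\S+)")
_USAGE = re.compile(r"\s*type \w+, total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)")


def parse_nat_stats(text: str) -> NatStats:
    s = NatStats()
    section: Optional[str] = None      # which interface list we are inside
    pool: dict = {}                    # pool being assembled from its three lines
    for line in text.splitlines():
        if not line.startswith(" "):
            section = None             # indented lines belong to the last header
        if line.startswith("Outside interfaces:"):
            section = "outside"
        elif line.startswith("Inside interfaces:"):
            section = "inside"
        elif section == "outside":
            s.outside_ifs.append(line.strip())
        elif section == "inside":
            s.inside_ifs.append(line.strip())
        elif (m := _TOTAL.match(line)):
            s.active, s.static, s.dynamic, s.extended = map(int, m.groups())
        elif (m := _HITS.match(line)):
            s.hits, s.misses = int(m.group(1)), int(m.group(2))
        elif _MAPPING.match(line):
            s.mappings.append(line.strip())
        elif (m := _POOL.match(line)):
            pool = {"name": m.group(1)}
        elif (m := _RANGE.match(line)):
            pool.update(start=m.group(1), end=m.group(2))
        elif (m := _USAGE.match(line)):
            total, allocated, misses = map(int, m.groups())
            s.pools.append(Pool(pool["name"], pool["start"], pool["end"], total, allocated, misses))
            pool = {}
    return s


def check(s: NatStats) -> List[str]:
    """The things to look at first when NAT 'does not work'."""
    problems = []
    if not s.inside_ifs:
        problems.append("no interface carries 'ip nat inside'")
    if not s.outside_ifs:
        problems.append("no interface carries 'ip nat outside'")
    if not s.mappings:
        problems.append("no 'ip nat inside source' mapping configured")
    for p in s.pools:
        size = int(ipaddress.IPv4Address(p.end)) - int(ipaddress.IPv4Address(p.start)) + 1
        if size != p.total:
            problems.append(f"pool {p.name}: range holds {size} addresses but IOS reports {p.total}")
        if p.allocated >= p.total:
            problems.append(f"pool {p.name}: exhausted ({p.allocated}/{p.total} allocated)")
        if p.misses:
            problems.append(f"pool {p.name}: {p.misses} misses, hosts were refused an address")
    return problems


if __name__ == "__main__":
    stats = parse_nat_stats(SAMPLE)
    print(stats)
    print(check(stats) or "no problems found")
```

On the R2 output the checks come back clean; feed it a capture with an empty inside-interface list or a pool at 100% and the list names the problem, which is quicker than eyeballing the output at 2am.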

So to go through the steps one at a time once more for setting this up

  • Designate the in / out interfaces
  • Create the DNAT Pool
  • Create the ACL allowing which hosts can use pool
  • Link ACL to pool using “ip nat inside …” command

One more behavior to note before the end of this article, is removing the DNAT pool:

R2(config)#no ip nat pool CCNP
%Pool CCNP in use, cannot destroy
R2(config)#

I'd like to note this is the message on 12.x IOS; the 15.x version of it is similar, and will not let you tear down a dynamic NAT pool unless you clear the entries.

To keep it in my mind, you can’t destroy the pool until the kids are out!

So to get the kids out of your DNAT translation table, the command is as follows:

R2#clear ip nat trans *
R2#sh ip nat trans

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip nat pool CCNP
R2(config)#

Tadaaaaa. So that will be the end of that. On to my last video of Chris Bryant's CCNP ROUTE video series, PAT / NAT Overload, and I am finished with the videos!!! 🙂

RFC 1918 Range refresher, NAT Terminology, Static NAT fundamentals, configuration, and demo of SNAT in use!

(Topology diagram: IP_SLA_Tracking_RFC_Eth)

I will use the IP SLA Track lab Topology to use SW1 as a host to perform the NAT on R2, however I have given the Ethernet segment a sub-network makeover!

So to preface this I thought it was a good idea just to throw up the RFC 1918 IP address ranges, as they are easy to forget when you took your CCNA when dinosaurs roamed the internet:

RFC 1918 ranges:

10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
192.168.0.0/16 (192.168.0.0 to 192.168.255.255)

That being said, NAT is no different today than it was in your CCNA studies, but here is a quick reminder of the terminology of address types:

  • Inside Local = the inside host's real (private, RFC 1918) address, as seen on the inside network
  • Inside Global = the inside host's routable address as seen on the outside network, i.e. what it is translated to
  • Outside Local = an outside host's address as it appears to the inside network
  • Outside Global = an outside host's real, routable address as seen on the outside network

The terms “inside” and “outside” are about where the host lives: inside hosts are on the network being translated, outside hosts are on the far side of the NAT router. If you are on the LAN being translated, yours is the “inside” network; a network admin on the remote LAN would consider your LAN an “outside” network from their perspective.

“Local” and “global” refer to which side of the router the address is seen from: a local address is the form used on the inside network, a global address is the form used on the outside network, which for the inside hosts means taking an RFC 1918 address and translating it to a routable address.

The private address is never seen on the outside of the network, and the local host has no idea that NAT has occurred; it is totally transparent except on the NAT router itself. That router stores the NAT mappings of “inside local” to “inside global” addresses, and when packets come back addressed to the “inside global” address it checks the NAT table for the matching “inside local” address and forwards them accordingly.

Static NAT (SNAT)

Static NAT is only appropriate if you have very few hosts that need a fixed, predictable address, such as web-facing servers, because it requires a one-to-one mapping of “inside local” to “inside global” addresses (meaning your company will need a larger IP block from the ISP to accommodate each entry needed).

NAT mappings go on the router at the boundary between the inside hosts and the outside network, closest to the hosts being translated.

Now to configure Static NAT, the best place to start is assigning the appropriate interfaces with NAT, as that is the easiest part of the config to overlook while troubleshooting:

R2(config)#int fa0/0
R2(config-if)#ip nat inside
*Mar 30 20:46:38.938: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#
R2(config-if)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.2        YES manual up                    up
Serial0/0                  172.12.123.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      NO  unset  up                    up <-- Whaaat?
Loopback2                  2.2.2.2         YES NVRAM  up                    up
R2(config-if)#
R2(config-if)#int s0/0
R2(config-if)#ip nat out
R2(config-if)#

So two strange things here: I had not seen that NVI0 interface appear when configuring “ip nat inside” on an interface (to the point that it creates a new logical interface), and also the “ip nat outside” on the serial interface went through without a hiccup.

From what I researched briefly, the NVI0 interface is created so NAT can translate addresses between different VRF domains, and that is a can of worms I am not opening tonight. So on with the configuration I proceed.

So now to actually configure the NAT statement itself:

R2(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

R2(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

R2(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R2(config)#ip nat inside source static 10.1.1.100 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

R2(config)#ip nat inside source static 10.1.1.100 172.12.123.100 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>

R2(config)#ip nat inside source static 10.1.1.100 172.12.123.100
R2(config)#

As you can see there are a variety of options, but as this is a static mapping I used the static keyword instead of an ACL or route-map to define the addresses. I am using SW1 (10.1.1.100) as my “inside local” host, and I chose 172.12.123.100 as the “inside global” address since the NBMA segment is a /24 address space. It is important to understand that in the real world 1:1 static NATs require larger IP blocks, which cost your employer more money per block, so plan carefully!

To verify your NAT mappings, use command “sh ip nat translation” :

R2#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
---  172.12.123.100     10.1.1.100         ---                ---
R2#

Now to test the NAT to see if it works! Lots of output here, I will try to separate it to make sense:

SW1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
SW1(config)#do sh ip route

Gateway of last resort is 10.1.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.1.1.2

Verified the default route points at my NAT router:
SW1#ping 172.12.123.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#

It is not responding correctly, so I run “debug ip pack” on R1 to see if the packets are even arriving on its S0/0 interface:

R1#debug ip pack
IP packet debugging is on
R1#
ASR#6
[Resuming connection 6 to sw1 … ]

SW1#ping 172.12.123.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.
ASR#1
[Resuming connection 1 to r1 … ]

*Mar 31 17:52:23.863: IP: tableid=0, s=172.12.123.100 (Serial0/0), d=172.12.123.1 (Serial0/0), routed via RIB
*Mar 31 17:52:23.863: IP: s=172.12.123.100 (Serial0/0), d=172.12.123.1 (Serial0/0), len 100, rcvd 3
*Mar 31 17:52:23.863: IP: tableid=0, s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), routed via RIB
*Mar 31 17:52:23.863: IP: s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), len 100, sending
*Mar 31 17:52:23.867: IP: s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), len 100, encapsulation failed
R1#
*Mar 31 17:52:25.862: IP: tableid=0, s=172.12.123.100 (Serial0/0), d=172.12.123.1 (Serial0/0), routed via RIB
*Mar 31 17:52:25.866: IP: s=172.12.123.100 (Serial0/0), d=172.12.123.1 (Serial0/0), len 100, rcvd 3
*Mar 31 17:52:25.866: IP: tableid=0, s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), routed via RIB
*Mar 31 17:52:25.866: IP: s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), len 100, sending
*Mar 31 17:52:25.866: IP: s=172.12.123.1 (local), d=172.12.123.100 (Serial0/0), len 100, encapsulation failed

So this debug shows the Static NAT is definitely working: R1 receives the echo requests with a source of 172.12.123.100 and sends its replies back to 172.12.123.100, but those replies fail with “encapsulation failed” on Serial0/0. On an NBMA interface that message typically means R1 has no Layer 2 mapping (such as a Frame Relay map) for 172.12.123.100, so the translation is correct but the return path across the NBMA is not, and that is something I just do not care to troubleshoot this late / early.

Lets see if the translation table looks any different for SNAT, I think it only really gets interesting when using Dynamic NAT.

So I'm going to repeat 10,000 pings to 172.12.123.1 from SW1 and look at R2's NAT table to see if it changes at all from what we saw above:

SW1#ping 172.12.123.1 repeat 10000

Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
.
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.100:4  10.1.1.100:4       172.12.123.1:4     172.12.123.1:4
---  172.12.123.100     10.1.1.100         ---                ---
R2#

So from this, when there is no traffic flowing through a Static NAT the table shows only the plain one-to-one entry, with the outside columns empty; while traffic is flowing an extra “extended” entry per flow appears above it, showing the outside local / global addresses of the destination host.

So now I can tell that the left column is the protocol. The :4 is not a port: ICMP has no ports, so IOS records the ICMP identifier of the echo in that position instead, which is what lets it tell separate pings apart. Real port numbers only come into play once we get to PAT (Port Address Translation) or “Port Overload”.
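Here is a Python reader for “show ip nat translations” that separates the plain one-to-one entries from the extended per-flow entries and labels each inside global address accordingly. It is added for this post, not a Cisco tool; the sample rows are constructed from the R2 tables shown in these posts, and the classification rule (plain entry without flows = idle 1:1 mapping, plain plus flows = 1:1 mapping in use, flows without any plain entry = overload) follows what those tables show for static, dynamic and PAT.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of 'show ip nat translations', built from
# the R2 tables in these posts: a static 1:1 entry with a live ping, a dynamic
# 1:1 entry that is idle, and two overloaded (PAT) entries on the s0/0 address.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.12.123.100:4  10.1.1.100:4       172.12.123.1:4     172.12.123.1:4
--- 172.12.123.100     10.1.1.100         ---                ---
--- 172.12.123.51      10.1.1.4           ---                ---
icmp 172.12.123.2:6    10.1.1.4:6         172.12.123.1:6     172.12.123.1:6
icmp 172.12.123.2:2    10.1.1.100:2       172.12.123.1:2     172.12.123.1:2
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]        # None for a plain (address-only) entry
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]
    port: Optional[int]         # L4 port, or the ICMP identifier for icmp entries


def _addr(field: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'a.b.c.d:port' into (address, port); '---' means no value."""
    if field == "---":
        return None, None
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_translations(text: str) -> List[Translation]:
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue                                    # header or stray line
        proto = None if parts[0] == "---" else parts[0]
        inside_global, port = _addr(parts[1])
        inside_local, _ = _addr(parts[2])
        outside_local, _ = _addr(parts[3])
        outside_global, _ = _addr(parts[4])
        entries.append(Translation(proto, inside_global, inside_local,
                                   outside_local, outside_global, port))
    return entries


def classify(entries: List[Translation]) -> Dict[str, str]:
    """Per inside-global address: a plain entry with no flows is a 1:1 mapping
    (static or dynamic) sitting idle; plain plus flows is a 1:1 mapping in use;
    flows with no plain entry only occur with overload (PAT)."""
    plain = {e.inside_global for e in entries if e.proto is None}
    flows: Dict[str, int] = {}
    for e in entries:
        if e.proto is not None:
            flows[e.inside_global] = flows.get(e.inside_global, 0) + 1
    result = {}
    for ig in plain | set(flows):
        n = flows.get(ig, 0)
        if ig in plain:
            result[ig] = "one-to-one, idle" if n == 0 else f"one-to-one, {n} active flow(s)"
        else:
            result[ig] = f"overload (PAT), {n} active flow(s)"
    return result


if __name__ == "__main__":
    for ig, kind in sorted(classify(parse_translations(SAMPLE)).items()):
        print(f"{ig:18} {kind}")
```

Run against a real capture it tells you at a glance which mappings exist because you configured them (static), which exist because a host borrowed a pool address, and which addresses are being overloaded, without counting dashes by hand.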

However, that is Static NAT in a nutshell; even though I didn't get full L3 connectivity across the NBMA I did get it to translate, and at 2am on a work night that's all that matters 🙂