Cisco NAT for IPv4
Latest revision as of 16:33, 6 April 2015
Port Forwarding
Port forwarding is a static NAT translation with a specified TCP or UDP port number.
 ip nat inside source {static {tcp | udp} local-ip local-port global-ip global-port} [extendable]
 interface s0/0/0
  ip nat outside
 interface fa0/0
  ip nat inside
- extendable - optional keyword that IOS applies automatically when several ambiguous static translations are configured, an ambiguous translation being one that shares the same local or global address with another entry. It lets the router extend one address to more than one port, so a single global address can forward different ports to different inside hosts. Only the forwarded port is reachable from the outside; a plain static NAT entry (below) exposes every port of the inside host.
NAT overload
A PAT-enabled router keeps a table that maps each inside local address and TCP/UDP port to the single inside global address and a unique TCP/UDP port (for ICMP the echo identifier plays the role of the port). When traffic returns from the public network, the router looks up the destination address and port in that table to find the inside host and original port the packet belongs to; a packet that matches no entry is dropped, which is why an overloaded router does not accept unsolicited inbound connections unless a static (port-forwarding) entry exists.
Static NAT
 Outside (INTERNET)                                        Inside (LOCAL LAN)
 PC1 --- 209.165.200.224/29 --- Gi0/0 [ R1 ] Gi0/1 --- 192.168.4.0/24 --- WebServer
 .230                           .225          .1                          .10

 WebServer: inside local 192.168.4.10/24, inside global 209.165.200.229

 R1(config)# ip nat inside source static 192.168.4.10 209.165.200.229
 R1(config)# interface gi0/0
 R1(config-if)# ip nat outside
 R1(config)# interface gi0/1
 R1(config-if)# ip nat inside
 R1(config)# ip route 0.0.0.0 0.0.0.0 gi0/0
The default route here points at an interface rather than a next hop. On an Ethernet interface that makes R1 ARP for every outside destination and rely on proxy ARP from the far side; outside a lab, give the route a next-hop address instead.
- Verify
Before any translations occur, the static entry is already in the table. Unlike a dynamic entry it never expires and it is not tied to a port, so 192.168.4.10 is reachable from the outside on every service it runs, not only TCP/80; use port forwarding (above) when a single service should be exposed.
 R1# show ip nat translations
 Pro Inside global         Inside local        Outside local          Outside global
 --- 209.165.200.229       192.168.4.10        ---                    ---
Trigger a translation by accessing WebServer at http://209.165.200.229 from PC1. Each TCP connection the browser opens (here source ports 1079 to 1082 on PC1) gets its own extended entry alongside the static one:
 R1# show ip nat translations
 Pro Inside global         Inside local        Outside local          Outside global
 --- 209.165.200.229       192.168.4.10        ---                    ---
 tcp 209.165.200.229:80    192.168.4.10:80     209.165.200.230:1079   209.165.200.230:1079
 tcp 209.165.200.229:80    192.168.4.10:80     209.165.200.230:1080   209.165.200.230:1080
 tcp 209.165.200.229:80    192.168.4.10:80     209.165.200.230:1081   209.165.200.230:1081
 tcp 209.165.200.229:80    192.168.4.10:80     209.165.200.230:1082   209.165.200.230:1082
Dynamic NAT
 R1(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224   ! pool of 15 public IPv4 addresses inside 209.165.200.224/27
 R1(config)# access-list 1 permit 192.168.0.0 0.0.255.255                                    ! inside addresses eligible for translation (all of 192.168.0.0/16)
 R1(config)# ip nat inside source list 1 pool NAT-POOL1                                      ! binds ACL 1 to NAT-POOL1
 R1(config)# interface Gi0/0
 R1(config-if)# ip nat outside
 R1(config)# interface Gi0/1
 R1(config-if)# ip nat inside
Without the overload keyword this is one-to-one: each active inside host holds a pool address until its translation times out, so at most 15 hosts can be outside at the same time and a further host's packets are dropped until an address is freed. The wildcard 0.0.255.255 admits the whole 192.168.0.0/16, which is wider than the 192.168.4.0/24 LAN; tighten it to the real inside subnet (192.168.4.0 0.0.0.255) so that only the intended hosts are translated.
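The following is an added example, not code from the wiki page: a small Python model of what the dynamic NAT configuration above does, so that the wildcard-mask eligibility check, the pool size implied by the start/end/netmask, and the one-to-one allocation and exhaustion behaviour can be exercised without a router. Inside-host addresses used in the scenario are assumed; the pool, netmask and ACL are the page's.

```python
"""Dynamic NAT eligibility and one-to-one pool allocation, modelled in Python.

Added example; not code from the wiki page. It reproduces the effect of
  access-list 1 permit 192.168.0.0 0.0.255.255
  ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
  ip nat inside source list 1 pool NAT-POOL1
without 'overload': each active inside host holds one whole pool address until
its translation expires, and a host that arrives when the pool is empty gets no
translation (IOS drops its packets). Inside-host addresses in scenario() are assumed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def acl_permits(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: 0 bits in the mask must match, 1 bits are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)


def build_pool(start: str, end: str, netmask: str) -> List[str]:
    """Expand 'ip nat pool start end netmask'; every address must be a usable host of the implied subnet."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("pool start address is above its end address")
    subnet = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    usable = set(subnet.hosts())                   # excludes the network and broadcast addresses
    pool = [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
    outside = [str(a) for a in pool if a not in usable]
    if outside:
        raise ValueError(f"pool addresses not usable in {subnet}: {outside}")
    return [str(a) for a in pool]


class DynamicNat:
    """One-to-one dynamic NAT table: inside local -> inside global."""

    def __init__(self, pool: List[str], acl: Tuple[str, str]):
        self.free = list(pool)            # pool addresses still available
        self.acl = acl                    # (address, wildcard) of the 'permit' line
        self.table: Dict[str, str] = {}   # inside local -> inside global
        self.hits = self.misses = self.dropped = 0

    def translate(self, inside_local: str) -> Tuple[str, Optional[str]]:
        """Outbound packet from inside_local; returns (status, inside_global)."""
        if inside_local in self.table:                  # existing entry: a Hit
            self.hits += 1
            return "hit", self.table[inside_local]
        if not acl_permits(inside_local, *self.acl):    # not eligible: routed untranslated
            return "not-eligible", None
        self.misses += 1                                # no entry yet: a Miss, try to create one
        if not self.free:
            self.dropped += 1                           # pool exhausted: packet dropped
            return "pool-exhausted", None
        inside_global = self.free.pop(0)
        self.table[inside_local] = inside_global
        return "allocated", inside_global

    def expire(self, inside_local: str) -> None:
        """Translation timeout (or 'clear ip nat translation *'): the address returns to the pool."""
        self.free.append(self.table.pop(inside_local))


def scenario() -> dict:
    """Constructed traffic (assumed inside hosts) against the page's pool and ACL."""
    pool = build_pool("209.165.200.226", "209.165.200.240", "255.255.255.224")
    nat = DynamicNat(pool, ("192.168.0.0", "0.0.255.255"))
    first = nat.translate("192.168.4.10")
    again = nat.translate("192.168.4.10")
    other_subnet = nat.translate("192.168.99.7")    # wildcard 0.0.255.255 admits all of 192.168.0.0/16
    foreign = nat.translate("10.0.0.5")             # outside the ACL: never translated
    for i in range(11, 24):                          # fill the remaining 13 pool addresses
        nat.translate(f"192.168.4.{i}")
    sixteenth = nat.translate("192.168.4.99")       # one host too many for a 15-address pool
    nat.expire("192.168.4.10")                       # a translation times out ...
    after_expiry = nat.translate("192.168.4.99")    # ... and the waiting host gets its address
    return {"pool_size": len(pool), "first": first, "again": again,
            "other_subnet": other_subnet, "foreign": foreign,
            "sixteenth": sixteenth, "after_expiry": after_expiry,
            "hits": nat.hits, "misses": nat.misses, "dropped": nat.dropped}
```

The pool-exhaustion branch is the operational point: with 15 addresses and no overload, the sixteenth concurrent host is silently cut off until an earlier translation expires, which on a real router shows up as growing Misses with no matching growth in active translations.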
Troubleshooting
I had a problem with a static NAT and suddenly it started working; I'm not sure what it was related to, but I had issued the following commands on R1:
 R1# clear mac-address-table dynamic
 R1# clear arp-cache
- Hits and Misses In IP NAT Statistics
 r1# show ip nat translations
 Pro  Inside global      Inside local       Outside local      Outside global
 icmp 100.0.0.1:3        10.0.0.2:3         100.0.0.2:3        100.0.0.2:3
 r1# show ip nat statistics
 Total active translations: 1 (0 static, 1 dynamic; 1 extended)
 Outside interfaces:
   Serial0/0
 Inside interfaces:
   FastEthernet0/0
 Hits: 3  Misses: 1
 CEF Translated packets: 4, CEF Punted packets: 0
 Expired translations: 0
 Dynamic mappings:
 -- Inside Source
 [Id: 3] access-list 99 interface Serial0/0 refcount 1
 Queued Packets: 0
- Hits - NAT looked for a mapping and found one. Here two ICMP echo requests were sent from 10.0.0.2 to 100.0.0.2, four packets in total (two requests out, two replies back), and every packet consults the table. The first request found no entry (Misses: 1) and created the icmp 100.0.0.1:3 entry; its reply, the second request and the second reply all found that entry (Hits: 3), matching the 4 CEF translated packets. For ICMP the ":3" is the echo identifier, which NAT uses in place of a port.
- Misses - NAT looked for a table entry, did not find one, and had to add one dynamically.
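To tie the port-forwarding section and the Hits/Misses counters together, here is an added example (not code from the wiki page) that models a PAT table in Python: static port-forwarding entries that exist before any traffic, dynamic entries created on the first outbound packet of a flow, the reply lookup on the destination address and port, and the Hits/Misses bookkeeping as the page defines it. It assumes the inside global address is that of the outside interface (209.165.200.229, the page's address); the hosts 192.168.4.20, 192.168.4.50 and 192.168.4.51 and all port numbers are assumed for illustration. IOS port preservation is modelled (keep the inside-local port if it is free on the global address, otherwise pick another); the fallback search starting at 1024 is a simplification of the real port groups.

```python
"""PAT (NAT overload) table with static port-forwarding entries and Hits/Misses counters.

Added example; not code from the wiki page. A packet that finds an entry is a Hit;
an outbound packet that finds none is a Miss and creates one. Static entries
(port forwarding) exist before any traffic and are matched on the inside-global
address:port, so several 'extendable' translations can share one global address on
different ports. Hosts .20/.50/.51 and all ports are assumed; the fallback port
search starting at 1024 is a simplification of IOS port groups.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, TCP/UDP port or ICMP identifier)


@dataclass
class PatTable:
    inside_global_ip: str    # address of the 'ip nat outside' interface (assumed to be the overload address)
    static: Dict[Tuple[str, Endpoint], Endpoint] = field(default_factory=dict)   # (proto, global) -> local
    dyn_out: Dict[Tuple[str, Endpoint], Endpoint] = field(default_factory=dict)  # (proto, local)  -> global
    dyn_in: Dict[Tuple[str, Endpoint], Endpoint] = field(default_factory=dict)   # (proto, global) -> local
    hits: int = 0
    misses: int = 0

    def add_static(self, proto: str, local: Endpoint, global_: Endpoint) -> None:
        """ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port"""
        if (proto, global_) in self.static:          # same global address AND port twice: rejected
            raise ValueError(f"{proto} {global_[0]}:{global_[1]} is already forwarded")
        self.static[(proto, global_)] = local

    def _port_in_use(self, proto: str, port: int) -> bool:
        taken = {g for (p, g) in self.static if p == proto} | {g for (p, g) in self.dyn_in if p == proto}
        return (self.inside_global_ip, port) in taken

    def _next_free(self, proto: str) -> int:
        port = 1024                                   # simplification: real IOS allocates within port groups
        while self._port_in_use(proto, port):
            port += 1
        return port

    def outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """Inside -> outside: returns the inside-global (address, port) the source is rewritten to."""
        for (p, g), local in self.static.items():    # a static entry always wins and counts as a Hit
            if p == proto and local == src:
                self.hits += 1
                return g
        if (proto, src) in self.dyn_out:             # existing dynamic entry: a Hit
            self.hits += 1
            return self.dyn_out[(proto, src)]
        self.misses += 1                              # no entry: a Miss, create one
        port = src[1] if not self._port_in_use(proto, src[1]) else self._next_free(proto)
        g = (self.inside_global_ip, port)
        self.dyn_out[(proto, src)] = g
        self.dyn_in[(proto, g)] = src
        return g

    def inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Outside -> inside: returns the inside-local (address, port), or None when there is no entry (dropped)."""
        for table in (self.static, self.dyn_in):
            if (proto, dst) in table:
                self.hits += 1
                return table[(proto, dst)]
        return None   # unsolicited inbound: no entry can be created for it, so it is not a Miss either


def scenario() -> dict:
    """Constructed traffic against the page's addresses; returns the values worth checking."""
    t = PatTable("209.165.200.229")
    # port forwarding: two ambiguous static translations sharing one global address (extendable)
    t.add_static("tcp", ("192.168.4.10", 80), ("209.165.200.229", 80))
    t.add_static("tcp", ("192.168.4.20", 443), ("209.165.200.229", 443))   # second host is assumed
    # two pings from an inside host: request (Miss, entry created), reply (Hit), request (Hit), reply (Hit)
    for _ in range(2):
        t.outbound("icmp", ("192.168.4.50", 3))       # ":3" is the ICMP identifier, used like a port
        t.inbound("icmp", ("209.165.200.229", 3))
    after_ping = (t.hits, t.misses)
    a = t.outbound("tcp", ("192.168.4.50", 40000))     # free port: preserved
    b = t.outbound("tcp", ("192.168.4.51", 40000))     # same source port from another host: reallocated
    c = t.outbound("tcp", ("192.168.4.51", 80))        # collides with forwarded port 80: reallocated
    return {"after_ping": after_ping, "a": a, "b": b, "c": c,
            "web": t.inbound("tcp", ("209.165.200.229", 80)),          # reaches the forwarded server
            "unsolicited": t.inbound("tcp", ("209.165.200.229", 22))}  # no entry: dropped
```

The two things worth noticing are the inbound path, where only a pre-existing static entry or a dynamic entry created by earlier outbound traffic lets a packet through, and the port collisions, where a second host reusing a source port (or a port already forwarded) is moved to a different global port, which is exactly what the extra columns of `show ip nat translations` record.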
References
- more in Cisco_weird_interfaces#NVI_-_NAT_Virtual_Interface
- Static NAT Packet Tracer example