Cisco CCNA NAT Configuration
NAT = Network address translation
Remember the private IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
The goal is to translate your private IP addresses to public addresses so that your internal users can access the internet.
There are two kinds of NAT:
1) Dynamic NAT – use it when your private network needs to go out to the internet. It comes in two forms:
- Suppose you have 6 private addresses and the ISP gives you 6 public addresses; then all six users can go out to the internet.
- Suppose you have 62 private addresses and the ISP gives you only 6 public addresses; in this case you must use the keyword “OVERLOAD”. This concept is called PAT (Port Address Translation).
2) Static NAT – use it when people on the internet need to reach your web server, which is located in your private LAN at 10.10.10.1; in this case you need to use static NAT.
Here is my lab on NAT/PAT:
The ISP has given me 6 public addresses: 198.18.151.97, .98, .99, .100, .101, .102 with subnet mask /29
/29 = 255.255.255.248 (last octet .11111000)
And I have 62 internal IP addresses that need to go to the internet:
192.168.91.65 - 192.168.91.126 with mask /26 = 255.255.255.192 (last octet .11000000)
Step 1) Define the pool of inside global addresses (public addresses) that the inside local addresses will be translated to.
Hint: always start with ip nat ?
R1#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat ?
inside Inside address translation
outside Outside address translation
pool Define pool of addresses
R1(config)#ip nat poo
R1(config)#ip nat pool ?
WORD Pool name
R1(config)#ip nat pool CCNA ?
A.B.C.D Start IP address
R1(config)#ip nat pool CCNA 198.18.151.97 ?
A.B.C.D End IP address
R1(config)#ip nat pool CCNA 198.18.151.97 198.18.151.102 ?
netmask Specify the network mask
R1(config)#ip nat pool CCNA 198.18.151.97 198.18.151.102 net
R1(config)#ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask ?
A.B.C.D Network mask
R1(config)#ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248 ?
<cr>
R1(config)#ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
R1(config)#
Here is my show run:
Hint: any time you see the word POOL, it tells you that these are PUBLIC IP addresses.
Step 2) Define the source of the inside local addresses and bind it to the pool CCNA defined in Step 1.
Hint: ip nat ?
R1#
R1#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat ?
inside Inside address translation
outside Outside address translation
pool Define pool of addresses
R1(config)#ip nat
% Incomplete command.
R1(config)#ip nat ins
R1(config)#ip nat inside ?
source Source address translation
R1(config)#ip nat inside sou
R1(config)#ip nat inside source ?
list Specify access list describing local addresses
static Specify static local->global mapping
R1(config)#ip nat inside source list ?
<1-199> Access list number for local addresses
WORD Access list name for local addresses
R1(config)#ip nat inside source list 1 ?
interface Specify interface for global address
pool Name pool of global addresses
R1(config)#ip nat inside source list 1 poo
R1(config)#ip nat inside source list 1 pool ?
WORD Name pool of global addresses
R1(config)#ip nat inside source list 1 pool CCNA ?
overload Overload an address translation
<cr>
R1(config)#ip nat inside source list 1 pool CCNA ove
R1(config)#ip nat inside source list 1 pool CCNA overload ?
<cr>
R1(config)#ip nat inside source list 1 pool CCNA overload
Hint: if the ISP has given you a single IP address, then after list 1 I will use interface s0/0 instead of a pool.
Hint: when you see the word LIST, it tells you that I need ACL 1 to define my local addresses.
Step 3) Now define your ACL 1
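Hint: I have /26, so subtract the subnet mask from 255.255.255.255:
  255.255.255.255
- 255.255.255.192
  ---------------
  0.0.0.63 as the wildcard mask
R1(config)# access-list 1 permit 192.168.91.64 0.0.0.63
(192.168.91.64 = subnet ID, 0.0.0.63 = wildcard mask)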
R1(config)#
R1(config)#acc
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 1 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 1 permi
R1(config)#access-list 1 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 1 permit 192.168.91.69 0.0.0.63
Here I intentionally put in the wrong subnet ID, but IOS will fix it for me:
Here is my show run:
ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
ip nat inside source list 1 pool CCNA overload
ip classless
!
!
access-list 1 permit 192.168.91.64 0.0.0.63
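The wildcard arithmetic from Step 3, and the way IOS stores 192.168.91.69 0.0.0.63 as 192.168.91.64 0.0.0.63, worked through in Python. This is an added example, not part of the original lab; the function names and the sample hosts are made up for illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_mask(netmask):
    """255.255.255.255 minus the subnet mask, as in Step 3."""
    return to_dotted(0xFFFFFFFF - to_int(netmask))

def normalize(address, wildcard):
    """Clear every 'don't care' bit, which is how the entry appears in show run."""
    return to_dotted(to_int(address) & ~to_int(wildcard) & 0xFFFFFFFF)

def acl_permits(source, address, wildcard):
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(source) & care) == (to_int(address) & care)

def translated_hosts(hosts, acl):
    """Return the hosts permitted by any (address, wildcard) entry of the ACL."""
    return [h for h in hosts if any(acl_permits(h, a, w) for a, w in acl)]

# ACL 1 exactly as typed in the lab, with the deliberately wrong subnet ID
ACL_1 = [("192.168.91.69", "0.0.0.63")]
# Constructed sample sources: first and last inside host, a host in the
# neighbouring /26, and a host on the second LAN added later on this page
SAMPLE_HOSTS = ["192.168.91.65", "192.168.91.126", "192.168.91.130", "10.10.10.7"]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))
    print(normalize("192.168.91.69", "0.0.0.63"))
    # Only the two hosts in 192.168.91.64/26 are selected for translation
    print(translated_hosts(SAMPLE_HOSTS, ACL_1))
    # With the second permit line, the 10.10.10.0/24 host is selected too
    print(translated_hosts(SAMPLE_HOSTS, ACL_1 + [("10.10.10.0", "0.0.0.255")]))
```

Because the wildcard bits are ignored in the comparison, the mistyped .69 entry matches exactly the same hosts as .64, which is why IOS can safely rewrite it.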
Step 4) Tell the router which side is inside and which side is outside. Make sure you are under the interface and give:
int f0/0
ip nat inside
int s0/0
ip nat outside
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip nat
R1(config-if)#ip nat ?
inside Inside interface for address translation
outside Outside interface for address translation
R1(config-if)#ip nat ins
R1(config-if)#ip nat inside
R1(config-if)#
R1(config-if)#
R1(config-if)#int s0/0
R1(config-if)#ip nat ?
inside Inside interface for address translation
outside Outside interface for address translation
R1(config-if)#ip nat out
R1(config-if)#ip nat outside
Now let’s look at show run:
interface FastEthernet0/0
ip address 192.168.91.126 255.255.255.192
ip nat inside
duplex auto
speed auto
!
!
interface Serial0/0
ip address 192.0.1.109 255.255.255.252
ip nat outside
clock rate 64000
ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
ip nat inside source list 1 pool CCNA overload
ip classless
!
!
access-list 1 permit 192.168.91.64 0.0.0.63
The last two steps are done to check and make sure life is good:
Step 5) Make sure your router has a default route to the ISP.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#ip route 0.0.0.0 0.0.0.0 ?
A.B.C.D Forwarding router’s address
Ethernet IEEE 802.3
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Loopback Loopback interface
Null Null interface
Serial Serial
R1(config)#ip route 0.0.0.0 0.0.0.0 192.0.1.110
Step 6) Make sure the ISP knows your network, so the ISP will need a static route back to your network.
ISP#
ISP#config t
Enter configuration commands, one per line. End with CNTL/Z.
ISP(config)#ip route ?
A.B.C.D Destination prefix
ISP(config)#ip route 198.18.151.96 ?
A.B.C.D Destination prefix mask
ISP(config)#ip route 198.18.151.96 255.255.255.248 ?
A.B.C.D Forwarding router’s address
Ethernet IEEE 802.3
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Loopback Loopback interface
Null Null interface
Serial Serial
ISP(config)#ip route 198.18.151.96 255.255.255.248 s0/0
ISP(config)#
As we see, for the ISP make sure you use the PUBLIC addresses, not the private ones, since the ISP does not know your private IP addresses.
Now I go and check the ping from the PC to the internet; then I go to R1 and run show ip nat translations
!
PC>
PC>ping 192.0.1.110
Pinging 192.0.1.110 with 32 bytes of data:
Reply from 192.0.1.110: bytes=32 time=13ms TTL=254
Reply from 192.0.1.110: bytes=32 time=15ms TTL=254
Reply from 192.0.1.110: bytes=32 time=11ms TTL=254
Reply from 192.0.1.110: bytes=32 time=12ms TTL=254
Ping statistics for 192.0.1.110:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 15ms, Average = 12ms
R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 198.18.151.97:10   192.168.91.65:10   192.0.1.110:10     192.0.1.110:10
icmp 198.18.151.97:11   192.168.91.65:11   192.0.1.110:11     192.0.1.110:11
icmp 198.18.151.97:12   192.168.91.65:12   192.0.1.110:12     192.0.1.110:12
icmp 198.18.151.97:9    192.168.91.65:9    192.0.1.110:9      192.0.1.110:9
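An added Python example, not part of the original lab: it parses the show ip nat translations table above and reports which inside hosts share each public address, and which rows fall outside pool CCNA or what access-list 1 permits. The last three rows of the sample and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

POOL_FIRST = ipaddress.IPv4Address("198.18.151.97")    # pool CCNA, from the lab
POOL_LAST = ipaddress.IPv4Address("198.18.151.102")
INSIDE_NET = ipaddress.ip_network("192.168.91.64/26")  # what access-list 1 permits

# The four icmp rows are the lab output; the three tcp rows are constructed samples.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 198.18.151.97:10 192.168.91.65:10 192.0.1.110:10 192.0.1.110:10
icmp 198.18.151.97:11 192.168.91.65:11 192.0.1.110:11 192.0.1.110:11
icmp 198.18.151.97:12 192.168.91.65:12 192.0.1.110:12 192.0.1.110:12
icmp 198.18.151.97:9 192.168.91.65:9 192.0.1.110:9 192.0.1.110:9
tcp 198.18.151.97:1025 192.168.91.70:1025 192.0.1.110:80 192.0.1.110:80
tcp 198.18.151.97:1024 192.168.91.71:1025 192.0.1.110:80 192.0.1.110:80
tcp 198.18.151.97:1026 192.168.92.5:1026 192.0.1.110:80 192.0.1.110:80
"""

def parse(text):
    """Yield (proto, inside_global, inside_local); each endpoint is (IPv4Address, port)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header row or blank line
        ends = []
        for field in fields[1:3]:
            ip, _, port = field.partition(":")
            ends.append((ipaddress.IPv4Address(ip), int(port) if port else None))
        yield fields[0], ends[0], ends[1]

def audit(text):
    """Group inside hosts per public address and flag rows outside the pool or ACL."""
    sharing, unexpected = defaultdict(set), []
    for proto, (g_ip, g_port), (l_ip, l_port) in parse(text):
        sharing[str(g_ip)].add(str(l_ip))
        if not (POOL_FIRST <= g_ip <= POOL_LAST) or l_ip not in INSIDE_NET:
            unexpected.append(f"{proto} {l_ip}:{l_port} -> {g_ip}:{g_port}")
    return {g: sorted(hosts) for g, hosts in sharing.items()}, unexpected

if __name__ == "__main__":
    shared, flagged = audit(SAMPLE)
    print(shared)   # several inside hosts behind one public address = PAT at work
    print(flagged)  # rows that the configured pool and ACL do not explain
```

A flagged row means the running configuration translates something the documented pool and ACL do not cover, which is worth checking against show run.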
Here is the summary:
interface FastEthernet0/0
ip address 192.168.91.126 255.255.255.192
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 192.0.1.109 255.255.255.252
ip nat outside
clock rate 64000
!
ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
ip nat inside source list 1 pool CCNA overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.0.1.110
!
!
access-list 1 permit 192.168.91.64 0.0.0.63
!
Hint: if the ISP has given you a single IP address, then you do not need the pool statement (the 1st statement), and your 2nd statement will look like this:
ip nat inside source list 1 int s0/0 overload
Now if I add another LAN (10.10.10.0/24) using my int f0/1:
Make sure you have defined an ACL entry for network 10.10.10.0/24 to go out, and
make sure you apply the command ip nat inside to int f0/1.
interface FastEthernet0/0
ip address 192.168.91.126 255.255.255.192
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.100 255.255.255.0
! please add the next line
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 192.0.1.109 255.255.255.252
ip nat outside
clock rate 64000
!
ip nat pool CCNA 198.18.151.97 198.18.151.102 netmask 255.255.255.248
ip nat inside source list 1 pool CCNA overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.0.1.110
!
!
access-list 1 permit 192.168.91.64 0.0.0.63
! please add the next line
access-list 1 permit 10.10.10.0 0.0.0.255
!