Configuration of static NAT is very straightforward. In this example we have a web server connected to Router 1. Our web server is using the IP address 10.0.0.2, but for the reasons discussed in the previous article our company wants to use the IP address 50.0.0.1 for this server. Our task is to configure NAT on Router 1 so that it translates 10.0.0.2 [inside local web server address] to 50.0.0.1 [inside global IP address].
To configure static NAT, follow this step-by-step guide.
Either download this preconfigured topology or create your own topology as shown in this figure.
Configure the IP addresses on the PC and server as given in the figure.
Now configure R1 exactly as given here.
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1
R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
Now configure R0 exactly as given here.
Router>enable
Router#configure terminal
Router(config)#hostname R0
R0(config)#interface fastethernet 0/0
R0(config-if)#ip address 30.0.0.1 255.0.0.0
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#interface serial 0/0/0
R0(config-if)#ip address 20.0.0.1 255.0.0.0
R0(config-if)#clock rate 64000
R0(config-if)#bandwidth 64
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
R0(config)#
As you have seen in the configuration, there is no direct route to 10.0.0.2, so PCs in the 30.0.0.0 network will never know about it. They will access 50.0.0.1 as the web server IP. To test this, double-click any computer and ping 50.0.0.1; you will get a reply.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126
Ping statistics for 50.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 141ms, Average = 113ms
Now ping 10.0.0.2 and you will get a destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
This demonstration shows how companies use NAT to hide their internal network from the outside world. Now open the web browser on any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
As you can see in the image, you can easily access 50.0.0.1.
I have uploaded a configured and tested topology. If you are unable to locate the problem spot, download this configuration file and try to find out where you made the mistake.
Step by Step Configuration of Dynamic NAT
With dynamic NAT, you must manually define two sets of addresses on your address translation device. One set defines which inside addresses are allowed to be translated (the local addresses), and the other defines what these addresses are to be translated to (the global addresses).
For practice, either download this pre-created topology or create your own in Packet Tracer.
In this example our internal network is using the 192.168.0.0 network. We have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use. Router1 (1841 Router0) is going to be the NAT device. Double-click Router1 (1841 Router0) and configure it as given below.
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
Now double-click R2 (1841 Router1) and configure it as given below.
Router>enable
Router#configure terminal
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Router(config)#hostname R2
To test NAT, go to R1 and enable NAT debugging from privileged mode.
R1#debug ip nat
Now go to the PC and ping 20.0.0.2.
When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet was generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address to, which you can check in the output of the debug command on R1.
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
As you can see in the output, 192.168.0.7 is translated to 50.0.0.1 before leaving the router.
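One way to check captured debug lines against the intended policy, as an added example that is not part of the original tutorial: this Python sketch applies the wildcard match of access list 1 and the bounds of pool test from the R1 configuration to each outbound translation. The function names are hypothetical, and the last two sample lines are constructed to show a failing case.

```python
import ipaddress
import re

# Values taken from the R1 configuration above.
ACL_NET, ACL_WILDCARD = "192.168.0.0", "0.0.0.255"   # access-list 1 permit ...
POOL_FIRST, POOL_LAST = "50.0.0.1", "50.0.0.5"       # ip nat pool test ...

# Outbound lines look like: NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
OUTBOUND = re.compile(r"NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(addr, net=ACL_NET, wildcard=ACL_WILDCARD):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(net) & care)

def in_pool(addr, first=POOL_FIRST, last=POOL_LAST):
    return to_int(first) <= to_int(addr) <= to_int(last)

def audit(debug_text):
    """Return (inside_local, inside_global, problem) per outbound translation."""
    findings = []
    for local, glob, _dst in OUTBOUND.findall(debug_text):
        problem = None
        if not acl_permits(local):
            problem = "source not permitted by access-list 1"
        elif not in_pool(glob):
            problem = "translated address outside pool test"
        findings.append((local, glob, problem))
    return findings

# First two lines come from the debug output above; the last two are constructed.
SAMPLE = """\
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.1.9->50.0.0.2, d=20.0.0.2[2]
NAT: s=192.168.0.8->50.0.0.9, d=20.0.0.2[3]
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Return-traffic lines (the ones rewriting d=) are skipped because only the source rewrite shows which inside host was given which pool address.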
Now check web access from any client PC.
In real life it is best practice to turn off debugging after testing, so go to Router 1 and turn off debug mode.
R1#no debug ip nat
IP NAT debugging is off
R1#
I have uploaded a configured and tested topology. If you are unable to locate the problem spot, download this configuration file and try to find out where you made the mistake.
Step by Step Configuration of PAT
In dynamic NAT, translation is made IP to IP, so you need as many global IP addresses as you have inside local addresses. That's an issue if you have only a few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
For demonstration we are going to configure the same topology that we used in dynamic NAT, but this time we are using only one global IP address, 50.0.0.1.
Download this pre-created topology.
The IP addresses of the PCs are already configured. Double-click R1 and configure it as given here.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
Now configure R2 as given below.
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname R2
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Now go to the PC and ping 20.0.0.2.
To verify PAT, go to R1 and run show ip nat translations.
R1#show ip nat translations
Pro   Inside global   Inside local     Outside local   Outside global
icmp  50.0.0.1:1      192.168.0.7:1    20.0.0.2:1      20.0.0.2:1
icmp  50.0.0.1:2      192.168.0.7:2    20.0.0.2:2      20.0.0.2:2
icmp  50.0.0.1:3      192.168.0.7:3    20.0.0.2:3      20.0.0.2:3
icmp  50.0.0.1:4      192.168.0.7:4    20.0.0.2:4      20.0.0.2:4
As you can see, this time address translation is done with the port address instead of the IP.
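The difference between the five-address dynamic NAT pool and the single overloaded PAT address, as an added example that is not part of the original tutorial: a simplified Python model showing that the pool serves only five inside hosts while PAT serves them all by varying the port. The class and function names are hypothetical, the six hosts are constructed, and keeping the original port when it is free is a modelling assumption, not a description of the router's exact algorithm.

```python
import ipaddress

class NatExhausted(Exception):
    """Raised when no free global address (NAT) or port (PAT) is left."""

def pool(first, last):
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

class DynamicNat:
    """One-to-one: each inside local address holds a whole global address."""
    def __init__(self, globals_):
        self.free = list(globals_)
        self.table = {}                  # inside local IP -> inside global IP
    def translate(self, local_ip, local_port):
        if local_ip not in self.table:
            if not self.free:
                raise NatExhausted(local_ip)
            self.table[local_ip] = self.free.pop(0)
        return self.table[local_ip], local_port

class Pat:
    """Overload: inside locals share one global address, told apart by port."""
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.table = {}                  # (local IP, local port) -> global port
        self.used = set()
    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key not in self.table:
            port = local_port            # assumption: keep the port if it is free
            while port in self.used:
                port = (port + 1) % 65536
                if port == local_port:
                    raise NatExhausted(key)
            self.used.add(port)
            self.table[key] = port
        return self.global_ip, self.table[key]

def served(translator, host_ips, port=1):
    """Return the translations granted before the translator runs out."""
    granted = []
    for ip in host_ips:
        try:
            granted.append(translator.translate(ip, port))
        except NatExhausted:
            break
    return granted

HOSTS = ["192.168.0.%d" % n for n in range(2, 8)]   # six constructed inside hosts
```

Calling served(DynamicNat(pool("50.0.0.1", "50.0.0.5")), HOSTS) stops at the fifth host, while served(Pat("50.0.0.1"), HOSTS) translates all six to 50.0.0.1 with distinct ports.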
I have uploaded a configured and tested topology. If you are unable to locate the problem spot, download this configuration file and try to find out where you made the mistake.