Exolab: Discovering NAT and RIP with Packet Tracer. Long title. Packet Tracer activity for discovering and practising: - dynamic and static NAT - dynamic routing with the RIP protocol, version 2. Lab to be completed step by step (at the start, the devices are configured at the interface level only)

Press Ctrl-C, and enter the setup command in privileged EXEC mode (Router#). Step 1 Enter the setup command facility by using one of the following methods: From the Cisco IOS CLI, enter the setup command in privileged EXEC

To create a new NAT network, go to the menu: File -> Preferences. Then click "Network", then the + icon. By default, your new NAT network will be named NatNetwork. To configure it, select it and click the gear icon. For each NAT network, you can choose:

With dynamic NAT, you need to specify two sets of addresses on your Cisco router: the inside addresses that will be translated. a pool of global addresses. To configure dynamic NAT, the following steps are required: 1. configure the router's inside interface using the ip nat inside command. 2. configure the router's outside interface using

1TP NAT/PAT Static NAT Step 1: Representation of the network topology in the Packet Tracer simulator. Step 2: Configuration of the interfaces of two routers. Step 3:

The document provides a baseline security reference point for those who will install, deploy and maintain Cisco ASA firewalls. It describes the hows and whys of the way things are done. It is a firewall security best practices guideline. The document highlights best practice for firewall deployment in a secure network.

These blocks of addresses can be used by multiple organizations for their private networks but they are not routable on the Internet.
For hosts with these addresses that need to access the Internet, a device must be deployed at the edge of the network that performs address translation to unique public addresses. Network Address Translation (NAT) is used to translate private IP addresses from the reserved private address space defined in RFC 1918 to public IPv4 addresses which are routable on the Internet. NAT is usually implemented on a router that sits at the edge, connecting a private network on one side and the public network (the Internet) on the other side. There are various types of NAT, but in this lesson we will focus on the following three types.

Static NAT is used to translate a private IP address to a public IP address on a one-to-one basis. Static NAT creates a fixed translation of a private IP address or a subnet to a public IP address or subnet. The translation is persistent and the public IP address is the same for each consecutive connection.

Dynamic NAT is used to translate a group of private IP addresses to a pool of public IP addresses. Dynamic NAT also establishes a one-to-one mapping between a private and a public IP address, but the translation is temporary: once the connectivity is no longer required, the translation is removed and the public IP address is returned to the pool, where it can be used to translate any other private host.

Port Address Translation is used to translate multiple private IP addresses to a single public IP address. To keep each translation unique, a private IP address and source port are translated to the public IP address and a mapped port.

The table below lists various NAT terminologies.

NAT Terminologies

    Network Address Translation (NAT): Mapping an IP address to another IP address, either statically or dynamically.
    Port Address Translation (PAT): Mapping multiple IP addresses to a single IP address. To differentiate between connections, the source port is also changed. Also known as NAT overload.
    Inside Local: IP address assigned to the host on the private network.
    Inside Global: The IP address of a private host as it appears to the public network.
    Outside Local: IP address of a public host as it appears to the private network.
    Outside Global: IP address assigned to a host on the public network by the host owner.

NAT Configuration

We will use the network in the figure below to demonstrate the configuration of Static NAT, Dynamic NAT and PAT. We will configure the Cisco router to perform Static NAT on the IP address owned by the Web Server, and Dynamic NAT to translate the IP addresses of three hosts dynamically to a pool of addresses.

    Router(config)# interface fastethernet 0/0
    Router(config-if)# ip address
    Router(config-if)# ip nat inside
    Router(config)# interface fastethernet 0/1
    Router(config-if)# ip address
    Router(config-if)# ip nat outside
    Router(config)# ip nat inside source static

The command above configures static NAT for private IP address to public IP address

    Router(config)# access-list 101 permit ip any
    Router(config)# access-list 101 permit ip any
    Router(config)# access-list 101 permit ip any
    Router(config)# ip nat pool DYN_NAT_POOL prefix-length 24
    Router(config)# ip nat inside source list 101 pool DYN_NAT_POOL

The commands above configure Dynamic NAT for a group of three hosts, which are assigned public IP addresses from a pool of three public IP addresses.

We can also configure Port Address Translation for the three hosts such that all three of them will be overloaded to a single IP address. To configure PAT, use the following command:

    Router(config)# ip nat inside source list 101 interface fastethernet 0/1 overload

Today we covered Network Address Translation and its configuration. NAT is a very important lesson, and students must have thorough conceptual and practical knowledge of NAT, as almost all enterprise networks connected to the Internet use NAT.
Configuring Port Address Translation (PAT) on Cisco devices

With Port Address Translation (PAT), a single public IP address is used for all internal private IP addresses, but a different port is assigned to each private IP address. This type of NAT is also known as NAT overload and is the typical form of NAT used in today's networks. It is even supported by most consumer-grade routers.

PAT lets you support many hosts with only a few public IP addresses. It works by creating a dynamic NAT mapping, in which a public global IP address and a unique port number are selected. The router keeps a NAT table entry for each unique combination of private IP address and port, with the translation to the global address and a unique port number.

You can create the corresponding configuration commands using the Network Configuration Manager application. This will help you perform the same operation on several devices simultaneously. If you have not installed NCM, please click here to download and install the application.

To configure PAT, the following commands are required:

- Configure the router's inside interface using the ip nat inside command.
- Configure the router's outside interface using the ip nat outside command.
- Configure an access list that includes a list of the inside source addresses that must be translated.
- Enable PAT with the ip nat inside source list ACL_NUMBER interface TYPE overload global configuration command.

Steps to configure PAT for the network image above using the CLI.

Log in to the device using SSH / TELNET and enter enable mode. Enter config mode.

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
Configure the router's inside interface

    Router(config)# interface Gi0/0
    Router(config-if)# ip nat inside
    Router(config-if)# exit

Configure the router's outside interface

    Router(config)# interface Gi0/1
    Router(config-if)# ip nat outside

Define an access list that will include all the private IP addresses you want to translate, in interface configuration mode

    Router(config-if)# access-list 1 permit
    Router(config-if)# exit

Enable NAT and reference the ACL created in the previous step and the interface whose IP address will be used for the translations

    Router(config)# ip nat inside source list 1 interface Gi0/1 overload

Exit configuration mode

    Router(config)# exit
    Router#

Run the show ip nat translations command to display the NAT configuration.

Note that the same IP address has been used to translate three private IP addresses and the port number of the public IP address is unique for each connection. So when S1 responds to R1 examines its NAT translations table and forwards the response to

Copy the running configuration to the startup configuration using the command below

    Router# write memory
    Building configuration...
    [OK]
    Router#

The corresponding configlet can be created in the NCM application as shown in the screenshot below. You can also click the button below to download the configlet in XML format and import it into the NCM application using the file import option.
Configlet name: Configure PAT - Port Address Translation - Cisco
Description: This configlet is used to configure Port Address Translation (PAT) on Cisco devices
Execution mode: Script execution mode
Configlet content:

    configure terminal
    interface $INSIDE_INTF
    ip nat inside
    exit
    interface $OUTSIDE_INTF
    ip nat outside
    exit
    access-list $ACL_ID permit $SOURCE_ADDRESS $SUBNET_MASK
    ip nat pool $POOL_NAME $POOL_ADDRESS $POOL_ADDRESS netmask $NETMASK
    ip nat inside source list $ACL_ID pool $POOL_NAME overload
    exit
    show ip nat translations
    write memory

Configuring NAT on Cisco Routers Step-by-Step (PAT, Static NAT, Port Redirection)

The depletion of the public IPv4 address space has forced the internet community to think about alternative ways of addressing networked hosts. Network Address Translation (NAT) was therefore introduced to overcome the addressing problems that occurred with the rapid expansion of the Internet. Even if NAT was suggested as a temporary solution, it has been adopted by all network hardware manufacturers, and it is considered a very useful technology, not only for IP address conservation, but also for many other purposes including security.

Basically, NAT allows a single network device (a router, firewall, etc.) to act as an agent between a private local area network and a public network such as the Internet. The purpose of this NAT device is to translate the source IP addresses of the internal network hosts into public routable IP addresses in order to communicate with the Internet.

Some of the advantages of using NAT in IP networks are the following:

- NAT helps to mitigate the depletion of the global public IP address space.
- Networks can now use the RFC 1918 private address space internally and still have a way to access the Internet using NAT.
- NAT increases security by hiding the internal network topology and addressing scheme.
Cisco IOS routers support different types of NAT, as will be explained below. NAT has many forms and can work in several ways, but in this post I will explain the most important types of NAT. For the next 2 scenarios we will be using the following simple network.

1. Overloading or Port Address Translation (PAT)

This is the most frequently used form of NAT in IP networks. It uses the concept of "many-to-one" translation, where multiple connections from different internal hosts are "multiplexed" into a single registered public IP address using different source port numbers. This type of NAT allows a maximum of 65,536 internal connections to be translated into a single public IP. This type of NAT is very useful in situations where our ISP has assigned us only a single public IP address, as shown on the diagram below. All IP addresses of the LAN network will be translated using the public IP of the router

    interface FastEthernet0/0
     ip address
     ip nat outside
    !
    interface FastEthernet0/1
     ip address
     ip nat inside
    !
    access-list 1 permit
    ip nat inside source list 1 interface FastEthernet0/0 overload

2. Static Port Address Translation (Port Redirection)

Assume now that we have only one public IP address, which is the one configured on the outside interface of our border router. We want traffic hitting our router's public IP on port 80 to be redirected to our internal Web Server at IP

    interface FastEthernet0/0
     ip address
     ip nat outside
    !
    interface FastEthernet0/1
     ip address
     ip nat inside
    !
    ip nat inside source static tcp 80 80

3. Configuring Static NAT

NAT can be performed both statically and dynamically. Static NAT simply maps one private IP address to a single public IP address, and this is the flavor of NAT we are discussing in this section. A Cisco router performing NAT divides its universe into the inside and the outside. Typically the inside is a private enterprise, and the outside is the public Internet.
In addition to the notion of inside and outside, a Cisco NAT router classifies addresses as either local or global. A local address is an address that is seen by devices on the inside, and a global address is an address that is seen by devices on the outside. Given these four terms, an address may be one of four types:

- Inside local addresses are assigned to inside devices. These addresses are not advertised to the outside.
- Inside global are addresses by which inside devices are known to the outside.
- Outside local are addresses by which outside devices are known to the inside.
- Outside global addresses are assigned to outside devices. These addresses are not advertised to the inside.

Let's jump right into static NAT configuration on a Cisco router as shown in the Figure below. R1 is the router performing Network Address Translation (NAT) and has two interfaces: Fa0/0 on the inside and Fa0/1 on the outside. The specific IP addresses involved are:

    NAT Address Type    IP Address
    Inside local
    Inside global
    Outside local
    Outside global

Table 1 NAT Addresses for Figure Above

You probably know very well how to configure IP addresses on router interfaces, so we skip those configuration steps and move straight to the interesting stuff. First, we have to assign Fa0/0 as the NAT inside interface and Fa0/1 as the NAT outside interface on R1. This tells the router that interesting traffic entering or exiting these two interfaces will be subject to address translation.

    R1# conf term
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)# interface Fa0/0
    R1(config-if)# ip nat inside
    R1(config-if)# interface Fa0/1
    R1(config-if)# ip nat outside
    R1(config-if)# end

Now we tell the router how to perform address translation and which IP addresses (source or destination) to rewrite in packets moving between the inside and outside interfaces.
Here we go:

    R1(config)# ip nat inside source static

Here, we are telling the router to perform NAT on packets coming into the router on the inside interface Fa0/0. More specifically, the router would identify which of these packets have a source IP address of and would change it to before forwarding the packet out the outside interface Fa0/1. Similarly, return packets coming in at outside interface Fa0/1 would undergo translation of the destination IP address.

Let's now verify that NAT is actually working as it is supposed to. There are a couple of very useful Cisco IOS commands that can be used to do just that. The command show ip nat statistics displays the number of static and dynamic NAT translations, the inside and outside interfaces, and the number of hits and misses.

    R1# show ip nat statistics
    Total active translations: 1 (1 static, 0 dynamic; 0 extended)
    Outside interfaces:
      FastEthernet0/1
    Inside interfaces:
      FastEthernet0/0
    Hits: 0  Misses: 0
    CEF Translated packets: 0, CEF Punted packets: 0
    Expired translations: 0
    Dynamic mappings:
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0

The command show ip nat translations displays the IP addresses for NAT translations.

    R1# show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    ---                                       ---                ---

As you see in the above output, we have one NAT entry configured with the Inside global address and Inside local address specified. The Outside local and Outside global addresses are blank because our NAT configuration does not change those addresses. Let's now go to the PC and ping the Server before running the command show ip nat translations again to see if it makes any difference.
    R1# show ip nat statistics
    Total active translations: 2 (1 static, 1 dynamic; 1 extended)
    Outside interfaces:
      FastEthernet0/1
    Inside interfaces:
      FastEthernet0/0
    Hits: 10  Misses: 0
    CEF Translated packets: 10, CEF Punted packets: 0
    Expired translations: 0
    Dynamic mappings:
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0

    R1# show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp
    ---                                       ---                ---

As you can see in the above output, NAT is active, as manifested by the appearance of an additional dynamic entry for the ICMP protocol and some additional hits, corresponding to our ping attempt from PC to Server.

We just configured and verified a simple NAT scenario translating only the source or destination (not both at the same time) IP addresses of packets moving between inside and outside interfaces. This sort of NAT configuration is called static NAT, as a single inside local IP address is statically mapped to a single outside local IP address.

Another important feature of NAT is static Port Address Translation (PAT). Static PAT is designed to allow one-to-one mapping between local and global addresses. A common use of static PAT is to allow Internet users from the public network to access a Web server located in the private network. Let's assume we intend to host a Web server on the inside on the same PC, that has an IP address The following configuration line would allow us to do just that:

    R1(config)# ip nat inside source static tcp 80 80

This configuration line performs the static address translation for the Web server. With this configuration line, users that try to reach port 80 (www) are automatically redirected to port 80 (www). In our case, is the IP address of the PC which is also the Web server. This configuration can be verified using the same two NAT verification commands, show ip nat translations and show ip nat statistics. Notice that the address with port number 80 (HTTP) translates to port 80, and vice versa.
Therefore, Internet users can browse the Web server even though the Web server is on a private network with a private IP address.

Network Address Translation, or NAT, is a mechanism for mapping a local address on the inside interface of a router to a global address on the outside interface. For outgoing packets, the router translates the source local address to a global address. Conversely, the router forwards incoming packets for a global address to its local address. This is usually the scenario used to enable hosts on a LAN to communicate with the internet. On Cisco devices, there are several methods to configure NAT. The method explained in this article is configuring static NAT on a Cisco IOS router. Static NAT is a manual mapping of local and global addresses as defined by the network administrator. Configuring static NAT on a Cisco IOS router consists of two steps, which are explained using an example scenario with the topology given below.

1. Define the inside and outside interface

Defining the inside and outside interface correctly is the key to making the NAT mapping work. Simply go to interface configuration mode and use the command ip nat inside to make the interface an inside interface. In a similar way, use the command ip nat outside to make the interface an outside interface.
For the above scenario, the way to make f0/0 on R1 the inside interface and f0/1 the outside interface is shown below, assuming the IP address for each interface and the default route to the internet have been configured beforehand:

    R1(config)# interface f0/0
    R1(config-if)# ip nat inside
    R1(config-if)# exit
    R1(config)# interface f0/1
    R1(config-if)# ip nat outside
    R1(config-if)# exit

2. Configure the static NAT mapping

The command to configure a static NAT mapping is ip nat inside source static [local address] [global address]. The command can be repeated as many times as required, but note that on a Cisco IOS router one local address can only be mapped to one global address and vice versa. Additionally, note that the global address must be in the range of the subnet on the outside interface. In real practice, the global address is usually provided by the internet service provider. For the above scenario, the command to map the Server1 IP address to one of the available global IP addresses is:

    R1(config)# ip nat inside source static

Verifying the NAT sessions

To see if static NAT works as expected, try a ping from Server1 to an address on the internet. Before static NAT is applied, a ping from Server1 to will not work because R1 will forward the packet with a source address of and it is not known on the internet in this case.

    Server> ping
    icmp_seq=1 timeout

After NAT is applied, the source address of is masked by and it is an address that is known on the internet in this case. Therefore, the ping from Server1 succeeds.

    Server> ping
    84 bytes from icmp_seq=1 ttl=252 time= ms

Use the command show ip nat translations on the router to see the NAT session. See this example output for the above scenario:

    R1# sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    icmp
    ---                                       ---                ---

The output above shows the active sessions between the local address and the global address on the inside and outside interfaces, complete with the protocol and port information.
The inside global and outside global columns show the IP addresses and ports resulting from translation, while the inside local and outside local columns show the addresses and ports before translation. From the output above we can see that the static NAT mapping between the local address of and global address on the inside interface is working successfully.

One cool thing about static NAT is that it also works for incoming packets. To confirm this, ping Server1's global address from the internet.

    Internet> ping
    84 bytes from icmp_seq=1 ttl=252 time= ms

On R1, run the command show ip nat translations again to see the session:

    R1# sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    icmp
    ---                                       ---                ---

And that's how you configure static NAT on a Cisco IOS router.

I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email to for further inquiry regarding stuff that I wrote or an opportunity to collaborate on a project.

Static NAT (Network Address Translation) - Static NAT is a one-to-one mapping of a private IP address to a public IP address. Static NAT is useful when a network device inside a private network needs to be accessible from the internet.

Dynamic NAT (Network Address Translation) - Dynamic NAT can be defined as the mapping of a private IP address to a public IP address from a group of public IP addresses called a NAT pool. Dynamic NAT establishes a one-to-one mapping between a private IP address and a public IP address. Here the public IP address is taken from the pool of IP addresses configured on the end NAT router. The public-to-private mapping may vary based on the available public IP addresses in the NAT pool.
PAT (Port Address Translation) - Port Address Translation (PAT) is another type of dynamic NAT which can map multiple private IP addresses to a single public IP address by using a technology known as Port Address Translation. Here, when a client from the inside network communicates with a host on the internet, the router replaces the source port (TCP or UDP) number with another port number. These port mappings are kept in a table. When the router receives a data packet from the internet, it refers to the table that keeps the port mappings and forwards the data packet to the original sender.
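
The port-mapping table that the PAT descriptions above rely on, as an added Python sketch (not code from any of the articles collected on this page). All addresses, the class and function names, and the port-allocation rule are constructed assumptions; real routers also track the remote endpoint and entry timeouts, which this model leaves out.

```python
from dataclasses import dataclass, field


@dataclass
class PatTable:
    """Toy PAT (NAT overload) table; every address used below is a constructed sample."""
    public_ip: str
    first_port: int = 1024
    last_port: int = 65535
    # (proto, inside local ip, inside local port) -> inside global port
    outbound: dict = field(default_factory=dict)
    # (proto, inside global port) -> (inside local ip, inside local port)
    inbound: dict = field(default_factory=dict)

    def _bind(self, proto, local_ip, local_port, global_port):
        if (proto, global_port) in self.inbound:
            raise ValueError(f"{proto}/{global_port} is already in use")
        self.outbound[(proto, local_ip, local_port)] = global_port
        self.inbound[(proto, global_port)] = (local_ip, local_port)

    def add_static(self, proto, local_ip, local_port, global_port):
        """Permanent entry, the table-level effect of a static port redirection."""
        self._bind(proto, local_ip, local_port, global_port)

    def translate_out(self, proto, src_ip, src_port):
        """Inside -> outside: rewrite the source to (public ip, unique port)."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            # Assumption: keep the original port when it is free, otherwise
            # take the lowest free port in the range (real allocators differ).
            port = src_port
            if (proto, port) in self.inbound:
                port = next((p for p in range(self.first_port, self.last_port + 1)
                             if (proto, p) not in self.inbound), None)
                if port is None:
                    raise RuntimeError("port range exhausted on " + self.public_ip)
            self._bind(proto, src_ip, src_port, port)
        return self.public_ip, self.outbound[key]

    def translate_in(self, proto, dst_port):
        """Outside -> inside: None means no entry, so nothing is forwarded."""
        return self.inbound.get((proto, dst_port))


def demo():
    nat = PatTable(public_ip="203.0.113.1")            # constructed address
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    # Three inside hosts happen to pick the same source port.
    mapped = [nat.translate_out("tcp", h, 50000) for h in hosts]
    replies = [nat.translate_in("tcp", port) for _, port in mapped]
    unsolicited = nat.translate_in("tcp", 8080)        # no inside host opened this
    before_static = nat.translate_in("tcp", 80)
    nat.add_static("tcp", "192.168.1.100", 80, 80)     # constructed inside web server
    after_static = nat.translate_in("tcp", 80)
    return mapped, replies, unsolicited, before_static, after_static


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two None results show that an outside packet is forwarded only when a table entry already exists, so each static entry is a deliberately exposed service and should be covered by the same filtering and review as any other published port.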
