Friday, January 15, 2016

Lab 2-2: Internet connections - Static NAT




Lab pre-requisites:

Lab 2-1 Packet Tracer Topology Download.

Topology Diagram


Connecting a LAN to the Internet requires a little thought, as there are a few ways of doing it. Here we are going to explore three of them:
  • Static NAT (one-to-one translation)
  • Dynamic NAT (many-to-many translation)
  • Dynamic NAT Overload or PAT (many-to-one translation)


Task 1: Defining static IP addresses and setting a static default route.
Task 2: Configure NAT.
Task 3: Configure PAT.

STATIC NAT
Solution

Let's tackle the first one.

Task 1: Defining static IP addresses and setting a static default route.

In this type of NAT traffic can be initiated in both directions: hosts on the Internet can open connections to our private host, not just the other way round. The NAT table contains a static entry that presents our local host's address (inside local) as a public IP address (inside global). Typically we register the public IP address in DNS, allowing users on the Internet to reach our local host by name.

In this task let's assume that our extra public IP address is: 209.165.201.10.

Roll up your sleeves and let's make it work.

First, what is necessary to connect a router to the Internet?
  1. The router must have its interface facing the Internet configured with a public IP address. This can be done manually, or the router can obtain a public IP address from a DHCP server located at the ISP.
  2. The router must know how to reach all unknown addresses on the Internet. This can be accomplished by learning Internet routes via BGP or by using a 'default route'. Here we're going to use the latter.
  3. CCNA courses do not use the newer NAT method based on a NAT Virtual Interface (NVI). The older method is used, which requires marking which interface is private (ip nat inside) and which interface is connected to the Internet (ip nat outside).
  4. The appropriate NAT method must be configured.
STATIC NAT (one-to-one translation)


In our first approach let's allow the Branch router to obtain its public IP address from a DHCP pool configured on HQ. The pool will offer only one IP address (209.165.201.1), because every other host address in the /27 is excluded. In order to do that, type the following configuration on HQ:

HQ Configuration:

HQ#ena
HQ#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#ip dhcp pool BRANCH
HQ(dhcp-config)#network 209.165.201.0 255.255.255.224
HQ(dhcp-config)#default-router 209.165.201.2
HQ(dhcp-config)#exit
HQ(config)#ip dhcp excluded-address 209.165.201.2 209.165.201.254
HQ(config)#

We're off to a good start now.

Assign a public IP address to the Branch Fas0/1 interface using DHCP:

Branch#
Branch#ena
Branch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#int fas0/1
Branch(config-if)#ip address dhcp
Branch(config-if)#exit
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address 209.165.201.1, mask 255.255.255.224, hostname Branch

Notice that apart from the IP address 209.165.201.1/27, the Branch router also received a 'default route', as per the default-router line in the HQ DHCP configuration. Now it can send packets towards all unknown IP addresses using HQ as its next-hop router (209.165.201.2).



Now, let's assume that the ISP (Internet Service Provider) has given us another public IP address for our public server (WWW, SMTP, FTP, etc.).

Server IP Addresses:

Inside Local: 10.1.1.100 (private)
Inside Global: 209.165.201.10 (host will be seen as this public address)

Since our router already has its IP address dynamically assigned and the default route has been installed in the routing table, the next step is to mark which interface is private and which one is public.

Branch(config)#int fas0/0
Branch(config-if)#ip nat inside
Branch(config-if)#
Branch(config-if)#int fas0/1
Branch(config-if)#ip nat outside
Branch(config-if)#exit

This is where a lot of beginners make mistakes by doing it the other way round. Remember: the 'ip nat inside' interfaces are the ones facing the LAN (private network), the 'ip nat outside' interface is the one connected to the ISP. With the roles swapped the static entry still appears in the NAT table, but no packet ever matches it.

Finally, static NAT configuration:

Branch(config)#ip nat inside source static 10.1.1.100 209.165.201.10
Branch(config)#end

Branch#

Let's observe what was installed in the NAT table (show ip nat translations).




It looks good. Whenever the Branch router receives an IP packet destined to 209.165.201.10 on its outside interface, it rewrites the destination to the inside local address 10.1.1.100, as signified by the NAT entry. Replies leaving the server are rewritten the other way (source 10.1.1.100 becomes 209.165.201.10), so the Internet only ever sees the public address.



NOTICE!
This entry never ages out. It means that the router will forward packets to your public server 10.1.1.100 whenever it receives an IP packet on its OUTSIDE interface (Fas0/1) with destination IP address 209.165.201.10, for any protocol and any port, for as long as the static entry exists. Nothing in this configuration filters that traffic: NAT is a translator, not a firewall, so an access list applied to Fas0/1 (or a firewall behind the router) is what decides which services on the server are actually exposed.
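To make the two directions of the translation and the shape of the NAT table concrete, here is a small Python model of the Branch router's static NAT. It is an added illustration written for this page, not IOS or Packet Tracer code: the addresses are the ones used in the lab, the Packet class and the StaticNat class are invented for the model, and the rows it produces imitate the column order of 'show ip nat translations' (Pro, Inside global, Inside local, Outside local, Outside global).

```python
"""Model of the lab's static NAT on the Branch router.  Added illustration
written for this page, not IOS code; addresses are the ones from the lab."""
from dataclasses import dataclass, replace

INSIDE_LOCAL = "10.1.1.100"       # server's private address (Fas0/0 side)
INSIDE_GLOBAL = "209.165.201.10"  # public address the ISP gave us for it
HQ = "209.165.201.2"              # the 'Internet' host that pings us in the lab


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    ident: int = 1   # ICMP id or L4 port; it is what the table shows after ':'


class StaticNat:
    """One 'ip nat inside' interface, one 'ip nat outside' interface and the
    entries created by 'ip nat inside source static <local> <global>'."""

    def __init__(self):
        self.static = {}   # inside local -> inside global (never ages out)
        self.flows = []    # per-connection child entries (these do age out)

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def inside_to_outside(self, pkt):
        """Packet arriving on Fas0/0 (inside), leaving on Fas0/1: rewrite the
        source if a mapping exists.  A packet that matches no NAT rule is
        routed untranslated; NAT translates, it does not filter."""
        glob = self.static.get(pkt.src)
        if glob is None:
            return pkt
        self._record(pkt.proto, glob, pkt.src, pkt.dst, pkt.ident)
        return replace(pkt, src=glob)

    def outside_to_inside(self, pkt):
        """Packet arriving on Fas0/1 (outside) for a public address: rewrite the
        destination to the inside local address.  With no mapping there is no
        inside host behind that address and the packet goes nowhere (None)."""
        for local, glob in self.static.items():
            if pkt.dst == glob:
                self._record(pkt.proto, glob, local, pkt.src, pkt.ident)
                return replace(pkt, dst=local)
        return None

    def _record(self, proto, glob, local, outside, ident):
        row = (proto, f"{glob}:{ident}", f"{local}:{ident}", f"{outside}:{ident}")
        if row not in self.flows:   # both directions of one ping share one entry
            self.flows.append(row)

    def translations(self):
        """Rows in the order Pro / Inside global / Inside local / Outside local /
        Outside global.  The static entry has no protocol and no outside side."""
        rows = [("---", g, l, "---", "---") for l, g in self.static.items()]
        rows += [(p, g, l, o, o) for p, g, l, o in self.flows]
        return rows

    def expire_flows(self):
        """The table once the per-ping entries have timed out: only the static
        entry remains, so the server stays reachable from outside."""
        self.flows.clear()
        return self.translations()


def demo():
    nat = StaticNat()
    nat.add_static(INSIDE_LOCAL, INSIDE_GLOBAL)
    # HQ pings the public address: destination rewritten on the way in ...
    echo = nat.outside_to_inside(Packet(HQ, INSIDE_GLOBAL))
    # ... and the server's reply gets its source rewritten on the way out.
    reply = nat.inside_to_outside(Packet(INSIDE_LOCAL, HQ))
    # A public address nobody is mapped to has no inside host behind it.
    stray = nat.outside_to_inside(Packet(HQ, "209.165.201.11"))
    return echo, reply, stray, nat.translations()


if __name__ == "__main__":
    for row in demo()[3]:
        print("%-5s %-20s %-20s %-20s %-20s" % row)
```

Running it prints the static row first and then the single icmp child entry created by the ping, which is the same pair of rows the lab's screenshot of show ip nat translations contains after HQ has pinged 209.165.201.10. Note that a host such as 10.1.1.50 with no mapping is passed through untranslated in this model, as it is on the router; that gap is what the Dynamic NAT and PAT exercises fill.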



Now we can check whether the HQ router is able to ping 209.165.201.10.



The first two packets were lost while ARP was being resolved. The second ping worked 100%.

After two rounds of ping, here's what we find in the NAT table on Branch.



Here's the final configuration of both HQ and Branch.

HQ Configuration:

!
ip dhcp excluded-address 209.165.201.2 209.165.201.254
!
ip dhcp pool BRANCH
 network 209.165.201.0 255.255.255.224
 default-router 209.165.201.2
!

Branch Configuration:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
!
ip nat inside source static 10.1.1.100 209.165.201.10 
!
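Because swapping 'ip nat inside' and 'ip nat outside' is the most common mistake in this lab, here is a small check that reads a Branch-style configuration and reports when the static mapping does not line up with the interface roles. It is an added example written for this page, not part of the lab or of IOS: the parse_nat_config and lint_static_nat functions are invented for it, BRANCH_OK is the Branch configuration shown above, and BRANCH_SWAPPED is a constructed copy with the two roles applied the wrong way round.

```python
"""Lint a Branch-style IOS configuration for the inside/outside mix-up.
Added example written for this page, not IOS or Packet Tracer code."""
import ipaddress

# The working Branch configuration from the lab (duplex/speed lines omitted).
BRANCH_OK = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source static 10.1.1.100 209.165.201.10
!
"""

# Constructed: the beginner's mistake, with the two roles swapped.
BRANCH_SWAPPED = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat inside
!
ip nat inside source static 10.1.1.100 209.165.201.10
!
"""


def parse_nat_config(text):
    """Pull out, per interface, its subnet and NAT role, plus the static
    'ip nat inside source static' mappings.  Only what the lint needs."""
    ifaces, statics, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"net": None, "role": None}
        elif line == "!":
            cur = None
        elif cur and line.startswith("ip address dhcp"):
            pass                       # subnet unknown until the lease arrives
        elif cur and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            ifaces[cur]["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif cur and line in ("ip nat inside", "ip nat outside"):
            ifaces[cur]["role"] = line.split()[-1]
        elif line.startswith("ip nat inside source static "):
            parts = line.split()
            statics.append((parts[5], parts[6]))   # (inside local, inside global)
    return ifaces, statics


def lint_static_nat(text):
    """Return a list of findings; an empty list means the config is consistent."""
    ifaces, statics = parse_nat_config(text)
    inside = [n for n, i in ifaces.items() if i["role"] == "inside"]
    outside = [n for n, i in ifaces.items() if i["role"] == "outside"]
    findings = []
    if len(outside) != 1:
        findings.append(f"expected exactly one 'ip nat outside' interface, found {len(outside)}")
    if not inside:
        findings.append("no 'ip nat inside' interface: translation never triggers")
    if not statics:
        findings.append("no 'ip nat inside source static' mapping")
    inside_nets = [ifaces[n]["net"] for n in inside if ifaces[n]["net"]]
    outside_nets = [ifaces[n]["net"] for n in outside if ifaces[n]["net"]]
    for local, glob in statics:
        l, g = ipaddress.ip_address(local), ipaddress.ip_address(glob)
        # The inside local address must live behind an 'ip nat inside' interface ...
        if not any(l in net for net in inside_nets):
            findings.append(f"inside local {local} is not on any 'ip nat inside' subnet")
        # ... and neither address may sit on the wrong side of the router.
        if any(l in net for net in outside_nets):
            findings.append(f"inside local {local} is on the 'ip nat outside' subnet: roles look swapped")
        if any(g in net for net in inside_nets):
            findings.append(f"inside global {glob} is on an 'ip nat inside' subnet: roles look swapped")
        if not l.is_private:
            findings.append(f"inside local {local} is not an RFC 1918 address")
    return findings


if __name__ == "__main__":
    print("ok config     :", lint_static_nat(BRANCH_OK) or "no findings")
    print("swapped config:", lint_static_nat(BRANCH_SWAPPED))
```

The swapped configuration is caught on two counts: the inside local address 10.1.1.100 is no longer behind any 'ip nat inside' interface, and it sits on the subnet of the interface now marked outside. With the outside interface addressed by DHCP the lint cannot confirm that 209.165.201.10 belongs to the outside subnet, so that side is only checked when a static address is present.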

In the next exercise we're going to use Dynamic NAT configuration (many-to-many translation).
