Network Address Translation (NAT)

NOTE: Make sure you replace X with your Campus number.

Create a pool of addresses to use for NAT:

ip nat pool CAMPUSX 100.68.X.33 100.68.X.46 prefix-length 28

Create an access list that defines the addresses that should be translated:

ip access-list extended NATplus
 remark Do not NAT the NREN address range
 deny   ip 100.68.0.0 0.0.0.255 any 
 remark Do not NAT our public addresses
 deny   ip 100.68.X.0 0.0.0.255 any
 remark Do not NAT traffic that stays internal
 deny   ip 172.2X.0.0 0.0.255.255 172.2X.0.0 0.0.255.255
 remark NAT traffic which goes to the Internet
 permit ip 172.2X.0.0 0.0.255.255 any
 remark Do not NAT anything else - and log anything that gets this far
 deny   ip any any log

Link the access list and the address pool together:

ip nat inside source list NATplus pool CAMPUSX overload

The command you have just entered makes the router look for incoming packets matching the NATplus list, and translate their source address into an address from the CAMPUSX pool. The “overload” keyword ensures that the router can map many internal addresses onto the small range of external public addresses. Without “overload”, NAT simply maps one internal address to one external address, and with only 14 addresses in the CAMPUSX pool, only 14 internal addresses could be NATed before the pool is exhausted.
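
How the NATplus list decides which packets are translated, as an added illustration that is not part of the original lab: a Python model of first-match evaluation with IOS wildcard masks. It assumes campus number X = 1; the function names and the sample addresses are constructed for this example.

```python
import ipaddress

X = 1  # assumption: campus number 1, so 100.68.1.0/24 and 172.21.0.0/16

# NATplus entries in order: (action, src, src wildcard, dst, dst wildcard, log).
# None stands for "any"; remark lines are comments and are not entries.
NATPLUS = [
    ("deny",   "100.68.0.0",    "0.0.0.255",   None, None, False),
    ("deny",   f"100.68.{X}.0", "0.0.0.255",   None, None, False),
    ("deny",   f"172.2{X}.0.0", "0.0.255.255", f"172.2{X}.0.0", "0.0.255.255", False),
    ("permit", f"172.2{X}.0.0", "0.0.255.255", None, None, False),
    ("deny",   None, None, None, None, True),
]

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    if net is None:  # "any"
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(src, dst):
    """Return (entry position, action, logged) for the first matching entry."""
    for pos, (action, sn, sw, dn, dw, log) in enumerate(NATPLUS, start=1):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return pos, action, log
    return None, "deny", False  # implicit deny; unreachable with the final entry

def is_translated(src, dst):
    """Only traffic hitting a permit entry is handed to the NAT pool."""
    return evaluate(src, dst)[1] == "permit"

if __name__ == "__main__":
    # Constructed sample flows (source, destination)
    samples = [
        ("172.21.10.5", "8.8.8.8"),      # campus host to the Internet
        ("172.21.10.5", "172.21.20.1"),  # stays inside the campus
        ("172.21.10.5", "100.68.1.10"),  # campus host to campus public range
        ("100.68.1.40", "8.8.8.8"),      # already a public campus address
        ("192.168.1.1", "8.8.8.8"),      # unexpected source, hits the log entry
    ]
    for src, dst in samples:
        pos, action, log = evaluate(src, dst)
        print(f"{src:>12} -> {dst:<12} entry {pos}: {action}{' (logged)' if log else ''}")
```

Because the permit entry matches any destination, a 172.2X.0.0/16 host talking to the campus public range 100.68.X.0/24 is translated as well.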

Now add address translation to the network interfaces:

interface FastEthernet0/0
 description Link to NREN
 ip nat outside
! 
interface FastEthernet0/1
 description Link to Core Router
 ip nat inside
! 

Testing

Log into one of your switches. These have addresses in the 172.2X.0.0/16 range.

Can you ping your border router?

Now try to ping one of the NREN Transit routers on 10.10.0.201 or 10.10.0.202 - does it work?

Can you ping 10.10.0.254? This is the default gateway in the workshop network.

The Transit routers don't know anything about your 172.2X.0.0/16 network, so if Network Address Translation is working, the original source IP address of the packet has been translated into the range:

100.68.X.33 - 100.68.X.46

You can use the command

show ip nat translations

on your Border router to see what's happening.

Can you ping hosts on the wider Internet from one of your switches? For example, can you ping 8.8.8.8?

If the ping works, try using trace to 8.8.8.8. What do you see?

master/cnd/nat-lab.txt · Last modified: 2016/03/24 10:04 by philip