master:cnd:nat-lab [2016/03/24 10:04] (current)
philip created
Line 1: Line 1:
 +====== Network Address Translation (NAT) ======
 +
 +**NOTE**: Make sure you replace **X** with your Campus number. ​
 +
 +Create a pool of addresses to use for NAT:
 +
 +  ip nat pool CAMPUSX 100.68.X.33 100.68.X.46 prefix-length 28
 +
 +Create an access list that defines the addresses that should be translated:  ​
 +
 +  ip access-list extended NATplus
 +   ​remark Do not NAT the NREN address range
 +   ​deny ​  ip 100.68.0.0 0.0.0.255 any 
 +   ​remark Do not NAT our public addresses
 +   ​deny ​  ip 100.68.X.0 0.0.0.255 any
 +   ​remark Do not NAT traffic that stays internal
 +   ​deny ​  ip 172.2X.0.0 0.0.255.255 172.2X.0.0 0.0.255.255
 +   ​remark NAT traffic which goes to the Internet
 +   ​permit ip 172.2X.0.0 0.0.255.255 any
 +   ​remark Do not NAT anything else - and log anything that gets this far
 +   ​deny ​  ip any any log
 +
 +Link the access list and the address pool together:
 +
 +  ip nat inside source list NATplus pool CAMPUSX overload
 +
 +The command you have just entered will look for incoming packets matching the NATplus list, and translate them into the address specified in CAMPUSX. The "​overload"​ command ensures that the router can map many internal addresses to the small range of external public addresses. Without "​overload",​ the router NAT will simply map one internal address to one external address - and with only 14 addresses in the CAMPUSX pool, that would mean only 14 internal addresses would be NATed before the pool is exhausted.
 +
 +Now add address translation to the network interfaces:
 +
 +  interface FastEthernet0/​0
 +   ​description Link to NREN
 +   ip nat outside
 +  ! 
 +  interface FastEthernet0/​1
 +   ​description Link to Core Router
 +   ip nat inside
 +  ! 
 +
 +===== Testing =====
 +
 +Log into one of your switches. These have addresses in the 172.2X.0.0/​16 range.
 +
 +Can you ping your border router?
 +
 +Now try to ping one of the NREN Transit routers on 10.10.0.201 or 10.10.0.202 - does it work?
 +
 +Can you ping 10.10.0.254?​ This is the default gateway in the workshop network.
 +
 +The Transit routers don't know anything about your 172.2X.0.0/​16 so if the Network Address Translation is working then the original IP address of the packet has been translated into the range:
 +
 +  100.68.X.33 100.68.X.46
 +  ​
 +You can use the command
 +
 +  show ip nat translations
 +
 +on your Border router to see what's happening.
 +
 +Can you ping hosts on the wider Internet from one of your switches? For example, can you ping **8.8.8.8**?​
 +
 +If the ping works, try using **trace** to **8.8.8.8**. What do you see?
  
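Review bot: The last entry of the NATplus access list, `deny ip any any log`, is remarked as logging anything that gets this far, but the Testing section never asks students to look at what that entry caught. Consider adding a step alongside `show ip nat translations` that has them run `show access-lists NATplus` on the border router and compare the match counters on the deny and permit entries. That would show which traffic is being translated and which is skipped or logged. A smaller wording point in the paragraph after `ip nat inside source list NATplus pool CAMPUSX overload`: "overload" is a keyword on that command rather than a command of its own. Also, "incoming packets" only has a defined meaning once `ip nat inside` is applied to FastEthernet0/1 in the following step, so the paragraph could say "packets arriving on the inside interface". The range shown as `100.68.X.33 100.68.X.46` in Testing would read more clearly with an explicit "to" or dash between the two addresses.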
master/cnd/nat-lab.txt · Last modified: 2016/03/24 10:04 by philip