Saturday, December 28, 2019

Configure Static and Dynamic (PAT) on a Cisco IOS Router

Task 1: Configure Static NAT


Configure NAT outside on interface Gig1 (WAN) and NAT inside on Loopback1 (LAN).

CSRv#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up     
GigabitEthernet2       unassigned      YES NVRAM  administratively down down   
Loopback1              10.1.1.200      YES manual up                    up  

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#interface g1
CSRv(config-if)#ip nat ?  
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation

CSRv(config-if)#ip nat outside
CSRv(config-if)#interface loopback1
CSRv(config-if)#ip nat inside


Configure a Static NAT (one-to-one) translation for the internal host 10.1.1.200 (web server) to the mapped/translated IP address 192.168.1.200.

CSRv(config)#ip nat ? 
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  name         Rule name
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  settings     NAT general settings
  switchover   NAT datapath switchover
  translation  NAT translation entry configuration

CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

CSRv(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

CSRv(config)#ip nat inside source static 10.1.1.200 ?  
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

CSRv(config)#ip nat inside source static 10.1.1.200 192.168.1.200


Configure HTTP (web) server on the CSRv router.

CSRv(config)#ip http ?
  HSTS-Header                    Enable HTTP secure server HSTS header
  access-class                   Restricted http server access by access-class
  active-session-modules         Set up active http server session modules
  auth-retry                     Maximum number of authentication retry attempt
  authentication                 Set http server authentication method
  banner                         Enable http server banner
  banner-path                    HTML Banner Path
  client                         Set http client parameters
  digest                         Set http digest parameters
  help-path                      HTML help root URL
  max-connections                Set maximum number of concurrent http server connections
  path                           Set base path for HTML
  port                           Set http server port
  secure-active-session-modules  Set up active http secure server session modules
  secure-ciphersuite             Set http secure server ciphersuite
  secure-client-auth             Set http secure server with client authentication
  secure-port                    Set http secure server port number for listening
  secure-server                  Enable HTTP secure server
  secure-trustpoint              Set http secure server certificate trustpoint
  server                         Enable http server
  session-idle-timeout           Set http server session idle timeout
  session-module-list            Set up a http(s) server session module list
  timeout-policy                 Set http server time-out policy parameters
  tls-version                    Set TLS version for HTTP secure server
  upload                         File upload

CSRv(config)#ip http server


Access the web server (10.1.1.200) from the management PC (192.168.1.100) via its translated address 192.168.1.200.


Verify active NAT translations and statistics on the router using the show ip nat translations and show ip nat statistics commands.

CSRv#show ip nat ?
  bpa           Bulk Port Allocation information
  limits        Limit statistics
  pool          Pool and port statistics
  portblock     TCP/UDP port blocks allocated for NAT
  statistics    Translation statistics
  translations  Translation entries

CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  192.168.1.200         10.1.1.200            ---                   ---
tcp  192.168.1.200:80      10.1.1.200:80         192.168.1.100:52285   192.168.1.100:52285
Total number of translations: 2

CSRv#show ip nat statistics  
Total active translations: 1 (1 static, 0 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 650  Misses: 14
Expired translations: 13
Dynamic mappings:
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0


Task 2: Configure Dynamic NAT (with PAT)

Configure a Standard Named ACL for the source/interesting traffic from the 10.1.1.0/24 LAN subnet.

CSRv(config)#ip access-list ? 
  extended             Extended Access List
  helper               Access List acts on helper-address
  log-update           Control access list log updates
  logging              Control access list logging
  match-local-traffic  Enable ACL matching for locally generated traffic
  persistent           enable persistency across reload
  resequence           Resequence Access List
  role-based           Role-based Access List
  standard             Standard Access List

CSRv(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

CSRv(config)#ip access-list standard DYNAMIC_NAT
CSRv(config-std-nacl)#?    
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

CSRv(config-std-nacl)#permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

CSRv(config-std-nacl)#permit 10.1.1.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

CSRv(config-std-nacl)#permit 10.1.1.0 0.0.0.255


Configure a NAT pool that will use a single translated IP address of 192.168.1.201.

CSRv(config)#ip nat pool ?
  WORD  Pool name

CSRv(config)#ip nat pool NAT_POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 ?
  A.B.C.D  End IP address

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask ?
  A.B.C.D  Network mask

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask 255.255.255.0


Configure Dynamic NAT (NAT overload) for the inside network.

This allows multiple inside hosts, each using dynamically chosen high-numbered (ephemeral) source ports, to be translated to the pool of global IP addresses (here a single address); the translated source port keeps the flows apart.

CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

CSRv(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool ?
  WORD  Pool name for global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL ?
  oer         Use with vtemplate only.  On new translation, if OER BR is UP, OER will select IP from
              outgoing Interface.  All packets matching translation are forwarded over Interface for
              duration of translation.
  overload    Overload an address translation
  redundancy  NAT redundancy operation
  vrf         Specify vrf
  <cr>

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL overload
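The overload behaviour just configured, as an added model (not Cisco code, not from the original post): inside hosts permitted by DYNAMIC_NAT share the one pool address 192.168.1.201 and are told apart by the translated source port. The port-allocation policy and the prefix-based ACL match are assumptions for illustration.

```python
# Added example (not Cisco code): a minimal model of the PAT ("overload")
# behaviour configured above. Every inside host matched by ACL DYNAMIC_NAT is
# translated to the single pool address 192.168.1.201 and told apart by its
# translated source port (or ICMP identifier). The allocation policy used here
# (keep the inside port when free, otherwise take the next free one) is an
# assumption for illustration; IOS may choose ports differently.

GLOBAL_IP = "192.168.1.201"      # the only address in NAT_POOL
INSIDE_PREFIX = "10.1.1."        # hosts permitted by DYNAMIC_NAT (10.1.1.0/24)

class PatTable:
    def __init__(self, global_ip=GLOBAL_IP):
        self.global_ip = global_ip
        self.out = {}    # (inside_ip, inside_port) -> global_port
        self.back = {}   # global_port -> (inside_ip, inside_port)

    def _allocate(self, wanted):
        # Prefer the original port; otherwise scan upward, then wrap to 1024.
        for port in list(range(wanted, 65536)) + list(range(1024, wanted)):
            if port not in self.back:
                return port
        raise RuntimeError("port space exhausted")   # would surface as a drop

    def outbound(self, inside_ip, inside_port):
        """Translate an inside->outside packet; return the global (ip, port)."""
        if not inside_ip.startswith(INSIDE_PREFIX):
            return (inside_ip, inside_port)     # not in the ACL: untranslated
        key = (inside_ip, inside_port)
        if key not in self.out:                 # first packet creates the entry
            gport = self._allocate(inside_port)
            self.out[key] = gport
            self.back[gport] = key
        return (self.global_ip, self.out[key])

    def inbound(self, global_port):
        """Reverse lookup for a packet arriving from outside. Unlike the
        static mapping in Task 1, a PAT entry exists only after an inside
        host has sent traffic, so unsolicited inbound traffic gets None."""
        return self.back.get(global_port)
```

Two inside hosts that happen to pick the same ephemeral port end up on different global ports, which is what lets the router map return traffic back unambiguously.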


Remove the Static NAT policy and clear previous NAT translations and statistics.

Notice the global or translated IP address is now 192.168.1.201.

CSRv(config)#no ip nat inside source static 10.1.1.200 192.168.1.200
CSRv(config)#end
CSRv#
Dec 14 15:00:47.837: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (192.168.1.100)
CSRv#clear ip nat ?
  statistics   Clear translation statistics
  translation  Clear dynamic translation

CSRv#clear ip nat translation ?
  *           Delete all dynamic translations
  esp         Encapsulating Security Payload
  forced      Delete all dynamic translations (forcefully)
  inside      Inside addresses (and ports)
  outside     Outside addresses (and ports)
  redundancy  Delete all dynamic translation in an RG instance (forcefullly)
  tcp         Transmission Control Protocol
  udp         User Datagram Protocol
  vrf         Delete all dynamic translation in a VRF instance

CSRv#clear ip nat translation *

CSRv#ping 8.8.8.8 source 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/14 ms

CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.201:1       10.1.1.200:1          8.8.8.8:1             8.8.8.8:1
Total number of translations: 1

CSRv#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 1361  Misses: 34
Expired translations: 17
Dynamic mappings:
-- Inside Source
[Id: 2] access-list DYNAMIC_NAT pool NAT_POOL refcount 1
 pool NAT_POOL: id 1, netmask 255.255.255.0
        start 192.168.1.201 end 192.168.1.201
        type generic, total addresses 1, allocated 1 (100%), misses 0
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0


Enable NAT debug.

CSRv#debug ip nat ?
  <1-99>  Access list forced
  WORD    Access list name
  ha      High Availability debugging

CSRv#debug ip nat DYNAMIC_NAT ?
  alg       NAT ALG events
  bind      NAT dynamic translation create/delete events
  detailed  NAT detailed events for ACL based debugging
  drop      NAT Drop events
  ipsec     NAT IPSec events
  limit     NAT max-limit policy events
  mapping   NAT mapping create/delete events
  pap       NAT Paired-address-pooling events
  pool      NAT pool events
  port      NAT PORT events
  route     NAT Static route events
  session   NAT session events
  wlan-nat  WLAN NAT events
  <cr>

CSRv#debug ip nat DYNAMIC_NAT detailed
IP NAT detailed debugging is on for access list DYNAMIC_NAT

CSRv#ping 8.8.8.8 source 10.1.1.200  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms

Dec 14 15:11:58.398: NAT: attempting to setup alias for 192.168.1.201 (redundancy_name , idb GigabitEthernet1, flags 0x2), rg_id 0 tableid 0 use_tableid 0
Dec 14 15:11:58.398: NAT: installing alias for address 192.168.1.201, addr_flags 0x2, tableid 0
Dec 14 15:11:58.398: NAT: insert dynamic alias 192.168.1.201, addr_flags 0x2
Dec 14 15:11:58.398: NAT: Checking for aliases needed for IPAD list update, IDB(Gi1) address(192.168.1.201) mask(255.255.255.255) type(4) tableid(0) is_delete(FALSE)
Dec 14 15:11:58.398: NAT: IPAD type(4) is not an interface(1)
Dec 14 15:11:58.399: NAT: Notify platform for ipalias address 192.168.1.201 route download
