Task 1: Configure Static NAT

Configure NAT outside on interface Gig1 (WAN) and NAT inside on Loopback1 (LAN).
CSRv#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up
GigabitEthernet2       unassigned      YES NVRAM  administratively down down
Loopback1              10.1.1.200      YES manual up                    up
CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#interface g1
CSRv(config-if)#ip nat ?
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation
CSRv(config-if)#ip nat outside
CSRv(config-if)#interface loopback1
CSRv(config-if)#ip nat inside
Configure a Static NAT (one-to-one) translation for the internal host 10.1.1.200 (web server) to the mapped/translated IP address 192.168.1.200. A static mapping is permanent and bidirectional: for as long as it is configured, any outside host can initiate a connection to 192.168.1.200 and reach 10.1.1.200. The translation publishes the server rather than protecting it, so any filtering still has to be done with an access list on the outside interface.
CSRv(config)#ip nat ?
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  name         Rule name
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  settings     NAT general settings
  switchover   NAT datapath switchover
  translation  NAT translation entry configuration
CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
CSRv(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
CSRv(config)#ip nat inside source static 10.1.1.200 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address
CSRv(config)#ip nat inside source static 10.1.1.200 192.168.1.200
Enable the HTTP (web) server on the CSRv router; its Loopback1 address 10.1.1.200 is the "web server" that the static mapping publishes. Note that ip http server is the router's own management web interface, served over cleartext HTTP. Outside a lab, prefer ip http secure-server and restrict clients with ip http access-class (both options appear in the help output below).
CSRv(config)#ip http ?
  HSTS-Header                    Enable HTTP secure server HSTS header
  access-class                   Restricted http server access by access-class
  active-session-modules         Set up active http server session modules
  auth-retry                     Maximum number of authentication retry attempt
  authentication                 Set http server authentication method
  banner                         Enable http server banner
  banner-path                    HTML Banner Path
  client                         Set http client parameters
  digest                         Set http digest parameters
  help-path                      HTML help root URL
  max-connections                Set maximum number of concurrent http server connections
  path                           Set base path for HTML
  port                           Set http server port
  secure-active-session-modules  Set up active http secure server session modules
  secure-ciphersuite             Set http secure server ciphersuite
  secure-client-auth             Set http secure server with client authentication
  secure-port                    Set http secure server port number for listening
  secure-server                  Enable HTTP secure server
  secure-trustpoint              Set http secure server certificate trustpoint
  server                         Enable http server
  session-idle-timeout           Set http server session idle timeout
  session-module-list            Set up a http(s) server session module list
  timeout-policy                 Set http server time-out policy parameters
  tls-version                    Set TLS version for HTTP secure server
  upload                         File upload
CSRv(config)#ip http server
Access the web server (10.1.1.200) from the management PC (192.168.1.100) by browsing to its translated address, 192.168.1.200. Then verify the active NAT translations and statistics on the router with the show ip nat translations and show ip nat statistics commands.
CSRv#show ip nat ?
  bpa           Bulk Port Allocation information
  limits        Limit statistics
  pool          Pool and port statistics
  portblock     TCP/UDP port blocks allocated for NAT
  statistics    Translation statistics
  translations  Translation entries
CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  192.168.1.200         10.1.1.200            ---                   ---
tcp  192.168.1.200:80      10.1.1.200:80         192.168.1.100:52285   192.168.1.100:52285
Total number of translations: 2

The first row is the static mapping itself: no protocol and no outside addresses, and it stays in the table for as long as the command is configured. The second row is the extended entry created by the management PC's TCP session to port 80; it records the outside host and its ephemeral port 52285 so that return traffic can be matched back to the session.

CSRv#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 650  Misses: 14
Expired translations: 13
Dynamic mappings:
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
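To make the verification step repeatable, for instance in a change-validation script, the following Python example parses show ip nat translations output and reports which inside hosts are exposed through static one-to-one mappings. It is an added example written for this page, not part of the original lab and not Cisco code. The sample text is the output shown on this page (Task 1 here, and the Task 2 ICMP entry further down), re-typed in the standard column layout; the allowlist of approved mappings is a constructed example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 'show ip nat translations' output copied from this lab: Task 1 (static NAT plus
# one HTTP session from the management PC) and Task 2 (PAT only, after the ping).
TASK1_TRANSLATIONS = """\
Pro  Inside global         Inside local          Outside local         Outside global
---  192.168.1.200         10.1.1.200            ---                   ---
tcp  192.168.1.200:80      10.1.1.200:80         192.168.1.100:52285   192.168.1.100:52285
Total number of translations: 2
"""

TASK2_TRANSLATIONS = """\
Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.201:1      10.1.1.200:1          8.8.8.8:1             8.8.8.8:1
Total number of translations: 1
"""

# A table row always has an IPv4 address (optionally :port) in the second column;
# the header and the 'Total number of translations' line do not.
_ADDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: Optional[int]  # None when the column carries a bare address


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]  # None for the protocol-less '---' static entry
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]

    @property
    def is_static_host(self) -> bool:
        # A one-to-one static mapping prints with no protocol and no outside
        # addresses. It exists as long as it is configured and lets any outside
        # host initiate traffic to the inside host, which is what we audit for.
        return self.proto is None and self.outside_global is None


def _endpoint(field: str) -> Optional[Endpoint]:
    if field == "---":
        return None
    addr, sep, port = field.rpartition(":")
    return Endpoint(addr, int(port)) if sep else Endpoint(field, None)


def parse_translations(text: str) -> List[Translation]:
    """Parse the table rows; the header and the 'Total ...' line are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not _ADDR.match(fields[1]):
            continue
        proto = None if fields[0] == "---" else fields[0].lower()
        rows.append(Translation(proto, _endpoint(fields[1]), _endpoint(fields[2]),
                                _endpoint(fields[3]), _endpoint(fields[4])))
    return rows


def parse_total(text: str) -> Optional[int]:
    """The router's own count, useful to cross-check against len(parse_translations())."""
    m = re.search(r"Total number of translations:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def exposed_hosts(rows: List[Translation]) -> Dict[str, str]:
    """inside local -> inside global for every static one-to-one mapping."""
    return {t.inside_local.addr: t.inside_global.addr for t in rows if t.is_static_host}


def unexpected_exposure(rows: List[Translation], allowed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Static mappings that are not in the approved allowlist (local, global)."""
    return [(l, g) for l, g in exposed_hosts(rows).items() if allowed.get(l) != g]


if __name__ == "__main__":
    # Constructed allowlist: only the lab web server may be published.
    approved = {"10.1.1.200": "192.168.1.200"}
    rows = parse_translations(TASK1_TRANSLATIONS)
    print("rows parsed:", len(rows), "router total:", parse_total(TASK1_TRANSLATIONS))
    print("statically exposed:", exposed_hosts(rows))
    print("unexpected exposure:", unexpected_exposure(rows, approved))
```

Run against a live capture, the same functions flag a static mapping that nobody approved, which is the NAT equivalent of an unexpected open port on the outside interface.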
Task 2: Configure Dynamic NAT (with PAT)

Configure a standard named ACL that matches the source (interesting) traffic from the 10.1.1.0/24 LAN subnet.
CSRv(config)#ip access-list ?
  extended             Extended Access List
  helper               Access List acts on helper-address
  log-update           Control access list log updates
  logging              Control access list logging
  match-local-traffic  Enable ACL matching for locally generated traffic
  persistent           enable persistency across reload
  resequence           Resequence Access List
  role-based           Role-based Access List
  standard             Standard Access List
CSRv(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name
CSRv(config)#ip access-list standard DYNAMIC_NAT
CSRv(config-std-nacl)#?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
CSRv(config-std-nacl)#permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
CSRv(config-std-nacl)#permit 10.1.1.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
CSRv(config-std-nacl)#permit 10.1.1.0 0.0.0.255
Configure a NAT pool that uses a single translated IP address, 192.168.1.201.
CSRv(config)#ip nat pool ?
  WORD  Pool name
CSRv(config)#ip nat pool NAT_POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 ?
  A.B.C.D  End IP address
CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length
CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask ?
  A.B.C.D  Network mask
CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask 255.255.255.0
Configure Dynamic NAT with overload (PAT) for the inside network. Overload lets many inside hosts share the single global address in the pool: each outbound flow is identified by its inside source address and (ephemeral) source port, and the router rewrites the source to 192.168.1.201 and a global port that is unique for that flow, so return traffic can be mapped back to the right inside host. Translations are created only by inside-to-outside traffic; a packet arriving from the outside for 192.168.1.201 that matches no existing entry is dropped and counted under Out-to-in drops in show ip nat statistics.
CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
CSRv(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses
CSRv(config)#ip nat inside source list DYNAMIC_NAT ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
CSRv(config)#ip nat inside source list DYNAMIC_NAT pool ?
  WORD  Pool name for global addresses
CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL ?
  oer         Use with vtemplate only. On new translation, if OER BR is UP, OER will
              select IP from outgoing Interface. All packets matching translation are
              forwarded over Interface for duration of translation.
  overload    Overload an address translation
  redundancy  NAT redundancy operation
  vrf         Specify vrf
  <cr>
CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL overload
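The behaviour of the overload rule just configured (flows keyed by source port, one shared global address, return traffic admitted only for existing entries, static hosts reachable regardless) can be modelled in a few dozen lines. The following Python is an added example written for this page, not IOS code and not from the original lab. It uses the page's addresses (192.168.1.201 as the pool address, 10.1.1.200 and 192.168.1.200 for the Task 1 static mapping); the inside hosts 10.1.1.10 and 10.1.1.11, the outside peer ports, and the port-allocation strategy (keep the original port when free, otherwise the lowest free port from 1024) are assumptions for illustration, not a statement about how IOS chooses ports.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# 5-tuple used as the translation key: (proto, src, sport, dst, dport).
# For ICMP the echo identifier stands in for the port, as in the icmp row of
# 'show ip nat translations'.
Tuple5 = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatOverload:
    """Model of 'ip nat inside source list ... pool ... overload' with a single
    global address, plus optional static one-to-one mappings for contrast.
    Port selection (reuse the original port if free, else the lowest free port
    from 1024) is an illustrative assumption, not a description of IOS."""

    def __init__(self, inside_global: str, static: Optional[Dict[str, str]] = None):
        self.inside_global = inside_global
        self.static = dict(static or {})           # inside local -> inside global
        self.out_table: Dict[Tuple5, Tuple5] = {}   # inside 5-tuple -> translated 5-tuple
        self.in_table: Dict[Tuple5, Tuple5] = {}    # translated 5-tuple -> inside 5-tuple
        self.used_ports: Dict[str, Set[int]] = {}   # proto -> global ports in use
        self.out_to_in_drops = 0

    def _alloc_port(self, proto: str, wanted: int) -> int:
        used = self.used_ports.setdefault(proto, set())
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def in_to_out(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a translation and rewrite the source."""
        key: Tuple5 = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            if pkt.src in self.static:                    # a static mapping wins over the dynamic rule
                gaddr, gport = self.static[pkt.src], pkt.sport
            else:
                gaddr, gport = self.inside_global, self._alloc_port(pkt.proto, pkt.sport)
            xl: Tuple5 = (pkt.proto, gaddr, gport, pkt.dst, pkt.dport)
            self.out_table[key] = xl
            self.in_table[xl] = key
        _, gaddr, gport, _, _ = self.out_table[key]
        return Packet(pkt.proto, gaddr, gport, pkt.dst, pkt.dport)

    def out_to_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only an existing entry or a static host admits the packet."""
        xl: Tuple5 = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if xl in self.in_table:
            _, laddr, lport, _, _ = self.in_table[xl]
            return Packet(pkt.proto, pkt.src, pkt.sport, laddr, lport)
        for laddr, gaddr in self.static.items():
            if gaddr == pkt.dst:                          # unsolicited, but statically published
                return Packet(pkt.proto, pkt.src, pkt.sport, laddr, pkt.dport)
        self.out_to_in_drops += 1                         # no translation: an 'Out-to-in drop'
        return None


def demo() -> Dict[str, object]:
    """Two inside hosts pick the same ephemeral port; one global address serves both."""
    nat = NatOverload("192.168.1.201")
    a = nat.in_to_out(Packet("tcp", "10.1.1.10", 52285, "8.8.8.8", 443))
    b = nat.in_to_out(Packet("tcp", "10.1.1.11", 52285, "8.8.8.8", 443))
    reply_b = nat.out_to_in(Packet("tcp", "8.8.8.8", 443, "192.168.1.201", b.sport))
    unsolicited = nat.out_to_in(Packet("tcp", "192.168.1.100", 40000, "192.168.1.201", 80))
    return {"a": a, "b": b, "reply_b": reply_b, "unsolicited": unsolicited, "drops": nat.out_to_in_drops}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second host's flow collides on port 52285 and is given a different global port, the reply to that port is steered back to 10.1.1.11, and the unsolicited connection to 192.168.1.201:80 is dropped. With the Task 1 static mapping loaded into the same model, an unsolicited packet to 192.168.1.200:80 does reach 10.1.1.200, which is the exposure the earlier caveat describes.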
Remove the Static NAT policy and clear the previous NAT translations and statistics. Static entries are not touched by clear ip nat translation *, which deletes dynamic translations only (as the help text below states), so the static mapping has to be removed from the configuration first. Once it is gone, 10.1.1.200 is translated by the dynamic rule instead. Notice that the global (translated) IP address is now 192.168.1.201.
CSRv(config)#no ip nat inside source static 10.1.1.200 192.168.1.200
CSRv(config)#end
CSRv#
Dec 14 15:00:47.837: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (192.168.1.100)
CSRv#clear ip nat ?
  statistics   Clear translation statistics
  translation  Clear dynamic translation
CSRv#clear ip nat translation ?
  *           Delete all dynamic translations
  esp         Encapsulating Security Payload
  forced      Delete all dynamic translations (forcefully)
  inside      Inside addresses (and ports)
  outside     Outside addresses (and ports)
  redundancy  Delete all dynamic translation in an RG instance (forcefullly)
  tcp         Transmission Control Protocol
  udp         User Datagram Protocol
  vrf         Delete all dynamic translation in a VRF instance
CSRv#clear ip nat translation *
CSRv#ping 8.8.8.8 source 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/14 ms
CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.201:1      10.1.1.200:1          8.8.8.8:1             8.8.8.8:1
Total number of translations: 1

For ICMP the echo identifier takes the place of a port (here 1), which is why the entry reads 192.168.1.201:1 for 10.1.1.200:1. The statistics below now report 0 static and 1 dynamic translation, and the pool shows its single address fully allocated (1 of 1, 100%).

CSRv#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 1361  Misses: 34
Expired translations: 17
Dynamic mappings:
-- Inside Source
[Id: 2] access-list DYNAMIC_NAT pool NAT_POOL refcount 1
 pool NAT_POOL: id 1, netmask 255.255.255.0
        start 192.168.1.201 end 192.168.1.201
        type generic, total addresses 1, allocated 1 (100%), misses 0
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Enable NAT debugging, restricted to traffic that matches the DYNAMIC_NAT access list. On a busy router an unconditional debug ip nat can produce enough output to affect the control plane; conditioning the debug on an ACL, as done here, limits it to the flows of interest.
CSRv#debug ip nat ?
  <1-99>  Access list forced
  WORD    Access list name
  ha      High Availability debugging
CSRv#debug ip nat DYNAMIC_NAT ?
  alg       NAT ALG events
  bind      NAT dynamic translation create/delete events
  detailed  NAT detailed events for ACL based debugging
  drop      NAT Drop events
  ipsec     NAT IPSec events
  limit     NAT max-limit policy events
  mapping   NAT mapping create/delete events
  pap       NAT Paired-address-pooling events
  pool      NAT pool events
  port      NAT PORT events
  route     NAT Static route events
  session   NAT session events
  wlan-nat  WLAN NAT events
  <cr>
CSRv#debug ip nat DYNAMIC_NAT detailed
IP NAT detailed debugging is on for access list DYNAMIC_NAT
CSRv#ping 8.8.8.8 source 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms
Dec 14 15:11:58.398: NAT: attempting to setup alias for 192.168.1.201 (redundancy_name , idb GigabitEthernet1, flags 0x2), rg_id 0 tableid 0 use_tableid 0
Dec 14 15:11:58.398: NAT: installing alias for address 192.168.1.201, addr_flags 0x2, tableid 0
Dec 14 15:11:58.398: NAT: insert dynamic alias 192.168.1.201, addr_flags 0x2
Dec 14 15:11:58.398: NAT: Checking for aliases needed for IPAD list update, IDB(Gi1) address(192.168.1.201) mask(255.255.255.255) type(4) tableid(0) is_delete(FALSE)
Dec 14 15:11:58.398: NAT: IPAD type(4) is not an interface(1)
Dec 14 15:11:58.399: NAT: Notify platform for ipalias address 192.168.1.201 route download

The alias messages show the router installing 192.168.1.201 as an IP alias on GigabitEthernet1 when the first translation to that address is created. The pool address is not configured on any interface, so the alias is what lets the router answer ARP for it on the 192.168.1.0/24 segment and receive the return traffic.