Saturday, February 22, 2020

Static NAT on Cisco IOS

Let’s take a look at how to configure static NAT on a Cisco router. Here’s the topology I will use:
[Figure: static NAT topology with inside and outside interfaces]
Above you see 3 routers called Host, NAT and Web1. Imagine our host is on our LAN and the webserver is somewhere on the Internet. Our NAT router in the middle is our connection to the Internet.
There’s a cool trick on our routers that we can use. It’s possible to disable “routing” on a router which turns it into a normal host that requires a default gateway. This is very convenient because it will save you the hassle of connecting real computers/laptops to GNS3.
Host(config)#no ip routing
Web1(config)#no ip routing
Use no ip routing to disable the routing capabilities. The routing table is now gone; let me show you:
Host#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Web1#show ip route 
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
As you can see the routing table is gone. We’ll have to configure a default gateway on router Host and Web1 or they won’t be able to reach each other:
Host(config)#ip default-gateway 192.168.12.2
Web1(config)#ip default-gateway 192.168.23.2
Both routers can use router NAT as their default gateway. Let’s see if they can reach each other:
Host#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
Reachability is no issue as you can see. Now let me show you a neat trick:
Web1#debug ip packet 
IP packet debugging is on
I can use debug ip packet to see the IP packets that I receive. DON’T do this on a production network or you’ll be overburdened with traffic! Now let’s send that ping again…
Web1#
IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
Above you see that our router has received an IP packet with source IP address 192.168.12.1 and destination IP address 192.168.23.3.
IP: tableid=0, s=192.168.23.3 (local), d=192.168.12.1 (FastEthernet0/0), routed via RIB
And it will reply with an IP packet that has source address 192.168.23.3 and destination address 192.168.12.1.
Now let’s configure NAT so you can see the difference:
NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat inside
NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat outside
First we’ll have to configure the inside and outside interfaces. Our host is the “LAN” side so it’s the inside. Our webserver is “on the Internet” so it’s the outside of our network. Now we can configure our static NAT rule:
NAT(config)#ip nat inside source static 192.168.12.1 192.168.23.2
We use the ip nat inside source static command to translate an inside IP address (192.168.12.1) to an address on the outside network (192.168.23.2). IOS calls these the inside local and inside global addresses.
NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.23.2       192.168.12.1       ---                ---
You can use the show ip nat translations command to verify our configuration. Now let’s send another ping and see if this configuration does anything…
Host#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
Web1#
IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
See the difference? The packet that the webserver receives from the host has source IP address 192.168.23.2.
Web1#
IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via RIB
And when it responds the destination IP address is 192.168.23.2.
Now we know that static NAT is working.
In the example I just showed you our webserver doesn’t require a default gateway anymore. The packets are translated to 192.168.23.2 and this network is directly connected for the webserver.
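The translation observed above, modelled in Python as an added example (not part of the original lesson and not Cisco code): it parses the show ip nat translations output and the two debug ip packet lines from this page, then checks that rewriting in each direction reproduces them. The function names are illustrative assumptions.

```python
import re

# Copied from the page: "show ip nat translations" on router NAT.
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.23.2       192.168.12.1       ---                ---
"""
# Copied from the page: what "debug ip packet" printed on Web1 after NAT was enabled.
DEBUG_RX = "IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1"
DEBUG_TX = ("IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 "
            "(FastEthernet0/0), routed via RIB")

def parse_static(show_output):
    """Return {inside_local: inside_global} for simple static entries ('---' protocol)."""
    table = {}
    for line in show_output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "---" and f[3] == f[4] == "---":
            table[f[2]] = f[1]
    return table

def parse_debug(line):
    """Extract (source, destination) from a 'debug ip packet' line."""
    src = re.search(r"\bs=([\d.]+)", line).group(1)
    dst = re.search(r"\bd=([\d.]+)", line).group(1)
    return src, dst

def inside_to_outside(src, dst, table):
    """Packet arriving on the 'ip nat inside' interface: the source is rewritten."""
    return table.get(src, src), dst

def outside_to_inside(src, dst, table):
    """Packet arriving on the 'ip nat outside' interface: the destination is rewritten.
    A static entry is always in the table, so this applies to any outside source,
    not only to replies; filter the outside interface if that is not intended."""
    to_local = {glob: local for local, glob in table.items()}
    return src, to_local.get(dst, dst)

def matches_debug(table):
    """True if the model reproduces both debug lines captured on Web1."""
    ping = inside_to_outside("192.168.12.1", "192.168.23.3", table)
    reply = parse_debug(DEBUG_TX)
    return ping == parse_debug(DEBUG_RX) and \
        outside_to_inside(*reply, table) == ("192.168.23.3", "192.168.12.1")

if __name__ == "__main__":
    print(parse_static(SHOW_NAT), matches_debug(parse_static(SHOW_NAT)))
```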
hostname Host
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
no ip routing
!
ip default-gateway 192.168.12.2
!
end
hostname NAT
!
interface FastEthernet0/0
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
!
interface FastEthernet1/0
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
!
ip nat inside source static 192.168.12.1 192.168.23.2
!
end
hostname Web1
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
no ip routing
!
ip default-gateway 192.168.23.2
!
end

I hope this helps you to understand NAT. In another lesson I will demonstrate dynamic NAT and PAT to you. If you enjoyed this lesson please share it or leave a comment!
