
Sunday, May 18, 2014

CCNA: 1. Network Address Translation

NAT allows a host that does not have a valid registered IP address to communicate with other hosts on the Internet.
NAT translates, or changes, one or both IP addresses inside a packet as it passes through a router.

Static NAT

With static NAT:
- A particular Inside Local address always maps to the same Inside Global (public) IP address.
- If used, each Outside Local address always maps to the same Outside Global (public) IP address.
- Static NAT does not conserve public IP addresses.

Note: Although static NAT does not help with IP address conservation, static NAT does allow an engineer to make an inside server host available to clients on the Internet, because the inside server will always use the same public IP address.

For the NAT labs we will use the same topology as for all BGP labs.
Router R2 will be shut down so that R1 is the only exit point of the Enterprise, and thus the only NAT router.
Router R102 will be shut down so that ISP1 is the only ISP available to the Enterprise.
Routers R3, R4 and R5 will be considered hosts with the following addresses: 10.1.0.13, 10.1.0.10, 10.1.0.1.

R3(config)#no router ospf 1
R4(config)#no router ospf 1
R5(config)#no router ospf 1

So R1 will have only these interfaces UP:
R1#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol    
Serial0/0                  10.1.0.14       YES NVRAM  up                    up    
FastEthernet0/1            201.1.1.1       YES NVRAM  up                    up      
Serial0/2                  10.1.0.25       YES NVRAM  up                    up    
 
Static NAT configuration:

R1(config)#interface serial 0/0
R1(config-if)#ip nat inside 
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip nat outside 

R1(config)#ip nat inside source static 10.1.0.13 201.1.1.1
(10.1.0.13 is the Inside Local address; 201.1.1.1 is the Inside Global address.)

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 201.1.1.1          10.1.0.13          ---                ---

We should also make sure routing works in both directions: R1 needs routes back to the host subnets, and the host routers need a default route pointing toward the edge router R1.

R1(config)#ip route 10.1.0.0 255.255.255.252 10.1.0.13
R1(config)#ip route 10.1.0.8 255.255.255.252 10.1.0.13
R3(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.14
R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.9
R5(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.2

Now, let's simulate some traffic from inside host R3 to the Internet address 201.1.1.2 (ISP1):

R3#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/26/56 ms

R1 records this connection (traffic) in the NAT table, also specifying the protocol (icmp):
R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 201.1.1.1:3       10.1.0.13:3        201.1.1.2:3        201.1.1.2:3
--- 201.1.1.1          10.1.0.13          ---                ---

Let's also simulate some TCP traffic from R3 to ISP1 using telnet:

R3#telnet 201.1.1.2    
Trying 201.1.1.2 ... Open


Password required, but none set

[Connection to 201.1.1.2 closed by foreign host]

R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
tcp 201.1.1.1:62630    10.1.0.13:62630    201.1.1.2:23       201.1.1.2:23
--- 201.1.1.1          10.1.0.13          ---                ---

Since we have a single static NAT mapping (for R3's IP address), other routers will not be able to reach ISP1 because they are not translated by R1:

R4#ping 10.1.0.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/56 ms

R4#ping 201.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/17/56 ms

R4#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 201.1.1.1          10.1.0.13          ---                ---

Dynamic NAT

Dynamic NAT (without PAT), like static NAT, creates a one-to-one mapping between an Inside Local and Inside Global address.
However, unlike static NAT, it does so by defining a set or pool of Inside Local and Inside Global addresses, and dynamically mapping pairs of addresses as needed.

Dynamic NAT and PAT

NAT overloading, also known as Port Address Translation (PAT), is the NAT feature that actually provides the significant savings of IP addresses.
PAT works by making large numbers of TCP or UDP flows from many Inside Local hosts appear to be the same number of large flows from one (or a few) host’s Inside Global addresses.
With PAT, instead of just translating the IP address, NAT also translates the port numbers as necessary. And because the port number fields are 16 bits in length, each Inside Global IP address can support over 65,000 concurrent TCP and UDP flows.

=> in a network with 1000 hosts, a single public IP address used as the only Inside Global address could handle an average of six concurrent flows from each host to and from hosts on the Internet.

Using the same topology, the same IP addresses, the same default routes and the same active links, we will first erase the static NAT config and configure PAT:

R1(config)#no ip nat inside source static 10.1.0.13 201.1.1.1
R1#clear ip nat translation *
R1#clear ip nat statistics

R1(config)#interface serial 0/0
R1(config-if)#ip nat inside 
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip nat outside

Let's create the address pool:

R1(config)#ip nat pool CCNPLABS 201.1.1.1 201.1.1.1 netmask 255.255.255.252

Let's specify the allowed inside local addresses - we will permit the IP addresses of R3 and R5 and deny everything else (R4).

R1(config)#access-list 1 permit 10.1.0.12 0.0.0.3
R1(config)#access-list 1 permit 10.1.0.0 0.0.0.3
(The implicit deny at the end of the ACL takes care of all other source addresses.)

Now we should make the NAT connection between the Inside Local allowed addresses and the Inside Global pool:

R1(config)#ip nat inside source list 1 pool CCNPLABS overload

Verification:

R1#show ip nat translations 

R1#

The NAT statistics show that no hits or misses have occurred. Hits occur when NAT looks for a mapping, and finds one. Misses occur when NAT looks for a NAT table entry, does not find one, and then needs to dynamically add one.

R1#show ip nat statistics   
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  Serial0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool CCNPLABS refcount 0
 pool CCNPLABS: netmask 255.255.255.252
        start 201.1.1.100 end 201.1.1.101
        type generic, total addresses 2, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Now, let's verify the translation process by pinging R101 from R3 and R5 (both should be allowed) and from R4 (should be denied):

R3#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/52 ms

R5#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/64 ms

R4#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 201.1.1.1:6       10.1.0.1:6         201.1.1.2:6        201.1.1.2:6
icmp 201.1.1.1:9       10.1.0.13:9        201.1.1.2:9        201.1.1.2:9

R1#show ip nat statistics   
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  Serial0/0
Hits: 18  Misses: 2
CEF Translated packets: 20, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 pool CCNPLABS refcount 2
 pool CCNPLABS: netmask 255.255.255.252
        start 201.1.1.1 end 201.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Above, the 2 “misses” are the first packet of each ping (one from R3 and one from R5): that packet did not have a matching entry in the table, so it triggered NAT to add an entry.
The two hosts then sent and received 18 more packets, counted as “hits” because an entry already existed in the table. Each host sends 5 echo requests and receives 5 echo replies, so the total is 18 + 2 = 20 translated packets.
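To make the table and counter behaviour concrete, here is a small Python model of inside source NAT that covers both scenarios on this page: the static mapping from the first lab and the ACL + pool + overload (PAT) configuration from the second, including the hit/miss counters. This is an added example, not code from the blog or from Cisco IOS, and it simplifies a few things that are stated as assumptions in the comments: a statically mapped host bypasses the ACL, an inside-global port is changed only when it would collide with an existing entry (then the next free port is taken), and reply packets arriving from the outside are counted as hits just like outbound packets, which is what the 18 + 2 = 20 arithmetic above implies. The hosts, addresses, ACL and pool are the ones from the labs.

```python
"""Toy model of Cisco-style inside source NAT: static entries, a dynamic
pool with overload (PAT), a standard ACL choosing which inside-local sources
are translated, and hit/miss counters.  Added example, not IOS code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def acl_permits(acl, src):
    """Standard ACL with wildcard masks: first match wins, implicit deny at the end."""
    s = int(IPv4Address(src))
    for action, net, wildcard in acl:
        n, w = int(IPv4Address(net)), int(IPv4Address(wildcard))
        if (s | w) == (n | w):          # bits set in the wildcard are "don't care"
            return action == "permit"
    return False


@dataclass
class NatRouter:
    acl: list                                   # [(action, network, wildcard), ...]
    pool: list                                  # inside-global addresses
    overload: bool = True                       # PAT: share one global address by port
    static: dict = field(default_factory=dict)  # inside-local -> inside-global
    table: dict = field(default_factory=dict)   # (proto, local, lport) -> (global, gport)
    hits: int = 0
    misses: int = 0

    def _allocate(self, local, port):
        """Pick the inside-global address:port for a new flow, or None if the pool is exhausted."""
        if local in self.static:                # assumption: static hosts keep their port
            return (self.static[local], port)
        used = set(self.table.values())
        for g in self.pool:
            if self.overload:
                gport = port
                while (g, gport) in used:       # assumption: change the port only on collision
                    gport = gport + 1 if gport < 65535 else 1024
                return (g, gport)
            if all(v[0] != g for v in used):    # one-to-one dynamic NAT: whole address is taken
                return (g, port)
        return None

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside. Returns the translated 5-tuple, or None if R1 does not translate it."""
        if src not in self.static and not acl_permits(self.acl, src):
            return None                         # not a NAT candidate: no entry, no statistics
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1
        else:
            self.misses += 1                    # first packet of a flow creates the entry
            entry = self._allocate(src, sport)
            if entry is None:
                return None
            self.table[key] = entry
        g, gport = self.table[key]
        return (proto, g, gport, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: reverse lookup on inside-global address:port (counted as a hit)."""
        for (p, local, lport), (g, gport) in self.table.items():
            if p == proto and (g, gport) == (dst, dport):
                self.hits += 1
                return (proto, src, sport, local, lport)
        return None                             # no entry: an unsolicited packet is dropped


def lab_static_nat():
    """First lab: static 10.1.0.13 -> 201.1.1.1; R4 (10.1.0.10) has no mapping at all."""
    r1 = NatRouter(acl=[], pool=[], static={"10.1.0.13": "201.1.1.1"})
    r3_telnet = r1.outbound("tcp", "10.1.0.13", 62630, "201.1.1.2", 23)
    r4_ping = r1.outbound("icmp", "10.1.0.10", 1, "201.1.1.2", 1)
    return r3_telnet, r4_ping


def lab_pat_pings():
    """Second lab: ACL 1 permits R3 and R5, pool CCNPLABS = 201.1.1.1 with overload.
    R3, R5 and R4 each send 5 ICMP echoes (constructed identifiers) to ISP1."""
    r1 = NatRouter(acl=[("permit", "10.1.0.12", "0.0.0.3"),
                        ("permit", "10.1.0.0", "0.0.0.3")],
                   pool=["201.1.1.1"], overload=True)
    replies = {}
    for host, ident in (("10.1.0.13", 9), ("10.1.0.1", 6), ("10.1.0.10", 7)):
        replies[host] = 0
        for _ in range(5):
            out = r1.outbound("icmp", host, ident, "201.1.1.2", ident)
            if out is None:
                continue                        # dropped before NAT: denied by ACL
            _, g, gport, dst, dport = out
            back = r1.inbound("icmp", dst, dport, g, gport)   # ISP1 answers to 201.1.1.1
            if back is not None and back[3] == host:
                replies[host] += 1
    return r1, replies


if __name__ == "__main__":
    r1, replies = lab_pat_pings()
    print(f"Hits: {r1.hits}  Misses: {r1.misses}  replies: {replies}")
```

Running the PAT scenario yields `Hits: 18  Misses: 2` with 5 replies for R3 and R5 and 0 for R4, which matches the `show ip nat statistics` output above; the static scenario translates R3's telnet to `201.1.1.1:62630` and leaves R4's ping untranslated. A third case worth trying is two permitted hosts using the same source port: the second flow gets the next free inside-global port, which is the "translates the port numbers as necessary" part of PAT that these labs did not happen to trigger.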

Now let's see some nat translations and statistics for telnet sessions opened from R3 and R5 to R101.

R1#clear ip nat statistics 
R1#clear ip nat translation *

R101(config)#line vty 0 4
R101(config-line)#password ccnp
R101(config-line)#login

R3#telnet 201.1.1.2
Trying 201.1.1.2 ... Open


User Access Verification

Password:
R101>

R5#telnet 201.1.1.2
Trying 201.1.1.2 ... Open


User Access Verification

Password:
R101>

Verifying on R1:

R1#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
tcp 201.1.1.1:48613    10.1.0.1:48613     201.1.1.2:23       201.1.1.2:23
tcp 201.1.1.1:41980    10.1.0.13:41980    201.1.1.2:23       201.1.1.2:23

R1#show ip nat statistics   
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  Serial0/0
Hits: 46  Misses: 2
CEF Translated packets: 48, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 pool CCNPLABS refcount 2
 pool CCNPLABS: netmask 255.255.255.252
        start 201.1.1.1 end 201.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

While making all the above configs and verifications, R4 still does not have connectivity to R101 due to the access list we configured earlier:

R4#telnet 201.1.1.2
Trying 201.1.1.2 ...
% Connection timed out; remote host not responding

R4#ping 201.1.1.2  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4's attempts to reach R101 are not registered as translations, nor do those packets count toward the statistics (the Hits and Misses values are unchanged):

R1#show ip nat statistics   
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  Serial0/0
Hits: 46  Misses: 2
CEF Translated packets: 48, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 pool CCNPLABS refcount 2
 pool CCNPLABS: netmask 255.255.255.252
        start 201.1.1.1 end 201.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Note: For more details about this topic, check out CCIE Routing and Switching Certification Guide, Fourth Edition, Wendell Odom, Rus Healy, Denise Donohue, Cisco Press.
