Hi, and welcome to this CertificationKits CCNA Training video on Network Address Translation. We are going to talk about what NAT is. We will cover some terms you are going to need to know for NAT, such as static NAT configuration, dynamic NAT configuration, and what we use most often, Port Address Translation; as well as some troubleshooting tips.
NAT allows us to eliminate some of the stress on the public addressing scheme by allowing us to use private addresses on the inside of our network. So inside of our network, we can use private addresses. And when we communicate with the outside world, the public world, we can substitute the IP address. Let’s say the source machine might be 10.0.0.12, a private address, and the public address might have been given to us by our service provider. So our internal machine can still communicate effectively with the outside world even though it has a private IP address that cannot technically be used on the public domain. There are a few different ways we can do NAT.
We can do NAT statically, where we manually map an internal IP address to an external IP address given to us by our service provider. It might be 5.44. NAT itself, NAT technically, is taking one internal IP address and mapping it to one external IP address. So every internal machine that had a private IP address and wanted to communicate with the outside world would technically have a different external IP address that it would use when it was communicating with the outside world. So NAT itself technically translates IP addresses one-to-one. And so this guy has his own public IP; this guy has got his own public IP, and they don’t have to share. There are a couple of different ways to do that. Statically, I can manually say, “Hey, computer C, when you go out to the outside world, you are going to use this IP address right here. Computer B, when you go out, you are going to use the “.46” address.”
Or I could dynamically allow NAT to take place. There are three O’s in there. So I can dynamically allow NAT to take place, and what I would do is create an address pool, let’s say “.44” to “.49”, and I would tell these computers A, B, or C, “Hey, when you are going out, grab any of these available addresses. This says 44 is taken, use 45. Next time you go out, you don’t have to use 45. Use whatever is available.” That way, they use what’s available, and we can get by with fewer IPs than the number of machines, as long as they are able to share and all the machines aren’t going out at one time.
Now what we typically do is what’s called Port Address Translation, where each machine on the internal network shares the same IP address when it goes out, and the router simply keeps track of who is asking for what based on the source port number. Like this guy might be asking for something based on 3893. That’s the source port. His source port might be 4792. This guy’s source port might be 2167. So based on this source port, the router keeps track of what machine this computer is trying to communicate with and what application layer service this machine is trying to access. That’s called Port Address Translation. So we are going to go over each one of these different types of Network Address Translation, as well as configuring Port Address Translation, which is again typically what we use in most environments.
Before we get into the CCNA configuration of static NAT, dynamic NAT and Port Address Translation, we need to know some terms that Cisco uses to describe the different addresses. The first one is Inside Local. What does that mean? Inside, down here if you look, means a machine behind the NAT. So inside is referring to one of these machines like PC1 or PC2 that is an inside machine, and local means the IP address that represents this machine inside of the network. So 10.0.0.99 might be this guy’s IP address. That’s actually assigned to this machine. This would be considered the inside local IP address.
Inside Global would be, again, inside referring to the machine inside, so PC1, but Global would be the IP address the machine uses when it goes out. So if we are using static NAT, one-to-one mapping, when this machine goes out, it uses the IP address 200.1.1.2, so that 200.1.1.2 represents this machine in the global arena, outside the local network. This would be considered PC1’s inside global address. Outside refers to a machine outside. So maybe there is a web server out here; you are hitting it on port 80; the IP address is 2.9.8.63. So outside means a machine outside the private network. So in the public domain is where this machine exists. So here is that machine in the public domain. That’s where the outside comes from.
Local would be the IP address that the internal machine uses to connect to this external address. So actually, if on PC1 I typed 2.9.8.63 in my web browser and it took me to this external machine, the outside local address would be 2.9.8.63. So again, outside is the machine outside the network that I am connecting to, and local is the IP address that my internal machine uses to connect to that external resource. Outside Global is, again, a machine outside the private network, and Global means the IP address it actually uses in the public domain.
These two addresses oftentimes match; the Outside Local and Outside Global addresses match. In some situations, you might have some sort of relay that your internal machine can only access by an internal IP; so you might give this outside machine an internal IP address of 10.0.0., I don’t know, whatever, 57, and this address actually represents a machine on the Outside network. So your internal machine would connect to this IP, and what would happen is it would get relayed to this public address. Not a very common scenario. Most of the time, the Outside Local and Outside Global IP addresses are going to match. Again, Outside just means a machine outside of the private network. Local means the IP address the local machine uses to get to it, which most of the time is the public address, and Global means the actual public address that that external machine uses.
So it’s important to understand these terms as far as the CCNA goes, as well as for being able to read literature and things like that from Cisco on Network Address Translation. Let’s go in and take a look at a CCNA level scenario and configure static NAT. Okay, so this is what I have got configured in my CCNA simulator right now. We are going to be doing Static NAT. Static meaning we are manually going to map an internal IP to an external IP. I have one machine out here that represents the public domain, 20.1.97.38. That’s just the public domain. It’s just one machine, one IP. Obviously, there would be a lot of IPs out there, millions of them, but we are just using one to represent the outside world to be able to test our connectivity.
So between the two routers here, I have the 20.1.97.0 subnet with a 255.255.255.252 mask, which is a “/30” mask; and what that does is it just allows two IPs within this one subnet. And this is basically my service provider right here. This router right here that I am connecting to is the ISP, which is my gateway to the outside world. So as far as routing goes, on Palaestra1 I have put one static route, a default route saying, “Hey, I don’t care where the traffic is going. Send it out this way.” I don’t have any routing protocol set up in this scenario. Palaestra1 knows no matter where the traffic is going, send it to this next hop router.
Since we are going to be running NAT, this private network is hidden from the public world. So on this machine right here, this router, we don’t have to put any routing protocols or anything on there, because this router happens to be directly connected to both of our subnets. We have one subnet here that it knows of, which is the 20.1.97.32 subnet, and we are using a “/28” bit mask. So that’s 255.255.255.240. And again, there would be routing protocols on this router here because it is routing with the rest of the world, whatever routing protocol the ISP is using in its internal autonomous system domain and all that stuff. We are just showing what’s going on in this scenario. I have just got three subnets in here: this public subnet, which is represented by this, the private subnet, which is over here, and then the subnet in between the routers here.
So what usually happens, depending on what our needs are, if we do need some public IPs, is our service provider would assign us a subnet, a public subnet range. So what we have done is the private network is represented publicly by the 20.1.97.48 subnet with the “/28” mask. Again, that mask is 255.255.255.240. So that’s the subnet the outside world knows our private network by. Internally, though, we just have a bunch of private addresses, so we can use millions of internal private addresses, all represented by this one subnet with 14 available good addresses. Maybe we have a few public servers like a web server and Exchange server or whatever that need to have a public address and cannot share that public address with a bunch of other machines. So in this situation, our service provider would assign us a subnet, but we don’t have to actually put those IP addresses on our machines. We can use NAT for that.
So what we are going to be doing first is static NAT, and I am going to say, “Hey, this machine right here, 10.0.0.11, is going to be using the public IP address of 20.1.97.49 when it goes out to the public world.” So the router here will strip off this as a source address and put that as a source address, and 10.0.0.12 will be using IP address 20.1.97.50. So we are just going to tell the router, “Hey, when this machine internally goes out, change the source address to this “.49”. When this “.12” internal machine goes out, change the source address to “.50”.” So let’s go into the CCNA simulator and take a look at how we are going to do that.
I have my trusty CCNA simulator in front of me here, so this is Palaestra1. All the IPs are configured and the default route is configured. So I have to configure NAT. The first thing I am going to do is tell it what interface is the internal interface. I do that by typing ip nat inside on the interface, and it says, “Hey, interface Ethernet0, that’s your inside interface.” Then I go to interface Sr0 and I type ip nat outside. Now there is only one other command I have to do, and it’s a global mode command, well, two because I want to map two, but it’s basically my map command telling it when 10.0.0.11 goes outside, it’s going to be using whatever public IP. So I go ip nat inside source static 10.0.0.11 20.1.97.49: inside, so internal addresses; source, so the internal source address; static, a static mapping; 10.0.0.11 will be using the public IP address, or be known by the public IP address, 20.1.97.49 when it goes to the outside.
And then I am going to edit this command again and say, “Hey, when “.12” is going out, it’s going to be using the IP address of “.50”.” That’s it. That’s NATting statically with valid external public IPs, one for each internal IP. So again, Ethernet0 is the inside interface, Sr0 is the outside interface. And then I say, “Hey, when 10.0.0.11 goes out, I want it to be known as this. When 10.0.0.12 goes out, I want it to be known as this.” Now let’s test it and see how we can view that NAT action as it’s taking place.
So I go to PC1 and I type ping 20.1.97.38, which represents our public IP address, and notice I get a response back. If we go back to Palaestra1 and I do show ip nat translations, check it out. It says, “Hey, you had some action going on there. 10.0.0.12 is the inside local address, meaning the internal machine known by this local IP, and that’s the actual IP assigned to the internal machine. When it went outside, when the internal machine went to the global network, it was using this IP address, 20.1.97.50.” So I actually pinged from PC2, and when it went out, it used 20.1.97.50. So I am pretty cool. If I ping from the other one, it will show me that mapping. show ip nat translations is how we view that, and eventually it times out, so this mapping won’t be in there anymore. But again, this allows me to go in and troubleshoot. I can use show ip nat translations to make sure things are translating.
Let’s go in and take a look at Dynamic NAT Configuration. So just to reiterate static: ip nat inside, ip nat outside, and then what I have to do is say, “ip nat inside source static 10.0.0.11, when it goes out, I want it to be known as this; 10.0.0.12, when it goes to the public network, it will be known as this.” So that’s static NAT. Let’s go in and look at Dynamic NAT Configuration, where either one of these internal machines could use any available IP address from the IP address pool we will create. That way, .12 doesn’t always have to use .50, and .11 doesn’t always have to use .49. So we are going to create an IP address pool that our internal machines can use.
All right, back to our diagram, and this time we are going to be running dynamic NAT, meaning we don’t manually map an internal IP to an external IP. What we do is we create an IP address pool. Remember, this subnet here, right, the 10.0.0.0 private network, as far as the public world is concerned is known as 20.1.97.48 with a /28 mask, which is 255.255.255.240. So what I can do is I can say, “Hey, any internal IP address, anything that’s internal, 10.whatever.whatever.whatever, when it goes out, it can use this address range of 20.1.97.49 to 20.1.97.62.” 63 is the broadcast. So that’s my valid range of IPs that these internal machines can use. And again, what’s nice about this is I can have more internal machines than public IPs. As long as not all of the machines are going out at one time, it will function just fine, but it won’t allow more than 14 machines at a time.
So let’s go in and take a look at that. What we are going to have to do is create a pool of addresses, and we are going to have to tell our router what internal IPs can go out and, again, what address pool they are going to be using when they go to the outside. And we still have to specify this as the outside interface and this as the inside interface. So let’s go into the CCNA simulator and configure dynamic NAT.
I am back at the CCNA router simulator. I have gotten rid of the static NAT configuration and we are going to do the dynamic NAT configuration with the NAT pool. So the first thing, again, I want to do is go to interface Ethernet0 and say, “Hey, this is the inside interface.” Then I want to go to interface Sr0 and say, “Hey, this is the outside interface.” And now I will create my pool of addresses that the router can use: I type ip nat pool and we call it Palaestra, and then I say the first IP address in the pool is going to be 20.1.97.49, the last IP address in the pool is going to be 20.1.97.62, and the network mask, the netmask keyword, is going to be 255.255.255.240. So that’s the pool of addresses that I have created.
Next thing I want to do is say, “Hey, ip nat inside source list 1 pool Palaestra,” and what I am doing is saying the internal addresses, the source internal addresses, that match access list 1 will be permitted to use pool Palaestra. So what it’s saying here is the internal addresses that match access list 1 can use the IP addresses from the NAT pool Palaestra. So that’s basically mapping internal addresses to the external addresses. Again, external addresses are specified by this NAT pool, and the internal addresses are going to be specified by an access list. So at that point, we hit Enter, and now what we have to do is go in and create access list 1. For more information on access lists and how they work, go to the access list video that comes along with this series.
So I am going to go access-list 1. If I don’t create an access list 1, it will not work. And I am going to go, it’s a permit access list, access-list 1 permit 10.0.0.0 0.255.255.255. Just a little bit of info on this. Again, this is a wildcard mask, and it means internal IPs that match the 10 in the first octet. That’s what the 0 in the wildcard mask means: the address has to match the 10 in the first octet. And the 255s just mean it doesn’t care what’s in the other octets. So any internal address that has a 10 in the first octet will be permitted.
And now I can go to my machine, test the ping, and then see my IP NAT translation. I have brought up PC1, and I am going to ping the public address 20.1.97.38. See if I get a reply. I get a reply back, so I know NAT is working. What I can do is go to Palaestra1, get in there, do a show ip nat translations, and I can see my ping go out. What it’s saying is the inside local address is 10.0.0.11; with the source port of 9392 it went to the outside as ICMP, Internet Control Message Protocol, which is the type of packet ping is, and it went out using this IP address, 20.1.97.49, at this port. That’s how it keeps track of this; it’s keeping track of it based on the port number now because, again, 11 isn’t the only internal source machine that can use this IP address. It just uses it for a little bit of time and then gives it back to the NAT pool, where another machine can use it. So again, show ip nat translations allows me to view that.
If I look at show run, it shows ip nat inside, ip nat outside; it shows my pools; the simulator doubled up on my command here. But ip nat pool Palaestra shows my range of IP addresses, 20.1.97.49 to 62, with my netmask 255.255.255.240, and then ip nat inside source list 1 pool Palaestra, so that’s the address pool, that’s Palaestra. And again, list 1 is saying, “Hey, this access list 1, permitting all internal IPs, can use this address pool of 49 to 62,” and that’s dynamic NAT. Let’s go in and take a look at our slide and see what Port Address Translation is, and then we are going to come back here and configure it.
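To make the static mapping and the pool behaviour concrete, here is an added Python model of Palaestra1’s inside-source NAT (example code written for this page, not part of the video or any Cisco software). It assumes the page’s values: access-list 1 permit 10.0.0.0 0.255.255.255, pool Palaestra 20.1.97.49 to 20.1.97.62, and the static entries for .11 and .12; the address and class names are mine, and it also shows the 15th host hitting an empty pool, which the video only mentions.

```python
import ipaddress


def acl_permits(addr, network, wildcard):
    """'access-list 1 permit 10.0.0.0 0.255.255.255': a 0 bit in the wildcard
    must match the network, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class InsideSourceNat:
    """Models the inside-to-outside half of Palaestra1's NAT (assumed model):
    'ip nat inside source static <local> <global>' entries are consulted first,
    then 'ip nat inside source list 1 pool Palaestra' hands out pool addresses."""

    def __init__(self, acl, pool=None, static=None):
        self.acl = acl                        # (network, wildcard) of access-list 1
        self.pool_configured = pool is not None
        self.free = []
        if pool:
            first, last = (int(ipaddress.IPv4Address(a)) for a in pool)
            self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.static = dict(static or {})      # inside local -> inside global, permanent
        self.dynamic = {}                     # inside local -> inside global, from the pool

    def translate(self, inside_local):
        """Return the inside global address a packet from inside_local leaves with,
        or None when nothing applies (the packet goes out untranslated)."""
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local in self.dynamic:
            return self.dynamic[inside_local]
        if not self.pool_configured or not acl_permits(inside_local, *self.acl):
            return None
        if not self.free:
            # 15th host at once: the /28 pool only has 14 usable addresses
            raise RuntimeError("NAT pool Palaestra exhausted")
        inside_global = self.free.pop(0)
        self.dynamic[inside_local] = inside_global
        return inside_global

    def release(self, inside_local):
        """Translation timed out (or 'clear ip nat translation *'): hand the address back."""
        self.free.append(self.dynamic.pop(inside_local))

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': (inside global, inside local)."""
        rows = [(g, l) for l, g in self.static.items()]
        rows += [(g, l) for l, g in self.dynamic.items()]
        return sorted(rows)


if __name__ == "__main__":
    nat = InsideSourceNat(("10.0.0.0", "0.255.255.255"), pool=("20.1.97.49", "20.1.97.62"))
    for host in range(11, 25):                 # 14 hosts, 14 pool addresses
        print(f"10.0.0.{host} -> {nat.translate(f'10.0.0.{host}')}")
    try:
        nat.translate("10.0.0.25")             # 15th concurrent host is out of luck
    except RuntimeError as e:
        print("dropped:", e)
    nat.release("10.0.0.11")                   # .11's entry times out
    print("10.0.0.25 ->", nat.translate("10.0.0.25"))   # now gets .49
```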
So here is my CCNA slide again, and we are going to be doing Port Address Translation this time. We are not going to be using a pool of addresses. What’s happening now is any internal machine that goes to the outside world will be using the IP address that’s on the Sr0 interface, which is 20.1.97.1. That way, we don’t have to go in and get additional addresses from our service provider. Again, this would be our ISP over here. We just use the one public IP they give us and have all internal machines use that one IP. That’s Port Address Translation, because when each PC goes out, the router is going to keep track of that information request from the individual PCs based off of the source port number and where it’s headed. So what’s going to happen is we are going to be configuring NAT at Palaestra1, but we are using Port Address Translation. So everybody is just using this IP. Let’s go to the simulator and configure that and check it out.
All right, I have brought my CCNA router simulator up again, and this time we are going to do Port Address Translation. Just like before, I go to interface Ethernet0. I have gotten rid of the previous config, and we type ip nat inside, and then we go to interface Sr0, ip nat outside, again specifying the internal and external interfaces. Now in global mode, what we are going to do is use ip nat inside source list 1, again referring to an access list. So this statement will apply to any IPs that are permitted by access list 1. And what we do is say, “Hey, instead of an address pool or anything like that, we just type in interface Sr0, which is the public or external interface, and we have to type overload.”
This command right here is what tells the router to allow more than one internal address to use the same external address on Sr0 at one time, and what it does is keep track of those multiple uses based off the source port. Now all I have to do is create access list 1 permit, and I am going to specify any internal “10.” address by using the wildcard mask of 0.255.255.255. Again, 0 means 10 has to be in the first octet. Other than that, it doesn’t matter. So that’s all we have to do to create Port Address Translation. Again, the keyword here is “overload”, meaning more than one internal address at a time can go out. So let’s go in and ping from our stations, and then we will go back and look at the IP NAT translations.
I have brought up PC1 here, and we are going to try pinging 20.1.97.38. We have got to ping from that, and then check out PC2 and we will see how that goes with the pinging of the public address, ping 20.1.97.38. That’s again a public address. And what we can do is go to Palaestra1 and show ip nat translations. And we can see both different internal machines going out, 10.0.0.11 going out, 10.0.0.12 going out, but they are both using the exact same IP address. Their source ports, however, are different, or they would be a little bit more different in an actual environment. They are running on the same source ports right now. But this is a randomly generated port for source ports. So the odds of them using the same source port are pretty unlikely.
So when they go in, again, it shows going out with the external address. The internal address goes out using this one external public address that is on the Sr0 interface; both machines are going to use it, and the router keeps track based on the source port. The simulator acted a little funny. It uses a lot of the same ports for this, but again, in an actual environment, there is not really much of a chance for a conflict there. So the router is able to keep track of who wants what. If this actually happened this way, there would be some conflict here, because at the outside address at port 9396, the router wouldn’t know who the heck it’s going to when the information came back if they were communicating at the same time. But again, on a real router, real NAT, all that stuff, you are not going to run into these conflicts here that you would see in the CCNA router simulator.
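Here is an added Python model of what “overload” on Sr0 does with the source ports (example code written for this page, not the video’s or Cisco’s). It uses the page’s values, 20.1.97.1 on Sr0, PC1 and PC2 both sourcing from 9396, and goes one step past the simulator: when the second host picks a port that is already in use, the model hands it a spare global port so the reply can still be delivered. The spare-port allocator and the class name are my assumptions; for ping, “port” stands for the ICMP identifier.

```python
class PortAddressTranslation:
    """Models 'ip nat inside source list 1 interface Sr0 overload' on Palaestra1:
    every inside host leaves with Sr0's address and is told apart by port.
    Assumes the source already passed access-list 1."""

    def __init__(self, interface_ip, first_spare_port=1024):
        self.ip = interface_ip
        self.outbound_map = {}   # (proto, inside local, local port) -> (global port, outside ip)
        self.inbound_map = {}    # (proto, global port) -> (inside local, local port)
        self.next_spare = first_spare_port   # assumed allocator for the collision case

    def outbound(self, proto, inside_local, local_port, outside_ip):
        """Packet leaving Ethernet0: return the (inside global, global port) it goes out with."""
        key = (proto, inside_local, local_port)
        if key in self.outbound_map:
            return self.ip, self.outbound_map[key][0]
        global_port = local_port          # keep the host's port when Sr0 has it free
        if (proto, global_port) in self.inbound_map:
            # The conflict seen in the simulator: a second host also chose 9396.
            # Pick a different global port so replies stay separable.
            while (proto, self.next_spare) in self.inbound_map:
                self.next_spare += 1
            global_port = self.next_spare
            self.next_spare += 1
        self.outbound_map[key] = (global_port, outside_ip)
        self.inbound_map[(proto, global_port)] = (inside_local, local_port)
        return self.ip, global_port

    def inbound(self, proto, global_port):
        """Reply arriving on Sr0 for (ip, global_port): which inside host gets it?"""
        return self.inbound_map.get((proto, global_port))

    def translations(self):
        """Rows shaped like 'show ip nat translations':
        (Pro, Inside global, Inside local, Outside local, Outside global);
        outside local and global match, as in the video, and omit the port."""
        rows = []
        for (proto, local, lport), (gport, outside) in self.outbound_map.items():
            rows.append((proto, f"{self.ip}:{gport}", f"{local}:{lport}", outside, outside))
        return sorted(rows)


if __name__ == "__main__":
    pat = PortAddressTranslation("20.1.97.1")
    # PC1 and PC2 both ping 20.1.97.38 using identifier 9396, as in the simulator
    print(pat.outbound("icmp", "10.0.0.11", 9396, "20.1.97.38"))   # ('20.1.97.1', 9396)
    print(pat.outbound("icmp", "10.0.0.12", 9396, "20.1.97.38"))   # ('20.1.97.1', 1024)
    for row in pat.translations():
        print(*row)
    print(pat.inbound("icmp", 1024))    # reply to PC2 goes back to ('10.0.0.12', 9396)
```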
How we configure that: show run, again we type in ip nat outside on serial, for external, and ip nat inside for Ethernet. This is our one line to turn on Port Address Translation: ip nat inside source list 1 interface Sr0 overload, and then I just have to specify what IPs are permitted with access list 1. Again, list 1 refers to access list 1. Let’s take a look at what we might do to troubleshoot if we can’t get out. Okay, for CCNA level troubleshooting, I have brought up a slide because a lot of these commands don’t work on the CCNA router simulator, and you can jot these commands down more easily looking at the slide.
First thing, if you are troubleshooting and NAT is not working: do a show run, check IP addressing, check the NAT configuration carefully, check the NAT statement, make sure you have the appropriate interfaces labeled as inside and outside. Look at that permitting access list if you have one. Again, I say carefully. One octet off on an IP, or one misplacement of a particular component of the command, and it’s not going to function. If you want to view whether or not NAT translations have taken place, show ip nat translations lets you go in and check out the NAT table. If you want to see NAT happening in real time, debug ip nat: you turn on debug ip nat, have an internal machine ping externally, and you will see that NAT translation take place as the packet goes through the router.
clear ip nat translation with an asterisk, clear ip nat translation *, will clear the NAT table. So if you are doing a show ip nat translations, you can clear the NAT table first, do a couple of pings, and make sure the information you are looking at isn’t old. Also, if you have to reconfigure NAT, sometimes you have to run this command, because if a mapping is in use, it won’t let you go in and reconfigure a NAT statement. So sometimes you will need to run this command to get rid of any active mappings before you can reconfigure NAT. show ip nat statistics will also allow you to view whether or not NAT translations are taking place. Again, very helpful commands when trying to figure out if NAT is really happening, if you have connectivity, things like that.
So in this video, we have talked about what NAT is, the terminology inside local, inside global, Static NAT Configuration, Dynamic NAT Configuration, Port Address Translation, as well as viewing all those translations, and some troubleshooting tips. I hope you have enjoyed this CertificationKits CCNA Training video on Network Address Translation.