Monday, 2 January 2012

How to Configure NAT and PAT on a Cisco Router


There are two types of NAT that can be configured on a Cisco router: static and dynamic.
 Static NAT Configuration:
 This type is used when you want to do one-to-one assignment of local IP addresses to global IP addresses.
 
1. Establish static translation between an inside local address and an inside global address,
 Router(config)#ip nat inside source static XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
 where,
 XXX.XXX.XXX.XXX is the (inside) local address
 YYY.YYY.YYY.YYY is the (inside) global address
 
2. Specify the local interface. This is done by going to the interface configuration mode and issuing,
 Router(config-if)#ip nat inside
 
3. Specify the global interface. This is done by going to the interface configuration mode and issuing,
 Router(config-if)#ip nat outside
 
Dynamic NAT Configuration:
 This type is used when you want the router to do the mapping dynamically. This method is useful when you have too many global and local addresses and you do not want to do the mapping manually, or when the number of global addresses available is less than the local addresses.
This would lead us to two different scenarios,
 
A. The number of global IP addresses is equal to or less than the number of local addresses, and more than one (local >= global > 1).
 
1. Define a pool of global addresses that would be employed in the translation,
Router(config)#ip nat pool NAME XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY netmask ZZZ.ZZZ.ZZZ.ZZZ
where,
NAME is the name of the pool
XXX.XXX.XXX.XXX is the starting IP address of the pool
YYY.YYY.YYY.YYY is the end IP address of the pool
ZZZ.ZZZ.ZZZ.ZZZ is the subnet mask of the network that the pool is part of.
 
2. Define the range of local addresses permitted to participate in the translation using an access-list.
Router(config)#access-list NO permit XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
where,
NO is the number of the access-list, which is usually a standard access list
XXX.XXX.XXX.XXX is the network address of the local network or the starting IP address of the range.
YYY.YYY.YYY.YYY is the wildcard mask used to define the range
You can issue more than one access-list statement in the same access-list to define the specific IP address range(s).
 
3. Associate the pool and the local range in a dynamic NAT translation command,
Router(config)#ip nat inside source list NO pool NAME [overload]
where,
NO is the number of the access list
NAME is the name of the global pool
overload is a parameter that MUST be used when you have fewer global IP addresses than local IP addresses (which is known as PAT).
 
4. Specify the local interface. This is done by going to the interface configuration mode and issuing,
Router(config-if)#ip nat inside
 
5. Specify the global interface. This is done by going to the interface configuration mode and issuing,
Router(config-if)#ip nat outside
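
An added example (not part of the original post): a small Python helper that assembles the scenario A commands from a local network and a global pool. It derives the wildcard mask for the access-list (the pool takes a netmask instead) and appends overload only when the pool is smaller than the number of local hosts. The function name, addresses, pool name, ACL number and interface names are constructed sample values.

```python
import ipaddress

def dynamic_nat_config(local_cidr, pool_start, pool_end, pool_netmask,
                       acl_no=1, pool_name="NATPOOL",
                       inside_if="Ethernet0", outside_if="Serial0"):
    """Return (IOS config lines, overload flag) for pool-based dynamic NAT."""
    # Standard numbered ACLs use 1-99 or the expanded range 1300-1999.
    if not (1 <= acl_no <= 99 or 1300 <= acl_no <= 1999):
        raise ValueError("not a standard access-list number")
    # Strict parsing rejects a CIDR with host bits set, e.g. 192.168.10.5/24.
    local = ipaddress.ip_network(local_cidr)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end address is below the start address")
    # The whole pool has to fall inside the subnet the netmask describes.
    pool_net = ipaddress.ip_network(f"{pool_start}/{pool_netmask}", strict=False)
    if end not in pool_net:
        raise ValueError("pool range does not fit the given netmask")
    pool_size = int(end) - int(start) + 1
    # Usable hosts: drop network and broadcast addresses except on /31 and /32.
    hosts = local.num_addresses - (2 if local.prefixlen < 31 else 0)
    overload = pool_size < hosts          # fewer global than local -> PAT
    lines = [
        # The pool takes a subnet mask ...
        f"ip nat pool {pool_name} {start} {end} netmask {pool_netmask}",
        # ... while the access-list takes the inverted (wildcard) mask.
        f"access-list {acl_no} permit {local.network_address} {local.hostmask}",
        f"ip nat inside source list {acl_no} pool {pool_name}"
        + (" overload" if overload else ""),
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
    ]
    return lines, overload

if __name__ == "__main__":
    # Constructed sample values: RFC 1918 inside network, RFC 5737 global pool.
    cfg, pat = dynamic_nat_config("192.168.10.0/24", "203.0.113.10",
                                  "203.0.113.14", "255.255.255.240")
    print("\n".join(cfg))
    print("! overload (PAT) required:", pat)
```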
 
B. There is only one global IP address and a group of local IP addresses.
 
In this case, the only global IP address is assigned to the interface connected to the global network.
 
1. Define the range of local addresses permitted to participate in the translation using an access-list.
Router(config)#access-list NO permit XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
where,
NO is the number of the access-list, which is usually a standard access list
XXX.XXX.XXX.XXX is the network address of the local network or the starting IP address of the range.
YYY.YYY.YYY.YYY is the wildcard mask used to define the range
You can issue more than one access-list statement in the same access-list to define the specific IP address range(s).
 
2. Associate the interface that holds the global address and the local range in a dynamic NAT translation command,
Router(config)#ip nat inside source list NO interface TYPE INTNO overload
where,
NO is the number of the access list
TYPE is the type of the interface that has the global IP address (e.g. serial or Ethernet)
INTNO is the number of the interface
An example of the interface type and number is serial 0, or Ethernet 0.
 
3. Specify the local interface. This is done by going to the interface configuration mode and issuing,
Router(config-if)#ip nat inside
 
4. Specify the global interface. This is done by going to the interface configuration mode and issuing,
Router(config-if)#ip nat outside
 
Troubleshooting commands:
Router#show ip nat translations
To show the current translations performed by NAT
 
Router#show ip nat static
To show the static translations of NAT
 
Router#debug ip nat
To watch the instantaneous interactions of NAT
 
Note: To disable NAT, you need to do the following steps:
1. Disable NAT on the local and global interfaces
Router(config-if)#no ip nat inside
on the local, and
Router(config-if)#no ip nat outside
on the global interface.
 
2. Clear the contents of the translation table,
Router#clear ip nat translations
 
3. Remove the NAT assignment command by preceding it with a ‘no’.
 
4. Remove the access-list, if any.
