Lab 3 - NAT Pool

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

http://www.howtonetwork.

net

Lab 3 - NAT Pool


Lab 3: NAT lab NAT pool
The physical topology is as shown in Figure 143.

Figure 143: NAT pool

Lab exercise
Your task is to configure the network in Figure 143 to allow the hosts on the 172.16.0.0 LAN (we will
simulate this with the loopback address and secondary address) to access the

Internet'sing the NAT pool 10.0.0.1 to 10.0.0.10. Please feel free to try the lab without following

the lab walk-through section.

Purpose
Being able to configure NAT is a fundamental CCNA skill. Any client who needs to access

the Internet will want to use NAT. The key is to understand the client's requirements and

then design a solution to fit his/her needs.

Lab objectives
1. Use the IP addressing scheme depicted in Figure 143. Router A needs a clock rate on

interface serial 0: set this to 64000.

2. Set telnet access for the router to use the local login permissions of username banbury and the
password ccna (optional).

3. Put a static route on the router.

4. Configure the inside and outside NAT interfaces on the router.

5. Configure a pool of addresses the router will use as a NAT pool.

6. Test the NAT config with a ping and debug.

Lab walk-through
1. To set the IP addresses for an interface, you will need to do the following:
Router#config t

Router(config)#hostname RouterA

RouterA(config)#

RouterA(config)#interface serial 0

RouterA(config-if)#ip address 192.168.1.1 255.255.255.252

RouterA(config-if)#clock rate 64000 If this is the DCE side

RouterA(config-if)#no shutdown

RouterA(config-if)#ip nat outside The outside NAT network

RouterA(config-if)#interface loopback 0 No need for no shutdown on loopback interfaces

RouterA(config-if)#ip address 172.16.1.1 255.255.0.0

RouterA(config-if)#ip address 172.16.1.2 255.255.0.0 secondary

The secondary address will act as a second host on the LAN.

RouterA(config-if)#ip nat inside The inside NAT network

RouterA(config-if)#^Z

RouterA#

Router B:

Router#config t

Router(config)#hostname RouterB

RouterB(config)#interface serial 0

RouterB(config-if)#ip address 192.168.1.2 255.255.255.252

RouterB(config-if)#no shutdown

RouterB(config-if)#exit

RouterB(config)#ip route 0.0.0.0 0.0.0.0 serial 0

RouterB(config)#^Z

RouterB#

To set the clock rate on a serial interface (DCE connection only) you need to use the clock rate #
command on the serial interface, where # indicates the speed:

RouterA(config-if)#clock rate 64000

Ping across the serial link now.


2. To set telnet access, you need to configure the VTY lines to allow telnet access. To do

this, type (from configuration mode):

RouterA(config)#line vty 0 4 Enters the VTY line configuration

RouterA(config-line)#login local This will use local usernames

and passwords for telnet access

RouterA(config-line)#exit Exit the VTY config mode

RouterA(config)#username banbury password ccna Creates username

and password for telnet access (login local)

Router B:

RouterB(config)#line vty 0 4

RouterB(config-line)#login local

RouterB(config-line)#exit

RouterB(config)#username banbury password ccna

3. To set the enable password, do the following:

RouterA(config)#enable secret cisco Sets the enable password

(encrypted)

Router B:

RouterB(config)#enable secret cisco

4. You need to configure a NAT pool and then tell the pool which access-list to access to

determine what traffic you want to be NATted:

RouterA(config)#ip nat pool internet_out 10.0.0.1 10.0.0.10 prefixlength 24

(or you could have written ip nat pool internet_out 10.0.0.1 10.0.0.10

netmask 255.255.255.0)

RouterA(config)#ip nat inside source list 1 pool internet_out

RouterA(config)#access-list 1 permit 172.16.0.0 0.0.255.255

RouterA(config)#^Z

5. To see if NAT is working, we need to turn on a debug with debug ip nat. Now

imagine that the loopback address of 172.16.1.1 is a host on the LAN that wants to

get out to the Internet. When the packet from the NATted LAN passes through the

router, it will match the access-list and be translated to an address from the NAT pool.
RouterA#debug ip nat Turn on the NAT debug

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2 Ping router B

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: loopback 0 Source is the LAN

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

RouterA#

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [20]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [20]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [21]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [21]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [22]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [22]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [23]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [23]

02:12:37: NAT: s=172.16.1.1->10.0.0.1, d=192.168.1.2 [24]

02:12:37: NAT*: s=192.168.1.2, d=10.0.0.1->172.16.1.1 [24]

RouterA#show ip nat translations

Pro Inside global Inside local Outside local Outside


global

--- 10.0.0.1 172.16.1.1 --- ---

RouterA#

You can see that the NAT debug shows the source (s=) as the loopback interface, which is
translated to 10.0.0.1. The destination (d=) is the serial address for router B

192.168.1.2. The * shows the returning packet that is translated back.

The numbers in brackets [20, etc.] are the IP identification numbers of the packets.

If we want to check that the pool is allocating addresses correctly, we can source a second ping
this time from the secondary address. There should be another address allocated from the NAT
pool.

RouterA#ping

Protocol [ip]:

Target IP address: 192.168.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 172.16.1.2

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/68 ms

RouterA#

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [45]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [45]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [46]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [46]


, [ ]
04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [47]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [47]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [48]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [48]

04:09:23: NAT: s=172.16.1.2->10.0.0.2, d=192.168.1.2 [49]

04:09:23: NAT*: s=192.168.1.2, d=10.0.0.2->172.16.1.2 [49]

RouterA#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 10.0.0.1 172.16.1.1 --- ---

--- 10.0.0.2 172.16.1.2 --- ---

6. Now please enter reload at the Router# prompt and type yes to confirm.

Show runs
RouterA#show run

Building configuration...

Current configuration : 749 bytes

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname RouterA

ip subnet-zero

interface Loopback0

ip address 172.16.1.1 255.255.0.0

ip address 172.16.1.2 255.255.0.0 secondary

ip nat inside

interface Ethernet0

no ip address

shutdown
!

interface Ethernet1

no ip address

shutdown

interface Serial0

ip address 192.168.1.1 255.255.255.252

clockrate 64000

ip nat outside

interface Serial1

no ip address

shutdown

ip nat pool internet_out 10.0.0.1 10.0.0.10 prefix-length 24

ip nat inside source list 1 pool internet_out

ip classless

no ip http server

access-list 1 permit 172.16.0.0 0.0.255.255

line con 0

line aux 0

line vty 0 4

end

RouterA#

---

RouterB#show run

Building configuration...

Current configuration : 456 bytes


!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname RouterB

ip subnet-zero

interface Serial0

ip address 192.168.1.2 255.255.255.252

interface Serial1

no ip address

shutdown

interface TokenRing0

no ip address

shutdown

ip classless

ip route 0.0.0.0 0.0.0.0 Serial 0

no ip http server

ip pim bidir-enable

line con 0

line aux 0

line vty 0 4

end

RouterB#
2006-2011 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited.

You might also like