Download PNETLab Platform

PNETLAB Store
PNETLab.com

Configuring Static Network Address Translation

Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure static NAT.
NAT configuration is a fundamental skill. Static NAT provides a one-to-one translation between a
private IP address (RFC 1918) and a public IP address. Static NAT is typically used to provide access
to private inside hosts from outside hosts or networks. When static NAT is configured, outside
hosts or networks connect to devices on the inside using a public or external IP address. This hides
the private IP addresses of hosts on the inside. As a Cisco engineer, as well as in the Cisco CCNA
exam, you will be expected to know how to configure static NAT.

Lab Topology:
The lab network topology is illustrated below:

Task 1: Configure the hostnames on routers R1, R2 and SW1 as illustrated in the topology.

Task 2: Configure the IP addresses on the Ethernet interfaces of R1 and R2 as illustrated in the
topology.

Task 3: Configure VLAN 50 named NAT_VLAN on SW1. Assign the Ethernet0/2 interface on SW1
to this VLAN. Also, configure SW1 to allow Telnet access using a password of CISCO.
1
Download PNETLab Platform
PNETLAB Store
PNETLab.com

Task 4: Configure interface VLAN 50 on SW1 and assign it the IP address illustrated in the
topology. The default gateway on SW1 should be 10.2.2.2. Next, configure interface Ethernet0/0
in R2 and assign it the IP address illustrated in the topology.

Task 5: Test connectivity by pinging from R1 to R2 and pinging from R2 to Sw1. These should all
be successful. However, since R1 does not know about the 10.2.2.0/27 subnet, SW1 will not be
able to ping R1. Verify this.

Task 6: Configure R2 e0/2 as the inside NAT interface and e0/0 as the outside NAT interface.
Next, create a static NAT statement on R2 mapping the inside address of 10.2.2.4 (SW1 interface
VLAN 50) to the outside address of 192.168.254.4.

Task 7: Ping from SW1 to R1 and verify that the ping is successful. Next, Telnet from R1 to
192.168.254.4 and verify that you connect to SW1 via the NAT configured on R2.

Solution
Task 1: Configure the hostnames on routers R1 and R2 as illustrated in the topology.

R1
Router>enable
Router#conf t
Router(config)#hostname R1

R2
Router>enable
Router#conf t
Router(config)#hostname R2

SW1
Switch>enable
Switch#conf t
Switch(config)#hostname SW1

2
Download PNETLab Platform
PNETLAB Store
PNETLab.com

Task 2: Configure the IP addresses on the Ethernet interfaces of R1 and R2 as illustrated in the
topology.

R1(config)#int e0/0
R1(config-if)#ip address 192.168.254.1 255.255.255.248
R1(config-if)#no shutdown

R2(config)#int e0/0
R2(config-if)#ip address 192.168.254.2 255.255.255.248
R2(config-if)#no shutdown

Task 3: Configure VLAN 50 named NAT_VLAN on SW1. Assign the Ethernet0/2 interface on SW1
to this VLAN. Also, configure SW1 to allow Telnet access using a password of CISCO.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 50
SW1(config-vlan)#name NAT_VLAN
SW1(config-vlan)#exit
SW1(config)#int e0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 50
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#line vty 0 4
SW1(config-line)#password CISCO
SW1(config-line)#login
SW1(config-line)#transport input telnet
SW1(config-line)#end
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------
1 default active Et0/0, Et0/1, Et0/3
50 NAT_VLAN active Et0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

3
Download PNETLab Platform
PNETLAB Store
PNETLab.com

Task 4: Configure interface VLAN 50 on SW1 and assign it the IP address illustrated in the
topology. The default gateway on SW1 should be 10.2.2.2. Next, configure interface Ethernet0/0
in R2 and assign it the IP address illustrated in the topology.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int vlan 1
SW1(config-if)#shutdown
SW1(config-if)#exit
SW1(config)#int vlan 50
SW1(config-if)#no shutdown
SW1(config-if)#ip address 10.2.2.4 255.255.255.224
SW1(config-if)#exit
SW1(config)#ip default-gateway 10.2.2.2
SW1(config)#end

R2(config)#int e0/2
R2(config-if)#ip address 10.2.2.2 255.255.255.224
R2(config-if)#no shutdown
R2(config-if)#end

Task 5: Test connectivity by pinging from R1 to R2 and pinging from R2 to Sw1. These should all
be successful. However, since R1 does not know about the 10.2.2.0/27 subnet, SW1 will not be
able to ping R1. Verify this.

R1#ping 192.168.254.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/8 ms

R2#ping 192.168.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

R2#ping 10.2.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.4, timeout is 2 seconds:

4
Download PNETLab Platform
PNETLAB Store
PNETLab.com

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

SW1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

SW1#ping 192.168.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Task 6: Configure R2 e0/2 as the inside NAT interface and e0/0 as the outside NAT interface.
Next, create a static NAT statement on R2 mapping the inside address of 10.2.2.4 (SW1 interface
VLAN 50) to the outside address of 192.168.254.4.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int e0/2
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#int e0/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat inside source static 10.2.2.4 192.168.254.4
R2(config)#end
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.254.4 10.2.2.4 --- ---

Task 7: Ping from SW1 to R1 and verify that the ping is successful. Next, Telnet from R1 to
192.168.254.4 and verify that you connect to SW1 via the NAT configured on R2.

SW1#ping 192.168.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:

5
Download PNETLab Platform
PNETLAB Store
PNETLab.com

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

R1#telnet 192.168.254.4
Trying 192.168.254.4 ... Open
User Access Verification
Password: CISCO
SW1>

NOTE: You can look at translations statistics using the show ip nat statistics command. If you are
having issues with NAT, this command can show you the hits versus the misses, which indicates
successful versus unsuccessful translations. Use those counters to troubleshoot Network Address
Translation.

R2#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 2, occurred 00:04:11 ago
Outside interfaces:
Ethernet0/0
Inside interfaces:
Ethernet0/2
Hits: 3 Misses: 0
CEF Translated packets: 3, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Also keep in mind that because we configured static NAT, we will not see any dynamic NAT
mappings or translation statistics until we configure dynamic NAT.