A Experiment No.1

The document outlines the configuration of routers using a network simulator, focusing on Access Control Lists (ACLs), Routing Information Protocol (RIP), and Network Address Translation (NAT). It details the types of ACLs, their configurations, and guidelines for applying them, including examples of blocking specific hosts, subnets, and IP ranges. Additionally, it provides instructions for securing telnet sessions using standard ACLs.

Uploaded by sahildav24

Group A: Computer Network

EXPERIMENT NO.1
Title: Using a Network Simulator (e.g. packet tracer) Configure Router for...
a) Configure a router using router commands and Configure Routing Information Protocol(RIP).
b) Configure Access Control lists – Standard & Extended.
c) Network Address Translation: Static, Dynamic & PAT (Port Address Translation)

Theory:

Access control list

ACLs are a set of statements, grouped together under a number or a name, that filter traffic
entering or leaving an interface.

When activating an ACL on an interface, you must specify in which direction the traffic should
be filtered:

 Inbound (as the traffic comes into an interface)
 Outbound (before the traffic exits an interface)

Inbound ACLs: Incoming packets are processed before they are routed to an outbound
interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the
packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the
tests, it is processed for routing.

Outbound ACLs: Incoming packets are routed to the outbound interface and then processed
through the outbound ACL.

Universal facts about access control lists

1. ACLs come in two varieties: numbered and named.
2. Each of these supports two types of filtering: standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a packet.
4. Extended IP ACLs can filter on both the source and destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed; therefore, order is important.
8. If no match is found, the implicit deny statement at the end of the ACL drops the packet.
9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped
because of the hidden implicit deny statement at the end of every ACL.

No matter what type of ACL you use, though, you can have only one ACL per protocol, per
interface, per direction. For example, you can have one IP ACL inbound on an interface and
another IP ACL outbound on an interface, but you cannot have two inbound IP ACLs on the
same interface.

Access List Ranges

Type                          Range
IP Standard                   1–99
IP Extended                   100–199
IP Standard Expanded Range    1300–1999
IP Extended Expanded Range    2000–2699

Standard ACLs
A standard IP ACL is simple; it filters based on source address only. You can filter a source
network or a source host, but you cannot filter based on the destination of a packet, the particular
protocol being used such as the Transmission Control Protocol (TCP) or the User Datagram
Protocol (UDP), or on the port number. You can permit or deny only source traffic.

Extended ACLs:
An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs
check both the source and destination packet addresses. They can also check for specific
protocols, port numbers, and other parameters, which allow administrators more flexibility and
control.

Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them
by number, which is not too descriptive of its use. With a named ACL, this is not the case
because you can name your ACL with a descriptive name. The ACL named Deny Mike is a lot
more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended
named ACLs.

Another advantage to named ACLs is that they allow you to remove individual lines out of an
ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to
delete your existing access list and re-create the entire list.

Configuration Guidelines

 Order of statements is important: put the most restrictive statements at the top of the list
and the least restrictive at the bottom.
 ACL statements are processed top-down until a match is found, and then no more
statements in the list are processed.
 If no match is found in the ACL, the packet is dropped (implicit deny).
 Each ACL needs either a unique number or a unique name.
 The router cannot filter traffic that it, itself, originates.
 You can have only one IP ACL applied to an interface in each direction (inbound and
outbound); you can't have two or more inbound or outbound ACLs applied to the same
interface. (Actually, you can have one ACL for each protocol, like IP and IPX, applied to
an interface in each direction.)
 Applying an empty ACL to an interface permits all traffic by default: in order for an ACL
to have an implicit deny statement, you need at least one actual permit or deny statement.
 Remember the numbers you can use for IP ACLs. Standard ACLs can use numbers
ranging 1–99 and 1300–1999, and extended ACLs can use 100–199 and 2000–2699.
 A wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard
mask is composed of 32 bits. To convert a subnet mask to a wildcard mask, subtract each
byte of the subnet mask from 255.

There are two special wildcard masks: 0.0.0.0 and 255.255.255.255.

A 0.0.0.0 wildcard mask is called a host mask: every bit of the address must match.

A 255.255.255.255 wildcard mask matches any address. If you enter it, the router converts the
address and mask to the keyword any.

Placement of ACLs

Standard ACLs should be placed as close to the destination devices as possible.

Extended ACLs should be placed as close to the source devices as possible.

Standard access lists

Because a standard access list filters traffic based only on its source, all you need is the IP
address of the host or subnet you want to permit or deny. ACLs are created in global
configuration mode and then applied on an interface. The syntax for creating a standard ACL is

access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard-mask]

In this section we configure a standard access list. If you want to read about the features and
characteristics of access lists, see the earlier section, Access control list.

This section uses the RIP topology created in the RIP routing practical.

Three basic steps to configure a standard access list

 Use the access-list global configuration command to create an entry in a standard ACL.
 Use the interface configuration command to select an interface to which to apply the ACL.
 Use the ip access-group interface configuration command to activate the existing ACL on
an interface.

Access lists have a variety of uses for wildcard masks, but from a CCNA exam perspective you
should typically be able to do the following:

1. Match a specific host
2. Match an entire subnet
3. Match an IP range
4. Match everyone and anyone

Match specific hosts

Task

You have been given the task of blocking 10.0.0.3 from gaining access to 40.0.0.0, while 10.0.0.3
must still be able to communicate with other networks. Other computers on the 10.0.0.0 network
must be able to connect to the 40.0.0.0 network.

Decide where to apply the ACL and in which direction.

Our host must be able to communicate with every other host except 40.0.0.0, so we place this
access list on FastEthernet 0/1 of R2 (2811), the interface connected to the 40.0.0.0 network. The
direction is out, because the packet is filtered as it leaves the interface. If you placed this list
on R1 (1841), host 10.0.0.3 would not be able to communicate with any other host, not just
40.0.0.0.

To configure R2, double click on it and select CLI (use either one of the two methods below; the
result is the same).

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

OR

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out because the packet is filtered
by the ACL. Then ping 30.0.0.3; it should reply successfully.

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 30.0.0.3

Pinging 30.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126

Ping statistics for 30.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 112ms, Maximum = 156ms, Average = 136ms

Because the access list matches only a specific host, other computers on the 10.0.0.0 network
must still be able to connect to the 40.0.0.0 network. To test, ping from 10.0.0.2 to 40.0.0.3.

PC>ipconfig

IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126

Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 141ms, Average = 135ms

Match an entire subnet

Task

You have been given the task of blocking the 10.0.0.0 network from gaining access to 40.0.0.0,
while 10.0.0.0 must still be able to communicate with other networks.

Wildcards

Wildcards are used with access lists to specify an individual host, a network, or a certain range of
a network or networks.

Formula to calculate the wildcard mask for an access list

The key to matching an entire subnet is to use the following formula for the wildcard mask:

Wildcard mask = 255.255.255.255 – subnet mask

So for example, if the subnet mask is 255.0.0.0, the wildcard mask is 0.255.255.255.

  255.255.255.255
- 255.  0.  0.  0
  ---------------
    0.255.255.255

Once you have calculated the wildcard mask, the rest is the same as in the previous example.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out because the packet is filtered
by the ACL. Then ping 30.0.0.3; it should reply successfully.
Now ping from 10.0.0.2 to 40.0.0.3 and then to 30.0.0.2; the results should be the same, because
the filtering is now based on the whole network.

Match an IP range

You are a network administrator at ComputerNetworkingNotes.com. Your task is to block the IP
range 10.3.16.0 – 10.3.31.255 from gaining access to the 40.0.0.0 network.

Solutions

Our range is 10.3.16.0 – 10.3.31.255. In order to find the mask, take the higher IP and subtract
from it the lower IP.

10.3.31.255
10.3.16.0 -
--------------
0.0.15.255
--------------

In this case the wildcard mask for this range is 0.0.15.255.


To block access from this range, use the following:

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

One thing to note is that each non-zero value in the mask must be one less than a power of 2, i.e.
0, 1, 3, 7, 15, 31, 63, 127, 255.
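The wildcard arithmetic (subnet-mask formula, range subtraction, the power-of-2 rule) and the top-down, implicit-deny matching described in the sections above, as an added example in Python that is not part of the original lab manual or of Cisco IOS. It goes slightly beyond the text by rejecting ranges that cannot be expressed as one wildcard block, and by treating an empty list as permit-all, as the guidelines state. The access lists it evaluates are the ones shown in this section; the function names are my own.

```python
"""Wildcard-mask arithmetic and standard-ACL evaluation (added example, not Cisco code)."""
import ipaddress

# Per the page's rule, every non-zero octet of a wildcard mask must be 2^n - 1.
POW2_MINUS_1 = {0, 1, 3, 7, 15, 31, 63, 127, 255}


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Page formula: wildcard = 255.255.255.255 - subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def wildcard_from_range(low: str, high: str) -> str:
    """Page method for a range: wildcard = high - low, octet by octet.

    Raises ValueError when the range cannot be expressed by one access-list
    entry: an octet is not 2^n - 1, or the low address is not block-aligned.
    """
    diff = to_int(high) - to_int(low)
    if diff < 0:
        raise ValueError("high address is below low address")
    wildcard = str(ipaddress.IPv4Address(diff))
    if any(int(o) not in POW2_MINUS_1 for o in wildcard.split(".")):
        raise ValueError(f"{low}-{high} is not a single wildcard block ({wildcard})")
    if to_int(low) & diff:
        raise ValueError(f"{low} is not aligned to the block size of {wildcard}")
    return wildcard


def matches(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must match exactly."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) ^ to_int(base)) & care == 0


def parse_standard_entry(line: str):
    """Parse 'access-list N {permit|deny} {any | host A | A [W]}' into a tuple."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number = int(tok[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"{number} is outside the standard ACL number ranges")
    if tok[3] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif tok[3] == "host":
        if len(tok) < 5:
            raise ValueError("'host' needs an address")
        base, wildcard = tok[4], "0.0.0.0"
    else:  # bare address: the wildcard defaults to 0.0.0.0 (a host mask)
        base, wildcard = tok[3], (tok[4] if len(tok) > 4 else "0.0.0.0")
    return number, tok[2], base, wildcard


def evaluate(acl_lines, source: str) -> str:
    """Top-down, first match wins, implicit deny at the end.

    An ACL with no statements behaves as the guidelines state: applied to an
    interface it permits everything, because the implicit deny only exists
    once at least one real statement is present.
    """
    if not acl_lines:
        return "permit"
    for line in acl_lines:
        _, action, base, wildcard = parse_standard_entry(line)
        if matches(source, base, wildcard):
            return action
    return "deny"


# The lab's access lists, transcribed from the configurations shown above.
ACL_1_HOST = ["access-list 1 deny host 10.0.0.3", "access-list 1 permit any"]
ACL_2_SUBNET = ["access-list 2 deny 10.0.0.0 0.255.255.255", "access-list 2 permit any"]
ACL_2_RANGE = ["access-list 2 deny 10.3.16.0 0.0.15.255", "access-list 2 permit any"]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.0.0.0"))           # 0.255.255.255
    print(wildcard_from_range("10.3.16.0", "10.3.31.255"))  # 0.0.15.255
    for src in ("10.0.0.3", "10.0.0.2", "10.3.20.7", "10.3.32.1"):
        print(src, evaluate(ACL_1_HOST, src), evaluate(ACL_2_RANGE, src))
```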

Match Everyone and Anyone

This is the easiest of access lists to create; just use the following:

access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255

Secure telnet session via standard ACL

This is among the most heavily tested topics in the CCNA exam. We could use an extended ACL to
secure telnet sessions, but if you did that you would have to apply it inbound on every interface,
and that really would not scale to a large router with dozens, even hundreds, of interfaces. Here
is a much better solution: use a standard IP access list to control access to the VTY lines
themselves.

To perform this function, follow these steps:

1. Create a standard IP access list that permits only the host or hosts you want to be able to
telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.

Secure R2 so that only 20.0.0.2 can telnet to it; all other telnet sessions should be denied.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in

To test, first telnet from 20.0.0.2; it should succeed.

PC>ipconfig

IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1

PC>telnet 50.0.0.2
Trying 50.0.0.2 ...

User Access Verification

Password:
R2>

Now telnet from any PC other than 20.0.0.2; it must be filtered and denied.

PC>ipconfig

IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...

% Connection refused by remote host


PC>

Configure Extended Access Lists

An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs
check both the source and destination packet addresses. They can also check for specific
protocols, port numbers, and other parameters, which allow administrators more flexibility and
control.

access-list access-list-number {permit | deny} protocol source source-wildcard [operator port]
    destination destination-wildcard [operator port] [established] [log]

Command Parameters and Descriptions

access-list: Main command.
access-list-number: Identifies the list using a number in the ranges 100–199 or 2000–2699.
permit | deny: Indicates whether this entry allows or blocks the specified address.
protocol: IP, TCP, UDP, ICMP, GRE, or IGRP.
source and destination: Identifies the source and destination IP addresses.
source-wildcard and destination-wildcard: Wildcard masks applied to the source and destination
addresses.
operator port: The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not
equal to). The port number referenced can be either the source port or the destination port,
depending on where in the ACL the port number is configured. As an alternative to the port
number, well-known application names can be used, such as Telnet, FTP, and SMTP.
established: For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an
outbound-initiated session. This type of traffic has the acknowledgement (ACK) bits set. (See
the extended ACL with the established parameter example below.)
log: Sends a logging message to the console.

Before configuring an extended access list, you should memorize some important port numbers.

Well-Known Port Numbers and IP Protocols

Port Number     Protocol / Service
20 (TCP)        FTP data
21 (TCP)        FTP control
23 (TCP)        Telnet
25 (TCP)        Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)    Domain Name System (DNS)
69 (UDP)        TFTP
80 (TCP)        HTTP

In this section we configure an extended access list. If you want to read about the features and
characteristics of access lists, see the earlier section, Access control list.

This section uses the RIP topology created in the RIP routing practical.

Three basic steps to configure an extended access list

 Use the access-list global configuration command to create an entry in an extended ACL.
 Use the interface configuration command to select an interface to which to apply the ACL.
 Use the ip access-group interface configuration command to activate the existing ACL on
an interface.

Access lists have a variety of uses for wildcard masks, but from a CCNA exam perspective you
should typically be able to do the following:

1. Block host to host
2. Block host to network
3. Block network to network
4. Block telnet access to critical company resources
5. Limit FTP access to specific users
6. Stop exploration of the private network via ping
7. Limit web access
8. Configure the established keyword

Block host to host

Task

You are the network administrator at ComputerNetworkingNotes.com. Your company hires a new
employee and gives him the PC 10.0.0.3. Your company's critical records are kept on 40.0.0.3, so
you are asked to block access from 10.0.0.3 to 40.0.0.3, while 10.0.0.3 must still be able to
connect to the other computers on the network to perform his tasks.

Decide where to apply the ACL and in which direction.

We are configuring an extended access list, and with an extended access list we can filter the
packet as soon as it is generated. So we place our access list on F0/0 of Router1841, the port
nearest to 10.0.0.3.

To configure Router1841 (Hostname R1) double click on it and select CLI

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3; it should time out. Also ping other computers on
the network, including 40.0.0.2; those pings should succeed.

Block host to network

Task

Now we will block 10.0.0.3 from gaining access to the network 40.0.0.0. (If you are doing this
practical after configuring the previous example, don't forget to remove the last access list, 101,
with the no access-list command, or just close Packet Tracer without saving and reopen it to
continue with this example.)

R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3 and 40.0.0.2; both should time out. Also ping
computers on other networks; those pings should succeed.


Network to Network Access List

Task

The students' lab is configured on the 10.0.0.0 network, while management's systems are on the
40.0.0.0 network. You are asked to stop the lab systems from gaining access to the management
systems.

Now we will block the 10.0.0.0 network from gaining access to the 40.0.0.0 network. (If you are
doing this practical after configuring the previous example, don't forget to remove the last access
list, 101, with the no access-list command, or just close Packet Tracer without saving and reopen
it to continue with this example.)

R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3 and 40.0.0.2; they should time out.
Also ping computers on other networks; those pings should succeed.

Network to host

Task

For the final scenario you will block all traffic to 40.0.0.3 from the 10.0.0.0 network. To
accomplish this, write an extended access list. The access list should look something like the
following.

R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3; they should time out. Also ping
computers on other networks; those pings should succeed.

Application based Extended Access list

In the previous examples we filtered IP-based traffic. Now we will filter application-based
traffic. To do this practical, either create a topology as shown in the figure and enable the
telnet, HTTP and FTP services on the server, or download the preconfigured topology (Extended
Access list) and load it in Packet Tracer.

The established keyword

The established keyword is an advanced feature that allows traffic through only if it sees that
a TCP session is already established. A TCP session is considered established if the three-way
handshake has been initiated first. This keyword is added only to the end of extended ACLs that
are filtering TCP traffic.
You can use TCP established to deny all traffic into your network except for incoming traffic
that was first initiated from inside your network. This is commonly used to block all traffic
originating from the Internet into a company's network except for Internet traffic that was first
initiated by users inside the company. The following configuration accomplishes this for all
TCP-based traffic coming in to interface serial 0/0/0 on the router:

R1(config)#access-list 101 permit tcp any any established
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit

Although the access list is using a permit statement, all traffic is denied unless it is first
established from the inside network. If the router sees that the three-way TCP handshake is
successful, it will then begin to allow traffic through.

To test this access list, double click on any PC on the 10.0.0.0 network and select Web Browser.
Enter the IP of the 30.0.0.2 web server; the web page should load successfully. Now go to
30.0.0.2, open the command prompt and ping 10.0.0.2 or any PC on the 10.0.0.0 network; the
request will time out.

Stop ping but allow access to the web server

We host our web server on 30.0.0.2, but we do not want to allow external users to ping our
server, because ping could be used for a denial of service. Create an access list that filters all
ping requests inbound on the serial 0/0/0 interface of router2.

R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in

To test this access list, ping from 10.0.0.2 to 30.0.0.2; it should time out. Now open the web
browser and access 30.0.0.2; the page should be retrieved successfully.

Grant FTP access to a limited user

You want to grant FTP access only to 10.0.0.2; no other user needs FTP access to the server. So
you want to create a list that prevents FTP traffic originating from the subnet 10.0.0.0/8 and
going to the 30.0.0.2 server from traveling in on Ethernet interface E0/1 on R1.

R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit

Grant Telnet access to a limited user

For security reasons you do not want to provide telnet access to the server from any system
except your own. Your system is 10.0.0.4. Create an extended access list that prevents telnet
traffic originating from the 10.0.0.0 subnet from reaching the server.

R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
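An added example in Python (not the lab's or Cisco's code) that parses the extended access-list syntax given above and evaluates packets against the established, ICMP echo, FTP and Telnet lists from this section, so the expected permit/deny outcomes can be checked offline. The Packet and Entry classes, the port-name table and the function names are my own constructions; the ACL lines are transcribed from the configurations above.

```python
"""Evaluator for the extended-ACL syntax on this page (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lookup tables covering the names and keywords used on the page.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK bit set: a reply to an inside-initiated session
    icmp_type: int = -1     # 8 = echo request, 0 = echo reply

@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[str, str]                       # (base address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[Tuple[str, int]] = None    # (operator, port) or None
    dport: Optional[Tuple[str, int]] = None
    established: bool = False
    icmp_type: Optional[int] = None

def _addr(tok, i):  # consume 'any', 'host A' or 'A W' at tok[i]; return spec, next index
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok, i):  # consume an optional '<op> <port-or-name>' at tok[i]
    if i < len(tok) and tok[i] in OPS:
        name = tok[i + 1]
        return (tok[i], PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_extended_entry(line: str) -> Entry:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    number = int(tok[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is outside the extended ACL number ranges")
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    entry = Entry(tok[2], tok[3], src, dst, sport, dport)
    for keyword in tok[i:]:                    # trailing keywords: established, echo, log
        if keyword == "established":
            entry.established = True
        elif keyword in ICMP_TYPES:
            entry.icmp_type = ICMP_TYPES[keyword]
        elif keyword != "log":
            raise ValueError(f"unknown keyword {keyword!r} in {line!r}")
    return entry

def _ip_match(addr: str, spec: Tuple[str, str]) -> bool:
    base, wildcard = spec                      # wildcard 1 bits are "don't care"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care == 0

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_ip_match(p.src, e.src) and _ip_match(p.dst, e.dst)):
        return False
    if e.sport and not OPS[e.sport[0]](p.sport, e.sport[1]):
        return False
    if e.dport and not OPS[e.dport[0]](p.dport, e.dport[1]):
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False                           # a bare SYN from outside is not established
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True

def evaluate(acl_lines, packet: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    entries = [parse_extended_entry(line) for line in acl_lines]
    if not entries:
        return "permit"                        # an empty ACL on an interface permits all
    for entry in entries:
        if entry_matches(entry, packet):
            return entry.action
    return "deny"

# The page's lists 101 (established) and 102 (block ping), transcribed from above.
ACL_ESTABLISHED = ["access-list 101 permit tcp any any established"]
ACL_NO_PING = ["access-list 102 deny icmp any any echo", "access-list 102 permit ip any any"]
```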

Basic Concepts of NAT

This assignment explains the basic concepts of static NAT, dynamic NAT, PAT, inside local,
outside local, inside global and outside global in detail with examples.

Basic overview of NAT

There are several situations where we need address translation: a network which does not have
sufficient public IP addresses wants to connect to the Internet, two networks which use the same
IP addresses want to merge, or for security reasons a network wants to hide its internal IP
structure from the external world. NAT (Network Address Translation) is the process which
translates IP addresses. NAT can be performed on a firewall, a server or a router. In this
assignment we will look at how it is performed on a Cisco router.

NAT Terminology

Before we understand NAT in detail, let's get familiar with four basic terms used in NAT.

Term                         Description
Inside Local IP Address      Source IP address before translation, located inside the local network.
Inside Global IP Address     Source IP address after translation, located outside the local network.
Outside Global IP Address    Destination IP address before translation, located outside the remote network.
Outside Local IP Address     Destination IP address after translation, located inside the remote network.

Let's understand these terms with an example. Suppose a user is browsing a website from his home
computer. The network which connects his computer with the internet is considered a local network
for him. In the same way, the network which connects the webserver hosting the website with the
internet is considered a local network for the webserver. The network which connects both
networks over the internet is considered the global network.

On a router, the interface connected to the local network is configured with the inside local IP
address and the interface connected to the global network is configured with the inside global IP
address. Inside and outside depend on where we are standing right now. For example, in the above
network router R1 is inside and router R2 is outside for the user, while for the webserver router
R2 is inside and router R1 is outside.

Basically, on a NAT-enabled router there are two types of interface: inside local and inside
global.

So, what about outside global and outside local? These terms are used to explain the NAT process
theoretically. In practice we never need to configure the outside local and outside global
addresses as such. Let's discuss the above example once again.

On R1 we configure the inside local address (10.0.0.1) and the inside global address (100.0.0.1),
which become the outside local address (10.0.0.1) and the outside global address (100.0.0.1) for
R2 respectively.

In the same way, on R2 we configure the inside local address (192.168.1.1) and the inside global
address (100.0.0.2), which become the outside local address (192.168.1.1) and the outside global
address (100.0.0.2) for R1 respectively.

So in practice we only configure inside local and inside global. What is inside for one side is
the outside for the other side.

Types of NAT
There are three types of NAT: static NAT, dynamic NAT and PAT. These types define how an inside
local IP address is mapped to an inside global IP address.

Static NAT
In this type we manually map each inside local IP address to an inside global IP address. Since
this type uses one-to-one mapping, we need exactly the same number of IP addresses on both sides.

Dynamic NAT
In this type we create a pool of inside global IP addresses and let the NAT device map each
inside local IP address to an available inside global IP address from the pool automatically.

PAT
In this type a single inside global IP address is mapped to multiple inside local IP addresses
using the source port number. This is also known as PAT (Port Address Translation) or NAT
overload.

Situations where NAT is used

There are no hard and fast rules about where we should or should not use NAT. Whether we should
use NAT depends purely on the network requirements. For example, NAT is the best solution in the
following situations:

 Our network is built with private IP addresses and we want to connect it to the internet.
As we know, to connect to the internet we require public IP addresses. In this situation we
can use a NAT device which maps private IP addresses to public IP addresses.
 Two networks which use the same IP address scheme want to merge. In this situation a NAT
device is used to avoid the IP overlapping issue.
 We want to connect multiple computers to the internet through a single public IP address.
In this situation NAT is used to map the multiple IP addresses to the single IP address
through the port number.

How NAT Works


To understand how NAT works, let’s take one more example. In this example a user is accessing
a web server. User and Webserver both are connected through the NAT devices. Both user and
webserver are using private IP addresses which are not routable on the internet. Now let’s
understand how NAT makes this communication possible.

User generates a data packet for web server. This packet has source address 10.0.0.1 and
destination address 100.0.0.2.

Here source address is the correct address but why the packet has destination address 100.0.0.2
instead of actual destination address 192.168.1.1?
When a system needs to connect with the website, it uses DNS server to resolve the IP address of
the website. DNS server advertises the global IP address of the website. Outsider can connect
with the website through the advertised IP address only. In our example the global IP address of
web server is 100.0.0.2. For this reason the packet has the destination address 100.0.0.2 instead
of 192.168.1.1.

This packet reaches at R1. Since this packet contains private IP address in source filed which is
not routable on internet, R1 has to update the private IP address with a routable public IP address
before forwarding this packet.

R1 checks NAT table for available public IP addresses. Depending on what type of NAT (Static,
Dynamic or PAT) is configured one routable public IP will be picked from NAT table for this
packet.

In our example 100.0.0.1 is picked for this packet. Now R1 will replace 10.0.0.1 with 100.0.0.1
in the source filed of the packet and forward it to the R2.

R2 receives this packet and reads the destination IP address. R2 looks in its NAT table to find
the actual IP address of the destination. Since the NAT table of R2 has an entry for the address
100.0.0.2 which maps it to the address 192.168.1.1, R2 will replace the destination address
100.0.0.2 with the address 192.168.1.1 and forward it to the web server.

The web server will process this packet and reply with its own packet. This packet has source address
192.168.1.1 and destination address 100.0.0.1.

Since the web server received the packet from 100.0.0.1, it replies to that address instead of 10.0.0.1.

R2 receives this packet. Before forwarding it, R2 will replace the source IP address with
the mapped IP address from its NAT table. In this example 192.168.1.1 will be replaced with
100.0.0.2.

R1 receives this packet and checks its destination address. R1 will perform a query in its NAT table
to figure out the IP address which is associated with this destination IP address. Since the
destination IP address 100.0.0.1 is mapped with 10.0.0.1, R1 will replace the destination IP
address 100.0.0.1 with 10.0.0.1 and forward it to the PC.

From the user's point of view the IP address of the web server is 100.0.0.2, while from the web server's
point of view the IP address of the user is 100.0.0.1. This way neither the user nor the web server
ever learns the actual address of the other party.
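The request and reply walk-through above, as an added Python model that is not part of the original assignment: two StaticNat objects stand in for R1 and R2 with the text's mappings, packets are plain dicts with src and dst fields, and the class and function names are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class StaticNat:
    """One NAT device holding a static inside local -> inside global table."""
    name: str
    inside_to_global: dict

    def __post_init__(self):
        # reverse table used for packets arriving from the outside
        self.global_to_inside = {g: l for l, g in self.inside_to_global.items()}
        self.log = []

    def outbound(self, pkt: dict) -> dict:
        """Packet leaving the local network: rewrite the source field."""
        src = pkt["src"]
        if src not in self.inside_to_global:
            raise ValueError(f"{self.name}: no static entry for inside local {src}")
        new = dict(pkt, src=self.inside_to_global[src])
        self.log.append(f"{self.name} out: src {src} -> {new['src']}")
        return new

    def inbound(self, pkt: dict) -> dict:
        """Packet arriving from the outside: rewrite the destination field."""
        dst = pkt["dst"]
        if dst not in self.global_to_inside:
            raise ValueError(f"{self.name}: no static entry for inside global {dst}")
        new = dict(pkt, dst=self.global_to_inside[dst])
        self.log.append(f"{self.name} in: dst {dst} -> {new['dst']}")
        return new


def round_trip(r1: StaticNat, r2: StaticNat, user_ip: str, server_global: str):
    """Send a request from the user to the server's global address and carry the reply back.

    Returns the packet as the server sees it and the reply as the user sees it."""
    request = {"src": user_ip, "dst": server_global}
    on_wire = r1.outbound(request)
    if ip_address(on_wire["src"]).is_private:      # would not be routable on the internet
        raise RuntimeError("translated source is still a private address")
    at_server = r2.inbound(on_wire)
    # the server answers the source address it saw, not the user's real address
    reply = {"src": at_server["dst"], "dst": at_server["src"]}
    at_user = r1.inbound(r2.outbound(reply))
    return at_server, at_user


def demo():
    """The addresses from the text: user 10.0.0.1 behind R1, web server 192.168.1.1 behind R2."""
    r1 = StaticNat("R1", {"10.0.0.1": "100.0.0.1"})
    r2 = StaticNat("R2", {"192.168.1.1": "100.0.0.2"})
    at_server, at_user = round_trip(r1, r2, "10.0.0.1", "100.0.0.2")
    return at_server, at_user, r1.log + r2.log
```

A host with no static entry (as Laptop1 in the lab later) raises in outbound, which is the model's equivalent of the failed ping.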
Advantages and disadvantages of NAT

NAT provides the following advantages:

- NAT solves the IP overlapping issue.
- NAT hides the internal IP structure from the external world.
- NAT allows us to connect with any network without changing IP addresses.
- NAT allows us to connect multiple computers to the internet through a single public IP address.

NAT has the following disadvantages:

- NAT adds additional delay in the network.
- Several applications are not compatible with NAT.
- End-to-end IP traceability will not work with NAT.
- NAT hides the actual end device.

That's all for this article. In the next part of this assignment we will learn how to configure static
NAT and dynamic NAT on a Cisco router.

How to Configure Static NAT in Cisco Router


This assignment explains how to configure static NAT (Network Address Translation) in Cisco
Router step by step with Packet Tracer examples.

In order to configure NAT we have to understand four basic terms: inside local, inside global,
outside local and outside global. These terms define which address will be mapped with which
address.

Term                        Description
Inside Local IP Address     Before translation: source IP address located inside the local network.
Inside Global IP Address    After translation: source IP address located outside the local network.
Outside Global IP Address   Before translation: destination IP address located outside the remote network.
Outside Local IP Address    After translation: destination IP address located inside the remote network.

Static NAT Practice LAB Setup
In this assignment I will use the Packet Tracer network simulator software for demonstration.

Create a lab as illustrated in the following figure.

Initial IP Configuration
Device / Interface     IP Address         Connected With
Laptop0                10.0.0.10/8        Fa0/0 of R0
Laptop1                10.0.0.20/8        Fa0/0 of R0
Laptop2                10.0.0.30/8        Fa0/0 of R0
Server0                192.168.1.10/24    Fa0/0 of R1
Serial 0/0/0 of R1     100.0.0.1/8        Serial 0/0/0 of R2
Serial 0/0/0 of R2     100.0.0.2/8        Serial 0/0/0 of R1

To assign an IP address to a Laptop, click the Laptop, click Desktop, click IP Configuration, select
Static and set the IP address as given in the above table.

Configure the IP address on the Server in the same way.

To configure IP addresses on Router1, click Router1, select CLI and press the Enter key.
Two interfaces of Router1 are used in the topology: FastEthernet0/0 and Serial 0/0/0.

By default, router interfaces remain administratively down at start-up. We need to configure an
IP address and other parameters on an interface before we can actually use it for routing. Interface
mode is used to assign the IP address and other parameters. Interface mode is accessed from global
configuration mode. The following commands are used to access global configuration mode.

Router>enable

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#

Before we configure IP addresses on the interfaces, let's assign a unique descriptive name to the router.

Router(config)#hostname R1

R1(config)#

Now execute the following commands to set the IP address on the FastEthernet 0/0 interface.

R1(config)#interface FastEthernet0/0

R1(config-if)#ip address 10.0.0.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#exit

The interface FastEthernet 0/0 command is used to enter interface mode.

The ip address 10.0.0.1 255.0.0.0 command assigns an IP address to the interface.

The no shutdown command is used to bring the interface up.

The exit command is used to return to global configuration mode.


A serial interface needs two additional parameters: clock rate and bandwidth. Every serial cable has
two ends, DTE and DCE. These parameters are always configured at the DCE end.

We can use the show controllers interface command from privileged mode to check which end of the cable is attached.

R1(config)#exit

R1#show controllers serial 0/0/0

Interface Serial0/0/0

Hardware is PowerQUICC MPC860

DCE V.35, clock rate 2000000

[Output omitted]

The fourth line of the output confirms that the DCE end of the serial cable is attached. If you see DTE here
instead of DCE, skip these parameters.

Now that we have the necessary information, let's assign an IP address to the serial interface.

R1#configure terminal

R1(config)#interface Serial0/0/0

R1(config-if)#ip address 100.0.0.1 255.0.0.0

R1(config-if)#clock rate 64000

R1(config-if)#bandwidth 64

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#

Router#configure terminal Command is used to enter in global configuration mode.

Router(config)#interface serial 0/0/0 Command is used to enter in interface mode.

Router(config-if)#ip address 100.0.0.1 255.0.0.0 Command assigns IP address to interface.


Router(config-if)#clock rate 64000

In a real-life environment this parameter controls the data flow over the serial link and is set at
the service provider's end. In a lab environment we need not worry about this value; any valid
rate can be used here.

Router(config-if)#bandwidth 64

Bandwidth works as an influencer. It is used to influence the metric calculation of EIGRP or any
other routing protocol which uses bandwidth parameter in route selection process.

Router(config-if)#no shutdown Command brings interface up.

Router(config-if)#exit Command is used to return in global configuration mode.

We will use the same commands to assign IP addresses on the interfaces of Router2. We need to
provide the clock rate and bandwidth only on the DCE side of the serial interface. The following commands
will assign IP addresses on the interfaces of Router2.

Initial IP configuration in R2

Router>enable

Router#configure terminal

Router(config)#hostname R2

R2(config)#interface FastEthernet0/0

R2(config-if)#ip address 192.168.1.1 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface Serial0/0/0

R2(config-if)#ip address 100.0.0.2 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#
That's all the initial IP configuration we need. Now this topology is ready for the practice of static
NAT.
Configure Static NAT
Static NAT configuration requires three steps:
- Define IP address mapping
- Define inside local interface
- Define inside global interface
Since static NAT uses manual translation, we have to map each inside local IP address (which
needs a translation) with an inside global IP address. The following command is used to map an inside
local IP address with an inside global IP address.

Router(config)#ip nat inside source static [inside local ip address] [inside global IP address]

For example, in our lab Laptop1 is configured with IP address 10.0.0.10. To map it with the
50.0.0.10 IP address we will use the following command.

Router(config)#ip nat inside source static 10.0.0.10 50.0.0.10

In the second step we have to define which interface is connected with the local network. On both
routers interface Fa0/0 is connected with the local network which needs IP translation.
The following command will define interface Fa0/0 as inside local.

Router(config-if)#ip nat inside

In the third step we have to define which interface is connected with the global network. On both
routers the Serial 0/0/0 interface is connected with the global network. The following command will
define interface Serial0/0/0 as inside global.

Router(config-if)#ip nat outside

Following figure illustrates these terms.


Let’s implement all these commands together and configure the static NAT.

R1 Static NAT Configuration

R1(config)#ip nat inside source static 10.0.0.10 50.0.0.10

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip nat inside

R1(config-if)#exit

R1(config)#

R1(config)#interface Serial 0/0/0

R1(config-if)#ip nat outside

R1(config-if)#exit

For testing purposes I configured only one static translation. You may use the following commands to
configure the translation for the remaining addresses.

R1(config)#ip nat inside source static 10.0.0.20 50.0.0.20

R1(config)#ip nat inside source static 10.0.0.30 50.0.0.30

R2 Static NAT Configuration

R2(config)#ip nat inside source static 192.168.1.10 200.0.0.10

R2(config)#interface FastEthernet 0/0

R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#

R2(config)#interface Serial 0/0/0

R2(config-if)#ip nat outside

R2(config-if)#exit
Before we test this lab we need to configure IP routing. IP routing is the process which
allows a router to route packets between different networks. The following assignment explains
routing in detail with examples.

Routing concepts Explained with Examples

Configure static routing in R1

R1(config)#ip route 200.0.0.0 255.255.255.0 100.0.0.2

Configure static routing in R2

R2(config)#ip route 50.0.0.0 255.0.0.0 100.0.0.1

Testing Static NAT Configuration


In this lab we configured static NAT on R1 and R2. On R1 we mapped inside local IP address
10.0.0.10 with inside global address 50.0.0.10 while on R2 we mapped inside local IP address
192.168.1.10 with inside global IP address 200.0.0.10.

Device     Inside Local IP Address   Inside Global IP Address
Laptop0    10.0.0.10                 50.0.0.10
Server     192.168.1.10              200.0.0.10

To test this setup click Laptop0, click Desktop and click Command Prompt.

- Run the ipconfig command.
- Run the ping 200.0.0.10 command.
- Run the ping 192.168.1.10 command.

The first command verifies that we are testing from the correct NAT device.

The second command checks whether we are able to access the remote device or not. A ping reply
confirms that we are able to connect with the remote device on this IP address.
The third command checks whether we are able to access the remote device on its actual IP address
or not. A ping error confirms that we are not able to connect with the remote device on this IP
address.

Let's do one more test. Click Laptop0, click Desktop, click Web server and access
200.0.0.10.

The above figure confirms that host 10.0.0.10 is able to access 200.0.0.10.

Now run ping 200.0.0.10 command from Laptop1.

Why are we not able to connect with the remote device from this host?

Because we configured NAT only for one host (Laptop0), whose IP address is 10.0.0.10. So only
the host 10.0.0.10 will be able to access the remote device.

To confirm it again, let’s try to access web service from this host.

If you followed this assignment step by step, you should get the same test output. Although
it is very rare, sometimes you may get different output. To figure out what went wrong you can
use my practice topology with all of the above configuration. Download my practice topology

Download NAT Practice LAB with Static NAT configuration

We can also verify this translation on the router with the show ip nat translation command.

The following figure illustrates this translation on router R1.

The following figure illustrates this translation on router R2.


Pay a little extra attention to the outside local address field. Have you noticed one interesting
feature of NAT in the above output? Why is the actual outside local IP address not listed in this field?

The actual IP address is not listed here because the router is receiving packets after the translation.
From R1's point of view the remote device's IP address is 200.0.0.10, while from R2's point of view
the end device's IP address is 50.0.0.10.

This way, if NAT is enabled, we would not be able to trace the actual end device.

That's all for this assignment. In the next part we will learn dynamic NAT configuration step by step
with examples.

How to Configure Dynamic NAT in Cisco Router

Initial IP Configuration

Device / Interface     IP Address         Connected With
Laptop0                10.0.0.10/8        Fa0/0 of R0
Laptop1                10.0.0.20/8        Fa0/0 of R0
Laptop2                10.0.0.30/8        Fa0/0 of R0
Server0                192.168.1.10/24    Fa0/0 of R1
Serial 0/0/0 of R1     100.0.0.1/8        Serial 0/0/0 of R2
Serial 0/0/0 of R2     100.0.0.2/8        Serial 0/0/0 of R1

Alternatively you can download my practice topology, which is configured with this initial IP
configuration.

Download NAT Practice LAB with initial IP configuration

To assign an IP address to a Laptop, click the Laptop, click Desktop, click IP Configuration, select
Static and set the IP address as given in the above table.
Configure the IP address on the Server in the same way.

To configure IP addresses on Router1, click Router1, select CLI and press the Enter key.

Run the following commands to set the IP addresses and hostname.

Router>enable

Router# configure terminal

Router(config)#

Router(config)#hostname R1

R1(config)#interface FastEthernet0/0

R1(config-if)#ip address 10.0.0.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#interface Serial0/0/0

R1(config-if)#ip address 100.0.0.1 255.0.0.0

R1(config-if)#clock rate 64000

R1(config-if)#bandwidth 64

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#

In the same way, access the command prompt of R2 and run the following commands to set the IP addresses and
hostname.
Router>enable

Router#configure terminal

Router(config)#hostname R2

R2(config)#interface FastEthernet0/0

R2(config-if)#ip address 192.168.1.1 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface Serial0/0/0

R2(config-if)#ip address 100.0.0.2 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#

That's all the initial IP configuration we need. Now this topology is ready for the practice of
dynamic NAT.

Configure Dynamic NAT

Dynamic NAT configuration requires four steps:

- Create an access list of IP addresses which need translation
- Create a pool of all IP addresses which are available for translation
- Map the access list with the pool
- Define inside and outside interfaces

In the first step we will create a standard access list which defines which inside local addresses are
permitted to map with inside global addresses.

To create a standard numbered ACL following global configuration mode command is used:-

Router(config)# access-list ACL_Identifier_number permit/deny matching-parameters

Let’s understand this command and its options in detail.


Router(config)#

This command prompt indicates that we are in global configuration mode.

access-list

Through this parameter we tell router that we are creating or accessing an access list.

ACL_Identifier_number

With this parameter we specify the type of access list. We have two types of access list: standard
and extended. Both lists have their own unique identifier number ranges. Standard ACLs use numbers in the
ranges 1 to 99 and 1300 to 1999. We can pick any number from these ranges to tell the router that
we are working with a standard ACL. This number is used in grouping the conditions under a single
ACL. This number is also the unique identifier for this ACL in the router.

permit/deny

An ACL condition has two actions; permit and deny. If we use permit keyword, ACL will allow
all packets from the source address specified in next parameter. If we use deny keyword, ACL
will drop all packets from the source address specified in next parameter.

matching-parameters

This parameter allows us to specify the contents of the packet that we want to match. In a standard
ACL condition it could be a single source address or a range of addresses. We have three options
to specify the source address.

- any
- host
- A.B.C.D

Any

Any keyword is used to match all sources. Every packet compared against this condition would
be matched.

Host
Host keyword is used to match a specific host. To match a particular host, type the keyword host
and then the IP address of host.

A.B.C.D

Through this option we can match a single address or a range of addresses. To match a single
address, simply type its address. To match a range of addresses, we need to use wildcard mask.

Wildcard mask

Just like a subnet mask, a wildcard mask is also used to draw a boundary in an IP address. Where a
subnet mask is used to separate the network address from the host address, a wildcard mask is used to
distinguish the matching portion from the rest. The wildcard mask is the inverse of the subnet mask.
The wildcard can be calculated in decimal or in binary from the subnet mask.

We have three hosts in lab. Let’s create a standard access list which allows two hosts and denies
one host.

R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0

R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0

R1(config)#access-list 1 deny any

In the second step we define a pool of inside global addresses which are available for translation.

The following command is used to define the NAT pool.

Router(config)#ip nat pool [Pool Name] [Start IP address] [End IP address] netmask [Subnet mask]

This command accepts four options: pool name, start IP address, end IP address and subnet mask.

Pool Name: - This is the name of the pool. We can choose any descriptive name here.

Start IP Address: - First IP address of the IP range which is available for translation.

End IP Address: - Last IP address of the IP range which is available for translation. There is
no minimum or maximum size for the IP range; for example, we can have a range of a single IP
address or a range of all IP addresses in a subnet.

Subnet Mask: - Subnet mask of the IP range.

Let's create a pool named ccna with an IP range of two addresses.

R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.2 netmask 255.0.0.0

This pool consists of two class A IP addresses, 50.0.0.1 and 50.0.0.2.

In third step we map access list with pool. Following command will map the access list with pool
and configure the dynamic NAT.

Router(config)#ip nat inside source list [access list name or number] pool [pool name]

This command accepts two options.

Access list name or number: - Name or number of the access list which we created in the first step.

Pool Name: - Name of pool which we created in second step.

In first step we created a standard access list with number 1 and in second step we created a pool
named ccna. To configure a dynamic NAT with these options we will use following command.

R1(config)#ip nat inside source list 1 pool ccna

Finally we have to define which interface is connected with local network and which interface is
connected with global network.

To define an inside local we use following command

Router(config-if)#ip nat inside

Following command defines inside global


Router(config-if)#ip nat outside

Let’s implement all these commands together and configure the dynamic NAT.

R1 Dynamic NAT Configuration

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0

R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0

R1(config)#access-list 1 deny any

R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.2 netmask 255.0.0.0

R1(config)#ip nat inside source list 1 pool ccna

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip nat inside

R1(config-if)#exit

R1(config)#interface Serial0/0/0

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#

For testing purposes I configured dynamic translations for two addresses only.

On R2 we can keep the standard configuration, or configure dynamic NAT as we just did on R1,
or configure static NAT as we learnt in the previous part of this article.

Let’s do a quick recap of what we learnt in previous part and configure static NAT on R2.
R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#ip nat inside source static 192.168.1.10 200.0.0.10

R2(config)#interface Serial 0/0/0

R2(config-if)#ip nat outside

R2(config-if)#exit

R2(config)#interface FastEthernet 0/0

R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#

To understand above commands in detail please see the second part of this assignment.

Before we test this lab we need to configure IP routing. IP routing is the process which
allows a router to route packets between different networks. The following assignment explains
routing in detail with examples.

Routing Protocols Explained in details

Configure static routing in R1

R1(config)#ip route 200.0.0.0 255.255.255.0 100.0.0.2

Configure static routing in R2

R2(config)#ip route 50.0.0.0 255.0.0.0 100.0.0.1

Testing Dynamic NAT Configuration


In this lab we configured dynamic NAT on R1 for 10.0.0.10 and 10.0.0.20 and static NAT on R2
for 192.168.1.10.

Device     Inside Local IP Address   Inside Global IP Address
Laptop0    10.0.0.10                 50.0.0.1
Laptop1    10.0.0.20                 50.0.0.2
Server     192.168.1.10              200.0.0.10

To test this setup click Laptop0, click Desktop and click Command Prompt.

- Run the ipconfig command.
- Run the ping 200.0.0.10 command.
- Run the ping 192.168.1.10 command.

The first command verifies that we are testing from the correct NAT device.

The second command checks whether we are able to access the remote device or not. A ping reply
confirms that we are able to connect with the remote device on this IP address.

The third command checks whether we are able to access the remote device on its actual IP address
or not. A ping error confirms that we are not able to connect with the remote device on this IP
address.

Let's do one more test. Close the command prompt, click Web server and access
200.0.0.10.

The above figure confirms that host 10.0.0.10 is able to access 200.0.0.10. You can also do the
same test from Laptop1; the result will be the same.

Now run ping 200.0.0.10 command from Laptop2.

Close the command prompt and access web server from this host.

Why are we not able to connect with the remote device from this host?
Because we configured NAT only for two hosts (Laptop0 and Laptop1), whose IP addresses are
10.0.0.10 and 10.0.0.20. So only the hosts 10.0.0.10 and 10.0.0.20 will be able to access the
remote device.

We can also verify this translation on the router with the show ip nat translation command.

The following figure illustrates this translation on router R1.

We did three tests, one from each host, but why are only two translations listed here? Remember that in the first
step we created an access list. The access list filters the unwanted traffic before it reaches
NAT. We can see how many packets were blocked by the ACL (the match count on its deny entry) with the following command.

R1#show ip access-lists 1

Basically it is the access list which filters the traffic. NAT does not filter any traffic; it only translates
addresses.

The following figure illustrates the NAT translation on router R2.

That’s all for this assignment. In next part we will learn NAT overload (PAT) configuration step
by step with examples.

Configure PAT in Cisco Router

This assignment explains how to configure PAT (Port Address Translation), also known as NAT
Overload, on a Cisco router.

Initial IP Configuration
Device / Interface     IP Address         Connected With
Laptop0                10.0.0.10/8        Fa0/0 of R0
Laptop1                10.0.0.20/8        Fa0/0 of R0
Laptop2                10.0.0.30/8        Fa0/0 of R0
Server0                192.168.1.10/24    Fa0/0 of R1
Serial 0/0/0 of R1     100.0.0.1/8        Serial 0/0/0 of R2
Serial 0/0/0 of R2     100.0.0.2/8        Serial 0/0/0 of R1

Alternatively you can download my practice topology, which is configured with this initial IP
configuration.

To assign an IP address to a Laptop, click the Laptop, click Desktop, click IP Configuration, select
Static and set the IP address as given in the above table.

Configure the IP address on the Server in the same way.

To configure IP addresses on Router1, click Router1, select CLI and press the Enter key.

Run the following commands to set the IP addresses and hostname.

Router>enable

Router# configure terminal

Router(config)#

Router(config)#hostname R1

R1(config)#interface FastEthernet0/0

R1(config-if)#ip address 10.0.0.1 255.0.0.0

R1(config-if)#no shutdown

R1(config-if)#exit
R1(config)#interface Serial0/0/0

R1(config-if)#ip address 100.0.0.1 255.0.0.0

R1(config-if)#clock rate 64000

R1(config-if)#bandwidth 64

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#

In the same way, access the command prompt of R2 and run the following commands to set the IP addresses and
hostname.

Router>enable

Router#configure terminal

Router(config)#hostname R2

R2(config)#interface FastEthernet0/0

R2(config-if)#ip address 192.168.1.1 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface Serial0/0/0

R2(config-if)#ip address 100.0.0.2 255.0.0.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#

That's all the initial IP configuration we need. Now this topology is ready for the practice of PAT.
Configure PAT (NAT Overload)
PAT configuration requires four steps:

- Create an access list of IP addresses which need translation
- Create a pool of all IP addresses which are available for translation
- Map the access list with the pool
- Define inside and outside interfaces

In the first step we will create a standard access list which defines which inside local addresses are
permitted to map with inside global addresses.

To create a standard numbered ACL following global configuration mode command is used:-

Router(config)# access-list ACL_Identifier_number permit/deny matching-parameters

Let’s understand this command and its options in detail.

Router(config)#

This command prompt indicates that we are in global configuration mode.

access-list

Through this parameter we tell router that we are creating or accessing an access list.

ACL_Identifier_number

With this parameter we specify the type of access list. We have two types of access list: standard
and extended. Both lists have their own unique identifier number ranges. Standard ACLs use numbers in the
ranges 1 to 99 and 1300 to 1999. We can pick any number from these ranges to tell the router that
we are working with a standard ACL. This number is used in grouping the conditions under a single
ACL. This number is also the unique identifier for this ACL in the router.

permit/deny

An ACL condition has two actions; permit and deny. If we use permit keyword, ACL will allow
all packets from the source address specified in next parameter. If we use deny keyword, ACL
will drop all packets from the source address specified in next parameter.
matching-parameters

This parameter allows us to specify the contents of the packet that we want to match. In a standard
ACL condition it could be a single source address or a range of addresses. We have three options
to specify the source address.

- any
- host
- A.B.C.D

Any
Any keyword is used to match all sources. Every packet compared against this condition would
be matched.

Host
Host keyword is used to match a specific host. To match a particular host, type the keyword host
and then the IP address of host.

A.B.C.D
Through this option we can match a single address or a range of addresses. To match a single
address, simply type its address. To match a range of addresses, we need to use wildcard mask.

Wildcard mask
Just like a subnet mask, a wildcard mask is also used to draw a boundary in an IP address. Where a
subnet mask is used to separate the network address from the host address, a wildcard mask is used to
distinguish the matching portion from the rest. The wildcard mask is the inverse of the subnet mask.
The wildcard can be calculated in decimal or in binary from the subnet mask.

We have three hosts in lab. Let’s create a standard access list which allows two hosts and denies
one host.

R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0

R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0

R1(config)#access-list 1 deny any


To learn standard ACL in detail you can use following assignment.

Standard ACL Explained with Examples

In second step we define a pool of inside global addresses which are available for translation.

Following command is used to define the NAT pool.

Router(config)#ip nat pool [Pool Name] [Start IP address] [End IP address] netmask [Subnet mask]

This command accepts four options: pool name, start IP address, end IP address and subnet mask.

Pool Name: - This is the name of the pool. We can choose any descriptive name here.

Start IP Address: - First IP address of the IP range which is available for translation.

End IP Address: - Last IP address of the IP range which is available for translation. There is
no minimum or maximum size for the IP range; for example, we can have a range of a single IP
address or a range of all IP addresses in a subnet.

Subnet Mask: - Subnet mask of the IP range.

Let’s create a pool named ccna with a single IP address.

R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.1 netmask 255.0.0.0

In third step we map access list with pool. Following command will map the access list with pool
and configure the PAT.

Router(config)#ip nat inside source list [access list name or number] pool [pool name] overload

This command accepts two options.

Access list name or number: - Name or number of the access list which we created in the first step.

Pool Name: - Name of pool which we created in second step.


In first step we created a standard access list with number 1 and in second step we created a pool
named ccna. To configure a PAT with these options we will use following command.

R1(config)#ip nat inside source list 1 pool ccna overload

Finally we have to define which interface is connected with local network and which interface is
connected with global network.

To define an inside local we use following command

Router(config-if)#ip nat inside

Following command defines inside global

Router(config-if)#ip nat outside

Let’s implement all these commands together and configure the PAT.

R1 PAT (NAT Overload) Configuration

R1>enable

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#access-list 1 permit 10.0.0.10 0.0.0.0

R1(config)#access-list 1 permit 10.0.0.20 0.0.0.0

R1(config)#access-list 1 deny any

R1(config)#ip nat pool ccna 50.0.0.1 50.0.0.1 netmask 255.0.0.0

R1(config)#ip nat inside source list 1 pool ccna overload

R1(config)#interface FastEthernet 0/0

R1(config-if)#ip nat inside


R1(config-if)#exit

R1(config)#interface Serial 0/0/0

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#

For testing purposes I configured PAT translations for two addresses only.

On R2 we can keep the standard configuration, or configure dynamic NAT, or configure
static NAT as we learnt in the previous parts of this article.

Let’s do a quick recap of what we learnt in previous part and configure static NAT on R2.

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#ip nat inside source static 192.168.1.10 200.0.0.10

R2(config)#interface Serial 0/0/0

R2(config-if)#ip nat outside

R2(config-if)#exit

R2(config)#interface FastEthernet 0/0

R2(config-if)#ip nat inside

R2(config-if)#exit

R2(config)#

To understand above commands in detail please see the second part of this assignment.

Before we test this lab we need to configure IP routing. IP routing is the process which
allows a router to route packets between different networks. The following assignment explains
routing in detail with examples.
Routing Protocol Explained

Configure static routing in R1

R1(config)#ip route 200.0.0.0 255.255.255.0 100.0.0.2

Configure static routing in R2

R2(config)#ip route 50.0.0.0 255.0.0.0 100.0.0.1

Testing PAT Configuration

In this lab we configured PAT on R1 for 10.0.0.10 and 10.0.0.20, and static NAT on R2 for
192.168.1.10.

Device     Inside Local IP Address   Inside Global IP Address
Laptop0    10.0.0.10                 50.0.0.1
Laptop1    10.0.0.20                 50.0.0.2
Server     192.168.1.10              200.0.0.10

To test this setup, click Laptop0, open the Desktop tab and click Command Prompt.

 Run the ipconfig command.
 Run the ping 200.0.0.10 command.
 Run the ping 192.168.1.10 command.

The first command verifies that we are testing from the correct NAT device.

The second command checks whether we are able to reach the remote device. A ping reply
confirms that we can connect to the remote device on this IP address.

The third command checks whether we are able to reach the remote device on its actual IP
address. A ping error confirms that we cannot connect to the remote device on this IP
address.

Let’s do one more test. Close the command prompt, open the web browser and access
200.0.0.10.
The figure above confirms that host 10.0.0.10 is able to access 200.0.0.10. You can do the
same test from Laptop1; the result will be the same.

Now run ping 200.0.0.10 command from Laptop2.

Close the command prompt and access web server from this host.

Why are we not able to connect to the remote device from this host?

Because we configured PAT only for two hosts (Laptop0 and Laptop1), whose IP addresses are
10.0.0.10 and 10.0.0.20. So only the hosts 10.0.0.10 and 10.0.0.20 are able to access the
remote device.

If you followed this assignment step by step, you should get the same test output. Although
it is very rare, sometimes you may get a different output. To figure out what went wrong you
can use my practice topology with all of the above configuration. Download my practice topology:

Download NAT Practice LAB with PAT configuration

We can also verify this translation on the router with the show ip nat translations command.

The following figure illustrates this translation on router R1.

As we can see in the above output, the same inside global IP address is used to translate all
the inside local IP addresses. For each inside local IP address a unique port number is used.

The following figure illustrates the NAT translation on router R2.

In the above output, the Outside global field also confirms that all packets are coming from a
single IP address.
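To make the translation table concrete, here is a small Python model of the R1 PAT configuration from this lab (an added example, not Packet Tracer or IOS code). It applies ACL 1, shares the single pool address 50.0.0.1 across permitted hosts by port, and shows why a host outside the ACL (Laptop2, whose address the lab does not state, so 10.0.0.30 is assumed here) gets no translation.

```python
"""Model of the R1 PAT (NAT overload) configuration above, built as a
constructed example (not Packet Tracer or IOS code). ACL 1 permits
10.0.0.10 and 10.0.0.20, pool 'ccna' holds the single inside global
address 50.0.0.1, and 'overload' shares it by giving each flow a port."""

PERMITTED = {"10.0.0.10", "10.0.0.20"}   # access-list 1 permit ...; deny any
POOL = ["50.0.0.1"]                       # ip nat pool ccna 50.0.0.1 50.0.0.1


class PatTable:
    def __init__(self, pool, permitted):
        self.pool, self.permitted = list(pool), set(permitted)
        self.table = {}     # (inside local ip, port) -> (inside global ip, port)
        self.reverse = {}   # (inside global ip, port) -> (inside local ip, port)

    def _free_port(self, gip, wanted):
        # Simplification of IOS port selection: keep the host's own source
        # port if still free on the shared address, else lowest free >= 1024.
        if (gip, wanted) not in self.reverse:
            return wanted
        port = 1024
        while (gip, port) in self.reverse:
            port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the 'ip nat inside' interface (Fa0/0 on R1)."""
        if src_ip not in self.permitted:
            # 'deny any' in ACL 1: no translation, the packet keeps its private
            # source and R2 has no return route. This is why Laptop2 fails.
            return None
        key = (src_ip, src_port)
        if key not in self.table:
            gip = self.pool[0]
            gport = self._free_port(gip, src_port)
            self.table[key] = (gip, gport)
            self.reverse[(gip, gport)] = key
        gip, gport = self.table[key]
        return (gip, gport, dst_ip, dst_port)

    def inbound(self, dst_ip, dst_port):
        """Reply arriving on 'ip nat outside' (S0/0/0): find the inside host."""
        return self.reverse.get((dst_ip, dst_port))

    def show_translations(self):
        """Rows in the shape of 'show ip nat translations' on R1."""
        return [f"{gip}:{gport} {lip}:{lport}"
                for (lip, lport), (gip, gport) in self.table.items()]
```

Two hosts using the same source port both end up behind 50.0.0.1, distinguished only by the translated port, which is exactly what the R1 output in the figure shows.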
