Some Useful Strategies for CISCO NAT Configuration.


With the rapid growth of the Internet, the shortage of IP addresses has become a prominent problem, and a variety of solutions have emerged to address it. The following material from SPOTO covers one of the more effective methods in the current network environment: Network Address Translation (NAT).

First, introduction to NAT

NAT (Network Address Translation) lets an organization choose its own internal IP addresses freely, without applying for registered addresses for every host. Within the internal network, each computer communicates using its internal IP address. When an internal computer communicates with the external Internet, a NAT-enabled device (such as a router) translates the internal IP address into a valid, registered IP address (that is, an address the organization actually applied for).

Second, NAT application environments:

Case 1: A company does not want outside users to learn the internal structure of its network. NAT can isolate the internal network from the external Internet: outside users see only the translated addresses and do not learn the internal IP addresses behind NAT.

Case 2: A company has only a few legitimate (registered) Internet IP addresses but many internal network users. With NAT, multiple users can share one legal IP address at the same time to communicate with the external Internet.

Third, hardware and software requirements of the router used for NAT:

The router performing NAT must have at least one inside port (Inside) and one outside port (Outside). Network users connected to the inside port use internal IP addresses.

The inside port can be any router port. The outside port connects to an external network, such as the Internet, and it too can be any port on the router.

The IOS of the router performing NAT must support the NAT function (the router used in this example is a Cisco 2501; its IOS supports NAT in version 11.2 and later).

Fourth, several NAT concepts:

Inside local address: the internal IP address assigned to a computer on the internal network.

Inside global address: a legal (registered) IP address that represents one or more inside local addresses to the outside network. This is the IP address that you need to apply for.

Fifth, NAT configuration methods:

NAT configuration can be divided into static address translation, dynamic address translation, and multiplexed (overloaded) dynamic address translation.

1. The environment for static address translation

Static address translation maps an inside local address to an inside legal (global) address one-to-one, and you must specify which legal address each local address maps to. If the internal network has services such as an E-mail server or an FTP server that must be reachable by external users, the IP addresses of these servers must be statically translated so that outside users can reach them.

Basic configuration steps for static address translation:

(1) Establish a static translation between the inside local address and the inside legal address. In global configuration mode, enter:

ip nat inside source static <inside-local-address> <inside-legal-address>

(2) Specify the inside port that connects to the internal network. In interface configuration mode, enter:

ip nat inside

(3) Specify the outside port that connects to the external network. In interface configuration mode, enter:

ip nat outside

Note: Multiple inside ports and multiple outside ports can be defined according to actual needs.

Example 1:

This example implements static NAT address translation. The 2501's Ethernet port is used as the inside port and serial port 0 (Serial0) as the outside port. The inside local addresses 10.1.1.2, 10.1.1.3, and 10.1.1.4 are statically translated to the inside legal addresses 192.1.1.2, 192.1.1.3, and 192.1.1.4, respectively.

Configuration of router 2501:

Current configuration:

version 11.3
no service password-encryption
hostname 2501
!
ip nat inside source static 10.1.1.2 192.1.1.2
ip nat inside source static 10.1.1.3 192.1.1.3
ip nat inside source static 10.1.1.4 192.1.1.4
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
 no ip route-cache
 bandwidth 2000
 no fair-queue
 clockrate 2000000
!
interface Serial1
 no ip address
 shutdown
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
!
line con 0
line aux 0
line vty 0 4
 password cisco
!
end

After the configuration is complete, you can view the NAT state with the following commands:

show ip nat statistics

show ip nat translations

2. The environment applicable to dynamic address translation:

Dynamic address translation is also a one-to-one mapping of an inside local address to an inside legal address, but here the router dynamically selects an unused address from the inside legal address pool each time it translates an inside local address, instead of the administrator fixing the mapping in advance.

Basic configuration steps for dynamic address translation:

(1) In global configuration mode, define the inside legal address pool:

ip nat pool <pool-name> <starting-ip-address> <ending-ip-address> netmask <subnet-mask>

The address pool name can be chosen arbitrarily.

(2) In global configuration mode, define a standard access list that specifies which inside addresses may be dynamically translated:

access-list <label> permit <source-address> <wildcard-mask>

The label (access-list number) of a standard access list is an integer between 1 and 99.

(3) In global configuration mode, translate the inside local addresses matched by the access list to addresses from the specified inside legal address pool:

ip nat inside source list <access-list-label> pool <inside-legal-address-pool-name>

(4) In interface configuration mode, specify the inside port connected to the internal network:

ip nat inside

(5) In interface configuration mode, specify the outside port connected to the external network:

ip nat outside

3. Environment for multiplexed dynamic address translation:

Multiplexed dynamic address translation is first of all a dynamic address translation, but it additionally allows multiple inside local addresses to share one inside legal address. This form of translation is extremely useful when you have applied for only a small number of IP addresses but frequently have many more users who need to reach the external network.

Note: When multiple users share one IP address at the same time, the router distinguishes the individual internal computers by the upper-layer TCP or UDP port number, so that each connection is uniquely identified on the external network.

Configuration steps for multiplexed dynamic address translation:

(1) In global configuration mode, define the inside address pool:

ip nat pool <pool-name> <starting-ip-address> <ending-ip-address> netmask <subnet-mask>

The address pool name can be chosen arbitrarily.

(2) In global configuration mode, define a standard access list that specifies which inside local addresses may be dynamically translated:

access-list <label> permit <source-address> <wildcard-mask>

The label (access-list number) of a standard access list is an integer between 1 and 99.

(3) In global configuration mode, establish the multiplexed dynamic translation between the inside local addresses and the inside legal IP address:

ip nat inside source list <access-list-label> pool <inside-legal-address-pool-name> overload

(4) In interface configuration mode, specify the inside port connected to the internal network:

ip nat inside

(5) In interface configuration mode, specify the outside port connected to the external network:

ip nat outside

Example: Multiplexed dynamic NAT address translation is applied. The 2501's Ethernet port is used as the inside port and serial port 0 (Serial0) as the outside port. The 10.1.1.0 network segment uses multiplexed dynamic address translation. Suppose the company has applied for only one legal IP address, 192.1.1.1.
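The page stops before showing the configuration for this scenario, so the following is an added example (not SPOTO's or Cisco's own text) of the 2501 configured through the five steps above with the page's addresses: Ethernet0 10.1.1.1/24 inside, Serial0 192.1.1.1/24 outside, and the whole 10.1.1.0/24 segment overloaded onto 192.1.1.1. The pool name "onlyone" and access-list number 1 are assumptions; the same configuration without the overload keyword and with a multi-address pool range is the one-to-one dynamic NAT of section 2.

```cisco
! Added example: PAT (overload) on the Cisco 2501 for the page's final scenario.
! Pool name "onlyone" and access-list number 1 are assumed, not taken from the page.
version 11.3
hostname 2501
!
! Step (1): inside legal address pool. Only one registered address exists,
! so the pool's start and end address are both 192.1.1.1 (also the Serial0 address).
ip nat pool onlyone 192.1.1.1 192.1.1.1 netmask 255.255.255.0
!
! Step (2): standard ACL 1 selects which inside local addresses may be translated.
! Only 10.1.1.0/24 is permitted; any other source is implicitly denied by the ACL
! and is therefore never translated.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Step (3): bind ACL 1 to the pool. "overload" makes the router multiplex many
! inside hosts onto 192.1.1.1 by rewriting TCP/UDP source ports. Without it this
! line would be plain dynamic NAT and the single-address pool would serve one
! host at a time.
ip nat inside source list 1 pool onlyone overload
! Equivalent shorter form that reuses the outside interface address directly:
!   ip nat inside source list 1 interface Serial0 overload
!
! Step (4): inside port.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Step (5): outside port.
interface Serial0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Serial0
end
```

After an inside host opens connections, show ip nat translations lists one entry per inside-local address:port pair, all with inside global 192.1.1.1 and a distinct port, which is the per-connection identification the Note above describes. Keep the ACL as narrow as the segments that genuinely need translation, because packets from inside sources the ACL does not permit are forwarded out Serial0 with their private source address untranslated.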