PAT, internal hosts can share a single public IP address for all external communications. In this type of configuration, very few external addresses are required to support many internal hosts, thereby conserving IP addresses.
- Protects network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access.

Interactive Media Activity
Drag and Drop: Network Address Translation with Overload (NAT)
When the student has completed this activity, the student will be able to identify the IP address and port translations that occur when using PAT.

Web Links
About NAT
http://www.homenethelp.com/web/explain/about-NAT.asp
Content 1.1 Scaling Networks with NAT and PAT
1.1.4 Configuring NAT and PAT
Static Translation
To configure static inside source address translation, perform the tasks in Figures and . Figure shows the use of static NAT translation. The router will translate packets from host 10.1.1.2 to a source address of 192.168.1.2.

Dynamic Translation
To configure dynamic inside source address translation, perform the tasks in Figure . The access list must permit only those addresses that are to be translated. Remember that there is an implicit "deny all" at the end of each access list. An access list that is too permissive can lead to unpredictable results. Cisco advises against configuring access lists referenced by NAT commands with the permit any command. Using permit any can result in NAT consuming too many router resources, which can cause network problems.

The configuration in Figure translates all source addresses that pass access list 1, that is, source addresses in 10.1.0.0/24, to an address from the pool named nat-pool1. The pool contains the addresses from 179.9.8.80/24 to 179.9.8.95/24.

Note: NAT will not translate the host 10.1.1.2, because the access list does not permit it for translation.
Overloading
Overloading is configured in one of two ways, depending on how public IP addresses have been allocated. An ISP can allocate a network only one public IP address, and this is typically assigned to the outside interface that connects to the ISP. Figure shows how to configure overloading in this situation. The other way of configuring overload applies when the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure . Figure shows an example configuration of PAT.
Lab Activity
Lab Exercise: Configuring NAT
In this lab, a router will be configured to use network address translation (NAT).

Lab Activity
Lab Exercise: Configuring PAT
In this lab, a router will be configured to use Port Address Translation (PAT).

Lab Activity
Lab Exercise: Configuring Static NAT Addresses
In this lab, a router will be configured to use network address translation (NAT) to convert internal IP addresses, typically private addresses, into outside public addresses.

Lab Activity
e-Lab Activity: Configuring NAT
In this lab, the student will configure NAT.

Lab Activity
e-Lab Activity: Configuring PAT
In this lab, the students will configure a router to use Port Address Translation (PAT) to convert internal IP addresses, typically private addresses, into an outside public address.

Lab Activity
e-Lab Activity: Configuring Static NAT Addresses
In this lab, the student will configure a router to use network address translation (NAT) to convert internal IP addresses, typically private addresses, into outside public addresses.

Web Links
Configuring Network Address Translation: Getting Started
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
1.1 Scaling Networks with NAT and PAT
1.1.5 Verifying PAT configuration

Once NAT is configured, use the clear and show commands to verify that it is operating as expected. By default, dynamic address translations will time out from the NAT translation table after a period of non-use. When port translation is not configured, translation entries time out after 24 hours, unless reconfigured with the ip nat translation command. Clear the entries before the timeout by using one of the commands in Figure . Translation information may be displayed by performing one of the tasks in EXEC mode. Alternatively, use the show run command and look for NAT, access list, interface, or pool commands with the required values.

Lab Activity
Lab Exercise: Verifying NAT and PAT Configuration
In this lab, the student will configure a router for Network Address Translation (NAT) and Port Address Translation (PAT).

Lab Activity
e-Lab Activity: Verifying NAT and PAT Configuration
In this lab, the student will configure a router for Network Address Translation and Port Address Translation.
1.1 Scaling Networks with NAT and PAT
1.1.6 Troubleshooting NAT and PAT configuration

When IP connectivity problems exist in a NAT environment, it is often difficult to determine the cause of the problem. Many times NAT is mistakenly blamed, when in reality there is an underlying problem. When trying to determine the cause of an IP connectivity problem, it helps to rule out NAT. Use the following steps to determine whether NAT is operating as expected:
- Based on the configuration, clearly define what NAT is supposed to achieve.
- Verify that correct translations exist in the translation table.
- Verify that the translation is occurring by using show and debug commands.
- Review in detail what is happening to the packet and verify that routers have the correct routing information to move the packet along.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address. Figure shows a sample debug ip nat output. In this example, the first two lines of the debugging output show that a Domain Name System (DNS) request and reply were produced. The remaining lines show the debugging output of a Telnet connection from a host on the inside of the network to a host on the outside of the network.

Decode the debug output by using the following key points:
- The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation will always go through the slow path, which means this first packet is process-switched. The remaining packets will go through the fast-switched path if a cache entry exists.
- s = a.b.c.d is the source address.
- Source address a.b.c.d is translated to w.x.y.z.
- d = e.f.g.h is the destination address.
- The value in brackets is the IP identification number. This information is useful for debugging because it enables correlation with other packet traces from protocol analyzers.
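The decoder below is an added example, not part of the curriculum, that applies the key points above to lines of debug ip nat output and indexes the entries by IP identification number for correlation with an analyzer trace. The sample lines are constructed, not a real capture, and the exact line layout (an optional asterisk after NAT, s= with an optional -> translated address, d= likewise, and the IP ID in brackets) is assumed from the key points rather than taken from the figure.

```python
import re

# Constructed sample in the assumed layout: a DNS request and reply, then the
# first Telnet packet (process-switched, no asterisk) and fast-switched packets.
SAMPLE_DEBUG = """\
NAT: s=10.1.1.3->179.9.8.81, d=172.16.2.53 [5]
NAT*: s=172.16.2.53, d=179.9.8.81->10.1.1.3 [312]
NAT: s=10.1.1.3->179.9.8.81, d=172.16.2.2 [6]
NAT*: s=172.16.2.2, d=179.9.8.81->10.1.1.3 [4071]
NAT*: s=10.1.1.3->179.9.8.81, d=172.16.2.2 [7]
"""

# NAT[*]: s=<src>[-><translated>], d=<dst>[-><translated>] [<ip id>]
LINE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))? \[(?P<ip_id>\d+)\]$"
)


def decode(line):
    """Return the decoded fields of one debug line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        # asterisk present: fast-switched path; absent: process-switched (slow path)
        "path": "fast-switched" if f["fast"] else "process-switched",
        "src": f["s"], "src_translated_to": f["s_xlat"],
        "dst": f["d"], "dst_translated_to": f["d_xlat"],
        "ip_id": int(f["ip_id"]),
    }


def decode_all(text):
    """Decode every recognisable line; non-matching lines are skipped."""
    return [e for e in (decode(ln) for ln in text.splitlines()) if e]


def by_ip_id(entries):
    """Index entries by IP identification number to match against analyzer traces."""
    index = {}
    for e in entries:
        index.setdefault(e["ip_id"], []).append(e)
    return index
```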
Lab Activity
Lab Exercise: Troubleshooting NAT and PAT
In this lab, the student will configure a router for Network Address Translation (NAT) and Port Address Translation (PAT).

Lab Activity
e-Lab Activity: Troubleshooting NAT and PAT
In this lab, the student will configure a router for Network Address Translation and Port Address Translation.

Web Links
Verifying NAT Operation and Basic NAT Troubleshooting
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml

1.1 Scaling Networks with NAT and PAT
1.1.7 Issues with NAT

NAT has several advantages, including:
- NAT conserves the legally registered addressing scheme by allowing the privatization of