
4/30/2016

CONFIGURING NAT OVERLOAD ON A CISCO ROUTER


Written by Administrator. Posted in Cisco Routers - Configuring Cisco Routers

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of TCP/UDP port translation.
The main purpose of NAT is to hide the IP address (usually private) of a client in order to conserve the public address space. For example, a complete network with 100 hosts can have 100 private IP addresses and still be visible to the outside world (Internet) as a single IP address. Other benefits of NAT include security and economical usage of the IP address ranges at hand.
The following steps explain basic Cisco router NAT Overload configuration. NAT overload is the most common operation in most businesses around the world, as it enables the whole network to access the Internet using one single real IP address. If you would like to know more about the NAT theory, be sure to read our popular NAT articles, which explain in great depth the NAT functions and applications in today's networks.

EXAMPLE SCENARIO
The diagram below represents our example network, which consists of a number of internal clients and a router connected to our ISP via its serial interface. The company has been assigned the following Class C subnet: 200.2.2.0/30 (255.255.255.252).
This translates to one usable real IP address, 200.2.2.1, configured on our router's serial interface. IP address 200.2.2.2 will be used on the other end, that is, the ISP's router. Our ISP has also provided us with the necessary default gateway IP address (configured on our router, not shown) in order to route all traffic to the Internet.
Our goal in this example is to configure NAT Overload (PAT) and provide all internal workstations with Internet access using one public IP address (200.2.2.1).

CONFIGURE NAT OVERLOAD PAT (PORT ADDRESS TRANSLATION)


'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts concurrently. This is done by translating source UDP/TCP ports in the packets and keeping track of them within the translation table kept in the router (R1 in our case). This is a typical NAT configuration for almost all of today's networks.
In addition, NAT Overload (PAT) is covered in great depth on Firewall.cx. Those interested can visit our NAT Overload (PAT) article.

The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we define these interfaces for NAT overload to function.

http://www.firewall.cx/ciscotechnicalknowledgebase/ciscorouters/260ciscorouternatoverload.html


Set the fastethernet0/0 interface as the inside interface:
R1#configure terminal
R1(config)#interface fastethernet0/0
R1(config-if)#ip nat inside

Next step is to set the serial interface S0/0 as the outside interface:
R1(config-if)#interface serial0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

We now need to create an Access Control List (ACL) that will include local (private) hosts or network(s). This ACL will later on be applied to the NAT service command, effectively controlling the hosts that will be able to access the Internet. You can use standard or extended access lists depending on your requirements:
R1(config)#access-list 100 remark ==[Control NAT Service]==
R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 any
The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination. Note that Cisco router standard and extended ACLs always use wildcards (0.0.0.255).
All that's left now is to enable NAT overload and bind it to the outside interface previously selected:
R1(config)#ip nat inside source list 100 interface serial0/0 overload
From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network access to the Internet.
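The following is an added example, not code from the Firewall.cx article: a small Python model of what the configuration above makes R1 do, using the article's values (access-list 100 with wildcard 0.0.0.255, public address 200.2.2.1 on serial0/0). It checks the wildcard ACL, allocates a global port when two inside hosts reuse the same source port towards the same peer, and only untranslates inbound packets that match an existing entry; the class and function names are this example's own.

```python
import ipaddress

PUBLIC_IP = "200.2.2.1"  # address of serial0/0, the outside interface

def acl_permits(src_ip, network="192.168.0.0", wildcard="0.0.0.255"):
    """access-list 100: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (src_ip, network, wildcard))
    care = ~wc & 0xFFFFFFFF  # bits the ACL actually compares
    return (ip & care) == (net & care)

class PatTable:
    """Dynamic PAT table keyed like IOS extended entries: proto, global port and outside peer."""
    def __init__(self):
        self.entries = {}   # (proto, gport, dst_ip, dst_port) -> (inside_ip, inside_port)
        self.by_local = {}  # (proto, inside_ip, inside_port, dst_ip, dst_port) -> gport

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside->outside packet: returns the rewritten source (ip, port), or None if ACL 100 denies it."""
        if not acl_permits(src_ip):
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.by_local:
            # Overload: keep the original source port if it is free for this peer,
            # otherwise pick the next free port so two inside hosts can share 200.2.2.1.
            port = src_port
            while (proto, port, dst_ip, dst_port) in self.entries:
                port = port + 1 if port < 65535 else 1024
            self.entries[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
            self.by_local[key] = port
        return PUBLIC_IP, self.by_local[key]

    def inbound(self, proto, dst_port, from_ip, from_port):
        """Outside->inside packet: returns the inside (ip, port) it is forwarded to, or None to drop it."""
        return self.entries.get((proto, dst_port, from_ip, from_port))

    def clear(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.entries.clear()
        self.by_local.clear()

    def show(self):
        """Render the table in the column layout of 'show ip nat translations'."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for (proto, gport, dip, dport), (sip, sport) in self.entries.items():
            rows.append(f"{proto} {PUBLIC_IP + ':' + str(gport):<18} {sip + ':' + str(sport):<18} "
                        f"{dip + ':' + str(dport):<18} {dip}:{dport}")
        return "\n".join(rows)
```

An unsolicited packet arriving on serial0/0 for a port with no entry returns None, which is the reason hosts behind PAT are not directly reachable from the Internet.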

VERIFYING NAT OVERLOAD OPERATION

Viewing the NAT translation table can sometimes reveal a lot of important information on your network's activity. Here you'll be able to identify traffic that's not supposed to be routed to the Internet or traffic that seems suspicious.
As packets start traversing the router, it will gradually build up its NAT/PAT translation table as shown below:
R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 200.2.2.1:53427    192.168.0.6:53427  74.200.84.4:53     74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427  195.170.0.1:53     195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638  64.233.189.99:80   64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586  69.65.106.48:110   69.65.106.48:110

As shown, the first 2 translations directed to 74.200.84.4 & 195.170.0.1 are DNS requests from internal host 192.168.0.6. The third entry seems to be an HTTP request to a web server with IP address 64.233.189.99.
Looking at the fourth and fifth translation entry, you should identify them as POP3 requests to an external server, possibly generated by an email client.
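Reading the table by eye works for five entries, not for hundreds. The following added example (not from the article) parses 'show ip nat translations' output, counts translations per inside host and flags destination ports outside an allow-list; the sample output is constructed from the article's entries plus one extra line, and the allow-list of expected ports is an assumption for this example network.

```python
import re
from collections import defaultdict

# Constructed sample: the five entries from the article plus one extra line (TEST-NET-3
# address, BitTorrent-style port) added here to give the checker something to flag.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 200.2.2.1:53427    192.168.0.6:53427  74.200.84.4:53     74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427  195.170.0.1:53     195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638  64.233.189.99:80   64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:40001    192.168.0.9:40001  203.0.113.10:6881  203.0.113.10:6881
"""

# Protocol/destination-port pairs this example network is expected to use (assumption).
EXPECTED_PORTS = {("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 110)}
ENTRY = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def parse_translations(text):
    """One dict per TCP/UDP translation line; the header and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        proto, gip, gport, lip, lport, olip, olport, ogip, ogport = m.groups()
        rows.append({"proto": proto,
                     "inside_global": (gip, int(gport)),
                     "inside_local": (lip, int(lport)),
                     "outside_local": (olip, int(olport)),
                     "outside_global": (ogip, int(ogport))})
    return rows

def translations_per_host(rows):
    """Count active translations per inside host, e.g. to spot a host opening thousands of connections."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["inside_local"][0]] += 1
    return dict(counts)

def unexpected_entries(rows, allowed=EXPECTED_PORTS):
    """Entries whose protocol and destination port are not on the allow-list."""
    return [r for r in rows if (r["proto"], r["outside_global"][1]) not in allowed]
```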
Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.
Another point you might want to keep in mind is that when we use programs that create a lot of connections, e.g. uTorrent, LimeWire, etc., you might see sluggish performance from the router as it tries to keep up with all connections. Having thousands of connections running through the router can put some serious stress on the CPU.
In these cases, we might need to clear the IP NAT table completely to free up resources.
This is easily done using the following command:
R1#clear ip nat translation *

Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

Lastly, you can obtain statistics on the overload NAT service. This will show you the amount of current translations tracked by our NAT table, plus a lot more:

R1#show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 163134904  Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 100 interface serial0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0

ARTICLE SUMMARY
In this article we've covered configuration of NAT Overload on Cisco routers. We also saw how you can control the NAT Overload service using ACLs and obtain detailed statistics on the NAT service. The configuration and commands presented here are compatible with all Cisco router models and IOS versions.
If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

ABOUT THE WRITERS


Ammar Muqaddas is a CCNA certified Engineer, CCNA Instructor and member of the Firewall.cx Team.
Chris Partsenidis is a CCNA certified Engineer, MCP, LCP, Founder & Senior Editor of Firewall.cx
