SlideShare une entreprise Scribd logo

NAT Ccna

S
singhsukdeep

Learn NAT'ing for CCNA exams

Formation
1  sur  10
Télécharger pour lire hors ligne
Eng. Mohammed Alani http://www.certificationist.com NAT (Network Address Translation) & PAT (Port Address Translation) First let’s define NAT terms: • Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address. • Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world. • Outside local address – The IP address of an outside host as it is known to the hosts on the inside network. • Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address. Now let’s remember the ranges of private addresses:
Eng. Mohammed Alani http://www.certificationist.com NAT and PAT main features: NAT translations can be used for a variety of purposes and can be either dynamically or statically assigned. Static NAT is designed to allow one-to-one mapping of local and global addresses. This is particularly useful for hosts which must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices. Dynamic NAT is designed to map a private IP address to a public address. Any IP address from a pool of public IP addresses is assigned to a network host. Overloading, or Port Address Translation (PAT), maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000. PAT will attempt to preserve the original source port. If this source port is already used, PAT will assign the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses. Note: Cisco IOS NAT does NOT support the following traffic types: Routing table updates, DNS zone transfers, BOOTP, Talk and ntalk protocols, and SNMP.
Eng. Mohammed Alani http://www.certificationist.com Configuring NAT and PAT Static Translation: configure a static NAT between the private IP 10.6.1.2 & the public 171.69.68.10 Configuration steps: 1. Establish static translation between an inside local add. & an inside global add. Router(config)#ip nat inside source static <inside local add.> < inside global add.> 2. Specify the inside interface.
Eng. Mohammed Alani http://www.certificationist.com Router(config)#int <type & no.> Router(config-if)#ip nat inside 3. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside An example is the following: Router(config)#ip nat inside source static 10.6.1.2 171.69.68.10 Router(config)#int e0 Router(config-if)#ip nat inside Router(config-if)#int s0 Router(config-if)#ip nat outside Dynamic Translation: To configure dynamic inside source address translation an access list must permit only those addresses that are to be translated. Remember that there is an implicit “deny all” at the end of each access list. An access list that is too permissive can lead to unpredictable results. Cisco advises against configuring access lists referenced by NAT commands with the permit any command. Using permit any can result in NAT consuming too many router resources, which can cause network problems. Configuration steps: 1. Define a pool of global addresses to be allocated as needed Router(config)#ip nat pool <name> <start-IP> <end-IP> netmask <netmask> 2. Define the Access list Router(config)#access-list <number> permit <IPs> <wildcard> 3. Establish dynamic source translation, specifying the access list defined in the prior step. Router(config)#ip nat inside sourse list <ACL number> pool <name> 4. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 5. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside
Eng. Mohammed Alani http://www.certificationist.com Note: NAT will not translate any host that is not permitted for translation by the access list. Overloading: Overloading is configured in two ways depending on how many public IP addresses have been allocated. An ISP can allocate a network only one public IP address, and this is typically assigned to the outside interface which connects to the ISP. Configuration steps: 1. Define a standard Access list Router(config)#access-list <number> permit <IPs> <wildcard> 2. Establish dynamic source translation, specifying the access list defined in the prior step. Router(config)#ip nat inside sourse list <ACL number> interface <type & no> overload 3. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 4. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside
Eng. Mohammed Alani http://www.certificationist.com Another way of configuring overload is if the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded. 1. Define a standard Access list Router(config)#access-list <number> permit <IPs> <wildcard> 2. Spacify the global address as a pool to be used for overloading. Router(config)#ip nat pool <name> <start-IP> <end-IP> netmask <netmask> 3. Establish overload translation. Router(config)#ip nat inside sourse list <ACL number> pool <name> overload 4. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 5. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside Troubleshooting NAT and PAT configuration: • Router#show ip nat translation • Router#show ip nat statistics • Router#show run • Router#debug ip nat • Router#debug ip nat detailed
Eng. Mohammed Alani http://www.certificationist.com How to Change the Dynamic NAT Configuration: Sometimes you receive these messages when you change the Network Address Translation (NAT) configuration: • Dynamic mapping in use, cannot remove • %Pool out pool in use, cannot destroy The following will demonstrate how to change the NAT configuration if you receive these messages on the console. Dynamic NAT creates active translation entries in a table when a packet crosses from an IP NAT inside interface to an IP NAT outside interface, or vice versa. This dynamic NAT entry can be seen using the show ip nat translation command. Cisco IOS® software checks for any existing active NAT translations in the translations table when either of the following existing dynamic NAT configurations is removed: • no ip nat pool name • no ip nat {inside | outside}source {list {access−list−number | name} pool name [overload] | static local−ip global−ip} If a translation entry matches, then the %Dynamic Mapping in Use, Cannot remove message or the %Pool out pool in use, cannot destroy message are respectively echoed on the console. The reason you receive these error messages is because you are trying to change part of a NAT configuration that is responsible for creating dynamic translations that still exist in the translation table. In order to change the NAT configuration in this situation, you need to clear the table of translations that are being used before the change is accepted.
Eng. Mohammed Alani http://www.certificationist.com Sometimes this is not easy because the router configured with NAT may be continuously receiving packets that create translations in the table; this can happen so quickly that you don't have time to change the configuration. Using the clear ip nat translation Command: This solution involves clearing the IP NAT translations using the clear ip nat translation command, and then replacing the NAT configuration quickly, before any new NAT entries are populated into the translation table due to active NAT traffic. To do this, create a script with the configuration commands written in a text format. For example: Router#clear ip nat translation * Router(config)#config terminal Router(config)#no ip nat pool old pool name Router(config)#ip nat pool new pool ………. Once you have the script, cut and paste the script into the router enable mode (Router#). Note: This may take more than one try since it is still possible that the router will create a translation after the translation has been cleared. Disabling NAT on the Router: This solution involves disabling NAT on the router so that it cannot create any more NAT translations. Do this by removing the ip nat inside or ip nat outside commands on the interfaces. Then clear the translation table and change the configuration. Follow these steps to use this solution: • Use the no ip nat {inside | outside} command to disable future translations from taking place. • Use the clear ip nat translation command to clear IP NAT translations. • Change the NAT configuration. • Restore the NAT {inside | outside} arguments with the ip nat {inside | outside} configuration command.
Eng. Mohammed Alani http://www.certificationist.com An Example The ISP will give the company the public IP range (199.99.9.33…..39/27) for static allocation. & the range (199.99.9.40……62/27) for dynamic allocation. *Configure each router with basic configuration. ISP(config)# ip route 199.99.9.32 255.255.255.224 200.2.2.18 ISP(config)#int loopback 1 ISP(config-if)#ip address 172.16.1.5 255.255.255.255 Gateway(config)# ip route 0.0.0.0 0.0.0.0 200.2.2.17 Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224 *S.M. could be 255.255.255.255 just as taken from ISP Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 pool public_access overload [PAT] Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside From host A: ping 172.16.1.5 Reply From host B: ping 172.16.1.5 Reply Gateway#sh ip nat translation Gateway#sh ip nat statistic Gateway#sh run Gateway#debug ip nat For static NAT: Gateway(config)#ip nat inside source static 10.10.10.11 199.99.9.33 From ISP: ping 10.10.10.11 Request timed out From ISP: ping 199.99.9.33 Reply From ISP: ping 199.99.9.40 Request timed out
Eng. Mohammed Alani http://www.certificationist.com Notes: 1. Suppose you have only 1 public IP which is the address of interface S0: Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 interface s0 overload Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside 2. Suppose that you have 1 registered IP (199.99.9.33) & you need to configure it with PAT: Gateway(config)#ip nat pool public_access 199.99.9.33 199.99.9.33 netmask 255.255.255.252 *S.M. could be 255.255.255.255 just as taken from ISP Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 pool public_access overload Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside

Recommandé

Cisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationCisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationHamed Moghaddam
 
Nat failover with dual isp on cisco router configuration explained with example
Nat failover with dual isp on cisco router configuration explained with exampleNat failover with dual isp on cisco router configuration explained with example
Nat failover with dual isp on cisco router configuration explained with exampleunixhowto
 
Storm-Control
Storm-ControlStorm-Control
Storm-ControlNetProtocol Xpert
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
 
Ccna command
Ccna commandCcna command
Ccna commandSiddhartha Rajbhatt
 
Asa packet-flow-00
Asa packet-flow-00Asa packet-flow-00
Asa packet-flow-00vinaydewangan11
 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
Static NAT
Static NATStatic NAT
Static NATNetProtocol Xpert
 

Recommandé

Cisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationCisco CCNA- NAT Configuration
Cisco CCNA- NAT ConfigurationHamed Moghaddam
 
Nat failover with dual isp on cisco router configuration explained with example
Nat failover with dual isp on cisco router configuration explained with exampleNat failover with dual isp on cisco router configuration explained with example
Nat failover with dual isp on cisco router configuration explained with exampleunixhowto
 
Storm-Control
Storm-ControlStorm-Control
Storm-ControlNetProtocol Xpert
 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
 
Ccna command
Ccna commandCcna command
Ccna commandSiddhartha Rajbhatt
 
Asa packet-flow-00
Asa packet-flow-00Asa packet-flow-00
Asa packet-flow-00vinaydewangan11
 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
Static NAT
Static NATStatic NAT
Static NATNetProtocol Xpert
 
Cisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchCisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchHamed Moghaddam
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
Cisco CCNA-Router on Stick
Cisco CCNA-Router on StickCisco CCNA-Router on Stick
Cisco CCNA-Router on StickHamed Moghaddam
 
CCNA Lab Guide
CCNA Lab GuideCCNA Lab Guide
CCNA Lab GuideSalachudin Emir
 
CCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and TrunkingCCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and TrunkingRafat Khandaker
 
How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505IT Tech
 
Libro cisco ios
Libro cisco iosLibro cisco ios
Libro cisco iosGabriel Andrés Riquelme Pérez
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Inter VLAN Routing
Inter VLAN RoutingInter VLAN Routing
Inter VLAN RoutingNetwax Lab
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
How to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guideHow to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guideIT Tech
 
ccna cheat_sheet
ccna cheat_sheetccna cheat_sheet
ccna cheat_sheetGuntaka Reddy
 
Sub Netting
Sub NettingSub Netting
Sub NettingLilesh Pathe
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
Acl
AclAcl
AclRaghu Kiran
 
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?臺灣塔米歐
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructurePrince Gautam
 
VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)Netwax Lab
 
Static Routing
Static RoutingStatic Routing
Static RoutingKishore Kumar
 
Laboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-httpLaboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-httphhlezana
 
Ccn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha vCcn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha vSURESHA V
 
CCNA 2
CCNA 2 CCNA 2
CCNA 2 Asish Verma
 

Contenu connexe

Tendances

Cisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchCisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchHamed Moghaddam
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1Kishore Kumar
 
Cisco CCNA-Router on Stick
Cisco CCNA-Router on StickCisco CCNA-Router on Stick
Cisco CCNA-Router on StickHamed Moghaddam
 
CCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and TrunkingCCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and TrunkingRafat Khandaker
 
How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505IT Tech
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Inter VLAN Routing
Inter VLAN RoutingInter VLAN Routing
Inter VLAN RoutingNetwax Lab
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPTAIRTEL
 
How to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guideHow to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guideIT Tech
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?臺灣塔米歐
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructurePrince Gautam
 
VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)Netwax Lab
 
Laboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-httpLaboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-httphhlezana
 

Tendances (20)

Cisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchCisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer Switch
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
 
Cisco CCNA-Router on Stick
Cisco CCNA-Router on StickCisco CCNA-Router on Stick
Cisco CCNA-Router on Stick
 
CCNA Lab Guide
CCNA Lab GuideCCNA Lab Guide
CCNA Lab Guide
 
CCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and TrunkingCCNA- Router on stick, VLAN and Trunking
CCNA- Router on stick, VLAN and Trunking
 
How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505How to configure dhcp on a cisco asa 5505
How to configure dhcp on a cisco asa 5505
 
Libro cisco ios
Libro cisco iosLibro cisco ios
Libro cisco ios
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
Inter VLAN Routing
Inter VLAN RoutingInter VLAN Routing
Inter VLAN Routing
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
How to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guideHow to configure vlan, stp, dtp step by step guide
How to configure vlan, stp, dtp step by step guide
 
ccna cheat_sheet
ccna cheat_sheetccna cheat_sheet
ccna cheat_sheet
 
Sub Netting
Sub NettingSub Netting
Sub Netting
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 final
 
Acl
AclAcl
Acl
 
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
為什麼在網址列輸入TOTOLINK路由器的IP位址192.168.1.1,卻無法顯示網頁?
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructure
 
VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)VRF (virtual routing and forwarding)
VRF (virtual routing and forwarding)
 
Static Routing
Static RoutingStatic Routing
Static Routing
 
Laboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-httpLaboratorio packet tracer dhcp-dns-http
Laboratorio packet tracer dhcp-dns-http
 

En vedette

Ccn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha vCcn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha vSURESHA V
 
Ccna 3 chapter 1 v4.0 answers 2011
Ccna 3 chapter 1 v4.0 answers 2011Ccna 3 chapter 1 v4.0 answers 2011
Ccna 3 chapter 1 v4.0 answers 2011Dân Chơi
 
CCNA ppt Day 7
CCNA ppt Day 7CCNA ppt Day 7
CCNA ppt Day 7VISHNU N
 
ppt on 6 weeks summer training
ppt on 6 weeks summer training ppt on 6 weeks summer training
ppt on 6 weeks summer training Pulkit Mahajan
 
Ccn unit1-Prof .suresha v
Ccn unit1-Prof .suresha vCcn unit1-Prof .suresha v
Ccn unit1-Prof .suresha vSURESHA V
 
What is Content centric networking
What is Content centric networkingWhat is Content centric networking
What is Content centric networkingpraison
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Duane Bodle
 
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...thesakshi12
 
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaAhmed Habib
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkAhmed Habib
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2samis
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersNetProtocol Xpert
 
Ccn unit1 for 7th SEM EC by Prof. suresha V
Ccn unit1 for 7th SEM EC by Prof. suresha VCcn unit1 for 7th SEM EC by Prof. suresha V
Ccn unit1 for 7th SEM EC by Prof. suresha VSURESHA V
 
CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsVuz Dở Hơi
 

En vedette (20)

Ccn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha vCcn unit-2- data link layer by prof.suresha v
Ccn unit-2- data link layer by prof.suresha v
 
CCNA 2
CCNA 2 CCNA 2
CCNA 2
 
Ccna 3 chapter 1 v4.0 answers 2011
Ccna 3 chapter 1 v4.0 answers 2011Ccna 3 chapter 1 v4.0 answers 2011
Ccna 3 chapter 1 v4.0 answers 2011
 
CCNA ppt Day 7
CCNA ppt Day 7CCNA ppt Day 7
CCNA ppt Day 7
 
ppt on 6 weeks summer training
ppt on 6 weeks summer training ppt on 6 weeks summer training
ppt on 6 weeks summer training
 
Ccn unit1-Prof .suresha v
Ccn unit1-Prof .suresha vCcn unit1-Prof .suresha v
Ccn unit1-Prof .suresha v
 
CCNA part 7 acl
CCNA part 7 aclCCNA part 7 acl
CCNA part 7 acl
 
What is Content centric networking
What is Content centric networkingWhat is Content centric networking
What is Content centric networking
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
ccna project
ccna projectccna project
ccna project
 
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
6 weeks/months project training from CMC Faridabad - Ppt of ccna project from...
 
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area network
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
 
Ccn unit1 for 7th SEM EC by Prof. suresha V
Ccn unit1 for 7th SEM EC by Prof. suresha VCcn unit1 for 7th SEM EC by Prof. suresha V
Ccn unit1 for 7th SEM EC by Prof. suresha V
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control Lists
 

Similaire à NAT Ccna

NAT and PAT
NAT and PATNAT and PAT
NAT and PATMuuluu
 
NAT- Network Address Translation
NAT- Network Address TranslationNAT- Network Address Translation
NAT- Network Address TranslationEng. Emad Al-Atoum
 
Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxGeorgeThoreJr
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocolRafat Khandaker
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9Waqas Ahmed Nawaz
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccnarobertoxe
 
Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall NetProtocol Xpert
 
Chapter 5-Network Address Translation.pdf
Chapter 5-Network Address Translation.pdfChapter 5-Network Address Translation.pdf
Chapter 5-Network Address Translation.pdfBuntha Chhay
 
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity3Anetwork com
 

Similaire à NAT Ccna (20)

NAT and PAT
NAT and PATNAT and PAT
NAT and PAT
 
Nat 03
Nat 03Nat 03
Nat 03
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5
 
NAT- Network Address Translation
NAT- Network Address TranslationNAT- Network Address Translation
NAT- Network Address Translation
 
Nat pat
Nat patNat pat
Nat pat
 
Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptx
 
Nat 07
Nat 07Nat 07
Nat 07
 
Day 17 nat and pat
Day 17 nat and patDay 17 nat and pat
Day 17 nat and pat
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocol
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
 
Day 17.1 nat pat (2)
Day 17.1 nat pat (2)Day 17.1 nat pat (2)
Day 17.1 nat pat (2)
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
Day 17.1 nat pat
Day 17.1 nat pat Day 17.1 nat pat
Day 17.1 nat pat
 
Nat cisco
Nat ciscoNat cisco
Nat cisco
 
Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall
 
Chapter 5-Network Address Translation.pdf
Chapter 5-Network Address Translation.pdfChapter 5-Network Address Translation.pdf
Chapter 5-Network Address Translation.pdf
 
NAT_Final
NAT_FinalNAT_Final
NAT_Final
 
Nat
NatNat
Nat
 
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
 

Dernier

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 

Dernier (20)

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 

NAT Ccna

  • 1. Eng. Mohammed Alani http://www.certificationist.com NAT (Network Address Translation) & PAT (Port Address Translation) First let’s define NAT terms: • Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address. • Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world. • Outside local address – The IP address of an outside host as it is known to the hosts on the inside network. • Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address. Now let’s remember the ranges of private addresses:
  • 2. Eng. Mohammed Alani http://www.certificationist.com NAT and PAT main features: NAT translations can be used for a variety of purposes and can be either dynamically or statically assigned. Static NAT is designed to allow one-to-one mapping of local and global addresses. This is particularly useful for hosts which must have a consistent address that is accessible from the Internet. These internal hosts may be enterprise servers or networking devices. Dynamic NAT is designed to map a private IP address to a public address. Any IP address from a pool of public IP addresses is assigned to a network host. Overloading, or Port Address Translation (PAT), maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000. PAT will attempt to preserve the original source port. If this source port is already used, PAT will assign the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses. Note: Cisco IOS NAT does NOT support the following traffic types: Routing table updates, DNS zone transfers, BOOTP, Talk and ntalk protocols, and SNMP.
  • 3. Eng. Mohammed Alani http://www.certificationist.com Configuring NAT and PAT Static Translation: configure a static NAT between the private IP 10.6.1.2 & the public 171.69.68.10 Configuration steps: 1. Establish static translation between an inside local add. & an inside global add. Router(config)#ip nat inside source static <inside local add.> < inside global add.> 2. Specify the inside interface.
  • 4. Eng. Mohammed Alani http://www.certificationist.com Router(config)#int <type & no.> Router(config-if)#ip nat inside 3. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside An example is the following: Router(config)#ip nat inside source static 10.6.1.2 171.69.68.10 Router(config)#int e0 Router(config-if)#ip nat inside Router(config-if)#int s0 Router(config-if)#ip nat outside Dynamic Translation: To configure dynamic inside source address translation an access list must permit only those addresses that are to be translated. Remember that there is an implicit “deny all” at the end of each access list. An access list that is too permissive can lead to unpredictable results. Cisco advises against configuring access lists referenced by NAT commands with the permit any command. Using permit any can result in NAT consuming too many router resources, which can cause network problems. Configuration steps: 1. Define a pool of global addresses to be allocated as needed Router(config)#ip nat pool <name> <start-IP> <end-IP> netmask <netmask> 2. Define the Access list Router(config)#access-list <number> permit <IPs> <wildcard> 3. Establish dynamic source translation, specifying the access list defined in the prior step. Router(config)#ip nat inside sourse list <ACL number> pool <name> 4. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 5. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside
  • 5. Eng. Mohammed Alani http://www.certificationist.com Note: NAT will not translate any host that is not permitted for translation by the access list. Overloading: Overloading is configured in two ways depending on how many public IP addresses have been allocated. An ISP can allocate a network only one public IP address, and this is typically assigned to the outside interface which connects to the ISP. Configuration steps: 1. Define a standard Access list Router(config)#access-list <number> permit <IPs> <wildcard> 2. Establish dynamic source translation, specifying the access list defined in the prior step. Router(config)#ip nat inside sourse list <ACL number> interface <type & no> overload 3. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 4. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside
  • 6. Eng. Mohammed Alani http://www.certificationist.com Another way of configuring overload is if the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded. 1. Define a standard Access list Router(config)#access-list <number> permit <IPs> <wildcard> 2. Spacify the global address as a pool to be used for overloading. Router(config)#ip nat pool <name> <start-IP> <end-IP> netmask <netmask> 3. Establish overload translation. Router(config)#ip nat inside sourse list <ACL number> pool <name> overload 4. Specify the inside interface. Router(config)#int <type & no.> Router(config-if)#ip nat inside 5. Specify the outside interface Router(config)#int <type & no.> Router(config-if)#ip nat outside Troubleshooting NAT and PAT configuration: • Router#show ip nat translation • Router#show ip nat statistics • Router#show run • Router#debug ip nat • Router#debug ip nat detailed
  • 7. Eng. Mohammed Alani http://www.certificationist.com How to Change the Dynamic NAT Configuration: Sometimes you receive these messages when you change the Network Address Translation (NAT) configuration: • Dynamic mapping in use, cannot remove • %Pool out pool in use, cannot destroy The following will demonstrate how to change the NAT configuration if you receive these messages on the console. Dynamic NAT creates active translation entries in a table when a packet crosses from an IP NAT inside interface to an IP NAT outside interface, or vice versa. This dynamic NAT entry can be seen using the show ip nat translation command. Cisco IOS® software checks for any existing active NAT translations in the translations table when either of the following existing dynamic NAT configurations is removed: • no ip nat pool name • no ip nat {inside | outside}source {list {access−list−number | name} pool name [overload] | static local−ip global−ip} If a translation entry matches, then the %Dynamic Mapping in Use, Cannot remove message or the %Pool out pool in use, cannot destroy message are respectively echoed on the console. The reason you receive these error messages is because you are trying to change part of a NAT configuration that is responsible for creating dynamic translations that still exist in the translation table. In order to change the NAT configuration in this situation, you need to clear the table of translations that are being used before the change is accepted.
  • 8. Eng. Mohammed Alani http://www.certificationist.com Sometimes this is not easy because the router configured with NAT may be continuously receiving packets that create translations in the table; this can happen so quickly that you don't have time to change the configuration. Using the clear ip nat translation Command: This solution involves clearing the IP NAT translations using the clear ip nat translation command, and then replacing the NAT configuration quickly, before any new NAT entries are populated into the translation table due to active NAT traffic. To do this, create a script with the configuration commands written in a text format. For example: Router#clear ip nat translation * Router(config)#config terminal Router(config)#no ip nat pool old pool name Router(config)#ip nat pool new pool ………. Once you have the script, cut and paste the script into the router enable mode (Router#). Note: This may take more than one try since it is still possible that the router will create a translation after the translation has been cleared. Disabling NAT on the Router: This solution involves disabling NAT on the router so that it cannot create any more NAT translations. Do this by removing the ip nat inside or ip nat outside commands on the interfaces. Then clear the translation table and change the configuration. Follow these steps to use this solution: • Use the no ip nat {inside | outside} command to disable future translations from taking place. • Use the clear ip nat translation command to clear IP NAT translations. • Change the NAT configuration. • Restore the NAT {inside | outside} arguments with the ip nat {inside | outside} configuration command.
  • 9. Eng. Mohammed Alani http://www.certificationist.com An Example The ISP will give the company the public IP range (199.99.9.33…..39/27) for static allocation. & the range (199.99.9.40……62/27) for dynamic allocation. *Configure each router with basic configuration. ISP(config)# ip route 199.99.9.32 255.255.255.224 200.2.2.18 ISP(config)#int loopback 1 ISP(config-if)#ip address 172.16.1.5 255.255.255.255 Gateway(config)# ip route 0.0.0.0 0.0.0.0 200.2.2.17 Gateway(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224 *S.M. could be 255.255.255.255 just as taken from ISP Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 pool public_access overload [PAT] Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside From host A: ping 172.16.1.5 Reply From host B: ping 172.16.1.5 Reply Gateway#sh ip nat translation Gateway#sh ip nat statistic Gateway#sh run Gateway#debug ip nat For static NAT: Gateway(config)#ip nat inside source static 10.10.10.11 199.99.9.33 From ISP: ping 10.10.10.11 Request timed out From ISP: ping 199.99.9.33 Reply From ISP: ping 199.99.9.40 Request timed out
  • 10. Eng. Mohammed Alani http://www.certificationist.com Notes: 1. Suppose you have only 1 public IP which is the address of interface S0: Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 interface s0 overload Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside 2. Suppose that you have 1 registered IP (199.99.9.33) & you need to configure it with PAT: Gateway(config)#ip nat pool public_access 199.99.9.33 199.99.9.33 netmask 255.255.255.252 *S.M. could be 255.255.255.255 just as taken from ISP Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255 Gateway(config)#ip nat inside source list 1 pool public_access overload Gateway(config)#int e0 Gateway(config-if)#ip nat inside Gateway(config)#int s0 Gateway(config-if)#ip nat outside