
Configuring Static NAT


Lab 11.5.1: Configuring Static NAT

1 - 5 Semester 6: Remote Access v2.0 - Lab 11.5.1 Copyright © 2001, Cisco Systems, Inc.


Step 2

Verify your configurations with the show running-config command.

Verify that SanJose1 can ping ISP1’s serial interface (10.0.0.5) and that ISP1 can ping SanJose1’s serial interface (10.0.0.6).

At this time, ISP1 cannot ping either workstation or SanJose1’s Fast Ethernet interface (192.168.0.1).

1. Both workstations can ping each other and 10.0.0.6, but cannot ping 10.0.0.5. Why does the latter ping fail?

In fact, the ping request should be reaching 10.0.0.5. Because ISP1 has no entry in its routing table for the 192.168.0.0/24 network, ISP1 cannot reply. You will configure a static route to solve this problem in Step 7.

Step 3

SanJose1 is the boundary router where you will configure NAT. The router will be translating the inside local addresses to inside global addresses, essentially converting the internal private addresses into legal public addresses for use on the Internet.

On SanJose1, create static translations between the inside local addresses (the servers to be shared) and the inside global addresses using the following commands:

SanJose1(config)#ip nat inside source static 192.168.0.3 42.0.0.49
SanJose1(config)#ip nat inside source static 192.168.0.4 42.0.0.50
SanJose1(config)#ip nat inside source static 192.168.0.5 42.0.0.51

1. If you needed a static translation for a fourth server, 192.168.0.6, what would be the appropriate command?

Step 4

Next, specify an interface on SanJose1 to be used by inside network hosts requiring address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

You must also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 5

To see the translations, use the show ip nat translations command. The results should look something like this:

SanJose1#show ip nat translations

Pro  Inside global   Inside local    Outside local   Outside global
---  42.0.0.49       192.168.0.3     ---             ---
---  42.0.0.50       192.168.0.4     ---             ---
---  42.0.0.51       192.168.0.5     ---             ---


To see what NAT activity has occurred, use the show ip nat statistics command.

The results should look something like this:

SanJose1#show ip nat statistics

Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
SanJose1#

Note that the Hits value is currently 0.

Step 6

From Host A, ping 10.0.0.5 (ISP1’s serial interface). The pings should still fail because ISP1 has no route for 192.168.0.0 /24 in its routing table.

Return to the console connection of SanJose1 and type show ip nat statistics, as shown here:

SanJose1#show ip nat statistics

Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 4  Misses: 0
Expired translations: 0
Dynamic mappings:

You should now see that the hits equal 4. This tells you that the translation was made even though you didn’t get a response. Remember that the ping replies are not sent because ISP1 does not have a route back to SanJose1. It’s time to remedy this.

Step 7

On ISP1, configure the following static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

The subnet mask defines the pool of IP addresses as 42.0.0.48 /28.

You should now be able to successfully ping 42.0.0.51, which is the translated address of the shared server, 192.168.0.5.

The show ip route command confirms that the static route is present, as shown here:

ISP1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     42.0.0.0/28 is subnetted, 1 subnets
S       42.0.0.48 [1/0] via 10.0.0.6
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.1.0 is directly connected, Loopback0/0
C       10.0.0.4 is directly connected, Serial0/0

Step 8

From Host A, ping the ISP1 router at 10.0.0.5. This ping should now be successful.

You should also be able to ping ISP1’s loopback address, 10.0.1.2.

From the console connection to SanJose1, issue the show ip nat statistics command and look over the statistics. The number of hits should be much larger than before.

Try the show ip nat translations verbose command. The results should look something like this:

SanJose1#show ip nat translations verbose

Pro  Inside global   Inside local    Outside local   Outside global
---  42.0.0.49       192.168.0.3     ---             ---
     create 00:40:25, use 00:40:25, flags:
     static, use_count: 0
---  42.0.0.50       192.168.0.4     ---             ---
     create 00:40:25, use 00:40:25, flags:
     static, use_count: 0
---  42.0.0.51       192.168.0.5     ---             ---
     create 00:40:25, use 00:06:46, flags:
     static, use_count: 0

Note: The verbose option includes information about how recently each translation was used.

Step 9

From SanJose1, use the show ip nat statistics command and make a note of the number of hits.

From Host B, ping both 10.0.0.5 and 10.0.1.2.

1. Both should fail. Why?

From SanJose1, issue the show ip nat statistics command again and note that the number of hits hasn’t changed. The problem is that NAT did not translate Host B’s IP address (192.168.0.20) to one of the global addresses. The show ip nat translations command should confirm this.


You haven’t set up a static translation for Host B, which represents a LAN user. While you could quickly configure a static translation for this single end user, configuring a static translation for every user on the LAN could be a huge task, resulting in hundreds of configuration commands. Dynamic NAT allows you to configure the router to assign global addresses dynamically, on an as-needed basis. While static translation may be appropriate for servers, dynamic translation is almost always used with end-user stations.

You will explore dynamic NAT in the next lab exercise.
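The reasoning in Steps 6, 7 and 9 can be checked offline with a small model. The following Python script is an added example, not part of the original lab: it parses the static NAT and static route commands shown above, works out which source address ISP1 sees for an inside host, and tests whether ISP1 has a route back to it. The function names are hypothetical, and ISP1's connected networks are assumed to be the two /30 subnets listed in its show ip route output.

```python
import ipaddress
import re

# Constructed from the commands shown in this lab (Steps 3 and 7).
SANJOSE1_CONFIG = """\
ip nat inside source static 192.168.0.3 42.0.0.49
ip nat inside source static 192.168.0.4 42.0.0.50
ip nat inside source static 192.168.0.5 42.0.0.51
"""
ISP1_CONFIG = "ip route 42.0.0.48 255.255.255.240 10.0.0.6\n"
ISP1_CONNECTED = ["10.0.0.4/30", "10.0.1.0/30"]  # assumed from show ip route

STATIC_NAT = re.compile(r"^ip nat inside source static (\S+) (\S+)\s*$", re.M)
STATIC_ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)\s*$", re.M)


def static_nat_table(config):
    """Map inside local -> inside global from the static NAT statements."""
    return {ipaddress.ip_address(local): ipaddress.ip_address(glob)
            for local, glob in STATIC_NAT.findall(config)}


def routes(config, connected=()):
    """Networks a router can reach: connected prefixes plus static routes."""
    nets = [ipaddress.ip_network(c) for c in connected]
    nets += [ipaddress.ip_network(f"{net}/{mask}")
             for net, mask, _next_hop in STATIC_ROUTE.findall(config)]
    return nets


def source_seen_by_isp(inside_host, nat):
    """Static NAT rewrites the source only when an entry exists for it."""
    host = ipaddress.ip_address(inside_host)
    return nat.get(host, host)


def reply_can_return(inside_host, nat, isp_routes):
    """True if ISP1 has a route back to the source address it sees."""
    src = source_seen_by_isp(inside_host, nat)
    return any(src in net for net in isp_routes)


def unrouted_globals(nat, isp_routes):
    """Inside global addresses that ISP1 has no route for."""
    return sorted(g for g in nat.values() if not any(g in n for n in isp_routes))
```

Calling reply_can_return for 192.168.0.5 with and without ISP1_CONFIG reproduces the change between Step 6 and Step 8, and calling it for 192.168.0.20 reproduces the Host B failure in Step 9.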
