Wednesday, July 17, 2013

Dynamic NAT cheat-sheet

Dynamic NAT - translate one subnet to a pool of addresses, often used when combining two networks with overlapping subnets.

1)  Define inside NAT interface
2)  Define outside NAT interface
3)  Create pool of addresses to use for NAT
4)  Create standard ACL for inside subnet
5)  NAT statement tying the ACL (inside source addresses to translate) to the pool (addresses to translate to)

Example:

R1(config)#int fa 0/0
R1(config-if)#ip nat inside
R1(config-if)#int ser 0/1
R1(config-if)#ip nat outside
R1(config-if)#exit

R1(config)#ip nat pool POOL2 192.168.2.200 192.168.2.225 prefix-length 24

R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255

R1(config)#ip nat inside source list 1 pool POOL2
R1(config)#end


Verify:

R1#debug ip nat
IP NAT debugging is on
R1#
*Mar  1 00:16:55.147: NAT*: s=10.1.1.10->192.168.2.200, d=192.168.2.2 [0]
*Mar  1 00:16:55.163: NAT*: s=192.168.2.2, d=192.168.2.200->10.1.1.10 [0]
*Mar  1 00:16:55.647: NAT*: s=10.1.1.100->192.168.2.201, d=192.168.2.2 [52471]
*Mar  1 00:16:55.667: NAT*: s=192.168.2.2, d=192.168.2.201->10.1.1.100 [52471]
*Mar  1 00:16:56.155: NAT*: s=10.1.1.10->192.168.2.200, d=192.168.2.2 [0]
*Mar  1 00:16:56.167: NAT*: s=192.168.2.2, d=192.168.2.200->10.1.1.10 [0]
*Mar  1 00:16:56.655: NAT*: s=10.1.1.100->192.168.2.201, d=192.168.2.2 [52472]
*Mar  1 00:16:56.679: NAT*: s=192.168.2.2, d=192.168.2.201->10.1.1.100 [52472]
*Mar  1 00:16:57.131: NAT*: s=10.1.1.10->192.168.2.200, d=192.168.2.2 [0]
*Mar  1 00:16:57.159: NAT*: s=192.168.2.2, d=192.168.2.200->10.1.1.10 [0]
*Mar  1 00:16:57.699: NAT*: s=10.1.1.100->192.168.2.201, d=192.168.2.2 [52473]
*Mar  1 00:16:57.699: NAT*: s=192.168.2.2, d=192.168.2.201->10.1.1.100 [52473]


R1#sho ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.2.200:6659 10.1.1.10:6659    192.168.2.2:6659   192.168.2.2:6659
--- 192.168.2.200      10.1.1.10          ---                ---
icmp 192.168.2.201:63436 10.1.1.100:63436 192.168.2.2:63436  192.168.2.2:63436
icmp 192.168.2.201:63692 10.1.1.100:63692 192.168.2.2:63692  192.168.2.2:63692
icmp 192.168.2.201:63948 10.1.1.100:63948 192.168.2.2:63948  192.168.2.2:63948
icmp 192.168.2.201:64204 10.1.1.100:64204 192.168.2.2:64204  192.168.2.2:64204
icmp 192.168.2.201:64460 10.1.1.100:64460 192.168.2.2:64460  192.168.2.2:64460
--- 192.168.2.201      10.1.1.100         ---                ---
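
Added example, not part of the original post: a small script that audits `debug ip nat` output against the pool and ACL configured above, flagging translations whose source is outside access-list 1 or whose translated address is outside POOL2. The function names and the last sample line are constructed for illustration; the pool holds only 26 addresses, and without `overload` each inside host holds one of them.

```python
import ipaddress
import re

# Values taken from the configuration above.
POOL_START = ipaddress.IPv4Address("192.168.2.200")
POOL_END = ipaddress.IPv4Address("192.168.2.225")
ACL_NET = ipaddress.IPv4Network("10.1.1.0/24")  # access-list 1 permit 10.1.1.0 0.0.0.255

# Outbound debug lines carry the rewrite on the source field: s=<local>-><global>
OUTBOUND = re.compile(r"NAT\*?: s=(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+), d=")

# Constructed sample: the first four lines are copied from the debug output
# above; the last line is an invented out-of-policy translation to be caught.
SAMPLE = """\
*Mar  1 00:16:55.147: NAT*: s=10.1.1.10->192.168.2.200, d=192.168.2.2 [0]
*Mar  1 00:16:55.163: NAT*: s=192.168.2.2, d=192.168.2.200->10.1.1.10 [0]
*Mar  1 00:16:55.647: NAT*: s=10.1.1.100->192.168.2.201, d=192.168.2.2 [52471]
*Mar  1 00:16:55.667: NAT*: s=192.168.2.2, d=192.168.2.201->10.1.1.100 [52471]
*Mar  1 00:17:02.001: NAT*: s=10.9.9.9->192.168.2.240, d=192.168.2.2 [7]
"""

def pool_size():
    """Number of addresses available in POOL2."""
    return int(POOL_END) - int(POOL_START) + 1

def audit(log_text):
    """Return (bindings, findings) parsed from `debug ip nat` output."""
    bindings, findings = {}, []
    for line in log_text.splitlines():
        m = OUTBOUND.search(line)
        if not m:
            continue  # return traffic (rewrite is on d=) or unrelated line
        local, glob = (ipaddress.IPv4Address(g) for g in m.groups())
        if local not in ACL_NET:
            findings.append(f"{local}: source not permitted by access-list 1")
        if not POOL_START <= glob <= POOL_END:
            findings.append(f"{local}: translated to {glob}, outside POOL2")
        prev = bindings.setdefault(str(local), str(glob))
        if prev != str(glob):
            findings.append(f"{local}: binding changed {prev} -> {glob}")
    return bindings, findings

if __name__ == "__main__":
    bindings, findings = audit(SAMPLE)
    print(f"{len(bindings)} bindings in use, pool holds {pool_size()} addresses")
    for finding in findings:
        print("FINDING:", finding)
```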
