Instructor Materials – Chapter 9: NAT for IPv4
CCNA Routing and Switching: Routing and Switching Essentials v6.0
Cisco Networking Academy Program
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

§This PowerPoint deck is divided in two parts:
§Instructor Planning Guide
•Information to help you become familiar with the chapter
•Teaching aids
§Instructor Class Presentation
•Optional slides that you can use in the classroom
•Begins on slide # 21
§Note: Remove the Planning Guide from this presentation before sharing with anyone.

Instructor Materials – Chapter 9 Planning Guide
Chapter 9: NAT for IPv4 – Routing and Switching Essentials 6.0 Planning Guide

Chapter 9: Activities
•What activities are associated with this chapter?
The password used in the Packet Tracer activities in this chapter is: PT_ccna5

Page #    Activity Type         Activity Name                                        Optional?
9.0.1.2   Class Activity        Conceptual NAT                                       Optional
9.1.1.6   Interactive Activity  Identify NAT Terminology
9.1.2.6   Packet Tracer         Investigating NAT Operation                          Recommended
9.2.1.1   Syntax Checker        Configuring Static NAT
9.2.1.4   Packet Tracer         Configuring Static NAT
9.2.2.2   Syntax Checker        Configure Dynamic NAT
9.2.2.5   Packet Tracer         Configuring Dynamic NAT                              Recommended
9.2.2.6   Lab                   Configuring Dynamic and Static NAT                   Optional
9.2.3.1   Syntax Checker        Configuring PAT Using an Address Pool
9.2.3.2   Syntax Checker        Configuring PAT Using a Single Address
9.2.3.5   Interactive Activity  Identify the Address Information at Each Hop
9.2.3.6   Packet Tracer         Implementing Static and Dynamic NAT                  Optional
9.2.3.7   Lab                   Configuring Port Address Translation (PAT)           Recommended
9.2.4.4   Packet Tracer         Configuring Port Forwarding on a Wireless Router     Optional
9.3.1.4   Packet Tracer         Verifying and Troubleshooting NAT Configurations     Recommended
9.3.1.5   Lab                   Troubleshooting NAT Configurations                   Optional
9.4.1.1   Class Activity        NAT Check                                            Optional
9.4.1.2   Packet Tracer         Skills Integration Challenge                         Recommended

Chapter 9: Assessment
§Students should complete Chapter 9, “Assessment” after completing Chapter 9.
§Quizzes, labs, Packet Tracers and other activities can be used to informally assess student progress.

Chapter 9: Best Practices
•Prior to teaching Chapter 9, the instructor should:
§Complete Chapter 9, “Assessment.”
§The objectives of this chapter are:
•Explain the purpose and function of NAT.
•Explain the operation of different types of NAT.
•Describe the advantages and disadvantages of NAT.
•Configure static NAT using the CLI.
•Configure dynamic NAT using the CLI.
•Configure PAT using the CLI.
•Configure port forwarding using the CLI.
•Explain how NAT is used with IPv6 networks.
•Troubleshoot NAT.

Chapter 9: Best Practices (Cont.)
§Draw a picture of a small company network with a couple of routers. Draw another router and label it ISP.
Draw a cloud that passes through half the ISP router and label it “The World.” Draw a WAN connection between the ISP router and one of the small company routers. Label the small company router Border Router. Draw a circle around the small company network with part of the circle passing through the Border Router. Otherwise, show 9.1.1.2 in the curriculum.
•Explain how private IP addresses are used within company networks of all sizes.
•Remind students that private IP addresses cannot be used to communicate with network devices out on the Internet.
•Remind the students what addresses are considered private and how all of their labs have made use of private addresses inside companies. Write the private IP address ranges on the board:
•192.168.x.x
•172.16.x.x – 172.31.x.x
•10.x.x.x

Chapter 9: Best Practices (Cont.)
§Explain how public IP addresses are leased from a service provider, either provided as part of a service connection or provided upon request.
§Reiterate that all public IPv4 addresses that traverse the Internet must be registered with a Regional Internet Registry (RIR).
§IPv4 has a theoretical maximum of 4.3 billion addresses.
§The long-term solution is IPv6, but Network Address Translation (NAT) provides a short-term solution used by the majority of businesses and some home connections.
§Describe how NAT is performed by the device labeled “Border Router”, or by whichever device connects to the provider.

Chapter 9: Best Practices (Cont.)
§Section 9.1 Terms
•Define the four types of NAT addresses. Always remember that you must think of the internal (private address) device sending data to an external (public address) device when working out how each term applies. Show the graphic of 9.1.1.3 in the curriculum.
•Inside local address – the private address of the device inside the company.
•Outside local address – the public address of the destination device (one that is beyond the border router, outside the local company or home). It is “local” because it is the address that appears in the packet header on the inside network when the packet heads out to the Internet to reach the destination device.
•Inside global address – the public IP address assigned to the inside local address when packets from the internal device travel to the outside network (past the border router).
•Outside global address – the public IP address assigned to the destination device.
•Remember that each term can be broken into two parts:
•Inside or outside – inside is the address of the device that has the private IP address assigned “inside” the company. Outside is the public address of the destination.
•Local or global – a local address is any address that appears inside the company. It can be the private address of the company network device or the public address of the destination device. A global address is any address that appears on the outside of the company. These are public addresses, because public addresses are required for routing on the Internet.

Chapter 9: Best Practices (Cont.)
§Section 9.1 Terms
•Do activity 9.1.1.6 together to see if the students have the basic concepts about NAT addresses.
§Section 9.1.2 Types of NAT
•One public (global) IP address can provide over 65,000 translations for internal company devices that have a private IP address assigned.
•Types of NAT:
•Static NAT – one private address mapped to one public address. One device (usually a server) inside a company that has a private IP address is assigned a public address so that the device is reachable from outside networks.
•Dynamic NAT – many private addresses mapped to a smaller number of public addresses.
•Port Address Translation (PAT) – many private addresses mapped to one public address; also known as NAT overloading.
•Note that as an instructor, you may want to cover just Static NAT and show its configuration, then explain/demonstrate PAT.

Chapter 9: Best Practices (Cont.)
§Section 9.1.2 Types of NAT (Cont.)
•Review how source and destination port numbers are assigned at Layer 4 by TCP and UDP.
•PAT keeps the original source port number if that port number is not already in use.
•If the source port number is already in use, a port number is assigned from the appropriate one of the following groups: 0–511, 512–1023, 1024–65,535.
•Describe how ICMP can still be translated and the packet sent to a network device that has a public (global) IP address, because PAT assigns port numbers for the translation.
•Activity 9.2.3.5 might be good to use to review this information.
§Section 9.1.3 Advantages/Disadvantages of NAT
•Ask the students what they think an advantage of NAT is after hearing about it (conserves public IP addresses, allows consistent (non-changing) private IP addressing, allows flexibility when changing providers or types of connections to the public network, and provides network security).
•Ask the students what they think a disadvantage of NAT would be for a company (degraded performance, degraded end-to-end functionality, lack of traceability of a packet, tunneling is challenging, and initiating TCP connections can be disrupted). This one is tougher for them, so maybe bring up the graphic in 9.1.1.2, point to where NAT is implemented, and ask how the device might be affected by so much work/traffic. Talk about the packet flow and how traceability becomes difficult; maybe bring up shows like CSI Las Vegas or NCIS and how someone couldn’t trace a packet inside a company.
Chapter 9: Best Practices (Cont.)
§Section 9.2 Configuration
•Start with static NAT. Write the commands on the board.
•Really emphasize where the ip nat inside and ip nat outside commands go. Have a couple of network drawings from the Internet, or that you draw, and ask the class to decide which command each interface on the border router would have applied if static NAT were being used.
•Have a Packet Tracer created that already has private IP addresses assigned to the company devices. Have a server cabled to a switch inside the company. Ensure the server has a private IP address assigned. Ensure one company router connects to an ISP router. On the ISP, don’t forget to have a static route to the public IP address used by the server. Create a note on the Packet Tracer as to what the public IP address is. Maybe label the private IP address under or above the server as well. Connect a PC to the ISP router with a crossover cable. Be sure to have a default route on the company border router.

Chapter 9: Best Practices (Cont.)
§Section 9.2 Static NAT Configuration (Cont.)
•Have the students configure and test static NAT in the classroom. Have them bring up a web browser on the PC connected to the ISP router and input the public IP address of the server. Review which device gets NAT configured right before they start. Give them 15 minutes to do it. Those that cannot do it in 15 minutes, with or without peer help, can submit it as homework.
•Something fun to do in this exercise is to customize the message that appears in the web browser when static NAT is configured correctly. On the server, select the Services tab. Select HTTP from the left menu. Locate line 5, or the line that has the index.html file name. Select the word (edit) on the row that contains the index.html file name. Change the words “Cisco Packet Tracer” or “Welcome to Cisco Packet Tracer. Opening doors to new opportunities. Mind Wide Open.” to a customized message to the students.
•Make sure the students run the show ip nat translations command so they can see that a static translation stays in the translation table all the time.

Chapter 9: Best Practices (Cont.)
§Section 9.2 Configuration (Cont.)
•When covering PAT, write the commands on the board related to the graphic you have drawn or a sample scenario.
•Describe packet flow and translation again.
•Explain that there are two common implementations of PAT: (1) using a pool of one or more public addresses, or (2) using the public IP address on the external interface of the border router/device that connects to the public network.
•Have a Packet Tracer created that already has private IP addresses assigned to the company devices. This can be the same one used when teaching static NAT. Have a server cabled to a switch inside the company. Ensure the server has a private IP address assigned. Ensure one company router connects to an ISP router. On the ISP, don’t forget to have a static route to the public IP addresses (pool) used by the company. Create a note on the Packet Tracer as to what the public IP addresses are. Connect a PC to the ISP router with a crossover cable. Be sure to have a default route on the company border router and distribute that route to any internal company routers. Have the students configure and test PAT in the classroom. Have them ping from an inside device to the PC connected to the ISP router. Give them 30 minutes to do it. Those that cannot do it in 30 minutes, with or without peer help, can submit it as homework. This exercise works well with teams of two.

Chapter 9: Best Practices (Cont.)
§Section 9.2 Configuration (Cont.)
•Lastly, write the commands for how to configure PAT using the external interface of the border router/device that connects to the public network.
•Have a Packet Tracer created that already has private IP addresses assigned to the company devices. This can be the same one used when teaching static NAT. Ensure one company router connects to an ISP router. Be sure to use public IP addresses on the network between the company router and the ISP router. It is a good idea to label this in the Packet Tracer. Connect a PC to the ISP router with a crossover cable. Be sure to have a default route on the company border router and distribute that route to any internal company routers. Have the students configure and test PAT in the classroom. Have them ping from an inside device to the PC connected to the ISP router. Give them 15 minutes to do it if they have done the PAT-from-a-pool exercise. Those that cannot do it in 15 minutes, with or without peer help, can submit it as homework. This exercise works well with teams of two or individually.
•Make sure to cover how errors in a PAT configuration require clearing the NAT translations (or waiting until they time out) before the erroneous configuration can be removed.

Chapter 9: Best Practices (Cont.)
§NAT show and debug commands
•Most important commands to know:
•show ip nat translations – review what to do if no translations occur:
•Check the NAT/PAT configuration.
•See if the device can ping internal devices (there will not be any translations for these).
•Verify that the ip nat inside and ip nat outside commands have been properly applied.
•Try another device closer to the border router to see if it can get outside.
•Ensure the border router can reach the outside device. This takes the NAT/PAT configuration out of the problem: if the border router cannot reach the outside device, the NAT/PAT configuration is NOT the problem.
•clear ip nat translation * – used to initiate a new test and see the results in the NAT translation table.
•show ip nat statistics – shows how many translations are currently being monitored.
•debug ip nat – shows whether the router received a packet that is destined for an external network and whether NAT was applied.
•show access-lists – shows the access list used to define which private IP addresses get translated to public addresses, and whether any internal devices were permitted to be translated.
•If no matches are found on the permit statement, check the access list to ensure it matches the IP addresses used within the company, or change the access list to permit any to ensure the access list is not the problem.
•Show 9.3.1.2 Figure 2 in the curriculum.

Chapter 9: Additional Help
§For additional help with teaching strategies, including lesson plans, analogies for difficult concepts, and discussion topics, visit the CCNA Community at: https://www.netacad.com/group/communities/community-home
§Best practices from around the world for teaching CCNA Routing and Switching: https://www.netacad.com/group/communities/ccna
§If you have lesson plans or resources that you would like to share, upload them to the CCNA Community in order to help other instructors.
§Students can enroll in Introduction to Packet Tracer (self-paced).
§Students preparing for chapter exams, the RSE final, or the CCENT certification could view the 15 lessons and videos at the Cisco Networking/CCENT Wikiversity site: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT

Chapter 9: NAT for IPv4
CCNA Routing and Switching: Routing and Switching Essentials v6.0
Cisco Networking Academy Program
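The troubleshooting checklist above (NAT/PAT configuration, placement of ip nat inside and ip nat outside, whether the ACL actually matches the inside host, the overload keyword) can be applied mechanically before anyone reaches for debug ip nat. The following Python is an added example written for this page, not Cisco's code or a Cisco tool: it parses a constructed running-config excerpt (the interface names, addresses and ACL number are made up for the example) and reports the misconfigurations the checklist names, using the wildcard-mask matching that IOS standard ACLs use, including the implicit deny at the end of every ACL.

```python
"""
Lints a NAT configuration for the mistakes the troubleshooting checklist calls out:
interfaces not marked 'ip nat inside' / 'ip nat outside', an ACL that does not
match the inside host, and a missing 'overload' keyword for PAT.
Added illustration for this page; not a Cisco tool.
"""
import ipaddress
import re

NAT_RE = re.compile(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?$")

# Constructed running-config excerpt. Its outside interface lacks 'ip nat outside'.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip address 209.165.200.225 255.255.255.224
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0/0 overload
"""

# The same excerpt with the missing command added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip address 209.165.200.225 255.255.255.224\n",
    " ip address 209.165.200.225 255.255.255.224\n ip nat outside\n")


def parse_config(text):
    """Collect the NAT-relevant statements: marked interfaces, ACL entries, translation rules."""
    cfg = {"inside": [], "outside": [], "acls": {}, "nat": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None                       # an unindented line ends the interface block
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "ip nat inside" and current:
            cfg["inside"].append(current)
        elif line == "ip nat outside" and current:
            cfg["outside"].append(current)
        elif line.startswith("access-list "):
            parts = line.split()                 # access-list <n> <permit|deny> <match ...>
            cfg["acls"].setdefault(parts[1], []).append((parts[2], parts[3:]))
        else:
            m = NAT_RE.match(line)
            if m:
                cfg["nat"].append({"acl": m.group(1), "kind": m.group(2),
                                   "target": m.group(3), "overload": m.group(4) is not None})
    return cfg


def acl_entry_matches(match, host):
    """match is the token list after permit/deny: ['any'], ['host', A] or [network, wildcard]."""
    h = int(ipaddress.IPv4Address(host))
    if match[0] == "any":
        return True
    if match[0] == "host":
        return h == int(ipaddress.IPv4Address(match[1]))
    net = int(ipaddress.IPv4Address(match[0]))
    wild = int(ipaddress.IPv4Address(match[1])) if len(match) > 1 else 0
    care = 0xFFFFFFFF ^ wild                     # wildcard bit 1 = don't care
    return (h & care) == (net & care)


def acl_permits(entries, host):
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    for action, match in entries:
        if acl_entry_matches(match, host):
            return action == "permit"
    return False


def lint(config_text, inside_host):
    """Return the findings for 'why does inside_host get no translation?'"""
    cfg = parse_config(config_text)
    findings = []
    if not cfg["inside"]:
        findings.append("no interface has 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("no interface has 'ip nat outside'")
    if not cfg["nat"]:
        findings.append("no 'ip nat inside source list ...' statement")
    for rule in cfg["nat"]:
        entries = cfg["acls"].get(rule["acl"])
        if entries is None:
            findings.append(f"ACL {rule['acl']} referenced by NAT is not defined")
        elif not acl_permits(entries, inside_host):
            findings.append(f"ACL {rule['acl']} does not permit {inside_host}: no translation will occur")
        if rule["kind"] == "interface" and not rule["overload"]:
            findings.append(f"translation to interface {rule['target']} lacks 'overload' (needed for PAT)")
    return findings
```

Run lint() with the address of the inside host that shows no translation. An empty list means the static checks pass, and what remains is reachability: whether the border router itself can reach the outside device and whether the ISP has a route back to the public addresses, which only a ping from the border router and show ip nat statistics will tell you.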
Chapter 9 - Sections & Objectives
§9.1 NAT Operation
•Explain how NAT provides IPv4 address scalability in a small to medium-sized business network.
•Explain the purpose and function of NAT.
•Explain the operation of different types of NAT.
•Describe the advantages and disadvantages of NAT.
§9.2 Configure NAT
•Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.
•Configure static NAT using the CLI.
•Configure dynamic NAT using the CLI.
•Configure PAT using the CLI.
•Configure port forwarding using the CLI.
§9.3 Troubleshoot NAT
•Troubleshoot NAT issues in a small to medium-sized business network.
•Troubleshoot NAT.

9.1 NAT Operation

NAT Characteristics
9.1.1.1 – IPv4 Private Address Space
§Private IP addresses are used within organization and home networks.
•Did you ever notice how all your labs were based on these addresses? These are the IP addresses you will see assigned to company devices.

9.1.1.1 – IPv4 Private Address Space (Cont.)
§Private IP addresses cannot be routed over the Internet.
§NAT is used to translate private IP addresses to public addresses that can be routed over the Internet.
§One public IPv4 address can be used for thousands of devices that have private IP addresses.

9.1.1.2 – What is NAT?
§Private IP addresses cannot be routed over the Internet.
§NAT is used to translate private IP addresses used inside a company to public addresses that can be routed over the Internet.
§NAT hides internal IPv4 addresses from outside networks.
•Companies use the same private IPv4 addresses, so outside devices cannot tell one company’s 10.x.x.x network from another company’s 10.x.x.x network.
§A NAT-enabled router can be configured with a public IPv4 address.
§A NAT-enabled router can be configured with multiple public IPv4 addresses to be used in a pool (NAT pool) for internal devices configured with private addresses.
Important Concept—NAT is enabled on one device (normally the border or edge router).

9.1.1.3 – NAT Terminology
§Four types of addresses: inside, outside, local, and global
•Always consider the device that is having its private address translated to understand this concept.
•Inside address – address of the company network device that is being translated by NAT
•Outside address – IP address of the destination device
•Local address – any address that appears on the inside portion of the network
•Global address – any address that appears on the outside portion of the network

9.1.1.4 – NAT Terminology (Cont.)

9.1.1.5 – How NAT Works
1. The private (internal) IP address gets translated to a public IP address used to reach the external server.
2. The translated public address is used by the server to send the requested information to the device that actually has a private IP address assigned to it.
3. The NAT-enabled router consults the routing table to see what private address requested the data.

Types of NAT
9.1.2.1 – Static NAT
§Static address translation (static NAT) assigns one public IP address to one private IP address.
§Commonly used for servers that need to be accessed by external devices, or for devices that must be accessible by authorized personnel when offsite.
§One-to-one address mapping between local and global addresses.

9.1.2.2 – Dynamic NAT
§Dynamic NAT assigns a public IP address from a pool of addresses to each packet that originates from a device with a private IP address when that packet is destined for a network outside the company.
•Addresses are assigned on a first-come, first-served basis.
•The number of internal devices that can transmit outside the company is limited to the number of public IP addresses in the pool.

9.1.2.3 – Port Address Translation (PAT)
§PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices.
§Uses port numbers to track the session.

9.1.2.4 – Next Available Port
§PAT tries to preserve the original source port number.
•If that port number is already in use, PAT will assign the first available port number from the appropriate port group:
•0 – 511
•512 – 1023
•1024 – 65,535
•When there are no more port numbers available, PAT moves to the next public IP address in the pool, if there is one.
1. Notice how traffic from two different internal devices uses the same source port number.
2. Notice how PAT uses the same public address, but two different port numbers.

9.1.2.5 – Comparing NAT and PAT
§Static NAT translates addresses on a 1:1 basis.
§PAT uses port numbers so that one public address can be used for multiple privately addressed devices.
•PAT can still function with a protocol such as ICMP that does not use TCP or UDP.

9.1.2.6 – Packet Tracer – Investigating NAT Operation
NAT Advantages
9.1.3.1 – Advantages of NAT
§Conserves the legally registered addressing scheme
•Every company can use the private IP addresses
§Increases the flexibility of connections to the public network
•Multiple NAT pools, backup pools, and load-balancing across NAT pools
§Provides consistency for internal network addressing schemes
•Do not have to readdress the network if a new ISP or public IP address is assigned
§Provides network security
•Hides user private IPv4 addresses

9.1.3.2 – Disadvantages of NAT
§Performance is degraded.
•The NAT-enabled border device must track and process each session destined for an external network.
§End-to-end functionality is degraded.
•Translation of each IPv4 address within the packet headers takes time.
§End-to-end IP traceability is lost.
•Some applications require end-to-end addressing and cannot be used with NAT.
•Static NAT mappings can sometimes be used.
•Troubleshooting can be more challenging.
§Tunneling becomes more complicated.
§Initiating TCP connections can be disrupted.

9.2 Configure NAT

Configuring Static NAT
9.2.1.1 – Configure Static NAT
Remember that any interface on the border router that is on the inside network must be configured with the ip nat inside command. This is a common mistake for those new to NAT.

9.2.1.2 – Analyzing Static NAT
1. Client opens a web browser for a connection to a web server.
2. R2 receives the packet on the outside interface and checks the NAT table.
3. R2 replaces the inside global address with the inside local address of 192.168.10.254 (the server’s address).
4. Web server responds to the client.
5. (a) R2 receives the packet from the server on the inside interface. (b) R2 checks the NAT table, translates the source address to the inside global address of 209.165.201.5, and forwards the packet.
6. The client receives the packet.

9.2.1.3 – Verifying Static NAT
A best practice is to clear statistics when verifying that NAT is working. Important commands:
•show ip nat translations
•show ip nat statistics

9.2.1.4 – Packet Tracer – Configuring Static NAT

Configure Dynamic NAT
9.2.2.1 – Dynamic NAT Operation
§Remember that dynamic NAT uses a pool of public IPv4 addresses.
§Use the same concepts of inside and outside NAT interfaces as static NAT.

9.2.2.2 – Configuring Dynamic NAT

9.2.2.3 – Analyzing Dynamic NAT
1. PC1 and PC2 open a web browser for a connection to a web server.
2. R2 receives the packets on the inside interface and checks whether translation should be performed (via an ACL). R2 assigns a global address from the NAT pool and creates a NAT table entry for both packets.
3. R2 replaces the inside local source address on each packet with the translated inside global address from the pool.
4. The server responds to PC1 using the destination address of 209.165.200.226 (the NAT-assigned address) and to PC2 using the destination address of 209.165.200.227.
5. (a and b) R2 looks up each received packet and forwards it based on the private IP address found in the NAT table for each of the destination addresses.

9.2.2.4 – Verifying Dynamic NAT
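The static walk-through (9.2.1.2) and the dynamic one (9.2.2.3) above can be replayed against one model of the border router's NAT table. The following Python is an added example written for this page, not Cisco's implementation. It uses the chapter's addresses, the server 192.168.10.254 mapped statically to 209.165.201.5 and the pool 209.165.200.226-227; the PC addresses, the external client 209.165.202.129 and the ACL (permit 192.168.0.0/16) are assumptions made for the example. It shows the static entry present before any traffic and surviving clear ip nat translation *, dynamic entries handed out first-come first-served until the pool runs out, an ACL miss producing no translation at all, and an inbound packet with no table entry being dropped.

```python
"""
Model of a border router's NAT table for static and dynamic (pool) NAT, using the
chapter's inside local / inside global terminology. Added illustration; not Cisco's code.
"""
import ipaddress
from dataclasses import dataclass, replace


class PoolExhausted(Exception):
    """Every inside global address in the pool is in use: the packet is dropped."""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    def __init__(self, pool, acl):
        self.pool = list(pool)   # 'ip nat pool ...': inside global addresses, in order
        self.acl = acl           # callable(inside local) -> bool, the 'ip nat inside source list' ACL
        self.static = {}         # 'ip nat inside source static <local> <global>': permanent entries
        self.dynamic = {}        # inside local -> inside global, created on demand by outbound traffic

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def _free_addresses(self):
        in_use = set(self.dynamic.values())
        return [a for a in self.pool if a not in in_use]

    def _inside_global_for(self, inside_local):
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local in self.dynamic:
            return self.dynamic[inside_local]
        if not self.acl(inside_local):
            return None                          # ACL does not match: no translation is created
        free = self._free_addresses()
        if not free:
            raise PoolExhausted(inside_local)
        self.dynamic[inside_local] = free[0]     # first-come, first-served
        return free[0]

    def outbound(self, pkt):
        """Packet received on an 'ip nat inside' interface, leaving via 'ip nat outside'."""
        g = self._inside_global_for(pkt.src)
        if g is None:
            return pkt                           # forwarded untranslated, private source and all
        return replace(pkt, src=g)

    def inbound(self, pkt):
        """Packet received on the outside interface; its destination is an inside global address."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if glob == pkt.dst:
                    return replace(pkt, dst=local)
        return None                              # no entry: unsolicited inbound is dropped

    def clear_translations(self):
        """'clear ip nat translation *': dynamic entries go, static entries remain."""
        self.dynamic.clear()

    def translations(self):
        """(inside global, inside local) rows as 'show ip nat translations' would list them."""
        rows = list(self.static.items()) + list(self.dynamic.items())
        return sorted((g, local) for local, g in rows)


def build_demo_router():
    """Chapter scenario: server 192.168.10.254 statically mapped to 209.165.201.5 and the pool
    209.165.200.226-227. The ACL (permit 192.168.0.0/16) and host addresses are constructed."""
    inside = ipaddress.ip_network("192.168.0.0/16")
    router = NatRouter(pool=["209.165.200.226", "209.165.200.227"],
                       acl=lambda host: ipaddress.ip_address(host) in inside)
    router.add_static("192.168.10.254", "209.165.201.5")
    return router
```

The untranslated return path in outbound() is the case the checklist in the planning guide describes: a host the ACL does not match sends out with its private source address, no entry appears in show ip nat translations, and the reply never comes back. The inbound() branch returning None is the other side of the same table: nothing reaches an inside host unless a static entry or an earlier outbound packet created the mapping.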
Cisco Confidential Configure Dynamic NAT Packet Tracer – Configuring Dynamic NAT 9.2 – Configure NAT 9.2.2 – Configure Dynamic NAT 9.2.2.5 – Packet Tracer – Configuring Dynamic NAT ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure Dynamic NAT Configuring Dynamic and Static NAT 9.2 – Configure NAT 9.2.2 – Configure Dynamic NAT 9.2.2.6 – Lab – Configuring Dynamic and Static NAT ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure PAT Configuring PAT: Address Pool The pool contains the public addresses. The ACL defines which private IP addresses gets translated. The ip nat inside source list acl# pool name overload command ties Step 1 with Step 2. The overload command is what allows the router to track port numbers (and do PAT instead of dynamic NAT). 9.2 – Configure NAT 9.2.3 – Configure PAT 9.2.3.1 – Configuring PAT: Address Pool ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure PAT Configuring PAT: Address Pool (Cont.) 9.2 – Configure NAT 9.2.3 – Configure PAT 9.2.3.1 – Configuring PAT: Address Pool (Cont.) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure PAT Configuring PAT: Single Address §When a public address is assigned to the external interface on the border router, that public address can be used for PAT and translate internal private IP addresses to the public IP address. Still need an ACL to define which private IP addresses gets translated. Instead of associating an ACL with a pool, the ACL is associated with an interface that has a public IP address assigned. The overload command is always needed for PAT. 9.2 – Configure NAT 9.2.3 – Configure PAT 9.2.3.2 – Configuring PAT: Single Address ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Configure PAT Analyzing PAT 1.PC1 and PC2 open a web browser for a connection to a web server. 
2. R2 receives the packets on the inside interface and checks (via an ACL) whether translation should be performed. R2 assigns the IP address of the outside interface, adds a port number, and creates a NAT table entry for each packet.
3. R2 replaces the inside local source address on each packet with the translated inside global address.

9.2.3.3 – Analyzing PAT (Cont.)
4. Each server responds to PC1 and PC2 using the destination address of the public address assigned to the external interface on the border router.
5. R2 looks up the received packet and forwards it to PC1 because that is the private IP address found in the NAT table for the destination address and port number.
6. R2 looks up the received packet and forwards it to PC2 because that is the private IP address found in the NAT table for the destination address and port number.

9.2.3.4 – Verifying PAT

9.2.3.6 – Packet Tracer – Implementing Static and Dynamic NAT

9.2.3.7 – Lab – Configuring Port Address Translation (PAT)

9.2.4.1 – Port Forwarding
§Port forwarding allows an external device to reach a device on a specific port number when that device is located on an internal (private) network.
•Required for some peer-to-peer file-sharing programs and operations such as web serving and outgoing FTP
•Solves the problem of NAT only allowing translations for traffic destined for external networks at the request of internal devices.

9.2.4.2 – Wireless Router Example
§Port forwarding can be enabled for specific applications
•Must specify the inside local address that requests should be forwarded to

9.2.4.3 – Configuring Port Forwarding with IOS

9.2.4.3 – Configuring Port Forwarding with IOS (Cont.)

9.2.4.4 – Packet Tracer – Configuring Port Forwarding on a Wireless Router

9.2.5.1 – NAT for IPv6?
§IPv6 was developed with the intention of making NAT for IPv4 unnecessary
§IPv6 does have its own form of NAT
•IPv6 has its own private address space
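Before the IPv6 slides continue, here is a worked model of the two translation behaviours introduced above: PAT on a single public address (9.2.3.3) and static port forwarding through it (9.2.4.1). It is an added example, not code from the Cisco course, and every address is constructed: the border router's outside interface is 209.165.200.225, inside hosts sit in 192.168.10.0/24, and an internal web server at 192.168.10.50 port 8080 is published on public port 80. The NAT table is keyed by port, which is what `overload` buys: two inside hosts that happen to pick the same source port still get distinct public ports, and an unsolicited inbound packet is only let in when a static forward exists for its destination port.

```python
"""PAT (NAT overload) on one public address plus static port forwarding.

Added example, not Cisco course code. Constructed addresses: outside
interface 209.165.200.225, inside hosts in 192.168.10.0/24, internal web
server 192.168.10.50:8080 published on public TCP port 80."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    outside_ip: str                               # address of the interface named in 'ip nat inside source list ... interface ... overload'
    inside_acl: list                              # permitted inside networks (the ACL)
    forwards: dict = field(default_factory=dict)  # (proto, public port) -> (inside local, inside port), i.e. 'ip nat inside source static tcp ...'
    table: dict = field(default_factory=dict)     # (proto, inside local, local port) -> public port
    reverse: dict = field(default_factory=dict)   # (proto, public port) -> (inside local, local port)

    def _permitted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(net) for net in self.inside_acl)

    def _next_port(self, proto, wanted):
        """IOS keeps the original source port when it is free; otherwise it takes the
        next available port number. Ports held by static forwards are never handed out."""
        port = wanted
        while (proto, port) in self.reverse or (proto, port) in self.forwards:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, proto, src, sport, dst, dport):
        """Packet from the inside interface: the source becomes outside_ip plus a tracked port."""
        if not self._permitted(src):
            return None                            # ACL miss: not translated
        key = (proto, src, sport)
        if key not in self.table:
            gport = self._next_port(proto, sport)
            self.table[key] = gport
            self.reverse[(proto, gport)] = (src, sport)
        return (self.outside_ip, self.table[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Packet from the outside interface addressed to the public IP. A static
        forward is honoured first; otherwise only replies to tracked sessions get in."""
        if dst != self.outside_ip:
            return None
        entry = self.forwards.get((proto, dport)) or self.reverse.get((proto, dport))
        if entry is None:
            return None                            # unsolicited inbound traffic is dropped
        local, lport = entry
        return (src, sport, local, lport)
```

The `forwards` dictionary is the only way an outside host reaches the inside on its own initiative, which is the point the Port Forwarding slide makes: everything else in the table exists because an inside host asked for it first.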
9.2.5.2 – IPv6 Unique Local Addresses
§IPv6 unique local addresses (ULAs) are similar to IPv4 private addresses
•ULAs provide IPv6 address space for communications within a local site.
•First 64 bits of a ULA:
  •Prefix of FC00::/7 (FC00 to FDFF)
  •Next bit is a 1 if the prefix is locally assigned
  •Next 40 bits define a global ID
  •Next 16 bits are the subnet ID
•Last 64 bits of a ULA are the interface ID, or host portion, of the address
§Allows sites to be combined without address conflicts
§Allows internal connectivity
§Not routable on the Internet

9.2.5.3 – NAT for IPv6
§Provides access between IPv6-only and IPv4-only networks (not translating private addresses to public addresses, as NAT for IPv4 does)
§Techniques available
•Dual-stack – both devices run protocols for both IPv4 and IPv6
•Tunneling – encapsulate the IPv6 packet inside an IPv4 packet for transmission over an IPv4-only network
•NAT for IPv6 (translation)
  •Should not be used as a long-term strategy
  •The older Network Address Translation-Protocol Translation (NAT-PT)
  •NAT64

9.3 Troubleshoot NAT

9.3.1.1 – The show ip nat Commands
1. Determine what NAT is supposed to achieve and compare that with the configuration. This may reveal a problem with the configuration.
2. Verify translations using the show ip nat translations command.
3. Use the clear and debug commands to verify NAT.
4. Review what is happening to the packet and verify routing.
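The ULA field layout from slide 9.2.5.2 (7-bit FC00::/7 prefix, L bit, 40-bit global ID, 16-bit subnet ID, 64-bit interface ID) is easiest to check by splitting a real address along those boundaries. The following is an added example, not Cisco course code; the sample addresses are constructed, and the random global ID generator follows RFC 4193, which is what gives the "combine sites without address conflicts" property the slide claims.

```python
"""IPv6 unique local address (ULA) field layout per RFC 4193.

Added example, not Cisco course code. Sample addresses are constructed."""
import ipaddress
import secrets

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # FC00 to FDFF


def parse_ula(addr):
    """Split an address into the ULA fields listed on the slide, or return
    None when the address is not a ULA (e.g. a global unicast 2001:db8:: address)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ULA_BLOCK:
        return None
    n = int(ip)
    return {
        "prefix": n >> 121,                        # 7-bit prefix, always 0b1111110 (FC00::/7)
        "local": (n >> 120) & 1,                   # L bit: 1 = locally assigned (FDxx::), 0 is reserved
        "global_id": (n >> 80) & ((1 << 40) - 1),  # 40-bit pseudo-random global ID
        "subnet_id": (n >> 64) & 0xFFFF,           # 16-bit subnet ID
        "interface_id": n & ((1 << 64) - 1),       # 64-bit interface ID (host portion)
    }


def build_ula(global_id, subnet_id, interface_id, local=True):
    """Assemble a ULA from its fields; prefix + L bit + global ID form the /48 site prefix."""
    n = ((0b1111110 << 121) | (int(local) << 120) | (global_id << 80)
         | (subnet_id << 64) | interface_id)
    return str(ipaddress.IPv6Address(n))


def new_site_prefix():
    """Pick a fresh random 40-bit global ID, as RFC 4193 requires, so two sites that
    later merge are very unlikely to collide. Returns the site's /48."""
    gid = secrets.randbits(40)
    return ipaddress.IPv6Network(f"{build_ula(gid, 0, 0)}/48")


def routable_on_internet(addr):
    """ULAs are never Internet-routable; Python's is_global already reflects that."""
    ip = ipaddress.IPv6Address(addr)
    return ip not in ULA_BLOCK and ip.is_global
```

The L bit check matters operationally: only FD00::/8 (locally assigned) is defined for use, so an address that parses with `local == 0` is in the reserved FC00::/8 half and should be treated as a configuration mistake.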
9.3.1.2 – The debug ip nat Commands
§Common commands
•debug ip nat
•debug ip nat detailed
§Output symbols and values
•* - The translation is occurring in the fast-switched path
•s= - Source IPv4 address
•a.b.c.d--->w.x.y.z - Source a.b.c.d is translated to w.x.y.z
•d= - Destination IPv4 address
•[xxxx] - IPv4 identification number
§Check the ACL to ensure the correct private addresses are designated.

9.3.1.3 – NAT Troubleshooting Scenario
§Internal hosts cannot contact external servers.
1. No translations in NAT table
2. Outside and inside interfaces are reversed
3. Incorrect ACL
§Translations working!

9.3.1.4 – Packet Tracer – Verifying and Troubleshooting NAT Configurations

9.3.1.5 – Lab – Troubleshooting NAT Configurations

9.4 Chapter Summary
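To close the troubleshooting section, here is a worked parser for the `debug ip nat` output format described in 9.3.1.2 (leading `*` for the fast-switched path, `s=` and `d=`, `a.b.c.d--->w.x.y.z` for a translation, `[xxxx]` for the IPv4 identification), driven by the 9.3.1.3 scenario. It is an added example, not Cisco course code. The sample debug lines are constructed (the real `->` arrow and the chapter's `--->` notation are both accepted); the audit compares what the debug shows against the intended design, which is step 1 of the method: an inside host that never appears in the output was never translated (look at the ACL or the inside/outside interface placement), and a translation to an address outside the configured pool points at the pool definition.

```python
"""Parse and audit 'debug ip nat' output.

Added example, not Cisco course code. Sample lines are constructed."""
import re

# NAT or NAT* prefix, s=source[->translated], d=destination[->translated], [ident]
LINE_RE = re.compile(
    r"NAT(?P<fast>\*)?:\s+"
    r"s=(?P<src>[\d.]+)(?:-+>(?P<src_t>[\d.]+))?,\s+"
    r"d=(?P<dst>[\d.]+)(?:-+>(?P<dst_t>[\d.]+))?\s+"
    r"\[(?P<ident>\d+)\]"
)


def parse_line(line):
    """Return the fields of one debug line, or None for lines that are not NAT debug output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "fast_switched": d["fast"] == "*",   # '*' = translation done in the fast-switched path
        "src": d["src"],
        "src_translated": d["src_t"],        # set on outbound packets: inside local -> inside global
        "dst": d["dst"],
        "dst_translated": d["dst_t"],        # set on replies: inside global -> inside local
        "ident": int(d["ident"]),            # IPv4 identification field, useful to pair request and reply
    }


def audit(lines, inside_hosts, pool):
    """Compare observed translations with the intended design.

    inside_hosts: inside local addresses the ACL is supposed to cover.
    pool: the inside global addresses the NAT pool (or interface) should hand out."""
    pool = set(pool)
    seen = {}              # inside local -> inside global actually observed
    outside_pool = []      # translations to an address the design does not allow
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src_translated"] is None:
            continue       # replies and non-NAT lines carry no new outbound translation
        seen[rec["src"]] = rec["src_translated"]
        if rec["src_translated"] not in pool:
            outside_pool.append((rec["src"], rec["src_translated"]))
    missing = [h for h in inside_hosts if h not in seen]   # never translated: check ACL / interfaces
    return {"seen": seen, "missing": missing, "outside_pool": outside_pool}


# Constructed sample of what 'debug ip nat' prints (timestamps are made up)
SAMPLE = [
    "*Mar  1 00:10:01.115: NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.1 [10]",
    "*Mar  1 00:10:01.119: NAT*: s=209.165.201.1, d=209.165.200.226->192.168.10.10 [11]",
    "*Mar  1 00:10:02.201: NAT: s=192.168.10.12--->203.0.113.9, d=209.165.201.1 [13]",
    "*Mar  1 00:10:02.300: %SYS-5-CONFIG_I: Configured from console by console",
]
```

Run `audit(SAMPLE, ["192.168.10.10", "192.168.10.11", "192.168.10.12"], ["209.165.200.226", "209.165.200.227"])` and 192.168.10.11 shows up as missing while 192.168.10.12's translation to 203.0.113.9 is flagged as outside the pool; both are the kinds of mismatch the scenario's "incorrect ACL" and "no translations" cases produce.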
9.4.1.2 – Packet Tracer - Skills Integration Challenge

9.4.1.3 – Chapter 9: NAT for IPv4
§Explain how NAT provides IPv4 address scalability in a small to medium-sized business network.
§Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.
§Troubleshoot NAT issues in a small to medium-sized business network.

Module 9 - New Terms and Commands
•NAT
•RFC 1918
•Inside local address
•Inside global address
•Outside local address
•Outside global address
•Static NAT
•Dynamic NAT
•PAT
•Next available port number
•ip nat inside source static
•ip nat inside
•ip nat outside
•show ip nat translations
•show ip nat statistics
•clear ip nat statistics
•NAT pool
•ip nat pool
•ip nat inside source list
•show ip nat translations timeout
•show ip nat translations verbose
•Port forwarding
•NAT for IPv6
•IPv6 ULAs
•Dual-stack
•Tunneling
•NAT-PT
•NAT64
•clear ip nat translation *
•debug ip nat
•debug ip nat detailed