10-16-2008 11:03 AM - edited 03-06-2019 01:58 AM
Hi,
I'm trying to build a setup where I can practice NAT and NAT Pools, but am not sure I have the equipment to do this.
I know it is common for 2 subnets to have the same IP range and at some stage these 2 networks need to route to each other for whatever reason, so the networks need to be NAT'ed?
I have the following equipment, is it possible to set up a NAT environment here for me to practice with?
2 x 2620 routers (1 FE and 2 x WIC-1T)
1 x 1721 router (1 FE and 1 x WIC-1T)
1 x 2950 switch
1 x 3550 switch
1 x 515 pix
Also, what are NAT Pools used for?
Many thanks in advance for your guidance.
10-16-2008 12:31 PM
Hello Andy,
the short answer is yes
to build a lab setup you can use:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic12
! complete reference
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv.html#wp1073436
You can build a good lab with your equipment:
have the two C2620 used as border routers doing NAT (only one, or both at different times); use the C1721 as if it were a host connected via LAN switch to the C2620
the C3550, if it has the enterprise edition, can be the host on the other network
Connect all FE ports to the two switches and have the two switches connected to each other.
Use FE subifs on the C2620 to get inside and outside logical interfaces : the switch ports will be 802.1Q trunks to carry multiple Vlan tagged frames.
Hope to help
Giuseppe
10-19-2008 03:06 AM
Hi Thanks for the links,
I'm not sure though I understand your lab? The routers only have 1 FE each.
Any chance of a simple diag?
I think once I can prove I can do one NAT then I will be fine.
10-19-2008 03:20 AM
Hello Andy,
the idea is to use Vlan subinterfaces 802.1Q and so you can get as many L3 links as you need: most of features work the same on the subifs.
This is very handy for setting up labs: once every router is connected to the LAN switch and to the FR switch, it is easy to build new topologies as required in each scenario.
So each router uses Vlan subifs, and the switch port to which it is connected is configured as an L2 trunk with the same trunking encapsulation (802.1Q for example, or ISL, but the 2950 supports only the first)
A simple diagram can be:
C1720 --- Switch_2950 --- C2620_1
C2620_2 --- Switch_3550--- FW
also between Switch_2950 and Switch_3550 you configure an 802.1Q trunk.
then:
use Vlan 10 for a link between C1720 and C2620_1.
use Vlan 20 for the logical link between C2620_2 and FW/C3550
use vlan 30 for the L3 logical link between C2620_1 and C_2620_2
use vlan 40 to create an IP subnet on C1720 that will be overlapping with
vlan 45 on C3550 (if routing capable)
associate a distinct ip subnet to each vlan with only exception vlan 40 and vlan 45
then you configure routing in the two domains: static routes or RIP as you did in another lab.
the two 2620 are the two border routers that need to do NAT.
You can choose to do NAT:
all in a single device to translate both source and destination
OR
both routers do NAT and perform translation of only source (this is more used).
the goal is to make
C1720:f0/0.40 ip 10.10.10.1 communicate with
FW or C3550 in vlan 45 with the same ip address 10.10.10.1 on the right side
Hope to help
Giuseppe
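The second option from the reply above (both 2620s translating only the source), sketched as IOS configuration; this is an added example, not configuration posted in the thread. The Vlan 10/20/30 subnets, the 172.16.1.0/24 and 172.16.2.0/24 translated ranges, and the next-hop addresses are assumptions chosen for illustration; only the VLAN numbers and 10.10.10.1 come from the posts.

```cisco-ios
! ===== C2620_1 (left border router) =====
! Assumed addressing: Vlan 10 = 192.168.10.0/24, Vlan 20 = 192.168.20.0/24,
! Vlan 30 = 192.168.30.0/24. The left 10.10.10.0/24 is presented to the
! other side as 172.16.1.0/24, the right 10.10.10.0/24 as 172.16.2.0/24.
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat outside
! One-to-one source translation of the whole overlapping subnet
ip nat inside source static network 10.10.10.0 172.16.1.0 /24
! The real local subnet sits behind the C1720 on Vlan 10
ip route 10.10.10.0 255.255.255.0 192.168.10.1
! The far side is reachable only through its translated range
ip route 172.16.2.0 255.255.255.0 192.168.30.2
!
! ===== C2620_2 (right border router) =====
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 ip nat inside
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.2 255.255.255.0
 ip nat outside
ip nat inside source static network 10.10.10.0 172.16.2.0 /24
ip route 10.10.10.0 255.255.255.0 192.168.20.1
ip route 172.16.1.0 255.255.255.0 192.168.30.1
!
! ===== Inside devices =====
! C1720:    ip route 172.16.2.0 255.255.255.0 192.168.10.2
! FW/C3550: route 172.16.1.0/24 toward 192.168.20.2
!
! Dynamic alternative for a side that only initiates sessions (a NAT pool):
!   access-list 1 permit 10.10.10.0 0.0.0.255
!   ip nat pool LEFT 172.16.1.1 172.16.1.254 netmask 255.255.255.0
!   ip nat inside source list 1 pool LEFT
!
! Verify on either 2620 after pinging the remote translated address:
!   show ip nat translations
```

With this in place the left 10.10.10.1 reaches the right 10.10.10.1 by pinging 172.16.2.1, and the right side sees the request arrive from 172.16.1.1, so neither host ever sees a packet carrying its own address as the peer.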