nat

Answered Question
Aug 7th, 2009

Hi everybody.

I have a few questions about NAT.

Static NAT:

Please consider the following case:

h1(10.10.10.1)----f0(Router)s0----internet

Router:

int f0
 ip address 10.10.10.2/24
 ip nat inside

int s0
 ip address 200.200.200.1/24
 ip nat outside

ip nat inside source static 10.10.10.2 int s0

Will the above config perform NAT by replacing host address 10.10.10.2 by the IP address on s0 (200.200.200.1)?

How about the following:

ip nat inside source int so.

My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address by s0's IP address. Will it work?

Thanks a lot.


Correct Answer
John Blakley Fri, 08/07/2009 - 08:45

Sarah,

The easiest way is:

access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 int s0 overload

HTH,

John

sarahr202 Fri, 08/07/2009 - 09:52

Thanks John.

My intention is to learn how the different parameters in the command "ip nat inside source" work.

My book mentioned different forms of NAT. One kind of NAT I was studying is static NAT.

The book only mentions one way to perform static NAT, so I was left wondering if I could perform static NAT as:

ip nat inside source static 10.10.10.1 int s0

I found out I can.

Thanks a lot John, and have a nice weekend.

Correct Answer
Edison Ortiz Fri, 08/07/2009 - 10:16

Sarah,

You sure can, but you are statically assigning 10.10.10.1 to interface s0, and you can't assign other internal IPs (10.10.10.x/24) statically to the same internal interface.

In this situation you have to do PAT (Port Address Translation), and the source IP addresses would be called from an ACL instead of static NAT.

You must also add the overload keyword to activate PAT. Without the overload keyword, the first address on the translation will take over the process and it will not allow others to be translated.

HTH,

__

Edison.

Correct Answer
Edison Ortiz Fri, 08/07/2009 - 08:45

Sarah,

"Will the above config perform NAT by replacing host address 10.10.10.2 by the IP address on s0 (200.200.200.1)?"

Yes.

"How about the following:

ip nat inside source int so."

The source must be internal - in your case that's the external interface.

"My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address by s0's IP address. Will it work?"

You will need the following:

access-list 101 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 101 interface s0 overload


Correct Answer
Jon Marshall Fri, 08/07/2009 - 08:52
Sarah

"Will the above config perform NAT by replacing host address 10.10.10.2 by the IP address on s0 (200.200.200.1)?"

Yes it will.

"How about the following:

ip nat inside source int so.

My intention is to tell the NAT router to perform NAT for any host located on f0 by replacing the source IP address by s0's IP address. Will it work?"

No it won't, as there is no option to put the "int" keyword straight after the "source" keyword.

To achieve what you want you need -

access-list 1 permit any
ip nat inside source list 1 int s0/0 overload

Note that if you want to be more specific than just "any" in acl 1 you can use specific source IPs, and you can also use extended ACLs if you want src/dst IPs/ports.

Jon

sarahr202 Fri, 08/07/2009 - 10:07

Thanks John.

Just out of curiosity, if I have the following config:

ip nat inside source list 111 int s0 overload
access-list 111 permit tcp 199.199.199.0 0.0.0.255 host 2.2.2.2 eq www

Does the above config tell the router to perform NAT only for hosts which fulfil the criteria set out in access-list 111? That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2.

If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111.

Is my understanding correct?

Thanks a lot.



Correct Answer
Edison Ortiz Fri, 08/07/2009 - 10:27

Sarah,


Your understanding is correct. That's often called 'conditional natting'


HTH,


__


Edison.

Correct Answer
Jon Marshall Fri, 08/07/2009 - 10:32
Sarah

"That is, it performs NAT for any host with an IP address within 198.198.198.0 that wants to access web server 2.2.2.2"

Yes, except in your acl you have 199.199.199.0, but your understanding is correct :-)

"If my understanding is correct, then any host on 198.198.198.0 which wants to telnet to, say, some other machine will not be able to do so, as the host will not fulfil the criteria set out in access-list 111."

This is not correct however. The acl 111 is not used to deny or allow packets; it is merely used to decide which packets to NAT. So any machine on the 198.198.198.0/24 network that telnets to another machine on the other side of the router will be allowed to. It's just that the 198.198.198.x address will not be natted to the s0 interface, i.e. the source address will remain unchanged.

Jon
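
A small Python model of the two points made in the replies above, added here as an illustration; it is not code from the thread and only imitates the IOS behaviour it discusses. It assumes a single inside-global address (the s0 address 200.200.200.1), maps the wildcard mask of access-list 111 to /24, and feeds in three constructed packets. It shows Jon's point that a packet which fails access-list 111 leaves the router with its source unchanged rather than being dropped, and Edison's point about the overload keyword: without overload only one inside host can hold the interface address, while with overload source ports are translated so several hosts share it. Timeouts, the reply direction and pool ordering are deliberately left out.

```python
"""Toy model of 'ip nat inside source list <acl> interface <if> [overload]'.

Constructed example for this thread, not IOS code and not the thread's own
config. The ACL only selects which packets are translated; 'overload' is what
lets several inside hosts share one inside-global address.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line. A wildcard mask such as 0.0.0.255 is written as /24 here."""
    proto: str = "ip"             # "ip" matches every protocol, as in IOS
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # the 'eq <port>' part, if any


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if s not in ipaddress.ip_network(e.src) or d not in ipaddress.ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return True
    return False


class InsideSourceNat:
    """Inside-to-outside handling of one 'ip nat inside source list ... interface ...' line."""

    def __init__(self, acl: List[AclEntry], global_addr: str, overload: bool = False):
        self.acl = acl
        self.global_addr = global_addr       # address of the outside interface (s0)
        self.overload = overload
        self.bound_to: Optional[str] = None  # inside-local owning global_addr (no overload)
        self.port_map = {}                   # (inside-local, sport) -> global port (overload)
        self.next_port = 1024                # constructed starting point for PAT ports

    def translate(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """Return (packet as it leaves the outside interface, or None if dropped; reason)."""
        if not acl_permits(self.acl, pkt):
            # The ACL is a selector, not a filter: the packet still goes out, unchanged.
            return pkt, "forwarded untranslated"
        if not self.overload:
            # Without 'overload' the single global address is bound to one inside host
            # at a time; a second host finds no free address and its packet is dropped.
            if self.bound_to is None:
                self.bound_to = pkt.src
            if self.bound_to != pkt.src:
                return None, "dropped: global address already bound to another host"
            return replace(pkt, src=self.global_addr), "translated one-to-one"
        # With 'overload' each (inside-local, source port) pair gets its own global port,
        # so any number of inside hosts can share the one interface address.
        key = (pkt.src, pkt.sport)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.global_addr, sport=self.port_map[key]), "translated with PAT"


def demo(overload: bool) -> List[Tuple[Optional[Packet], str]]:
    """Replay three constructed packets through the thread's access-list 111."""
    # access-list 111 permit tcp 199.199.199.0 0.0.0.255 host 2.2.2.2 eq www
    acl_111 = [AclEntry("tcp", "199.199.199.0/24", "2.2.2.2/32", 80)]
    nat = InsideSourceNat(acl_111, "200.200.200.1", overload=overload)
    packets = [
        Packet("199.199.199.10", "2.2.2.2", "tcp", 40001, 80),  # web to 2.2.2.2: matches
        Packet("199.199.199.11", "2.2.2.2", "tcp", 40002, 80),  # second host: also matches
        Packet("199.199.199.10", "5.5.5.5", "tcp", 40003, 23),  # telnet elsewhere: no match
    ]
    return [nat.translate(p) for p in packets]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"overload={flag}")
        for out, why in demo(flag):
            print("  ", why, "->", out)
```

Running it with overload=False shows the second web client's packet being dropped because the one global address is already taken, while the telnet packet passes untouched in both runs; with overload=True both web clients are translated to 200.200.200.1 on distinct ports.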

sarahr202 Fri, 08/07/2009 - 13:44

Very good catch John.

How about the following config:

int e0
 ip address 10.10.1.1/8
 ip nat inside

int s0
 ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0

Will the above config work?

===============================

How about if I configure:

ip nat pool zee 200.1.1.0 netmask 255.255.255.0
ip nat inside source list 1 pool zee overload

Is the above config correct?

Thanks, and have a nice weekend.

Correct Answer
Jon Marshall Fri, 08/07/2009 - 15:00

Sarah

"int e0
 ip address 10.10.1.1/8
 ip nat inside

int s0
 ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0

Will the above config work?"

Yes it does work, although I did have my doubts, as I thought it might not because the traffic doesn't actually go through the router; rather the packet originates on the router. Obviously, to test it I used a ping and specified the source address as 10.10.1.1.

Your second example will also work, although you need to modify your config -

ip nat pool zee 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool zee overload

What will happen here is that 200.1.1.1 -> 200.1.1.253 will be used for the first 253 one-to-one NAT connections, then .254 will be used to PAT the rest of them.

Both your examples are a bit misleading in that your access-list defines the e0 router interface address, whereas usually NAT is used for addresses connected to the interface rather than the actual interface address. But it all still works.

Have a good weekend yourself.

Jon


sarahr202 Sat, 08/08/2009 - 07:53

Hi John.

First of all, thanks for replying to my long-winded post.

I am a little confused here, as you mentioned an ACL has no effect on locally generated packets; an ACL only affects transit packets. My weird example, which I briefly describe again as follows for reference:

"int e0
 ip address 10.10.1.1/8
 ip nat inside

int s0
 ip address 200.200.200.1/24

access-list 1 permit host 10.10.1.1
ip nat inside source list 1 int s0"

As you mentioned in your post, the router is still able to perform NAT for a locally generated packet.

The question is why?

I am thinking about it, and in the meantime if someone finds or knows the answer, please share it with us.

Thanks a lot.


