Config Lab: Dynamic NAT 1
Dynamic NAT – specifically, dynamic NAT without also doing PAT – creates a 1-to-1 mapping between an inside local address and an inside global address. Unlike static NAT, however, dynamic NAT does not pre-determine the specific IP addresses to map. The router adds the entries to the table, taking them from a pool and then removing them after inactivity for later re-use. Today’s lab gives you practice creating the configuration, including defining the pool of addresses.
The Lab Exercise
Requirements
Configure dynamic Network Address Translation (NAT) on R1 for devices S1, S2, and S3, as follows:
- Enable dynamic NAT for all hosts in the subnet connected to R1’s G0/1 interface, a subnet inside the enterprise network
- Create a pool of addresses to use when translating before forwarding packets towards R2, considered the outside part of the network.
- Use a name of nat_pool
- The pool should use a subset of the addresses in the subnet that sits between R1 and R2, specifically addresses 172.16.10.10 through 172.16.10.20 (inclusive)
- Configure static routes as needed on R2 so that R2 can forward packets back to these inside global addresses
- Assume all router interfaces shown in the lab are up, working, and configured with IP addresses
Figure 1: Dynamic NAT Topology
Initial Configuration
Examples 1 and 2 show the beginning configuration state of R1 and R2.
hostname R1
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
no shutdown
!
interface GigabitEthernet0/2
ip address 172.16.10.1 255.255.255.0
no shutdown
Example 1: R1 Config
hostname R2
!
interface GigabitEthernet0/1
ip address 172.16.10.2 255.255.255.0
no shutdown
Example 2: R2 Config
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
The CML topology matches the lab topology.
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Dynamic NAT Topology
interface GigabitEthernet0/1
ip nat inside
!
interface GigabitEthernet0/2
ip nat outside
!
ip nat pool nat_pool 172.16.10.10 172.16.10.20 netmask 255.255.255.0
ip nat inside source list 1 pool nat_pool
!
access-list 1 permit 10.1.1.0 0.0.0.255
 Example 3: R1 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
There are several ways to configure NAT, including static NAT, dynamic NAT, and Port Address Translation (PAT). Static NAT is typically used for one-to-one translations from a specific inside address (called an inside local address) to a specific outside address (called an inside global address). Dynamic NAT differs slightly because it allocates the outside address from a configured pool rather than pre-determining the specific address to use in each case. The third major type of NAT, PAT (or NAT overload), uses either a specific outside address or a configured pool.
The difference between PAT and the other types is that the mapping is not one-to-one from an inside address to an outside address. With PAT, there is a many-to-one mapping between the inside local address and the inside global address using unique TCP and UDP port numbers to decide where and how to translate the packets.
First, you have to determine which interface(s) connect to hosts inside the network and which hosts connect to the outside network. For this lab, R1’s G0/1 interface is connected to S1, S2, and S3 and is considered the inside interface. To configure this, use the ip nat inside command while in interface configuration mode. R1’s G0/2 interface is connected to R2 and is considered the outside interface. To configure this, use the ip nat outside command while in interface configuration mode.
Next, you were tasked with configuring a NAT pool called nat_pool and including addresses 172.16.10.10 through 172.16.10.20. The command ip nat pool nat_pool 172.16.10.10 172.16.10.20 netmask 255.255.255.0 global command does just that. The two addresses define the beginning and ending range of addresses in the pool.
Note that the netmask value (255.255.255.0 in this example) acts as a math check. If the two addresses are in the same subnet, then your answer is correct if you use the listed subnet mask. It does not have to match the actual subnet mask. In this case, masks 255.255.255.224, 255.255.255.192, and 255.255.255.128 would also work.
Take a quick look at the ip nat inside global command; note that it refers to an ACL (ACL 1 in the sample). The ACL should match the inside local addresses that should drive the NAT function. In this case, packets coming from hosts in subnet 10.1.1.0/24 should cause dynamic NAT to occur, so the simple ACL 1 matches packets whose source IP addresses are in that subnet with the access-list 1 permit 10.1.1.0 0.0.0.255 command.
Taking a closer look at the ip nat inside command, the fourth and final task requires this command to link the ACL logic of matching packets coming in a source interface (source list 1) to the pool to dynamically allocate an inside global address (pool nat_pool). The full command strings all the ideas together: ip nat inside source list 1 pool nat_pool.
Finally, note that the requirements tell you to configure static routes on R2 as needed for the inside global addresses. In this case, the configuration uses a range of addresses in the subnet between R1 and R2, so R2 already has a connected route that includes the addresses used by NAT. So there is no need for any additional static routes.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | CPT dynamic NAT show commands differ from real | Cisco Packet Tracer (CPT) supports dynamic NAT configuration, both without PAT (as requested in this lab) and with PAT. However, in our testing through CPT 8.0, the show ip nat translation command shows output as if you configured PAT in all cases. In particular, the output lists TCP/UDP ports numbers, which real routers do only if PAT has been configured. |
2 | Better results in CPT with configure, save, close, open, verify process. | CPT may show incorrect NAT behavior if you configure NAT and then move directly to testing. You might want to configure, then save and re-open the .pkt file before testing. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- Verify the dynamic NAT configuration by checking the reachability from S1, S2, and S3 to R2 using ping.
- At router R1, using the show ip nat translations command to verify that the NAT table begins with no entries.
- From S1/S2/S3, try the ping 172.16.10.2 command, pinging R2’s global address, which tests the static NAT configuration.
- At router R1, using the show ip nat translations command to verify a new NAT table entry appeared in support of each flow.
- Note that the entries timeout quickly with CPT.
- Use a TCP or UDP app to test from S1/S2/S3 to router R2. For instance, use Telnet.
- Because the initial configuration did not prepare router R2 for inbound Telnet, add configuration on R2 as follows:
- line vty 0 15
- transport input all
- login
- password cisco
- From S1/S2/S3, try the telnet 172.16.10.2 command, pinging R2’s global address, which tests the static NAT configuration.
- At router R1, using the show ip nat translations command to verify a new NAT table entry appeared in support of each flow.
- Because the initial configuration did not prepare router R2 for inbound Telnet, add configuration on R2 as follows:
Hello Odom,
I hope all is well.
Could you please mention the answer for ‘Configure static routes as needed on R2 so that R2 can forward packets back to these inside global addresses’
Thank you
Is it: ip route 10.1.1.0 255.255.255.0 172.16.10.1
Hi Joe,
Not in this case. From R2’s perspective, it needs routes for the addresses used in the packets that reach it. So, a packet sent by say S1, after going through NAT on R1, will have an address from within the address range 172.16.10.0/24. So, R2 needs a route to those addresses… which it already has as a connected route.
Wendell
Hi John,
Love to see that you’re digging into the detail!
It’s described in the final paragraph of the Lab Commentary text. Thinking through the scenario from R2’s perspective, in this limited lab network, R2 receives packets sourced from an IP address of the subnet on the link between R1 and R2. R2 already has a connected route for that subnet. So, R2 doesn’t need any additional routes.
Now imagine a larger lab, with some routers to the right of R1 that act like other routers in the Internet. They would need routes for the address range of that subnet between R1 and R2.
In lab, NAT should work, and a ping from server S1 to R2’s WAN IP address should work, with the reverse routing working.
Hello Wendell
After configuring R1(config)#ip nat pool nat_pool 172.16.10.10 172.16.10.20 netmask 255.255.255.224. The following is returned with packet tracer:
“%Pool nat_pool mask 255.255.255.224 too small; should be at least 0.0.0.0
%Start and end addresses on different subnets”
At first i thought maybe it is because these inside global addresses are less than the inside local ip addresses we are trying to translate. I tried using an extended standard named ACL to only include the hosts in the inside local subnet, but this did not work.
ip nat inside source list 2 pool nat_pool
ip classless
!
ip flow-export version 9
!
!
access-list 2 permit host 10.1.1.25
access-list 2 permit host 10.1.1.35
access-list 2 permit host 10.1.1.45
when i run the R1# show run command it also i appeared that R1 did not accept the nat_pool creation command.
Kindly assist.
Hi Reason,
Well, without turning on my lab pod w/ real gear to check it, I think the command you list, with the 255.255.255.224 mask, would be accepted by a real Cisco router. So it could just be a Packet Tracer issue. However, it’s pretty normal to use the same mask as what’s used on the interface from which you’re taking the NAT pool IP addresses. In this case, that mask is 255.255.255.0, not 255.255.255.224. The ip nat pool nat_pool 172.16.10.10 172.16.10.20 netmask 255.255.255.0 command should be accepted. Try that and let me know if not.
Hi Wendell
On Packet tracer, It is still not working with netmask 255.255.255.0 I redesigned the lab on GNS3 and it is accepting both netmasks (/24 and /27). Could this be packet tracer issue?
Hi Reason,
Well, it could be. But I wonder if you’re not seeing a typo? I just tried both versions of the command, with the two different masks, in PT 8.2.2, and it accepted both:
So, you’re tying the same commands, and getting a rejection, right?
Hi Wendell
Thanks for your assistance, I tried it just now on PT and it worked. Could have been a typo like you mentioned :)). Once again thanks for your patience, help, and knowledge sharing.