15.1.6 Lab - Implement NAT (Answers)

15.1.6 Lab – Implement NAT (Answers)

Topology

15.1.6 Lab - Implement NAT (Answers) 2

Addressing Table

Device	Interface	IP Address	Default Gateway
R1	G0/0/0	209.165.200.1/24	N/A
R1	G0/0/1	10.0.0.1/24	N/A
R2	G0/0/0	209.165.200.2/24	N/A
	G0/0/1	209.165.224.2/24
	Loopback0	209.165.240.1/24
R3	G0/0/0	209.165.224.3/24	N/A
R3	G0/0/1	10.1.0.1/24	N/A
D1	VLAN 1	10.0.0.2/24	N/A
D2	VLAN 1	10.2.0.2/24	N/A
PC1	NIC	10.0.0.50/24	10.0.0.1
PC3	NIC	10.1.0.50/24	10.1.0.1
PC4	NIC	10.1.0.75/24	10.1.0.1

Objectives

Part 1: Build the Network and Configure Basic Device Settings
Part 2: Configure and Verify Static Inside NAT
Part 3: Configure and Verify Pooled NAT
Part 4: Configure and Verify NAT Overload

Background / Scenario

The HQ and Branch sites must be configured to support NAT. Specifically, the HQ and Branch routers will be configured to provide inside LAN users with outside public addresses using NAT. The HQ router will also provide static NAT to access the email server from the outside network.

Note: This lab is an exercise in configuring and verifying various methods of NAT and does not reflect networking best practices.

Note: The routers and switches used with CCNP hands-on labs are Cisco 4221 and Cisco 3650, both with Cisco IOS XE Release 16.9.4 (universalk9 image). Other routers and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs.

Note: Ensure that the routers and switches have been erased and have no startup configurations. If you are unsure contact your instructor.

Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices

Required Resources

3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
2 Switches (Cisco 3650 with Cisco IOS XE Release 16.9.4 universal image or comparable)
3 PCs (Choice of operating system with a terminal emulation program installed)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet and serial cables as shown in the topology

Instructions

Part 1: Build the Network and Configure Basic Device Settings

In Part 1, you will set up the network topology and configure basic settings.

Step 1: Cable the network as shown in the topology.

Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each device.

a. Console into each device, enter global configuration mode, and apply the basic settings. A command list for each device is provided below for the initial configurations.

Router R1

hostname R1
no ip domain lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
line vty 0 4
 privilege level 15
 password cisco123
 exec-timeout 0 0
 logging synchronous
 login
 exit
banner motd # This is R1, Implement NAT Lab #
interface g0/0/0
 ip address 209.165.200.1 255.255.255.0
 no shut
 exit
interface g0/0/1
 ip address 10.0.0.1 255.255.255.0
 no shut
 exit
 ip route 0.0.0.0 0.0.0.0 g0/0/0 209.165.200.2

Router R2

hostname R2
no ip domain lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
line vty 0 4
 privilege level 15
 password cisco123
 exec-timeout 0 0
 logging synchronous
 login
 exit
banner motd # This is R2, Implement NAT Lab #
interface g0/0/0
ip address 209.165.200.2 255.255.255.0
no shut
exit
interface g0/0/1
ip address 209.165.224.2 255.255.255.0
no shut
exit
interface loopback 0
ip address 209.165.240.1 255.255.255.0
no shut
exit
ip route 10.0.0.0 255.255.255.0 g0/0/0 209.165.200.1
ip route 10.1.0.0 255.255.255.0 g0/0/1 209.165.224.3

Router R3

hostname R3
no ip domain lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
line vty 0 4
 privilege level 15
 password cisco123
 exec-timeout 0 0
 logging synchronous
 login
 exit
banner motd # This is R3, Implement NAT Lab #
interface g0/0/0
 ip address 209.165.224.3 255.255.255.0
 no shut
 exit
interface g0/0/1
 ip address 10.1.0.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 g0/0/0 209.165.224.2

Switch D1

hostname D1
no ip domain lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
line vty 0 4
 privilege level 15
 password cisco123
 exec-timeout 0 0
 logging synchronous
 login
 exit
banner motd # This is D1, Implement NAT Lab #
interface range g1/0/1-24, g1/1/1-4
 shutdown
 exit
interface range g1/0/11, g1/0/23
 no shutdown
 exit
interface g1/0/23
 switchport mode access
 spanning-tree portfast
 exit
interface vlan 1
 ip address 10.0.0.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.0.1

Switch D2

hostname D2
no ip domain lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 exit
line vty 0 4
 privilege level 15
 password cisco123
 exec-timeout 0 0
 logging synchronous
 login
 exit
banner motd # This is D2, Implement NAT Lab #
interface range g1/0/1-24, g1/1/1-4
 shutdown
 exit
interface range g1/0/11, g1/0/23-24
 no shutdown
 exit
interface range g1/0/23-24
 switchport mode access
 spanning-tree portfast
 exit
interface vlan 1
 ip address 10.1.0.2 255.255.255.0
 no shutdown
ip default-gateway 10.1.0.1

b. Set the clock on each device to UTC time.

c. Save the running configuration to startup-config.

Step 3: Verify reachability.

PC1 (10.0.0.50) should be able to ping PC3 (10.1.0.50), and PC4 (10.1.0.75) should be able to ping switch D1 (10.0.0.2). If not, notify your instructor so they may assist you in troubleshooting and correcting any incorrect configurations.

Part 2: Configure and Verify Static Inside NAT

In Part 2, you will configure and verify Static Inside NAT. The idea behind Static Inside NAT is to make an inside local address reachable via an outside global address. For this lab, we will make interface VLAN 1 on switch D1 appear as 209.165.200.99 on the outside network.

Step 1: On R1, configure Static Inside NAT.

Note: The following steps a and b do not have to be carried out in the order listed.

a. Configure R1 to translate the address on D1 Interface VLAN 1 to 209.165.200.99.

R1(config)# ip nat inside source static 10.0.0.2 209.165.200.99

b. On R1, specify the inside and outside interfaces for NAT purposes.

R1(config)# interface g0/0/0
R1(config-if)# ip nat outside
R1(config-if)# exit
R1(config)# interface g0/0/1
R1(config-if)# ip nat inside
R1(config-if)# exit

Step 2: Verify the NAT process is occurring on R1.

a. On R1, issue the command show ip nat translations. In the output, you will see the static translation information.

R1# show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  209.165.200.99        10.0.0.2              ---                   ---
Total number of translations: 1

b. From the console of R2, send 10,000 pings to the destination address 209.165.200.99 using the command ping 209.165.200.99 repeat 10000. The pings should be successful.

c. On R1, issue the command show ip nat translations. In the output, you will see the static translation as well as the translation used for the ping.

R1# show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  209.165.200.99        10.0.0.2              ---                   ---
icmp 209.165.200.99:0      10.0.0.2:0            209.165.200.2:0       209.165.200.2:0
Total number of translations: 2

d. From the console of R2, stop the ping if it is still running and then telnet to 209.165.200.99. You should be able to connect and login to D1. Use cisco123 as the password when prompted.

e. While logged in to D1, issue the command show tcp brief. In the output, you will see the addresses involved in the communication from D1’s perspective.

D1# show tcp brief
TCB       Local Address           Foreign Address        (state)
054D9734  10.0.0.2.23             209.165.200.2.63955    ESTAB

f. On R1, issue the command show ip nat translations. In the output, you will see the static translation as well as the translation used for the telnet session.

R1# show ip nat translations
Pro  Inside global         Inside local   Outside local         Outside global
---  209.165.200.99        10.0.0.2       ---                   ---
tcp  209.165.200.99:23     10.0.0.2:23    209.165.200.2:63955   209.165.200.2:63955
Total number of translations: 2

g. Disconnect the telnet session in preparation for the next part of the lab.

Part 3: Configure and Verify Pooled NAT

In Part 3, you will configure, examine, and verify pooled NAT. Pooled NAT uses a pool of available outside addresses to dynamically translate inside addresses on a one-to-one basis. The drawback to Pooled NAT is that if you do not have a pool of addresses that is at least the same size as the number of addresses that need to be translated, there will be inside hosts that cannot send traffic outside until a translation times out or is manually cleared.

Step 1: On R3, configure Pooled NAT.

Note: The following steps a, b, c, and d do not have to be carried out in the order listed.

a. On R3, create a standard access list that identifies the source addresses of traffic to be translated. Traffic with source addresses matching this access list are referred to as “interesting” and will be processed through the configured NAT rule. For this lab, specify the entire 10.1.0.0/24 network as interesting.

R3(config)# access-list 33 permit 10.1.0.0 0.0.0.255

b. Next, create a pool of addresses to use for the interesting traffic translations. You should have authority to use these addresses, and outside networks should route traffic destined to these addresses to you. For this lab, we will use two addresses from the subnet connecting R3 and R2.

R3(config)# ip nat pool POOLEDNAT 209.165.224.5 209.165.224.6 prefix-length 24

c. Associate the interesting addresses with the NAT pool.

R3(config)# ip nat inside source list 33 pool POOLEDNAT

d. Establish the inside and outside interfaces on R3.

R3(config)# interface g0/0/0
R3(config-if)# ip nat outside
R3(config-if)# exit
R3(config)# interface g0/0/1
R3(config-if)# ip nat inside
R3(config-if)# exit

Step 2: Verify the NAT process is occurring on R3.

a. On R3, issue the command show ip nat translations. The output will indicate that there are no translations.

b. On R3, issue the command show ip nat pool name POOLEDNAT. The output will give you details about the pool that is available for translation.

R3# show ip nat pool name POOLEDNAT

NAT Pool Statistics

Pool name POOLEDNAT, id 1
                              Assigned            Available
  Addresses                          0                    2
  UDP Low Ports                      0                 1024
  TCP Low Ports                      0                 1024
  UDP High Ports                     0               129024
  TCP High Ports                     0               129024

(Low ports are less than 1024. High ports are greater than or equal to 1024.)

c. From the command prompt on PC3, start a continuous ping to the destination address 209.165.224.2. The pings should be successful.

d. On R3, issue the command show ip nat translations. In the output you will see the pooled translation as well as the translation used for the ping.

R3# show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  209.165.224.5         10.1.0.50             ---                   ---
icmp 209.165.224.5:1       10.1.0.50:1           209.165.224.2:1       209.165.224.2:1
Total number of translations: 2

e. From the command prompt on PC4, start a continuous ping to the destination address 209.165.224.2. The pings should be successful.

f. On R3, issue the command show ip nat translations. In the output you will see the pooled translations as well as the translation used for the ping.

R3# show ip nat translations
Pro  Inside global         Inside local    Outside local         Outside global
---  209.165.224.6         10.1.0.75       ---                   ---
---  209.165.224.5         10.1.0.50       ---                   ---
icmp 209.165.224.6:6740    10.1.0.75:6740  209.165.224.2:6740    209.165.224.2:6740
icmp 209.165.224.5:1       10.1.0.50:1     209.165.224.2:1       209.165.224.2:1
Total number of translations: 4

g. From the console of D2, send 10,000 pings to the destination address 209.165.224.2 using the command ping 209.165.224.2 repeat 10000. The pings should fail.

h. On R3, you should see the following syslog message being repeated:

*Jan 25 16:52:01.498: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000053243712630396 %NAT-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 1 may be exhausted [2]

We purposely created a pool of addresses that was too small to demonstrate one of the shortcomings of Pooled NAT. Verify the pool is exhausted by examining the output of the command show ip nat pool name POOLEDNAT.

R3# show ip nat pool name POOLEDNAT

NAT Pool Statistics

Pool name POOLEDNAT, id 1
                              Assigned            Available
  Addresses                          2                    0
  UDP Low Ports                      0                 1024
  TCP Low Ports                      0                 1024
  UDP High Ports                     0               129024
  TCP High Ports                     0               129024

(Low ports are less than 1024. High ports are greater than or equal to 1024.)

i. Stop the pings on D2, PC3, and PC4. (Note: To stop the ping, press Ctr+Shift+6.)

j. In preparation for the next part of the lab, remove the pool and mapping commands. Leave the ACL and the interface specifications.

R3(config)# do clear ip nat translation *
R3(config)# no ip nat pool POOLEDNAT 209.165.224.5 209.165.224.6 prefix-length 24
R3(config)# no ip nat inside source list 33 pool POOLEDNAT

Part 4: Configure and Verify NAT Overload

In Part 4, you will configure and examine NAT Overload, which is also called Port Address Translation or PAT. PAT overloads on an interface address or on a pool of addresses by associating each traffic session with a unique set of port numbers. The advantage, especially for smaller networks, is that everyone can get out of the network by leveraging a single outside IP address. The drawback to PAT is that you have a limit of about 65,000 to the number of translations possible via a single address. The impact of this limit is felt in large networks, where you must have multiple outside IP addresses to overload onto to ensure everyone can communicate.

As a reminder, R3 still has interfaces setup as outside and inside, and still has access list 33 specifying the LAN network address. You will leverage those existing configurations to complete this part of the lab.
For this lab, R3 will overload on the interface specified as outside, which is g0/0/0.

a. Configure the NAT statement directing the router to translate addresses matching access list 33 to the outside interface IP address, keying on port numbers.

R3(config)# ip nat inside source list 33 interface g0/0/0 overload

b. On R3, issue the command show ip nat translations. The output will indicate that there are no translations.

c. From the command prompt on PC3, start a continuous ping to the destination address 209.165.224.2. The pings should be successful.

d. On R3, issue the command show ip nat translations. In the output you will see the PAT translation used for the ping.

R3# show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 209.165.224.3:1       10.1.0.50:1           209.165.224.2:1       209.165.224.2:1
Total number of translations: 1

e. From the command prompt on PC4, start a continuous ping to the destination address 209.165.224.2. From the console of D2, send 100,000 pings to the same address. The pings should be successful.

f. On R3, issue the command show ip nat translations. In the output you will see the PAT translations as well as the translation used for the ping from D2 and PC4.

R3# show ip nat translations
Pro  Inside global         Inside local       Outside local         Outside global
icmp 209.165.224.3:6791    10.1.0.75:6791     209.165.224.2:6791    209.165.224.2:6791
icmp 209.165.224.3:1       10.1.0.50:1        209.165.224.2:1       209.165.224.2:1
icmp 209.165.224.3:6784    10.1.0.2:1         209.165.224.2:1       209.165.224.2:6784
Total number of translations: 3

e. Stop the continuous pings on D2, PC3, and PC4.

Router Interface Summary Table

Router Model	Ethernet Interface #1	Ethernet Interface #2	Serial Interface #1	Serial Interface #2
1800	Fast Ethernet 0/0 (F0/0)	Fast Ethernet 0/1 (F0/1)	Serial 0/0/0 (S0/0/0)	Serial 0/0/1 (S0/0/1)
1900	Gigabit Ethernet 0/0 (G0/0)	Gigabit Ethernet 0/1 (G0/1)	Serial 0/0/0 (S0/0/0)	Serial 0/0/1 (S0/0/1)
2801	Fast Ethernet 0/0 (F0/0)	Fast Ethernet 0/1 (F0/1)	Serial 0/1/0 (S0/1/0)	Serial 0/1/1 (S0/1/1)
2811	Fast Ethernet 0/0 (F0/0)	Fast Ethernet 0/1 (F0/1)	Serial 0/0/0 (S0/0/0)	Serial 0/0/1 (S0/0/1)
2900	Gigabit Ethernet 0/0 (G0/0)	Gigabit Ethernet 0/1 (G0/1)	Serial 0/0/0 (S0/0/0)	Serial 0/0/1 (S0/0/1)
4221	Gigabit Ethernet 0/0/0 (G0/0/0)	Gigabit Ethernet 0/0/1 (G0/0/1)	Serial 0/1/0 (S0/1/0)	Serial 0/1/1 (S0/1/1)
4300	Gigabit Ethernet 0/0/0 (G0/0/0)	Gigabit Ethernet 0/0/1 (G0/0/1)	Serial 0/1/0 (S0/1/0)	Serial 0/1/1 (S0/1/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configs – Final

Router R1

R1# show run
Building configuration...


Current configuration : 3665 bytes
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 ip address 209.165.200.1 255.255.255.0
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static 10.0.0.2 209.165.200.99
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 209.165.200.2
!
control-plane
!
banner motd ^C This is R1, Implement NAT Lab ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco123
 logging synchronous
 login
!
end

Router R2

R2# show run
Building configuration...


Current configuration : 3633 bytes
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
redundancy
 mode none
!
interface Loopback0
 ip address 209.165.240.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 209.165.200.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 209.165.224.2 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 10.0.0.0 255.255.255.0 GigabitEthernet0/0/0 209.165.200.1
ip route 10.1.0.0 255.255.255.0 GigabitEthernet0/0/1 209.165.224.3
!
control-plane
!
banner motd ^C This is R2, Implement NAT Lab ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco123
 logging synchronous
 login
!
end

Router R3

R3# show run
Building configuration...


Current configuration : 3762 bytes
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 ip address 209.165.224.3 255.255.255.0
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list 33 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 209.165.224.2
!
access-list 33 permit 10.1.0.0 0.0.0.255
!
control-plane
!
banner motd ^C This is R3, Implement NAT Lab ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco123
 logging synchronous
 login
!
end

Switch D1

D1# show run
Building configuration...

Current configuration : 6664 bytes
!
version 16.9
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname D1
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no aaa new-model
switch 1 provision ws-c3650-24ps
!
no ip domain lookup
!
login on-success log
!
license boot level ipservicesk9
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
transceiver type all
 monitoring
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description Inter FED, EWLC control, EWLC data
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 shutdown
!
interface GigabitEthernet1/0/7
 shutdown
!
interface GigabitEthernet1/0/8
 shutdown
!
interface GigabitEthernet1/0/9
 shutdown
!
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 shutdown
!
interface GigabitEthernet1/0/13
 shutdown
!
interface GigabitEthernet1/0/14
 shutdown
!
interface GigabitEthernet1/0/15
 shutdown
!
interface GigabitEthernet1/0/16
 shutdown
!
interface GigabitEthernet1/0/17
 shutdown
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 shutdown
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 shutdown
!
interface GigabitEthernet1/0/22
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 shutdown
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip http server
ip http secure-server
!
control-plane
 service-policy input system-cpp-policy
!
banner motd ^C This is D1, Implement NAT Lab ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco123
 logging synchronous
 login
line vty 5 15
 login
!
end

Switch D2

D2# show run
Building configuration... 
Current configuration : 6712 bytes!
!
version 16.9
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname D2
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no aaa new-model
switch 1 provision ws-c3650-24ps
!
no ip domain lookup
!
login on-success log
!
license boot level ipservicesk9
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
transceiver type all
 monitoring
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description Inter FED, EWLC control, EWLC data
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 shutdown
!
interface GigabitEthernet1/0/7
 shutdown
!
interface GigabitEthernet1/0/8
 shutdown
!
interface GigabitEthernet1/0/9
 shutdown
!
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 shutdown
!
interface GigabitEthernet1/0/13
 shutdown
!
interface GigabitEthernet1/0/14
 shutdown
!
interface GigabitEthernet1/0/15
 shutdown
!
interface GigabitEthernet1/0/16
 shutdown
!
interface GigabitEthernet1/0/17
 shutdown
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 shutdown
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 shutdown
!
interface GigabitEthernet1/0/22
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode access
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface Vlan1
 ip address 10.1.0.2 255.255.255.0
!
ip default-gateway 10.1.0.1
ip forward-protocol nd
ip http server
ip http secure-server
!
control-plane
 service-policy input system-cpp-policy
!
banner motd ^C This is D2, Implement NAT Lab ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco123
 logging synchronous
 login
line vty 5 15
 login
!
end