Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure static NAT.
Lab Purpose:
NAT configuration is a fundamental skill. Static NAT provides a one-to-one translation between a private IP address (RFC 1918) and a public IP address. Static NAT is typically used to provide access to private inside hosts from outside hosts or networks. When static NAT is configured, outside hosts or networks connect to devices on the inside using a public or external IP address. This hides the private IP addresses of hosts on the inside. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure static NAT.
Certification Level:
This lab is suitable for CCENT and CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 10 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on R1, R3, and Sw1 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 256 Kbps to R3. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.
Task 3:
Configure VLAN50 named NAT_VLAN on Sw1. Assign the FastEthernet0/2 interface on Sw1 to this VLAN. Also, configure Sw1 to allow Telnet access using the password CISCO.
Task 4:
Configure interface VLAN50 on Sw1 and assign it the IP address illustrated in the topology. The default gateway on Sw1 should be 10.2.2.2. Next, configure interface interface FastEthernet0/0 in R3 and assign it the IP address illustrated in the topology.
Task 5:
Test connectivity by pinging from R1 to R3 and pinging from R3 to Sw1. These should all be successful. However, since R1 does not know about the 10.2.2.0/27 subnet, Sw1 will not be able to ping R1. Verify this.
Task 6:
Configure R3 F0/0 as the inside NAT interface and S0/0 as the outside NAT interface. Next, create a static NAT statement on R3 mapping the inside address of 10.2.2.4 (Sw1 interface VLAN50) to the outside address of 192.168.254.4.
Task 7:
Ping from Sw1 to R1 and verify that the ping is successful. Next, telnet from R1 to 192.168.254.4 and verify that you are connected to Sw1 via the NAT configured on R3.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring DCE clocking and IP addressing, please refer to earlier labs.
Task 3:
Sw1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
Sw1(config)#vlan50
Sw1(config-vlan)#name NAT_VLAN
Sw1(config-vlan)#exit
Sw1(config)#int f0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport access vlan50
Sw1(config-if)#no shutdown
Sw1(config-if)#exit
Sw1(config)#line vty 0 15
Sw1(config-line)#password CISCO
Sw1(config-line)#login
Sw1(config-line)#end
Sw1#
Sw1#show vlan brief
VLAN Name Status Ports
---- ---------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
50 NAT_VLAN active Fa0/2
[Output Truncated]
Task 4:
Sw1#conf t Enter configuration commands, one per line. End with CTRL/Z. Sw1(config)#int vlan1 Sw1(config-if)#shutdown Sw1(config-if)#exit Sw1(config)#int vlan50 Sw1(config-if)#no shutdown Sw1(config-if)#ip address 10.2.2.4 255.255.255.224 Sw1(config-if)#exit Sw1(config)#ip default-gateway 10.2.2.2 Sw1(config)#end Sw1# R3#conf t Enter configuration commands, one per line. End with CTRL/Z. R3(config)#int fa0/0 R3(config-if)#no shutdown R3(config-if)#ip address 10.2.2.2 255.255.255.224 R3(config-if)#end R3#
Task 5:
R1#ping 192.168.254.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.254.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms R3#ping 192.168.254.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms R3#ping 10.2.2.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.2.2.4, timeout is 2 seconds: ..!!! Success rate is 60 percent (3/5), round-trip min/avg/max = 1/3/4 ms Sw1#ping 10.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms Sw1#ping 192.168.254.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Task 6:
R3#conf t Enter configuration commands, one per line. End with CTRL/Z. R3(config)#int fa0/0 R3(config-if)#ip nat inside R3(config-if)#exit R3(config)#int s0/0 R3(config-if)#ip nat outside R3(config-if)#exit R3(config)#ip nat inside source static 10.2.2.4 192.168.254.4 R3(config)#end R3# R3#show ip nat translations Pro Inside global Inside local Outside local Outside global --- 192.168.254.4 10.2.2.4 --- ---
Task 7:
Sw1#ping 192.168.254.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms R1#telnet 192.168.254.4 Trying 192.168.254.4 ... Open User Access Verification Password: Sw1#
NOTE: You can look at translation statistics using the show ip nat statistics command. If you are having issues with NAT, this command can show you the hits versus the misses, which indicates successful versus unsuccessful translations. Use those counters to troubleshoot Network Address Translation. If it isn’t working, check that you added the nat statements to the interfaces and the default gateway to the switch.
R3#show ip nat statistics Total active translations: 1 (1 static, 0 dynamic; 0 extended) Outside interfaces: Serial0/0 Inside interfaces: FastEthernet0/0 Hits: 53 Misses: 0 Expired translations: 0 Dynamic mappings:
Also keep in mind that because you configured static NAT, you will not see any dynamic NAT mappings or translation statistics until you configure dynamic NAT.