Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure interface-based PAT.
Lab Purpose:
PAT configuration is a fundamental skill. PAT provides many-to-one translation using random port numbers. This means that multiple inside hosts can use the same outside address to communicate with external devices, while hiding their private IP addresses. Like dynamic NAT, PAT works in one direction only: from the inside to the outside. Interface-based PAT translates all private IP addresses to the outside interface on the router. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure interface-based Port Address Translation.
Certification Level:
This lab is suitable for CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 10 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on R1, R3, and Sw1 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 256 Kbps to R2. Configure the IP addresses on the Serial interfaces of R1 and R3 as illustrated in the topology.
Task 3:
Configure VLAN50 named NAT_VLAN on Sw1. Assign the FastEthernet0/2 interface on Sw1 to this VLAN. Also, configure R1 to allow Telnet access using the password CISCO.
Task 4:
Configure interface VLAN50 on Sw1 and assign it the IP address illustrated in the topology. The default gateway on Sw1 should be 10.2.2.2. Next, configure interface FastEthernet0/0 in R2 and assign it the IP address illustrated in the topology.
Task 5:
Test connectivity by pinging from R1 to R3 and pinging from R2 to Sw1. These should all be successful. However, since R1 does not know about the 10.2.2.0/27 subnet, Sw1 will not be able to ping R1, or vice versa.
Task 6:
Create an ACL to permit only ICMP and Telnet traffic from the 10.2.2.0/27 subnet to any destination. You can create either a named or numbered ACL to complete this task.
Task 7:
Configure R3 F0/0 as the inside interface for NAT and S0/0 as the outside interface for NAT. Next, configure PAT to translate all IP addresses specified in the ACL you configured in Task 6 to the S0/0 interface of R3.
Task 8:
Ping R1 from Sw1. Also, perform a telnet from Sw1 to R1. If you have configured interface-based PAT correctly, the ping and telnet should work. Check the NAT translation table on R3 using the show ip nat translations command.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring DCE clocking and IP addresses, please refer to earlier labs.
Task 3:
For reference information on configuring VLANs and Telnet, please refer to earlier labs.
Task 4:
For reference information on configuring SVIs and default gateways, please refer to earlier labs.
Task 5:
For reference information on pinging, please refer to earlier labs.
Task 6:
R3#conf t Enter configuration commands, one per line. End with CTRL/Z. R3(config)#access-list 140 remark “Permit ICMP Traffic For NAT” R3(config)#access-list 140 permit icmp 10.2.2.0 0.0.0.31 any R3(config)#access-list 140 permit tcp 10.2.2.0 0.0.0.31 any eq telnet R3(config)#end R3# R3#show ip access-lists 140 Extended IP access list 140 10 permit icmp 10.2.2.0 0.0.0.31 any 20 permit tcp 10.2.2.0 0.0.0.31 any eq telnet
Task 7:
R3#conf t Enter configuration commands, one per line. End with CTRL/Z. R3(config)#int fa0/0 R3(config-if)#ip nat inside R3(config-if)#exit R3(config)#int s0/0 R3(config-if)#ip nat outside R3(config-if)#exit R3(config)#ip nat inside source list 140 interface serial0/0 overload R3(config)#end R3#
NOTE: Port Address Translation (or NAT Overload) is enabled with the overload keyword in the ip nat inside source list command. This allows the router to overload address translation to the specified interface or IP address. Do not forget to issue this keyword when configuring PAT. Otherwise, you will have created dynamic NAT and will run out of addresses after the very first translation.
Task 8:
Perform a ping, and then telnet from Sw1 and disconnect from the Telnet session.
Sw1#ping 192.168.254.1 Sw1#telnet 192.168.254.1 R3#show ip nat translations Pro Inside global Inside local Outside local Outside global Tcp 192.168.254.2:11777 10.2.2.4:11777 192.168.254.1:23 192.168.254.1:23 icmp 192.168.254.2:4176 10.2.2.4:4176 192.168.254.1:4176 192.168.254.1:4176 icmp 192.168.254.2:4177 10.2.2.4:4177 192.168.254.1:4177 192.168.254.1:4177 icmp 192.168.254.2:4178 10.2.2.4:4178 192.168.254.1:4178 192.168.254.1:4178 icmp 192.168.254.2:4179 10.2.2.4:4179 192.168.254.1:4179 192.168.254.1:4179 icmp 192.168.254.2:4180 10.2.2.4:4180 192.168.254.1:4180 192.168.254.1:4180
NOTE: Notice that there is only one translation for telnet but there are five translations for ping. This is because a dynamic translation is created for every ping packet sent. By default, Cisco routers and switches will send five ping packets. You can tell they are from the same ping because the port numbers are sequential.
Also, by using interface-based PAT, R1 will see all packets (ping and telnet) being sourced from the Serial0/0 interface of R3. If you enabled the debug ip packet detail command on R1, you would see the following for Telnet:
*Mar 1 01:07:45.127: TCP src=23, dst=12289, seq=2994196370, ack=125681435, win=4085 ACK PSH *Mar 1 01:07:45.272: IP: tableid=0, s=192.168.254.2 (Serial0/0), d=192.168.254.1 (Serial0/0), routed via RIB
In a similar manner, you would also see the following for pings from Sw1:
*Mar 1 01:08:40.907: IP: s=192.168.254.2 (Serial0/0), d=192.168.254.1 (Serial0/0), len 100, rcvd 3 *Mar 1 01:08:40.907: ICMP type=8, code=0 *Mar 1 01:08:40.907: IP: tableid=0, s=192.168.254.1 (local), d=192.168.254.2 (Serial0/0), routed via FIB *Mar 1 01:08:40.907: IP: s=192.168.254.1 (local), d=192.168.254.2 (Serial0/0), len 100, sending *Mar 1 01:08:40.907: ICMP type=0, code=0 R#show ip nat statistics Total active translations: 5 (0 static, 5 dynamic; 5 extended) Outside interfaces: Serial0/0 Inside interfaces: FastEthernet0/0 Hits: 153 Misses: 23 Expired translations: 16 Dynamic mappings: -- Inside Source [Id: 3] access-list 140 interface Serial0/0 refcount 5