Monday 21 October 2019

PAT Configuration on Cisco NAT overload

This section covers configuring PAT (Port Address Translation), also called NAT overload, on a Cisco router. You will find the complete commands along with a practical example. PAT is one type of NAT; static NAT and dynamic NAT are the others.
PAT (also called "NAT with overload") conserves addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. In other words, a single public IPv4 address can be used for hundreds, even thousands, of internal private IPv4 addresses. When this type of translation is configured, the router maintains enough information from the higher-level protocols (TCP or UDP port numbers, for example) to translate the inside global address back to the correct inside local address. When multiple inside local addresses are mapped to one inside global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.

Steps to configure PAT on Cisco Router

There are two ways to configure PAT, depending on how the ISP assigns public IPv4 addresses. In the first case, the ISP assigns more than one public IPv4 address to the organization; in the second, it assigns a single public IPv4 address that is required for the organization to connect to the ISP.
If more than one public IPv4 address was issued for a site, these addresses may be part of a pool used by PAT. This is similar to dynamic NAT, with the exception that there are not enough public addresses to make a one-to-one assignment between inside and outside addresses. A large number of devices share the small pool of addresses.
The following table shows the steps to configure PAT to use an address pool. The main difference between this configuration and the one-to-one dynamic NAT configuration is that the keyword overload is used. The overload keyword enables PAT.
Steps (the command for each step is on the indented line below it)
1. Define the pool of global addresses that should be used for overload translation.
    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. Define a standard access list that permits the addresses to be translated.
    access-list access-list-number permit source [source-wildcard]
3. Specify the access list and pool defined in the previous steps to establish the overload translation.
    ip nat inside source list access-list-number pool name overload
4. Identify the inside interface.
    interface type number
    ip nat inside
5. Identify the outside interface.
    interface type number
    ip nat outside
Table of steps to configure PAT.

PAT configuration example 

The sample configuration shown in Image 1 sets up overload translation for the NAT pool named NAT-POOL2. NAT-POOL2 contains the addresses from 209.165.200.226 to 209.165.200.240. Hosts on the 192.168.0.0/16 network are subject to translation. The S0/0/0 interface is identified as the inside interface, and the S0/1/0 interface is identified as the outside interface.
R2(config)# ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat inside
R2(config-if)# interface Serial0/1/0
R2(config-if)# ip nat outside

Steps to Configure PAT with a Single Address

In Image 2, the topology of a PAT implementation for the translation of a single public IPv4 address is shown. In the example, all hosts on the 192.168.0.0/16 network (which matches ACL 1) that send traffic to the Internet through router R2 are translated to IPv4 address 209.165.200.225 (the IPv4 address of interface S0/1/0). Traffic flows are identified by the port numbers in the NAT table, since the keyword overload was used.

The following table shows the steps that must be followed to configure PAT with a single IPv4 address. If there is only a single public IPv4 address available, the overload configuration generally assigns the public address to the outside interface that connects to the ISP. All inside addresses are translated to that single IPv4 address when they leave the outside interface.
Steps (the command for each step is on the indented line below it)
1. Define a standard access list that permits the addresses to be translated.
    access-list access-list-number permit source [source-wildcard]
2. Specify the ACL, outbound interface and overload options to establish the dynamic source translation.
    ip nat inside source list access-list-number interface type number overload
3. Identify the inside interface.
    interface type number
    ip nat inside
4. Identify the outside interface.
    interface type number
    ip nat outside
Table of steps to configure PAT: Unique address.

The configuration is similar to that of dynamic NAT, except that, instead of a pool of addresses, the keyword interface is used to identify the outside IPv4 address. Therefore, no NAT pool is defined.

PAT PROCESS

The NAT process with overload is the same whether a pool of addresses or a single address is used. In the previous example of PAT, PC1 wishes to communicate with the web server Svr1 through a single public IPv4 address. At the same time, another client, PC2, wants to establish a similar session with the Svr2 web server. Both PC1 and PC2 are configured with private IPv4 addresses, and R2 is enabled for PAT.

COMPUTER TO SERVER PROCESS



  • 1. In Image 3, it is shown that PC1 and PC2 send packets to servers Svr1 and Svr2, respectively. PC1 has the source IPv4 address 192.168.10.10 and uses TCP source port 1444. PC2 has the source IPv4 address 192.168.10.11 and, by chance, is assigned the same source port 1444.
  • 2. The packet from PC1 arrives first at R2. Using PAT, R2 changes the source IPv4 address to 209.165.200.225 (the inside global address). In the NAT table, no other device uses port 1444, so PAT keeps the same port number. The packet is then forwarded to Svr1 at 209.165.201.1.
  • 3. Next, the packet from PC2 arrives at R2. PAT is configured to use a single inside global IPv4 address for all translations, 209.165.200.225. As with the translation process for PC1, PAT changes the source IPv4 address of PC2 to the inside global address 209.165.200.225. However, PC2 has the same source port number as a current PAT entry, the translation for PC1. PAT increases the source port number until it is a unique value in its table. In this case, the source port entry in the NAT table and the PC2 packet receive the number 1445.

Although PC1 and PC2 use the same translated address, inside global address 209.165.200.225, and the same source port number 1444, the modified port number for PC2 (1445) makes each entry in the NAT table unique. This becomes evident when packets are returned from the servers to the clients.

SERVER TO COMPUTER PROCESS



  • 4. As shown in Image 4, in a typical exchange between client and server, servers Svr1 and Svr2 respond to requests received from PC1 and PC2, respectively. The servers use the source port of the received packet as the destination port and the source address as the destination address for return traffic. The servers appear to be communicating with the same host at 209.165.200.225, but they are not.
  • 5. As packets arrive, R2 locates a single entry in its NAT table using the destination address and destination port of each packet. In the case of the packet from Svr1, the destination IPv4 address 209.165.200.225 has several entries, but only one with the destination port 1444. Using that entry in its table, R2 changes the destination IPv4 address of the packet to 192.168.10.10, without the need to modify the destination port. Then, the packet is forwarded to PC1.
  • 6. When the packet from Svr2 arrives, R2 performs a similar translation. Destination IPv4 address 209.165.200.225 again appears in several entries. However, with destination port 1445, R2 can identify a single translation entry. The destination IPv4 address is changed to 192.168.10.11. In this case, the destination port must also be changed back to its original value of 1444, which is stored in the NAT table. Then, the packet is forwarded to PC2.
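
The port handling in steps 1 to 6 can be replayed with a small model of the translation table. This Python sketch is an added example, not part of the original post and not how IOS is implemented; the class and function names are hypothetical, and the count-upward port search follows the simplified description above.

```python
from dataclasses import dataclass, field

INSIDE_GLOBAL = "209.165.200.225"  # address of R2's outside interface, from the page


@dataclass
class PatTable:
    inside_global: str
    # (protocol, translated port) -> (inside local IP, original source port)
    entries: dict = field(default_factory=dict)

    def translate_outbound(self, proto, src_ip, src_port):
        """Return (inside global IP, translated port) for an outbound packet."""
        # A flow that already has an entry keeps its translation.
        for (p, port), local in self.entries.items():
            if p == proto and local == (src_ip, src_port):
                return self.inside_global, port
        # Keep the source port if it is free; otherwise count upward until the
        # (protocol, port) pair is unique, as the page describes.
        for port in range(src_port, 65536):
            if (proto, port) not in self.entries:
                self.entries[(proto, port)] = (src_ip, src_port)
                return self.inside_global, port
        raise RuntimeError("no free port above %d in this simplified model" % src_port)

    def translate_inbound(self, proto, dst_ip, dst_port):
        """Return (inside local IP, original port) for return traffic, or None."""
        if dst_ip != self.inside_global:
            return None
        # Without a matching entry there is nothing to translate the packet to.
        return self.entries.get((proto, dst_port))


def walk_through():
    """Replay steps 1 to 6 with the addresses and ports used on the page."""
    pat = PatTable(INSIDE_GLOBAL)
    pc1_out = pat.translate_outbound("tcp", "192.168.10.10", 1444)
    pc2_out = pat.translate_outbound("tcp", "192.168.10.11", 1444)
    svr1_back = pat.translate_inbound("tcp", INSIDE_GLOBAL, pc1_out[1])
    svr2_back = pat.translate_inbound("tcp", INSIDE_GLOBAL, pc2_out[1])
    return pc1_out, pc2_out, svr1_back, svr2_back


if __name__ == "__main__":
    for result in walk_through():
        print(result)
```
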

VERIFICATION OF A PAT

Router R2 was configured to provide PAT to 192.168.0.0/16 clients. When traffic from inside hosts leaves the R2 router toward the Internet, it is translated to an IPv4 address from the PAT pool with a unique source port number.
To verify PAT, the same commands that are used to verify static and dynamic NAT are used, as shown below. The show ip nat translations command shows the translations of two different hosts to different web servers. Note that the same IPv4 address 209.165.200.226 (inside global address) is assigned to two different inside hosts. The source port numbers in the NAT table distinguish the two transactions.

R2# show ip nat translations
Pro Inside global          Inside local         Outside local       Outside global
tcp 209.165.200.226:51839  192.168.10.10:51839  209.165.201.1:80    209.165.201.1:80
tcp 209.165.200.226:42558  192.168.11.10:42558  209.165.202.129:80  209.165.202.129:80
R2#
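
Because many inside hosts share one public address, tracing a connection seen in an external log back to its source depends on the address-and-port pair in this table. The following Python sketch is an added example, not part of the original post; it parses the output shown above (function names are hypothetical), reports which inside global addresses are overloaded, and resolves a public address and port to the inside host.

```python
import re
from collections import defaultdict

# Output copied from the listing above (prompt lines removed).
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 209.165.200.226:51839 192.168.10.10:51839 209.165.201.1:80 209.165.201.1:80
tcp 209.165.200.226:42558 192.168.11.10:42558 209.165.202.129:80 209.165.202.129:80
"""

# Protocol followed by four ip:port columns (extended, i.e. PAT, entries only).
ROW = re.compile(r"^(tcp|udp)\s+"
                 + r"\s+".join([r"(\d+\.\d+\.\d+\.\d+):(\d+)"] * 4) + r"\s*$")
KEYS = ("inside_global", "inside_local", "outside_local", "outside_global")


def parse_translations(text):
    """Return one dict per extended translation; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, prompt, or entries without port numbers
        proto, *cols = m.groups()
        row = {"proto": proto}
        for i, key in enumerate(KEYS):
            row[key] = (cols[2 * i], int(cols[2 * i + 1]))
        rows.append(row)
    return rows


def overloaded_addresses(rows):
    """Inside global IPs that are shared by more than one inside local IP."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["inside_global"][0]].add(r["inside_local"][0])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) > 1}


def find_inside_host(rows, proto, global_ip, global_port):
    """Resolve a public ip:port (for example from a server log) to an inside host."""
    matches = {r["inside_local"] for r in rows
               if r["proto"] == proto and r["inside_global"] == (global_ip, global_port)}
    if len(matches) > 1:
        raise ValueError("ambiguous: several inside hosts for one inside global ip:port")
    return matches.pop() if matches else None


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(overloaded_addresses(table))
    print(find_inside_host(table, "tcp", "209.165.200.226", 42558))
```

Dynamic entries age out of the table, so attribution after the fact needs translation records captured at the time of the connection.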
As shown below, the show ip nat statistics command verifies that NAT-POOL2 has allocated a single address for both translations. The output includes information on the number and type of active translations, the NAT configuration parameters, the number of addresses in the pool and how many have been allocated.
R2# clear ip nat statistics

R2# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 2, occurred 00:00:05 ago
Outside interfaces:
  Serial0/0/1
Inside interfaces:
  Serial0/1/0
Hits: 4  Misses: 0
CEF Translated packets: 4, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 1 pool NAT-POOL2 refcount 2
 pool NAT-POOL2: netmask 255.255.255.224
        start 209.165.200.226 end 209.165.200.240
        type generic, total addresses 15, allocated 1 (6%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R2#
