Network Address Translation Lab

Introduction

The purpose of this exercise is to learn how to configure NAT for a campus network. We will be setting up NAT on the border router so that the campus private IPv4 address space (172.2X.0.0/16) will be NATed so that devices using that private address space can reach the public Internet.

Setting up NAT on the Border Router

NOTE: Make sure you replace X with your Campus number.

Create a pool of addresses to use for NAT:

ip nat pool CAMPUSX 100.68.X.33 100.68.X.46 prefix-length 28

Create an access list that defines the addresses that should be translated:

ip access-list extended NATplus
 remark Do not NAT NREN address space
 deny ip 100.68.0.0 0.0.0.255 any
 remark Do not NAT our public address space
 deny ip 100.68.X.0 0.0.0.255 any
 remark NAT traffic which goes to the Internet
 permit ip 172.2X.0.0 0.0.255.255 any
 remark Do not NAT anything else - and log anything that gets this far
 deny ip any any log

Link the access list and the address pool together:

ip nat inside source list NATplus pool CAMPUSX overload

The command you have just entered tells the router to look for packets from inside hosts whose source address matches the NATplus list, and to translate that source address into one from the CAMPUSX pool. The overload keyword lets the router map many internal addresses onto the small range of external public addresses by translating the source port as well as the address. Without overload, NAT simply maps one internal address to one external address – and with only 14 addresses in the CAMPUSX pool, only 14 internal addresses could be translated before the pool is exhausted.

Now add the address translation to the network interfaces of the Border router:

interface GigabitEthernet0/0
 description Link to NREN
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to Core Router
 ip nat inside
!
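As an added illustration, not part of the lab's IOS configuration, the following Python model reproduces what the configuration above does: first-match evaluation of the NATplus wildcard-mask access list, then allocation from the CAMPUSX pool with and without overload. It assumes campus number X = 1 and uses constructed inside hosts; the port-selection rule under overload is a simplification of what IOS actually does.

```python
import ipaddress

# Campus number X for this example: assumed to be 1 (constructed).
X = 1

# The NATplus access list from the lab as (action, network, wildcard mask).
# IOS evaluates entries top to bottom and the first match wins; the final
# entry models the lab's explicit "deny ip any any log".
NATPLUS_ACL = [
    ("deny",   "100.68.0.0",    "0.0.0.255"),        # NREN address space
    ("deny",   f"100.68.{X}.0", "0.0.0.255"),        # our own public space
    ("permit", f"172.2{X}.0.0", "0.0.255.255"),      # campus private space
    ("deny",   "0.0.0.0",       "255.255.255.255"),  # deny ip any any log
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: every 0 bit in the wildcard must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits the entry cares about
    return (a & care) == (n & care)


def acl_action(src: str, acl=NATPLUS_ACL) -> str:
    """Return 'permit' or 'deny' for a source address; first match wins."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"                  # implicit deny at the end of every IOS ACL


class NatPool:
    """Model of 'ip nat pool' as used by 'ip nat inside source list ... pool ...'."""

    def __init__(self, first: str, last: str, overload: bool):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.one_to_one = {}       # inside local -> inside global (no overload)
        self.pat_table = {}        # (inside local, port) -> (inside global, port)
        self.used_ports = set()    # (inside global, port) pairs already handed out

    def translate(self, inside_local: str, src_port: int):
        """Inside-global (address, port) for a flow, or None when the packet is
        not translated: ACL deny, or pool exhausted without overload."""
        if acl_action(inside_local) != "permit":
            return None
        if not self.overload:
            if inside_local not in self.one_to_one:
                if len(self.one_to_one) == len(self.addresses):
                    return None    # 14 hosts already own the 14 pool addresses
                self.one_to_one[inside_local] = self.addresses[len(self.one_to_one)]
            return (self.one_to_one[inside_local], src_port)
        key = (inside_local, src_port)
        if key not in self.pat_table:
            # PAT: the first pool address carries all flows; the original source
            # port is kept when free (as in the lab's show output), otherwise the
            # lowest free port above 1023 is used. Simplified relative to IOS.
            global_addr = self.addresses[0]
            port = src_port
            if (global_addr, port) in self.used_ports:
                port = next(p for p in range(1024, 65536)
                            if (global_addr, p) not in self.used_ports)
            self.used_ports.add((global_addr, port))
            self.pat_table[key] = (global_addr, port)
        return self.pat_table[key]


if __name__ == "__main__":
    hosts = [f"172.2{X}.20.{h}" for h in range(1, 16)]   # 15 constructed hosts
    plain = NatPool(f"100.68.{X}.33", f"100.68.{X}.46", overload=False)
    print("without overload:", [plain.translate(h, 32803) for h in hosts])
    pat = NatPool(f"100.68.{X}.33", f"100.68.{X}.46", overload=True)
    print("with overload:   ", [pat.translate(h, 32803) for h in hosts])
```

Running it shows the point made above: without overload the fifteenth host gets no translation at all, while with overload every host shares 100.68.1.33 and is told apart by port.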

Testing

Log into one of your switches. These have addresses in the 172.2X.0.0/16 range.

Can you ping your border router?

Now try to ping the NREN Transit router on 100.64.0.2 – does it work?

Can you ping 100.64.0.1? This is the default gateway in the workshop network.

The Transit router knows nothing about your 172.2X.0.0/16, so if Network Address Translation is working, the original source address of each packet has been translated into an address from the range:

100.68.X.32 – 100.68.X.47

You can use the command

show ip nat translations
show ip nat translations verbose

on your Border router to see what’s happening.

Can you ping hosts on the wider Internet from one of your switches? For example, can you ping 8.8.8.8?

If the ping works, try a traceroute (trace) to 8.8.8.8. What do you see?

NAT timeouts

After a traceroute to 8.8.8.8 on the edge switches, look at the NAT state on the border router:

bdr1.campus1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 100.68.1.33:32803  172.21.20.4:32803  8.8.8.8:33457      8.8.8.8:33457
udp 100.68.1.33:32834  172.21.20.4:32834  8.8.8.8:33442      8.8.8.8:33442
udp 100.68.1.33:32971  172.21.20.4:32971  8.8.8.8:33460      8.8.8.8:33460
udp 100.68.1.33:33076  172.21.20.4:33076  8.8.8.8:33447      8.8.8.8:33447
udp 100.68.1.33:35657  172.21.20.4:35657  8.8.8.8:33456      8.8.8.8:33456
... etc

Traceroute cycles through UDP ports for each hop, and generates NAT state for each one. The default settings keep these generic UDP translations open for 300 seconds, and 60 seconds for DNS and ICMP.
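As an added example, not part of the lab handout, here is a small Python parser for the show output above. It turns the table into records, counts entries per inside host, and flags the UDP port-walking pattern a traceroute leaves behind, which is the sort of check an operator can run on NAT table dumps to see which hosts are consuming translation slots. The sample text is constructed from the lab output with an icmp and a tcp line added; the traceroute port range 33434-33534 is the conventional one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lab's 'show ip nat translations' output
# (campus 1); the icmp and tcp lines are added to show other flow types.
SAMPLE_OUTPUT = """\
bdr1.campus1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 100.68.1.33:32803  172.21.20.4:32803  8.8.8.8:33457      8.8.8.8:33457
udp 100.68.1.33:32834  172.21.20.4:32834  8.8.8.8:33442      8.8.8.8:33442
udp 100.68.1.33:32971  172.21.20.4:32971  8.8.8.8:33460      8.8.8.8:33460
udp 100.68.1.33:33076  172.21.20.4:33076  8.8.8.8:33447      8.8.8.8:33447
udp 100.68.1.33:35657  172.21.20.4:35657  8.8.8.8:33456      8.8.8.8:33456
icmp 100.68.1.33:1     172.21.20.4:1      8.8.8.8:1          8.8.8.8:1
tcp 100.68.1.33:51022  172.21.11.7:51022  100.64.0.2:22      100.64.0.2:22
"""

# One translation line: protocol followed by four address:port columns.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<inside_global>[\d.]+):(?P<ig_port>\d+)\s+"
    r"(?P<inside_local>[\d.]+):(?P<il_port>\d+)\s+"
    r"(?P<outside_local>[\d.]+):(?P<ol_port>\d+)\s+"
    r"(?P<outside_global>[\d.]+):(?P<og_port>\d+)\s*$"
)


def parse_translations(text: str) -> list:
    """Parse 'show ip nat translations' output; prompt, header and '...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for key in ("ig_port", "il_port", "ol_port", "og_port"):
                e[key] = int(e[key])
            entries.append(e)
    return entries


def translations_per_host(entries) -> dict:
    """How many NAT table entries each inside host currently owns."""
    return dict(Counter(e["inside_local"] for e in entries))


def traceroute_like(entries, min_hops: int = 3) -> list:
    """(inside host, destination) pairs whose UDP entries walk the traceroute
    port range 33434-33534: the port churn described in the text above."""
    probes = defaultdict(set)
    for e in entries:
        if e["proto"] == "udp" and 33434 <= e["og_port"] <= 33534:
            probes[(e["inside_local"], e["outside_global"])].add(e["og_port"])
    return sorted(k for k, ports in probes.items() if len(ports) >= min_hops)


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_OUTPUT)
    print("entries per inside host:", translations_per_host(entries))
    print("traceroute-like flows:  ", traceroute_like(entries))
```

On the sample, 172.21.20.4 owns six of the seven entries, five of them UDP probes to 8.8.8.8 in the traceroute port range; that is the state the timeout settings below are meant to age out sooner.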

You can save memory and NAT ports on your router by making them expire more quickly:

ip nat translation udp-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30

Additional Exercise

If you have completed the above and demonstrated that it is all working, and you have some spare time, try this configuration.

Rather than having one NAT pool for the entire campus, NAT the private IPv4 address space used for each class of user into its own pool. So for example, NAT the MGMT address space into one public address, the STAFF1 address space into another public pool, and the STUDENT1 address space into a third public pool, etc.

Ask the instructors if you need any help – use the example above to guide you for this scenario.

Hint 1 – use this table for your NAT mapping:

VLAN            Internal Address Block             External Address(es)
MGMT1, MGMT2    172.2X.10.0/24 & 172.2X.20.0/24    100.68.X.33
STAFF1          172.2X.11.0/24                     100.68.X.34-36
STUDENT1        172.2X.12.0/24                     100.68.X.37-39
STAFF2          172.2X.21.0/24                     100.68.X.40-42
STUDENT2        172.2X.22.0/24                     100.68.X.43-46

Hint 2 – set up a pool for each VLAN, and a mapping (access list plus ip nat inside source list) for each pool.

Once you have made it work, show the workshop instructors.

Question: why can we not use 100.68.X.32 and 100.68.X.47 in the above?

Answer: We have noted that the subnet is a /28, and Cisco IOS treats the first and last address as unavailable for NAT as they are network and broadcast address respectively. This means that in the /28, 100.68.X.32 and 100.68.X.47 are unusable for the NAT pool.