So now we can actually start on our static NAT config.
(With static NAT there's one command! But with dynamic NAT we end up writing an ACL to identify the inside devices whose addresses can be translated.)
With static NAT the only command we're really dealing with is the one that creates the static mapping.
And here's where the command differs, because the same command, ip nat inside source, is used for both static NAT and dynamic NAT; it's the next keyword that changes.
"static" specifies a static local-to-global mapping. (When you use dynamic NAT you'll call an access list instead, which describes, that is identifies, the local addresses.)
Then you need to put your inside local IP address here.
So that's going to be 10.1.1.2.
And then the inside global IP address... and that's it, because the remaining options are for future studies.
So we're assuming that we were given the addresses 200.1.1.1 and 200.1.1.2, and we mapped them to 10.1.1.2 and 10.1.1.22, and that's all there is to it.
If you want to check your work, run 'show ip nat translations'.
We have the 'inside global' and the 'inside local' columns, and they match up exactly as we described.
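Here is the whole static NAT configuration for R1 as described above, as an added example rather than the page's own command listing. What the page gives is the two inside local addresses, the two inside global addresses and the mapping command; the interface names (Loopback2, Loopback22, Serial0/0), the 255.255.255.0 mask on the serial link and the show output are assumptions.

```cisco
! R1 -- static NAT (added example; interface names and the serial mask are assumed)
!
! The two inside hosts live on loopbacks with 32-bit masks. Marking an interface
! "ip nat inside" or "ip nat outside" is what tells IOS which direction to translate;
! without these two markings the mapping commands below do nothing.
interface Loopback2
 ip address 10.1.1.2 255.255.255.255
 ip nat inside
!
interface Loopback22
 ip address 10.1.1.22 255.255.255.255
 ip nat inside
!
interface Serial0/0
 ip address 172.12.123.1 255.255.255.0
 ip nat outside
!
! The one static NAT command: inside local -> inside global, one line per host.
ip nat inside source static 10.1.1.2 200.1.1.1
ip nat inside source static 10.1.1.22 200.1.1.2
!
! Check the work. Static entries appear immediately, before any traffic is sent,
! with no protocol/port and no outside columns filled in (constructed output).
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.2           ---                ---
--- 200.1.1.2          10.1.1.22          ---                ---
```

One thing to keep in mind with static entries: they work in both directions. Traffic arriving on the outside interface addressed to 200.1.1.1 is translated to 10.1.1.2 whether or not 10.1.1.2 ever started a conversation, so a static mapping is a permanent inbound path to that host. If the host is not meant to be reachable from outside, put an ACL on the outside interface to say so; NAT by itself is not the control.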
And really, for static NAT, that is it. Again, it has limited, specialized uses: if you have a server that you want behind NAT but you don't want its translated address to change from time to time, you might use static NAT. But you can also see what the drawbacks are.
Because the problem here is that you've got to have all these routable addresses to give out in the first place, whether you're using static or dynamic NAT.
But these hosts may not even be using their addresses right now.
And yet the addresses are tied up.
You can't give 200.1.1.1 to anybody else because it is statically mapped to 10.1.1.2, and that is the drawback of static NAT.
Dynamic NAT (DNAT)
The issue with static NAT is the issue with static anything, and that's scalability. If you have quite a few hosts that need address translation, dynamic NAT is the NAT for you.
Dynamic NAT lets us create a pool of inside global addresses. Those routable addresses are mapped to particular private addresses on an as-needed basis, and the mapping is dropped when the translation is no longer active.
(It sounds like DHCP! With DHCP we don't statically assign IP addresses; we hand them out dynamically when someone needs one, and when that host no longer needs it, the address eventually returns to the pool. It's the same thing with dynamic NAT: we create a pool of addresses, and when a device that we've identified as allowed to use the service needs one, it gets one, and when it's no longer using it, the address is returned to the pool.)
So let's configure dynamic NAT...
I have removed all of the static NAT commands from R1. We're using the same two interfaces, 10.1.1.2 and 10.1.1.22 (the ones with 32-bit masks).
So we've got those in place, and now we're going to build our pool first.
So we've really got to do three things:
- create the pool of inside global addresses
- create an access list identifying the hosts that are allowed to use that pool
- write an ip nat inside source statement that calls that list, by name or number, and calls the pool
So the first thing we really should do is configure the pool.
We've got to give it a name.
You're not going to enter each IP address in your pool individually.
You've got to give it a range. So we're going to go with 200.1.1.1 through 200.1.1.5 with a 24-bit mask (prefix-length 24).
(I could also put netmask 255.255.255.0.)
Now let's write our access list.
Now what exactly should my ACL look like? Let's say I'm going to use number 2, with one permit line for each of the two hosts.
I don't need anything else because I'm just going to rely on the implicit deny. So right now these two hosts are the only hosts that can have their addresses translated by NAT. Now let's do the third step, which is the ip nat inside source command.
(Here is where it changes from static NAT, because we're going to use the list keyword here.)
Then the list's name or number... then you've actually got to put the word pool.
Notice that there's also an option for interface (specify an interface whose address is used as the global address).
We're going with the pool, though, because that's what we're doing.
And then you simply name the pool that you just created. There are some further options there that we don't need!
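The three steps above, written out as an added example for R1 (this is not the page's own listing). The pool name NATPOOL and the interface names are assumptions; the address range, mask, ACL number and the two hosts are the page's.

```cisco
! R1 -- dynamic NAT (added example; pool name and interface names are assumed)
!
! The static mappings have to go first: they never age out, and they would
! otherwise still claim 200.1.1.1 and 200.1.1.2 out from under the pool.
no ip nat inside source static 10.1.1.2 200.1.1.1
no ip nat inside source static 10.1.1.22 200.1.1.2
!
! Step 1: the pool. Give it a name and a range, not a list of addresses.
! Either mask form works; the two lines below are equivalent, so pick one.
ip nat pool NATPOOL 200.1.1.1 200.1.1.5 prefix-length 24
! ip nat pool NATPOOL 200.1.1.1 200.1.1.5 netmask 255.255.255.0
!
! Step 2: the ACL that selects which inside local addresses may be translated.
! Only what is permitted gets a pool address; anything else hits the implicit
! deny at the end of the list and is routed untranslated.
access-list 2 permit host 10.1.1.2
access-list 2 permit host 10.1.1.22
!
! Step 3: tie the list to the pool. "list" is where the command diverges from
! the static form; "pool" names the range to draw from.
ip nat inside source list 2 pool NATPOOL
!
! The inside/outside marking from the static lab is unchanged and still
! required (interface names assumed):
!   interface Loopback2   -> ip nat inside
!   interface Loopback22  -> ip nat inside
!   interface Serial0/0   -> ip nat outside
```

The ACL is the admission control for the pool, so keep it to the specific hosts that should be translated; a permit any here would let every inside-marked host consume one of the five addresses. Before sending any traffic, show ip nat statistics will confirm the list-to-pool binding and show the pool's size and how many addresses are currently allocated.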
And it's in place. Now we've got to send some pings; we'll send them across our little cloud to 172.12.123.2 and check those translations.
OK, I sent the ping from R1 over to R2... we know what address that is by now: Router 2's serial interface. The pings go through with no problem at all.
But I don't have a translation. Why don't I have a translation?
Because the source address of those pings is 172.12.123.1. By default, the source IP address of a ping is the address of the interface the packet leaves on, and that address isn't in our access list.
So that's when we have to use a bit of an extended ping. We're going to use an option with our ping command: ping 172.12.123.2 source ...
I know you remember this one... specify the source.
I could put Loopback2 or Loopback22 here if I wanted to, but instead I'm just going to put the IP address.
That's the only thing we really needed to change. So let's go with 10.1.1.2...
The pings go through just fine. Now let's run show ip nat translations.
Even though a port-style number appears here with ":6" (for ICMP this field is the ICMP identifier, not a TCP/UDP port), the inside global entries are the same.
So our mapping is working just fine. Our mapping was to 200.1.1.1, the first address pulled out of the pool, and the inside local that sent the ping was 10.1.1.2. As for outside local and outside global, note that they're the same, and you're going to see that sometimes; in this case that's because we're not running NAT on R2, so there's no translation on that side. We're really concentrating on the inside information here.
Now if we send another ping from our other friend, we should get a different address from the pool (they come out in order, so it should be 200.1.1.2).
So we moved up one port number. Also note that the original ICMP entry for 200.1.1.1 has gone, and we're left with the mapping we expect (10.1.1.2 to 200.1.1.1) plus the mapping for 10.1.1.22 (the one we just sent), which has been mapped to 200.1.1.2... just that simple.
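The verification sequence described above, including the failure mode, as an added example that is not part of the original page. The ping output and the translation tables are constructed to match what the text describes; the ICMP identifiers 6 and 7 are the page's, everything else in the output is illustrative.

```cisco
! Verifying dynamic NAT from R1 (added example; all output below is constructed)
!
! A plain ping is sourced from the outgoing serial address, 172.12.123.1.
! It is routed fine, but access-list 2 does not match it, so nothing is translated.
R1# ping 172.12.123.2
!!!!!
Success rate is 100 percent (5/5)
R1# show ip nat translations
R1#
!
! Source the ping from an inside local address instead. The "source" keyword
! takes either an address or an interface name (Loopback2 would do the same job).
R1# ping 172.12.123.2 source 10.1.1.2
!!!!!
Success rate is 100 percent (5/5)
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.1.1.1:6       10.1.1.2:6         172.12.123.2:6     172.12.123.2:6
--- 200.1.1.1          10.1.1.2           ---                ---
!
! Second host: the next address is taken from the pool in order. The per-ping
! icmp row for the first host has aged out by now; its address row remains.
R1# ping 172.12.123.2 source 10.1.1.22
!!!!!
Success rate is 100 percent (5/5)
R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.2           ---                ---
icmp 200.1.1.2:7       10.1.1.22:7        172.12.123.2:7     172.12.123.2:7
--- 200.1.1.2          10.1.1.22          ---                ---
!
! Flush every dynamic entry; static entries, if any were configured, are untouched.
R1# clear ip nat translation *
R1# show ip nat translations
R1#
```

The two row types age out differently. The icmp row follows the ICMP timeout (60 seconds by default, adjustable with ip nat translation icmp-timeout). The address-level row with the --- columns is the one that actually holds a pool address, and by default it lives for 24 hours (ip nat translation timeout) even if the host has gone quiet. That is why pool addresses can hang around long after they are needed, and why clearing the table is sometimes the only way to free them for another host; note that the clear drops in-progress translations for every dynamic host, not just the idle ones.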
You may run into a situation where some translations hang around in the table too long and you just want to clear them out, or where you have ten hosts but only five routable addresses.
Well, if you set up dynamic NAT for that, sooner or later somebody who needs an address isn't going to get one.
If you want to clear this table of all the dynamic entries, run 'clear ip nat translation'... you'll have some options there, but I would go with the asterisk (delete all dynamic translations).
And now if you run 'show ip nat translations' you have nothing.
That's a handy thing to use once in a while (clear ip nat translation *).
Now, I didn't run that when we did static NAT, because it only gets rid of dynamic translations; your static ones stay in the table for as long as you leave the mapping configured.
That's why I took them out before we started this lab.