Enabling and configuring NAT. What is NAT in a router? Entering the router settings menu

More and more digital devices are appearing in our homes: laptops, tablets and smartphones. As long as there was only one computer, connected directly to the provider's network, there were no questions. Now you face a problem: how do you connect the new laptop or tablet to the Internet as well? This is where NAT technology comes to the rescue. What is the essence of NAT?
NAT, Network Address Translation, is a mechanism in TCP/IP networks that rewrites the IP addresses (and, in its most common form, the transport port numbers) of packets passing through a router.
In simple terms, if there are several computers on a local network, then thanks to NAT all of them can reach the external Internet using one external IP address.

What is an IP address?

A router operates at layer 3 (the network layer) of the OSI model and therefore works with IP, the routed network-layer protocol of the TCP/IP stack. Addressing is an integral part of the protocol: every device on the network is assigned an IP address, a unique identifier of the node. Russian sources divide IP addresses into two kinds, "gray" and "white", meaning private and public. Private addresses are the part of the address space set aside for local networks by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. They are not routed on the Internet. Most of the remaining space is public ("white"), but not all of it: loopback 127.0.0.0/8, link-local 169.254.0.0/16 and the carrier-grade NAT range 100.64.0.0/10 (RFC 6598) are not Internet addresses either, and an address from that last range on your WAN port means the provider is itself putting you behind NAT.

How to share Internet access with devices on your network.

To connect all devices on the local network to the Internet you need a router. A router is a device that connects to the Internet through the provider's network and shares that connection with the devices attached to it, typically through several LAN ports and a Wi-Fi module. Do not confuse a router with a simple Ethernet switch, which is essentially a dumb network "splitter" and cannot translate addresses. Because a home router runs a UNIX-like operating system (usually Linux), various services can run on it, including NAT. On most consumer routers NAT is enabled by default; where it is not, check the Enable NAT box in the router settings.

So for each outgoing connection that passes through it, the router records an entry in a translation table: which local address and port the request came from, and which public port it was sent out on. When a response comes back, the router uses that entry to determine which IP address on the local network to deliver the packet to. That, in a nutshell, is how NAT works.

Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying the network address information in the IP headers of packets while they are in transit through a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without renumbering every host. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion.

NAT - what is it?

The original use of network address translation was to map every address of one address space to a corresponding address in another space, for example when an organization changed Internet service providers and could not announce a route for its old network. With the foreseeable global depletion of the IPv4 address space, NAT has been used since the late 1990s increasingly in conjunction with IP masquerading, a technique that hides an entire address space behind a single IP address. The mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single IP address and readdresses outgoing IP packets on exit so that they appear to originate from the routing device. In the reverse direction, responses are mapped back to the originating IP address using the rules stored in the translation table. Those entries are discarded after a short period unless new traffic refreshes their state. This is the basic mechanism of NAT.

This method enables communication through the router only when the connection originates in the masqueraded network, since that is what creates the translation-table entry. For example, a web browser inside the masqueraded network can browse a website outside it, but a web browser outside the network cannot reach a website hosted inside it. Most NAT devices, however, allow translation-table entries to be configured for permanent use. This feature is often referred to as static NAT or port forwarding, and it lets traffic originating on the "outside" network reach designated hosts in the masqueraded network.

Because of the popularity of this technique for conserving IPv4 address space, the term NAT has become virtually synonymous with IP masquerading.

Because Network Address Translation modifies the address information in IP packets, it has serious consequences for the quality of Internet connectivity and requires careful attention to the details of its implementation.

NAT implementations differ in their specific behaviour in various addressing cases and in their effect on network traffic.

Basic NAT

The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type as basic NAT. In this type only the IP addresses, the IP header checksum and any higher-level checksums that include the IP address are changed. Basic NAT can be used to interconnect two IP networks that have incompatible addressing.
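To make the previous paragraph concrete, here is an added example (written for this page; it is not code from the article or from any NAT implementation) that rewrites the source address of an IPv4/TCP packet the way a one-to-one NAT would and repairs the checksums. The TCP checksum covers a pseudo-header containing both IP addresses, so it must be recomputed along with the IP header checksum; naive_translate() shows what happens if only the IP header is fixed. The same fact is why an integrity check over the original header (IPsec AH) cannot survive NAT. The packet and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Basic NAT at the byte level: rewrite the source address of an IPv4/TCP
packet and repair the checksums.  Added example, not from the article."""
import socket
import struct
from typing import Optional, Tuple


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(ip: bytes, transport_len: int) -> bytes:
    """Pseudo-header covered by the TCP/UDP checksum: src, dst, zero, proto, length."""
    return ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], transport_len)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 (no options) + TCP SYN (no options) packet with valid checksums."""
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", checksum(_pseudo_header(ip, len(tcp)) + tcp)) + tcp[18:]
    return ip + tcp


def translate_source(pkt: bytes, new_src: str, new_sport: Optional[int] = None) -> bytes:
    """What a NAT must do: rewrite the source IP (and, for NAPT, the source port),
    then recompute both the IP header checksum and the TCP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if new_sport is not None:
        tcp[0:2] = struct.pack("!H", new_sport)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(_pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def naive_translate(pkt: bytes, new_src: str) -> bytes:
    """The literal reading of 'only the IP address and the IP checksum change'."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + pkt[ihl:]


def verify(pkt: bytes) -> Tuple[bool, bool]:
    """(ip_header_ok, tcp_ok): a header whose checksum field is valid sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    return checksum(ip) == 0, checksum(_pseudo_header(ip, len(tcp)) + tcp) == 0


def endpoints(pkt: bytes) -> Tuple[str, int, str, int]:
    """(src_ip, src_port, dst_ip, dst_port) as a NAT or packet filter reads them."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[12:16]), sport, socket.inet_ntoa(pkt[16:20]), dport


if __name__ == "__main__":
    original = build_packet("192.168.1.2", "203.0.113.10", 5000, 80, b"GET / HTTP/1.0\r\n\r\n")
    full = translate_source(original, "198.51.100.1", 40000)
    ip_only = naive_translate(original, "198.51.100.1")
    print("original  ", endpoints(original), verify(original))
    print("full NAT  ", endpoints(full), verify(full))
    print("IP only   ", endpoints(ip_only), verify(ip_only))
```

A receiving host silently discards a segment whose TCP checksum fails, so the "IP only" packet would never reach the application; real NAT code usually updates the checksums incrementally (RFC 1624) rather than recomputing them over the whole segment as done here for clarity.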

What is NAT in a one-to-many connection?

Most NATs map multiple private hosts to one publicly exposed IP address. In a typical configuration the local network uses one of the designated "private" IP address subnets (RFC 1918), and a router on that network has a private address in that address space.

The router is also connected to the Internet with a "public" address assigned by the ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from a private address to the public address. The router tracks basic data about each active connection (in particular the destination address and port). When a reply returns to the router, it uses the connection-tracking data it stored during the outbound phase to determine the private address on the internal network to which the reply should be forwarded.

One of the benefits of this functionality is that it serves as a practical solution to the impending exhaustion of the IPv4 address space. Even large networks can be connected to the Internet using a single IP address.

All IP packets have a source IP address and a destination IP address. Typically, packets passing from the private network to the public network have their source address modified, while packets passing from the public network back to the private network have their destination address modified. More complex configurations are also possible.

Peculiarities

To avoid ambiguity in how returned packets are translated, further modifications are required. The vast majority of Internet traffic uses TCP and UDP, and for these protocols the port numbers are changed as well, so that the combination of IP address and port number in the returned packet maps back to exactly one internal host.

Protocols not based on TCP or UDP require other translation techniques. ICMP messages typically relate to an existing connection (an ICMP error carries the header of the packet that triggered it), so they must be mapped using the same IP address and port mappings as that connection.

What to consider?

A router with NAT does not provide end-to-end connectivity, so such routers cannot take part in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or that use stateless protocols such as UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-layer gateway, but fail when both systems are separated from the Internet by NAT. NAT also complicates tunnelling protocols such as IPsec, because it alters values in headers that the integrity checks cover.

Existing problem

End-to-end connectivity has been a core principle of the Internet since its inception. NAT in its current widespread use violates this principle. There is considerable concern among experts that NAT will become just as widespread in IPv6, which has no shortage of addresses to justify it, and about how to address that effectively.

Because of the short-lived nature of the translation state in NAT routers, devices on the internal network lose IP connectivity, typically within a very short time, unless they implement NAT keep-alive mechanisms by frequently sending traffic to outside hosts. When talking about what NAT is in a router, this must not be forgotten. Those keep-alives dramatically shorten the battery life of compact handheld devices.

Scalability

Additionally, since all internal addresses are hidden behind a single public address, only ports distinguish connections, and ports can be quickly exhausted by internal applications that open many simultaneous connections (for example, HTTP requests for web pages with a large number of embedded objects). This problem can be mitigated by tracking the destination IP address and port in addition to the source port, so that one public port can be shared by many remote hosts.

Some difficulties

Since all internal addresses are masqueraded behind a single public address, it is impossible for external hosts to initiate a connection to a specific internal host without special configuration on the firewall to forward connections to a specific port. Applications such as VoIP, video conferencing and similar peer-to-peer services must use NAT traversal techniques to work.

Reverse address and port translation (RAPT) allows a host whose real IP address changes from time to time to remain reachable as a server via a fixed home IP address. In principle this should let a server keep a stable address despite such changes. Although it is not a perfect solution to the problem, it can be another useful tool in a network administrator's arsenal when deciding how to configure NAT on a router.

Port Address Translation (PAT)

Cisco's name for port-based translation is Port Address Translation (PAT), also called NAT overload. It maps multiple private IP addresses to a single public IP address; multiple addresses can share one address because each connection is tracked by port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Port numbers are 16-bit integers, so the number of internal connections that can be translated to one external address is theoretically 65,536 per transport protocol; in practice, Cisco documentation quotes roughly 4,000 local addresses per global address. PAT tries to preserve the original source port. If it is already in use, PAT assigns the first available port number starting from the beginning of the appropriate group: 0-511, 512-1023 or 1024-65535. When there are no more ports available and more than one external IP address is configured, PAT moves to the next IP address and tries to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

Mapping of Address and Port (MAP) is a Cisco proposal that combines port address translation with tunnelling of IPv4 packets over the ISP's internal IPv6 network. In effect it is a (nearly) stateless alternative to carrier-grade NAT and DS-Lite that pushes the IPv4 address/port translation function entirely into the existing NAT implementation in the customer premises equipment. It thus avoids the NAT444 and statefulness problems of carrier-grade NAT and also provides a transition mechanism for deploying native IPv6 at the same time.

Translation methods

There are several ways to implement network address and port translation. Some application protocols carry IP address information in their payload, so an application running on a node in the masqueraded network needs to determine the external address of the NAT, i.e. the address its peer sees, and often also needs to examine and categorize the type of mapping in use. Usually this is done because the two clients, both behind separate NATs, want to set up a direct communication path (either to save the cost of relaying the data through a server or to improve performance).

For this purpose, RFC 3489 specified in 2003 a protocol called Simple Traversal of UDP over NATs (STUN). It classified NAT implementations as full-cone, restricted-cone, port-restricted-cone or symmetric, according to how they allocate mappings and filter incoming packets. Today it is obsolete, because that classification turned out to be inadequate to describe the behaviour of many real devices. New methods were standardized in RFC 5389 (October 2008), which renamed the specification Session Traversal Utilities for NAT while keeping the acronym STUN.
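The core of STUN is a single request/response pair, shown here as an added example (written for this page; it is not code from the article or from any STUN implementation). The client sends a Binding Request, the server replies with an XOR-MAPPED-ADDRESS attribute carrying the source address and port it observed, and the client decodes it and compares it with its own address: a mismatch means a NAT is in the path. No network is used; the address the simulated server "observes" is an assumption passed in by the caller.

```python
"""Minimal STUN Binding exchange (RFC 5389).  Added example, not from the article."""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte header: type, length of attributes, magic cookie, 96-bit transaction ID."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_header(msg: bytes) -> Tuple[int, int, bytes]:
    """Returns (type, attribute length, txid); rejects anything that is not RFC 5389 STUN."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or len(msg) != HEADER_LEN + length:
        raise ValueError("not an RFC 5389 STUN message")
    return mtype, length, msg[8:20]


def encode_xor_mapped_address(ip: str, port: int) -> bytes:
    """IPv4 XOR-MAPPED-ADDRESS: port XOR top 16 bits of the cookie, address XOR cookie.
    The XOR exists because some NATs rewrite literal copies of their own address in payloads."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)          # reserved, family = IPv4
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def server_respond(request: bytes, observed_ip: str, observed_port: int) -> bytes:
    """Simulated server: echo the transaction id and report the observed source endpoint."""
    mtype, _, txid = parse_header(request)
    if mtype != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    attrs = encode_xor_mapped_address(observed_ip, observed_port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txid + attrs


def decode_mapped_address(response: bytes, expected_txid: bytes) -> Optional[Tuple[str, int]]:
    """Client side: walk the attributes and return (ip, port) from XOR-MAPPED-ADDRESS."""
    mtype, _, txid = parse_header(response)
    if mtype != BINDING_SUCCESS or txid != expected_txid:
        raise ValueError("response does not match our request")
    body, off = response[HEADER_LEN:], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)            # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value)
            return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
    return None


def discover(local_ip: str, local_port: int, observed_ip: str, observed_port: int):
    """Whole exchange; returns (mapped_ip, mapped_port, behind_nat)."""
    txid = os.urandom(12)
    response = server_respond(build_binding_request(txid), observed_ip, observed_port)
    mapped = decode_mapped_address(response, txid)
    return mapped[0], mapped[1], mapped != (local_ip, local_port)


if __name__ == "__main__":
    print(discover("192.168.1.2", 5000, "198.51.100.1", 40000))
```

Matching the transaction ID before trusting the answer matters: STUN runs over UDP, so without it any host that can guess your source port can feed you a bogus mapped address and steer your media or P2P traffic.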

Creating two-way communication

Each TCP and UDP packet contains a source IP address and source port number as well as a destination IP address and destination port number.

For public services such as web or mail servers, the port number is important: for example, port 80 connects to the web server software and port 25 to an SMTP mail server. The IP address of a public server is likewise significant, similar to a postal address or telephone number. Both parameters must be reliably known to every host that intends to establish a connection.

Private IP addresses are only meaningful on the local network where they are used; hosts there have ports, and a port is a unique communication endpoint on a host. Communication across NAT is therefore kept track of using a combined mapping of port and IP address.

PAT (Port Address Translation) resolves the conflicts that arise when two different internal hosts use the same source port number to establish separate connections at the same time.

If you are reading this document, you are most likely connected to the Internet and using network address translation (NAT) right now! The Internet has grown far beyond what anyone imagined. Although its exact size is unknown, the (by now dated) estimate in the original text was roughly 100 million hosts and more than 350 million active users, with the Internet effectively doubling in size every year. For a computer to communicate with other computers and web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies a computer's location on a network; it works much like a street address, a way to find out exactly where you are and deliver information to you. Theoretically there are 4,294,967,296 (2^32) unique addresses. The actual number of usable addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way addresses were divided into classes and because some ranges are set aside for multicast, testing and other specific needs. With the growth of home and business networks, the number of available IP addresses stopped being sufficient. The obvious solution is to redesign the address format to allow more addresses, which is what IPv6 does, but deploying it takes many years because it requires modifying the entire Internet infrastructure.

This is where NAT comes to the rescue. Network Address Translation lets a single device, such as a router, act as an agent between the Internet (the "public network") and the local (or "private") network, so only one unique public IP address is needed to represent an entire group of computers to the outside world. The shortage of IP addresses is only one reason to use NAT; two other good reasons are security and administration.

You'll learn about how you can benefit from NAT, but first, let's take a closer look at NAT and see what it can do.

Disguise

A NAT is like a receptionist in a large office. Suppose you have told the receptionist not to put any calls through to you unless you ask. Later you call a potential client and leave a message asking him to call you back, and you tell the receptionist you are expecting a call from this client and it should be put through. The client calls the office's main number, the only number he knows. When he tells the receptionist who he is looking for, the receptionist checks the list of employees to match the name to your extension. Knowing you asked for this call, the receptionist transfers it to your phone.

Network Address Translation is performed by a device (a firewall, a router or a computer) that sits between the internal network and the rest of the world. NAT comes in several forms and can work in several ways; the terminology below follows Cisco's:

Static NAT - maps an unregistered (private) IP address to a registered (public) IP address on a one-to-one basis. Particularly useful when a device must be reachable from outside the network.

In static NAT, the computer with address 192.168.32.10 is always translated to 213.18.123.110:


Dynamic NAT - maps an unregistered IP address to a registered IP address from a pool of registered addresses. Dynamic NAT also establishes a one-to-one mapping between an unregistered and a registered address, but the mapping may change depending on which registered address in the pool is available at the time of communication.

In dynamic NAT, the computer with address 192.168.32.10 is translated to the first available address in the range 213.18.123.100 to 213.18.123.150:


Overload - a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Also known as PAT (Port Address Translation).

With overloading, every computer on the private network is translated to the same address (213.18.123.100) but with a different port number:


Overlap - when the IP addresses used on your internal network are also registered addresses used on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. Note that the NAT router must translate the "internal" addresses to registered unique addresses and must also translate the "external" registered addresses to addresses that are unique within the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.

Example:
The internal IP range (237.16.32.xx) is also a registered range used by another network, so the router translates the addresses to avoid a potential conflict. It also translates registered global IP addresses back to unregistered local addresses when packets are sent into the internal network.


The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it never leaves the internal network. A stub domain can include both registered and unregistered IP addresses; of course, any computer that uses an unregistered IP address must use NAT to communicate with the rest of the world.

NAT can be configured in various ways. In the example below, the NAT router is configured to translate unregistered IP addresses (local internal addresses) that reside on the private (internal) network into registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the outside network.


NAT overloading uses a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with one or more remote computers using different TCP or UDP ports. The headers of an IP packet contain the following information:

  • Source address - the IP address of the originating computer, for example 201.3.83.132.
  • Source port - the TCP or UDP port number assigned by the originating computer for this packet, for example port 1080.
  • Destination address - the IP address of the receiving computer, for example 145.51.18.223.
  • Destination port - the TCP or UDP port number that the originating computer is asking the receiving computer to open, for example port 3021.

The IP addresses identify the two machines at either end, while the port numbers ensure that the connection between the two machines has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means there are 65,536 (2^16) possible values. Realistically, since different vendors map ports in slightly different ways, you can expect about 4,000 ports to be available.

Examples of dynamic NAT and NAT with overload

Here is how dynamic NAT works:


  • The internal network has been set up with IP addresses that were not specifically allocated to this company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered non-routable, since they are not unique. They are inside local addresses.
  • The company sets up a NAT-enabled router. The router has a range of unique IP addresses issued to the company. These are inside global addresses.
  • A computer on the stub domain attempts to connect to a computer outside the network, such as a web server.
  • The router receives the packet from the computer on the stub domain.
  • The router checks its routing table and the criteria for translation, then saves the computer's non-routable IP address in the address translation table and replaces the sending computer's non-routable address with the first available IP address out of the range of unique addresses. The translation table now holds a mapping of the computer's non-routable IP address to one of the unique IP addresses.
  • When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to, changes the destination address to the one saved in the translation table and sends the packet to that computer. If it does not find a match in the table, it drops the packet.
  • The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.
Now let's look at how overloading works:
  • The internal network has been set up with non-routable IP addresses that were not specifically allocated to the company.
  • The company sets up a NAT-enabled router. The router has a single unique IP address issued by IANA.
  • A computer on the stub domain attempts to connect to a computer outside the network, such as a web server.
  • The router receives the packet from the computer on the stub domain.
  • The router checks its routing table and the criteria for translation, then saves the computer's non-routable IP address and port number in the translation table. It replaces the sending computer's non-routable IP address with the router's own IP address, and replaces the sending computer's source port with a port number chosen by the router, which it records in the translation table for that sender. The table now maps the computer's non-routable IP address and port to the router's IP address and the chosen port.
  • When a packet comes back from the destination, the router checks the destination port on the packet. It then looks in the translation table to see which computer on the stub domain the packet belongs to, changes the destination address and destination port to the values saved in the translation table and sends the packet to that computer.
  • The computer receives the packet from the router, and the process repeats.
  • Since the NAT router now has the computer's source address and source port saved in the translation table, it will continue to use the same port number for the duration of the connection. Every time the router accesses an entry in the table, the entry's timer is reset. If the entry is not accessed again before the timer expires, it is removed from the table.

The number of simultaneous translations a router supports is determined mainly by how much DRAM it has. A typical translation-table entry takes about 160 bytes, so a router with 4 MB of DRAM can theoretically hold 26,214 simultaneous connections, which is more than enough for most applications.

Security and Administration

Implementing dynamic NAT automatically creates something that behaves like a firewall between your internal network and the outside world: dynamic NAT only allows connections that originate inside the stub domain, so a computer on an external network cannot connect to your computer unless your computer initiated the contact. You can browse the Internet and connect to a site, even download a file, but nobody can simply take your IP address and use it to connect to a port on your computer. Bear in mind that this is a side effect of the translation table, not a security policy: it says nothing about what inside hosts send out, it is only as strict as the router's filtering behaviour (a full-cone NAT accepts packets to a mapped port from any outside host), and any port you forward is fully exposed. Use a real stateful firewall in addition to NAT.
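The overload procedure in the step list above, the port reuse described under "Scalability" and the filtering effect described in this paragraph can all be seen in one small simulator. This is an added example written for this page, not code from the article or from any router: an outbound packet gets its source rewritten to the router's one public address and an allocated port, the mapping is kept with an idle timer, a reply is mapped back by its destination port, an inbound packet with no matching entry is dropped, a forwarded (static) port is always reachable, and idle entries expire. Entries are keyed by the remote endpoint as well, so one public port can serve different remote hosts. The public address 198.51.100.1 and the 300-second idle timeout are assumptions of the example.

```python
"""NAPT ("overload"/PAT) translation table simulator.  Added example, not from the article."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"          # assumed router WAN address (documentation range)
PORT_RANGE = range(1024, 65536)     # public ports the router may hand out


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    inside_ip: str
    inside_port: int
    last_seen: float    # refreshed by every packet that hits the entry


# Table key: (proto, public port, remote ip, remote port).  Including the remote
# endpoint is what lets one public port be reused for several remote hosts.
Key = Tuple[str, int, str, int]


class Napt:
    def __init__(self, public_ip: str = PUBLIC_IP, idle_timeout: float = 300.0):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, Entry] = {}
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}   # port forwarding

    def add_static(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static (inbound) mapping: outside hosts may initiate connections to this port."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def expire(self, now: float) -> int:
        """Remove entries idle longer than the timeout; returns how many were removed."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def _existing_port(self, pkt: Packet) -> Optional[int]:
        for (proto, pport, rip, rport), e in self.table.items():
            if (proto, rip, rport, e.inside_ip, e.inside_port) == \
               (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port):
                return pport
        return None

    def _allocate_port(self, pkt: Packet) -> Optional[int]:
        """Keep the original source port if it is free for this remote endpoint,
        otherwise take the first free port; None means the port space is exhausted."""
        def free(p: int) -> bool:
            return ((pkt.proto, p, pkt.dst_ip, pkt.dst_port) not in self.table
                    and (pkt.proto, p) not in self.static)
        if pkt.src_port in PORT_RANGE and free(pkt.src_port):
            return pkt.src_port
        return next((p for p in PORT_RANGE if free(p)), None)

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Inside -> outside: rewrite the source; None if no port could be allocated."""
        self.expire(now)
        pport = self._existing_port(pkt)
        if pport is None:
            pport = self._allocate_port(pkt)
            if pport is None:
                return None
            self.table[(pkt.proto, pport, pkt.dst_ip, pkt.dst_port)] = \
                Entry(pkt.src_ip, pkt.src_port, now)
        self.table[(pkt.proto, pport, pkt.dst_ip, pkt.dst_port)].last_seen = now
        return Packet(pkt.proto, self.public_ip, pport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination; None means the router drops it."""
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        forwarded = self.static.get((pkt.proto, pkt.dst_port))
        if forwarded is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, *forwarded)
        entry = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:           # nobody inside talked to this remote endpoint
            return None
        entry.last_seen = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry.inside_ip, entry.inside_port)


if __name__ == "__main__":
    nat = Napt()
    out = nat.outbound(Packet("tcp", "192.168.1.2", 5000, "203.0.113.10", 80), 0.0)
    print("translated:", out)
    print("reply     :", nat.inbound(Packet("tcp", "203.0.113.10", 80, PUBLIC_IP, out.src_port), 1.0))
    print("stranger  :", nat.inbound(Packet("tcp", "198.51.100.77", 4444, PUBLIC_IP, out.src_port), 1.0))
```

The lookup in inbound() is the whole "firewall" the paragraph above talks about: a stranger's packet finds no entry because the entry was created by an inside host and is keyed by the peer it talked to. A looser (full-cone) NAT would key entries only by public port and would pass that stranger's packet through.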

Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the LAN under certain circumstances. For example, you can map an inside global address to a specific inside local address that is assigned to your Web server.

Static NAT allows a computer on the LAN to maintain a specific address when communicating with devices outside the network:


Some NAT routers provide extensive filtering and traffic logging. Filtering allows your company to control which sites on the Internet employees visit, preventing them from viewing questionable material. You can use traffic logging to create a log of which sites are visited and generate various reports based on this.

Network Address Translation is sometimes confused with proxy servers, but there are definite differences. NAT is transparent to the source and destination computers: neither realizes it is dealing with a third device. A proxy server is not transparent: the source computer knows it is making a request to the proxy, and the destination computer thinks the proxy server is the source and deals directly with it. Also, proxy servers usually work at layer 4 (transport) of the OSI model or above, while NAT works on layer 3 (network) packets, touching layer 4 headers only to rewrite ports and checksums. Working at the higher layer makes proxy servers slower than NAT devices in most cases.

The rapid growth of the Internet soon after its appearance created the problem of address shortage. Today it is being solved gradually by the introduction of IPv6, which provides vastly more addresses for network nodes, but replacing the protocol takes a long time. Long before that, NAT technology was invented, allowing the hosts of a private network to connect to the Internet using only one external IP address. This makes it much easier to scale private LANs when connecting them to the Internet. Now let us analyze NAT in detail.

How NAT works

Let's imagine, for example, that we have a local network of 3 workstations and we decide to connect it to the Internet. The provider has allocated us one external IP address, which we must enter in the settings of our router. As a result, we get the following picture.

Our three computers will be connected to a local network with addresses from 192.168.1.0/24.

This is what it will look like:

  • Router - 192.168.1.1
  • Computer 1 - 192.168.1.2
  • Computer 2 - 192.168.1.3
  • Computer 3 - 192.168.1.4

If you are already familiar with the basics of local networks, you know that in the network card settings the "Default gateway" field of our computers should contain 192.168.1.1. That way, all requests that are not addressed to our local network are sent to the router; simply put, all Internet requests are redirected to it.

As we have already noted, we have only one external IP address. This is where the fun begins: how can three computers with different IP addresses use the Internet when there is only one external address?

This is where NAT technology comes to the rescue.

As you can see, within the network all hosts have addresses in the same subnet, so they can exchange data directly. A request sent to the Internet arrives at the router's internal interface. There, using NAT, the packets are slightly modified: they are given the external IP address as their source, and only then are they sent out onto the network.

You probably already understand the principle of network address translation: all the internal addresses are mapped to a single external address, which lets several computers access the Internet simultaneously through one external address.

What should you pay attention to here? First, there does not have to be just one external address; there can be several.

Second, NAT imposes some restrictions related to per-IP blocking. This happens when you try to access a resource that allows only one connection per IP address: if someone on your network is already connected to it, you will not be able to establish a connection.

Terminology

To understand how network address translation works, let's go over the basic implementation types.

Static NAT

This is the first implementation type of the technology.

Here the router translates each internal address to an external one according to entries in its translation table. The mappings must be configured in advance when the router is set up.

Configuration on Cisco routers

  • Enter the configuration of the interface that faces the internal network and issue the command ip nat inside
  • Then, on the external interface, issue ip nat outside
  • Then, in global configuration mode, set the address mapping manually with the command ip nat inside source static inside-local inside-global, where "inside-local" is the inside local address (the host's private address) and "inside-global" is the inside global address (the public address it is translated to)

Dynamic NAT

This implementation is similar to static translation. The difference is that the translation happens dynamically, based on parameters configured in advance. There is no longer a static table of mappings; entries are created in the translation table at the moment a packet is transmitted, provided that it matches all the configured criteria.

To configure it you need to specify a pool of external addresses to be used for translation, and also select the internal addresses by creating an access list for them.

Settings

  • Set ip nat inside on the internal interfaces
  • Set ip nat outside on the external interface
  • Create an ACL listing the internal addresses that should be translated
  • Create the pool of external addresses. In global configuration mode use the command ip nat pool name first-address last-address netmask subnet-mask, where "name" is the pool name, "first-address" is the starting address, "last-address" is the last address and "subnet-mask" is the subnet mask
  • Enable dynamic translation: ip nat inside source list acl-number pool pool-name, where "acl-number" is the access list created earlier and "pool-name" is the address pool

PAT - Port Based Translation

In any case the number of available external addresses is limited. How can we scale a large local network further so that all its hosts can reach the Internet? Clearly both static and dynamic NAT require many external addresses, and that does not suit us.

This is where the third implementation of NAT comes to the rescue - PAT port-based translation. Its essence is that in addition to the "address - address" link, the "address - port" link is added. This way, the router can activate the connection not only using the IP address, but also using a unique port number.

Considering that 16-bit is used for port numbering, more than 65 thousand connections can be active simultaneously.

Settings

The configuration is the same as for dynamic NAT. To enable PAT, add the keyword overload to the translation command; when there is only one external address, the outside interface can be named in place of a pool. The end result looks like this:

ip nat inside source list acl-number interface interface-name overload
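The dynamic NAT steps listed in the previous section and the PAT command above differ by a single keyword, so one worked example serves both. It is added here and is not from the article; the interface names, the two LAN subnets, the outside address 203.0.113.2/29 and the pool 203.0.113.3-203.0.113.6 (RFC 5737 documentation range) are assumed.

```cisco
! Added example, not from the article. Assumed: LANs 192.168.10.0/24 and
! 192.168.20.0/24 reached through Gi0/0; ISP link 203.0.113.0/29 on Gi0/1 with
! 203.0.113.3-203.0.113.6 free for the pool (documentation addresses).
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! 1. Which inside sources get translated. Keep it to the user subnets: a
!    "permit any" here would also translate transit and management traffic.
ip access-list standard NAT-SOURCES
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 deny   any
!
! 2. Pool of inside-global addresses. The keyword is "netmask" (or
!    "prefix-length 29"), not "mask".
ip nat pool PUBLIC 203.0.113.3 203.0.113.6 netmask 255.255.255.248
!
! 3. Pick ONE mapping. To switch between them later, run
!    "clear ip nat translation *" first: IOS will not silently drop a mapping
!    that still has live entries.
!
! 3a. Dynamic NAT: each inside host borrows a whole pool address on its first
!     packet and keeps it until the entry times out. With four addresses the
!     fifth simultaneous host gets no translation and its packets are dropped
!     ("misses" in show ip nat statistics). While the entry lives it is an
!     address-only entry, so outside hosts can also reach that inside host on
!     its pool address.
! ip nat inside source list NAT-SOURCES pool PUBLIC
!
! 3b. PAT: the same command plus "overload". Entries are now keyed by
!     (address, protocol, port) and record the outside peer too, so many hosts
!     share each pool address and only the matching peer can send packets back.
!     The 16-bit port gives at most 65 536 entries per global address per
!     transport protocol, fewer in practice; the pool multiplies that.
ip nat inside source list NAT-SOURCES pool PUBLIC overload
!
!     With a single public address, point overload at the outside interface:
! ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
!
! 4. Entry lifetime. Defaults: TCP 24 h, UDP 5 min, ICMP 1 min of idle time.
!    A shorter TCP timeout stops dead sessions from hogging ports.
ip nat translation tcp-timeout 3600
!
! Checks:
!   show ip nat translations   - with overload the Inside global column shows
!                                address:port for every entry
!   show ip nat statistics     - hits, misses and pool usage
!   clear ip nat translation * - flush the table between tests
```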


Conclusion

NAT lets you give any local network access to the Internet with a single external IP address. This is the most common setup: providers usually offer exactly such tariffs to home users and small offices.


Hello everyone. Today we will talk about how to configure NAT on Cisco, what NAT is and why it is needed at all. This functionality has long been part of everyday networking, and it is hard to imagine a single company that does not use it. In its time it rescued the IPv4 Internet from running out of addresses and thereby delayed the transition to IPv6 considerably, but first things first.

What is NAT

NAT (Network Address Translation) is a mechanism for rewriting network addresses; put simply, it is the technology that lets a crowd of private (grey) IP addresses sit behind one public (white) IP address. A typical example is an office network where every user goes out through a common gateway: the gateway carries the address that connects to the Internet, while the users keep local addresses.


Types of NAT

  • Static NAT - a fixed one-to-one mapping of a grey IP to a white IP; its port-level variant is the familiar port forwarding into the local network, for example for RDP
  • Dynamic NAT - mapping a grey IP to one of the IP addresses in a group of white addresses
  • Overloaded NAT, also called PAT (Port Address Translation) - mapping several grey IPs to one white IP by giving each connection its own port

Today we will look at static NAT and PAT.
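The RDP port forward mentioned under static NAT in the list above, configured on the article's Router0 as an added example; it is not part of the article's own configuration. It assumes the vlan 3 server is 192.168.3.10 (the article never gives the server's address) and that the administrators connect from 198.51.100.0/24 (an RFC 5737 documentation range); the interfaces fa0/0.3 (inside) and fa0/1 (outside, 213.235.1.2) are the ones the article configures further down.

```cisco
! Added example, not from the article. Assumes the vlan 3 server is
! 192.168.3.10 and the admins come from 198.51.100.0/24; fa0/0.3 is
! "ip nat inside" and fa0/1 (213.235.1.2) is "ip nat outside" as on the page.
!
! Port-level static entry: TCP 3389 arriving at the outside address is sent to
! the server. It coexists with the "overload" rule for outbound traffic; static
! entries are matched before dynamic ones, and only this one port is opened.
ip nat inside source static tcp 192.168.3.10 3389 interface FastEthernet0/1 3389
!
! Left like this the forward publishes RDP to the whole Internet, a favourite
! brute-force and ransomware entry point. Restrict it on the outside interface.
! The inbound ACL there matches the PUBLIC address 213.235.1.2, because for
! outside->inside packets IOS evaluates the inbound ACL before NAT rewrites the
! destination.
ip access-list extended OUTSIDE-IN
 remark RDP only from the admin network
 permit tcp 198.51.100.0 0.0.0.255 host 213.235.1.2 eq 3389
 remark replies to TCP sessions the PAT clients opened (ACK or RST set)
 permit tcp any host 213.235.1.2 established
 remark DNS answers to PAT clients; a plain ACL keeps no UDP state
 permit udp any eq 53 host 213.235.1.2 gt 1023
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
!
! Checks:
!   show ip nat translations     - the static tcp entry mapping 213.235.1.2:3389
!                                  to 192.168.3.10:3389 is present before any traffic
!   show access-lists OUTSIDE-IN - per-line match counters; an RDP attempt from
!                                  outside 198.51.100.0/24 hits the deny line
!                                  and is logged
```

The "established" and DNS lines are the price of doing this with a stateless ACL: they let return traffic for the office's PAT sessions back in. On a router that supports it, a zone-based firewall replaces those two lines with real session tracking.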

Cisco NAT Setup

This is the layout of a small office. There are three computers in vlan 2 and a server in a separate vlan 3. All of this connects to a Cisco 2960 Layer 2 switch, which in turn is plugged into a Cisco 1841 router that routes traffic between vlan 2 and vlan 3.

Cisco 2960 Setup

Let's create vlan 2 and vlan3, give them names and configure the necessary ports on these vlans.

enable
conf t
! create vlan 2
vlan 2
 name VLAN2
exit
! create vlan 3
vlan 3
 name VLAN3
exit
! put ports fa0/1-3 into vlan 2
int range fa0/1-3
 switchport mode access
 switchport access vlan 2
exit
! put port fa0/4 into vlan 3
int fa0/4
 switchport mode access
 switchport access vlan 3
exit
! fa0/5 is the trunk towards the router; carry only vlans 2 and 3 on it
int fa0/5
 switchport mode trunk
 switchport trunk allowed vlan 2,3
exit
do wr mem

Cisco 1841 Setup

First of all, let's create the subinterfaces and bring the physical port up.

enable
conf t
int fa0/0
no shutdown
exit

int fa0/0.2
encapsulation dot1Q 2
ip address 192.168.2.251 255.255.255.0
no shutdown
exit

int fa0/0.3
encapsulation dot1Q 3
ip address 192.168.3.251 255.255.255.0
no shutdown
exit

After this the port comes up (it turns green in the simulator).

PAT setup

In my virtual lab the topology cannot actually reach the Internet, so we emulate it: there will be a provider router with a white IP address and a server that also has a white IP address. On the provider's router one port is given the white IP address 213.235.1.1 with the network mask 255.255.255.252.

Let's configure this IP on our test provider router.

en
conf t
int fa0/0
ip address 213.235.1.1 255.255.255.252
no shutdown
exit

Now configure port fa0/1, which faces the server, and give it another white address, 213.235.1.25 255.255.255.252 (the server sits in the 213.235.1.24/30 subnet).

int fa0/1
ip address 213.235.1.25 255.255.255.252
no shutdown
exit

My server will have an IP address of 213.235.1.26 and the gateway will be 213.235.1.25, the interface of the router of the provider looking at the server.

Now let's configure our local router, Router0: its fa0/1 gets the white IP address the provider allocated to us, 213.235.1.2 255.255.255.252, and the default route points at the provider, 213.235.1.1.

enable
conf t
int fa0/1
ip address 213.235.1.2 255.255.255.252
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 213.235.1.1
exit
wr mem

Let's ping the provider and the server from the office router and confirm that everything works. The first attempt loses one packet while the router resolves the neighbour's MAC address with ARP; the repeat gets 5/5.

Router#ping 213.235.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

Router#ping 213.235.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

Router#ping 213.235.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/9/17 ms

Router#ping 213.235.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.25, timeout is 2 seconds:

Router#ping 213.235.1.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.235.1.26, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Now the NAT itself. On the local router we first tell NAT which interface counts as outside and which as inside. Here it is simple: outside is the interface carrying the provider's white IP address, inside is whatever is connected to the Layer 2 switch. So fa0/1 is outside and the two subinterfaces are inside.

enable
conf t
int fa0/1
ip nat outside
exit
int fa0/0.2
ip nat inside
int fa0/0.3
ip nat inside
exit

Setting up the access list

The access list defines which traffic is translated; anything it does not match passes through without NAT.

Create a standard named access list called NAT and permit the two office subnets:

ip access-list standard NAT
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255

0.0.0.255 is a wildcard mask, the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored, so 192.168.2.0 0.0.0.255 covers the whole 192.168.2.0/24 subnet.

show running-config now shows the access list and the interfaces marked as outside and inside.

One more command ties it together: translate the source address of traffic from the hosts permitted by the NAT list to the address of fa0/1, and with overload share that single address between many connections by port number. This is PAT:

ip nat inside source list NAT interface fa0/1 overload

Save everything with do wr mem.

Now check access to external resources from a computer on the local network. ipconfig on the PC shows the address 192.168.2.1; a ping of 213.235.1.26 succeeds, so NAT on the Cisco router is working.

WiFi