PAT, Port Address Translation, is more popularly known as port forwarding. This lab discusses and demonstrates the configuration and verification of Port Address Translation.
When most people think of Network Address Translation (NAT) they immediately think of the operation of Port Address Translation, where many internal RFC1918 private addresses are translated to a single public, globally routable IP address. Most people assume that a standard consumer-grade router does NAT to allow several PCs to share a single internet connection; however, that operation is actually called Port Address Translation (PAT).
PAT is a type of Network Address Translation that translates inside local addresses to a single inside global address, which in most cases is the IP address your ISP assigns you. You can think of PAT as a dynamic form of extended NAT. The general operation of PAT is quite simple.
A PC on the inside network with the IP address 10.55.1.22 attempts to communicate with the internet; however, its IP address is not routable on the internet, so it has to be translated to an address that is. When the PC sends traffic to an IP address on the internet, the router port address translates the packets to its own public IP address and a random port number, and installs the NAT flow into the NAT table for the return traffic.
For example, PC 10.55.1.22 attempts to communicate with 4.2.2.2, so it sends its traffic to its default gateway. This router is connected to the internet and can reach 4.2.2.2 via a T1 interface. The router translates the incoming packet, sourced from 10.55.1.22 on a random port, to the IP address of its T1 interface with a randomly generated source port and the same destination. Once this is done the router adds the translation to the NAT table and forwards the traffic. When the return traffic reaches the router, it uses the same translation entry to translate that traffic back to the private IP address of the host inside the network.
Port Address Translation can serve up to 10,000 PCs using a single IP address. In this scenario every internal, privately addressed PC could theoretically use a maximum of 6 random ports simultaneously. This is a very high number for most companies and very hard to exceed. However, if you are hitting the maximum session range on a router/firewall for PAT, you can just add another public IP address to be port address translated.
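The translation walk-through above (install a flow on the first outbound packet, reverse it for the return traffic, and run out of sessions when the port pool is exhausted) can be modelled in a few lines. The following is an added example written for this page, not configuration or code from the lab or from any router vendor: it simulates what R2's NAT table does for the 10.55.1.22 to 4.2.2.2 case. The inside global address 172.29.81.1 is taken from the lab output, the port range is an assumption, and where the text describes a randomly generated source port this model hands out the lowest free port so the results are deterministic.

```python
"""Toy model of PAT: one inside global address shared by many inside hosts.

Added example, not code from the lab. The inside global address and the port
range are assumptions; a real router picks the global port differently.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a packet: protocol, source socket, destination socket."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    def __init__(self, inside_global: str, port_range=range(1024, 65536)):
        self.inside_global = inside_global
        # Free inside-global ports, sorted descending so pop() yields the lowest first.
        self._free_ports = sorted(port_range, reverse=True)
        self.outbound = {}   # inside-local Flow -> translated Flow
        self.inbound = {}    # (proto, global_port, outside_ip, outside_port) -> inside-local Flow

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite an inside-local packet to the inside global address.

        The first packet of a flow allocates a global port and installs the
        entry; later packets of the same flow reuse it. An empty port pool is
        the 'maximum session range' condition the text mentions.
        """
        if flow in self.outbound:
            return self.outbound[flow]
        if not self._free_ports:
            raise RuntimeError(f"PAT port pool exhausted on {self.inside_global}")
        port = self._free_ports.pop()
        translated = Flow(flow.proto, self.inside_global, port, flow.dst_ip, flow.dst_port)
        self.outbound[flow] = translated
        self.inbound[(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        return translated

    def translate_return(self, proto: str, outside_ip: str, outside_port: int,
                         global_port: int) -> Optional[Flow]:
        """Rewrite a packet arriving from the internet back to the inside host.

        Returns the packet as delivered inside, or None when no entry matches
        (an unsolicited inbound packet, which the router drops).
        """
        inside = self.inbound.get((proto, global_port, outside_ip, outside_port))
        if inside is None:
            return None
        return Flow(proto, outside_ip, outside_port, inside.src_ip, inside.src_port)

    def remove(self, flow: Flow) -> None:
        """Age out a flow; its global port goes back on the pool and is reused next."""
        translated = self.outbound.pop(flow)
        del self.inbound[(flow.proto, translated.src_port, flow.dst_ip, flow.dst_port)]
        self._free_ports.append(translated.src_port)

    def table(self):
        """Rows in the 'Pro / Inside global / Inside local / Outside local / Outside global' layout."""
        rows = []
        for inside, tr in self.outbound.items():
            outside = f"{inside.dst_ip}:{inside.dst_port}"
            rows.append((inside.proto,
                         f"{tr.src_ip}:{tr.src_port}",
                         f"{inside.src_ip}:{inside.src_port}",
                         outside, outside))
        return rows


def demo():
    """Walk the 10.55.1.22 -> 4.2.2.2 example from the text; returns the table rows."""
    pat = PatTranslator("172.29.81.1")
    out = pat.translate_outbound(Flow("tcp", "10.55.1.22", 51000, "4.2.2.2", 53))
    back = pat.translate_return("tcp", "4.2.2.2", 53, out.src_port)
    assert back is not None and back.dst_ip == "10.55.1.22"
    return pat.table()


if __name__ == "__main__":
    for row in demo():
        print("  ".join(row))
```

The lookup key for return traffic is the full (protocol, global port, outside address, outside port) tuple, which is why one inside global address can carry many flows to the same destination: each flow gets its own global port, and a reply that matches no entry is simply dropped.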
To configure Port Address Translation, you must specify the inside and outside NAT interfaces, as with any NAT configuration. Afterward you will need to create an access control list that will be referenced by the NAT translation statement to match the inside networks and/or host machines to be translated. If you have multiple public IP addresses and wish to port address translate to an IP address other than the one assigned to the router's WAN interface, you will need to create a NAT pool with the specified IP address(es). In most scenarios you will just port address translate to the single IP address assigned to the router's public interface. When using the IP address of the router's interface you do not need to specify a pool; you just specify the interface name followed by "overload". Example: ip nat inside source list PAT_TRAFFIC interface Serial0/0.223 overload
In this lab you will use R1, R2 and R3 to simulate a small company network connected to an ISP at R2. R2 port address translates the simulated inside host machines on R1, which have private IP addresses, to a single public IP address so the inside machines can reach the simulated internet host 4.2.2.2 on R3.
Please review the following command(s);
Command | Description |
---|---|
ip nat inside source list acl-name-or-number ip.ip.ip.ip overload | This command is executed in global configuration mode to configure a NAT translation that port address translates the inside hosts permitted by the access list to a specific IP address. |
ip nat inside source list acl-name-or-number interface interface#/# overload | This command is executed in global configuration mode to configure a NAT translation that port address translates the inside hosts permitted by the access list to the IP address assigned to the specified interface. |
show ip nat translations | This command is executed in user or privileged EXEC mode to view all the current NAT translations in the router's NAT table. |
clear ip nat translation * | This command is executed in privileged EXEC mode to purge all the dynamic NAT translations in the NAT table. Take caution if executing this command on a live network, as it will drop the currently translated dynamic TCP sessions. |
The logical topology shown below is used in this lab;
Objective 1. – Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface loopback0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.55.0.1 255.255.255.0
R1(config-if)#interface loopback1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip add 10.55.1.1 255.255.255.0
R1(config-if)#interface loopback2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R1(config-if)#ip add 10.55.2.1 255.255.255.0
R1(config-if)#interface loopback3
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R1(config-if)#ip add 10.55.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 10.55.0.0 0.0.3.255
R1(config-router)#end
R1#
Objective 2. – Configure the respective NAT inside/outside interfaces on R2.
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface Serial0/0.221
R2(config-subif)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-subif)#interface Serial0/0.223
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#
Objective 3. – Create a named extended access-list on R2 matching the simulated hosts on R1 using only a single line in the ACL.
R2(config)#ip access-list extended PAT_TRAFFIC_ACL
R2(config-ext-nacl)#10 permit ip 10.55.0.0 0.0.3.255 any
R2(config-ext-nacl)#exit
R2(config)#
Objective 4. – Configure a NAT translation statement to port address translate any host machines matching the access-list previously created to the IP address of Serial0/0.223.
R2(config)#ip nat inside source list PAT_TRAFFIC_ACL interface Serial0/0.223 overload
R2(config)#end
R2#
Objective 5. – Verify that you can ping the simulated host 4.2.2.2 located on R3 from the simulated host loopback interfaces you created earlier on R1.
R1#ping 4.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/94/168 ms
R1#ping 4.2.2.2 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/108/200 ms
R1#ping 4.2.2.2 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/133/196 ms
R1#ping 4.2.2.2 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/114/240 ms
R1#
Objective 6. – After verifying IP connectivity from the simulated inside host machines on R1 to the simulated internet host on R3 (4.2.2.2), view the NAT translation table on R2 and verify that the router is translating the inside local addresses to a single inside global address.
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 172.29.81.1:2 10.55.0.1:2 4.2.2.2:2 4.2.2.2:2
icmp 172.29.81.1:3 10.55.1.1:3 4.2.2.2:3 4.2.2.2:3
icmp 172.29.81.1:4 10.55.2.1:4 4.2.2.2:4 4.2.2.2:4
icmp 172.29.81.1:5 10.55.3.1:5 4.2.2.2:5 4.2.2.2:5
R2#
As shown above in R2's NAT translation table, you can see the inside global IP address and the source port number assigned to each inside local source IP address, one per NAT translation flow. (A NAT translation flow is a single line entry in the NAT translation table.)
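The check Objective 6 asks you to make by eye (every inside local address translated to the one inside global address, with each flow holding its own inside global port) can also be scripted against the router's output. The following is an added example written for this page, not code from the lab or from any vendor tool: it parses the `show ip nat translations` table layout shown above, using the four ICMP rows from R2 as a constructed sample, and reports anything that does not look like a correct PAT flow. The expected inside global address 172.29.81.1 is taken from the lab output; the `ipaddress` module is from the Python standard library.

```python
"""Parser and sanity check for 'show ip nat translations' output.

Added example, not part of the lab. The sample below is constructed from the
R2 output shown above; the expected inside global address is 172.29.81.1.
"""
import ipaddress

# Constructed sample: the four ICMP entries from R2's table above.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.29.81.1:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
icmp 172.29.81.1:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
icmp 172.29.81.1:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
icmp 172.29.81.1:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
"""


def split_socket(token):
    """'172.29.81.1:2' -> ('172.29.81.1', 2); a bare token -> (token, None).

    For ICMP the number after the colon is the ICMP identifier, not a port.
    """
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)


def parse_translations(text):
    """Return one dict per translation row; the header and odd lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto.lower(),
            "inside_global": split_socket(ig),
            "inside_local": split_socket(il),
            "outside_local": split_socket(ol),
            "outside_global": split_socket(og),
        })
    return entries


def check_pat(entries, expected_global):
    """Return a list of findings; an empty list means the table looks like correct PAT."""
    findings = []
    if not entries:
        findings.append("no translations present; generate traffic first")
    seen_keys = set()
    for e in entries:
        ig_ip, ig_port = e["inside_global"]
        il_ip, _ = e["inside_local"]
        if ig_port is None:
            # Port-less (static, non-overload) entry: not a PAT flow, nothing to check.
            continue
        if ig_ip != expected_global:
            findings.append(f"{il_ip} translated to {ig_ip}, not {expected_global}")
        if not ipaddress.ip_address(il_ip).is_private:
            findings.append(f"inside local {il_ip} is not an RFC1918 address")
        # Return traffic is demultiplexed on this tuple; it must be unique per flow.
        key = (e["proto"], ig_port, e["outside_global"])
        if key in seen_keys:
            findings.append(f"duplicate global key {key}: return traffic is ambiguous")
        seen_keys.add(key)
    return findings


if __name__ == "__main__":
    problems = check_pat(parse_translations(SAMPLE_OUTPUT), "172.29.81.1")
    print("PAT table OK" if not problems else "\n".join(problems))
```

Run on the sample, `check_pat` returns no findings. Feeding it a pasted table from a router that was translating to the wrong interface, or whose inside global address was still a private one, would show up as a finding on the offending row rather than needing to be spotted among many lines of output.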