Configuring Dynamic NAT Pooling

NAT Pooling is the ability to randomly assign public IP addresses to private internal IP’s on a first come first serve basis from a pool of IP’s. This lab will discuss and demonstrate the configuration and verification of dynamic NAT pooling.

Real World Application & Core Knowledge

If you’ve completed the previous Lab 11-1 – Configuring Network Address Translation (NAT) One-to-One then you should have a basic understanding of how NAT works, if not then its recommended to complete the previous lab before attempting this one.

A Network Address Translation Pool in simple terms is a pool that has been carved out of an allocated address block that assigns inside global addresses on a first come first serve basis to inside local host based on a match found in a specified access control list. The benefit of this type of configuration is that your inside network can use RFC1918 private addressing such as the 10.0.0.0/8 range but still obtain IP connectivity to the outside world using a single public IP address per host. Some universities use this method however the majority of universities in the USA are moving more towards a NAC (Network Admissions Control) infrastructure of its residential students to access the internet due to NAC having the ability to enforce virus protection and required operating system updates.

However NAT pooling still has its place in today’s networks such as the DMZ (Demilitarized Zone) or companies that own a block of public IP addresses and requires each inside host to have its own translated outside IP address.

When configuring a NAT pool you must specify a address pool range with a start and end IP address followed by the network prefix of the allocated IP address block the IP address range is carved out of . After the pool has been created you must then create the NAT statement that uses a specific access control list that translates ACL matched inside host machines to the outside global IP addresses in the pool on a first come first serve basis.

To create an NAT pool you’ll use the command ip nat pool poolname sip.sip.sip.sip eip.eip.eip.eip prefix # whereas the poolname is referenced by the NAT translation statement followed by the starting ip and ending ip of the pool range and the prefix of the allocation that the IP address range is carved out of; I.e; 24 = /24 or 255.255.255.0

When specifying a NAT translation statement using a pool you’ll need specify an access control list which is used to match inside host addresses or networks that will be translated to the IP addresses found in the pool on a first come first serve basis.

To configure a NAT Pool Translation you’ll use the ip nat inside source list ACL#_OR_NAME pool POOLNAME command in global configuration whereas the ACL#_OR_NAME is the access control list name or number used to match inside host which will be permitted to use the NAT pool translation and the POOLNAME is the IP address range pool you carved out of an address block allocation.

In this lab you will be using R1, R2 and R3 to simulate a network connected to an ISP at R2 and using R2 to translate simulated inside host machines from R1 to a public IP address pool to the internet (R3).

Please review the following command(s) listed below;

Command	Description
ip nat pool poolname sip.sip.sip.sip eip.eip.eip.eip prefix #	This command is executed in global configuration mode to configure a NAT pool whereas the sip is the starting ip address in the range of the pool and the eip is the ending ip address range of the pool. The prefix # is the actual prefix used by the router which the ip’s in the pool use.
ip nat inside source list acl# pool poolname	This command is executed in global configuration mode to setup an inside to outside NAT pool configuration whereas the access-list # matches in ACL in which inside hosts must be permitted to be able to obtain a pool IP address. The pool name references the pool of IP addresses created when using the previous command.
show ip nat translations	This command is executed in user or privileged mode to view all the current NAT translations in the routers NAT table.
clear ip nat translation *	This command is executed in privileged mode to purge all the dynamic NAT translations that exist in the routing table. If this command is executed in a live network take caution as it will drop current dynamic NAT translated TCP sessions.

The following logical topology shown below is used in this lab;

Lab Prerequisites

If you are using GNS3 than load the Free CCNA Workbook GNS3 topology than start devices; R1, R2 and R3
Establish a console session with devices R1, R2 and R3 than load the initial configurations provided below by copying the config from the textbox and pasting it into the respected routers console.

!################################################### !# Free CCNA Workbook Lab 11-2 R1 Initial Config # !################################################### ! enable configure terminal ! hostname R1 no ip domain-lookup ! interface Serial0/0 description ### PHYSICAL FRAME RELAY INTERFACE ### no ip address encapsulation frame-relay serial restart-delay 0 no frame-relay inverse-arp exit ! interface Serial0/0.122 point-to-point description ### FRAME RELAY LINK TO R2 ### ip address 10.112.12.1 255.255.255.252 frame-relay interface-dlci 122 exit ! interface Serial0/0 no shut exit ! router eigrp 10 no auto-summary network 10.112.12.1 0.0.0.0 exit ! line con 0 logging sync no exec-timeout ! end !################################################### !# Free CCNA Workbook Lab 11-2 R2 Initial Config # !################################################### ! enable configure terminal ! hostname R2 no ip domain-lookup ! interface Serial0/0 description ### PHYSICAL FRAME RELAY INTERFACE ### encapsulation frame-relay no frame-relay inverse-arp exit ! interface Serial0/0.221 point-to-point description ### FRAME RELAY LINK TO R1 ### ip address 10.112.12.2 255.255.255.252 frame-relay interface-dlci 221 exit ! interface Serial0/0.223 point-to-point description ### FRAME RELAY LINK TO R3 ### ip address 171.18.24.1 255.255.255.224 frame-relay interface-dlci 223 exit ! interface Serial0/0 no shut exit ! router eigrp 10 no auto-summary network 10.112.12.2 0.0.0.0 network 171.18.24.1 0.0.0.0 redistribute static passive-interface Serial0/0.223 exit ! ip route 0.0.0.0 0.0.0.0 171.18.24.2 ! line con 0 logging sync no exec-timeout ! end !################################################### !# Free CCNA Workbook Lab 11-2 R3 Initial Config # !################################################### ! enable configure terminal ! hostname R3 no ip domain-lookup ! interface Loopback0 description ### SIMULATED INTERNET HOST ### ip address 4.2.2.2 255.255.255.255 ! interface Serial0/0 description ### PHYSICAL FRAME RELAY INTERFACE ### encapsulation frame-relay no frame-relay inverse-arp exit ! interface Serial0/0.322 point-to-point description ### FRAME RELAY LINK TO R2 ### ip address 171.18.24.2 255.255.255.224 frame-relay interface-dlci 322 exit ! interface Serial0/0 no shut exit ! line con 0 logging sync no exec-timeout ! end

Lab Objectives

Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
Configure the respected NAT interface types then create a NAT pool on R2 starting with the IP address 171.18.24.5 and ending with the IP address 171.18.24.25 using the prefix mask of /27.
Create a named extended access-list on R2 matching the simulated host on R1 using only a single line in the ACL.
Configure a NAT Pool translation on R2 using the newly created named ACL and NAT Pool.
Verify that R1’s simulated has IP connectivity to the simulated internet host (4.2.2.2) on R3 via NAT.
Verify on R2 that the inside host(s) are being assigned pool addresses.

Lab Instruction

Objective 1. – Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loopback0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.55.0.1 255.255.255.0
R1(config-if)#interface loopback1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip add 10.55.1.1 255.255.255.0
R1(config-if)#interface loopback2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R1(config-if)#ip add 10.55.2.1 255.255.255.0
R1(config-if)#interface loopback3
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R1(config-if)#ip add 10.55.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 10.55.0.0 0.0.3.255
R1(config-router)#end
R1#

Objective 2. – Configure the respected NAT interface types then create a NAT pool on R2 starting with the IP address 171.18.24.5 and ending with the IP address 171.18.24.25 using the prefix mask of /27.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface Serial0/0.221
R2(config-subif)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed
state to up
R2(config-subif)#interface Serial0/0.223
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#ip nat pool natpool1 171.18.24.5 171.18.24.25 prefix-length 27
R2(config)#

Objective 3. – Create a named extended access-list on R2 matching the simulated host on R1 using only a single line in the ACL.

R2(config)#ip access-list extended NATPOOL_ACL
R2(config-ext-nacl)#10 permit ip 10.55.0.0 0.0.3.255 any
R2(config-ext-nacl)#exit
R2(config)#

Objective 4. – Configure a NAT Pool translation on R2 using the newly created named ACL and NAT Pool.

R2(config)#ip nat inside source list NATPOOL_ACL pool natpool1
R2(config)#end
R2#

Objective 5. – Verify that R1′s simulated has IP connectivity to the simulated internet host (4.2.2.2) on R3 via NAT.

R1#ping 4.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/104/196 ms
R1#ping 4.2.2.2 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/108/184 ms
R1#ping 4.2.2.2 source lo2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/136/252 ms
R1#ping 4.2.2.2 source lo3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.3.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/83/224 ms
R1#

Objective 6. – Verify on R2 that the inside host(s) are being assigned pool addresses.

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 171.18.24.5:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
--- 171.18.24.5        10.55.0.1          ---                ---
icmp 171.18.24.6:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
--- 171.18.24.6        10.55.1.1          ---                ---
icmp 171.18.24.7:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
--- 171.18.24.7        10.55.2.1          ---                ---
icmp 171.18.24.8:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
--- 171.18.24.8        10.55.3.1          ---                ---
R2#

As you can see shown in Objective 5 and 6 that the simulated host IP addresses on R1 have ip connectivity to the simulated server on R3 via NAT pool translation.

Objective 6 shows that 10.55.0.1 has been assigned the IP 171.18.24.5 from the NAT pool, 10.55.1.1 has been assigned 171.18.24.6 and so on.

◄ Previous Lab

Next Lab ►