NAT pooling is the ability to dynamically assign public IP addresses to private internal IPs, on a first come, first served basis, from a pool of addresses. This lab will discuss and demonstrate the configuration and verification of dynamic NAT pooling.
If you've completed the previous Lab 11-1 – Configuring Network Address Translation (NAT) One-to-One, then you should have a basic understanding of how NAT works; if not, it is recommended that you complete the previous lab before attempting this one.
A Network Address Translation pool, in simple terms, is a range carved out of an allocated address block from which inside global addresses are assigned, on a first come, first served basis, to inside local hosts that match a specified access control list. The benefit of this type of configuration is that your inside network can use RFC 1918 private addressing such as the 10.0.0.0/8 range but still obtain IP connectivity to the outside world using a single public IP address per host. Some universities use this method; however, the majority of universities in the USA are moving towards a NAC (Network Admission Control) infrastructure for their residential students' internet access, because NAC can enforce virus protection and required operating system updates.
However, NAT pooling still has its place in today's networks, such as in a DMZ (Demilitarized Zone) or at companies that own a block of public IP addresses and require each inside host to have its own translated outside IP address.
When configuring a NAT pool you must specify an address range with a start and end IP address, followed by the network prefix of the allocated IP address block the range is carved out of. After the pool has been created you must then create the NAT statement that references a specific access control list; inside hosts matched by the ACL are translated to the outside global IP addresses in the pool on a first come, first served basis.
To create a NAT pool you'll use the command ip nat pool poolname sip.sip.sip.sip eip.eip.eip.eip prefix-length #, where poolname is the name referenced by the NAT translation statement, followed by the starting IP and ending IP of the pool range and the prefix length of the allocation the range is carved out of; e.g. 24 = /24 = 255.255.255.0.
When specifying a NAT translation statement that uses a pool you'll need to specify an access control list, which is used to match the inside host addresses or networks that will be translated to the IP addresses in the pool on a first come, first served basis.
To configure a NAT pool translation you'll use the ip nat inside source list ACL#_OR_NAME pool POOLNAME command in global configuration mode, where ACL#_OR_NAME is the access control list name or number used to match the inside hosts that are permitted to use the NAT pool translation, and POOLNAME is the IP address pool you carved out of the address block allocation.
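To make the first come, first served allocation and the ACL match concrete, here is an added Python model of the behaviour described above. It is not IOS code and is not part of the original lab; the class and function names are this example's own. It uses the lab's own values (pool 171.18.24.5 to 171.18.24.25 with prefix length 27, ACL entry 10.55.0.0 0.0.3.255) and also shows the failure mode a pool without overload has: a 21-address pool serves 21 inside hosts and the 22nd gets no translation.

```python
"""Model of Cisco-style dynamic NAT pooling (added example, not IOS code).

Mimics the three pieces of configuration described above:
  * an extended ACL entry with a wildcard mask (10.55.0.0 0.0.3.255)
  * a pool defined by start/end address plus prefix length
  * first come, first served assignment of one inside global per inside local
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style ACL match: wildcard bits set to 1 are 'don't care' bits."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


class NatPool:
    """ip nat pool <name> <start> <end> prefix-length <n> (hypothetical model)."""

    def __init__(self, name: str, start: str, end: str, prefix_length: int):
        self.name = name
        self.start = IPv4Address(start)
        self.end = IPv4Address(end)
        if self.end < self.start:
            raise ValueError("pool end precedes pool start")
        # Both ends must sit inside the stated prefix, as the router expects.
        net = IPv4Network(f"{start}/{prefix_length}", strict=False)
        if self.end not in net:
            raise ValueError("pool range does not fit the prefix length")
        self.network = net

    def addresses(self):
        cur = self.start
        while cur <= self.end:
            yield cur
            cur += 1

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


class DynamicNat:
    """ip nat inside source list <acl> pool <pool>, without overload."""

    def __init__(self, acl, pool: NatPool):
        self.acl = acl            # list of (base, wildcard) permit entries
        self.pool = pool
        self.table = {}           # inside local -> inside global
        self.free = list(pool.addresses())

    def permitted(self, inside_local: str) -> bool:
        return any(wildcard_match(inside_local, b, w) for b, w in self.acl)

    def translate(self, inside_local: str) -> Optional[str]:
        """Return the inside global for a host, allocating one if needed."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.permitted(inside_local):
            return None           # ACL does not permit: packet is not translated
        if not self.free:
            return None           # pool exhausted: no translation can be built
        inside_global = self.free.pop(0)
        self.table[inside_local] = str(inside_global)
        return self.table[inside_local]

    def clear(self) -> None:
        """clear ip nat translation * : drops every dynamic entry."""
        self.free = list(self.pool.addresses())
        self.table.clear()


def lab_demo() -> dict:
    """The four simulated R1 hosts from the lab, translated in order."""
    pool = NatPool("natpool1", "171.18.24.5", "171.18.24.25", 27)
    nat = DynamicNat([("10.55.0.0", "0.0.3.255")], pool)
    hosts = [f"10.55.{i}.1" for i in range(4)]   # constructed sample hosts
    return {h: nat.translate(h) for h in hosts}


def exhaustion_demo():
    """22 permitted hosts against a 21-address pool: the last one gets nothing."""
    pool = NatPool("natpool1", "171.18.24.5", "171.18.24.25", 27)
    nat = DynamicNat([("10.55.0.0", "0.0.3.255")], pool)
    results = [nat.translate(f"10.55.0.{i}") for i in range(1, 23)]
    return sum(r is not None for r in results), results[-1]


if __name__ == "__main__":
    print(lab_demo())
    print(exhaustion_demo())
```

The allocation order in the model is the same as the order of the pool, which is why the four hosts receive .5, .6, .7 and .8; a real router hands out whichever addresses are free at the time, so the exact mapping on a busy network depends on what has already been allocated and what has timed out.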
In this lab you will be using R1, R2 and R3 to simulate a network connected to an ISP at R2, with R2 translating simulated inside hosts from R1 to a public IP address pool towards the internet (R3).
Please review the following commands:
| Command | Description |
|---|---|
| ip nat pool poolname sip.sip.sip.sip eip.eip.eip.eip prefix-length # | Executed in global configuration mode to create a NAT pool, where sip is the starting IP address of the pool range, eip is the ending IP address of the range, and prefix-length # is the prefix length of the address block the pool addresses belong to. |
| ip nat inside source list acl# pool poolname | Executed in global configuration mode to set up an inside-to-outside NAT pool translation, where acl# is the access list in which inside hosts must be permitted in order to obtain a pool address, and poolname references the pool created with the previous command. |
| show ip nat translations | Executed in user or privileged mode to view all current NAT translations in the router's NAT table. |
| clear ip nat translation * | Executed in privileged mode to purge all dynamic NAT translations from the NAT table. Use caution on a live network: it drops the TCP sessions that currently rely on dynamic translations. |
The following logical topology is used in this lab:
Objective 1. – Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loopback0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.55.0.1 255.255.255.0
R1(config-if)#interface loopback1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip add 10.55.1.1 255.255.255.0
R1(config-if)#interface loopback2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R1(config-if)#ip add 10.55.2.1 255.255.255.0
R1(config-if)#interface loopback3
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R1(config-if)#ip add 10.55.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 10.55.0.0 0.0.3.255
R1(config-router)#end
R1#
Objective 2. – Configure the respective NAT interface types, then create a NAT pool on R2 starting with the IP address 171.18.24.5 and ending with the IP address 171.18.24.25, using the prefix length /27.
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface Serial0/0.221
R2(config-subif)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-subif)#interface Serial0/0.223
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#ip nat pool natpool1 171.18.24.5 171.18.24.25 prefix-length 27
R2(config)#
Objective 3. – Create a named extended access list on R2 that matches the simulated hosts on R1 using only a single line in the ACL.
R2(config)#ip access-list extended NATPOOL_ACL
R2(config-ext-nacl)#10 permit ip 10.55.0.0 0.0.3.255 any
R2(config-ext-nacl)#exit
R2(config)#
Objective 4. – Configure a NAT pool translation on R2 using the newly created named ACL and NAT pool.
R2(config)#ip nat inside source list NATPOOL_ACL pool natpool1
R2(config)#end
R2#
Objective 5. – Verify that R1's simulated hosts have IP connectivity to the simulated internet host (4.2.2.2) on R3 via NAT.
R1#ping 4.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/104/196 ms
R1#ping 4.2.2.2 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/108/184 ms
R1#ping 4.2.2.2 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/136/252 ms
R1#ping 4.2.2.2 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/83/224 ms
R1#
Objective 6. – Verify on R2 that the inside hosts are being assigned pool addresses.
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 171.18.24.5:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
---  171.18.24.5       10.55.0.1          ---                ---
icmp 171.18.24.6:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
---  171.18.24.6       10.55.1.1          ---                ---
icmp 171.18.24.7:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
---  171.18.24.7       10.55.2.1          ---                ---
icmp 171.18.24.8:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
---  171.18.24.8       10.55.3.1          ---                ---
R2#
As shown in Objectives 5 and 6, the simulated host IP addresses on R1 have IP connectivity to the simulated server on R3 via the NAT pool translation.
Objective 6 shows that 10.55.0.1 has been assigned the IP 171.18.24.5 from the NAT pool, 10.55.1.1 has been assigned 171.18.24.6, and so on.
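Reading the translation table by eye works for four hosts; for a larger pool it is worth checking mechanically that every inside local address received its own inside global address and that every inside global actually belongs to the configured pool. The following Python checker is an added example, not part of the original lab and not an IOS feature; the sample output embedded in it is constructed to match Objective 6, and the function names are this example's own.

```python
"""Checker for `show ip nat translations` output (added example, not IOS code).

parse_translations() keeps the per-host ('---') rows, which carry the
inside local -> inside global binding for dynamic pool NAT, and skips the
per-flow icmp/tcp/udp rows. audit_pool() then reports any inside global that
is shared between two inside locals or that lies outside the pool range.
"""
from ipaddress import IPv4Address

# Constructed sample, laid out like the Objective 6 output on this page.
SAMPLE = """\
Pro  Inside global      Inside local       Outside local      Outside global
icmp 171.18.24.5:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
---  171.18.24.5       10.55.0.1          ---                ---
icmp 171.18.24.6:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
---  171.18.24.6       10.55.1.1          ---                ---
icmp 171.18.24.7:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
---  171.18.24.7       10.55.2.1          ---                ---
icmp 171.18.24.8:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
---  171.18.24.8       10.55.3.1          ---                ---
"""


def parse_translations(text: str) -> dict:
    """Return {inside_local: inside_global} built from the '---' host rows."""
    bindings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "---":
            continue            # header line or per-flow (icmp/tcp/udp) row
        inside_global, inside_local = fields[1], fields[2]
        bindings[inside_local] = inside_global
    return bindings


def audit_pool(bindings: dict, pool_start: str, pool_end: str) -> list:
    """Return a list of problem descriptions; an empty list means all is well."""
    lo, hi = IPv4Address(pool_start), IPv4Address(pool_end)
    problems = []
    seen = {}                   # inside global -> first inside local using it
    for local, glob in bindings.items():
        if not lo <= IPv4Address(glob) <= hi:
            problems.append(f"{local} -> {glob}: outside pool {pool_start}-{pool_end}")
        if glob in seen:
            problems.append(f"{local} and {seen[glob]} share {glob}")
        seen.setdefault(glob, local)
    return problems


if __name__ == "__main__":
    found = parse_translations(SAMPLE)
    for local, glob in sorted(found.items()):
        print(f"{local:<12} -> {glob}")
    issues = audit_pool(found, "171.18.24.5", "171.18.24.25")
    print("OK" if not issues else "\n".join(issues))
```

On a live router the same check can be fed the output of `show ip nat translations` captured to a file; a shared inside global would only be expected with an overload (PAT) configuration, which this lab does not use, so on this setup any duplicate or out-of-pool address points at a pool or ACL that does not match the intended configuration.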