QuickTutorial Guide Advanced Topics in IP Addressing


Page 1: QuickTutorial Guide Advanced Topics in IP Addressing

Quick Tutorial Guide for Advanced Topics in IP Addressing

CDI Communications Inc

Netwind Learning Center, 4327 South Hwy 27, Suite 331

Clermont (Orlando), FL 34711

Toll Free Tel: 800.617.5586 (407.656.2277)

Toll Free Fax: 877.557.3064

e-mail us at: [email protected]

Copyright © 1996-2013 Netwind Learning Center /

CDi Communications, Inc.

If you are already familiar with IP addressing, subnetting and classes of IP addresses, and understand the difference between private and public IP addresses, this guide will help you master advanced topics like VLSM, supernetting, CIDR, NAT and PAT.


1 Table of Contents

2 VLSM (Variable Length Subnet Masking) ........ 3
2.1 VLSM Practical Example ........ 4
3 Supernetting or Route Summarization ........ 6
4 CIDR (RFC 4632) ........ 8
4.1 A simple example ........ 8
4.2 CIDR in Depth! ........ 9
4.3 MeritRADb routing asset database ........ 11
5 NAT (Network Address Translation) ........ 12
5.1 Introduction ........ 12
5.2 NAT Working ........ 12
6 Types of NAT ........ 13
    Dynamic NAT ........ 13
    Dynamic NAT with overload or PAT ........ 13
    Static NAT ........ 14
6.1 Some of the terminology of NAT worth remembering ........ 14
6.2 A few more things regarding NAT! ........ 14
7 NAT Practical Implementation ........ 15
7.1 Dynamic NAT Configurations ........ 16
7.1.1 Step 1 ........ 16
7.1.2 Step 2 ........ 17
7.1.3 Step 3 ........ 17
7.1.4 Now let's see what's happening on R2 ........ 18
7.2 NAT Overload (PAT) ........ 19
7.3 Static NAT ........ 21
7.4 Troubleshooting NAT ........ 21
8 Some additional NAT settings ........ 22
8.1 SNAT: Stateful Network Address Translation ........ 23


Introduction

We assume that you have read our introductory manual on IP Addressing and are familiar with topics like IP addressing, subnetting, classes of IP addresses, and public and private IP addresses. In this manual we will introduce you to advanced topics in IP addressing like VLSM, Supernetting, Route Summarization, CIDR and NAT. Before that, let's revise your IP addressing concepts by doing the following subnetting exercises.

Class C:

We have an IP of 192.168.2.0/24; our network design requirement is 16 subnets!
We have an IP of 192.168.150.0/24; our network design requirement is 14 hosts per network!
We have an IP of 192.168.100.0/24; our network design requirement is 32 subnets!

Class B:

We have an IP of 172.168.0.0/16; our network design requirement is 16 subnets!
We have an IP of 172.78.0.0/16; our network design requirement is 14 hosts per network!
We have an IP of 172.10.0.0/16; our network design requirement is 32 subnets!

Class A:

We have an IP of 15.0.0.0/8; our network design requirement is 16 subnets!
We have an IP of 10.0.0.0/8; our network design requirement is 14 hosts per network!
We have an IP of 13.0.0.0/8; our network design requirement is 32 subnets!


2 VLSM (Variable Length Subnet Masking):

IPv4 addresses are a very scarce resource; that's why private addresses were created, that's why subnetting was introduced and that's why NATing is done to preserve IP addresses. What if we design our network carelessly and waste many precious IP addresses? This can happen if we don't take precautions in network design and don't use VLSM. VLSM gives us the facility to use networks with different subnet masks in our topology, and believe me, VLSM can save us a lot of address space. To understand this further, please consider the following network:

Suppose we are using the 192.168.10.0 Class C address in the above network and have made 8 subnets like:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.0    192.168.10.0     192.168.10.1      192.168.10.30      192.168.10.31
192.168.10.32   192.168.10.32    192.168.10.33     192.168.10.62      192.168.10.63
192.168.10.64   192.168.10.64    192.168.10.65     192.168.10.94      192.168.10.95
192.168.10.96   192.168.10.96    192.168.10.97     192.168.10.126     192.168.10.127
192.168.10.128  192.168.10.128   192.168.10.129    192.168.10.158     192.168.10.159
192.168.10.160  192.168.10.160   192.168.10.161    192.168.10.190     192.168.10.191
192.168.10.192  192.168.10.192   192.168.10.193    192.168.10.222     192.168.10.223

Do you feel anything is wrong with the above network? Hmm, apparently there is nothing wrong from an addressing point of view, but we are wasting a lot of IP addresses. How? Okay, look at the serial connection between Router0 and Router1: we are using the subnet 192.168.10.32/27, and this subnet gives us the following host addresses:

192.168.10.33, 192.168.10.34, 192.168.10.35, 192.168.10.36, 192.168.10.37, 192.168.10.38 ... till 192.168.10.62!


Suppose we assign 192.168.10.33 and 192.168.10.34 to our connected WAN interfaces; what about the remaining 28 addresses? They are simply wasted! The same thing is happening on Switch0 and Switch4: we are allocating more addresses than actually required. So how can we protect these IP addresses from being wasted? That's where VLSM comes in handy.

2.1 VLSM Practical Example

By using a different subnet mask for each router interface, we can create IP subnets according to the network requirements. For example, for the WAN interface only two IP addresses are required. So if we use a mask of /30 for this Class C address 192.168.10.0, we have 2 host bits, which gives 2^2-2 = 2 hosts per subnet! Any subnet from the /30 mask will fulfil our requirement of two IP addresses for the two connected serial WAN interfaces. So if we take 192.168.10.0 and use 255.255.255.252 as the subnet mask, we can have:

Subnets: 2^6 = 64 subnets, and 2^2-2 = 2 hosts/subnet. Block size = 256-252 = 4, so 0, 4, 8, 12, ...

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.0    192.168.10.0     192.168.10.1      192.168.10.2       192.168.10.3
192.168.10.4    192.168.10.4     192.168.10.5      192.168.10.6       192.168.10.7
192.168.10.8    192.168.10.8     192.168.10.9      192.168.10.10      192.168.10.11
192.168.10.12   192.168.10.12    192.168.10.13     192.168.10.14      192.168.10.15
192.168.10.16   192.168.10.16    192.168.10.17     192.168.10.18      192.168.10.19
192.168.10.20   192.168.10.20    192.168.10.21     192.168.10.22      192.168.10.23
...             ...              ...               ...                ...
192.168.10.252  192.168.10.252   192.168.10.253    192.168.10.254     192.168.10.255

We have chosen the address below for our WAN connection:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.4    192.168.10.4     192.168.10.5      192.168.10.6       192.168.10.7

Okay, if we take a careful look at our switches, Switch0's requirement is 10 hosts, so we need to create a subnet according to this requirement. If we take 4 bits for our subnet, we are left with 4 host bits, which are sufficient to fulfil our requirement because 2^4-2 = 14 hosts! So, repeating the above process, a subnet mask of /28 is enough for this:

So if we take 192.168.10.0 and use 255.255.255.240 as the subnet mask, we can have:

Subnets: 2^4 = 16 subnets, and 2^4-2 = 14 hosts/subnet. Block size = 256-240 = 16, so 0, 16, 32, 48, ...


These subnets can be summarized as:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.0    192.168.10.0     192.168.10.1      192.168.10.14      192.168.10.15
192.168.10.16   192.168.10.16    192.168.10.17     192.168.10.30      192.168.10.31
192.168.10.32   192.168.10.32    192.168.10.33     192.168.10.46      192.168.10.47
192.168.10.48   192.168.10.48    192.168.10.49     192.168.10.78      192.168.10.79
192.168.10.80   192.168.10.80    192.168.10.81     192.168.10.94      192.168.10.95
...             ...              ...               ...                ...
192.168.10.239  192.168.10.239   192.168.10.240    192.168.10.254     192.168.10.255

As we have already used the 192.168.10.4/30 subnet for the WAN, we can use the IP subnet below from the /28 mask to fulfil our requirement:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.16   192.168.10.16    192.168.10.17     192.168.10.30      192.168.10.31

And we can use the same subnet (/28) to fulfill our IP addressing requirements on Switch4; it will not only preserve the IP addresses but will also give us room for a few more IPs, if we expand our network in the future. We will use the following IP addresses for Switch4:

IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.32   192.168.10.32    192.168.10.33     192.168.10.46      192.168.10.47

So our network with VLSM will look like:

The above network, with different subnet masks, is known as a classless network! To route packets on such a network we use routing protocols which support classless networks: RIPv2, EIGRP and OSPF do. When using VLSM, care should be taken to avoid IP address conflicts. This can be achieved via proper documentation of the IP addressing scheme used in the network, or any method that seems convenient to you, but proper documentation is always recommended!

Please remember: in VLSM, always start from the network with the largest host requirement!
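To make that rule concrete, here is an added Python example (not from the tutorial) that carves 192.168.10.0/24 by host requirement, largest first. The segment names and host counts are assumptions based on the network described above; the largest-first order produces a different but equally valid layout from the one chosen by hand above.

```python
"""VLSM allocation worked in code: carve 192.168.10.0/24 by host requirement.

Added example (not from the tutorial): the segment names and host counts are
constructed from the network described above; they are assumptions.
"""
import ipaddress
import math

# Constructed requirements for the example network above.
REQUIREMENTS = {
    "Switch0 LAN": 10,
    "Switch4 LAN": 10,
    "Router0-Router1 WAN": 2,
}


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^n - 2) covers `hosts`.

    Two host bits is the floor: a /31 or /32 leaves no room for the network
    and broadcast addresses in the classic scheme used above.
    """
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def allocate_vlsm(block, requirements):
    """Assign one right-sized subnet per segment, largest requirement first.

    Each subnet is taken from the lowest free chunk that can hold it, and the
    rest of that chunk goes back to the free list, so allocations never
    overlap: the address conflicts the text warns about cannot arise.
    Returns [(segment, IPv4Network)] in allocation order.
    """
    free = [ipaddress.ip_network(block)]
    allocations = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        for i, chunk in enumerate(free):
            if chunk.prefixlen > plen:
                continue  # chunk too small for this subnet
            subnet = chunk if chunk.prefixlen == plen else next(chunk.subnets(new_prefix=plen))
            # return whatever is left of the chunk to the free list, lowest first
            free[i:i + 1] = sorted(chunk.address_exclude(subnet))
            allocations.append((name, subnet))
            break
        else:
            raise ValueError(f"{block} exhausted before {name} ({hosts} hosts)")
    return allocations


def describe(network):
    """Network, first host, last host and broadcast, as in the tables above."""
    net = ipaddress.ip_network(network)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def usable_addresses(allocations):
    """Usable host addresses consumed by a set of allocations."""
    return sum(net.num_addresses - 2 for _, net in allocations)


if __name__ == "__main__":
    plan = allocate_vlsm("192.168.10.0/24", REQUIREMENTS)
    print(f"{'Segment':<21} {'Network':<18} {'1st host':<15} {'Last host':<15} Broadcast")
    for name, net in plan:
        _, first, last, bcast = describe(net)
        print(f"{name:<21} {str(net):<18} {first:<15} {last:<15} {bcast}")
    fixed = 3 * 30  # three /27 subnets with 30 usable hosts each, as in the first design
    print(f"usable addresses consumed: {usable_addresses(plan)} with VLSM vs {fixed} with /27 everywhere")
```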


3 Supernetting or Route Summarization

Route summarization is all about minimizing the processing load of routers and making networks operate robustly. Via route summarization, instead of advertising individual network IDs, a router advertises a summary of similar subnets. By sending this summary of addresses, the neighbor routers are able to send data to all the networks covered by the advertised summary. That summary route is a sort of superset of all the networks for which we have configured it; that's why it is also called supernetting. The other common term for route summarization is route aggregation, used in BGP! There could be various route summaries for a given set of IP addresses, but the best summary is the one which narrows down the IP address space as much as possible. Let's understand this via an example:

Let's suppose the following networks are connected to our Corporate router:

192.168.16.0/24
192.168.17.0/24
192.168.18.0/24
192.168.19.0/24
172.1.4.0/24
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24

If the router advertises each network individually to its connected routers, it will increase routing processing not only on our Corporate router but also on the connected routers, as each router has to parse the individual routes; maintaining a big routing table is also a hefty task for a router.


In the given network, we have a total of 8 network addresses in the routing table. We will use route summarization to summarize these into only two addresses, one for the 192.168.X.X address space and one for 172.1.X.X! So how can we create a summary route for the first block, i.e.:

192.168.16.0/24
192.168.17.0/24
192.168.18.0/24
192.168.19.0/24

Hmm, in the above addresses the first two octets are the same. Converting our addresses into binary:

Address       1st Octet  2nd Octet  3rd Octet  4th Octet
192.168.16.0  11000000   10101000   00010000   00000000
192.168.17.0  11000000   10101000   00010001   00000000
192.168.18.0  11000000   10101000   00010010   00000000
192.168.19.0  11000000   10101000   00010011   00000000
Subnet Mask   255        255        252        0

Okay, the 1st and 2nd octets are identical, and the first 6 bits of the 3rd octet (highlighted in the original table) are identical too. Our summary address would be the lowest of the addresses, i.e. 192.168.16.0, and our modified subnet mask would be /22, i.e. 255.255.252.0 (the 6 shared bits in the 3rd octet are counted as 1s while calculating the revised mask)! The same process can be repeated for the Class B addresses:

172.1.4.0/24
172.1.5.0/24
172.1.6.0/24
172.1.7.0/24

Address      1st Octet  2nd Octet  3rd Octet  4th Octet
172.1.4.0    10101100   00000001   00000100   00000000
172.1.5.0    10101100   00000001   00000101   00000000
172.1.6.0    10101100   00000001   00000110   00000000
172.1.7.0    10101100   00000001   00000111   00000000
Subnet Mask  255        255        252        0

So our summary route is 172.1.4.0/22, or 172.1.4.0 255.255.252.0. Once these summary routes are configured on our above network, it would advertise all the networks connected to it in the form of the following supernetted IP addresses:

192.168.16.0/22 & 172.1.4.0/22

Route summarization is one of the main features of OSPF: routes are summarized at the ABRs (Area Border Routers) and advertised into the backbone area by all the other connected regular areas. BGP also uses route aggregation. Care should be taken while implementing route summarization: we should minimize the risk of the summary covering IP addresses which don't belong to our network. If this is not considered, we will begin getting packets for addresses which are not configured in our network.
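As an added example, not part of the original guide, the following Python code reproduces the common-bits method for the two Corporate router blocks and adds the check the last paragraph calls for: which addresses a summary would attract that are not actually behind the router. The third input set, with 192.168.18.0/24 missing, is constructed to show such a gap.

```python
"""Route summarization with an over-summarization check.

Added example, not from the tutorial. It reproduces the common-leading-bits
method worked above for the two Corporate router blocks and then reports
which addresses a summary would attract that are not actually behind the
router, which is the risk the section ends on.
"""
import ipaddress


def _as_networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def binary_octets(address):
    """Render a dotted address as four 8-bit groups, as in the tables above."""
    packed = ipaddress.ip_address(address).packed
    return " ".join(f"{octet:08b}" for octet in packed)


def summary_route(prefixes):
    """Most specific single prefix covering every network in `prefixes`.

    Starting from the first network, widen the mask one bit at a time until
    the candidate contains all of them. The result is the lowest address with
    a mask equal to the number of leading bits the networks share.
    """
    nets = _as_networks(prefixes)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def uncovered_space(prefixes):
    """Ranges inside summary_route(prefixes) that are not in `prefixes`.

    Any result here is address space the router would advertise without
    owning; traffic for it would be pulled toward this router and dropped.
    Contiguous, power-of-two aligned input (like 192.168.16-19.0/24) gives [].
    """
    nets = _as_networks(prefixes)
    holes = [summary_route(nets)]
    for n in nets:
        remaining = []
        for hole in holes:
            if n.subnet_of(hole):
                remaining.extend(hole.address_exclude(n))  # punch n out of the hole
            elif not hole.subnet_of(n):
                remaining.append(hole)                      # disjoint, keep as is
            # else: the hole lies entirely inside n and is already covered
        holes = remaining
    return sorted(holes)


if __name__ == "__main__":
    corporate = ["192.168.16.0/24", "192.168.17.0/24", "192.168.18.0/24", "192.168.19.0/24"]
    for p in corporate:
        print(f"{p:<18} {binary_octets(p.split('/')[0])}")
    print("summary:", summary_route(corporate), "uncovered:", uncovered_space(corporate))
    # Constructed gap: 192.168.18.0/24 is no longer behind the router.
    gappy = ["192.168.16.0/24", "192.168.17.0/24", "192.168.19.0/24"]
    print("summary:", summary_route(gappy), "uncovered:", uncovered_space(gappy))
```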


4 CIDR (Classless Inter Domain Routing)

Classless Inter Domain Routing (CIDR) is like supernetting, route summarization and VLSM at the ISP end; that's why it is called Classless Inter Domain Routing. Confusing? Okay, let us discuss it via an example; it will help us picture the whole concept. As we learned in route summarization, instead of advertising each address, a router makes a block of addresses and advertises it, which minimizes load on routers and enhances network efficiency.

Instead of assigning addresses according to the classful subnet boundaries, the ISPs began to assign IP addresses in the form of blocks. It was then the duty of the ISPs to assign smaller blocks to their customers from the big block. With CIDR the routers were given the ability to process IP addresses according to the classless subnet prefix instead of the leading 0 and 1 bits of each IP address. In other words, the routers were programmed to understand the prefix through which they can decide to which domain (major block of IPs) the addresses are assigned.

If a whole Class A, B or C address is assigned to an organization, there is a chance of wasting IP addresses, so IP address conservation was one of the main reasons behind the development of CIDR by IANA. IANA suggested assignment of IP address ranges other than along the conventional class paradigm. These policies not only helped in preventing the wastage of IP addresses but also reduced the load on the global routing tables. So the two goals behind the creation of CIDR by IANA were:

• To reduce the global routing table size
• To preserve the IP address space

4.1 A simple example:

Let's understand the first point via an example. Suppose we have a block of addresses as given below:

192.168.20.0/24
192.168.21.0/24
192.168.22.0/24
192.168.23.0/24

We can summarize these addresses as follows. Our block size is 4, so our best subnet choice in the 3rd octet is 256-4 = 252, and we can summarize the above network IDs with the following subnet: 192.168.20.0 255.255.252.0, or 192.168.20.0/22. Have you noticed one interesting thing? We have moved backward from the standard Class C boundary. We have an IP address 192.168.20.0 with the prefix /22, which represents a block of 4 /24 subnets. Now the router will only advertise the /22 address, and the same process is repeated from our side to our ISP. Our ISP does the same route aggregation and advertises a single block to higher networks, and the process goes on. Without this process we would have millions of entries in the global routing tables! And how are the IP addresses conserved? Well, they are conserved when a specific block of IP addresses is assigned to customers. An ISP will never assign a classful address to any corporation, as a lot of addresses would go to waste and the ISP can't take back the unused addresses. As a solution to this problem, IP address ownership and IP address lending schemes were introduced, but they are still under review amidst much heated debate.

4.2 CIDR in Depth!

Suppose our ISP owns an address block: 200.24.0.0/16. What does this mean? An address block comprises the different addresses that the ISP can allocate and sell to its customers. The IP address block 200.24.0.0/16 can represent 2^16 = 65,536 IP addresses. Suppose from this block it wants to allocate the 200.24.15.0/20 address block. So how much address space is this in reality? Simple: 2^12 = 4096, or 16 /24s. How? The block size is /20, or in other words 255.255.240.0, so the block size can be calculated as 256-240 = 16; this means the given /20 block comprises 16 /24 addresses if we are considering a classful environment:

200.24.15.0
200.24.16.0
200.24.17.0
200.24.18.0
200.24.19.0
200.24.20.0
200.24.21.0
200.24.22.0
200.24.23.0
200.24.24.0
200.24.25.0
200.24.26.0
200.24.27.0
200.24.28.0
200.24.29.0
200.24.30.0

Each address has the capacity to represent 255 addresses, so 255*16 = 4096, as already mentioned above. So if the ISP distributes these among 3 organizations named A, B and C, the distribution would be as follows:

200.24.15.0, 200.24.16.0, 200.24.17.0, 200.24.18.0: block size of 4, 256-4 = 252, so the whole block would be 200.24.15.0/30. The block 200.24.15.0/30 will be assigned to Organization A.

200.24.19.0, 200.24.20.0, 200.24.21.0, 200.24.22.0, 200.24.23.0, 200.24.24.0, 200.24.25.0, 200.24.26.0: block size of 8, 256-8 = 248, so the whole block would be 200.24.19.0/21. The block 200.24.19.0/21 will be assigned to Organization B.

200.24.27.0, 200.24.28.0, 200.24.29.0, 200.24.30.0: block size of 4, 256-4 = 252, so the whole block would be 200.24.27.0/30. The block 200.24.27.0/30 will be assigned to Organization C.

So the above hierarchy, in a CIDR environment, works like this:

Internet
  ISP: 200.24.0.0/16
    200.24.15.0/20
      Org A: 200.24.15.0/30  (200.24.15.0, 200.24.16.0, 200.24.17.0, 200.24.18.0)
      Org B: 200.24.19.0/21  (200.24.19.0, 200.24.20.0, 200.24.21.0, 200.24.22.0,
                              200.24.23.0, 200.24.24.0, 200.24.25.0, 200.24.26.0)
      Org C: 200.24.27.0/30  (200.24.27.0, 200.24.28.0, 200.24.29.0, 200.24.30.0)

Believe me, by doing the above process, we have cracked all the route aggregation and summarization at the Global, ISP and Organization levels.


You will feel that CIDR looks the same as VLSM. Yes, that's right to some extent. Both allow us to change the IP layout according to our requirements, but VLSM is invisible to the global internet; VLSM can be felt only in our internal network topology. On the other side, CIDR is visible to the global internet: a global Internet Registry can assign any CIDR block or prefix block to a top-level ISP, to a medium-level ISP or to a private organization.

4.3 MeritRADb routing asset Database:

Okay, now some interesting stuff. If you want to see all this CIDR and route summarization in action, visit MeritRADb, the Routing Asset Database website. This website provides information related to all the routed networks and ASs (Autonomous Systems) on the internet, up to this very instant! For example, if we want to dig into the IP 173.194.67.104, we go to the MeritRADb website, http://www.ra.net/, and query this IP using the "Query the RADb" box. The output is quite interesting:

route:      173.194.67.0/24
descr:      Google
origin:     AS15169
notify:     [email protected]
mnt-by:     MAINT-AS15169
changed:    [email protected] 20121119
source:     RADB

This IP (173.194.67.104) is owned by Google! Okay, one more IP: 205.134.232.114

route:      205.134.224.0/19
descr:      Corporate Colocation, Inc.
origin:     AS17139
notify:     [email protected]
mnt-by:     MAINT-CORPCOLO
changed:    [email protected] 20071108
source:     RADB

The above IP (173.194.67.104) is somehow part of the larger route shown in the RADb output. The Routing Asset Database website is a great place to spend your weekend time!

Please remember that IANA or Internet Assigned Numbers Authority is the organization responsible for taking care of the global IP address allocation and other IP related activities.


5 NAT (Network Address translation)

5.1 Introduction:

In simple words, NAT is about IP address translation or conversion. This translation serves two purposes:

• Translation of private addresses into public addresses
• Translation of internal addresses to avoid duplication or for topology hiding

As you know, private IP addresses are not routable on the internet; that's why we need to configure NAT on our gateways to talk to the public internet. Duplication of addresses can take place if we merge two organizations and they both have the same IP plan; in such a case NAT is used to avoid such issues via a DNS server. As discussed under VLSM and CIDR, IP address preservation was also one of the main causes behind the introduction of NAT.

5.2 NAT Working:

To understand how NAT (Network Address Translation) works, please consider the block diagram below:

Local Network (Private Address Space) --- Gateway --- Global Network
Inside Local IPs ---> Inside Global IPs

The above diagram explains NAT in its simplest form. NAT is configured on the gateway, where address translation or mapping takes place. The global network is unaware of the internal local addresses of our network; that's why NAT is helpful in hiding our network topology.

For an interesting demonstration of NAT, please check the URL http://www.cisco.com/image/gif/paws/6450/nat.swf.


6 Types of NAT:

There are three types of NAT mostly used in network design:

• Dynamic NAT
• Dynamic NAT with overload (also called PAT: Port Address Translation)
• Static NAT

While implementing NAT on a router, we first define an ACL (normally a standard access control list) to define the internal IPs that we are going to translate. These addresses are technically called Inside Local addresses. Then we apply our NAT commands in global configuration mode, specifying the list of addresses in our ACL and the public addresses into which we want to translate them. These public addresses are technically called Inside Global addresses.

Dynamic NAT: In dynamic NAT, as the name suggests, address translation takes place by allocating available public IPs from a pool dynamically. We define a pool of global IP addresses for NAT, and this pool is then associated with the local IPs for translation. Address translation works until all of the addresses in the pool are consumed by established connections.

Dynamic NAT with overload or PAT: Overloading is used to enhance the addressing capability of NAT, and for this magic PAT is used. PAT stands for Port Address Translation, so as the name implies, port numbers are used with the local hosts. At the same time, port numbers are also used with the inside global IP. Via this association, a single global IP can be used for around 65000 addresses! This is better explained via the chart below:

Protocol  Inside Local IP : Port  Inside Global IP : Port
TCP       192.168.3.2:1723        170.16.3.2:1456
TCP       192.168.3.1:1744        170.16.3.2:1098
TCP       192.168.3.10:1764       170.16.3.2:4432

As you can see, we have a single global IP but different port numbers. This table is maintained by the router, and it forwards packets accordingly. Suppose IP 192.168.3.2:1723 has established a global connection via 170.16.3.2:1456; once any packet is received on this IP and port (170.16.3.2:1456), it is forwarded according to the above table to 192.168.3.2:1723. You must be aware of the fact that port numbers are used by a host to establish different connections to the outside world and keep track of each established connection.

Suppose a connection to a web server's port 80 would look like:

Inside Global IP : Port  Outside Global IP address : Port
170.16.3.2:1456          173.194.23.4:80
170.16.3.2:1098          173.194.23.4:80


Static NAT: Static NAT is a one-to-one mapping of internal addresses to global IP addresses. In network design, static NAT is best if we are going to host a server inside our network and want it to be accessible from the global internet.
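The PAT chart above and this static case as a small Python model, added here and not part of the tutorial: the inside local hosts and the inside global address 170.16.3.2 are the chart's values, while the ports the gateway hands out and the static server mapping (192.168.3.50 to 170.16.3.3) are constructed. It shows why one address serves many hosts, and why an unsolicited inbound packet matches only a static entry.

```python
"""A gateway translation table modelled on the PAT chart above.

Added example, not the tutorial's code. 170.16.3.2 and the inside local hosts
come from the chart; the ports the gateway hands out and the static server
mapping are constructed for this example.
"""


class NatGateway:
    """Keeps the router's translation table for overload (PAT) and static NAT."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global  # the single public address
        self.next_port = first_port         # next global port to hand out
        self.pat_out = {}   # (proto, "local_ip:port") -> global port
        self.pat_in = {}    # (proto, global port)    -> "local_ip:port"
        self.static = {}    # global ip -> inside local ip (one-to-one)

    def add_static(self, inside_local_ip, inside_global_ip):
        """Static NAT: permanent one-to-one entry, usable from either direction."""
        self.static[inside_global_ip] = inside_local_ip

    def outbound(self, proto, inside_local):
        """Translate an inside host's ip:port for a packet leaving the network.

        The first packet of a flow creates the PAT entry; later packets of the
        same flow reuse it, so replies can be matched back to the host.
        """
        key = (proto, inside_local)
        if key not in self.pat_out:
            port = self.next_port
            self.next_port += 1
            self.pat_out[key] = port
            self.pat_in[(proto, port)] = inside_local
        return f"{self.inside_global}:{self.pat_out[key]}"

    def inbound(self, proto, destination):
        """Reverse-translate a packet arriving from outside, or None to drop it.

        A static mapping forwards any port to its host. A dynamic (PAT) entry
        only exists for flows the inside host started, which is why dynamic
        NAT alone does not let outside hosts reach inside servers.
        """
        ip, port = destination.rsplit(":", 1)
        if ip in self.static:
            return f"{self.static[ip]}:{port}"
        if ip != self.inside_global:
            return None
        return self.pat_in.get((proto, int(port)))

    def table(self):
        """Rows in the order of the chart: protocol, inside local, inside global."""
        return [(proto, local, f"{self.inside_global}:{port}")
                for (proto, local), port in self.pat_out.items()]


if __name__ == "__main__":
    gw = NatGateway("170.16.3.2", first_port=1456)
    for local in ("192.168.3.2:1723", "192.168.3.1:1744", "192.168.3.10:1764"):
        gw.outbound("TCP", local)
    for row in gw.table():
        print("{:<5} {:<20} {}".format(*row))
    print("reply to 170.16.3.2:1456 ->", gw.inbound("TCP", "170.16.3.2:1456"))
    print("unsolicited 170.16.3.2:8080 ->", gw.inbound("TCP", "170.16.3.2:8080"))
    gw.add_static("192.168.3.50", "170.16.3.3")  # constructed: a web server behind static NAT
    print("static 170.16.3.3:80 ->", gw.inbound("TCP", "170.16.3.3:80"))
```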

6.1 Some of the terminology of NAT worth remembering:

Inside Local: the host address inside the network that we want to translate
Outside Local: translated address of the outside hosts, as seen from inside our network
Inside Global: the addresses used to translate the inside addresses
Outside Global: addresses of outside hosts as seen on the outside

The above mentioned three types of NAT can be summed up as:

Static NAT: one-to-one mapping; creates a permanent entry in the NAT table; enables bidirectional initiation.
Dynamic NAT: many-to-many; fewer addresses than hosts; entries dynamically created; configured using a pool.
Overload NAT: allows multiple hosts to use a single address; around 65000 addresses per global IP; entries time out after some time.

6.2 A few more things regarding NAT!

A few more NAT terms:

• Policy based NAT
• Port redirection (one-to-one mapping for a single port, also called Static PAT)
• NVIs or NAT Virtual Interfaces (a newer method of NAT configuration in which there is no need for an inside/outside definition on an interface; the NAT table is maintained on a per-interface basis)

I think we have covered enough of the terminology regarding Network Address Translation; now it's time to practically implement all of the above concepts to get a strong technical grasp of it.


7 NAT Practical Implementation:

For the practical implementation of NAT on a Cisco router, follow these three steps:

• Designate the inside/outside interfaces for NAT
• Define an ACL for the local host IPs
• Implement NAT from global configuration mode

For VoIP protocols, simply modifying the source header is not enough, so we have to enable special NAT services to support SIP, Skinny and similar protocols. There are also other issues that might arise from changing the IP in a packet, as it changes the packet checksum value and the encapsulated data, and hence can break the meaning of the application.

In our lab, we are using c2691 series routers in GNS3. We will emulate our ISP. Loopback interfaces are created on R1 to emulate different connected networks. R2 is our gateway router, and all of the NATing is done on this router: the ACL and the different sorts of NAT will be configured on R2. Please note that RIP is running on our current topology; you can run any routing protocol you find convenient.

R1 interfaces are configured as follows:

Interface        IP           Subnet Mask
Loopback2        192.168.2.1  255.255.255.0
Loopback3        192.168.3.1  255.255.255.0
Loopback4        192.168.4.1  255.255.255.0
FastEthernet0/1  192.168.1.1  255.255.255.0


RIP is enabled for routing of the addresses:

router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
! Some of the output is omitted.

So as is evident from the above configuration, we have created three loopback interfaces, 192.168.3.1/24, 192.168.2.1/24 and 192.168.4.1/24, and Fa 0/0 is assigned the 192.168.1.1/24 address. RIP is configured and all the routes known to R1 are advertised!

7.1 Dynamic NAT Configurations:

In this part we are going to configure Dynamic NAT on our gateway router (R2). We will follow the three steps mentioned above:

1. Labeling the interfaces
2. Configuring the ACL for hosts
3. Implementing NAT from global config mode

So here we go, and you will see it's not that difficult to implement practically. Suppose we want to configure Dynamic NAT on R2. For this purpose, we need a pool of global IP addresses that will be dynamically mapped to our local hosts, so we need to buy these addresses from our ISP (just assume we bought the following IP pool from our ISP: 171.16.10.52 - 171.16.10.56). We will follow the above mentioned three steps to implement dynamic NAT on our current network topology.

7.1.1 Step 1: Labeling the interfaces:

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
interface Serial1/0
 ip address 171.16.10.1 255.255.255.0
 ip nat outside

7.1.2 Step 2: An ACL needs to be created for the local host IPs that we want to translate:

ip access-list standard NAT_IPs
 permit 192.168.3.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255

7.1.3 Step 3: Once the ACL is created, we need to configure our IP pool and dynamic NAT from global configuration like this:

ip nat pool Global_IP_Pool 171.16.10.52 171.16.10.56 netmask 255.255.255.0
ip nat inside source list NAT_IPs pool Global_IP_Pool

Our pool name is Global_IP_Pool and our ACL name is NAT_IPs. Some of the other things done on R2 are a static route to the ISP and RIP (for routing on the network):

!
router rip
 passive-interface Serial1/0
 ! passive-interface stops RIP advertisements to our emulated ISP
 network 171.16.0.0
 network 192.168.1.0
!
ip route 171.16.0.0 255.255.0.0 171.16.10.2
!
!

And we are done with our Dynamic NAT! Now some other fun commands. In order to check the IP NAT translations going on in the network, we just issue the show ip nat translations command on R2 and see the result:

Page 19: QuickTutorial Guide Advanced Topics in IP Addressing

18

From R1 we ping our ISP:

  R1#ping 171.16.10.2 source 192.168.3.1

We get successful ping results to 171.16.10.2. The source IP was changed on R2 during the ping, as we have configured NAT on R2.

7.1.4 Now let's see what's happening on R2: our ping request originated from the inside local address 192.168.3.1 and has been translated into the inside global address 171.16.10.52. One other interesting command for your geek mind:

I hope after going through all of the above commands you will have confidence in yourself and will see how interesting it is to implement NAT. Just remember one thing: if dynamic NAT is used, we can't access our local hosts from outside the network, as the router will not know where it has to route the packets; for this purpose Static NAT is recommended, which we will discuss shortly.

Okay, as an example, please perform some practice of dynamic NAT with the following requirements:

• The routing protocol running is EIGRP with AS # 4
• The IP pool name is CORP-IP pool
• The ACL allows only the 192.168.3.0/24 network to translate

7.2 NAT Overload (PAT):

Now we are going to implement NAT overload on R2, so we need to add overload to the end of the ip nat command, like:

  ip nat inside source list Whitelist_IPs pool Global_IP_Pool overload

First we will clear all IP NAT translations (that were created previously, once we configured dynamic NAT) by issuing the following command:

  R2#clear ip nat translation *

Now we will overload the NAT by using the overload keyword at the end of our dynamic NAT command:

  R2(config)#ip nat inside source list NAT_IPs pool Global_IP_Pool overload

To check our NAT in action, we will issue some pings from our loopback interfaces on R1:

  R1#ping 171.16.10.2 source 192.168.3.1
  Successful!
  R1#ping 171.16.10.2 source 192.168.3.1
  Successful!
  R1#ping 171.16.10.2 source 192.168.2.1
  Successful!
  R1#ping 171.16.10.2 source 192.168.4.1
  Successful!

All of these pings were successful via NATing. To check the NAT translations on R2, we use the following command:

  R2#show ip nat translations
  //Some of the output omitted//
  icmp 171.16.10.53:4    192.168.2.1:4    171.16.10.2:4    171.16.10.2:4
  icmp 171.16.10.53:3    192.168.3.1:3    171.16.10.2:3    171.16.10.2:3
  icmp 171.16.10.53:5    192.168.4.1:5    171.16.10.2:5    171.16.10.2:5

PAT can be seen in action in the output of the show ip nat translations command below:

  R2#show ip nat translations
  /// Some of the part omitted//
  udp 171.16.10.53:49157 192.168.2.1:49157 171.16.10.2:33437 171.16.10.2:33437
  udp 171.16.10.53:49158 192.168.2.1:49158 171.16.10.2:33438 171.16.10.2:33438
  udp 171.16.10.53:49159 192.168.2.1:49159 171.16.10.2:33439 171.16.10.2:33439
  udp 171.16.10.53:49164 192.168.2.1:49164 171.16.10.2:33437 171.16.10.2:33437
  udp 171.16.10.53:49165 192.168.2.1:49165 171.16.10.2:33438 171.16.10.2:33438
  udp 171.16.10.53:49166 192.168.2.1:49166 171.16.10.2:33439 171.16.10.2:33439
  icmp 171.16.10.53:10   192.168.3.1:10   171.16.10.2:10    171.16.10.2:10

If we want to check the NAT in real time, all the action can be seen via the debug ip nat command on R2. Once the debug command is issued, all the IP changes happening in real time are shown on R2 as follows:

  R2#
  *Mar 1 00:07:31.079: NAT: [0] Allocated Port for 192.168.2.1 -> 171.16.10.53: wanted 6 got 6
  *Mar 1 00:07:31.083: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
  *Mar 1 00:07:31.087: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
  *Mar 1 00:07:31.087: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [30]
  *Mar 1 00:07:31.115: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [30]
  *Mar 1 00:07:31.115: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [30]
  *Mar 1 00:07:31.147: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [31]
  *Mar 1 00:07:31.147: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [31]
  *Mar 1 00:07:31.179: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [31]
  *Mar 1 00:07:31.179: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [31]
  *Mar 1 00:07:31.191: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [32]
  *Mar 1 00:07:31.191: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [32]
  *Mar 1 00:07:31.211: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [32]
  *Mar 1 00:07:31.211: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [32]
  *Mar 1 00:07:31.219: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [33]
  *Mar 1 00:07:31.219: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [33]

Please don't keep the debug command running for long intervals on a production network. All this action will be seen only if we issue some connectivity commands from other routers whose packets are going through R2. It's one of the best ways to check and troubleshoot different NAT issues. Please remember, PAT (Port Address Translation) is a one-way NAT; we can't use it as a both-way NAT solution.
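When an outside party (an abuse report, a firewall log at the ISP) names one of our inside global addresses and a port, the show ip nat translations table is what maps that back to the inside host. The following is an added example, not part of the original guide: a small Python parser for the five-column table shown above, a reverse lookup from (protocol, inside global ip, port) to the inside local host, a check that an address is fronting several hosts (which only happens with overload), and a listing of the permanent static entries. The sample output is constructed from the rows on this page plus one static SMTP row in the form IOS prints for an entry that has not yet carried traffic (the "---" outside columns are an assumption about that format, not output from the lab).

```python
from collections import defaultdict

# Constructed sample in the column layout of `show ip nat translations`:
# the PAT rows are the ones shown in section 7.2, plus one static port
# entry of the kind section 7.3 creates (outside columns shown as "---").
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 171.16.10.1:25     192.168.4.1:25     ---                ---
icmp 171.16.10.53:4    192.168.2.1:4      171.16.10.2:4      171.16.10.2:4
icmp 171.16.10.53:3    192.168.3.1:3      171.16.10.2:3      171.16.10.2:3
icmp 171.16.10.53:5    192.168.4.1:5      171.16.10.2:5      171.16.10.2:5
udp 171.16.10.53:49157 192.168.2.1:49157  171.16.10.2:33437  171.16.10.2:33437
udp 171.16.10.53:49164 192.168.2.1:49164  171.16.10.2:33437  171.16.10.2:33437
"""


def _endpoint(field):
    """'ip:port' -> (ip, port); a bare ip -> (ip, None); '---' -> None."""
    if field == "---":
        return None
    ip, _, port = field.rpartition(":")
    if not ip:                      # no ':' present: address-only (plain dynamic NAT) entry
        return (port, None)
    return (ip, int(port))


def parse_translations(text):
    """Parse the five-column table into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return rows


def attribute(rows, proto, global_ip, global_port):
    """Reverse lookup: which inside-local host:port stands behind a given
    inside-global address:port (the tuple an outside party sees)?"""
    for r in rows:
        if r["proto"] == proto and r["inside_global"] == (global_ip, global_port):
            return r["inside_local"]
    return None


def pat_in_use(rows):
    """True when one inside-global address fronts more than one inside host,
    which is only possible with the overload keyword."""
    hosts_behind = defaultdict(set)
    for r in rows:
        hosts_behind[r["inside_global"][0]].add(r["inside_local"][0])
    return any(len(hosts) > 1 for hosts in hosts_behind.values())


def static_entries(rows):
    """Entries with no outside endpoints are the permanent (static) mappings
    that stay in the table regardless of the translation timeout."""
    return [(r["proto"], r["inside_global"], r["inside_local"])
            for r in rows if r["outside_global"] is None]


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print("PAT in use:", pat_in_use(table))
    print("171.16.10.53:49164/udp is", attribute(table, "udp", "171.16.10.53", 49164))
    print("static:", static_entries(table))
```

Because a dynamic entry disappears after the translation timeout, this attribution only works while the entry is alive; on a production router the table has to be captured (or NAT logging exported) at the time of the event, which is the defensive reason for not relying on debug ip nat alone.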

7.3 Static NAT:

In this part we will discuss the last common type of NAT, which is Static NAT. We will also discuss some of the features and special services of NAT. The discussion ends with a brief overview of SNAT (Stateful Network Address Translation).

Now let's suppose we have our email server on 192.168.4.1/24 on R1 (in our GNS3 lab topology). Suppose we want to create a static NAT entry for SMTP (Simple Mail Transfer Protocol) on this server, so it can communicate with the outside world and the SMTP service on this server is accessible from outside as well. It is achieved by enabling Static NAT on R2; we just need to issue the following command in global configuration mode:

  ip nat inside source static tcp 192.168.4.1 25 interface Serial1/0 25

Port 25 is the SMTP port, i.e. the email server port. If any packet is received on port 25 on our router R2's interface Serial1/0, it will be forwarded to our SMTP server 192.168.4.1, and vice versa. So if we look at our NAT translations, we will see a permanent static NAT entry for TCP port 25:

This entry will not expire from the NAT table after the translation timeout, whereas all dynamic entries are deleted from the NAT translation table after the translation timeout. As we have already discussed, static mapping is mostly used for server accessibility from outside the local network. Please remember, STATIC NAT is a both-way NAT, i.e. we can use it for access from outside our network.
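The behaviour described in sections 7.1 (dynamic NAT), 7.2 (overload) and 7.3 (static NAT) can be made concrete in a small model of R2's translation table. The following is an added example, not code from the guide or from Cisco IOS: a Python class that applies the NAT_IPs ACL, the five-address Global_IP_Pool and the static SMTP entry from this page to outbound and inbound packets. It shows three things the prose states but the lab output does not: a sixth inside host finds the one-to-one dynamic pool exhausted, an unsolicited packet from outside to a pool address with no entry is dropped, and the static entry answers from outside with no prior inside traffic in either mode. The port allocation order and the choice of the first pool address under overload are simplifications, not IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Minimal model of R2's NAT table. Addresses come from the guide; the
    port/address allocation order is a simplification, not IOS behaviour."""
    inside_acl: list                 # networks permitted by 'ip access-list standard NAT_IPs'
    pool: list                       # inside-global addresses from 'ip nat pool Global_IP_Pool'
    overload: bool = False           # the 'overload' keyword (PAT)
    static: dict = field(default_factory=dict)  # (proto, global_ip, port) -> (inside_ip, port)
    hosts: dict = field(default_factory=dict)   # dynamic NAT: inside_ip -> global_ip
    flows: dict = field(default_factory=dict)   # PAT: (proto, inside_ip, port) -> (global_ip, port)
    next_port: int = 1024

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.inside_acl)

    def outbound(self, proto, src_ip, src_port):
        """Packet entering on the 'ip nat inside' interface. Returns the
        (inside-global ip, port) written into it, or None when nothing is
        translated (ACL miss, or dynamic pool exhausted)."""
        if not self._permitted(src_ip):
            return None
        if self.overload:
            key = (proto, src_ip, src_port)
            if key not in self.flows:           # new flow: same address, fresh port
                self.flows[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            return self.flows[key]
        if src_ip not in self.hosts:            # one-to-one: one pool address per host
            free = [g for g in self.pool if g not in self.hosts.values()]
            if not free:
                return None                     # pool exhausted, host stays untranslated
            self.hosts[src_ip] = free[0]
        return (self.hosts[src_ip], src_port)

    def inbound(self, proto, dst_ip, dst_port):
        """Packet arriving on the 'ip nat outside' interface addressed to an
        inside-global ip:port. Returns the inside-local (ip, port) it is
        forwarded to, or None when no entry matches and it is dropped."""
        if (proto, dst_ip, dst_port) in self.static:   # permanent entries need no prior traffic
            return self.static[(proto, dst_ip, dst_port)]
        if self.overload:
            for (p, ip, port), glob in self.flows.items():
                if p == proto and glob == (dst_ip, dst_port):
                    return (ip, port)
            return None
        for ip, gip in self.hosts.items():      # dynamic entry alive only after inside traffic
            if gip == dst_ip:
                return (ip, dst_port)
        return None


def build_r2(overload=False):
    """R2 as configured in 7.1-7.3: ACL NAT_IPs, pool .52-.56, static SMTP entry."""
    r2 = NatRouter(
        inside_acl=[ipaddress.ip_network(n) for n in
                    ("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")],
        pool=[str(ipaddress.ip_address("171.16.10.52") + i) for i in range(5)],
        overload=overload,
    )
    # ip nat inside source static tcp 192.168.4.1 25 interface Serial1/0 25
    r2.static[("tcp", "171.16.10.1", 25)] = ("192.168.4.1", 25)
    return r2


def pool_exhaustion_demo():
    """Dynamic NAT is one-to-one: the five-address pool serves five hosts and
    the sixth gets no translation. Returns the results for hosts .1 to .6."""
    r2 = build_r2()
    return [r2.outbound("icmp", f"192.168.2.{n}", 1) for n in range(1, 7)]


if __name__ == "__main__":
    print("dynamic pool, hosts .1-.6:", pool_exhaustion_demo())
    pat = build_r2(overload=True)
    print("PAT, two hosts same port:", pat.outbound("icmp", "192.168.2.1", 4),
          pat.outbound("icmp", "192.168.3.1", 4))
    print("inbound to static SMTP entry:", pat.inbound("tcp", "171.16.10.1", 25))
```

The exhaustion case is the practical reason the guide moves on to overload: with a one-to-one pool, the sixth host's traffic leaves untranslated (and, with a private source address, never gets a reply), while a single overloaded address serves every permitted host by port.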

7.4 Troubleshooting NAT:

Some of the points we need to keep in mind while troubleshooting NAT:

• Check the dynamic IP pools; they must contain the correct IP ranges.
• Check whether static IPs overlap with the configured IP pool.
• Check that the ACL is correctly defined: the addresses to be mapped are properly specified and no address is left out.
• Check that the proper inside/outside NAT interfaces are configured.

8 Some additional NAT settings: We can adjust the timeout values for different sorts of packets in NAT as follows:

Some special NAT services that we can enable are for SIP and other communication protocols:

These services need to be enabled because NAT can't simply rewrite the IP address values carried inside the data packets of special applications such as SIP and H.323: once an IP value in a header is changed, the checksum and some other values of the packet have to be recalculated.

8.1 SNAT: Stateful Network Address Translation: Okay, no network is ideal when it comes to 100% uptime; to avoid network failure, we use redundancy in our designs. So how is it done in NAT? For this purpose we use Stateful NAT. In SNAT we create a group of our NAT IP addresses. The active translator IP continuously exchanges the route maps and NAT entries with the redundant NAT IP; in case the active IP translator fails, the redundant IP translator takes charge immediately. It is best represented in the network topology below:

I think that's enough! We have had quite a discussion on NAT. NAT is one of the coolest protocols and has really helped in the preservation of the IP address space. If there were no NAT, we would be using IPv6 now!