Configuring Dynamic NAT on Cisco Router

March 31, 2021

Network Address Translation (NAT) is a method of mapping one IP address space into another by rewriting the network address information in the IP header of packets as they cross a routing device such as a router or firewall.

Dynamic NAT allows internal hosts to access the Internet by assigning each host a unique public IP address from a public IP pool for the duration of a client session. Once the session has ended, meaning the internal host has stopped accessing the Internet, the NAT timeout clears the dynamic NAT entry from the NAT table and makes the public IP address available to other hosts.
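To make the allocate/hold/expire cycle described above concrete, here is a small Python model of a dynamic NAT pool. It is an added example, not code from the original post or from Cisco IOS: the pool range and inside subnet are the post's values, while the 300-second idle timeout, the class and function names, and the sequence of hosts are this example's own constructed choices. It also shows the failure mode the one-to-one rule implies, a seventh concurrent host finding the six-address pool empty until an idle entry times out.

```python
# Added example (not from the original post): a small model of a dynamic NAT pool.
# Pool range and inside subnet are the post's values; the 300-second idle timeout
# and all class/function names are this example's own, constructed choices.
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


class DynamicNatPool:
    """One-to-one dynamic NAT: an inside host holds one pool address per session."""

    def __init__(self, start: str, end: str, timeout: float) -> None:
        first, last = int(IPv4Address(start)), int(IPv4Address(end))
        self.free: List[IPv4Address] = [IPv4Address(n) for n in range(first, last + 1)]
        self.timeout = timeout
        # inside local -> (inside global, time of last packet)
        self.table: Dict[IPv4Address, Tuple[IPv4Address, float]] = {}

    def expire(self, now: float) -> List[str]:
        """Clear entries idle for at least `timeout` seconds; return the freed addresses."""
        freed = []
        for local, (glob, last_seen) in list(self.table.items()):
            if now - last_seen >= self.timeout:
                del self.table[local]
                self.free.append(glob)
                freed.append(str(glob))
        return freed

    def translate(self, inside_local: str, now: float) -> Optional[str]:
        """Return the inside-global address used for a packet from inside_local at time now,
        or None when the pool is exhausted (a real router drops the packet in that case)."""
        self.expire(now)
        local = IPv4Address(inside_local)
        if local in self.table:                 # existing session: reuse and refresh timer
            glob, _ = self.table[local]
            self.table[local] = (glob, now)
            return str(glob)
        if not self.free:                        # pool exhausted
            return None
        glob = min(self.free)                    # hand out the lowest free address
        self.free.remove(glob)
        self.table[local] = (glob, now)
        return str(glob)

    def translations(self) -> Dict[str, str]:
        """Current table as inside-local -> inside-global, like `show ip nat translations`."""
        return {str(k): str(v[0]) for k, v in self.table.items()}


def run_scenario() -> Dict[str, object]:
    """Drive the pool through allocation, reuse, exhaustion and timeout."""
    pool = DynamicNatPool("192.168.200.200", "192.168.200.205", timeout=300)
    first = pool.translate("10.10.10.2", now=0)            # first session takes .200
    again = pool.translate("10.10.10.2", now=10)           # same host keeps its address
    for host in range(3, 8):                               # five more hosts use .201-.205
        pool.translate(f"10.10.10.{host}", now=10)
    seventh = pool.translate("10.10.10.8", now=20)         # 7th concurrent host: pool empty
    after_timeout = pool.translate("10.10.10.8", now=400)  # idle entries expired, .200 reused
    return {"first": first, "again": again, "seventh": seventh,
            "after_timeout": after_timeout, "table": pool.translations()}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the model is capacity: with a six-address pool and no overloading (PAT), only six inside hosts can have active translations at once, and an address only becomes available again once its entry has aged out of the table.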

In this scenario, the diagram shows a sample network with a few internal hosts in the subnet 10.10.10.0/24, connected through an access switch to the Internet router. The Internet router connects to the ISP via FastEthernet 0/1 with the IP address 192.168.200.200/24 (treat this private subnet as the public IP subnet from the ISP), and I will assign the public IP range 192.168.200.200 to 192.168.200.205 to the dynamic NAT pool.

Now let’s jump into configuring the Internet Router…

Configuring Cisco Router Interfaces

We are going to assign an IP Address for internal and external interfaces.

INT_RT01>enable
INT_RT01#configure terminal
INT_RT01(config)#interface fastEthernet 0/1
INT_RT01(config-if)#description "Connection to ISP"
INT_RT01(config-if)#ip address 192.168.200.200 255.255.255.0
INT_RT01(config-if)#no shutdown
INT_RT01(config-if)#exit

INT_RT01(config)#interface fastEthernet 0/0
INT_RT01(config-if)#description "Connection to Internal Network"
INT_RT01(config-if)#ip address 10.10.10.1 255.255.255.0
INT_RT01(config-if)#no shutdown
INT_RT01(config-if)#end
INT_RT01#copy running-config startup-config

Configuring default route for Internal Network to Internet

The router needs a default route in order to forward Internet traffic requested by internal hosts, so let's configure a default route that instructs the router to send all Internet-bound traffic to the ISP's IP address.

INT_RT01>enable
INT_RT01#configure terminal
INT_RT01(config)#ip route 0.0.0.0 0.0.0.0 192.168.200.1
INT_RT01(config)#exit
INT_RT01#copy running-config startup-config

Enabling NAT on inside and outside interfaces

For NAT to function properly, we need to enable the NAT feature on the router's interfaces: the interface connected to the internal network is marked as NAT inside, and the interface connected to the ISP as NAT outside.

INT_RT01(config)#interface FastEthernet0/1
INT_RT01(config-if)#ip nat outside
INT_RT01(config-if)#exit
INT_RT01(config)#interface FastEthernet0/0
INT_RT01(config-if)#ip nat inside
INT_RT01(config-if)#exit

Creating NAT Pool of Public IP Addresses

Next we define the pool of public IP addresses that will handle each Internet session established by internal hosts. Remember that this is also called one-to-one NAT: every time an internal host accesses the Internet, it requires a dedicated public IP address for the session, so one internal host is mapped to one public IP address.

INT_RT01(config)#ip nat pool PUBLIC_IPs 192.168.200.200 192.168.200.205 netmask 255.255.255.0

Creating Access Control List (ACL) for NAT

Finally, we create an Access Control List (ACL) that specifies which internal addresses are allowed to be translated, and bind it to our NAT pool. The ACL permits only our internal subnet 10.10.10.0/24 to use the NAT pool to access the Internet.

INT_RT01(config)#access-list 100 remark "Control DYNAMIC NAT Pool"
INT_RT01(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
INT_RT01(config)#ip nat inside source list 100 pool PUBLIC_IPs

Verification by PING from internal hosts to Google & Cloudflare IP Addresses

PC1> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=109 time=67.331 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=109 time=63.748 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=109 time=54.747 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=109 time=55.654 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=109 time=63.806 ms

PC2> ping 1.1.1.1
84 bytes from 1.1.1.1 icmp_seq=1 ttl=52 time=41.256 ms
84 bytes from 1.1.1.1 icmp_seq=2 ttl=52 time=31.587 ms
84 bytes from 1.1.1.1 icmp_seq=3 ttl=52 time=21.945 ms
84 bytes from 1.1.1.1 icmp_seq=4 ttl=52 time=32.561 ms
84 bytes from 1.1.1.1 icmp_seq=5 ttl=52 time=21.993 ms

PC3> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=109 time=82.326 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=109 time=63.836 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=109 time=57.827 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=109 time=63.842 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=109 time=53.949 ms

Verifying Dynamic NAT Translation

The NAT table below shows that each internal host is mapped to a unique public IP address.

INT_RT01#show ip nat translations
Pro  Inside global           Inside local          Outside local        Outside global
icmp 192.168.200.200:52816   10.10.10.2:52816      8.8.8.8:52816        8.8.8.8:52816
icmp 192.168.200.200:53328   10.10.10.2:53328      8.8.8.8:53328        8.8.8.8:53328
icmp 192.168.200.200:53584   10.10.10.2:53584      8.8.8.8:53584        8.8.8.8:53584
icmp 192.168.200.200:53840   10.10.10.2:53840      8.8.8.8:53840        8.8.8.8:53840
icmp 192.168.200.200:54096   10.10.10.2:54096      8.8.8.8:54096        8.8.8.8:54096
---  192.168.200.200         10.10.10.2            ---                  ---
icmp 192.168.200.201:56912   10.10.10.3:56912      1.1.1.1:56912        1.1.1.1:56912
icmp 192.168.200.201:57168   10.10.10.3:57168      1.1.1.1:57168        1.1.1.1:57168
icmp 192.168.200.201:57424   10.10.10.3:57424      1.1.1.1:57424        1.1.1.1:57424
icmp 192.168.200.201:57680   10.10.10.3:57680      1.1.1.1:57680        1.1.1.1:57680
icmp 192.168.200.201:57936   10.10.10.3:57936      1.1.1.1:57936        1.1.1.1:57936
---  192.168.200.201         10.10.10.3            ---                  ---
icmp 192.168.200.202:62544   10.10.10.4:62544      8.8.8.8:62544        8.8.8.8:62544
icmp 192.168.200.202:62800   10.10.10.4:62800      8.8.8.8:62800        8.8.8.8:62800
icmp 192.168.200.202:63056   10.10.10.4:63056      8.8.8.8:63056        8.8.8.8:63056
icmp 192.168.200.202:63312   10.10.10.4:63312      8.8.8.8:63312        8.8.8.8:63312
icmp 192.168.200.202:63568   10.10.10.4:63568      8.8.8.8:63568        8.8.8.8:63568
---  192.168.200.202         10.10.10.4            ---                  ---
INT_RT01#
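Reading a handful of rows by eye is fine for three hosts, but a practitioner will want the same check scripted. The following Python is an added example, not code from the original post: it parses a `show ip nat translations` capture, confirms that every inside-local address maps to exactly one inside-global address and vice versa (the one-to-one property), that every inside-global address lies in the pool PUBLIC_IPs, and that every translated inside host is actually permitted by `access-list 100` (a Cisco wildcard-mask match, which this example implements for the general case). SAMPLE is a trimmed copy of the router output shown in the post; BAD_SAMPLE appends two constructed rows that violate the checks. All function names are this example's own.

```python
# Added example (not from the original post): parse a `show ip nat translations`
# capture and check that the dynamic mappings are one-to-one, come from the
# configured pool, and cover only addresses permitted by the NAT ACL.
# SAMPLE is a trimmed copy of the router output in the post; the two extra rows in
# BAD_SAMPLE are constructed for this example. Function names are this example's own.
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List

SAMPLE = """\
Pro  Inside global          Inside local        Outside local      Outside global
icmp 192.168.200.200:52816  10.10.10.2:52816    8.8.8.8:52816      8.8.8.8:52816
---  192.168.200.200        10.10.10.2          ---                ---
icmp 192.168.200.201:56912  10.10.10.3:56912    1.1.1.1:56912      1.1.1.1:56912
---  192.168.200.201        10.10.10.3          ---                ---
icmp 192.168.200.202:62544  10.10.10.4:62544    8.8.8.8:62544      8.8.8.8:62544
---  192.168.200.202        10.10.10.4          ---                ---
"""

# Constructed capture: a host outside 10.10.10.0/24 has been translated, and
# 10.10.10.2 appears with two different inside-global addresses.
BAD_SAMPLE = SAMPLE + """\
icmp 192.168.200.203:40000  10.10.20.5:40000    8.8.8.8:40000      8.8.8.8:40000
icmp 192.168.200.204:41000  10.10.10.2:41000    1.1.1.1:41000      1.1.1.1:41000
"""

POOL_START, POOL_END = IPv4Address("192.168.200.200"), IPv4Address("192.168.200.205")
ACL_NETWORK, ACL_WILDCARD = "10.10.10.0", "0.0.0.255"  # access-list 100 permit ip 10.10.10.0 0.0.0.255 any


def strip_port(field: str) -> str:
    """'192.168.200.200:52816' -> '192.168.200.200'; plain addresses pass through."""
    return field.split(":")[0]


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Return one dict per translation row; the header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, inside_global, inside_local, _outside_local, _outside_global = parts
        rows.append({"proto": proto,
                     "inside_global": strip_port(inside_global),
                     "inside_local": strip_port(inside_local)})
    return rows


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def audit(text: str) -> Dict[str, object]:
    """Check one-to-one mapping, pool membership and ACL scope of every translation."""
    local_to_global: Dict[str, set] = defaultdict(set)
    global_to_local: Dict[str, set] = defaultdict(set)
    problems: List[str] = []
    for row in parse_translations(text):
        local, glob = row["inside_local"], row["inside_global"]
        local_to_global[local].add(glob)
        global_to_local[glob].add(local)
        if not wildcard_match(local, ACL_NETWORK, ACL_WILDCARD):
            problems.append(f"{local} translated but not permitted by the NAT ACL")
        if not POOL_START <= IPv4Address(glob) <= POOL_END:
            problems.append(f"{glob} is outside pool PUBLIC_IPs")
    for local, globs in local_to_global.items():
        if len(globs) > 1:
            problems.append(f"{local} maps to several public addresses: {sorted(globs)}")
    for glob, locals_ in global_to_local.items():
        if len(locals_) > 1:
            problems.append(f"{glob} shared by several inside hosts: {sorted(locals_)}")
    mappings = {local: sorted(globs)[0] for local, globs in local_to_global.items()}
    return {"mappings": mappings, "problems": sorted(set(problems))}


if __name__ == "__main__":
    for name, capture in (("post capture", SAMPLE), ("constructed bad capture", BAD_SAMPLE)):
        result = audit(capture)
        print(name, result["mappings"], *result["problems"], sep="\n  ")
```

Feed it a capture saved from the router (the icmp rows per host and the summary `---` rows are both parsed) and an empty problem list means the table matches the intent of the pool and ACL configured above.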
