In the following lab I will demonstrate how to change the packet
destination using NAT.
This is the topology I used (please ignore SERVER2 and
SERVER3):
Let’s say that SERVER1 (192.168.10.1) need to access HOST1
but he is not allowed to use HOST1 real IP - which is 192.168.20.1, so in this
case we will have to change the destination IP. Also HOST1 doesn’t know SERVER1
IP so we will have to do source NAT as well.
HOST1 relevant configuration:
|
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
speed 100
full-duplex
!
ip route 0.0.0.0 0.0.0.0
192.168.20.254
|
R2 relevant configuration:
|
interface FastEthernet0/0
ip address 10.1.0.2 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.20.254 255.255.255.0
speed 100
full-duplex
|
Note that even R2 doesn’t know network 192.168.10.0/24!
SERVER1 relevant configuration:
|
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
speed 100
full-duplex
!
ip route 0.0.0.0 0.0.0.0
192.168.10.254
|
And R1 relevant configuration:
|
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip virtual-reassembly
speed
100
full-duplex
!
interface FastEthernet0/1
ip address 10.1.0.1 255.255.255.0
ip virtual-reassembly
speed 100
full-duplex
|
So first let’s configure R1 interfaces according to their part
in the NAT topology, Fa0/0 is the INSIDE while Fa0/1 is the OUTSIDE:
|
interface FastEthernet0/0
ip nat inside
!
interface FastEthernet0/1
ip nat outside
|
Then we will configure the NAT statement:
|
ip nat outside source static
192.168.20.1 2.2.2.2 add-route
|
Whenever a packet goes through the OUTSIDE NAT interface
with destination IP of 2.2.2.2 R1 will change the destination to 192.168.20.1
and will add a static route to 2.2.2.2 in his routing table.
Now we need to change also the source IP – 192.168.10.1 to
something that R2 and HOST1 will know like 10.1.0.1 (R1 outside interface)
|
ip access-list standard
ACL_LAN
permit 192.168.10.0 0.0.0.255
!
ip nat inside source list
ACL_LAN interface FastEthernet0/1 overload
|
Now let’s verify SERVER1 can ping HOST1 IP:
|
SERVER1#ping 2.2.2.2
Type escape sequence to
abort.
Sending 5, 100-byte ICMP
Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent
(5/5), round-trip min/avg/max = 132/192/280 ms
SERVER1#
|
And the process in R1 (debug ip packet and ip nat detailed
with no ip route-cache):
|
*Mar 1 01:28:01.287: IP: tableid=0,
s=192.168.10.1 (FastEthernet0/0), d=2.2.2.2 (FastEthernet0/1), routed via FIB
*Mar 1 01:28:01.291: NAT: [0] Allocated Port for
192.168.10.1 -> 10.1.0.1: wanted 20 got 20
*Mar 1 01:28:01.291: NAT: setting up outside
mapping 2.2.2.2->192.168.20.1, with mapping-id 0
*Mar 1 01:28:01.291: NAT: i: icmp (192.168.10.1,
20) -> (2.2.2.2, 20) [96]
*Mar 1 01:28:01.295: NAT:
s=192.168.10.1->10.1.0.1, d=2.2.2.2 [96]
*Mar 1 01:28:01.295: NAT: s=10.1.0.1,
d=2.2.2.2->192.168.20.1 [96]
*Mar 1 01:28:01.295: IP: s=10.1.0.1
(FastEthernet0/0), d=192.168.20.1 (FastEthernet0/1), g=10.1.0.2, len 100,
forward
|
Note how R1 do outside mapping from 2.2.2.2 to 192.168.20.1
and allocate port to 192.168.10.1 from 10.1.0.1 as part of the PAT (Port
Address Translation).
R1 routing table:
|
R1#sh ip route
Codes: C - connected, S -
static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -
OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 -
OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF
external type 2
i - IS-IS, su - IS-IS summary, L1 -
IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate
default, U - per-user static route
o - ODR, P - periodic downloaded
static route
Gateway of last resort is not
set
2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 192.168.20.1
C 192.168.10.0/24 is directly connected,
FastEthernet0/0
S 192.168.20.0/24 [1/0] via 10.1.0.2
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.0.0 is directly connected,
FastEthernet0/1
|
