Monday, October 23, 2017

Static NAT & Dynamic NAT with Overload

In this short post I will configure my router to NAT a single port only.


router1#conf t 
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#ip nat inside source static udp 10.0.2.2 514 10.0.1.245 514 extendable


This command allows the router to accept syslog messages sent to UDP port 514 on 10.0.1.245 and translate them to UDP port 514 on 10.0.2.2, which is the syslog server. Only port 514 is available for translation; no other port of 10.0.2.2 is reachable through 10.0.1.245. The extendable keyword lets the router hold more than one static translation for the same inside address (for example, further port mappings for 10.0.2.2).

Static NAT

In this post I will configure a Static NAT entry on Router1 for the Win7 host. I'll be using the network in the diagram below.

First I remove the NAT configuration from my last post.


router1(config)#no ip nat inside source list NAT pool NAT_POOL overload 
Dynamic mapping in use, do you want to delete all entries? [no]: y


Now I configure NAT to map Win7 (10.0.2.1) to 10.0.1.240.


router1(config)#ip nat inside source static 10.0.2.1 10.0.1.240 


I verify I can reach the internet from the NAT'd host and check the NAT translations.


router1(config)#do sh ip nat tran 
Pro Inside global Inside local Outside local Outside global
tcp 10.0.1.240:1328 10.0.2.1:1328 208.43.202.17:80 208.43.202.17:80
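As an added example (not code from the original posts), the Python script below parses show ip nat translations output like the tables in the single-port and Static NAT posts and reports, per inside-global address, what the static entries expose to the outside: the port-only mapping for the syslog server exposes just UDP 514 on 10.0.1.245, while the whole-address mapping for Win7 exposes every port of 10.0.2.1 on 10.0.1.240. The two dynamic lines in the sample are taken from these posts; the two static lines are constructed, modelled on how IOS shows a static entry before any flow has used it (the outside columns read ---).

```python
from collections import defaultdict

# Constructed sample of `show ip nat translations`. The first two data lines
# are the dynamic translations shown in the posts above; the last two are
# constructed static entries (whole-address and single-port) as IOS lists
# them while no flow is using them.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.1.240:1328    10.0.2.1:1328      208.43.202.17:80   208.43.202.17:80
udp 10.0.1.254:123     10.0.2.1:123       207.46.232.182:123 207.46.232.182:123
--- 10.0.1.240         10.0.2.1           ---                ---
udp 10.0.1.245:514     10.0.2.2:514       ---                ---
"""


def split_endpoint(field):
    """(ip, port) for 'a.b.c.d:port', (ip, None) for a bare address, (None, None) for '---'."""
    if field == "---":
        return None, None
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text):
    """Turn the five-column table into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
            # No outside endpoint means the entry was installed by configuration
            # (a static mapping) rather than created by traffic from the inside.
            "static": ol == "---" and og == "---",
        })
    return rows


def inbound_exposure(rows):
    """Map each inside-global address to what static entries expose on it.

    The value is the string 'all' for a whole-address static NAT (every port of
    the inside host is reachable) or a set of (proto, port) pairs for
    port-level static entries.
    """
    exposure = defaultdict(set)
    for r in rows:
        if not r["static"]:
            continue
        ip, port = r["inside_global"]
        if port is None:
            exposure[ip] = "all"
        elif exposure[ip] != "all":
            exposure[ip].add((r["proto"], port))
    return dict(exposure)


if __name__ == "__main__":
    for ip, what in inbound_exposure(parse_translations(SAMPLE_TRANSLATIONS)).items():
        print(ip, "->", what)
```

Dynamic entries such as the NTP and HTTP translations never appear in the exposure map: they only exist while the inside host has an open flow, so nothing outside can initiate a connection through them.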

Dynamic NAT Using Pools

In this post I will remove my previous NAT entry and create a pool of addresses to use for NAT. I'll be using the network in the diagram below and configuring Router1.

First I'll remove the previous NAT (from my last post) configuration.


router1(config)#no ip nat inside source list NAT interface Ethernet0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: yes


After removing the config, I verify that I can no longer access or ping the internet from the Win7 host.

Now I create a NAT pool with three addresses.


router1(config)#ip nat pool NAT_POOL 10.0.1.250 10.0.1.252 netmask 255.255.255.0


I already have the NAT access-list created from my previous post, so I'll use that again.


router1(config)#ip nat inside source list NAT pool NAT_POOL overload


Now I access the internet from the Win7 host and verify that I am being NAT'd.


router1#sh ip nat translations 
Pro Inside global Inside local Outside local Outside global
tcp 10.0.1.251:1231 10.0.2.1:1231 208.43.202.17:80 208.43.202.17:80


I can also check the NAT statistics.


router1#sh ip nat statistics 
Total active translations: 41 (0 static, 41 dynamic; 41 extended)
Outside interfaces:
Ethernet0
Inside interfaces: 
Ethernet1
Hits: 24714 Misses: 1339
CEF Translated packets: 25094, CEF Punted packets: 1907
Expired translations: 1666
Dynamic mappings:
-- Inside Source
[Id: 3] access-list NAT pool NAT_POOL refcount 41
pool NAT_POOL: netmask 255.255.255.0
start 10.0.1.250 end 10.0.1.252
type generic, total addresses 3, allocated 1 (33%), misses 0
Queued Packets: 0
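The statistics above show only one of the three pool addresses allocated (33%) even though many translations exist, because the overload keyword lets one inside-global address serve many flows, told apart by port. The toy model below is an added illustration and not IOS code: it simplifies allocation order and port choice, but shows the two behaviours a pool can have, exhaustion after three inside hosts without overload, and port multiplexing on the first address with it. The pool addresses and flow values are the ones from this post; the inside hosts 10.0.2.2 to 10.0.2.4 are constructed.

```python
# Toy model of `ip nat inside source list ... pool NAT_POOL [overload]`.
# Added example; allocation details are simplified and not those of IOS.

class NatPool:
    def __init__(self, addresses, overload):
        self.addresses = list(addresses)   # inside-global addresses in the pool
        self.overload = overload
        self.host_map = {}                 # inside-local ip -> inside-global ip (no overload)
        self.flows = {}                    # (proto, il_ip, il_port, dst) -> (ig_ip, ig_port)
        self.used_ports = {a: set() for a in self.addresses}

    def translate(self, proto, il_ip, il_port, dst):
        """Return the (inside-global ip, port) for this flow, or None if it cannot be translated."""
        key = (proto, il_ip, il_port, dst)
        if key in self.flows:
            return self.flows[key]         # existing translation: a "hit" in the statistics
        if self.overload:
            entry = self._allocate_port(il_port)
        else:
            entry = self._allocate_address(il_ip, il_port)
        if entry is not None:
            self.flows[key] = entry        # new translation: a "miss" that creates an entry
        return entry

    def _allocate_address(self, il_ip, il_port):
        # Without overload every inside host takes a whole pool address; the port is unchanged.
        if il_ip not in self.host_map:
            free = [a for a in self.addresses if a not in self.host_map.values()]
            if not free:
                return None                # pool exhausted: this host gets no translation
            self.host_map[il_ip] = free[0]
        return (self.host_map[il_ip], il_port)

    def _allocate_port(self, il_port):
        # With overload (PAT) many hosts share one address. Keep the original source
        # port when it is free on the first address, otherwise take the next free
        # port there; only move to another address when the port space is used up.
        for ig_ip in self.addresses:
            used = self.used_ports[ig_ip]
            if il_port not in used:
                port = il_port
            else:
                port = next((p for p in range(1024, 65536) if p not in used), None)
            if port is not None:
                used.add(port)
                return (ig_ip, port)
        return None

    def allocated(self):
        """Pool addresses currently in use (the 'allocated' figure in `show ip nat statistics`)."""
        if self.overload:
            return sum(1 for a in self.addresses if self.used_ports[a])
        return len(set(self.host_map.values()))

    def stats_line(self):
        total, alloc = len(self.addresses), self.allocated()
        return f"total addresses {total}, allocated {alloc} ({alloc * 100 // total}%)"


if __name__ == "__main__":
    pool = ["10.0.1.250", "10.0.1.251", "10.0.1.252"]
    pat = NatPool(pool, overload=True)
    for host in range(1, 5):               # four inside hosts, one more than the pool has addresses
        print(pat.translate("tcp", f"10.0.2.{host}", 1231, "208.43.202.17:80"))
    print(pat.stats_line())                # total addresses 3, allocated 1 (33%)
```

Without overload the same four hosts would exhaust the pool at the fourth one, and that host's packets are dropped until a translation times out; this is the case to watch for when a pool is sized for a handful of hosts and the statistics show misses climbing.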

Basic NAT with Overload

In this post I will configure basic NAT with overload to NAT addresses from the 10.0.2.0/24 network (inside) to the outside interface Ethernet 0.

I have already configured DHCP to hand out addresses to computers on the 10.0.2.0/24 network. I have also configured the router to be the DNS server for those computers.


I create a standard access-list defining the addresses I want to NAT.


router1(config)#ip access-list standard NAT
router1(config-std-nacl)#permit 10.0.2.0 0.0.0.255 
router1(config-std-nacl)#end


I use a show command to view the access-list.


router1#sh ip access-lists 
Standard IP access list NAT
10 permit 10.0.2.0, wildcard bits 0.0.0.255


I check my interfaces to make sure I know which I want to name as inside and outside.


router1(config)#do show ip interface brief 
Interface IP-Address OK? Method Status Protocol
FastEthernet1 unassigned YES unset up up 
FastEthernet2 unassigned YES unset down down 
FastEthernet3 unassigned YES unset down down 
FastEthernet4 unassigned YES unset down down 
Ethernet0 10.0.1.254 YES NVRAM up up 
Ethernet1 10.0.2.254 YES NVRAM up up 


I name the interfaces inside and outside.


router1(config)#interface ethernet 0
router1(config-if)#ip nat outside
router1(config-if)#exit 

router1(config)#interface ethernet 1
router1(config-if)#ip nat inside 
router1(config-if)#exit


I configure NAT to translate any addresses matched by the source access-list to the outside interface with overload.


router1(config)#ip nat inside source list NAT interface ethernet 0 overload 


To test the configuration I connect to a website with a client that is behind the inside interface. Then I check the NAT translations on my router.


router1#sh ip nat translations 
Pro Inside global Inside local Outside local Outside global
udp 10.0.1.254:123 10.0.2.1:123 207.46.232.182:123 207.46.232.182:123
tcp 10.0.1.254:1149 10.0.2.1:1149 174.36.30.70:443 174.36.30.70:443

Useful DHCP Show Commands

In this post I will demonstrate a few useful show commands that will help me see the state of the router's DHCP server, which I set up in the previous post.

  • show ip dhcp binding
  • show ip dhcp pool
  • show ip dhcp server statistics

These commands were run after a computer was issued the IP 10.0.2.1 from the dmz pool.


router1#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.2.1            0100.1e68.ffd3.5f       Oct 13 2009 10:08 PM    Automatic


router1#show ip dhcp pool 
Pool dmz :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0 
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.0.2.2 10.0.2.1 - 10.0.2.254 1



router1#show ip dhcp server statistics 
Memory usage 23991
Address pools 1
Database agents 0
Automatic bindings 1
Manual bindings 0
Expired bindings 0
Malformed messages 9
Secure arp entries 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 8
DHCPREQUEST 12
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 5

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 4
DHCPNAK 0

Configure DHCP

In this post I will configure DHCP settings on my router. I turn on the DHCP service, create a pool and configure it with an IP range, domain name, DNS server, default router and lease time. I add exclusions for the addresses I do not want leased. Finally, I check the running config.

router1(config)#service dhcp
router1(config)#ip dhcp pool dmz 
router1(dhcp-config)#network 10.0.2.0 /24
router1(dhcp-config)#domain-name lab.local
router1(dhcp-config)#dns-server 8.8.8.8
router1(dhcp-config)#default-router 10.0.2.254
router1(dhcp-config)#lease 7 
router1(dhcp-config)#exit
router1(config)#ip dhcp excluded-address 10.0.2.10 10.0.2.255
router1(config)#end


router1#sh run

!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.2.10 10.0.2.255
!
ip dhcp pool dmz
network 10.0.2.0 255.255.255.0
domain-name lab.local
dns-server 8.8.8.8 
default-router 10.0.2.254 
lease 7
!
!
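The exclusion above is what keeps the pool from leasing 10.0.2.254, the router's own address and the default router it advertises; a pool whose exclusions miss such an address will eventually hand it to a client and take the gateway down. As an added example (not from the original post), the Python script below computes what a pool can lease once ip dhcp excluded-address ranges are applied, reproduces the 254 total addresses that show ip dhcp pool reports for the /24, and checks that reserved addresses are not leasable. The network, exclusion and default-router values are the ones from this post.

```python
import ipaddress

# Added example, not from the original post: works out what an IOS DHCP pool can
# lease after `ip dhcp excluded-address` ranges, and whether addresses the pool
# must never hand out (the default router here) are really excluded.


def leasable_addresses(network, excluded_ranges):
    """Host addresses of `network` still leasable after the exclusions.

    network: 'a.b.c.d/len' as given to `network` under the pool
    excluded_ranges: list of (low, high) inclusive pairs as given to
                     `ip dhcp excluded-address`
    """
    net = ipaddress.ip_network(network, strict=False)
    excluded = set()
    for low, high in excluded_ranges:
        lo = int(ipaddress.ip_address(low))
        hi = int(ipaddress.ip_address(high))
        excluded.update(range(lo, hi + 1))
    # net.hosts() already drops the network and broadcast addresses, which is
    # why `show ip dhcp pool` counts 254 total addresses for a /24.
    return [str(a) for a in net.hosts() if int(a) not in excluded]


def pool_total(network):
    """Total addresses the pool counts, matching 'Total addresses' in `show ip dhcp pool`."""
    return sum(1 for _ in ipaddress.ip_network(network, strict=False).hosts())


def leak_check(network, excluded_ranges, reserved):
    """Reserved addresses the pool could still lease; an empty list is the safe result."""
    leasable = set(leasable_addresses(network, excluded_ranges))
    return [r for r in reserved if r in leasable]


if __name__ == "__main__":
    # Values from the configuration in this post.
    net = "10.0.2.0/24"
    excl = [("10.0.2.10", "10.0.2.255")]
    reserved = ["10.0.2.254"]            # default-router, also the router's Ethernet1 address
    print(pool_total(net), "total,", len(leasable_addresses(net, excl)), "leasable")
    print("leaks with the exclusion:   ", leak_check(net, excl, reserved))
    print("leaks without the exclusion:", leak_check(net, [], reserved))
```

With the exclusion in place the pool can only lease 10.0.2.1 through 10.0.2.9 and the default router is safe; drop the exclusion and leak_check reports 10.0.2.254 as leasable.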

Configure EtherChannel

In this post I will configure 2 ports on 2 switches to be an EtherChannel. This effectively bundles the lines to increase bandwidth and allows any link in the bundle to fail without affecting service.

The diagram below shows the layout of the switches.

Before starting, I make sure all interfaces that I will be configuring for EtherChannel have no configuration and are in the same VLAN.

I use the following commands to configure EtherChannel on the switches.

switch1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch1(config)#interface fastEthernet 0/1 
switch1(config-if)#channel-group 5 mode desirable 
Creating a port-channel interface Port-channel 5 
switch1(config-if)#exit
switch1(config)#interface fastEthernet 0/24 
switch1(config-if)#channel-group 5 mode desirable 
Creating a port-channel interface Port-channel 5 
switch1(config-if)#end


switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface fastEthernet 0/1 
switch2(config-if)#channel-group 5 mode desirable 
Creating a port-channel interface Port-channel 5 
switch2(config-if)#exit
switch2(config)#interface fastEthernet 0/24 
switch2(config-if)#channel-group 5 mode desirable 
Creating a port-channel interface Port-channel 5 
switch2(config-if)#end


I verify the configuration by checking the running config.

switch2#sh run
Building configuration...

Current configuration : 2447 bytes
!
------cut------
!
interface Port-channel5
no ip address
flowcontrol send off
!
interface FastEthernet0/1
no ip address
channel-group 5 mode desirable
!
-----cut--------
!
interface FastEthernet0/24
no ip address
channel-group 5 mode desirable


When I ping the remote switch and disconnect a cable, I have no packet loss.

I also use the following useful show command to view EtherChannel information.

switch1#sh etherchannel summary 
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator

        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         PAgP      Fa0/1(Pd)   Fa0/24(P)
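The redundancy this post tests by pulling a cable only holds while every member port carries the P flag; a port that drops to stand-alone (I), suspended (s) or down (D) silently leaves the bundle and the channel keeps working on one link. As an added example (not code from the original post), the Python script below parses show etherchannel summary output and reports channel groups with unbundled members or a port-channel that is not in use. Group 5 in the sample is the output above; group 6 is constructed to show a degraded bundle.

```python
import re

# Constructed sample of `show etherchannel summary`. Group 5 is the healthy
# channel from this post; group 6 is made up to show a degraded bundle.
SAMPLE_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         PAgP      Fa0/1(Pd)   Fa0/24(P)
6      Po6(SD)         PAgP      Fa0/2(I)    Fa0/23(D)
"""

# A member token looks like Fa0/1(Pd) or Gi1/0/1(P): interface name then flags in parentheses.
MEMBER = re.compile(r"^(?P<name>[A-Za-z]+\d+(?:/\d+)*)\((?P<flags>[A-Za-z]+)\)$")


def parse_summary(text):
    """Return {group_id: {'port_channel', 'flags', 'protocol', 'members': {port: flags}}}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue                       # header, separator, flag legend
        po_name, po_flags = parts[1].rstrip(")").split("(")
        members = {}
        for token in parts[3:]:
            m = MEMBER.match(token)
            if m:
                members[m.group("name")] = m.group("flags")
        groups[int(parts[0])] = {
            "port_channel": po_name,
            "flags": po_flags,
            "protocol": parts[2],
            "members": members,
        }
    return groups


def degraded(groups):
    """{group_id: [ports not bundled]} for every group that is not fully healthy.

    A group is listed when any member lacks the P (in port-channel) flag or the
    port-channel itself lacks the U (in use) flag.
    """
    bad = {}
    for gid, g in groups.items():
        unbundled = [port for port, flags in g["members"].items() if "P" not in flags]
        if unbundled or "U" not in g["flags"]:
            bad[gid] = unbundled
    return bad


if __name__ == "__main__":
    for gid, ports in degraded(parse_summary(SAMPLE_SUMMARY)).items():
        print(f"channel-group {gid} degraded, members not bundled: {ports}")
```

Run against the real output of both switches after each change (or from a monitoring job), the check turns a quiet loss of redundancy into something that is reported rather than discovered during the next cable fault.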