Friday, March 15, 2013

Network Address Translation IV


In this part of our NAT discussion, we will implement NAT with overload or PAT (Port Address Translation) on our R2 router.

NAT Overload (PAT):

Now we are going to implement NAT overload on R2, so we need to add the overload keyword to the end of the ip nat command.

First, we will clear all IP NAT translations (created earlier when we configured dynamic NAT) by issuing the following command:

R2#clear ip nat translation *

Now we will overload the NAT by adding the overload keyword at the end of our dynamic NAT command:

R2(config)#ip nat inside source list NAT_IPs pool Global_IP_Pool overload

To check our NAT in action, we will issue some pings from our loopback interfaces on R1:

R1#ping 171.16.10.2 source 192.168.3.1
Successful!

R1#ping 171.16.10.2 source 192.168.3.1
Successful!

R1#ping 171.16.10.2 source 192.168.2.1
Successful!

R1#ping 171.16.10.2 source 192.168.4.1
Successful!

All of these pings were successful via NAT. To check the NAT translations on R2, we will use the following command:

R2#show ip nat translations

//some of the output omitted//


icmp 171.16.10.53:4    192.168.2.1:4      171.16.10.2:4      171.16.10.2:4
icmp 171.16.10.53:3    192.168.3.1:3      171.16.10.2:3      171.16.10.2:3
icmp 171.16.10.53:5    192.168.4.1:5      171.16.10.2:5      171.16.10.2:5






PAT can be seen in action in the output of the show ip nat translations command below:

R2#show ip nat translations

//some of the output omitted//

udp 171.16.10.53:49157 192.168.2.1:49157  171.16.10.2:33437  171.16.10.2:33437
udp 171.16.10.53:49158 192.168.2.1:49158  171.16.10.2:33438  171.16.10.2:33438
udp 171.16.10.53:49159 192.168.2.1:49159  171.16.10.2:33439  171.16.10.2:33439
udp 171.16.10.53:49164 192.168.2.1:49164  171.16.10.2:33437  171.16.10.2:33437
udp 171.16.10.53:49165 192.168.2.1:49165  171.16.10.2:33438  171.16.10.2:33438
udp 171.16.10.53:49166 192.168.2.1:49166  171.16.10.2:33439  171.16.10.2:33439
icmp 171.16.10.53:10   192.168.3.1:10     171.16.10.2:10     171.16.10.2:10
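
Added example (not from the original post): a Python parser for the translation rows shown above. It assumes the standard column order of show ip nat translations (Pro, Inside global, Inside local, Outside local, Outside global), and the function names are hypothetical. It reports which inside hosts share one global address and maps a flow seen on the outside back to its inside host, which is what log attribution behind PAT depends on.

```python
import re
from collections import defaultdict

# Rows copied from the `show ip nat translations` output on this page.
SAMPLE = """\
icmp 171.16.10.53:4    192.168.2.1:4      171.16.10.2:4      171.16.10.2:4
icmp 171.16.10.53:3    192.168.3.1:3      171.16.10.2:3      171.16.10.2:3
udp 171.16.10.53:49157 192.168.2.1:49157  171.16.10.2:33437  171.16.10.2:33437
udp 171.16.10.53:49164 192.168.2.1:49164  171.16.10.2:33437  171.16.10.2:33437
icmp 171.16.10.53:10   192.168.3.1:10     171.16.10.2:10     171.16.10.2:10
"""

# For icmp rows the value after the colon is the ICMP identifier, not a port.
ENDPOINT = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
ROW = re.compile(rf"^(\w+)\s+{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s*$")

def parse_translations(text):
    """Return one dict per extended (protocol + port) entry; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row, "---" placeholders, omitted-output markers
        pro, gip, gport, lip, lport, olip, olport, ogip, ogport = m.groups()
        entries.append({"pro": pro,
                        "inside_global": (gip, int(gport)),
                        "inside_local": (lip, int(lport)),
                        "outside_local": (olip, int(olport)),
                        "outside_global": (ogip, int(ogport))})
    return entries

def overloaded_globals(entries):
    """Map each inside global IP to the inside local IPs sharing it (PAT in use)."""
    shared = defaultdict(set)
    for e in entries:
        shared[e["inside_global"][0]].add(e["inside_local"][0])
    return {g: hosts for g, hosts in shared.items() if len(hosts) > 1}

def resolve_inside_host(entries, pro, global_ip, global_port):
    """Attribute a flow seen outside (protocol, global IP, port) to an inside host."""
    hits = {e["inside_local"][0] for e in entries
            if e["pro"] == pro and e["inside_global"] == (global_ip, global_port)}
    return hits.pop() if len(hits) == 1 else None  # None: unknown or ambiguous

if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(overloaded_globals(table))
    print(resolve_inside_host(table, "udp", "171.16.10.53", 49164))
```

Because every inside host appears as 171.16.10.53 on the outside, the global port (or ICMP identifier) together with the protocol is the only key that identifies the originating host, and only while the entry is still in the table.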

If we want to check NAT in real time, all the action can be seen via the debug ip nat command on R2.
Once the debug command is issued on R2, all the IP changes happening in real time can be seen on R2 as follows:

R2#
*Mar  1 00:07:31.079: NAT: [0] Allocated Port for 192.168.2.1 -> 171.16.10.53: wanted 6 got 6
*Mar  1 00:07:31.083: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
*Mar  1 00:07:31.087: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [30]
*Mar  1 00:07:31.087: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [30]
*Mar  1 00:07:31.115: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [30]
*Mar  1 00:07:31.115: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [30]
*Mar  1 00:07:31.147: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [31]
*Mar  1 00:07:31.147: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [31]
*Mar  1 00:07:31.179: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [31]
*Mar  1 00:07:31.179: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [31]
*Mar  1 00:07:31.191: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [32]
*Mar  1 00:07:31.191: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [32]
*Mar  1 00:07:31.211: NAT*: o: icmp (171.16.10.2, 6) -> (171.16.10.53, 6) [32]
*Mar  1 00:07:31.211: NAT*: s=171.16.10.2, d=171.16.10.53->192.168.2.1 [32]
*Mar  1 00:07:31.219: NAT*: i: icmp (192.168.2.1, 6) -> (171.16.10.2, 6) [33]
*Mar  1 00:07:31.219: NAT*: s=192.168.2.1->171.16.10.53, d=171.16.10.2 [33]


All this action will be seen if we issue some connectivity commands from other routers whose packets go through R2. It’s one of the best ways to check and troubleshoot different NAT issues. Please remember, PAT (Port Address Translation) is a one-way NAT; we can’t use it as a two-way NAT solution.
 -- to be continued --
