I. Lab Objectives
- Understand the principles and functions of NAT (Network Address Translation);
- Master the configuration of NAPT so that LAN hosts can access the Internet.
II. Lab Background
The company's office network needs to access the Internet, and the company has applied for only one leased line from the ISP. The leased line is assigned one public IP address, through which all of the company's hosts must access the Internet.
III. Technical Principles
- NAT divides the network into two parts: the internal network and the external network. When a LAN host uses NAT to access the Internet, the local address used inside the LAN is converted to a global address (a valid Internet IP address) before the packets are forwarded;
- NAT can be divided into two types: basic NAT (Network Address Translation), in which each internal IP address corresponds to one global address, and NAPT (Network Address Port Translation).
- NAPT uses different ports to map multiple intranet IP addresses to one specified Internet IP address, a many-to-one mapping.
- NAPT relies on port multiplexing. All hosts in the internal network can share one valid external IP address to access the Internet, which saves IP address resources to the greatest extent. At the same time, all hosts in the internal network are hidden from the outside, which effectively prevents attacks from the Internet. For these reasons, port multiplexing is the most widely used form of NAT.
IV. Experiment Steps
Lab Topology
1. R1 is the company's egress router. It is connected to the ISP router through serial interfaces using a V.35 cable; the DCE end is connected to R1 and the clock rate is set to 64000;
2. Configure the IP addresses of PCs, servers, and router interfaces;
3. Configure static routes on each router so that the PCs can ping each other;
4. Configure napt on R1;
5. Define internal and external network interfaces on R1;
6. Verify the interconnectivity between hosts.
R1:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int s2/0
R1(config-if)#ip address 200.1.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R1(config)#ip route 200.1.2.0 255.255.255.0 200.1.1.2    // configure static route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    200.1.1.0/24 is directly connected, Serial2/0
S    200.1.2.0/24 [1/0] via 200.1.1.2
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int s2/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R1(config)#access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R1(config)#access-list 1 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
R1(config)#access-list 1 permit 192.168.1.0 ?
  A.B.C.D  Wildcard bits
  <cr>
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255 ?
  <cr>
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255    // define the access control list
R1(config)#ip nat ?
  inside   Inside address translation
  outside  Outside address translation
  pool     Define pool of addresses
R1(config)#ip nat pool ?
  WORD  Pool name
R1(config)#ip nat pool David ?
  A.B.C.D  Start IP address
R1(config)#ip nat pool David 200.1.1.3 ?
  A.B.C.D  End IP address
R1(config)#ip nat pool David 200.1.1.3 200.1.1.3 ?
  netmask  Specify the network mask
R1(config)#ip nat pool David 200.1.1.3 200.1.1.3 netmask ?
  A.B.C.D  Network mask
R1(config)#ip nat pool David 200.1.1.3 200.1.1.3 netmask 255.255.255.0 ?
  <cr>
R1(config)#ip nat pool David 200.1.1.3 200.1.1.3 netmask 255.255.255.0
R1(config)#ip nat inside ?
  source  Source address translation
R1(config)#ip nat inside source ?
  list    Specify access list describing local addresses
  static  Specify static local->global mapping
R1(config)#ip nat inside source list 1 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
R1(config)#ip nat inside source list 1 pool ?
  WORD  Name pool of global addresses
R1(config)#ip nat inside source list 1 pool David ?
  overload  Overload an address translation
  <cr>
R1(config)#ip nat inside source list 1 pool David overload ?
  <cr>
R1(config)#ip nat inside source list 1 pool David overload
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip nat ?
  statistics    Translation statistics
  translations  Translation entries
R1#show ip nat translations    // no records before any host accesses the web server
R1#show ip nat translations    // one host accesses the web server and a record is generated
Pro  Inside global      Inside local       Outside local      Outside global
tcp  200.1.1.3:1026     192.168.1.2:1026   200.1.2.2:80       200.1.2.2:80
R1#show ip nat translations    // access from hosts 1.2 and 1.3
Pro  Inside global      Inside local       Outside local      Outside global
tcp  200.1.1.3:1026     192.168.1.2:1026   200.1.2.2:80       200.1.2.2:80
tcp  200.1.1.3:1025     192.168.1.3:1025   200.1.2.2:80       200.1.2.2:80
R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  200.1.1.3:1026     192.168.1.2:1026   200.1.2.2:80       200.1.2.2:80
tcp  200.1.1.3:1027     192.168.1.2:1027   200.1.2.2:80       200.1.2.2:80
tcp  200.1.1.3:1025     192.168.1.3:1025   200.1.2.2:80       200.1.2.2:80
tcp  200.1.1.3:1024     192.168.1.3:1026   200.1.2.2:80       200.1.2.2:80
R1#
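As an added illustration (not part of the lab), this small Python simulator reproduces the NAPT behaviour described in the principles section and seen in R1's translation table: ACL 1 decides which inside addresses are translated, the single pool address 200.1.1.3 is shared by port, a source port that is already in use on the pool address is replaced by a free one (the 200.1.1.3:1024 -> 192.168.1.3:1026 row), and an inbound packet with no matching entry is dropped. The class name Napt, the lowest-free-port allocation rule and the lab_sequence helper are assumptions of this example, not router code.

```python
import ipaddress

POOL_IP = "200.1.1.3"                           # ip nat pool David 200.1.1.3 200.1.1.3
ACL_1 = ipaddress.ip_network("192.168.1.0/24")  # access-list 1 permit 192.168.1.0 0.0.0.255


class Napt:
    def __init__(self, pool_ip=POOL_IP, acl=ACL_1, first_port=1024):
        self.pool_ip, self.acl, self.first_port = pool_ip, acl, first_port
        self.out = {}   # (proto, in_ip, in_port, out_ip, out_port) -> global port
        self.back = {}  # (proto, global port, out_ip, out_port) -> (in_ip, in_port)

    def _pick_port(self, proto, wanted):
        # Keep the host's own source port while it is free on the pool address; otherwise
        # (assumed rule) take the lowest unused port from the dynamic range, e.g. 1024.
        used = {gp for (p, gp, _ip, _pt) in self.back if p == proto}
        if wanted not in used:
            return wanted
        return next(p for p in range(self.first_port, 65536) if p not in used)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside packet; returns the rewritten source, or None if ACL 1 does not match."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return None                         # not matched by list 1: no translation entry
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            gp = self._pick_port(proto, src_port)
            self.out[key] = gp
            self.back[(proto, gp, dst_ip, dst_port)] = (src_ip, src_port)
        return self.pool_ip, self.out[key]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Outside -> inside packet; None means no entry, so it is dropped and inside hosts stay hidden."""
        return self.back.get((proto, dst_port, src_ip, src_port))

    def translations(self):
        """Rows as 'show ip nat translations' prints them: Pro, Inside global, Inside local, Outside local, Outside global."""
        return [(p, f"{self.pool_ip}:{gp}", f"{ip}:{pt}", f"{oip}:{opt}", f"{oip}:{opt}")
                for (p, ip, pt, oip, opt), gp in self.out.items()]


def lab_sequence():
    """Replay the four web-server connections behind R1's last table (constructed from that table)."""
    nat = Napt()
    for src_ip, src_port in [("192.168.1.2", 1026), ("192.168.1.3", 1025),
                             ("192.168.1.2", 1027), ("192.168.1.3", 1026)]:
        nat.outbound("tcp", src_ip, src_port, "200.1.2.2", 80)
    return nat
```

Calling lab_sequence().translations() yields the same four rows R1 displays, including the port rewrite for the second connection from 192.168.1.3.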
R2:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 200.1.2.1 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 200.1.1.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 200.1.1.1
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.1.0/24 [1/0] via 200.1.1.1
C    200.1.1.0/24 is directly connected, Serial2/0
C    200.1.2.0/24 is directly connected, FastEthernet0/0
R2#
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig

IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1

PC>ping 200.1.2.2

Pinging 200.1.2.2 with 32 bytes of data:

Reply from 200.1.2.2: bytes=32 time=15ms TTL=126
Reply from 200.1.2.2: bytes=32 time=16ms TTL=126
Reply from 200.1.2.2: bytes=32 time=16ms TTL=126
Reply from 200.1.2.2: bytes=32 time=15ms TTL=126

Ping statistics for 200.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms

PC>
PC-WEB: