Configuring Dynamic NAT Translations

18 Mar

Dynamic NAT translation of addresses is one of many types of NAT configurations. The difference in the configuration of dynamic NAT translations and static NAT translations is minimal. However, the manner in which the translation table is populated is vastly different. With static NAT, you manually enter the pairs of translation addresses. With dynamic NAT, the table is populated dynamically after a packet is received on the inside interface and the packet matches parameters defined within an access list. Packets that are to be translated by NAT should match a permit statement within the access list. A deny statement in the access list tells NAT not to perform translation on the packet.

To perform translation on packets moving between interfaces labeled as “inside” and interfaces labeled as “outside,” NAT must be told what address to change the packet to. With static NAT, the address is manually entered, so NAT does not have to decide which address to allocate to a certain flow. With dynamic NAT, a pool of inside global addresses is configured, and NAT chooses the next available address to allocate to every new flow. NAT chooses addresses from the configured pool, starting with the lowest IP address first and then translating each new flow with the next available address. After all of the addresses in the pool are in use and allocated, NAT cannot translate a new flow until a translation times out or is cleared and its address is released back into the pool. To configure basic dynamic NAT, use the following steps:

1. Use the following global configuration command to define a pool of inside global addresses to be allocated as needed:

ip nat pool <name> <start-ip address> <end-ip address> {netmask netmask | prefix-length prefix-length}

The start IP address is the address that NAT will begin with when creating a dynamic translation entry. The end IP address is the last IP address that NAT will be able to use when creating a dynamic translation entry.

2. Use this command to define an extended access list and its parameters:

access-list <access-list-number> {deny|permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>

The access list should specify which traffic arriving at the inside interface and destined to the outside interface is eligible to create a translation entry.

3. Use the following command to establish an association between the local inside addresses and the pool of global addresses:

ip nat inside source list <access−list−number> pool <name>

4. Use the following command to move into interface configuration mode:

interface <interface type> <interface number>

5. Use the ip nat inside interface configuration command to apply NAT to the interface that is connected to the networks with the local addresses.

6. Use this command to move into interface configuration mode:

interface <interface type> <interface number>

7. Use the ip nat outside interface configuration command to apply NAT to the interface that is connected to the networks with the inside global addresses.

The preceding steps contain all the commands needed to configure dynamic NAT translation. Figure 3.7 displays a network that must use NAT to communicate with outside networks. The networks that are behind Router 1 are all allocated from RFC 1918 nonroutable address space. The clients located behind Router 1 have inside local addresses allocated from the subnet. The configuration of Router 1 is shown in Listing 3.13.

Listing 3.13: Dynamic NAT configuration.

ip subnet-zero
ip nat pool INTERNET -
ip nat inside source list 1 pool INTERNET
interface Serial0/0
ip address
ip nat outside
int FastEthernet0/0
ip address
ip nat inside
access-list 1 permit

Figure 3.7: Dynamic NAT network example.
The configuration in Listing 3.13 defines an inside global pool of addresses named INTERNET with 126 inside global addresses. The access-list command tells NAT which inside local addresses are eligible for translation. The ip nat inside source command binds the access list and the pool of addresses together. Interface Serial0/0 is defined as the outside interface, and interface FastEthernet0/0 is defined as the inside interface.

When hosts on the network need to connect to networks outside of their local network, NAT performs a translation table lookup to determine whether a translation entry already exists. If a translation is present in the translation table, the router uses that entry and performs no other function. If no translation exists in the translation table, NAT creates one and allocates the next lowest available IP address from the pool to the packet. To view the translation table of Router 1, use the show ip nat translations command (abbreviated sh ip nat translations). Listing 3.14 displays the output when the command is issued on Router 1.

Listing 3.14: Display of NAT translations.

Router-1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
− − −
− − −
− − −
− − −

The output from Listing 3.14 confirms that NAT is allocating IP addresses from the inside global pool of addresses and translating the inside local address to an inside global address. After an entry is created, all connections from hosts on the inside network to hosts on the outside network should be successful.

Another command used to monitor and verify the operation of NAT is the show ip nat statistics command. This command was used earlier to monitor and verify the operation of static NAT; however, when it was used with static NAT, no information regarding dynamic mappings was listed. When the command is issued on Router 1, information specific to the dynamic mappings is included. Listing 3.15 displays the output of issuing the command on Router 1 with dynamic mapping configured.

Listing 3.15: Display of NAT statistics.

Router-1#sh ip nat stat
Total active translations: 11 (0 static, 11 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
Hits: 63 Misses: 5
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool INTERNET refcount 11
pool INTERNET: netmask
start end
type generic, total addresses 126, allocated 11 (8%), misses 0
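As an added example (not code from the page or from Cisco), the script below parses the per-pool section of show ip nat statistics output, recomputes the pool size from the start/end addresses given in step 1, and flags a pool that is nearly exhausted or has recorded misses, the condition under which a new inside flow gets no translation. The sample output, interface names and 192.0.2.0/25 addresses are constructed, and pool_size, parse_nat_stats and pool_health are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample output modelled on Listing 3.15; the addresses and
# interface names are made up, not values from the page.
SAMPLE_STATS = """\
Total active translations: 11 (0 static, 11 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Dynamic mappings:
-- Inside Source
access-list 1 pool INTERNET refcount 11
 pool INTERNET: netmask 255.255.255.128
        start 192.0.2.1 end 192.0.2.126
        type generic, total addresses 126, allocated 11 (8%), misses 0
"""

def pool_size(start, end):
    """Addresses NAT can allocate from start..end inclusive (hypothetical helper)."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError("pool end address precedes start address")
    return int(b) - int(a) + 1

def parse_nat_stats(text):
    """Collect the per-pool lines of `show ip nat statistics` into a dict."""
    pools, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*pool (\S+): netmask (\S+)", line):
            current = pools.setdefault(m.group(1), {"netmask": m.group(2)})
        elif (m := re.match(r"\s*start (\S+) end (\S+)", line)) and current:
            current["start"], current["end"] = m.groups()
        elif (m := re.match(r"\s*type \S+, total addresses (\d+), allocated (\d+)"
                            r" \(\d+%\), misses (\d+)", line)) and current:
            current["total"], current["allocated"], current["misses"] = map(int, m.groups())
    return pools

def pool_health(pool, warn_pct=80):
    """Return (utilisation %, warnings): a full pool means new flows get no translation."""
    warnings = []
    if pool_size(pool["start"], pool["end"]) != pool["total"]:
        warnings.append("router's total does not match the start/end range")
    pct = 100.0 * pool["allocated"] / pool["total"]
    if pct >= warn_pct:
        warnings.append(f"pool {pct:.0f}% allocated; exhaustion imminent")
    if pool["misses"]:
        warnings.append(f"{pool['misses']} flows found no free inside global address")
    return pct, warnings
```

Run it against the saved output of a periodic show ip nat statistics poll; a rising misses counter on the pool line is the earliest sign that inside hosts are failing to reach outside networks.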
