Comprehensive NAT Labs Workbook

Lab Overview

  1. Overloading NAT (PAT): Configuring Port Address Translation for internal hosts sharing a single public IP address.
  2. Port Forwarding: Setting up port forwarding to allow external access to an internal web server.
  3. Static NAT with 1 to 1 Mapping for Hosts: Creating static NAT mappings for specific internal hosts.
  4. Static 1 to 1 NAT: Implementing static 1 to 1 NAT for individual devices.
  5. Dynamic NAT (Reversible): Configuring dynamic NAT with reversible mappings for internal hosts.
  6. Static 1 to 1 NAT (Extendable): Extending static 1 to 1 NAT configurations for scalability.
  7. Dynamic NAT (1 to 1 Host Mapping): Implementing dynamic NAT with specific host mappings.
  8. Virtual Server and VIP: Setting up virtual server and VIP configurations for load balancing.
  9. VRF Aware NAT (VRF – Global Context): Implementing NAT in a VRF-aware context.
  10. Static NAT (Outside to Inside): Configuring static NAT for inbound traffic.
  11. VRF Aware CGNAT-LSN: Implementing Carrier Grade NAT in a VRF-aware context.
  12. NAT64: Configuring NAT64 for IPv6 to IPv4 translation.
  13. NAT64 (IPv4 to IPv6): Implementing NAT64 for IPv4 to IPv6 translation.

Detailed Lab Configuration, Testing, and Troubleshooting

1. Overloading NAT (PAT)

Configuration:

Router1(config)# interface GigabitEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# ip nat inside
 
Router1(config)# interface GigabitEthernet0/1
Router1(config-if)# ip address 203.0.113.1 255.255.255.0
Router1(config-if)# ip nat outside
 
Router1(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
Router1(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Explanation:

  • PAT allows multiple internal hosts to share a single public IP address by using different source port numbers.

Testing:

  1. From an internal host (e.g., Windows 10 with IP 192.168.1.100), ping an external IP (e.g., 8.8.8.8).
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Ensure correct NAT configuration: show run | section ip nat.
  2. Check NAT translations: show ip nat translations.
  3. Verify ACLs permit correct traffic: show access-lists.
  4. Debug Command:
    Router1# debug ip nat
    Use undebug all to stop debugging.
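
How the overload table keeps two inside hosts apart on one public address, as an added example (a simplified Python model, not part of the original lab and not IOS internals). The PatTable class, the port range, the host 192.168.1.101 and the lowest-free-port collision policy are assumptions made for illustration.

```python
"""Simplified model of a PAT (overload) table; illustration only."""
from typing import Dict, Optional, Tuple

Inside = Tuple[str, int]  # (inside local IP, inside local port)


class PatTable:
    def __init__(self, public_ip: str, ports: range = range(1024, 65536)):
        self.public_ip = public_ip
        self.ports = ports  # assumed allocation range
        self.by_inside: Dict[Tuple[str, str, int], int] = {}
        self.by_public: Dict[Tuple[str, int], Inside] = {}

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an inside source to (public IP, public port)."""
        key = (proto, src_ip, src_port)
        if key in self.by_inside:  # existing session: reuse its entry
            return self.public_ip, self.by_inside[key]
        port = src_port
        if port not in self.ports or (proto, port) in self.by_public:
            # Original port unusable: take the lowest free port (assumed policy).
            port = next((p for p in self.ports
                         if (proto, p) not in self.by_public), None)
            if port is None:
                raise RuntimeError("no free ports left on " + self.public_ip)
        self.by_inside[key] = port
        self.by_public[(proto, port)] = (src_ip, src_port)
        return self.public_ip, port

    def inbound(self, proto: str, dst_port: int) -> Optional[Inside]:
        """Map return traffic to the inside host, or None if no entry exists."""
        return self.by_public.get((proto, dst_port))


def demo():
    pat = PatTable("203.0.113.1")
    a = pat.outbound("tcp", "192.168.1.100", 50000)
    b = pat.outbound("tcp", "192.168.1.101", 50000)  # same port, other host (constructed)
    reply = pat.inbound("tcp", b[1])        # return traffic for host .101
    unsolicited = pat.inbound("tcp", 4444)  # nothing inside opened this port
    return a, b, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

Traffic arriving on a public port with no table entry has nowhere to go, which is why the translation list in show ip nat translations is the first thing to check when return traffic is missing.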

2. Port Forwarding

Configuration:

Router2(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80

Explanation:

  • Port forwarding directs incoming traffic on a specific port to an internal server, allowing external access to services.

Testing:

  1. From an external host (e.g., another router or internet), access the web server via the public IP: http://203.0.113.2.
  2. Verify the web server responds correctly.

Troubleshooting:

  1. Check port forwarding configuration: show run | section ip nat.
  2. Verify NAT translations: show ip nat translations.
  3. Ensure the server is reachable internally: ping 192.168.1.10.
  4. Debug Command:
    Router2# debug ip nat
    Use undebug all to stop debugging.

3. Static NAT with 1 to 1 Mapping for Hosts

Configuration:

Router3(config)# ip nat inside source static 192.168.1.20 203.0.113.3

Explanation:

  • Static NAT provides a permanent mapping between internal and external IP addresses, ideal for servers hosting public services.

Testing:

  1. From an external host, ping the public IP: ping 203.0.113.3.
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Ensure correct NAT configuration: show run | section ip nat.
  2. Verify NAT translations: show ip nat translations.
  3. Ensure the internal host is reachable: ping 192.168.1.20.
  4. Debug Command:
    Router3# debug ip nat
    Use undebug all to stop debugging.

4. Static 1 to 1 NAT

Configuration:

Router4(config)# ip nat inside source static 192.168.1.30 203.0.113.4

Explanation:

  • Similar to static NAT but used for individual devices requiring dedicated public IP addresses, such as VoIP servers or specific devices.

Testing:

  1. From an external host, ping the public IP: ping 203.0.113.4.
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Ensure correct NAT configuration: show run | section ip nat.
  2. Verify NAT translations: show ip nat translations.
  3. Check for any IP conflicts.
  4. Debug Command:
    Router4# debug ip nat
    Use undebug all to stop debugging.

5. Dynamic NAT (Reversible)

Configuration:

Router5(config)# ip nat pool NAT_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router5(config)# ip nat inside source list 2 pool NAT_POOL reversible
Router5(config)# access-list 2 permit 192.168.1.0 0.0.0.255

Explanation:

  • Dynamic NAT assigns available public IP addresses from a pool to internal hosts; the mappings are reversible for return traffic.

Testing:

  1. From an internal host, initiate outbound traffic (e.g., browsing a website).
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Monitor NAT pool utilization: show ip nat translations.
  2. Ensure sufficient addresses are available in the pool.
  3. Check NAT configuration: show run | section ip nat.
  4. Debug Command:
    Router5# debug ip nat
    Use undebug all to stop debugging.

6. Static 1 to 1 NAT (Extendable)

Configuration:

Router6(config)# ip nat inside source static 192.168.1.40 203.0.113.6 extendable

Explanation:

  • Extendable static NAT allows for more flexible and scalable NAT configurations, supporting additional features.

Testing:

  1. From an external host, ping the public IP: ping 203.0.113.6.
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Check NAT configuration: show run | section ip nat.
  2. Verify NAT translations: show ip nat translations.
  3. Ensure the internal host is reachable: ping 192.168.1.40.
  4. Debug Command:
    Router6# debug ip nat
    Use undebug all to stop debugging.

7. Dynamic NAT (1 to 1 Host Mapping)

Configuration:

Router1(config)# ip nat pool DYNAMIC_POOL 203.0.113.30 203.0.113.40 netmask 255.255.255.0
Router1(config)# ip nat inside source list 3 pool DYNAMIC_POOL
Router1(config)# access-list 3 permit 192.168.1.0 0.0.0.255

Explanation:

  • Dynamic NAT with 1 to 1 host mapping ensures each internal host is dynamically assigned a unique public IP address.

Testing:

  1. From an internal host, initiate outbound traffic.
  2. Verify NAT mappings with show ip nat translations.

Troubleshooting:

  1. Check NAT pool configuration: show run | section ip nat.
  2. Verify ACL permits correct internal traffic.
  3. Monitor NAT pool utilization: show ip nat translations.
  4. Debug Command:
    Router1# debug ip nat
    Use undebug all to stop debugging.

8. Virtual Server and VIP

Configuration:

Router2(config)# ip nat inside source static tcp 192.168.1.50 80 203.0.113.6 80
Router2(config)# ip nat inside source static tcp 192.168.1.51 80 203.0.113.6 81

Explanation:

  • Virtual servers and VIP configurations allow multiple internal servers to be accessed via different ports on a single public IP.

Testing:

  1. From an external host, access the servers via public IP and different ports: http://203.0.113.6:80 and http://203.0.113.6:81.
  2. Verify the correct server responds to each request.

Troubleshooting:

  1. Check NAT configuration: show run | section ip nat.
  2. Ensure the internal servers are reachable and running.
  3. Verify NAT translations: show ip nat translations.
  4. Debug Command:
    Router2# debug ip nat
    Use undebug all to stop debugging.
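
An offline audit of the static mappings configured in labs 2, 3, 6 and 8, as an added example (Python, not part of the original workbook): it lists what each line makes reachable from the outside and flags a public IP that is used both for a 1:1 mapping and for port forwards. The sample input merges lines from different lab routers onto one device, which is an assumption for illustration, as are the function and finding names.

```python
"""Added example: list what static NAT lines expose to the outside interface."""
import re
from typing import List, Tuple

PORT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
HOST_RE = re.compile(r"ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")

# Constructed input: the static NAT lines of labs 2, 3, 6 and 8, merged as if
# they were all applied to one router.
SAMPLE = """\
Router2(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80
Router3(config)# ip nat inside source static 192.168.1.20 203.0.113.3
Router6(config)# ip nat inside source static 192.168.1.40 203.0.113.6 extendable
Router2(config)# ip nat inside source static tcp 192.168.1.50 80 203.0.113.6 80
Router2(config)# ip nat inside source static tcp 192.168.1.51 80 203.0.113.6 81
"""

Finding = Tuple[str, str, str]  # (kind, outside-facing address, inside host)


def audit(config: str) -> List[Finding]:
    """Return one finding per exposure, plus overlaps worth a manual review."""
    findings: List[Finding] = []
    full_host = {}  # global IP -> inside IP for 1:1 mappings
    forwards = []   # (proto, inside IP, inside port, global IP, global port)
    for line in config.splitlines():
        if m := PORT_RE.search(line):
            forwards.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := HOST_RE.search(line):
            full_host[m[2]] = m[1]
    for gip, lip in full_host.items():
        # A 1:1 mapping translates every protocol and port, not just one service.
        findings.append(("full-host", gip, lip))
    for proto, lip, lport, gip, gport in forwards:
        findings.append(("port", f"{proto}/{gip}:{gport}", f"{lip}:{lport}"))
        if gip in full_host and full_host[gip] != lip:
            # Same public IP already maps 1:1 to another host: review intent.
            findings.append(("overlap", f"{proto}/{gip}:{gport}", full_host[gip]))
    return findings


if __name__ == "__main__":
    for kind, outside, inside in audit(SAMPLE):
        print(f"{kind:9} {outside:22} -> {inside}")
```

A full-host finding means every protocol and port on the inside host is translated, so pair 1:1 mappings with an inbound ACL on the outside interface.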

9. VRF Aware NAT (VRF – Global Context)

Configuration:

Router3(config)# ip vrf CUSTOMER_A
Router3(config-vrf)# rd 65000:1
Router3(config-vrf)# route-target export 65000:1
Router3(config-vrf)# route-target import 65000:1
 
Router3(config)# interface GigabitEthernet0/2
Router3(config-if)# ip vrf forwarding CUSTOMER_A
Router3(config-if)# ip address 192.168.2.1 255.255.255.0
Router3(config-if)# ip nat inside
 
Router3(config)# ip nat inside source list 4 interface GigabitEthernet0/1 vrf CUSTOMER_A overload
Router3(config)# access-list 4 permit 192.168.2.0 0.0.0.255

Explanation:

  • VRF-aware NAT allows different customers or tenants to use the same private IP address ranges without conflict, providing NAT within the VRF context.

Testing:

  1. From a host in the VRF, initiate outbound traffic.
  2. Verify NAT translations: show ip nat translations vrf CUSTOMER_A.

Troubleshooting:

  1. Check VRF routing tables: show ip route vrf CUSTOMER_A.
  2. Verify NAT translations within the VRF context: show ip nat translations vrf CUSTOMER_A.
  3. Debug Command:
    Router3# debug ip nat
    Use undebug all to stop debugging.

10. Static NAT (Outside to Inside)

Configuration:

Router4(config)# ip nat outside source static 203.0.113.7 192.168.1.200

Explanation:

  • Static NAT for inbound traffic allows external hosts to initiate connections to internal servers by mapping a public IP address to a private one.

Testing:

  1. From an external host, ping the public IP: ping 203.0.113.7.
  2. Verify translation on the router with show ip nat translations.

Troubleshooting:

  1. Ensure static NAT entry is correctly configured: show run | section ip nat.
  2. Verify NAT translations: show ip nat translations.
  3. Check connectivity to the internal host: ping 192.168.1.200.
  4. Debug Command:
    Router4# debug ip nat
    Use undebug all to stop debugging.

11. VRF Aware CGNAT-LSN

Configuration:

Router5(config)# ip vrf CUSTOMER_B
Router5(config-vrf)# rd 65000:2
Router5(config-vrf)# route-target export 65000:2
Router5(config-vrf)# route-target import 65000:2
 
Router5(config)# interface GigabitEthernet0/2
Router5(config-if)# ip vrf forwarding CUSTOMER_B
Router5(config-if)# ip address 192.168.3.1 255.255.255.0
Router5(config-if)# ip nat inside
 
Router5(config)# ip nat inside source list 5 interface GigabitEthernet0/1 vrf CUSTOMER_B overload
Router5(config)# access-list 5 permit 192.168.3.0 0.0.0.255

Explanation:

  • VRF-aware CGNAT scales NAT services for multiple customers or tenants, managing IP address depletion and enhancing network efficiency.

Testing:

  1. From a host in the VRF, initiate outbound traffic.
  2. Verify CGNAT sessions: show ip nat translations vrf CUSTOMER_B.

Troubleshooting:

  1. Monitor CGNAT sessions: show ip nat translations.
  2. Check for NAT pool exhaustion or misconfigurations.
  3. Debug Command:
    Router5# debug ip nat
    Use undebug all to stop debugging.

12. NAT64

Configuration:

Router6(config)# interface GigabitEthernet0/3
Router6(config-if)# ipv6 address 2001:db8::1/64
 
Router6(config)# ip nat64 vrf VRF_INTERNET stateful
Router6(config)# ip nat64 source vrf VRF_INTERNET pool NAT64_POOL
Router6(config)# ipv6 nat64 prefix 64:ff9b::/96 vrf VRF_INTERNET

Explanation:

  • NAT64 enables communication between IPv6-only and IPv4-only networks by translating IPv6 addresses to IPv4 addresses and vice versa.

Testing:

  1. From an IPv6-only host, ping an IPv4 address using NAT64: ping 64:ff9b::8.8.8.8.
  2. Verify NAT64 translations: show ip nat64 translations.

Troubleshooting:

  1. Verify NAT64 prefix configuration: show run | section nat64.
  2. Check IPv6 to IPv4 translation: show ip nat64 translations.
  3. Debug Command:
    Router6# debug ip nat64
    Use undebug all to stop debugging.
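
How the NAT64 prefix and an IPv4 address combine into the address pinged above, as an added example (Python, not part of the original lab). It goes beyond the /96 case used here and implements the RFC 6052 embedding for all six permitted prefix lengths; the function names are illustrative.

```python
"""Added example: RFC 6052 IPv4-embedded IPv6 addresses, as used by NAT64."""
import ipaddress

# Byte positions of the four IPv4 octets inside the 16-byte IPv6 address for
# each permitted prefix length (RFC 6052 section 2.2). Byte 8, the reserved
# "u" octet, is always skipped and stays zero.
_V4_OCTETS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def _positions(net: ipaddress.IPv6Network):
    if net.prefixlen not in _V4_OCTETS:
        raise ValueError(f"RFC 6052 does not permit a /{net.prefixlen} prefix")
    return _V4_OCTETS[net.prefixlen]


def synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_positions(net), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address from a translated IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside NAT64 prefix {net}")
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in _positions(net)))


if __name__ == "__main__":
    print(synthesize("64:ff9b::/96", "8.8.8.8"))         # prefix from this lab
    print(extract("64:ff9b::/96", "64:ff9b::8.8.8.8"))  # address from the ping test
```

The extract function is the useful direction when reading logs on the IPv6 side: it recovers the IPv4 destination so that existing IPv4 ACLs and allow-lists can be checked against it.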

13. NAT64 (IPv4 to IPv6)

Configuration:

Router1(config)# ip nat64 vrf VRF_INTERNAL stateful
Router1(config)# ipv6 nat64 prefix 2001:db8::/96 vrf VRF_INTERNAL
Router1(config)# ip nat64 source vrf VRF_INTERNAL pool NAT64_POOL

Explanation:

  • NAT64 translates IPv4 addresses to IPv6 addresses, facilitating communication between IPv4-only and IPv6-only devices.

Testing:

  1. From an IPv4-only host, ping an IPv6 address using NAT64: ping 2001:db8::1.
  2. Verify NAT64 translations: show ip nat64 translations.

Troubleshooting:

  1. Monitor NAT64 sessions: show ip nat64 translations.
  2. Ensure correct bidirectional IPv4 to IPv6 translation.
  3. Debug Command:
    Router1# debug ip nat64
    Use undebug all to stop debugging.

Conclusion

This comprehensive lab workbook covers a wide range of NAT scenarios using CSR routers in EVE-NG, providing extensive hands-on practice. Adjust IP addressing and interface names according to your specific lab environment. Document each step thoroughly with testing and troubleshooting tips to


Additional Resources for Learning NAT Concepts and Protocols

More resources about the NAT concepts and protocols mentioned above:

  1. NAT Overloading (PAT)

  2. Port Forwarding

  3. Static NAT

  4. Dynamic NAT

  5. Virtual Servers and VIPs

  6. VRF (Virtual Routing and Forwarding)

  7. PPTP (Point-to-Point Tunneling Protocol)

  8. NAT64

  9. NAT Troubleshooting

These resources should provide you with a detailed understanding of each protocol and configuration scenario.