NAT Scenario
1. CCNA
Tehran Institute of Technology
Course name: Cisco CCNA
Instructor: Mansour.nch
Senior @ Tehran Institute of Technology
Copyright 2014
2. Contents
1. Introduction to NAT
2. Static NAT
3. Dynamic NAT
3. Introduction to NAT
Before looking at NAT technology, we need to know something about the address
types used in real-world networks.
Private Address
Public Address
Tehran Institute of Technology
Course name: CCNA
Instructor: Mansour.nch
Email: Powerst.basu@gmail.com
Tel: +98 – 935 658 9590
Senior @ Tehran Institute of Technology
Copyright 2014
4. Private vs. Public
Public addresses are used to reach the internet,
» because they can be routed on the internet.
Private addresses are used within an organization only,
» because they cannot be routed on the internet.
5. Benefits of using NAT
With NAT, the same private addresses can be reused millions of times all
over the world, and the hosts using them can still access the internet.
6. Security tips on NAT
For security reasons,
NAT also hides your network from the outside world, because the remote
node you connect to over the internet only knows your public address,
not the real internal address of your PC.
NAT provides the translation from private address to public address.
We connect to the internet with our private address, but in reality,
behind the scenes, the traffic is carried with a public address.
7. NAT Types
• Static NAT
• Dynamic NAT
• PAT(Port Address Translation) or NAT Overload
Static NAT is the type used for one-to-one translation of addresses or ports.
Dynamic NAT is the type used with a pool of public addresses, and works with
more than one public address.
PAT is the type that translates the outbound traffic of internal nodes to
unique port numbers of a single public address.
8. Keywords on NAT
Inside local: your PC's private address.
Inside global: the public address assigned to your PC.
Outside local: the outside host's public address.
Outside global: the same address as the outside local, unless it is
necessary to translate an outside address into a private address.
9. How does NAT work?
In the example above there are different addresses. For PC A, these addresses are:
• Inside Local Address - 10.1.1.10
• Inside Global Address - 55.1.1.1
• Outside Global Address - 99.1.1.2
• Outside Local Address - 99.1.1.2
Here PC A's configured address, 10.1.1.10, is the inside local address.
When this PC wants to go to the internet, it uses Router A's public
address via PAT, so the inside global address of PC A is 55.1.1.1.
During communication with PC B, PC A only sees PC B's outside global
address, 99.1.1.2.
10. Static NAT
11. Define Topology
For the static NAT configuration, we will use the
topology below. Let's first define our routers.
Think of R1 as your local router and R2 as a
router on the Internet. Finally, RouterA will be
our NAT-configured router.
12. Define Topology
First you must configure the interface IP
addresses on these three routers. Then you
must configure a static route from each end
to the other. Once a ping from each end to
the other end succeeds, the topology is ready
for our NAT configuration.
13. Define Topology
R1
R1# conf terminal
R1(config)# int f0/0
R1(config-if)# ip address 192.168.0.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# exit
R1(config)# ip route 10.10.10.0 255.255.255.0 192.168.0.2
R1(config)# exit
R1# copy run start
14. Define Topology
R2
R2# conf terminal
R2(config)# int f0/0
R2(config-if)# ip address 10.10.10.1 255.255.255.0
R2(config-if)# no shut
R2(config-if)# exit
R2(config)# ip route 192.168.0.0 255.255.255.0 10.10.10.2
R2(config)# exit
R2# copy run start
15. Define Topology
RouterA
RouterA# conf terminal
RouterA(config)# int f0/0
RouterA(config-if)# ip address 192.168.0.2 255.255.255.0
RouterA(config-if)# no shut
RouterA(config-if)# exit
RouterA(config)# int f0/1
RouterA(config-if)# ip address 10.10.10.2 255.255.255.0
RouterA(config-if)# no shut
RouterA(config-if)# end
RouterA# copy run start
16. Verify Configurations
R1# ping 10.10.10.1
R2# ping 192.168.0.1
Here, let's issue the "debug ip packet" command on R2 and ping from R1 to R2.
As you can see below, the source address is R1's fa0/0 interface address
and the destination address is R2's fa0/0 address. After the NAT
configuration, this source address will be changed to RouterA's fa0/1
interface IP address.
17. Verify Configurations
And lastly, for the private-to-public mapping, we need one extra command
on RouterA:
RouterA(config)# ip nat inside source static 192.168.0.1 10.10.10.2
After configuring RouterA with this command, let's ping from R1 to R2 again
and check the debug ip packet output. Here, as you can see below, the new
source IP address is the IP address of RouterA's fa0/1 interface.
18. Dynamic NAT
19. Scenario
A network associate is configuring a router for the Weaver company to
provide internet access. The ISP has provided the company six public IP
addresses, 198.18.184.105 – 198.18.184.110. The company has 14 hosts
that need to access the internet simultaneously. The hosts in the company
LAN have been assigned private-space addresses in the range
192.168.100.17 – 192.168.100.30.
20. Scenario
The following have already been configured on the router:
- The basic router configuration
- The appropriate interfaces have been configured for NAT inside
and NAT outside
- The appropriate static routes have also been configured (since
the company will be a stub network, no routing protocol will be
required.)
- All passwords have been temporarily set to “cisco”
The task is to complete the NAT configuration using all IP
addresses assigned by the ISP to provide Internet access for the
hosts in the Weaver LAN. Functionality can be tested by clicking
on the host provided for testing.
Configuration information
Router name – Weaver
Inside global addresses – 198.18.184.105 – 198.18.184.110/29
Inside local addresses – 192.168.100.17 – 192.168.100.30/28
Number of inside hosts – 14
21. Solution (step by step)
1. What is the IP addressing of the scenario?
The Local Area Network has been assigned the addresses
192.168.100.17 to 192.168.100.30, and the subnet mask used is
/28 or 255.255.255.240 (private IPs).
22. Solution (step by step)
What is the IP addressing of the scenario?
We need to translate these LAN addresses into
198.18.184.105 – 198.18.184.110 (public IPs).
23. Solution (step by step)
So, what is the problem with the IP addressing?
The company has 14 hosts in the LAN that need to access the Internet
simultaneously, but we have only 6 public IPs. So we need to configure
NAT overloading, or Port Address Translation (PAT).
24. Solution (step by step)
Step 1: Create a standard access-list that specifies the private IPs to
be translated, i.e. 192.168.100.17 – 192.168.100.30.
Step 2: Create a POOL of public IPs to be allocated, i.e.
198.18.184.105 – 198.18.184.110.
Step 3: Use the "ip nat inside source ..." command to link the ACCESS-LIST
and POOL so that NAT overloading can be performed.
Step 4: Use the ip nat inside and ip nat outside commands on the
FastEthernet and Serial interfaces respectively.
25. Solution (step by step)
To access the Weaver router, click on Console PC -> Desktop -> Terminal -> OK
Router>enable
Router#configure terminal
Change the router's name to Weaver as given in the LAB:
Router(config)#hostname Weaver
Create a NAT pool of global addresses to be allocated, with the subnet mask:
Weaver(config)#ip nat pool NHPOOL 198.18.184.105 198.18.184.110 netmask 255.255.255.248
26. Solution (step by step)
Create a standard access control list that permits the private addresses,
i.e. the addresses that are to be translated:
Weaver(config)#access-list 10 permit 192.168.100.16 0.0.0.15
27. Solution (step by step)
Perform NAT overloading by specifying the access-list and pool defined in the
prior steps.
This command translates all inside local addresses that pass access-list 10
into an address from the pool named NHPOOL:
Weaver(config)#ip nat inside source list 10 pool NHPOOL overload
As mentioned in the LAB, the ip nat inside and ip nat outside commands have
already been configured on FastEthernet0/0 and Serial0/0 respectively, so we
do not need to configure them again.
Copy the running configuration into the startup configuration:
Weaver#copy running-config startup-config
29. Solution (step by step)
To verify your LAB, click on Host for Testing -> Desktop -> Command Prompt
C:\>ping 192.0.2.114
The ping should work, and you will receive replies from 192.0.2.114.
Issue the "show ip nat translations" command on the Weaver router to verify
the translation.
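As an added illustration (not part of the course slides), the following Python model applies this deck's own addresses to the three ideas it covers: the static one-to-one mapping of 192.168.0.1 to 10.10.10.2 from slide 17, the Weaver overload configuration (access-list 10, pool NHPOOL, 14 hosts sharing 6 public addresses), and the inside/outside local/global columns of show ip nat translations. The NatRouter class, its port allocation (first pool address, ports counted up from 1024) and the constructed hosts are simplifications assumed here, not IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Standard ACL match: a 1 bit in the wildcard mask means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


@dataclass
class NatRouter:
    pool: list                                  # inside global pool (NHPOOL); simplified: first address only
    acl: Optional[tuple] = None                 # (network, wildcard) of 'access-list 10'
    static: dict = field(default_factory=dict)  # inside local -> inside global, one-to-one
    table: dict = field(default_factory=dict)   # (inside local, port) -> (inside global, port, outside, port)
    next_port: int = 1024                       # next unique source port handed out by PAT (assumed)

    def outbound(self, src: str, sport: int, dst: str, dport: int):
        """Packet crossing from the 'ip nat inside' to the 'ip nat outside' interface.
        Returns the translated (source, port), or None when no NAT rule applies."""
        if src in self.static:                  # static NAT swaps the address, keeps the port
            return self.static[src], sport
        if self.acl is None or not acl_permits(src, *self.acl):
            return None                         # not permitted by the ACL: routed untranslated
        if (src, sport) not in self.table:      # PAT: one global address, a unique port per flow
            self.table[(src, sport)] = (self.pool[0], self.next_port, dst, dport)
            self.next_port += 1
        entry = self.table[(src, sport)]
        return entry[0], entry[1]

    def inbound(self, dst: str, dport: int):
        """Return traffic: only an existing entry maps a public address/port to an inside host."""
        for local, glob in self.static.items():
            if glob == dst:                     # static entry: reachable from outside at any time
                return local, dport
        for (lip, lport), (gip, gport, _, _) in self.table.items():
            if (gip, gport) == (dst, dport):
                return lip, lport
        return None                             # unsolicited packet: no inside host is exposed

    def show_translations(self) -> list:
        """Rows in the column order of 'show ip nat translations'."""
        rows = ["Inside global          Inside local           Outside local      Outside global"]
        for (lip, lport), (gip, gport, oip, oport) in self.table.items():
            rows.append(f"{gip}:{gport:<6} {lip}:{lport:<6} {oip}:{oport:<6} {oip}:{oport}")
        return rows
```

The inbound() path is also where the hiding effect described on slide 6 comes from: a packet arriving at a public address and port with no translation entry has no inside destination and goes nowhere.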
30. Tehran Institute of Technology