
Configuring Dynamic NAT Pooling Tutorial


Configuring Dynamic NAT Pooling

NAT pooling is the ability to dynamically assign public IP addresses from a pool to private internal addresses on a first come, first served basis. This lab discusses and demonstrates the configuration and verification of dynamic NAT pooling.

Real World Application & Core Knowledge

If you have completed the previous Lab 11-1 – Configuring Network Address Translation (NAT) One-to-One, you should have a basic understanding of how NAT works; if not, it is recommended that you complete the previous lab before attempting this one.

A Network Address Translation pool, in simple terms, is a range carved out of an allocated address block that assigns inside global addresses to inside local hosts on a first come, first served basis, based on a match found in a specified access control list. The benefit of this type of configuration is that your inside network can use RFC 1918 private addressing such as the 10.0.0.0/8 range and still obtain IP connectivity to the outside world, using a single public IP address per host. Some universities use this method; however, the majority of universities in the USA are moving towards a NAC (Network Admission Control) infrastructure for their residential students' internet access, because NAC can enforce virus protection and required operating system updates.

However, NAT pooling still has its place in today's networks, such as in a DMZ (Demilitarized Zone) or at companies that own a block of public IP addresses and require each inside host to have its own translated outside IP address.

When configuring a NAT pool you must specify an address pool range with a start and end IP address, followed by the network prefix of the allocated IP address block that the range is carved out of. After the pool has been created you must then create the NAT statement that references a specific access control list; inside hosts matched by the ACL are translated to the outside global IP addresses in the pool on a first come, first served basis.

To create a NAT pool you will use the command ip nat pool <i>poolname</i> sip.sip.sip.sip eip.eip.eip.eip prefix-length #, where the poolname is referenced by the NAT translation statement, followed by the starting IP and ending IP of the pool range and the prefix of the allocation that the IP address range is carved out of; e.g. 24 = /24 or 255.255.255.0.

When specifying a NAT translation statement using a pool you will need to specify an access control list, which is used to match the inside host addresses or networks that will be translated to the IP addresses found in the pool on a first come, first served basis.

To configure a NAT pool translation you will use the ip nat inside source list <i>ACL#_OR_NAME</i> pool <i>POOLNAME</i> command in global configuration mode, where <i>ACL#_OR_NAME</i> is the access control list name or number used to match the inside hosts permitted to use the NAT pool translation, and <i>POOLNAME</i> is the pool of IP addresses you carved out of an address block allocation.
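The two failure modes worth understanding before configuring this on a real router are an ACL miss (the packet is routed with its private source address untouched) and pool exhaustion (a dynamic pool without overload has no address left, so the router drops the packet rather than creating a translation; a single host that opens traffic from many addresses can exhaust a small pool). The following Python model is an added example written for this tutorial, not Free CCNA Workbook code or IOS itself; it simulates the wildcard-mask ACL match, the first come, first served allocation and both failure modes, using the lab's own pool (171.18.24.5 to .25, /27) and ACL entry (10.55.0.0 0.0.3.255). The class and function names are this example's own.

```python
"""Simulation of IOS-style dynamic NAT pooling (added example, not lab code).

Models an extended ACL entry with an IOS wildcard mask, a pool of inside
global addresses handed out first come first served, and the two outcomes a
defender cares about: traffic the ACL does not match (forwarded untranslated)
and pool exhaustion (packet dropped, no translation created). All names are
constructed for this example; the addresses match the lab.
"""
import ipaddress


def acl_permits(src_ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: wildcard bits set to 1 are 'don't care'."""
    src = int(ipaddress.IPv4Address(src_ip))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (src & care) == (net & care)


class DynamicNatPool:
    """Inside global addresses start..end, which must all lie in one prefix."""

    def __init__(self, start: str, end: str, prefix_length: int) -> None:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("pool end precedes pool start")
        block = ipaddress.ip_network(f"{start}/{prefix_length}", strict=False)
        if last not in block:
            raise ValueError("pool range is not inside the given prefix")
        self.addresses = [ipaddress.IPv4Address(i)
                          for i in range(int(first), int(last) + 1)]
        self.free = list(self.addresses)  # handed out in ascending order

    def allocate(self):
        """Lowest free address, or None when the pool is exhausted."""
        return self.free.pop(0) if self.free else None

    def release_all(self) -> None:
        self.free = list(self.addresses)


class NatTranslator:
    """Behaviour of 'ip nat inside source list <ACL> pool <POOL>' for one ACL entry."""

    def __init__(self, pool: DynamicNatPool, acl_network: str, acl_wildcard: str):
        self.pool = pool
        self.acl_network = acl_network
        self.acl_wildcard = acl_wildcard
        self.translations = {}  # inside local -> inside global

    def translate(self, inside_local: str):
        """Return (status, inside_global) for a packet sourced from inside_local."""
        if not acl_permits(inside_local, self.acl_network, self.acl_wildcard):
            return ("untranslated", None)  # ACL miss: routed with private source
        existing = self.translations.get(inside_local)
        if existing is not None:
            return ("translated", str(existing))  # reuse the host's binding
        inside_global = self.pool.allocate()
        if inside_global is None:
            return ("dropped", None)  # pool exhausted and no overload configured
        self.translations[inside_local] = inside_global
        return ("translated", str(inside_global))

    def clear_translations(self) -> None:
        """Equivalent of 'clear ip nat translation *'."""
        self.translations.clear()
        self.pool.release_all()


if __name__ == "__main__":
    nat = NatTranslator(DynamicNatPool("171.18.24.5", "171.18.24.25", 27),
                        "10.55.0.0", "0.0.3.255")
    for host in ("10.55.0.1", "10.55.1.1", "10.55.2.1", "10.55.3.1", "10.56.0.1"):
        print(host, nat.translate(host))
```

Running it reproduces the lab's sequential assignment (10.55.0.1 gets 171.18.24.5, 10.55.1.1 gets .6, and so on) and shows 10.56.0.1 passing through untranslated because the ACL does not match it; feeding it more than 21 distinct inside hosts shows the drop on exhaustion, which is the case to watch for on a pool of this size.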

In this lab you will be using R1, R2 and R3 to simulate a network connected to an ISP at R2, with R2 translating simulated inside hosts from R1 to a public IP address pool on their way to the internet (R3).

Please review the following commands:

| Command | Description |
| --- | --- |
| ip nat pool <i>poolname</i> sip.sip.sip.sip eip.eip.eip.eip prefix-length # | Executed in global configuration mode to create a NAT pool, where sip is the starting IP address of the pool range and eip is the ending IP address of the pool range. The prefix-length # is the prefix of the address block that the IP addresses in the pool belong to. |
| ip nat inside source list <i>acl#</i> pool <i>poolname</i> | Executed in global configuration mode to set up an inside-to-outside NAT pool translation, where the access-list number or name references the ACL in which inside hosts must be permitted in order to obtain a pool IP address. The pool name references the pool of IP addresses created with the previous command. |
| show ip nat translations | Executed in user or privileged mode to view all the current NAT translations in the router's NAT table. |
| clear ip nat translation * | Executed in privileged mode to purge all dynamic NAT translations that exist in the router's NAT table. Take caution if this command is executed on a live network, as it will drop the TCP sessions that currently depend on dynamic NAT translations. |

The following logical topology is used in this lab:

Lab Prerequisites

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start devices R1, R2 and R3.
  • Establish a console session with devices R1, R2 and R3, then load the initial configurations provided below by copying the config from the textbox and pasting it into the respective router's console.

!###################################################
!# Free CCNA Workbook Lab 11-2 R1 Initial Config #
!###################################################
!
enable
configure terminal
!
hostname R1
no ip domain-lookup
!
interface Serial0/0
description ### PHYSICAL FRAME RELAY INTERFACE ###
no ip address
encapsulation frame-relay
serial restart-delay 0
no frame-relay inverse-arp
exit
!
interface Serial0/0.122 point-to-point
description ### FRAME RELAY LINK TO R2 ###
ip address 10.112.12.1 255.255.255.252
frame-relay interface-dlci 122
exit
!
interface Serial0/0
no shut
exit
!
router eigrp 10
no auto-summary
network 10.112.12.1 0.0.0.0
exit
!
line con 0
logging sync
no exec-timeout
!
end

!###################################################
!# Free CCNA Workbook Lab 11-2 R2 Initial Config #
!###################################################
!
enable
configure terminal
!
hostname R2
no ip domain-lookup
!
interface Serial0/0
description ### PHYSICAL FRAME RELAY INTERFACE ###
encapsulation frame-relay
no frame-relay inverse-arp
exit
!
interface Serial0/0.221 point-to-point
description ### FRAME RELAY LINK TO R1 ###
ip address 10.112.12.2 255.255.255.252
frame-relay interface-dlci 221
exit
!
interface Serial0/0.223 point-to-point
description ### FRAME RELAY LINK TO R3 ###
ip address 171.18.24.1 255.255.255.224
frame-relay interface-dlci 223
exit
!
interface Serial0/0
no shut
exit
!
router eigrp 10
no auto-summary
network 10.112.12.2 0.0.0.0
network 171.18.24.1 0.0.0.0
redistribute static
passive-interface Serial0/0.223
exit
!
ip route 0.0.0.0 0.0.0.0 171.18.24.2
!
line con 0
logging sync
no exec-timeout
!
end

!###################################################
!# Free CCNA Workbook Lab 11-2 R3 Initial Config #
!###################################################
!
enable
configure terminal
!
hostname R3
no ip domain-lookup
!
interface Loopback0
description ### SIMULATED INTERNET HOST ###
ip address 4.2.2.2 255.255.255.255
!
interface Serial0/0
description ### PHYSICAL FRAME RELAY INTERFACE ###
encapsulation frame-relay
no frame-relay inverse-arp
exit
!
interface Serial0/0.322 point-to-point
description ### FRAME RELAY LINK TO R2 ###
ip address 171.18.24.2 255.255.255.224
frame-relay interface-dlci 322
exit
!
interface Serial0/0
no shut
exit
!
line con 0
logging sync
no exec-timeout
!
end

Lab Objectives

  • Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.
  • Configure the respective NAT interface types, then create a NAT pool on R2 starting with the IP address 171.18.24.5 and ending with the IP address 171.18.24.25 using the prefix mask of /27.
  • Create a named extended access-list on R2 matching the simulated host on R1 using only a single line in the ACL.
  • Configure a NAT Pool translation on R2 using the newly created named ACL and NAT Pool.
  • Verify that R1's simulated hosts have IP connectivity to the simulated internet host (4.2.2.2) on R3 via NAT.
  • Verify on R2 that the inside host(s) are being assigned pool addresses.

Lab Instruction

Objective 1. – Create 4 new loopback interfaces on R1 using the 10.55.0.0/22 allocation and advertise them into EIGRP AS 10.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loopback0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.55.0.1 255.255.255.0
R1(config-if)#interface loopback1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip add 10.55.1.1 255.255.255.0
R1(config-if)#interface loopback2
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R1(config-if)#ip add 10.55.2.1 255.255.255.0
R1(config-if)#interface loopback3
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R1(config-if)#ip add 10.55.3.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 10
R1(config-router)#network 10.55.0.0 0.0.3.255
R1(config-router)#end
R1#


Objective 2. – Configure the respective NAT interface types, then create a NAT pool on R2 starting with the IP address 171.18.24.5 and ending with the IP address 171.18.24.25 using the prefix mask of /27.

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface Serial0/0.221
R2(config-subif)#ip nat inside
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-subif)#interface Serial0/0.223
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#ip nat pool natpool1 171.18.24.5 171.18.24.25 prefix-length 27
R2(config)#

Objective 3. – Create a named extended access-list on R2 matching the simulated host on R1 using only a single line in the ACL.

R2(config)#ip access-list extended NATPOOL_ACL
R2(config-ext-nacl)#10 permit ip 10.55.0.0 0.0.3.255 any
R2(config-ext-nacl)#exit
R2(config)#

Objective 4. – Configure a NAT Pool translation on R2 using the newly created named ACL and NAT Pool.

R2(config)#ip nat inside source list NATPOOL_ACL pool natpool1
R2(config)#end
R2#

Objective 5. – Verify that R1's simulated hosts have IP connectivity to the simulated internet host (4.2.2.2) on R3 via NAT.

R1#ping 4.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/104/196 ms
R1#ping 4.2.2.2 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/108/184 ms
R1#ping 4.2.2.2 source lo2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/136/252 ms
R1#ping 4.2.2.2 source lo3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.55.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/83/224 ms
R1#

Objective 6. – Verify on R2 that the inside host(s) are being assigned pool addresses.

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 171.18.24.5:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
--- 171.18.24.5        10.55.0.1          ---                ---
icmp 171.18.24.6:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
--- 171.18.24.6        10.55.1.1          ---                ---
icmp 171.18.24.7:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
--- 171.18.24.7        10.55.2.1          ---                ---
icmp 171.18.24.8:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
--- 171.18.24.8        10.55.3.1          ---                ---
R2#

As shown in Objectives 5 and 6, the simulated host IP addresses on R1 have IP connectivity to the simulated server on R3 via NAT pool translation.

Objective 6 shows that 10.55.0.1 has been assigned the IP address 171.18.24.5 from the NAT pool, 10.55.1.1 has been assigned 171.18.24.6, and so on. The rows with no protocol column are the per-host bindings; the icmp rows above each of them are the individual flows that created those bindings.
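On a lab with four hosts the translation table can be checked by eye; on a production router it is worth scripting the check, both to confirm every inside global actually comes from the configured pool and to spot two inside locals sharing one inside global, which a dynamic pool without overload should never produce. The script below is an added example, not part of the Free CCNA Workbook lab; it parses the text of show ip nat translations exactly as shown in Objective 6 (embedded here as a constructed sample) and reports any row that breaks those two rules. A second constructed sample with two deliberately bad rows shows what a finding looks like. Function names are this example's own.

```python
"""Parse 'show ip nat translations' output and audit the pool assignments.

Added example, not lab code. LAB_OUTPUT is the Objective 6 output of this
lab, embedded as a constructed sample; BAD_OUTPUT appends two rows that a
correctly configured dynamic pool would never produce.
"""
import ipaddress

LAB_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 171.18.24.5:2     10.55.0.1:2        4.2.2.2:2          4.2.2.2:2
--- 171.18.24.5        10.55.0.1          ---                ---
icmp 171.18.24.6:3     10.55.1.1:3        4.2.2.2:3          4.2.2.2:3
--- 171.18.24.6        10.55.1.1          ---                ---
icmp 171.18.24.7:4     10.55.2.1:4        4.2.2.2:4          4.2.2.2:4
--- 171.18.24.7        10.55.2.1          ---                ---
icmp 171.18.24.8:5     10.55.3.1:5        4.2.2.2:5          4.2.2.2:5
--- 171.18.24.8        10.55.3.1          ---                ---
"""

# Constructed: one global outside the pool, one global shared by two locals.
BAD_OUTPUT = LAB_OUTPUT + (
    "--- 171.18.24.30       10.55.3.2          ---                ---\n"
    "--- 171.18.24.5        10.55.0.9          ---                ---\n"
)


def strip_port(field: str) -> str:
    """'171.18.24.5:2' -> '171.18.24.5'; plain addresses pass through."""
    return field.split(":")[0]


def parse_translations(text: str) -> dict:
    """Return {inside_local: inside_global} from the protocol-less rows.

    The '---' rows are the host-level bindings; the icmp/tcp/udp rows are
    the per-flow entries that hang off them, so they are skipped here.
    """
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "---":
            continue
        inside_global, inside_local = strip_port(parts[1]), strip_port(parts[2])
        if inside_local in mapping and mapping[inside_local] != inside_global:
            raise ValueError(f"{inside_local} is bound to two inside globals")
        mapping[inside_local] = inside_global
    return mapping


def check_pool_assignments(mapping: dict, pool_start: str, pool_end: str) -> list:
    """List human-readable findings; an empty list means the table is clean."""
    first = int(ipaddress.IPv4Address(pool_start))
    last = int(ipaddress.IPv4Address(pool_end))
    findings = []
    owner = {}  # inside global -> first inside local seen using it
    for inside_local, inside_global in sorted(mapping.items()):
        value = int(ipaddress.IPv4Address(inside_global))
        if not first <= value <= last:
            findings.append(f"{inside_local} -> {inside_global}: inside global outside pool")
        if inside_global in owner:
            findings.append(f"{inside_global} shared by {owner[inside_global]} and {inside_local}")
        owner.setdefault(inside_global, inside_local)
    return findings


if __name__ == "__main__":
    for label, text in (("lab output", LAB_OUTPUT), ("bad output", BAD_OUTPUT)):
        found = check_pool_assignments(parse_translations(text), "171.18.24.5", "171.18.24.25")
        print(label, "->", found or "no findings")
```

Feeding the Objective 6 output through it returns no findings, which is the expected result for this lab; on a real router the same script can be run against the output of show ip nat translations collected over a console or SSH session, with the pool range taken from the running configuration.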


About the Author

I'm Aevon...Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
