Good Evening,
Tonight I am updating my blog from behind a virtual NAT’ing router. I currently have a Microsoft loopback adapter mapped to the inside (f0/0) interface of a Dynamips router (7200), and the outside router interface (f1/0) is mapped to my ‘Local Area Connection’. I have been configuring and testing NAT for various scenarios, and as I type this I’m going through a pretty simple PAT with a route-map.
Here are the URLs I have been using as guides for various NAT scenarios:
NAT Support for Multiple Pools Using Route Maps
NAT – Ability to Use Route Maps with Static Translations
Configuring Static and Dynamic NAT simultaneously
Using NAT in Overlapping Networks
And here is another useful URL:
NAT Order of Operation
Regarding the ‘NAT Support for Multiple Pools Using Route Maps’ hyperlink, here is an example of how it can be used; this configuration splits outbound TCP and UDP traffic to different global addresses:

    ip nat pool insideglobal1 ‘first IP address’ ‘last IP address’ prefix-length ‘no.’
    ip nat pool insideglobal2 ‘first IP address’ ‘last IP address’ prefix-length ‘no.’
    !
    access-list 101 permit tcp ‘inside network’ ‘inside network mask’ any
    access-list 102 permit udp ‘inside network’ ‘inside network mask’ any
    !
    route-map outtcp permit 10
     match ip address 101
    route-map outudp permit 10
     match ip address 102
    !
    ip nat inside source route-map outtcp pool insideglobal1
    ip nat inside source route-map outudp pool insideglobal2
Don’t ask me why you would ever do this, but I found it quite interesting. Don’t forget ip nat inside and ip nat outside.
The main reason route-maps are used with NAT is that they create an ‘extended’ translation entry and allow ‘set’ commands to be used (useful for multi-homing).
I can’t imagine NAT will come up too much on the exam (RSCG2 doesn’t mention much about it), and it’s one of those technologies I never have to ‘look up’, but I also didn’t want to miss anything, which is why I had a good look around. I have also found the ‘IP Addressing’ chapter quite tedious, so NAT added a bit of interest to it. Another item that caught my interest is a post by Brian McGahan on the Internetwork Experts blog detailing how to work out the most specific wildcard mask that matches any two IP addresses (to be used in an ACL). Here is an example:
    IP address 1 in decimal = 1.2.3.4
    IP address 1 in binary  = 00000001.00000010.00000011.00000100
    IP address 2 in decimal = 4.3.2.1
    IP address 2 in binary  = 00000100.00000011.00000010.00000001

Firstly, we need to find the ‘IP address to match’; we do this by doing a ‘Boolean AND’ on the two binary strings:

    00000001.00000010.00000011.00000100
    00000100.00000011.00000010.00000001  AND
    -----------------------------------
    00000000.00000010.00000010.00000000  = 0.2.2.0

We now need to find the wildcard mask to apply to the IP address above (0.2.2.0); we do this by doing a ‘Boolean XOR’ on the two binary strings:

So, if we need to reference that in an ACL it would be something like:
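As an added example (my own code, not from the original post or from Brian McGahan’s), here is the AND/XOR calculation in Python, generalised to any number of addresses, plus a check of how many hosts the resulting ACL entry actually admits; the function names are my own.

```python
from functools import reduce
from ipaddress import IPv4Address


def dotted_binary(addr: str) -> str:
    """Render an IPv4 address as four dotted 8-bit groups, as in the post."""
    return ".".join(f"{octet:08b}" for octet in IPv4Address(addr).packed)


def acl_match(*addrs: str) -> tuple[str, str]:
    """Return (match address, wildcard mask) covering every address given.

    Match address: bitwise AND of all addresses (bits they agree on,
    with every differing bit forced to 0).
    Wildcard mask: a 1 bit wherever any address differs from the first,
    which for exactly two addresses is simply their XOR.
    """
    ints = [int(IPv4Address(a)) for a in addrs]
    match = reduce(lambda x, y: x & y, ints)
    wildcard = reduce(lambda x, y: x | y, (v ^ ints[0] for v in ints), 0)
    return str(IPv4Address(match)), str(IPv4Address(wildcard))


def acl_permits(entry_addr: str, wildcard: str, host: str) -> bool:
    """Cisco ACL test: every bit under a 0 wildcard bit must equal the entry."""
    e, w, h = (int(IPv4Address(x)) for x in (entry_addr, wildcard, host))
    return ((e ^ h) & ~w & 0xFFFFFFFF) == 0


def hosts_covered(wildcard: str) -> int:
    """Number of addresses a single entry with this wildcard admits (2^ones)."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")


def ace(*addrs: str, proto: str = "ip") -> str:
    """Build the permit line for the post's 'something like' step."""
    match, wildcard = acl_match(*addrs)
    return f"permit {proto} {match} {wildcard} any"


if __name__ == "__main__":
    a, b = "1.2.3.4", "4.3.2.1"  # the two addresses from the worked example
    print(dotted_binary(a), dotted_binary(b))
    match, wildcard = acl_match(a, b)
    print(ace(a, b))
    # The wildcard is the tightest one covering both hosts, but it still
    # admits 2^(number of 1 bits) addresses, not only these two.
    print(hosts_covered(wildcard), "hosts match this entry")
```

For two unrelated addresses such as these the tightest wildcard still opens the entry to 64 hosts, which is worth checking before using the trick in a permit line.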

