Posted by: Richard @ Configureterminal.com | January 17, 2008

Day 4 of Week 2

Good Evening,

Tonight I am updating my blog from behind a virtual NAT’ing router. I currently have a Microsoft loopback adapter mapped to the inside (f0/0) interface of a Dynamips router (7200), and the outside router interface (f1/0) is mapped to my ‘Local Area Connection’. I have been configuring and testing NAT for various scenarios, and as I type this I’m going through a pretty simple PAT with a route-map.

Here are the URLs I have been using as guides for various NAT scenarios:

NAT Support for Multiple Pools Using Route Maps
NAT – Ability to Use Route Maps with Static Translations
Configuring Static and Dynamic NAT simultaneously
Using NAT in Overlapping Networks

And here is another useful URL:
NAT Order of Operation

Regarding the ‘NAT Support for Multiple Pools Using Route Maps’ hyperlink, here is an example of how it can be used. This configuration splits outbound TCP and UDP traffic onto different global addresses:

ip nat pool insideglobal1 ‘first IP address’ ‘last IP address’ prefix-length ‘no.’
ip nat pool insideglobal2 ‘first IP address’ ‘last IP address’ prefix-length ‘no.’
!
access-list 101 permit tcp ‘inside network’ ‘inside network mask’ any
access-list 102 permit udp ‘inside network’ ‘inside network mask’ any
!
route-map outtcp permit 10
match ip address 101
route-map outudp permit 10
match ip address 102
!
ip nat inside source route-map outtcp pool insideglobal1
ip nat inside source route-map outudp pool insideglobal2

Don’t ask me why you would ever do this, but I found it to be quite interesting. Don’t forget ip nat inside and ip nat outside on the interfaces.

The main reasons route-maps are used with NAT are that they create an ‘extended’ translation and that ‘set’ commands can be used (useful for multi-homing).

I can’t imagine NAT will come up too much on the exam (RSCG2 doesn’t mention much about it), and it’s one of those technologies that I never have to ‘look up’, but I also didn’t want to miss anything, which is why I had a good look around. I have also found the ‘IP Addressing’ chapter quite tedious, so NAT added a bit of interest to it. Another item that gained my interest is a post by Brian McGahan on the Internetwork Experts blog detailing how to work out the most specific wildcard mask that matches any two IP addresses (to be used in an ACL). Here is an example:

IP address 1 in decimal = 1.2.3.4
IP address 1 in binary  = 00000001.00000010.00000011.00000100
IP address 2 in decimal = 4.3.2.1
IP address 2 in binary  = 00000100.00000011.00000010.00000001

First, we need to find the ‘IP address to match’; we do this with a Boolean AND of the two binary strings:
    00000001.00000010.00000011.00000100
    00000100.00000011.00000010.00000001
AND 00000000.00000010.00000010.00000000 = 0.2.2.0

We now need to find the wildcard mask to apply to the address above (0.2.2.0); we do this with a Boolean XOR of the two binary strings:
    00000001.00000010.00000011.00000100
    00000100.00000011.00000010.00000001
XOR 00000101.00000001.00000001.00000101 = 5.1.1.5

So, if we need to reference that in a (numbered, standard) ACL it would be something like:
access-list 1 permit 0.2.2.0 5.1.1.5
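As an added example (my own code, not from the post or from Brian McGahan’s write-up), here is the AND/XOR calculation in Python, generalised to any number of addresses. It also evaluates the resulting entry the way an ACL does and counts how many hosts the entry really permits, because every combination of the wildcard’s 1 bits matches, not just the addresses you started from. Function names are my own.

```python
import ipaddress
from typing import Iterable, Tuple


def wildcard_for(addresses: Iterable[str]) -> Tuple[str, str]:
    """Return (match_address, wildcard_mask) covering every address given.

    match_address = bitwise AND of all addresses (bits they agree on, 0 where
    they differ); wildcard_mask = OR of (addr XOR first), i.e. a 1 bit wherever
    at least two addresses differ.  For exactly two addresses this is the
    AND / XOR pair worked through in the post.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    if not ints:
        raise ValueError("need at least one address")
    base = ints[0]
    match, wildcard = base, 0
    for a in ints[1:]:
        match &= a
        wildcard |= a ^ base
    return str(ipaddress.IPv4Address(match)), str(ipaddress.IPv4Address(wildcard))


def acl_matches(addr: str, match_addr: str, wildcard: str) -> bool:
    """Evaluate one ACL entry the way IOS does: bits set in the wildcard are
    ignored, every other bit must equal the match address."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(match_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (m & ~w)


def addresses_matched(wildcard: str) -> int:
    """Number of distinct hosts an entry with this wildcard permits:
    2 ** (number of 1 bits), since each wildcard bit is 'don't care'."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def acl_line(number: int, addresses: Iterable[str]) -> str:
    """Render a numbered standard ACL entry for the given addresses."""
    m, w = wildcard_for(addresses)
    return f"access-list {number} permit {m} {w}"


if __name__ == "__main__":
    hosts = ["1.2.3.4", "4.3.2.1"]            # the two addresses from the post
    m, w = wildcard_for(hosts)
    print(acl_line(1, hosts))                  # access-list 1 permit 0.2.2.0 5.1.1.5
    print(addresses_matched(w))                # 64, not 2
    print(acl_matches("5.3.3.5", m, w))        # True: an unrelated host also passes
```

The 64 tells you the size of the hole such an entry opens: when the two hosts differ in many bits, separate host entries (wildcard 0.0.0.0) are the tighter choice.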
