Configure and verify NAT for given network requirements
Exam: Cisco 600-502 - Developing with Cisco Network Programmability (NPDEV)
The “Configure and verify NAT for given network requirements” is a topic under the section IP services. In this chapter we will discuss in details what exactly this section is all about and how you can go on with preparing this from the CCNA exam point of view. NAT is nothing but network address translation. You will come across this term a lot as you work as a network administrator. IP address translation process is called the NAT. NAT can also be called the source NAT (SNAT) at times. The ACE is placed between the server and the client. This ACE tracks all the SNAT mappings. This mapping ensures that the packets from the server are routed back again to the client. We will discuss in details how the NAT can be verified and configured. The ACE will also allow a person to configure a virtual IP address in a pool of dynamic NAT.
There are different types of NAT and they are listed below:
- Static NAT
- Static PAT
- Dynamic PAT
- Bypassing the NAT when the NAT control is enabled
Some advantages of NAT are as follows:
- This will help private addresses to be used inside networks.
- The private addresses cannot be routed on the internet.
- The NAT ensures that the local addresses are hidden from the other networks. This will ensure that the hackers can never get to the real address easily.
- The NAT will allow solving the IP routing problems and also preventing overlapping of the addresses.
A dynamic NAT is also used as SNAT. This can translate some local source addresses into a pool of global source address. The dynamic NAT has the following disadvantage. If the traffic is more than expected then you may run out of addresses.
A static NAT is generally used in destination NAT (DNAT). This can translate a local address to a fixed global address. They use dynamic NAT and PAT. Each host must use different address or port after the translation has timed out. Global address is same for a connection that has a static NAT. Some of the differences between static NAT and dynamic NAT are as follows:
- Static NAT will need an equal number of local and global IP addresses. When a dynamic NAT is used one can have a pool of more local addresses than global addresses.
- The static NAT can use one to one correspondence only between the fixed global IP address and local IP address. The dynamic NAT will assign a global IP address from a number of global addresses.
The same real or mapped address cannot be used in a multiple static command unless the static PAT is used. If the static command is used the existing connections that use this translation will not be affected. To remove these connections the command used is clear local-host command. The static translation cannot be removed from the translation table. Only the dynamic translations that are created by the NAT and global commands can be removed by using the clear xlate command.
PAT can translate a number of multiple real addresses to a single mapped IP address. Dynamic PAT and Dynamic NAT can be configured in similar manner. For the dynamic NAT configuration you need to specify the range of mapped address. For a dynamic PAT you must mention only a single address that’s all. Only the translated hosts have the ability to create a NAT session. Only the responding traffic is allowed back. The mapped address is generally dynamically assigned in a pool that is defined by a global command.
The NAT control is required for the packets to travel from interface that is inside to the interface that is outside. The command hostname (config)#nat control will help to enable the NAT control. To disable then NAT control the NO form of the command must be entered. For the dynamic NAT and PAT implementation one needs to configure the NAT command. This will identify the real addresses on a given interface that one wants to translate. After this you can use separate global command can be used to specify the mapped addresses on the interface. The NAT ID will help you to match the global command with the NAT command. NAT ID is nothing but a number that is assigned to each of the command. The same NAT ID can be used to enter multiple NAT commands.
For an inside interface one can have two different NAT commands for two different NAT IDs. To configure the NAT and the PAT together the command used is hostname (config) # nat (inside). Outside NAT means traffic flow from outside to inside. To get this the outside keyword must be used in NAT command. If you want to specify a group IP address in a NAT command you will have to perform NAT on that group of addresses that will access lower or same security level in the interface.
When the NAT configuration is changed then you will have to wait for the existing translations to time out. This must be done before the new NAT information is used. Clearing the translation table will disconnect the current connections and use the translations only. For configuring the dynamic PAT and NAT the following steps must be taken:
- You must try to get the overlapping NAT as the first step. You can find these in the other NAT commands. You must set the policy NAT.
- In the second step try to identify and map the addresses into which you want to translate the real address. This can be done when these addresses exit the interface. You must match the NAT command to the NAT ID.
We hope that this chapter on “Configure and verify NAT for given network requirements” will help you understand the concept better and be better prepared for the exam. This is a critical section so try to spend more time on this.
Related IT Guides
- Configure and verify DHCP (IOS Router)
- Configure and verify network device security features
- Configure and verify switch port security
- Describe SNMP v2 and v3
- Describe the purpose and basic operation of the protocols in the OSI and TCP/IP models
- Identify enhanced switching technologies
- Troubleshoot and correct common problems associated with IP addressing and host configurations
- Troubleshoot and resolve Layer 1 problems
- Troubleshoot and resolve OSPF problems
- Troubleshoot and resolve VLAN problem