The purpose of this exercise is to learn how to configure NAT for a campus network. We will be setting up NAT on the border router so that the campus private IPv4 address space (172.2X.0.0/16) will be NATed so that devices using that private address space can reach the public Internet.
NOTE: Make sure you replace X with your Campus number.
Create a pool of addresses to use for NAT:
```
ip nat pool CAMPUSX 100.68.X.33 100.68.X.46 prefix-length 28
```
Create an access list that defines the addresses that should be translated:
```
ip access-list extended NATplus
 remark Do not NAT NREN address space
 deny ip 100.68.0.0 0.0.0.255 any
 remark Do not NAT our public address space
 deny ip 100.68.X.0 0.0.0.255 any
 remark NAT traffic which goes to the Internet
 permit ip 172.2X.0.0 0.0.255.255 any
 remark Do not NAT anything else - and log anything that gets this far
 deny ip any any log
```
Link the access list and the address pool together:
```
ip nat inside source list NATplus pool CAMPUSX overload
```
The command you have just entered tells the router to take packets arriving on the inside interface whose source address is permitted by the NATplus list, and translate that source address into an address from the CAMPUSX pool. The entries in the list are checked in order and the first match wins, so the two deny lines protect the NREN and campus public address space from being translated, and the final deny with log records anything that is neither public nor campus private space. The overload keyword ensures that the router can map many internal addresses to the small range of external public addresses (port address translation). Without overload, the router NAT will simply map one internal address to one external address - and with only 14 addresses in the CAMPUSX pool, that would mean only 14 internal addresses would be NATed before the pool is exhausted.
Now add the address translation to the network interfaces (the interface names depend on the routers used):
```
interface FastEthernet0/0
 description Link to NREN
 ip nat outside
!
interface FastEthernet0/1
 description Link to Core Router
 ip nat inside
!
```
Log into one of your switches. These have addresses in the 172.2X.0.0/16 range.
Can you ping your border router?
Now try to ping one of the NREN Transit routers on 10.10.0.235 or 10.10.0.236 - does it work?
Can you ping 10.10.0.254? This is the default gateway in the workshop network.
The Transit routers don't know anything about your 172.2X.0.0/16, so if Network Address Translation is working then the original source IP address of the packet has been translated into an address in the range 100.68.X.33 - 100.68.X.46.
You can use the command
```
show ip nat translations
```
on your border router to see what's happening.
Can you ping hosts on the wider Internet from one of your switches? For example, can you ping 8.8.8.8?
If the ping works, try a traceroute to 8.8.8.8. What do you see?
If you have completed the above and demonstrated that it is all working, and you have some spare time, try this configuration.
Rather than having one NAT pool for the entire campus, NAT the private IPv4 address space used for each class of user into its own pool. So for example, NAT the MGMT address space into one public address, the STAFF1 address space into another public pool, and the STUDENT1 address space into a third public pool, etc.
Ask the instructors if you need any help - use the example above to guide you for this scenario.
Hint 1 - use this table for your NAT mapping:
| VLAN | Internal Address Block | External Address |
|---|---|---|
| MGMT1, MGMT2 | 172.2X.10.0/24 & 172.2X.20.0/24 | 100.68.X.32 |
| STAFF1 | 172.2X.11.0/24 | 100.68.X.33-35 |
| STUDENT1 | 172.2X.12.0/24 | 100.68.X.36-38 |
| STAFF2 | 172.2X.21.0/24 | 100.68.X.39-41 |
| STUDENT2 | 172.2X.22.0/24 | 100.68.X.42-44 |
Hint 2 - set up a pool for each VLAN and set up a mapping for each pool
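The following Python script is an added example (not part of the workshop material) that models how the router evaluates the NATplus list and the per-VLAN mapping in Hint 1. It assumes campus number X = 5 and Cisco first-match ACL semantics; use it to check which source addresses would be translated, and into which pool, before you type the configuration in.

```python
import ipaddress

# Assumed campus number for this worked example; the lab uses X for yours.
X = 5

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# The NATplus access list from the lab, as (action, base, wildcard, log), in order.
NATPLUS = [
    ("deny",   "100.68.0.0",    "0.0.0.255",       False),  # NREN address space
    ("deny",   f"100.68.{X}.0", "0.0.0.255",       False),  # our public address space
    ("permit", f"172.2{X}.0.0", "0.0.255.255",     False),  # campus private space
    ("deny",   "0.0.0.0",       "255.255.255.255", True),   # anything else, logged
]

def evaluate(src: str):
    """Return (action, log) of the first matching entry; IOS stops at first match."""
    for action, base, wc, log in NATPLUS:
        if matches(src, base, wc):
            return action, log
    return "deny", False  # implicit deny at the end of every IOS access list

def pool_size(first: str, last: str) -> int:
    """Number of usable translation addresses in an ip nat pool range."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1

# Hint 1 table for the per-VLAN exercise: (name, internal blocks, (pool first, pool last)).
VLAN_POOLS = [
    ("MGMT",     [f"172.2{X}.10.0/24", f"172.2{X}.20.0/24"], (f"100.68.{X}.32", f"100.68.{X}.32")),
    ("STAFF1",   [f"172.2{X}.11.0/24"], (f"100.68.{X}.33", f"100.68.{X}.35")),
    ("STUDENT1", [f"172.2{X}.12.0/24"], (f"100.68.{X}.36", f"100.68.{X}.38")),
    ("STAFF2",   [f"172.2{X}.21.0/24"], (f"100.68.{X}.39", f"100.68.{X}.41")),
    ("STUDENT2", [f"172.2{X}.22.0/24"], (f"100.68.{X}.42", f"100.68.{X}.44")),
]

def select_pool(src: str):
    """Which per-VLAN pool a source address would be translated into, or None."""
    ip = ipaddress.IPv4Address(src)
    for name, nets, pool in VLAN_POOLS:
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name, pool
    return None
```

A source that returns None from select_pool falls through every per-VLAN list, which is exactly the case the final logged deny in NATplus is there to catch.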
Once you have made it work, show the workshop instructors.