
What are the benefits of using NAT?

- NAT protects network security because private networks are not advertised.
- NAT eliminates the need to re-address all hosts that require external access.

Which two statements about static NAT translations are true?

- They are always present in the NAT table.
- They allow connections from the outside.

NAT addresses can be divided into two categories: inside network and outside network, which are defined based on the NAT functions. The device that has NAT functions connects the inside and the outside network like a bridge. The NIC connected to the inside network is called "inside", and the NIC connected to the outside network is called "outside". That is to say, the inside addresses are used by the inside network devices, while the outside addresses are used by the outside network devices.

Addresses can also be divided into local and global addresses. Local address refers to the address that can be seen and used by the inside network devices, while global address refers to the address that can be seen and used by the outside network devices.

These four addresses are:

* Inside local address is the IP address used by the inside network devices, which is often a private address.
* Inside global address is a public address provided by the ISP. It is often used when the inside network devices communicate with the outside network devices.
* Outside local address is the address used by the outside network device as it appears to the inside network device. It is not necessarily a public network address.
* Outside global address is the real address used by the outside network devices.

IP packets sent from the inside network devices regard the "inside local address" as the source address and the "outside local address" as the destination address. When the packets reach the "inside" interface of the NAT equipment, the addresses are translated into the "inside global address" and the "outside global address", and the packets leave from the "outside" interface. In the same way, IP packets sent from the outside network devices regard the "outside global address" as the source address and the "inside global address" as the destination address. When the packets reach the "outside" interface of the NAT equipment, the addresses are translated into the "outside local address" and the "inside local address", and the packets leave from the "inside" interface.

You need to configure NAT on a TestKing router that is connected to the Internet. To do so, you must determine what the Inside Global IP addresses will be. What does the "Inside Global" address represent in the configuration of NAT?

- A registered address that represents an inside host to an outside network

Explanation: With NAT, Cisco defines 4 different types of addresses as follows:

* Inside local address: The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer's OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
* Inside global address: A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address: The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
* Outside global address: The IP address assigned to a host on the outside network by the host's owner. The address is allocated from a globally routable address or network space.

The above definitions still leave a lot to be interpreted. For this example, this document redefines these terms by first defining "local address" and "global address." Keep in mind that the terms "inside" and "outside" are NAT definitions. Interfaces on a NAT router are defined as "inside" or "outside" with the NAT configuration commands, ip nat inside and ip nat outside. Networks to which these interfaces connect can then be thought of as "inside" networks or "outside" networks, respectively.

* Local address: A local address is any address that appears on the "inside" portion of the network.
* Global address: A global address is any address that appears on the "outside" portion of the network.

The router has been configured with these commands:

    hostname Gateway
    interface FastEthernet 0/0
     ip address 198.133.219.14 255.255.255.248
     no shutdown
    interface FastEthernet 0/1
     ip address 192.168.10.254 255.255.255.0
     no shutdown
    interface Serial 0/0
     ip address 4.100.0.2 255.255.255.252
     no shutdown
    ip route 0.0.0.0 0.0.0.0 4.100.0.1

What are the two results of this configuration? (Choose two.)

- The addressing scheme allows users on the Internet to access the WWW server.
- Hosts on the LAN that is connected to FastEthernet 0/1 will not be able to access the Internet without address translation.

Which one of the following varieties of NAT utilizes different ports to map multiple IP addresses to a single globally registered IP address?

- NAT Overloading

Question

TestKing has 25 computers and decides to connect the network to the Internet. TestKing would like for all of the computers to have access to the Internet at the same time, but TestKing only has four usable publicly routable IP addresses. What should be configured on the router so that all computers can connect to the Internet simultaneously?

- Dynamic NAT with overload

Explanation: NAT overload, also called many to one NAT or Port Address Translation (PAT), allows for many IP hosts to share a single IP address when connecting to the outside. In this case, the use of dynamic NAT with overloading will allow for the 25 hosts to use an IP address from the NAT pool, which will contain the 4 public IP addresses.

The network at the Testking has just been configured for NAT as shown. Initial tests indicate that everything is functioning as intended. However, it is found that a number of hosts cannot access the Internet. What is the problem?

- There are not enough IP addresses available in the NAT address pool.

Explanation: According to the configuration shown above, the NAT pool only specifies 5 IP addresses (192.0.2.161-165) while there are 16 hosts on the network that need to be translated. This explains why everything functions well for the first hosts, but not for the rest. To fix this issue, more IP addresses need to be specified in the NAT pool named SOS, or alternatively the "overload" keyword could be used to specify many to one address translation, or PAT.

Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT), which is also referred to as "overload", a subset of NAT functionality. PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port. If this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group: 0-511, 512-1023 or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.

Alternatively, we could have configured port address translation, or NAT overload, to provide Internet access to the given number of hosts.
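The port-selection rule described above can be modelled in a few lines. This is an added example, not code from the original page or from Cisco: the class and function names are hypothetical, the inside host addresses are constructed, and the model keys translations only on inside address and port (it ignores protocol and destination).

```python
# Added example: simplified model of the PAT port-selection rule in the text.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]

def port_group(port):
    """Return the (low, high) bounds of the port group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")

class PatTable:
    def __init__(self, pool):
        self.pool = list(pool)                        # inside global addresses
        self.used = {ip: set() for ip in self.pool}   # global IP -> ports in use
        self.xlate = {}   # (inside local IP, port) -> (inside global IP, port)

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.xlate:                 # existing translation is reused
            return self.xlate[key]
        low, high = port_group(inside_port)
        for global_ip in self.pool:
            used = self.used[global_ip]
            if inside_port not in used:
                chosen = inside_port          # preserve the original source port
            else:                             # first free port in the same group
                chosen = next((p for p in range(low, high + 1)
                               if p not in used), None)
            if chosen is not None:
                used.add(chosen)
                self.xlate[key] = (global_ip, chosen)
                return self.xlate[key]
            # group exhausted on this address: try the next pool address
        return None                           # no ports and no addresses left

def scenario():
    """The question above: a 5-address pool and 16 hosts.
    Returns (hosts left untranslated without overload, same with overload)."""
    pool = [f"192.0.2.{n}" for n in range(161, 166)]   # pool from the question
    hosts = [f"10.0.0.{n}" for n in range(1, 17)]      # constructed inside hosts
    free = list(pool)
    one_to_one = [free.pop(0) if free else None for _ in hosts]
    pat = PatTable(pool)
    overloaded = [pat.translate(h, 50000) for h in hosts]
    return one_to_one.count(None), overloaded.count(None)

if __name__ == "__main__":
    print(scenario())
```

Without overload each inside host consumes a whole pool address, so the sixth host onward gets nothing; with overload all 16 hosts share the first address on distinct ports.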

The ip subnet-zero configuration command is also in effect on router TK1. After this router performs network address translation, which address is a valid "inside global address"?

- 199.99.9.47

Explanation: Using NAT we can translate the Source or Destination Address. In our example all source addresses from the 10.1.0.0 0.0.0.255 network will be translated to an IP address from the 199.99.9.40-62 pool.

Study the exhibit carefully. You are required to perform configurations to enable internet access. The TestKing ISP has given you six public IP addresses in the 198.18.227.25 198.18.227.30 range. TestKing.com has 30 clients that need to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.107.33 - 192.168.107.62 range. You need to configure Router TestKing1 using the TestKingA console. You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively.

    TestKing1>enable
    TestKing1#config t
    ! 192.168.107.32 0.0.0.31 matches .32-.63, which covers every host from .33 to .62
    TestKing1(config)#access-list 1 permit 192.168.107.32 0.0.0.31
    TestKing1(config)#access-list 1 deny any
    TestKing1(config)#interface fa0/0
    TestKing1(config-if)#ip nat inside
    TestKing1(config-if)#exit
    TestKing1(config)#interface s0/0
    TestKing1(config-if)#ip nat outside
    TestKing1(config-if)#exit
    TestKing1(config)#ip nat pool test.nat 198.18.227.25 198.18.227.30 prefix-length 24
    TestKing1(config)#ip nat inside source list 1 pool test.nat overload

Verify using:

    TestKing1#show ip nat translations

You are required to perform configurations to enable internet access. The TestKing ISP has given you six public IP addresses in the 198.18.184.105 198.18.184.110/29 range. TestKing.com has 14 clients that need to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.100.17 - 192.168.100.30/28 range. You need to configure Router TestKing1 using the TestKingA console. You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively.

    interface FastEthernet0/0
     no ip address
     no ip directed-broadcast
     ip nat inside
    !
    interface Serial0/0
     no ip directed-broadcast
     ip nat outside
    !
    ip nat pool nat.test 198.18.184.105 198.18.184.110 netmask 255.255.255.248
    ip nat inside source list 1 pool nat.test overload
    ip classless
    no ip http server
    !
    !
    access-list 1 permit 192.168.100.16 0.0.0.15

Refer to the exhibit. Addresses within the range 10.10.10.0/24 are not being translated to the 1.1.128.0/16 range. Which command shows if 10.10.10.0/24 are allowed inside addresses?

- Show access-list

The administrator of the TestKing network needs to ensure that a web server in their network is accessible from the Internet. Since the network uses private addressing, this requires an IP-to-registered-address mapping. The following command is entered on the router:

    TestKing1(config)# ip nat inside source static 192.168.2.1 198.18.1.254

After unsuccessful results from a ping to the Internet, the administrator issues the show ip nat translations command and the output is blank. What could be the problem with the NAT configuration for this mapping?

The interfaces need to be configured for NAT.

What two statements are true of the planned configuration for interface fa0/1? (Choose two.)

- Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.
- Address translation on fa0/1 is not required for DMZ Devices to access the Internet.

Explanation: The Fa0/1 address is already a routable IP address, so it does not need to be translated to reach the Internet.

You work as a network administrator at TestKing.com. You study the exhibits carefully. TestKing4 can ping TestKing5 (172.16.6.5), but not TestKing7 (172.16.11.7). There are no routing protocols running in any of the routers. TestKing4 has TestKing6 as its default gateway. What can be done to address this problem?

- Add a static route in TestKing7 back to TestKing4.

Explanation: In this example NAT is translating the 10.10.10.4 (TestKing4 router IP) statically to 172.16.6.14. However, we can see that TestKing7 does not have any route to the 172.16.6.0/24 network, so there is no way for TestKing7 to return the ping traffic back to TestKing4. Configuring a static route to the 172.16.6.0 network will fix this problem. Note: The reason that pings to TestKing5 work is because it knows how to get back to the 172.16.6.0/24 network, since this network resides on its directly connected interface.

Refer to the exhibit. What does the (*) represent in the output?

- Packet was translated and fast switched to the destination.

Need explanation.

Refer to the exhibit. What command sequence will enable PAT from the inside to outside network?

    11(config) ip nat inside source list 1 interface ethernet1 overload

Refer to the exhibit. Which command would allow the translations to be created on the router?

    ip nat pool mynats 1.1.128.1 1.1.135.254 prefix-length 19

Explanation:

Refer to the exhibit. A junior network engineer has prepared the exhibited configuration file. What two statements are true of the planned configuration for interface fa0/1? (Choose two.)

Question:

You work as a network technician at 9tut.com. Study the exhibit carefully. You are required to perform configurations to enable Internet access. The Router ISP has given you six public IP addresses in the 198.18.32.65 198.18.32.70/29 range. 9tut.com has 62 clients that need to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.6.65 - 192.168.6.126/26 range. You need to configure Router1 using the PC1 console. You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively. Now you are required to finish the configuration of Router1.

Solution

The company has 62 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.32.65 to 198.18.32.70/29 => we have to use NAT overload (or PAT).

Double click on PC1 to access Router1's command line interface.

    Router1>enable
    Router1#configure terminal

Create a NAT pool of global addresses to be allocated with their netmask (notice that /29 = 248):

    Router1(config)#ip nat pool mypool 198.18.32.65 198.18.32.70 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated:

    Router1(config)#access-list 1 permit 192.168.6.64 0.0.0.63

Establish dynamic source translation, specifying the access list that was defined in the prior step:

    Router1(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.6.65 to 192.168.6.126, into an address from the pool named mypool (the pool contains addresses from 198.18.32.65 to 198.18.32.70).

The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements. This is how to configure the NAT inside and NAT outside, just for your understanding:

    Router1(config)#interface fa0/0
    Router1(config-if)#ip nat inside
    Router1(config-if)#exit
    Router1(config)#interface s0/0
    Router1(config-if)#ip nat outside

Before leaving Router1, you should save the configuration:

    Router1(config)#end (or Router1(config-if)#end)
    Router1#copy running-config startup-config

Check your configuration by going to PC2 and type:

    C:\>ping 192.0.2.114

The ping should work well and you will be replied from 192.0.2.114.

Question

A network associate is configuring a router for the CCNA Training company to provide internet access. The ISP has provided the company six public IP addresses of 198.18.184.105 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the CCNA Training company LAN have been assigned private space addresses in the range of 192.168.100.17 - 192.168.100.30. The task is to complete the NAT configuration using all IP addresses assigned by the ISP to provide Internet access for the hosts in the Weaver LAN. Functionality can be tested by clicking on the host provided for testing.

Configuration information

- router name - Weaver
- inside global addresses - 198.18.184.105 198.18.184.110/29
- inside local addresses - 192.168.100.17 - 192.168.100.30/28
- number of inside hosts - 14

The following have already been configured on the router:

- The basic router configuration
- The appropriate interfaces have been configured for NAT inside and NAT outside
- The appropriate static routes have also been configured (since the company will be a stub network, no routing protocol will be required.)
- All passwords have been temporarily set to "cisco"

The CCNA Training company has 14 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).

Double click on the Weaver router to open it.

    Router>enable
    Router#configure terminal

First you should change the router's name to Weaver:

    Router(config)#hostname Weaver

Create a NAT pool of global addresses to be allocated with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept the "prefix-length" keyword, so you should use the "netmask" keyword.

    Weaver(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated:

    Weaver(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Establish dynamic source translation, specifying the access list that was defined in the prior step:

    Weaver(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110).

The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements. This is how to configure the NAT inside and NAT outside, just for your understanding:

    Weaver(config)#interface fa0/0
    Weaver(config-if)#ip nat inside
    Weaver(config-if)#exit
    Weaver(config)#interface s0/0
    Weaver(config-if)#ip nat outside
    Weaver(config-if)#end

Finally, we should save all your work with the following command:

    Weaver#copy running-config startup-config

Check your configuration by going to "Host for testing" and type:

    C:\>ping 192.0.2.114

The ping should work well and you will be replied from 192.0.2.114.
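An added example (not from the original page) that audits the two simulation answers above: it expands each access-list wildcard into the addresses it actually matches, compares them with the stated inside host range, and checks the pool against its netmask. The function names are hypothetical, and the third case is a constructed misaligned wildcard included to show the failure mode.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(number):
    return str(ipaddress.IPv4Address(number))

def acl_matched(base, wildcard):
    """All addresses matched by 'access-list N permit <base> <wildcard>'.
    Wildcard bits set to 1 are ignored, so 2**popcount(wildcard) addresses
    match. Intended for small wildcards such as the ones on this page."""
    wild = to_int(wildcard)
    fixed = to_int(base) & ~wild & 0xFFFFFFFF
    matched, sub = [], wild
    while True:                       # walk every subset of the wildcard bits
        matched.append(fixed | sub)
        if sub == 0:
            break
        sub = (sub - 1) & wild
    return sorted(matched)

def audit(base, wildcard, first_host, last_host, pool_first, pool_last, netmask):
    hosts = set(range(to_int(first_host), to_int(last_host) + 1))
    matched = set(acl_matched(base, wildcard))
    net = ipaddress.IPv4Network(f"{pool_first}/{netmask}", strict=False)
    pool = range(to_int(pool_first), to_int(pool_last) + 1)
    edges = (int(net.network_address), int(net.broadcast_address))
    return {
        "hosts": len(hosts),
        # inside hosts the ACL fails to permit: these never get translated
        "missed": [to_str(a) for a in sorted(hosts - matched)],
        # addresses permitted beyond the stated range (wider than needed)
        "extra": [to_str(a) for a in sorted(matched - hosts)],
        "pool_size": len(pool),
        "pool_ok": all(ipaddress.IPv4Address(a) in net and a not in edges
                       for a in pool),
        "needs_overload": len(hosts) > len(pool),
    }

# Values taken from the two walkthroughs above.
ROUTER1 = audit("192.168.6.64", "0.0.0.63", "192.168.6.65", "192.168.6.126",
                "198.18.32.65", "198.18.32.70", "255.255.255.248")
WEAVER = audit("192.168.100.16", "0.0.0.15", "192.168.100.17", "192.168.100.30",
               "198.18.184.105", "198.18.184.110", "255.255.255.248")
# Constructed mistake: base not on a block boundary, wildcard not 2**n - 1.
MISALIGNED = audit("192.168.107.33", "0.0.0.30", "192.168.107.33",
                   "192.168.107.62", "198.18.227.25", "198.18.227.30",
                   "255.255.255.0")

if __name__ == "__main__":
    for name, result in (("Router1", ROUTER1), ("Weaver", WEAVER),
                         ("misaligned", MISALIGNED)):
        print(name, result)
```

Both walkthrough ACLs permit every inside host plus only the subnet's network and broadcast addresses, while the misaligned wildcard silently skips every even-numbered host.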

Refer to the exhibit. Addresses within the range 10.10.10.0/24 are not being translated to the 1.1.128.0/16 range. Which command shows if 10.10.10.0/24 are allowed inside addresses?

- show ip nat statistics

NAT has been used to convert all IP addresses on the internal network to the single address 128.107.1.1 as traffic is routed toward the Internet. Which of these statements accurately describes what will happen when IP traffic returns from the Internet destined for hosts on the internal network?

- P.)--B can use the directly connected interface on the 128.107.1.0 network to route return traffic to its originators

Refer to the exhibit. Router4 can ping Router5 (172.16.6.5), but not Router7 (172.16.11.7). There are no routing protocols running in any of the routers, and Router4 has Router6 as its default gateway. What can be done to address this problem?

- Add a static route in Router7 back to Router4.

In this example NAT is translating the 10.10.10.4 (Router4 IP) statically to 172.16.6.14. However, we can see that Router7 does not have any route to the 172.16.6.0/24 network, so there is no way for Router7 to return the ping traffic back to Router4. Configuring a static route to the 172.16.6.0 network will fix this problem. Note: The reason that pings to Router5 work is because it knows how to get back to the 172.16.6.0/24 network, since this network resides on its directly connected interface.