
Network Address Translation (NAT)

Network Address Translation allows you to use private or unregistered IP addresses on your
private network, and translate these addresses to public or registered addresses for connection to
the Internet.

NAT is an address translation function applied at the network layer (defined in RFC 3022). It is sometimes loosely called a routing protocol because it lets packets from a privately addressed network be routed globally on the Internet, but it exchanges no routing information; the router performing the translation still needs ordinary routes (typically a default route) towards the outside network.

Flavours of NAT

Static NAT (One to One)

An inside local address is mapped to a single inside global (public) address on a one-to-one basis. This is useful for hosts such as servers that must have a consistent address reachable from the Internet. Note that a static mapping also makes the inside host reachable from outside at all times, so it should be combined with an access list or firewall policy.
Figure: Static NAT

Dynamic NAT (Many to Many)

A private IP address is mapped to a public IP address taken from a pool of public registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between a private and a public IP address, but the mapping varies depending on which registered address in the pool is free when the first packet arrives; once the pool is exhausted, further inside hosts cannot be translated until an entry times out.

For example, a computer with an IP address of 192.168.32.10 will be translated to the first available address in the range 213.18.123.100 - 213.18.123.150.
Figure: Dynamic NAT

Overloading (Port Address Translation), aka NAT Overload (Many to One)

Port Address Translation is a form of dynamic NAT that maps multiple unregistered private IP addresses to a single public registered IP address by giving each session a different source port number on that address.

For example, each PC on the private network is translated to the same IP address 213.18.123.100, distinguished by port number (213.18.123.100:1080). Using PAT, thousands of users can connect to the Internet using only one real global IP address; the practical limit is the number of free source ports per transport protocol on that address.
Figure: Port Address Translation (Overloading)

This example uses only one public IP address, provided by the ISP and assigned to the outside interface.

Overlapping

This is when addresses in the inside network overlap with addresses in the outside network, i.e. the inside IP addresses are also registered to another network. The router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered, unique IP addresses.

In the example, the internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore the router translates the addresses to avoid a conflict with that network. It also translates the registered global IP addresses back to the unregistered local IP addresses when traffic is sent into the internal network.

Issues with NAT

Changing the contents of an IP address or TCP port field can change the meaning of other fields, especially the checksums. Many protocols and applications also carry the IP address, or information derived from the IP address, inside their data fields. Changing an IP address in the header can therefore change the meaning of the encapsulated data and break the application. This section examines the most common issues surrounding the operation of NAT.

Header Checksums

The checksum of an IP packet is calculated over the entire IP header. If the source or destination IP address (or both) changes, the header checksum must be recalculated. The same is true of the checksum in the TCP header: it is calculated over the TCP header and data, and also over a pseudo-header that includes the source and destination IP addresses. Therefore, if an IP address or a port number changes, the TCP checksum must also change (the UDP checksum uses the same pseudo-header and is affected in the same way). Cisco's NAT performs these checksum recalculations.
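The recalculation described above, as an added example (not code from the original page or from Cisco): a constructed IPv4/TCP packet is built, its source address and port are rewritten the way inside-source NAT (PAT) rewrites them, and both checksums are recomputed. A naive rewrite that only swaps the address is included to show that both checksums then fail verification. All addresses, ports and the payload are made up for the example.

```python
"""NAT source rewrite with IPv4 header and TCP checksum recalculation.

Added example; not code from the original page or from Cisco. The packet,
addresses and ports are constructed for illustration.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words,
    then complemented. Verifying data that already carries a correct
    checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """TCP pseudo-header: the IP addresses are part of the TCP checksum."""
    return struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP SYN packet with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_csum = checksum(pseudo_header(s, d, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes):
    """Return (ip_header_ok, tcp_ok); each is True when its checksum validates."""
    ip, tcp = packet[:20], packet[20:]
    ip_ok = checksum(ip) == 0
    tcp_ok = checksum(pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
    return ip_ok, tcp_ok


def naive_rewrite(packet: bytes, new_src: str) -> bytes:
    """What a broken translator would do: change the address, touch nothing else."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def nat_rewrite(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """Inside-source NAT/PAT rewrite: new source address and port, then both
    the IP header checksum and the TCP checksum are recomputed, because the
    TCP pseudo-header (and the port field) changed as well."""
    ip, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_sport)
    tcp[16:18] = b"\x00\x00"
    tcp_csum = checksum(pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), len(tcp)) + bytes(tcp))
    tcp[16:18] = struct.pack("!H", tcp_csum)
    return bytes(ip + tcp)


if __name__ == "__main__":
    pkt = build_packet("10.10.10.1", "171.16.68.1", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print("original   ", verify(pkt))                                    # (True, True)
    print("naive      ", verify(naive_rewrite(pkt, "171.16.68.5")))      # (False, False)
    print("recomputed ", verify(nat_rewrite(pkt, "171.16.68.5", 1024)))  # (True, True)
```

The same pseudo-header dependency is why ESP-protected transport-mode traffic cannot be repaired by a NAT in the path: the TCP checksum is inside the encrypted payload.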

Encryption

Cisco's NAT can change the IP address information carried within the data fields of many applications, as you will see shortly. If the data fields are encrypted, however, NAT has no way of reading or rewriting them. Therefore, for NAT to work with such an application, neither the embedded IP addresses nor any information derived from them (such as the TCP header checksum) can be encrypted or integrity-protected end to end.

Another concern is virtual private networks (VPNs) using, for example, IPsec. IPsec AH authenticates the IP header itself, so any change to an address makes the packet fail its integrity check and the VPN is broken; with ESP in transport mode the TCP/UDP checksum is inside the encrypted payload, so NAT can no longer fix it. When any sort of encryption is used, you must place the NAT on the secure (cleartext) side rather than in the encrypted path, or use NAT traversal (NAT-T), which encapsulates ESP in UDP so that the NAT only rewrites the outer headers.

NAT is typically placed on a border router.


NAT Names

A local address is any address that appears on the inside portion of the network, before translation. A global address is any address that appears on the outside portion of the network, after translation.

Inside Local: the address of an inside host before translation

The IP address assigned to a host on the inside network, likely to be a private address.

Outside Local: the address of an outside destination as seen on the inside

The IP address of an outside host as it is known to the hosts on the inside network.

Inside Global: the address of an inside host after translation

A public IP address, typically assigned by the ISP, that represents one or more inside local addresses to the outside world.

Outside Global: the address of an outside host on the outside network

The IP address of the outside host as assigned by its owner and as it appears on the outside network.

Depending on how NAT is configured, the local and global addresses for inside and outside may be the same or may differ, as the examples below show.

How NAT works

NAT maintains a table of the translations it has created (one entry per mapping, not per packet).
When a computer on the inside network attempts to connect to a website on the Internet, the source IP address in the packet's IP header is replaced with the NAT router's inside global address on the way out.

On the way back in, the destination IP address is changed (based on the records in the table) back to the specific internal private IP address so that the packet reaches the computer on the local network.

NAT is sometimes described as a basic firewall because an inbound packet that matches no translation entry is simply dropped. It is not a substitute for one: it performs no inspection, static mappings expose the mapped host to anything that can reach the inside global address, and filtering by address or port is the job of access lists or a firewall, not of the translation itself.

For a packet sent from the inside network, the source address (SA) is an inside local address and the destination address (DA) is an outside local address. When the same packet is forwarded onto the outside network, the SA is now the inside global address and the DA is the outside global address.
Define Inside Local and Inside Global Addresses

ip nat inside source static 10.10.10.1 171.16.68.5

!--- Inside host is known by the outside host as 171.16.68.5.

interface s0
ip nat inside

interface s1
ip nat outside
Figure: packets traversing the inside and outside network.

When the NAT router receives a packet on its inside interface with a source address of 10.10.10.1, the source address is translated to 171.16.68.5.

This also means that when the NAT router receives a packet on its outside interface with a destination address of 171.16.68.5, the destination address is translated to 10.10.10.1.

show ip nat translations shows the active NAT translations in the router.

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 171.16.68.5        10.10.10.1         ---                ---

When a packet moves from the inside network to the outside network (here an ICMP ping to 171.16.68.1), the output of show ip nat translations is

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 171.16.68.5       10.10.10.1         171.16.68.1        171.16.68.1

Because only inside source translation is configured, the inside addresses are the only addresses that are translated; therefore the inside local address differs from the inside global address, while the outside local and outside global addresses are the same.

Define Outside Local and Outside Global Addresses

ip nat outside source static 171.16.68.1 10.10.10.5

!--- Outside host is known to the inside host as 10.10.10.5

interface s0
ip nat inside

interface s1
ip nat outside

Figure: the packets as they appear on the inside network and on the outside network.

When the NAT router receives a packet on its outside interface S1 with a source address of 171.16.68.1, the SA is translated to 10.10.10.5.

This also means that if the NAT router receives a packet on its inside interface S0 with a DA of 10.10.10.5, the DA is translated to 171.16.68.1.

We can issue the show ip nat translations command in order to verify the NAT translations. With no traffic yet, the output of the show ip nat translations command is as shown here:

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1

When a packet moves from the outside network to the inside network, the output of the show ip nat translations command is

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1        10.10.10.1         10.10.10.5         171.16.68.1

In this example only the outside addresses are translated; therefore the outside local differs from the outside global address, while the inside local and inside global addresses are the same.

Define All Local and Global Addresses

interface s0
ip nat inside

interface s1
ip nat outside

ip nat inside source static 10.10.10.1 171.16.68.5
ip nat outside source static 171.16.68.1 10.10.10.5
Figure: the packets as they appear on the inside and on the outside network.

When the NAT router receives a packet on its inside interface with a SA of 10.10.10.1, the SA is translated to 171.16.68.5.

When the NAT router receives a packet on its outside interface with a SA of 171.16.68.1, the SA is translated to 10.10.10.5.

This also means that when the NAT router receives a packet on its outside interface with a DA of 171.16.68.5, the DA is translated to 10.10.10.1.

When the NAT router receives a packet on its inside interface with a DA of 10.10.10.5, the DA is translated to 171.16.68.1.

If an inside host is communicating with an outside device, the addresses are

Inside Global      Inside Local       Outside Local      Outside Global
171.16.68.5        10.10.10.1         10.10.10.5         171.16.68.1

When traffic has been initiated from both sides, the output of the show ip nat translations command is as shown here

Router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.10.10.5         171.16.68.1
icmp 10.10.10.1        10.10.10.1         10.10.10.5         171.16.68.1
icmp 171.16.68.5       10.10.10.1         171.16.68.1        171.16.68.1
--- 171.16.68.5        10.10.10.1         ---                ---

Here both the inside and outside addresses are translated; therefore the inside local differs from the inside global and the outside global differs from the outside local.

So, depending on how NAT is configured, the local and global addresses for inside and outside may vary.

Verifying NAT

show ip nat translations shows the active NAT translations in the router (IOS also accepts the abbreviated form show ip nat translation).
Router#show ip nat translations

debug ip nat shows, for each translated packet, the source and destination addresses and the translation applied.
Router#debug ip nat

You can use the debug ip nat command while you are pinging hosts on either side of the NAT router to verify NAT operation. Debug output is generated per packet and can overload a busy production router, so make sure you disable it once you are done (no debug ip nat, or undebug all).

clear ip nat translation

To clear NAT entries from the translation table
Router#clear ip nat translation

To clear all entries from the NAT table use the *
Router#clear ip nat translation *

Only dynamic entries are cleared; the command does not remove static entries.
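A parser for the show ip nat translations output quoted throughout this page, added here as an example (not code from the page or from Cisco): it reads the table into records and pulls out the two things a reviewer checks first, which inside hosts have a standing static mapping (reachable from outside at any time) and which hosts share one global address through PAT. The sample output is constructed in the same layout as the page's examples (extended entries carry :port suffixes); the function names are this example's own.

```python
"""Parse `show ip nat translations` output and summarise exposures.

Added example; the parser and the SAMPLE text are constructed for this
page, not captured from a real router.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same column layout as the outputs quoted on this page.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 171.16.68.5        10.10.10.1         ---                ---
icmp 171.16.68.5:512   10.10.10.1:512     171.16.68.1:512    171.16.68.1:512
tcp 179.2.2.80:1024    172.16.10.5:40000  198.51.100.7:80    198.51.100.7:80
tcp 179.2.2.80:1025    172.16.10.6:40000  198.51.100.7:80    198.51.100.7:80
udp 179.2.2.80:1026    172.16.10.5:53000  198.51.100.53:53   198.51.100.53:53
"""

COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_addr(token: str) -> Tuple[Optional[str], Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None); '---' -> (None, None)."""
    if token == "---":
        return None, None
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?", token)
    if not m:
        raise ValueError("unexpected address field: %r" % token)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_translations(text: str) -> List[Dict]:
    """One dict per table row; the header, blank lines and prompt echoes are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        row = {"proto": None if fields[0] == "---" else fields[0].lower()}
        for name, token in zip(COLUMNS, fields[1:]):
            row[name], row[name + "_port"] = split_addr(token)
        rows.append(row)
    return rows


def static_exposures(rows: List[Dict]) -> List[Tuple[str, str]]:
    """Address-only entries with no outside side are the standing one-to-one
    mappings: the inside host is reachable from outside at any time."""
    return [(r["inside_local"], r["inside_global"]) for r in rows
            if r["proto"] is None and r["outside_global"] is None]


def hosts_behind(rows: List[Dict]) -> Dict[str, set]:
    """inside global -> set of inside locals using it (more than one means PAT)."""
    out: Dict[str, set] = {}
    for r in rows:
        if r["inside_global"] and r["inside_local"]:
            out.setdefault(r["inside_global"], set()).add(r["inside_local"])
    return out


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("static exposures:", static_exposures(rows))
    print("hosts behind each global address:", hosts_behind(rows))
```

Feed it the saved output of the command (for example from a periodic show collected by a monitoring job) and diff static_exposures() over time: a new standing mapping that nobody planned is worth a question.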

Static NAT
Configure a static NAT between the private IP 10.6.1.2 and the public 171.69.68.10

Establish a static translation between an inside local address and an inside global address, then specify the inside interface and the outside interface:

Router(config)#ip nat inside source static <inside local> <inside global>
Router(config)#int <type & number>
Router(config-if)#ip nat inside
Router(config)#int <type & number>
Router(config-if)#ip nat outside
Example

1st Specify the inside and outside interfaces

R3(config)#interface ethernet0
R3(config-if)#ip address 10.5.5.8 255.0.0.0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip address 210.1.1.1 255.255.255.0
R3(config-if)#ip nat outside

2nd Create the static mappings

R3#conf t
R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R3(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R3(config)#ip nat inside source static 10.5.5.7 210.1.1.4

3rd Verify the mappings

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 210.1.1.2          10.5.5.5           ---                ---
--- 210.1.1.3          10.5.5.6           ---                ---
--- 210.1.1.4          10.5.5.7           ---                ---

show ip nat statistics displays the number of static and dynamic mappings and which interfaces are marked inside and outside

R3#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 0  Misses: 0
Static NAT Example

The diagram shows a router translating an inside source IP address to a source IP address for
the outside network.

The Translation Process

1. The user at host 10.0.0.3 sends traffic to the router, destined for the host at 212.31.80.2.

2. Upon receiving the first packet, the router checks its NAT table.

If dynamic NAT is configured, the router picks a free global address from its dynamic address pool (in the example, 179.2.2.80) and creates a translation entry in its NAT table.

If static NAT is configured, the router translates the inside local address 10.0.0.3 to its configured global IP address 179.2.2.80 and forwards the packet.

3. The user at 212.31.80.2 replies to host 10.0.0.3 using the inside global address 179.2.2.80 as the destination (Destination address = 179.2.2.80).

4. When the router receives the reply, it checks its NAT table again for an entry with inside global address 179.2.2.80. If a match is found, the router translates the destination address back to the respective local address 10.0.0.3 and forwards the packet to the user. If no entry matches, the packet is dropped.

To configure static inside source address translation

Specify the inside and outside interface

Router(config)#interface ethernet0
Router(config-if)#ip nat inside

Router(config)#interface serial0
Router(config-if)#ip nat outside

Enter the static translation entry

Router(config)#ip nat inside source static 10.0.0.3 179.2.2.80

The ip nat inside source command identifies which IP addresses will be translated.
This is a static translation between the inside local address 10.0.0.3 and the inside global address 179.2.2.80 (the first address on the command is the inside local, the second the inside global).

The ip nat outside source command could also be used as the starting point of the translation, translating the outside host's address instead.

Another Static Example

(config)#ip nat inside source static 10.1.1.2 192.168.1.2
(config)#int E0
(config-if)#ip nat inside
(config-if)#exit
(config)#int S0
(config-if)#ip nat outside
Dynamic NAT

A router needs to be configured with NAT and has 16 public addresses, 179.9.8.80 through 179.9.8.95; call this pool POOL_1. On the inside network hosts use the private addresses of 10.1.0.0/16. What is the NAT configuration on the router?

(config)#access-list 1 permit 10.1.0.0 0.0.255.255
(config)#ip nat pool POOL_1 179.9.8.80 179.9.8.95 netmask 255.255.255.0
(config)#ip nat inside source list 1 pool POOL_1
(config)#int E0
(config-if)#ip nat inside
(config-if)#exit
(config)#int S0
(config-if)#ip nat outside

The configuration translates all source addresses permitted by access list 1, i.e. those in 10.1.0.0/16, to an address from the pool named POOL_1. The pool contains the 16 addresses 179.9.8.80 to 179.9.8.95 with netmask 255.255.255.0. Note that without the overload keyword each pool address serves one inside host at a time, so at most 16 inside hosts can be translated simultaneously.

Another Example

Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Router(config)#ip nat pool cisco 179.2.2.65 179.2.2.90 netmask 255.255.255.224
Router(config)#ip nat inside source list 1 pool cisco
Router(config)#interface ethernet0
Router(config-if)#ip nat inside
Router(config)#interface serial0
Router(config-if)#ip nat outside

The pool holds 26 global addresses (.65 to .90), which fit in a block of 32 (.64 to .95); the netmask is therefore 256 - 32 = 224, i.e. 255.255.255.224.

To configure dynamic inside source address translation, an access list must permit only those addresses that are to be translated. Remember there is an implicit "deny all" at the end of each access list; an address it does not permit is simply not translated (the packet is not blocked by NAT, it is forwarded untranslated if a route exists).

Router(config)#ip nat pool <name> <start-IP> <end-IP> netmask <netmask>
Router(config)#access-list <number> permit <IPs> <wildcard>
Router(config)#ip nat inside source list <ACL number> pool <name>
Router(config)#int <type & number>
Router(config-if)#ip nat inside
Router(config)#int <type & number>
Router(config-if)#ip nat outside

When an outside device replies to an inside device, the destination address of its packet is the inside global (IG) address. The mapping created by the first packet therefore has to be held in the NAT table so that all packets belonging to a given connection are translated consistently in both directions. Holding entries in the NAT table also cuts down on repeated lookups.

When an entry is first placed into the NAT table a timer begins; this is the translation timeout. Each time a packet for a given entry is translated through the router the timer is reset. If the timer expires (the Cisco default for simple dynamic entries is 24 hours, 86400 s) the entry is removed from the NAT table and the dynamically assigned address is returned to the pool. This can be changed using
ip nat translation timeout <seconds>
Extended (port-level) entries created by overloading use separate, shorter defaults (for example UDP 300 s and ICMP 60 s), adjustable with ip nat translation udp-timeout, tcp-timeout and related commands.

NAT Overload or Port Address Translation

NAT overloading conserves registered inside global IP addresses on the router. Inside local IP addresses are translated to a common global IP address and are distinguished from one another by the use of different port numbers. Outside hosts do not see this translation; they believe they are talking to a single host with IP address 179.2.2.80, though they are actually talking to two (or more) different hosts.
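The translation table walked through in "How NAT works", together with the dynamic entries, translation timeout and overloading described above, as an added example (not code from the original page or from Cisco IOS): a small Python model of a NAT router with static entries, a dynamic pool that can run dry and gets addresses back when idle entries expire, and overload (PAT). Class and method names, addresses, ports and the clock values are this example's own assumptions; a single idle timeout is used for all dynamic entries for simplicity.

```python
"""Simulated NAT translation table: static entries, a dynamic pool with a
translation timeout, and overload (PAT).

Added example; not code from the original page or from Cisco IOS. It models
only the behaviour the text describes. Addresses, ports and clock values
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None    # None: simple (address-only) entry
    global_port: Optional[int] = None   # set only for overloaded (PAT) entries
    static: bool = False
    last_used: float = 0.0


class NatRouter:
    def __init__(self, timeout: float = 86400):
        self.entries: List[Entry] = []
        self.pool: List[str] = []             # free inside global addresses (dynamic NAT)
        self.overload: Optional[str] = None   # single inside global address for PAT
        self.acl: List[Tuple[int, int]] = []  # (network, wildcard): what may be translated
        self.timeout = timeout                # idle seconds before a dynamic entry expires
        self.next_port = 1024                 # next free source port on the overload address

    # --- configuration, mirroring ip nat inside source static / list ... pool ---
    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.entries.append(Entry(inside_local, inside_global, static=True))

    def add_pool(self, start: str, end: str) -> None:
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def set_overload(self, inside_global: str) -> None:
        self.overload = inside_global

    def permit(self, network: str, wildcard: str) -> None:
        self.acl.append((int(ipaddress.IPv4Address(network)),
                         int(ipaddress.IPv4Address(wildcard))))

    def _acl_permits(self, ip: str) -> bool:
        """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
        n = int(ipaddress.IPv4Address(ip))
        return any((n | wc) == (net | wc) for net, wc in self.acl)

    # --- housekeeping: the translation timeout ---
    def expire(self, now: float) -> None:
        """Drop dynamic entries idle for >= timeout and return pool addresses."""
        keep = []
        for e in self.entries:
            if e.static or now - e.last_used < self.timeout:
                keep.append(e)
            elif e.global_port is None:
                self.pool.append(e.inside_global)
        self.entries = keep

    # --- translation ---
    def outbound(self, src: str, sport: int, now: float) -> Optional[Tuple[str, int]]:
        """Inside -> outside: (inside global, port), or None when the packet
        cannot be translated (not permitted by the ACL, or pool exhausted)."""
        self.expire(now)
        for e in self.entries:   # existing entry: translate consistently
            if e.inside_local == src and e.local_port in (None, sport):
                e.last_used = now
                return e.inside_global, (sport if e.global_port is None else e.global_port)
        if not self._acl_permits(src):
            return None
        if self.overload:        # PAT: same address, a fresh port per session
            e = Entry(src, self.overload, sport, self.next_port, last_used=now)
            self.next_port += 1
        elif self.pool:          # dynamic NAT: one pool address per inside host
            e = Entry(src, self.pool.pop(0), last_used=now)
        else:
            return None
        self.entries.append(e)
        return e.inside_global, (sport if e.global_port is None else e.global_port)

    def inbound(self, dst: str, dport: int, now: float) -> Optional[Tuple[str, int]]:
        """Outside -> inside: only packets matching an entry are translated;
        unsolicited traffic to a pool or PAT address finds no entry and is dropped."""
        self.expire(now)
        for e in self.entries:
            if e.inside_global == dst and e.global_port in (None, dport):
                e.last_used = now
                return e.inside_local, (dport if e.global_port is None else e.local_port)
        return None


if __name__ == "__main__":
    r = NatRouter(timeout=300)
    r.permit("10.1.0.0", "0.0.255.255")
    r.set_overload("179.2.2.80")
    print(r.outbound("10.1.2.3", 40000, now=0))   # ('179.2.2.80', 1024)
    print(r.inbound("179.2.2.80", 1024, now=1))   # ('10.1.2.3', 40000)
    print(r.inbound("179.2.2.80", 2000, now=1))   # None: no entry, packet dropped
```

The contrast worth noticing is in inbound(): a static entry answers for its inside host whether or not that host has sent anything, while a PAT entry answers only for the exact port a session opened, which is the whole of the "basic firewall" effect people attribute to NAT.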
NAT Overload or PAT Configuration

(config)#access-list 1 permit 10.1.0.0 0.0.255.255
(config)#ip nat pool POOL_2 179.9.8.20 179.9.8.20 netmask 255.255.255.240
(config)#ip nat inside source list 1 pool POOL_2 overload
(config)#interface Fa0/1
(config-if)#ip nat inside
(config)#interface Serial 0/0
(config-if)#ip nat outside

Alternatively, overload directly onto the address of the outside interface instead of defining a pool:

(config)#ip nat inside source list 1 interface Serial0/0 overload

Use one form or the other for a given access list, not both.

Define an access list to permit the inside local addresses to be translated

Router(config)#access-list 1 permit 10.1.0.0 0.0.255.255

Enter the dynamic translation, overloading the outside interface address

Router(config)#ip nat inside source list 1 interface serial0 overload

The access list in this case is not being used to permit or deny traffic but to select interesting traffic for the NAT process.

Define the interfaces

Router(config)#interface ethernet0
Router(config-if)#ip nat inside
Router(config)#interface serial0
Router(config-if)#ip nat outside

Example

Router(config)#int e0/0
Router(config-if)#ip nat inside
Router(config)#int s0/0
Router(config-if)#ip nat outside
Router(config)#ip nat inside source list 10 interface s0/0 overload
Router(config)#access-list 10 permit 172.16.10.0 0.0.0.255
Question

Where would you implement NAT in this design and what type would you configure?

Answer

Place the NAT on the corporate router, the one facing the Internet, and use dynamic NAT with overload (PAT).

Question
ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0

What does this command tell you? The pool command defines addresses for dynamic NAT. Whether PAT is used is decided by the overload keyword on the ip nat inside source list ... pool command, not by the number of addresses in the pool; with no overload shown, this is plain dynamic NAT.

Example

A border router needs to be configured with NAT and will have 6 public addresses, 198.18.131.65 through 70. On the inside network there are 62 hosts that use the private addresses 192.168.10.129 through 190. What is the NAT configuration on the border router?

Answer

#ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248
#access-list 1 permit 192.168.10.128 0.0.0.63
#ip nat inside source list 1 pool Todd overload

ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248

Sets the pool name as Todd and creates the dynamic pool of public addresses, 198.18.131.65 to 70, for NAT to use.

For the inside global pool 6 addresses are required; block sizes go 2, 4, 8, so the block size must be 8. 256 - 8 = 248, giving a netmask of 255.255.255.248.

For the inside local addresses, 62 hosts (.129 to .190) need a block size of 64, so the wildcard mask is 0.0.0.63. The local address range starts at 192.168.10.129, which lies in the 192.168.10.128 subnet, so the access list permits 192.168.10.128 0.0.0.63.

ip nat inside source list 1 pool Todd overload

This sets the dynamic pool to use Port Address Translation (PAT) by means of the overload keyword, so all 62 hosts can be active at once through the 6 public addresses.

Remember to add the ip nat inside and ip nat outside statements on the interfaces.

Lab_A(config)#int s0/0
Lab_A(config-if)#ip nat outside
Lab_A(config-if)#int f0/0
Lab_A(config-if)#ip nat inside
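The block-size arithmetic in the answer above (and the same working done earlier for the POOL_1 and cisco pools), as an added example that is not part of the original page: Python that derives the pool netmask, the access-list network and wildcard, and checks whether the design can serve every host at once. Function names are this example's own; the address ranges are the ones used in the text.

```python
"""Block-size and mask arithmetic for a NAT pool and its access list.

Added example, not from the original page. Works out the pool netmask, the
access-list network/wildcard and whether the design serves all hosts at once.
"""
import ipaddress
from typing import Dict, Tuple


def smallest_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest aligned CIDR block that contains the whole first..last range."""
    last_addr = ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network("%s/%d" % (first, prefix), strict=False)
        if last_addr in net:
            return net
    raise ValueError("no block contains the range")  # cannot happen for /0


def pool_netmask(start: str, end: str) -> Tuple[str, int, int]:
    """(netmask for the ip nat pool line, block size, addresses actually in the pool)."""
    net = smallest_block(start, end)
    count = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
    return str(net.netmask), net.num_addresses, count


def acl_for_range(first: str, last: str) -> Tuple[str, str]:
    """(network, wildcard) for 'access-list N permit <network> <wildcard>';
    the wildcard is the inverse of the netmask (ipaddress calls it hostmask)."""
    net = smallest_block(first, last)
    return str(net.network_address), str(net.hostmask)


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    n, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (n | wc) == (net | wc)


def plan(pool_start: str, pool_end: str, host_first: str, host_last: str,
         overload: bool) -> Dict:
    """Summarise the design and flag the classic mistake: a dynamic pool
    smaller than the number of simultaneously active hosts, without overload."""
    netmask, block, pool_size = pool_netmask(pool_start, pool_end)
    network, wildcard = acl_for_range(host_first, host_last)
    lo, hi = int(ipaddress.IPv4Address(host_first)), int(ipaddress.IPv4Address(host_last))
    # Every host must be matched by the ACL; matching the block's network and
    # broadcast addresses as well is normal and harmless for NAT selection.
    covered = all(acl_permits(str(ipaddress.IPv4Address(i)), network, wildcard)
                  for i in range(lo, hi + 1))
    return {
        "pool_netmask": netmask, "pool_block_size": block, "pool_size": pool_size,
        "acl_network": network, "acl_wildcard": wildcard,
        "hosts": hi - lo + 1, "hosts_covered_by_acl": covered,
        "all_hosts_served": overload or pool_size >= hi - lo + 1,
    }


if __name__ == "__main__":
    # Without overload, 6 pool addresses cannot serve 62 hosts at the same time.
    print(plan("198.18.131.65", "198.18.131.70",
               "192.168.10.129", "192.168.10.190", overload=False))
```

Run plan() on a proposed configuration before typing it in; all_hosts_served being False with overload unset is exactly the situation the exam questions later on this page keep asking about.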

We are going to connect the link between the Corp and R3 routers using the 64.1.1.4/30 network (with global PAT), and the LAN F0/0 link on the R3 router using the 64.1.1.8/30 network.

Configure NAT on the Corp router so that all the networks connected to the Corp router can communicate with all the networks connected to the R3 router using the new global address 64.1.1.5/30. Before NAT translation an interface's IP address is known as the inside local address.

Corp#config t
Corp(config)#ip nat pool Todd 64.1.1.5 64.1.1.5 netmask 255.255.255.252
Corp(config)#access-list 1 permit 10.1.0.0 0.0.255.255
Corp(config)#ip nat inside source list 1 pool Todd overload

Note that Corp's outside interface address, 64.1.1.5, is used as both the start and the finish address of the pool, so the pool contains exactly one address.

Configure NAT on all interfaces

Corp(config)#int s0/2/0
Corp(config-if)#ip nat outside
Corp(config-if)#int f0/1
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/0/0
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/0/1
Corp(config-if)#ip nat inside
Corp(config-if)#int s0/1/0
Corp(config-if)#ip nat inside

PAT is now configured and the interfaces are set.

(PAT) NAT Overload

1. NAT inside interface

Enable an interface on the router with an IP address and mark it as the NAT inside interface. This is the interface that connects to your internal private network.

WANRouter(config)#int fastethernet0/1
WANRouter(config-if)#ip address 192.168.1.1 255.255.255.0
WANRouter(config-if)#ip nat inside

2. Enable the NAT outside interface

WANRouter(config)#int serial0/0/0
WANRouter(config-if)#ip address 100.100.100.100 255.255.255.0
WANRouter(config-if)#ip nat outside

3. Configure the NAT pool

This is a pool of public IP addresses allocated to the organisation. It can be anything from one to many IP addresses.

WANRouter(config)#ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0

This creates a pool which has just one IP address. The syntax is

ip nat pool <pool name> <start ip> <end ip> {netmask <netmask> | prefix-length <length>}

4. Access list selecting the IP addresses to translate

WANRouter(config)#access-list 10 permit 192.168.1.0 0.0.0.255

For more networks or hosts to overload the NAT pool, simply add them to the access list

WANRouter(config)#access-list 10 permit 192.168.2.0 0.0.0.255
WANRouter(config)#access-list 10 permit 192.168.3.0 0.0.0.255

Instruct the router to translate the addresses matched by the access list using the NAT pool

WANRouter(config)#ip nat inside source list 10 pool WANPOOL overload

If this is an Internet connection, ensure that there is a default route pointing at the outside interface or at the ISP's next-hop address

WANRouter(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0

or

WANRouter(config)#ip route 0.0.0.0 0.0.0.0 <ISP next-hop address>

The next hop must be the ISP router's address on the 100.100.100.0/24 link, not this router's own interface address 100.100.100.100.

The NAT setup is now complete.

We have set up the router to translate LAN private IPs into Internet public IPs.
Configuring NAT Using SDM (Security Device Manager)
Select Configure > NAT

Basic NAT: use this wizard for ordinary PCs on your trusted network that need Internet access.

Advanced NAT: use this wizard when you have a Demilitarized Zone (DMZ) or servers on your inside network that users from the outside need to access. A DMZ allows external Internet users to access public servers, including web and FTP servers, while maintaining security for the company's private LAN through the use of the Cisco IOS Firewall.

Here we are going to create a basic NAT. After we click Launch the Selected Task, we get the next screen, which says what the Basic NAT Wizard is going to do.

Here we are able to select all our inside and outside interfaces.
After choosing the inside and outside interfaces, click Next. A NAT pool is created and all interfaces are assigned inside or outside configurations. Click Finish.
Exam Questions

Question
A system administrator must provide Internet connectivity for ten hosts in a small remote office.
The ISP has assigned two public IP addresses to this remote office. How can the system
administrator configure the router to provide Internet access to all ten users at the same time?

A. Configure static NAT for all ten users.
B. Configure dynamic NAT for ten users.
C. Configure dynamic NAT with PAT.
D. Configure DHCP and static NAT.
E. What the administrator wants to do cannot be done.

Answer C

Explanation
Port address translation, or NAT overloading, uses transport-layer port information to dynamically create NAT entries, so all ten hosts can share the two public addresses at the same time.

Incorrect Answers
A. Static NAT is known as one-to-one NAT and is used to map a single IP address to a single registered IP address. It is often used for servers that need to be accessed via the Internet; two public addresses cannot be statically mapped to ten hosts.
B. Dynamic NAT without overload still needs one pool address per simultaneously active host.

Question
What is the purpose of the command marked with an arrow shown in the partial configuration output of a Cisco 806 broadband router?

A. defines which addresses are allowed out of the router
B. defines which addresses are allowed into the router
C. defines which addresses can be translated
D. defines which addresses are assigned to a NAT pool

Answer C

An access list referenced by ip nat inside source list defines which addresses can be translated; it does not permit or deny traffic through the router.

Question

A network administrator would like to implement NAT in the network shown to allow inside hosts
to use a private addressing scheme. Where should NAT be configured?

A. Corporate router
B. Engineering router
C. Sales router
D. All routers
E. All routers and switches

Answer A

Explanation: Network Address Translation (NAT) can be used to hide the private IP addressing
scheme of the entire network from the Internet. To do this, NAT needs to only be configured on
the router that resides between the Internet and the rest of the private internal network. In this
case, it needs to only be implemented on the Corporate router.

Question
ABC has 25 computers and decides to connect the network to the Internet. ABC would like for all
of the computers to have access to the Internet at the same time, but ABC only has four usable
publicly routable IP addresses. What should be configured on the router so that all computers can
connect to the Internet simultaneously?

A. Static NAT
B. Global NAT
C. Dynamic NAT
D. Static NAT with ACLs
E. Dynamic NAT with overload
Answer E

Explanation: NAT overload, also called many to one NAT or Port Address Translation (PAT)
allows for many IP hosts to share a single IP address when connecting to the outside. In this
case, the use of dynamic NAT with overloading will allow for the 25 hosts to use an IP address
from the NAT pool, which will contain the 4 public IP addresses.

Question
A Cisco router has been configured with the following command: ip nat pool nat-test 192.168.6.10 192.168.6.20 netmask 255.255.255.0. This is an example of what type of NAT?

A. Static NAT
B. Dynamic NAT
C. Dynamic NAT with overload
D. Port Address Translation
E. None of the above

Answer B

Explanation: The configuration statement in this example is used to define a pool of IP addresses to be used for dynamic NAT translations.

Incorrect Answers
A. Static NAT is used for 1-to-1 translation entries, using the "static" keyword. In this example a range of addresses is being defined for use in a pool.
C, D. With NAT overload, also known as Port Address Translation (PAT), the keyword "overload" is added at the end of the ip nat inside source list ... pool statement; no such statement is shown here.

Question
In any NAT (network address translation) configuration, what is the Inside Global IP address?

A. The summarized address for all internal subnetted addresses.
B. A private IP address assigned to a host on the inside network.
C. A registered address that represents an inside host to an outside network.
D. A unique IP address used on an internal network.
E. None of the above

Answer C

Explanation
With NAT, Cisco defines four different types of addresses as follows

Inside local address - The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer's OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.

Inside global address - A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

Outside local address - The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

Outside global address - The IP address assigned to a host on the outside network by the host's owner. The address is allocated from a globally routable address or network space.

The above definitions still leave a lot to be interpreted. For this example, the terms are restated by first defining "local address" and "global address". Keep in mind that the terms "inside" and "outside" are NAT definitions. Interfaces on a NAT router are defined as "inside" or "outside" with the NAT configuration commands ip nat inside and ip nat outside. Networks to which these interfaces connect can then be thought of as "inside" networks or "outside" networks, respectively.

Local address - A local address is any address that appears on the "inside" portion of the network.

Global address - A global address is any address that appears on the "outside" portion of the network.

Question
The administrator of the network needs to ensure that a web server in their network is accessible
from the Internet. Since the network uses private addressing, this requires an IP-to-registered-
address mapping. The following command is entered on the router: TK1(config)# ip nat inside
source static 192.168.2.1 198.18.1.254 After unsuccessful results from a ping to the Internet, the
administrator issues the show ip nat translations command and the output is blank. What could
be the problem with the NAT configuration for this mapping?

A. The keyword overload is missing from the command.
B. The administrator needs to define a NAT pool first.
C. An access list must be defined to create static NAT translations.
D. The interfaces need to be configured for NAT.

Answer D

Explanation: After configuring the static NAT entry, the administrator must also mark the interfaces, to define which are on the outside and which are on the inside; without this, no translation takes place. Example:

interface s0
ip nat outside
!--- s0 is connected to the ISP
interface e0
ip nat inside
!--- e0 is connected to the local LAN

Incorrect Answers
A, B, C. These are all tasks that need to be configured when performing dynamic or many-to-one NAT, also known as Port Address Translation (PAT). In this example we are specifying a static 1-to-1 NAT entry, which needs neither a pool, an access list nor the overload keyword.

Question

Refer to the topology and router configuration shown in the graphic above. A host on the LAN is
accessing an FTP server across the Internet. Which of the following addresses could appear as a
source address for the packets forwarded by the router to the destination server?

A. 10.10.0.1
B. 10.10.0.2
C. 199.99.9.3
D. 199.99.9.57
E. 200.2.2.17
F. 200.2.2.18

Answer D

Explanation: Using NAT we can translate the source or destination address. In this example every source address in the 10.10.0.0 0.0.0.255 network is translated to an address from the 199.99.9.40-62 pool, and 199.99.9.57 is the only listed address that lies in that pool.

Question

The network administrator has configured NAT as shown in the exhibit. Clients still cannot access
the Internet. What should the network administrator do to resolve this problem?

A. Configure an IP NAT address pool.
B. Properly configure the ACL.
C. Apply the ip nat command to the S0 interface.
D. Configure the ip nat inside and ip nat outside commands on the interfaces.

Answer D

Explanation
The "ip nat inside" and "ip nat outside" commands must be used from interface configuration
mode to tell the router which interface is performing which role in the NAT process. The following
commands show how to configure our example router:
Border(config)#interface ethernet0
Border(config-if)#ip nat inside
Border(config-if)#exit
Border(config)#interface serial0
Border(config-if)#ip nat outside
Border(config-if)#exit
Border(config)#

Question Simulation

Configure a router to provide Internet access. The ISP has provided you with six public IP
addresses: 198.18.158.97, 198.18.158.98, 198.18.158.99, 198.18.158.100, 198.18.158.101,
and 198.18.158.102. ABC.com has 62 hosts that need access to the Internet simultaneously. The
hosts in the ABC.com LAN have been assigned private space addresses in the range of
192.168.98.65 - 192.168.98.126. The following have already been configured on the router:

1. The basic router configuration
2. The appropriate interfaces have been configured for NAT inside and NAT outside.
3. The appropriate static routes have also been configured (since the company will be a stub
network, no routing protocol will be required)
4. All passwords have been temporarily set to "Cisco"

The task is to complete the NAT configuration using all IP addresses assigned by the ISP to provide
Internet access to the hosts in the ABC1 LAN. Functionality can be tested by clicking on the host
provided for testing.

Configuration information
Router name: ABC1
Inside global addresses: 198.18.158.97 - 198.18.158.102/29
Inside local addresses: 192.168.98.65 - 192.168.98.126/26
Number of inside hosts: 62
Password: Cisco

Answer

ABC1(config)#ip nat inside source list 1 pool nat-pool overload
ABC1(config)#access-list 1 permit 192.168.98.64 0.0.0.63
ABC1(config)#ip nat pool nat-pool 198.18.158.97 198.18.158.102 netmask 255.255.255.248
ABC1(config)#int Fa0/0
ABC1(config-if)#ip nat inside
ABC1(config-if)#exit
ABC1(config)#int s0
ABC1(config-if)#ip nat outside
ABC1(config-if)#end
ABC1#copy run start

Previously the ip nat pool nat-pool was configured with /26 (255.255.255.192), which is incorrect
because we are configuring the inside global addresses, and their block is /29 (255.255.255.248).

Explanation
Public IP addresses 198.18.158.97 – 102
5 addresses, block size 8, 256 – 8 = 248, netmask 255.255.255.248

Local inside addresses 192.168.98.65 – 126, 62 hosts: block sizes 8, 16, 32, 64, so block size = 64
Start of local pool 192.168.98.65 lies in the 64-address subnet 192.168.98.64
So the subnet and inverse (wildcard) mask are 192.168.98.64 0.0.0.63

Question

BBC.com wants to use NAT in the network displayed in the exhibit. Which commands will apply the
NAT configuration to the proper interfaces? Select two.

A. BBC1(config)# interface serial0/1
   BBC1(config-if)# ip nat inside

B. BBC1(config)# interface serial0/1
   BBC1(config-if)# ip nat outside

C. BBC1(config)# interface fastethernet0/0
   BBC1(config-if)# ip nat inside

D. BBC1(config)# interface fastethernet0/0
   BBC1(config-if)# ip nat outside

E. BBC1(config)# interface serial0/1
   BBC1(config-if)# ip nat outside source pool 200.2.2.18 255.255.255.252

F. BBC1(config)# interface serial0/1
   BBC1(config-if)# ip nat inside source 10.10.0.0 255.255.255.0

Answer B, C

Explanation. After creating the static NAT entries, the router needs to know which interfaces are
"inside" and which are "outside." The ip nat inside and ip nat outside interface subcommands
identify each interface appropriately.

Question

Refer to the topology and partial configuration output shown in the graphic. The ip subnet-zero
configuration command is also in effect. After the router performs network address translation,
which address is a valid "inside global address"?

A. 10.10.0.1
B. 10.10.0.17
C. 200.2.2.17
D. 200.2.2.18
E. 199.99.9.33
F. 199.99.9.47

Answer F

Explanation
Regarding NAT operation

1. Inside local address - The IP address assigned to a host on the inside network. This is the
address configured as a parameter of the computer's OS or received via dynamic address
allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by
the Network Information Center (NIC) or service provider.

2. Inside global address - A legitimate IP address assigned by the NIC or service provider that
represents one or more inside local IP addresses to the outside world. In this case, the NAT pool
is used to distribute the Inside Global IP addresses.

3. Outside local address - The IP address of an outside host as it appears to the inside network.
Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

4. Outside global address - The IP address assigned to a host on the outside network by the
host's owner. The address is allocated from a globally routable address or network space.

Question

Which of the following can be done to allow the users on the 10.0.0.0 network to communicate
with the Web Server shown in the graphic? (Choose two.)

A. Configure the Miami router to use NAT.
B. Configure the Web Server with a private address.
C. Configure the Miami router to use PAT.
D. Change the Internet link IP address of 128.56.0.0 to a private address.
E. Configure the Tampa router to use PAT

Answer A & C

Configure the Miami router to use NAT.
Configure the Miami router to use PAT.

10.0.0.0 is a private address range and is not routable outside the private network, so Miami, as the
border router, must translate it.

Question NAT SIM

A network associate is configuring a router for the Weaver company to provide Internet access.
The ISP has provided the company six public IP addresses of 198.18.184.105 - 198.18.184.110.
The company has 14 hosts that need to access the Internet simultaneously. The hosts in the
company LAN have been assigned private space addresses in the range of 192.168.100.17 –
192.168.100.30.

NAT SIM Configuration

The following configuration translates between the inside hosts (Weaver LAN), addressed from the
192.168.100.16 /28 network (192.168.100.17 – 192.168.100.30), and the globally unique pool of
addresses provided by the ISP, 198.18.184.105 – 198.18.184.110 /29.

Weaver>enable
Weaver#configure terminal

Before starting the NAT configuration, verify that the router hostname currently configured is
Weaver. If not, change the hostname to Weaver using the command

Router(config)#hostname weaver

Create an access-list to match all inside local Weaver LAN addresses that need NAT translation.

Weaver(config)#access-list 10 permit 192.168.100.16 0.0.0.15

Number of inside hosts = 14, block size = 16, wildcard = 0.0.0.15
Start of local pool 192.168.100.17 lies in the 192.168.100.16 subnet

Create a NAT pool with the pool name isp_adr and specify the pool address range provided by the
ISP with its netmask.

Weaver(config)#ip nat pool isp_adr 198.18.184.105 198.18.184.110 netmask 255.255.255.248

198.18.184.105 – 110, 5 addresses, block size 8, 256 – 8 = 248, netmask = 255.255.255.248

Packets that match access-list 10 will be translated to an address from the pool called "isp_adr".

The overload keyword tells the router to use port-based translation (PAT) so that the whole Weaver
LAN address range can be supported.

Weaver(config)#ip nat inside source list 10 pool isp_adr overload

The overload keyword is compulsory because the internal LAN address space is larger than the
public address range provided by the ISP.

We need all internal LAN addresses to be able to access the Internet; that is the reason we are
using the overload keyword.

The SIM question already states that the appropriate interfaces have been configured with the NAT
inside and NAT outside statements.

For your information, that configuration would have been like this:

Weaver(config)#interface fastethernet 0/0
Weaver(config-if)#ip nat inside
Weaver(config)#interface serial 0/0
Weaver(config-if)#ip nat outside

The complete NAT configuration entered on the router is therefore:

Weaver>enable
Weaver#configure terminal
Router(config)#hostname weaver
Weaver(config)#access-list 10 permit 192.168.100.16 0.0.0.15
Weaver(config)#ip nat pool isp_adr 198.18.184.105 198.18.184.110 netmask 255.255.255.248
Weaver(config)#ip nat inside source list 10 pool isp_adr overload
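The block-size arithmetic used in both SIM explanations (ABC1 and Weaver) can be checked before anything is typed into the router. The following is an added example, not part of the original document or of any Cisco tool: it derives the access-list wildcard, the pool netmask and whether overload is needed from the host and ISP ranges, and emits the same IOS lines as the answers above (the function names are my own).

```python
import ipaddress


def smallest_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest CIDR block containing first..last (the 'block size' step).

    62 hosts -> a 64-address block (/26), 14 hosts -> 16 (/28),
    six public addresses -> 8 (/29).
    """
    hi = ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        # strict=False snaps 'first' to the block boundary, so 'first' is
        # always inside; stop at the first prefix that also covers 'last'.
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("unreachable: /0 covers every address")


def pool_size(first: str, last: str) -> int:
    """Number of addresses in an inclusive range such as an ip nat pool."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1


def nat_config(router, acl, pool, local_first, local_last, global_first, global_last):
    """IOS lines for dynamic NAT/PAT from an inside range to an ISP pool."""
    inside = smallest_block(local_first, local_last)
    outside = smallest_block(global_first, global_last)
    # More inside hosts than pool addresses means the overload (PAT) keyword
    # is required, exactly as argued in the Weaver SIM explanation.
    hosts = pool_size(local_first, local_last)
    overload = " overload" if hosts > pool_size(global_first, global_last) else ""
    return [
        f"{router}(config)#access-list {acl} permit "
        f"{inside.network_address} {inside.hostmask}",
        f"{router}(config)#ip nat pool {pool} {global_first} {global_last} "
        f"netmask {outside.netmask}",
        f"{router}(config)#ip nat inside source list {acl} pool {pool}{overload}",
    ]


if __name__ == "__main__":
    # Weaver SIM values from the question above.
    for line in nat_config("Weaver", 10, "isp_adr", "192.168.100.17",
                           "192.168.100.30", "198.18.184.105", "198.18.184.110"):
        print(line)
```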

Functionality Test
Our requirement is to allow the hosts (Weaver LAN) to communicate with the Internet. For this
test, we ping the Internet device (ISP router S0/1) from the host for testing.

Step 1. Go to the host for testing

C:\>ping 192.0.2.114

The ping to 192.0.2.114 should succeed, since the SIM question states that a static route is already
configured on the router.

Step 2. On the console of the router (Weaver)

Issue the show ip nat translation command to verify the NAT translations.

Sample output
Considering that the host for testing has IP address 192.168.100.17

weaver# show ip nat translation

Pro Inside global Inside local Outside local Outside global


icmp 198.18.184.105:434 192.168.100.17:434 192.0.2.113:434 192.0.2.114:434
icmp 198.18.184.105:435 192.168.100.17:435 192.0.2.113:435 192.0.2.114:435
icmp 198.18.184.105:436 192.168.100.17:436 192.0.2.113:436 192.0.2.114:436
icmp 198.18.184.105:437 192.168.100.17:437 192.0.2.113:437 192.0.2.114:437
icmp 198.18.184.105:438 192.168.100.17:438 192.0.2.113:438 192.0.2.114:438

Question

Refer to the exhibit. Which address is an inside global address?

A. 10.1.1.1
B. 10.1.1.2
C. 198.18.1.55
D. 64.100.0.1

Answer C

198.18.1.55

Question

Refer to the exhibit. Based on the output of the show ip nat translations command, which kind of
address translation is in effect on this router?

A. static
B. public
C. overload
D. private

Answer C

Overload

Question

How many addresses will be available for dynamic NAT translation when a router is configured
with the following commands?

Router(config)#ip nat pool TAME 209.165.201.23 209.165.201.30 netmask 255.255.255.224
Router(config)#ip nat inside source list 9 pool TAME

A. 7
B. 8
C. 9
D. 10
E. 24
F. 31

Answer B

Question

When configuring NAT on a Cisco router, what is the inside local IP address?

A. the IP address of an inside host as it appears to the outside network
B. the IP address of an outside host as it appears to the inside network
C. the IP address of an inside host as it appears to the inside network
D. the configured IP address assigned to a host in the outside network

Answer A

the IP address of an inside host as it appears to the outside network

Question

Given the accompanying debug output from a Cisco router, what kind of address is 10.10.10.3
with the IP identification number of 29855?

A. inside local
B. inside global
C. outside local
D. outside global

Answer A

inside local

Question

Given the accompanying graphic, which statement would be applied to the S0 interface when
configuring NAT on the Tampa router?

A. ip nat inside
B. ip nat outside
C. ip pat inside
D. ip pat outside

Answer B

ip nat outside

Question

Given the accompanying graphic, which addresses could be assigned to traffic leaving S0 as a
result of the statement ip nat pool Tampa 179.9.8.96 179.9.8.111 netmask 255.255.255.240?
(Choose two.)

A. 10.0.0.125
B. 179.9.8.95
C. 179.9.8.98
D. 179.9.8.101
E. 179.9.8.112

Answer C, D

Question

Which command would establish a group of 30 IP addresses that could be used to hide inside
addresses from the Internet?

A. ip nat pool Raleigh 10.0.0.32 10.0.0.63 netmask 255.255.255.224
B. ip nat pool Raleigh 10.0.0.32 10.0.0.63 netmask 255.255.255.240
C. ip nat pool Raleigh 171.11.10.32 171.11.10.63 netmask 255.255.255.224
D. ip nat pool Raleigh 171.11.10.32 171.11.10.63 netmask 255.255.255.240

Answer C

ip nat pool Raleigh 171.11.10.32 171.11.10.63 netmask 255.255.255.224

Question

Given the accompanying diagram, which commands are necessary to implement PAT on the
Raleigh router? (Choose four.)

A. access-list 10 permit 192.168.10.0 0.0.0.255
B. access-list 10 permit 171.11.0.0 0.0.255.255
C. ip nat inside source static 192.168.10.1 171.11.0.0
D. ip nat inside source list 10 interface S0 overload
E. ip nat outside
F. ip nat inside

Answer A, D, E, F

access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface S0 overload
ip nat outside
ip nat inside

Question

What is true regarding the differences between NAT and PAT?

A. PAT uses the word "overload" at the end of the access-list statement to share a single
registered address.
B. Static NAT allows an unregistered address to map to multiple registered addresses.
C. Dynamic NAT allows hosts to receive the same global address each time external access is
required.
D. PAT uses unique source port numbers to distinguish between translations.

Answer D

PAT uses unique source port numbers to distinguish between translations
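How PAT keeps translations apart by port, as asked in this question and as shown in the show ip nat translation sample output of the Weaver SIM above, can be modelled in a few lines. This is an added example, not code from the document or from Cisco IOS: a toy translation table (class and method names are my own) for one shared inside global address, with the hosts and addresses taken from the Weaver SIM.

```python
class PatTable:
    """Toy model of the PAT (overload) state for one shared inside global address."""

    def __init__(self, inside_global: str, first_spare_port: int = 1024):
        self.inside_global = inside_global
        self.next_spare = first_spare_port
        # (proto, inside local, local port, outside global, outside port) -> global port
        self.outbound = {}
        # (proto, global port, outside global, outside port) -> (inside local, local port)
        self.inbound = {}

    def translate(self, proto, inside_local, local_port, outside_global, outside_port):
        """Outbound packet: return the (inside global, port) pair it is forwarded with."""
        key = (proto, inside_local, local_port, outside_global, outside_port)
        if key not in self.outbound:
            # Keep the host's own port while it is free (434:434 in the sample output);
            # a second host using the same port gets a spare one, so the two flows
            # stay distinguishable when replies come back.
            gport = local_port
            while (proto, gport, outside_global, outside_port) in self.inbound:
                gport, self.next_spare = self.next_spare, self.next_spare + 1
            self.outbound[key] = gport
            self.inbound[(proto, gport, outside_global, outside_port)] = (inside_local, local_port)
        return self.inside_global, self.outbound[key]

    def untranslate(self, proto, global_port, outside_global, outside_port):
        """Return packet: (inside local, local port), or None when no entry exists.

        None is what makes the router drop the packet: with PAT, inbound traffic
        that no inside host initiated has no translation and is never forwarded.
        """
        return self.inbound.get((proto, global_port, outside_global, outside_port))

    def show(self):
        """Rows in the column order of 'show ip nat translation'. Without outside
        translation the outside local and outside global columns are the same."""
        return [f"{proto} {self.inside_global}:{gport} {local}:{lport} "
                f"{outside}:{oport} {outside}:{oport}"
                for (proto, local, lport, outside, oport), gport in self.outbound.items()]


if __name__ == "__main__":
    table = PatTable("198.18.184.105")
    # Two Weaver LAN hosts ping the ISP router with the same ICMP identifier.
    table.translate("icmp", "192.168.100.17", 434, "192.0.2.114", 434)
    table.translate("icmp", "192.168.100.18", 434, "192.0.2.114", 434)
    for row in table.show():
        print(row)
```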

Question

The Raleigh router shown in the diagram is configured with PAT. Which of the following must be
changed if the private network is migrated to a 10.0.0.0 network? (Choose two.)

A. E0 interface address
B. S0 interface address
C. the access-list statement
D. the NAT outside interface
E. the NAT inside interface

Answer A, C

E0 interface address, the access-list statement
