Scaling Networks with Network Address Translation: Solutions for IPv4 Security and Scalability. ECPI College of Technology, Department of Computer Information Sciences, Mtaylor

Uploaded by emery-timothy-newman, posted 19-Jan-2016

TRANSCRIPT

Page 1: Scaling Networks with Network Address Translation Scaling Networks with Network Address Translation Solutions for IPv4 Security and Scalability ECPI College

Scaling Networks with Network Address Translation
Solutions for IPv4 Security and Scalability
ECPI College of Technology
Department of Computer Information Sciences
Mtaylor v2009-3

Page 2:

Objectives

- Understand limits of traditional addressing methods
- Describe how Network Address Translation can contribute to security
- Describe how Port Address Translation enhances usage of scarce public IP addresses

Page 3:

NAT Presentation Lab 6.1

Optional but useful: set this up to follow the presentation.

Page 4:

Limits of Public Internet Addresses

- Limited number of networks available for private use
  - Most major class numbers for both Class A and Class B were claimed by 1990
- Numbers are usually controlled by providers
  - Makes it difficult to change providers
  - Makes the market less competitive

Page 5:

Solution: Private Address Ranges

Class   Network Range                    CIDR Prefix
A       10.0.0.0 - 10.255.255.255        10.0.0.0/8
B       172.16.0.0 - 172.31.255.255      172.16.0.0/12
C       192.168.0.0 - 192.168.255.255    192.168.0.0/16

Big Limitation: These addresses cannot be routed on the Internet. They are filtered out and dropped as soon as the ISP router sees them.

Page 6:

What to do? Translate the private IP address at the border of the network into a public IP address that the Internet can use.

This is called Network Address Translation.

Page 7:

NAT Terminology

- Inside Local Address: an IP address assigned to a host inside a network. This address is likely to be an RFC 1918 private address.
- Inside Global Address: a legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside Local Address: the IP address of an outside host as it is known to the hosts in the inside network.
- Outside Global Address: the IP address assigned to a host on the outside network. The owner of the host assigns this address.

Page 8:

Basic Process of NAT

- The inside source address is a private address, aka the inside local address. This address gets changed or translated into an inside global address if you are using public IP addresses on that network.
- Outside means public and signifies what the rest of the world will recognize the inside address as.
- The inside address is kept in a translation table so that when a packet returns, it can return to the host machine that it belongs to.

[Figure: IP header before and after translation]
Original header: Version | Hdr Len | Type of Service | Total Length ... | Source Address = private inside local address | Destination Address
Translated header: Version | Hdr Len | Type of Service | Total Length ... | Source Address = inside global address | Destination Address (unchanged)

Page 9:

NAT Implementations

- Static NAT: one-to-one mapping of an internal IP address to a specific external address.
- Dynamic NAT: many-to-many mapping of a pool of internal addresses to a pool of external addresses.

Page 10:

Static NAT: one-to-one mapping

In this scenario, only the specific machines defined in the static translation can have Internet access.

Page 11:

Dynamic NAT uses an address pool

Machines 1.3, 1.4 and 1.5 currently have an outside translation. Additional machine addresses are allowed when one of these finishes its session.

Page 12:

Port Address Translation

Multiple inside local addresses are translated into a single outside global (routable) address.

Page 13:

Configuring NAT

Regardless of whether it is NAT (static or dynamic) or PAT, the inside and outside interfaces must be defined.

Page 14:

Implementing Static NAT

- On the Perimeter router in global configuration mode:
  Perimeter(config)#ip nat inside source static 172.16.1.3 201.1.1.1
- On the Perimeter router fa0/0 port:
  Perimeter(config-if)#ip nat inside
- On the Perimeter router s0/0 port:
  Perimeter(config-if)#ip nat outside

Repeat the first line for each inside-to-outside translation.

Page 15:

Verifying the Translation

Router-A#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 201.1.1.1          172.16.1.3         ---                ---

Router-A#debug ip nat
IP: s=172.16.1.3 (Serial0), d=201.1.1.1, len 100, unroutable
ICMP type=8, code=0
IP: s=172.16.1.3 (local), d=201.1.1.1 (Serial0), len 56, sending
ICMP type=3, code=1

Page 16:

Implementing Dynamic NAT

Define a pool and permit addresses into the pool:

(config)#ip nat pool mynetwork 201.1.1.1 201.1.1.31 netmask 255.255.255.224
(config)#access-list 7 permit 172.16.1.0 0.0.0.31
(config)#ip nat inside source list 7 pool mynetwork

Note that the number of addresses in the pool is matched exactly to the number of addresses in the network.

As long as the number of people who need access to the Internet does not exceed 31, we can place as many addresses in the source list as we wish.

How to add another network to the mix with another line:

router(config)#access-list 7 permit 172.17.3.0 0.0.0.63

Again, when the 32nd node attempts to get a translation, an error will occur denying participation because the total address pool has been exceeded.

Page 17:

To set up multiple subnets

- Set up 'ip nat inside' on both Ethernet ports
- Create the pool
- Include both networks in the access list (use a wildcard mask)

Page 18:

To set up multiple subnets

ip nat pool duhpool 201.1.1.1 201.1.1.31 netmask 255.255.255.224
access-list 7 permit 172.16.1.0 0.0.0.255
access-list 7 permit 172.16.3.0 0.0.0.63
ip nat inside source list 7 pool duhpool

Page 19:

Implementing PAT using overload

ip nat pool lotsofthem 201.1.1.1 201.1.1.1 prefix-length 24
ip nat inside source list 7 pool lotsofthem overload

This configures the outside interface to use port numbers to create a many-to-one internal translation table.
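The following Python model is added here and is not part of the presentation or IOS. It works through the pool behaviour described on the dynamic NAT and PAT slides: access-list 7 with its wildcard masks, the 31-address pool mynetwork that refuses the 32nd node, and the single-address pool lotsofthem used with overload. The host addresses and source ports in the demo functions are constructed for the illustration.

```python
"""Toy model of the translation table behind the dynamic NAT and PAT slides.
Added illustration, not IOS code: an access list with IOS wildcard masks picks
the hosts to translate, a dynamic pool gives each host its own inside-global
address and refuses the 32nd host on a 31-address pool, and PAT (overload)
puts every host behind one address by handing out distinct source ports."""
import ipaddress


class PoolExhausted(Exception):
    """No free inside-global address is left in the pool."""


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS access-list semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def permitted(acl, addr: str) -> bool:
    """True when any 'access-list N permit network wildcard' entry matches."""
    return any(wildcard_match(addr, net, wc) for net, wc in acl)


def address_range(first: str, last: str):
    """Expand 'ip nat pool NAME first last' into the list of pool addresses."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]


class DynamicNat:
    """'ip nat inside source list N pool P': one pool address per active host."""

    def __init__(self, acl, pool):
        self.acl, self.pool = acl, list(pool)
        self.table = {}  # inside local -> inside global

    def translate(self, inside_local: str):
        if not permitted(self.acl, inside_local):
            return None  # not matched by the ACL: forwarded untranslated
        if inside_local in self.table:
            return self.table[inside_local]  # an open session keeps its address
        in_use = set(self.table.values())
        free = [g for g in self.pool if g not in in_use]
        if not free:
            raise PoolExhausted(inside_local)  # the 32nd node on a 31-address pool
        self.table[inside_local] = free[0]
        return free[0]

    def release(self, inside_local: str):
        self.table.pop(inside_local, None)  # session finished, address is free again


class Pat:
    """'... pool P overload': all hosts share pool[0], told apart by port."""

    def __init__(self, acl, pool, first_port=1024):
        self.acl, self.shared, self.next_port = acl, pool[0], first_port
        self.table = {}  # (inside local, port) -> (inside global, port)

    def translate(self, inside_local: str, src_port: int):
        if not permitted(self.acl, inside_local):
            return None
        key = (inside_local, src_port)
        if key not in self.table:
            self.table[key] = (self.shared, self.next_port)
            self.next_port += 1
        return self.table[key]


# Constructed scenario using the slide's access-list 7 entries and pools.
ACL_7 = [("172.16.1.0", "0.0.0.31"), ("172.17.3.0", "0.0.0.63")]


def demo_dynamic():
    """Pool 'mynetwork' (201.1.1.1-201.1.1.31) against 31 hosts plus one more."""
    nat = DynamicNat(ACL_7, address_range("201.1.1.1", "201.1.1.31"))
    assigned = [nat.translate(f"172.16.1.{i}") for i in range(1, 32)]
    out = {"translated": sum(g is not None for g in assigned),
           "distinct": len(set(assigned))}
    try:
        nat.translate("172.17.3.10")  # the 32nd node asks for a translation
        out["node32"] = "translated"
    except PoolExhausted:
        out["node32"] = "refused"
    out["outside_acl"] = nat.translate("172.16.2.5")  # no ACL match: None
    nat.release("172.16.1.1")  # one session ends, freeing 201.1.1.1
    out["after_release"] = nat.translate("172.17.3.10")
    return out


def demo_pat():
    """Pool 'lotsofthem' (a single address) with overload against 40 hosts."""
    pat = Pat(ACL_7, address_range("201.1.1.1", "201.1.1.1"))
    entries = [pat.translate(f"172.17.3.{i}", 5000) for i in range(1, 41)]
    return {"hosts": len(entries),
            "distinct_globals": len({g for g, _ in entries}),
            "distinct_ports": len({p for _, p in entries})}
```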

Page 20:

Sample CCNA Question

Use the _____ command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router.

- debug ip nat
- debug ip nat verbose
- show ip nat statistics
- show ip nat translations


Page 22:

CCNA NAT/PAT question

You implement Network Address Translation (NAT) on the network. You verify the NAT configuration on the network. You issue the debug ip nat command on router-F to turn on the debugging. You then issue the show log command to view the debug output. The following is the output of the debug command:

05:32:23: NAT: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [70]
05:32:23: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [70]
05:32:25: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [71]
05:32:25: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [71]
05:32:27: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [72]
05:32:27: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [72]
05:32:29: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [73]
05:32:29: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [73]
05:32:31: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [74]
05:32:31: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [74]

What can you interpret from the above output? (Choose all that apply.)

Page 23:

Choose 2

1. The source address 172.16.11.70 is translated to 10.10.50.4.
2. The source address 10.10.50.4 is translated to 172.16.11.70.
3. The destination address 172.16.11.70 is translated back to 10.10.50.4.
4. The destination address 10.10.50.4 is translated back to 172.16.11.70.
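As an added example, not from the slides, the parser below turns debug ip nat lines like those on page 22 into structured events, so the direction of each translation can be read off the 'a->b' field instead of guessed. The sample text is constructed from the slide's output plus one non-NAT 'debug ip packet' line that the parser must skip; it assumes the IOS convention that an asterisk after NAT marks a fast-switched packet and that the bracketed number is the IP identification field.

```python
"""Parse 'debug ip nat' lines into structured translation events.
Added illustration, not part of the presentation.  In the IOS format 's='
and 'd=' are source and destination, 'a->b' is the address that was
rewritten, 'NAT*' means the packet took the fast-switched path, and the
number in brackets is the IP identification field."""
import re

NAT_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT(?P<fast>\*?): "
    r"s=(?P<src>[\d.]+)(?:->(?P<src_to>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_to>[\d.]+))? \[(?P<ipid>\d+)\]$"
)

# Constructed sample: four lines from the slide and one unrelated debug line.
SAMPLE = """\
05:32:23: NAT: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [70]
05:32:23: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [70]
05:32:25: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [71]
05:32:25: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [71]
IP: s=172.16.1.3 (Serial0), d=201.1.1.1, len 100, unroutable
"""


def parse_line(line: str):
    """Return a dict for a NAT debug line, or None for anything else."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    if f["src_to"]:
        # Source rewritten: inside local -> inside global, packet leaving.
        direction, inside_local, inside_global = "outbound", f["src"], f["src_to"]
    elif f["dst_to"]:
        # Destination rewritten: inside global -> inside local, reply returning.
        direction, inside_local, inside_global = "inbound", f["dst_to"], f["dst"]
    else:
        return None  # a NAT line that rewrote nothing is not a translation event
    return {
        "time": f["ts"],
        "fast_path": f["fast"] == "*",
        "direction": direction,
        "inside_local": inside_local,
        "inside_global": inside_global,
        "ip_id": int(f["ipid"]),
    }


def summarize(text: str):
    """Count events by direction and check that replies reverse the outbound map."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    bindings = {}  # inside local -> inside global, as observed
    consistent = True
    for e in events:
        seen = bindings.setdefault(e["inside_local"], e["inside_global"])
        if seen != e["inside_global"]:
            consistent = False  # the same inside host appeared behind two globals
    return {
        "events": len(events),
        "outbound": sum(e["direction"] == "outbound" for e in events),
        "inbound": sum(e["direction"] == "inbound" for e in events),
        "slow_path": sum(not e["fast_path"] for e in events),
        "bindings": bindings,
        "consistent": consistent,
    }
```

Only the first packet of the conversation is process-switched (plain NAT:), which the slow_path count reflects.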


Page 25:

Sample CCNA Question

You have started to configure Router A as a network address translation (NAT) device. You have defined its Fast Ethernet 0/0 interface as the NAT inside interface and its Serial 0/0 interface as the NAT outside interface.

Using the router simulation, use unabbreviated Cisco Internetwork Operating System (IOS) commands from the console to do the following on Router A:

* Configure access control list (ACL) 1, which permits all addresses in the 172.16.0.0/24 subnet.
* Configure a NAT pool called thepool with addresses 10.1.1.1 through 10.1.1.100, with a subnet mask of 255.255.255.0.
* Configure NAT to translate inside source addresses that match ACL 1 into addresses from the pool thepool.


Page 27:

Solution to the Router A question:

RouterA(config)#access-list 1 permit 172.16.0.0 0.0.0.255
RouterA(config)#ip nat pool thepool 10.1.1.1 10.1.1.100 netmask 255.255.255.0
RouterA(config)#ip nat inside source list 1 pool thepool

Page 28:

CCNA Sample Exam Question

You are the network administrator for your company. You are in the process of implementing Network Address Translation (NAT) on the network. You use the following command in the NAT configuration:

ip nat inside source list 8 pool not-overload

Which correctly describes the operation of this command? (Choose all that apply.)

A. This command ensures that any packets received on the inside interface that are permitted by source-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
B. NAT overloading is used.
C. This command ensures that any packets received on the inside interface that are permitted by access-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
D. NAT overloading is not used.

Page 29:

Note: the overload keyword would be at the end of the command if overload were used.

Page 30:

CCNA Exam Sample

The exhibit displays part of your network. You have configured Router A as a network address translation (NAT) device. The following displays part of Router A's configuration:

access-list 1 permit 192.168.3.0 0.0.0.255
ip nat pool newpool 10.1.1.1 10.1.1.100 netmask 255.255.255.0
ip nat inside source list 1 pool newpool
interface fastethernet 0/0
 ip address 192.168.3.7 255.255.255.0
 ip nat inside
interface serial 0/0
 ip address 192.168.2.7 255.255.255.0
 ip nat outside
router rip
 network 192.168.2.0
 network 192.168.3.0

While you are testing, you discover that Host A cannot ping Host B. What should you do to resolve this issue? (Choose two statements.)

A. Change access-list 1 permit 192.168.3.0 0.0.0.255 to access-list 1 permit 10.0.0.0 0.255.255.255.
B. Change ip nat inside on interface fastethernet 0/0 to ip nat outside.
C. Change network 192.168.3.0 to network 10.0.0.0.
D. Add a loopback interface with an Internet Protocol (IP) address in the network 192.168.3.0 address space.
E. Add a loopback interface with an Internet Protocol (IP) address in the network 10.0.0.0 address space.
F. Change ip nat outside on interface serial 0/0 to ip nat inside.


Page 32:

Lab Activity for NAT-PAT

Note that switches A and B are not used in this lab.

Router C is needed to make use of the 'debug ip nat' commands.

Page 33:

Summary Questions

- What is the difference between NAT and PAT?
- What might be a situation in which you might use both NAT and PAT?
- How can NAT/PAT enhance security?
- How might a Layer 2 encryption cause problems for NAT?
- Which interface is the 'ip nat inside' command applied to?