This post was last edited by 小乔 on 2022-11-25 15:46
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure dynamic NAT using a pool of IP addresses for translation.
Lab Purpose:
NAT configuration is a fundamental skill. Dynamic NAT provides dynamic one-to-one translation between private IP addresses (RFC 1918) and public IP addresses. Dynamic NAT is typically used to provide inside private hosts with access to public or external networks without revealing the private IP addresses of the inside hosts. When dynamic NAT is used, hosts on the outside cannot access hosts on the inside. In other words, dynamic NAT works only when traffic is coming from hosts on the inside. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure dynamic NAT.
Certification Level:
This lab is suitable for CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 8/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 10 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure the hostnames on R1, R2, and Sw1 as illustrated in the topology.
Task 2:
Configure R1 S0/0, which is a DCE, to provide a clock rate of 256 Kbps to R2. Configure the IP addresses on the Serial interfaces of R1 and R2 as illustrated in the topology.
Task 3:
Configure VLAN50 named NAT_VLAN on Sw1. Assign the FastEthernet0/2 interface on Sw1 to this VLAN. Also, configure R1 to allow Telnet access using the password CISCO.
Task 4:
Configure interface VLAN50 on Sw1 and assign it the IP address illustrated in the topology. The default gateway on Sw1 should be 10.2.2.2. Next, configure interface FastEthernet0/0 in R2 and assign it the IP address illustrated in the topology.
Task 5:
Test connectivity by pinging from R1 to R2 and pinging from R2 to Sw1. These should all be successful. However, since R1 does not know about the 10.2.2.0/27 subnet, Sw1 will not be able to ping R1, or vice versa.
Task 6:
Configure R2 F0/0 as the inside NAT interface and S0/0 as the outside NAT interface. Next, create an ACL to permit all IP traffic from the 10.2.2.0/27 subnet to any destination. You can use either a named or numbered ACL.
Task 7:
Create a NAT pool called Dynamic-NAT. The starting IP address in this pool should be 192.168.254.3 and the ending IP address should be 192.168.254.6. This should have the same prefix length as the Serial0/0 subnet.
Task 8:
Configure NAT to translate all addresses permitted by the ACL you created in Task 6 to the pool you created in Task 7.
Task 9:
Ping R1 from Sw1. Next, ping R1 from the FastEthernet0/0 interface of R2 using the ping <ip_address> source <interface> command (it won’t work on Packet Tracer). If you have configured your NAT translation correctly, the ping should be successful. Use the show ip nat translations command to verify your dynamic NAT translations.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on configuring DCE clocking and IP addresses, please refer to earlier labs.
Task 3:
For reference information on configuring VLANs, please refer to earlier labs.
Task 4:
For reference information on configuring Telnet, please refer to earlier labs.
Task 5:
For reference information on pinging, please refer to earlier labs.
Task 6:
R2#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R2(config)#int fa0/0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#int s0/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip access-list extended NAT-ACL
R2(config-ext-nacl)#remark "Permit The 10.2.2.0/27 Subnet To Be NATd"
R2(config-ext-nacl)#permit ip 10.2.2.0 0.0.0.31 any
R2(config-ext-nacl)#end
R2#
Task 7:
R2#conf t
Enter configuration commands, one per line. End with CTRL/Z.
R2(config)#ip nat pool Dynamic-NAT 192.168.254.3 192.168.254.6 prefix-length 29
R2(config)#^Z
R2#
Task 8:
R2#config t
Enter configuration commands, one per line. End with CTRL/Z.
R2(config)#ip nat inside source list NAT-ACL pool Dynamic-NAT
R2(config)#end
R2#
R2#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 53 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-ACL pool Dynamic-NAT refcount 0
pool Dynamic-NAT: netmask 255.255.255.248
start 192.168.254.3 end 192.168.254.6
type generic, total addresses 4, allocated 0 (0%), misses 0
Task 9:
Sw1#ping 192.168.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
R2#ping 192.168.254.1 source fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.254.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.254.3      10.2.2.4           ---                ---
--- 192.168.254.4      10.2.2.2           ---                ---
R2#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 91 Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-ACL pool Dynamic-NAT refcount 2
pool Dynamic-NAT: netmask 255.255.255.248
start 192.168.254.3 end 192.168.254.6
type generic, total addresses 4, allocated 2 (50%), misses 0
NOTE: Now that you have dynamic NAT configured, and you have pinged R1 from the F0/0 interface of R2 as well as from Sw1, you can see two dynamic translations in the NAT table. The first is a translation of the inside address 10.2.2.4 to the outside address of 192.168.254.3, and the second is the translation of the inside address 10.2.2.2 to the outside address of 192.168.254.4. Because the NAT pool only has four total IP addresses allocated, you can see that half of the pool is in use as specified in the line type generic, total addresses 4, allocated 2 (50%), misses 0. Pay attention to the information printed by this command and commit it to memory.
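The allocation behaviour described in the NOTE above, as an added Python model that is not part of the original lab or of Cisco IOS. It reproduces the two translations from the lab and then goes beyond it with constructed hosts (10.2.2.5 to 10.2.2.7 and 10.2.2.40) to show what happens when the four-address pool runs out or a source falls outside the ACL. The names DynamicNat, run_lab and pool_misses are hypothetical, and pool_misses is assumed to correspond to the misses field on the pool line.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

class DynamicNat:
    """Toy model of 'ip nat inside source list NAT-ACL pool Dynamic-NAT'."""

    def __init__(self, acl_net, wildcard, pool_start, pool_end):
        # In an IOS wildcard mask, 1 bits are "don't care"; invert to get the bits compared.
        self.care = ~ip(wildcard) & 0xFFFFFFFF
        self.acl_net = ip(acl_net) & self.care
        self.free = [str(ipaddress.IPv4Address(n))
                     for n in range(ip(pool_start), ip(pool_end) + 1)]
        self.total = len(self.free)
        self.table = {}        # inside local -> inside global, one-to-one
        self.pool_misses = 0   # allocation attempts that found the pool empty

    def translate(self, src):
        """Source address after NAT for an inside-to-outside packet; None if dropped."""
        if (ip(src) & self.care) != self.acl_net:
            return src                     # not permitted by the ACL: left untranslated
        if src not in self.table:
            if not self.free:
                self.pool_misses += 1      # no overload configured, so no address to give
                return None
            self.table[src] = self.free.pop(0)
        return self.table[src]

    def allocated(self):
        used = len(self.table)
        return used, self.total, 100 * used // self.total

def run_lab():
    nat = DynamicNat("10.2.2.0", "0.0.0.31", "192.168.254.3", "192.168.254.6")
    # Addresses from the lab's translation table, in the order the pings were sent.
    seen = [nat.translate("10.2.2.4"), nat.translate("10.2.2.2")]
    after_lab = nat.allocated()
    # Constructed extra hosts: two more fill the pool, the fifth gets nothing.
    extra = [nat.translate(h) for h in ("10.2.2.5", "10.2.2.6", "10.2.2.7")]
    outside_acl = nat.translate("10.2.2.40")   # beyond the /27, so never translated
    return seen, after_lab, extra, outside_acl, nat

if __name__ == "__main__":
    seen, after_lab, extra, outside_acl, nat = run_lab()
    print(seen, after_lab, extra, outside_acl, nat.pool_misses)
```

The /27 behind the ACL holds 30 usable host addresses against a pool of four, so a one-to-one pool of this size serves only the first four inside hosts to send traffic until entries expire.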