Cisco 4 – NAT, PAT and DHCP
Cisco 3 covered 3 IP scaling solutions – VLSM, CIDR and IPv6
Other solutions are private addressing, NAT and PAT, and DHCP
Private addressing = RFC 1918
Class A = 10.0.0.0 – 10.255.255.255
Class B = 172.16.0.0 – 172.31.255.255
Class C = 192.168.0.0 – 192.168.255.255
Cannot be routed across the Internet (non-routable)
NAT = network address translation
• Enables internal networks that use private IP addresses to connect to the Internet by translating the address to a globally registered IP address
• Stores the mapping of local to global address in the NAT table
• Adds some security by hiding internal IP addresses from outside hosts
• Typically operates at the border of a stub network (single connection to a neighbor network)
• Private inside addresses = inside local
• Public addresses = inside global
• Can be assigned dynamically or statically
o Static NAT: one-to-one mappings, used for internal hosts that must be reachable from the Internet (DNS or mail server)
o Dynamic NAT maps internal IP addresses to a pool of available registered IP addresses
PAT = port address translation
• NAT configured to advertise only one address for the entire internal network to the outside world
• Also called “static PAT”, “address overloading” or “many-to-one”
• Appends a unique source port number to each translation to the outside IP address
• 65,536 ports are available per outside address, so up to that many internal translations can share one outside address
• Attempts to assign the first available port number; if it is already allocated, assigns the next one
Configure static NAT
Statically maps an inside local address to an inside global address
One-for-one mapping
1. Global configuration mode
ip nat inside source static local-ip global-ip
2. Ethernet interface (inside local)
ip nat inside
3. Serial interface (inside global)
ip nat outside
Configure dynamic NAT
Global configuration
1. Access list permits addresses to be translated
access-list num permit inside-ip-net wildcard-mask
2. Define the pool of inside global addresses available for translating inside local addresses, using either:
(a) an address range (start and end must be in the same subnet)
ip nat pool pool-name outside-start-ip outside-end-ip netmask subnet-mask
or (b) an entire subnet
ip nat pool pool-name outside-subnet-pool netmask subnet-mask
3. Assign access list to pool
ip nat inside source list access-list-num pool pool-name
4. Ethernet interface (inside local)
ip nat inside
5. Serial interface (inside global)
ip nat outside
Configure PAT (NAT overloading)
1. Access list permits inside addresses to be translated (see dynamic NAT)
access-list num permit inside-ip-net wildcard-mask
2. Define pool of inside global addresses (see dynamic NAT)
ip nat pool pool-name outside-start-ip outside-end-ip netmask subnet-mask
3. Establish the overload translation using either
(a) a specific interface (the interface IP address is used as the outside address)
ip nat inside source list access-list-num interface outside-interface overload
or (b) a specific pool (the pool addresses are used as outside addresses)
ip nat inside source list access-list-num pool pool-name overload
4. Ethernet interface (inside local)
ip nat inside
5. Serial interface (inside global)
ip nat outside
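A complete worked configuration for the static NAT and PAT procedures above, added here as an example and not taken from the notes or from Cisco; the interface names and the 192.168.10.0/24 and 203.0.113.0/29 addresses are constructed (203.0.113.0/24 is a documentation prefix, not a real public allocation).

```cisco
! Added example (not from the original notes). Constructed addressing:
! inside LAN 192.168.10.0/24 on FastEthernet0/0, provider link on Serial0/0/0
! with the public block 203.0.113.0/29 (documentation prefix).
!
! Mark the inside local and inside global interfaces
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Static NAT: the internal mail server must be reachable from the Internet,
! so it gets a fixed one-to-one mapping; static entries are permanent and
! are matched before any dynamic translation is created
ip nat inside source static 192.168.10.25 203.0.113.3
!
! Access list selecting which inside addresses may be translated.
! Keep it to the subnets that need Internet access; the implicit deny at
! the end leaves everything else untranslated.
access-list 1 permit 192.168.10.0 0.0.0.255
!
! PAT (overload): every host matched by list 1 shares the Serial0/0/0
! address, distinguished by a unique source port in the translation table
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Alternative for the same list (use one or the other, not both):
! dynamic NAT from a pool of public addresses inside the /29
! ip nat pool PUBPOOL 203.0.113.4 203.0.113.6 netmask 255.255.255.248
! ip nat inside source list 1 pool PUBPOOL
!
! Verify from privileged EXEC mode:
!   show ip nat translations   (the static entry plus one line per active flow)
!   show ip nat statistics     (hits/misses, inside and outside interfaces)
!   debug ip nat               (per-packet s=inside-local->inside-global)
```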
Verify NAT and PAT
clear ip nat translation *
clears all dynamic entries from the NAT translation table
clear ip nat translation inside global-ip local-ip
clears a single dynamic translation entry
show ip nat translations
displays active translations
show ip nat statistics
displays translation statistics
Troubleshoot NAT and PAT
debug ip nat
displays every packet translated by the router; in the output:
s= source address
-> the source on the left is translated to the IP address on the right
d= destination address
Advantages
Conserves public addresses by allowing private addressing within LAN
Provides flexibility in connection to public network
Pools, backup pools, load-sharing pools
Supports ICMP, FTP, NetBIOS, DNS “A” and “PTR”
Disadvantages
Increases delay
Loss of end-to-end traceability
Supports TCP/UDP traffic only when it does not carry source or destination IP addresses inside the application data
Does NOT support routing table updates, DNS zone transfers, BOOTP, SNMP
DHCP = Dynamic Host Configuration Protocol
Routers, servers and other key nodes require a specific (static) IP address
Clients can use an IP from a pool of available addresses
Minimum host configuration for Internet:
IP address
Subnet mask
Default gateway
DNS server IP
DHCP allows the network administrator to assign a pool of available IP addresses for clients, together with additional configuration information such as default gateway, DNS IP, WINS IP and domain name
Addresses are leased; the Cisco default lease is 24 hours
DHCP process
• Client boots up and sends a DHCPDISCOVER broadcast
• All available DHCP servers respond with a DHCPOFFER containing the proposed IP address, lease time and DNS IP; before making the offer, the server checks that the offered IP is not in use by issuing (by default) 2 pings
• Client responds to the first offer with a DHCPREQUEST broadcast
• The server whose offer was requested sends a DHCPACK and records the lease; all other servers withdraw their offers
• If the client detects that the address is already in use, it sends a DHCPDECLINE and starts the process over
Configure DHCP
The DHCP server service is enabled by default
Disable with no service dhcp
Re-enable with service dhcp
1. Global configuration mode
ip dhcp pool pool-name
2. Within DHCP configuration mode:
(a) Must define the pool of available IP addresses; they must all be in the same subnet
network ip-address [ mask | /prefix-length ]
(b) Can assign default gateway, domain name, DNS server IP, WINS server IP
default-router gateway-addr
domain-name domain
dns-server ip-addr
netbios-name-server ip-addr
lease days [hours [minutes]]
3. Can exclude range of addresses from pool, global configuration mode
ip dhcp excluded-address ip-addr [end-ip-range]
Verify DHCP operation
show ip dhcp binding
show ip dhcp conflict
show ip dhcp database
show ip dhcp statistics
Troubleshoot DHCP operation
debug ip dhcp server events
debug ip dhcp server packets
debug ip dhcp server linkage
DHCP Relay
DHCP uses broadcast, which would require a DHCP server to reside in each network segment
• Server overhead
• Administrative nightmare
• Other critical services also use broadcast (TFTP, DNS)
Cisco IOS helper address = relay agent
• Intercepts UDP broadcasts and forwards them to a specific IP address (a server on another segment)
• For DHCP, fills in the router's interface IP address as the gateway IP; the DHCP server assigns an address from the pool on the same subnet as that gateway IP
Configure DHCP relay
Interface mode, on the interface facing the clients that need DHCP service
ip helper-address dhcp-ip-addr
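A worked configuration covering both the DHCP server procedure (pool, options, lease, excluded addresses) and the relay procedure above, added here as an example and not taken from the notes or from Cisco; the router names R1 and R2, interface names, example.com and the 192.168.10.0/24 and 192.168.20.0/24 addresses are constructed.

```cisco
! Added example (not from the original notes). Constructed topology:
! R1 is the DHCP server on 192.168.10.0/24 (FastEthernet0/0 = 192.168.10.1);
! a second LAN 192.168.20.0/24 sits behind R2 (FastEthernet0/0 = 192.168.20.1),
! which relays its clients' broadcasts to R1.
!
! ---- R1: DHCP server ----
! service dhcp is on by default; exclude router, server and other static
! addresses BEFORE defining pools so they are never leased to clients
ip dhcp excluded-address 192.168.10.1 192.168.10.30
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool LAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.25
 domain-name example.com
 lease 0 8
!
! Pool for the remote segment: selected because the relayed request carries
! R2's interface address 192.168.20.1 as the gateway IP, which falls in
! this network
ip dhcp pool LAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.10.25
 domain-name example.com
 lease 1
!
! ---- R2: relay agent ----
! Configured only on the client-facing interface; the helper turns the
! DHCPDISCOVER broadcast into a unicast to R1. Other UDP broadcasts (TFTP,
! DNS, NetBIOS, ...) are forwarded too unless disabled per port, e.g.
! no ip forward-protocol udp 69
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.1
!
! Verify on R1 from privileged EXEC mode:
!   show ip dhcp binding     (leases issued, including those for LAN20)
!   show ip dhcp conflict    (addresses found in use by the ping check)
```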