[Notes] Network Planning and Administration: Internet Access

Miguel Menéndez

Internet access.

Static NAT

Static NAT reserves a public IP exclusively for one machine inside the local network. On the router that goes out to the Internet:

Router(config)# int Se2/0
Router(config-if)# ip nat outside
Router(config)# int Fa0/0
Router(config-if)# ip nat inside

(Se2/0 is the adapter on the Internet side -outside-, Fa0/0 is the adapter on the internal side of the local network -inside-)

And we create a substitution rule:

Router(config)# ip nat inside source static 10.0.0.5 198.64.126.5

(In an inside source rule, the first IP is the private/internal one, 10.0.0.5, and the second is the public/external one, 198.64.126.5)

Dynamic NAT

Dynamic NAT is used so that the machines of a local network go out to the Internet with a public IP obtained from a range (pool) of several public IPs. On the router that goes out to the Internet:

Router(config)# int Se2/0
Router(config-if)# ip nat outside
Router(config)# int Fa0/0
Router(config-if)# ip nat inside

(Se2/0 is the adapter on the Internet side -outside-, Fa0/0 is the adapter on the internal side of the local network -inside-)

With the public IP range going from 198.64.126.10 to 198.64.126.20:

Router(config)# ip nat pool PoolName 198.64.126.10 198.64.126.20 netmask 255.255.255.0

We create a standard ACL allowing private IPs to use the newly created pool:

Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255

(Remember: standard (1-99) and extended (100-199) ACLs, that’s why 10 in the example. 10.0.0.0 is the internal network and 0.255.255.255 is the wildcard)

And we associate that ACL with the pool:

Router(config)# ip nat inside source list 10 pool PoolName

(10 is the number of the ACL)

Dynamic NAT overloaded with public IP different from the one assigned to the adapter going out to the Internet

Overloaded dynamic NAT is used so that the machines of a local network go out to the Internet with a public IP obtained from a range (pool) formed by a single public IP different from the one assigned to the adapter that goes out to the Internet. On the router that goes out to the Internet:

Router(config)# int Se2/0
Router(config-if)# ip nat outside
Router(config)# int Fa0/0
Router(config-if)# ip nat inside

(Se2/0 is the adapter on the Internet side -outside-, Fa0/0 is the adapter on the internal side of the local network -inside-)

With the pool consisting of the single public IP 198.64.126.2:

Router(config)# ip nat pool nameOfTheOtherPool 198.64.126.2 198.64.126.2 netmask 255.255.255.0

We create a standard ACL allowing private IPs to use the newly created pool:

Router(config)# access-list 20 permit 10.0.0.0 0.255.255.255

(Remember: standard (1-99) and extended (100-199) ACLs, that’s why 20 in the example. 10.0.0.0 is the internal network and 0.255.255.255 is the wildcard)

And we associate that ACL with the pool:

Router(config)# ip nat inside source list 20 pool nameOfTheOtherPool overload

(20 is the number of the ACL, note the overload)

Dynamic NAT overloaded with the public IP assigned to the adapter going out to the Internet

Overloaded dynamic NAT is used so that the machines of a local network go out to the Internet with the public IP assigned to the adapter that goes out to the Internet. On the router that goes out to the Internet:

Router(config)# int Se2/0
Router(config-if)# ip nat outside
Router(config)# int Fa0/0
Router(config-if)# ip nat inside

(Se2/0 is the adapter on the Internet side -outside-, Fa0/0 is the adapter on the internal side of the local network -inside-)

We create a standard ACL selecting the private IPs that are allowed to be translated:

Router(config)# access-list 30 permit 10.0.0.0 0.255.255.255

(Remember: standard (1-99) and extended (100-199) ACLs, that’s why 30 in the example. 10.0.0.0 is the internal network and 0.255.255.255 is the wildcard)

And we associate that ACL with the internet adapter (outside):

Router(config)# ip nat inside source list 30 interface Se2/0 overload

(30 is the number of the ACL, note the overload)
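
A consistency check for the NAT statements used in the sections above, as an added Python example (not part of the original notes): it flags a rule whose pool or ACL is never defined, a missing inside/outside interface, and a pool used without overload, where each translated host occupies one pool address. The sample config is constructed and lint_nat is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample based on the overloaded-pool section above; the pool name
# in the last line is deliberately spelled differently from its definition.
SAMPLE = """\
interface Serial2/0
 ip nat outside
interface FastEthernet0/0
 ip nat inside
ip nat pool nameOfTheOtherPool 198.64.126.2 198.64.126.2 netmask 255.255.255.0
access-list 20 permit 10.0.0.0 0.255.255.255
ip nat inside source list 20 pool NameOfOtherPool overload
"""

def lint_nat(config):
    """Return a list of findings for the NAT statements in an IOS config text."""
    pools, acls, roles, rules = {}, set(), set(), []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) ", line):
            first, last = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            pools[m.group(1)] = last - first + 1      # addresses in the pool
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles.add(m.group(1))                     # interface-level statement
        elif m := re.match(r"ip nat inside source list (\d+) (pool|interface) (\S+)(.*)", line):
            rules.append((m.group(1), m.group(2), m.group(3),
                          "overload" in m.group(4).split()))
    findings = [f"no interface marked 'ip nat {r}'"
                for r in ("inside", "outside") if r not in roles]
    for acl, kind, target, overload in rules:
        if acl not in acls:
            findings.append(f"rule references undefined ACL {acl}")
        if kind == "pool" and target not in pools:
            findings.append(f"rule references undefined pool {target}")
        elif kind == "pool" and not overload:
            findings.append(f"pool {target}: {pools[target]} addresses, no overload, "
                            f"so at most {pools[target]} inside hosts translated at once")
    return findings

if __name__ == "__main__":
    for finding in lint_nat(SAMPLE):
        print(finding)
```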

DHCP and dynamic NAT overloaded with the public IP assigned to the adapter going out to the Internet

Given an internal network 192.168.0.0/24 and a router that goes out to the Internet with the public IP 85.152.32.14 (and faces the internal network with 192.168.0.254), we want the router to assign private IPs from 192.168.0.128 to 192.168.0.191, so we have to exclude the IPs from 192.168.0.1 to .127 and from .192 to .254. On the router that goes out to the Internet:

Router(config)# ip dhcp excluded-address 192.168.0.1 192.168.0.127
Router(config)# ip dhcp excluded-address 192.168.0.192 192.168.0.254

We define the pool of private addresses to be assigned to the devices of the internal network that request them:

Router(config)# ip dhcp pool PoolName
Router(dhcp-config)# network 192.168.0.0 255.255.255.0

We establish the gateway and DNS to offer to the devices that are configured by DHCP:

Router(dhcp-config)# default-router 192.168.0.254
Router(dhcp-config)# dns-server 1.1.1.1
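
A way to confirm what the exclusions above leave available, as an added Python example (not part of the original notes): it reads the DHCP commands, subtracts the excluded ranges from the pool's network, and reports the leasable range and whether the gateway address is protected from being leased. The sample text is constructed from the commands above and dhcp_leasable is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed from the DHCP commands in the section above.
SAMPLE = """\
ip dhcp excluded-address 192.168.0.1 192.168.0.127
ip dhcp excluded-address 192.168.0.192 192.168.0.254
ip dhcp pool PoolName
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server 1.1.1.1
"""

def dhcp_leasable(config):
    """Return (first, last, count, gateway_excluded) for the pool in `config`."""
    ip = ipaddress.IPv4Address
    excluded, net, gateway = [], None, None
    for line in map(str.strip, config.splitlines()):
        # The upper bound is optional: one address can be excluded on its own.
        if m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            low = ip(m.group(1))
            excluded.append((low, ip(m.group(2)) if m.group(2) else low))
        elif m := re.match(r"network (\S+) (\S+)$", line):
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"default-router (\S+)", line):
            gateway = ip(m.group(1))

    def is_excluded(addr):
        return any(low <= addr <= high for low, high in excluded)

    # hosts() already leaves out the network and broadcast addresses.
    free = [a for a in net.hosts() if not is_excluded(a)]
    return str(free[0]), str(free[-1]), len(free), is_excluded(gateway)

if __name__ == "__main__":
    first, last, count, gw_safe = dhcp_leasable(SAMPLE)
    print(f"leasable: {first} - {last} ({count} addresses)")
    print("gateway excluded from leases:", gw_safe)
```

If the second excluded-address line is left out, the router's own address 192.168.0.254 falls inside the leasable range, which the last returned value exposes.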

From here, overloaded dynamic NAT is configured as before. On the router that goes out to the Internet:

Router(config)# int Se2/0
Router(config-if)# ip nat outside
Router(config)# int Fa0/0
Router(config-if)# ip nat inside

(Se2/0 is the adapter on the Internet side -outside-, Fa0/0 is the adapter on the internal side of the local network -inside-)

We create a standard ACL selecting the private IPs that are allowed to be translated:

Router(config)# access-list 10 permit 192.168.0.0 0.0.0.255

(Remember: standard (1-99) and extended (100-199) ACLs, that’s why 10 in the example. 192.168.0.0 is the internal network and 0.0.0.255 is the wildcard)

And we associate that ACL with the internet adapter (outside):

Router(config)# ip nat inside source list 10 interface Se2/0 overload

(10 is the number of the ACL, note the overload)
