PAT

Physical Lab 6

This lab uses Cisco IOS 15.1(4)M10 on a Cisco ISR1841 box.

PAT (Port Address Translation) is also called NAPT (Network Address Port Translation).
When people simply say "NAT", in many cases they mean NAPT.

192.168.10.210
192.168.10.211

172.16.2.0/24

Configuration with interface

conf t
!
access-list 1 permit 172.16.2.0 0.0.0.255
!
ip nat inside source list 1 interface f0/1 overload
!
int f0/0
ip nat inside
exit
int f0/1
ip nat outside
exit
!
end

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#
R1(config)#
R1(config)#
R1(config)#acce
R1(config)#access-list 1 per
R1(config)#access-list 1 permit 172.16.2.0 0.0.0.255
R1(config)#ip nat
R1(config)#ip nat insi
R1(config)#ip nat inside sour
R1(config)#ip nat inside source lis
R1(config)#ip nat inside source list 1 inter
R1(config)#ip nat inside source list 1 interface f0/1 over
R1(config)#ip nat inside source list 1 interface f0/1 overload
R1(config)#
*Apr 10 12:13:29.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config)#int f0/0
R1(config-if)#ip nat insi
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int f0/1
R1(config-if)#ip nat outsi
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#end
R1#
*Apr 10 12:19:33.091: %SYS-5-CONFIG_I: Configured from console by console
R1#

Verification

% ssh pi@172.16.2.11
% ssh pi@172.16.2.12
% ssh pi@172.16.2.13
ping 172.16.2.1 -c2
ping 192.168.10.210 -c2
ping 8.8.8.8
ping 8.8.8.8 -c4
sh ip nat statistics
sh ip nat translations
sh ip nat translations verbose
sh ip access-lists
sh ip int f0/0 | i (translation|NAT)
sh ip int f0/1 | i (translation|NAT)
sh run | i nat

pi@pi1:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.95 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.66 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.660/1.805/1.951/0.151 ms
pi@pi1:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=2.23 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.53 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.537/1.886/2.236/0.352 ms
pi@pi1:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=9.80 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.79 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.793/10.012/10.438/0.311 ms
pi@pi1:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.76 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=10.4 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.760/10.098/10.465/0.263 ms
pi@pi1:~ $
pi@pi2:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.86 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.61 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.613/1.739/1.865/0.126 ms
pi@pi2:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.70 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=2.03 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.706/1.868/2.030/0.162 ms
pi@pi2:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.89 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.891/10.129/10.326/0.179 ms
pi@pi2:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=9.91 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.76 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=10.1 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 9.762/10.080/10.503/0.305 ms
pi@pi2:~ $
pi@pi3:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.62 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.65 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.621/1.637/1.653/0.016 ms
pi@pi3:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.53 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.80 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.530/1.669/1.808/0.139 ms
pi@pi3:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=9.84 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.95 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.846/10.098/10.500/0.309 ms
pi@pi3:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.98 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=10.1 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 9.986/10.151/10.422/0.206 ms
pi@pi3:~ $
R1#sh ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 6, occurred 00:03:54 ago
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 96  Misses: 0
CEF Translated packets: 96, CEF Punted packets: 0
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet0/1 refcount 3

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.10.210:6754 172.16.2.11:6754 8.8.8.8:6754       8.8.8.8:6754
icmp 192.168.10.210:7716 172.16.2.12:7716 8.8.8.8:7716       8.8.8.8:7716
icmp 192.168.10.210:6899 172.16.2.13:6899 8.8.8.8:6899       8.8.8.8:6899
R1#sh ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.10.210:6754 172.16.2.11:6754 8.8.8.8:6754       8.8.8.8:6754
    create 00:01:19, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 8, lc_entries: 0
icmp 192.168.10.210:7716 172.16.2.12:7716 8.8.8.8:7716       8.8.8.8:7716
    create 00:01:19, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 9, lc_entries: 0
icmp 192.168.10.210:6899 172.16.2.13:6899 8.8.8.8:6899       8.8.8.8:6899
    create 00:01:19, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 7, lc_entries: 0
R1#sh ip access-lists
Standard IP access list 1
    10 permit 172.16.2.0, wildcard bits 0.0.0.255 (9 matches)
R1#sh ip int f0/0 | i (translation|NAT)
  Network address translation is enabled, interface in domain inside
  Output features: NAT Inside, Stateful Inspection, NAT ALG proxy
R1#sh ip int f0/1 | i (translation|NAT)
  Network address translation is enabled, interface in domain outside
  Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Stateful Inspection, NAT ALG proxy
R1#sh run | i nat
 ip nat inside
 ip nat outside
ip nat inside source list 1 interface FastEthernet0/1 overload
R1#

Configuration with pool

conf t
!
ip nat pool PG1X-POOL 192.168.10.211 192.168.10.211 netmask 255.255.255.0
!
access-list 1 permit 172.16.2.0 0.0.0.255
!
ip nat inside source list 1 pool PG1X-POOL overload
!
int f0/0
ip nat inside
exit
int f0/1
ip nat outside
exit
!
end

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip nat
R1(config)#ip nat po
R1(config)#ip nat poo
R1(config)#ip nat pool PG1X-POOL 192.168.10.211 192.168.10.211 netma
R1(config)#$ PG1X-POOL 192.168.10.211 192.168.10.211 netmask 255.255.255.0
R1(config)#
*Apr 10 21:50:29.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config)#acce
R1(config)#access-list 1 permi
R1(config)#access-list 1 permit 172.16.2.0 0.0.0.255
R1(config)#ip nat insi
R1(config)#ip nat inside sour
R1(config)#ip nat inside source li
R1(config)#ip nat inside source list 1 poo
R1(config)#ip nat inside source list 1 pool PG1X-POOL overlo
R1(config)#ip nat inside source list 1 pool PG1X-POOL overload
R1(config)#int f0/0
R1(config-if)#ip nat insi
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int f0/1
R1(config-if)#ip nat out
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#end
R1#
*Apr 10 21:58:37.327: %SYS-5-CONFIG_I: Configured from console by console
R1#

Verification

% ssh pi@172.16.2.11
% ssh pi@172.16.2.12
% ssh pi@172.16.2.13
ping 172.16.2.1 -c2
ping 192.168.10.210 -c2
ping 8.8.8.8 -c4
ping 8.8.8.8
sh ip nat statistics
sh ip nat translations
sh ip nat translations verbose
sh ip access-lists
sh ip int f0/0 | i (translation|NAT)
sh ip int f0/1 | i (translation|NAT)
sh run | i nat

pi@pi1:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.98 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.61 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.610/1.799/1.988/0.189 ms
pi@pi1:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.14 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.26 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.142/1.202/1.262/0.060 ms
pi@pi1:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=11.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=10.0 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.038/10.464/11.612/0.671 ms
pi@pi1:~ $
pi@pi2:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.71 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.62 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.627/1.673/1.719/0.046 ms
pi@pi2:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.20 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.20 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.202/1.205/1.208/0.003 ms
pi@pi2:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=11.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=9.80 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 9.802/10.393/11.540/0.678 ms
pi@pi2:~ $
pi@pi3:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.84 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.73 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.731/1.787/1.844/0.070 ms
pi@pi3:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.15 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.12 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.122/1.139/1.156/0.017 ms
pi@pi3:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=9.67 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.75 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=10.0 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 9.674/9.941/10.298/0.265 ms
pi@pi3:~ $
R1#sh ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Peak translations: 6, occurred 00:00:35 ago
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 240  Misses: 0
CEF Translated packets: 240, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool PG1X-POOL refcount 3
 pool PG1X-POOL: netmask 255.255.255.0
        start 192.168.10.211 end 192.168.10.211
        type generic, total addresses 1, allocated 1 (100%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1#sh ip nat tras
R1#sh ip nat trans
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.10.211:7042 172.16.2.11:7042 8.8.8.8:7042       8.8.8.8:7042
icmp 192.168.10.211:8160 172.16.2.12:8160 8.8.8.8:8160       8.8.8.8:8160
icmp 192.168.10.211:7191 172.16.2.13:7191 8.8.8.8:7191       8.8.8.8:7191
R1#sh ip nat trasn
R1#sh ip nat transla
R1#sh ip nat translations verbo
R1#sh ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.10.211:7042 172.16.2.11:7042 8.8.8.8:7042       8.8.8.8:7042
    create 00:01:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 6, lc_entries: 0
icmp 192.168.10.211:8160 172.16.2.12:8160 8.8.8.8:8160       8.8.8.8:8160
    create 00:01:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 5, lc_entries: 0
icmp 192.168.10.211:7191 172.16.2.13:7191 8.8.8.8:7191       8.8.8.8:7191
    create 00:01:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 4, lc_entries: 0
R1#sh ip acc
R1#sh ip acce
R1#sh ip access-lists
Standard IP access list 1
    10 permit 172.16.2.0, wildcard bits 0.0.0.255 (6 matches)
R1#sh ip access-lists
Standard IP access list 1
    10 permit 172.16.2.0, wildcard bits 0.0.0.255 (6 matches)
R1#sh ip int f0/0 | i (translation|NAT)
  Network address translation is enabled, interface in domain inside
  Output features: NAT Inside, Stateful Inspection, NAT ALG proxy
R1#sh ip int f0/1 | i (translation|NAT)
  Network address translation is enabled, interface in domain outside
  Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Stateful Inspection, NAT ALG proxy
R1#sh run | i nat
 ip nat inside
 ip nat outside
ip nat pool PG1X-POOL 192.168.10.211 192.168.10.211 netmask 255.255.255.0
ip nat inside source list 1 pool PG1X-POOL overload
R1#
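
Added example, not part of the original page: with PAT every inside host leaves through one shared address, so the translation table is the only record of which host used which port (or ICMP identifier). The Python below parses the `sh ip nat translations` rows from the pool-based run above, maps a shared inside-global address and port back to the inside host, and checks each translated inside-local address against the wildcard of access-list 1. The function names are this example's own.

```python
import ipaddress
import re
from typing import NamedTuple

# Rows copied from the pool-based "sh ip nat translations" output above.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.10.211:7042 172.16.2.11:7042 8.8.8.8:7042       8.8.8.8:7042
icmp 192.168.10.211:8160 172.16.2.12:8160 8.8.8.8:8160       8.8.8.8:8160
icmp 192.168.10.211:7191 172.16.2.13:7191 8.8.8.8:7191       8.8.8.8:7191
"""

class Xlate(NamedTuple):
    proto: str
    inside_global: tuple   # (ip, port or ICMP identifier)
    inside_local: tuple
    outside_global: tuple

ROW = re.compile(r"^(icmp|tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)"
                 r"\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")

def parse_translations(text):
    """Parse extended (PAT) rows; the header, prompts and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            g = m.groups()
            rows.append(Xlate(g[0], (g[1], int(g[2])), (g[3], int(g[4])),
                              (g[7], int(g[8]))))
    return rows

def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def attribute(rows, proto, global_ip, global_port):
    """Return the inside-local (ip, port) behind a shared inside-global ip:port."""
    for r in rows:
        if r.proto == proto and r.inside_global == (global_ip, global_port):
            return r.inside_local
    return None

def outside_acl(rows, base="172.16.2.0", wildcard="0.0.0.255"):
    """Inside-local addresses that were translated but do not match access-list 1."""
    return sorted({r.inside_local[0] for r in rows
                   if not wildcard_match(r.inside_local[0], base, wildcard)})
```

The verbose output above shows these ICMP entries with less than a minute left before they expire, so the table has to be captured close to the event for this kind of attribution to work.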

tech/network/cisco/pat/pat.txt · Last modified: 2018/04/11 08:35 by wnoguchi