Static NAT

Physical Lab 6

Using Cisco IOS 15.1(4)M10 on a Cisco ISR1841 box.

R1#sh ver | i Version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)
% ssh pi@172.16.2.11
% ssh pi@172.16.2.12
% ssh pi@172.16.2.13
ping 172.16.2.1 -c2
ping 192.168.10.210 -c2
ping 8.8.8.8
ping 8.8.8.8 -c4
pi@pi1:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.16.2.11 icmp_seq=1 Destination Host Unreachable
From 172.16.2.11 icmp_seq=2 Destination Host Unreachable
From 172.16.2.11 icmp_seq=3 Destination Host Unreachable
From 172.16.2.11 icmp_seq=4 Destination Host Unreachable
From 172.16.2.11 icmp_seq=5 Destination Host Unreachable
From 172.16.2.11 icmp_seq=6 Destination Host Unreachable
From 172.16.2.11 icmp_seq=7 Destination Host Unreachable
From 172.16.2.11 icmp_seq=8 Destination Host Unreachable
192.168.10.211 - 192.168.10.213
o 172.16.2.11
x 172.16.2.12
x 172.16.2.13
ip nat inside source static 172.16.2.11 192.168.10.211
!
int f0/1
ip nat outside
exit
int f0/0
ip nat inside
exit
R1(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R1(config)#ip nat inside source static 192.168.10.211 172.16.2.11
R1(config)#
*Apr  3 22:53:20.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config)#int f0/1
R1(config-if)#ip nat ou
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#int f0/0
R1(config-if)#ip nat insi
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#end
R1#
*Apr  3 22:54:41.603: %SYS-5-CONFIG_I: Configured from console by console

Let's ping the world… and the SSH connection to pi1 is lost… why?

pi@pi1:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
From 172.16.2.11 icmp_seq=1 Destination Host Unreachable
From 172.16.2.11 icmp_seq=2 Destination Host Unreachable

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1003ms
pipe 2
pi@pi1:~ $ packet_write_wait: Connection to 172.16.2.11 port 22: Broken pipe
✘╹◡╹✘  18-04-04 8:59:54 /home/wnoguchi
% ssh pi@172.16.2.11
ssh: connect to host 172.16.2.11 port 22: Connection refused
pi@pi2:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=4.08 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.32 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.325/2.703/4.081/1.378 ms
pi@pi2:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.17 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.15 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.155/1.166/1.178/0.036 ms
pi@pi3:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=4.09 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.18 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.188/2.640/4.092/1.452 ms
pi@pi3:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.29 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.20 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.207/1.250/1.294/0.056 ms

Looking at the R1 console.

R1#
*Apr  3 22:54:41.603: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Apr  3 22:56:24.979: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 22:57:17.403: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 22:57:48.791: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 22:58:18.827: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 22:59:25.187: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 22:59:55.187: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 23:00:25.191: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 23:00:55.251: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#
*Apr  3 23:01:25.283: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#sh run | sec int
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 192.168.10.210 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
R1#sh run | sec int
*Apr  3 23:05:25.715: %IP-4-DUPADDR: Duplicate address 172.16.2.11 on FastEthernet0/0, sourced by b827.eb8a.3719
R1#sh run | i nat
 ip nat inside
 ip nat outside
ip nat inside source static 192.168.10.211 172.16.2.11

Wrong argument order: the inside local address comes first, then the inside global address.

ip nat inside source static 192.168.10.211 172.16.2.11

Correct command:

no ip nat inside source static 192.168.10.211 172.16.2.11
ip nat inside source static 172.16.2.11 192.168.10.211
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip nat inside source static 192.168.10.211 172.16.2.11
R1(config)#ip nat inside source static 172.16.2.11 192.168.10.211
R1(config)#^Z
R1#
*Apr  3 23:07:48.555: %SYS-5-CONFIG_I: Configured from console by console
pi@pi1:~ $ ping 172.16.2.1 -c2
PING 172.16.2.1 (172.16.2.1) 56(84) bytes of data.
64 bytes from 172.16.2.1: icmp_seq=1 ttl=255 time=1.21 ms
64 bytes from 172.16.2.1: icmp_seq=2 ttl=255 time=1.19 ms

--- 172.16.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.195/1.205/1.215/0.010 ms
pi@pi1:~ $ ping 192.168.10.210 -c2
PING 192.168.10.210 (192.168.10.210) 56(84) bytes of data.
64 bytes from 192.168.10.210: icmp_seq=1 ttl=255 time=1.23 ms
64 bytes from 192.168.10.210: icmp_seq=2 ttl=255 time=1.16 ms

--- 192.168.10.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.169/1.199/1.230/0.046 ms
  • pi1
pi@pi1:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=9.84 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=9.81 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 9.812/10.043/10.385/0.244 ms
  • pi2
pi@pi2:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3004ms
  • pi3
pi@pi3:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3004ms
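
The mistake above can be caught from the configuration alone: a reversed entry puts its inside global address on the `ip nat inside` subnet, which is why R1 logged %IP-4-DUPADDR for 172.16.2.11. The following check is an added example, not part of the original lab notes; the function names are hypothetical and the config and log sample are constructed from the output shown above.

```python
import ipaddress
import re

# Constructed sample, modelled on the `sh run` output and console log above.
CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.10.210 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.10.211 172.16.2.11
"""
LOG = ("*Apr  3 22:56:24.979: %IP-4-DUPADDR: Duplicate address 172.16.2.11 "
       "on FastEthernet0/0, sourced by b827.eb8a.3719")
STATIC_RE = re.compile(r"ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")

def parse_config(text):
    """Return ({'inside': [...], 'outside': [...]} networks, [(local, global)])."""
    nets, statics, cur = {"inside": [], "outside": []}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            cur = None  # new interface: no address seen yet
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cur = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and cur is not None:
            nets[m[1]].append(cur)
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
    return nets, statics

def audit_statics(text):
    """Check each one-to-one static entry against the NAT-inside subnets."""
    nets, statics = parse_config(text)
    on_inside = lambda ip: any(ip in n for n in nets["inside"])
    findings = []
    for local, glob in statics:
        if on_inside(glob) and not on_inside(local):
            verdict = "reversed"          # global sits on the inside LAN
        elif not on_inside(local):
            verdict = "local-not-inside"
        else:
            verdict = "ok"
        findings.append((str(local), str(glob), verdict))
    return findings

def dupaddr_from_nat(log_line, text):
    """True if a %IP-4-DUPADDR address is a configured inside global address."""
    m = re.search(r"%IP-4-DUPADDR: Duplicate address (\S+) on", log_line)
    return bool(m) and m[1] in {g for _, g, _ in audit_statics(text)}
```

Port-specific (`tcp`/`udp`) static entries are ignored by this check; it only covers the one-to-one form used at this step of the lab.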

OK, add a static NAT entry for pi2.

ip nat inside source static 172.16.2.12 192.168.10.212
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip nat inside source static 172.16.2.12 192.168.10.212
R1(config)#^Z
R1#
*Apr  3 23:13:57.987: %SYS-5-CONFIG_I: Configured from console by console
pi@pi2:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=10.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=9.64 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=9.96 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.643/10.355/10.993/0.580 ms

Verify the NAT translation table.

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.211     172.16.2.11        ---                ---
--- 192.168.10.212     172.16.2.12        ---                ---

SSH from the 192.168.10.0/24 subnet.

no ip nat inside source static 172.16.2.12 192.168.10.212
ip nat inside source static tcp 172.16.2.12 22 192.168.10.212 2222 extendable
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip nat inside source static 172.16.2.12 192.168.10.212
R1(config)#ip nat insi
R1(config)#ip nat inside sour
R1(config)#ip nat inside source sta
R1(config)#ip nat inside source static tc
R1(config)#$de source static tcp 172.16.2.12 22 192.168.10.212 2222 ?
  extendable  Extend this translation when used
  forced      Delete this entry and its children, even if in use
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>

R1(config)#$de source static tcp 172.16.2.12 22 192.168.10.212 2222 extenda
R1(config)#$static tcp 172.16.2.12 22 192.168.10.212 2222 extendable
R1(config)#^Z
R1#
*Apr  3 23:28:12.659: %SYS-5-CONFIG_I: Configured from console by console

SSH over TCP 2222 → 22 succeeds, but ping to the world fails because no NAT translation exists for it.

pi@pi2:~ $ ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.211     172.16.2.11        ---                ---
tcp 192.168.10.212:2222 172.16.2.12:22    192.168.10.16:64863 192.168.10.16:64863
tcp 192.168.10.212:2222 172.16.2.12:22    ---                ---

Close the SSH session.

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.211     172.16.2.11        ---                ---
tcp 192.168.10.212:2222 172.16.2.12:22    ---                ---
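
Why pi2 lost its ping while SSH on port 2222 works, and what each kind of static entry exposes to the outside segment, can be seen by matching packets against the two entries. This is an added example, not part of the original lab notes: a simplified model of static-entry matching (not IOS's implementation), with hypothetical function names.

```python
import re
from typing import NamedTuple, Optional

class StaticNat(NamedTuple):
    local_ip: str
    global_ip: str
    proto: Optional[str] = None   # None = one-to-one entry: any protocol, any port
    local_port: Optional[int] = None
    global_port: Optional[int] = None

# The two static entries configured at the end of the lab above.
CONFIG = """\
ip nat inside source static 172.16.2.11 192.168.10.211
ip nat inside source static tcp 172.16.2.12 22 192.168.10.212 2222 extendable
"""
IP = r"(\d+(?:\.\d+){3})"
PLAIN = re.compile(rf"ip nat inside source static {IP} {IP}")
PORT = re.compile(rf"ip nat inside source static (tcp|udp) {IP} (\d+) {IP} (\d+)")

def parse(text):
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := PORT.match(line):
            entries.append(StaticNat(m[2], m[4], m[1], int(m[3]), int(m[5])))
        elif m := PLAIN.match(line):
            entries.append(StaticNat(m[1], m[2]))
    return entries

def outbound(entries, src_ip, proto, src_port=None):
    """Inside -> outside: translated (ip, port), or None when no entry matches."""
    for e in entries:
        if e.local_ip != src_ip:
            continue
        if e.proto is None:
            return (e.global_ip, src_port)
        if (e.proto, e.local_port) == (proto, src_port):
            return (e.global_ip, e.global_port)
    return None

def inbound(entries, dst_ip, proto, dst_port=None):
    """Outside -> inside: inside (ip, port) reached, or None when nothing matches."""
    for e in entries:
        if e.global_ip != dst_ip:
            continue
        if e.proto is None:
            return (e.local_ip, dst_port)
        if (e.proto, e.global_port) == (proto, dst_port):
            return (e.local_ip, e.local_port)
    return None
```

With these entries, `outbound(parse(CONFIG), "172.16.2.12", "icmp")` returns `None`, matching pi2's failed ping. `inbound` shows the exposure difference: the one-to-one entry for 172.16.2.11 forwards any port, while the TCP entry publishes only SSH on 192.168.10.212:2222.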


tech/network/cisco/static-nat/static-nat.txt · Last modified: 2018/04/04 09:43 by wnoguchi