I thought I’d go over two NAT concepts really quickly: NAT pools and static NAT.
NAT Pools – When you overload a single IP, what you are really consuming is the supply of source ports on that one public address: every connection from an inside host is rewritten to that IP plus a unique port, and the router keeps a table mapping each (public IP, port) pair back to the inside address.
Once you have even a few PCs you can see from the translation table that a great many ports are in use, and while these translations tend to get torn down quickly, it is still quite possible to run out. It really just depends on how many active clients you have to NAT.
To overcome this, you can create a pool of external IPs to overload. The router keeps allocating from the first address until it has no free ports left, then simply moves on to the next IP in the pool.
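To make the roll-over concrete, here is a small Python model of that allocation. It is an added example, not code from the original post, and it simplifies IOS: the addresses are RFC 5737 documentation addresses, the port range is deliberately tiny so the jump to the second pool address happens after a handful of flows, and the real IOS port ranges and per-platform limits differ.

```python
"""Toy model of NAT overload (PAT) across a pool of outside addresses.

Added example, not code from the original post. It is a simplification of
Cisco IOS behaviour: real IOS allocates from several port ranges and has
per-platform translation limits; here each pool address has one
contiguous port range, kept deliberately tiny in demo() so the roll-over
to the next pool address happens after a handful of flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inside connection, identified the way the translation table keys it."""
    proto: str           # "tcp", "udp" or "icmp"
    inside_local: str    # private address of the client
    inside_port: int     # source port (ICMP id for icmp)
    outside_global: str  # destination address on the outside
    outside_port: int    # destination port (ICMP id for icmp)


class PatPool:
    """Hand out (inside global address, port) pairs for flows.

    Ports are taken from the first pool address until it has none free,
    then from the next address, and so on; once every address is full,
    translate() raises, which is the point at which the router would drop
    the new connection.
    """

    def __init__(self, addresses, port_range=(1024, 65535)):
        self.addresses = list(addresses)
        self.low, self.high = port_range
        self.table = {}    # (global address, global port) -> Flow
        self.by_flow = {}  # Flow -> (global address, global port)

    def capacity(self):
        """Total simultaneous flows the pool can carry."""
        return len(self.addresses) * (self.high - self.low + 1)

    def translate(self, flow):
        """Return the (address, port) an outbound packet of this flow is rewritten to."""
        if flow in self.by_flow:           # an existing connection keeps its slot
            return self.by_flow[flow]
        for addr in self.addresses:        # next address is tried only when this one is full
            for port in range(self.low, self.high + 1):
                if (addr, port) not in self.table:
                    self.table[(addr, port)] = flow
                    self.by_flow[flow] = (addr, port)
                    return addr, port
        raise RuntimeError("NAT pool exhausted: no free (address, port) on any pool address")

    def untranslate(self, addr, port):
        """Find the inside flow a returning packet to (addr, port) belongs to, or None."""
        return self.table.get((addr, port))

    def release(self, flow):
        """Tear the translation down (timeout or TCP close) so the slot can be reused."""
        del self.table[self.by_flow.pop(flow)]

    def in_use(self):
        """Ports currently consumed on each pool address."""
        counts = {addr: 0 for addr in self.addresses}
        for addr, _ in self.table:
            counts[addr] += 1
        return counts


def demo():
    """Six TCP flows from one client through a two-address pool with three
    ports per address (constructed sample using RFC 5737 addresses)."""
    pool = PatPool(["203.0.113.10", "203.0.113.11"], port_range=(1024, 1026))
    slots = []
    for src_port in range(49152, 49158):
        slots.append(pool.translate(Flow("tcp", "10.0.0.101", src_port, "198.51.100.1", 443)))
    return pool, slots


if __name__ == "__main__":
    pool, slots = demo()
    for slot in slots:
        print("%s:%d" % slot)
    print("in use:", pool.in_use(), "capacity:", pool.capacity())
```

Running demo() shows the first three flows land on 203.0.113.10 and the next three on 203.0.113.11; a seventh raises, which is exactly the "we have run out" condition a single overloaded address reaches much sooner.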
Let’s use the same lab as our last NAT example.
Router0 is using 184.108.40.206 on its interface. Its gateway is 220.127.116.11, which is on Router1.
Since we are using that same lab, we first need to remove the NAT command we issued earlier.
WORKRTR(config)#no ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload
If you have active connections you will be prompted to delete the existing dynamic translations (Dynamic mapping in use, do you want to delete all entries?), and NAT will of course stop.
To overload a pool, first we need to create it. In this example, I want to make addresses 18.104.22.168 through 22.214.171.124 available in my pool. The netmask tells the router which subnet the pool belongs to; whatever you put here, the upstream router must route the pool range to this router’s outside interface, or return traffic for the pool addresses will never arrive.
WORKRTR(config)#ip nat pool OUTSIDE_PUBLIC 126.96.36.199 188.8.131.52 netmask 255.255.255.0
And now we simply create our NAT using the same ACL we made in our last example, but pointing it at the pool instead of the interface.
WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES pool OUTSIDE_PUBLIC overload
We can now see the translations being created in the translation table.
WORKRTR#sho ip nat translations
Pro  Inside global          Inside local    Outside local       Outside global
icmp 184.108.40.206:1024   10.0.0.101:7    220.127.116.11:7    18.104.22.168:1024
icmp 22.214.171.124:1025   10.0.0.101:8    126.96.36.199:8     188.8.131.52:1025
icmp 184.108.40.206:1026   10.0.0.101:9    220.127.116.11:9    18.104.22.168:1026
icmp 22.214.171.124:1027   10.0.0.101:10   126.96.36.199:10    188.8.131.52:1027
icmp 184.108.40.206:1028   10.0.0.101:11   220.127.116.11:11   18.104.22.168:1028
icmp 22.214.171.124:1029   10.0.0.101:12   126.96.36.199:12    188.8.131.52:1029
icmp 184.108.40.206:1030   10.0.0.101:13   220.127.116.11:13   18.104.22.168:1030
icmp 22.214.171.124:1031   10.0.0.101:14   188.8.131.52:14     184.108.40.206:1031
icmp 220.127.116.11:1032   10.0.0.101:15   22.214.171.124:15   126.96.36.199:1032
icmp 188.8.131.52:1033     10.0.0.101:16   184.108.40.206:16   220.127.116.11:1033
icmp 18.104.22.168:1034    10.0.0.101:17   22.214.171.124:17   126.96.36.199:1034
icmp 188.8.131.52:1035     10.0.0.101:18   184.108.40.206:18   220.127.116.11:1035
icmp 18.104.22.168:1036    10.0.0.101:19   22.214.171.124:19   126.96.36.199:1036
icmp 188.8.131.52:1037     10.0.0.101:20   184.108.40.206:20   220.127.116.11:1037
icmp 18.104.22.168:1038    10.0.0.101:21   22.214.171.124:21   126.96.36.199:1038
icmp 188.8.131.52:1039     10.0.0.101:22   184.108.40.206:22   220.127.116.11:1039
icmp 18.104.22.168:1040    10.0.0.101:23   22.214.171.124:23   126.96.36.199:1040
icmp 188.8.131.52:1041     10.0.0.101:24   220.127.116.11:24   18.104.22.168:1041
icmp 22.214.171.124:1042   10.0.0.101:25   188.8.131.52:25     184.108.40.206:1042
icmp 220.127.116.11:1043   10.0.0.101:26   18.104.22.168:26    22.214.171.124:1043
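That table is what you watch to see a pool filling up. As an added example (not from the original post), the script below parses `show ip nat translations` output and counts the ports each inside global address is consuming per protocol, then flags addresses near an assumed limit. The sample output is constructed with RFC 5737 documentation addresses, and the port limit it is compared against is an assumption; the real ceiling depends on IOS version, platform and port range.

```python
"""Parse `show ip nat translations` output and count the ports each inside
global address is consuming, per protocol, so you can tell when the router
is about to roll over to the next pool address or run out altogether.

Added example, not code from the original post. SAMPLE is constructed
output using RFC 5737 documentation addresses, and the per-address port
limit passed to nearly_exhausted() is an assumed figure; the real ceiling
depends on the IOS version, platform and port range.
"""
from collections import defaultdict

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
icmp 203.0.113.10:1024    10.0.0.101:7          198.51.100.1:7        198.51.100.1:1024
icmp 203.0.113.10:1025    10.0.0.101:8          198.51.100.1:8        198.51.100.1:1025
tcp  203.0.113.10:49512   10.0.0.101:49512      198.51.100.1:443      198.51.100.1:443
tcp  203.0.113.10:49513   10.0.0.102:49513      198.51.100.1:443      198.51.100.1:443
tcp  203.0.113.11:1024    10.0.0.103:51000      198.51.100.1:443      198.51.100.1:443
--- 203.0.113.20          10.0.0.254            ---                   ---
tcp  203.0.113.21:80      10.0.0.253:80         ---                   ---
"""


def split_endpoint(token):
    """'203.0.113.10:1024' -> ('203.0.113.10', 1024); '---' -> (None, None)."""
    if token == "---":
        return None, None
    if ":" in token:
        ip, port = token.rsplit(":", 1)
        return ip, int(port)
    return token, None


def parse_translations(text):
    """Return one dict per translation row; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def is_static(entry):
    """Static mappings show '---' for both outside columns; dynamic ones do not."""
    return entry["outside_local"] == (None, None) and entry["outside_global"] == (None, None)


def port_usage(entries):
    """Distinct ports consumed per (inside global address, protocol) by dynamic entries.

    TCP, UDP and ICMP ids are separate port spaces, so the count is kept
    per protocol rather than per address alone."""
    used = defaultdict(set)
    for e in entries:
        ip, port = e["inside_global"]
        if is_static(e) or port is None:
            continue
        used[(ip, e["proto"])].add(port)
    return {key: len(ports) for key, ports in used.items()}


def nearly_exhausted(usage, ports_per_address, fraction=0.9):
    """(address, proto) pairs at or above the given fraction of the assumed port limit."""
    return sorted(key for key, n in usage.items() if n / ports_per_address >= fraction)


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    usage = port_usage(rows)
    for (ip, proto), n in sorted(usage.items()):
        print("%-15s %-5s %d ports" % (ip, proto, n))
    print("near limit:", nearly_exhausted(usage, ports_per_address=64512))
```

Feed it the real command output (for example over SSH with a collector) and alert when nearly_exhausted() returns anything; static entries are excluded from the count because they do not consume pool ports.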
I can’t really generate enough traffic in my lab to make this jump to the next IP, however 😀
Static NAT is also really useful: if you have an internal host whose address you want to map completely one-to-one to an address on the other side of the router (a public address, for example), you can follow the next example to accomplish this.
In our diagram you see on the inside a server whose IP is 10.0.0.254, and we want to make this server publicly available as 126.96.36.199. On our router we specify on the interfaces, as seen before, which is inside and which is outside, and then we enter the following command:
WORKRTR(config)#ip nat inside source static 10.0.0.254 188.8.131.52
Now from our other server, on the outside, we can test access via ping. Keep in mind that a one-to-one static mapping translates every port: the whole server is reachable from outside exactly as if it sat on the public address, and the NAT itself filters nothing, so anything you don’t want exposed needs an access list on the outside interface.
Pinging 184.108.40.206 with 32 bytes of data:
Reply from 220.127.116.11: bytes=32 time=1ms TTL=126
Reply from 18.104.22.168: bytes=32 time=0ms TTL=126
Reply from 22.214.171.124: bytes=32 time=11ms TTL=126
Reply from 126.96.36.199: bytes=32 time=12ms TTL=126
Ping statistics for 188.8.131.52:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 12ms, Average = 6ms
If you only want certain ports exposed, for example just port 80, you can do a static port mapping instead. Only the translated port is forwarded to the server; everything else sent to the public address has no translation and goes nowhere (or, if the public address is the router’s own outside interface address, reaches the router itself, so lock that down too):
WORKRTR(config)#ip nat inside source static tcp 10.0.0.254 80 184.108.40.206 80
Or perhaps you want RDP reachable on some unusual outside port, so that connections to that port are forwarded to 3389 on the inside. This cuts down the noise from scanners that only probe 3389, but it is obscurity rather than a control: a port scan still finds the service, and any RDP weakness is just as reachable on the new port. Pair it with an access list on the outside interface that permits only the sources that should be using RDP at all:
WORKRTR(config)#ip nat inside source static tcp 10.0.0.254 3389 220.127.116.11 12658