The problem with the configurations of the preceding case study is one of scalability. What if, instead of the four inside devices shown in Figure 4-18, there are 60 or 6000? Maintaining static NAT mappings, like maintaining static route entries, quickly becomes an administrative burden as the network grows.
The inside network in Figure 4-19 uses 10.1.1.0–10.1.2.255 for its IL address space and has been assigned the public address space 204.15.86.0/23 by its ISP. This public address space is used as a pool from which IG addresses are dynamically selected for mapping to the IL addresses. To make things more manageable and predictable, the space 10.1.1.0/24 is mapped to 204.15.86.0/24, and 10.1.2.0/24 is mapped to 204.15.87.0/24.
F igure 4-19 The Inside Network Has a Large Range of IL and IG Addresses
The ip nat pool command creates a pool of addresses and gives it a name. The pool is then designated as an IG pool and is linked to an IL address range with the command ip nat inside source list. Example 4-13 shows the configuration for Mazatlan.
Example 4-13 Mazatlan Is Configured to Dynamically Assign IG Addresses from an Address Pool
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Serial1
no ip address
encapsulation frame-relay
!
interface Serial1.705 point-to-point
ip address 199.100.35.254 255.255.255.252
ip nat outside
frame-relay interface-dlci 705
!
router ospf 100
network 10.1.1.1 0.0.0.0 area 0
default-information originate
!
ip nat pool PoolOne 204.15.86.1 204.15.86.254 netmask 255.255.255.0
ip nat pool PoolTwo 204.15.87.1 204.15.87.253 netmask 255.255.255.0
ip nat inside source list 1 pool PoolOne
ip nat inside source list 2 pool PoolTwo
ip nat inside source static 10.1.1.254 204.15.87.254
!
ip route 0.0.0.0 0.0.0.0 199.100.35.253
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.2.0 0.0.0.255
!
Two pools are created, named PoolOne and PoolTwo. PoolOne is assigned an address range of 204.15.86.1–204.15.86.254. PoolTwo is assigned an address range of 204.15.87.1–204.15.87.253. Notice that the address ranges exclude the network addresses and the broadcast addresses; the netmask portion of the commands acts as a sanity check, ensuring that such addresses as 204.15.87.255 are not mapped. An alternative to using the netmask keyword is the prefix-length. For example:
ip nat pool PoolTwo 204.15.87.1 204.15.87.253 prefix-length 24
has the same effect as the command with the netmask 255.255.255.0 keyword. Because of these commands, you can assign a range such as 204.15.86.0–204.15.86.255, and the "0" and "255" host addresses will not be mapped. However, it is good practice to configure only the actual pool addresses to avoid confusion.
Notice also that PoolTwo does not include the address 204.15.87.254. This address is statically assigned to DNS1 and so is left out of the pool. Any time an outside device must be able to initiate a session to an inside device, as in the case of DNS1, there must be a statically assigned address. If its IG address were dynamic, outside devices would have no way of knowing to which address to send packets.
Next, access lists are used to identify the addresses to be translated. In Mazatlan's configuration, access list 1 identifies the IL range 10.1.1.0–10.1.1.255, and access list 2 identifies the IL range 10.1.2.0–10.1.2.255.
Last, the IL addresses are linked to the correct pool. For example, the statement ip nat inside source list 1 pool PoolOne says that an IP address sourced from the inside (that is, IL addresses) and matching the range specified in access list 1 is to be translated to an IG address taken from PoolOne.
Example 4-14 shows Mazatlan's NAT table just after the dynamic NAT configuration is added. You can see that the only mapping in the table is the static entry for DNS1.
Example 4-14 When Mazatlan's Dynamic NAT Is First Configured, No Entries Reside in the NAT Table Except for the Single Static Entry
Mazatlan#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 204.15.87.254 10.1.1.254 --- ---
Mazatlan#
Example 4-15 shows the NAT table after several inside devices have originated traffic to the outside. The IG addresses are allocated from each pool numerically, beginning with the lowest available number.
Example 4-15 Dynamic IL-to-IG Mappings Are Entered into the NAT Table as Inside Devices Send Packets to the Outside
Mazatlan#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 204.15.86.4 10.1.1.3 --- ---
--- 204.15.86.3 10.1.1.83 --- ---
--- 204.15.86.2 10.1.1.239 --- ---
--- 204.15.86.1 10.1.1.4 --- ---
--- 204.15.87.3 10.1.2.164 --- ---
--- 204.15.87.2 10.1.2.57 --- ---
--- 204.15.87.1 10.1.2.2 --- ---
--- 204.15.87.254 10.1.1.254 --- ---
Mazatlan#
Occasionally, a network administrator might want the host portion of the IG address to match the host portion of the IL address to which it is mapped. To accomplish this, the keywords type match-host are added to the end of the statement defining the pool, as demonstrated in Example 4-16.
Example 4-16 Configuring the Host Portion of the IG Address to Match the Host Portion of the IL Address to Which It Is Mapped
ip nat pool PoolOne 204.15.86.1 204.15.86.254 netmask 255.255.255.0 type match-host
ip nat pool PoolTwo 204.15.87.1 204.15.87.253 netmask 255.255.255.0 type match-host
ip nat inside source list 1 pool PoolOne
ip nat inside source list 2 pool PoolTwo
ip nat inside source static 10.1.1.254 204.15.87.254
!
ip route 0.0.0.0 0.0.0.0 199.100.35.253
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.2.0 0.0.0.255
Example 4-17 shows the resulting NAT table. Comparing it with the table in Example 4-15, you can see that all the same IL addresses have been translated. Instead of selecting IG addresses from their respective pools sequentially, however, IG addresses are selected with matching host portions.
Example 4-17 The Host Portions of the IG Addresses Match the Host Portions of the IL Addresses to Which They Are Mapped
Mazatlan#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 204.15.86.4 10.1.1.4 --- ---
--- 204.15.86.3 10.1.1.3 --- ---
--- 204.15.86.83 10.1.1.83 --- ---
--- 204.15.86.239 10.1.1.239 --- ---
--- 204.15.87.2 10.1.2.2 --- ---
--- 204.15.87.57 10.1.2.57 --- ---
--- 204.15.87.164 10.1.2.164 --- ---
--- 204.15.87.254 10.1.1.254 --- ---
Mazatlan#
By default, the dynamic entries are held in the NAT table for 86,400 seconds (24 hours). You can change this time with the command ip nat translation timeout to any time between 0 and 2,147,483,647 seconds (approximately 68 years). The timeout period begins when a translation is first made and is reset each time a packet is translated by the mapping. While a pool address is mapped to an address in the NAT table, it cannot be mapped to any other address. If the timeout period elapses with no new "hits" to the mapping, the entry is removed from the table, and the pool address is returned to the pool and becomes available. If you use 0 seconds or the keyword never with the ip nat translation timeout command, the mapping is never removed from the NAT table.
The translation timeout for each entry appears with the show ip nat translations verbose command, as demonstrated in Example 4-18. The ip nat translations verbose command shows how long ago the mapping was entered into the NAT table, how long ago the mapping was last used to translate an address, and the time remaining before the end of the timeout period. You can use the Flags field to indicate translation types other than dynamic. In Example 4-18, for instance, the last entry is shown to be a static translation.
Example 4-18 The show ip nat translations verbose Command Reveals Details About the Translation Timeout Periods for Each Mapping
Mazatlan#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
--- 204.15.86.4 10.1.1.3 --- ---
create 00:31:55, use 00:31:55, left 23:28:04, flags: none
--- 204.15.86.3 10.1.1.83 --- ---
create 00:32:19, use 00:32:19, left 23:27:40, flags: none
--- 204.15.86.2 10.1.1.239 --- ---
create 00:33:38, use 00:33:38, left 23:26:21, flags: none
--- 204.15.86.1 10.1.1.4 --- ---
create 00:34:25, use 00:00:05, left 23:59:54, flags: none
--- 204.15.87.3 10.1.2.164 --- ---
create 00:31:02, use 00:31:02, left 23:28:57, flags: none
--- 204.15.87.2 10.1.2.57 --- ---
create 00:34:10, use 00:34:10, left 23:25:49, flags: none
--- 204.15.87.1 10.1.2.2 --- ---
create 00:35:04, use 00:35:04, left 23:24:55, flags: none
--- 204.15.87.254 10.1.1.254 --- ---
create 03:59:32, use 03:59:32, flags: static
Mazatlan#
The translation timeout period is important when the range of IL addresses is larger than the pool of IG addresses. Consider the configuration in Example 4-19.
Example 4-19 1022 IL Addresses Share a Pool of 254 IG Addresses
ip nat pool GlobalPool 204.15.86.1 204.15.86.254 prefix-length 24
ip nat inside source list 1 pool GlobalPool
!
access-list 1 permit 10.1.0.0 0.0.3.255
Here, 1022 possible IL addresses—10.1.0.1 through 10.1.3.254—are translated using a pool of 254 available IG addresses. That means that when the NAT table contains 254 mapping entries, no more available IG addresses exist. Any packets with IL addresses that have not already been mapped are dropped. The designer of such an addressing scheme is gambling that only a fraction of the total users in the network will need outside access. With each mapping remaining in the NAT table for 24 hours, however, the chances of using up all available IG addresses increase substantially. By reducing the translation timeout, the designer can reduce this likelihood.
Share with your friends: |