
Problem with defining a NAT pool

Tricon7 (Inactive Imported Users, Posts: 238)
This problem says that we're to assign the IP of 199.9.9.0 /29 for public addressing in this private network (192.168.5.0 /24). There is one switch in the network and six hosts. The first host is to be given a static IP; all other hosts are dynamic, pulling a public IP from the NAT pool. My question is, the 199.9.9.0 /29 allotment only gives six usable host addresses (199.9.9.1-199.9.9.6, with .6 being taken as the static); the instructor said, "Assume there can be more than five connections, so configure NAT/PAT to accommodate this."

So the only IP not "used" in the allotted block will be the static IP assigned to PC 1. The IP of the default gateway (the router's Fast Ethernet interface) and the switch don't have anything to do with the assigned public IP of 199.9.9.0 /29, right? Or do they? If I have it right, then the assignable IPs for the public pool would be 199.9.9.1-199.9.9.5, and 199.9.9.6 would be the last usable IP and assigned as static to PC 1. Have I got this scenario right?

Comments

  • dtlokee (Member, Posts: 2,378)
    I think what you're missing is the fact that the inside addresses are going to be private, from the 192.168.5.0/24 subnet, and they need to translate to an IP address in the 199.9.9.0/29 range, not that they are going to be assigned an IP from that range. For the NAT configuration you will need 1 static translation and one overloaded NAT pool, which could consist of one IP address, thereby only using 2 total addresses for all the hosts on the inside network. There really is no need to create a pool of multiple addresses if you're using overloading (in this case there's a max of 254 hosts on your internal subnet), but you could create one with multiple addresses in the pool.

    In this case I would use a static translation to 199.9.9.1 (could be anything) and an overloaded pool to the IP address of the router's outside interface. Or you could use a separate address if you wanted to, instead of overloading to the interface's IP address.
    The only easy day was yesterday!
  • mikearama (Member, Posts: 749)
    On top of what lokee explained, I believe the scenario wants you to practice your pool, static, dynamic, and access-list commands. 'Cause lokee's bang on... one IP is static, and only one other IP is needed for every host you have, period.

    Having said that, the designers of your scenario understand that the solution above is too simplistic, and you wouldn't have experienced the whole NAT/PAT process in its full beauty.

    So, remembering that the teacher wants the possibility of more than 5 concurrent client connections, the solution would be something like:

    ip nat inside source static 192.168.5.1 199.9.9.1 (takes care of the static node)

    ip nat pool NATPOOL 199.9.9.2 199.9.9.6 netmask 255.255.255.248 (allows other public IPs to be available)

    access-list 1 permit 192.168.5.0 0.0.0.255 (group all internal IP's into one list)

    configure:

    ip nat inside source list 1 pool NATPOOL overload (apply pool of public IP's to list of internal IP's, and allow for more than just 5 concurrent connections)

    Then just apply the "inside" / "outside" nat commands to the right ports.

    Again, it's not overly practical, but based on what your teacher wants, it satisfies all the requirements.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Netstudent (Member, Posts: 1,693)
    ip nat inside source list 1 pool NATPOOL overload (apply pool of public IP's to list of internal IP's, and allow for more than just 5 concurrent connections)

    So in this config, when would port address translation take place over dynamic translations?
    In the pool, there are 5 available inside global IPs. So would PAT start occurring when there is only 1 address left in the pool? Or does PAT start happening with the very first translation? When would overloading start?
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • mikearama (Member, Posts: 749)
    Great questions NS, for which I can't find any answers in Cisco.com or elsewhere.

    I think it's a silly scenario, since the moment you put "overload" at the end of the NAT statement, you wouldn't have multiple IPs in your pool. Your pool would have one IP in it. Anything else is a waste.

    So, to edit the above... tell your teacher, Tricon, that the answer is:

    ip nat inside source list 1 pool NATPOOL overload

    where

    ip nat pool NATPOOL 199.9.9.2 199.9.9.2 netmask 255.255.255.248

    ...

    and then tell him to stop hogging four extra IPs... give 'em back to the ISP for some other desperate soul to use.

    Mike
  • Tricon7 (Inactive Imported Users, Posts: 238)
    mikearama wrote:
    On top of what lokee explained, I believe the scenario wants you to practice your pool, static, dynamic, and access-list commands. 'Cause lokee's bang on... one IP is static, and only one other IP is needed for every host you have, period.

    Having said that, the designers of your scenario understand that the solution above is too simplistic, and you wouldn't have experienced the whole NAT/PAT process in its full beauty.

    So, remembering that the teacher wants the possibility of more than 5 concurrent client connections, the solution would be something like:

    ip nat inside source static 192.168.5.1 199.9.9.1 (takes care of the static node)

    ip nat pool NATPOOL 199.9.9.2 199.9.9.6 netmask 255.255.255.248 (allows other public IPs to be available)

    access-list 1 permit 192.168.5.0 0.0.0.255 (group all internal IP's into one list)

    configure:

    ip nat inside source list 1 pool NATPOOL overload (apply pool of public IP's to list of internal IP's, and allow for more than just 5 concurrent connections)

    Then just apply the "inside" / "outside" nat commands to the right ports.

    Again, it's not overly practical, but based on what your teacher wants, it satisfies all the requirements.

    I think this is what I finally put, and it seemed to work fine. My problem had been that I thought one would use either NAT or PAT, but not both simultaneously, which is not correct. Also, I was getting an error message when trying to use PAT, saying "dynamic in use, can't use this one" or something-or-other. A friend said I should have cleared the table.
  • dtlokee (Member, Posts: 2,378)
    OK, as far as making a pool of overloaded addresses, the IOS will only use the first one unless it uses up all available port/protocol combinations for the first available address. When there's a conflict between a static and dynamic allocation the static one wins. There are examples on Cisco's website referring to backing up a dynamic pool with PAT (I looked but couldn't find the link right quick). In this example you create a dynamic pool of addresses for your available range of addresses, leaving the last one out of the pool so it can be used for an overloaded NAT pool.

    Something like this:

    ip nat inside source static 192.168.5.1 199.9.9.1
    ip nat pool DYN_POOL 199.9.9.2 199.9.9.5 netmask 255.255.255.248
    ip nat pool OVERLOAD_POOL 199.9.9.6 199.9.9.6 netmask 255.255.255.248

    access-list 1 permit 192.168.5.0 0.0.0.255

    ip nat inside source list 1 pool DYN_POOL
    ip nat inside source list 1 pool OVERLOAD_POOL overload

    In theory it will use up the addresses 199.9.9.2 - 5 for the first 4 hosts, then any additional connections will be port address translated to the 199.9.9.6 address.
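To make the allocation behaviour concrete (Netstudent's question of when PAT starts under mikearama's overloaded pool, and dtlokee's dynamic pool backed by a PAT address), here is a small model of the translation table. It is an added example written for this page, not Cisco code and not something either poster ran; it parses the `ip nat` lines as posted and hands out inside-global addresses the way the thread describes them. Assumptions are labelled in the code: PAT draws ports from 1024-65535 per (address, protocol) and keeps the original source port when it is free, mappings are consulted in configuration order, and a static entry always beats a dynamic one. `clear()` plays the role of `clear ip nat translation *`, the step Tricon7's friend suggested for the "dynamic mapping in use" error.

```python
"""Toy model of IOS-style NAT/PAT allocation for the configs in this thread.
Added example for this page, not Cisco code.  Assumptions are marked below."""
import ipaddress

# Configs as posted in the thread, with the 'netmask' keyword IOS requires.
MIKEARAMA_CONFIG = """
ip nat inside source static 192.168.5.1 199.9.9.1
ip nat pool NATPOOL 199.9.9.2 199.9.9.6 netmask 255.255.255.248
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 pool NATPOOL overload
"""

DTLOKEE_CONFIG = """
ip nat inside source static 192.168.5.1 199.9.9.1
ip nat pool DYN_POOL 199.9.9.2 199.9.9.5 netmask 255.255.255.248
ip nat pool OVERLOAD_POOL 199.9.9.6 199.9.9.6 netmask 255.255.255.248
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 pool DYN_POOL
ip nat inside source list 1 pool OVERLOAD_POOL overload
"""


class NatTable:
    def __init__(self, config, port_range=range(1024, 65536)):
        self.port_range = port_range  # assumed PAT port range per address/protocol
        self.static, self.pools, self.acls, self.mappings = {}, {}, {}, []
        self.clear()
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, w):
        if w[:5] == ["ip", "nat", "inside", "source", "static"]:
            self.static[w[5]] = w[6]
        elif w[:3] == ["ip", "nat", "pool"]:
            lo, hi = (int(ipaddress.ip_address(a)) for a in w[4:6])
            self.pools[w[3]] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        elif w[:1] == ["access-list"] and w[2] == "permit":
            # ipaddress accepts the IOS wildcard mask as a hostmask
            self.acls.setdefault(int(w[1]), []).append(ipaddress.ip_network(f"{w[3]}/{w[4]}"))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            self.mappings.append((int(w[5]), w[7], w[-1] == "overload"))  # (acl, pool, overload)

    def clear(self):
        """Like 'clear ip nat translation *': forget all dynamic and PAT entries."""
        self.dynamic = {}   # inside-local -> inside-global, one-to-one
        self.pat = {}       # (inside-local, proto, sport) -> (inside-global, port)
        self.pat_used = {}  # (inside-global, proto) -> set of ports in use

    def _alloc_port(self, addr, proto, want):
        used = self.pat_used.setdefault((addr, proto), set())
        if want in self.port_range and want not in used:  # assumed: source port preserved when free
            used.add(want)
            return want
        for p in self.port_range:
            if p not in used:
                used.add(p)
                return p
        return None  # every port on this address/protocol is taken

    def translate(self, inside_local, proto, sport):
        """Inside-global (address, port) for a new outbound flow, or None when no
        translation can be built (the router drops the packet)."""
        if inside_local in self.static:  # static wins over any dynamic entry
            return self.static[inside_local], sport
        if inside_local in self.dynamic:  # existing one-to-one entry is reused
            return self.dynamic[inside_local], sport
        key = (inside_local, proto, sport)
        if key in self.pat:
            return self.pat[key]
        ip = ipaddress.ip_address(inside_local)
        for acl, pool, overload in self.mappings:  # assumed: configuration order
            if not any(ip in net for net in self.acls.get(acl, [])):
                continue
            if not overload:
                busy = set(self.static.values()) | set(self.dynamic.values())
                for addr in self.pools[pool]:
                    if addr not in busy:
                        self.dynamic[inside_local] = addr
                        return addr, sport
            else:
                for addr in self.pools[pool]:  # first address until its ports run out
                    port = self._alloc_port(addr, proto, sport)
                    if port is not None:
                        self.pat[key] = (addr, port)
                        return self.pat[key]
        return None


if __name__ == "__main__":
    table = NatTable(DTLOKEE_CONFIG)
    for host in range(1, 8):
        local = f"192.168.5.{host}"
        print(local, "->", table.translate(local, "tcp", 40000 + host))
```

With mikearama's config the very first flow from a non-static host already lands on 199.9.9.2 with a port entry, and 199.9.9.3 is only touched once .2 has no free port for that protocol, which is the behaviour dtlokee describes; with his own two-pool config the first four hosts take .2 through .5 one-to-one and everyone after that is PATed onto .6. Pass a small `port_range` to the constructor to watch the roll-over to the next address without generating 64k flows.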
  • Netstudent (Member, Posts: 1,693)
    ahhhhhh interesting...this is why i love this site. Lots of knowledge to share.