Testing NAT

mattrgee Member Posts: 201
Hi guys,

I'm trying to come up with a good scenario for testing NAT. My lab isn't connected to the internet so I need some way of testing common NAT configurations.

I was thinking of getting a router and configuring an ACL on it to only permit traffic from a single source address. This would act like the Internet, permitting only a specific IP address.

I would then have another router with a couple of hosts hanging off it, with the router NATing the host IPs to the permitted IP address on the above router. The end result would be a couple of hosts being NAT'd in order to be permitted by an ACL. I would then ping hosts on the other side of the 'Internet' router to prove the configuration etc.

Sound feasible?

Thanks.

Comments

  • networker050184 Mod Posts: 11,962 Mod
    You don't need the ACL, just ensure you don't have a route back to the non-NATed source. You can use an ACL also but it's not necessary.
    An expert is a man who has made all the mistakes which can be made.
  • dtlokee Member Posts: 2,378
    You don't need an access list, just treat the router that is doing NAT as a stub, only configure a default route to the next hop router and on the upstream router don't configure a return route to the inside network (since the source address is getting translated it's not needed)
    The only easy day was yesterday!
  • mattrgee Member Posts: 201
    Ok, so have a route back to the router performing NAT but no route to the hosts beyond that router?
  • dtlokee Member Posts: 2,378
    Well, have a route back to the simulated "public" addresses but not to the private addresses behind the router.
    The only easy day was yesterday!
  • mattrgee Member Posts: 201
    Gotcha, thanks a lot.
  • tech-airman Member Posts: 953
    mattrgee,

    You can use NAT from private to private IP addresses, e.g. 192.168.1.0 to 172.16.0.0.
  • mattrgee Member Posts: 201
    I've just made a strange observation.

    I've configured Dynamic NAT and an access list to permit traffic from two specific hosts. I created the address pool and tied the ACL to the pool. Everything works fine.

    I then removed the access list with 'no access-list 1' and sure enough the ACL was gone. However, hosts are still being NAT'd and can still ping the remote address.

    Do the contents of the ACL stay in memory or something?
  • mattrgee Member Posts: 201
    Ah, I figured it out. I cleared the ip nat translations table and all was good in the world again.
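An added example, not posted by anyone in this thread, of the lab dtlokee describes in Cisco IOS syntax: R1 is the NAT stub with a default route only, R2 plays the Internet and has no route back to the private LAN, and the last block reproduces the stale-translation behaviour mattrgee hit. All addresses (RFC 5737 documentation ranges) and interface names are assumptions.

```cisco
! R1 -- NAT router (stub). Assumed: inside LAN 192.168.1.0/24,
! link to R2 203.0.113.0/24, translation pool 203.0.113.10-11.
hostname R1
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 description link to R2 (simulated Internet)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
! only the two test hosts are eligible for translation
access-list 1 permit host 192.168.1.10
access-list 1 permit host 192.168.1.11
ip nat pool LABPOOL 203.0.113.10 203.0.113.11 netmask 255.255.255.0
ip nat inside source list 1 pool LABPOOL
! stub: a default route towards R2 is the only route R1 needs
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! R2 -- plays the Internet. It knows 203.0.113.0/24 (directly connected)
! and its far-side LAN, but has NO route to 192.168.1.0/24, so a packet
! that leaves R1 untranslated gets no reply. That missing route is the
! test, and it replaces the ACL from the original post.
hostname R2
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface FastEthernet0/1
 description far-side host LAN (assumed 198.51.100.0/24)
 ip address 198.51.100.1 255.255.255.0
!
! Verification on R1 after pinging 198.51.100.10 from 192.168.1.10:
!   show ip nat translations   -> 203.0.113.10 mapped to 192.168.1.10
!   show ip nat statistics     -> hit counter increments
! A ping from a host not in ACL 1 (e.g. 192.168.1.20) reaches R2
! untranslated and fails, because R2 cannot route the reply.
!
! Reproducing the observation in the thread: removing the ACL does not
! purge entries already in the translation table, and an existing entry
! keeps serving the flow until it ages out or is cleared. To make the
! policy change take effect immediately:
!   no access-list 1
!   clear ip nat translation *
!   show ip nat translations   -> empty; 192.168.1.10 can no longer ping
```

The same point applies when tightening a NAT ACL in production: verify with `show ip nat translations` after the change, since entries created under the old policy survive it until cleared or aged out.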