DHCP & NAT

Configure DHCP in an Enterprise Branch Network
Objective: describe how DHCP dynamically assigns an IP address to a client.

• DHCPDISCOVER message:
  – Broadcast sent by a client that is looking for a DHCP server; the client has no address yet, so the packet is sourced from 0.0.0.0.
  – Sent to the DHCP/BOOTP server port, UDP port 67.
• DHCPOFFER message:
  – When the DHCPDISCOVER reaches the DHCP server, the server responds with a DHCPOFFER containing the MAC address of the client, the offered IP address and mask, the default gateway, and the IP address of the server. The offer is unicast to the client's MAC address (or broadcast if the client set the broadcast flag in its DISCOVER).
  – Sent to the DHCP/BOOTP client port, UDP port 68.
• DHCPREQUEST message:
  – Used for two purposes: first, to accept an offer and initially negotiate an IP address lease; second, to renew the lease, which the client attempts halfway through the lease time.
  – During initial negotiation the client broadcasts the DHCPREQUEST to UDP port 67, so every server that made an offer learns which one was chosen; a renewal is unicast directly to the server that holds the lease.
• DHCPACK message:
  – Nearly identical to the original DHCPOFFER, but sent to the client on UDP port 68 to confirm that it may now use the address.
• Security note: a client typically accepts the first offer it receives, and any host on the segment can answer a broadcast DISCOVER. A rogue server can therefore hand out itself as default gateway or DNS server; on switched networks, DHCP snooping (accepting server messages only on the trusted uplink port) is the usual control.
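To make the exchange above concrete, here is an added example (not part of the original slides) that builds the DHCPDISCOVER a client broadcasts to UDP/67 and the DHCPOFFER a server returns on UDP/68, parses both from their wire format, and checks the offer's server identifier (option 54) against an allow-list, the manual equivalent of the rogue-server check that DHCP snooping performs. The MAC address, transaction ID and IP addresses are constructed for the demonstration.

```python
"""Build and parse DHCP (RFC 2131) messages.

Added example; not part of the original slides. The MAC, transaction ID
and addresses are constructed. It builds the DHCPDISCOVER a client
broadcasts to UDP/67 and the DHCPOFFER a server returns on UDP/68,
parses both, and checks the offer's server identifier (option 54)
against an allow-list of trusted DHCP servers.
"""
import ipaddress
import struct

DHCP_SERVER_PORT = 67   # client -> server: DISCOVER, REQUEST
DHCP_CLIENT_PORT = 68   # server -> client: OFFER, ACK, NAK
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
BOOTREQUEST, BOOTREPLY = 1, 2


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def _bootp_header(op, xid, yiaddr, siaddr, chaddr, flags=0):
    """236-byte fixed BOOTP header: op htype hlen hops xid secs flags
    ciaddr yiaddr siaddr giaddr chaddr(16) sname(64) file(128)."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, flags,
                       _ip("0.0.0.0"), _ip(yiaddr), _ip(siaddr), _ip("0.0.0.0"),
                       chaddr.ljust(16, b"\x00"), b"", b"")


def _options(opts):
    """Encode {code: value} as magic cookie + TLV options + END (255)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def build_discover(mac, xid):
    """DHCPDISCOVER: BOOTREQUEST, no addresses yet; option 55 asks for
    subnet mask (1), router (3), DNS (6) and lease time (51)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    return _bootp_header(BOOTREQUEST, xid, "0.0.0.0", "0.0.0.0", chaddr) + _options(
        {53: b"\x01", 55: bytes([1, 3, 6, 51])})


def build_offer(mac, xid, offered_ip, mask, gateway, server_ip, lease=86400):
    """DHCPOFFER: BOOTREPLY with yiaddr = offered address and option 54 = server id."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    return _bootp_header(BOOTREPLY, xid, offered_ip, server_ip, chaddr) + _options(
        {53: b"\x02", 1: _ip(mask), 3: _ip(gateway),
         51: struct.pack("!I", lease), 54: _ip(server_ip)})


def parse_dhcp(data):
    """Decode the fixed header and the option list into a dict."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags, ci, yi, si, gi, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", data[:44])
    msg = {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
           "chaddr": chaddr[:hlen].hex(":"),
           "ciaddr": str(ipaddress.IPv4Address(ci)),
           "yiaddr": str(ipaddress.IPv4Address(yi)),
           "siaddr": str(ipaddress.IPv4Address(si)),
           "giaddr": str(ipaddress.IPv4Address(gi)),   # filled in by a relay agent
           "options": {}}
    i = 240
    while i < len(data) and data[i] != 255:        # 255 = END
        if data[i] == 0:                            # 0 = PAD, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\x00")[0], "unknown")
    return msg


def offer_is_trusted(msg, trusted_servers):
    """True only for a DHCPOFFER whose server identifier is on the allow-list.
    Any host on the segment can answer a broadcast DISCOVER, so an offer
    carrying an unknown server id is the signature of a rogue DHCP server."""
    if msg["type"] != "DHCPOFFER" or 54 not in msg["options"]:
        return False
    return str(ipaddress.IPv4Address(msg["options"][54])) in trusted_servers


if __name__ == "__main__":
    mac, xid = "00:11:22:33:44:55", 0x3903F326           # constructed values
    discover = parse_dhcp(build_discover(mac, xid))
    print(f"{discover['type']} from {discover['chaddr']} -> UDP/{DHCP_SERVER_PORT}")
    offer = parse_dhcp(build_offer(mac, xid, "192.168.10.50", "255.255.255.0",
                                   "192.168.10.1", "192.168.10.1"))
    print(f"{offer['type']} yiaddr={offer['yiaddr']} -> UDP/{DHCP_CLIENT_PORT}, "
          f"trusted={offer_is_trusted(offer, {'192.168.10.1'})}")
```

The same parser works on payloads captured from UDP/67 and UDP/68 on a real segment; feeding every observed DHCPOFFER through offer_is_trusted with the addresses of your legitimate servers is a quick way to spot a rogue server before DHCP snooping is deployed.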

Configuring a router as the DHCP server:

• Step 1. Define the range of addresses that DHCP is not to allocate (ip dhcp excluded-address). These are usually static addresses reserved for the router interface, the switch management IP address, servers, and local network printers.

• Step 2. Create the DHCP pool using the ip dhcp pool command.

• Step 3. Configure the specifics of the pool: the subnet to allocate from (network), the default gateway (default-router), the DNS servers (dns-server) and the lease duration (lease). Hand out only parameters you control; a wrong default-router or dns-server entry here redirects every client's traffic.

• DHCP relay configures a router to relay DHCP messages when the server and the client are not on the same segment.
• It enables routers to forward the clients' DHCP broadcasts to the DHCP server as unicasts. When a router forwards address assignment/parameter requests in this way, it is acting as a DHCP relay agent; on Cisco IOS this is enabled on the client-facing interface with ip helper-address followed by the server address.
• Caveat: ip helper-address forwards several other UDP broadcast protocols by default (for example TFTP, DNS, NetBIOS name service, TACACS and time), not only DHCP/BOOTP. Disable the ones you do not need relayed with no ip forward-protocol udp and the port number.

DHCP problems can arise for a multitude of reasons, such as software defects in operating systems, NIC drivers, or DHCP/BOOTP relay agents, but the most common are configuration issues. Because of the number of potentially problematic areas, a systematic approach to troubleshooting is required.

Network Address Translation

• An IP address is either local or global.
• Local IP addresses are seen in the inside network.
• Global IP addresses are seen in the outside network.

What is NAT?
• Inside local address - Usually not an IP address assigned by a RIR or service provider; most likely an RFC 1918 private address. In the figure, the IP address 192.168.10.10 is assigned to the host PC1 on the inside network.
• Inside global address - Valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at 209.165.201.1, router R2 must translate the address. In this case, IP address 209.165.200.226 is used as the inside global address for PC1.
• Outside global address - Valid public IP address assigned to a host on the Internet. For example, the web server is reachable at IP address 209.165.201.1.
• Outside local address - The local IP address assigned to a host on the outside network. In most situations this address is identical to the outside global address of that outside device; it differs only when the outside destination is itself being translated.

12
Forms of NAT
 Static NAT
–Allow one-to-one mapping of local and global addresses.
–Useful when device needs to be accessible from the outside network

 Dynamic NAT
–Any IP address from a pool of global IP addresses is assigned to a
local address.

 Overloading (PAT)
–Maps multiple private IP addresses to a single public IP address by
using different ports.

13
Port Address Translation

14
Translating Inside Source Addresses

15
Configuring Static Translation

Router(config)#ip nat inside source static local-ip global-ip
• Establishes a static translation between an inside local address and an inside global address

Router(config-if)#ip nat inside
• Marks the interface as connected to the inside

Router(config-if)#ip nat outside
• Marks the interface as connected to the outside

Enabling Static NAT: Address Mapping Example

Configuring Dynamic Translation

Router(config)#access-list access-list-number permit source [source-wildcard]
• Defines a standard IP ACL permitting those inside local addresses that are to be translated. Keep it as narrow as the address plan allows: a permit any here translates traffic from every inside host, including hosts that were never meant to reach the outside.

Router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length}
• Defines a pool of global addresses to be allocated as needed.

Router(config)#ip nat inside source list access-list-number pool pool-name
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Router(config-if)#ip nat inside
Router(config-if)#ip nat outside

Dynamic Address Translation Example

Overloading an Inside Global Address

Configuring Overloading Using One Address

Router(config)#access-list access-list-number permit source source-wildcard
• Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)#ip nat inside source list access-list-number interface interface overload
• Establishes dynamic source translation using the address of the named outside interface as the single inside global address; the overload keyword enables PAT, and the ACL is the one defined in the prior step

Router(config-if)#ip nat inside
Router(config-if)#ip nat outside

Overloading an Inside Global Address Example
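The following added example (not code from the original slides or from Cisco IOS) models what the overload configuration above produces: a standard ACL selects the inside local addresses to translate, all of them share the one inside global address of the outside interface, and the protocol, global port, outside address and outside port together identify the return path. It also shows the property that makes PAT act as a crude filter: a packet arriving from outside with no matching entry has nowhere to go and is dropped. The ACL, addresses and ports are constructed; timeouts and the IOS port-range rules are simplified.

```python
"""Toy PAT (NAT overload) translation table.

Added example, not code from the original slides or from Cisco IOS.
Models `ip nat inside source list <acl> interface <if> overload`:
the ACL selects inside local addresses, they share one inside global
address, and (proto, global port, outside addr, outside port) keys the
return path. Unsolicited inbound packets match nothing and are dropped.
Simplified: single global address, no timeouts; all values constructed.
"""
import ipaddress


def acl_permits(acl, ip):
    """Standard ACL match. acl = [("permit"|"deny", source, wildcard), ...];
    a wildcard bit of 1 means 'do not care', so 0.0.0.255 covers a /24.
    Falls through to the implicit deny at the end of every IOS ACL."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, source, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(source)) & care:
            return action == "permit"
    return False


class PatTable:
    def __init__(self, inside_global, acl):
        self.inside_global = inside_global   # address of the outside interface
        self.acl = acl
        self.entries = {}     # (proto, in_local, l_port, outside, o_port) -> global port
        self.reverse = {}     # (proto, global port, outside, o_port) -> (in_local, l_port)
        self.ports_in_use = set()
        self.hits = self.misses = self.dropped = 0

    def _allocate_port(self, wanted):
        # IOS keeps the original source port when it is free; otherwise we take
        # the next free port from 1024 upward (a simplification of the IOS ranges).
        if wanted not in self.ports_in_use:
            return wanted
        for port in range(1024, 65536):
            if port not in self.ports_in_use:
                return port
        raise RuntimeError("no free global ports")

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside. Returns the rewritten (source, port), or None when the
        ACL does not select this source and the packet leaves untranslated."""
        if not acl_permits(self.acl, src):
            return None
        key = (proto, src, sport, dst, dport)
        if key in self.entries:
            self.hits += 1
        else:
            self.misses += 1                 # a miss creates a new translation
            gport = self._allocate_port(sport)
            self.ports_in_use.add(gport)
            self.entries[key] = gport
            self.reverse[(proto, gport, dst, dport)] = (src, sport)
        return self.inside_global, self.entries[key]

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside. Returns the inside (address, port) the packet is
        rewritten to, or None when nothing inside ever opened this flow."""
        hit = None
        if dst == self.inside_global:
            hit = self.reverse.get((proto, dport, src, sport))
        if hit is None:
            self.dropped += 1                # unsolicited: no entry, no path inside
        return hit

    def show(self):
        """Text in the layout of `show ip nat translations` for extended entries."""
        rows = ["Pro Inside global         Inside local          Outside local         Outside global"]
        for (proto, src, sport, dst, dport), gport in self.entries.items():
            rows.append(f"{proto:<3} {self.inside_global + ':' + str(gport):<21} "
                        f"{src + ':' + str(sport):<21} {dst + ':' + str(dport):<21} {dst}:{dport}")
        return "\n".join(rows)


if __name__ == "__main__":
    acl_1 = [("permit", "192.168.10.0", "0.0.0.255")]   # access-list 1 permit 192.168.10.0 0.0.0.255
    nat = PatTable("209.165.200.225", acl_1)
    nat.outbound("tcp", "192.168.10.10", 40000, "209.165.201.1", 80)
    nat.outbound("tcp", "192.168.10.11", 40000, "209.165.201.1", 80)   # same port: gets a new one
    print(nat.show())
    print("return for .11 ->", nat.inbound("tcp", "209.165.201.1", 80, "209.165.200.225", 1024))
    print("unsolicited ssh ->", nat.inbound("tcp", "198.51.100.7", 4444, "209.165.200.225", 22))
    print("10.0.0.5 translated?", nat.outbound("tcp", "10.0.0.5", 1234, "209.165.201.1", 80))
```

The hits and misses counters mirror the two numbers at the bottom of show ip nat statistics: a miss is a packet for which no entry existed yet and one had to be created. The dropped counter has no IOS equivalent in the table itself; it is the traffic an inbound ACL on the outside interface would otherwise be the only record of.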

Clearing the NAT Translation Table

Router#clear ip nat translation *
• Clears all dynamic address translation entries (static entries are not affected). Sessions whose entries are cleared may be disrupted, so on a production router prefer clearing single entries with the forms below.

Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
• Clears a simple dynamic translation entry that contains an inside translation or both an inside and an outside translation

Router#clear ip nat translation outside local-ip global-ip
• Clears a simple dynamic translation entry that contains an outside translation

Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
• Clears an extended dynamic translation entry (the port-level entries that overloading creates)

Displaying Information with show Commands

Router#show ip nat translations
• Displays active translations (IOS also accepts the abbreviated show ip nat translation)

Router#show ip nat translation
Pro  Inside global      Inside local       Outside local      Outside global
---  172.16.131.1       10.10.10.1         ---                ---

• A Pro (protocol) column of --- marks a simple entry that maps addresses only; extended entries created by overloading show tcp or udp and an address:port pair in each column.

Router#show ip nat statistics
• Displays translation statistics

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0

• Hits counts packets that matched an existing translation; Misses counts packets for which no entry existed and a new translation had to be created.

Using the debug ip nat Command

Router#debug ip nat

NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Reading the output:
• s= is the source address and d= the destination; a->b shows the rewrite that was applied. An arrow on s= is an inside-to-outside packet (inside local 192.168.1.95 translated to inside global 172.31.233.209); an arrow on d= is the return packet being translated back.
• The asterisk in NAT* means the translation happened in the fast-switched path; the first packet of a flow is process-switched and creates the entry.
• The number in brackets is the IP identification field of the packet, which lets you match a debug line to the same packet in a capture.
• Debug output is generated for every translated packet and can overload a busy router; run it for a short window and stop it with no debug ip nat (or undebug all).
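As an added example (not from the original slides), the parser below turns debug ip nat lines into records: it reads the s=/d= pairs, treats an arrow on s= as an inside-to-outside packet and an arrow on d= as the return direction, notes whether the line was fast-switched (NAT*) and keeps the bracketed IP identification number, then summarizes per inside host which global address it was mapped to and which outside peers it talked to. The sample input is the eight lines shown on the slide above.

```python
"""Parse `debug ip nat` output into translation records.

Added example, not from the original slides. SAMPLE holds the lines
shown on the slide. An arrow on s= is an inside-to-outside packet
(inside local -> inside global); an arrow on d= is the return packet.
"""
import re
from collections import defaultdict

DEBUG_LINE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))?\s+\[(?P<ipid>\d+)\]$")

SAMPLE = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
"""


def parse_debug_line(line):
    """One debug line -> dict, or None for lines that are not NAT debug output."""
    m = DEBUG_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    if f["s_xlat"]:          # source rewritten: inside local -> inside global, going out
        direction, local, glob, peer = "out", f["s"], f["s_xlat"], f["d"]
    elif f["d_xlat"]:        # destination rewritten: inside global -> inside local, coming back
        direction, local, glob, peer = "in", f["d_xlat"], f["d"], f["s"]
    else:
        return None
    return {"direction": direction, "inside_local": local, "inside_global": glob,
            "outside": peer, "fast_switched": f["fast"] == "*", "ip_id": int(f["ipid"])}


def summarize(text):
    """Per inside local host: the global address(es) it was mapped to, the outside
    peers it exchanged packets with, and counts per direction. A host mapped to
    more than one global address, or a peer seen only inbound, deserves a look."""
    hosts = defaultdict(lambda: {"inside_global": set(), "peers": set(),
                                 "out": 0, "in": 0, "fast_switched": 0})
    for line in text.splitlines():
        rec = parse_debug_line(line)
        if rec is None:
            continue
        h = hosts[rec["inside_local"]]
        h["inside_global"].add(rec["inside_global"])
        h["peers"].add(rec["outside"])
        h[rec["direction"]] += 1
        h["fast_switched"] += rec["fast_switched"]
    return dict(hosts)


if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, "->", ", ".join(sorted(info["inside_global"])),
              f"out={info['out']} in={info['in']} fast={info['fast_switched']}",
              "peers:", ", ".join(sorted(info["peers"])))
```

Because debug output is expensive to produce, the usual workflow is to capture a short window to the logging buffer or a syslog server and run a parser like this over the saved text rather than reading the console live.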

Translation Not Installed in the Translation Table?
Verify that:
– The configuration is correct
– There are no inbound ACLs denying the packets entry to the NAT router
– The ACL referenced by the NAT command is permitting all necessary networks
– There are enough addresses in the NAT pool (show ip nat statistics reports the allocated and missed counts for each pool)
– The router interfaces are appropriately defined as NAT inside or NAT outside

Summary
– NAT enables private IP internetworks that use non-registered (RFC 1918) IP addresses to connect to the Internet. PAT, a feature of NAT, enables several internal addresses to be translated to only one or a few external addresses.
– You can translate your own IP addresses into globally unique IP addresses when you are communicating outside of your network.
– Overloading, also known as PAT, is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports.
– Once NAT is configured, the clear and show commands can be used to verify that it is operating as expected.
– The debug command can be used to troubleshoot NAT connectivity problems.