A number of services can be implemented on a Cisco router, such as NAT/PAT, DNS, DHCP or DHCPv6. This part also covers the concepts of configuring ACLs (access control lists, i.e. filtering lists) in Cisco IOS. These are still simple, fundamental configurations.
PAT, which is also known as NAT overloading, uses 16-bit source port numbers to map and track traffic between an internal host and the Internet. As you can see, the first letter in each acronym denotes the difference between NAT (Network Address Translation) and PAT (Port Address Translation), which should make it easier for you to remember which does what.
What are NAT and PAT? Explained with the configuration of NAT with PAT in Cisco Packet Tracer. We will also enable PAT, as it immensely increases the capability of NAT. NAT (Network Address Translation) is used to translate the
Document too old, so prefer the Cisco SAFE guides or the excellent recommendations and guides from ANSSI. Documents used: Cisco Guide to Harden Cisco IOS Devices (PDF file); UREC: Sécurité des systèmes et des réseaux; Secuser.com, the free guides; Configuration
One of these solutions, widely deployed, is Network Address Translation (NAT). NAT is a mechanism for conserving registered IP addresses in large networks and for simplifying IP address management. When a packet is routed by a network device, usually a firewall
Published on August 6th, 2019.

IP Addressing: NAT Configuration Guide, Cisco IOS XE Gibraltar

The Network Address Translation 46 (NAT46) feature solves IPv4-to-IPv6 connectivity by providing a mechanism for connectivity of IPv4 hosts to the IPv6 Internet when dual-stack and IPv6 tunneling solutions cannot be used.

Note: NAT46 is supported only on Cisco ISR 4000 platforms.

Contents:
- Feature Information for Connectivity Between IPv4 and IPv6 Hosts Using Stateless NAT46
- Restrictions for NAT46
- Information About NAT46
- Configuring Network Address Translation 46
- Verifying the NAT46 Configuration

Feature Information for Connectivity Between IPv4 and IPv6 Hosts Using Stateless NAT46

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support.

Table 1. Feature Information for Connectivity Between IPv4 and IPv6 Hosts Using Stateless NAT46
  Feature name: Connectivity Between IPv4 and IPv6 Hosts Using Stateless NAT46
  Releases: Cisco IOS XE Gibraltar Release
  Feature information: The NAT46 feature solves IPv4-to-IPv6 connectivity by providing a mechanism for connectivity of IPv4 hosts to the IPv6 Internet when dual-stack and IPv6 tunneling solutions cannot be used. Note: NAT46 is supported only on Cisco ISR 4000 platforms.

Restrictions for NAT46
- Only the Domain Name System (DNS) application layer gateway (ALG) is supported.
- Fragmented packets are not supported.
- Maximum Transmission Unit (MTU) discovery after converting to IPv6 packets is not supported.
- Virtual Routing and Forwarding (VRF)-aware NAT46 is not supported.
- NAT44 (static, dynamic and PAT) configuration and stateful NAT46 configuration are not supported on the same interface.
- High-Speed Logging (HSL) is not supported.
- Several IPv4 stateful features (PBR, ZBFW, WAAS, WCCP, NBAR, and so on) do not work after converting to IPv6 packets and are not supported.
- High availability is not supported.

Information About NAT46

Overview of NAT46

The NAT46 solution solves IPv4 host to IPv6 Internet connectivity. IPv4 hosts trying to reach a server first initiate a DNS type A query packet. The NAT46 router changes this to a type AAAA query. When the query response is received, NAT46 retrieves the IPv6 address from the response packet. An IPv4 address is allocated from the configured NAT46 pool and an address binding is created between the retrieved IPv6 address and the allocated IPv4 address. A DNS response carrying the IPv4 address is sent to the IPv4 host. The source address of packets originating from IPv4 hosts is converted using the configured NAT46 IPv6 prefix. The destination IPv4 address is translated to the IPv6 address using the pool address binding created during the DNS packet flow.

Example:
  Configured prefix         | IPv4 address | IPv4-embedded IPv6 address
  2002:0DB8::/96            |              | 2002:0DB8::C000:221

Scalability on NAT46

There is no limitation to the number of private IPv4 addresses that can be supported because no sessions are maintained. The number of IPv6 hosts that can be represented by the IPv4 pool address should be scalable up to 40,000.

NAT46 Prefix

The NAT46 prefix cannot be the same as the interface prefix. Neighbor Discovery (Neighbor/Router Solicitation) messages for the addresses in the NAT46 prefix are not answered by the NAT46 router; hence the NAT46 prefix cannot be the same as the interface prefix. If a larger network (a prefix shorter than /96) is obtained from the service provider, the network can be subdivided into multiple smaller networks and the NAT46 prefix can be configured with a smaller network prefix (96 bits). In addition, the NAT46 router needs to be configured as the gateway or next-hop router for the IPv6 hosts on an adjacent router of the service provider network.

Configuring Network Address Translation 46

Procedure:

Step 1: enable
  Device> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Device# configure terminal
  Enters global configuration mode.

Step 3: interface type number
  Device(config)# interface gigabitethernet 1/2/0
  Configures an interface and enters interface configuration mode.

Step 4: ip address ip-address mask
  Device(config-if)# ip address
  Configures an IPv4 address for the interface.

Step 5: nat64 enable
  Device(config-if)# nat64 enable
  Enables NAT46 translation on an IPv4 interface.

Step 6: exit
  Device(config-if)# exit
  Exits interface configuration mode and enters global configuration mode.

Step 7: interface type number
  Device(config)# interface gigabitethernet 0/0/0
  Configures an interface and enters interface configuration mode.

Step 8: ipv6 enable
  Device(config-if)# ipv6 enable
  Enables IPv6 processing on the interface.

Step 9: ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
  Device(config-if)# ipv6 address 2001:DB8:1::1/96
  Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on the interface.

Step 10: nat64 enable
  Device(config-if)# nat64 enable
  Enables NAT46 translation on an IPv6 interface.

Step 11: exit
  Device(config-if)# exit
  Exits interface configuration mode and enters global configuration mode.

Step 12: nat64 settings nat46 enable
  Device(config)# nat64 settings nat46 enable
  Enables NAT46 in the NAT64 settings.

Step 13: nat46 v6 prefix ipv6-prefix/prefix-length
  Device(config)# nat46 v6 prefix 2001::/96
  Configures the NAT46 IPv6 prefix.

Step 14: nat46 v4 pool pool-name pool-address-range
  Device(config)# nat46 v4 pool nat46_pool
  Configures the NAT46 pool address range.

Step 15: end
  Device(config)# end
  Exits global configuration mode and returns to privileged EXEC mode.

Verifying the NAT46 Configuration

Use the show nat64 statistics command to view the NAT46 statistics. The following is sample output of the command:

  Router# show nat64 statistics
  NAT64 Statistics
  Total active translations: 0 (0 static, 0 dynamic; 0 extended)
  Sessions found: 0
  Sessions created: 0
  Expired translations: 0
  Global Stats:
    Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 0
      MAP-T: 0
      NAT46: 30
    Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 0
      MAP-T: 0
      NAT46: 30
With static NAT, routers or firewalls translate one private IP address to a single public IP address: each private IP address is mapped to exactly one public IP address. Static NAT is not often used because it requires one public IP address for each private IP address.

To configure static NAT, three steps are required:
1. configure the private/public IP address mapping with the ip nat inside source static PRIVATE_IP PUBLIC_IP command;
2. configure the router's inside interface with the ip nat inside command;
3. configure the router's outside interface with the ip nat outside command.

Here is an example. Computer A requests a web resource from S1. Computer A uses its private IP address when sending the request to router R1. Router R1 receives the request, changes the private IP address to the public one, and sends the request to S1. S1 responds to R1. R1 receives the response, looks it up in its NAT table, and changes the destination IP address to the private IP address of Computer A.

For the example above, we need to configure static NAT. To do that, the following commands are required on R1:

  R1(config)# ip nat inside source static
  R1(config)# interface fastEthernet 0/0
  R1(config-if)# ip nat inside
  R1(config-if)# interface fastEthernet 0/1
  R1(config-if)# ip nat outside

Using the commands above, we have configured a static mapping between Computer A's private IP address and router R1's public IP address. To check NAT, you can use the show ip nat translations command:

  R1# show ip nat translations
  Pro  Inside global  Inside local  Outside local  Outside global
  icmp  -  -  -
PAT (Port Address Translation) uses port numbers to convert private IP addresses to global IP addresses.

How to Configure NAT PAT on a Cisco Router

PAT is the most commonly used method compared with static NAT and dynamic NAT configuration. It is often used by home users or small businesses: ADSL modems access the Internet with a single ISP IP address. PAT is applied when all computers on the local network access the Internet with a single global IP address; it is also called NAT Overload. When a computer on the local network or a remote network sends a packet to the destination computer, the port number is added to the IP address. By default, PAT is enabled on the ADSL modem used by home users.

To enable PAT with Packet Tracer, follow the steps below.

Step 1: First open the Cisco simulator program and create a topology as in the image below, then assign IP addresses to the devices and add comments to the workspace.

Step 2: Configure the TCP/IP settings of PC0 and PC1 as follows.

Step 3: To enable PAT at the Cisco router's CLI prompt, run the following commands in conf t mode:

  Router(config)# interface gigabitethernet 0/0
  Router(config-if)# ip address
  Router(config-if)# ip nat inside
  Router(config-if)# no shutdown
  Router(config-if)# exit
  Router(config)# interface gigabitethernet 0/1
  Router(config-if)# ip address
  Router(config-if)# ip nat outside
  Router(config-if)# no shutdown
  Router(config-if)# exit
  Router(config)# access-list 1 permit
  Router(config)# ip nat inside source list 1 interface gigabitethernet0/1 overload
  Router(config)# end
  Router# wr

Step 4: After configuring PAT, test the network connection by pinging the IP address from the computers on the local network. The computers on the local network have successfully connected to the Cisco router R1, as in the following image.

Step 5: Click Router0 and execute the show ip nat translations command in privileged mode and examine the NAT table.

NAT commands:

  Router0# show ip nat translations
  Pro  Inside global  Inside local  Outside local  Outside global
  icmp
  icmp
  icmp
  icmp
  icmp
  icmp
  icmp

  Router0# show ip nat statistics
  Total translations: 0 (0 static, 0 dynamic, 0 extended)
  Outside Interfaces: GigabitEthernet0/1
  Inside Interfaces: GigabitEthernet0/0
  Hits: 7  Misses: 8
  Expired translations: 8
  Dynamic mappings:

  Router0# show running-config
  Building configuration...

  Current configuration : 772 bytes
  !
  version
  no service timestamps log datetime msec
  no service timestamps debug datetime msec
  no service password-encryption
  !
  hostname Router
  !
  ip cef
  no ipv6 cef
  !
  license udi pid CISCO1941/K9 sn FTX1524V4OL
  !
  spanning-tree mode pvst
  !
  interface GigabitEthernet0/0
   ip address
   ip nat inside
   duplex auto
   speed auto
  !
  interface GigabitEthernet0/1
   ip address
   ip nat outside
   duplex auto
   speed auto
  !
  interface Vlan1
   no ip address
   shutdown
  !
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  ip classless
  !
  ip flow-export version 9
  !
  !
  access-list 1 permit
  !
  !
  line con 0
  !
  line aux 0
  !
  line vty 0 4
   login
  !
  !
  end

  Router1# show running-config
  Building configuration...

  Current configuration : 617 bytes
  !
  version
  no service timestamps log datetime msec
  no service timestamps debug datetime msec
  no service password-encryption
  !
  hostname Router
  !
  !
  ip cef
  no ipv6 cef
  !
  !
  license udi pid CISCO1941/K9 sn FTX15247004
  !
  !
  spanning-tree mode pvst
  !
  !
  interface GigabitEthernet0/0
   ip address
   duplex auto
   speed auto
  !
  interface GigabitEthernet0/1
   no ip address
   duplex auto
   speed auto
   shutdown
  !
  interface Vlan1
   no ip address
   shutdown
  !
  ip classless
  !
  ip flow-export version 9
  !
  !
  line con 0
  !
  line aux 0
  !
  line vty 0 4
   login
  !
  !
  end

Final Word

In this article, we have examined how to configure NAT PAT with simulator software. The PAT process is the most widely used method; it uses more than 64,000 port numbers, so it is unlikely that the router's addresses will be exhausted.
For multipoint, all links are in a single subnet.

Rule:
  Router(config)# interface type number
  Router(config-if)# no shutdown
  Router(config-if)# ip address ip-address mask
  Router(config-if)# encapsulation frame-relay
  Router(config-if)# frame-relay map ip ip-address dlci broadcast

Verification:
  Router# show frame-relay map

On the cloud: create the DLCIs on the interfaces, then on the Frame Relay tab link the DLCIs together.

Example, on the Hub:
  Hub(config)# interface serial 0/0
  Hub(config-if)# no shutdown
  Hub(config-if)# ip address
  Hub(config-if)# encapsulation frame-relay
  Hub(config-if)# frame-relay map ip 102 broadcast
  Hub(config-if)# frame-relay map ip 103 broadcast
  Hub(config-if)# exit

On Spoke1:
  Spoke1(config)# interface serial 0/0
  Spoke1(config-if)# no shutdown
  Spoke1(config-if)# ip address
  Spoke1(config-if)# encapsulation frame-relay
  Spoke1(config-if)# frame-relay map ip 201 broadcast
  Spoke1(config-if)# exit

On Spoke2:
  Spoke2(config)# interface serial 0/0
  Spoke2(config-if)# no shutdown
  Spoke2(config-if)# ip address
  Spoke2(config-if)# encapsulation frame-relay
  Spoke2(config-if)# frame-relay map ip 301 broadcast
  Spoke2(config-if)# exit
Configuring NAT for multiple VLANs on a Cisco router is a challenge that many inexperienced Cisco network engineers have had to contend with at one stage of their careers or another. While NAT implementation is really not a big deal, its successful implementation on a Cisco router configured for multiple VLANs can cause you grief if you do not know what you are doing. In my previous post, I showed how to configure DHCP on a Cisco router with multiple VLANs. In this post, using a slightly modified version of the previous network topology, I will show how to configure NAT for multiple VLANs on a Cisco router.

Network topology

Objective

Our objective in this lab is to configure NAT for the three VLANs represented in the network topology. We can NAT all three VLANs to one public IP or to separate public IPs. For this demonstration, each VLAN will be NATed to the public IP on the WAN interface of the router. Public IPs to be used in the NAT for multiple VLANs: one private subnet and one public IP each for Vlan 10, Vlan 20 and Vlan 30.

Configuring NAT for multiple VLANs

First, we create three access-lists to match the private subnets.

  Router(config)# access-list 10 permit
  Router(config)# access-list 20 permit
  Router(config)# access-list 30 permit

Next, we create a pool for the VLANs.

  Router(config)# ip nat pool timigate netmask

Configure the NAT statements. Each statement references the corresponding access-list and the NAT pool for that VLAN.

  Router(config)# ip nat inside source list 10 pool timigate overload
  Router(config)# ip nat inside source list 20 pool timigate overload
  Router(config)# ip nat inside source list 30 pool timigate overload

The final step is to define the inside and outside interfaces. This is where most people run into trouble: they use the physical interface instead of the sub-interfaces. Where sub-interfaces are used for VLANs, these sub-interfaces must be defined and used as the NAT inside interfaces.

  Router(config)# int f0/1
  Router(config-if)# ip nat outside
  Router(config-if)# int f0/
  Router(config-subif)# ip nat inside
  Router(config-subif)# int f0/
  Router(config-subif)# ip nat inside
  Router(config-subif)# int f0/
  Router(config-subif)# ip nat inside

Verification

To verify that NAT is working as it should, we turn on debugging on the router using the debug ip nat command. After that, we run a ping from the computers on the LAN to the ISP router. The following output is displayed on the core router. From that output, we can see the inside source address being translated to the public address as it heads out to the destination, and on the second line we see the reverse process: the reply addressed to the public address is translated back before it is delivered to the inside host.
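To show the whole multi-VLAN procedure in one place, here is an added, complete configuration that is not the post's own: it uses constructed addresses from the RFC 5737 and RFC 1918 documentation ranges (192.168.10/20/30.0/24 for the three VLANs, 198.51.100.1/30 on the WAN side, 203.0.113.10 as the shared public address), and the interface numbers and the pool name PUBLIC_POOL are assumptions.

```cisco
! Added example (not from the original post): NAT overload for three VLANs
! on router-on-a-stick sub-interfaces. Every address below is constructed
! from the RFC 5737 / RFC 1918 documentation ranges.
!
! WAN uplink: the only interface marked "ip nat outside".
interface GigabitEthernet0/1
 description Uplink to ISP (constructed addressing)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 no shutdown
!
! Trunk to the switch. The physical interface carries no IP address and
! deliberately gets no "ip nat inside": the inside/outside decision is
! made on the sub-interface that actually receives each VLAN's traffic.
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! One standard ACL per VLAN. The wildcard masks restrict translation to
! exactly these subnets, so a host with any other source address is
! simply not translated instead of silently borrowing the public IP.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
!
! A single public address shared by all three VLANs through PAT
! ("overload"); the pool name PUBLIC_POOL is an assumption.
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 10 pool PUBLIC_POOL overload
ip nat inside source list 20 pool PUBLIC_POOL overload
ip nat inside source list 30 pool PUBLIC_POOL overload
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Check: "show ip nat statistics" must list all three sub-interfaces
! under "Inside Interfaces"; "show ip nat translations" then shows each
! VLAN's hosts mapped to 203.0.113.10 with distinct ports.
```

If a sub-interface is missing from the "Inside Interfaces" line of show ip nat statistics, hosts in that VLAN leave the router with their private source address and their replies never come back, which is the symptom the post describes.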