PT Advanced NAT –Static NAT and Static PAT v4

Open the PT file called PT Advanced NAT.pkt

This version of the lab instructions does not show all the screen shots when testing

Task 2 Static NAT, Static PAT

Click on the cloud called Static NAT

Task2A Configure Static NAT on the router R-SNAT to satisfy the following
requirement:

 The FTP server (10.1.1.101) is statically translated to the public address

208.8.8.201

!R-SNAT
ip nat inside source static 10.1.1.101 208.8.8.201

 On R_SNAT, the command show ip nat translation shows the static NAT entry

 Use this entry so that the FTP server can browse the cisco.com server.
This successful browse produces a tcp port 80 entry associated with the static
entry

 Confirm that a static NAT entry is bidirectional,

=> The outside PC can browse the FTP server (DNS name is ftp)
 The browse is successful
 This successful browse produces a tcp port 80 entry associated with the
static entry

PT Static NAT,PAT v4 1 of 5 Rudy Drew

We just tested the direction Outside to inside from the outside PC to the inside FTP
server

Now test the other direction Inside to Ouside from the inside FTP server
to the outside PC.

 the inside FTP server can ping the outside PC.

 This successful ping produces an icmp entry associated with the static entry

Notice that the static entry does not specify any port numbers. This is why it is a staic
NAT entry rather than a static PAT entry.

Let us check that any application can use this static NAT entry. We will use FTP to test
this static entry

Check
 PC1 Outside can FTP to myftp.com and can successfully login using username
cisco password cisco

 On R_SNAT, the command show ip nat translation shows the static entry for
the FTP server mapping and a related FTP control entry from the outside PC1

Use the dir command to view the files on the FTP server

 On R_SNAT, the command show ip nat translation shows the static entry for
the FTP server mapping and a related entry for the ftp data connection from the
outside PC1
note: You don’t need to know why the port being used is not port 20
It is related to Active or Passive FTP mode.

PT Static NAT,PAT v4 2 of 5 Rudy Drew

  On the R1-NAT router, clear the NAT table

!R1-NAT
clear ip nat translation *

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On the R1-NAT router, clear the access list counters and clear the NAT table

!R1-NAT
clear access-list counters
clear ip nat translation *

Task2B part 1
In this example, PCs on the outside will use the same public address to access
two different internal servers. We will use port numbers to decide which internal
server is chosen

Configure Static PAT on the router R-SNAT to satisfy the following requirements:

 The HTTP server (10.1.1.100) is statically translated to the public address

208.8.8.200, but only for port 80 browsing
 The HTTPS server (10.1.1.105) is statically translated to the public address
208.8.8.200, but only for port 443 browsing

!R-SNAT
ip nat inside source static tcp 10.1.1.100 80 208.8.8.200 80
!
ip nat inside source static tcp 10.1.1.105 443 208.8.8.200 443

Check
 PC1 Outside can browse to the public address 208.8.8.200 and a web page
displays for the HTTP server

 PC1 Outside can securely browse to the public address 208.8.8.200 and a web
page displays for the HTTPS server

 On R_SNAT, the command show ip nat translation shows the static entry for
the port 80 mapping and a related entry for the browse from the outside PC1

 On R_SNAT, the command show ip nat translation shows the static entry for
the port 443 mapping and a related entry for the browse from the outside PC1

Clear the nat transation table dynamic entries

R-SNAT1#clear ip nat translation *

PT Static NAT,PAT v4 3 of 5 Rudy Drew

 Task2B part 2
So far, our static PAT has changed the ip address but left the port unchanged.
Now, we will try to change the port also.

Configure Static PAT on the router R-SNAT to satisfy the following

requirements:
Clients on the outside can browse to the Log server (10.1.1.106) under these
conditions

 To access the Log server, the clients must use the public address 208.8.8.210.
 Outside PCs must use http to request access but this port 80 request must be
changed to a port 8080 which is often used as a proxy port for port 80 in internal
networks

!R-SNAT
ip nat inside source static tcp 10.1.1.106 8080 208.8.8.210 80

 On the outside PC, browse port 80 to 208.8.8.210

On PT this will fail ...of course…. We can’t modify browsing on a
Packet Tracer server to listen on non-standard ports like 8080

 On R_SNAT, the command show ip nat translation shows the static

PAT entry

Task 2B part 3
In Task 2B part 1, PCs on the outside used the same public address to access
two different internal servers.
In this example we will use two different public addresses but both will send
packets to the same internal server.

Configure Static PAT on the router R-SNAT to satisfy the following

requirements:
Clients on the outside can access the TFTP server (10.1.1.107) under these
conditions

 To access the Logging server using port 443, the clients must use the public
address 208.8.8.220.
To access the Logging server using port 80, the clients must use the public
address 208.8.8.230

!R-SNAT
ip nat inside source static tcp 10.1.1.106 443 208.8.8.220 443
!
ip nat inside source static tcp 10.1.1.106 80 208.8.8.230 80

 On the outside PC, browse port 80 to 208.8.8.230

 On R_SNAT, the command show ip nat translation shows the static

PAT entry

 On the outside PC, browse port 80 to 208.8.8.220 fails

PT Static NAT,PAT v4 4 of 5 Rudy Drew

  On the outside PC, secure browse port 443 to 208.8.8.220

 On R_SNAT, the command show ip nat translation shows the static

PAT entry

PT Static NAT,PAT v4 5 of 5 Rudy Drew