Support - Technologie WAN (Lecture 2) (1)

The document covers the operation, configuration, and troubleshooting of IPv4 Access Control Lists (ACLs) in small to medium-sized business networks. It explains the purpose of ACLs, their filtering capabilities, the use of wildcard masks, and best practices for implementation. Additionally, it discusses the differences between standard and extended ACLs, as well as common errors and troubleshooting techniques related to ACLs.

Uploaded by

AZZOUZI YASSINE

Module

« WAN Network Technologies »

Module element: Switching and Dynamic Routing

Programme: RST – S7

Prof. Chaïmaâ KISSI
IPv4 Switching & Routing
 ACL Operation
• Purpose and operation of ACLs in small to medium-sized business networks:
- How ACLs filter traffic
- How ACLs use wildcard masks
- How to create ACLs
- How to place ACLs
 Standard IPv4 ACLs
• Configure standard IPv4 ACLs to filter traffic in a small to medium-sized business network:
- Configure standard IPv4 ACLs to filter traffic to meet networking requirements
- Use sequence numbers to edit existing standard IPv4 ACLs
- Configure a standard ACL to secure VTY access
 Troubleshoot ACLs
• How a router processes packets when an ACL is applied
• Troubleshoot common standard IPv4 ACL errors using CLI commands
 What is an ACL?
• An ACL is a series of IOS commands that control whether a router forwards or drops packets based on information found in
the packet header.
 ACLs are not configured by default on a router.
 Tasks performed by ACLs
• Limit network traffic to increase network performance.
 For example, video traffic could be blocked if it's not permitted.
• Provide traffic flow control.
 ACLs can help verify routing updates are from a known source.
• ACLs provide security for network access and can block a host or a network.
• Filter traffic based on traffic type such as Telnet traffic.
• Screen hosts to permit or deny access to network services such as FTP or HTTP.
 Packet Filtering
• An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).
 ACEs are commonly called ACL statements
 Definition
• When network traffic passes through an interface configured with an ACL, the router compares the information within the
packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs.
• This is referred to as packet filtering.
 Tasks
Packet filtering:
- Can analyze incoming and/or outgoing packets.
- Can occur at Layer 3 or Layer 4.
Important remark!
• The last statement of an ACL is always an implicit deny.
• This is automatically inserted at the end of each ACL and blocks all traffic. Because of this, all ACLs should have at least one permit statement.
 Inbound vs Outbound ACL
• ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the
router, and packets that exit outbound interfaces of the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic:
- Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface.
- Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
 ACL Wildcard Masking
• IPv4 ACLs require the use of wildcard masks.
 Definition
• A wildcard mask is a string of 32 binary digits (1s and 0s) used by the router to determine which bits of the address to
examine for a match.
• Wildcard masks are often referred to as inverse masks: unlike a subnet mask, where a binary 1 marks a bit that must match, in a wildcard mask a binary 0 marks a bit that must match (and a binary 1 marks a bit that is ignored).
 Examples
• This section works through examples of wildcard masks that match IPv4 hosts and subnets. Calculating the wildcard mask that matches an IPv4 subnet takes practice.

 Example 1: The wildcard mask stipulates that every bit in the IPv4 address 192.168.1.1 must match exactly.

 Example 2: The wildcard mask stipulates that anything will match.

 Example 3: The wildcard mask stipulates that any host within the 192.168.1.0/24 network will match.
 Calculating the Wildcard Mask
• Example 1
- Assume you want to permit access to all users in the 192.168.3.0 network with the subnet mask of 255.255.255.0.
- Subtract the subnet mask from 255.255.255.255 and the result is 0.0.0.255.
• Example 2
- Assume you want to permit network access for the 14 users in the subnet 192.168.3.32/28 with the subnet mask of 255.255.255.240.
- After subtracting the subnet mask from 255.255.255.255, the result is 0.0.0.15.
• Example 3
- Assume you want to match only networks 192.168.10.0 and 192.168.11.0 with the subnet mask of 255.255.254.0.
- After subtracting the subnet mask from 255.255.255.255, the result is 0.0.1.255.
 Wildcard Mask Keywords
• To make wildcard masks easier to read, the keywords host and any can help identify the most common uses of wildcard masking.
• host substitutes for the 0.0.0.0 mask
• any substitutes for the 255.255.255.255 mask
Easy tips!
• If you would like to match the 192.168.10.10 address:
- you could use 192.168.10.10 0.0.0.0, or
- you can use: host 192.168.10.10
• In Example 2, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself.
 Example of Wildcard Mask Keywords
• The figure demonstrates how to use the any keyword to substitute for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255.
• The figure shows how to use the host keyword to substitute for the wildcard mask when identifying a single host.
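As an added worked example (not part of the lecture slides), the Python code below performs the subtraction from 255.255.255.255 described above, tests an address against an address/wildcard pair bit by bit, and expands the host and any keywords; all function names are my own.

```python
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (the lecture's rule)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Same calculation starting from a /N prefix length (e.g. /28 -> 0.0.0.15)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF if prefix_len else 0
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ mask))

def matches(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Bit-level ACE test: wildcard bit 0 = bit must match, wildcard bit 1 = ignored."""
    a = int(ipaddress.IPv4Address(addr))
    t = int(ipaddress.IPv4Address(ace_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ t) & ~w & 0xFFFFFFFF == 0

def expand_keyword(token: str, arg: str = "") -> tuple:
    """'host A' -> (A, 0.0.0.0); 'any' -> (0.0.0.0, 255.255.255.255)."""
    if token == "host":
        return arg, "0.0.0.0"
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    raise ValueError(f"unknown keyword {token!r}")

def to_keyword(ace_addr: str, wildcard: str) -> str:
    """Inverse of expand_keyword: the short form IOS prints in show access-lists."""
    if wildcard == "0.0.0.0":
        return f"host {ace_addr}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{ace_addr} {wildcard}"

def addresses_covered(wildcard: str) -> int:
    """How many addresses an address/wildcard pair matches: 2 ** (number of 1 bits).
    The /28 wildcard 0.0.0.15 covers 16 addresses: the 14 hosts plus network and broadcast."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")
```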
 Guidelines for Creating ACLs
• The general guidelines for creating ACLs are summarized in the following steps:
- Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
- Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of
your internal network.
- Configure ACLs on border routers such as those situated at the edge of your network. This will provide a basic buffer from
the outside network that is less controlled.
- Configure ACLs for each network protocol configured on the border router interfaces.
 ACL traffic filtering on a Router
Important remark!
With 2 interfaces and 2 protocols running, 8 separate ACLs can be applied (2 interfaces × 2 protocols × 2 directions).
Rules for applying ACLs!
You can only have 1 ACL per protocol, per interface and per direction:
- 1 ACL per protocol (IPv4 or IPv6)
- 1 ACL per direction (in or out)
- 1 ACL per interface (G0/0, ...)
 ACL Best Practices
Important remark!
Using ACLs requires significant attention to detail. Mistakes can be very costly in terms of downtime, troubleshooting efforts, and poor network performance.
 Standard vs Extended ACLs
• The proper placement of an ACL can make the network operate more efficiently. For example, an ACL can be placed to reduce unnecessary traffic => every ACL should be placed where it has the greatest impact on efficiency.
- Standard ACLs: Since standard ACLs do not specify destination addresses, they should be configured as close to the destination as possible.
- Extended ACLs: Configure extended ACLs as close as possible to the source of the traffic to be filtered. This stops undesirable traffic close to its source, before it crosses the network infrastructure.
 Example of Standard ACL Placement
• This example demonstrates the proper placement of the standard ACL that is configured to block traffic from the
192.168.10.0/24 network to the 192.168.30.0/24 network.
• There are two possible places to configure the access-list on R3.
• If the access list is applied to the S0/0/1 interface, it will block traffic to the 192.168.30.0/24 network, but also traffic going to the 192.168.31.0/24 network.
• The best place to apply the access list is on R3's G0/0 interface. The access list should be applied to traffic exiting the G0/0 interface. Packets from 192.168.10.0/24 can still reach 192.168.31.0/24.
 Standard IPv4 ACL Syntax
• The access-list global configuration command defines a standard ACL with a number in the range of 1 through 99.
• The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
• To remove the ACL, the global configuration no access-list command is used. Use the show access-lists command to verify the removal of the ACL.
 Applying Standard IPv4 ACLs to Interfaces
• After a standard IPv4 ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
• To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.
 Standard IPv4 ACL Examples
 Example 1
• The figure shows an example of an ACL that permits traffic from a specific subnet but denies traffic from a specific host on
that subnet.
• Each line of the command set entered on the CLI (Command Line Interface) is described below:
- The no access-list 1 command deletes the previous version of ACL 1.
- The next ACL statement denies the host 192.168.10.10.
- What is another way to write this command without using host?
- All other hosts on the 192.168.10.0/24 network are then permitted.
- There is an implicit deny statement that matches every other network.
- Next, the ACL is reapplied to the interface in an outbound direction.
 Standard IPv4 ACL Examples
 Example 2
• This example demonstrates an ACL that denies a specific host but will permit all other traffic.
• Each line of the command set entered on the CLI (Command Line Interface) is described below:
- The first ACL statement deletes the previous version of ACL 1.
- The next command, with the deny keyword, will deny traffic from the PC1 host that is located at 192.168.10.10.
- The access-list 1 permit any statement will permit all other hosts.
- This ACL is applied to interface G0/0 in the inbound direction since it only affects the 192.168.10.0/24 LAN.
 Named Standard IPv4 ACL Syntax
• In fact, identifying an ACL with a name rather than with a number makes it easier to understand its function.
• The example shows how to configure a named standard access list. Notice how the commands are slightly different:
- Use the ip access-list command to create a named ACL. Names are alphanumeric, case sensitive, and must be unique.
- Use permit or deny statements as needed. You can also use the remark command to add comments.
- Apply the ACL to an interface using the ip access-group name command.
 Modify IPv4 ACLs
 Method 1 : Use Sequence Numbers
• The figure demonstrates the steps used to make changes to a numbered ACL using sequence numbers.
• Step 1 identifies the problem:
- The deny 192.168.10.99 statement is incorrect.
- The host to deny should be 192.168.10.10.
• To make the edit, Step 2 shows how to enter standard access-list 1 and make the change.
- The misconfigured statement had to be deleted with the no command: no 10
- Once it was deleted, the new statement with the correct host was added: 10 deny host 192.168.10.10
 Modify IPv4 ACLs
 Method 2 : Editing Standard Named ACLs
• By referring to statement sequence numbers, individual statements can be easily inserted or deleted.
• The figure shows an example of how to insert a line into a named ACL.
• By numbering it 15, the command is placed between statements 10 and 20.
• Please notice that when the ACL was originally created, the network administrator spaced each command by 10 which left
room for edits and additions.
• The no sequence-number named ACL command is used to delete individual statements.
 Verifying ACLs
• Use the show ip interface command to verify that the ACL is applied to the correct interface.
• The output will display the name of the access list and the direction in which it was applied to the interface.
• Use the show access-lists command to display the access-lists configured on the router.
• Notice how the sequence is displayed out of order for the NO_ACCESS access list.
 Securing VTY ports with a Standard IPv4 ACL
• The access-class command is used to secure VTY ports with a standard IPv4 ACL.
• Administrative VTY access to Cisco devices should be restricted to help improve security.
• Restricting VTY access is a technique that allows you to define which IP addresses are allowed remote access to the router EXEC process.
• The access-class command configured in line configuration mode will restrict incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.
Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }
 Securing VTY ports with a Standard IPv4 ACL
 Security verification
• Verification of the ACL configuration used to restrict VTY access is important.
• The figure shows two devices trying to SSH into two different devices.
• The show access-lists command output shows the results after the SSH attempts by PC1 and PC2.
• Notice the match counts on the permit and the deny statements.
• SSH attempt results:
 Troubleshoot ACLs
 Implicit Deny Any
• A single-entry ACL with only one deny entry has the effect of denying all traffic.
• At least one permit ACE must be configured in an ACL or all traffic will be blocked.
Question!
Study the two ACLs in the figure.
Will the results be the same or different?
 Troubleshoot ACLs
 Order of ACEs in an ACL
• The order in which ACEs are configured is important since ACEs are processed sequentially.
• The figure demonstrates a conflict between two statements since they are in the wrong order.
Why?
• The first deny statement blocks everything in the 192.168.10.0/24 network.
• However, the second permit statement is attempting to allow host 192.168.10.10 through.
• This statement is rejected since it is a subset of the previous statement.
• Reversing the order of these two statements will solve the problem.
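Added example, not from the lecture: a small Python model of a standard IPv4 ACL and of the router's inbound-ACL / route lookup / outbound-ACL pipeline. It reproduces the implicit deny, the wrong-order problem on this slide, and the R3 placement example (G0/0 outbound versus S0/0/1 inbound); the class and function names and the route table given to R3 are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    addr: int
    wildcard: int
    matches: int = 0   # hit counter, like "(N matches)" in show access-lists

    def hit(self, src: int) -> bool:
        # wildcard bit 0: bit must match; wildcard bit 1: bit is ignored
        return (src ^ self.addr) & ~self.wildcard & 0xFFFFFFFF == 0

class StandardAcl:
    """Source-address-only list, first match wins, implicit 'deny any' at the end."""

    def __init__(self, name: str):
        self.name = name
        self.aces = []

    def add(self, line: str, seq: int = 0) -> None:
        # Accepted IOS forms: "permit any", "deny host A", "permit A WILDCARD"
        action, *rest = line.split()
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = ip_int(rest[1]), 0
        else:
            addr, wild = ip_int(rest[0]), ip_int(rest[1]) if len(rest) > 1 else 0
        seq = seq or (self.aces[-1].seq + 10 if self.aces else 10)  # IOS numbers by 10
        self.aces.append(Ace(seq, action, addr, wild))
        self.aces.sort(key=lambda a: a.seq)  # sequence number = processing order

    def evaluate(self, src_ip: str) -> str:
        src = ip_int(src_ip)
        for ace in self.aces:
            if ace.hit(src):
                ace.matches += 1
                return ace.action
        return "deny"  # implicit deny any: never displayed, always present

class Router:
    """Inbound ACL -> route lookup -> outbound ACL, as in the routing-process figure."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: -r[1])  # (network, prefix, exit if)
        self.acls = {}  # (interface, "in" | "out") -> StandardAcl

    def access_group(self, interface: str, direction: str, acl: StandardAcl) -> None:
        self.acls[(interface, direction)] = acl  # one ACL per interface per direction

    def forward(self, in_if: str, src: str, dst: str) -> str:
        acl = self.acls.get((in_if, "in"))
        if acl and acl.evaluate(src) == "deny":
            return "dropped by inbound ACL"
        d = ipaddress.ip_address(dst)
        out_if = next((r[2] for r in self.routes
                       if d in ipaddress.ip_network(f"{r[0]}/{r[1]}")), None)
        if out_if is None:
            return "no route"
        acl = self.acls.get((out_if, "out"))
        if acl and acl.evaluate(src) == "deny":
            return "dropped by outbound ACL"
        return f"forwarded via {out_if}"

def order_error_demo():
    """Deny the /24 before permitting host .10: the host ACE is never reached
    (IOS itself rejects such an ACE as a subset of the previous one). Reversed, it works."""
    wrong, fixed = StandardAcl("WRONG"), StandardAcl("FIXED")
    wrong.add("deny 192.168.10.0 0.0.0.255")
    wrong.add("permit host 192.168.10.10")
    fixed.add("permit host 192.168.10.10")
    fixed.add("deny 192.168.10.0 0.0.0.255")
    return wrong.evaluate("192.168.10.10"), fixed.evaluate("192.168.10.10")

def implicit_deny_demo() -> str:
    """A list with a single deny ACE denies every source, not only the listed one."""
    acl = StandardAcl("ONLY_DENY")
    acl.add("deny host 192.168.10.10")
    return acl.evaluate("192.168.10.20")

def placement_demo():
    """R3 must block 192.168.10.0/24 -> 192.168.30.0/24 but keep 192.168.31.0/24 reachable:
    outbound on G0/0 does exactly that; inbound on S0/0/1 over-blocks."""
    results = []
    for iface, direction in (("G0/0", "out"), ("S0/0/1", "in")):
        r3 = Router([("192.168.30.0", 24, "G0/0"), ("192.168.31.0", 24, "G0/1"),
                     ("192.168.10.0", 24, "S0/0/1")])
        acl = StandardAcl("1")
        acl.add("deny 192.168.10.0 0.0.0.255")
        acl.add("permit any")
        r3.access_group(iface, direction, acl)
        results.append((r3.forward("S0/0/1", "192.168.10.5", "192.168.30.7"),
                        r3.forward("S0/0/1", "192.168.10.5", "192.168.31.7")))
    return results
```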
 Troubleshoot ACLs
 Reordering Standard ACLs
• Cisco IOS reorders standard ACLs.
• Note the order in which the access-list statements were entered during configuration.
• Notice how the order has changed when you enter the show running-config command.
• The host statements are listed first, however, not in the order they were entered.
• The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry.
• The range statements are displayed in the order they were entered; the hashing function is applied only to host statements.
 Routing Processes and ACLs
• The figure shows the logic of the routing and ACL processes.
• When a packet arrives at a router interface, the router process is the same, whether ACLs are configured or not.
• After the frame information is stripped off, the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements.
• If the packet matches a statement, the packet is either permitted or denied.
• If the packet is permitted, then after the router processes the packet, the outgoing interface is also checked for an ACL.
 Common IPv4 Standard ACL Errors
• This section presents common IPv4 standard ACL errors and the troubleshooting process, through a few examples.
 Example 1
• The most common errors involving ACLs:
- Entering ACEs in the wrong order
- Not specifying adequate ACL rules
- Applying the ACL using the wrong direction, wrong interface, or wrong source address.
• In the figure, PC2 should not be able to access the File Server.
• However, PC1 cannot access it either.
• The output of the show access-lists command shows the one deny statement in the ACL.
• The set of commands listed below shows the solution:
 The permit statement allows the other devices to access the server, since the implicit deny was blocking all other traffic.
 Common IPv4 Standard ACL Errors
 Example 2
• The 192.168.11.0/24 network should not be able to access the 192.168.10.0/24 network.
• PC2 cannot access PC1 as planned, however, it also cannot access the Internet through R2.
• Problem: access-list 20 was applied to G0/1 in the inbound direction.
Question => Where should ACL 20 be applied and in which direction?
Answer => In order for PC2 to access the Internet, ACL 20 needs to be removed from the G0/1 interface and applied outbound on the G0/0 interface.
 Common IPv4 Standard ACL Errors
 Example 3
• Scenario => Only PC1 should be allowed to SSH to R1.
• Problem => There is a problem with the configuration in the figure, since PC1 is unable to SSH to R1.
Why?
• The ACL is permitting the 192.168.10.1 address, which is the G0/0 interface. However, the address that should be permitted is the PC1 host address of 192.168.10.10.
Solution!
 TO DO ACTIVITY
• Objective
The aim of this activity is to troubleshoot various IPv4 ACL issues.
• Topology
The network topology is described at the right.
• Scenario => This network is meant to have the following 3 policies implemented:
- Hosts from the 192.168.0.0/24 network are unable to access network 10.0.0.0/8
- L3 can't access any devices in network 192.168.0.0/24
- L3 can't access Server1 or Server2. L3 should only access Server3
- Hosts from the 172.16.0.0/16 network have full access to Server1, Server2 and Server3
NAT (Network Address Translation)
 Objectives
• Defining NAT and Port Address Translation (PAT)
• Configuring Static NAT
• Configuring Dynamic NAT
• Configuring PAT
• Troubleshooting NAT/PAT
• Troubleshooting Example
NAT (Network Address Translation)
 Introduction
• It is necessary to change the identity of a private host to a legitimate public one.
 This process is called Network Address Translation (NAT) and may be implemented on Cisco firewall products and Cisco routers.
 The firewall device(s) at the Internet demarcation point is by far the more popular way to implement NAT, but routers are used in small offices or small-to-medium-sized networks in which a separate firewalling solution is not possible or affordable.
 The focus of this course is on the router-based NAT solution.
 Definition
• Network Address Translation (NAT) allows private users to access the Internet by sharing one or more public IP addresses.
• An IP address is either local or global.
• Local IPv4 addresses are seen in the inside network.
• Global IPv4 addresses are seen in the outside network.
• Inside Local Addresses are the private addresses used within the enterprise network and cannot be used in the public network (the Internet).
• Inside Global Addresses are assigned by either an Internet authority or an Internet Service Provider (ISP) and are allowed on the Internet.
• Outside Global Addresses are assigned by either an Internet authority or an ISP to Internet users in companies and organizations, as well as to individuals that are located where the local translation occurs.
• Outside Local Addresses are the private (inside local) addresses of entities on the other side of the Internet and should never be known to a local entity doing NAT except in one special case.
 Types of NAT
NAT can work in many forms :
• Static NAT (one-to-one)
• Dynamic NAT (many-to-many)
• NAT overloading (also known as Port Address Translation) (many-to-one)
Remark!
• NAT operation is transparent to users.
• Benefits include improved security and scalability.
• Drawbacks include performance degradation and incompatibility with certain applications that depend on end-to-end functionality.
Important notions:
• Static NAT, as the name implies, provides a permanent private (inside local) to public (inside global) translation, which never ages out of the translation table and is much like a static route. It creates a security issue because it allows outside hosts to come through NAT inbound, but may be necessary for small companies to provide access to their website.
• Dynamic NAT implies that there are exactly the same number of inside local hosts as inside global hosts. This is rarely the case, given the scarcity of public addresses.
• Port Address Translation (called NAT overload in the Cisco IOS) is by far the most common NAT installation.
PAT (Port Address Translation)
 Concept Illustration
• The graphic further clarifies the idea of PAT.
• Along with the inside local address being translated to an inside global address as the packet exits the router, the port number (both source and destination) is recorded.
Note:
In the case where non-TCP packets are used, such as ping packets, NAT/PAT creates a source and destination port.
=> This enables several thousand inside local hosts to be translated to one inside global host IP address.
 Translating Inside Source Addresses
• Now, back to NAT, and let's focus on how to translate inside source addresses.
• The figure illustrates the detailed process described below:
1. The packet is generated by the host with an inside local address.
2. The packet arrives at the NAT inside interface (configured as part of the NAT installation).
3. The inside local address is translated to an inside global address.
4. The packet arrives at outside global host B.
5. The return packet is translated back from the NAT outside interface to the originating inside local host.
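Added example (not part of the lecture): a Python model of the PAT translation table behind the five steps above, using the lecture's 192.168.3.0/24 and 192.168.4.0/24 inside networks and the 209.165.200.225 inside global address. The outside server 198.51.100.5, the port-allocation range and all class and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatTranslator:
    """NAT overload: many inside local (ip, port) pairs share one inside global IP;
    the source port is rewritten when two inside hosts happen to use the same one."""

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port  # assumed allocation range
        self.outbound = {}  # (inside local ip, local port) -> global port
        self.inbound = {}   # global port -> (inside local ip, local port)

    def _allocate_port(self, wanted: int) -> int:
        # Keep the original source port if it is free; otherwise take the first free one.
        if wanted not in self.inbound:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("PAT port range exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Step 3: inside local -> inside global, recording the port in the table."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            gport = self._allocate_port(pkt.src_port)
            self.outbound[key] = gport
            self.inbound[gport] = key
        return Packet(self.inside_global, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 5: the return packet to inside global:port is mapped back to the
        originating host. With no table entry there is no translation (packet dropped)."""
        entry = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.inside_global or entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

    def show_translations(self) -> list:
        """Rows in the spirit of show ip nat translations: (inside global, inside local)."""
        return sorted((f"{self.inside_global}:{g}", f"{ip}:{p}")
                      for (ip, p), g in self.outbound.items())

def demo():
    """Two inside hosts on different LANs pick the same source port 50000."""
    nat = PatTranslator("209.165.200.225")
    a = nat.translate_outbound(Packet("192.168.3.10", 50000, "198.51.100.5", 80))
    b = nat.translate_outbound(Packet("192.168.4.20", 50000, "198.51.100.5", 80))
    # The server replies to the port PAT assigned to host b; the table routes it home.
    back = nat.translate_inbound(Packet("198.51.100.5", 80, "209.165.200.225", b.src_port))
    # Unsolicited inbound traffic to an unused port has no entry -> not translated.
    stray = nat.translate_inbound(Packet("198.51.100.5", 80, "209.165.200.225", 40000))
    return nat, a, b, back, stray
```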
 Configuring Static NAT
• This section displays a set of commands for configuring and verifying static translation.
• The graphic illustrates the commands used to configure static NAT:
- The inside and outside NAT interfaces must be defined.
- The static NAT translation details are defined.
=> The configuration can be verified with the show ip nat translations command.
• This graphic provides an example of a static NAT configuration and verification on a Cisco router:
 Configuring Dynamic NAT
• This section displays a set of commands for configuring and verifying dynamic translation.
• This graphic is similar to a previous one and shows the same five translation steps with a bit more detail in the address tables.
 Remember that with dynamic NAT, the number of inside hosts should be the same as the number of outside (inside global) hosts.
The configuration now involves additional elements:
- A block of inside local addresses is identified with an ACL.
- A pool of inside global addresses is identified with a pool name. With NAT overload or PAT, there is another way to do this.
- A command is needed to define the inside local to inside global translation mapping of the ACL and the pool name.
- The inside and outside IP NAT interfaces must still be defined.
- The verification is show ip nat translations as before.
 Configuring Dynamic NAT
• The graphic shows a completed dynamic NAT configuration.
=> Note that the translation configuration line includes a network mask or prefix following the address pool.
 Configuring NAT Overload—PAT
• As described earlier, PAT or NAT overload deploys the same five-step process as before, except that the source and destination UDP/TCP port number is recorded along with the IP address as part of the translation.
• This is how thousands of inside local IP hosts may be translated to one inside global host.
Remark:
- The ACL is still used to define the inside local address block.
• Commands to configure overloading:
 Configuring NAT Overload—PAT
• This section presents an example of NAT overloading.
• The next graphics provide a working example with two inside NAT interfaces and one outside.
• Two private networks: 192.168.3.0/24 and 192.168.4.0/24
• Overload to the router's outside S0 interface address: 209.165.200.225/32
 Clearing the NAT Translation Table
• It is sometimes necessary for a network administrator to clear IP NAT translations from the table before they expire, generally for troubleshooting.
• The graphic shows a series of commands to do this based on the complexity of the translation being cleared.
• The clear ip nat translation * command will clear all of them.

 Troubleshooting NAT/PAT
• There are very few commands for verifying and troubleshooting NAT on a Cisco router:
- show ip nat statistics => verifies the proper configuration of the inside and outside interfaces and the translation command from inside local to inside global.
- show ip nat translations => shows the actual address and port translations that have recently occurred.
- show access-lists => can be used to verify the ACL defining the inside local block.
- debug ip nat => can be used to see the translations occurring in real time.
 Translation Not Occurring: Translation Not Installed in the Table
The solution is to verify that:
- No inbound ACLs are denying the packets entry to the NAT router
- The ACL referenced by the NAT command is permitting all necessary networks
- There are enough addresses in the NAT pool
- The router interfaces are appropriately defined as NAT inside or NAT outside
Basic IPv4 ACLs
 Introduction
• IPv4 access control lists (ACL) give network engineers the ability to program a filter into a router.
Important remarks:
- Each router, on each interface, for both the inbound and outbound direction, can enable a different ACL with different rules.
- Each ACL’s rules tell the router which packets to discard and which to allow through.
• IPv4 ACLs perform many functions in Cisco routers, with the most common use as a packet filter.
• Engineers can enable ACLs on a router so that the ACL sits in the forwarding path of packets as they pass through the router.
• After it is enabled, the router considers whether each IP packet will either be discarded or allowed to continue as if the ACL did
not exist.
 ACL impact on QoS
• ACLs can be used for many other IOS features as well.
• As an example, ACLs can be used to match packets for applying Quality of Service (QoS) features.
• QoS allows a router to give some packets better service, and other packets worse service.
• For example, packets that hold digitized voice need to have very low delay, so ACLs can match voice packets, with
QoS logic in turn forwarding voice packets more quickly than data packets.
 Important Guidelines
• This section introduces IP ACLs as used for packet filtering, focusing on these aspects of ACLs:
- The locations and direction in which to enable ACLs;
- Matching packets by examining headers;
- Taking action after a packet has been matched.

 ACL Location and Direction
• Cisco routers can apply ACL logic to packets at the point at which the IP packets enter an interface, or the point at which they exit an interface.
• In other words, the ACL becomes associated with an interface and for a direction of packet flow (either in or out).
• That is, the ACL can be applied inbound to the router, before the router makes its forwarding (routing) decision, or outbound, after the router makes its forwarding decision and has determined the exit interface to use.
• The arrows in the figure show the locations at which you could filter packets flowing left to right in the topology.
 Example:
Imagine that you wanted to allow packets sent by host A to server S1, but to discard packets sent by host B to server S1.
-> Each arrowed line represents a location and direction at which a router could apply an ACL, filtering the packets sent by host B.
 Explanation:
• The four arrowed lines in the figure point out the location and direction for the router interfaces used to forward the packet from host B to server S1.
• In this particular example, those interfaces and directions are:
- inbound on R1's F0/0 interface,
- outbound on R1's S0/0/0 interface,
- inbound on R2's S0/0/1 interface,
- outbound on R2's F0/0 interface.
• If, for example, you enabled an ACL on R2's F0/1 interface, in either direction, that ACL could not possibly filter the packet sent from host B to server S1, because R2's F0/1 interface is not part of the route from B to S1.
 Conclusion
• In short, to filter a packet, you must enable an ACL on an interface that processes the packet, in the same direction the
packet flows through that interface.
• When enabled, the router then processes every inbound or outbound IP packet using that ACL.
• For example, if enabled on R1 for packets inbound on interface F0/0, R1 would compare every inbound IP packet on F0/0 to the ACL to decide that packet's fate: to continue unchanged or to be discarded.
 Important Guidelines
 ACL Location and Direction
• Matching packets refers to how to configure the ACL commands to look at each packet, listing how to identify
which packets should be discarded and which should be allowed through.
• Each IP ACL consists of one or more configuration commands, with each command listing details about values to
look for inside a packet’s headers.
 Generally, an ACL command uses logic like “look for these values in the packet header, and if found, discard the
packet.”
 The action could instead be to allow the packet, rather than discard.
 Specifically, the ACL looks for header fields you should already know well, including the source and destination IP
addresses, plus TCP and UDP port numbers.
 ACL Location and Direction
 Example Statement
• Consider an example with the figure, in which you want to allow packets from host A to server S1, but to discard
packets from host B going to that same server.
• The hosts all now have IP addresses, and the figure shows pseudocode for an ACL on R2.
• Figure 2-2 also shows the chosen location to enable the ACL: inbound on R2’s S0/0/1 interface.
Explanation :
• Figure 2-2 shows a two-line ACL in a rectangle at the bottom, with simple matching logic: both statements just
look to match the source IP address in the packet.
• When enabled, R2 looks at every inbound IP packet on that interface and compares each packet to those two
ACL commands.
 Packets sent by host A (source IP address 10.1.1.1) are allowed through,
 and those sourced by host B (source IP address 10.1.1.2) are discarded.
 What would be done if a match occurs ???
• When using IP ACLs to filter packets, only one of two actions can be chosen.
• The configuration commands use the keywords deny and permit, and they mean (respectively) to discard the
packet or to allow it to keep going as if the ACL did not exist.
 Types of IP ACLs
• Beginning with the original standard numbered IP ACLs in the early days of IOS, which could enable the logic
shown earlier around Figure 2-2, Cisco has added many ACL features, including the following :
- Standard numbered ACLs (1–99)
- Extended numbered ACLs (100–199)
- Additional ACL numbers (1300–1999 standard, 2000–2699 extended)
- Named ACLs
- Improved editing with sequence numbers
Brief !!!!
• Briefly, IP ACLs will be either numbered or named in that the configuration identifies the ACL either using a
number or a name.
• ACLs will also be either standard or extended, with extended ACLs having much more robust abilities in matching
packets.
• Figure 2-3 summarizes the big ideas related to categories of IP ACLs.
 Standard Numbered IPv4 ACLs
• This section is about a type of Cisco filter (ACL) that matches only the source IP address of the packet (standard),
is configured to identify the ACL using numbers rather than names (numbered), and looks at IPv4 packets.
 Steps followed :
This section examines the particulars of standard numbered IP ACLs.
• First, it examines the idea that one ACL is a list and what logic that list uses.
• Following that, the text closely looks at how to match the source IP address field in the packet header, including
the syntax of the commands.
• This section ends with a complete look at the configuration and verification commands to implement standard
ACLs.
 List Logic with IP ACLs (ACE statement)
• A single ACL is both a single entity and, at the same time, a list of one or more configuration commands.
• As a single entity, the configuration enables the entire ACL on an interface, in a specific direction, as shown earlier
in Figure 2-1.
• As a list of commands, each command has different matching logic that the router must apply to each packet
when filtering using that ACL.
• When doing ACL processing, the router processes the packet, compared to the ACL, as follows :
- ACLs use first-match logic.
- Once a packet matches one line in the ACL, the router takes the action listed in that line of the ACL and stops looking further in the ACL.
 Example :
• To see exactly what that means, consider the example built around Figure 2-4.
• This example applies ACL 1 on R2’s S0/0/1 interface, inbound.
• This sequence of processing an ACL as a list happens for any type of IOS ACL: IP, other protocols, standard or extended, named or numbered.
• Finally, if a packet does not match any of the items in the
ACL, the packet is discarded.
• The reason is that every IP ACL has a deny all statement implied at the end of the ACL.
• It does not exist in the configuration, but if a router keeps searching the list, and no match is made by the end of the list,
IOS considers the packet to have matched an entry that has a deny action.
 Matching Logic and Command Syntax
• Standard numbered IP ACLs use the following global command :
access-list {1-99 | 1300-1999} {permit | deny} matching-parameters
• Each standard numbered ACL has one or more access-list commands with the same number, any number from
the ranges shown in the preceding line of syntax.
• IOS refers to each line in an ACL as an Access Control Entry (ACE), but many engineers just call them ACL
statements.
WHAT’S NEXT ????
• Besides the ACL number, each access-list command also lists the action (permit or deny), plus the matching logic.
• The rest of this section examines how to configure the matching parameters, which, for standard ACLs, means
that you can only match the source IP address or portions of the source IP address using something called an ACL
wildcard mask.
 Matching the Exact IP Address
• To match a specific source IP address, the entire IP address, all you have to do is type that IP address at the end of
the command.
• For example, access-list 1 permit 10.1.1.1 matches only packets whose source IP address is 10.1.1.1; the same ACE can also be typed as access-list 1 permit host 10.1.1.1.
• Note that in later IOS versions, if you use the host keyword, IOS accepts the command but then removes the
keyword.
 Matching a Subset of the Address with Wildcards
 Context and reasons :
• Often, the business goals you want to implement with an ACL do not match a single particular IP address, but
rather a range of IP addresses.
• Maybe you want to match all IP addresses in a subnet.
• Maybe you want to match all IP addresses in a range of subnets.
• Regardless, you want to check for more than one IP address in a range of addresses.
 Solution !!!!
• IOS allows standard ACLs to match a range of addresses using a tool called a wildcard mask.
• Note that this is not a subnet mask.
• The wildcard mask (which abbreviates as WC mask) gives the engineer a way to tell IOS to ignore parts of the
address when making comparisons, essentially treating those parts as wildcards, as if they already matched.
Logical processing idea :
• You can think about WC masks in decimal and in binary, and both have their uses.
• To begin, think about WC masks in decimal, using these rules :
- Decimal 0: The router must compare this octet as normal.
- Decimal 255: The router ignores this octet, considering it to already match.
• Keeping these two rules in mind, consider Figure 2-6, which demonstrates this logic using 3 different but popular
WC masks :
- one that tells the router to ignore the last octet,
- one that tells the router to ignore the last 2 octets,
- and one that tells the router to ignore the last 3 octets.
 Figure interpretation :
• The example on the left shows WC mask 0.0.0.255, which tells the router to treat the last octet as a wildcard,
essentially ignoring that octet for the comparison.
• Similarly, the middle example shows WC mask 0.0.255.255, which tells the router to ignore the 2 octets on the
right.
• The rightmost case shows WC mask 0.255.255.255, telling the router to ignore the last three octets when
comparing values.
 Example interpretation :
• Figure 2-7 shows the updated version of Figure 2-4, but with the completed, correct syntax, including the WC masks.
• In particular, note the use of WC mask 0.0.0.255 in the second command, telling R2 to ignore the last octet of the number 10.1.1.0, and the WC mask 0.255.255.255 in the third command, telling R2 to ignore the last three octets in the value 10.0.0.0.
 Finding the Right Wildcard Mask to Match a Subnet
• In many cases, an ACL needs to match all hosts in a particular subnet.
• To match a subnet with an ACL, you can use the following shortcut :
- Use the subnet number as the source value in the access-list command.
- Use a wildcard mask found by subtracting the subnet mask from 255.255.255.255.
• For example, for subnet 172.16.8.0 255.255.252.0, use the subnet number (172.16.8.0) as the address parameter, and then do the following math to find the wildcard mask : 255.255.255.255 - 255.255.252.0 = 0.0.3.255.
 Matching Any/All Addresses
• In some cases, you will want one ACL command to match any and all packets that reach that point in the ACL.
• For example, to permit all packets :
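The list logic, the decimal wildcard-mask rules, the subnet shortcut and the "match everything" case described above, as an added example that is not part of the slides and not IOS output. Assumptions: the three statements of ACL 1 below are constructed (they reuse the address/wildcard pairs the slides discuss, but their permit/deny actions are assumed), and the test addresses are made up; the functions only reproduce the comparison a router performs.

```python
"""Standard numbered IPv4 ACL logic: wildcard-mask matching, first-match
processing and the implied 'deny all'.

Added example for these slides (not the slides' own figures or IOS output).
ACL 1 below is constructed; its permit/deny actions are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (raises on malformed input)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The slides' shortcut: wildcard mask = 255.255.255.255 - subnet mask."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(subnet_mask))


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = it must equal the base address.
    Decimal 0 in an octet therefore means 'compare the octet as normal' and
    255 means 'treat the octet as already matched'."""
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care_bits) == (ip_to_int(base) & care_bits)


@dataclass(frozen=True)
class Ace:
    """One access-list statement (Access Control Entry) of a standard ACL."""
    action: str                 # "permit" or "deny"
    source: str                 # address (host or subnet number) to compare
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = exact host match, like the 'host' keyword


def subnet_ace(action: str, subnet: str, subnet_mask: str) -> Ace:
    """Build the ACE that matches every host of a subnet, given its subnet mask."""
    return Ace(action, subnet, wildcard_from_mask(subnet_mask))


# Address 0.0.0.0 with this wildcard matches every packet (what 'any' means).
ANY = "255.255.255.255"


def evaluate_standard(acl: List[Ace], src_ip: str) -> Tuple[str, Optional[int]]:
    """First-match logic: return (action, index of the matching ACE). If no ACE
    matches, the implied deny at the end of every IP ACL applies (index None)."""
    for index, ace in enumerate(acl):
        if wc_match(src_ip, ace.source, ace.wildcard):
            return ace.action, index
    return "deny", None


# Constructed ACL: the three statements reuse the address/wildcard pairs the
# slides discuss (host 10.1.1.1, 10.1.1.0/0.0.0.255, 10.0.0.0/0.255.255.255).
ACL_1 = [
    Ace("permit", "10.1.1.1"),
    Ace("deny", "10.1.1.0", "0.0.0.255"),
    Ace("permit", "10.0.0.0", "0.255.255.255"),
]


if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.77", "10.9.8.7", "172.16.9.5"):
        print(src, "->", evaluate_standard(ACL_1, src))
    print("wildcard for 255.255.252.0:", wildcard_from_mask("255.255.252.0"))
    print("172.16.9.5 in 172.16.8.0/22:", wc_match("172.16.9.5", "172.16.8.0", "0.0.3.255"))
```

Note that 10.1.1.1 is permitted by the first line even though the second line would deny it: the router stops at the first match, which is why the order of ACEs matters as much as their content. An address outside 10.0.0.0/8 such as 172.16.9.5 matches no line and falls to the implied deny.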
 Implementing Standard IP ACLs
• The command is :
 Process to follow :
 Standard Numbered ACL Examples
 Example 1
• The first example shows the configuration for the same requirements demonstrated with Figure 2-4 and Figure 2-5.
• Restated, the requirements for this ACL are as follows :
• Example 2-1 shows a completed correct configuration, starting with the configuration process, followed by
output from the show running-config command.
 Example 1 (continued)
• Example 2-2 lists some output from Router R2 that shows information about this ACL.
• The show ip access-lists command lists details about IPv4 ACLs only, while the show access-lists command lists
details about IPv4 ACLs plus any other types of ACLs that are currently configured; for example, IPv6 ACLs.
Command interpretation :
• The first line of output in this case notes the type (standard) and the number.
• If more than one ACL existed, you would see multiple stanzas of output, one per ACL, each with a heading line like this one.
• Next, these commands list packet counts for the number of packets that the router has matched with each command.
• For example, 107 packets so far have matched the first line in the ACL.
 Example 2
o Scenario :
• For the second example, use Figure 2-8, and imagine your boss gives you some requirements hurriedly in the hall.
• At first, he tells you he wants to filter packets going from the servers on the right toward the clients on the left.
• Then, he says he wants you to allow access for hosts A, B, and other hosts in their same subnet to server S1, but
deny access to that server to the hosts in host C’s subnet.
• Then, he tells you that, additionally, hosts in host A’s subnet should be denied access to server S2, but hosts in
host C’s subnet should be allowed access to server S2—all by filtering packets going right to left only.
• He then tells you to put the ACL inbound on R2’s F0/0 interface.
o Answer :
o Issue :
• As it turns out, you cannot do everything your boss asked with a standard ACL.
• For example, consider the obvious command for requirement number 2: access-list 2 permit 10.2.2.1.
• That permits all traffic whose source IP is 10.2.2.1 (server S1).
• The very next requirement asks you to filter (deny) packets sourced from that same IP address!
• Even if you added another command that checked for source IP address 10.2.2.1, the router would never get to it,
because routers use first-match logic when searching the ACL.
• You cannot check both the destination and source IP address, because standard ACLs cannot check the
destination IP address.
o Solution :
• To solve this problem, you should get a new boss!
• No, seriously, you have to rethink the problem and change the rules.
• In real life, you would probably use an extended ACL instead, which lets you check both the source and destination IP address.
Tips :
• For the sake of practicing another standard ACL, imagine your boss lets you change the requirements.
• First, you will use two outbound ACLs, both on Router R1.
• Each ACL will permit traffic from a single server to be forwarded onto that connected LAN, with the following modified requirements :
o Interpretation details :
• As highlighted in the example, the solution with ACL number 2 permits all traffic from server S1, with that logic
enabled for packets exiting R1’s F0/0 interface.
• All other traffic will be discarded because of the implied deny all at the end of the ACL.
• In addition, ACL 3 permits traffic from server S2, which is then permitted to exit R1’s F0/1 interface.
• Also, note that the solution shows the use of the access-list remark parameter, which allows you to leave text
documentation that stays with the ACL.
 Troubleshooting and Verification Tips
• Troubleshooting IPv4 ACLs requires some attention to detail.
• In particular, you have to be ready to look at the address and wildcard mask and confidently predict the addresses
matched by those two combined parameters.
• First, you can tell if the router is matching packets or not with a couple of tools.
 Example :
• Example 2-2 already showed that IOS keeps statistics about the packets matched by each line of an ACL.
• In addition, if you add the log keyword to the end of an access-list command, IOS then issues log messages with
occasional statistics about matches of that particular line of the ACL.
• Both the statistics and the log messages can be helpful in deciding which line in the ACL is being matched by a
packet.
• Example 2-4 shows an updated version of ACL 2 from Example 2-3, this time with the log keyword added.
• The bottom of the example then shows a typical log message, this one showing the resulting match based on a
packet with source IP address 10.2.2.1 (as matched with the ACL), to destination address 10.1.1.1.
VERY IMPORTANT !!!!!!!
• When you troubleshoot an ACL for the first time, before getting into the details of the matching logic, take the time to think about both the interface on which the ACL is enabled and the direction of packet flow.
 Sometimes, the matching logic is perfect, but the ACL has been enabled on the wrong interface, or for the wrong direction, to match the packets as configured for the ACL.
 Example :
• Figure 2-9 repeats the same ACL shown earlier in Figure 2-7.
• The first line of that ACL matches the specific host address 10.1.1.1. If that ACL exists on Router R2, placing that
ACL as an inbound ACL on R2’s S0/0/1 interface can work, because packets sent by host 10.1.1.1—on the left side
of the figure—can enter R2’s S0/0/1 interface.
 However, if R2 enables ACL 1 on its F0/0 interface, for inbound packets, the ACL will never match a packet with
source IP address 10.1.1.1, because packets sent by host 10.1.1.1 will never enter that interface.
 Packets sent by 10.1.1.1 will exit R2’s F0/0 interface, but never enter it, just because of the network topology.
 Extended Numbered IPv4 ACLs
 Standard vs Extended
• Extended IP access lists have many similarities compared to the standard numbered IP ACLs discussed in the
previous chapter.
• Extended ACLs differ from standard ACLs mostly because of the larger variety of packet header fields that can be
used to match a packet.
• One extended ACE (ACL statement) can examine multiple parts of the packet headers, requiring that all the
parameters be matched correctly to match that one ACE.
 Matching the Protocol, Source IP, and Destination IP
• Like standard numbered IP ACLs, extended numbered IP ACLs also use the access-list global command.
• The syntax is identical, at least up through the permit or deny keyword.
• In particular, the extended ACL access-list command requires three matching parameters:
- the IP protocol type,
- the source IP address,
- and the destination IP address.
• The IP header’s Protocol field identifies the header that follows the IP header.
• Figure 3-2 shows the location of the IP Protocol field, the concept of it pointing to the type of header that follows,
along with some details of the IP header for reference.
• IOS requires that you configure parameters for the three highlighted parts of Figure 3-2.
• For the protocol type, you simply use a keyword, such as tcp, udp, or icmp, matching IP packets that happen to have a TCP, UDP, or ICMP header, respectively, following the IP header.
• Or you can use the keyword ip, which means “all IPv4 packets.”
• You also must configure some values for the source and destination IP address fields that follow.
• Table 3-2 lists several sample access-list commands that use only the required matching parameters.
 Matching TCP and UDP Port Numbers
• Extended ACLs can also examine parts of the TCP and UDP headers, particularly the source and destination port
number fields.
• The port numbers identify the application that sends or receives the data.
• Figure 3-4 shows the location of the port numbers in the TCP header, following the IP header.
• Figure 3-5 shows the positions of the source and destination port fields in the access-list command and these port
number keywords.
 Example :
• Consider the simple network shown in Figure 3-6.
• The FTP server sits on the right, with the client on the left.
• The figure shows the syntax of an ACL that matches the following :
- Packets that include a TCP header
- Packets sent from the client subnet
- Packets sent to the server subnet
- Packets with TCP destination port 21 (FTP server control port)
 Inverse Process :
• Conversely, Figure 3-7 shows the reverse flow, with a packet sent by the server back toward PC1.
• In this case, the packet’s TCP header has a source port of 21, so the ACL must check the source port value of 21,
and the ACL must be located on different interfaces.
• In this case, the eq 21 parameters follow the source address field but come before the destination address field.
 ACL Examination :
• When examining ACLs that match port numbers, first consider the location and direction in which the ACL will be
applied.
• That direction determines whether the packet is being sent to the server or from the server.
• At that point, you can decide whether you need to check the source or destination port in the packet.
• For reference, Table 3-3 lists many of the popular port numbers and their transport layer protocols and
applications.
 Note that the syntax of the access-list commands accepts both the port numbers and a shorthand version of the
application name.
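The extended matching described above (protocol, source and destination address, and an eq port placed either after the source or after the destination address depending on the direction), as an added example that is not from the slides and not Example 3-1 or 3-2. Assumptions: the client subnet 172.16.3.0/24, the host called Bob (172.16.3.10) and the client port 49152 are constructed; 172.16.1.0/24 is the server subnet the slides name for Example 3-2; the only port keywords implemented are the two the slides mention (ftp = 21, www = 80).

```python
"""Extended IPv4 ACL matching: protocol, source/destination address, 'eq' ports.

Added example for these slides (not the slides' figures or Example 3-1/3-2).
Client subnet, host addresses and the client port are constructed; the port
keywords are the two the slides mention (ftp = 21, www = 80).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PORT_KEYWORDS = {"ftp": 21, "www": 80}   # IOS displays 'eq 80' as 'eq www'
ANY = ("0.0.0.0", "255.255.255.255")      # address/wildcard pair behind the 'any' keyword


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def port(value: Union[str, int]) -> int:
    """Accept a port number or one of the IOS keyword abbreviations."""
    if isinstance(value, str):
        return PORT_KEYWORDS[value] if value in PORT_KEYWORDS else int(value)
    return value


@dataclass(frozen=True)
class Packet:
    protocol: str              # header following the IP header: "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class ExtendedAce:
    """access-list 100-199 {permit|deny} protocol src src-wc [eq p] dst dst-wc [eq p]"""
    action: str
    protocol: str              # "ip" matches every IPv4 packet, whatever follows the IP header
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    eq_sport: Optional[int] = None   # 'eq' placed after the source address
    eq_dport: Optional[int] = None   # 'eq' placed after the destination address

    def matches(self, pkt: Packet) -> bool:
        """Every configured field must match; one mismatch and the ACE is skipped."""
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wc_match(pkt.src, self.src, self.src_wc):
            return False
        if not wc_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.eq_sport is not None and pkt.sport != self.eq_sport:
            return False
        if self.eq_dport is not None and pkt.dport != self.eq_dport:
            return False
        return True


def evaluate_extended(acl: List[ExtendedAce], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match means the implied 'deny all' (index None)."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# Constructed topology: FTP clients in 172.16.3.0/24, FTP servers in 172.16.1.0/24.
# Client-to-server direction: port 21 is the DESTINATION port, 'eq' after the destination.
TO_SERVER = [ExtendedAce("permit", "tcp", "172.16.3.0", "0.0.0.255",
                         "172.16.1.0", "0.0.0.255", eq_dport=port("ftp"))]
# Server-to-client direction: port 21 is now the SOURCE port, so 'eq 21' sits after
# the source address, and this ACL has to be enabled on a different interface.
FROM_SERVER = [ExtendedAce("permit", "tcp", "172.16.1.0", "0.0.0.255",
                           "172.16.3.0", "0.0.0.255", eq_sport=21)]
# Constructed 'deny one host's FTP, permit everything else' ACL: the specific deny
# must precede 'permit ip any any' because of first-match logic.
BOB = "172.16.3.10"
DENY_BOB_FTP = [
    ExtendedAce("deny", "tcp", BOB, "0.0.0.0", "172.16.1.0", "0.0.0.255", eq_dport=port("ftp")),
    ExtendedAce("permit", "ip", *ANY, *ANY),
]


if __name__ == "__main__":
    request = Packet("tcp", BOB, "172.16.1.5", 49152, 21)
    reply = Packet("tcp", "172.16.1.5", BOB, 21, 49152)
    print("request vs TO_SERVER:", evaluate_extended(TO_SERVER, request))
    print("reply vs TO_SERVER:", evaluate_extended(TO_SERVER, reply))      # wrong direction
    print("reply vs FROM_SERVER:", evaluate_extended(FROM_SERVER, reply))
    print("Bob's FTP vs DENY_BOB_FTP:", evaluate_extended(DENY_BOB_FTP, request))
```

The reply packet never matches TO_SERVER because its addresses are swapped relative to the ACE; that is the point made about direction above: decide first where and in which direction the ACL is enabled, then decide whether the source or the destination port field has to be checked.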
 Extended IP ACL Configuration
• The configuration process for extended ACLs mostly matches the same process used for standard ACLs.
• You must choose the location and direction in which to enable the ACL, particularly the direction, so that you can characterize whether certain addresses and ports will be either the source or destination.
• Configure the ACL using access-list commands, and when complete, then enable the ACL using the same ip access-group command used with standard ACLs.
 VERY IMPORTANT REMARK !!!!!
• Place extended ACLs as close as possible to the source of the packets that will be filtered.
• Filtering close to the source of the packets saves some bandwidth.
=> Remember that all fields in one access-list command must match a packet for the packet to be considered to
match that access-list statement.
 Use numbers of 100–199 and 2000–2699 on the access-list commands; no one number is inherently better than
another.
 Extended IP Access Lists Example
• This example focuses on understanding basic syntax.
• In this case, the ACL denies Bob access to all FTP servers on R1’s Ethernet, and it denies Larry access to Server1’s web server.
• Figure 3-8 shows the network topology; Example 3-1 shows the configuration on R1.
• This example uses the eq parameter, meaning “equals,” to check the destination port numbers for FTP
control (keyword ftp) and HTTP traffic (keyword www).
• You can use the numeric values—or, for the more popular options, a more obvious text version is valid.
• If you were to type eq 80, the config would show eq www.
• This example enables the ACL in two places on R1: inbound on each serial interface.
• These locations achieve the goal of the ACL.
• However, that initial placement was made to make the point that Cisco suggests that you locate them as
close as possible to the source of the packet.
• Example 3-2 achieves the same goal as Example 3-1 of stopping Bob’s access to FTP servers at the main site, and it
does so with an ACL on R3.
• The new configuration on R3 meets the goals to filter Bob’s traffic, while also meeting the overarching design goal
of keeping the ACL close to the source of the packets.
• ACL 103 on R3 looks a lot like ACL 101 on R1 from Example 3-1, but this time, the ACL does not bother to check for
the criteria to match Larry’s traffic, because Larry’s traffic will never enter R3’s Ethernet 0 interface.
• ACL 103 filters Bob’s FTP traffic to destinations in subnet 172.16.1.0/24, with all other traffic entering R3’s E0
interface making it into the network.
Named ACLs and ACL Editing
• Figure 3-10 shows just such a conversion, using a simple three-line standard ACL number 1.
• Example 3-4 shows the configuration of a named extended ACL.
• Named ACLs allow the user to delete and add new lines to the ACL from within ACL configuration mode.
• Example 3-5 shows how, with the no deny ip… command deleting a single entry from the ACL.
 Editing ACLs Using Sequence Numbers
• Example 3-6 shows the configuration of a standard numbered IP ACL, using this alternative configuration style.
• In this example, the following occurs :
 Network Address Translation
 Motivation
• This chapter examines a very popular and very important part of both enterprise and small office/home office
(SOHO) networks : Network Address Translation (NAT).
• NAT helped solve a big problem with IPv4 : the IPv4 address space would have been completely consumed by the
mid-1990s.
• After it was consumed, the Internet could not continue to grow, which would have significantly slowed the
development of the Internet.
 Content
• This chapter breaks the topics into three major sections :
- The first section explains the challenges to the IPv4 address space caused by the Internet revolution of the 1990s.
- The second section explains the basic concept behind NAT, how several variations of NAT work, and how the Port
Address Translation (PAT) option conserves the IPv4 address space.
- The final section shows how to configure NAT from the Cisco IOS Software command-line interface (CLI) and how
to troubleshoot NAT.
 NAT Concepts
o Need for NAT
• NAT, defined in RFC 3022, allows a host that does not have a valid, registered, globally unique IP address to
communicate with other hosts through the Internet.
• The hosts might be using private addresses or addresses assigned to another organization.
• In either case, NAT allows these addresses that are not Internet ready to continue to be used and still allows
communication with hosts across the Internet.
o Operation
• NAT achieves its goal by using a valid registered IP address to represent the private address to the rest of the Internet.
• The NAT function changes the private IP addresses to publicly registered IP addresses inside each IP packet, as shown in Figure 10-2.
 Remark :
• Notice that the router, performing NAT, changes the packet’s source IP address when the packet leaves the private
organization.
• The router performing NAT also changes the destination address in each packet that is forwarded back into the
private network.
 Network 200.1.1.0 is a registered network in Figure 10-2.
• The NAT feature, configured in the router labeled NAT, performs the translation.
o Static NAT
• Static NAT works just like the example shown in Figure 10-2, but with the IP addresses statically mapped to each
other.
• To help you understand the implications of static NAT and to explain several key terms, Figure 10-3 shows a similar
example with more information.
Explanation :
• First, the company’s ISP has assigned it registered network 200.1.1.0.
• Therefore, the NAT router must make the private IP addresses look like they are in network 200.1.1.0.
 To do so, the NAT router changes the source IP addresses in the packets going from left to right in the figure.
• In this example, the NAT router changes the source address (SA in the figure) of 10.1.1.1 to 200.1.1.1.
• With static NAT, the NAT router simply configures a one-to-one mapping between the private address and the
registered address that is used on its behalf.
• The NAT router has statically configured a mapping between private address 10.1.1.1 and public, registered
address 200.1.1.1.
o More information
• Supporting a second IP host with static NAT requires a second static one-to-one mapping using a second
IP address in the public address range.
• For example, to support 10.1.1.2, the router statically maps 10.1.1.2 to 200.1.1.2.
• Because the enterprise has a single registered Class C network, it can support at most 254 private IP
addresses with NAT, with the usual two reserved numbers (the network number and network broadcast
address).
• The terminology used with NAT, particularly with configuration, can be a little confusing.
Important Remark !!!!
• Notice in Figure 10-3 that the NAT table lists the private IP addresses as “private” and the public,
registered addresses from network 200.1.1.0 as “public.”
• Cisco uses the term inside local for the private IP addresses in this example and inside global for the public IP addresses.
o NAT Terminology (Inside local vs Inside global)
• Using NAT terminology, the enterprise network that uses private addresses, and therefore needs NAT, is the
“inside” part of the network.
• The Internet side of the NAT function is the “outside” part of the network.
• A host that needs NAT (such as 10.1.1.1 in the example) has the IP address it uses inside the network, and it needs
an IP address to represent it in the outside network.
• So, because the host essentially needs two different addresses to represent it, you need two terms.
• Cisco calls the private IP address used in the inside network the inside local address and the address used to
represent the host to the rest of the Internet the inside global address.
• Figure 10-4 repeats the same example, with some of the terminology shown.
o Dynamic NAT
 Introduction
• Dynamic NAT has some similarities and differences compared to static NAT.
• Like static NAT, the NAT router creates a one-to-one mapping between an inside local and inside global address,
and changes the IP addresses in packets as they exit and enter the inside network.
• However, the mapping of an inside local address to an inside global address happens dynamically.
 Concept
• Dynamic NAT sets up a pool of possible inside global addresses and defines matching criteria to determine which inside local IP addresses should be translated with NAT.
• For example, in Figure 10-5, a pool of five inside global IP addresses has been established : 200.1.1.1 through 200.1.1.5.
• NAT has also been configured to translate any inside local addresses that start with 10.1.1.
• The numbers 1, 2, 3, and 4 in the figure refer to the following sequence of events :
1. Host 10.1.1.1 sends its first packet to the server at 170.1.1.1.
2. As the packet enters the NAT router, the router applies some matching logic to decide whether the packet should have NAT applied. Because the logic has been configured to match source IP addresses that begin with 10.1.1, the router adds an entry in the NAT table for 10.1.1.1 as an inside local address.
3. The NAT router needs to allocate an IP address from the pool of valid inside global addresses. It picks the first one available (200.1.1.1, in this case) and adds it to the NAT table to complete the entry.
4. The NAT router translates the source IP address and forwards the packet.
• You can also manually clear the dynamic entries from the table using the clear ip nat translation * command.
 Overloading NAT with PAT (Port Address Translation)
 Need & Motivation
• Some networks need to have most, if not all, IP hosts reach the Internet.
• If that network uses private IP addresses, the NAT router needs a very large set of registered IP addresses.
• With static NAT, for each private IP host that needs Internet access, you need a publicly registered IP address,
completely defeating the goal of reducing the number of public IPv4 addresses needed for that organization.
 Solution of some issues
• Dynamic NAT lessens the problem to some degree, because every single host in an internetwork should seldom
need to communicate with the Internet at the same time.
• However, if a large percentage of the IP hosts in a network will need Internet access throughout that company’s
normal business hours, NAT still requires a large number of registered IP addresses, again failing to reduce IPv4
address consumption.
• The NAT Overload feature, also called Port Address Translation (PAT), solves this problem.
• Overloading allows NAT to scale to support many clients with only a few public IP addresses.
• The key to understanding how overloading works is to recall how hosts use TCP and User Datagram Protocol (UDP)
ports.
• To see why, first consider the idea of 3 separate TCP connections to a web server, from 3 different hosts, as shown in Figure 10-6.
• Next, compare those three TCP connections in Figure 10-6 to three similar TCP connections, now with all three TCP connections from one client, as shown in Figure 10-7.
• The server does realize a difference because the server sees the IP address and TCP port number used by the clients in both figures.
• However, the server really does not care whether the TCP connections come from different hosts or the same
host; the server just sends and receives data over each connection.
• NAT takes advantage of the fact that, from a transport layer perspective, the server doesn’t care whether it has
one connection each to three different hosts or three connections to a single host IP address.
• NAT overload (PAT) translates not only the address, but the port number when necessary, making what looks like
many TCP or UDP flows from different hosts look like the same number of flows from one host.
• Figure 10-8 outlines the logic.
• When PAT creates the dynamic mapping, it selects not only an inside global IP address but also a unique port
number to use with that address.
• The NAT router keeps a NAT table entry for every unique combination of inside local IP address and port, with
translation to the inside global address and a unique port number associated with the inside global address.
• And because the port number field has 16 bits, NAT overload can use more than 65,000 port numbers, allowing it
to scale well without needing many registered IP addresses—in many cases, needing only one inside global IP
address.
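The dynamic NAT sequence (match the source, take the first free pool address, record the entry) and the PAT overload logic (one inside global address, one unique port per inside local address and port pair) described above, as an added example that is not from the slides and not IOS behaviour verbatim. Assumptions: the inside addresses 10.1.1.x and the registered 200.1.1.x addresses follow the slides' scenario, but the pool size of five, the six hosts, the five sample flows and the port-allocation policy (keep the host's own port when free, otherwise the lowest free port above 1023) are constructed for the demonstration.

```python
"""Dynamic NAT (one-to-one mappings from a pool) versus NAT overload / PAT.

Added example for these slides (not the slides' figures or IOS output).
Addresses follow the slides' scenario (inside 10.1.1.x, registered 200.1.1.0);
the pool size, the flows and the port-allocation policy are constructed.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]   # (IP address, TCP/UDP port)


def inside_10_1_1(ip: str) -> bool:
    """Matching criteria from the slides: translate sources starting with 10.1.1."""
    return ip.startswith("10.1.1.")


class DynamicNat:
    """Steps 2-4 of the slides' sequence: match the source, take the first free
    inside global address from the pool, record the mapping in the NAT table."""

    def __init__(self, pool: List[str], should_translate: Callable[[str], bool]):
        self.free = list(pool)                  # inside global addresses still unallocated
        self.should_translate = should_translate
        self.table: Dict[str, str] = {}         # inside local -> inside global

    def outbound(self, inside_local: str) -> Optional[str]:
        """Source address to write into a packet leaving the inside network, or
        None when the pool is exhausted (a real router drops that packet)."""
        if not self.should_translate(inside_local):
            return inside_local                 # not matched: forwarded untranslated
        if inside_local in self.table:
            return self.table[inside_local]     # existing dynamic entry reused
        if not self.free:
            return None
        inside_global = self.free.pop(0)        # "the first one available"
        self.table[inside_local] = inside_global
        return inside_global

    def inbound(self, inside_global: str) -> Optional[str]:
        """Destination address to restore in a packet coming back from the Internet."""
        for local, glob in self.table.items():
            if glob == inside_global:
                return local
        return None

    def clear(self) -> None:
        """What 'clear ip nat translation *' does: drop all dynamic entries."""
        self.free.extend(self.table.values())
        self.table.clear()


class Pat:
    """NAT overload: one inside global address shared by all inside hosts, with a
    unique global port per (inside local address, port) pair."""

    def __init__(self, inside_global: str, should_translate: Callable[[str], bool]):
        self.inside_global = inside_global
        self.should_translate = should_translate
        self.table: Dict[Flow, Flow] = {}       # (local ip, local port) -> (global ip, global port)
        self.used_ports: Set[int] = set()

    def _allocate_port(self, wanted: int) -> Optional[int]:
        # Assumed policy: keep the host's own port if nobody else holds it,
        # otherwise take the lowest free port above 1023.
        if wanted not in self.used_ports:
            return wanted
        return next((p for p in range(1024, 65536) if p not in self.used_ports), None)

    def outbound(self, src: Flow) -> Optional[Flow]:
        if not self.should_translate(src[0]):
            return src
        if src in self.table:
            return self.table[src]
        port = self._allocate_port(src[1])
        if port is None:
            return None                         # every port of the single address in use
        self.table[src] = (self.inside_global, port)
        self.used_ports.add(port)
        return self.table[src]

    def inbound(self, dst: Flow) -> Optional[Flow]:
        for local, glob in self.table.items():
            if glob == dst:
                return local
        return None


def demo() -> Tuple[List[Optional[str]], List[Optional[Flow]]]:
    """Six hosts against a five-address dynamic pool, then five flows (three of
    them from one host) through a single PAT address."""
    nat = DynamicNat(["200.1.1.%d" % i for i in range(1, 6)], inside_10_1_1)
    dynamic = [nat.outbound("10.1.1.%d" % h) for h in range(1, 7)]
    pat = Pat("200.1.1.1", inside_10_1_1)
    flows = [("10.1.1.1", 1030), ("10.1.1.2", 1030), ("10.1.1.3", 1030),
             ("10.1.1.1", 1031), ("10.1.1.1", 1032)]
    overloaded = [pat.outbound(f) for f in flows]
    return dynamic, overloaded


if __name__ == "__main__":
    dyn, over = demo()
    print("dynamic NAT:", dyn)       # sixth host gets None: pool exhausted
    print("PAT:", over)              # all five flows share 200.1.1.1 with distinct ports
```

The contrast is the point of the slides: with a five-address pool the sixth inside host cannot be translated at all, whereas the single-address PAT table keeps every flow distinguishable, including the two different hosts that both chose local port 1030, because the router rewrites the port as well as the address and undoes both on the way back.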
 NAT Configuration and Troubleshooting
• The following sections describe how to configure the three most common variations of NAT :
- Static NAT,
- Dynamic NAT,
- PAT,
… along with the show and debug commands used to troubleshoot NAT.
 Static NAT Configuration
• Static NAT configuration requires only a few configuration steps.
• Each static mapping between a local (private) address and a global (public) address must be configured.
• In addition, because NAT may be used on a subset of interfaces, the router must be told on which interfaces it
should use NAT.
• Those same interface subcommands tell NAT whether the interface is inside or outside.
• The specific steps are as follows :
• Figure 10-9 shows the familiar network used in the description of static NAT earlier in this chapter, which is also
used for the first several configuration examples.
• In Figure 10-9, you can see that Certskills has obtained Class C network 200.1.1.0 as a registered network number.
• That entire network, with mask 255.255.255.0, is configured on the serial link between Certskills and the Internet.
• With a point-to-point serial link, only two of the 254 valid IP addresses in that network are consumed, leaving 252
addresses.
 Important Remark !!!!
• When planning a NAT configuration, you must find some IP addresses to use as inside global IP addresses.
• Because these addresses must be part of some registered IP address range, it is common to use the extra
addresses in the subnet connecting the enterprise to the Internet—for example, the extra 252 IP addresses in
network 200.1.1.0 in this case.
• The router can also be configured with a loopback interface and assigned an IP address that is part of a globally
unique range of registered IP addresses.
• Example 10-1 lists the NAT configuration, using 200.1.1.1 and 200.1.1.2 for the two static NAT mappings.
 Important command to set NAT !!!!
=> The static mappings are created using the ip nat inside source static command.
• The inside keyword means that NAT translates addresses for hosts on the inside part of the network.
• The source keyword means that NAT translates the source IP address of packets coming into its inside interfaces.
• The static keyword means that the parameters define a static entry, which should never be removed from the NAT
table because of timeout.
• Because the design calls for two hosts (10.1.1.1 and 10.1.1.2) to have Internet access, two ip nat inside source
static commands are needed, one per mapping.
• After creating the static NAT entries, the router needs to know which interfaces are “inside” and which are
“outside.”
• The ip nat inside and ip nat outside interface subcommands identify each interface appropriately.
Other commands :
• A couple of show commands list the most important information about NAT.
• The show ip nat translations command lists the two static NAT entries created in the configuration.
• The show ip nat statistics command lists statistics, listing things such as the number of currently active translation
table entries.
• The statistics also include the number of hits, which increments for every packet for which NAT must translate
addresses.
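• The following configuration is an added example built from the addresses on these slides; it is not the book's Example 10-1. Interface names, the router's own interface addresses (10.1.1.3 and 200.1.1.251) and the ISP side of the link are assumptions.

```cisco
! Added example, not the slides' Example 10-1. Hosts 10.1.1.1/10.1.1.2 and the
! inside global addresses 200.1.1.1/200.1.1.2 come from the slides; interface
! names and the router's own interface addresses are assumptions.
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
! One static mapping per host: inside-local address first, inside-global second.
! "static" entries never age out of the NAT table.
ip nat inside source static 10.1.1.1 200.1.1.1
ip nat inside source static 10.1.1.2 200.1.1.2
!
! Verification. Static entries appear at once, before any user traffic:
!   show ip nat translations
!   Pro Inside global      Inside local       Outside local      Outside global
!   --- 200.1.1.1          10.1.1.1           ---                ---
!   --- 200.1.1.2          10.1.1.2           ---                ---
!   show ip nat statistics   (2 active translations; "hits" grows per translated packet)
```

• A static mapping works in both directions: as soon as it exists, any Internet host can reach 10.1.1.1 by sending packets to 200.1.1.1. NAT itself filters nothing, so a statically mapped host needs an ACL on the outside interface (or a stateful firewall) that permits only the services it is meant to expose.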
 Dynamic NAT Configuration
• Dynamic NAT still requires that each interface be identified as either an inside or outside interface, and of course
static mapping is no longer required.
• Dynamic NAT uses an access control list (ACL) to identify which inside local (private) IP addresses need to have
their addresses translated, and it defines a pool of registered public IP addresses to allocate.
• The specific steps are as follows :
- Step 1. Use the ip nat inside interface subcommand on each inside interface.
- Step 2. Use the ip nat outside interface subcommand on each outside interface.
- Step 3. Configure an ACL that matches the packets entering inside interfaces whose source addresses NAT should translate.
- Step 4. Use the ip nat pool name first-address last-address netmask subnet-mask global command to define the pool of inside global addresses.
- Step 5. Use the ip nat inside source list acl-number pool pool-name global command to tie the ACL and the pool together.
• The next example shows a sample dynamic NAT configuration using the same network topology as the previous
example (see Figure 10-9).
• In this case, the same two inside local addresses—10.1.1.1 and 10.1.1.2—need translation.
• However, unlike the previous static NAT example, the configuration in Example 10-2 places the public IP addresses
(200.1.1.1 and 200.1.1.2) into a pool of dynamically assignable inside global addresses.
• Dynamic NAT configures the pool of public (global) addresses with the ip nat pool command, listing the first and
last numbers in an inclusive range of inside global addresses.
• For example, if the pool needed 10 addresses, the command might have listed 200.1.1.1 and 200.1.1.10, which
means that NAT can use 200.1.1.1 through 200.1.1.10.
 Important Remark !!!!!
• One other big difference between the dynamic NAT and static NAT configuration in Example 10-1 has to do with
two options in the ip nat inside source command.
• The dynamic NAT version of this command refers to the name of the NAT pool it wants to use for inside global
addresses, in this case fred.
• It also refers to an IP ACL, which defines the matching logic for inside local IP addresses.
• So, the logic for the ip nat inside source list 1 pool fred command in this example is as follows :
- Create NAT table entries that map between hosts matched by ACL 1, for packets entering any inside interface,
allocating an inside global address from the pool called fred.
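• The following configuration is an added example for the dynamic NAT design described above; it is not the book's Example 10-2. ACL 1, the pool name fred and the address range come from the slides; interface names and the router's own interface addresses are assumptions.

```cisco
! Added example, not the slides' Example 10-2. ACL 1, pool "fred" and the
! addresses come from the slides; interface names and the router's own
! interface addresses are assumptions.
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 200.1.1.251 255.255.255.0
 ip nat outside
!
! Only these two inside local addresses are eligible for translation.
! A packet whose source matches no permit line is forwarded untranslated;
! a deny line in a NAT ACL means "do not translate", not "drop".
access-list 1 permit 10.1.1.1
access-list 1 permit 10.1.1.2
!
! Inclusive range of inside global addresses; the netmask keyword is required.
ip nat pool fred 200.1.1.1 200.1.1.2 netmask 255.255.255.0
!
! Tie the ACL (which hosts) to the pool (which global addresses).
ip nat inside source list 1 pool fred
!
! Verification before any traffic: "show ip nat translations" prints nothing and
! "show ip nat statistics" reports 0 active translations; entries appear only
! after a matching host sends a packet out of an inside interface.
```

• Two practical checks: with only two addresses in fred, a third host permitted by ACL 1 gets no entry while both are in use, and its packets are dropped (watch the misses counter in show ip nat statistics). IOS will not let you modify or delete a pool while dynamic entries still reference it, so run clear ip nat translation * before changing the ACL or the pool. Keep the ACL as narrow as the design requires: every source it permits gains Internet reachability through the pool.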
 Dynamic NAT Verification
• Examples 10-3 and 10-4 show the evidence that dynamic NAT begins with no NAT table entries, but the router reacts after user
traffic correctly drives the NAT function.
• Example 10-3 shows the output of the show ip nat translations and show ip nat statistics commands before any users
generate traffic that makes NAT do some work.
• The show ip nat translations command, which lists the NAT table entries, prints only a blank line; the show ip nat
statistics command, which also counts how many entries NAT has created, shows 0 active translations.
 NAT Overload (PAT) Configuration
• The static and dynamic NAT configurations matter, but the NAT overload (PAT) configuration in this section
matters more.
• This is the feature that conserves public IPv4 addresses and has prolonged IPv4's life.
• NAT overload, as mentioned earlier, allows NAT to support many inside local IP addresses with only one or a few
inside global IP addresses.
• By translating the private IP address and port number to a single inside global address with a unique port
number, NAT can support many private hosts with only a single public, global address; the practical limit is the
number of free port numbers (roughly 65,000 concurrent translations per transport protocol), not a count of hosts.
 Command Lines :
• Example 10-2 demonstrated a dynamic NAT configuration.
• To convert it to a PAT configuration, you would use the ip nat inside source list 1 pool fred overload command instead, simply
adding the overload keyword.
• The next example shows PAT configuration using a single interface IP address.
• Figure 10-10 shows the same familiar network, with a few changes.
• In this case, the ISP has given Certskills a subset of network 200.1.1.0: CIDR subnet 200.1.1.248/30.
• In other words, this subnet has two usable addresses: 200.1.1.249 and 200.1.1.250.
• These addresses are used on either end of the serial link between Certskills and its ISP.
• The NAT feature on the Certskills router translates all inside local addresses to the IP address of its serial
interface, 200.1.1.249.
 Example :
• In Example 10-6, which shows the NAT overload configuration, NAT translates using inside global address
200.1.1.249 only, so the NAT pool is not required.
• In the example, host 10.1.1.2 creates two Telnet connections, and host 10.1.1.1 creates one Telnet connection,
causing three dynamic NAT entries, each using inside global address 200.1.1.249, but each with a unique port
number.
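• The following configuration is an added example of PAT using the serial interface address, built from Figure 10-10; it is not the book's Example 10-6. The /30 subnet, 200.1.1.249 and the two hosts come from the slides; interface names, the inside interface address 10.1.1.3, the outside Telnet server 203.0.113.10 (an address from the documentation range) and the port numbers in the sample output are assumptions.

```cisco
! Added example, not the slides' Example 10-6. Subnet 200.1.1.248/30 and the
! address 200.1.1.249 come from the slides; interface names, 10.1.1.3, the
! outside server 203.0.113.10 and the port numbers shown are assumptions.
interface GigabitEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 200.1.1.249 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.1.1.1
access-list 1 permit 10.1.1.2
!
! No pool: translate to whatever address Serial0/0/0 holds, and reuse that one
! address for every host by giving each flow its own port number (overload).
ip nat inside source list 1 interface Serial0/0/0 overload
!
! After 10.1.1.2 opens two Telnet sessions and 10.1.1.1 opens one, the table
! holds three entries that share 200.1.1.249 but differ in source port:
!   show ip nat translations
!   Pro Inside global         Inside local         Outside local         Outside global
!   tcp 200.1.1.249:49712     10.1.1.1:49712       203.0.113.10:23       203.0.113.10:23
!   tcp 200.1.1.249:49713     10.1.1.2:49713       203.0.113.10:23       203.0.113.10:23
!   tcp 200.1.1.249:49714     10.1.1.2:49714       203.0.113.10:23       203.0.113.10:23
```

• The pool form, ip nat inside source list 1 pool fred overload, works the same way but draws the inside global address from the pool. The interface form is preferred when the ISP assigns the outside address dynamically, since the translation follows the interface address. Note the security consequence of overload: entries are created only by outbound traffic, so unsolicited inbound packets to 200.1.1.249 are dropped for lack of a matching entry, which is a side effect, not a filtering policy, and every inside host now shares one public address and therefore one reputation with the outside world.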