NAT Project Report


TABLE OF CONTENTS

CHAPTER NO. TITLE

1. INTRODUCTION

2. OPERATION

3. SYSTEM REQUIREMENTS

4. CONFIGURATION

5. SCOPE OF PROJECT

6. REFERENCES

Chapter no. 1
INTRODUCTION

Network address translation (NAT) is a method of mapping an
IP address space into another by modifying network address information in the IP
header of packets while they are in transit across a traffic routing device.[1] The
technique was originally used to bypass the need to assign a new address to every
host when a network was moved, or when the upstream Internet service
provider was replaced, but could not route the network's address space. It has
become a popular and essential tool in conserving global address space in the face
of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway
can be used for an entire private network.[2]

As network address translation modifies the IP address information in packets,
NAT implementations may vary in their specific behavior in various addressing
cases and their effect on network traffic. The specifics of NAT behavior are not
commonly documented by vendors of equipment containing NAT
implementations.

Note: In this document, when the internet, or an internet device is referred to, it
means a device on any external network.

Overview-

About Project

In today's Internet the two main problems related to the IP protocol are a
shortage of IP addresses and scaling in routing. Long-term solutions to these
problems, such as IPv6, are being developed, but they will take time to be widely
accepted. Meanwhile, short-term solutions that help to delay the problems for
some time are proposed and used. One of these solutions is Network Address
Translation (NAT), the implementation of which is the subject of our project.

The principle of NAT is IP address reuse, which can be applied in small and mid-
range local networks. NAT uses the fact that in these environments a very small
percentage of hosts are communicating outside their local domain at any given
time. That is to say, almost all TCP/IP packets on the local network are destined to
hosts in this local network, and thus these hosts can have IP addresses that are not
globally unique. The NAT module placed at the border router of the domain
performs IP address translation inside IP datagrams passing through it in both
directions. When an IP datagram is sent from a local host to the Internet with a local
IP address that is not globally unique, the NAT module substitutes it with a
globally unique IP address taken from a pool, and sends the datagram out. In the
reverse direction the reverse translation is needed.

The possible changes in datagrams involved in the translation are as follows:
change of the Source or Destination IP address in the IP header; adjustment of the
IP Checksum in the IP header because of changes in the header; adjustment of the
TCP Checksum, because it reflects changes in the IP address; and changes in all
places in the data portion of TCP, UDP, ICMP and other packets where source or
destination IP addresses are stored.
Undoubtedly, it is impossible to do the right translation needed in all possible
TCP/IP applications. So our implementation of NAT will support the general set of
protocols and applications, such as FTP, Telnet, HTTP, ICMP and others.
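The checksum adjustments listed above do not require re-summing the packet: the old address words can be subtracted and the new ones added, using the incremental update of RFC 1624. The following Python sketch is an added example, not code from the project; the header, the TCP segment and the destination 203.0.113.10 are constructed, and the inside and global addresses are borrowed from the static NAT example later in this report.

```python
import ipaddress
import struct

INSIDE, GLOBAL, DEST = "172.16.1.1", "158.80.1.40", "203.0.113.10"  # DEST is constructed
# Constructed 20-byte TCP SYN segment (ports 2132 -> 80), checksum field zeroed.
SAMPLE_SEGMENT = struct.pack("!HHIIBBHHH", 2132, 80, 1000, 0, 0x50, 0x02, 8192, 0, 0)


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def words(ip: str):
    """An IPv4 address as the two 16-bit words the checksum sees."""
    return struct.unpack("!2H", ipaddress.IPv4Address(ip).packed)


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied per changed word."""
    total = ~old_csum & 0xFFFF
    for old, new in zip(old_words, new_words):
        total += (~old & 0xFFFF) + new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 20) -> bytes:
    """Constructed 20-byte IPv4 header (protocol TCP, TTL 64), valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def translate_source(header: bytes, new_src: str) -> bytes:
    """Rewrite the source address and patch the IP header checksum."""
    old_src = str(ipaddress.IPv4Address(header[12:16]))
    (old_csum,) = struct.unpack("!H", header[10:12])
    csum = incremental_update(old_csum, words(old_src), words(new_src))
    return (header[:10] + struct.pack("!H", csum)
            + ipaddress.IPv4Address(new_src).packed + header[16:])


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Full TCP checksum: pseudo-header (addresses, protocol, length) + segment."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return internet_checksum(pseudo + segment)


def tcp_checksum_after_nat(old_csum: int, old_src: str, new_src: str) -> int:
    """The pseudo-header carries the IP addresses, so the same delta applies
    to the TCP checksum without reading the segment again."""
    return incremental_update(old_csum, words(old_src), words(new_src))


if __name__ == "__main__":
    translated = translate_source(build_ipv4_header(INSIDE, DEST), GLOBAL)
    # A receiver sums the whole header; a valid header sums to zero.
    print("IP header valid after NAT:", internet_checksum(translated) == 0)
    old = tcp_checksum(INSIDE, DEST, SAMPLE_SEGMENT)
    print("TCP checksum matches full recompute:",
          tcp_checksum_after_nat(old, INSIDE, GLOBAL)
          == tcp_checksum(GLOBAL, DEST, SAMPLE_SEGMENT))
```
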

Types of NAT

NAT can be implemented using one of three methods:

Static NAT –
In this, a single unregistered (private) IP address is mapped to a legally
registered (public) IP address, i.e., a one-to-one mapping between local and global
addresses. This is generally used for Web hosting. It is not used in
organizations, as there are many devices that need Internet access and, to
provide Internet access, a public IP address is needed for each.

Suppose there are 3000 devices that need access to the Internet; the organization
has to buy 3000 public addresses, which will be very costly.

Dynamic NAT –
In this type of NAT, an unregistered IP address is translated into a registered
(public) IP address from a pool of public IP addresses. If no IP address in the pool
is free, then the packet will be dropped, as only a fixed number of private IP
addresses can be translated to public addresses.

Suppose there is a pool of 2 public IP addresses; then only 2 private IP addresses
can be translated at a given time. If a 3rd private IP address wants to access the
Internet, then the packet will be dropped. In this way, many private IP addresses are
mapped to a pool of public IP addresses. This type of NAT is used when the number
of users who want to access the Internet is fixed. This is also very costly, as the
organization has to buy many global IP addresses to make a pool.

NAT Overload Or Port Address Translation (PAT) –
This is also known as NAT overload. In this, many local (private) IP addresses can
be translated to a single registered IP address. Port numbers are used to distinguish
the traffic, i.e., which traffic belongs to which IP address. This is most frequently
used as it is cost-effective: thousands of users can be connected to the Internet by
using only one real global (public) IP address.

NAT Terminology
Specific terms are used to identify the various NAT addresses:

• Inside Local –
An IP address that is assigned to a host on the inside (local) network. The address
is probably not an IP address assigned by the service provider, i.e., these are private
IP addresses. This is the inside host seen from the inside network.

• Inside Global –
The address that identifies an inside host to the outside world (usually a public
address). Essentially, this is the dynamically or statically assigned public address
assigned to a private host.

• Outside Global –
The address assigned to an outside host (usually a public address).

• Outside Local –
The address that identifies an outside host to the inside network. Often, this is the
same address as the Outside Global. However, it is occasionally necessary to
translate an outside (usually public) address to an inside (usually private) address.

Chapter no. 2
Operation
Generally, the border router is configured for NAT, i.e., the router which
has one interface in the local (inside) network and one interface in the global
(outside) network. When a packet traverses outside the local (inside) network,
NAT converts its local (private) IP address to a global (public) IP address. When a
packet enters the local network, the global (public) IP address is converted to a
local (private) IP address.
If NAT runs out of addresses, i.e., no address is left in the configured pool, then the
packets will be dropped and an Internet Control Message Protocol (ICMP) host
unreachable packet is sent to the destination.

SYSTEM REQUIREMENTS

• Hardware
1. Monitor
2. Keyboard
3. Mouse

• Software
1. Windows 7 or more
2. Cisco Packet Tracer 7.0 or higher

S/W & H/W Requirement specification

The information in this document is based on these software and hardware
versions:

• Cisco 2500 Series Routers
• Cisco IOS® Software Release 12.2 (10b)
• Cisco Switches
• Cisco Hubs
• Wireless Device
• Copper Straight-Through Cable
• Copper Cross-Over Cable
• Fiber Optics Cable
• Coaxial Cable
• Serial DCE Cable
• Serial DTE Cable

The information in this document was created from the devices in a specific lab
environment. All of the devices used in this document started with a cleared
(default) configuration. If your network is live, make sure that you understand the
potential impact of any command.

Windows XP

Windows Server 2003

Server & Client

Also, this document is not restricted to specific software and hardware
versions.

• Protocol Used

• Transmission Control Protocol

Similar to the incoming translation thread, the cases of establishment and
termination of connections, indicated by the SYN and FIN flags, are the same.
The special case here is the FTP command connection. (We detect the FTP command
connection by the destination port number 21 in the TCP header.) It can contain
the source IP address in ASCII form inside the data portion of the TCP segment
(the PORT command). It should be translated as well, like the source IP in the IP
header. We also need to adjust the TCP Checksum because it covers the whole TCP
segment including the data. We must also fix the IP total length field, because the
replaced IP was in ASCII, and the new one could be shorter or longer (in ASCII).

If the SYN flag is on, it means that a TCP connection is being established. So we
must trace the TCP 3-way handshake to be sure that a connection has been
established, and then raise a flag in the Translation Table telling that there is an
active TCP connection in this entry. If the FIN flag is on, it means that a TCP
connection is being terminated. So we must trace the TCP connection shutdown
mechanism to be sure that the connection has been closed. Then we clear the flag,
and this entry can be cleared in case of a shortage of global IP addresses.
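The PORT rewrite described above, as an added Python example that is not part of the project's code. The function names, the sample payloads and the address pairs are constructed for illustration; the payload is rewritten only when the embedded address equals the Local_IP of the translation entry, and the returned length delta is what has to be applied to the IP total length field.

```python
import ipaddress
import re
import struct

# "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP command connection (TCP port 21).
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE,
)


def rewrite_port_command(payload: bytes, local_ip: str, global_ip: str):
    """Return (new_payload, length_delta) for one FTP command payload.

    Anything that is not a well-formed PORT command naming local_ip is
    passed through unchanged with a delta of 0.
    """
    m = PORT_RE.match(payload)
    if not m:
        return payload, 0
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return payload, 0          # malformed octet: leave the payload alone
    embedded = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    if embedded != ipaddress.IPv4Address(local_ip):
        return payload, 0          # address is not the one this entry translates
    new_host = str(ipaddress.IPv4Address(global_ip)).replace(".", ",")
    new_payload = b"PORT %s,%d,%d\r\n" % (new_host.encode(), fields[4], fields[5])
    return new_payload, len(new_payload) - len(payload)


def patch_total_length(ip_header: bytes, delta: int) -> bytes:
    """Apply the delta to the IPv4 Total Length field (header bytes 2-3).

    The IP header checksum and the TCP checksum must be recomputed afterwards,
    and the same delta has to be applied to the sequence and acknowledgment
    numbers of later segments on this connection.
    """
    (total_len,) = struct.unpack("!H", ip_header[2:4])
    return ip_header[:2] + struct.pack("!H", total_len + delta) + ip_header[4:]


if __name__ == "__main__":
    # Constructed payload: inside host 172.16.1.1 announces data port 19*256+136.
    new, delta = rewrite_port_command(b"PORT 172,16,1,1,19,136\r\n",
                                      "172.16.1.1", "158.80.1.40")
    print(new, delta)
```
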

• Local_IP

The local IP address of the local host.

• Global_IP

The globally unique IP (that is bound to the local IP if this entry is in use).

• Conn Protocol

This field identifies which type of connection this host is using: TCP or other.
Used in the Timeout detection algorithm (as will be described below).

• Timestamp

Also used in the Timeout detection algorithm. This field is updated each time this
entry is used, i.e., an IP packet is sent from or to this IP address. Thus we can
always find the entry which is the longest idle session.

• TCP_State

This field reflects the current state of the TCP connection, for use with the
Timeout detection algorithm. Used to trace when the TCP connection is
completely established or shut down.

• ICMP

When an ICMP error message arrives, besides the regular NAT IP header
translation, we also need to change the ICMP data field because it contains the IP
header + the first 8 bytes of data of the original IP datagram that generated the
problem. We need to fix the IP address in this header (inside the ICMP data field)
and the ICMP checksum as well. The rest of the protocols need no changes in their
headers and data.
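The translation table fields above (Local_IP, Global_IP, Conn Protocol, Timestamp, TCP_State) and the SYN/FIN tracing can be modelled as follows. This Python sketch is an added example, not the project's implementation: the report does not spell out its Timeout detection algorithm, so the reclaim policy here (free the longest-idle entry that has no established TCP connection) is an assumption, as are the `fin_from` helper field, the RST handling and the host addresses.

```python
from dataclasses import dataclass
from enum import Enum


class TcpState(Enum):
    NONE = 0         # no TCP connection tracked (flag clear)
    SYN_SENT = 1     # SYN seen from the inside host
    SYN_ACKED = 2    # SYN+ACK seen from the outside host
    ESTABLISHED = 3  # 3-way handshake complete (flag raised)
    FIN_SEEN = 4     # first FIN seen
    CLOSING = 5      # FIN seen from both sides, last ACK pending


# The "active TCP connection" flag of the text, derived from TCP_State.
ACTIVE = {TcpState.ESTABLISHED, TcpState.FIN_SEEN, TcpState.CLOSING}


@dataclass
class Entry:
    local_ip: str
    global_ip: str
    conn_protocol: str = "other"          # "TCP" or "other"
    timestamp: float = 0.0                # last time the entry was used
    tcp_state: TcpState = TcpState.NONE
    fin_from: str = ""                    # assumption: side that sent the first FIN


class TranslationTable:
    def __init__(self, pool):
        self.free = list(pool)
        self.by_local = {}
        self.by_global = {}

    def _reclaim(self) -> bool:
        """Assumed policy: free the longest-idle entry whose flag is clear."""
        idle = [e for e in self.by_local.values() if e.tcp_state not in ACTIVE]
        if not idle:
            return False
        victim = min(idle, key=lambda e: e.timestamp)
        del self.by_local[victim.local_ip]
        del self.by_global[victim.global_ip]
        self.free.append(victim.global_ip)
        return True

    def outbound(self, local_ip, now, proto="other", flags=frozenset()):
        """Packet leaving the inside: returns its Global_IP, or None (drop)."""
        entry = self.by_local.get(local_ip)
        if entry is None:
            if not self.free and not self._reclaim():
                return None               # pool exhausted, nothing reclaimable
            entry = Entry(local_ip, self.free.pop(0))
            self.by_local[local_ip] = entry
            self.by_global[entry.global_ip] = entry
        self._track(entry, now, proto, set(flags), "in")
        return entry.global_ip

    def inbound(self, global_ip, now, proto="other", flags=frozenset()):
        """Packet arriving from outside: returns the Local_IP, or None."""
        entry = self.by_global.get(global_ip)
        if entry is None:
            return None
        self._track(entry, now, proto, set(flags), "out")
        return entry.local_ip

    def _track(self, e, now, proto, flags, side):
        e.timestamp = now
        if proto != "TCP":
            return
        e.conn_protocol = "TCP"
        s = e.tcp_state
        if "RST" in flags:                # not in the text; assumed to end the connection
            e.tcp_state = TcpState.NONE
        elif s is TcpState.NONE and flags == {"SYN"} and side == "in":
            e.tcp_state = TcpState.SYN_SENT
        elif s is TcpState.SYN_SENT and flags == {"SYN", "ACK"} and side == "out":
            e.tcp_state = TcpState.SYN_ACKED
        elif s is TcpState.SYN_ACKED and flags == {"ACK"} and side == "in":
            e.tcp_state = TcpState.ESTABLISHED
        elif s is TcpState.ESTABLISHED and "FIN" in flags:
            e.tcp_state, e.fin_from = TcpState.FIN_SEEN, side
        elif s is TcpState.FIN_SEEN and "FIN" in flags and side != e.fin_from:
            e.tcp_state = TcpState.CLOSING
        elif s is TcpState.CLOSING and flags == {"ACK"} and side == e.fin_from:
            e.tcp_state = TcpState.NONE   # shutdown complete, flag cleared
```

Because the flag is raised only after the handshake completes, an entry that never gets past SYN_SENT stays reclaimable and cannot pin a pool address. Like the table in the text, this model tracks one TCP connection per entry.
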

Work Flow Diagram

Configuring Static NAT

The first step to configure Static NAT is to identify the inside (usually private)
and outside (usually public) interfaces:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside

To statically map a public address to a private address, the syntax is as follows:

Router(config)# ip nat inside source static 172.16.1.1 158.80.1.40

This command performs a static translation of the source address
172.16.1.1 (located on the inside of the network) to the outside address of
158.80.1.40.

Configuring Dynamic NAT

When configuring Dynamic NAT, the inside and outside interfaces must first be
identified:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside

Next, a pool of global addresses must be specified. Inside hosts will
dynamically choose the next available address in this pool when
communicating outside the local network:

Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0

The above command specifies that the pool named POOLNAME contains a range
of public addresses from 158.80.1.1 through 158.80.1.50.
Finally, a list of private addresses that are allowed to be dynamically translated
must be specified:

Router(config)# ip nat inside source list 10 pool POOLNAME
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

The first command states that any inside host with a source that matches access-list
10 can be translated to any address in the pool named POOLNAME.
The access-list specifies any host on the 172.16.1.0 network.

Configuring NAT Overload (or PAT)

Recall that NAT Overload (or PAT) is necessary when the number of internal
clients exceeds the available global addresses. Each internal host is translated to a
unique port number off of a single global address.

Configuring NAT overload is relatively simple:

Router(config)# int e0/0
Router(config-if)# ip nat inside
Router(config)# int s0/0
Router(config-if)# ip nat outside
Router(config)# ip nat inside source list 10 interface Serial0/0 overload
Router(config)# access-list 10 permit 172.16.1.0 0.0.0.255

Any inside host with a source that matches access-list 10 will be translated with
overload to the IP address configured on the Serial0/0 interface.

To clear all dynamic NAT entries from the translation table:

Quick Start Steps for Configuring and Deploying NAT

When you configure NAT, it is sometimes difficult to know where to begin,
especially if you are new to NAT. These steps guide you to define what you want
NAT to do and how to configure it:

1. Define NAT inside and outside interfaces.
   o Do users exist off multiple interfaces?
   o Are there multiple interfaces going to the internet?
2. Define what you're trying to accomplish with NAT.
   o Are you trying to allow internal users to access the internet?
   o Are you trying to allow the internet to access internal devices (such as
     a mail server or web server)?
   o Are you trying to redirect TCP traffic to another TCP port or address?
   o Are you using NAT during a network transition (for example, you
     changed a server's IP address and until you can update all the clients
     you want the non-updated clients to be able to access the server using
     the original IP address as well as allow the updated clients to access
     the server using the new address)?
   o Are you using NAT to allow overlapping networks to communicate?
3. Configure NAT in order to accomplish what you defined above. Based on
   what you defined in step 2, you need to determine which of the following
   features to use:
   o Static NAT
   o Dynamic NAT
   o Overloading
   o Any combination of the above
4. Verify the NAT operation.

Each of the following NAT examples guides you through steps 1 through 3 of the
Quick Start Steps above. These examples describe some common scenarios in
which Cisco recommends you deploy NAT.

Defining NAT Inside and Outside Interfaces

The first step in deploying NAT is to define NAT inside and outside interfaces.
You may find it easiest to define your internal network as inside, and the external
network as outside. However, the terms internal and external are subject to
arbitration as well. The figure below shows an example of this.

Example: Allowing Internal Users to Access the Internet

You may want to allow internal users to access the internet, but you may not have
enough valid addresses to accommodate everyone. If all communication with
devices in the internet will originate from the internal devices, you need a single
valid address or a pool of valid addresses.

The figure below shows a simple network diagram with the router interfaces
defined as inside and outside:

In this example, we want NAT to allow certain devices (the first 31 from each
subnet) on the inside to originate communication with devices on the outside by
translating their invalid address to a valid address or pool of addresses. The pool
has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.

Now you are ready to configure NAT. In order to accomplish what is defined
above, use dynamic NAT. With dynamic NAT, the translation table in the router is
initially empty and gets populated once traffic that needs to be translated passes
through the router. (As opposed to static NAT, where a translation is statically
configured and is placed in the translation table without the need for any traffic.)

In this example, we can configure NAT to translate each of the inside devices to a
unique valid address, or to translate each of the inside devices to the same valid
address. This second method is known as overloading. An example of how to
configure each method is given below.

Configuring NAT to Allow Internal Users to Access the Internet

NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside

!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!

!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.

ip nat inside source list 7 pool no-overload
!
!

!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7
!--- will have the source address translated to an address out of the
!--- NAT pool "no-overload".

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31

!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note: Cisco highly recommends that you do not configure access lists referenced
by NAT commands with permit any. Using permit any can result in NAT
consuming too many router resources which can cause network problems.

Notice in the above configuration that only the first 32 addresses from subnet
10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by
access-list 7. Therefore, only these source addresses are translated. There may be
other devices with other addresses on the inside network, but these won't be
translated.
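To see exactly which inside sources access-list 7 hands to NAT, and why permit any is discouraged, the wildcard-mask match can be reproduced offline. The following Python sketch is an added example, not Cisco code; the function names are hypothetical, and it models only standard access-list lines of the form shown above, with first-match semantics and the implicit deny at the end.

```python
import ipaddress

# The two access-list lines from the configuration above.
ACL_7 = """\
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
"""


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' or '... any'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if parts[3] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(parts[3]))
            # A missing wildcard means a single host (0.0.0.0).
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((action, base, wild))
    return rules


def is_translated(rules, src: str) -> bool:
    """First match wins; a source matching no rule hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wild in rules:
        # Bits set in the wildcard are "don't care"; all others must match.
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def addresses_covered(rules) -> int:
    """Upper bound on distinct sources the permit rules can put in the NAT table."""
    return sum(2 ** bin(wild).count("1")
               for action, _, wild in rules if action == "permit")


if __name__ == "__main__":
    rules = parse_standard_acl(ACL_7)
    for src in ("10.10.10.31", "10.10.10.32", "10.10.20.5", "10.10.30.1"):
        print(src, "translated" if is_translated(rules, src) else "not translated")
    print("sources covered by access-list 7:", addresses_covered(rules))
    print("sources covered by permit any:",
          addresses_covered(parse_standard_acl("access-list 7 permit any")))
```
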

The final step is to verify that NAT is operating as intended.

Configuring NAT to Allow Internal Users to Access the Internet Using Overloading

NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.

interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside

!--- Defines serial 0 with an IP address and as a NAT outside interface.

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
!

!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 172.16.10.1.

ip nat inside source list 7 pool ovrld overload
!
!
!
!

!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.

access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31

!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

Note that in the second configuration above, the NAT pool "ovrld" only has a
range of one address. The keyword overload used in the ip nat inside source list 7
pool ovrld overload command allows NAT to translate multiple inside devices to
the single address in the pool.

Configuring NAT for Use During a Network Transition

NAT Router

interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside

!--- Defines Ethernet 0 with an IP address and as a NAT outside interface.

interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside

!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.

interface serial 0
ip address 200.200.200.5 255.255.255.252

!--- Defines serial 0 with an IP address. This interface is not
!--- participating in NAT.

ip nat inside source static 172.16.50.8 172.16.10.8

!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.

Note that the inside source NAT command in this example also implies that
packets received on the outside interface with a destination address of 172.16.10.8
will have the destination address translated to 172.16.50.8.

The final step is to verify that NAT is operating as intended.

Example: Using NAT in Overlapping Networks

Overlapping networks result when you assign IP addresses to internal
devices that are already being used by other devices within the internet.
Overlapping networks also result when two companies, both of whom use RFC
1918 IP addresses in their networks, merge. These two networks need to
communicate, preferably without having to readdress all their devices. Refer to
Using NAT in Overlapping Networks for more information about configuring
NAT for this purpose.

Difference between One-to-One Mapping and Many-to-Many

A static NAT configuration creates a one-to-one mapping and translates a
specific address to another address. This type of configuration creates a permanent
entry in the NAT table as long as the configuration is present and enables both
inside and outside hosts to initiate a connection. This is mostly useful for hosts that
provide application services like mail, web, FTP and so forth. For example:

Router(config)#ip nat inside source static 10.3.2.11 10.41.10.12
Router(config)#ip nat inside source static 10.3.2.12 10.41.10.13

Dynamic NAT is useful when fewer addresses are available than the actual
number of hosts to be translated. It creates an entry in the NAT table when the host
initiates a connection and establishes a one-to-one mapping between the addresses.
But, the mapping can vary and it depends upon the registered address available in
the pool at the time of the communication. Dynamic NAT allows sessions to be
initiated only from inside or outside networks for which it is configured. Dynamic
NAT entries are removed from the translation table if the host does not
communicate for a specific period of time which is configurable. The address is
then returned to the pool for use by another host.

For example, complete these steps of the detailed configuration:

1. Create a pool of addresses.
   Router(config)#ip nat pool MYPOOLEXAMPLE 10.41.10.1 10.41.10.41 netmask 255.255.255.0
2. Create an access-list for the inside networks that have to be mapped.
   Router(config)#access-list 100 permit ip 10.3.2.0 0.0.0.255 any
3. Associate the access-list 100 that is selecting the internal network
   10.3.2.0 0.0.0.255 to be natted to the pool MYPOOLEXAMPLE and
   then overload the addresses.
   Router(config)#ip nat inside source list 100 pool MYPOOLEXAMPLE overload

Verifying NAT Operation

Once you've configured NAT, verify that it is operating as expected. You can do
this in a number of ways: using a network analyzer, show commands, or debug
commands. For a detailed example of NAT verification, refer to Verifying NAT
Operation and Basic NAT Troubleshooting.

TESTING

Troubleshooting NAT

To view all current static and dynamic translations:

Router# show ip nat translations

To view whether an interface is configured as an inside or outside NAT interface,
and to display statistical information regarding active NAT translations:

Router# show ip nat statistics

To view NAT translations in real-time:

Router# debug ip nat

To view the active NAT translations, pfctl is used with the -s state option. This
option will list all the current NAT sessions:

# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE

TCP

The protocol being used by the connection.

192.168.1.35:2132

The IP address (192.168.1.35) of the machine on the internal network. The source
port (2132) is shown after the address. This is also the address that is replaced in
the IP header.

24.5.0.5:53136

The IP address (24.5.0.5) and port (53136) on the gateway that packets are being
translated to.

65.42.33.245:22

The IP address (65.42.33.245) and the port (22) that the internal machine is
connecting to.
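When an outside log records only the gateway address and port, the state listing is what ties that connection back to an inside host. The following Python parser is an added example, not part of pf or of the project; it accepts the line layout printed in this report (each state on one line), the sample text is the report's own two states, and the function names are hypothetical.

```python
import re
from collections import namedtuple

NatState = namedtuple("NatState", "proto inside gateway dest state")

# Layout as printed in this report: PROTO inside > gateway > destination STATE
STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<inside>\S+)\s+-?>\s+(?P<gateway>\S+)\s+-?>\s+"
    r"(?P<dest>\S+)\s+(?P<state>\S+:\S+)$"
)

# The two states shown above, each joined onto one line.
SAMPLE = """\
# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
"""


def split_endpoint(text):
    """'192.168.1.35:2132' -> ('192.168.1.35', 2132)"""
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_states(output):
    """Return a NatState for every line that has all three endpoints."""
    states = []
    for line in output.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line, or a state without translation
        states.append(NatState(m["proto"],
                               split_endpoint(m["inside"]),
                               split_endpoint(m["gateway"]),
                               split_endpoint(m["dest"]),
                               m["state"]))
    return states


def inside_host_for(states, proto, gateway_port):
    """Map a translated (gateway) port seen from outside back to the inside host."""
    for s in states:
        if s.proto.upper() == proto.upper() and s.gateway[1] == gateway_port:
            return s.inside
    return None


if __name__ == "__main__":
    table = parse_states(SAMPLE)
    for s in table:
        print(f"{s.proto}: {s.inside} is seen by {s.dest} as {s.gateway} [{s.state}]")
    print(inside_host_for(table, "tcp", 53136))
```
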

SNAP SHOTS

Simple Static routing In NAT:-

Dynamic Routing In NAT:-

Dynamic Routing With Clock Rate In NAT:-

EIGRP In NAT:-

Inter V-Lan 1 In NAT:-

Inter V-Lan 2 In NAT:-

Inter V-Lan 3 In NAT:-

DHCP In NAT:-

Access List In NAT:-

FUTURE SCOPE

Telephony: Configuring Voice VLANs

If you do yoga, meditate, chain smoke, or consume mass quantities of
comfort food when stressed, take a little break and do that now because, and I’m
going to be honest, this isn’t the easiest part of the chapter—or even the book, for
that matter. But I promise that I’ll do my best to make this as painless for you as
possible.
The voice VLAN feature enables access ports to carry IP voice traffic from
an IP phone.
When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic
with layer 3 IP precedence and layer 2 class of service (CoS) values, which are both
set to 5 for voice traffic; all other traffic defaults to 0.
Because the sound quality of an IP phone call can deteriorate if the data is
unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p
CoS. (802.1p provides a mechanism for implementing QoS at the MAC level.) The
802.1p field is carried in the 802.1Q trunk header. If you look at the fields in an
802.1Q tag, you will see a field called the priority field; this is where the 802.1p
information goes. QoS uses classification and scheduling to send network traffic
from the switch in an organized, predictable manner.
The Cisco IP phone is a configurable device, and you can configure it to forward
traffic with an IEEE 802.1p priority. You can also configure the switch to either
trust or override the traffic priority assigned by an IP phone—which is exactly what
we’re going to do. The Cisco phone basically has a three-port switch: one to
connect to the Cisco switch, one to a PC device, and one to the actual phone, which
is internal.
You can also configure an access port with an attached Cisco IP phone to use one
VLAN for voice traffic and another VLAN for data traffic from a device attached to
the phone—like a PC. You can configure access ports on the switch to send Cisco
Discovery Protocol (CDP) packets that instruct an attached Cisco IP phone to send
voice traffic to the switch in any of these ways:
• In the voice VLAN tagged with a layer 2 CoS priority value
• In the access VLAN tagged with a layer 2 CoS priority value
• In the access VLAN, untagged (no layer 2 CoS priority value)

The switch can also process tagged data traffic (traffic in IEEE 802.1Q or
IEEE 802.1p frame types) from the device attached to the access port on the Cisco
IP phone. You can configure layer 2 access ports on the switch to send CDP
packets that instruct the attached Cisco IP phone to configure the IP phone access
port in one of these modes:
• In trusted mode, all traffic received through the access port on the Cisco IP
phone passes through the IP phone unchanged.
• In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames
received through the access port on the IP phone receives a configured layer 2 CoS
value. The default layer 2 CoS value is 0. Untrusted mode is the default.

Configuring the Voice VLAN

By default, the voice VLAN feature is disabled; you enable it by using the
interface command switchport voice vlan. When the voice VLAN feature is
enabled, all untagged traffic is sent according to the default CoS priority of the port.
The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic.
These are the voice VLAN configuration guidelines:
You should configure voice VLAN on switch access ports; voice VLAN isn’t
supported on trunk ports, even though you can actually configure it! The voice
VLAN should be present and active on the switch for the IP phone to correctly
communicate on it. Use the show vlan privileged EXEC command to see if the
VLAN is present—if it is, it’ll be listed in the display.
Before you enable the voice VLAN, it's recommended that you enable QoS on the
switch by entering the mls qos global configuration command and set the port trust
state to trust by entering the mls qos trust cos interface configuration command.
You must make sure that CDP is enabled on the switch port connected to the Cisco
IP phone to send the configuration. This is on by default, so unless you disabled it,
you shouldn’t have a problem.
The PortFast feature is automatically enabled when the voice VLAN is
configured, but when you disable the voice VLAN, the PortFast feature isn’t
automatically disabled.
To return the port to its default setting, use the no switchport voice vlan interface
configuration command.

Configuring IP Phone Voice Traffic

You can configure a port connected to the Cisco IP phone to send CDP packets to
the phone to configure the way in which the phone sends voice traffic. The phone
can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a
layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a
higher priority as well as forward all voice traffic through the native (access)
VLAN. The IP phone can also send untagged voice traffic, or use its own
configuration to send voice traffic in the access VLAN. In all configurations, the
voice traffic carries a layer 3 IP precedence value—again, for voice the setting is
usually 5.

CONCLUSION

The examples in this document demonstrate that quick start steps can help you
configure and deploy NAT. These quick start steps include:

1. Defining NAT inside and outside interfaces.
2. Defining what you are trying to accomplish with NAT.
3. Configuring NAT in order to accomplish what you defined in Step 2.
4. Verifying the NAT operation.

In each of the examples above, various forms of the ip nat inside command were
used. You can also use the ip nat outside command to accomplish the same
objectives, keeping in mind the NAT order of operations. For configuration
examples using the ip nat outside commands, refer to Sample Configuration
Using the ip nat outside source list Command and Sample Configuration Using
the ip nat outside source static Command.

The examples above also demonstrated the following:

Command                  Action

ip nat inside source     • Translates the source of IP packets that are
                           traveling inside to outside.
                         • Translates the destination of the IP packets
                           that are traveling outside to inside.

ip nat outside source    • Translates the source of the IP packets that
                           are traveling outside to inside.
                         • Translates the destination of the IP packets
                           that are traveling inside to outside.

BIBLIOGRAPHY

1. www.cisco.com

2. Wikipedia

3. CCNA E-Book

4. RFC 1631: The IP NAT

5. RFC 1918: Address Allocation For Private Internet

6. RFC 3022: (Traditional NAT)

7. Technical Support And Documentation - Cisco systems
