NAT

4. Static NAT

The r2-network will be statically natted:

host	precise	ip	nat-IP
host4	precise4	10.128.2.104	10.128.1.104
host5	precise5	10.128.2.105	10.128.1.105
host6	precise6	10.128.2.106	10.128.1.106

The gateway address on the sw2-side of r2 will be 10.128.2.1.

For NAT, we'll need to define which network is 'inside' and which network is 'outside'. In our case, the sw2 network is inside, while the dc_core is outside.

This should be all the information required to set-up NAT.

The core-interface of r2 has already been configured:

R2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.128.1.2      YES NVRAM  up                    up      
Ethernet0/1                unassigned      YES NVRAM  administratively down down    
Ethernet0/2                unassigned      YES NVRAM  administratively down down

The e0/1 should be 10.128.2.1 on a /24 network:

int e0/1
ip address 10.128.2.1 255.255.255.0
no shut

Now, host4 should be available:

R2#ping 10.128.2.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.128.2.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/32 ms
R2#

To configure NAT, we'll issue the following commands:

ip nat inside source static 10.128.2.104 10.128.1.104
ip nat inside source static 10.128.2.105 10.128.1.105
ip nat inside source static 10.128.2.106 10.128.1.106
int e0/1
ip nat inside
int e0/0
ip nat outside

Now, we cannot ping host4 on its real IP address, but we should be able to ping it on its NATted address. From user1:

user1> ping 10.128.2.104
10.128.2.104 icmp_seq=1 timeout
10.128.2.104 icmp_seq=2 timeout
10.128.2.104 icmp_seq=3 timeout
10.128.2.104 icmp_seq=4 timeout
10.128.2.104 icmp_seq=5 timeout
user1> ping 10.128.1.104
10.128.1.104 icmp_seq=1 timeout
84 bytes from 10.128.1.104 icmp_seq=2 ttl=62 time=24.148 ms
84 bytes from 10.128.1.104 icmp_seq=3 ttl=62 time=39.642 ms
84 bytes from 10.128.1.104 icmp_seq=4 ttl=62 time=36.118 ms
84 bytes from 10.128.1.104 icmp_seq=5 ttl=62 time=23.619 ms
user1>

This means that NAT works.

From host1, we're not able to ping host5:

vagrant ssh precise1 -c 'ping -c5 10.128.1.104'
PING 10.128.1.104 (10.128.1.104) 56(84) bytes of data.
--- 10.128.1.104 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
Connection to 127.0.0.1 closed.

So, what goes wrong? Starting a trace on e0/1 of r2 shows the following:

All the requests come in, but no replies come through. The problem is that host4 thinks that 10.128.2.0/24 is directly connected and, therefore, will try to find the reply address via arp. And of course, that does not work.