6. Dynamic NAT

The last form of NAT is dynamic NAT. This allows the use of multiple IP addresses on the outside.

The source will be an ACL and the outside addresses will be in a pool.
ip access-list standard NAT        
permit 10.128.2.1 0.0.0.255

This is the same as for NAT overload.
ip nat pool NATPOOL 10.128.1.65 10.128.1.66 netmask 255.255.255.248         

The netmask is a piece of redundant information that needs to be supplied.
int e0/0 
ip nat outside
int e0/1
ip nat inside
exit
ip nat inside source list NAT pool NATPOOL

So what do we see if we ping from host1 to user1?
vagrant ssh precise1 -c 'ping -c5 10.128.101.100'

If we capture a packet at r4 e0/0:

[Image: dynamicnatping.png, packet capture at r4 e0/0]

As we expect, the source address for the ping is the first address of the pool (10.128.1.65). So this works nicely.

Pinging from the next host, host2, with
vagrant ssh precise2 -c 'ping -c5 10.128.101.100'

gives:

[Image: dynamicnatping2.png, packet capture of the ping from host2]

So host2 gets the second address in the dynamic NAT pool, and both addresses of the NAT pool are now in use. What would happen if we try the same from host3?
vagrant ssh precise3 -c 'ping -c5 10.128.101.100'
PING 10.128.101.100 (10.128.101.100) 56(84) bytes of data.
From 10.128.2.1 icmp_seq=1 Destination Host Unreachable
From 10.128.2.1 icmp_seq=1 Destination Host Unreachable
From 10.128.2.1 icmp_seq=2 Destination Host Unreachable
From 10.128.2.1 icmp_seq=2 Destination Host Unreachable
From 10.128.2.1 icmp_seq=3 Destination Host Unreachable
--- 10.128.101.100 ping statistics ---
3 packets transmitted, 0 received, +5 errors, 100% packet loss, time 2002ms

The pool is exhausted: there is no NAT address available for host3. You can see this on r1:
 R1#sh ip nat translations
 Pro Inside global      Inside local       Outside local      Outside global
 --- 10.128.1.65        10.128.2.101       ---                ---
 --- 10.128.1.66        10.128.2.102       ---                ---
 R1#

So, if we reload r1 and start the other way around:
[ljm@verlaine nat]$ vagrant ssh precise3 -c 'ping -c1 10.128.101.100'
PING 10.128.101.100 (10.128.101.100) 56(84) bytes of data.
64 bytes from 10.128.101.100: icmp_req=1 ttl=62 time=28.1 ms
--- 10.128.101.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 28.182/28.182/28.182/0.000 ms
Connection to 127.0.0.1 closed.
[ljm@verlaine nat]$ vagrant ssh precise2 -c 'ping -c1 10.128.101.100'
PING 10.128.101.100 (10.128.101.100) 56(84) bytes of data.
64 bytes from 10.128.101.100: icmp_req=1 ttl=62 time=41.4 ms
--- 10.128.101.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 41.455/41.455/41.455/0.000 ms
Connection to 127.0.0.1 closed.
[ljm@verlaine nat]$ vagrant ssh precise1 -c 'ping -c1 10.128.101.100'
PING 10.128.101.100 (10.128.101.100) 56(84) bytes of data.
From 10.128.2.1 icmp_seq=1 Destination Host Unreachable
--- 10.128.101.100 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
Connection to 127.0.0.1 closed.

and:
R1#sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 10.128.1.66        10.128.2.102       ---                ---
--- 10.128.1.65        10.128.2.103       ---                ---
R1#

Which is exactly what we'd expect.
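
The exhaustion shown above can be checked mechanically. The following is an added example, not part of the original lab: it parses the `ip nat pool` line and the `sh ip nat translations` output from this page and reports which pool addresses are taken and whether a new inside host could still get a translation. The function names (`parse_pool`, `parse_translations`, `pool_status`, `can_translate`) are hypothetical, and the inputs are copied from the page.

```python
import ipaddress
import re

# Constructed inputs: the pool line and translation table copied from this page.
POOL_LINE = "ip nat pool NATPOOL 10.128.1.65 10.128.1.66 netmask 255.255.255.248"
TABLE = """\
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.128.1.65        10.128.2.101       ---                ---
--- 10.128.1.66        10.128.2.102       ---                ---
R1#
"""

def parse_pool(line):
    """Return every address in an 'ip nat pool NAME START END ...' line."""
    m = re.match(r"\s*ip nat pool (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError("not an 'ip nat pool' line: %r" % line)
    start, end = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
    if end < start:
        raise ValueError("pool end precedes pool start")
    return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]

def parse_translations(text):
    """Map inside global -> inside local; prompts and the header are skipped."""
    mapping = {}
    for row in text.splitlines():
        cols = row.split()
        if len(cols) != 5:
            continue
        try:  # extended entries carry ':port', which is dropped here
            glob, local = (str(ipaddress.IPv4Address(c.split(":")[0])) for c in cols[1:3])
        except ValueError:
            continue  # anything that is not a pair of addresses
        mapping[glob] = local
    return mapping

def pool_status(pool_line, table_text):
    """Summarise pool usage: used mappings, free addresses, exhausted flag."""
    pool = parse_pool(pool_line)
    used = {g: l for g, l in parse_translations(table_text).items() if g in pool}
    free = [a for a in pool if a not in used]
    return {"used": used, "free": free, "exhausted": not free}

def can_translate(host, status):
    """A host gets out if it already holds a mapping or an address is still free."""
    return host in status["used"].values() or not status["exhausted"]

if __name__ == "__main__":
    print(pool_status(POOL_LINE, TABLE))
```

With the first table on this page, the pool is reported as exhausted and 10.128.2.103 (host3) cannot be translated, which matches the "Destination Host Unreachable" replies.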