
NAT sim on ccna


SnowNinja

IS-IT--Management
Apr 21, 2005
I've been working on my NAT labs, I know that the NAT pool sims are particularly popular, but I'm wondering about how the situation would go and how much information they will give me.

In my study guide, I have a NAT pool scenario that, in short, states what the range of private IPs that need translating are and more or less tells you where it would need to be implemented (everything else is set up, like the nat direction on the interfaces, etc.).

Okay, this scenario is easy enough according to the study guide. It says that really the only thing you need to do is set up an access list specifying the 62 ip addresses, starting with the first one. So, if the range is 192.168.10.10 and it goes to 192.168.10.40, the standard access list would look like this:

access-list 10 permit 192.168.10.10 0.0.0.39

Then apply the access list with the nat command:

ip nat inside source list 10 interface Serial 0 overload

And, according to the guide, that's all that's needed (in a situation where you have only 6 available public IPs, I forgot to mention, sorry.)


My CCNA lab sim package has a pool lab in it also, but things are a little different. It specifies the creation of a loopback 0 interface and the solution for the lab necessitates the creation of a pool with the nat command. So, basically, the commands for nat with a pool range of 192.168.200.2-101 go like this:

ip nat pool goodpool 192.168.200.2 192.168.200.101 netmask 255.255.255.0

access-list 10 permit 192.168.101.0 0.0.0.255

ip nat inside source list 10 pool goodpool


So, really, I have two questions:

1 - Would the solution in the first scenario be able to work? I got it working in my sim, but sims are known to be flakey.

2 - Supposing that on the exam I would need to create a pool with the nat command before applying it and an access list together, how can it possibly be graded? To begin with, there are a number of variables that Cisco likely does not supply: the name of the pool to be created and the specific number of the ACL.

If an OSPF lab is on the test, grading it I guess is simple enough because the variables for setting up the area and such are on the other routers in the lab situation. Really, you need to know how setting up the network parameters work in a VLSM situation (find the network number, apply the wildcard mask to the network added).

Can someone help me get a handle on how the NAT scenario will work and which solution they're looking for? I need help and don't want to retake the exam again.

-SnowNinja
 
Sorry, I messed up the numbers in this part of my question :(

Okay, this scenario is easy enough according to the study guide. It says that really the only thing you need to do is set up an access list specifying the 62 ip addresses, starting with the first one. So, if the range is 192.168.10.10 and it goes to 192.168.10.40, the standard access list would look like this:

access-list 10 permit 192.168.10.10 0.0.0.39


I meant to write:

Okay, this scenario is easy enough according to the study guide. It says that really the only thing you need to do is set up an access list specifying the 30 ip addresses, starting with the first one. So, if the range is 192.168.10.10 and it goes to 192.168.10.40, the standard access list would look like this:

access-list 10 permit 192.168.10.10 0.0.0.39
 
I've never used the ip nat inside source list 10 interface Serial 0 overload command so can't really comment, but the scenario where you create a pool looks fine.

The access list looks a bit funny, though. Those numbers you've supplied won't work (well not in the way you intend them to anyway). Generally the wildcard mask would have a bunch of contiguous 1's at the end. You're more likely to be given a situation that says something like "Set up an access list to match addresses 192.168.10.1 through to 192.168.10.31" in which case the command would be

access-list 10 permit 192.168.10.1 0.0.0.31

which would match all addresses from 192.168.10.0 through to 192.168.10.31. Remember with a wildcard mask, a 0 = don't care, 1 = must match.

Remember to specify your inside and outside interfaces!

In the exam, any details you need to know will be given to you, or you can find out in some way. If it's not given (the name of the NAT pool, for example) then it won't matter. The sim will be smart enough to cope with whatever name you give it.

As far as I know grading is not done until you click the "Finish" or "Next" button. So you can type the commands in whichever order, and if you make a mistake (type in the wrong address range on the NAT pool for example) you can go back and change it.

Graham
 
If the range of IPs for the subnet were .1-.31, wouldn't the entry look like this:

access-list 1 permit 192.168.10.1 0.0.0.30

That is to say, that the allowable range of hosts would begin with .1 and increase another 30 to get to .31?

I believe access-list 10 permit 192.168.10.1 0.0.0.31 would mean "start at .1, stop at .32", no?

-SnowNinja
 
No, access lists use wildcard masks, which are in essence subnet masks in reverse. That is,

a wildcard mask bit 0 means "check the corresponding bit value"
a wildcard mask bit 1 means "don't check the corresponding bit value"

So you have to resort to binary to work it all out.
 
"No, access lists use wildcard masks, which are in essence subnet masks in reverse. That is,

a wildcard mask bit 0 means "check the corresponding bit value"
a wildcard mask bit 1 means "don't check the corresponding bit value"

So you have to resort to binary to work it all out."


Hmmm. Okay. Can you show an example of your math?

-SnowNinja
 
255.255.255.255
-255.255.255.224 (the subnet mask that would allow 32 hosts)
=000.000.000.031 (the wildcard (inverse) mask)

Hope that helps.
 
I'm sorry, I couldn't figure out how to edit my post. Two things:

One, sorry about the space, it was there, but the forum server must have automatically omitted the space I put.

Second, in the second solution, shouldn't the ACL be 200.0 instead of 101.0? Is there something to the setup I'm missing? This was the big question I missed on my last attempt, so I'd really like to know how to solve it.
 
To match addresses from 192.168.10.0 through to 192.168.10.31 the command would be

access-list 10 permit 192.168.10.1 0.0.0.31

A wildcard mask bit 0 means "check the corresponding bit value"
A wildcard mask bit 1 means "don't check the corresponding bit value"

So for the first three octets, the numbers must match exactly (i.e. must be 192.168.10), as the first three octets in your wildcard mask are 00000000.00000000.00000000 in binary.

Let's concentrate on the last octet. If you write out decimal 31 in binary, it is 00011111.

This means that in the last octet, your first three (or the leftmost) bits in any host address must be 0 to match the access list. The last five (the rightmost) bits can be anything, as they are not checked against the wildcard mask.

E.g. wildcard mask 00011111 will match
host 00000001 (1)
host 00000101 (5)
host 00010001 (17)
host 00011111 (31)

wildcard mask 00011111 will NOT match
host 00100000 (32)
host 01000100 (68)

and so on.

Hope this helps.
 
No, it doesn't quite help. I'm eager to figure out which way is correct.

In the context of an access control list, where the range does not start with .0, how do you set up the range? Let's say the start of the range is 192.168.10.11 and you want it to go to 192.168.10.43. What would that ACL look like?

To me, from what I understand, the ACL would look like this:

access-list 10 permit 192.168.10.11 0.0.0.32

If anyone can add to this and set me straight, please do.

-SnowNinja
 
OK, let me see if I can explain. Write out 192.168.10.43 and 192.168.10.11 in binary like so...

11000000.10101000.00001010.00001011 (.11)
11000000.10101000.00001010.00101011 (.43)

Now, anywhere they match is a 0, which brings us to

00000000.00000000.00000000.00111111 (0.0.0.63)

I think I'm good so far (haven't done this in about 3 months), which brings us to why I said it was an inverse subnet mask. If you invert all of those numbers, you will get 255.255.255.192, which is your subnet mask. The reason? You have 33 hosts that you want in your pool (but you might as well use 62 of them), so those all belong in the same subnet of 192.168.10.0 through 192.168.10.63. The way I usually find a wildcard mask is to do all the steps I just said in reverse: figure out the mask, then invert, and you'll have it, which saves you the binary. Am I completely wrong in this?
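The binary reasoning from Graham's bit-by-bit post and the XOR-of-endpoints method in the post above, carried through in code. This is an added example, not code from anyone in the thread; the function names are the example's own, and the addresses are the ones the thread discusses.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask (255.255.255.224 -> 0.0.0.31)."""
    return _str(_ip(subnet_mask) ^ 0xFFFFFFFF)

def acl_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = _ip(wildcard) ^ 0xFFFFFFFF            # bits that are actually checked
    return (_ip(entry_addr) & care) == (_ip(host) & care)

def matched_last_octets(entry_addr: str, wildcard: str,
                        prefix: str = "192.168.10.") -> list[int]:
    """Enumerate which hosts of a /24 (constructed here) an entry really admits."""
    return [n for n in range(256) if acl_matches(entry_addr, wildcard, f"{prefix}{n}")]

def covering_entry(first: str, last: str) -> tuple[str, str]:
    """Smallest single address/wildcard pair admitting every address first..last.
    Every bit where the endpoints differ, and every bit below the highest such bit,
    becomes 'don't care', so the entry may admit more hosts than were asked for."""
    lo, hi = _ip(first), _ip(last)
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    return _str(lo & ~wildcard & 0xFFFFFFFF), _str(wildcard)

def overmatch(first: str, last: str) -> int:
    """How many hosts the covering entry admits beyond the requested range."""
    _, wc = covering_entry(first, last)
    return (_ip(wc) + 1) - (_ip(last) - _ip(first) + 1)

if __name__ == "__main__":
    # The original poster's entry does not cover .10-.40 contiguously at all:
    print(matched_last_octets("192.168.10.10", "0.0.0.39"))   # 8..15 and 40..47
    # The .11-.43 case from the thread: one entry needs 0.0.0.63 and admits .0-.63
    print(covering_entry("192.168.10.11", "192.168.10.43"))   # ('192.168.10.0', '0.0.0.63')
    print(overmatch("192.168.10.11", "192.168.10.43"))        # 31 extra hosts
```

The over-match count is the practical point for a NAT ACL: a single wildcard entry that must span a range not aligned to a power of two will translate addresses outside the range you were given, so a range like .11-.43 needs either several entries or an accepted wider block.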
 
You're correct. Once you can do this in binary and understand what is happening and why, then by all means use the shortcuts to save time.
 