Cisco CCNA Certification Training

Introduction To Network Address Translation (NAT)
Chris Bryant, CCIE #12933
chris@thebryantadvantage.com
www.thebryantadvantage.com

Network Address Translation (NAT) is not only an important topic for CCNA and CCNP exams, but it's also a very commonly used technique for allowing end users access to the Internet while not revealing the end user's true IP address. CCNA and CCNP candidates need to know how to configure NAT, and so does anyone who works in network administration. NAT is one of the most commonly used network technologies out there, and understanding how and why it is used is vital to all network personnel.

Why Do We NAT?

NAT allows private networks all over the world to use the same internal network numbers, while still allowing their users (or perhaps just some users) access to the Internet. In this way, NAT serves as a form of IP address conservation. Imagine how many IP addresses would be necessary if every single office around the world required IP addresses that were not duplicated anywhere else in the world!

The addresses that private networks around the world use are the RFC 1918 private addresses, sometimes referred to as "1918 addresses". A word to the wise: know these, and know them cold. I should be able to call you at 2AM and ask you what these are, and get an immediate response. 🙂

The RFC 1918 Private Addresses

Class A 10.0.0.0 /8
Class B 172.16.0.0 /12
Class C 192.168.0.0 /16

Note that the masks used with the RFC 1918 private addresses are NOT the default masks for Class A, B, and C. These IP addresses are not used on any public networks. By public networks, we mean networks connected to the Internet.

It's my experience that the Class C 1918 addresses are the most commonly used by offices, banks, and other organizations. If a bank and a school in your home city are both using the 192.168.0.0 /16 network on their internal networks, there's no problem until some of the users on either network want to access the Internet.
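The point about the non-default masks is easy to get wrong in practice, so here is an added example (not part of the article) that checks addresses against the three RFC 1918 blocks exactly as listed above, and shows which private addresses you would miss if you used the classful default masks (/8, /16, /24) instead of /8, /12 and /16. The sample addresses are constructed for the example.

```python
"""Classify IPv4 addresses against the RFC 1918 private blocks.

Added example, not code from the article. Standard library only.
"""
import ipaddress

# The three RFC 1918 blocks with the masks the article stresses:
# /8, /12 and /16, NOT the classful defaults.
RFC1918_BLOCKS = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Class C": ipaddress.ip_network("192.168.0.0/16"),
}

# What you would get if you wrongly applied the classful default masks
# (/8, /16, /24) to the same starting addresses.
CLASSFUL_DEFAULT_BLOCKS = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/16"),
    "Class C": ipaddress.ip_network("192.168.0.0/24"),
}


def rfc1918_block(addr: str):
    """Return the RFC 1918 block label containing addr, or None if the
    address is public (Internet-routable) and needs no translation."""
    ip = ipaddress.ip_address(addr)
    for label, block in RFC1918_BLOCKS.items():
        if ip in block:
            return label
    return None


def needs_nat(addr: str) -> bool:
    """A host with an RFC 1918 source address cannot reach Internet hosts
    directly; its packets must be translated on the way out."""
    return rfc1918_block(addr) is not None


def audit_hosts(addrs):
    """Classify a list of host addresses: {addr: block label or 'public'}."""
    return {a: (rfc1918_block(a) or "public") for a in addrs}


def missed_by_default_masks(addrs):
    """Private addresses that fall OUTSIDE the classful-default networks.

    These are the hosts an operator would wrongly treat as public if the
    default masks were assumed, e.g. 172.20.1.1 is inside 172.16.0.0/12
    but outside 172.16.0.0/16.
    """
    missed = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        is_private = rfc1918_block(a) is not None
        in_default = any(ip in b for b in CLASSFUL_DEFAULT_BLOCKS.values())
        if is_private and not in_default:
            missed.append(a)
    return missed


if __name__ == "__main__":
    # Constructed sample addresses (not from the article).
    sample = ["10.5.5.5", "172.20.1.1", "172.32.0.1", "192.168.5.1", "210.1.1.2"]
    for addr, result in audit_hosts(sample).items():
        print(f"{addr:16} {result}")
    print("missed with default masks:", missed_by_default_masks(sample))
```

`172.32.0.1` is classified as public because 172.16.0.0/12 ends at 172.31.255.255, while `172.20.1.1` and `192.168.5.1` are private but would be missed by the classful-default masks.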
Using private addresses is fine until a host using a private address wants to communicate with a device on the Internet. Because RFC 1918 addresses are not routed on the Internet, no user on a private network can communicate with an Internet host directly. These networks can communicate with Internet hosts by using NAT. NAT stands for Network Address Translation, and that's exactly what is going to happen: the RFC 1918 source address is going to be translated to another address as it leaves the private network, and it will be translated back to its original address as the return data enters the private network.

NAT can be defined statically or dynamically. While you need to know both for your CCNA and CCNP exams, I recommend you use dynamic NAT whenever possible. The average office has enough users to make configuring static NAT a royal pain. If a limited number of hosts on a private network need Internet access, static NAT may be the appropriate choice.

Static NAT

Static NAT maps a private address to a public one. In this example, there are three internal PCs on an RFC 1918 private network. The router's ethernet0 interface is connected to this network, and the Internet is reachable via the Serial0 interface. The IP address of the serial interface is 210.1.1.1 /24, with all other addresses on the 210.1.1.0 /24 network available. Three static mappings are needed to use Static NAT. The interfaces must be configured for NAT as well.

Configuring the interfaces for Network Address Translation. The Ethernet network is the "inside" network; the Serial interface leading to the Internet is the "outside" network.

R3(config)#interface ethernet0
R3(config-if)#ip address 10.5.5.8 255.0.0.0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip address 210.1.1.1 255.255.255.0
R3(config-if)#ip nat outside

The static mappings are created and verified.
R3#conf t
R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R3(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R3(config)#ip nat inside source static 10.5.5.7 210.1.1.4
R3(config)#end
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 210.1.1.2          10.5.5.5           ---                ---
--- 210.1.1.3          10.5.5.6           ---                ---
--- 210.1.1.4          10.5.5.7           ---                ---
R3#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 0  Misses: 0
Expired translations: 0

"show ip nat statistics" displays the number of static and dynamic mappings. If you only have a few users on your RFC 1918 network that will use the Internet (or should be allowed to), static NAT will do just fine. For most networks, though, dynamic NAT is a better solution.
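To make the two-way translation concrete, here is an added example (not Cisco code and not from the article) that parses the three `ip nat inside source static` lines above into a translation table, rewrites the source of outbound packets (inside local to inside global) and the destination of the return traffic (inside global back to inside local), and drops inside hosts that have no mapping. The hit/miss counters are this model's own bookkeeping, not a claim about how IOS counts them; the Internet host address 198.51.100.10 is a constructed sample.

```python
"""Model of the static inside-source NAT table configured on R3.

Added example, not the router's code. Standard library only.
"""
import re
from dataclasses import dataclass, field

# Matches a config line such as "R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2"
STATIC_RE = re.compile(r"ip nat inside source static (\S+) (\S+)\s*$")


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class StaticNat:
    # inside local -> inside global
    inside_to_global: dict = field(default_factory=dict)
    hits: int = 0    # packets that matched a translation (model's own counter)
    misses: int = 0  # packets with no translation (model's own counter)

    @classmethod
    def from_config(cls, config_text: str) -> "StaticNat":
        """Build the table from 'ip nat inside source static' lines."""
        nat = cls()
        for line in config_text.splitlines():
            m = STATIC_RE.search(line)
            if m:
                nat.add_static(m.group(1), m.group(2))
        return nat

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Equivalent of: ip nat inside source static <local> <global>."""
        if inside_global in self.inside_to_global.values():
            raise ValueError(f"{inside_global} is already mapped")
        self.inside_to_global[inside_local] = inside_global

    def outbound(self, pkt: Packet):
        """Packet leaving the inside interface for the Internet: rewrite src."""
        if pkt.src in self.inside_to_global:
            self.hits += 1
            return Packet(src=self.inside_to_global[pkt.src], dst=pkt.dst)
        self.misses += 1
        return None  # unmapped private source: cannot be sent to the Internet

    def inbound(self, pkt: Packet):
        """Return traffic arriving on the outside interface: rewrite dst."""
        global_to_inside = {g: l for l, g in self.inside_to_global.items()}
        if pkt.dst in global_to_inside:
            self.hits += 1
            return Packet(src=pkt.src, dst=global_to_inside[pkt.dst])
        self.misses += 1
        return None  # nothing listens on that global address

    def translations(self):
        """Rows in 'show ip nat translations' order: (inside global, inside local)."""
        return sorted((g, l) for l, g in self.inside_to_global.items())

    def statistics(self) -> dict:
        """Summary in the spirit of 'show ip nat statistics'."""
        return {"static": len(self.inside_to_global), "dynamic": 0,
                "hits": self.hits, "misses": self.misses}


# The three mappings from the article, as they appear on the router.
R3_CONFIG = """\
R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R3(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R3(config)#ip nat inside source static 10.5.5.7 210.1.1.4
"""

if __name__ == "__main__":
    nat = StaticNat.from_config(R3_CONFIG)
    out = nat.outbound(Packet("10.5.5.5", "198.51.100.10"))   # constructed Internet host
    back = nat.inbound(Packet("198.51.100.10", "210.1.1.2"))
    print("outbound:", out, "| inbound:", back)
    print("unmapped host:", nat.outbound(Packet("10.5.5.9", "198.51.100.10")))
    print(nat.translations(), nat.statistics())
```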

Cisco CCNA Exam Training: Password Recovery Procedures
Chris Bryant, CCIE #12933
chris@thebryantadvantage.com
http://www.thebryantadvantage.com

It might happen on your CCNA exam, it might happen on your production network – but sooner or later, you're going to have to perform password recovery on a Cisco router or switch. This involves manipulating the router's configuration register, and that is enough to make some CCNA candidates and network administrators really nervous!

It's true that setting the configuration register to the wrong value can damage the router, but if you do the proper research before starting the password recovery process, you'll be fine. Despite what some books say, there is no "one size fits all" approach to Cisco password recovery. What works on a 2500 router may not work on other routers and switches. There is a great master Cisco document out on the Web that you should bookmark today, and here it is: http://www.cisco.com/warp/public/474/

The following procedure describes the process of recovering from a lost password on a Cisco 2500 router. As always, don't practice this at home. It is a good idea to get some practice with this technique in your CCNA/CCNP home lab, though!

The router must first be rebooted and a "break" performed within the first 60 seconds of the boot process. The break sequence can vary depending on what program is used to access the router, but is the usual key combination. HyperTerminal, particularly on PCs running Windows XP, can give you some trouble in sending a break signal. If this combination doesn't work for you, use your favorite search engine to find the proper break signal for your system.

The router will go into ROM Monitor mode. From the rom monitor prompt, change the default configuration register of 0x2102 to 0x2142 with the o/r 0x2142 command. Reload the router with the letter i. (As you can see, ROM Monitor mode is a lot different than working with the IOS!)
This particular configuration register setting will cause the router to ignore the contents of NVRAM. Your startup configuration is still there, but it will be ignored on reload.

When the router reloads, you'll be prompted to enter Setup mode. Answer "N", and type enable at the router> prompt.

Be careful here. Type configure memory or copy start run. Do NOT type write memory or copy run start!

Enter the command show running-config. You'll see the passwords in either their encrypted or unencrypted format. Type config t, then use the appropriate command to set a new enable secret or enable password.

Don't forget to change the configuration register setting back to the original value! The command config-register 0x2102 will do the job. Save this change with write memory or copy run start, and then run reload one more time to restart the router.

What happens if you forget to set the configuration register setting back to 0x2102? Nothing – until that router gets reloaded. Nothing will actually happen to the startup configuration, but it will be ignored since the register is still set to 0x2142. When that router reloads, it'll come up to the setup mode prompt – and I can practically guarantee you that panic will soon follow!

The password recovery process sounds hard, but it's really not. You just have to be careful, particularly when you're copying the startup config over the running config. You don't want to get that backwards! So take your time, check the online Cisco documentation before starting, get some practice with this procedure with lab equipment, and you'll be ready for success on the CCNA exam and in your production network!
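The "forgot to set it back" failure described above is easy to catch before the next reload, because the last line of `show version` reports the current register and, when it has been changed, the value that will apply at the next reload. Here is an added example (not from the article and not a Cisco tool) that decodes a configuration register value, bit 6 (0x0040) being the "ignore NVRAM" bit and bit 8 (0x0100) the "break disabled" bit, and flags a router whose next-reload register still ignores the startup configuration. The `show version` lines used as input are constructed samples.

```python
"""Decode Cisco configuration register values and audit for a lingering 0x2142.

Added example, not the article's or Cisco's code. Standard library only.
"""
import re

IGNORE_NVRAM = 0x0040    # bit 6: boot while ignoring the startup-config in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: console break ignored once the router is up
BOOT_FIELD = 0x000F      # bits 0-3: where to boot from

# Last line of 'show version', with the optional "(will be ... at next reload)" suffix
# that IOS prints after config-register has been changed but not yet applied.
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode_register(value: int) -> dict:
    """Break a register value into the fields relevant to password recovery."""
    return {
        "boot_field": value & BOOT_FIELD,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def parse_show_version(line: str):
    """Return (current, next_reload) register values, or None if not found.

    When no "(will be ...)" suffix is present the next-reload value equals
    the current one.
    """
    m = SHOW_VERSION_RE.search(line)
    if not m:
        return None
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    return current, nxt


def recovery_left_open(line: str) -> bool:
    """True if the register the router will use at its NEXT reload still
    ignores NVRAM, i.e. config-register 0x2102 was never issued after the
    recovery procedure. Such a router comes up in Setup mode on reload."""
    parsed = parse_show_version(line)
    if parsed is None:
        raise ValueError("no 'Configuration register is' line found")
    _, nxt = parsed
    return decode_register(nxt)["ignore_nvram"]


if __name__ == "__main__":
    # Constructed sample 'show version' tail lines (not captured from a real router).
    samples = [
        "Configuration register is 0x2102",
        "Configuration register is 0x2142",
        "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    ]
    for s in samples:
        cur, nxt = parse_show_version(s)
        print(f"{s}\n  now={decode_register(cur)} next={decode_register(nxt)}"
              f" recovery_left_open={recovery_left_open(s)}")
```

Only the middle sample is a problem: the register is still 0x2142 and nothing is scheduled to change it, so the next reload will ignore the startup configuration. The third sample is the state right after `config-register 0x2102` has been entered and saved but before the reload.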

Source: Chris Bryant
