Network Address Translation

Academic year: 2021

Network Address Translation (NAT).

The best way to describe how NAT works is to liken it to an extension of an office telephone line.

An outside caller dials only the main number that connects to the office; the switchboard operator looks through the office telephone list and connects the caller to the particular office the call is meant for. That office can leave instructions with the receptionist, or whoever works at the switchboard, to forward or not to forward the call.

Unlike a DHCP server, which assigns dynamic IP addresses to devices inside the network, a NAT-enabled router holds one or more valid public Internet IP addresses on the outside of the network. When a client sends packets out of the network, NAT translates the client's internal IP address to an external address.

To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses.

NAT has different functions, but its key function is to save IP addresses by allowing networks to use private IP addresses. NAT translates private, internal addresses into public, external addresses.

NAT has an added benefit of adding a degree of privacy and security to a network because it hides internal IP addresses from outside networks.

The following terms are used when discussing NAT:

Inside local address - Usually an address not assigned by a service provider; most likely a private address.

Inside global address - Valid public IP address that the inside host is given when its traffic exits the NAT-configured router.

Outside global address - Valid public IP address assigned to a host on the Internet.

Outside local address - The local IP address assigned to a host on the outside network. In most situations, this address will be identical to the outside global address of that outside device.

To make it clearer, the address internal devices use to communicate with other internal devices is the inside local address.

The address internal devices use to communicate with external devices is the outside local address.

The address external devices use to communicate with internal devices is the inside global address.

Finally, external devices communicate with one another using outside global addresses.

How NAT Works.

In the example below, an inside host (192.168.1.10) wants to communicate with an outside web server (199.100.20.1). It sends a packet to the NAT-configured gateway router for the network.

The gateway router reads the source IP address of the packet and checks whether the packet matches the criteria specified for translation.

The gateway router has an ACL (Access Control List) that identifies the inside network as valid hosts for translation. Therefore, it translates the inside local IP address into an inside global IP address, which in this case is 199.100.10.34. It stores this local-to-global translation in the NAT table. The gateway router then sends the packet to its destination.

When the web server responds, the packet comes back to the global address of gateway router (199.100.10.34).

The gateway router refers to its NAT table and sees that this was a previously translated IP address.

Then it translates the inside global address back to the inside local address, and the packet is forwarded to the host at IP address 192.168.1.10. If no matching translation is found, the packet is dropped.

Static and Dynamic NAT.

Both static and dynamic NAT require that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Static NAT

Static NAT, also called inbound mapping, is the process of mapping an unregistered IP address to a registered IP address on a one-to-one basis. The unregistered (mapped) IP address is assigned the same registered IP address each time a request comes through. This process is particularly useful for web servers or other hosts that must have a consistent address that is accessible from the Internet.

Simply put, static NAT enables a PC on a stub domain to keep an assigned IP address when communicating with devices outside its network or on the Internet.

Static NAT configuration commands example:

R1#config t
R1(config)#ip nat inside source static 10.10.10.2 212.165.200.123
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#interface se0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat outside

The above configuration creates a permanent entry in the NAT table as long as the configuration is present and enables both inside and outside hosts to initiate a connection.

All you need to do in a static NAT configuration is to define the addresses to translate and then enable NAT on the right interfaces. Packets arriving on an inside interface from the identified IP addresses are subject to translation. Packets arriving on an outside interface addressed to the identified IP address are subject to translation.

Dynamic NAT

Unlike static NAT that provides a permanent mapping between an internal address and a specific public address, dynamic NAT maps private IP addresses to public addresses. Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.

When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host. Dynamic NAT is useful when fewer public addresses are available than the actual number of hosts to be translated.

Dynamic NAT configuration commands example:

R1#config t
R1(config)#ip nat pool nat-pool1 179.9.8.80 179.9.8.95 netmask 255.255.255.0
R1(config)#ip nat inside source list 1 pool nat-pool1
R1(config)#interface fa0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#interface se0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list 1 permit 10.10.10.0 0.0.0.255

While static NAT provides a permanent mapping between an internal address and a specific public address, dynamic NAT maps private IP addresses to public addresses. These public IP addresses come from a NAT pool.

Note: When configuring dynamic NAT, you need an ACL that permits only those addresses that are to be translated. Remember that every ACL ends with an implicit "deny all".

NAT Overload or PAT.

NAT overload, sometimes called PAT (Port Address Translation), maps multiple unregistered or private IP addresses to a single registered or public IP address by using different ports. This is what most home broadband routers do: your ISP assigns a single IP address to your router, yet all the computers in the house can connect to the Internet at the same time.

PAT uses unique source port numbers on the inside global IP address to distinguish between translations.

When a client logs on to the Internet, the NAT router assigns a port number to its source address. NAT overload or PAT ensures that each client session with a server on the Internet uses a different TCP port number. When the server responds, the client's router routes the packet based on the source port number, which has become the destination port number. This process also validates that the incoming packets were requested, thus adding a degree of security to the session.

NAT Overload Table

Looking at the NAT overload table below, NAT overload or PAT uses unique source port numbers on the inside global IP address to distinguish between translations. As NAT processes each packet, it uses a port number to identify the packet source (2333 and 1555 in the table).

* The source address (SA) is the inside local IP address with the assigned port number attached.

* The destination address (DA) is the outside local IP address with the service port number attached, in this case port 80 (HTTP).

At the border gateway router (R1), NAT overload changes the SA to the inside global IP address of the client, again with the port number attached. The DA is the same address, but is now referred to as the outside global IP address. When the web server replies, the same path is followed but in reverse.

Inside Local IP Address   Inside Global IP Address   Outside Global IP Address   Outside Local IP Address
10.10.10.2:1555           209.165.200.226:1555       209.165.201.1:80            209.165.201.1:80
10.10.10.3:2333           209.165.200.226:2333       209.165.202.129:80          209.165.202.129:80
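The following Python model is an added illustration, not part of the original text, of the translate-and-look-up behaviour described in "How NAT Works" and in the NAT overload table: a PAT table keyed by the source port on the inside global address, with the reverse lookup that drops anything no inside host requested. The Packet, PatRouter and demo names and the 10.10.10.4 and 198.51.100.9 addresses are constructed here; the other addresses and ports are the table's.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")  # the four header fields NAT touches

@dataclass
class PatRouter:
    inside_global: str                 # the single public address shared by every inside host
    inside_prefix: str = "10.10.10."   # stands in for "access-list 1 permit 10.10.10.0 0.0.0.255"
    # NAT table: global source port -> (inside local IP, inside port, outside global IP, outside port)
    table: dict = field(default_factory=dict)

    def _free_port(self, wanted: int) -> int:
        # Keep the host's own source port when unused (as in the table above), else walk forward.
        port = wanted
        while port in self.table:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the SA to inside_global:port and record the session."""
        if not pkt.src_ip.startswith(self.inside_prefix):
            return pkt                                 # not matched by the ACL: routed untranslated
        session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for gport, known in self.table.items():        # an existing session keeps its port
            if known == session:
                return Packet(self.inside_global, gport, pkt.dst_ip, pkt.dst_port)
        gport = self._free_port(pkt.src_port)
        self.table[gport] = session
        return Packet(self.inside_global, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the destination port selects the entry; no entry means drop."""
        session = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.inside_global or session is None:
            return None                                # nothing inside requested this: dropped
        in_ip, in_port, out_ip, out_port = session
        if (pkt.src_ip, pkt.src_port) != (out_ip, out_port):
            return None                                # not the server this session talks to: dropped
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo() -> dict:
    """Replays the table's two sessions, then a source-port collision and an unsolicited inbound packet."""
    r = PatRouter("209.165.200.226")
    a = r.outbound(Packet("10.10.10.2", 1555, "209.165.201.1", 80))
    b = r.outbound(Packet("10.10.10.3", 2333, "209.165.202.129", 80))
    c = r.outbound(Packet("10.10.10.4", 1555, "209.165.201.1", 80))         # constructed: same port as host A
    reply = r.inbound(Packet("209.165.201.1", 80, "209.165.200.226", 1555))
    stray = r.inbound(Packet("198.51.100.9", 80, "209.165.200.226", 4444))   # constructed: never requested
    return {"a": a, "b": b, "c": c, "reply": reply, "stray": stray}
```

The inbound lookup is what gives the "incoming packets were requested" property: a packet to a port with no table entry, or from a host other than the one the entry was opened to, has no translation and is dropped.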

• Static NAT - Maps an unregistered IP address to a registered IP address on a one-to-one basis. It is particularly useful when a device needs to be accessible from outside the network. In dynamic NAT, the computer with the IP address 192.168.1.10 will translate to the first available address in the range from 202.1.13.10 to 202.1.13.15.

! static binding
(Config)# ip nat inside source static 192.168.1.10 202.1.13.10
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ip nat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.10 255.255.255.0
(Config-if)# ip nat outside

• Dynamic NAT - Maps an unregistered IP address to a registered IP address taken from a group of registered IP addresses.

! creates a pool for dynamic allocation
(Config)# ip nat pool cisco 202.1.13.10 202.1.13.15 netmask 255.255.255.0
(Config)# ip nat inside source list 1 pool cisco
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ip nat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.1 255.255.255.0
(Config-if)# ip nat outside
(Config)# access-list 1 permit 192.168.1.0 0.0.0.255

• Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.

(Config)# ip nat pool cisco 202.1.13.10 202.1.13.10 netmask 255.255.255.0
(Config)# ip nat inside source list 1 pool cisco overload
(Config)# interface F0/0
(Config-if)# ip address 192.168.1.10 255.255.255.0
(Config-if)# ip nat inside
(Config)# interface Serial0/0
(Config-if)# ip address 202.1.13.1 255.255.255.0
(Config-if)# ip nat outside
(Config)# access-list 1 permit 192.168.1.0 0.0.0.255

Router# show ip nat translations
Router# debug ip nat

You can use clear ip nat translation * to clear all entries from the NAT table.
