11 Network Address Translation (NAT) Flashcards

1
Q

Network Address Translation (NAT)

A

The original intention of Network Address Translation (NAT) was to slow the depletion of available IP address space by allowing multiple private IP addresses to be represented by a much smaller number of public IP addresses. You typically use NAT on a border router (the router connected to the Internet). Useful cases:

■ When you need to connect to the Internet and your hosts don’t have globally unique IP addresses

■ When you’ve changed to a new ISP that requires you to renumber your network

■ When you need to merge two intranets with duplicate addresses

2
Q

Advantages and disadvantages of implementing NAT

A

Advantages
• Conserves legally registered addresses.
• Remedies address overlap events.
• Increases flexibility when connecting to the Internet.
• Eliminates address renumbering as a network evolves.

Disadvantages
• Translation results in switching path delays.
• Causes loss of end-to-end IP traceability.
• Certain applications will not function with NAT enabled.
• Complicates tunneling protocols such as IPsec because NAT modifies the values in the header.

3
Q

Types of Network Address Translation (Static NAT (one-to-one))

A

This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.

4
Q

Types of Network Address Translation (Dynamic NAT (many-to-many))

A

This version gives you the ability to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map each inside address to an individual outside address as you would using static NAT, but you do have to have enough real, bona fide IP addresses for everyone who’s going to be sending packets to and receiving them from the Internet at the same time.

5
Q

Types of Network Address Translation (Overloading (one-to-many))

A

This is the most popular type of NAT configuration.
Overloading is really a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports. It’s also known as Port Address Translation (PAT), which is also commonly referred to as NAT Overload. Using PAT allows you to permit thousands of users to connect to the Internet using only one real global IP address! NAT Overload is the real reason we haven’t run out of valid IP addresses on the Internet.

6
Q

NAT Names

A

The names used to describe the addresses used with NAT are easy to remember. Addresses used after NAT translations are called global addresses. These are usually the public addresses used on the Internet, which you don’t need if you aren’t going on the Internet. Local addresses are the ones used before NAT translation. This means that the inside local address is actually the private address of the sending host that’s attempting to get to the Internet. The outside local address would typically be the router interface connected to your ISP and is also usually a public address used as the packet begins its journey. After translation, the inside local address is then called the inside global address, and the outside global address then becomes the address of the destination host.

Inside local
Source host inside address before translation—typically an RFC 1918 address.

Outside local
Address of an outside host as it appears to the inside network. This is usually the address of the router interface connected to ISP—the actual Internet address.

Inside global
Source host address used after translation to get onto the Internet. This is also the actual Internet address.

Outside global
Address of outside destination host and, again, the real Internet address.

7
Q

How NAT Works

A

Consider host 10.1.1.1 sending an Internet-bound packet to the border router configured with NAT. The router identifies the source IP address as an inside local IP address destined for an outside network, translates the source IP address in the packet, and records the translation in the NAT table. The packet is sent out the outside interface with the new, translated source address. When the external host replies, the NAT router translates the inside global IP address back to the inside local IP address using the NAT table and delivers the packet to the original host.

8
Q

How PAT works

A

With PAT, all inside hosts get translated to one single IP address, hence the term overloading. In addition to the inside local IP address and inside global IP address, we now have port numbers. These port numbers help the router identify which host should receive the return traffic. The router uses the source port number from each host to differentiate the traffic from each of the hosts. In this example, the packet has a destination port number of 80 when it leaves the router, and the HTTP server sends back the data with a destination port number of 1026. This allows the NAT router to differentiate between hosts in the NAT table and then translate the destination IP address back to the inside local address. Port numbers are used at the Transport layer to identify the local host. If we had to use real global IP addresses to identify the source hosts, that’s called static NAT and we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts, which in turn allows us to theoretically use up to about 65,000 hosts with only one real IP address!

9
Q

Static NAT Configuration

A

ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!

The ip nat inside source command identifies which IP addresses will be translated. Here it configures a static translation between the inside local IP address 10.1.1.1 and the outside global IP address 170.46.2.2. The ip nat inside command identifies that interface as the inside interface, and the ip nat outside command identifies that interface as the outside interface. When you look back at the ip nat inside source command, you can see that the command is referencing the inside interface as the source or starting point of the translation. You could also use the command like this: ip nat outside source. This option indicates that the interface you designated as the outside interface should become the source or starting point for the translation.

10
Q

Dynamic NAT Configuration

A

Dynamic NAT really means we have a pool of addresses that we’ll use to provide real IP addresses to a group of users on the inside. Because we don’t use port numbers, we must have real IP addresses for every user who’s trying to get outside the local network simultaneously.

ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

The ip nat inside source list 1 pool todd command tells the router to translate IP addresses that match access-list 1 to an address found in the IP NAT pool named todd. Here the ACL isn’t there to filter traffic for security reasons by permitting or denying traffic. In this case, it’s there to select or designate what we often call interesting traffic. When interesting traffic has been matched by the access list, it’s pulled into the NAT process to be translated. This is actually a common use for access lists, which aren’t always there just to block traffic at an interface! The command ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0 creates a pool of addresses that will be distributed to the specific hosts requiring global addresses. When troubleshooting NAT for the Cisco objectives, always check this pool to confirm that there are enough addresses in it to provide translation for all the inside hosts. Lastly, check to make sure the pool names match exactly on both lines, remembering that they’re case sensitive. If they don’t match, the pool won’t work!

11
Q

PAT (Overloading) Configuration

A

This is the form of NAT that we typically use today. It’s actually pretty rare to use static or dynamic NAT now unless it’s for something like statically mapping a server.

ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

12
Q

Simple Verification of NAT

A

Router#show ip nat translations

When looking at the IP NAT translations, you’ll probably see lots of translations from the same host to the corresponding host at the destination. This is normal when there are many connections to the same server. You can also verify your NAT configuration via the debug ip nat command. The output will show the sending address, the translation, and the destination address on each debug line:

Router#debug ip nat

How do you clear your NAT entries from the translation table? Just use the clear ip nat translation command, and if you want to clear all entries from the NAT table, just use an asterisk (*) at the end of the command.

13
Q

Testing and Troubleshooting NAT

A

When something goes wrong, you can figure out some of the more common culprits by running through this list of potential causes:

■ Check the dynamic pools. Are they composed of the right scope of addresses?

■ Check to see if any dynamic pools overlap.

■ Check to see if the addresses used for static mapping and those in the dynamic pools overlap.

■ Ensure that your access lists specify the correct addresses for translation.

■ Make sure there aren’t any addresses left out that need to be there, and ensure that none are included that shouldn’t be.

■ Check to make sure you’ve got both the inside and outside interfaces delimited properly.

One of the most common problems with a new NAT configuration usually involves a routing blooper. So, because you’re changing a source or destination address in a packet, make sure your router still knows what to do with the new address after the translation!

14
Q

NAT Troubleshooting Commands

A

Router#show ip nat trans
Pro Inside global Inside local Outside local Outside global
— 192.2.2.1 10.1.1.1 — —
— 192.2.2.2 10.1.1.2 — —

By looking at this output, you can’t tell whether the translations are static or dynamic, but you absolutely can tell you’re not using PAT because there are no port numbers.

Router#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 170.168.2.1:11003 10.1.1.1:11003 172.40.2.2:23 172.40.2.2:23
tcp 170.168.2.1:1067 10.1.1.1:1067 172.40.2.3:23 172.40.2.3:23

This output shows NAT Overload (PAT) in use: the protocol is TCP, port numbers are present, and the inside global address is the same for both entries.

Router#debug ip nat
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]

15
Q

The three methods of NAT (Summary)

A

Static, dynamic, and overloading (also called PAT)

Static NAT
This type of NAT is designed to allow one-to-one mapping between local and global addresses.

Dynamic NAT
This version gives you the ability to map a range of unregistered IP addresses to a registered IP address from out of a pool of registered IP addresses.

Overloading
Overloading is really a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. It’s also known as PAT.

16
Q

“debug ip nat” command

A

The command debug ip nat will show you in real time the translations occurring on your router.

17
Q

“show ip nat translations” command

A

The command show ip nat translations will show you the translation table containing all the active NAT entries.

18
Q

“clear ip nat translations *” command

A

The command clear ip nat translations * will clear all the active NAT entries in your translation table.

19
Q

“show ip nat statistics” command

A

The show ip nat statistics command displays a summary of the NAT configuration as well as counts of active translation types, hits to an existing mapping, misses (an attempt to create a mapping), and expired translations.

20
Q

“ip nat pool name” command

A

The command ip nat pool name creates the address pool that hosts can use to get onto the global Internet.

21
Q

When creating a pool of global addresses, which of the following can be used instead of the netmask command?

A

Instead of the netmask command, you can use the prefix-length length statement.

22
Q

Which of the following would be a good starting point for troubleshooting if your router is not translating?

A

In order for NAT to provide translation services, you must have ip nat inside and ip nat outside configured on your router’s interfaces.