Chapter 39 - Network Address Translation Flashcards

1
Q

What is CIDR?

A
  • Classless Inter Domain Routing
  • A technology that allows an RIR (Regional Internet Registry) to assign a block of any size to an organisation, instead of only the classful /8, /16 or /24 blocks
  • RFC 4632
  • Defines a method of summarising and aggregating routes to reduce the size of routing tables
2
Q

What is NAT?

A
  • Network Address Translation
  • Allows hosts that only have private (RFC 1918) addresses to reach the internet: the NAT device rewrites the private source address to a public address on the way out, and rewrites the public destination address back to the private one on the return traffic
3
Q

What is Static NAT?

A
  • A form of NAT in which one specific inside local (private) address is mapped by hand to one specific inside global (public) address
  • Also known as one-to-one NAT
4
Q

What does Cisco call the private and public addresses of an inside host?

A
  • Private - Inside Local
  • Public - Inside Global
5
Q

What is Outside NAT?

A
  • Used in Destination NAT
  • The Outside Global address is the outside host’s real address as seen from the outside network (e.g. the internet server that receives the NAT’d traffic). Source NAT never changes it.
  • The Outside Local address is the outside host’s address as seen by the inside host. Because the inside host knows nothing about the outside network’s addressing, this is the same as the Outside Global address unless destination NAT translates it.
6
Q

What is Inside NAT?

A
  • Used in Source NAT
  • Inside refers to the location of the sending host from the organisation’s perspective. It is inside the organisation.
  • The Inside Global address is the address that the host’s private address is represented by when outside the organisation’s network. It is the public address.
  • The Inside Local address is the address that the host is represented by when inside the organisation’s network. It is the private address.
7
Q

What is Dynamic NAT?

A
  • Similar to Static NAT (still a one-to-one mapping) but not statically defined. The router holds a pool of inside global addresses and hands one out to each inside local address that matches the ACL referenced by the NAT rule.
  • When the first packet hits the NAT device it checks configured rules to see what should be NAT’d.
  • If the packet should be NAT’d, an entry is added to the device’s NAT table with the inside local address and corresponding inside global address it is being NAT’d to.
  • The entry will remain in the table until the timeout elapses.
8
Q

What command can you use to clear the NAT table of dynamic entries?

A

‘clear ip nat translation *’

  • This will not clear static entries
9
Q

What happens if there are no inside global addresses to NAT inside local addresses to?

A

The incoming packet will be dropped and will not be NAT’d

10
Q

What is PAT?

A
  • Port Address Translation
  • Also known as NAT Overload
  • Translates TCP/UDP port numbers as well as IP addresses, so a single inside global address can carry connections from many inside local addresses at once. Each translation is tracked as an address and port pair, and the router rewrites the source port when two inside hosts would otherwise collide on the same port number.
11
Q

What commands do you use to configure Static NAT mappings?

A

To create the mapping
- ‘ip nat inside source static <inside-local> <inside-global>’ from global config (the private address comes first, the public address second)

To set an interface as inside the organisation
- ‘ip nat inside’ from interface config

To set an interface as outside the organisation
- ‘ip nat outside’ from interface config

12
Q

What information will the ‘show ip nat translations’ command show you?

A

The active translations in the NAT table, one line per entry: the Pro column (protocol, filled in for PAT entries), then the inside global, inside local, outside local and outside global addresses, with port numbers appended to the addresses of PAT entries. Static entries are always listed; dynamic entries appear only while a translation exists.

13
Q

What information will the ‘show ip nat statistics’ command show you?

A
  • Outside interfaces
  • Inside interfaces
  • Expired mappings
  • Hits - The number of packets for which the NAT table lookup found an existing entry, so the packet was translated using it
  • Misses - The number of packets that entered the NAT process without an existing entry in the NAT table. The router tries to create an entry for each of these.
  • Misses (under Dynamic Mappings) - The number of packets that matched the NAT rule but could not be translated because no pool address was free
  • Allocated - The number of addresses currently assigned from the pool
14
Q

What commands do you use to configure Dynamic NAT? What keyword turns this into Dynamic PAT?

A

To configure a standard ACL that tells the device which inside local addresses to NAT (addresses the ACL does not permit are forwarded untranslated)
- ‘access-list <number> permit <source> <wildcard>’ from global config

To set an interface as inside the organisation
- ‘ip nat inside’ from interface config

To set an interface as outside the organisation
- ‘ip nat outside’ from interface config

To define a pool of inside global addresses that can be translated to
- ‘ip nat pool <pool> <first> <last> netmask <subnet>’ from global config

To bind the ACL to the pool and finish the configuration. To change this to Dynamic PAT, add the keyword ‘overload’ to the end of the command.
- ‘ip nat inside source list <acl> pool <pool> [overload]’ from global config

15
Q

What commands do you use to configure PAT (NAT overload) using an interface’s IP address?

A

To configure a standard ACL that tells the device which inside local addresses to NAT
- ‘access-list <number> permit <source> <wildcard>’ from global config

To set an interface as inside the organisation
- ‘ip nat inside’ from interface config

To set an interface as outside the organisation
- ‘ip nat outside’ from interface config

To translate the ACL addresses to the IP address of the outside interface, using port numbers to keep the connections apart (no pool is needed)
- ‘ip nat inside source list <acl> interface <interface> overload’ from global config
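
Cards 11, 14 and 15 list the commands one at a time; the following is an added worked configuration that puts them together on one router. It is not from the original page: the interface names, addresses, pool name and ACL number are assumed. The two PAT statements are left commented out because only one ‘ip nat inside source list 1’ binding should be active at a time, so you would keep exactly one of the three forms:

```cisco
! Assumed topology: G0/0 is the LAN side (10.1.1.0/24), G0/1 faces the ISP (200.1.1.0/29)
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 200.1.1.1 255.255.255.248
 ip nat outside
!
! Card 11: static NAT, inside local first, inside global second (permanent entry, card 20)
ip nat inside source static 10.1.1.9 200.1.1.3
!
! Card 14: dynamic NAT. ACL 1 selects the inside local addresses (note the wildcard mask,
! not a subnet mask); the pool holds the inside global addresses handed out one-to-one.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat pool ISP-POOL 200.1.1.4 200.1.1.6 netmask 255.255.255.248
ip nat inside source list 1 pool ISP-POOL
!
! Card 14 with 'overload' (PAT on the pool) and card 15 (PAT on the outside interface
! address) are alternatives to the binding above. Remove that binding first, then add
! one of these:
! ip nat inside source list 1 pool ISP-POOL overload
! ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Verification and cleanup (cards 8, 12 and 13), from privileged EXEC:
! show ip nat translations
! show ip nat statistics
! clear ip nat translation *
```

With this applied, ‘show ip nat statistics’ lists GigabitEthernet0/0 under the inside interfaces and GigabitEthernet0/1 under the outside interfaces, and the static entry for 10.1.1.9 shows up in ‘show ip nat translations’ before any inside host has sent a packet, while dynamic entries appear only once a matching host starts talking.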

16
Q

Things to check when troubleshooting NAT issues

A
  • Incorrect inside and outside interfaces
  • Addresses the wrong way round in the ‘ip nat inside source static <inside-local> <inside-global>’ command when configuring Static NAT
  • Ensure that the ACL for Dynamic NAT matches the correct inside local addresses
  • Ensure that the pool for Dynamic NAT contains the correct inside global addresses, and that the range and netmask in the ‘ip nat pool <pool> <first> <last> netmask <subnet>’ command agree with each other
  • Ensure that when intending to use PAT, the ‘overload’ keyword is added
  • Check that no ACL is filtering the packets. For packets entering a router, inbound ACLs are evaluated before NAT; for packets leaving a router, NAT is performed before outbound ACLs. So ACLs on the outside interface always see the inside global address, and ACLs on the inside interface always see the inside local address.
  • Ensure routing is correct to match the destination of the packet at either end of the connection
  • Ensure that user traffic matches the NAT parameters
17
Q

What will happen if you attempt to statically map multiple inside local addresses to a single inside global address?

A

The first static mapping stays in the NAT table. Any later ‘ip nat inside source static’ command that reuses the same inside global address is rejected, because static NAT is strictly one-to-one.

18
Q

What will happen if an ACL is used in Dynamic NAT that denies a packet that has been received by a NAT device?

A

The packet will not be NAT’d, but it will not be dropped either: it is routed normally with its original source address.

19
Q

What is NAT Pool Exhaustion?

A

This occurs in Dynamic NAT when there are not enough inside global addresses to be assigned one to one to inside local addresses

20
Q

True or False. Static NAT mappings are permanent and will not be timed out from the NAT Table.

A

True.

21
Q

How long does it take for Dynamic NAT entries to timeout?

A

24 hours (86400 seconds), the IOS default for ‘ip nat translation timeout’. The timer runs from the last packet that used the entry, and the default can be changed with that command.
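
As an added, runnable illustration of the table behaviour described in cards 7 to 10 and 17 to 21, the following Python model implements a dynamic NAT pool, PAT overload, static entries, the selecting ACL, the ‘clear’ behaviour and the idle timeout. It is not IOS code and not from the original page: the addresses, pool, ACL and the PAT port-selection rule are assumptions, and the scenarios in demo() use constructed inputs.

```python
"""Toy model of a Cisco-style NAT table (added example, not IOS code): static NAT,
dynamic NAT from a pool, PAT (overload), the selecting ACL, exhaustion and timeouts."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

DEFAULT_TIMEOUT = 86400  # seconds; the IOS default for `ip nat translation timeout` (24 h)


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None    # ports are only tracked for PAT entries
    global_port: Optional[int] = None
    static: bool = False
    last_used: float = 0.0


class NatTable:
    """One `ip nat inside source list <acl> pool <pool> [overload]` rule plus static entries."""

    def __init__(self, acl_permit, pool, overload=False, timeout=DEFAULT_TIMEOUT):
        self.acl = [ipaddress.ip_network(n) for n in acl_permit]  # networks the ACL permits
        self.pool = list(pool)           # inside global addresses (strings)
        self.overload = overload
        self.timeout = timeout
        self.entries = []
        self.pool_misses = 0             # "Misses" under dynamic mappings: no free address

    def add_static(self, inside_local, inside_global):
        """Card 17: a static mapping that reuses an address is rejected; the first one stays."""
        for e in self.entries:
            if e.static and (e.inside_local == inside_local or e.inside_global == inside_global):
                raise ValueError("% similar static entry already exists")
        self.entries.append(Entry(inside_local, inside_global, static=True))

    def clear_dynamic(self):
        """Card 8: `clear ip nat translation *` removes dynamic entries only."""
        self.entries = [e for e in self.entries if e.static]

    def translate(self, src_ip, src_port, now=0.0):
        """Translate one inside-to-outside packet. Returns (status, ip, port) with status
        'translated', 'untranslated' (ACL denied: forwarded unchanged, card 18) or
        'dropped' (no free inside global address, cards 9 and 19)."""
        # Card 21: dynamic entries idle for the timeout expire; static ones never do (card 20).
        self.entries = [e for e in self.entries if e.static or now - e.last_used < self.timeout]
        for e in self.entries:                       # static entries take precedence
            if e.static and e.inside_local == src_ip:
                return "translated", e.inside_global, src_port
        for e in self.entries:                       # reuse an existing dynamic entry
            if e.inside_local == src_ip and (not self.overload or e.local_port == src_port):
                e.last_used = now
                return "translated", e.inside_global, e.global_port or src_port
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            return "untranslated", src_ip, src_port  # ACL deny: not NAT'd, not dropped
        if not self.overload:                        # dynamic NAT: one host per pool address
            in_use = {e.inside_global for e in self.entries}
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:                             # pool exhaustion
                self.pool_misses += 1
                return "dropped", None, None
            self.entries.append(Entry(src_ip, free[0], last_used=now))
            return "translated", free[0], src_port
        # PAT: every host shares the first pool address and the port keeps flows apart.
        # Assumption: keep the original source port if free, else the lowest free port
        # from 1024 (the exact IOS allocation rule is not modelled).
        global_ip = self.pool[0]
        used = {e.global_port for e in self.entries if e.inside_global == global_ip}
        global_port = src_port if src_port not in used else next(
            (p for p in range(1024, 65536) if p not in used), None)
        if global_port is None:                      # all ports on the address are busy
            self.pool_misses += 1
            return "dropped", None, None
        self.entries.append(Entry(src_ip, global_ip, src_port, global_port, last_used=now))
        return "translated", global_ip, global_port


def demo():
    """Run the card scenarios on constructed addresses; returns each outcome by name."""
    r = {}
    dyn = NatTable(acl_permit=["10.1.1.0/24"], pool=["200.1.1.1", "200.1.1.2"])
    r["dyn_h1"] = dyn.translate("10.1.1.1", 40000, now=0)
    r["dyn_h2"] = dyn.translate("10.1.1.2", 40001, now=1)
    r["dyn_exhausted"] = dyn.translate("10.1.1.3", 40002, now=2)      # pool empty: dropped
    r["dyn_denied"] = dyn.translate("10.2.2.2", 40003, now=3)         # ACL deny: untouched
    r["dyn_after_timeout"] = dyn.translate("10.1.1.3", 40002, now=DEFAULT_TIMEOUT + 5)
    pat = NatTable(acl_permit=["10.1.1.0/24"], pool=["200.1.1.1"], overload=True)
    r["pat_h1"] = pat.translate("10.1.1.1", 50000)
    r["pat_h2"] = pat.translate("10.1.1.2", 50000)   # same source port: gets a new global port
    r["pat_h3"] = pat.translate("10.1.1.3", 50001)
    st = NatTable(acl_permit=[], pool=[])
    st.add_static("10.1.1.9", "200.1.1.9")
    try:
        st.add_static("10.1.1.10", "200.1.1.9")
        r["static_dup"] = "accepted"
    except ValueError:
        r["static_dup"] = "rejected"
    st.clear_dynamic()                               # the static entry must survive this
    r["static_after_clear"] = st.translate("10.1.1.9", 22)
    return r
```

The dynamic pool hands out each inside global address to one host only, so the third host is dropped until an earlier entry ages out; the overloaded table serves all three hosts from one address and only has to pick a new global port when two hosts choose the same source port. The counters map onto ‘show ip nat statistics’: pool_misses is the Misses figure under dynamic mappings.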