Module 6: NAT for IPv4 Flashcards
1
Q
What does NAT stand for?
A
Network Address Translation?
2
Q
What purpose does NAT have?
A
To allow networks to use private IPv4 addressess internally and providing translation to a public address only when needed.
3
Q
What is a NAT pool?
A
One or more valid public IPv4 addresses configured on a NAT-enabled router.
4
Q
Where does a NAT router typically operate?
A
Within the border of a stub network (a network with only one exit point to the internet)
5
Q
What happens when a device inside the stub network wants to communicate with a device outside of the stub network?
A
It’s packets are forwarded to the border router, which performs the NATprocess, translating the internal private address to a public outside routable address.
6
Q
What is the “Inside network” and what is the “Outside network”?
A
Inside Network = The private network subject to translation
Outside Network = All other networks
7
Q
What is a “Demarcation point”?
A
The point where the inside network becomes the outside network.
8
Q
What are meant by the acroynyms “SA” and “DA”?
A
Source Address and Destination Address
9
Q
What is the “Inside address”?
A
The address of the device which is being translated by NAT.
10
Q
What is the “Outside address”?
A
The address of the destination device.
11
Q
What is a “Local address”?
A
A local address is any address that appears on the inside portion of the network.
12
Q
What is a “Global address”?
A
A global address is any address that appears on the outside portion of the network.
13
Q
What four columns of addresses does NAT use?
A
- Inside local address
- Inside global address
- Outside local address
- Outside global address
14
Q
What is an “Inside local address”?
A
The address of the source as seen from inside the network.
15
Q
What is an “Inside global address”?
A
The address of the source as seen from outside the network.
16
Q
What is an “Outside global address”?
A
The address of the destination as seen from outside the network.
17
Q
What is an “Outside local address”?
A
The address of the destination as seen from inside the network.
18
Q
True or False?
The outside local and outside global address are translated.
A
False.
The outside local and outside global address is the destination (outside device) which is not typically translated because it is already a public IPv4 address.
19
Q
True or False?
The inside local address is translated to an inside global address.
A
True.
The private internal IP address is translated by the NAT router into a publically routable private ip address.
20
Q
A remote Web Server has an IP address of 209.165.201.10 what type of NAT address is this?
A
Outside Global
21
Q
A local PC1 has an IP address of 192.168.10.10 what type of NAT address is this?
A
Inside Local
22
Q
Local PC1 has had it’s IP address of 192.168.10.10 translated into 209.165.200.226 what type of NAT address is this?
A
Inside Global
23
Q
How does Static NAT map local and global addresses?
A
One-to-One Mapping, so that each local address has its own global address
24
Q
When is Static NAT typically used? Name some examples
A
For services that require a consistent address accessible from the internet, such as web servers, SSH access, VPN access.
25
Why might you not want to (or be able to) use static NAT?
You might not have enough static global addresses to map them one-to-one for each local address
26
How does Dynamic NAT map local and global addresses?
Using a NAT pool of global (public) IP addresses dynamically given out on a first-come first-served basis.
27
Why is Dynamic NAT considered a legacy system that is not used in most real world scenarios?
The cost of public IP addresses, and the existance of PAT (Port Address Translation), make the need for randomly assigned inside global addresses redundant.
28
What does PAT stand ford?
Port Address Translation
29
What is another name for Port Address Translation?
NAT Overload
30
How does PAT map local and global addresses?
Port Address Translation maps multiple private IP addresses to a single public IP address. It then differentiates the local devices by also assigning them a port number.
31
Why, and how, does PAT assign port numbers?
It assigns a unique port number to each session (not each device). The source port is randomly generated and stored, so that on the return trip the destination port maps to the internal session that generated it.
32
In what way does PAT add a level of security?
The port number used is randomly generated and must match the source port number that is stored. So incoming packets must be in response and match outgoing packets.
33
Using PAT, what happens when a device tries to use a port number that has already been used by another session?
PAT attempts to preserve the original source port, but uses the 'Next Available Port' if it cannot.
So if PC1 sends a packet as 192.168.10.10:1445 and then PC2 tries to send a packet as 12.168:10.11:1445 then PC will actually use port :1446 instead.
34
A device using PAT has had it's port changed from :1445 to :1446 due to Next Available Port. What happens when the packet is received back from port :1446?
It gets changed back to port :1445 by the NAT router before being sent back to the source device.
35
What is the difference between NAT and PAT?
NAT translates inside local addresses to unique inside global addresses, either one-to-one via static NAT or from a pool via dynamic NAT.
PAT instead translates inside local addresses to a single inside global address, using the port number to uniquely identifiy them.
36
How does PAT translate packets without a Layer 4 Segment?
Packets without a TCP/UDP segment, such as an ICMPv4 echo request and replies, instead used a Query ID to uniquely identify each request with its corresponding reply.
37
What are some advantages of NAT? (4)
* Conservation of public IP addressess by sharing them among devices.
* Multiple NAT pools can be used to provide redundancy or load-balancing to increase reliability.
* Ease of management because even if the public IP address of the network changes, clients do not need to be reconfigured.
* NAT hides the private IP addresses of the internal network (although experts agree NAT does not actually provide true security compared to a firewall).
38
What are some disadvantages of NAT? (6)
* Complicates troubleshooting by hiding internal IPs.
* Breaks end-to-end IP connectivity.
* Some protocols (VoIP, FTP) may require special handling.
* Adds processing overhead that slightly impacts performance.
* Limits access to internal devices without port forwarding.
* NAT can cause issues with IPsec because NAT modifies the header values.
39
True or False? A side effect of NAT is that it hides the inside local IP address of a host from the outside network.
True. NAT hides the IPv4 addresses of inside hosts from the outside network.
40
True or False? With NAT overload, each inside local IP address is translated to a unique inside global IP address on a one-for-one basis.
False. NAT with overload (PAT) allows many internal hosts to share a single, or very few, public IPv4 addresses.
41
True or False? The use of NAT makes end-to-end traceability between source and destination easier.
False. With NAT, end-to-end traceability is lost, making it more difficult to trace packets and to perform troubleshooting.
42
True or False? Tunneling protocols such as IPsec do not work well through NAT.
True. NAT complicates the use of tunneling protocols, such as IPsec, because NAT modifies values in the headers, causing integrity checks to fail.
43
What two steps are required when configuring static NAT?
1. Create the mapping between the inside local address and the inside global address.
2. Configure the interfaces participating in the translation as either inside or outside relative to NAT.
44
What IOS command would be used to configure static NAT on the inside address 192.168.10.254 to the inside global address 209.165.201.5
`ip nat inside source static 192.168.10.254 209.165.201.5`
45
What IOS commands would be used to:
* Enter configuration mode for interface Serial 0/1/0
* Configure the IP address and subnet mask 192.168.1.2 255.255.255.252
* Configure Serial 0/1/0 as inside of the NAT
```
interface serial 0/1/0
ip address 192.168.1.2 255.255.255.252
ip nat inside
exit
```
46
What IOS commands would be used to:
* Enter configuration mode for interface Serial 0/1/1
* Configure the IP address and subnet mask 209.165.200.1 255.255.255.252
* Configure Serial 0/1/1 as inside of the NAT
```
interface serial 0/1/1
ip address 20.165.200.1 255.255.255.252
ip nat outside
exit
```
47
What IOS commands could be used to verify a static NAT? (2)
`show ip nat translations` and `show ip nat statistics`
Statistics can be cleared with `clear ip nat statistics`
48
What IOS command would be used to create a NAT pool called NAT-POOL1 from 209.165.200.226 to .240 with a subnet mask of 255.255.255.224 ?
`ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224`
49
What parameters are used to define an IP NAT pool?
Starting IPv4 address, ending IPv4 address, netmask or prefix-length
## Footnote
The netmask indicates which address bits belong to the network and which belong to the host.
50
What is the command to configure a standard ACL for NAT?
access-list {access-list-number/name} permit {network-ip-address} {wildcard-mask}
## Footnote
This ACL permits addresses in the specified range for translation.
51
What is the consequence of having an ACL that is too permissive?
It can lead to unpredictable results
52
What statement is implicit at the end of each ACL?
`Deny all`
53
What command binds an ACL to a NAT pool?
`ip nat inside source list {access-list-number/name} pool {pool-name}`
54
What does binding the ACL to the pool accomplish?
Identifies which devices receive which NAT pool
55
What command identifies interfaces as inside for NAT?
`ip nat inside`
56
What command identifies interfaces as outside for NAT?
`ip nat outside`
57
Fill in the blank: The command to define a NAT pool is _______.
`ip nat pool {pool-name} {starting-ip} {ending-ip} netmask {subnet-mask}`
58
What IOS command can be used to verify dynamic NAT? (3)
`show ip nat translations`
`show ip nat statistics`
`show run | include NAT`
59
What IOS command can be used to remove all dynamic NAT entries, before they have timed out?
`clear ip nat translation *`
60
What is the default dynamic NAT entry timeout? How can it be changed?
24 hours.
`ip nat translation timeout {timeout-seconds}`
61
What 4 steps are required to configure a single IPv4 PAT?
1. Configure an ACL of permitted hosts `access-list {acl-number/name} permit {host-ip-addresses} {wildcard-mask}`
2. Configure NAT with the overload keyword `ip nat inside source list {acl-number/name} interface {interface} overload`
3. Enter config mode for the inside interface(s) and then configure them `ip nat inside`
4. Repeat for the outside interface(s) `ip nat outside`
62
What additional step is required when configuring PAT to use an address pool? How does the NAT configuration command change?
1. The NAT pool must be created `ip nat pool {pool-name} {start-address} {end-address} netmask {subnet-mask}
2. The command needs to reference the pool `ip nat inside source list {acl-number/name} pool {pool-name} overload`
63
What is NAT64?
NAT64 is a network address translation method for providing access between IPv6-only and IPv4-only networks.
## Footnote
NAT64 is not used for private IPv6 to global IPv6 translation.
64
What is the primary purpose of NAT for IPv6?
To provide transparent access between IPv6-only and IPv4-only networks.
## Footnote
This differs from NAT for IPv4, which has different use cases.
65
What is the ideal scenario for IPv6 usage?
IPv6 should be run natively wherever possible.
## Footnote
This means IPv6 devices should communicate over IPv6 networks.
66
What are the transition techniques developed by the IETF for moving from IPv4 to IPv6?
The transition techniques include:
* Dual-stack
* Tunneling
* Translation
## Footnote
These techniques accommodate various IPv4-to-IPv6 scenarios.
67
What does dual-stack mean?
Dual-stack refers to devices running protocols associated with both IPv4 and IPv6.
## Footnote
This allows for communication over both types of networks.
68
What is tunneling in the context of IPv6?
Tunneling is the process of encapsulating an IPv6 packet inside an IPv4 packet.
## Footnote
This enables the transmission of IPv6 packets over IPv4-only networks.
69
Is NAT for IPv6 recommended as a long-term strategy?
No, NAT for IPv6 should not be used as a long-term strategy but as a temporary mechanism.
## Footnote
It assists in the migration from IPv4 to IPv6.
70
What is NAT-PT and its current status?
NAT-PT (Network Address Translation-Protocol Translation) has been deprecated by IETF in favor of NAT64.
## Footnote
NAT-PT was an earlier method that is no longer recommended.
71
What is NAT64 and its current status?
NAT64 allows for protocol translation between IPv4 and IPv6 and is currently the main method of doing so.
72
A network administrator wants to examine the active NAT translations on a border router. Which command would perform the task?
`R1# show ip nat translations`
73
What are two tasks to perform when configuring static NAT?
1. Create a mapping between the inside local and inside global addresses.
2. Identify the participating interfaces as inside or outside interfaces.
74
What is a disadvantage of NAT?
It allows sites to connect IPv6 hosts to an IPv4 network by translating the IPv6 addresses to IPv4 addresses.
75
What address translation is performed by static NAT?
An inside local address is translated to a specified inside global address.
76
Using NAT terminology, what is the address of the source host on a private network as seen from inside the network?
Inside local
77
Why is NAT not needed in IPv6?
Any host or user can get a public IPv6 network address because the number of available IPv6 addresses is extremely large.
78
A company designs its network so that the PCs in the internal network are assigned IP addresses from DHCP servers, and the packets that are sent to the Internet are translated through a NAT-enabled router. What type of NAT enables the router to populate the translation table from a pool of unique public addresses, as the PCs send packets through the router to the Internet?
Dynamic NAT
79
What is a security feature of using NAT on a network - although experts agree it is not true security?
Allows internal IP addresses to be concealed from external users
80
When dynamic NAT without overloading is being used, what happens if seven users attempt to access a public server on the Internet when only six addresses are available in the NAT pool?
The request to the server for the seventh user fails.
81
A company has been assigned the 203.0.113.0/27 block of IP addresses by the ISP. The company has over 6000 internal devices. What type of NAT would be most appropriate for the employee workstations of the company?
Dynamic NAT overload using the pool of addresses
82
Which version of NAT allows many hosts inside a private network to simultaneously use a single inside global address for connecting to the Internet?
PAT
83
What is a disadvantage when both sides of a communication use PAT?
End-to-end IPv4 traceability is lost.
84
What 5 steps are taken when an internal host with IP address 192.168.10.10 attempts to send a packet to an external server 209.165.200.254 across router R1 running dynamic NAT?
1. The host sends packets that request a connection to the server address 209.165.200.254
2. R1 checks the NAT configuration to determine if the packet should be translated.
3. If there are no translation entries for this IP, R1 determines it should translate the source address 192.168.10.10
4. R1 selects an available global address from the dynamic address pool
5. R1 replaces the 192.168.10.10 address with a translated inside global address
85
What two addresses are specified in a static NAT configuration?
Inside local address and inside global address
86
In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?
Outside global
87
Based on the output that is shown, what type of NAT has been implemented?
PAT using an external interface
88
What is the purpose of the overload keyword in the ip nat inside source list 1 pool NAT_POOL overload command?
It allows many inside hosts to share one or a few inside global addresses.
89
What does NAT overloading use to track multiple internal hosts that use one inside global address?
Port Numbers
90
What type of address is 192.168.7.98?
Private
