
Sunday, January 17, 2010

Day 18: NAT

If you've ever wondered why we're not all using IPv6 yet, the simple answer is Network Address Translation (NAT), and more specifically NAT overload, also called PAT.

As seen on day 20, RFC 1918 defines the private address ranges. These addresses cannot be used on the Internet directly: Internet routers do not route private IP addresses (such packets get dropped). A router can, however, receive a public, Internet-routable address from the ISP and provide Internet connectivity for the hosts on the local private network. The router uses NAT to exchange private IP addresses for a public IP address or a pool of public IP addresses, so an internal host appears to the outside world as though it has a public IP address. NAT also provides some basic security, since outside hosts cannot address the internal hosts directly.

NAT was developed because of too few available IP addresses. Here are some terms:
  • inside local network: the privately addressed internal network connected to a router
  • inside local address: internal IP address assigned to a host on the inside, private network. This is usually a private IP address
  • outside global network: any network outside the local network that would also not recognize the private addresses assigned to hosts in the local network
  • inside global address: a registered, Internet-routable IP address that represents one or more inside local IP addresses to the outside world
  • outside local address: destination address of the packet while on the inside local network - typically the same as the outside global address. So it's the IP address of an outside host as it appears to the inside, private network.
  • outside global address: actual destination address of the intended external host on the Internet. The IP address assigned to a host on the outside network by the host's owner - usually a routable IP address.
Static NAT translates one private address to one public address. Dynamic NAT uses a pool of public addresses that are temporarily assigned to internal hosts (the public address returns to the pool afterwards).
A router uses NAT overload, or port address translation (PAT), to allow multiple internal hosts to communicate using just one public IP address. The router uses the source port numbers to identify each internal connection request. Note that this implies that internal hosts must initiate communications with outside networks. If you're wondering what happens when two hosts use the same source port (out of the 65535 available), it's simple: whoever gets there first keeps that port and the other one gets a different one - for example 61751 would then become 61752.

To configure static NAT, you have to designate an inside interface (this is the interface connected to the private network). You also have to designate the interface connected to the outside world as the outside interface. Needed commands:
ip nat outside
ip nat inside
ip nat inside source static local-IP-address global-IP-address

We don't have to know the CLI for ICND1, but I'll give a quick overview since we're preparing for the CCNA - please try it with SDM (use GNS3 if needed).

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside
Router(config)#ip nat inside source static

NAT with overload enables PAT (a many-to-one mapping). Use the access-list command to define the private address pool that you want to translate to a single IP address. An access list uses a wildcard mask instead of a subnet mask to identify the bits available for use as hosts in the pool. Needed commands (see the differences above):
access-list access-list-number permit inside-network wildcard-mask
ip nat inside source list access-list-number interface interface overload
ip nat outside
ip nat inside
Router(config)#access-list 1 permit
Router(config)#ip nat inside source list 1 interface serial 1/0 overload
Router(config)#interface serial 1/0
Router(config-if)#ip nat outside
Router(config-if)#interface fa 0/0
Router(config-if)#ip nat inside
Look at the wildcard mask as a reversed subnet mask. The overload keyword maps multiple IP addresses to a single registered IP address (many-to-one) by using different source port numbers. Use show run and show ip nat translations to verify the NAT configuration. A useful command for testing/troubleshooting is debug ip icmp, which outputs any ICMP traffic processed by the router. Don't forget to turn it off with undebug all or u all. The clear ip nat translation * command clears all the NAT translations in the NAT table; it's useful for troubleshooting.
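To tie together the PAT behaviour described earlier (source ports identifying each internal connection, first-come-first-served when two hosts pick the same port, and return traffic only for connections the inside initiated) with the access-list wildcard match used by the overload configuration, here is a small added Python model of the router's NAT table. It is an illustration written for these notes, not Cisco IOS code; the inside network 192.168.1.0 with wildcard 0.0.0.255 and the outside interface address 203.0.113.10 are constructed example values.

```python
import ipaddress

# Constructed example values: the inside network from the access-list and an
# assumed public address on the router's outside (serial 1/0) interface.
INSIDE_NETWORK = "192.168.1.0"
INSIDE_WILDCARD = "0.0.0.255"
OUTSIDE_IF_ADDRESS = "203.0.113.10"


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def acl_permits(src_ip, network, wildcard):
    """Standard ACL match. A wildcard bit of 0 means the bit must match,
    1 means 'don't care', so the wildcard is the inverted subnet mask."""
    mask = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(src_ip) & mask) == (ip_to_int(network) & mask)


class PatTable:
    """Models 'ip nat inside source list <acl> interface <if> overload'."""

    def __init__(self, global_ip, acl_network, acl_wildcard):
        self.global_ip = global_ip
        self.acl = (acl_network, acl_wildcard)
        self.inside_to_global = {}   # (inside local ip, port) -> inside global port
        self.global_to_inside = {}   # inside global port -> (inside local ip, port)

    def _allocate_port(self, wanted):
        # First come, first served: keep the host's own source port if it is
        # free, otherwise walk upward to the next free port (wrapping into the
        # ephemeral range) so e.g. 61751 becomes 61752 on a clash.
        port = wanted
        for _ in range(65536):
            if port not in self.global_to_inside:
                return port
            port = port + 1 if port < 65535 else 1024
        raise RuntimeError("no free source ports on the inside global address")

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving the inside interface.
        Returns (inside global ip, inside global port), or None when the ACL
        does not permit the source and no translation is created."""
        if not acl_permits(src_ip, *self.acl):
            return None
        key = (src_ip, src_port)
        if key in self.inside_to_global:            # existing entry is reused
            return (self.global_ip, self.inside_to_global[key])
        port = self._allocate_port(src_port)
        self.inside_to_global[key] = port
        self.global_to_inside[port] = key
        return (self.global_ip, port)

    def inbound(self, dst_port):
        """Map a packet arriving on the outside interface back to the inside
        host. None means no entry exists: the packet is dropped, which is why
        outside hosts cannot start a connection through PAT on their own."""
        return self.global_to_inside.get(dst_port)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        return sorted(
            (f"{self.global_ip}:{gport}", f"{lip}:{lport}")
            for (lip, lport), gport in self.inside_to_global.items()
        )

    def clear(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.inside_to_global.clear()
        self.global_to_inside.clear()


if __name__ == "__main__":
    table = PatTable(OUTSIDE_IF_ADDRESS, INSIDE_NETWORK, INSIDE_WILDCARD)
    print(table.outbound("192.168.1.10", 61751))   # keeps port 61751
    print(table.outbound("192.168.1.20", 61751))   # clash, gets 61752
    print(table.outbound("10.0.0.5", 5000))        # not permitted by the ACL
    print(table.inbound(61752))                    # reply reaches 192.168.1.20
    print(table.inbound(40000))                    # unsolicited inbound: dropped
    for row in table.translations():
        print(*row)
```

Running the script shows the two inside hosts sharing 203.0.113.10 with different source ports, a host outside the access-list range left untranslated, and an inbound packet for a port with no entry being dropped.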
A useful link is
