To reach to the Internet, we need to get an
public IP address and it is unique all over the world. If each host in the
world required a unique public IP address, we would have run out of IP address
years ago. But by using Network Address Translation (NAT) we can save tons of
IP addresses for later uses. We can understand NAT like this:
“NAT
allows a host that does not have a valid registered IP address to communicate
with other hosts through the Internet”
For example, your computer
is assigned a private IP address of 10.0.0.9 and of course this address cannot
be routed on the internet but you can still access the internet. This is
because your router (or modem) translates this address into a public IP
address, 123.12.23.1 for example, before routing your data into the internet.
Of course, when your router receives a
reply packet destined for 123.12.23.1 it will convert back to your private IP
10.0.0.9 before sending that packet to you.
Maybe you will ask “hey, I don’t see any
difference of using NAT to save tons of IP addresses because you still need a
public IP address for each host to access the Internet and it doesn’t save you
anything, why you need to use NAT?”
Ok, you are right :), in the above example
we don’t see its usefulness but you now understand the fundamental of NAT!
Let’s take another example!
Suppose your company has 500 employees but
your Internet Service Provider (ISP) only gives you 50 public IP addresses. It
means that you can only allow 50 hosts to access the internet at the same time.
Here NAT comes to save your life!
One thing you should notice that in real
life, not all of your employees uses internet at the same time. Say, maybe 50
of them use internet to read newspaper at the morning; 50 others use internet
at noon for checking mail… By using NAT you can dynamically assign these 50
public IP addresses to those who really need them at that time. This is
called dynamic NAT.
But the above NAT solution does not solve
our problem completely because in some days there can be more than 50 people
surfing web at the morning. In this case, only the first 50 people can access
internet, others must wait to their turns.
Another problem is, in fact, your ISP only
gives you much lesser IP addresses than the number 50 because each public IP is
very precious now.
To solve the two problems above, another
feature of NAT can be used: NAT
Overload or sometimes called Port Address Translation (PAT)
PAT permits multiple devices on a local
area network (LAN) to be mapped to a single public IP address with different
port numbers. Therefore, it’s also known as port address translation (PAT).
When using PAT, the router maintains unique source port numbers on the inside global IP
address to distinguish between translations. In the below example, each host is
assigned to the same public IP address 123.1.1.1 1 but with different port
numbers (from 1000 to 1002).
Note: Cisco
uses the term inside
local for the private IP addresses and inside global for
the public IP addresses replaced by the router.
The outside host IP address can also be changed
with NAT. The outside
global address represents the outside host with a public
IP address that can be used for routing in the public Internet.
The last term, outside local address,
is a private address of an external device as it is referred to by devices on
its local network. You can understand outside local address as the inside local
address of the external device which lies at the other end of the Internet.
Maybe you will ask how many ports can we use
for each IP? Well, because the port number field has 16 bits, PAT can support
about 216 ports, which is more than 64,000 connections using
one public IP address.
Now you have learned all the most useful
features of NAT but we should summary all features of NAT:
There
are two types of NAT translation: dynamic and static.
Static NAT:
Designed to allow one-to-one mapping between local and global addresses. This
flavor requires you to have one real Internet IP address for every host on your
network.
Dynamic NAT: Designed
to map an unregistered IP address to a registered IP address from a pool of
registered IP addresses. You don’t have to statically configure your router to
map an inside to an outside address as in static NAT, but you do have to have
enough real IP addresses for everyone who wants to send packets through the
Internet. With dynamic NAT, you can configure the NAT router with more IP
addresses in the inside local address list than in the inside global address
pool. When being defined in the inside global address pool, the router
allocates registered public IP addresses from the pool until all are allocated.
If all the public IP addresses are already allocated, the router discards the
packet that requires a public IP address.
PAT (NAT Overloading): is also
a kind of dynamic NAT that maps multiple private IP addresses to a single
public IP address (many-to-one) by using different ports. Static NAT and
Dynamic NAT both require a one-to-one mapping from the inside local to the
inside global address. By using PAT, you can have thousands of users connect to
the Internet using only one real global IP address. PAT is the technology that
helps us not run out of public IP address on the Internet. This is the most
popular type of NAT.
Besides NAT gives you the option to
advertise only a single address for your entire network to the outside world.
Doing this effectively hides the internal network from the public world really
well, giving you some additional security for your network.
NAT terms:
* Inside local address –
The IP address assigned to a host on the inside network. The address is usually
not an IP address assigned by the Internet Network Information Center
(InterNIC) or service provider. This address is likely to be an RFC 1918
private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
Below
article demonstrate how to configure NAT using GNS3
To configure static NAT we need to complete these tasks:
* Define the router’s interfaces as inside or outside:
R0uter(config-if)#ip nat inside (or ip nat outside)
* Define the router’s interfaces as inside or outside:
R0uter(config-if)#ip nat inside (or ip nat outside)
* Define static mapping between the inside address and the
outside address:
R0uter(config)#ip nat inside source static
R0uter(config)#ip nat inside source static
+ Static NAT:
To make everything clear, we will configure static NAT in GNS3.
Open your GNS3 and build a topology like this:
We should use 3 routers in this topology but I want to save some
RAM and demonstrate how to ping from the loopback interface so I only use two
:) Therefore we should configure the loopback interface of R0 as the source IP
address and the fa0/0 interface of R0 as the “outgoing static NAT” address.
R0#configure terminal
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside
R0(config-if)#int f0/0
R0(config-if)#ip address 200.0.0.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#ip nat outside
R0(config-if)#exit
R0(config-if)#ip address 200.0.0.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#ip nat outside
R0(config-if)#exit
Finally, we have to tell the router to translate my private
IP 10.0.0.1 to
public IP 200.0.0.2 so
that I can go to the Internet!
R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2
In R1 we just assign the IP address and no shut its interface.
R1#config terminal
R1(config)#int f0/0
R1(config-if)#ip address 200.0.0.10 255.255.255.0
R1(config-if)#no shutdown
R1(config)#int f0/0
R1(config-if)#ip address 200.0.0.10 255.255.255.0
R1(config-if)#no shutdown
Check if all things are right or not:
R0#show ip nat translations
In this article we don’t use a host attached to R0 so if we want
to test our NAT configuration we have to ping from R0’s loopback interface by
using the ping extended command:
We can use the extended ping command by typing only “ping” at
the privileged mode, specify the “target IP address” and type “y” at the
“Extended commands” and specify the “source address or interface” at shown
below:
To approve NAT works well we can disable static NAT with the
following command
R0(config)#no ip nat inside source static 10.0.0.1 200.0.0.2
Now if we use the extended ping command (without NAT
configured):
-> We can’t ping from the loopback interface.
+ Dynamic NAT:
To configure dynamic NAT we need to complete these tasks:
* Define a pool of addresses (public IP) to be used for dynamic
NAT allocation
Router(config)#ip nat pool pool_name start_ip end_ip { netmask netmask | prefix-length prefix-length }
* Configure a standard access control list to define what
internal traffic will be translated
Router(config)#access-list access-list-number permit source [source-wildcard]
Link the access list to the NAT pool
Router(config)#ip nat inside source list access-list-number pool pool_name
Define interfaces as either inside and outside
Router(config-if)# ip nat inside (on
fa0/0, for example)
Router(config-if)#ip nat outside (on fa0/1, for example)
Router(config-if)#ip nat outside (on fa0/1, for example)
* Dynamic NAT configuration example:
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat pool PoolforNAT 200.23.123.6 200.23.123.10 netmask 255.255.255.0
RouterA(config)# ip nat inside source list 1 pool PoolforNAT
RouterA(config)# ip nat pool PoolforNAT 200.23.123.6 200.23.123.10 netmask 255.255.255.0
RouterA(config)# ip nat inside source list 1 pool PoolforNAT
Note: In the above command, the word “inside” means “I want to
NAT from inside to outside”; “list 1” means “the source IP addresses to NAT are
included in Access-list 1”; “pool PoolforNAT” means “NAT to the IP addresses
specified in PoolforNAT”.
RouterA(config)# int loopback0
RouterA(config-if)# ip nat inside
RouterA(config-if)# ip nat inside
RouterA(config-if)# int fa0/0
RouterA(config-if)# ip nat outside
RouterA(config-if)# ip nat outside
Configure PAT (NAT Overload)
* Configure a standard access list to define what internal
traffic will be translated
* Link the access list to the interface to be used for PAT
* Define interfaces as either inside or outside
* Link the access list to the interface to be used for PAT
* Define interfaces as either inside or outside
PAT router commands
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat inside source list 1 interface fa0/0 overload
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat inside source list 1 interface fa0/0 overload
(Notice the “interface fa0/0” means “NAT out of this interface”
and the keyword overload for
PAT in the above command)
RouterA(config)# interface fa0/0
RouterA(config-if)# ip nat outside
RouterA(config-if)# ip nat outside
RouterA(config-if)# interface loopback0
RouterA(config-if)# ip nat inside
RouterA(config-if)# ip nat inside
CCNA: NAT CHEAT SHEET
Key Characteristics
Standard:RFC3022
Short
term solution to overcome the address requirement to connect with internet
Enables
an organization to use Private AddressingScheme(definedinRFC1918) and
Still
connect to the internet
Private
Address Space
Private
IPaddressing is defined in RFC1918 according which the following Ipaddress
blocks
Can
be used within an organization for private use:
1.10.0.0.0/8
2.172.16.0.0/12
3.192.168.0.0/16
NAT Address Types
Inside
Local Address: the IP Address assigned to the host on the inside
network.This address is usually from the RFC1918 Private address space.
Inside Global Address: It is the Ip address of an inside host(oragroupofhosts) as it appears to
the
outside network. It is usually an address that is globally routable.
Outside Local Address: the IP address assigned to an outside host as it appears to the inside network. The address is allocated from an address space routable on inside network
Outside Global Address: the IP address of an outside host assigned by the owner/administrator of the host. Allocated from a globally routable address space.
Types
of NAT
There
are 3 types:
1.Static
NAT
•A
single local IPaddress is mapped to single global IPaddress. Also called
one-to-one NAT
2.Dynamic NAT
•A
pool of global addresses is used to translate local IP addresses. Each
inside host is assigned a global address for the duration of the session.
If the session is timed-out, the specific IPaddress is available to use for other inside hosts
If the session is timed-out, the specific IPaddress is available to use for other inside hosts
3.Port Address Translation
•Also
called overloading NAT.If a large number of host need to access the internet,
then static and dynamic NAT are not feasible
solutions as a large number of public IP addresses will be required.PAT
actually translates multiple local addresses to asingle global address using
different ports.
Configuration Example: Static NAT
Router
R1:
interface
fastethernet0/1
ipaddress
192.168.1.1 255.255.255.0
ip
nat inside
!
interface
fastethernet0/0
ipaddress
10.1.1.1 255.255.255.0
ip
nat outside
!
ip
nat inside source static 192.168.1.10 172.16.1.1
R1#sh
ip nat translation
Pro
Inside global Inside local Outside local Outside global
---172.16.1.1
192.168.1.10 ------
Configuration
Example: Dynamic NAT
Router
R1:
interface
fastethernet0/1
ipaddress
192.168.1.1 255.255.255.0
ipnatinside
!
interface
fastethernet0/0
ipaddress
10.1.1.1 255.255.255.0
ipnatoutside
!
ipaccess-list
standard INSIDE-HOSTS
permit
192.168.1.0 0.0.0.255
!
ipnatpool
NAT-POOL 155.1.1.1 155.1.1.254 netmask255.255.255.0
!
ipnatinside
source list INSIDE-HOSTS pool NAT-POOL
R1#sh ipnattranslation
Pro
Inside globalInside local Outside local Outside global
---155.1.1.1
192.168.1.1 ------
---155.1.1.2
192.168.1.2 ------
---155.1.1.3
192.168.1.3 ------
Configuration
Example: Port Address Translation
Router
R1:
interface
fastethernet0/1
ipaddress
192.168.1.1 255.255.255.0
ipnatinside
!
interface
fastethernet0/0
ipaddress
10.1.1.1 255.255.255.0
ipnatoutside
!
ipaccess-list
standard INSIDE-HOSTS
permit
192.168.1.0 0.0.0.255
!
ip
nat inside source list INSIDE-HOSTS interface fastethernet0/0 overload
R2#sh ip nat translation
Pro
Inside global Inside local Outside local Outside global
Icmp10.1.1.1:5
192.168.1.1 10.1.1.3:5 10.3.3.3:5
icmp10.1.1.1:6
192.168.1.2 10.1.1.4:6 10.3.3.4:6
tcp10.1.1.1:41683
192.168.1.3:41683 10.1.1.3:23 10.3.3.3:23
tcp10.1.1.1:51780
192.168.1.3:51780 10.3.1.4:80 10.3.3.4:80
Troubleshooting Command
1.show
ip nat translation
2.show
ip nat translation verbose
3.debug
ip nat [detailed]
Still
if further more clarification is required please go through the below videos.
ReplyDeleteIt is very useful and knowledgeable. Therefore, I would like to thank you for the efforts you have made in writing this article.
WS-C3650-24PS-E
WS-C3650-24TD-L
WS-C3650-24PD-S