Thursday, 7 September 2017

Network Address Translation [NAT]

To reach to the Internet, we need to get an public IP address and it is unique all over the world. If each host in the world required a unique public IP address, we would have run out of IP address years ago. But by using Network Address Translation (NAT) we can save tons of IP addresses for later uses. We can understand NAT like this:
“NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet”
For example, your computer is assigned a private IP address of 10.0.0.9 and of course this address cannot be routed on the internet but you can still access the internet. This is because your router (or modem) translates this address into a public IP address, 123.12.23.1 for example, before routing your data into the internet.




Of course, when your router receives a reply packet destined for 123.12.23.1 it will convert back to your private IP 10.0.0.9 before sending that packet to you.
Maybe you will ask “hey, I don’t see any difference of using NAT to save tons of IP addresses because you still need a public IP address for each host to access the Internet and it doesn’t save you anything, why you need to use NAT?”
Ok, you are right :), in the above example we don’t see its usefulness but you now understand the fundamental of NAT!
Let’s take another example!
Suppose your company has 500 employees but your Internet Service Provider (ISP) only gives you 50 public IP addresses. It means that you can only allow 50 hosts to access the internet at the same time. Here NAT comes to save your life!
One thing you should notice that in real life, not all of your employees uses internet at the same time. Say, maybe 50 of them use internet to read newspaper at the morning; 50 others use internet at noon for checking mail… By using NAT you can dynamically assign these 50 public IP addresses to those who really need them at that time. This is called dynamic NAT.
But the above NAT solution does not solve our problem completely because in some days there can be more than 50 people surfing web at the morning. In this case, only the first 50 people can access internet, others must wait to their turns.
Another problem is, in fact, your ISP only gives you much lesser IP addresses than the number 50 because each public IP is very precious now.
To solve the two problems above, another feature of NAT can be used: NAT Overload or sometimes called Port Address Translation (PAT)

PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP address with different port numbers. Therefore, it’s also known as port address translation (PAT). When using PAT, the router maintains unique source port numbers on the inside global IP address to distinguish between translations. In the below example, each host is assigned to the same public IP address 123.1.1.1 1 but with different port numbers (from 1000 to 1002).


Note: Cisco uses the term inside local for the private IP addresses and inside global for the public IP addresses replaced by the router.
The outside host IP address can also be changed with NAT. The outside global address represents the outside host with a public IP address that can be used for routing in the public Internet.
The last term, outside local address, is a private address of an external device as it is referred to by devices on its local network. You can understand outside local address as the inside local address of the external device which lies at the other end of the Internet.
Maybe you will ask how many ports can we use for each IP? Well, because the port number field has 16 bits, PAT can support about 216 ports, which is more than 64,000 connections using one public IP address.
Now you have learned all the most useful features of NAT but we should summary all features of NAT:
There are two types of NAT translation: dynamic and static.
Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.
Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet. With dynamic NAT, you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. When being defined in the inside global address pool, the router allocates registered public IP addresses from the pool until all are allocated. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address.
PAT (NAT Overloading): is also a kind of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports. Static NAT and Dynamic NAT both require a one-to-one mapping from the inside local to the inside global address. By using PAT, you can have thousands of users connect to the Internet using only one real global IP address. PAT is the technology that helps us not run out of public IP address on the Internet. This is the most popular type of NAT.
Besides NAT gives you the option to advertise only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the public world really well, giving you some additional security for your network.
NAT terms:
* Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.




Below article demonstrate how to configure NAT using GNS3
To configure static NAT we need to complete these tasks:
* Define the router’s interfaces as inside or outside: 
R0uter(config-if)#ip nat inside 
(or ip nat outside)
* Define static mapping between the inside address and the outside address: 
R0uter(config)#ip nat inside source static
+ Static NAT:
To make everything clear, we will configure static NAT in GNS3. Open your GNS3 and build a topology like this:


We should use 3 routers in this topology but I want to save some RAM and demonstrate how to ping from the loopback interface so I only use two :) Therefore we should configure the loopback interface of R0 as the source IP address and the fa0/0 interface of R0 as the “outgoing static NAT” address.
R0#configure terminal
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside
R0(config-if)#int f0/0
R0(config-if)#ip address 200.0.0.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#ip nat outside
R0(config-if)#exit
Finally, we have to tell the router to translate my private IP 10.0.0.1 to public IP 200.0.0.2 so that I can go to the Internet!
R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2
In R1 we just assign the IP address and no shut its interface.
R1#config terminal
R1(config)#int f0/0
R1(config-if)#ip address 200.0.0.10 255.255.255.0
R1(config-if)#no shutdown
Check if all things are right or not:
R0#show ip nat translations

  

In this article we don’t use a host attached to R0 so if we want to test our NAT configuration we have to ping from R0’s loopback interface by using the ping extended command:
We can use the extended ping command by typing only “ping” at the privileged mode, specify the “target IP address” and type “y” at the “Extended commands” and specify the “source address or interface” at shown below:











 To approve NAT works well we can disable static NAT with the following command
R0(config)#no ip nat inside source static 10.0.0.1 200.0.0.2
Now if we use the extended ping command (without NAT configured):












-> We can’t ping from the loopback interface.
+ Dynamic NAT:
To configure dynamic NAT we need to complete these tasks:
* Define a pool of addresses (public IP) to be used for dynamic NAT allocation
Router(config)#ip nat pool pool_name start_ip end_ip { netmask netmask | prefix-length prefix-length }
* Configure a standard access control list to define what internal traffic will be translated
Router(config)#access-list access-list-number permit source [source-wildcard]
Link the access list to the NAT pool
Router(config)#ip nat inside source list access-list-number pool pool_name
Define interfaces as either inside and outside
Router(config-if)# ip nat inside (on fa0/0, for example)
Router(config-if)#ip nat outside 
(on fa0/1, for example)
* Dynamic NAT configuration example:
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat pool PoolforNAT 200.23.123.6 200.23.123.10 netmask 255.255.255.0
RouterA(config)# ip nat inside source list 1 pool PoolforNAT
Note: In the above command, the word “inside” means “I want to NAT from inside to outside”; “list 1” means “the source IP addresses to NAT are included in Access-list 1”; “pool PoolforNAT” means “NAT to the IP addresses specified in PoolforNAT”.
RouterA(config)# int loopback0
RouterA(config-if)# ip nat inside
RouterA(config-if)# int fa0/0
RouterA(config-if)# ip nat outside
Configure PAT (NAT Overload)
* Configure a standard access list to define what internal traffic will be translated
* Link the access list to the interface to be used for PAT
* Define interfaces as either inside or outside
PAT router commands
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat inside source list 1 interface fa0/0 overload
(Notice the “interface fa0/0” means “NAT out of this interface” and the keyword overload for PAT in the above command)
RouterA(config)# interface fa0/0
RouterA(config-if)# ip nat outside
RouterA(config-if)# interface loopback0
RouterA(config-if)# ip nat inside

CCNA: NAT CHEAT SHEET
Key Characteristics
Standard:RFC3022
Short term solution to overcome the address requirement to connect with internet
Enables an organization to use Private AddressingScheme(definedinRFC1918) and
Still connect to the internet
Private Address Space
Private IPaddressing is defined in RFC1918 according which the following Ipaddress blocks
Can be used within an organization for private use:
1.10.0.0.0/8
2.172.16.0.0/12
3.192.168.0.0/16

NAT Address Types
Inside Local Address:  the IP Address assigned to the host on the inside network.This address is usually from the RFC1918 Private address space.

Inside Global Address: It is the Ip address of an inside host(oragroupofhosts) as it appears to
the outside network. It is usually an address that is globally routable.

Outside Local Address: the IP address assigned to an outside host as it appears to the inside network. The address is allocated from an address space routable on inside network

Outside Global Address: the IP address of an outside host assigned by the owner/administrator of the host. Allocated from a globally routable address space.

Types of NAT
There are 3 types:
1.Static NAT
•A single local IPaddress is mapped to single global IPaddress. Also called one-to-one NAT

2.Dynamic NAT
•A pool of global addresses is used to translate local IP addresses.  Each inside host is assigned a global address for the duration of the session.
If the session is timed-out, the specific IPaddress is available to use for other inside hosts

3.Port Address Translation


•Also called overloading NAT.If a large number of host need to access the internet,
then static and dynamic NAT are not feasible solutions as a large number of public IP addresses will be required.PAT actually translates multiple local addresses to asingle global address using different ports.

Configuration Example: Static NAT
Router R1:
interface fastethernet0/1
ipaddress 192.168.1.1 255.255.255.0
ip nat inside
!
interface fastethernet0/0
ipaddress 10.1.1.1 255.255.255.0
ip nat outside
!
ip nat inside source static 192.168.1.10 172.16.1.1
R1#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
---172.16.1.1 192.168.1.10 ------

Configuration Example: Dynamic NAT
Router R1:
interface fastethernet0/1
ipaddress 192.168.1.1 255.255.255.0
ipnatinside
!
interface fastethernet0/0
ipaddress 10.1.1.1 255.255.255.0
ipnatoutside
!
ipaccess-list standard INSIDE-HOSTS
permit 192.168.1.0 0.0.0.255
!
ipnatpool NAT-POOL 155.1.1.1 155.1.1.254 netmask255.255.255.0
!
ipnatinside source list INSIDE-HOSTS pool NAT-POOL

R1#sh ipnattranslation
Pro Inside globalInside local Outside local Outside global
---155.1.1.1 192.168.1.1 ------
---155.1.1.2 192.168.1.2 ------
---155.1.1.3 192.168.1.3 ------

Configuration Example: Port Address Translation
Router R1:
interface fastethernet0/1
ipaddress 192.168.1.1 255.255.255.0
ipnatinside
!
interface fastethernet0/0
ipaddress 10.1.1.1 255.255.255.0
ipnatoutside
!
ipaccess-list standard INSIDE-HOSTS
permit 192.168.1.0 0.0.0.255
!
ip nat inside source list INSIDE-HOSTS interface fastethernet0/0 overload

R2#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
Icmp10.1.1.1:5 192.168.1.1 10.1.1.3:5 10.3.3.3:5
icmp10.1.1.1:6 192.168.1.2 10.1.1.4:6 10.3.3.4:6
tcp10.1.1.1:41683 192.168.1.3:41683 10.1.1.3:23 10.3.3.3:23
tcp10.1.1.1:51780 192.168.1.3:51780 10.3.1.4:80 10.3.3.4:80

Troubleshooting Command
1.show ip nat translation
2.show ip nat translation verbose
3.debug ip nat [detailed]

Still if further more clarification is required please go through the below videos.










1 comment:


  1. It is very useful and knowledgeable. Therefore, I would like to thank you for the efforts you have made in writing this article.

    WS-C3650-24PS-E
    WS-C3650-24TD-L
    WS-C3650-24PD-S

    ReplyDelete

Note: only a member of this blog may post a comment.