Network Address Translation (NAT) is
designed for IP address conservation. It enables private IP networks that use
unregistered IP addresses to connect to the Internet. NAT operates on a router,
usually connecting two networks together, and translates the private (not
globally unique) addresses in the internal network into legal addresses, before
packets are forwarded to another network.
As part of this capability, NAT can
be configured to advertise only one address for the entire network to the
outside world. This provides additional security by effectively hiding the
entire internal network behind that address. NAT offers the dual functions of
security and address conservation and is typically implemented in remote-access
environments.
When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 (2^32) unique addresses. The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for multicasting, testing or other special uses.
This is where NAT (RFC 1631) comes to
the rescue. Network Address Translation allows a single device, such as a
router, to act as an agent between the Internet (or "public network")
and a local (or "private") network. This means that only a single,
unique IP address is required to represent an entire group of computers.
But the shortage of IP addresses is
only one reason to use NAT.
Cisco's version of NAT lets an administrator create
tables that map:
- A local IP address to one global IP address statically,
- A local IP address to any of a rotating pool of global IP addresses that a company may have,
- A local IP address plus a particular TCP port to a global IP address or one in a pool of them,
- A global IP address to any of a pool of local IP addresses on a round-robin basis.
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world.
NAT has many forms and can work
in several ways:
- Static NAT
Mapping an unregistered
IP address to a registered IP address on a one-to-one basis. Particularly
useful when a device needs to be accessible from outside the network.
- Dynamic NAT
Maps an unregistered IP
address to a registered IP address from a group of registered IP addresses.
- NAT Overload or PAT
A form of
dynamic NAT that maps multiple unregistered IP addresses to a single registered
IP address by using different ports. This is known also as PAT (Port Address
Translation), single address NAT or port-level multiplexed NAT.
- Overlapping
When the IP addresses
used on your internal network are registered IP addresses in use on another network,
the router must maintain a lookup table of these addresses so that it can
intercept them and replace them with registered unique IP addresses. It is
important to note that the NAT router must translate the "internal"
addresses to registered unique addresses as well as translate the
"external" registered addresses to addresses that are unique to the
private network. This can be done either through static NAT or by using DNS and
implementing dynamic NAT.
The following list describes the
different types of addresses:
- Local
This refers to what happens on
the inside of your network.
- Global
This refers to what happens on
the outside of your network.
- Inside Local Address
This is an
address of a host on your internal network, for example, 192.168.8.25.
- Inside Global Address
This is the
mapped address that people on the Internet would see, which represents the
inside host.
- Outside Global Address
The IP
address of a remote Internet-based host as assigned by the owner that can
communicate with an inside host, for example, 192.0.2.100.
- Outside Local Address
This is the
address that the inside hosts use to reference an outside host. The outside
local address may be the outside host’s actual address or another translated
private address from a different private address block.
Therefore, the router could translate
that address to 192.168.10.50, or it could be the public address of the
external host. The internal hosts would contact this address to deal with the
external host.
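As an added example (not code from the page or from Cisco), here is a small Python model of the static, dynamic and overload/PAT modes described above, written with the address terms just defined. It uses the addresses of the lab configuration later on this page (192.168.1.x as inside local, 101.1.1.x as inside global, the server 30.1.1.2 as outside global) and constructed port numbers; `demo()` sends one packet from each of three inside hosts and returns the NAT object and the inside global source each host got.

```python
# Added example (not from the page or Cisco): a minimal model of static,
# dynamic and overloaded (PAT) NAT in the page's terms. Addresses are the
# page's lab values; ports are constructed. Packets are (src, dst) "ip:port" tuples.
class Nat:
    def __init__(self, mode, static=None, pool=(), interface_ip=None):
        self.mode = mode                   # "static", "dynamic" or "pat"
        self.static = dict(static or {})   # inside local -> inside global (1:1)
        self.free = list(pool)             # unused inside globals (dynamic NAT)
        self.if_ip = interface_ip          # the single inside global PAT overloads
        self.hosts = {}                    # dynamic: inside local -> inside global
        self.ports = {}                    # pat: "local:port" -> "if_ip:port"
        self.reverse = {}                  # inside global key -> inside local key
        self.next_port = 1024

    def _global(self, host, port):
        if self.mode == "static":
            g = self.static.get(host)      # no entry: host stays untranslated
            return None if g is None else f"{g}:{port}"
        if self.mode == "dynamic":
            if host not in self.hosts:
                if not self.free:          # pool exhausted: first come, first served
                    return None
                self.hosts[host] = self.free.pop(0)
            return f"{self.hosts[host]}:{port}"
        key = f"{host}:{port}"             # pat: one address, many unique ports
        if key not in self.ports:
            self.ports[key] = f"{self.if_ip}:{self.next_port}"
            self.next_port += 1
        return self.ports[key]

    def outbound(self, pkt):
        # Inside -> outside: rewrite the source and remember the reverse mapping.
        host, port = pkt[0].split(":")
        g = self._global(host, port)
        if g is None:
            return None                    # private source would leak: drop it
        self.reverse[g] = pkt[0]
        return (g, pkt[1])

    def inbound(self, pkt):
        # Outside -> inside: only a reply to an existing translation gets through.
        local = self.reverse.get(pkt[1])
        return None if local is None else (pkt[0], local)
def demo(mode):
    nat = Nat(mode, static={"192.168.1.2": "101.1.1.2"},
              pool=["101.1.1.2", "101.1.1.3"], interface_ip="101.1.1.10")
    seen = []
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        out = nat.outbound((f"{host}:40000", "30.1.1.2:80"))
        seen.append(out[0] if out else None)
    return nat, seen
```

With one static entry the second and third hosts are not translated at all, with a two-address pool the third host is left without a translation, and with PAT all three share 101.1.1.10 on distinct ports, which is also why only a reply to an existing entry is allowed back in.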
NAT Configuration
Basically, NAT allows a single
device, such as a router, to act as an agent between the Internet (or public
network) and a local network (or private network), which means that only a
single unique IP address is required to represent an entire group of computers
to anything outside their network.
To configure traditional NAT, you need at least one interface on the router marked NAT outside, another interface marked NAT inside, and a set of rules for translating the IP addresses in the packet headers (and payloads, if desired).
Example Config for Static, Dynamic, Overload/PAT NAT
Here we add the serial interfaces on each of the ISP routers (each ISP router needs more than one serial interface):
R1(config)#int s0/0
R1(config-if)#ip add 12.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#clock rate 64000
R1(config-if)#int s0/1
R1(config-if)#ip add 41.1.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#clock rate 64000
R1(config-if)#int s0/2
R1(config-if)#ip add 101.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#clock rate 64000
Now on R2:
R2(config)#int s0/0
R2(config-if)#ip add 12.1.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s0/1
R2(config-if)#ip add 23.1.1.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#clock rate 64000
Now on R3 (s0/2 is the link toward the BO router, whose default route below points at 201.1.1.1):
R3(config)#int s0/0
R3(config-if)#ip add 23.1.1.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int s0/1
R3(config-if)#ip add 34.1.1.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#clock rate 64000
R3(config-if)#int s0/2
R3(config-if)#ip add 201.1.1.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#clock rate 64000
R3(config-if)#int fa0/0
R3(config-if)#ip add 40.1.1.1 255.255.255.0
R3(config-if)#no shut
Now on R4:
R4(config)#int s0/0
R4(config-if)#ip add 34.1.1.2 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int s0/1
R4(config-if)#ip add 41.1.1.1 255.255.255.0
R4(config-if)#no shut
R4(config-if)#clock rate 64000
R4(config-if)#int fa0/0
R4(config-if)#ip add 30.1.1.1 255.255.255.0
R4(config-if)#no shut
Now on the HO router:
HO(config)#int s0/0
HO(config-if)#ip add 101.1.1.10 255.255.255.0
HO(config-if)#no shut
HO(config-if)#clock rate 64000
HO(config-if)#int fa0/0
HO(config-if)#ip add 192.168.1.1 255.255.255.0
HO(config-if)#no shut
Now on the BO router:
BO(config)#int s0/0
BO(config-if)#ip add 201.1.1.10 255.255.255.0
BO(config-if)#no shut
BO(config-if)#clock rate 64000
BO(config-if)#int fa0/0
BO(config-if)#ip add 192.168.1.1 255.255.255.0
BO(config-if)#no shut
Now we run a routing protocol (EIGRP) on the ISP routers:
R1(config)#router eigrp 100
R1(config-router)#network 0.0.0.0
R1(config-router)#no auto-summary
R2(config)#router eigrp 100
R2(config-router)#network 0.0.0.0
R2(config-router)#no auto-summary
R3(config)#router eigrp 100
R3(config-router)#network 0.0.0.0
R3(config-router)#no auto-summary
R4(config)#router eigrp 100
R4(config-router)#network 0.0.0.0
R4(config-router)#no auto-summary
Now we assign IP addresses to the servers:
Server 1 30.1.1.2
Server 2 40.1.1.2
Now each server can ping all four ISP routers.
R1 can ping the HO router because the two are directly connected, but HO cannot ping R2, because HO has no route to the remote networks yet.
Now we configure default routing on the HO router:
HO(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.1
Now HO can ping all the ISP routers and the servers.
Now we configure default routing on BO as well:
BO(config)#ip route 0.0.0.0 0.0.0.0 201.1.1.1
Now BO can also ping all the ISP routers and the servers, and BO can ping the HO router.
Now we assign IPs to the BO PCs:
192.168.1.2
192.168.1.3
192.168.1.4
And to the HO PCs:
192.168.1.2
192.168.1.3
192.168.1.4
Here we can see that the HO hosts cannot ping the ISP routers, because private IP addresses are not routable over the Internet. They cannot ping the servers either.
Now suppose we purchased three public IPs in the same range:
101.1.1.2
101.1.1.3
101.1.1.4
- Here we will perform static NAT
HO(config)#int s0/0
HO(config-if)#ip nat outside
HO(config-if)#int fa0/0
HO(config-if)#ip nat inside
HO(config-if)#exit
HO(config)#ip nat inside source static 192.168.1.2 101.1.1.2
HO(config)#ip nat inside source static 192.168.1.3 101.1.1.3
HO(config)#ip nat inside source static 192.168.1.4 101.1.1.4
Now the HO PCs can ping the ISP routers and the servers.
HO#sh ip nat translation
HO#sh ip nat statistics
Now we configure static NAT on the BO router.
Suppose we purchased these public IP addresses:
201.1.1.2
201.1.1.3
201.1.1.4
BO(config)#int fa0/0
BO(config-if)#ip nat inside
BO(config-if)#int s0/0
BO(config-if)#ip nat outside
BO(config-if)#exit
BO(config)#ip nat inside source static 192.168.1.2 201.1.1.2
BO(config)#ip nat inside source static 192.168.1.3 201.1.1.3
BO(config)#ip nat inside source static 192.168.1.4 201.1.1.4
BO#sh ip nat translation
Now BO can ping the ISP routers and the servers. Next we connect three more PCs to HO:
192.168.1.5
192.168.1.6
192.168.1.7
The new PCs cannot ping the servers, because they have no static translation.
Now we create dynamic NAT.
On HO we need to remove the static NAT first:
HO(config)#no ip nat inside source static 192.168.1.2 101.1.1.2
HO(config)#no ip nat inside source static 192.168.1.3 101.1.1.3
HO(config)#no ip nat inside source static 192.168.1.4 101.1.1.4
In dynamic NAT the pool addresses are handed out first come, first served.
HO(config)#access-list 10 permit 192.168.1.0 0.0.0.255
HO(config)#int fa0/0
HO(config-if)#ip nat inside
HO(config-if)#int s0/0
HO(config-if)#ip nat outside
HO(config-if)#exit
HO(config)#ip nat pool HR ?
HO(config)#ip nat pool HR 101.1.1.2 101.1.1.4 netmask 255.255.255.0
HO(config)#ip nat inside source list 10 pool HR
Now all the HO PCs can ping the ISP routers and the servers (the pool holds three addresses, so only three hosts hold a translation at any one time; the others get one once an entry is cleared or times out).
HO#sh ip nat translation
HO#clear ip nat translation *
HO#sh ip nat translation
Now we remove the dynamic NAT again (the translation rule must be removed before the pool it references):
HO(config)#no ip nat inside source list 10 pool HR
HO(config)#no ip nat pool HR 101.1.1.2 101.1.1.4 netmask 255.255.255.0
HO(config)#no access-list 10
- Now here we will perform NAT Overload/PAT
HO(config)#int s0/0
HO(config-if)#ip nat outside
HO(config-if)#int fa0/0
HO(config-if)#ip nat inside
HO(config-if)#exit
HO(config)#access-list 10 permit 192.168.1.0 0.0.0.255
HO(config)#ip nat inside source list 10 int s0/0 overload
Now all the HO PCs can ping the ISP routers and the servers, all sharing the address of s0/0.
HO#sh ip nat translation
HO#clear ip nat translation *
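As an added example (not from the page or from Cisco), a Python check that reads "show ip nat translations" output, the command used above to verify each step, and classifies every inside host's translation against the allotment the HO router was given: the static 1:1 entry, the HR pool 101.1.1.2 to 101.1.1.4, and the PAT address 101.1.1.10 of s0/0. The SAMPLE text is constructed in the column layout IOS prints, not captured from a router; its 192.168.1.7 row models a static mapping that was never removed, which is what a policy check of this kind is meant to catch.

```python
from collections import defaultdict

# Added example (not from the page or Cisco): parse "show ip nat translations"
# output and check each inside host's translation against the intended policy.
# SAMPLE is constructed in the column layout IOS prints, not captured output;
# the 192.168.1.7 row models a static mapping that was not removed.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 101.1.1.2          192.168.1.2        ---                ---
icmp 101.1.1.2:3       192.168.1.2:3      30.1.1.2:3         30.1.1.2:3
icmp 101.1.1.10:1024   192.168.1.5:1      30.1.1.2:1         30.1.1.2:1024
icmp 101.1.1.10:1025   192.168.1.6:1      30.1.1.2:1         30.1.1.2:1025
--- 101.1.1.9          192.168.1.7        ---                ---
"""

def parse(text):
    """Yield (inside global ip, inside local ip) for each translation row."""
    for line in text.splitlines()[1:]:          # first line is the column header
        _pro, ig, il, _ol, _og = line.split()
        yield ig.split(":")[0], il.split(":")[0]

def audit(text, static, pool, pat_ip):
    """Return {inside local: kind}; kind is static, dynamic, pat or unexpected."""
    by_host = defaultdict(set)
    for ig, il in parse(text):
        by_host[il].add(ig)
    report = {}
    for host, globs in by_host.items():
        kinds = set()
        for g in globs:
            if g == pat_ip:                      # many hosts share the interface IP
                kinds.add("pat")
            elif static.get(host) == g:          # the intended 1:1 mapping
                kinds.add("static")
            elif g in pool:                      # handed out from the dynamic pool
                kinds.add("dynamic")
            else:                                # a global the policy never allotted
                kinds.add("unexpected " + g)
        report[host] = ",".join(sorted(kinds))
    return report

def lab_audit():
    """Audit SAMPLE against the HO router's allotment from the lab above."""
    return audit(SAMPLE, static={"192.168.1.2": "101.1.1.2"},
                 pool={"101.1.1.2", "101.1.1.3", "101.1.1.4"}, pat_ip="101.1.1.10")
```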
- Overlapping
Example Config for Overlapping NAT
Let's talk through what we are going to do here. We want R1 to be able to reach R4's loopback and vice versa, but we need to trick both routers in a way. If R1 just tries to ping 100.0.0.4, nothing is going to happen, because R1 has a directly connected route for 100.0.0.0/24. If R4 tries to ping 100.0.0.1 it will have the same issue. We will use NAT in both directions to solve this problem. In other words, R1 has to believe it is talking to some IP address other than 100.0.0.4, and R4 has to believe it is talking to something other than 100.0.0.1. Before we do that, let's set up some basic default routing on R1 and R4.
R1(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2
R4(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.2
Now let's set up our NAT on R2, the router in between:
R2(config)#interface FastEthernet0/0.12
R2(config-subif)#ip nat inside
R2(config-subif)#interface FastEthernet0/0.24
R2(config-subif)#ip nat outside
R2(config-subif)#exit
R2(config)#ip nat inside source static 100.0.0.1 11.11.11.11
R2(config)#ip nat outside source static 100.0.0.4 44.44.44.44
Let’s break down what the packet flow
is going to look like here. When R1
sources a ping packet from 100.0.0.1 destined to 44.44.44.44 two things will
happen. Our inside NAT rule there will
translate the source of the packet to 11.11.11.11. At the same time, the outside NAT rule will
translate the destination of the packet to 100.0.0.4.
If everything gets routed OK, R4 will
receive an ICMP echo packet sourced from 11.11.11.11 and destined to 100.0.0.4
and it will send an ICMP echo reply sourced from 100.0.0.4 and destined to
11.11.11.11. When R2 receives the
packet, it will then translate the source of the packet to 44.44.44.44 and
translate the destination of the packet to 100.0.0.1 at the same time.
The thing to keep in mind is that
both the inside and outside NAT rules work bidirectionally. In other words, when I say ip nat inside
source static 100.0.0.1 11.11.11.11 I am actually telling the router to do two
things. If the packet is sourced from
100.0.0.1 on the inside interface, translate the source to 11.11.11.11. Also, if the packet is destined to
11.11.11.11 on the outside interface, translate the destination to
100.0.0.1. The outside NAT rule is
similar in accomplishing two things.
When I say ip nat outside source static 100.0.0.4 44.44.44.44 I am telling the router to do two
things. If the packet is sourced from
100.0.0.4 and coming in the outside interface, translate the source to
44.44.44.44. When packets come in the
inside interface destined to 44.44.44.44, translate the destination to
100.0.0.4.
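As an added example (not from the page or from Cisco), here is a Python model of R2's two static rules that walks the ping described above through both directions, and also shows, using the standard ipaddress module, why R1 would never forward a ping addressed to 100.0.0.4 in the first place. It assumes R2 is the NAT router between R1 and R4, as the text states, and that R1's loopback subnet is 100.0.0.0/24.

```python
import ipaddress

# Added example (not from the page or Cisco): a model of R2's two static rules
# in the overlapping scenario, showing that each rule rewrites in both
# directions. Addresses are the page's; R2 is the NAT router between R1 and R4.
INSIDE_STATIC = {"100.0.0.1": "11.11.11.11"}     # ip nat inside source static
OUTSIDE_STATIC = {"100.0.0.4": "44.44.44.44"}    # ip nat outside source static
R1_CONNECTED = ipaddress.ip_network("100.0.0.0/24")  # R1's own loopback subnet

def _invert(mapping):
    return {v: k for k, v in mapping.items()}

def r1_sends_to_default(dst):
    """Why the trick is needed: R1 only forwards dst to R2 if it is not local."""
    return ipaddress.ip_address(dst) not in R1_CONNECTED

def inside_to_outside(src, dst):
    """Packet entering R2 on the inside interface (from R1)."""
    src = INSIDE_STATIC.get(src, src)              # inside local -> inside global
    dst = _invert(OUTSIDE_STATIC).get(dst, dst)    # outside local -> outside global
    return src, dst

def outside_to_inside(src, dst):
    """Packet entering R2 on the outside interface (from R4)."""
    src = OUTSIDE_STATIC.get(src, src)             # outside global -> outside local
    dst = _invert(INSIDE_STATIC).get(dst, dst)     # inside global -> inside local
    return src, dst

def ping_round_trip(src="100.0.0.1", dst="44.44.44.44"):
    """R1 pings R4's translated address; returns (what R4 sees, what R1 gets back)."""
    if not r1_sends_to_default(dst):
        return None, None                          # R1 treats dst as directly connected
    at_r4 = inside_to_outside(src, dst)
    reply = (at_r4[1], at_r4[0])                   # R4 answers with src and dst swapped
    return at_r4, outside_to_inside(*reply)
```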