Wednesday, 21 November 2007

NAT in a Nutshell

Network Address Translation (NAT) and Port Address Translation (PAT)

NAT runs on a router (here a Cisco router) that usually joins two networks, and it rewrites the private (inside local) addresses of the internal network to public (inside global) addresses before packets are forwarded to the other network.

As part of this functionality, you can configure NAT to present a single address for the entire network to the outside world. This hides the internal addressing from the outside and is often described as a security benefit. The caveat is that NAT only obscures addressing: it does not inspect or filter traffic, so a stateful firewall or access lists on the outside interface are still needed to control what can reach the translated hosts.

In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network refers to all other addresses. Usually these are valid addresses located on the Internet.

Cisco defines the following NAT terms:

  • Inside local address: The IP address assigned to a host on the inside network. It is usually a private (RFC 1918) address rather than one assigned by an Internet registry (NIC) or service provider.
  • Inside global address: A legitimate IP address assigned by an Internet registry (NIC) or service provider that represents one or more inside local addresses to the outside world.
  • Outside local address: The IP address of an outside host as it appears to the inside network. It is not necessarily a legitimate address; it is allocated from address space routable on the inside.
  • Outside global address: The IP address assigned to a host on the outside network by the host's owner. It is allocated from globally routable address space.

NAT has many different forms and can work in the following ways:

  • Static NAT: Maps an unregistered (inside local) address to a registered (inside global) address on a one-to-one basis. Static NAT is useful when a device such as a server must be reachable from outside the network; note that a plain one-to-one mapping exposes every port of that device.
  • Dynamic NAT: Maps an unregistered address to a registered address taken from a pool of registered addresses for the life of the translation.
  • Overloading: A form of dynamic NAT that maps many unregistered addresses to a single registered address (many-to-one) by using different source ports; also known as PAT.
    PAT uses unique source port numbers on the inside global address to distinguish between translations. Because the port number is a 16-bit field, one inside global address can in theory support roughly 65,000 concurrent translations per transport protocol (TCP and UDP have separate port spaces); in practice the router's usable port range and memory make the limit lower.

Configuring Static Translation

The ip nat inside source static command establishes static translation between an inside local address and an inside global address.

Router(config)#ip nat inside source static local-ip global-ip

To remove static translation use no ip nat inside source static

The ip nat inside command marks the interface as connected to the inside.

Router(config-if)#ip nat inside

The ip nat outside command marks the interface as connected to the outside.

Router(config-if)#ip nat outside

The complete process is below (the italic variables of the original are shown here as placeholders):

Router(config)#ip nat inside source static local-ip global-ip
Router(config)#interface type number
Router(config-if)#ip address ip-address subnet-mask
Router(config-if)#ip nat inside
Router(config-if)#interface type number
Router(config-if)#ip address ip-address subnet-mask
Router(config-if)#ip nat outside
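A complete static translation, as an added worked example that is not part of the original post. The addresses are assumed: 192.168.3.0/24 is the inside network, 203.0.113.0/24 the provider-assigned inside global range, and Serial0 the outside link. It shows the plain one-to-one mapping next to the port-level form (static PAT, `ip nat inside source static tcp`), which exposes one service instead of a whole host, and the inbound access list that NAT itself does not provide.

```cisco
! Added example, not from the original post. Assumed addressing:
! inside 192.168.3.0/24, inside global 203.0.113.0/24, outside link Serial0.
!
! One-to-one static NAT: every port of the server is reachable from
! outside at 203.0.113.10.
ip nat inside source static 192.168.3.10 203.0.113.10
!
! Static PAT: only TCP/443 of the internal host is exposed, at
! 203.0.113.11:443. Prefer this when a single service must be reachable.
ip nat inside source static tcp 192.168.3.20 443 203.0.113.11 443
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! NAT does not filter. An inbound ACL on the outside interface decides
! what may reach the translated hosts. The inbound ACL is evaluated
! before the outside-to-inside translation, so it matches the global
! (203.0.113.x) addresses, not the inside local ones.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.11 eq 443
 ! Classic, coarse allowance for replies to sessions opened from inside;
 ! a stateful inspection feature is the better choice where available.
 permit tcp any any established
 deny ip any any log
```

The `deny ip any any log` line restates the implicit deny so that blocked probes against the published addresses show up in the log rather than disappearing silently.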

Configuring Dynamic Translation

The ip nat pool command defines a pool of global addresses to be allocated as needed.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

To remove dynamic translation use the no ip nat pool command.

The access-list access-list-number command defines a standard IP access list permitting those inside local addresses that are to be translated. Only sources matched by a permit entry are translated; packets from other inside hosts are forwarded untranslated.

Router(config)#access-list access-list-number permit source [source-wildcard]

The ip nat inside source command establishes dynamic source translation, specifying the access list defined in the prior step.

The complete process is shown below:

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source list access-list-number pool pool-name
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#interface type number
Router(config-if)#ip nat outside
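A complete dynamic translation, as an added worked example that is not part of the original post. The addresses are assumed: 192.168.3.0/24 and 192.168.4.0/24 inside, 203.0.113.16 to 203.0.113.31 as the provider-assigned pool, Serial0 outside. It also shows the two failure modes a practitioner runs into with a pool: exhaustion and long-lived idle entries.

```cisco
! Added example, not from the original post. Assumed addressing:
! inside 192.168.3.0/24 and 192.168.4.0/24, pool 203.0.113.16-31,
! outside link Serial0.
!
! Pool of 16 inside global addresses. netmask and prefix-length are
! alternatives; give only one of them.
ip nat pool PUBLIC 203.0.113.16 203.0.113.31 netmask 255.255.255.0
!
! Only sources matched here are translated. Anything else from the
! inside interfaces is forwarded with its private source address, so
! keep the list tight.
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!
! One-to-one dynamic translation: the 17th concurrent host finds the
! pool empty and its packets are dropped. Adding the overload keyword
! to this line would fall back to PAT on the pool addresses instead.
ip nat inside source list 1 pool PUBLIC
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! A simple dynamic entry lives for 24 hours by default (86400 s), so a
! host that went quiet keeps its pool address; shorten the timeout so
! addresses return to the pool sooner.
ip nat translation timeout 3600
```

Check `show ip nat statistics` after a few minutes of traffic: a "misses" count that keeps rising while `show ip nat translations` shows no new entries usually means the pool is empty or the access list does not match the sources you expected.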

Configuring Overloading (PAT)

The access-list access-list-number command defines a standard IP access list permitting those inside local addresses that are to be translated.

Router(config)#access-list access-list-number permit source [source-wildcard]

Enter the global no access-list access-list-number command to remove the access list.

The ip nat inside source list command establishes dynamic source translation, specifying the access list defined in the prior step.

Router(config)#ip nat inside source list access-list-number interface interface_type/number overload

It is the “overload” keyword that enables PAT.

The complete process is shown below:

Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source list access-list-number interface interface_type/number overload
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#interface type number
Router(config-if)#ip nat outside

Example:

Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255
Router(config)#access-list 1 permit 192.168.4.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface Serial0 overload
Router(config)#interface Ethernet0
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#interface Ethernet1
Router(config-if)#ip address 192.168.4.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#interface Serial0
Router(config-if)#ip address 172.17.38.1 255.255.255.0
Router(config-if)#ip nat outside

Clearing the NAT translation table

After you have configured NAT, verify that it is operating as expected with the show commands, and use the clear commands to remove stale or unwanted entries from the translation table while you test.

Router#clear ip nat translation *
This clears all dynamic address translation entries from the NAT translation table, the * is a wildcard meaning "all".

Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
This clears a simple dynamic translation entry containing an inside translation, or both inside and outside translation.

Router#clear ip nat translation outside local-ip global-ip
This clears a simple dynamic translation entry containing an outside translation.

Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port, global-ip global-port]
This clears an extended dynamic translation entry.

Displaying NAT information

You can display translation information by performing one of the following tasks in EXEC mode.

Router#show ip nat translations – displays active translations

Router#show ip nat statistics – displays translation statistics.
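A verification walk-through for the PAT example above, added here and not part of the original post. The output lines are constructed to show the format of the extended entries; 198.51.100.20 is an assumed outside web server. It shows how the columns of `show ip nat translations` map onto the arguments of the extended `clear ip nat translation` command.

```cisco
! Added example, not from the original post. Output is constructed;
! inside networks 192.168.3.0/24 and 192.168.4.0/24 sit behind Serial0
! (172.17.38.1), and 198.51.100.20 is an assumed outside web server.
Router#show ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 172.17.38.1:49152     192.168.3.25:49152    198.51.100.20:80      198.51.100.20:80
tcp 172.17.38.1:1024      192.168.4.7:49152     198.51.100.20:80      198.51.100.20:80
! Both inside hosts picked source port 49152. The first kept it; PAT
! rewrote the second host's source port so the two sessions stay
! distinguishable on the single inside global address.
!
! With overload every entry is an extended (5-tuple) entry, so clearing
! one takes the protocol and both address/port pairs, in the order the
! table prints them: inside global, local, then outside local, global.
Router#clear ip nat translation tcp inside 172.17.38.1 1024 192.168.4.7 49152 outside 198.51.100.20 80 198.51.100.20 80
!
! Hits = lookups that found an entry; Misses = lookups that had to
! create one. Misses rising with no new entries points at an access
! list that does not match the source or at an exhausted pool.
Router#show ip nat statistics
!
! debug ip nat logs every translated packet. Use it briefly on a quiet
! router and turn it off as soon as you have what you need.
Router#debug ip nat
Router#undebug all
```

If a host shows no entry at all, check `show ip nat statistics` for the interface list: a missing `ip nat inside` or `ip nat outside` on one interface is the most common reason for traffic passing untranslated.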

Troubleshooting the NAT and PAT Configuration

Use Router#debug ip nat to watch translations being created and used. It logs every translated packet, so on a busy router it can overwhelm the console and the CPU; enable it briefly, and turn it off with Router#undebug all when finished.

5 comments:

  1. Hi Chris,

    I would like to ask you a question about NAT.
    Our network uses Class B with a /16 mask and has a lot of subnets.
    We want to control internet access for user using ACL on router.
    I created Named ACL for each of department so that I can manage easily.
    My question is: Can I use all department Named ACL with NAT?
    e.g ip nat inside source list HR pool Outside overload
    ip nat inside source list FIN pool Outside overload

    Thanks, and looking forward to hearing from you soon.

  2. Hi,

    There are two ways I would imagine you could do this. The damn right dirty way or the nice and elegant way and it depends on if you're reusing your access-lists for other purposes.

    The dirty way would be to create one big access-list rather than dept specific lists.

    The elegant way would be to use a route-map to refer out to your dept-specific access-lists as below:

    route-map NATMAP permit 10
    match ip address HR
    route-map NATMAP permit 20
    match ip address FIN
    route-map NATMAP deny 30

    ip nat inside source route-map NATMAP interface Dialer0 overload

    I reckon this should do the trick.

    Good luck!

    Chris

  3. Hi Chris,

    Thanks for your time and knowledge sharing.

    I want to filter ip to allow access to internet. I am thinking of two ways.
    1) Create an ACL for all allowable IPs and attach it to the inside router port, so that we can filter IPs before they enter the router.
    2) OR using route-map with NAMED ACL that represent individual Departments users' IP.

    Could you give me any suggestions?

  4. Hi Chris,
    I am a big fan of your blog; I also follow your solutions on Sadikhov. Can you please write a tutorial on ACLs and route-maps!!!

  5. Hi Joel,

    Firstly, thanks for your support! I've just taken some time out from studying and am slowly getting back into the groove. I've even picked up the CCIE books again so you may well see some more posts coming along soon including route-maps and ACLs.

    If you could be more specific as to what is actually troubling you then I will give it a shot sooner rather than later.

    Good luck with your studies!

    Chris
