Network Address Translation

Network Address Translation (known as NAT in network lingo) has become a generic term for several related but different processes. The basic principle involves changing the source IP of a host in the packet header as its traffic crosses the NAT device. We examine the three main implementations of NAT on Cisco routers, along with the applications, advantages, and disadvantages of the NAT service, and finally the configuration commands to implement, verify, and troubleshoot it.

  Introduction to Wide-Area Networks

NAT Terminology

A number of unfortunately confusing terms are associated with NAT that in a typically evil plot are usually testable. The next figure diagrams a typical, simple NAT setup and accurately locates the terms you need to know.


The terms you need to be familiar with are as follows:

• Inside—This refers (typically) to the private side of the network, usually the source of addresses that are being translated.
• Outside—This is typically the public side of the network, the address space to which inside hosts are being translated.
• Inside Local—These addresses are assigned to inside hosts and are the ones being translated. Inside Local IPs are often RFC 1918 private IPs such as 192.168.x.x, 172.16–31.x.x and 10.x.x.x, but this is by no means a requirement.
• Inside Global—These are the addresses to which Inside Locals get translated; often registered IPs obtained from the ISP.
• Outside Global—These are typically registered IPs assigned to web servers, mail servers, or any host that is reachable on the public network (Internet, usually) itself.
• Outside Local—These are the addresses of Outside Global hosts as they appear on the Inside network; they might or might not have been translated from Outside to Inside, depending on the configuration.

These terms are confusing, and explaining them tends to make things worse. As a simplification, start with Local and Global: Local addresses are most often the RFC 1918 private ones that we are so familiar with; these will be on the private side of an Internet router. Global addresses are usually real, live, registered IPs, such as www.cisco.com, which at the time of this writing was 198.133.219.25. From this toehold on the terms, you should be able to reconstruct the others—an outside host with a local IP; an inside host with a global IP, and so on.

 

Applications, Advantages, and Disadvantages of NAT

NAT has three main applications:

• If you have more inside hosts than you have outside IP addresses, the NAT service can translate multiple inside hosts to a single outside IP. The two most common scenarios for this are a typical Internet access router, where all the hosts on the inside are granted Internet access using very few—or even just one—outside IP address, or a modification of that example in which a lot of IPs are available, but not enough for our requirements. In both cases, the problem that NAT solves is the depletion of IP addresses; the fact is that very few registered IPs are available any more, so being able to “reuse” them by NATing many hosts to a few of them is very helpful in extending the lifespan of the Internet address space.
• NAT can be used to solve two related and vexing network issues: the Overlapping Address Space and the Well-Meaning Admin Error. The Overlapping Address Space happens when we connect to another network that uses the same IP address range as we do; typically, this happens when we merge with another company. The problem is that we will have duplicate routes in different locations when the routers start updating each other, leading to instability, misrouting, and general mayhem. The Well-Meaning Admin Error happens when the person responsible for the network design either fails to plan for future growth of his network, or simply makes a mistake because of ignorance or arrogance. This most often takes the form of a private network being addressed with public IPs that belong to someone else.

A real-world example of this occurred when a representative from the ISP told their customer (a credit union where I worked) to use the address space of 191.168.0.0/24 for the inside network. This worked fine until Internet connectivity was required; at which time, it was pointed out that the 191.168.0.0 network was a registered Internet range belonging to an insurance firm in the Carolinas. This did cause some issues (for example, when one wanted to ping a domain controller in the head office in Vancouver, the replies came back from a large router somewhere on the East Coast), but the problem was largely hidden by the NAT service, which translated all those inside local IPs (which were incorrectly using outside global addresses) to appropriate outside global addresses.

• NAT can also be used to give a whole cluster of machines (each with different inside local IPs) a single IP address that the clients can use. This is called load distribution, and works well for high-volume server clusters such as databases or web servers in which all the clients can use a single virtual IP to reach the service, and that single IP is NATed to all the real IPs of the physical servers.

The advantages of NAT are first and foremost that it conserves the registered IP address space. There is a critical shortage of IPs now, so being able to connect hundreds of hosts to the Internet through a single address is a huge benefit. NAT also provides a certain degree of security because it hides the originating IP address and, if configured properly, prevents bad guys on the Internet from connecting to inside hosts. (The usual caveats here… NAT alone does not provide adequate security, but it can form a part of a secure configuration.) It also helps as a workaround alternative to having to readdress entire networks when address schemes overlap, and makes it easy to change ISP addresses without having to readdress all the inside hosts.

The disadvantages of NAT are primarily that by its very nature, it changes the source IP of traffic, from the actual IP of the host to the Inside Global IP to which it is translated. Some applications do not like this loss of end-to-end IP traceability and stop working. NAT also makes it more difficult when troubleshooting because of that source IP change—and you might be NATed a couple times or more on the journey through the internetwork. Last, the NAT process introduces a certain delay in the transmission of packets as they are rewritten and the translation information is looked up. Spending more money on your NAT box might help speed this up. Call your authorized Cisco VAR, quick!

Let’s look now at the three main NAT implementations.

Static NAT

Static NAT refers to the creation of a one-to-one mapping of an Inside Local IP to an Inside Global IP. Note that this type of NAT does not conserve IP addresses at all because we need one outside IP for every inside IP. Static NAT gives hosts such as mail or web servers access to the Internet even though they are physically on the private network. Perhaps more importantly, it allows us to access that web server from the Internet by creating a static NAT entry from an outside global IP to the server’s inside local IP.

Configuring a static NAT entry is easy. The only trick is to make sure that you get NAT working in the right direction: You must be very clear when identifying the Inside interface and the Outside. Figure 7.11 shows a simple network that we use to learn NAT configuration.

Let’s create a static NAT entry for the MX (Mail Exchanger) server with the IP of 192.168.0.25. The ISP has told us that we can use a block of IP addresses as shown, from 24.1.1.2 through 24.1.1.6, for our Inside Global addresses. We have decided to use 24.1.1.2 for the Inside Global IP of the MX host.


The global-config static NAT command uses fairly logical syntax:

ip nat inside source static <inside local IP> <inside global IP>

For our example, the command to enter on the NAT router would look like this:

NAT(config)#ip nat inside source static 192.168.0.25 24.1.1.2

Next, we have to identify the Inside and Outside interfaces:

NAT(config)#interface e0
NAT(config-if)#ip nat inside
NAT(config-if)#interface s0
NAT(config-if)#ip nat outside

And that’s all there is to creating a static NAT entry. Remember that static NAT entries use up one outside IP for every inside IP, so they do not conserve the IP address space at all.

[Figure 7.11: the NAT Router’s E0 interface is Inside (192.168.0.0/24, with the MX server at 192.168.0.25) and its S0 interface is Outside, toward the Internet; ISP addresses 24.1.1.2, 24.1.1.3, 24.1.1.4, 24.1.1.5, mask /24; www.cisco.com at 198.133.219.25]

Dynamic NAT

Dynamic NAT enables an inside host to get an outside address when needed; this saves us the trouble of creating multiple static maps, one for each host that wants to use the Internet. Dynamic NAT entries still don’t conserve IPs, since we still need one IP for every host that wants to connect to the Internet. Remember that if you have more hosts than outside IPs, some hosts will not get a translation entry and will not be capable of using the Internet. For this reason, it is not used much for Internet connectivity.

One of the interesting concepts introduced with dynamic NAT is that of the NAT pool: A pool is a defined group of addresses that are available for translation. Configuring dynamic NAT involves identifying which hosts are to be translated, and to which addresses they should be translated. Both of these steps can use the pool command, but it is more common to use an access list for the inside source and a pool for the outside addresses. The syntax to build a NAT pool looks like this:

ip nat pool [pool-name] [first-IP] [last-IP] netmask [mask]

The pool name is arbitrary. You can pick something that is meaningful to you. The first-IP and last-IP are the first and last IPs in the pool range, and the mask is the subnet mask of the network those outside IPs are on. Note that you must have the word netmask in the syntax! Here’s what this command would look like if we used the same network shown in Figure 7.11 and wanted to use the last four IPs in the range that the ISP gave us:

NAT(config)#ip nat pool MyPool 24.1.1.3 24.1.1.6 netmask 255.255.255.0

Next, we need to identify what hosts get to be translated; we could build another pool to do this, but it is more commonly done with a standard access list:

NAT(config)#access-list 1 permit 192.168.0.0 0.0.0.255

This list permits any address that starts with 192.168.0.x. Note that in this case, the list is not permitting traffic to or from the hosts; rather, it is identifying those hosts that can be translated.

EXAM ALERT

Be very familiar with the static NAT syntax, including the command prompt level at which it is used.


Chapter 7: Introduction to Wide-Area Networks

So at this point, we have built the pool of addresses that we will be translating to, we have identified which hosts can be translated (and possibly those that cannot), and all that is left is to configure the NAT process itself:

NAT(config)#ip nat inside source list 1 pool MyPool
NAT(config)#interface e0
NAT(config-if)#ip nat inside
NAT(config)#interface s0
NAT(config-if)#ip nat outside

The first line tells the router to use List 1 (which we built previously) to identify which hosts can be translated (these are the Inside Source addresses), and then identifies the pool called MyPool as the addresses to which the Inside Source Addresses should be translated.

The next lines, as before, tell the router which interface should be Inside and Outside. Remember, if you get these backwards, you will be translating the Internet into your private network…that could be bad.

Note that with a pool of only four addresses, the first four hosts who request a translation will get one (which they keep for 24 hours by default), and any additional hosts who request a translation will not be able to get one. The next section shows how PAT resolves this limitation.

It is a good idea (a best practice) to specifically deny any hosts that you do not want translated, using your access list. For example, because we already have a static NAT entry for the MX server in our example, we don’t want it to get another dynamic translation, so we would start the access list with the line

NAT(config)#access-list 1 deny host 192.168.0.25

Know the syntax to create a pool of addresses to which hosts can be translated!

PAT

PAT (Port Address Translation, also known as an extended NAT entry) leverages the nature of TCP/IP communication by using the source ports of hosts to distinguish them from each other when they are all being translated, possibly to a single outside address.


With PAT, an inside host is given a translation entry that uses not only the host’s IP address, but also its source port. Figure 7.12 illustrates the process as three inside hosts are translated to a single outside IP address as they contact different web servers.


So you can see now how PAT can hugely extend the registered Internet address space: We could in theory translate thousands of private IPs to a single IP (often, the IP assigned to our Outside interface) using PAT, by extending the Inside Local IP with the randomly generated source port and mapping that to the Inside Global IP extended by the same port number. With more than 64,000 ports available for this extended translation entry, the chances of two hosts randomly choosing the same source port are slim; if it does happen, the conflicting hosts are forced to reset and choose a different port number. We can further reduce the chances of this conflict happening by using a pool for PAT, which makes it very unlikely indeed that two hosts would get the same port and Inside Global IP from the pool.

The Cisco term for PAT is overload because we are overloading a single Inside Global IP with many Inside Local+Port mappings.

Configuring PAT is very easy; the commands are very similar to dynamic NAT, with the addition of the keyword overload as shown:

NAT(config)#access-list 1 permit 192.168.0.0 0.0.0.255
NAT(config)#ip nat inside source list 1 interface serial 0 overload
NAT(config)#interface e0
NAT(config-if)#ip nat inside
NAT(config)#interface s0
NAT(config-if)#ip nat outside

Note that we have used the parameters interface serial 0 overload at the end of the NAT command; the keyword overload turns on PAT, and the interface serial 0 parameter simply instructs the NAT service to use the existing IP of Serial 0 as the Inside Global IP for the translation. Here is a sample configuration that ties together a static NAT entry, creates a pool, and overloads that pool to enable PAT:

NAT(config)#access-list 1 deny host 192.168.0.25
NAT(config)#access-list 1 permit 192.168.0.0 0.0.0.255
NAT(config)#ip nat inside source static 192.168.0.25 24.1.1.2
NAT(config)#ip nat pool MyPool 24.1.1.3 24.1.1.6 netmask 255.255.255.0
NAT(config)#ip nat inside source list 1 pool MyPool overload
NAT(config)#interface e0
NAT(config-if)#ip nat inside
NAT(config)#interface s0
NAT(config-if)#ip nat outside

EXAM ALERT

This configuration, because it is such a fundamental and important one for Internet-connected networks, is highly tested. You should practice entering this configuration on a real router or router sim until you are totally comfortable with the commands.
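To make the dynamic NAT pool-exhaustion point and the PAT overload behaviour concrete, here is an added Python model (not Cisco IOS code, and not from the book) of how the router in the sample configuration above hands out translations: the static entry, access-list 1, MyPool, and the overload keyword. The fallback to the next unused port when every pool address has already used a host’s source port is a modelling assumption.

```python
import ipaddress

# Constructed model of the NAT behaviour described on this page (not Cisco IOS code).
ACL_1 = [("deny", "192.168.0.25", "0.0.0.0"),        # access-list 1 deny host 192.168.0.25
         ("permit", "192.168.0.0", "0.0.0.255")]     # access-list 1 permit 192.168.0.0 0.0.0.255
STATIC = {"192.168.0.25": "24.1.1.2"}                # ip nat inside source static 192.168.0.25 24.1.1.2
MYPOOL = ["24.1.1.3", "24.1.1.4", "24.1.1.5", "24.1.1.6"]  # ip nat pool MyPool 24.1.1.3 24.1.1.6 ...


def acl_permits(addr, acl):
    """Standard ACL semantics: first matching line wins, implicit deny at the end.
    A wildcard bit of 1 means 'do not care about this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wildcard in acl:
        n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))
        if (a | w) == (n | w):
            return action == "permit"
    return False


class NatRouter:
    def __init__(self, static, acl, pool, overload=False):
        self.static, self.acl, self.overload = dict(static), acl, overload
        self.free = list(pool)      # dynamic NAT: addresses not yet handed to a host
        self.pool = list(pool)      # PAT: every pool address stays reusable
        self.dynamic = {}           # inside local -> inside global (one address per host)
        self.extended = {}          # (inside local, port) -> (inside global, port)
        self.in_use = {g: set() for g in pool}   # ports already taken per inside global

    def translate(self, local_ip, local_port):
        """Return the (inside global, port) the packet leaves with, or None when no
        translation is available (host not permitted by the ACL, or pool exhausted)."""
        if local_ip in self.static:               # static entry: fixed one-to-one mapping
            return self.static[local_ip], local_port
        if not acl_permits(local_ip, self.acl):
            return None
        if not self.overload:                     # dynamic NAT: a whole address per host
            if local_ip not in self.dynamic:
                if not self.free:
                    return None                   # the fifth host finds MyPool empty
                self.dynamic[local_ip] = self.free.pop(0)
            return self.dynamic[local_ip], local_port
        key = (local_ip, local_port)              # PAT: the entry is extended by the source port
        if key not in self.extended:
            for g in self.pool:                   # keep the host's port if any address has it free
                if local_port not in self.in_use[g]:
                    port = local_port
                    break
            else:                                 # every address already uses that port:
                g = self.pool[0]                  # (modelling assumption) take the next free port
                port = next(p for p in range(1024, 65536) if p not in self.in_use[g])
            self.in_use[g].add(port)
            self.extended[key] = (g, port)
        return self.extended[key]
```

Running the same five inside hosts through `NatRouter(STATIC, ACL_1, MYPOOL)` and through the `overload=True` variant shows the difference the text describes: the fifth host gets no dynamic translation, but every host gets a PAT entry.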

Verification and Troubleshooting NAT and PAT

The main command used to verify that your NAT configuration is working is show ip nat translations. The following sample output, which could have come from the NAT router in our previous examples, demonstrates this.

NAT#show ip nat translations
Pro Inside Global     Inside Local        Outside Local    Outside Global
tcp 24.1.1.1:1812     192.168.0.66:1812   63.240.93.157    63.240.93.157
tcp 24.1.1.1:5440     192.168.0.13:5440   198.133.219.25   198.133.219.25
tcp 24.1.1.1:2112     192.168.0.8:2112    64.233.187.104   64.233.187.104

Note that all three inside hosts have been translated to the same Inside Global IP (which likely means that we have overloaded the S0 interface). We have proved that the PAT service is functioning because we can see the different port number extensions listed for each host. Note that the Outside Global and Outside Local IPs are the same; this is because we are not translating those IPs back into our inside network. If we were trying to solve the overlapping address space problem, those two IPs would be different for each outside host.

The command show ip nat statistics gives us a snapshot of how many translations have been performed, a general overview of how the NAT device is configured, and how much of our pool has been used, as demonstrated in the following output.
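The checks the preceding paragraph walks through by eye (one shared Inside Global, distinct ports per host, Outside Local equal to Outside Global) can be automated over the command output. The following parser is an added example, not from the book or from Cisco; the three tcp rows are the page’s own sample, while the `---` row is a constructed static entry for the MX host in the format IOS prints for static translations.

```python
import re

# Sample "show ip nat translations" output. The three tcp rows are the page's sample;
# the "---" row is a constructed static entry (IOS prints "---" where no protocol/port applies).
SAMPLE = """NAT#show ip nat translations
Pro Inside Global Inside Local Outside Local Outside Global
--- 24.1.1.2 192.168.0.25 --- ---
tcp 24.1.1.1:1812 192.168.0.66:1812 63.240.93.157 63.240.93.157
tcp 24.1.1.1:5440 192.168.0.13:5440 198.133.219.25 198.133.219.25
tcp 24.1.1.1:2112 192.168.0.8:2112 64.233.187.104 64.233.187.104
"""

# Exactly five whitespace-separated columns; the prompt (4 tokens) and the header (9) do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_addr(token):
    """'24.1.1.1:1812' -> ('24.1.1.1', 1812); a plain address or '---' gets port None."""
    ip, _, port = token.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    """Return one dict per translation row of the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        pro, ig, il, ol, og = m.groups()
        ig_ip, ig_port = split_addr(ig)
        il_ip, il_port = split_addr(il)
        rows.append({"proto": pro, "inside_global": ig_ip, "inside_global_port": ig_port,
                     "inside_local": il_ip, "inside_local_port": il_port,
                     "outside_local": ol, "outside_global": og})
    return rows


def summarize(rows):
    """The checks the text makes by eye: do the extended (PAT) entries overload a single
    Inside Global, do their ports stay unique, and are outside addresses being translated?"""
    ext = [r for r in rows if r["inside_global_port"] is not None]
    globals_ = {r["inside_global"] for r in ext}
    pairs = {(r["inside_global"], r["inside_global_port"]) for r in ext}
    return {
        "entries": len(rows),
        "extended": len(ext),
        "overloaded": len(ext) > 1 and len(globals_) == 1,
        "inside_globals": sorted(globals_),
        "ports_unique": len(pairs) == len(ext),
        "outside_translated": any(r["outside_local"] != r["outside_global"] for r in rows),
    }
```

For the sample, `summarize(parse_translations(SAMPLE))` reports three extended entries overloading 24.1.1.1 with unique ports and no outside translation, which is exactly the reading the text gives.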



NAT#show ip nat statistics
Total translations: 3 (0 static, 0 dynamic, 3 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 38 Misses: 3
Expired Translations: 0
Dynamic Mappings:
-- Inside source
access-list 1 pool MyPool refcount 3
Pool MyPool: netmask 255.255.255.0
Start 24.1.1.3 end 24.1.1.6
Type generic, total addresses 4, allocated 3 (75%), misses 0

If you can successfully ping a remote host, chances are good that your NAT/PAT config is at least partially functional.

If you do run into problems, it is possible to clear the NAT translations from the router, using clear ip nat translation *. This command clears all dynamic and extended translation entries. To clear a static entry, you must remove the command from your running-config.