ICND2 OECG Chapter 16 NAT
Posted by Aragoen Celtdra on 28th May 2008
Network Address Translation
- NAT is defined in RFC 3022. Simply put, it allows hosts with private IP addresses (RFC 1918) to communicate with other hosts on the Internet. NAT “translates” these private addresses into a valid registered IP address that can communicate with the Internet. There is a lot more to be defined, but for the purposes of CCNA, this will do for now.
- To set up NAT, you need a router that performs the NAT functions. When a packet from the private enterprise network hits the NAT router, NAT changes the packet’s source IP address to a globally unique Internet address as it leaves the organization.
- NAT is just one of several solutions created for the purpose of preserving the IPv4 address space – to slow down the inevitable depletion of publicly assignable addresses. In brief, the following summarizes some of the other solutions:
- Classless Interdomain Routing (CIDR) - This allows ISPs to reduce the amount of wasted IP addresses by assigning only a portion of a network number instead of assigning a whole network. CIDR’s main goals are:
- Route aggregation for shorter routing tables – CIDR allows for easier route aggregation in the Internet. Instead of listing a whole bunch of classful networks in a router’s routing table, route aggregation reduces the number of routes processed.
- IPv4 Address Conservation - CIDR gives ISPs the ability to assign only a subset of a classful network to customers. For example, a customer can be assigned 198.8.3.16/30 instead of the whole 198.8.3.0/24 network.
- Private Addressing – RFC 1918, Address Allocation for Private Numbers, defines a subset of network numbers that will never be assigned to the public as registered network numbers. Any organization can use these private addresses on its own network. These numbers cannot be advertised to the Internet, but with the use of NAT, hosts using them can still communicate with the Internet.
- IPv6 – The ultimate goal is to implement this new addressing scheme. IPv6 uses a 128-bit address versus the 32-bit address used in IPv4, which gives an address space of about 10^38 addresses.
- NAT – this is of course what this whole chapter is about.
Terminologies
- Inside Local – The actual IP address assigned to the host of an enterprise network.
- Inside Global – Represents the inside host, within the enterprise, using the public address assigned by the ISP. The inside global IP address will be used to represent the private IP address of the host coming from the inside to the outside.
- Outside Local – The IP address that represents the host from outside the network.
- Outside Global – Represents the outside host with a public IP address that can be used on the public Internet.
The following diagrams help to illustrate the concepts and terminologies as pertains to NAT.
source:http://www.cisco.com/warp/public/556/8.html
The following is a summary of the main types of NAT:
Static NAT
- Static NAT configures a one-to-one mapping of the private IP address to the publicly registered IP address. That is, the inside local address is statically mapped to the inside global address that represents it to the public.
- For instance, a company with the assigned network 200.1.1.0 can use any valid IP address in it (200.1.1.1, for example) to map to a private host on the enterprise network (10.1.1.1, for example). When a packet from host 10.1.1.1 hits the NAT router (with Source Address (SA) 10.1.1.1) on its way to the Internet, the router changes the SA to 200.1.1.1, a public address that can be routed through the Internet.
- If you want a different host to go out to the Internet as well, you’ll have to configure a second static one-to-one mapping, for example 10.1.1.2 to 200.1.1.2.
Dynamic NAT
- Dynamic NAT is similar to Static NAT in that the NAT router creates a one-to-one mapping between the inside local and the inside global addresses. The difference is that the mapping happens dynamically.
- To create the mapping, you have to configure a pool of inside global (registered IP) addresses that can be used to map existing inside local (private) addresses. To determine which inside local addresses will be allowed to be NATted, an IP access list has to be configured to filter what can be translated and what cannot.
- As the host’s traffic passes through the NAT router, the router maps the inside local address to an available address from the pool of inside global addresses.
- The number of addresses that can be mapped depends on the number of inside global addresses configured in the pool.
- If more packets arrive than there are available inside global addresses in the pool, the excess packets get discarded.
- A timeout value can be configured to tell the router to remove a dynamic entry if it hasn’t translated any packets for the length of the timeout period.
- The dynamic mappings can be manually cleared using the clear ip nat translation command.
NAT Overload and PAT
- NAT Overload, also called Port Address Translation (PAT), allows NAT to map many private addresses to fewer public IP addresses. This is done by also mapping ports (as in TCP/UDP).
- To create a dynamic mapping, PAT selects an inside global IP address to map to the inside local address and, additionally, selects a unique port number to use with that address. Every unique combination of inside local address and port number is stored in a table and paired with an inside global address and port number combination.
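The three mechanisms above (static one-to-one mapping, dynamic allocation from a pool with discard on exhaustion and idle timeout, and PAT sharing one address by port) can be seen side by side in the toy NAT table below. It is an added illustration for these notes, not Cisco IOS code; the addresses, ports and timeout are constructed, and the IOS commands named in comments (ip nat inside source static, ip nat pool, the overload keyword, ip nat translation timeout, clear ip nat translation) are only the real features each step stands in for. Only the source address of outbound traffic and the reverse lookup for replies are modelled.

```python
"""Toy model of NAT on a border router: static, dynamic (pool) and overload/PAT.

Added example for these study notes, not Cisco IOS code. All addresses, ports
and the timeout value are constructed. IOS commands in comments name the real
feature each step corresponds to.
"""


class NatRouter:
    def __init__(self, timeout=86400):
        self.now = 0.0             # simulated clock in seconds
        self.timeout = timeout     # like 'ip nat translation timeout' (IOS default 86400 s)
        self.static = {}           # inside local ip -> inside global ip ('ip nat inside source static')
        self.pool = []             # free inside global ips ('ip nat pool ...')
        self.overload_ip = None    # single inside global ip shared by PAT ('... overload')
        self.next_port = 1024      # next inside global port PAT hands out
        self.dynamic = {}          # inside local ip -> [inside global ip, last_used]
        self.pat = {}              # (local ip, local port) -> [(global ip, global port), last_used]
        self.drops = 0             # packets discarded because no translation was available

    # ---- configuration -------------------------------------------------
    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def add_pool(self, inside_globals):
        self.pool.extend(inside_globals)

    def set_overload(self, inside_global):
        self.overload_ip = inside_global

    # ---- table maintenance ---------------------------------------------
    def expire(self):
        """Remove dynamic/PAT entries idle longer than the timeout; static entries never age out."""
        for local, (glob, last) in list(self.dynamic.items()):
            if self.now - last > self.timeout:
                del self.dynamic[local]
                self.pool.append(glob)          # the address becomes reusable
        for key, (_, last) in list(self.pat.items()):
            if self.now - last > self.timeout:
                del self.pat[key]

    def clear_translations(self):
        """Like 'clear ip nat translation *': flush every dynamic and PAT entry."""
        for glob, _ in self.dynamic.values():
            self.pool.append(glob)
        self.dynamic.clear()
        self.pat.clear()

    # ---- data plane ----------------------------------------------------
    def translate_outbound(self, src_ip, src_port):
        """Return the (inside global ip, port) an inside->outside packet leaves with,
        or None if the packet has to be discarded."""
        self.expire()
        if src_ip in self.static:                       # static NAT: fixed 1:1 mapping
            return (self.static[src_ip], src_port)
        if src_ip in self.dynamic:                      # dynamic NAT: reuse the live mapping
            self.dynamic[src_ip][1] = self.now
            return (self.dynamic[src_ip][0], src_port)
        if self.pool:                                   # dynamic NAT: take a free pool address
            glob = self.pool.pop(0)
            self.dynamic[src_ip] = [glob, self.now]
            return (glob, src_port)
        if self.overload_ip is not None:                # PAT: one ip, a distinct port per flow
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = [(self.overload_ip, self.next_port), self.now]
                self.next_port += 1
            self.pat[key][1] = self.now
            return self.pat[key][0]
        self.drops += 1                                 # pool exhausted and no overload configured
        return None

    def translate_inbound(self, dst_ip, dst_port):
        """Map the destination of a reply arriving from the outside back to the inside host."""
        self.expire()
        for local, glob in self.static.items():
            if glob == dst_ip:
                return (local, dst_port)
        for local, (glob, _) in self.dynamic.items():
            if glob == dst_ip:
                return (local, dst_port)
        for (local_ip, local_port), (glob, _) in self.pat.items():
            if glob == (dst_ip, dst_port):
                return (local_ip, local_port)
        return None

    def show_translations(self):
        """Rows roughly like 'show ip nat translations': (inside global, inside local)."""
        rows = [(g, l) for l, g in self.static.items()]
        rows += [(g, l) for l, (g, _) in self.dynamic.items()]
        rows += [(f"{g[0]}:{g[1]}", f"{l[0]}:{l[1]}") for l, (g, _) in self.pat.items()]
        return rows


if __name__ == "__main__":
    r = NatRouter(timeout=600)
    r.add_static("10.1.1.1", "200.1.1.1")
    r.add_pool(["200.1.1.2", "200.1.1.3"])
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"):
        print(host, "->", r.translate_outbound(host, 40000))   # last one is None: pool empty
    print(r.show_translations())
```

Run the module directly to see the fourth host dropped once the two-address pool is used up; advancing `r.now` past the timeout and translating again shows the expired addresses returned to the pool, and a second router with only `set_overload(...)` shows every host sharing one inside global address with distinct ports.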
Translating Overlapping Addresses
- Another variation of NAT allows the translation of both the source and destination addresses. This is used in a network setup where two networks have overlapping IP addresses.
- This scenario happens when one network uses an IP addressing scheme that is registered to someone else; in other words, it is inappropriately using a registered IP address range. When this is the case, the two networks will not be able to forward traffic to each other: whenever a host tries to send a packet destined to an address in the same network, the packet is never sent to the gateway to leave the network, because the host assumes the destination address is in its own network.
- Refer to the example given with the diagram below:
- Host 170.1.1.10 in Company A tries to send a packet to a server outside its network with the destination IP of 170.1.1.1.
- Without NAT, the packet obviously stays in the same network and does not get forwarded to the gateway. The packet might go to another host in the network that has the IP address 170.1.1.1, or if no such host exists, it may just be discarded.
- NAT can solve this problem by changing the destination address (as well as the source address) as the packet passes the NAT router. This new destination address represents the local address of the server on the other network. Technically this is called the outside local address.
- As the packet passes the NAT router, the source address is mapped to the inside global IP address (200.1.1.1) and the destination is also changed to the publicly registered IP address of the server on the other side. This is called the outside global address.
- The NAT configuration includes a static mapping between the real IP address (outside global), 170.1.1.1, and the private IP address (outside local) used to represent it inside the private network (192.168.1.1).
- This setup requires the use of a DNS server. When the client on the left network requests to reach cisco.com, the DNS response is modified as the IP information is passed to the requestor: as the reply passes the NAT router, NAT changes it so that the requestor thinks www.cisco.com’s IP is 192.168.1.1.
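The whole overlapping-address flow (DNS reply rewritten, packet leaving the client’s gateway only because the rewritten address is off-net, source and destination both translated outbound and again inbound) is walked through in the added model below. It is an illustration for these notes, not Cisco IOS code; it uses the addresses from the example above (170.1.1.10, 170.1.1.1, 200.1.1.1, 192.168.1.1) and a constructed DNS A record, and the two mapping tables stand in for an inside static mapping and an outside static mapping.

```python
"""Toy model of NAT for overlapping address space: source and destination both translated.

Added example for these study notes, not Cisco IOS code. The addresses are the ones
used in the notes' example; the DNS answer is constructed.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("170.1.1.0/24")  # Company A's (overlapping) addressing
INSIDE_STATIC = {"170.1.1.10": "200.1.1.1"}        # inside local  -> inside global
OUTSIDE_STATIC = {"170.1.1.1": "192.168.1.1"}      # outside global -> outside local


def goes_to_gateway(dst):
    """Does a Company A host hand this destination to its default gateway at all?
    A destination inside 170.1.1.0/24 is treated as local and never leaves the LAN."""
    return ipaddress.ip_address(dst) not in INSIDE_NET


def translate_dns_reply(answers):
    """Rewrite A records in a reply crossing outside -> inside so the client learns the
    outside local address (192.168.1.1) instead of the overlapping real one (170.1.1.1)."""
    return [(name, OUTSIDE_STATIC.get(ip, ip)) for name, ip in answers]


def outbound(src, dst):
    """inside -> outside: source becomes inside global, destination becomes outside global."""
    local_to_global = {local: glob for glob, local in OUTSIDE_STATIC.items()}
    return (INSIDE_STATIC.get(src, src), local_to_global.get(dst, dst))


def inbound(src, dst):
    """outside -> inside: source becomes outside local, destination becomes inside local."""
    global_to_local = {glob: local for local, glob in INSIDE_STATIC.items()}
    return (OUTSIDE_STATIC.get(src, src), global_to_local.get(dst, dst))


def exchange(client_ip, server_name, dns_answers):
    """Walk the whole flow and return the addresses seen at each hop."""
    seen = dict(translate_dns_reply(dns_answers))
    server_as_seen = seen[server_name]                 # what the client believes the server is
    steps = {"client_dst": server_as_seen,
             "leaves_gateway": goes_to_gateway(server_as_seen)}
    steps["on_internet"] = outbound(client_ip, server_as_seen)   # (src, dst) past the NAT router
    reply_src, reply_dst = steps["on_internet"][1], steps["on_internet"][0]
    steps["reply_inside"] = inbound(reply_src, reply_dst)        # (src, dst) as the client sees it
    return steps


if __name__ == "__main__":
    for hop, value in exchange("170.1.1.10", "www.cisco.com",
                               [("www.cisco.com", "170.1.1.1")]).items():
        print(f"{hop:15} {value}")
```

Calling `goes_to_gateway("170.1.1.1")` returns False, which is the failure the notes describe without NAT; once the DNS answer is rewritten to 192.168.1.1 the client does forward to its gateway, and the router turns (170.1.1.10 -> 192.168.1.1) into (200.1.1.1 -> 170.1.1.1) on the way out and the reply back into (192.168.1.1 -> 170.1.1.10).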
Posted in CCNA Notes, NAT