# 4.1 NETWORK ADDRESS TRANSLATION
Similar to Classless Inter-Domain Routing (CIDR), the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.
Since then, NAT has also proved useful for network migrations and mergers, server load sharing and creating "virtual servers." NAT greatly reduces the number of public IP addresses a networking environment requires. It comes in really handy when two companies with duplicate internal addressing schemes merge, and when an organization changes its Internet service provider (ISP) and the networking manager doesn't want the hassle of changing the internal address scheme.
Here’s a list of situations when it’s best to have NAT on your side:
o You need to connect to the Internet and your hosts don’t have globally unique IP addresses.
o You change to a new ISP and that requires you to renumber your network.
o You need to merge two intranets with duplicate addresses.
A NAT (Network Address Translation or Network Address Translator) is the virtualization of Internet Protocol (IP) addresses. NAT helps improve security and decrease the number of IP addresses an organization needs. It is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. It can be statically defined as well as dynamically defined. NAT is described in general terms in RFC 1631, which discusses NAT's relationship to CIDR as a way to reduce the IP address depletion problem.
NAT can be implemented using one of three methods:
1) Static NAT : It performs a static one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall / router.
2) Dynamic NAT : It utilizes a pool of global addresses to dynamically translate the outbound traffic of clients behind a NAT-enabled device.
3) NAT Overload or Port Address Translation (PAT) : It translates the outbound traffic of clients to unique port numbers off of a single global address. PAT is necessary when the number of internal clients exceeds the available global addresses. Before looking at the lab, here is what inbound and outbound traffic mean in this context.
What is outbound traffic, with an example?
Outbound traffic, in this context, is network traffic originating from a private host or enclave and destined for untrusted networks. For example: an enterprise desktop intranet user connecting to www.example.com, or an internal mail server connecting to an external mail server, mail.example.com.
What is inbound traffic, with an example?
Inbound traffic, in this context, is network traffic originating from an untrusted network and destined for a private host or enclave. For example: an untrusted network host connecting to an internal commercial portal, shopping.example.com, or an external mail server connecting to an internal mail server, mail.example.com.
# Advantages and Disadvantages of implementing NAT
Advantages | Disadvantages |
---|---|
Conserves legally registered addresses. | Translation introduces switching path delays. |
Reduces address overlap occurrence. | Loss of end-to-end IP traceability. |
Increases flexibility when connecting to the Internet. | Certain applications will not function with NAT enabled. |
Eliminates address renumbering as network changes. | N/A |
# NAT name and terminology
The names we use to describe the addresses used with NAT are pretty simple. Addresses used after NAT translations are called global addresses. These are usually the public addresses used on the internet but remember, you don’t need public addresses if you aren’t going to the Internet.
Local addresses are the ones we use before NAT translation. So, the inside local address is actually the private address of the sending host that’s trying to get to the Internet, while the outside local address is the address of the destination host. The latter is usually a public address (web address, mail server, etc.) and is how the packet begins its journey.
After translation, the inside local address is then called the inside global address and the outside global address then becomes the name of the destination host.
Specific terms are used to identify the various NAT addresses:
o Inside Local: Name of inside source address before translation.
o Inside Global: Name of inside host after translation.
o Outside Local: Name of destination host before translation.
o Outside Global: Name of outside destination host after translation.
For simplicity's sake, it is generally acceptable to associate global addresses with public addresses, and local addresses with private addresses. However, remember that public-to-public and private-to-private translation is still possible. Inside hosts are within the local network, while outside hosts are external to the local network.
# How NAT works
A router configured with NAT will have at least one interface to the inside network and one to the outside network. In a typical environment, NAT is configured at the exit router between a stub domain and the backbone. When a packet leaves the domain, NAT translates the locally significant source address into a globally unique address. When a packet enters the domain, NAT translates the globally unique destination address into a local address. If more than one exit point exists, each NAT must have the same translation table. If NAT cannot allocate an address because it has run out of addresses, it drops the packet and sends an Internet Control Message Protocol (ICMP) host unreachable packet.
Class | Private IP address range | Public IP address range |
---|---|---|
Class A | 10.0.0.0 - 10.255.255.255 | 1.0.0.0 - 9.255.255.255 and 11.0.0.0 - 126.255.255.255 |
Class B | 172.16.0.0 - 172.31.255.255 | 128.0.0.0 - 172.15.255.255 and 172.32.0.0 - 191.255.255.255 |
Class C | 192.168.0.0 - 192.168.255.255 | 192.0.0.0 - 192.167.255.255 and 192.169.0.0 - 223.255.255.255 |
# 4.2 EXPLANATION AND CONFIGURATION OF NAT (Static, Dynamic and Overload) LAB
Diagram: (figure not reproduced in this text)
# Syntax of Static NAT
Router(config)# ip nat inside source static <inside-local-ip> <inside-global-ip>
Enables a one-to-one translation of the inside local address to the inside global address.
Router(config-if)# ip nat inside
Marks the interface through which the router is connected to the inside network.
Router(config-if)# ip nat outside
Marks the interface through which the router is connected to the outside network.
Verifying NAT configuration:
Router# show ip nat translations
Displays the active NAT translations.
Configuration of Static NAT:
RA(config)# ip nat inside source static 10.10.10.10 64.10.75.99
!
RA(config)# interface Fa 0/0
RA(config-if)# ip nat inside
RA(config-if)# exit
!
RA(config)# interface S0/0/0
RA(config-if)# ip nat outside
RA(config-if)# exit
!
# Syntax of Dynamic NAT
Router(config)# ip nat pool <name> <start-ip> <end-ip> netmask <mask>
Defines a pool of inside global (public) IP addresses to use for dynamic translation.
Router(config)# access-list <number> permit <network> <wildcard>
Defines a standard ACL to specify which private network is allowed to be translated.
Router(config)# ip nat inside source list <acl-number> pool <name>
Enables translation of inside local addresses matched by the ACL to addresses from the pool.
Router(config-if)# ip nat inside
Marks the interface through which the router is connected to the inside network.
Router(config-if)# ip nat outside
Marks the interface through which the router is connected to the outside network.
Configuration of Dynamic NAT:
RA(config)# ip nat pool test 64.10.75.80 64.10.75.99 netmask 255.255.255.0
RA(config)# access-list 10 permit 10.10.10.0 0.0.0.255
RA(config)# ip nat inside source list 10 pool test
!
RA(config)# interface Fa 0/0
RA(config-if)# ip nat inside
RA(config-if)# exit
!
RA(config)# interface S 0/0/0
RA(config-if)# ip nat outside
RA(config-if)# exit
!
Diagram of PAT (Overload):
Host Name | Inside Local | Inside Global | Outside Global |
---|---|---|---|
Host A | 10.10.10.10:5097 | 64.10.75.34:5097 | 74.57.43.19:80 |
Host B | 10.10.10.20:5097 | 64.10.75.34:6021 | 74.57.43.20:80 |
Host C | 10.10.10.30:9000 | 64.10.75.34:8701 | 74.57.43.20:80 |
# Syntax of PAT
Router(config)# access-list <number> permit <network> <wildcard>
Defines a standard ACL to specify which private network is allowed to be translated.
Router(config)# ip nat inside source list <acl-number> interface <outside-interface> overload
Translates inside local addresses matched by the ACL to the address of the outside interface; overload enables PAT.
Configuration of PAT (Overload):
RA(config)# access-list 10 permit 10.10.10.0 0.0.0.255
RA(config)# ip nat inside source list 10 interface S 0/0/0 overload
!
RA(config)# interface Fa 0/0
RA(config-if)# ip nat inside
RA(config-if)# exit
!
RA(config)# interface S 0/0/0
RA(config-if)# ip nat outside
RA(config-if)# exit
!
# Syntax of Dynamic NAT with Overloading
Router(config)# ip nat pool <name> <start-ip> <end-ip> netmask <mask>
Defines a pool of inside global (public) IP addresses to use for dynamic translation.
Router(config)# access-list <number> permit <network> <wildcard>
Defines an ACL to specify which private network is allowed to be translated.
Router(config)# ip nat inside source list <acl-number> pool <name> overload
Enables translation of the inside local address to the inside global address; overload enables PAT.
Router(config-if)# ip nat inside
Marks the interface through which the router is connected to the inside network.
Router(config-if)# ip nat outside
Marks the interface through which the router is connected to the outside network.
Configuration of dynamic NAT with overloading:
RA(config)# ip nat pool test 64.10.75.80 64.10.75.99 netmask 255.255.255.0
RA(config)# access-list 10 permit 10.10.10.0 0.0.0.255
RA(config)# ip nat inside source list 10 pool test overload
!
RA(config)# interface Fa 0/0
RA(config-if)# ip nat inside
RA(config-if)# exit
!
RA(config)# interface S 0/0/0
RA(config-if)# ip nat outside
RA(config-if)# exit
!
# NOTE FOR A GOOD PRACTICAL
Once the next chapter (Access Lists) is complete, we will do a good practical on how an ISP makes a website work both locally and globally. Please keep this chapter and the next one in mind for that.