Network Address Translation (NAT)
Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.
I'm giving you this update with the assumption that you've read at least through Chapter 6, Enhanced IGRP (EIGRP) and Open Shortest Path First (OSPF), of the CCNA Study Guide. Of course, it will be even better if you've read the entire book!
You need to connect to the Internet and your hosts don't have globally unique IP addresses.
You change to a new ISP that requires you to renumber your network.
You typically use NAT on a border router. For an illustration of this, check out Figure 1.1.
Okay, so yeah. NAT's totally cool. It's the grooviest, greatest network gadget, and you just gotta have it, right? Well, hang on a minute. There are truly some serious snags related to NAT use. Oh, don't get me wrong. It really can save you sometimes, but there's a dark side you need to know about too! To give you a visual of the pros and cons linked to using NAT, check out Table 1.1.
FIGURE 1.1 [figure not reproduced; labels: Engineering, Sales, Internet]
TABLE 1.1 [table body not reproduced; columns: Advantages, Disadvantages]
The most obvious advantage associated with NAT is that it allows you to conserve your legally registered address scheme. And by the way, this is the reason we haven't run out of IPv4 addresses; think about it.
Dynamic NAT This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don't have to statically configure your router to map an inside to an outside address like you would using static NAT, but you do have to have enough real, bona fide IP addresses for everyone who's going to be sending packets to and from the Internet.
Overloading Okay, here it is, people: the most popular type of NAT configuration! Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. Now, why is this so special? Well, because it's also known as Port Address Translation, or PAT. And by using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address. Pretty slick, yeah? Seriously, NAT Overload is truly the reason we haven't run out of valid IP addresses on the Internet! Really, I'm not joking.
No worries, I'll show you how to configure all three types of NAT in the hands-on lab at the end of this update!
NAT Names
The names we use to describe the addresses used with NAT are pretty simple. Addresses used after NAT translations are called global addresses. These are usually the public addresses used on the Internet, but remember, you don't need public addresses if you aren't going on the Internet, right?
Local addresses are the ones we use before NAT translation. So, the inside local address is actually the private address of the sending host that's trying to get to the Internet, while the outside local address is the address of the destination host. The latter is usually a public address (web address, mail server, etc.) and is how the packet begins its journey.
After translation, the inside local address is then called the inside global address, and the outside global address then becomes the name of the destination host. Check out Table 1.2, which lists all this terminology for a clear picture of the various names used with NAT.
TABLE 1.2 NAT Terms [table body not reproduced; columns: Names, Meaning; rows: Local addresses, Global addresses, Inside local, Outside local, Inside global, Outside global]
FIGURE 1.2 [figure not reproduced; inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router, Host B 63.40.7.3 on the Internet; SA = source address, DA = destination address]
NAT Table
Inside Local IP Address    Inside Global IP Address
10.1.1.3                   170.168.2.4
10.1.1.2                   170.168.2.3
10.1.1.1                   170.168.2.2
The packet is sent to the outside interface with the new translated source address. The external
host returns the packet to the destination host and the NAT router translates the inside global IP
address back to the inside local IP address using the NAT table. This is as simple as it gets.
Let's take a look at a more complex configuration using overloading, or what is also referred to as Port Address Translation (PAT). I'll use Figure 1.3 to demonstrate how PAT works.
With overloading, all inside hosts get translated to one single IP address, hence the term overloading. Again, the reason we have not run out of available IP addresses on the Internet is because of overloading (PAT).
Take a look at the NAT table in Figure 1.3 again. In addition to the inside local IP address
and outside global IP address, we now have port numbers. These port numbers help the router
identify which host should receive the return traffic.
Port numbers are used at the Transport layer to identify the local host in this example. If we had to use IP addresses to identify the source hosts, that would be called static NAT and we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts, which, in turn, allows us to use (theoretically) up to 65,000 hosts with one real IP address.
FIGURE 1.3 [figure not reproduced; inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router, Host B and Host C 63.40.7.3 on the Internet; SA = source address, DA = destination address]
NAT Table
Protocol   Inside Local IP Address:Port   Inside Global IP Address:Port   Outside Global IP Address:Port
TCP        10.1.1.3:1723                  170.168.2.2:1492                63.41.7.3:23
TCP        10.1.1.2:1723                  170.168.2.2:1723                63.41.7.3:23
TCP        10.1.1.1:1024                  170.168.2.2:1024                63.40.7.3:23
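The port numbers in the Figure 1.3 table are what let one global address serve many hosts, and they are also what makes a return packet deliverable only when a matching entry exists. As an added example (not from the book), here is a small Python model of such a PAT table; its port-allocation policy is an assumption for illustration, not how IOS chooses ports.

```python
from dataclasses import dataclass, field

# Added example (not from the book): a minimal model of the PAT table in
# Figure 1.3. Every inside host shares one inside global address and is told
# apart by the translated source port. The port-allocation policy below
# (keep the host's port if free, else hand out the next unused one) is an
# assumption for illustration, not how IOS chooses ports.

@dataclass
class PatTable:
    inside_global: str                               # the one registered address
    entries: dict = field(default_factory=dict)      # (proto, global port) -> (local ip, local port)
    next_port: int = 1024                            # next candidate when a port is already taken

    def outbound(self, proto, local_ip, local_port):
        """Translate an outgoing packet; return the (ip, port) it leaves with."""
        # An existing flow keeps its entry.
        for (p, gport), (lip, lport) in self.entries.items():
            if (p, lip, lport) == (proto, local_ip, local_port):
                return self.inside_global, gport
        gport = local_port
        if (proto, gport) in self.entries:
            # Port already used by another inside host (10.1.1.3:1723 in
            # Figure 1.3 gets a different global port for this reason).
            while (proto, self.next_port) in self.entries:
                self.next_port += 1
            gport = self.next_port
            self.next_port += 1
        self.entries[(proto, gport)] = (local_ip, local_port)
        return self.inside_global, gport

    def inbound(self, proto, dst_ip, dst_port):
        """Map a returning packet to (local ip, local port); None means no
        table entry exists, so the router has nowhere to deliver it."""
        if dst_ip != self.inside_global:
            return None
        return self.entries.get((proto, dst_port))

if __name__ == "__main__":
    t = PatTable("170.168.2.2")
    for host, port in (("10.1.1.1", 1024), ("10.1.1.2", 1723), ("10.1.1.3", 1723)):
        print(host, port, "->", t.outbound("tcp", host, port))
    print("reply to :1025 goes to", t.inbound("tcp", "170.168.2.2", 1025))
    print("unsolicited packet to :4444 ->", t.inbound("tcp", "170.168.2.2", 4444))
```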
In the above router output, the ip nat inside source command identifies what IP addresses will be translated. In this configuration example, the ip nat inside source command configures a static translation between the inside local IP address 10.1.1.1 and the outside global IP address 170.46.2.2.
If we look further down in the configuration, we see that we have an ip nat command under
each interface. The ip nat inside command identifies that interface as an inside source. The
ip nat outside command identifies that interface as an outside source.
The ip nat inside source list 1 pool dyn-nat command tells the router to translate
IP addresses that match access-list 1 to an address found in the IP NAT pool named dyn-nat.
The ip nat pool dyn-nat 170.168.2.2 192.168.2.254 command creates a pool of
addresses that will be distributed to those hosts that require NAT.
The nice thing about PAT is that the only difference between this configuration and the previous dynamic NAT configuration is that our pool of addresses has shrunk to only one IP address, and at the end of our ip nat inside source command we included the overload command.
Verifying NAT
Once you have configured the type of NAT you are going to use, typically overload (PAT), you
need to be able to verify the configuration.
To see basic IP address translation information, use the following command:
Router#show ip nat translation
When looking at the IP NAT translations, you may see many translations from the same host
to the same host at the destination. This is typical of many connections to the Web.
In addition, you can verify your NAT configuration with the debug ip nat command. This output will show the sending address, the translation, and the destination address on each debug line.
Router#debug ip nat
How do you clear your NAT entries from the translation table? Use the clear ip nat translation command. To clear all entries from the NAT table, use an asterisk (*).
NAT example
FIGURE 1.4 [figure not reproduced; labels: Corporate, Engineering, Sales, Internet]
In Figure 1.4, the NAT configuration would be placed on the corporate router and the configuration would be dynamic NAT with overload (PAT).
In the next NAT example, what type of NAT is being used?
ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0
The above command uses dynamic NAT. The pool in the command gives the answer away.
In the next NAT example, we'll use Figure 1.5 to see if we can figure out the configuration needed.
FIGURE 1.5 [figure not reproduced; labels: ISP, Lab_A, S0/1, S0/0, F0/0, Console; addresses 192.1.2.110, 192.1.2.109, 192.168.10.126]
The example in Figure 1.5 shows a border router that needs to be configured with NAT that will allow six public IP addresses using 198.18.131.65-70. On the inside network, you have 63 hosts that use the private addresses of 192.168.10.129 through 190. What would your NAT configuration be on the border router?
ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248
access-list 1 permit 192.168.10.128 0.0.0.63
ip nat inside source list 1 pool Todd overload
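The wildcard mask and the pool size together decide what this configuration actually does: which inside hosts get translated, and whether six addresses can serve them without overload. As an added example (not from the book), the following Python models the access list and pool above; the acl_permits, pool_size and needs_overload helpers and the host list are my own constructions.

```python
import ipaddress

# Added example (not from the book): model the Figure 1.5 answer
#   ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248
#   access-list 1 permit 192.168.10.128 0.0.0.63
#   ip nat inside source list 1 pool Todd overload
# to see which inside hosts the access list selects and why overload is needed.

def acl_permits(host, network, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    h = int(ipaddress.IPv4Address(host))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((h ^ n) & ~w) == 0

def pool_size(first, last):
    """Number of inside global addresses the pool can hand out."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1

def translated_hosts(hosts, network, wildcard):
    """Subset of hosts whose packets match the list and get translated."""
    return [h for h in hosts if acl_permits(h, network, wildcard)]

def needs_overload(hosts, network, wildcard, first, last):
    """True when more hosts match the list than the pool has addresses,
    i.e. plain dynamic NAT would run the pool dry and overload is required."""
    return len(translated_hosts(hosts, network, wildcard)) > pool_size(first, last)

# Constructed host list for the exercise: 192.168.10.129 through 192.168.10.190.
INSIDE_HOSTS = [f"192.168.10.{i}" for i in range(129, 191)]

if __name__ == "__main__":
    matched = translated_hosts(INSIDE_HOSTS, "192.168.10.128", "0.0.0.63")
    print(len(matched), "hosts match access-list 1;",
          "pool holds", pool_size("198.18.131.65", "198.18.131.70"), "addresses")
    print("overload required:",
          needs_overload(INSIDE_HOSTS, "192.168.10.128", "0.0.0.63",
                         "198.18.131.65", "198.18.131.70"))
```

Note that the wildcard 0.0.0.63 also matches 192.168.10.128 and .191, so the list is slightly wider than the host range it is meant to cover; that is normal for a block-aligned wildcard, but worth knowing when you audit what a NAT rule translates.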
TABLE 1.3 [table body not reproduced; columns: Command, Purpose; rows: ip nat inside, ip nat outside]
[Lab topology figure not reproduced; labels: R3, E0, E0, R2, S0, S0/0, R1, S0/2, S0/0, ISP]
Router   Interface   IP Address
ISP      S0          171.16.10.1/24
Lab_A    S0/2        171.16.10.2/24
Lab_A    S0/0        192.168.20.1/24
Lab_B    S0          192.168.20.2/24
Lab_B    E0          192.168.30.1/24
Lab_C    E0          192.168.30.2/24
2.
After you configure the routers, you should be able to ping from router to router, but since we do not have a routing protocol running until the next step, you can only verify from one router to another, not through the network until RIP is set up. You can use any routing protocol you wish; I am just using RIP for simplicity's sake. Let's just use a simple routing protocol to get this up and running.
3.
On Lab_A, configure RIP routing, set a passive interface and configure the default network.
Lab_A#config t
Lab_A(config)#router rip
Lab_A(config-router)#network 192.168.20.0
Lab_A(config-router)#network 171.16.0.0
Lab_A(config-router)#passive-interface s0/2
Lab_A(config-router)#exit
Lab_A(config)#ip default-network 171.16.10.1
The passive-interface command stops RIP updates from being sent to the ISP, and the ip default-network command advertises a default network to the other routers so they know how to get to the Internet.
4.
5.
On Lab_C, configure RIP routing, but also use the passive-interface command since
there is no reason to send our routing table to the ISP.
Lab_C#config t
Lab_C(config)#router rip
Lab_C(config-router)#network 192.168.30.0
6.
7.
Configure the ISP router so you can telnet into the router without being prompted for a password.
ISP#config t
ISP(config)#line vty 0 4
ISP(config-line)#no login
8.
Verify that you can ping from the ISP router to the Lab_C router and from the Lab_C
router to the ISP router. If you cannot, troubleshoot your network.
Create a pool of addresses called GlobalNet on the Lab_A router. The pool should contain a range of addresses of 171.16.10.50 through 171.16.10.55.
Lab_A(config)#ip nat pool GlobalNet 171.16.10.50 171.16.10.55 net 255.255.255.0
2.
Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.30.0 networks to be translated.
Lab_A(config)#access-list 1 permit 192.168.20.0 0.0.0.255
Lab_A(config)#access-list 1 permit 192.168.30.0 0.0.0.255
3.
4.
5.
6.
Log in to the Lab_C router. Telnet from the Lab_C router to the ISP router.
Lab_C#telnet 171.16.10.1
7.
Log in to the Lab_B router. Telnet from the Lab_B router to the ISP router.
Lab_B#telnet 171.16.10.1
8.
Execute the command show users from the ISP router. (This shows who is accessing the VTY lines.)
ISP#show users
    Line       User       Host(s)              Idle       Location
                          idle                 00:03:32
                          idle                 00:01:33 171.16.10.50
                          idle                 00:00:09 171.16.10.51

  Interface    User               Mode         Idle     Peer Address
Notice that there is a one-to-one translation, which means you must have a real IP address for every host that wants to get to the Internet, which is not always possible.
9.
Leave the session open on the Core and connect to Lab_A (use Ctrl+Shift+6, let go, and then press X).
10. Log in to your Lab_A router and view your current translations by entering the show ip
Outside local      Outside global
-----              -----
will see the actual NAT process take place, which will look something like this:
00:32:47: NAT*: s=192.168.30.2->171.16.10.50, d=171.16.10.1 [5]
00:32:47: NAT*: s=171.16.10.1, d=171.16.10.50->192.168.30.2
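Reading debug ip nat by eye does not scale, and a translation that does not match what the pool should produce is worth spotting early. As an added example (not from the book), this Python parses lines of the shape shown above and flags any inside local/inside global pairing that differs from an expected table; the sample lines and the EXPECTED map are constructed, and the regex only covers the two line shapes on this page.

```python
import re

# Added example (not from the book): parse `debug ip nat` lines like the two
# shown in the lab and check each translation against the pairing the dynamic
# pool is expected to produce. The regex is written for the two line shapes on
# this page (outbound s=local->global, inbound d=global->local); other IOS
# debug formats may differ.

# Sample lines constructed for the lab (not captured from a real router).
DEBUG_LINES = """\
00:32:47: NAT*: s=192.168.30.2->171.16.10.50, d=171.16.10.1 [5]
00:32:47: NAT*: s=171.16.10.1, d=171.16.10.50->192.168.30.2
00:32:48: NAT*: s=192.168.20.2->171.16.10.51, d=171.16.10.1 [6]
00:32:49: NAT*: s=192.168.30.2->171.16.10.99, d=171.16.10.1 [7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT\*?: "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_tr>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_tr>[\d.]+))?"
)

def parse_debug_line(line):
    """Return (direction, inside_local, inside_global, outside) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["s_tr"]:        # outbound: inside local source rewritten to inside global
        return ("out", m["s"], m["s_tr"], m["d"])
    if m["d_tr"]:        # inbound: inside global destination restored to inside local
        return ("in", m["d_tr"], m["d"], m["s"])
    return None

def check_translations(text, expected):
    """Return the lines whose inside local/global pairing is not in `expected`."""
    bad = []
    for line in text.splitlines():
        parsed = parse_debug_line(line)
        if parsed and expected.get(parsed[1]) != parsed[2]:
            bad.append(line.strip())
    return bad

# What the dynamic pool should produce for the two inside hosts (constructed).
EXPECTED = {"192.168.30.2": "171.16.10.50", "192.168.20.2": "171.16.10.51"}

if __name__ == "__main__":
    for unexpected in check_translations(DEBUG_LINES, EXPECTED):
        print("unexpected translation:", unexpected)
```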
On the Lab_A router, delete the translation table and remove the dynamic NAT pool.
Lab_A#clear ip nat translation *
Lab_A#config t
Lab_A(config)#no ip nat pool GlobalNet 171.16.10.50 171.16.10.55 netmask 255.255.255.0
Lab_A(config)#no ip nat inside source list 1 pool GlobalNet
2.
On the Lab_A router, create a NAT pool with one address called Lammle. The pool should contain a single address, 171.16.10.100. Enter the command below:
Lab_A#config t
Lab_A(config)#ip nat pool Lammle 171.16.10.100 171.16.10.100 net 255.255.255.0
3.
4.
Map access-list 2 to the new pool, allowing PAT to occur by using the overload command.
Lab_A(config)#ip nat inside source list 2 pool Lammle overload
5.
Log in to the Lab_C router and telnet to the ISP router. Also, log in to the Lab_B router and telnet to the ISP router.
6.
From the ISP router use the show users command. The output should look like this:
ISP>sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0                idle                 00:00:39 171.16.10.51
   4 vty 2                idle                 00:00:37 171.16.10.50

  Interface    User               Mode         Idle     Peer Address

ISP>
7.
From the Lab_A router use the show ip nat translations command.
Lab_A#sh ip nat translations
Pro Inside global          Inside local          Outside local        Outside global
tcp 171.16.10.100:11001    192.168.20.2:11001    171.16.10.1:23       171.16.10.1:23
tcp 171.16.10.100:11002    192.168.30.2:11002    171.16.10.1:23       171.16.10.1:23
tcp 171.16.10.100:1024     192.168.20.2:11002    171.16.10.1:23       171.16.10.1:23
8.
Also make sure that the debug ip nat command is on the Lab_A router. If you ping from
the Lab_C router to the ISP router, the output will look like this: