CCNA_NAT.

fm Page 1 Saturday, June 4, 2005 12:18 AM

Network Address
Translation (NAT)

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 2 Saturday, June 4, 2005 12:18 AM

At the end of Chapter 2, Internet Protocols of the Sybex CCNA

Study Guide Standard and CCNA Study Guide Deluxe Editions,
I provided a section called Introduction to Network Address
Translation. In it, I explained some basic terms, but Ive been hearing from readers that it
doesnt have enough information. I really have to expand on Network Address Translation
(NAT) in order to equip you with a thorough understanding of this very important topic.
So whats new here? Well, in this update, Im going to give you the skinny on NAT, Dynamic
NAT, and Port Address Translation (PAT)also known as NAT Overloadin a lot more
detail. And Im going to finish this update with an important hands-on lab so you can test your
understanding of these topics.

Im giving you this update with the assumption that youve read at least
through Chapter 6, Enhanced IGRP (EIGRP) and Open Shortest Path First
(OSPF), of the CCNA Study Guide. Of course, it will be even better if youve
read the entire book!

So When Do We Use NAT?

NAT, at times, decreases the overwhelming amount of Public IP addresses required in your networking environment. And NAT comes in really handy when two companies that have duplicate internal addressing schemes merge. NAT is also great to have around when an organization
changes its Internet Service Provider (ISP) and the networking manager doesnt want to hassle
with changing the internal address scheme.
Heres a list of situations when its best to have NAT on your side:

You need to connect to the Internet and your hosts dont have globally unique IP addresses.

You change to a new ISP that requires you to renumber your network.

You require two intranets with duplicate addresses to merge.

You typically use NAT on a border router. For an illustration of this, check out Figure 1.1.
Okayso yeah. NATs totally cool. Its the grooviest greatest network gadget, and you just
gotta have itright? Well, hang on a minute. There are truly some serious snags related to NAT
use. Ohdont get me wrong. It really can save you sometimes, but theres a dark side you need
to know about too! To give you a visual of the pros and cons linked to using NAT, check out
Table 1.1.

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 3 Saturday, June 4, 2005 12:18 AM

Types of Network Address Translation

FIGURE 1.1

Where to configure NAT

Corporate

Engineering

Sales

Internet

TABLE 1.1

Advantages and Disadvantages of Implementing NAT

Advantages

Disadvantages

Conserves legally registered addresses

Translation introduces switching path delays

Reduces address overlap occurrence

Loss of end-to-end IP traceability

Increases flexibility when connecting to

Internet

Certain applications will not function with

NAT enabled.

Eliminates address renumbering as

network changes

The most obvious advantage associated with NAT is that it allows you to conserve your legally registered address scheme. And by the way, this is the reason we havent run out of IPv4 addressesthink about it.

Types of Network Address Translation

Next, Im going to go over the three types of NAT with you:
Static NAT This type of NAT is designed to allow one-to-one mapping between local and
global addresses. Keep in mind that the static flavor requires that you have one real Internet
IP address for every host on your network.

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 4 Saturday, June 4, 2005 12:18 AM

Network Address Translation (NAT)

Dynamic NAT This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You dont have to statically configure your router to map an inside to an outside address like you would using static NAT, but
you do have to have enough real, bona-fide IP addresses for everyone whos going to be sending
packets to and from the Internet.
Overloading Okayhere it is peoplethe most popular type of NAT configuration! Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP
addresses to a single registered IP addressmany-to-oneby using different ports. Now, why
is this so special? Well, because its also known as Port Address Translation, or, PAT. And by
using PAT, (NAT Overload), you get to have thousands of users connect to the Internet using
only one real global IP addresspretty slick, yeah? Seriously, NAT Overload is truly the reason
we havent run out of valid IP address on the Internet! ReallyIm not joking.

No worries Ill show you how to configure all three types of NAT in the hands-on
lab at the end of this update!

NAT Names
The names we use to describe the addresses used with NAT are pretty simple. Addresses used
after NAT translations are called global addresses. These are usually the public addresses used
on the Internet, but remember, you dont need public addresses if you arent going on the Internetright?
Local addresses are the ones we use before NAT translation. So, the inside local address is
actually the private address of the sending host thats trying to get to the Internet, while the outside local address is the address of the destination host. The latter is usually a public address
(web address, mail server, etc) and is how the packet begins its journey.
After translation, the inside local address is then called the inside global address and the outside global address then becomes the name of the destination host. Check out Table 1.2, which
lists all this terminology for a clear picture of the various names used with NAT.
TABLE 1.2

NAT Terms

Names

Meaning

Local addresses

Name of local hosts before translation

Global addresses

Names of address after translation

Inside local

Name of inside source address before translation

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 5 Saturday, June 4, 2005 12:18 AM

How NAT Works

TABLE 1.2

NAT Terms (continued)

Names

Meaning

Outside local

Name of destination host before translation

Inside global

Name of inside hosts after translation

Outside global

Name of outside destination host after translation

How NAT Works

Okaynow its time to look at how this whole NAT thing works. Im going to start by using
Figure 1.2 to describe the basic translation of NAT:
In the example shown in Figure 1.2, host 10.1.1.1 sends an outbound packet to the border
router configured with NAT. The router identifies the IP address as an inside local IP address
destined to an outside network and translates the address and documents the translation in the
NAT table.
FIGURE 1.2

Basic NAT translation

Inside

10.1.1.3

3
DA
10.1.1.1

DA
170.168.2.2

SA
170.168.2.2

Host B
63.40.7.3

Internet
10.1.1.2
SA
10.1.1.1

10.1.1.1

NAT Table
Inside Local
IP Address

Inside Global
IP Address

10.1.1.3

170.168.2.4

10.1.1.2

170.168.2.3

10.1.1.1

170.168.2.2

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 6 Saturday, June 4, 2005 12:18 AM

Network Address Translation (NAT)

The packet is sent to the outside interface with the new translated source address. The external
host returns the packet to the destination host and the NAT router translates the inside global IP
address back to the inside local IP address using the NAT table. This is as simple as it gets.
Lets take a look at a more complex configuration using overloading, or what is also referred
to as Port Address Translation (PAT). Ill use Figure 1.3 to demonstrate how PAT works.
With overloading, all inside hosts get translated to one single IP addresshence the term
overloading. Again, the reason we have not run out of available IP addresses on the Internet is
because of overloading (PAT).
Take a look at the NAT table in Figure 1.3 again. In addition to the inside local IP address
and outside global IP address, we now have port numbers. These port numbers help the router
identify which host should receive the return traffic.
Port numbers are used at the Transport layer to identify the local host, in this example. If
we had to use IP addresses to identify the source hosts, that would be called static NAT and we
would run out of addresses. PAT allows us to use the Transport layer to identify the hosts,
which in turn, allows us to use (theoretically) up to 65,000 hosts with one real IP address.
FIGURE 1.3

NAT overloading example (PAT)

Inside

10.1.1.3
DA
10.1.1.1

DA
170.168.2.2

SA
170.168.2.2

Host B
63.40.7.3

Internet
DA
170.168.2.2

10.1.1.2
SA
10.1.1.1

Host C
63.40.7.3

10.1.1.1
NAT Table
Protocol
10.1.1.1

Inside Local IP
Address: Port

Inside Global IP
Address: Port

Outside Global IP
Address: Port

TCP

10.1.1.3:1723

170.168.2.2:1492

63.41.7.3:23

TCP

10.1.1.2:1723

170.168.2.2:1723

63.41.7.3:23

TCP

10.1.1.1:1024

170.168.2.2:1024

63.40.7.3:23

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 7 Saturday, June 4, 2005 12:18 AM

How NAT Works

Static NAT Configuration

Lets take a look at a simple basic static NAT configuration.
ip nat inside source static 10.1.1.1 170.46.2.1
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 172.46.2.1 255.255.255.0
ip nat outside
!

In the above router output, the ip nat inside source command identifies what IP
addresses will be translated. In this configuration example, the ip nat inside source command configures a static translation between the inside local IP address 10.1.1.1 to the outside
global IP address 170.46.2.2.
If we look further down in the configuration, we see that we have an ip nat command under
each interface. The ip nat inside command identifies that interface as an inside source. The
ip nat outside command identifies that interface as an outside source.

Dynamic NAT Configuration

Dynamic NAT means that we have a pool of addresses that we will use to provide real IP
addresses to a group of users on the inside. We do not use port numbers, so we have to have real
IP addresses for every user trying to get outside the local network.
Here is a sample output of a dynamic NAT configuration:
ip nat pool dyn-nat 170.168.2.2 170.168.2.254
netmask 255.255.255.0
ip nat inside source list 1 pool dyn-nat
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 8 Saturday, June 4, 2005 12:18 AM

Network Address Translation (NAT)

The ip nat inside source list 1 pool dyn-nat command tells the router to translate
IP addresses that match access-list 1 to an address found in the IP NAT pool named dyn-nat.
The ip nat pool dyn-nat 170.168.2.2 192.168.2.254 command creates a pool of
addresses that will be distributed to those hosts that require NAT.

PAT (Overloading) Configuration

This last example shows how to configure inside global address overloading. This is the typical
NAT that we would use today. It is rare that we would use static or dynamic NAT unless we
were statically mapping a server, for example.
Here is a sample output of a PAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1
netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

The nice thing about PAT is that the only difference with this configuration and the previous
dynamic NAT configuration is that our pool of addresses has shrunk to only one IP address, and
at the end of our ip nat inside source command we included the overload command.

Verifying NAT
Once you have configured the type of NAT you are going to use, typically overload (PAT), you
need to be able to verify the configuration.
To see basic IP address translation information, use the following command:
Router#show ip nat translation

When looking at the IP NAT translations, you may see many translations from the same host
to the same host at the destination. This is typical of many connections to the Web.

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 9 Saturday, June 4, 2005 12:18 AM

Testing Your Understanding

In addition, you can verify your NAT configuration with the debug ip nat command. This output will show the sending address, the translation, and the destination address on each debug line.
Router#debug ip nat

How do you clear your NAT entries from the translation table? Use the clear ip nat
translation command. To clear all entries from the NAT table, use the asterisks (*).

Testing Your Understanding

Before we move on to the hands-on lab section of this update, lets go through a couple NAT
examples and see if you can determine the configuration that needs to be used.
Look at Figure 1.4. Where would you implement NAT in this design, and what type of NAT
would you configure?
FIGURE 1.4

NAT example
Corporate

Engineering

Sales

Internet

In Figure 1.4, the NAT configuration would be placed on the corporate router and the configuration would be dynamic NAT with overload (PAT).
In the next NAT example, what type of NAT is being used?
Ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0

The above command uses dynamic NAT. The pool in the command gives the answer away.
In the next NAT example, well use Figure 1.5 to see if we can figure out the configuration needed.

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 10 Saturday, June 4, 2005 12:18 AM

10

Network Address Translation (NAT)

FIGURE 1.5

ISP

Another NAT example

Lab_A

192.1.2.110
S0/1

F0/0
192.168.10.126

S0/0
192.1.2.109

Console

The example in Figure 1.5 shows a border router that needs to be configured with NAT that
will allow six public IP address using 198.18.131.65-70. On the inside network, you have 63
hosts that use the private addresses of 192.168.10.129 through 190. What would your NAT
configuration be on the border router?
ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248
access-list 1 permit 192.168.10.128 0.0.0.63
ip nat inside source list 1 pool Todd overload

The command ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255

.255.248 sets the pool name as Todd and creates a dynamic pool of addresses for the NAT
to use from 65 to 70. Instead of the netmask command, you can also use the prefixlength 29 statement. No, you cannot do this on router interfaces as wellI knew what you
were thinking!
If you do not understand the second line where the access-list is set, please see Chapter 10,
Managing Traffic with Access Lists of the CCNA Study Guide.
The command ip nat inside source list 1 pool Todd overload command sets the
dynamic pool to use Port Address Translation (PAT) by using the overload command.
Be sure to add the ip nat inside and ip nat outside statements on the appropriate
interfaces.

Hands-on Lab: Network Address

Translation
In this lab, you will configure NAT on router Lab_A to translate the private IP address of
192.168.10.0 to a public address of 171.16.10.0. I use three 2500 routers and one 2600 series
router, but you can use any type of routers for this lab. (The 2600 series router is the Lab_A router)
Table 1.3 shows the commands we will use and the purpose of each command.

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 11 Saturday, June 4, 2005 12:18 AM

Hands-on Lab: Network Address Translation

TABLE 1.3

Command Summary for NAT/PAT Hands-on Lab

Command

Purpose

ip nat inside source list acl pool name

Translates IPs that match the ACL from

the Pool

Ip nat inside source static

inside_addr outside_addr

Statically maps an inside address to an

outside address

IP nat pool name

Creates an address Pool

IP nat inside

Set an interface to be an inside interface

IP nat outside

Set an interface to be an outside interface

Show ip nat translations

Shows current NAT translations

R3
E0

E0
R2
S0

S0/0
R1
S0/2

S0/0
ISP

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

11

CCNA_NAT.fm Page 12 Saturday, June 4, 2005 12:18 AM

Network Address Translation (NAT)

12

Step 1: Preparing for NAT

In this step, youll setup your routers with IP addresses and RIP routing.
1.

Configure the routers with the IP addresses listed here:

Router

Interface

IP Address

ISP

S0

171.16.10.1/24

Lab_A

S0/2

171.16.10.2/24

Lab_A

S0/0

192.168.20.1/24

Lab_B

S0

192.168.20.2/24

Lab_B

E0

192.168.30.1/24

Lab_C

E0

192.168.30.2/24

2.

After you configure the routers, you should be able to ping from router to router, but since
we do not have a routing protocol running until the next step, you can only verify from one
router to another, but not through the network until RIP is set up. You can use any routing
protocol you wish, I am just using RIP for simplicity sake. Lets just use a simple routing protocol to get this up and running.

3.

On Lab_A, configure RIP routing, set a passive interface and configure the default network.
Lab_A#config t
Lab_A(config-router)#network 192.168.20.0
Lab_A(config-router)#network 171.16.0.0
Lab_A(config-router)#passive-interface s0/2
Lab_A(config-router)#exit
Lab_A(config)#ip default-network 171.16.10.1

The passive-interface command stops RIP updates from being sent to the ISP and the
ip default-network command advertises a default network to the other routers so they
know how to get the Internet.
4.

On Lab_B, configure RIP routing

Lab_B#config t
Lab_B(config)#router rip
Lab_B(config-router)#network 192.168.30.0
Lab_B(config-router)#network 192.168.20.0

5.

On Lab_C, configure RIP routing, but also use the passive-interface command since
there is no reason to send our routing table to the ISP.
Lab_C#config t
Lab_C(config)#router rip
Lab_C(config-router)#network 192.168.30.0

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 13 Saturday, June 4, 2005 12:18 AM

Hands-on Lab: Network Address Translation

6.

13

On the ISP Router, configure a default route to the corporate network

ISP#config t
ISP(config)#ip route 0.0.0.0 0.0.0.0 s0

7.

Configure the ISP router so you can telnet into the router without being prompted for
a password
ISP#config t
ISP(config)#line vty 0 4
ISP(config-line)#no login

8.

Verify that you can ping from the ISP router to the Lab_C router and from the Lab_C
router to the ISP router. If you cannot, troubleshoot your network.

Step 2: Configuring Dynamic NAT

In this step, youll configure dynamic NAT on the Lab_A router.
1.

Create a pool of address called GlobalNet on the Lab_A router. The pool should contain
a range of addresses of 171.16.10.50 through 171.16.10.55.
Lab_A(config)#ip nat pool GlobalNet 171.16.10.50 171.16.10.55 net
255.255.255.0

2.

Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.30.0 network to be translated.
Lab_A(config)#access-list 1 permit 192.168.20.0 0.0.0.255
Lab_A(config)#access-list 1 permit 192.168.30.0 0.0.0.255

3.

Map the access list to the pool that was created.

Lab_A(config)#ip nat inside source list 1 pool GlobalNet

4.

Configure serial 0/0 as an inside NAT interface.

Lab_A(config)#int s0/0
Lab_A(config-if)#ip nat inside

5.

Configure serial 0/2 as an outside NAT interface.

Lab_A(config-if)#int s0/2
Lab_A(config-if)#ip nat outside

6.

Log in to the Lab_C router. Telnet from the Lab_C router to the ISP router.
Lab_C#telnet 171.16.10.1

7.

Log in to the Lab_B router. Telnet from the Lab_B router to the ISP router.
Lab_B#telnet 171.16.10.1

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 14 Saturday, June 4, 2005 12:18 AM

14

8.

Network Address Translation (NAT)

Execute the command show users from the ISP router. (This shows who is accessing the
VTY lines)
ISP#show users

What does it show as your source IP Address?________________

What is your Real Source IP address?__________________
The show users output should look something like this:
ISP>sh users
Line
User
0 con 0
2 vty 0
* 3 vty 1
Interface User
ISP>

Host(s)
idle
idle
idle
Mode

Idle
Location
00:03:32
00:01:33 171.16.10.50
00:00:09 171.16.10.51
Idle Peer Address

Notice that there is a one-to-one translation. Which means you must have a
real IP address for every host that wants to get to the Internet, which is not
always possible.

9.

Leave the session open on the Core and connect to Lab_A. (use the Ctrl, Shift, 6, let go and
then press X).

10. Log in to your Lab_A router and view your current translations by entering the show ip

nat translation command. You should see something like this:

Lab_A#sh ip nat translations
Pro Inside global
Inside local
--- 171.16.10.50
192.168.30.2
--- 171.16.10.51
192.168.20.2
Lab_A#

Outside local
-----

Outside global
-----

Oh my gosh, this really works!

11. If you turn on debug ip nat on the Lab_A router and then ping through the router, you

will see the actual NAT process take place, which will look something like this:
00:32:47: NAT*: s=192.168.30.2->171.16.10.50, d=171.16.10.1 [5]
00:32:47: NAT*: s=171.16.10.1, d=171.16.10.50->192.168.30.2

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 15 Saturday, June 4, 2005 12:18 AM

Hands-on Lab: Network Address Translation

15

Step 3: Configuring PAT

In this step, youll configure Port Address Translation (PAT) on the Lab_A router. We will use
PAT because we dont want a one-to-one translation, which want to just use one IP address for
every user on the network.
1.

On the Lab_A router, delete the translation table and remove the dynamic NAT pool
Lab_A#clear ip nat translation *
Lab_A#config t
Lab_A(config)#no ip nat pool GlobalNet 171.16.10.50 171.16.10.55 netmask
255.255.255.0
Lab_A(config)#no ip nat inside source list 1 pool GlobalNet

2.

On the Lab_A router, create a NAT pool with one address called Lammle. The pool should
contain a single address 171.16.10.100 Enter the command below:
Lab_A#config t
Lab_A(config)#ip nat pool Lammle 171.16.10.l00 171.16.10.100 net 255.255.255.0

3.

Create access-list 2. It should permit networks 192.168.20.0 and 192.168.30.0 to

be translated.
Lab_A(config)#access-list 2 permit 192.168.20.0 0.0.0.255
Lab_A(config)#access-list 2 permit 192.168.30.0 0.0.0.255

4.

Map the access-list 2 to the new pool, allowing PAT to occur by using the overload
command.
Lab_A(config)#ip nat inside source list 2 pool Lammle overload

5.

Login to the Lab_C router and telnet to the ISP router; Also, login to the Lab_B router and
telnet to the ISP router.

6.

From the ISP router use the show users command. The output should look like this:
ISP>sh users
Line
* 0 con 0
2 vty 0
4 vty 2
Interface

User

User

Host(s)
idle
idle
idle
Mode

Idle
Location
00:00:00
00:00:39 171.16.10.51
00:00:37 171.16.10.50
Idle Peer Address

ISP>

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.

CCNA_NAT.fm Page 16 Saturday, June 4, 2005 12:18 AM

16

7.

Network Address Translation (NAT)

From the Lab_A router use the show ip nat translations command.
Lab_A#sh ip nat translations
Pro Inside global
Inside local
Outside local
tcp 171.16.10.100:11001 192.168.20.2:11001 171.16.10.1:23
tcp 171.16.10.100:11002 192.168.30.2:11002 171.16.10.1:23
tcp 171.16.10.100:1024 192.168.20.2:11002 171.16.10.1:23

8.

Outside global
171.16.10.1:23
171.16.10.1:23
171.16.10.1:23

Also make sure that the debug ip nat command is on the Lab_A router. If you ping from
the Lab_C router to the ISP router, the output will look like this:
01:12:36:
01:12:36:
01:12:36:
01:12:36:
01:12:36:
01:12:36:
01:12:36:
01:12:36:
01:12:37:
01:12:37:

NAT: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [35]

NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [35]
NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [36]
NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [36]
NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [37]
NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [37]
NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [38]
NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [38]
NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [39]
NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [39]

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.