
NAT
###

Situations when NAT is useful:
- You need to connect to the Internet and your hosts don't have globally unique IP addresses.
- You change to a new ISP that requires you to renumber your network.
- You need to merge two intranets with duplicate addresses.

Advantages:
- conserves legally registered addresses
- reduces the occurrence of address overlap
- increases flexibility when connecting to the Internet
- eliminates address renumbering when the network changes

Disadvantages:
- translation increases the switching overhead/delay
- loss of end-to-end traceability
- certain applications won't function with NAT enabled

Dynamic NAT
+++++++++++
(one private address to one public address, where the association is made dynamically, not fixed in advance)

It gives you the possibility to map an unregistered (private) IP address to a registered (public) IP address that is chosen from the available pool range. The private-public association is made dynamically. (But you have to provide enough registered public IP addresses to serve everyone who wants to communicate on the Internet.)

Static NAT
++++++++++
(one private address to one public address PERMANENTLY, where the association is given in advance)

In the case of static NAT the private-public pairs are defined in advance.

Overloading NAT
+++++++++++++++
It maps many unregistered (private) IP addresses to a single registered (public) IP address by using different ports. This is called port address translation, in other words PAT.

NAT names
+++++++++
- Local addresses: used before NAT
- Global addresses: used after NAT
- Inside local address: the private address of the sending host
- Inside global address: the public address of the sending host after NAT
- Outside local: the address of the destination host (as seen from the inside)
- Outside global: the address of the destination host after NAT

NAT operations
++++++++++++++

Basic NAT translation
---------------------
Topology:
  Inside ------------------- R(border) --------------- INTERNET ------ HOST-B (63.40.7.3)

NAT table:
  inside local      inside global
  10.1.1.3      --- 170.168.2.4
  10.1.1.2      --- 170.168.2.3
  10.1.1.1      --- 170.168.2.2

The router identifies the source IP address as an inside local address, translates the address and records this fact in the NAT table. The packet leaving the outside interface of the router is forwarded to the destination with the inside global address as its source address. The target HOST-B responds to the public address mentioned above, and R translates it back to the matching private address by using the NAT table.

Basic PAT translation
---------------------
With overloading, the inside hosts are translated to only one public address. PAT uses the port number to identify the connection between the two sides. PAT lets us use the Transport layer to identify the hosts, which in turn allows us to use (theoretically) up to 65,000 hosts with one real IP address.

Topology:
  Inside ------------------- R(border) --------------- INTERNET ------ HOST-B (63.40.7.3:23)

NAT table:
  inside local        inside global
  10.1.1.3:1723   --- 170.168.2.2:2492
  10.1.1.2:1723   --- 170.168.2.2:1723
  10.1.1.1:1024   --- 170.168.2.2:1024

Configuration
+++++++++++++

Static NAT config
-----------------
e.x-1.)
  ip nat inside source static 10.1.1.1 170.46.2.1   --> static translation between a private and a public address
  !
  interface ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside                                    --> this command identifies the interface as inside
  !
  interface serial0
   ip address 170.46.2.1 255.255.255.0
   ip nat outside                                   --> this command identifies the interface as outside
  !

e.x-2.)
  R(ISP)(s0/0) ---------- R(CORP)(STATIC-NAT) ------- LOCAL-NETWORK
                                |                          |
                           64.64.64.65                 172.16.10.5

Step-1.) Define a static route on the remote router, stating where the public address or pool should be routed. Without it the packets won't be able to travel back!
  ISP(config)#ip route 64.64.64.64 255.255.255.128 s0/0
Step-2.) Create the static mapping:
  CORP(config)#ip nat inside source static 172.16.10.5 64.64.64.65
Step-3.) Define which interfaces are local (inside):
  CORP(config-if)#ip nat inside
Step-4.) Define which interfaces are outside:
  CORP(config-if)#ip nat outside

Dynamic NAT config
------------------
In this case we have a pool of addresses to provide real IP addresses to a group of users inside. We don't use port numbers, so we have to have a bunch of real IP addresses (expensive, and scarce!).

e.x-1.)
  ip nat pool todd 170.168.2.2 170.168.2.254 netmask 255.255.255.0   --> creates the pool of addresses to distribute to the hosts that require NAT
  ip nat inside source list 1 pool todd          --> translate the addresses matching the ACL to a public IP from the pool
  !
  interface ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside                                 --> this command identifies the interface as inside
  !
  interface serial0
   ip address 170.46.2.1 255.255.255.0
   ip nat outside                                --> this command identifies the interface as outside
  !
  access-list 1 permit 10.1.1.0 0.0.0.255        --> marks the addresses that are allowed to be translated
  !

e.x-2.)
  R(ISP)(s0/0) ---------- R(CORP)(DYNAMIC-NAT) ------- LOCAL-NETWORK
                                |                           |
                      pool: 64.64.64.65-126             172.16.10.x

Step-1.) Define a static route on the remote router, stating where the public address or pool should be routed. Without it the packets won't be able to travel back!
  ISP(config)#ip route 64.64.64.64 255.255.255.128 s0/0
Step-2.) Create a pool of usable public addresses that can be used to perform NAT:
  CORP(config)#ip nat pool jeno 64.64.64.70 64.64.64.126 netmask 255.255.255.128
Step-3.) Create an access control list that identifies which private IP addresses have to be translated:
  CORP(config)#access-list 1 permit 172.16.10.0 0.0.0.255
Step-4.) Link the ACL to the pool:
  CORP(config)#ip nat inside source list 1 pool jeno
Step-5.) Define which interfaces are local (inside):
  CORP(config-if)#ip nat inside
Step-6.) Define which interfaces are outside:
  CORP(config-if)#ip nat outside

PAT (overloading) config
------------------------
This is the typical NAT that we would use today. It's rare that we use static or dynamic NAT unless we are statically mapping a server, for example.

e.x-1.)
  ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0   --> creates the pool (a single address) shared by the hosts that require NAT
  ip nat inside source list 1 pool globalnet overload   --> translate the addresses matching the ACL to the public IP from the pool, using port numbers to share it
  !
  interface ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside                                 --> this command identifies the interface as inside
  !
  interface serial0
   ip address 170.46.2.1 255.255.255.0
   ip nat outside                                --> this command identifies the interface as outside
  !
  access-list 1 permit 10.1.1.0 0.0.0.255        --> marks the addresses that are allowed to be translated
  !

e.x-2.)
  R(ISP)(s0/0) ---------- R(CORP)(PAT-NAT) ------- LOCAL-NETWORK
                          s0/0/0 |                      |
                       pool: 64.64.64.70-70         172.16.10.x

Step-1.) Define a static route on the remote router, stating where the public address or pool should be routed. Without it the packets won't be able to travel back!
  ISP(config)#ip route 64.64.64.64 255.255.255.128 s0/0
Step-2.) Create a pool of usable public addresses that can be used to perform NAT:
  CORP(config)#ip nat pool jeno 64.64.64.70 64.64.64.70 netmask 255.255.255.128
Step-3.) Create an access control list that identifies which private IP addresses have to be translated:
  CORP(config)#access-list 1 permit 172.16.10.0 0.0.0.255
Step-4.) Link the ACL to the pool:
  CORP(config)#ip nat inside source list 1 pool jeno overload
  OR, overloading the outside interface address directly instead of a pool:
  CORP(config)#ip nat inside source list 1 interface serial 0/0/0 overload
Step-5.) Define which interfaces are local (inside):
  CORP(config-if)#ip nat inside
Step-6.) Define which interfaces are outside:
  CORP(config-if)#ip nat outside

Note: The only difference between this configuration and the previous dynamic NAT is that the pool contains only one IP address and we included the overload keyword. Of course you can add additional IP addresses to the pool if available.

Verification of NAT
+++++++++++++++++++
  R#show ip nat translations                                   --> to see the translation table
  R#show ip nat statistics                                     --> to display NAT statistics
  R#clear ip nat translation inside a.b.c.d outside e.f.g.h    --> clear one entry from the NAT table
  R#clear ip nat translation *                                 --> clear all entries from the NAT table
  R#debug ip nat                                               --> the output shows the sending address, the translation and the destination address on each debug line (it needs a lot of CPU!)
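The PAT table from the "Basic PAT translation" section and the wildcard-mask ACL from the configuration sections, modelled in a small translator (added example code, not from the original notes or from Cisco IOS). The inside global address 170.168.2.2 and the ACL 10.1.1.0 0.0.0.255 are the page's values; the port allocator and the sample flows are constructed, and the port chosen on a collision is only illustrative.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, transport port)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care',
    so 'permit 10.1.1.0 0.0.0.255' matches any address in 10.1.1.0/24."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class PatTable:
    """Overloaded NAT (PAT): all permitted inside hosts share ONE inside global
    address; the port number keeps each flow unique in the table."""

    def __init__(self, inside_global: str, acl: Tuple[str, str]) -> None:
        self.inside_global = inside_global
        self.acl = acl                   # (network, wildcard) of access-list 1
        self.out: Dict[Flow, int] = {}   # inside local flow -> inside global port
        self.back: Dict[int, Flow] = {}  # inside global port -> inside local flow
        self.next_free = 1024            # constructed allocator; IOS picks its own ports

    def outbound(self, src_ip: str, src_port: int) -> Optional[Flow]:
        """Translate a packet entering the 'ip nat inside' interface. Returns the new
        (inside global, port) source, or None when the ACL does not match (untranslated)."""
        if not wildcard_match(src_ip, *self.acl):
            return None
        flow = (src_ip, src_port)
        if flow not in self.out:
            # keep the host's own port when it is free; on a collision allocate another
            gport = src_port if src_port not in self.back else self._alloc()
            self.out[flow] = gport
            self.back[gport] = flow
        return (self.inside_global, self.out[flow])

    def _alloc(self) -> int:
        while self.next_free in self.back:
            self.next_free += 1
        port, self.next_free = self.next_free, self.next_free + 1
        return port

    def inbound(self, dst_port: int) -> Optional[Flow]:
        """Reverse-translate a reply to inside_global:dst_port. None means there is
        no table entry, so the router has nothing to map it to and drops it."""
        return self.back.get(dst_port)


def demo() -> list:
    # constructed flows modelled on the page's PAT table
    pat = PatTable("170.168.2.2", ("10.1.1.0", "0.0.0.255"))
    a = pat.outbound("10.1.1.2", 1723)     # first user of port 1723 keeps it
    b = pat.outbound("10.1.1.1", 1024)     # 1024 is free, kept as well
    c = pat.outbound("10.1.1.3", 1723)     # collision on 1723 -> allocated port
    d = pat.outbound("192.168.9.9", 5000)  # not permitted by the ACL -> untranslated
    return [a, b, c, d, pat.inbound(1723), pat.inbound(c[1]), pat.inbound(9)]
```

Replies that arrive for a port with no table entry return None, which is why unsolicited inbound traffic cannot reach an inside host through PAT and why clearing the table (clear ip nat translation *) breaks every live connection.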
