Network Address Translation NAT - PowerPoint PPT Presentation

About This Presentation
Title:

Network Address Translation NAT

Description:

IP addresses assigned to hosts on the internal network. ... Outside local addresses. ... These addresses are known by external hosts but may not be known by ... – PowerPoint PPT presentation

Number of Views:337
Avg rating:3.0/5.0
Slides: 17
Provided by: johnmc1

Transcript and Presenter's Notes

Title: Network Address Translation NAT


1
Network Address Translation (NAT)
  • TSM 352

2
Introduction
  • NAT is a feature that dynamically modifies the
    contents of IP packets flowing through the router
    so that the source and/or destination IP
    addresses are altered.
  • Packets leaving the router will have the source
    or destination address translated to a different
    IP address so an administrator can hide the IP
    addresses in use on an internal network behind a
    router performing NAT.
  • This technique is a requirement for organizations
    using addresses from the RFC 1918 unregistered
    address space or using IP addresses that are
    registered to other organizations.

3
Introduction, cont
  • NAT is most often used at administrative domain
    boundaries such as the Internet or connections
    between different organizations.
  • NAT is useful not only for organizations that do
    not have registered IP addresses, but also for
    organizations that have a registered IP address
    range but have more hosts than can be
    accommodated by the number of addresses.
  • Unregistered addresses may be used internally and
    registered addresses used only when packets
    communicate with external networks.
  • The NAT process is transparent to both source and
    destination hosts for most applications.

4
Shortcomings
  • The central difficulty with NAT is that some
    applications embed the original source IP address
    in the data portion of the IP packet. Therefore,
    after undergoing NAT, the source IP address of
    the packet does not match the IP address embedded
    in the data portion of the packet.
  • Applications which embed the IP address in the
    data portion of the packet function improperly if
    the source IP address in the IP header does not
    match the source IP address embedded in the data
    portion of the packet.
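The mismatch described on this slide, worked through for FTP, whose PORT command carries the client's own address as "h1,h2,h3,h4,p1,p2". This is an added example, not code from the slides or from Cisco IOS: it contrasts a NAT that rewrites only the IP header with an application-layer gateway (ALG) that also rewrites the embedded address, and includes the consistency check a server or firewall can apply. The inside local and inside global addresses are the ones used elsewhere in the slides; the payload is a constructed sample.

```python
"""Why address-embedding applications break behind plain NAT (added example)."""
import re

# FTP PORT command: four address octets, then port = p1 * 256 + p2
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def parse_port(payload: str) -> tuple[str, int]:
    """Decode the address and port embedded in an FTP PORT command."""
    m = PORT_RE.fullmatch(payload)
    if not m:
        raise ValueError("not a PORT command")
    addr = ".".join(m.group(1, 2, 3, 4))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return addr, port


def build_port(addr: str, port: int) -> str:
    """Encode an address and port as an FTP PORT command."""
    return "PORT %s,%d,%d\r\n" % (addr.replace(".", ","), port // 256, port % 256)


def translate_header_only(header_src: str, payload: str, inside_global: str) -> tuple[str, str]:
    """Plain NAT: the IP header source becomes the inside global address, the payload is untouched."""
    return inside_global, payload


def translate_with_alg(header_src: str, payload: str, inside_global: str) -> tuple[str, str]:
    """NAT with an FTP ALG: the address embedded in the payload is rewritten as well."""
    addr, port = parse_port(payload)
    if addr == header_src:
        payload = build_port(inside_global, port)
    return inside_global, payload


def header_matches_payload(header_src: str, payload: str) -> bool:
    """Consistency check: does the embedded address agree with the IP header source?"""
    addr, _ = parse_port(payload)
    return addr == header_src


def demo() -> tuple[bool, bool, str]:
    """Constructed sample: inside local 10.1.1.100 behind inside global 171.100.1.1."""
    local, glob = "10.1.1.100", "171.100.1.1"
    payload = build_port(local, 50000)          # "PORT 10,1,1,100,195,80\r\n"
    plain = translate_header_only(local, payload, glob)
    alg = translate_with_alg(local, payload, glob)
    # plain NAT leaves a mismatch the server will act on; the ALG keeps them consistent
    return header_matches_payload(*plain), header_matches_payload(*alg), alg[1]


if __name__ == "__main__":
    print(demo())
```

Note that the rewritten PORT line is one byte longer than the original, so a real ALG must also adjust TCP sequence and acknowledgement numbers for the rest of the connection; this is one reason payload-embedding protocols need explicit NAT support rather than generic header translation.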

5
Applications Supported by Cisco NAT
  • Any TCP/UDP traffic that does not carry the
    source or destination IP address as data
  • Plus the following applications that carry IP
    addresses in the data portion of the IP packet:
  • ICMP
  • FTP
  • NetBIOS over TCP (except session services)
  • RealAudio
  • CUSeeMe (White Pines)
  • Streamworks
  • DNS "A" and "PTR" queries
  • H.323 (NetMeeting)
  • VDOLive
  • Vxtreme

6
Not Supported by Cisco NAT
  • IP Multicast
  • DNS Zone Transfers
  • BOOTP
  • Talk, ntalk
  • SNMP
  • NetShow

7
NAT Terminology
  • Inside local address. IP addresses assigned to
    hosts on the internal network. These addresses
    are normally only known by internal hosts.
  • Inside global address. IP addresses assigned to
    internal hosts by the NAT process; the addresses
    of internal hosts as seen by external hosts.
  • Outside local addresses. IP addresses assigned to
    external hosts by the NAT process; the addresses
    of external hosts as seen by internal hosts.
  • Outside global addresses. IP addresses assigned
    to hosts on the external network. These addresses
    are known by external hosts but may not be known
    by internal hosts.

8
NAT Terminology cont
  • Inside addresses are used by the internal network
    and may or may not be translated.
  • Outside addresses are used by external networks
    and also may or may not be translated.
  • The term local refers to addresses as seen by
    internal hosts.
  • The term global refers to addresses as seen by
    external hosts.
  • Note that outside local and outside global
    addresses may be the same if outside addresses
    are not being translated by NAT. That is, the
    addresses of external hosts may be the same on
    external networks as on the internal network. In
    fact, this is usually the case.

9
NAT Terminology cont
  • The easiest way to remember this terminology is
    that the first word, inside or outside, reflects
    the origination of the packet.
  • The terms inside local and inside global address
    both indicate that the packet originated from the
    inside network.
  • The second word, local or global, indicates where
    the addresses are seen.
  • Local addresses are seen locally on the inside
    network.
  • Global addresses are seen globally on the outside
    network.
  • An inside local address originated from the
    inside network and that is how the addresses are
    seen on the inside network. These addresses would
    not have undergone NAT since they originated on
    the inside and are being seen by inside devices.
  • Conversely, inside global addresses originated
    from the inside network but are being viewed on
    the outside network. These addresses would
    normally be the NAT translated addresses.

10
Enabling NAT step 1
  • First, you need to determine the interfaces on
    which you will enable NAT and whether they will
    be an inside or outside interface.
  • Normally, the interface that connects to your
    internal network will be the NAT inside and any
    interfaces that connects to external networks,
    such as the Internet, will be the NAT outside
    interface.
  • The syntax of the interface command is
  • ip nat {inside | outside}

11
Enabling NAT step 2
  • Once you have determined the interfaces where you
    will enable NAT, you must then determine your
    inside global addresses. Remember from our
    definitions that these will be the addresses that
    are seen on external networks for packets
    originating from the internal network. These will
    normally be the translated addresses.
  • The translated addresses to be used can be
    dynamic or static.
  • We define this pool of addresses with the ip nat
    pool command
  • ip nat pool name start-ip end-ip {netmask netmask
    | prefix-length prefix-length} [type rotary]
  • Examples
  • ip nat pool test 171.100.1.1 171.100.1.50 netmask
    255.255.255.0
  • ip nat pool test 171.100.1.1 171.100.1.50
    prefix-length 24

12
Enabling NAT step 3
  • Once we define a NAT pool, the router will pick
    the first address available from the pool when a
    new mapping from an inside local address needs to
    be made to an inside global address. You cannot
    determine beforehand which address will be chosen
    from the pool.
  • If you need a predetermined IP address mapping
    from an inside local address to an inside global
    address, you will need to use a static mapping.
    We will see an example of this later.
  • In the ip nat pool command syntax, the rotary
    keyword is used to have an available pool of
    inside local IP addresses mapped to the same
    inside global IP. This is useful, for example, if
    you have a busy Web site and want to have
    multiple servers answer incoming Web requests to
    the same IP address.

13
Enabling NAT step 4
  • Once you have created a pool of available inside
    global addresses, you need to specify which
    packets will be allowed to obtain addresses from
    the pool by using an access list with the ip nat
    inside source command. You can also specify
    static mappings between inside local and inside
    global addresses. With either method you use the
    ip nat inside source command as shown here
  • ip nat inside source {list access-list-number
    pool name [overload] | static local-ip global-ip}
  • Examples
  • ip nat inside source list 101 pool test
  • ip nat inside source static 10.1.1.100
    171.100.1.1

14
Enabling NAT step 5
  • When used with the list keyword, this command
    specifies that packets matching the access list
    named after list are allowed to obtain addresses
    from the NAT pool named after pool.
  • The overload keyword specifies that port address
    translation (PAT) is to be enabled. PAT allows
    translation of many inside local addresses to a
    single inside global address by maintaining
    TCP/UDP port information as well as IP address
    information in the NAT translation table.
  • This feature is useful in situations with a
    limited number of inside global addresses. The
    single PAT address can be the same IP address as
    that of the NAT outside interface, which is
    useful in companies with only one available
    address from an ISP. In most configurations, the
    Internet connected router must itself have a
    globally routable IP address, so it is useful to
    use this same address as the PAT address. An
    alternative syntax can be used in this situation
  • ip nat inside source list access-list-number
    interface interface-name overload
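Steps 1 to 5 and the terminology on slides 7 to 9 describe a translation table that the router builds as packets cross from the inside interface to the outside one. The following is an added example, not code from the slides or from Cisco IOS, that models that table: dynamic allocation of the first free inside global address from a pool (and what happens when the pool is exhausted), a static mapping, and PAT/overload, where many inside local addresses share one inside global address and are told apart by the translated source port. The pool and inside addresses are the ones from the slides' examples; the outside host 198.51.100.7 and the port numbers are constructed sample values, and the port allocation order is a simplification.

```python
"""Toy model of a NAT/PAT translation table (added example, not IOS code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str          # inside local address on the way out, outside global on the way in
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PoolExhausted(Exception):
    """No free inside global address is left in the dynamic pool."""


@dataclass
class Nat:
    pool: list[str]                        # ip nat pool ...: inside global addresses
    permitted: ipaddress.IPv4Network       # access list applied with the list keyword
    static: dict[str, str] = field(default_factory=dict)   # ip nat inside source static
    overload: bool = False                 # PAT: every inside local shares pool[0]
    dynamic: dict[str, str] = field(default_factory=dict)  # inside local -> inside global
    # PAT entries: (proto, inside local, local port) -> (inside global, global port)
    pat: dict[tuple[str, str, int], tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024                  # simplification: allocate ports sequentially

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to an inside global address."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if ipaddress.IPv4Address(pkt.src) not in self.permitted:
            return pkt  # not matched by the access list: forwarded untranslated
        if self.overload:
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            gaddr, gport = self.pat[key]
            return Packet(gaddr, gport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.src not in self.dynamic:
            in_use = set(self.dynamic.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                raise PoolExhausted(f"no inside global address left for {pkt.src}")
            self.dynamic[pkt.src] = free[0]   # first available address, as on the slide
        return Packet(self.dynamic[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Outside -> inside: map the inside global destination back to the inside local host.
        Returns None when no table entry exists, i.e. the packet cannot be delivered inside."""
        for (proto, local, lport), (gaddr, gport) in self.pat.items():
            if (pkt.proto, pkt.dst, pkt.dport) == (proto, gaddr, gport):
                return Packet(pkt.src, pkt.sport, local, lport, pkt.proto)
        for local, glob in {**self.dynamic, **self.static}.items():
            if glob == pkt.dst:
                return Packet(pkt.src, pkt.sport, local, pkt.dport, pkt.proto)
        return None


def demo_dynamic() -> list[str]:
    """Two-address pool, three hosts: the third host gets no inside global address."""
    nat = Nat(pool=["171.100.1.1", "171.100.1.2"],
              permitted=ipaddress.IPv4Network("10.1.1.0/24"))
    seen = []
    for host in ("10.1.1.10", "10.1.1.11"):
        seen.append(nat.outbound(Packet(host, 40000, "198.51.100.7", 80)).src)
    try:
        nat.outbound(Packet("10.1.1.12", 40000, "198.51.100.7", 80))
    except PoolExhausted:
        seen.append("exhausted")
    return seen


def demo_overload() -> tuple[list[tuple[str, int]], Packet | None]:
    """PAT: both hosts leave as 171.100.1.1 with distinct ports; the reply is routed back by port."""
    nat = Nat(pool=["171.100.1.1"], permitted=ipaddress.IPv4Network("10.1.1.0/24"),
              overload=True)
    out = [nat.outbound(Packet(h, 40000, "198.51.100.7", 80)) for h in ("10.1.1.10", "10.1.1.11")]
    reply = Packet("198.51.100.7", 80, out[1].src, out[1].sport)   # server answers the second host
    return [(p.src, p.sport) for p in out], nat.inbound(reply)


if __name__ == "__main__":
    print(demo_dynamic())
    print(demo_overload())
```

The inbound lookup is the security-relevant part: an outside packet that matches no translation entry has nowhere to go, which is why hosts behind dynamic NAT or PAT are not reachable from outside until they have initiated a session, and why the static mapping on step 4 (or the rotary pool on step 3) is needed for a server that must accept unsolicited inbound connections.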

15
Our Configuration Part 1
  • ! Go to the configuration terminal mode
  • enable
  • conf t
  • ! Now move to the configuration mode for the Fast
    Ethernet interface 0/0 (the inside interface)
  • int fa0/0
  • !
  • ! Set up the IP address and netmask
  • ip address 192.168.1.254 255.255.255.0
  • ! Turn it on
  • no shutdown
  • ! Set duplex to half to accommodate our hubs
  • duplex half
  • ! Move to the configuration mode for the other
    interface (the outside interface)
  • int fa0/1
  • ! Set up the IP address and netmask (use the IP
    address supplied in the address assignment
    table for your island)
  • ip address 216.249.144.xxx 255.255.255.128
  • ! Turn it on
  • no shutdown

16
Our Configuration Part 2
  • ! Now set up a pool of NAT addresses
  • ! Use the range of addresses listed in the
    Address Assignment table for your island
  • ! We will call this pool outlan
  • ip nat pool outlan 216.249.144.???
    216.249.144.??? netmask 255.255.255.128
  • ! Now set up a list of addresses on the inside
    that are allowed to use NAT (all of our inside
    addresses)
  • access-list 1 permit 192.168.1.0 0.0.0.255
  • ! Now apply this list to the NAT pool
  • ip nat inside source list 1 pool outlan
  • ! Now turn on natting on the outside interface
  • int fa0/1
  • ip nat outside
  • ! ... and for the inside interface
  • int fa0/0
  • ip nat inside
  • ! Write this setup to non-volatile RAM
  • exit
  • write memory