Address Translation commonly referred to as either NAT or PAT is the process of altering traffic as it passes through a router so that it appears to come from different addresses. Address translation is particularly useful due to the limited supply of IPv4 addresses. Networks can have a much larger number of internal-only addresses behind a smaller number (usually one) public internet address.
The translation process is performed by a router usually on the edge of a network, connecting to an internet service provider. In routed networks usually just the source and destination MAC address are changed as they pass through routers, with address translation the source IP address (and port) is also changed.
Generally speaking, there are two types of address translation:
- NAT
Network Address Translation translates the source address to one from a list of public addresses. The downside to this approach is that for each internal host on the network you also need an external address. - PAT
Port Address Translation usually has a single outside IP address and alters the source port when traffic leaves the router, that way traffic can be mapped back to internal addresses
Cisco has a few different NAT configurations depending on the scenario, I’ll cover them in more detail below. Before we get started, let’s assume we have the following configuration:
! Internal interface representing a LAN interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 ! Outside interface representing the internet interface FastEthernet0/2 ip address 1.1.1.1 255.255.255.0
The first thing we need to do is specify which interface is inside our network and which is outside:
Router(config)# int Fa0/1 Router(config-if)# ip nat inside Router(config-if)# int Fa0/2 Router(config-if)# ip nat outside
When executing the “ip nat inside/outside” commands the router may hang for a second, it’s normal behaviour. This doesn’t usually happen in Packet Tracer but may do on production devices.
Dynamic NAT
Dynamic NAT is what was traditionally NAT. Inside hosts are each translated to their own outside address. It’s referred to as dynamic because once communication stops the outside address is freed up for the next internal host.
The first step is to setup a list, or “pool” of outside addresses to be used for translation. Lets say we have 10 addresses from our outside 1.1.1.1/24 network:
Router(config)# ip nat pool DynamicNAT 1.1.1.10 1.1.1.19 netmask 255.255.255.0
With our pool of external addresses assigned, we now need to create an ACL to group together all our inside network addresses that will be translated, in this case the entire 192.168.1.0/24 network:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Finally we create the dynamic NAT configuration, using our ACL and NAT pool:
Router(config)# ip nat inside source list 1 pool DynamicNAT
If we try and access a web-server on the “outside” interface from a PC on the “inside” interface, we can see the translation taking place on the router:
Router#sh ip nat translations Pro Inside global Inside local Outside local Outside global tcp 1.1.1.10:1026 192.168.1.2:1026 1.1.1.2:80 1.1.1.2:80
The next client would then get the 1.1.1.11 address and so on.
NAT Overload (PAT)
Overloading allows multiple inside IP addresses to be translated to a single outside address. This works by using the source port numebrs as a method of identifying translated inside addresses.
The first step is to create an ACL to group together all our inside network addresses that will be translated, in this case the entire 192.168.1.0/24 network:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
The next and final step is to configure the router to perform the translations:
Router(config)# ip nat inside source list 1 interface FastEthernet0/2 overload
One of the easy bits of the “ip nat” command to miss is the “overload” bit, without it only the first device to send traffic will be translated.
If we try and access a web-server on the “outside” interface from a PC on the “inside” interface, we can see the translation taking place on the router:
Router#sh ip nat translations Pro Inside global Inside local Outside local Outside global tcp 1.1.1.1:1025 192.168.1.2:1025 1.1.1.2:80 1.1.1.2:80
Static NAT
Static NAT maps an unspecified source address to a single IP address, typically used for port-forwarding from an external address. This works bidirectionally, so return traffic is automatically translated.
If we want to translate traffic for a web-server running on 192.168.1.100, we’d use the following command:
Router(config)# ip nat inside source static tcp 192.168.1.100 80 1.1.1.1 80
Once that’s in place, we can see the translation in place even when nothing is sending traffic.
Router#sh ip nat translations Pro Inside global Inside local Outside local Outside global tcp 1.1.1.1:80 192.168.1.100:80 --- ---
There is an additional type of NAT not mentioned herein, Overlapping NAT. Overlapping NAT is used when two networks share the same address information need to communicate. I’ll cover that another day.
The post Cisco Basics: NAT and PAT appeared first on Blog of Dave Hope.