nat latest

7/25/2019 NAT Latest

1/16

Network Address

Translation (NAT)

Copyright 2005 and Trademark by Wiley Publishing, Inc. All rights reserved.


2/16

At the end of Chapter 2, Internet Protocols of the Sybex CCNA

Study GuideStandard and CCNA Study GuideDeluxe Editions,

I provided a section called Introduction to Network Address

Translation. In it, I explained some basic terms, but Ive been hearing from readers that itdoesnt have enough information. I really have to expand on Network Address Translation

(NAT) in order to equip you with a thorough understanding of this very important topic.

So whats new here? Well, in this update, Im going to give you the skinny on NAT, Dynamic

NAT, and Port Address Translation (PAT)also known as NAT Overloadin a lot more

detail. And Im going to finish this update with an important hands-on lab so you can test your

understanding of these topics.

Im giving you this update with the assumption that youve read at least

through Chapter 6, Enhanced IGRP (EIGRP) and Open Shortest Path First

(OSPF), of the CCNA Study Guide. Of course, it will be even better if youve

read the entire book!

So When Do We Use NAT?NAT, at times, decreases the overwhelming amount of Public IP addresses required in your net-

working environment. And NAT comes in really handy when two companies that have dupli-

cate internal addressing schemes merge. NAT is also great to have around when an organization

changes its Internet Service Provider (ISP) and the networking manager doesnt want to hassle

with changing the internal address scheme.

Heres a list of situations when its best to have NAT on your side: You need to connect to the Internet and your hosts dont have globally unique IP addresses.

You change to a new ISP that requires you to renumber your network.

You require two intranets with duplicate addresses to merge.

You typically use NAT on a border router. For an illustration of this, check out Figure 1.1.

Okayso yeah. NATs totally cool. Its the grooviest greatest network gadget, and you just

gotta have itright? Well, hang on a minute. There are truly some serious snags related to NAT

use. Ohdont get me wrong. It really can save you sometimes, but theres a dark side you needto know about too! To give you a visual of the pros and cons linked to using NAT, check out

Table 1.1.



3/16

Types of Network Address Translation 3

F I G U R E 1 . 1 Where to configure NAT

The most obvious advantage associated with NAT is that it allows you to con-

serve your legally registered address scheme. And by the way, this is the rea-

son we havent run out of IPv4 addressesthink about it.

Types of Network Address Translation

Next, Im going to go over the three types of NAT with you:

Static NAT This type of NAT is designed to allow one-to-one mapping between local and

global addresses. Keep in mind that the static flavor requires that you have one real Internet

IP address for every host on your network.

T A B L E 1 . 1 Advantages and Disadvantages of Implementing NAT

Advantages Disadvantages

Conserves legally registered addresses Translation introduces switching path delays

Reduces address overlap occurrence Loss of end-to-end IP traceability

Increases flexibility when connecting to

Internet

Certain applications will not function with

NAT enabled.

Eliminates address renumbering asnetwork changes

Corporate Engineering Sales

Internet



4/16

4 Network Address Translation (NAT)

Dynamic NAT This version gives you the ability to map an unregistered IP address to a reg-

istered IP address from out of a pool of registered IP addresses. You dont have to statically con-

figure your router to map an inside to an outside address like you would using static NAT, but

you do have to have enough real, bona-fide IP addresses for everyone whos going to be sending

packets to and from the Internet.

Overloading Okayhere it is peoplethe most popular type of NAT configuration! Under-

stand that overloading really is a form of dynamic NAT that maps multiple unregistered IP

addresses to a single registered IP addressmany-to-oneby using different ports. Now, why

is this so special? Well, because its also known as Port Address Translation, or, PAT. And by

using PAT, (NAT Overload), you get to have thousands of users connect to the Internet usingonly one real global IP addresspretty slick, yeah? Seriously, NAT Overload is truly the reason

we havent run out of valid IP address on the Internet! ReallyIm not joking.

No worries Ill show you how to configure all three types of NAT in the hands-on

lab at the end of this update!

NAT Names

The names we use to describe the addresses used with NAT are pretty simple. Addresses used

after NAT translations are calledglobaladdresses. These are usually the public addresses used

on the Internet, but remember, you dont need public addresses if you arent going on the Inter-

netright?Local addresses are the ones we use before NAT translation. So, the inside local address is

actually the private address of the sending host thats trying to get to the Internet, while the out-

side local address is the address of the destination host. The latter is usually a public address

(web address, mail server, etc) and is how the packet begins its journey.

After translation, the inside local address is then called the inside global addressand the out-

side global address then becomes the name of the destination host. Check out Table 1.2, which

lists all this terminology for a clear picture of the various names used with NAT.

T A B L E 1 . 2 NAT Terms

Names Meaning

Local addresses Name of local hosts before translation

Global addresses Names of address after translation

Inside local Name of inside source address before translation



5/16

How NAT Works 5

How NAT Works

Okaynow its time to look at how this whole NAT thing works. Im going to start by using

Figure 1.2 to describe the basic translation of NAT:

In the example shown in Figure 1.2, host 10.1.1.1sends an outbound packet to the border

router configured with NAT. The router identifies the IP address as an inside local IP address

destined to an outside network and translates the address and documents the translation in the

NAT table.

F I G U R E 1 . 2 Basic NAT translation

Outside local Name of destination host before translation

Inside global Name of inside hosts after translation

Outside global Name of outside destination host after translation

T A B L E 1 . 2 NAT Terms (continued)

Names Meaning

10.1.1.3

10.1.1.2

Host B63.40.7.3

10.1.1.1

Internet

DA10.1.1.1

SA170.168.2.2

DA170.168.2.2

SA10.1.1.1

3

Inside

NAT Table

Inside LocalIP Address

10.1.1.3

10.1.1.2

10.1.1.1

Inside GlobalIP Address

170.168.2.4

170.168.2.3

170.168.2.2



6/16


The packet is sent to the outside interface with the new translated source address. The external

host returns the packet to the destination host and the NAT router translates the inside global IP

address back to the inside local IP address using the NAT table. This is as simple as it gets.Lets take a look at a more complex configuration using overloading, or what is also referred

to as Port Address Translation (PAT). Ill use Figure 1.3 to demonstrate how PAT works.

With overloading, all inside hosts get translated to one single IP addresshence the term

overloading. Again, the reason we have not run out of available IP addresses on the Internet is

because of overloading (PAT).

Take a look at the NAT table in Figure 1.3 again. In addition to the inside local IP address

and outside global IP address, we now have port numbers. These port numbers help the router

identify which host should receive the return traffic.

Port numbers are used at the Transport layer to identify the local host, in this example. If

we had to use IP addresses to identify the source hosts, that would be called static NATand we

would run out of addresses. PAT allows us to use the Transport layer to identify the hosts,

which in turn, allows us to use (theoretically) up to 65,000 hosts with one real IP address.

F I G U R E 1 . 3 NAT overloading example (PAT)

10.1.1.3

10.1.1.2

Host B

63.40.7.3

Host C63.40.7.3

10.1.1.1

Internet

DA

10.1.1.1

SA

170.168.2.2

DA170.168.2.2

DA170.168.2.2

SA10.1.1.1

Inside

Protocol10.1.1.1

TCP

TCP

TCP

Inside Local IPAddress: Port

10.1.1.3:1723

10.1.1.2:1723

10.1.1.1:1024

Inside Global IPAddress: Port

170.168.2.2:1492

170.168.2.2:1723

170.168.2.2:1024

Outside Global IPAddress: Port

63.41.7.3:23

63.41.7.3:23

63.40.7.3:23

NAT Table



7/16

How NAT Works 7

Static NAT Configuration

Lets take a look at a simple basic static NAT configuration.

ip nat inside source static 10.1.1.1 170.46.2.1

!

interface Ethernet0

ip address 10.1.1.10 255.255.255.0

ip nat inside

!

interface Serial0

ip address 172.46.2.1 255.255.255.0

ip nat outside

!

In the above router output, the ip nat inside sourcecommand identifies what IP

addresses will be translated. In this configuration example, the ip nat inside sourcecom-

mand configures a statictranslation between the inside local IP address 10.1.1.1 to the outside

global IP address 170.46.2.2.

If we look further down in the configuration, we see that we have an ip natcommand under

each interface. The ip nat insidecommand identifies that interface as an inside source. The

ip nat outsidecommand identifies that interface as an outside source.

Dynamic NAT Configuration

Dynamic NAT means that we have a pool of addresses that we will use to provide real IPaddresses to a group of users on the inside. We do not use port numbers, so we have to have real

IP addresses for every user trying to get outside the local network.

Here is a sample output of a dynamic NAT configuration:

ip nat pool dyn-nat 170.168.2.2 170.168.2.254 netmask 255.255.255.0

ip nat inside source list 1 pool dyn-nat

!

interface Ethernet0

ip address 10.1.1.10 255.255.255.0

ip nat inside

!

interface Serial0

ip address 170.168.2.1 255.255.255.0

ip nat outside

!

access-list 1 permit 10.1.1.0 0.0.0.255

!



8/16


The ip nat inside source list 1 pool dyn-nat command tells the router to translate

IP addresses that match access-list 1to an address found in the IP NAT pool named dyn-nat.

The ip nat pool dyn-nat 170.168.2.2 192.168.2.254command creates a pool ofaddresses that will be distributed to those hosts that require NAT.

PAT (Overloading) Configuration

This last example shows how to configure inside global address overloading. This is the typical

NAT that we would use today. It is rare that we would use static or dynamic NAT unless we

were statically mapping a server, for example.

Here is a sample output of a PAT configuration:

ip nat pool globalnet 170.168.2.1 170.168.2.1

netmask 255.255.255.0

ip nat inside source list 1 pool globalnet overload

!

interface Ethernet0/0

ip address 10.1.1.10 255.255.255.0ip nat inside

!

interface Serial0/0

ip address 170.168.2.1 255.255.255.0

ip nat outside

!


The nice thing about PAT is that the only difference with this configuration and the previous

dynamic NAT configuration is that our pool of addresses has shrunk to only one IP address, and

at the end of our ip nat inside sourcecommand we included the overloadcommand.

Verifying NAT

Once you have configured the type of NAT you are going to use, typically overload (PAT), you

need to be able to verify the configuration.To see basic IP address translation information, use the following command:

Router#show ip nat translation

When looking at the IP NAT translations, you may see many translations from the same host

to the same host at the destination. This is typical of many connections to the Web.



9/16

Testing Your Understanding 9

In addition, you can verify your NAT configuration with the debug ip natcommand. This out-

put will show the sending address, the translation, and the destination address on each debug line.

Router#debug ip nat

How do you clear your NAT entries from the translation table? Use the clear ip nat

translationcommand. To clear all entries from the NAT table, use the asterisks (*).

Testing Your Understanding

Before we move on to the hands-on lab section of this update, lets go through a couple NAT

examples and see if you can determine the configuration that needs to be used.

Look at Figure 1.4. Where would you implement NAT in this design, and what type of NAT

would you configure?

F I G U R E 1 . 4 NAT example

In Figure 1.4, the NAT configuration would be placed on the corporate router and the con-

figuration would be dynamic NAT with overload (PAT).

In the next NAT example, what type of NAT is being used?

Ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0

The above command uses dynamic NAT. The poolin the command gives the answer away.

In the next NAT example, well use Figure 1.5 to see if we can figure out the configura-

tion needed.

Corporate Engineering Sales

Internet



10/16


F I G U R E 1 . 5 Another NAT example

The example in Figure 1.5 shows a border router that needs to be configured with NAT that

will allow six public IP address using 198.18.131.65-70. On the inside network, you have 63

hosts that use the private addresses of 192.168.10.129through 190. What would your NAT

configuration be on the border router?

ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255.255.248


ip nat inside source list 1 pool Todd overload

The command ip nat pool Todd 198.18.131.65 198.18.131.70 netmask 255.255

.255.248sets the pool name as Todd and creates a dynamic pool of addresses for the NAT

to use from 65 to 70. Instead of the netmaskcommand, you can also use the prefix-

length 29statement. No, you cannot do this on router interfaces as wellI knew what youwere thinking!

If you do not understand the second line where the access-listis set, please see Chapter 10,

Managing Traffic with Access Lists of the CCNA Study Guide.

The command ip nat inside source list 1 pool Todd overloadcommand sets the

dynamic pool to use Port Address Translation (PAT) by using the overload command.

Be sure to add the ip nat insideand ip nat outsidestatements on the appropriate

interfaces.

Hands-on Lab: Network Address

Translation

In this lab, you will configure NAT on router Lab_A to translate the private IP address of

192.168.10.0 to a public address of 171.16.10.0. I use three 2500 routers and one 2600 seriesrouter, but you can use any type of routers for this lab. (The 2600 series router is the Lab_A router)

Table 1.3 shows the commands we will use and the purpose of each command.

ISP

Lab_A192.1.2.110S0/1

S0/0192.1.2.109

Console

F0/0192.168.10.126



11/16

Hands-on Lab: Network Address Translation 11

T A B L E 1 . 3 Command Summary for NAT/PAT Hands-on Lab

Command Purpose

ip nat inside source list acl pool name Translates IPs that match the ACL fromthe Pool

Ip nat inside source staticinside_addr outside_addr

Statically maps an inside address to anoutside address

IP nat pool name Creates an address Pool

IP nat inside Set an interface to be an inside interface

IP nat outside Set an interface to be an outside interface

Show ip nat translations Shows current NAT translations

R3

R2

R1

ISP

E0

E0

S0

S0/2

S0/0

S0/0



12/16


Step 1: Preparing for NAT

In this step, youll setup your routers with IP addresses and RIP routing.1. Configure the routers with the IP addresses listed here:

2. After you configure the routers, you should be able to ping from router to router, but since

we do not have a routing protocol running until the next step, you can only verify from one

router to another, but not through the network until RIP is set up. You can use any routing

protocol you wish, I am just using RIP for simplicity sake. Lets just use a simple routing pro-

tocol to get this up and running.

3. On Lab_A, configure RIP routing, set a passive interface and configure the default network.

Lab_A#config t

Lab_A(config-router)#network 192.168.20.0

Lab_A(config-router)#network 171.16.0.0

Lab_A(config-router)#passive-interface s0/2

Lab_A(config-router)#exit

Lab_A(config)#ip default-network 171.16.10.1

The passive-interfacecommand stops RIP updates from being sent to the ISP and the

ip default-networkcommand advertises a default network to the other routers so they

know how to get the Internet.

4. On Lab_B, configure RIP routingLab_B#config t

Lab_B(config)#router rip

Lab_B(config-router)#network 192.168.30.0

Lab_B(config-router)#network 192.168.20.0

5. On Lab_C, configure RIP routing, but also use the passive-interfacecommand since

there is no reason to send our routing table to the ISP.

Lab_C#config t

Lab_C(config)#router rip

Lab_C(config-router)#network 192.168.30.0

Router Interface IP Address

ISP S0 171.16.10.1/24

Lab_A S0/2 171.16.10.2/24

Lab_A S0/0 192.168.20.1/24

Lab_B S0 192.168.20.2/24

Lab_B E0 192.168.30.1/24

Lab_C E0 192.168.30.2/24



13/16


6. On the ISP Router, configure a default route to the corporate network

ISP#config t

ISP(config)#ip route 0.0.0.0 0.0.0.0 s0

7. Configure the ISP router so you can telnet into the router without being prompted for

a password

ISP#config t

ISP(config)#line vty 0 4

ISP(config-line)#no login

8. Verify that you can ping from the ISP router to the Lab_C router and from the Lab_C

router to the ISP router. If you cannot, troubleshoot your network.

Step 2: Configuring Dynamic NAT

In this step, youll configure dynamic NAT on the Lab_A router.

1. Create a pool of address called GlobalNet on the Lab_A router. The pool should contain

a range of addresses of 171.16.10.50 through 171.16.10.55.Lab_A(config)#ip nat pool GlobalNet 171.16.10.50 171.16.10.55 net255.255.255.0

2. Create access-list 1. This list permits traffic from the 192.168.20.0 and 192.168.30.0 net-

work to be translated.

Lab_A(config)#access-list 1 permit 192.168.20.0 0.0.0.255


3. Map the access list to the pool that was created.

Lab_A(config)#ip nat inside source list 1 pool GlobalNet

4. Configure serial 0/0 as an inside NAT interface.

Lab_A(config)#int s0/0

Lab_A(config-if)#ip nat inside

5. Configure serial 0/2 as an outside NAT interface.Lab_A(config-if)#int s0/2

Lab_A(config-if)#ip nat outside

6. Log in to the Lab_C router. Telnet from the Lab_C router to the ISP router.

Lab_C#telnet 171.16.10.1

7. Log in to the Lab_B router. Telnet from the Lab_B router to the ISP router.

Lab_B#telnet 171.16.10.1



14/16


8. Execute the command show usersfrom the ISP router. (This shows who is accessing the

VTY lines)

ISP#show users

What does it show as your source IP Address?________________

What is your Real Source IP address?__________________

The show usersoutput should look something like this:

ISP>sh users

Line User Host(s) Idle Location

0 con 0 idle 00:03:32

2 vty 0 idle 00:01:33 171.16.10.50

* 3 vty 1 idle 00:00:09 171.16.10.51

Interface User Mode Idle Peer Address

ISP>

Notice that there is a one-to-one translation. Which means you must have areal IP address for every host that wants to get to the Internet, which is not

always possible.

9. Leave the session open on the Core and connect to Lab_A. (use the Ctrl, Shift, 6, let go and

then press X).

10. Log in to your Lab_A router and view your current translations by entering the show ip

nat translationcommand. You should see something like this:

Lab_A#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 171.16.10.50 192.168.30.2 --- ---

--- 171.16.10.51 192.168.20.2 --- ---

Lab_A#

Oh my gosh, this really works!

11. If you turn on debug ip naton the Lab_A router and then ping through the router, youwill see the actual NAT process take place, which will look something like this:

00:32:47: NAT*: s=192.168.30.2->171.16.10.50, d=171.16.10.1 [5]

00:32:47: NAT*: s=171.16.10.1, d=171.16.10.50->192.168.30.2



15/16


Step 3: Configuring PAT

In this step, youll configure Port Address Translation (PAT) on the Lab_A router. We will usePAT because we dont want a one-to-one translation, which want to just use one IP address for

every user on the network.

1. On the Lab_A router, delete the translation table and remove the dynamic NAT pool

Lab_A#clear ip nat translation *

Lab_A#config t

Lab_A(config)#no ip nat pool GlobalNet 171.16.10.50 171.16.10.55 netmask

255.255.255.0Lab_A(config)#no ip nat inside source list 1 pool GlobalNet

2. On the Lab_A router, create a NAT pool with one address called Lammle. The pool should

contain a single address 171.16.10.100 Enter the command below:

Lab_A#config t

Lab_A(config)#ip nat pool Lammle 171.16.10.l00 171.16.10.100 net 255.255.255.0

3. Create access-list 2. It should permit networks 192.168.20.0 and 192.168.30.0 to

be translated.



4. Map the access-list 2 to the new pool, allowing PAT to occur by using the overload

command.

Lab_A(config)#ip nat inside source list 2 pool Lammle overload

5. Login to the Lab_C router and telnet to the ISP router; Also, login to the Lab_B router and

telnet to the ISP router.

6. From the ISP router use the show userscommand. The output should look like this:

ISP>sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:00:39 171.16.10.51

4 vty 2 idle 00:00:37 171.16.10.50

Interface User Mode Idle Peer Address

ISP>



16/16


7. From the Lab_A router use the show ip nat translationscommand.

Lab_A#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 171.16.10.100:11001 192.168.20.2:11001 171.16.10.1:23 171.16.10.1:23

tcp 171.16.10.100:11002 192.168.30.2:11002 171.16.10.1:23 171.16.10.1:23

tcp 171.16.10.100:1024 192.168.20.2:11002 171.16.10.1:23 171.16.10.1:23

8. Also make sure that the debug ip natcommand is on the Lab_A router. If you ping from

the Lab_C router to the ISP router, the output will look like this:

01:12:36: NAT: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [35]01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [35]

01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [36]

01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [36]

01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [37]

01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [37]

01:12:36: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [38]

01:12:36: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [38]

01:12:37: NAT*: s=192.168.30.2->171.16.10.100, d=171.16.10.1 [39]

01:12:37: NAT*: s=171.16.10.1, d=171.16.10.100->192.168.30.2 [39]


nat latest

Documents