In a simple way, we can say that NAT (Network Address Translation) allows us to translate the source and/or destination addresses of an IP packet. There are several reasons for this, like save IP addresses or to hide entire networks. NAT is an example of a well-designed technology. Thanks to it we managed to delay the implementation of IPv6.

Let’s see now some basic concepts about NAT:

  • Inside Local IP. It is how the internal address is seen from the viewpoint of internal hosts. From the LAN perspective is the real host IP.
  • Inside Global IP. It is how the internal address is seen from the viewpoint of outside hosts. From the outside network perspective is the translated address of the internal host.
  • Outside Local IP. It is how the external address is seen from the viewpoint of internal hosts. From the LAN perspective is the translated address of the external host.
  • Outside GLobal IP. It is how the external address is seen from the viewpoint of outside hosts. From the LAN perspective is the real address of external host.

Internal translation is used frecuently in current networks. In the case we have 7000 hosts in our LAN and we want every host to access the Internet, we should have one public IP address for each of them. Such an achievement is quite expensive, or if we take money out of the way our ISP does not even have for us.

NAT is the solution. We can translate all IP addresses on our LAN to a single public IP address using NAT overload. The first question that comes to mind is how the router can distinguish the packets after returning from the Internet. NAT additionally translates the source port in Layer 4 header. Initially rewrites the packets by changing the source IP. If another host initiates a connection using the same port, the router generates another translation by using the next free port.

Based on this simple mechanism, the router is able to create 64511 (65535-1024) unique sessions to a single public IP address. Remember that this awesome level of translation it is not recommended. The maximum recommended number of translations per IP is 400.

Another example of NAT translation is 1-1. This allows us to hide the actual address of a computer (typically in RFC1918) with a public IP address.

Topology

NAT and PAT

NAT Overload

This is a tipical configuration:

For FastEthernet0/0, we need to define that it will be the internal interface, using the ip nat inside command.

R1# show running-config | section FastEthernet0/0
interface FastEthernet0/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
R1#

For FastEthernet0/1, we say it will be the outside interface with ip nat outside.

R1# show running-config | section FastEthernet0/1
  interface FastEthernet0/1  ip address 10.0.0.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
R1#

We also need an access list that defines traffic, or the range of addresses we want translated.

R1# show ip access-list
Extended IP access list lannat 
10 permit ip 192.168.1.0 0.0.0.255 any (1 match)
R1#

And finally we need to specify the translation rule. In this case we’ll say that all the traffic that matches the ACL lannat, will be overloades with the IP address of interface_FastEthernet0/1_.

R1# show running-config | include overload
  ip nat inside source list lannat interface FastEthernet0/1 overload
R1#

Now we can see that the first thing that happens on the router is the creation of a virtual interface NVI0 (NAT Virtual Interface). This one really avoid us from the task of defining internal or external interfaces. We could only use the ip nat enable command. Let’s skip this now.

R1# show ip interface brief | exclude unassigned
Interface         IP-Address  OK?  Method     Status  Protocol
FastEthernet0/0   192.168.1.1 YES  manual     up      up
FastEthernet0/1   10.0.0.1    YES  manual     up      up
NVI0              192.168.1.1 YES  unset      up      up
R1#

This is the translations table generated in the memory of the router wen we start to generate network traffic:

R1# show ip nat translations
Pro Inside global Inside local     Outside local Outside global
icmp 10.0.0.1:512 192.168.1.10:512  10.0.0.100:512 10.0.0.100:512
tcp 10.0.0.1:1182 192.168.1.10:1182 10.0.0.100:80  10.0.0.100:80
tcp 10.0.0.1:1183 192.168.1.10:1183 10.0.0.100:80  10.0.0.100:80
R1#

As we see, entries are created following the guidelines given by the commands above. Look at the last 2 ones. The first one was built for a connection from PC to the Server on port 80. The next is exactly the same with the difference that as the router already had a translation it rewrote the source port giving the next book. Thus, the router may return traffic back to the correct host. If nothing is done, there would be no way to know which host to send the return traffic.

Static NAT

Starting with the same topology, now we’ll do a 1-1 NAT so that will map the internal IP with the public one. This way only this host will access the external network. And from the standpoint of the external network the host has the public IP.

R1# show running-config | include static
ip nat inside source static 192.168.1.10 interface FastEthernet0/1
R1#

Now the NAT table is some kind different:

R1# show ip nat translations
Pro Inside global  Inside local         Outside local   Outside global
tcp 10.0.0.1:1113  192.168.1.10:11133   10.0.0.100:3389 10:0.0.100:3389
tcp 10.0.0.1:3389  192.168.1.10:3389    10.0.0.100:1437 10.0.0.100:1437
--- 10.0.0.1       192.168.1.10         
---
---
R1#

Now there’s one entry, the last one, that is permanent and is the one that indicates we are doing 1-1 NAT. So the 192.168.1.10 is translated to the FastEthernet0/1 interface address.

Dynamic NAT

In this kind of NAT the router has a set of IP addresses what will be used to translate local addresses. Each connection will use IPs on the pool sequentially. This way, we can translate an entire internal network so it looks like addressing is different.

Configuration is a slightly different. First we need to choose which hosts will be translated. As always we use an ACL:

R2# sh ip access-l
Extended IP access list 101
10 permit ip 192.168.1.0 0.0.0.255 any (3 matches)
R2#

Now we need to set the pool. These will be the public IPs used for translation. In this example we called it_test_:

R2# sh run | s nat pool
ip nat pool test 10.0.0.150 10.0.0.155 netmask 255.255.255.0
R2#

And now the translation rule:

R2# sh run | s inside source
ip nat inside source list 101 pool test
R2#

As you see, addresses are being assigned sequentially:

R2# sh ip nat tra
Pro Inside global   Inside local       Outside local      Outside global
--- 10.0.0.151      192.168.1.1        
---                
---tcp 10.0.0.150:1086  192.168.1.10:1086  10.0.0.100:80      10.0.0.100:80
--- 10.0.0.150          192.168.1.10       
---                
---tcp 10.0.0.152:1112  192.168.1.11:1112  10.0.0.100:80      10.0.0.100:80
--- 10.0.0.152          192.168.1.11       
---                
---tcp 10.0.0.153:1129  192.168.1.12:1129  10.0.0.100:80      10.0.0.100:80
--- 10.0.0.153          192.168.1.12       
---                
---
R2#

PAT

And the last for now. We’ll see how to generate a por NAT, ie, rather than translating an entire IP address, perform the conversion only for the TCP or UDP ports need to consider. For may, this is the well-known “open ports”. Not really, the port is open (listening state) as long a service is running.

The mos common use of this configuration is to provide a service, running on the local network, on the Internet. For example, if we have a server running a web server we need to do PAT with port 80 TCP on that machine to the public IP address.

In this case we need only a PAT rule. What we do is provide port 3389 TCP, which is the one for the RDP Protocol (Remote Desktop Protocol).

R2# sh run | s static tcp
ip nat inside source static tcp 192.168.1.10 3389 10.0.0.10 3389 extendable
R2#

Here are the NAT entries on the router:

R2# sh ip nat tra
Pro Inside global   Inside local            Outside local         Outside global
tcp 10.0.0.10:3389  192.168.1.10:3389       10.0.0.100:1043       10.0.0.100:1043
tcp 10.0.0.10:3389  192.168.1.10:3389
---
---
R2#

Conclusion

We have seen several extremely simple NAT configurations. From here you only need to study the needs of the network to reach far more complex configurations, with several pools of internal and external IP addresses, exemptions, advanced services, backup IPs, route-maps, policy-based translations and so on. Plus it can and indeed it does, solve some routing problems…