network address translations
DESCRIPTION
TRANSCRIPT
When communicating to devices in a public network, your device needs to use a source address that is a public address. NAT device enables private IPv4 to connect to the Internet. NAT enable you to change an IP address in a packet to a different address. Usually, NAT connects two networks and translates the private (inside local) addresses into public addresses (inside global) before packets are forwarded to another network. In other word Address translation allows you to translate your internal private addresses to public addresses before these packets leave your network
Situation where you should use NAT•Your ISP did not provide you sufficient public IP address•Your company is going to merge in a company which use same address space•Where you want to hide your internal IP address space from outsideYou want to assign the same IP address to multiple machines
There are three types of NATStatic/dynamic/pat•Static:In static NAT manual translation is performed by an address translation device, translating one IP address to a different one. If you have 100 devices, you need to create 100 static entries in the address translation table. Typically, static translation is done for inside resources that outside people want to access
Dynamic NAT is mostly used when inside users needs to access outside resources. The global address assigned to the internal user isn't important, since outside devices don't directly connect to your internal users they just return traffic to them that the inside user requested.Dynamic NAT is used when inside use wants to access external resource. When an inside user sends traffic through the address translation device, say a router, it examines the source IP address and compares it to the internal local address pool. If it finds a match, then it determines which inside global address pool it should use for the translation. It then dynamically picks an address in the global address pool that is not currently assigned to an inside device. The router adds this entry in its address translation table, the packet is translated, and the packet is then sent to the outside world. If no matching entry is found in the local address pool, the address is not translated and is forwarded to the outside world in its original state.When returning traffic comes back into your network, the address translation device examines the destination IP addresses and checks them against the address translation table. Upon finding a matching entry, it converts the global inside address to the local inside address in the destination IP address field of the packet header and forwards the packet to the inside network
With PAT, all devices that go through the address translation device have the same global IP address assigned to them, so the source TCP or UDP port numbers are used to differentiate the different connections. If two devices have the same source port number, the translation device changes one of them to ensure uniqueness.Major difference between NAT and PAT is In NAT Only IP addresses are translated (not port numbers).
Disadvantages of Address Translation
Three main disadvantage with address translation are:•Each connection has an added delay.•Troubleshooting is more difficult.
Not all applications work with address translation
Term Explanation
Inside Addresses located on the inside of your network
Outside Addresses located outside of your network
Local The IP address physically assigned to a device
Global The public IP address physically or logically assigned to a device
Inside local IP address The IPv4 address that is assigned to a host on the inside network
Inside global IP addressA legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4 addresses to the outside world
Outside global IP address An outside device with a registered public IP address
Outside local IP address An outside device with an assigned private IP address
Static NAT A manual address translation is performed between two addresses and possibly port numbers.
Dynamic NATAn address translation device automatically performs address translation between two addresses and possibly port numbers.
Port Address Translation (PAT)Many inside IP addresses are translated to a single IP address, where each inside address is given a different TCP or UDP port number for uniqueness.
Address Translation Terms and Types
How to configure NAT
Configuration of static NAT is very straight forward. In this example we have a web server connected with Router 1. Our web server is using the IP address 10.0.0.2. But due to various reasons discussed in previous article our company want to use 50.0.0.1 IP address for this server. Now our task is to configure NAT on Router 1 which translate 10.0.0.2 [ inside local web server address] to 50.0.0.1 [ inside global ip address ].a
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1R1(config)#int fa 0/0R1(config-if)#ip nat insideR1(config)#int s 0/0/0R1(config-if)#ip nat outsideR1(config-if)#exit
Now configure R0 exactly given hereR0(config-if)#bandwidth 64R0(config-if)#exitR0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
As you have seen in configuration there is not direct route for 10.0.0.2. So PC from network of 30.0.0.0 will never know about it. They will access 50.0.0.1 as the web server IP. To test it double click on any computer and ping from 50.0.0.1 and you will get replay.
Now ping from 10.0.0.2 and you will get destination host unreachable error.PC>ping 10.0.0.2Pinging 10.0.0.2 with 32 bytes of data:Reply from 30.0.0.1: Destination host unreachable.Reply from 30.0.0.1: Destination host unreachable.Reply from 30.0.0.1: Destination host unreachable.Reply from 30.0.0.1: Destination host unreachable.
Step by Step Configuration of Dynamic NATWith dynamic NAT, you must manually define two sets of addresses on your address translation device. One set defines which inside addresses are allowed to be translated (the local addresses), and the other defines what these addresses are to be translated to (the global addresses).
In this example our internal network is using 192.168.0.0 network. We have five public ip address 50.0.0.1 to 50.0.0.5 to use. Router1(1841 Router0) is going to be NAT device. Double click on Router1(1841 Router0) and configure it as given below
R0(config-if)#bandwidth 64R0(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0R0(config)#access-list 1 permit 192.168.0.0 0.0.0.255R0(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0R1(config)#ip nat inside source list 1 pool testR1(config)#interface fastEthernet 0/0R1(config-if)#ip nat insideR1(config-if)#exitR1(config)#interface serial 0/0/0R1(config-if)#ip nat outsideR1(config-if)#exit
Now double click on R2(1841 Router1) and configure Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0Router(config)#hostname R2
For testing of NAT go R1 and enable debug for NAT from privilege mode R1#debug ip nat Now go on pc and ping to 20.0.0.2
When ICMP ping packet reach to R1. It examines its source address against the access list 1. As this packet is generated form the network of 192.168.0.0 so it will pass the access list. Now router will check NAT pools for free address to translate with this address. Which you can check in the output of debag command in R1
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
As you can see in output 192.168.0.5 is translate with 50.0.0.1 before leaving the router
Now check for web access from any client pc
In real life its best practices to turn off debug after testing so go on Router 1 and turn off debug mode. R1#no debug ip nat IP NAT debugging is off R1#
Step by Step Configuration of PATIn dynamics Nat translations is made IP to IP. so you need as much global IP address as you have inside local address. That's an issue if you have few global IP address and hundred of inside local address to translate. In such a situation you need to use PAT.For demonstration we are going to configure the same topology which we used in dynamic NAT but this time we are using only one global IP address 50.0.0.1
IP address of PC are already configured double click on R1 and configured it as given hereNow configure to R2 as given below
Router(config)#hostname R1R1(config)#interface fastEthernet 0/0R1(config-if)#ip address 192.168.0.1 255.255.255.0R1(config-if)#no shutdownR1(config)#interface serial 0/0/0R1(config-if)#ip address 30.0.0.1 255.0.0.0R1(config-if)#clock rate 64000R1(config-if)#bandwidth 64R1(config-if)#no shutdownR1(config-if)#exitR1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0R1(config)#ip nat inside source list 1 pool test overloadR1(config)#interface fastEthernet 0/0R1(config-if)#ip nat insideR1(config-if)#exitR1(config)#interface serial 0/0/0R1(config-if)#ip nat outsideR1(config-if)#exitR1(config)#
Now configure to R2 as given belowRouter>enableRouter#configure terminalRouter(config)#interface serial 0/0/0Router(config-if)#ip address 30.0.0.2 255.0.0.0Router(config-if)#no shutdownRouter(config-if)#exitRouter(config)#interface fastEthernet 0/0Router(config-if)#ip address 20.0.0.1 255.0.0.0Router(config-if)#no shutdownRouter(config-if)#exitRouter(config)#hostname R2R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Now go on pc and ping to 20.0.0.2
To verify PAT go on R1 and run show ip nat translationsR1#show ip nat translationsPro Inside global Inside local Outside local Outside globalicmp 50.0.0.1:1 192.168.0.7:1 20.0.0.2:1 20.0.0.2:1icmp 50.0.0.1:2 192.168.0.7:2 20.0.0.2:2 20.0.0.2:2icmp 50.0.0.1:3 192.168.0.7:3 20.0.0.2:3 20.0.0.2:3icmp 50.0.0.1:4 192.168.0.7:4 20.0.0.2:4 20.0.0.2:4
As you can see this time address translation is done with port address instead of IP