NAT

NAT terminology
(figure: numbered diagram with callouts 1–4)
Private addressing

• RFC 1918 sets aside three blocks for private IP addresses.
• Public addresses must be registered by a company or leased from a provider.
Private addressing

• 172.16.0.0 – 172.31.255.255: 172.16.0.0/12
– Where does the /12 come from?

12 bits in common:
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0
10101100 . 00011111 . 11111111 . 11111111 – 172.31.255.255
-------------------------------------------------------------
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0/12
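The "12 bits in common" calculation above, generalised to any address range, together with a check for membership in the three RFC 1918 blocks. This is an added example, not part of the slides; the block list is constructed from the ranges the slides name.

```python
import ipaddress

# The three RFC 1918 private blocks named on the slides (constructed list).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def common_prefix_length(first: str, last: str) -> int:
    """Number of leading bits shared by the first and last address of a range.

    For 172.16.0.0 - 172.31.255.255 this is the slide's "12 bits in common":
    XOR the two ends, and the leading zero bits of the result are the prefix.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    differing = a ^ b                       # bits that differ between the ends
    return 32 - differing.bit_length()      # leading zeros = shared prefix bits


def summarize_range(first: str, last: str) -> str:
    """Return the single CIDR block covering exactly the given range.

    Raises ValueError when the range is not one aligned block, which is the
    usual mistake when a "private range" is written by hand.
    """
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} spans {len(nets)} CIDR blocks")
    return str(nets[0])


def is_private(addr: str) -> bool:
    """True if the address falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)
```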
NAT terminology

• Inside addresses – Inside addresses are the set of networks that are subject to translation.
– Inside addresses are typically RFC 1918 addresses, but they can be any valid IP addresses.
• Outside addresses – Outside addresses are all other addresses.
– Usually these are valid addresses located on the Internet.
NAT terminology

• Inside local address – Configured IP address assigned to a host on the inside network. The address may be globally unique, allocated out of the private address space defined in RFC 1918, or might be officially allocated to another organization.
• Inside global address – The IP address of an inside host as it appears to the outside network. The inside global address is the translated address. These addresses are typically allocated from a globally unique address space and typically provided by the ISP, if the enterprise is connected to the Internet.
NAT terminology

Outside local and outside global address

• Outside local address – The IP address of an outside host as it appears to the inside network.
– These addresses can be allocated from the RFC 1918 space if desired.
• Outside global address – The configured IP address assigned to a host in the outside network.
NAT functions

• Translating inside local addresses
– NAT
• Overloading inside global addresses
– PAT
• TCP load distribution
– A dynamic form of destination translation can be configured for some outside-to-inside traffic on a round-robin basis
• Handling overlapping networks
– NAT can be used to resolve addressing issues that arise when inside addresses overlap with addresses in the outside network.
Network Address Translation
NAT

(figure: packet 1 on the inside network, packet 2 on the outside network)
Packet 1 IP header: DA 128.23.2.2, SA 10.0.0.3, ... Data
Packet 2 IP header: DA 128.23.2.2, SA 179.9.8.80, ... Data

• The translation from Private source IP address to Public source IP address.
NAT

• Inside local address – The IP address assigned to a host on the inside network.
• Inside global address – A legitimate (Internet routable or public) IP address assigned by the service provider.
• Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
NAT

(figure: packet 3 on the outside network, packet 4 on the inside network)
Packet 3 IP header: DA 179.9.8.80, SA 128.23.2.2, ... Data
Packet 4 IP header: DA 10.0.0.3, SA 128.23.2.2, ... Data

• Translation back, from Public destination IP address to Private destination IP address.
NAT

• NAT allows you to have more hosts than your allocated number of IP addresses by using RFC 1918 address space with a smaller mask.
• However, because you have to use your Public IP addresses for the Internet, NAT still limits the number of hosts that can access the Internet at any one time (depending upon the number of hosts in your public network mask).
Configuring Dynamic NAT

(figure: dynamic NAT configuration)

Configuring Dynamic NAT

(figure: dynamic NAT configuration, with callouts "Start here", "Source IP address must match here" and "Translate to these outside addresses")
Configuring Dynamic NAT
Router(config)#ip nat translation timeout seconds

• On a Cisco router, dynamic NAT table entries remain in the table for 24 hours by default.
• Once the entry times out, outside hosts will no longer be able to reach 10.1.1.6 until a new table entry is created.
• The table entry can only be created from the inside.
• A 24-hour timeout is relatively long. Adjust the translation timeout using the following command: ip nat translation timeout
• Although NAT is not a security firewall, it can prevent outsiders from initiating connections with inside hosts.
• This is unless a permanent global address mapping exists in the NAT table, i.e. static NAT.
• NAT has the effect of hiding the inside network structure because outside hosts never see the “pre-translated” inside addresses.
Static NAT

• Static translation occurs when an address is specifically configured in a lookup table.
• A specific inside local address maps to a pre-specified inside global address.
• The inside local and inside global addresses are statically mapped one for one.
• This means that for every inside local address, static NAT requires an inside global address.

Configuring Static NAT

(figure: static NAT configuration)

Configuring Static NAT

(figure: static NAT configuration, continued)
Port Address Translation

“NAT overload”
PAT – Port Address Translation

• PAT (Port Address Translation) allows you to use a single Public IP address and assign it up to 65,536 inside hosts (4,000 is more realistic).
• PAT modifies the TCP/UDP source port to track inside host addresses.
• Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream of traffic.
PAT Example

NAT/PAT table maintains translation of: DA, SA, SP

(figure: packets 1 on the inside network, packets 2 on the outside network)
Packet 1 (host 10.0.0.3): IP header DA 128.23.2.2, SA 10.0.0.3; TCP/UDP header DP 80, SP 1331; Data
Packet 2 (translated):    IP header DA 128.23.2.2, SA 179.9.8.80; TCP/UDP header DP 80, SP 3333; Data
Packet 1 (host 10.0.0.2): IP header DA 128.23.2.2, SA 10.0.0.2; TCP/UDP header DP 80, SP 1555; Data
Packet 2 (translated):    IP header DA 128.23.2.2, SA 179.9.8.80; TCP/UDP header DP 80, SP 2222; Data
PAT Example

NAT/PAT table maintains translation of: SA (DA), DA (SA), DP (SP)

(figure: packets 3 on the outside network, packets 4 on the inside network)
Packet 3 (reply to 3333):  IP header DA 179.9.8.80, SA 128.23.2.2; TCP/UDP header DP 3333, SP 80; Data
Packet 4 (to host 10.0.0.3): IP header DA 10.0.0.3, SA 128.23.2.2; TCP/UDP header DP 1331, SP 80; Data
Packet 3 (reply to 2222):  IP header DA 179.9.8.80, SA 128.23.2.2; TCP/UDP header DP 2222, SP 80; Data
Packet 4 (to host 10.0.0.2): IP header DA 10.0.0.2, SA 128.23.2.2; TCP/UDP header DP 1555, SP 80; Data
PAT – Port Address Translation

• With PAT, multiple private IP addresses can be translated by a single public address (many-to-one translation).
• This solves the limitation of NAT, which is one-to-one translation.
PAT – Port Address Translation

(figure: the same PAT example as above, packets 1 from hosts 10.0.0.3 and 10.0.0.2 translated to packets 2 from 179.9.8.80 with source ports 3333 and 2222)
From the curriculum:

• “As long as the inside global port numbers are unique for each inside local host, NAT overload will work. For example, if the host at 10.1.1.5 and 10.1.1.6 both use TCP port 1234, the NAT router can create the extended table entries mapping 10.1.1.5:1234 to 171.70.2.2:1234 and 10.1.1.6:1234 to 171.70.2.2:1235. In fact, NAT implementations do not necessarily try to preserve the original port number.”
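A constructed model of the NAT overload table from the PAT example and the curriculum quote above (an added example, not IOS code or the slides' own): one inside global address shared by all inside hosts, entries keyed on (SA, SP), the source-port collision resolved with the next free port, and inbound packets without an entry dropped.

```python
# Constructed model of NAT overload (PAT), not IOS code: one inside global
# address (the slides' 179.9.8.80) is shared by every inside host, and the
# translated source port is what distinguishes the connections.
from typing import Optional


class PatTable:
    def __init__(self, inside_global: str):
        self.inside_global = inside_global
        self.table = {}     # (inside local SA, SP) -> inside global SP
        self.reverse = {}   # inside global SP -> (inside local SA, SP)

    def outbound(self, pkt: dict) -> dict:
        """Translate an inside->outside packet, creating an entry on first use.

        Entries are keyed on (SA, SP) because two inside hosts may use the same
        source port, so the inside global port must be unique per entry.
        """
        key = (pkt["sa"], pkt["sp"])
        if key not in self.table:
            self.table[key] = self._alloc_port(pkt["sp"])
            self.reverse[self.table[key]] = key
        return {**pkt, "sa": self.inside_global, "sp": self.table[key]}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """Translate an outside->inside reply by its destination port.

        Returns None (packet dropped) when no entry exists: an outside host
        cannot open a connection to an inside host through PAT.
        """
        if pkt["da"] != self.inside_global or pkt["dp"] not in self.reverse:
            return None
        inside_local, sp = self.reverse[pkt["dp"]]
        return {**pkt, "da": inside_local, "dp": sp}

    def _alloc_port(self, wanted: int) -> int:
        """Keep the original port when it is free, else the next free one
        (the curriculum's 10.1.1.6:1234 -> 171.70.2.2:1235 case)."""
        port = wanted
        while port in self.reverse:
            port += 1
            if port > 65535:
                raise RuntimeError("inside global port space exhausted")
        return port
```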
Configure PAT – Overload

• In this example a single Public IP address is used, using PAT source ports to differentiate between connection streams.

Configure PAT – Overload

(figure: this is a different example, using the IP address of the outside interface instead of specifying an IP address)
TCP load distribution
TCP load distribution with NAT translation

• Cisco routers support TCP load distribution as an extension to static mapping.
• This powerful NAT feature allows one global address to map to multiple inside addresses for the purpose of distributing conversations among multiple hosts.
• The NAT router rotates conversations between two inside Web servers at 10.1.1.6 and 10.1.1.7 when an outside host requests web services at 171.70.2.10.
TCP load distribution with no NAT translation

• TCP load distribution can be used even when there is no translation between private addresses and public addresses.
• RTA is configured to map both www1, 171.70.2.3/24, and www2, 171.70.2.4/24, to the same inside global IP address, 171.70.2.10/24.
• All three of these IP addresses are public addresses on the same subnet. In configurations like these, the address 171.70.2.10 is referred to as a virtual host.
Configuring TCP load distribution

• Similar to NAT but with type rotary.
• Establish dynamic inside destination translation identifying the access list.
TCP load distribution configuration

• Example: RTA is configured to translate destination addresses that match 171.70.2.10, access list 46, using the webservers pool.
• Because the webservers pool was defined using the rotary keyword, the first translation will be to 171.70.2.3.
• However, the second translation will be to 171.70.2.4, the third back to 171.70.2.3, and so on. In this way, the load is distributed among the Web servers.

RTA(config)#ip nat pool webservers 171.70.2.3 171.70.2.4 netmask 255.255.255.0 type rotary
RTA(config)#access-list 46 permit host 171.70.2.10
RTA(config)#ip nat inside destination list 46 pool webservers
RTA(config)#interface e0
RTA(config-if)#ip nat inside
RTA(config-if)#interface s0
RTA(config-if)#ip nat outside
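The rotary-pool behaviour described above, as an added model (not IOS code): only packets whose destination matches the virtual host 171.70.2.10 are rewritten, each new connection takes the next server in turn, and later packets of the same connection keep their entry so a TCP session is never split across servers.

```python
from itertools import cycle

# Constructed model of "ip nat inside destination list 46 pool webservers"
# with "type rotary": the behaviour the slides describe, not IOS code.


class RotaryPool:
    def __init__(self, virtual_host: str, real_servers: list):
        self.virtual_host = virtual_host        # the access-list match, 171.70.2.10
        self._next = cycle(real_servers)        # 171.70.2.3, 171.70.2.4, 171.70.2.3, ...
        self.entries = {}                       # (outside SA, SP) -> chosen server

    def translate(self, pkt: dict) -> dict:
        """Destination-translate one outside->inside packet.

        A packet whose DA does not match the virtual host is returned unchanged
        (no match on access-list 46). A new connection, identified by the
        outside host's (SA, SP), gets the next server in round-robin order;
        further packets of that connection reuse the same entry.
        """
        if pkt["da"] != self.virtual_host:
            return pkt
        key = (pkt["sa"], pkt["sp"])
        if key not in self.entries:
            self.entries[key] = next(self._next)
        return {**pkt, "da": self.entries[key]}

    def close(self, sa: str, sp: int) -> None:
        """Remove the entry when the connection ends or its timeout expires."""
        self.entries.pop((sa, sp), None)
```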
Overlapping Networks

• Overlapping networks result when one IP address assigned to a device on a local network is already legally owned and assigned to a different device on the Internet or outside network.
• Overlapping networks also result when two companies, both using RFC 1918 IP addresses in their networks, merge.
• These two networks need to communicate, preferably without having to readdress all their devices.
• If HostA pings 10.1.1.6, it will be pinging its local neighbor and not HostZ.
Overlapping Networks

• One way to allow HostA to communicate with HostZ is to use DNS and NAT.
• Instead of using the IP address of HostZ, HostA can use the hostname for HostZ.
• For example, a user on HostA could issue the command ping HostZ, which would result in a name-to-address lookup using DNS.
• A NAT translation is done for the DNS query sourced from 10.1.1.7.
• The query from 10.1.1.7 is translated by RTA so that it appears to be from the inside global address 192.168.1.7.
• The DNS server responds to this query.
Overlapping Networks

• The DNS server responds with the actual IP address for HostZ, 10.1.1.6.
• However, RTA translates the payload of the DNS response.
• Cisco's implementation of NAT will actually alter the contents of a DNS packet.
• RTA will create a simple table entry that maps the outside global address, 10.1.1.6, to an outside local address, 192.168.3.6.
• HostA will believe that HostZ is at 192.168.3.6, presumably a reachable IP network.
• Note: NAT does not look at the payload of the DNS reply unless translation occurs on the IP header of the reply packet.
Overlapping Networks

• HostA can then begin a conversation with HostZ.
• When HostA sends a packet to HostZ, RTA creates an extended table entry.
• HostA will see this conversation as being between 10.1.1.7, HostA, and 192.168.3.6, HostZ.
• However, RTA translates both the source and destination addresses so that HostZ believes this same conversation is between 192.168.1.7, HostA, and 10.1.1.6, HostZ.
Overlapping Networks Configuration

• RTA uses the inGlobal address pool to translate HostA's address so that outside hosts can reach HostA.
• RTA uses the outLocal pool to translate outside hosts in the overlapping network so that HostA can reach those hosts.
Overlapping Networks

• Three entries are created, as seen in the output of the show ip nat translations command, after HostA has sent HostZ an IP packet.
• The first entry was created when HostA sent a DNS query.
• The second entry was created when RTA translated the payload of the DNS reply.
• The third entry was created when the packet was exchanged between HostA and HostZ.
• The third entry is a summary of the first two entries and is used for more efficient translations.
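The overlapping-network walk-through above as an added model of RTA (not IOS code): the inGlobal pool rewrites HostA's source, the DNS reply payload is rewritten only when the reply's IP header is itself translated (the slide's note), and the resulting outLocal entry is then used for both directions of the HostA/HostZ conversation. Pool contents and the DNS server address are assumptions chosen to reproduce the slide values.

```python
# Constructed model of the slides' RTA for the overlapping-network case; not
# IOS code. Pool contents are assumptions chosen to reproduce the slide values.
from typing import Iterable


class OverlapNat:
    def __init__(self, in_global: Iterable[str], out_local: Iterable[str]):
        self._in_global = iter(in_global)   # inGlobal pool, e.g. 192.168.1.x
        self._out_local = iter(out_local)   # outLocal pool, e.g. 192.168.3.x
        self.inside = {}    # inside local   -> inside global  (entry 1)
        self.outside = {}   # outside global -> outside local  (entry 2)

    @staticmethod
    def _map(table: dict, key: str, pool) -> str:
        if key not in table:
            table[key] = next(pool)         # allocate from the pool once
        return table[key]

    def outbound(self, sa: str, da: str) -> tuple:
        """HostA -> outside: SA gets an inGlobal address; a DA that is an
        outside local address is rewritten to the real (overlapping) address."""
        new_sa = self._map(self.inside, sa, self._in_global)
        real = {local: glob for glob, local in self.outside.items()}
        return new_sa, real.get(da, da)

    def inbound(self, sa: str, da: str) -> tuple:
        """Outside -> HostA: reverse both translations."""
        local_sa = self.outside.get(sa, sa)
        back = {glob: local for local, glob in self.inside.items()}
        return local_sa, back.get(da, da)

    def translate_dns_reply(self, reply_da: str, answer: str) -> str:
        """Rewrite the A-record payload of a DNS reply sent to a translated
        inside host. As the slide notes, the payload is left alone unless the
        IP header of the reply is itself being translated."""
        if reply_da not in self.inside.values():
            return answer
        return self._map(self.outside, answer, self._out_local)
```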
Verifying NAT translations

• The verbose keyword can be used with the show ip nat translations command to display more information, including the time remaining for a dynamic entry.
Troubleshooting NAT translations

• The asterisk next to NAT indicates that the translation is occurring in the fast path.
• The first packet in a conversation will always go through the slow path, that is, it will be process-switched.
• The remaining packets will go through the fast path if a cache entry exists.
– s = a.b.c.d is the source address.
– a.b.c.d -> w.x.y.z is the address to which the source was translated.
– d = a.b.c.d is the destination address.
– The value in brackets is the IP identification number. This information may be useful for debugging, because it enables the comparison of data from the debug to data from other sources, such as packet traces from sniffers.
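A parser for debug lines in the layout the slide describes, as an added example (not the slides' or Cisco's code): it picks out the fast-path asterisk, the source and destination with their translations, and the IP identification number, and lists the process-switched first packets whose IDs you would match against a sniffer trace. The sample lines are constructed in that layout, not captured from a router.

```python
import re
from typing import Optional

# Pattern for one `debug ip nat` line, built from the fields the slide lists:
# optional asterisk (fast path), s=<source>[-><translated>],
# d=<destination>[-><translated>], IP identification number in brackets.
DEBUG_RE = re.compile(
    r"NAT(?P<fast>\*)?:\s*"
    r"s=(?P<s>[\d.]+)(?:->(?P<s_xlat>[\d.]+))?,\s*"
    r"d=(?P<d>[\d.]+)(?:->(?P<d_xlat>[\d.]+))?\s*"
    r"\[(?P<ip_id>\d+)\]"
)

# Constructed sample lines (not captured from a real router) in that layout.
SAMPLE_LOG = """\
NAT: s=10.1.1.7->192.168.1.7, d=128.23.2.2 [23]
NAT*: s=10.1.1.7->192.168.1.7, d=128.23.2.2 [24]
NAT*: s=128.23.2.2, d=192.168.1.7->10.1.1.7 [9012]
some unrelated console line
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one debug line, or None if it is not a NAT line."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    return {
        "fast_path": m.group("fast") == "*",
        "source": m.group("s"),
        "source_translated": m.group("s_xlat"),
        "destination": m.group("d"),
        "destination_translated": m.group("d_xlat"),
        "ip_id": int(m.group("ip_id")),
        # the translated side tells you which way the packet was going
        "direction": "inside->outside" if m.group("s_xlat") else "outside->inside",
    }


def slow_path_ip_ids(log: str) -> list:
    """IP IDs of process-switched packets (no asterisk): by the slide's rule,
    the first packet of each conversation. These IDs are what you match
    against a sniffer capture when pairing debug output with packet traces."""
    records = (parse_line(line) for line in log.splitlines())
    return [r["ip_id"] for r in records if r and not r["fast_path"]]
```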
Clearing NAT translations

• Once NAT is enabled, no changes can be made to the NAT process while dynamic translations are active.
• Use the clear ip nat translation * command to clear all translated entries.
• There are additional forms of this command to clear specific entries.
NAT Considerations
NAT advantages

• NAT conserves the legally registered addressing scheme by allowing the privatization of intranets.
• NAT reduces the instances in which addressing schemes overlap.
• NAT increases the flexibility of connection to the public network.
– Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections.
• De-privatization of a network requires the renumbering of the existing network.
– NAT allows the existing scheme to remain and still supports the newly assigned addressing scheme outside the private network.
NAT disadvantages

• Address translation can cause a loss of functionality.
• This is particularly true with any protocol or application that involves sending IP address information outside the IP header.
• NAT increases delay.
• Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers.
• Performance may be a consideration because NAT is currently accomplished by using process switching.
NAT disadvantages/advantage

• One significant disadvantage when implementing and using NAT is the loss of end-to-end IP traceability.
• It becomes more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops.
• This scenario does, however, lead to more secure links.
• Hackers who want to determine the source of a packet will find it difficult, if not impossible, to trace or obtain the original source or destination address.
Traffic types supported by Cisco
• Cisco IOS NAT supports the following traffic types:
– Any TCP/UDP traffic that does not carry source or destination IP addresses in the application data stream
– Hypertext Transfer Protocol (HTTP)
– Trivial File Transfer Protocol (TFTP)
– Telnet
– Archie
– Finger
– Network Timing Protocol (NTP)
– Network File System (NFS)
– rlogin, rsh, rcp
Traffic types supported by Cisco
• Cisco IOS NAT also supports the following traffic types, although they carry IP addresses in the application data stream:
– ICMP
– File Transfer Protocol (FTP), including PORT and PASV commands
– NetBIOS over TCP/IP for datagram, name, and session services
– Progressive Networks' RealAudio
– White Pines' CuSeeMe
– Xing Technologies' Streamworks
– DNS "A" and "PTR" queries
– H.323/NetMeeting (Cisco IOS 12.0(1)/12.0(1)T and later)
– VDOLive (Cisco IOS 11.3(4)/11.3(4)T and later)
– Vxtreme (Cisco IOS 11.3(4)/11.3(4)T and later)
– IP multicast (Cisco IOS 12.0(1)T), for source address translation only
Traffic types not supported by Cisco
Cisco IOS NAT does not support the following traffic types:
– Routing table updates
– DNS zone transfers
– BOOTP
– talk, ntalk
– Simple Network Management Protocol (SNMP)
– NetShow
Labs
NAT PAT Overload
NAT TCP Load Balancing
Lab No. 1