
HOTICO CATALIN-DANIEL

ACCESS THE PUBLIC INTERNET VIA NETWORK ADDRESS TRANSLATION (NAT)

Network Address Translation (NAT) is the main reason that each client or host
can communicate over the public WAN / Internet nowadays. Multiple networks
using the same private address ranges can communicate across the world simply
by knowing a public network address. Why is NAT necessary? Why can't each
network just have one or more addresses of its own? The depletion of IPv4 is
the main reason.

IPV4 Format & Depletion


IP version 4 is 32-bit-long address with 4 bytes each (4 bytes x 8-bit = 32-bit
total), meaning that it should looking like WWWW.XXXX.YYYY.ZZZZ. Each byte
contain 8 bits in binar (one or zero). Calculating the total available IP addresses in
version 4, we find out that there are over four billion addresses (2^32, meaning
one or zero power of thirty-two-bits of version 4, is over four billion). In the past,
4 billion addresses seemed a lot, and engineers consider that the four billion is
almost impossible to reach. Now, in the IoT era, in which every device we interact
is connected to the internet, the depletion problem is the main reason NAT can
be so helpful to slow this problem.
NAT simply translates private network addresses into the remaining public
network addresses. There are three main private address ranges:
- Class A: 10.0.0.0 - 10.255.255.255
- Class B: 172.16.0.0 - 172.31.255.255
- Class C: 192.168.0.0 - 192.168.255.255
Almost all the remaining addresses (excluding the multicast and reserved IPv4
addresses) are available to the public network. Depletion is slowed by
separating the private networks (such as organizations or ISP clients) from the
wide-area network.
A host can own a private address like 192.168.1.5, and another host in a
separate network can use the very same address. A private address is never
directly reachable from another network; traffic must be translated from a
publicly reachable address to the private address the host owns. Service
providers offer NAT solutions on their network terminals / routers. A PC gets a
private address from the router's DHCP pool (NAT terminology calls this the
"local inside address") and exits to the Internet through a statically
allocated IP address on the WAN interface (known as the local outside address).

The private address 192.168.100.5 is unreachable by a host from a different
subnet / network; instead, the public address is what answers to tracing or
pinging (traceroute / ping). NAT is also presented as a security solution,
because it isolates the host from hosts on other networks. The price is that
there is no end-to-end connectivity, and the NAT-enabled router must perform
additional processing for every new translation it places in its internal NAT
table.

Client-to-Client NAT connectivity

Each local or edge router performs its own NAT, depending on the environment;
usually, and as the Cisco and RFC guidance recommends, the border / edge
routers run the NAT instance. How does it work? Let's imagine that a PC wants
to ping a web server on port 80. Between the PC and the server there are one
switch in the PC's LAN, one local router with a NAT instance, the WAN, and the
final router in the server's LAN.

PC ------- SW1 ------- NAT R1 ------- R2 ------- NAT R3 ------- SW2 ------- WEBServer

The PC sends an ICMP request packet to router R1 with a source address of, let's
say, 192.168.100.1 and the R3-side destination 209.165.100.3. R1 de-encapsulates
the packet and reads the source IP address from the header. R1 has the NAT
instance active, so it checks the NAT table to see whether 192.168.100.1 is
already translated to a public address. R1 finds no translation, so it binds
the local inside address (192.168.100.1) to an address from the NAT pool (if
the NAT is dynamic; with static NAT the NAT table is already filled with a
static binding). R1 replaces the source address 192.168.100.1 in the packet
with the new public address (let's say 209.165.100.1). The packet now goes from
source 209.165.100.1 to destination 209.165.100.3. R1 forwards the packet and it
is routed until it reaches router R3. R3 de-encapsulates the packet and sees
that the destination address is 209.165.100.3. It checks its NAT table and sees
that this public IP is already owned by the local server, let's say
172.16.100.1. It translates the public address back to the private address,
forwards the packet to SW2 with destination 172.16.100.1, and SW2 forwards it
to the WEBServer, which receives the ICMP request.
Referring to PAT (Port Address Translation, or "NAT on ports"): each assigned
public IP address carries, in addition, a local port, or a port assigned or
incremented by the PAT algorithm when two local ports are identical on the same
public IP address. Usually, two PCs sharing the same public IP address each have
a source port generated automatically by the operating system and assigned
alongside the address. In other cases, for protocols like ICMP (packets without
a layer-four port number), the packet's query identifier is used instead
(routers increment it with each packet sent to the router's interface).
PAT is widely adopted by ISPs because it is more efficient and saves more
addresses than traditional NAT. Because the public IP address is the same, one
address or a small number of addresses from the PAT pool can cover hundreds of
devices assigned to a global inside address. PAT, or NAT overloading, divides
the available ports into the ranges 0-511, 512-1023 and 1024-65535; the number
of ports is the theoretical number of devices a public address can handle, but
according to the Cisco NAT documentation each translated device consumes 160
bytes of DRAM, so the router's hardware is also a criterion. The same principle
applies to NAT pools: the recommended maximum number of pools is 255, because
each pool created can consume up to 16 bits of memory. PAT can also help to
load-balance networks, according to the Cisco NAT FAQ.
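To make the walk-through and the PAT port handling above concrete, here is an added Python model of a PAT table (it is not from this page or from Cisco IOS, and it does not reproduce IOS's own port-range selection). It uses the addresses from the example, keeps a host's source port while it is free, picks a fresh port on a collision, reverse-translates replies, and drops inbound packets that match no entry, which is the isolation property the text attributes to NAT. The outside host 203.0.113.9 is a constructed value.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "209.165.100.1"   # inside global address on R1's WAN side (from the example)
PAT_PORT_START = 1024         # first port handed out when a source port collides (assumption)

@dataclass
class PatTable:
    """Port Address Translation table kept in both directions (constructed model)."""
    public_ip: str
    out: dict = field(default_factory=dict)   # (inside ip, inside port) -> global port
    back: dict = field(default_factory=dict)  # global port -> (inside ip, inside port)
    next_port: int = PAT_PORT_START

    def _allocate(self, wanted: int) -> int:
        # Keep the host's own source port while it is free; on a collision hand out
        # the next unused port, as the text describes for identical local ports.
        if wanted not in self.back:
            return wanted
        while self.next_port in self.back:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the inside network; for ICMP pass the query id as the port."""
        key = (src_ip, src_port)
        if key not in self.out:                 # no binding yet: create a dynamic entry
            gport = self._allocate(src_port)
            self.out[key], self.back[gport] = gport, key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate a packet from the WAN; None means no entry, so it is dropped."""
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None
        inside_ip, inside_port = self.back[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

def demo():
    """Two inside hosts reuse source port 40000 towards the same web server."""
    t = PatTable(PUBLIC_IP)
    a = t.outbound("192.168.100.1", 40000, "209.165.100.3", 80)
    b = t.outbound("192.168.100.2", 40000, "209.165.100.3", 80)   # collides with a
    icmp = t.outbound("192.168.100.1", 7, "209.165.100.3", 0)     # ICMP echo: query id 7 as port
    reply_a = t.inbound("209.165.100.3", 80, PUBLIC_IP, a[1])
    reply_b = t.inbound("209.165.100.3", 80, PUBLIC_IP, b[1])
    stray = t.inbound("203.0.113.9", 4444, PUBLIC_IP, 22)          # unsolicited: no entry, dropped
    return {"a": a, "b": b, "icmp": icmp, "reply_a": reply_a, "reply_b": reply_b, "stray": stray}
```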

NAT and PAT CLI configuration

There are two types of NAT: static NAT, in which a host is bound to a specific
public address, and dynamic NAT, in which a host receives a public address from
the NAT pool. In the dynamic NAT scenario, an access-list is needed. Let's refer
to the topology above. CiscoRouter2 and CiscoRouter4 both perform NAT.
CiscoRouter2 needs to specify the inbound and outbound NAT translations; the
NAT documentation refers to them with the "inside" and "outside" terminology.
CiscoRouter2 is configured with interfaces G0/0, G2/0 and G3/0 as inside
interfaces, because private addresses to be translated are expected on them.
The outside interface is G1/0, the interface on which a public address is
expected.

    interface range g0/0, g2/0, g3/0
     ip nat inside
    interface g1/0
     ip nat outside

The next step is to create the access-list that allows the networks 192.168.1.0
and 192.168.2.0 for the dynamic NAT. Then we have to create the NAT pool,
specifying the range of usable public addresses. For the access-list, a standard
ACL is more than enough.

    ip access-list standard ACL-NAT
     permit 192.168.1.0 0.0.0.255
     permit 192.168.2.0 0.0.0.255
     deny any
     ! the explicit deny is optional: an implicit deny any ends every ACL
     exit
    ip nat pool POOL-NAT 209.165.100.20 209.165.100.22 netmask 255.255.255.0

To bind the ACL and the pool together, we use the ip nat command:

    ip nat inside source list ACL-NAT pool POOL-NAT


Interface G3/0 is used to statically assign the public address for PC4. To
statically assign an inside global address to a host, we use the following
command, where 192.168.3.5 is the IP address of PC4:

    ip nat inside source static 192.168.3.5 209.165.100.30
CiscoRouter4 is configured to run static PAT on the public address
209.166.200.20, so PC3, configured with 172.16.10.5, is translated to that
public address when it exits to the WAN network. To configure static PAT, the
configuration is the same as for static NAT, with the overload keyword added.
An ACL is needed.

    ip access-list standard ACL-NAT
     permit host 172.16.10.5
     deny any
     exit
    ip nat inside source list ACL-NAT interface g0/0 overload
    interface g1/0
     ip nat inside
    interface g0/0
     ip nat outside

Notes:
- When pinging between different networks connected to the same NAT router, the
packet capture shows almost nothing. Because the NAT router is the gateway that
performs the NAT process, an engineer sometimes cannot see the ICMP requests
and replies on that same NAT-enabled router.
- Between networks on different NAT-enabled routers, such as CiscoRouter4 and
CiscoRouter2, the source and destination seen between the routers are the
configured public addresses.

References:
- Cisco, "NAT Frequently Asked Questions":
  https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
- RFC 1918, "Address Allocation for Private Internets":
  https://datatracker.ietf.org/doc/html/rfc1918
- RFC 2663, "IP Network Address Translator (NAT) Terminology and Considerations":
  https://datatracker.ietf.org/doc/html/rfc2663
