
Natting in depth

Prepared and presented by: Amr Ismaeel – Dec 2015


Table of contents
• Introduction to Natting
• NAT Inside and Outside Addresses
• NAT Order of Operation
• Natting Types
• Static Natting
• Dynamic Natting & Overloading
• NAT Virtual Interface Design
Introduction to Natting
• Network Address Translation (NAT) is the process by which a network device (router or firewall) assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

• There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet.
• These servers are assigned public IP addresses on the firewall,
allowing the public to access the servers only through that IP
address. However, as an additional layer of security, the
firewall acts as the intermediary between the outside world
and the protected internal network. Additional rules can be
added, including which ports can be accessed at that IP
address. Using NAT in this way allows network engineers to
more efficiently route internal network traffic to the same
resources, and allow access to more ports, while restricting
access at the firewall. It also allows detailed logging of
communications between the network and the outside world.
NAT Inside and Outside Addresses
• The term inside in a NAT context refers to networks owned by
an organization that must be translated. When NAT is
configured, hosts within this network will have addresses in
one space (known as the local address space) that will appear
to those outside the network as being in another space (known
as the global address space).

• Similarly, the term outside refers to those networks to which the remote network connects, and which are generally not under the control of the organization. Hosts in outside networks can also be subject to translation, and thus have local and global addresses.
• NAT uses the following definitions:
• Inside local address -- the IP address assigned to a host on the inside network.
• Outside local address -- the IP address of an outside host as it appears to the inside network; it is allocated from the address space routable on the inside.
• Inside global address -- the IP address that represents one or more inside local IP addresses to the outside world.
• Outside global address -- the IP address assigned to a host on the outside network by the owner of the host.
• Local address -- any address that appears on the inside portion of the network.
• Global address -- any address that appears on the outside portion of the network.
• Packets sourced on the inside portion of the network have an
inside local address as the source address and an outside local
address as the destination address of the packet, while the
packet resides on the inside portion of the network. When that
same packet gets switched to the outside network, the source
of the packet is now known as the inside global address and
the destination of the packet is known as the outside global
address.
• Conversely, when a packet is sourced on the outside portion
of the network, while it is on the outside network, its source
address is known as the outside global address. The
destination of the packet is known as the inside global
address. When the same packet gets switched to the inside
network, the source address is known as the outside local
address and the destination of the packet is known as the
inside local address.

• Please check the next slide for more details.

[Two diagram slides titled "NAT Inside and Outside Addresses"; the figures are not reproduced in this text.]
NAT Order of Operation

Rules:
- Traffic entering the inside NAT interface is routed first, then NATted.
- Traffic entering the outside NAT interface is NATted first, then routed.
Natting Types
• NAT operates on a router and translates the private (inside local) addresses within the internal network into public (inside global) addresses before any packets are forwarded to another network. This functionality gives you the option to configure NAT so that it advertises only a single address for your entire network to the outside world.

NAT types include:

• Static address translation (static NAT) -- allows one-to-one mapping between local and global addresses.

• Dynamic address translation (dynamic NAT) -- maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.

• Overloading -- a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many to one) using different ports. This method is also known as Port Address Translation (PAT). By using PAT (NAT overload), thousands of users can be connected to the Internet using only one real global IP address.
Static Natting
• Example 1 (prom914)
====================

!
int <LAN>
 ip nat inside
!
int <WAN>
 ip nat outside
!
ip nat inside source static 172.31.17.78 57.228.104.113
!
router bgp 65000
 network 57.228.104.113 mask 255.255.255.255
!

- The NATted IP must be advertised so remote sites can get back to 172.31.17.78.
- If 172.31.17.78 is not part of the LAN subnet, you need to add a static route for it on the router.
• Example 2 (prom914)
=====================
!
int <LAN>
 ip nat inside
!
int <WAN>
 ip nat outside
!
ip nat inside source static 172.31.11.10 57.228.104.131 route-map Production_access_to_America_IDNet
!
router bgp 65000
 network 57.228.104.131 mask 255.255.255.255
!
route-map Production_access_to_America_IDNet permit 10
 match ip address Production_access_to_America_IDNet
!
ip access-list extended Production_access_to_America_IDNet
 permit ip host 172.31.11.10 167.144.89.0 0.0.0.255
 permit ip host 172.31.11.10 167.144.99.0 0.0.0.255
 permit ip host 172.31.11.10 167.144.32.0 0.0.0.255
 ...
 ...
 ...

- This type of NAT is called conditional NAT; it restricts translation to the permitted destination IPs.
• Example 3 ( paar073 )
====================

!
int <LAN>
 ip nat outside
!
int <WAN>
 ip nat inside
!
ip nat outside source static 10.16.0.45 57.253.153.39 vrf claesnet add-route
!
ip route vrf claesnet 57.253.153.39 255.255.255.255 10.16.240.137
!
router bgp 65000
 address-family ipv4 vrf claesnet
  network 57.253.153.39 mask 255.255.255.255
!

- When traffic arrives on the outside interface it is first NATted, then routed; when traffic arrives on the inside interface it is first routed, then NATted.

- IMPORTANT ===> For outside NAT: make sure there is a route for the “outside local” address toward the outside NAT interface, or add the keyword “add-route” at the end of the “ip nat outside source static” command.
• Example 4
===========

!
ip nat inside source static 10.0.0.1 100.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable
!
- Used when the router has two Internet connections (two public IPs). The “extendable” option allows static NAT mappings of one inside local address (private address) to multiple inside global addresses (public addresses); the keyword “extendable” is added to the end of each mapping statement.

- This is a good option for accessing one server via two Internet connections: traffic can arrive over either connection, and each public address is translated to the same private (server) address, so there is no ambiguity.
Dynamic Natting & Overloading
• Example 1 ( prom613 )
====================
!
57.253.2.64 255.255.255.224 : 57.253.2.65 --> 57.253.2.94
57.253.2.64 255.255.255.240 : 57.253.2.65 --> 57.253.2.78
!
access-list 110 deny ip host 10.10.0.13 any
access-list 110 deny ip host 172.31.7.57 any
access-list 110 deny ip host 172.31.2.5 any
access-list 110 deny ip host 172.31.17.76 host 57.253.125.16
access-list 110 deny ip host 172.31.17.76 host 57.253.125.17
access-list 110 deny ip host 172.31.17.77 host 57.253.125.16
access-list 110 deny ip host 172.31.17.77 host 57.253.125.17
access-list 110 permit ip 172.31.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
!
ip nat pool DYNat 57.253.2.65 57.253.2.73 netmask 255.255.255.240
!
!
ip nat inside source list 110 pool DYNat vrf Alliancenet_ICN overload
!
router bgp 65000
 address-family ipv4 vrf Alliancenet_ICN
  network 57.253.2.64 mask 255.255.255.224
!
ip route vrf Alliancenet_ICN 57.253.2.64 255.255.255.224 GigabitEthernet0/1 10.10.0.2
!

- Any traffic matching ACL 110 will be source-NATted with IPs from the range 57.253.2.65 --> 57.253.2.73.

- This type of NAT is a variation on dynamic NAT. With dynamic NAT there is always a one-to-one relationship between inside and outside addresses; if the address pool is exhausted, traffic from further addresses requesting translation will be dropped.

- With overloading, instead of a one-to-one relationship, each translated flow is given a specific outside port number to communicate with; in this situation, many internal hosts can use the same outside address while using different port numbers.
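As an added example (not from the slides), the ACL matching that decides whether a packet is translated in the conditional static NAT of Example 2 (route-map plus named ACL) and in dynamic Example 1 (numbered ACL 110, whose deny lines come before the permits): a small Python parser for the wildcard-mask syntax shown on the slides, applying first-match and implicit-deny semantics. The ACL contents and the addresses checked are constructed samples.

```python
import ipaddress
# Constructed samples in the deck's two ACL syntaxes (not from a live device):
# the named ACL behind the conditional static NAT, and numbered ACL 110.
PRODUCTION_ACL = """
permit ip host 172.31.11.10 167.144.89.0 0.0.0.255
permit ip host 172.31.11.10 167.144.99.0 0.0.0.255
"""
ACL_110 = """
access-list 110 deny ip host 10.10.0.13 any
access-list 110 deny ip host 172.31.17.76 host 57.253.125.16
access-list 110 permit ip 172.31.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
"""
def _operand(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def parse_acl(text):
    """Return (action, src, dst) entries in configured order.
    Only the 'permit|deny ip <src> <dst>' form used on the slides is accepted."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":   # numbered form: drop 'access-list 110'
            tokens = tokens[2:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACL line: " + line)
        src, rest = _operand(rest)
        dst, rest = _operand(rest)
        entries.append((action, src, dst))
    return entries

def _match(ip, operand):
    # Wildcard bits set to 1 are "don't care": force them to 1 on both sides.
    addr, wild = operand
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def nat_applies(acl_text, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in parse_acl(acl_text):
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False
```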
• Example 2 (prom612)
======================
!
interface Loopback1
 description --- to GMSNET
 ip address 57.228.104.253 255.255.255.255
!
!
ip access-list extended To_GMSNET
 permit ip 10.10.0.0 0.0.0.255 57.6.17.64 0.0.0.63
 permit ip 10.10.0.0 0.0.0.255 57.233.33.0 0.0.0.63
 permit ip 10.10.0.0 0.0.0.255 57.255.0.0 0.0.0.255
….
….
….
!
!
router bgp 65000
 network 57.228.104.253 mask 255.255.255.255
!
ip nat inside source list To_GMSNET interface Loopback1 overload
!

- Any traffic matching ACL To_GMSNET will be source-NATted to the Loopback1 IP with a unique port number.
• Example 3 ( prom612 )
=======================

!
ip nat pool CFMUNet_SourceIP 57.210.120.65 57.210.120.65 netmask 255.255.255.0
ip nat inside source list Access-to-CFMUnet pool CFMUNet_SourceIP overload
!
router bgp 65000
 network 57.210.120.65 mask 255.255.255.255
!
ip route 57.210.120.65 255.255.255.255 GigabitEthernet0/0
!

- Like the previous example, but configured this way as a trick for situations where you do not want a loopback interface with an unconditional advertisement of the PAT IP, and instead need the advertisement to depend on the physical interface status (the static route via GigabitEthernet0/0 is withdrawn when that interface goes down); it can be used, for example, in MCS setups where the same NAT IP is configured on both routers.
===========
Special Note
===========
• If a server is connected behind the router and you need to configure NAT for it, always make sure you use static NAT: the server never initiates requests and only responds to remote ones, so if a remote host tries to connect to the server and the NAT table has no entry (as happens when dynamic NAT is used), the connection will fail.
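As an added example (not from the slides), a Python model of the NAT types described earlier and of the special note above: static entries are permanent, while overload (PAT) entries are created only by traffic leaving the inside, so an unsolicited inbound connection to a server that has only a dynamic translation finds no entry and is dropped. Addresses are constructed RFC 5737 documentation values; NatRouter and server_reachable are names chosen here, not IOS commands or Cisco APIs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IPv4 address, TCP/UDP port)

@dataclass
class NatRouter:
    """Constructed model of 'ip nat inside source' on one router (not IOS code).
    Static entries exist permanently; overload (PAT) entries are created only
    when an inside host sends, keyed on the inside global address and port."""
    static: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    pat_address: Optional[str] = None                      # inside global shared by PAT
    pat_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # global -> local
    next_port: int = 1024

    def outbound(self, src: Endpoint) -> Endpoint:
        """Packet entering the inside interface: routed first, then translated.
        Returns the inside global source the outside world will see."""
        ip, port = src
        if ip in self.static:                       # one-to-one, port unchanged
            return self.static[ip], port
        if self.pat_address is None:
            raise ValueError("no mapping for %s; packet would leave untranslated" % ip)
        for glob, local in self.pat_table.items():  # reuse an existing PAT entry
            if local == src:
                return glob
        glob = (self.pat_address, self.next_port)   # allocate a fresh global port
        self.next_port += 1
        self.pat_table[glob] = src
        return glob

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Packet entering the outside interface: translated first, then routed.
        Returns the inside local destination, or None when no entry exists
        (the router drops it: the 'connection will fail' case from the note)."""
        ip, port = dst
        for local, glob in self.static.items():
            if glob == ip:
                return local, port
        return self.pat_table.get(dst)

def server_reachable(router: NatRouter, public: Endpoint) -> bool:
    """An unsolicited connection from the Internet succeeds only if a
    translation already exists for that public address and port."""
    return router.inbound(public) is not None
```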
NAT Virtual Interface Design
• Cisco has introduced a feature called NAT Virtual Interface (NVI); it removes the requirement to configure an interface as either NAT inside or NAT outside. An interface is simply configured either to use NAT or not to use NAT.
• You use the command ‘ip nat source …’ without the inside/outside keyword and enable NAT on the interfaces with the command ‘ip nat enable’.
• For instance, if you use legacy statement:
Router(config)#interface range fastEthernet 0/0
Router(config-if-range)#ip nat inside
Router(config)#interface range fastEthernet 0/1
Router(config-if-range)#ip nat outside
Router(config)#ip nat inside source static 172.16.0.6 10.16.0.5

• With the NVI feature the NAT configuration becomes:

Router(config)#interface range fastEthernet 0/0
Router(config-if-range)#ip nat enable
Router(config)#interface range fastEthernet 0/1
Router(config-if-range)#ip nat enable
Router(config)#ip nat source static 172.16.0.6 10.16.0.5
• With domain-based NAT, depending on the direction of the traffic, NAT occurs before or after the routing process, which means you need to take care of routing when using this type of NAT. With NVI, all NAT traffic passes through a new virtual interface (the NVI) in a symmetric manner, eliminating the need to specify inside and outside domains.

• Legacy NAT is domain-based NAT: you need to define inside and outside, and the order of routing and NAT differs by direction.
Traffic from outside: NAT first, then routing.
Traffic from inside: routing first, then NAT.
• The NAT virtual interface makes no distinction between an outside and an inside interface:
1. First the packet is checked to see whether it needs NAT.
2. If it does, it is routed to the virtual interface, where the NAT is performed.
3. After translation, it is routed again.
Any questions?
