【Computer Network】IPv4 NAT

NAT usage background

There are not enough public IPv4 addresses to give every device a unique address for connecting to the Internet.

These private addresses can be used within an enterprise or site to allow devices to communicate locally. However, because these addresses do not identify any one company or business, private IPv4 addresses cannot be routed through the Internet. In order for a device with a private IPv4 address to access devices and resources outside the local network, the private address must first be translated to a public address.

NAT provides translation of private addresses to public addresses. This enables devices with private IPv4 addresses to access resources outside of their private network. NAT combined with private IPv4 addresses becomes an effective method for saving public IPv4 addresses. A single public IPv4 address can be shared by hundreds or even thousands of devices, while each device is configured with a unique private IPv4 address.

NAT principle


NAT serves many purposes, but its main purpose is to conserve public IPv4 addresses.

A NAT-enabled router can be configured with one or more valid public IPv4 addresses. These public addresses are called the NAT address pool. When an internal device sends traffic outside the network, the NAT-enabled router translates the device's internal IPv4 address to a public address from the NAT pool. To external devices, all traffic to and from the network appears to use a public IPv4 address drawn from that pool.

NAT routers usually operate at the boundary of a stub network. A stub network is a network that has a single connection to its neighboring network: one way in and one way out. In the example in the figure, R2 is the border router. From the ISP's point of view, R2 forms a stub network.

When a device within a stub network wants to communicate with a device outside its network, it forwards the packet to a border router. Border routers perform a NAT process that translates a device's internal private address to a public, externally routable address.

NAT address type


With NAT, an IPv4 address is named differently depending on whether it sits on the private network or on the public network (the Internet), and whether the traffic is inbound or outbound.

When deciding which address to use, it is important to remember that NAT terminology is always applied from the perspective of the device with the translated address:

Inside address - the address of the device whose address is being translated by NAT.

Outside address - the address of the destination device.

NAT also uses the notion of local or global with respect to addresses:

Local address - a local address is any address that appears on the inside portion of the network.

Global address - a global address is any address that appears on the outside portion of the network.

So, combined, NAT includes four types of addresses:

  • Inside local address - the source address as seen from inside the network
  • Inside global address - the source address as seen from the outside network
  • Outside local address - the address of the destination as seen from inside the network
  • Outside global address - the address of the destination as seen from the outside network


In the figure, PC1 has an inside local address of 192.168.10.10. From PC1's perspective, the web server has an outside address of 209.165.201.1. When a packet is sent from PC1 to the web server's global address, PC1's inside local address is translated to 209.165.200.226 (the inside global address). The address of the outside device is usually not translated, because it is generally already a public IPv4 address.

Note that PC1 has different local and global addresses, while the web server uses the same public IPv4 address as both its local and its global address. From the web server's perspective, traffic originating from PC1 appears to come from 209.165.200.226 (the inside global address).

The NAT router (R2 in the diagram) is the demarcation point between the internal and external networks and between local and global addresses.

Static NAT and Dynamic NAT

There are three types of NAT translations:

Static Address Translation (Static NAT) - One-to-one address mapping between local addresses and global addresses.

Dynamic Address Translation (Dynamic NAT) - Many-to-many address mapping between local addresses and global addresses. Conversions are made on an as-available basis. For example, if there are 100 inside local addresses and 10 inside global addresses, only 10 of the 100 inside local addresses can be translated at any one time. This limitation of dynamic NAT makes it less practical than port address translation for production networks.

Port Address Translation (PAT) - Many-to-one address mapping between local addresses and global addresses. This method is also known as overloading (NAT overloading). For example, if there are 100 inside local addresses and 10 inside global addresses, PAT uses the port number as an additional parameter to provide a multiplier effect, so that each of the 10 inside global addresses can be reused up to 65,536 times (the exact figure depends on whether the traffic flow is UDP, TCP or ICMP).
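The three translation types, and the address-type figure above (PC1 192.168.10.10 reaching the web server 209.165.201.1 through 209.165.200.226), as an added Python simulation that is not part of the original post and is not Cisco IOS code: a small NatRouter class keeps a translation table the way the border router R2 does, and demo() walks through static NAT, dynamic NAT with an exhausted pool, and PAT with two inside hosts that happen to pick the same source port. Address values come from the figures on this page; the port numbers and the 1024-based port allocation on a collision are constructed for the example.

```python
"""Simulation of static NAT, dynamic NAT and PAT on a border router (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Border router (R2 in the figures) holding the NAT translation table."""

    def __init__(self, mode: str, pool: list, static_map: Optional[dict] = None):
        self.mode = mode                      # "static", "dynamic" or "pat"
        self.pool = list(pool)                # inside global addresses (the NAT pool)
        self.static_map = dict(static_map or {})
        self.host_map = {}                    # dynamic: inside local ip -> inside global ip
        self.flows = {}                       # (global ip, global port, proto) -> (local ip, local port)
        self.next_port = 1024                 # PAT: next port handed out on a collision (constructed)

    def _global_address(self, local_ip: str) -> Optional[str]:
        if self.mode == "static":
            return self.static_map.get(local_ip)      # one-to-one; unmapped hosts get nothing
        if self.mode == "dynamic":
            if local_ip not in self.host_map:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None                       # pool exhausted: no translation available
                self.host_map[local_ip] = free[0]
            return self.host_map[local_ip]
        return self.pool[0]                           # PAT: every inside host shares one address

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside local -> inside global; None means the packet is not translated."""
        g_ip = self._global_address(pkt.src_ip)
        if g_ip is None:
            return None
        g_port = pkt.src_port
        key = (g_ip, g_port, pkt.proto)
        if self.mode == "pat":
            # Keep the original source port when it is free; otherwise allocate a fresh one
            # so the reply can still be matched to the right inside host.
            while key in self.flows and self.flows[key] != (pkt.src_ip, pkt.src_port):
                if self.next_port > 65535:
                    return None                       # every port on the shared address is taken
                g_port, self.next_port = self.next_port, self.next_port + 1
                key = (g_ip, g_port, pkt.proto)
        self.flows[key] = (pkt.src_ip, pkt.src_port)
        return Packet(g_ip, g_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply sent to an inside global address back to the inside local host."""
        entry = self.flows.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
        if entry is None:
            return None                               # no state: unsolicited inbound traffic is dropped
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.proto)


def demo() -> dict:
    web = "209.165.201.1"                             # the web server's outside global address
    results = {}

    # Static NAT, as in the address-type figure: PC1 192.168.10.10 <-> 209.165.200.226
    s = NatRouter("static", [], {"192.168.10.10": "209.165.200.226"})
    out = s.outbound(Packet("192.168.10.10", 40000, web, 80))
    results["static"] = out.src_ip                    # what the web server sees as the source
    results["static_unmapped"] = s.outbound(Packet("192.168.10.11", 40001, web, 80))

    # Dynamic NAT: three hosts and a pool of two, so the third host cannot be translated
    d = NatRouter("dynamic", ["209.165.200.226", "209.165.200.227"])
    got = [d.outbound(Packet("192.168.10.%d" % i, 50000 + i, web, 80)) for i in (10, 11, 12)]
    results["dynamic"] = [p.src_ip if p else None for p in got]

    # PAT: one global address; source ports keep the flows apart even when two hosts pick 1025
    p = NatRouter("pat", ["209.165.200.226"])
    a = p.outbound(Packet("192.168.10.10", 1025, web, 80))
    b = p.outbound(Packet("192.168.10.11", 1025, web, 80))
    results["pat"] = [(a.src_ip, a.src_port), (b.src_ip, b.src_port)]
    reply = p.inbound(Packet(web, 80, b.src_ip, b.src_port))
    results["pat_reply"] = (reply.dst_ip, reply.dst_port)
    results["unsolicited"] = p.inbound(Packet(web, 80, "209.165.200.226", 4444))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The inbound() path is the part worth noticing from a defender's side: without an entry in the translation table the router has nowhere to deliver the packet, which is why unsolicited traffic from the outside does not reach inside hosts, and why a pool that runs dry under dynamic NAT simply leaves the next host untranslated rather than failing noisily.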

Advantages and disadvantages of NAT

NAT has many advantages, including:

  • NAT allows private addressing inside the intranet, thereby conserving legally registered public addresses
  • NAT increases the flexibility of connections to the public network
  • NAT provides consistency for the internal network addressing scheme (an organization can change ISPs without renumbering any internal clients)
  • NAT hides users' private IPv4 addresses from the outside network, which is often counted as a security benefit

However, the fact that hosts on the Internet appear to be communicating directly with the NAT-enabled device, rather than actual hosts inside the private network, creates several problems:

  • NAT degrades network performance
  • End-to-end addressing is lost
  • End-to-end IPv4 traceability is also lost
  • NAT complicates the use of tunneling protocols
  • TCP connections may be disrupted

Configure static NAT

Static NAT is a one-to-one mapping between inside addresses and outside addresses.
As shown in the topology above, if NAT is not configured, a ping from the web server to the client fails, but a ping from the web server to the R2 S0/0/0 interface succeeds.

When configuring static NAT translation, there are two basic tasks:

Step 1. The first task is to establish a mapping between an inside local address and an inside global address.

Router(config)#ip nat inside source static local-ip global-ip

For example, the inside local address 192.168.10.254 and the inside global address 209.165.201.5 in Figure 1 have been configured for static NAT translation.

Router(config)#ip nat inside source static 192.168.10.254 209.165.201.5

Step 2. After configuring the mapping, configure the interfaces participating in the translation as inside or outside interfaces with respect to NAT.

Router(config)#interface inside-interface-type number
Router(config-if)#ip nat inside
Router(config-if)#interface outside-interface-type number
Router(config-if)#ip nat outside

In this example, R2's Serial 0/0/0 interface is the inside interface and Serial 0/1/0 is the outside interface.

Router(config)#interface Serial 0/0/0
Router(config-if)#ip nat inside
Router(config-if)#interface Serial 0/1/0
Router(config-if)#ip nat outside

View NAT translation

Verify the static NAT configuration with the following command:

show running-config

show ip nat translations

show ip nat statistics

Configure dynamic NAT

Static NAT provides a permanent mapping between inside local addresses and inside global addresses, while dynamic NAT enables automatic mapping of inside local addresses to inside global addresses.

Like static NAT, dynamic NAT requires the inside and outside interfaces participating in NAT to be configured. However, where static NAT creates a permanent mapping to a single address, dynamic NAT uses a pool of addresses.

Step 1. Use the ip nat pool command to define the pool of addresses that will be used for translation. The pool is usually a group of public addresses, defined by giving the first and last IPv4 address of the pool. The netmask or prefix-length keyword indicates which address bits belong to the network and which to the hosts within that address range.

Step 2. Configure a standard ACL to identify (allow) only those addresses that will be translated. ACLs that are too broad can have unintended consequences. Remember that there is an implicit deny all statement at the end of every ACL.

Step 3. Bind the ACL to the address pool. The command ip nat inside source list access-list-number pool pool-name binds the ACL to the pool. The router uses this configuration to decide which devices (the list) receive which addresses (the pool).

Step 4. Determine which interfaces are internal for NAT; that is, any interface connected to the internal network.

Step 5. Determine which interfaces are external for NAT; that is, any interface connected to the external network.

The figure above shows an example topology along with the configuration. This configuration will allow traffic generated by all hosts on the 192.168.0.0/16 network, including the 192.168.10.0 LAN and 192.168.11.0 LAN, to be translated as it enters S0/0/0 and exits S0/1/0. These hosts will translate to one of the available addresses in the pool of addresses in the range 209.165.200.226 - 209.165.200.240.

// Define a pool of public IPv4 addresses from 209.165.200.226 to 209.165.200.240 under the pool name PUBLIC-POOL.
R2(config)# ip nat pool PUBLIC-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224

// Configure ACL 1 to permit NAT translation of devices from the 192.168.0.0/16 network
// (the 0.0.255.255 wildcard is what covers both the 192.168.10.0 and 192.168.11.0 LANs).
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255

// Bind PUBLIC-POOL to ACL 1.
R2(config)# ip nat inside source list 1 pool PUBLIC-POOL

// Configure the appropriate inside NAT interface.
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat inside

// Configure the appropriate outside NAT interface.
R2(config)# interface Serial0/1/0
R2(config-if)# ip nat outside
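Step 2's warning about ACLs that are too broad, as an added Python check that is not part of the post and not an IOS feature: it evaluates a standard ACL with IOS wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored) plus the implicit deny at the end, and reports which of a constructed set of inside hosts each ACL would hand to the NAT pool. The three ACLs compare a /24 wildcard against the /16 that the text says must cover the 192.168.10.0 and 192.168.11.0 LANs, and a permit-any ACL that would translate everything, including a host outside those LANs. Host addresses and the ACL names are constructed for the example.

```python
"""Which inside hosts would a standard ACL select for NAT translation? (added example)"""
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must equal the network bits."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32   # 1 = this bit must match
    return (a & care) == (n & care)


def wildcard_to_prefix(wildcard: str) -> int:
    """Contiguous wildcard mask -> prefix length, e.g. 0.0.255.255 -> 16."""
    w = int(ipaddress.IPv4Address(wildcard))
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return 32 - ones


def acl_decision(acl, address: str) -> str:
    """Evaluate a standard ACL top-down; anything unmatched hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(address, network, wildcard):
            return action
    return "deny"


def hosts_translated(acl, hosts) -> list:
    """Hosts whose traffic the router would hand to the NAT pool."""
    return [h for h in hosts if acl_decision(acl, h) == "permit"]


# Constructed inside hosts: one on each LAN named in the text, plus one that should stay untranslated.
HOSTS = ["192.168.0.7", "192.168.10.10", "192.168.11.20", "10.1.1.1"]

# Each ACL is a list of (action, network, wildcard) entries in the order they would be typed.
ACL_SLASH24 = [("permit", "192.168.0.0", "0.0.0.255")]        # only 192.168.0.0/24
ACL_SLASH16 = [("permit", "192.168.0.0", "0.0.255.255")]      # 192.168.0.0/16, both LANs
ACL_ANY = [("permit", "0.0.0.0", "255.255.255.255")]          # permit any: far too broad


if __name__ == "__main__":
    for name, acl in (("/24", ACL_SLASH24), ("/16", ACL_SLASH16), ("any", ACL_ANY)):
        print(name, "prefix length", wildcard_to_prefix(acl[0][2]), hosts_translated(acl, HOSTS))
```

Running the script shows the two failure modes the text warns about side by side: the /24 wildcard silently leaves the 192.168.10.0 and 192.168.11.0 hosts untranslated (they fall through to the implicit deny), while permit-any translates the 10.1.1.1 host that was never meant to leave the network.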

Verify Dynamic NAT


PAT

PAT (also known as NAT overloading) allows a router to use one inside global address for many inside local addresses, thus conserving addresses in the inside global address pool. In other words, one public IPv4 address can serve hundreds or even thousands of internal private IPv4 addresses. When this type of translation is configured, the router keeps enough information from higher-layer protocols (such as TCP or UDP port numbers) to translate the inside global address back to the correct inside local address. When multiple inside local addresses map to one inside global address, the TCP or UDP port number of each inside host is used to tell the different local addresses apart.

Note: In theory, the total number of internal addresses that can be translated into one external address can be as high as 65,536 per IPv4 address. However, the number of internal addresses that can be assigned a single IPv4 address is about 4000.

There are two ways to configure PAT, depending on how your ISP assigns public IPv4 addresses. In the first assignment, the ISP assigns multiple public IPv4 addresses to the business, and in the other, it assigns the business a single IPv4 address through which it connects to the ISP.

Configure PAT

The figure above shows the steps to configure PAT with an address pool. The main difference between this configuration and the dynamic one-to-one NAT configuration is the use of the overload keyword. The overload keyword enables PAT.

// Define a pool of public IPv4 addresses from 209.165.200.226 to 209.165.200.240 under the pool name NAT-POOL-OVERLOAD.
R2(config)# ip nat pool NAT-POOL-OVERLOAD 209.165.200.226 209.165.200.240 netmask 255.255.255.224
// Configure ACL 3 to permit NAT translation of devices from the 10.0.0.0/8 network.
R2(config)# access-list 3 permit 10.0.0.0 0.255.255.255
// Bind NAT-POOL-OVERLOAD to ACL 3; the overload keyword enables PAT.
R2(config)# ip nat inside source list 3 pool NAT-POOL-OVERLOAD overload
// Configure the appropriate inside NAT interface.
R2(config)# interface Serial0/0/0
R2(config-if)# ip nat inside
// Configure the appropriate outside NAT interface.
R2(config)# interface Serial0/1/0
R2(config-if)# ip nat outside

Without NAT, IPv4 address space exhaustion could have occurred well before the year 2000. However, NAT also has limitations, as discussed above. To deal with both the exhaustion of the IPv4 address space and the limitations of NAT, a transition to IPv6 will eventually be required.

Origin blog.csdn.net/weixin_45884316/article/details/123589085