ICND1 100-105

Network Address Translation

We will describe the whole process of deploying Internet access by adding services to your Internet router in the form of DHCP servers, and network address translation. You will be able to touch and feel the whole process by configuring these functions on a Cisco router.

Network Address Translation

The number of IP addresses allocated by the Internet service provider will typically be small. With today’s IP address space, it is impossible to provide a public Internet IP address to every device. So most organizations, if not all, use a private addressing scheme inside their network and require network address translation for connectivity to the public network; the device in the middle implements the translation and translates return traffic back into the private addressing scheme.

Network Address Translation - NAT

When talking about NAT, it is important to understand the terminology. You will have global and local addresses: global meaning public addresses that are meaningful out on the public Internet, and local meaning addresses that belong to the private addressing scheme. Another concept is that of inside and outside devices. An inside device is physically located in the internal network, whereas an outside device is physically located somewhere else.

So you could have an inside device with a local address, but also an inside device with a global address after the device’s packets have been translated by NAT. Another concept is that of address assignments or mappings; they can be static or dynamic: static if manually created or dynamic if dynamically assigned by the NAT device.

Port Address Translation

Outbound traffic that is going toward the Internet typically uses dynamic assignment of public IP addresses. This means that one machine in the inside could be using a certain public address when going out today, but a different address when going out tomorrow. This allows for more flexibility in reusing the public address ranges. However, those public address ranges are typically very small. A lot of times it is only one public address that you can use and that address is already assigned to the public interface of the perimeter device. You will need to reuse that public IP address for all of the internal machines. That is why we have port address translation or PAT.

Port Address Translation - PAT

Multiple private addresses can reuse the same public address, as indicated in that NAT table there, but the NAT device will add a port number to the translation. The port number is always different and it is the tiebreaker that identifies which private address is using which instance of the one public address.

Translating Inside Source Address

Here is how it works in a one-to-one translation environment.

One-to-one Address Translation

The source machine sends a packet with the private source address, which hits the NAT device. The NAT device looks up its NAT table to see whether there is a static assignment defined by the administrator. If there is one, it uses it; if there is none, it dynamically assigns a public address and forwards the packet. When the destination replies, the old source address is now the destination address, and the reply eventually hits the NAT device again. The NAT device looks in the NAT table for an existing translation; when it finds it, it simply translates the public destination address back into the private address and forwards the packet to the original source. The same thing happens for all the packets of all the senders, where each sender uses a different public IP.

Overloading an Inside Global Address

The previous example is not sustainable in an Internet scenario. That is why we need port address translation, sometimes known as NAT overload. The process is the same, but now the PAT device uses an expanded NAT table that includes ports. Notice how the source ports are translated at the NAT device, which controls the uniqueness of these ports so that it can know which private addresses are using which instance of the public address.

NAT Overloading

Since the source ports travel with the packet, return traffic will contain the same information and that is how the PAT device will know who to deliver the packet to.
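As an added example (not part of the course material), the following Python model implements the PAT table described in the last three sections: outbound packets receive the shared public address plus a unique translated port, return traffic is mapped back to the inside host by that port, and dynamic entries that stay idle expire. It assumes the public address is the GigabitEthernet0/1 address from the configuration further down; the inside hosts, peers, ports and idle timeout are constructed values, and only dynamic (not static) entries are modelled.

```python
from dataclasses import dataclass
# Added example, not from the course: a PAT (NAT overload) table in the shape
# of 'show ip nat translations', dynamic entries only. The public address is
# the outside interface address from the configuration on this page; inside
# hosts, Internet peers and ports are constructed values.
INSIDE_GLOBAL_IP = "171.69.68.2"
@dataclass
class Entry:
    inside_local: tuple   # (ip, port) as seen on the LAN
    inside_global: tuple  # (public ip, translated port) as seen on the Internet
    outside: tuple        # (ip, port) of the Internet peer of this flow
    last_used: float      # time of the last packet that matched this entry

class PatTable:
    def __init__(self, public_ip=INSIDE_GLOBAL_IP, idle_timeout=300.0):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self.next_port = 1024   # first dynamic port to hand out
        self.by_global = {}     # translated port -> Entry

    def _free_port(self):
        # the translated port is the tiebreaker: each entry gets a unique one
        if self.next_port > 65535:
            raise RuntimeError("public address exhausted: no free ports")
        self.next_port += 1
        return self.next_port - 1

    def expire(self, now):
        # dynamic translations disappear after a period of inactivity
        for port, e in list(self.by_global.items()):
            if now - e.last_used > self.idle_timeout:
                del self.by_global[port]

    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source to the shared public address."""
        self.expire(now)
        local, peer = (pkt["src_ip"], pkt["src_port"]), (pkt["dst_ip"], pkt["dst_port"])
        e = next((e for e in self.by_global.values()
                  if e.inside_local == local and e.outside == peer), None)
        if e is None:   # no translation yet: allocate one dynamically
            e = Entry(local, (self.public_ip, self._free_port()), peer, now)
            self.by_global[e.inside_global[1]] = e
        e.last_used = now
        return {**pkt, "src_ip": self.public_ip, "src_port": e.inside_global[1]}

    def inbound(self, pkt, now):
        """Outside -> inside: the destination port selects the inside host."""
        self.expire(now)
        e = self.by_global.get(pkt["dst_port"])
        if e is None or pkt["dst_ip"] != self.public_ip or (pkt["src_ip"], pkt["src_port"]) != e.outside:
            return None   # unsolicited or stale: the router drops the packet
        e.last_used = now
        return {**pkt, "dst_ip": e.inside_local[0], "dst_port": e.inside_local[1]}
```

Two inside hosts using the same source port toward the same server end up with two different translated ports on the one public address, and a reply addressed to either port is delivered to exactly one of them.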

Configuration and Commands

SDM simply hides the complexity of the commands, but it still generates those commands and delivers them to the router. Here is a sample configuration with IP NAT overloading, which should be applied to the router from the image above.

!
interface GigabitEthernet0/0
 description ### LOCAL LAN ###
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 description ### Internet ###
 ip address 171.69.68.2 255.255.255.0
 ip ospf network broadcast
 ip nat outside
 duplex auto
 speed auto
!
!
ip nat inside source list InetNat interface GigabitEthernet0/1 overload
!
ip access-list extended InetNat
 permit ip 10.1.1.0 0.0.0.255 any
!

You can monitor the operation of NAT and PAT from the router command-line interface with these commands: show ip nat translations displays each inside local IP address and its corresponding outside global or public address. Static translations are also shown, and those do not time out; dynamic translations typically disappear after a certain period of inactivity. You can also clear the NAT translation table if you want to troubleshoot, or if you changed the public address range and want to reset connections so that the new public range is applied.

Router#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 83.228.127.214:1086   10.1.1.2:1025       217.29.9.205:11357    217.29.9.205:11357
tcp 83.228.127.214:1049   10.1.1.2:1031       46.38.189.180:6669    46.38.189.180:6669
tcp 83.228.127.214:1546   10.1.1.2:1040       74.105.111.98:34794   74.105.111.98:34794
tcp 83.228.127.214:1721   10.1.1.3:1044       59.92.70.243:61603    59.92.70.243:61603
tcp 83.228.127.214:1175   10.1.1.3:1054       71.218.158.201:6890   71.218.158.201:6890
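As an added example (not part of the course material), this Python parser turns the show ip nat translations output above into records and summarises it the way an operator would when checking PAT: flows per inside host, the public addresses in use, which entries are static, and whether any (protocol, public address, port) has been handed to two inside hosts. The five tcp rows are copied from the output above; the "---" row is a constructed static translation using the documentation address 192.0.2.10, in the port-less format IOS uses for such entries.

```python
# Added example, not from the course: parse 'show ip nat translations' and
# summarise it. The tcp rows are copied from the page; the '---' row is a
# constructed static (port-less) entry with a placeholder public address.
SHOW_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 192.0.2.10            10.1.1.5              ---                   ---
tcp 83.228.127.214:1086   10.1.1.2:1025       217.29.9.205:11357    217.29.9.205:11357
tcp 83.228.127.214:1049   10.1.1.2:1031       46.38.189.180:6669    46.38.189.180:6669
tcp 83.228.127.214:1546   10.1.1.2:1040       74.105.111.98:34794   74.105.111.98:34794
tcp 83.228.127.214:1721   10.1.1.3:1044       59.92.70.243:61603    59.92.70.243:61603
tcp 83.228.127.214:1175   10.1.1.3:1054       71.218.158.201:6890   71.218.158.201:6890
"""

def split_socket(field):
    """'ip:port' -> (ip, port); bare ip (static entry) -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)

def parse_translations(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] == "Pro":   # skip the header and anything malformed
            continue
        rows.append({"proto": f[0], "inside_global": split_socket(f[1]),
                     "inside_local": split_socket(f[2]),
                     "outside_local": split_socket(f[3]),
                     "outside_global": split_socket(f[4])})
    return rows

def summarise(rows):
    """Flows per inside-local host, public addresses in use, static hosts, and any
    (proto, public ip, port) that two different inside hosts share (must be empty)."""
    flows, owner, clashes = {}, {}, []
    for r in rows:
        host = r["inside_local"][0]
        flows[host] = flows.get(host, 0) + 1
        key = (r["proto"],) + r["inside_global"]
        if owner.setdefault(key, host) != host:   # PAT tiebreaker violated
            clashes.append(key)
    public = sorted({r["inside_global"][0] for r in rows})
    static = [r["inside_local"][0] for r in rows if r["proto"] == "---"]
    return {"flows": flows, "public": public, "static": static, "clashes": clashes}
```

A host whose flow count keeps growing, or a non-empty clashes list, is what to look for before deciding whether to clear the translation table.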