Cabrillo College Building Cisco Remote Access Network

Presentation transcript:

Cabrillo College Building Cisco Remote Access Network Ch. 11 Setting IP Addresses with NAT Rick Graziani, Instructor March 13, 2001

Private addresses and NAT Network Address Translation NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow hosts that are privately addressed (RFC 1918 space) to access the Internet.

Network Address Translation The privately addressed "inside" network sends a packet through the NAT router. The addresses are converted to legal, registered IP addresses, enabling the packets to be passed to the public networks, such as the Internet.

NAT [Figure: NAT topology with inside network 192.168.2.0/24; the address marked * would normally be a routable (non-private) address]

Cisco NAT Terminology When configuring NAT using the Cisco IOS, you will have to be able to distinguish between inside and outside addresses. Whether an address is “inside” or “outside” depends on your point of view.

Cisco NAT Terminology Addresses that your network is using are inside addresses, regardless of whether they belong to a private range or are globally routable. Addresses of systems beyond your network are considered outside addresses (whether they are private or global). Thus, your network could have inside local addresses (private addresses) and inside global addresses (globally routable addresses assigned by your provider).

NAT

NAT: Pros and Cons

NAT One advantage of NAT is that, since not every inside host needs outside access at the same time, you can get away with using a small pool of globally unique addresses to serve a relatively large number of privately addressed hosts.

NAT NAT comes as a great relief to organizations that outgrow their address space. If a school with a Class C address suddenly finds that over 500 nodes on campus need occasional Internet access, NAT (used in conjunction with RFC 1918 addresses) may provide a convenient solution.

NAT Because outside hosts never see the “pre-translated” inside addresses, NAT has the effect of hiding the inside structure of a network. NAT is not a security firewall: an inbound packet is dropped only because no entry for it exists in the translation table, not because a policy was evaluated, and the router performs no inspection of the traffic it does translate. That side effect does prevent outsiders from connecting directly to inside hosts, unless a permanent global address mapping exists in the NAT table, in which case the mapped host is exposed for every port.

NAT If you actually want outside users to access an internally addressed web server, you can statically map a global address (2.2.2.3) to an inside address (10.0.0.1). Static mappings exist in the NAT table until they are removed by an administrator. Internet hosts, and DNS, can use the global address to access the privately addressed web server.
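A static mapping like the one above makes the web server permanently reachable from outside on every port, so in practice it is paired with an inbound access list on the outside interface. The following is an added configuration example, not taken from the original slides: it reuses the 10.0.0.1 / 2.2.2.3 pair from the slide, while the interface names, the HTTPS permit and access list number 110 are assumptions.

```cisco
! Added example (not from the slides): static NAT for a web server plus an
! inbound ACL on the outside interface that limits what outsiders may reach
! through the mapping. Interface names and ACL number 110 are assumptions.
interface Serial0
 description Provider link (NAT outside)
 ip nat outside
 ip access-group 110 in
!
interface Ethernet0
 description Server LAN (NAT inside)
 ip nat inside
!
! Permanent one-to-one mapping: 10.0.0.1 is always seen as 2.2.2.3.
ip nat inside source static 10.0.0.1 2.2.2.3
!
! For outside-to-inside traffic IOS evaluates the inbound ACL BEFORE it
! translates the destination, so the ACL must name the inside GLOBAL
! address (2.2.2.3), not the inside local address (10.0.0.1).
access-list 110 permit tcp any host 2.2.2.3 eq 80
! Assumption: the server also offers HTTPS.
access-list 110 permit tcp any host 2.2.2.3 eq 443
! Replies to TCP sessions opened from inside (dynamic/overload translations).
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
```

Check the result with show ip nat translations (the static entry is present even with no traffic) and show access-lists (hit counters on the deny line show what the mapping would otherwise have exposed). Note that this ACL only admits TCP replies; inside hosts that need UDP or ICMP answers (DNS lookups, ping) need explicit permits, or a stateful inspection feature in place of the established keyword.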

NAT Since CIDR places the authority to assign addresses at the ISP level, if you moved from one ISP to another, your company may have to completely readdress its systems with the new ISP’s CIDR block. Instead of readdressing, NAT can be deployed to temporarily translate the old addresses to new ones, with static mappings in place to keep web and other public services available to the outside.

Types of NAT: Static NAT, Dynamic NAT, Overloading NAT (PAT), Overlapping

Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. In dynamic NAT, the computer with the IP address of 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. In overloading, each computer on the private network is translated to the same IP address (213.18.123.100) but with a different port number assignment.

Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network. (The 237.16.32.xx block used in this slide actually falls inside the 224.0.0.0/4 multicast range; read it as standing for any legitimately registered unicast block that happens to be reused internally.)

NAT Functions: Translating inside local addresses, Overloading inside global addresses, TCP load distribution, Handling overlapping networks

NAT Examples: Translating Inside Local Addresses, Overloading Inside Global Addresses, TCP Load Distribution

NAT Configuration: Static
RTA(config)#ip nat inside source static local-ip global-ip
RTA(config)#interface type number
RTA(config-if)#ip nat inside
RTA(config-if)#ip nat outside

NAT Configuration: Static [Figure: static NAT topology with inside network 192.168.2.0/24, inside host 192.168.2.2 and next hop 172.16.2.1; the upstream router carries the route ip route 192.168.2.0 255.255.255.0 172.16.2.1]

NAT Configuration: Static Room 2501 Example
interface FastEthernet0/0
 description Cabrillo LAN (NAT outside)
 ip address 172.16.29.254 255.255.224.0
 ip nat outside
interface FastEthernet0/1
 description Cisco Classroom 2501 (NAT inside)
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
! Static map to Linux Server - inside source-ip translated to nnnn
ip nat inside source static 172.30.1.11 172.16.24.66
! Static map to Catalyst 1900 switch
ip nat inside source static 172.30.1.99 172.16.24.67

NAT Configuration: Dynamic
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
RTA(config)#ip nat pool MYPOOL 207.2.2.0 207.2.2.255 netmask 255.255.255.0
Inside hosts are translated to these addresses. (In practice, leave the .0 and .255 addresses of the block out of the pool; upstream devices may treat them as the network and broadcast addresses and drop the traffic.)

NAT Configuration: Dynamic
Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
The access list selects the addresses that get translated:
RTA(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RTA(config)#ip nat inside source list 1 pool MYPOOL

NAT Configuration: Dynamic
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#interface type number
Router(config-if)#ip nat outside
RTA(config)#interface s0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside

NAT Configuration: Dynamic
interface FastEthernet0/0
 description Cabrillo LAN (NAT outside)
 ip address 172.16.29.254 255.255.224.0
 ip nat outside
interface FastEthernet0/1
 description Cisco Classroom 2501 (NAT inside)
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
ip nat pool room2501 172.16.24.65 172.16.24.99 netmask 255.255.224.0
ip nat inside source list 1 pool room2501
access-list 1 permit 172.30.1.0 0.0.0.255

PAT: Address overloading The most powerful feature of NAT routers is their ability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called a “many-to-one” NAT. Literally hundreds of privately addressed nodes can access the Internet using only one global address.

PAT The NAT box keeps track of the different conversations by mapping TCP and UDP port numbers: each inside (address, port) pair is assigned its own port on the shared global address, and replies are matched on that port. This works well for client applications like web browsers because they grab source port numbers as needed, typically from the unassigned (ephemeral) range between 1024 and 65,535.

PAT [Figure: an example PAT translation table]

NAT Configuration: Overload
Router(config)#ip nat inside source list access-list-number pool name overload
RTA(config)#ip nat inside source list 24 pool natpool overload

NAT Configuration: Overload

PAT Configuration: Dynamic
interface FastEthernet0/0
 description Cabrillo LAN (NAT outside)
 ip address 172.16.29.254 255.255.224.0
 ip nat outside
interface FastEthernet0/1
 description Cisco Classroom 2501 (NAT inside)
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
ip nat pool room2501 172.16.24.65 172.16.24.65 netmask 255.255.224.0
ip nat inside source list 1 pool room2501 overload
access-list 1 permit 172.30.1.0 0.0.0.255
(The overload keyword belongs on the ip nat inside source list command, as on the previous slide; the ip nat pool command does not accept it. A one-address pool with overload gives every classroom host the single global address 172.16.24.65.)

NAT and PAT NAT overload is often used in conjunction with dynamic mappings to a NAT pool. A NAT router can then use a one-to-one dynamic mapping until the available addresses are almost depleted, at which time NAT can overload the remaining address or addresses. On a Cisco router, NAT will overload the first address in the pool until it’s maxed out, and then move on to the second address, and so on.
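The following is an added example, not code from the slides: a small Python model of the translation table a NAT router such as RTA keeps, covering the behaviours the slides describe in one place: the permanent static map (the 10.0.0.1 to 2.2.2.3 web server from the earlier slide), one-to-one dynamic allocation from a pool (the 207.2.2.x block), overloading once the pool runs dry, and the rule that an inbound packet with no matching entry is simply dropped. The inside hosts, the outside host 198.51.100.9, the port numbers and the "reserve the last pool address for overload" policy are assumptions made for the example (a real IOS router with the overload keyword port-multiplexes every pool address).

```python
"""Toy NAT/PAT translation table (added example, not from the slides).

Models static one-to-one maps, dynamic one-to-one maps from a pool, and
PAT on the last pool address once the rest are used up. Addresses and
ports in demo() are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Inside-local <-> inside-global translation for one NAT router."""

    def __init__(self, pool: List[str], static: Dict[str, str], first_pat_port: int = 1024):
        # Assumption: the last pool address is held back for overloading, so
        # hosts get one-to-one mappings until the pool is nearly depleted.
        self.one_to_one_free = pool[:-1]
        self.overload_ip = pool[-1]
        self.static = dict(static)                            # local ip -> global ip (permanent)
        self.static_rev = {g: l for l, g in static.items()}   # global ip -> local ip
        self.dynamic: Dict[str, str] = {}                     # local ip -> global ip (one-to-one)
        self.dynamic_rev: Dict[str, str] = {}
        self.pat: Dict[Tuple[str, str, int], Tuple[str, int]] = {}      # (proto, lip, lport) -> (gip, gport)
        self.pat_rev: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # (proto, gip, gport) -> (lip, lport)
        self.next_port = first_pat_port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source address (and the source port under PAT)."""
        if pkt.src_ip in self.static:
            return Packet(pkt.proto, self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip not in self.dynamic and self.one_to_one_free:
            gip = self.one_to_one_free.pop(0)     # first available address in the pool
            self.dynamic[pkt.src_ip] = gip
            self.dynamic_rev[gip] = pkt.src_ip
        if pkt.src_ip in self.dynamic:
            return Packet(pkt.proto, self.dynamic[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Pool depleted: overload the reserved address, telling flows apart by port.
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.pat:
            if self.next_port > 65535:
                raise RuntimeError("PAT port space on %s exhausted" % self.overload_ip)
            gport = self.next_port
            self.next_port += 1
            self.pat[key] = (self.overload_ip, gport)
            self.pat_rev[(pkt.proto, self.overload_ip, gport)] = (pkt.src_ip, pkt.src_port)
        gip, gport = self.pat[key]
        return Packet(pkt.proto, gip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination; None means no entry, so the packet is dropped."""
        # Static entries are permanent: outsiders can initiate to the global address on any port.
        if pkt.dst_ip in self.static_rev:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        # A dynamic one-to-one entry also maps every port for as long as the entry exists.
        if pkt.dst_ip in self.dynamic_rev:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.dynamic_rev[pkt.dst_ip], pkt.dst_port)
        # Overloaded address: only a (proto, port) that an inside host opened maps back.
        entry = self.pat_rev.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        lip, lport = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lip, lport)


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the slide scenarios with constructed hosts; returns each translation result."""
    nat = NatBox(pool=["207.2.2.1", "207.2.2.2"], static={"10.0.0.1": "2.2.2.3"})
    out: Dict[str, Optional[Packet]] = {}
    # Static map: the web server always appears as 2.2.2.3 and is reachable from outside.
    out["static_out"] = nat.outbound(Packet("tcp", "10.0.0.1", 80, "198.51.100.9", 40001))
    out["static_in"] = nat.inbound(Packet("tcp", "198.51.100.9", 40002, "2.2.2.3", 80))
    # Dynamic: the first inside host takes the first free pool address one-to-one.
    out["dyn_a"] = nat.outbound(Packet("tcp", "192.168.1.10", 3001, "198.51.100.9", 80))
    # One-to-one addresses are gone: later hosts share 207.2.2.2 via PAT, each on its own port.
    out["pat_b"] = nat.outbound(Packet("tcp", "192.168.1.11", 3001, "198.51.100.9", 80))
    out["pat_b_again"] = nat.outbound(Packet("tcp", "192.168.1.11", 3001, "198.51.100.9", 80))
    out["pat_c"] = nat.outbound(Packet("tcp", "192.168.1.12", 3001, "198.51.100.9", 80))
    # The reply to host C arrives on its allocated port and is mapped back to the right inside host.
    out["pat_c_reply"] = nat.inbound(Packet("tcp", "198.51.100.9", 80, "207.2.2.2", 1025))
    # Unsolicited inbound to the overloaded address with no matching entry is dropped.
    out["unsolicited"] = nat.inbound(Packet("tcp", "198.51.100.9", 5555, "207.2.2.2", 22))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Two hosts using the same source port (3001) end up on different global ports, which is the whole point of PAT; the "unsolicited" case shows that the protection NAT gives is only the absence of a table entry, while the static entry answers on any port.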

TCP Load distribution Cisco routers support TCP load distribution, a powerful NAT feature that allows you to map one global address to multiple inside addresses for the purpose of distributing conversations among multiple (usually mirrored) hosts.

TCP Load Distribution

NAT Configuration: Rotary
RTA(config)#ip nat pool webservers 10.0.0.1 10.0.0.2 netmask 255.0.0.0 type rotary
RTA(config)#access-list 46 permit host 2.2.2.3
RTA(config)#ip nat inside destination list 46 pool webservers
RTA(config)#interface e0
RTA(config-if)#ip nat inside
RTA(config-if)#interface s0
RTA(config-if)#ip nat outside

NAT Configuration: Rotary [Figure: the single global address 10.1.1.127 NAT'd in rotation to the server group 10.1.1.1 - 10.1.1.3]

NAT drawbacks The tradeoff for address translation is a loss of functionality, particularly with any protocol or application that carries IP address information in its payload rather than only in the IP header: the router rewrites the header, but the address embedded in the payload still names the pre-translated inside host unless the router understands that protocol and rewrites it too.

NAT drawbacks The following traffic types are not supported by Cisco IOS NAT:
Routing table updates
Domain Name System (DNS) zone transfers
BOOTP
talk, ntalk
Simple Network Management Protocol (SNMP)
NetShow