Introduction to Network Address Translation


1 Introduction to Network Address Translation

2 Agenda
Basic Concept of Network Address Translation (NAT)
Port Address Translation (PAT)
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
NAT Technical Information

3 Basic Concept of NAT
NAT changes the IP addresses in the IP header.
Slide figure: an outbound packet from My Network to an Internet host and its return packet, each shown before and after NAT (the source and destination addresses are elided in this transcript).
These slides use the following conventions: source IP addresses are always in blue, destination IP addresses are always in green, packets that are pre-NAT are indicated by gold, and packets that are post-NAT are purple.

4 Basic Concept of PAT
Slide figure: outbound packets from Host 1 (source port 2031) and Host 2 (source port 1506) shown before and after PAT; both source addresses are translated to the same address, and the destination port is any port (the addresses are elided in this transcript).
The important point here is that PAT translates the two different source IP addresses to the same IP address. It uses the destination port information in the return packet to make the correct reverse translation. Don't get confused by the term PAT. It is a Cisco term; we wanted to differentiate between using one global address for all translations (PAT) and using a new IP address for each translation (NAT). If you talk with a UNIX admin, they would think PAT is NAT. The IETF uses a different term for PAT: NAPT (Network Address Port Translation).
Port Address Translation (PAT) extends NAT from "one-to-one" to "many-to-one" by associating the source port with each flow.

5 Basic Concept of PAT
Slide figure: the same two outbound packets from Host 1 (source port 2031) and Host 2 (source port 1506), plus the return packet for Host 2 arriving with destination port 1506, which PAT uses to restore Host 2's inside address (the addresses are elided in this transcript).
Port Address Translation (PAT) extends NAT from "one-to-one" to "many-to-one" by associating the source port with each flow.

6 Agenda
Basic Concept of NAT and PAT
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
PAT
NAT Technical Information

7 NAT Defined
First described in RFC 1631
Changes source and/or destination IP addresses in the IP header and the IP addresses in application data streams
Cisco IOS® NAT is a superset of that described in RFC 1631

8 Private IP Addresses
Problem: IP address space is limited and obtaining a large block of registered addresses is difficult.
Solution: Use private IP addresses (RFC 1918) internally on your network.
The private IP addresses you can use on your internal network are:
Class A: 10.x.x.x
Class B range: x.x– x.x
Class C range: x– x
You may find another IP address assigned to your Microsoft Windows host. Microsoft Windows 2000 and Windows ME have something called "Automatic Private IP Addressing (APIPA)". It occurs when a host is configured for DHCP and for some reason is not able to reach the DHCP server. When this occurs, Windows 2000 and Windows ME configure the interface with a x.y IP address. It then ARPs for the address it has chosen to ensure no other host on the subnet is using the same IP address. The IP address range x.y is reserved by IANA for link-local networks. See for more information.

9 Benefits: No Translation
Slide figure: a privately addressed host's outbound packet to an Internet host before and after NAT; without translation (marked X) the return packet cannot reach the host (the addresses are elided in this transcript).
NAT was developed because hosts with private IP addresses could not reach a host on the Internet.
Problem: Hosts can't access registered networks such as the Internet when assigned private IP addresses.
Solution: NAT replaces the source address with a routable address and enables privately addressed hosts to access registered networks, such as the Internet, without requiring globally unique IP addresses on end hosts.

10 Benefits: Corporate Acquisition
Slide figure: outbound packets between the Acquisition and Corporate networks before and after NAT, with the untranslated path marked X (the addresses are elided in this transcript).
This is accomplished by using a DNS server to translate the name of the host from a x address to a different IP address. Once this occurs, the other host thinks that it is communicating with the translated address. In this example the x must be unique in both networks.
Problem: Merging corporations with conflicting private IP address space need connectivity to each other and/or the Internet.
Solution: NAT provides transparent, scalable, and bi-directional connectivity between corporate headquarters and acquisitions.

11 Benefits: Changing ISPs
Slide figure: My Network behind NAT with a new ISP network; outbound packets to an Internet/Intranet host before and after NAT, with the untranslated path marked X (the addresses are elided in this transcript).
Problem: Changing ISPs.
Solution: NAT eliminates the need for host renumbering when changing ISPs or IP addressing schemes.

12 Benefits
Slide figure: a port-scanning packet from an Internet host toward My Network is stopped (X) at the NAT router (the addresses are elided in this transcript).
Problem: Internal network should not be visible to external users.
Solution: NAT enhances network privacy since assigned addresses are hidden. NAT defeats port scanning of the subnet.
This is a beneficial side effect of NAT. NAT is not a security protocol. Cisco does not recommend that NAT be thought of as a security feature. It is not a replacement for other true security devices such as a PIX or IOS Firewall. Having said that, without a translation in the NAT translation table the packet will be dropped by the router. The NAT-enabled router will respond with an ICMP unreachable packet. It is important to turn off ICMP unreachable packets (with the command "no icmp unreachable") on the interface to reduce the risk of a denial of service attack.

13 Application Support
Introduced in Cisco IOS software release 11.2(1), October 1996
Cisco IOS NAT performs 'stateful inspection' on applications it has awareness of
NAT has been around since October. The basic functionality of NAT has not changed. When changes are made to the NAT code, the changes are made to include applications that have embedded addresses in the data portion of the packet. So when considering NAT or PAT, one needs to consider the applications running on the network. If the application has embedded IP addresses, you need to check to see if NAT or PAT will translate them.

14 Agenda
Basic Concept of NAT and PAT
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
PAT
NAT Technical Information

15 NAT Concepts
Slide figure: a NAT router between an Inside Network (Inside Interface, Inside Host) and an Outside Network (Outside Interface, Outside Host), with the interface commands ip nat inside and ip nat outside.
An interface on the router can be defined as inside or outside
Translations occur only from inside to outside interfaces or vice versa, never between the same type of interface
What happens when a packet goes from an inside interface to an unmarked interface? No translation occurs. How about an unmarked interface to an outside interface? Again, no translation occurs. Translations only occur when going from an inside interface to an outside interface or vice versa. I want to caution you about the significance of inside and outside. If you use this with inside local and outside local you will get confused. What you want to walk away with here is that a translation will only occur when going from inside to outside or vice versa. The only other place where inside and outside interface definitions are significant is which side can produce a new translation. The command "ip nat inside source ..." tells you that packets received on the inside interface can create a new translation entry. DO NOT USE the inside and outside interfaces to explain inside local and outside local!

16 NAT Concepts
NAT translations are static or dynamic
Static translations are entered directly into the configuration and are always in the translation table:
ip nat inside source static
Dynamic translations use access lists to identify IP addresses that NAT should create translations for:
ip nat inside source list 1 pool nat-pool
access-list 1 permit

17 Static vs. Dynamic Translations
Static translations: when you need to be able to initiate a connection from both the inside and outside interfaces (e.g. SMTP, Web), or when you want a specific host to be translated to a specific IP address
Dynamic translations: when you want to initiate a connection from only the inside or only the outside

18 NAT Concepts
Slide figure: the outbound packet before NAT (Src Addr Inside Local, Dest Addr Outside Host) and after NAT (Src Addr Inside Global, Dest Addr Outside Host); the inbound packet before NAT (Src Addr Outside Global, Dest Addr Inside Host) and after NAT (Src Addr Outside Local, Dest Addr Inside Host).
An IP address is either local or global
Local IP addresses are seen in the inside network
Global IP addresses are seen in the outside network
Remember, local IP addresses are seen on the inside network. If you remember this fact, you will be able to read any of the documentation and understand it. Don't use the inside interface or outside interface for reference here or you will get confused.

19 Inside Local/Inside Global Example
Slide figure: the outbound packet to an Outside Host before and after NAT, the translation table with columns Pro, Inside Local, Outside Local, Outside Global, Inside Global (addresses elided in this transcript), and the NAT Address Pool.
For outbound packets an address is dynamically allocated from the NAT Address Pool.
The translation table is exactly what you see when you type "show ip nat translations", minus the lines and colors. Keep in mind how the router works. The router first looks for a translation to use in the translation table. If it can't find one, it then looks at the access lists to see if it can create one.

20 Inside Local/Inside Global Example
Slide figure: the return packet from the Outside Host before and after NAT, with the same translation table entry (columns Pro, Inside Local, Outside Local, Outside Global, Inside Global; addresses elided in this transcript) and the NAT Address Pool.
The NAT address translation entry in the translation table is used to translate return packets.

21 NAT Terminology
Inside local: the configured IP address assigned to a host on the inside network; the address may be globally unique, allocated out of the private address space defined in RFC 1918, or may be officially allocated to some other organization
Inside global: the IP address of an inside host as it appears to the outside host and network, the "translated IP address"; addresses can be allocated from a globally unique address space, typically provided by the ISP (if the enterprise is connected to the global Internet)

22 NAT Concepts
Slide figure: the outbound packet before NAT (Src Addr Inside Local, Dest Addr Outside Local) and after NAT (Src Addr Inside Global, Dest Addr Outside Global).
Local IP addresses are seen on the inside network while global IP addresses are seen on the outside network.
When the packet contains both a source and a destination address that need to be translated, the router translates both IP addresses.

23 NAT Concepts
A NAT translation is 1 to 1 or many to 1
Router# show ip nat translations
Pro Inside Local Outside Local Outside Global Inside Global
(The slide shows three tables: one with two tcp entries whose inside local and inside global ports are :1202 and :1460, both to an outside port :80, and two tables of 1 to 1 entries; the addresses are elided in this transcript.)
1 to 1 translations (NAT) assign a different IP address for each translation
Many to 1 (PAT) translations can assign the same IP address for each translation

24 Agenda
Basic Concept of NAT and PAT
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
PAT
NAT Technical Information

25 PAT
Router# show ip nat translations
Pro Inside Global Inside Local Outside Local Outside Global
tcp :1405 :1405 :80 :80 (addresses elided in this transcript)
PAT (Port Address Translation) includes ports in addition to IP addresses
Many-to-one translation
Maps multiple IP addresses to 1 or a few IP addresses
Unique source port number identifies each session
Conserves registered IP addresses
Also called NAPT in IETF documents

26 Outside Address Assignment
Use a pool of IP addresses
Can use an interface name
Interface IP addresses can be assigned: 1) statically configured, 2) via PPP (IPCP), 3) via DHCP on Ethernet interfaces [12.1(2)T]; more types of interfaces to follow

27 NAT vs. PAT
NAT: when there is a sufficient number of IP addresses for 1 to 1 translations
PAT: when there is an insufficient number of IP addresses available to translate all of the inside addresses

28 Agenda
Basic Concept of NAT and PAT
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
PAT
NAT Technical Information

29 How Much Memory?
Needs 42 Kb of system memory to enable NAT
160–200 bytes for each entry in the NAT translation table
1,000 entries use approximately 205 Kb of memory (includes the 42 Kb)

30 NAT Order of Operation
Slide figure: Inside Interface, Routing, NAT and Outside Interface in sequence; the outbound packet before NAT (Src Addr Inside Local, Dest Addr Outside Local) and after NAT (Src Addr Inside Global, Dest Addr Outside Global); the inbound packet before NAT (Src Addr Outside Global, Dest Addr Inside Global) and after NAT (Src Addr Outside Local, Dest Addr Inside Local).
NAT always checks the translation table for an entry before the access lists
For a full NAT order of operation see
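The following toy model, added here and not Cisco code, ties together slides 4, 19, 25 and 30: a router with one inside and one outside interface, a dynamic PAT rule that maps every permitted inside host to one inside-global address, the lookup order (translation table first, then the access list), reverse translation of return packets by destination port, and a drop when no entry exists. All addresses, the access list and the port-allocation rule are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network


class PatRouter:
    """Toy model of a NAT/PAT router with one inside and one outside interface."""

    def __init__(self, acl_net, inside_global):
        self.acl_net = ip_network(acl_net)   # models 'access-list 1 permit <acl_net>'
        self.inside_global = inside_global   # the one address every flow maps to (PAT)
        self.by_local = {}    # (proto, inside_local, lport) -> inside-global port
        self.by_global = {}   # (proto, gport) -> (inside_local, lport, outside, oport)

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or the packet
        unchanged when no entry exists and the access list does not permit one."""
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        gport = self.by_local.get(key)                       # 1. translation table first
        if gport is None:
            if ip_address(pkt["src"]) not in self.acl_net:   # 2. then the access list
                return dict(pkt)
            gport = pkt["sport"]   # keep the host's port if free, else the next free one
            while (pkt["proto"], gport) in self.by_global:
                gport += 1
            self.by_local[key] = gport
            self.by_global[(pkt["proto"], gport)] = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return dict(pkt, src=self.inside_global, sport=gport)

    def inbound(self, pkt):
        """Outside -> inside. The return packet's destination port selects the
        entry; without an entry the packet is dropped (None)."""
        entry = self.by_global.get((pkt["proto"], pkt["dport"]))
        if pkt["dst"] != self.inside_global or entry is None:
            return None
        return dict(pkt, dst=entry[0], dport=entry[1])

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations' on slide 25."""
        rows = []
        for (proto, gport), (local, lport, outside, oport) in sorted(self.by_global.items()):
            rows.append(f"{proto} {self.inside_global}:{gport} {local}:{lport} "
                        f"{outside}:{oport} {outside}:{oport}")
        return rows


# Constructed sample traffic: two inside hosts that both use source port 2031.
router = PatRouter("10.1.1.0/24", "203.0.113.5")
h1 = router.outbound({"proto": "tcp", "src": "10.1.1.10", "sport": 2031, "dst": "198.51.100.7", "dport": 80})
h2 = router.outbound({"proto": "tcp", "src": "10.1.1.11", "sport": 2031, "dst": "198.51.100.7", "dport": 80})
reply = router.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "203.0.113.5", "dport": h2["sport"]})
```

Host 2's flow is given port 2032 because 2031 is already in use, and the reply addressed to 203.0.113.5:2032 is rewritten back to 10.1.1.11:2031; a packet to a port with no entry returns None, the model's equivalent of the router dropping it.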

31 Summary
NAT provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes
NAT eliminates costs associated with host renumbering
NAT eases IP address management
NAT enhances network privacy

32 References
RFC 1631, The IP Network Address Translator
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations
NAT Technical Tips
NAT FAQ (includes platform support)
TAC NAT page

33 © 2001, Cisco Systems, Inc. All rights reserved.

