SlideShare a Scribd company logo

Nat cisco

ā€¢
ā€¢
M
moonmanik

Nat cisco

Engineering
1 of 10
Download to read offline
How NAT Works Document ID: 6450 This document contains Flash animation Contents Introduction Prerequisites Requirements Components Used Conventions Behind the Mask Dynamic NAT and Overloading Examples Flash Animation: Dynamic NAT Security and Administration Multiāˆ’Homing Related Information Introduction If you are reading this, you are most likely connected to the Internet and there's a very good chance that you are using Network Address Translation (NAT) right now! The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, the current estimate is that there are about 100 million hosts and over 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year. So what does the size of the Internet have to do with NAT? Everything! For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32āˆ’bit number that identifies the location of your computer on a network. Basically it works just like your street address: a way to find out exactly where you are and deliver information to you. When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (232 ). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into Classes and the need to set aside some of the addresses for multicasting, testing or other specific uses. With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (IPv6) but will take several years to implement because it requires modification of the entire infrastructure of the Internet. The NAT router translates traffic coming into and leaving the private network:
This is where NAT (RFC 1631 ) comes to the rescue. Basically, Network Address Translation allows a single device, such as a router, to act as agent between the Internet (or "public network") and a local (or "private") network. This means that only a single unique IP address is required to represent an entire group of computers to anything outside their network. The shortage of IP addresses is only one reason to use NAT. Two other good reasons are: Securityā€¢ Administrationā€¢ You will learn more about how NAT can benefit you, but first, let us take a closer look at NAT and what it can do& Prerequisites Requirements Readers of this document should be knowledgeable of the following: IP addressing and routing conceptsā€¢ Components Used This document is not restricted to specific software and hardware versions. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Behind the Mask NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches up the person's name and extension. The receptionist knows that you requested this call, therefore the receptionist forwards the caller to your extension. Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:
Static NAT Mapping an unregistered IP address to a registered IP address on a oneāˆ’toāˆ’one basis. Particularly useful when a device needs to be accessible from outside the network. In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110: ā€¢ Dynamic NAT Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a oneāˆ’toāˆ’one mapping between unregistered and registered IP address, but the mapping could vary depending on the registered address available in the pool, at the time of communication. In dynamic NAT, the computer with the IP address of 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150: ā€¢ Overloading A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or portāˆ’level multiplexed NAT. In overloading, each computer on the private network is translated to the same IP address (213.18.123.100) but with a different port number assignment: ā€¢ Overlapping When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses and also it must translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or you can use DNS and implement dynamic NAT. The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another ā€¢
network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network: The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, it doesn't travel off the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world. NAT can be configured in various ways. In the example below the NAT router is configured to translate unregistered IP addresses (inside local addresses) that reside on the private (inside) network to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network. An ISP assigns a range of IP addresses to your company. The assigned block of addresses are registered unique IP addresses and are called inside global addresses. Unregistered private IP addresses are split into two groups, a small group (outside local addresses) that will be used by the NAT routers and the majority that will be used on the stub domain known as inside local addresses. The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network. For more information on definitions of local and global addresses, refer to NAT: Local and Global Definitions. NAT only translates traffic which travel between the inside and outside network and is specified to be translated. Any traffic not matching the translation criteria or those that are forwarded between other interfaces on a router are never translated, and they are forwarded as such. IP addresses have different designations based on whether they are on the private network (stub domain) or on the public network (Internet) and whether the traffic is incoming or outgoing: ā€¢ Most computers on the stub domain communicate with each other using the inside local addresses.ā€¢ Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses which means that they do not require translation. ā€¢ When a computer on the stub domain that has an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers by way of normal routing to the defaultāˆ’gateway. ā€¢ The NAT router checks the routing table to see if it has an entry for the destination address. If the destination address is not in the routing table, the packet is dropped. If an entry is available, it verifies whether the packet is traveling from the inside to the outside network and checks if the packet matches the criteria specified for translation. The router then checks the address translation table to ā€¢
find if there is an entry existing for the inside local address with a corresponding inside global address. If an entry is found, it translates the packet by using the inside global address. If static NAT alone is configured and no entry is found, it sends the packet without translation. Using an inside global address, the router sends the packet on to its destination.ā€¢ A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address. ā€¢ When the packet arrives on the outside network, the NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain. ā€¢ The NAT router translates the inside global address of the packet to the inside local address and then checks the routing table before it sends it to the destination computer. Whenever an entry is not found for an address in the translation table, it is not translated and proceeds with verifying the routing table for the destination address. The packet is dropped if a route to the destination is not found in the routing table. ā€¢ For more information on the order in which transactions are processed using NAT, refer to NAT Order of Operation. NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer(s) using different TCP or UDP ports. An IP packet has a header that contains the following information: Source AddressThe IP address of the originating computer, for example, 201.3.83.132.ā€¢ Source PortThe TCP or UDP port number assigned by the originating computer for this packet, for example, Port 1080. ā€¢ Destination AddressThe IP address of the receiving computer. For example, 145.51.18.223.ā€¢ Destination PortThe TCP or UDP port number the originating computer is requesting the receiving computer to open, for example, Port 3021. ā€¢ The addresses specify the two machines at each end while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that there are a possible 65,536 (216) values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have about 4,000 ports available. Dynamic NAT and Overloading Examples Flash Animation: Dynamic NAT Here is how dynamic NAT works: Go to the Dynamic NAT Flash animation and click on one of the green buttons to send a successful packet either to or from the stub domain. Click on one of the red buttons to send a packet that is dropped by the router because of an invalid address. An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to that company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered nonāˆ’routable since they are not unique. These are the inside local addresses. ā€¢ The company sets up a router with NAT enabled. The router has a range of unique IP addresses given to the company by IANA. These are the inside global addresses. ā€¢ A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server. ā€¢
The router receives the packet from the computer on the stub domain.ā€¢ After checking the routing table and the verification process for translation to occur, the router saves the computer's nonāˆ’routable IP address to an address translation table. The router replaces the sending computer's nonāˆ’routable IP address with the first available IP address out of the range of unique IP addresses. The translation table now has a mapping of the computer's nonāˆ’routable IP address matched with one of the unique IP addresses. ā€¢ When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved in the address translation table and sends it to that computer. If it doesn't find a match in the table, it drops the packet. ā€¢ The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system. ā€¢ Here's how overloading works: An internal network (stub domain) has been set up with nonāˆ’routable IP addresses that were not specifically allocated to that company by IANA. ā€¢ The company sets up a router with NAT enabled. The router has a unique IP address given to the company by IANA. ā€¢ A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server. ā€¢ The router receives the packet from the computer on the stub domain.ā€¢ After routing and verifying the packet for translation, the router saves the computer's nonāˆ’routable IP address and port number to an address translation table. The router replaces the sending computer's nonāˆ’routable IP address with the router's IP address. The router replaces the sending computer's source port with the port number that matches where the router saved the sending computer's address information in the address translation table. The translation table now has a mapping of the computer's nonāˆ’routable IP address and port number along with the router's IP address. ā€¢ When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the one saved in the address translation table and sends it to that computer. ā€¢ The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system. ā€¢ Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table. ā€¢ Look at the following table to see how the computers on a stub domain might appear to any external networks: Source Computer Source Computer's IP Address Source Computer's Port NAT Router's IP Address NAT Router's Assigned Port Number A 192.168.32.10 400 215.37.32.203 1 B 192.168.32.13 50 215.37.32.203 2 C 192.168.32.15 3750 215.37.32.203 3 D 192.168.32.18 206 215.37.32.203 4
As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location of the entry for that packet's source computer in the table. So any external network sees the NAT Router's IP address and the port number assigned by the router as the source computer information on each packet. You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated. The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations! Which is more than enough for most applications. IANA has actually set aside specific ranges of IP addresses for use as nonāˆ’routable internal network addresses. These addresses are considered unregistered, ( for more information check out RFC 1918: Address Allocation for Private Internets which defines these address ranges) which means that no company or agency can claim ownership of them and use them on public computers. Routers do not forward packets to unregistered addresses since those networks are meant for private use and are not supposed to be advertised to outside world. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to. There is a range for each of the three classes of IP addresses used for networking. Range 1 is for Class A: 10.0.0.0 through 10.255.255.255ā€¢ Range 2 is Class B: 172.16.0.0 through 172.31.255.255ā€¢ Range 3 is Class C: 192.168.0.0 through 192.168.255.255ā€¢ Although each range is in a different class, there is no requirement that you use any particular range for your internal network. It is good practice though because it greatly diminishes the chance of an IP address conflict. When you modify an existing Dynamic NAT configuration, you may be prompted with these error messages while the NAT translation is active: Dynamic mapping in use, cannot removeā€¢ %Pool outpool in use, cannot destroyā€¢ For these types of error messages, please refer to How to Change the Dynamic NAT Configuration which describes the procedure to clear the active NAT translation and modify the configuration accordingly. Security and Administration Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet and connect to a site, even download a file. But somebody else can't simply latch onto your IP address and use it to connect to a port on your computer. Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the stub domain to take place in specific circumstances. For instance, you may wish to map an inside global address to a specific inside local address that is assigned to your Web server.
Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific address when communicating with devices outside the network: Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your company to control what type of sites employees visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log file of what sites are visited and generate various reports from it. Network Address Translation is sometimes confused with proxy servers but there are definite differences. NAT is transparent to the source and destination computers. Neither one realizes that it is dealing with a third device. But a proxy server is not transparent. The source computer knows that it is making a request to the proxy server and must be configured to do so. The destination computer thinks that the proxy server IS the source computer and deals with it directly. Also, proxy servers usually work at Layer 4 (Transport) of the OSI Reference Model or higher, while NAT is a Layer 3 (Network) protocol. Working at a higher layer makes proxy servers slower than NAT devices in most cases. NAT operates at the Network layer (Layer 3) of the OSI Reference Model which makes sense, because this is the layer at which routers work: A real benefit of NAT is apparent in network administration. For example, you can move your Web server or FTP server to another host computer without having to worry about broken links. Simply change the inbound
mapping with the new inside local address at the router to reflect the new host. You can also make changes to your internal network easily since the only external IP address either belongs to the router or comes from a pool of global addresses. NAT and DHCP are a natural fit, you can choose a range of unregistered IP addresses for your stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up your network as your needs grow. You don't have to request more IP addresses from IANA. You can just increase the range of available IP addresses configured in DHCP and immediately have room for additional computers on your network. Multiāˆ’Homing As businesses rely more and more on the Internet, having multiple points of connection to the Internet is fast becoming an integral part of their network strategy. Multiple connections, known as multiāˆ’homing, reduces the chance of a potentially catastrophic shutdown if one of the connections should fail. In addition to maintaining a reliable connection, multiāˆ’homing allows a company to perform loadāˆ’balancing by lowering the number of computers connecting to the Internet through any single connection. Distributing the load through multiple connections optimizes the performance and can significantly decrease wait times. Multiāˆ’homed networks are often connected to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or range of IP addresses) to the company. Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route between networks using different protocols. In a multiāˆ’homed network, the router utilizes IBGP (Internal Border Gateway Protocol) on the stub domain side and EBGP (External Border Gateway Protocol) to communicate with other routers. When using NAT with multiāˆ’homing, the NAT router is configured with multiple pools of inside global addresses allocated by different ISPs. The same inside local address should be mapped to more than one inside global address from the configured pools, depending on the provider through which the traffic gets routed to the destination. This is known as NAT by destination. Refer to NAT āˆ’ Ability to Use Route Maps with Static Translations for more information. Multiāˆ’homing really makes a difference if one of the connections to an ISP fails. As soon as the router assigned to connect to that ISP determines that the connection is down, it will reroute all data through one of the other routers. NAT can be used to facilitate scalable routing for mulitāˆ’homed multiāˆ’provider connectivity. Related Information Configuring Network Address Translation: Getting Startedā€¢ How to Change the Dynamic NAT Configurationā€¢ Basic rule of NAT (incoming and outgoing) & how to use "Ip nat inside destination"ā€¢ Cisco IOS Network Address Translationā€¢ Cisco IOS Network Address Translation Overviewā€¢ Configuring IP Addressingā€¢ Using NAT in Overlapping Networksā€¢ NAT Order of Operationā€¢ The Internet Protocol Journal: The Trouble with NATā€¢ RFC 1631: The IP Network Address Translator (NAT)ā€¢ RFC 1918: Address Allocation for Private Internetsā€¢ KnowledgeShare āˆ’ White Papers: Network Address Translation FAQā€¢ NAT Technical Discussionā€¢ Technical Support & Documentation āˆ’ Cisco Systemsā€¢
Contacts & Feedback | Help | Site Map Ā© 2010 āˆ’ 2011 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems, Inc. Updated: Mar 29, 2011 Document ID: 6450

Recommended

Nat presentation
Nat presentationNat presentation
Nat presentationhassoon3
Ā 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)Amit Kumar , Jaipur Engineers
Ā 
Nat
NatNat
NatHumaira Saleem
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationMohak Kaushik
Ā 
Nad710 Network Address Translation
Nad710 Network Address TranslationNad710 Network Address Translation
Nad710 Network Address Translationtmavroidis
Ā 
DCHP,NAT,forwarding of ip packets
DCHP,NAT,forwarding of ip packetsDCHP,NAT,forwarding of ip packets
DCHP,NAT,forwarding of ip packetsrajshreemuthiah
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationKarppinen Ngoc Anh
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationVarsha Honde
Ā 

Recommended

Nat presentation
Nat presentationNat presentation
Nat presentationhassoon3
Ā 
What is Network Address Translation (NAT)
What is Network Address Translation (NAT)What is Network Address Translation (NAT)
What is Network Address Translation (NAT)Amit Kumar , Jaipur Engineers
Ā 
Nat
NatNat
NatHumaira Saleem
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationMohak Kaushik
Ā 
Nad710 Network Address Translation
Nad710 Network Address TranslationNad710 Network Address Translation
Nad710 Network Address Translationtmavroidis
Ā 
DCHP,NAT,forwarding of ip packets
DCHP,NAT,forwarding of ip packetsDCHP,NAT,forwarding of ip packets
DCHP,NAT,forwarding of ip packetsrajshreemuthiah
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationKarppinen Ngoc Anh
Ā 
Network address translation
Network address translationNetwork address translation
Network address translationVarsha Honde
Ā 
Nat
NatNat
Natlyndyv
Ā 
Data Packets, Routers and IP Addresses
Data Packets, Routers and IP AddressesData Packets, Routers and IP Addresses
Data Packets, Routers and IP AddressesStudent1989
Ā 
network address translate
network address translate network address translate
network address translate ahmedOday
Ā 
Ipv6 packet fomat
Ipv6 packet fomatIpv6 packet fomat
Ipv6 packet fomatDeena Siva
Ā 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Joud Khattab
Ā 
Network address translation pdf
Network address translation pdfNetwork address translation pdf
Network address translation pdfMadhusudhan Anand
Ā 
Ipv6up
Ipv6upIpv6up
Ipv6upasimnawaz54
Ā 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)Subrata Kumer Paul
Ā 
NAT
NATNAT
NATSurinder Kaur
Ā 
Mobile IP - pavankumar_912
Mobile IP - pavankumar_912Mobile IP - pavankumar_912
Mobile IP - pavankumar_912Pavan Kumar Sindgi
Ā 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6Chaitanya Ram
Ā 
Nat pat
Nat patNat pat
Nat patCYBERINTELLIGENTS
Ā 
IPv4 vs IPv6
IPv4 vs IPv6IPv4 vs IPv6
IPv4 vs IPv6NetProtocol Xpert
Ā 
IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6Ankita Mahajan
Ā 
internet protocol
internet protocolinternet protocol
internet protocolrajshreemuthiah
Ā 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...Adii Shah
Ā 
Mobile ip overview
Mobile ip overviewMobile ip overview
Mobile ip overviewpriya Nithya
Ā 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6mithilak
Ā 
Ipv4 ppt
Ipv4 pptIpv4 ppt
Ipv4 pptSonal Chandel
Ā 
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...IRJET Journal
Ā 
Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxGeorgeThoreJr
Ā 
Ip, subnet, gateway and routers
Ip, subnet, gateway and routersIp, subnet, gateway and routers
Ip, subnet, gateway and routersAdrian Suarez
Ā 

More Related Content

What's hot

Nat
NatNat
Natlyndyv
Ā 
Data Packets, Routers and IP Addresses
Data Packets, Routers and IP AddressesData Packets, Routers and IP Addresses
Data Packets, Routers and IP AddressesStudent1989
Ā 
network address translate
network address translate network address translate
network address translate ahmedOday
Ā 
Ipv6 packet fomat
Ipv6 packet fomatIpv6 packet fomat
Ipv6 packet fomatDeena Siva
Ā 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Joud Khattab
Ā 
Network address translation pdf
Network address translation pdfNetwork address translation pdf
Network address translation pdfMadhusudhan Anand
Ā 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)Subrata Kumer Paul
Ā 
Mobile IP - pavankumar_912
Mobile IP - pavankumar_912Mobile IP - pavankumar_912
Mobile IP - pavankumar_912Pavan Kumar Sindgi
Ā 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6Chaitanya Ram
Ā 
IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6Ankita Mahajan
Ā 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...Adii Shah
Ā 
Mobile ip overview
Mobile ip overviewMobile ip overview
Mobile ip overviewpriya Nithya
Ā 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6mithilak
Ā 
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...IRJET Journal
Ā 

What's hot (20)

Nat
NatNat
Nat
Ā 
Data Packets, Routers and IP Addresses
Data Packets, Routers and IP AddressesData Packets, Routers and IP Addresses
Data Packets, Routers and IP Addresses
Ā 
network address translate
network address translate network address translate
network address translate
Ā 
Ipv6 packet fomat
Ipv6 packet fomatIpv6 packet fomat
Ipv6 packet fomat
Ā 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
Ā 
Network address translation pdf
Network address translation pdfNetwork address translation pdf
Network address translation pdf
Ā 
Ipv6up
Ipv6upIpv6up
Ipv6up
Ā 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)
Ā 
NAT
NATNAT
NAT
Ā 
Mobile IP - pavankumar_912
Mobile IP - pavankumar_912Mobile IP - pavankumar_912
Mobile IP - pavankumar_912
Ā 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6
Ā 
Nat pat
Nat patNat pat
Nat pat
Ā 
IPv4 vs IPv6
IPv4 vs IPv6IPv4 vs IPv6
IPv4 vs IPv6
Ā 
IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6
Ā 
internet protocol
internet protocolinternet protocol
internet protocol
Ā 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...
Ā 
Mobile ip overview
Mobile ip overviewMobile ip overview
Mobile ip overview
Ā 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
Ā 
Ipv4 ppt
Ipv4 pptIpv4 ppt
Ipv4 ppt
Ā 
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
IRJET- Overview of Hole Punching: ICMP Hole Punching, TCP Hole Punching, UDP ...
Ā 

Similar to Nat cisco

Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxGeorgeThoreJr
Ā 
Ip, subnet, gateway and routers
Ip, subnet, gateway and routersIp, subnet, gateway and routers
Ip, subnet, gateway and routersAdrian Suarez
Ā 
Describe how a NAT (Network Address Translator) works. Be sure to in.pdf
Describe how a NAT (Network Address Translator) works. Be sure to in.pdfDescribe how a NAT (Network Address Translator) works. Be sure to in.pdf
Describe how a NAT (Network Address Translator) works. Be sure to in.pdfarishmarketing21
Ā 
Unit III
Unit IIIUnit III
Unit IIIAPARNA P
Ā 
Network address translations
Network address translations Network address translations
Network address translations Shahzad shareef
Ā 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
Ā 
Internet architecture protocol
Internet architecture protocolInternet architecture protocol
Internet architecture protocolGLIM Digital
Ā 
Network Address Translation ( Nat ) Essay
Network Address Translation ( Nat ) EssayNetwork Address Translation ( Nat ) Essay
Network Address Translation ( Nat ) EssayJill Crawford
Ā 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)Netwax Lab
Ā 
networkaddresstranslation-160909142440.pptx
networkaddresstranslation-160909142440.pptxnetworkaddresstranslation-160909142440.pptx
networkaddresstranslation-160909142440.pptxzmulani8
Ā 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security conceptssonuagain
Ā 
Networking presentation 9 march 2009
Networking presentation 9 march 2009Networking presentation 9 march 2009
Networking presentation 9 march 2009Kinshook Chaturvedi
Ā 
As robust as the IP protocol is, it does not perform the actual .docx
As robust as the IP protocol is, it does not perform the actual .docxAs robust as the IP protocol is, it does not perform the actual .docx
As robust as the IP protocol is, it does not perform the actual .docxcargillfilberto
Ā 
Network addresses.pptx
Network addresses.pptxNetwork addresses.pptx
Network addresses.pptxCherryLim21
Ā 
Computer Networks Slide.pptx
Computer Networks Slide.pptxComputer Networks Slide.pptx
Computer Networks Slide.pptxemsResulzade1
Ā 
Basic Foundation For Cybersecurity
Basic Foundation For CybersecurityBasic Foundation For Cybersecurity
Basic Foundation For CybersecurityMohammed Adam
Ā 
CCN CEP.pptx
CCN CEP.pptxCCN CEP.pptx
CCN CEP.pptxNOOR69810
Ā 

Similar to Nat cisco (20)

Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptx
Ā 
Ip, subnet, gateway and routers
Ip, subnet, gateway and routersIp, subnet, gateway and routers
Ip, subnet, gateway and routers
Ā 
Describe how a NAT (Network Address Translator) works. Be sure to in.pdf
Describe how a NAT (Network Address Translator) works. Be sure to in.pdfDescribe how a NAT (Network Address Translator) works. Be sure to in.pdf
Describe how a NAT (Network Address Translator) works. Be sure to in.pdf
Ā 
Unit III
Unit IIIUnit III
Unit III
Ā 
Network address translations
Network address translations Network address translations
Network address translations
Ā 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routers
Ā 
Internet architecture protocol
Internet architecture protocolInternet architecture protocol
Internet architecture protocol
Ā 
Network Address Translation ( Nat ) Essay
Network Address Translation ( Nat ) EssayNetwork Address Translation ( Nat ) Essay
Network Address Translation ( Nat ) Essay
Ā 
NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)NAT (network address translation) & PAT (port address translation)
NAT (network address translation) & PAT (port address translation)
Ā 
networkaddresstranslation-160909142440.pptx
networkaddresstranslation-160909142440.pptxnetworkaddresstranslation-160909142440.pptx
networkaddresstranslation-160909142440.pptx
Ā 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
Ā 
NAT_Final
NAT_FinalNAT_Final
NAT_Final
Ā 
Networking presentation 9 march 2009
Networking presentation 9 march 2009Networking presentation 9 march 2009
Networking presentation 9 march 2009
Ā 
As robust as the IP protocol is, it does not perform the actual .docx
As robust as the IP protocol is, it does not perform the actual .docxAs robust as the IP protocol is, it does not perform the actual .docx
As robust as the IP protocol is, it does not perform the actual .docx
Ā 
Network addresses.pptx
Network addresses.pptxNetwork addresses.pptx
Network addresses.pptx
Ā 
NAT Ccna
NAT CcnaNAT Ccna
NAT Ccna
Ā 
Computer Networks Slide.pptx
Computer Networks Slide.pptxComputer Networks Slide.pptx
Computer Networks Slide.pptx
Ā 
Class note 4
Class note 4Class note 4
Class note 4
Ā 
Basic Foundation For Cybersecurity
Basic Foundation For CybersecurityBasic Foundation For Cybersecurity
Basic Foundation For Cybersecurity
Ā 
CCN CEP.pptx
CCN CEP.pptxCCN CEP.pptx
CCN CEP.pptx
Ā 

Recently uploaded

Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
Ā 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
Ā 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
Ā 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
Ā 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Satyam Kumar
Ā 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
Ā 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
Ā 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
Ā 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
Ā 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
Ā 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
Ā 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
Ā 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
Ā 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
Ā 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
Ā 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
Ā 

Recently uploaded (20)

young call girls in Rajiv ChowkšŸ” 9953056974 šŸ” Delhi escort Service
young call girls in Rajiv ChowkšŸ” 9953056974 šŸ” Delhi escort Serviceyoung call girls in Rajiv ChowkšŸ” 9953056974 šŸ” Delhi escort Service
young call girls in Rajiv ChowkšŸ” 9953056974 šŸ” Delhi escort Service
Ā 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Ā 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
Ā 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
Ā 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
Ā 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .
Ā 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
Ā 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
Ā 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
Ā 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
Ā 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
Ā 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
Ā 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Ā 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
Ā 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
Ā 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
Ā 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
Ā 
young call girls in Green ParkšŸ” 9953056974 šŸ” escort Service
young call girls in Green ParkšŸ” 9953056974 šŸ” escort Serviceyoung call girls in Green ParkšŸ” 9953056974 šŸ” escort Service
young call girls in Green ParkšŸ” 9953056974 šŸ” escort Service
Ā 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
Ā 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
Ā 

Nat cisco

  • 1. How NAT Works Document ID: 6450 This document contains Flash animation Contents Introduction Prerequisites Requirements Components Used Conventions Behind the Mask Dynamic NAT and Overloading Examples Flash Animation: Dynamic NAT Security and Administration Multiāˆ’Homing Related Information Introduction If you are reading this, you are most likely connected to the Internet and there's a very good chance that you are using Network Address Translation (NAT) right now! The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, the current estimate is that there are about 100 million hosts and over 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year. So what does the size of the Internet have to do with NAT? Everything! For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32āˆ’bit number that identifies the location of your computer on a network. Basically it works just like your street address: a way to find out exactly where you are and deliver information to you. When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (232 ). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into Classes and the need to set aside some of the addresses for multicasting, testing or other specific uses. With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (IPv6) but will take several years to implement because it requires modification of the entire infrastructure of the Internet. The NAT router translates traffic coming into and leaving the private network:
  • 2. This is where NAT (RFC 1631 ) comes to the rescue. Basically, Network Address Translation allows a single device, such as a router, to act as agent between the Internet (or "public network") and a local (or "private") network. This means that only a single unique IP address is required to represent an entire group of computers to anything outside their network. The shortage of IP addresses is only one reason to use NAT. Two other good reasons are: Securityā€¢ Administrationā€¢ You will learn more about how NAT can benefit you, but first, let us take a closer look at NAT and what it can do& Prerequisites Requirements Readers of this document should be knowledgeable of the following: IP addressing and routing conceptsā€¢ Components Used This document is not restricted to specific software and hardware versions. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Behind the Mask NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for them to call you back. You tell the receptionist that you are expecting a call from this client and to put them through. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist who they are looking for, the receptionist checks a lookup table that matches up the person's name and extension. The receptionist knows that you requested this call, therefore the receptionist forwards the caller to your extension. Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:
  • 3. Static NAT Mapping an unregistered IP address to a registered IP address on a oneāˆ’toāˆ’one basis. Particularly useful when a device needs to be accessible from outside the network. In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110: ā€¢ Dynamic NAT Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a oneāˆ’toāˆ’one mapping between unregistered and registered IP address, but the mapping could vary depending on the registered address available in the pool, at the time of communication. In dynamic NAT, the computer with the IP address of 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150: ā€¢ Overloading A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or portāˆ’level multiplexed NAT. In overloading, each computer on the private network is translated to the same IP address (213.18.123.100) but with a different port number assignment: ā€¢ Overlapping When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses and also it must translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or you can use DNS and implement dynamic NAT. The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another ā€¢
  • 4. network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network: The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, it doesn't travel off the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world. NAT can be configured in various ways. In the example below the NAT router is configured to translate unregistered IP addresses (inside local addresses) that reside on the private (inside) network to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network. An ISP assigns a range of IP addresses to your company. The assigned block of addresses are registered unique IP addresses and are called inside global addresses. Unregistered private IP addresses are split into two groups, a small group (outside local addresses) that will be used by the NAT routers and the majority that will be used on the stub domain known as inside local addresses. The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network. For more information on definitions of local and global addresses, refer to NAT: Local and Global Definitions. NAT only translates traffic which travel between the inside and outside network and is specified to be translated. Any traffic not matching the translation criteria or those that are forwarded between other interfaces on a router are never translated, and they are forwarded as such. IP addresses have different designations based on whether they are on the private network (stub domain) or on the public network (Internet) and whether the traffic is incoming or outgoing: ā€¢ Most computers on the stub domain communicate with each other using the inside local addresses.ā€¢ Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses which means that they do not require translation. ā€¢ When a computer on the stub domain that has an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers by way of normal routing to the defaultāˆ’gateway. ā€¢ The NAT router checks the routing table to see if it has an entry for the destination address. If the destination address is not in the routing table, the packet is dropped. If an entry is available, it verifies whether the packet is traveling from the inside to the outside network and checks if the packet matches the criteria specified for translation. The router then checks the address translation table to ā€¢
  • 5. find if there is an entry existing for the inside local address with a corresponding inside global address. If an entry is found, it translates the packet by using the inside global address. If static NAT alone is configured and no entry is found, it sends the packet without translation. Using an inside global address, the router sends the packet on to its destination.ā€¢ A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address. ā€¢ When the packet arrives on the outside network, the NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain. ā€¢ The NAT router translates the inside global address of the packet to the inside local address and then checks the routing table before it sends it to the destination computer. Whenever an entry is not found for an address in the translation table, it is not translated and proceeds with verifying the routing table for the destination address. The packet is dropped if a route to the destination is not found in the routing table. ā€¢ For more information on the order in which transactions are processed using NAT, refer to NAT Order of Operation. NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer(s) using different TCP or UDP ports. An IP packet has a header that contains the following information: Source AddressThe IP address of the originating computer, for example, 201.3.83.132.ā€¢ Source PortThe TCP or UDP port number assigned by the originating computer for this packet, for example, Port 1080. ā€¢ Destination AddressThe IP address of the receiving computer. For example, 145.51.18.223.ā€¢ Destination PortThe TCP or UDP port number the originating computer is requesting the receiving computer to open, for example, Port 3021. ā€¢ The addresses specify the two machines at each end while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that there are a possible 65,536 (216) values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have about 4,000 ports available. Dynamic NAT and Overloading Examples Flash Animation: Dynamic NAT Here is how dynamic NAT works: Go to the Dynamic NAT Flash animation and click on one of the green buttons to send a successful packet either to or from the stub domain. Click on one of the red buttons to send a packet that is dropped by the router because of an invalid address. An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to that company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered nonāˆ’routable since they are not unique. These are the inside local addresses. ā€¢ The company sets up a router with NAT enabled. The router has a range of unique IP addresses given to the company by IANA. These are the inside global addresses. ā€¢ A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server. ā€¢
  • 6. The router receives the packet from the computer on the stub domain.ā€¢ After checking the routing table and the verification process for translation to occur, the router saves the computer's nonāˆ’routable IP address to an address translation table. The router replaces the sending computer's nonāˆ’routable IP address with the first available IP address out of the range of unique IP addresses. The translation table now has a mapping of the computer's nonāˆ’routable IP address matched with one of the unique IP addresses. ā€¢ When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved in the address translation table and sends it to that computer. If it doesn't find a match in the table, it drops the packet. ā€¢ The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system. ā€¢ Here's how overloading works: An internal network (stub domain) has been set up with nonāˆ’routable IP addresses that were not specifically allocated to that company by IANA. ā€¢ The company sets up a router with NAT enabled. The router has a unique IP address given to the company by IANA. ā€¢ A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server. ā€¢ The router receives the packet from the computer on the stub domain.ā€¢ After routing and verifying the packet for translation, the router saves the computer's nonāˆ’routable IP address and port number to an address translation table. The router replaces the sending computer's nonāˆ’routable IP address with the router's IP address. The router replaces the sending computer's source port with the port number that matches where the router saved the sending computer's address information in the address translation table. The translation table now has a mapping of the computer's nonāˆ’routable IP address and port number along with the router's IP address. ā€¢ When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the one saved in the address translation table and sends it to that computer. ā€¢ The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system. ā€¢ Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table. ā€¢ Look at the following table to see how the computers on a stub domain might appear to any external networks: Source Computer Source Computer's IP Address Source Computer's Port NAT Router's IP Address NAT Router's Assigned Port Number A 192.168.32.10 400 215.37.32.203 1 B 192.168.32.13 50 215.37.32.203 2 C 192.168.32.15 3750 215.37.32.203 3 D 192.168.32.18 206 215.37.32.203 4
  • 7. As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location of the entry for that packet's source computer in the table. So any external network sees the NAT Router's IP address and the port number assigned by the router as the source computer information on each packet. You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated. The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations! Which is more than enough for most applications. IANA has actually set aside specific ranges of IP addresses for use as nonāˆ’routable internal network addresses. These addresses are considered unregistered, ( for more information check out RFC 1918: Address Allocation for Private Internets which defines these address ranges) which means that no company or agency can claim ownership of them and use them on public computers. Routers do not forward packets to unregistered addresses since those networks are meant for private use and are not supposed to be advertised to outside world. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to. There is a range for each of the three classes of IP addresses used for networking. Range 1 is for Class A: 10.0.0.0 through 10.255.255.255ā€¢ Range 2 is Class B: 172.16.0.0 through 172.31.255.255ā€¢ Range 3 is Class C: 192.168.0.0 through 192.168.255.255ā€¢ Although each range is in a different class, there is no requirement that you use any particular range for your internal network. It is good practice though because it greatly diminishes the chance of an IP address conflict. When you modify an existing Dynamic NAT configuration, you may be prompted with these error messages while the NAT translation is active: Dynamic mapping in use, cannot removeā€¢ %Pool outpool in use, cannot destroyā€¢ For these types of error messages, please refer to How to Change the Dynamic NAT Configuration which describes the procedure to clear the active NAT translation and modify the configuration accordingly. Security and Administration Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. So you can browse the Internet and connect to a site, even download a file. But somebody else can't simply latch onto your IP address and use it to connect to a port on your computer. Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the stub domain to take place in specific circumstances. For instance, you may wish to map an inside global address to a specific inside local address that is assigned to your Web server.
  • 8. Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific address when communicating with devices outside the network: Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your company to control what type of sites employees visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log file of what sites are visited and generate various reports from it. Network Address Translation is sometimes confused with proxy servers but there are definite differences. NAT is transparent to the source and destination computers. Neither one realizes that it is dealing with a third device. But a proxy server is not transparent. The source computer knows that it is making a request to the proxy server and must be configured to do so. The destination computer thinks that the proxy server IS the source computer and deals with it directly. Also, proxy servers usually work at Layer 4 (Transport) of the OSI Reference Model or higher, while NAT is a Layer 3 (Network) protocol. Working at a higher layer makes proxy servers slower than NAT devices in most cases. NAT operates at the Network layer (Layer 3) of the OSI Reference Model which makes sense, because this is the layer at which routers work: A real benefit of NAT is apparent in network administration. For example, you can move your Web server or FTP server to another host computer without having to worry about broken links. Simply change the inbound
  • 9. mapping with the new inside local address at the router to reflect the new host. You can also make changes to your internal network easily since the only external IP address either belongs to the router or comes from a pool of global addresses. NAT and DHCP are a natural fit, you can choose a range of unregistered IP addresses for your stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up your network as your needs grow. You don't have to request more IP addresses from IANA. You can just increase the range of available IP addresses configured in DHCP and immediately have room for additional computers on your network. Multiāˆ’Homing As businesses rely more and more on the Internet, having multiple points of connection to the Internet is fast becoming an integral part of their network strategy. Multiple connections, known as multiāˆ’homing, reduces the chance of a potentially catastrophic shutdown if one of the connections should fail. In addition to maintaining a reliable connection, multiāˆ’homing allows a company to perform loadāˆ’balancing by lowering the number of computers connecting to the Internet through any single connection. Distributing the load through multiple connections optimizes the performance and can significantly decrease wait times. Multiāˆ’homed networks are often connected to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or range of IP addresses) to the company. Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route between networks using different protocols. In a multiāˆ’homed network, the router utilizes IBGP (Internal Border Gateway Protocol) on the stub domain side and EBGP (External Border Gateway Protocol) to communicate with other routers. When using NAT with multiāˆ’homing, the NAT router is configured with multiple pools of inside global addresses allocated by different ISPs. The same inside local address should be mapped to more than one inside global address from the configured pools, depending on the provider through which the traffic gets routed to the destination. This is known as NAT by destination. Refer to NAT āˆ’ Ability to Use Route Maps with Static Translations for more information. Multiāˆ’homing really makes a difference if one of the connections to an ISP fails. As soon as the router assigned to connect to that ISP determines that the connection is down, it will reroute all data through one of the other routers. NAT can be used to facilitate scalable routing for mulitāˆ’homed multiāˆ’provider connectivity. Related Information Configuring Network Address Translation: Getting Startedā€¢ How to Change the Dynamic NAT Configurationā€¢ Basic rule of NAT (incoming and outgoing) & how to use "Ip nat inside destination"ā€¢ Cisco IOS Network Address Translationā€¢ Cisco IOS Network Address Translation Overviewā€¢ Configuring IP Addressingā€¢ Using NAT in Overlapping Networksā€¢ NAT Order of Operationā€¢ The Internet Protocol Journal: The Trouble with NATā€¢ RFC 1631: The IP Network Address Translator (NAT)ā€¢ RFC 1918: Address Allocation for Private Internetsā€¢ KnowledgeShare āˆ’ White Papers: Network Address Translation FAQā€¢ NAT Technical Discussionā€¢ Technical Support & Documentation āˆ’ Cisco Systemsā€¢
  • 10. Contacts & Feedback | Help | Site Map Ā© 2010 āˆ’ 2011 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of Cisco Systems, Inc. Updated: Mar 29, 2011 Document ID: 6450