NAT Examples
Acknowledgements
• Note: for expediency, this slide-deck summarises and uses graphics from various Cisco documentation, including:
– Cisco − NAT: Local and Global Definitions
– Cisco − How NAT Works
– Cisco − Configuring Network Address Translation: Getting Started
– Cisco – NAT Virtual Interface
– Cisco NAT FAQ:
• http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
– The Inside and Outside of NAT
• http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/
Foundations
• First of all, we need to understand some basic terms:
– Inside network = This is inside your network
– Outside network = This is outside your network
– Inside Local = The assigned IP address of a host inside your network
– Inside Global = The “public” IP address used to represent a host inside your network
– Outside Local = The locally known IP address of an outside host
- not the legitimate host address, but an address that is routable to the inside network
– Outside Global = The assigned IP address of a host outside of your network
- assigned by the host’s owner, could itself be a NAT’d address
Legacy (domain-based)
Inside-to-Outside NAT
• Have to:
1. Declare a NAT INSIDE and a NAT OUTSIDE interface
2. Set up a NAT pool
3. Set up a source-list to define what source addresses will be NAT’d for outbound traffic
Legacy Inside-to-Outside NAT
No-Overload
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!-- Defines serial 0 with an IP address and as a NAT inside interface
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
!-- Defines Ethernet 1 with an IP address and as a NAT inside interface
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!-- Defines serial 1 with an IP address and as a NAT outside interface
!
ip nat pool POOL-NO-OVERLOAD 172.16.10.1 172.16.10.63 prefix 24
!
!-- Defines a NAT pool named POOL-NO-OVERLOAD with a range of addresses
!-- 172.16.10.1 - 172.16.10.63
!
ip nat inside source list 7 pool POOL-NO-OVERLOAD
!
!-- Indicates that any packets received on the inside interface that
!-- are permitted by access-list 7
!-- will have the source address translated to an address out of the
!-- NAT pool "POOL-NO-OVERLOAD"
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
!-- Access-list 7 permits packets with source addresses ranging from
!-- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31
Note: Packet is routed first and then NAT occurs
Legacy Inside-to-Outside NAT
Overload (also known as “PAT”)
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!-- Defines serial 0 with an IP address and as a NAT inside interface
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
!-- Defines Ethernet 1 with an IP address and as a NAT inside interface
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!-- Defines serial 1 with an IP address and as a NAT outside interface
!
ip nat pool POOL-OVERLOAD 172.16.10.1 172.16.10.2 prefix 24
!
!-- Defines a NAT pool named POOL-OVERLOAD with a range of addresses
!-- 172.16.10.1 - 172.16.10.2
!-- Means that the users will re-use the two NAT addresses but be
!-- distinguished by their source ports.
!
ip nat inside source list 7 pool POOL-OVERLOAD overload
!
!-- Indicates that any packets received on the inside interface that
!-- are permitted by access-list 7
!-- will have the source address translated to an address out of the
!-- NAT pool "POOL-OVERLOAD"
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
!-- Access-list 7 permits packets with source addresses ranging from
!-- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31
Note: Packet is routed first and then NAT occurs
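Added example (not from the slides or from Cisco documentation): a small Python model of the two legacy configurations above, showing how access-list 7's wildcard mask selects sources, why the two-address pool only serves two hosts without "overload", and why a log entry seen outside needs the translated port as well as the address to be traced back to an inside host when PAT is in use. The class and function names, the sequential port allocator and the sample hosts are assumptions made for illustration; IOS chooses ports differently.

```python
import ipaddress

# access-list 7 from the slides: (address, wildcard mask)
ACL_7 = [("10.10.10.0", "0.0.0.31"), ("10.10.20.0", "0.0.0.31")]


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(src, acl=ACL_7):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    for net, wildcard in acl:
        care = ~ip_int(wildcard) & 0xFFFFFFFF
        if ip_int(src) & care == ip_int(net) & care:
            return True
    return False  # implicit deny: the source is not eligible for NAT


class PoolExhausted(Exception):
    """No free inside global address (or port) is left in the pool."""


class InsideSourceNat:
    """Model of 'ip nat inside source list 7 pool <name> [overload]'."""

    def __init__(self, first, last, overload=False):
        self.pool = [str(ipaddress.IPv4Address(a))
                     for a in range(ip_int(first), ip_int(last) + 1)]
        self.overload = overload
        self.next_port = 1024      # assumed sequential allocator, not IOS's
        self.table = {}            # inside local -> inside global

    def translate(self, src, sport):
        """Return the (address, port) seen outside, or None if not NAT'd."""
        if not acl_permits(src):
            return None
        key = (src, sport) if self.overload else src
        if key not in self.table:
            self.table[key] = self._allocate()
        glob = self.table[key]
        return glob if self.overload else (glob, sport)

    def _allocate(self):
        if self.overload:
            # Flows share one pool address and differ only by source port.
            if self.next_port > 65535:
                raise PoolExhausted("no free port")
            self.next_port += 1
            return (self.pool[0], self.next_port - 1)
        free = [a for a in self.pool if a not in self.table.values()]
        if not free:
            raise PoolExhausted("no free address")
        return free[0]

    def attribute(self, glob_ip, glob_port):
        """Map what an outside log recorded back to the inside local host."""
        for local, glob in self.table.items():
            if self.overload and glob == (glob_ip, glob_port):
                return local[0]
            if not self.overload and glob == glob_ip:
                return local
        return None


def hosts_served(nat, hosts, sport=40000):
    """Count how many constructed inside hosts obtain a translation."""
    served = 0
    for host in hosts:
        try:
            served += nat.translate(host, sport) is not None
        except PoolExhausted:
            pass
    return served


SAMPLE_HOSTS = ["10.10.10.5", "10.10.10.6", "10.10.20.7"]  # constructed
```

With PAT, every sample host appears outside as the same address, so retaining the translation table (or translation logs) is what makes later attribution possible.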
Static NAT of Outside Host for Inside access
interface s0
 ip nat inside
!
interface s1
 ip nat outside
!
!
ip nat outside source static 171.16.68.1 10.10.10.5
The outside global host IP of 172.16.68.1 will be translated to 10.10.10.5 so that any inside host may be able to reach it without having to be source NAT’d.
Note: Packet is NAT’d first and then routed
NAT Virtual Interface (NVI)
• Introduced in IOS 12.3(14)T
• Simplifies the config a little (but may be less clear in intention!)
• Removes the requirement to configure an interface as either:
– NAT inside, or
– NAT outside
• An interface can be configured to use NAT or not use NAT.
• Configure by:
1. Using the command: ‘ip nat source …’ without specifying the inside/outside tag when defining the source address(es) to be NAT’d
2. Enable NAT on the interfaces via the command ‘ip nat enable’
Inside-to-Outside NAT No-Overload using NVI
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat enable
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat enable
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat enable
!
ip nat pool POOL-NO-OVERLOAD 172.16.10.1 172.16.10.63 prefix 24
!
ip nat source list 7 pool POOL-NO-OVERLOAD
!
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
Notice the “NAT Inside” and “NAT Outside” statements are now replaced by “NAT Enable”
Also: NAT Source no longer has an ‘inside’ or ‘outside’ reference.
Commands to show translation:
• show ip nat nvi translations
• show ip nat nvi statistics
Inside-to-Outside NAT
Overload (also known as “PAT”) using NVI
interface Serial 0
 ip address 10.10.10.1 255.255.255.0
 ip nat enable
!
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat enable
!
!
interface serial 1
 ip address 172.16.10.64 255.255.255.0
 ip nat enable
!
ip nat pool POOL-OVERLOAD 172.16.10.1 172.16.10.2 prefix 24
!
!
ip nat source list 7 pool POOL-OVERLOAD overload
!
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
Static NAT of Outside Host for Inside access with NVI
interface s0
 ip nat enable
!
interface s1
 ip nat enable
!
!
ip nat source static 171.16.68.1 10.10.10.5
So what exactly is NVI?
• NVI is the name of a virtual interface (NVI0) created by Cisco IOS when you enable NAT
– Created when using legacy (inside/outside) NAT
– Created when using NVI NAT
• “OK, I’m confused”, you say.
– Basically, Cisco introduced a new configuration format in IOS 12.3(14)T and called it “NVI NAT” to distinguish it from “NAT’ing on a stick” where a single routing interface is used to perform the NAT
• A loopback interface is used and that is the OUTSIDE interface
• The single local network interface is the INSIDE interface
• The NAT’ing direction is automatically defined by the traffic flow
• And ….. importantly
So what exactly is NVI?
• Traffic is symmetrically handled:
1. The NAT translation table is used to make a routing decision to send the packet to the NVI0 interface
• Basically a static route forwarding to NVI0 for all packets matching the NAT pool is automatically configured
2. The packet is translated at the NVI0 interface
3. The packet is then routed based on the translated destination
• Difference:
– Legacy (domain-based) NAT:
• Outbound NAT – packet is routed and then translated
• Inbound NAT – packet is translated and then routed
– NVI-based NAT
• Symmetrical handling, routing is performed twice
– First to send the packet to the NVI
– Second to send the packet to its destination based on the translated address
NOTE:
• Cisco recommends legacy NAT still be used for:
– Virtual Router Function (VRF) to global NAT
– NAT’ing between interfaces in the same VRF
• NVI can be used to NAT between different VRFs or for traffic going across the router that is performing the NAT
The End
Ibbidy …. Ibbidy …. Ibbidy ….. That’s All Folks!!!
Image courtesy of: dmgermain.blogspot.com
