Network address translations

When communicating to devices in a public
network, your device needs to use a source
address that is a public address. NAT device
enables private IPv4 to connect to the Internet.
NAT enable you to change an IP address in a
packet to a different address. Usually, NAT
connects two networks and translates the private
(inside local) addresses into public addresses
(inside global) before packets are forwarded to
another network. In other word Address
translation allows you to translate your internal
private addresses to public addresses before these
packets leave your network

Situation where you should use NAT
•Your ISP did not provide you sufficient
public IP address
•Your company is going to merge in a
company which use same address space
•Where you want to hide your internal IP
address space from outside
You want to assign the same IP
address to multiple machines

There are three types of NAT
Static/dynamic/pat
•Static:In static NAT manual translation is
performed by an address translation device,
translating one IP address to a different
one. If you have 100 devices, you need to
create 100 static entries in the address
translation table.Typically, static
translation is done for inside resources that
outside people want to access

Dynamic NAT is mostly used when inside users needs to access outside resources.
The global address assigned to the internal user isn't important, since outside
devices don't directly connect to your internal users they just return traffic to them
that the inside user requested.
Dynamic NAT is used when inside use wants to access external resource. When an
inside user sends traffic through the address translation device, say a router, it
examines the source IP address and compares it to the internal local address pool.
If it finds a match, then it determines which inside global address pool it should use
for the translation. It then dynamically picks an address in the global address pool
that is not currently assigned to an inside device. The router adds this entry in its
address translation table, the packet is translated, and the packet is then sent to
the outside world. If no matching entry is found in the local address pool, the
address is not translated and is forwarded to the outside world in its original state.
When returning traffic comes back into your network, the address translation
device examines the destination IP addresses and checks them against the address
translation table. Upon finding a matching entry, it converts the global inside
address to the local inside address in the destination IP address field of the packet
header and forwards the packet to the inside network

With PAT, all devices that go through the
address translation device have the same
global IP address assigned to them, so the
source TCP or UDP port numbers are used to
differentiate the different connections. If two
devices have the same source port
number, the translation device changes one of
them to ensure uniqueness.
Major difference between NAT and PAT is In
NAT Only IP addresses are translated (not port
numbers).

Disadvantages of Address Translation
Three main disadvantage with address
translation are:
•Each connection has an added delay.
•Troubleshooting is more difficult.
Not all applications work with
address translation

Term Explanation
Inside Addresses located on the inside of your network
Outside Addresses located outside of your network
Local The IP address physically assigned to a device
Global The public IP address physically or logically assigned to a device
Inside local IP address The IPv4 address that is assigned to a host on the inside network
Inside global IP address
A legitimate IPv4 address assigned by the ISP that represents one or more inside local IPv4
addresses to the outside world
Outside global IP address An outside device with a registered public IP address
Outside local IP address An outside device with an assigned private IP address
Static NAT A manual address translation is performed between two addresses and possibly port numbers.
Dynamic NAT
An address translation device automatically performs address translation between two addresses
and possibly port numbers.
Port Address Translation (PAT)
Many inside IP addresses are translated to a single IP address, where each inside address is given a
different TCP or UDP port number for uniqueness.
Address Translation Terms and Types

How to configure NAT
Configuration of static NAT is very straight
forward. In this example we have a web server
connected with Router 1. Our web server is using
the IP address 10.0.0.2. But due to various
reasons discussed in previous article our
company want to use 50.0.0.1 IP address for this
server. Now our task is to configure NAT on
Router 1 which translate 10.0.0.2 [ inside local
web server address] to 50.0.0.1 [ inside global ip
address ].a

R1(config)#ip route 30.0.0.0
255.0.0.0 20.0.0.1
R1(config)#ip nat inside
source static 10.0.0.2
50.0.0.1
R1(config)#int fa 0/0
R1(config-if)#ip nat inside
R1(config)#int s 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit

Now configure R0 exactly
given here
R0(config-
if)#bandwidth 64
R0(config-if)#exit
R0(config)#ip route
50.0.0.0 255.0.0.0
20.0.0.2

As you have seen in configuration there is not
direct route for 10.0.0.2. So PC from network
of 30.0.0.0 will never know about it. They will
access 50.0.0.1 as the web server IP. To test it
double click on any computer and ping from
50.0.0.1 and you will get replay.

Now ping from 10.0.0.2 and you will get destination host
unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host
unreachable.
unreachable.
unreachable.
unreachable.

Step by Step Configuration of Dynamic
NAT
With dynamic NAT, you must manually
define two sets of addresses on your
address translation device. One set
defines which inside addresses are
allowed to be translated (the local
addresses), and the other defines what
these addresses are to be translated to
(the global addresses).

In this example our internal
network is using 192.168.0.0
network. We have five public ip
address 50.0.0.1 to 50.0.0.5 to use.
Router1(1841 Router0) is going to
be NAT device. Double click on
Router1(1841 Router0) and
configure it as given below

R0(config-if)#bandwidth 64
R0(config)#ip route 0.0.0.0 0.0.0.0
serial 0/0/0
R0(config)#access-list 1 permit
192.168.0.0 0.0.0.255
R0(config)#ip nat pool test 50.0.0.1
50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1
pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#exit

Now double click on R2(1841
Router1) and configure
Router(config)#ip
route 0.0.0.0 0.0.0.0
serial 0/0/0
Router(config)#hostna
me R2

For testing of NAT go R1 and enable debug for NAT from privilege
mode
R1#debug ip nat
Now go on pc and ping to 20.0.0.2

When ICMP ping packet reach to R1.
It examines its source address against
the access list 1. As this packet is
generated form the network of
192.168.0.0 so it will pass the access
list. Now router will check NAT pools
for free address to translate with this
address. Which you can check in the
output of debag command in R1

IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
As you can see in output 192.168.0.5 is translate with
50.0.0.1 before leaving the router

Now check for web access from any client pc
In real life its best practices to turn off debug after testing so go on Router 1 and
turn off debug mode.
R1#no debug ip nat IP NAT debugging is off R1#

Step by Step Configuration of PAT
In dynamics Nat translations is made IP to IP.
so you need as much global IP address as you
have inside local address. That's an issue if
you have few global IP address and hundred
of inside local address to translate. In such a
situation you need to use PAT.
For demonstration we are going to configure
the same topology which we used in dynamic
NAT but this time we are using only one
global IP address 50.0.0.1

IP address of PC are already
configured double click on R1
and configured it as given
here
Now configure to R2 as given
below

Router(config)#hostname R1
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask
255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config-if)#exit
R1(config-if)#exit
R1(config)#

Now configure to R2 as given below
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname R2
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Now go on pc and ping to 20.0.0.2

To verify PAT go on R1 and run show ip nat translations
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside
global
icmp 50.0.0.1:1 192.168.0.7:1 20.0.0.2:1 20.0.0.2:1
icmp 50.0.0.1:2 192.168.0.7:2 20.0.0.2:2 20.0.0.2:2
icmp 50.0.0.1:3 192.168.0.7:3 20.0.0.2:3 20.0.0.2:3
icmp 50.0.0.1:4 192.168.0.7:4 20.0.0.2:4 20.0.0.2:4
As you can see this time address translation is done with port address instead of IP

Network address translations

More Related Content

What's hot

Similar to Network address translations

Recently uploaded

Network address translations