NAT

You are currently browsing articles tagged NAT.

NAT and PAT

A topic that most of us should be familiar with.  However, some of us might not have the need to do it in IOS very often.  NAT in many environments is handled by firewall appliances these days. There are 3 kinds of NAT I want to talk about today but before we jump in, we best review the Cisco terms that are used to describe NAT addresses..

Inside Local Address – This is the IP address of a private host on your network.  The host will commonly have RFC1918 addressing on it

Inside Global – This is the public IP address for your inside host.  Commonly public IP space is used here

Outside Local – This is the inside IP address of a inbound host.  AKA, if someone is trying to talk to you from a public IP and you NAT ‘hide’ them, the hide address would be the outside local IP address.

Outside Global – The publically routable version of the client IP before it’s hidden (if it is).

I’m not a huge fan of the terminology just because it all depends on where you are standing (outside or inside) but that’s the Cisco definition.  Let’s look at the configs for the 3 different kinds now…

Static NAT
This is most commonly referred to as 1-to-1 NAT.  As in, you want to put your web server on the internet so you allocate a public IP which you then statically NAT to the inside IP address of the web server.  The config for this is pretty straight forward.  Let’s use this example…

image

So we want to allow the internal server (10.20.30.40) to have a public routable IP.  One way to do that is to setup a static NAT that says ‘Translate 75.146.45.100 to 10.0.0.57’.  To do that, we’d do something like this on the router…

interface FastEthernet0/0
ip address 75.146.45.99 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
end

interface FastEthernet0/1
ip address 10.20.30.250 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
end

ip nat inside source static 10.20.30.40 75.146.45.100

Most of the configuration should be standard, we only added the NAT configuration commands.  Basically, we need to tell the router which interface is the inside and which is the outside.  After we do that, it now knows where IP’s like inside local/global and outside local/global should like.  Once that’s complete, we define the actual static NAT with the ‘ip nat inside’ command.  If we walk through the command using the question mark, we can see where the Cisco NAT terminology comes in…

Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Router(config)#ip nat inside source static 10.20.30.40 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

So the fist IP address is the ‘inside local’ IP which if we recall from above is the IP of the private host on the network.  The next IP in the command is the ‘inside global’ IP which is the externally routable IP address for your inside host.  Once this is done, we can test and examine the translations by using the ‘show ip nat translations’ command…

image

So as you can see, we have a successful NAT translation here that’s allowing the web server at 10.20.30.40 to appear on the internet to be 75.146.45.100.  A user at the IP address of 203.146.251.175 is currently utilizing this NAT rule to talk to the web server.  The second line shows the actual NAT rule which will always show up in the output even if the rule currently isn’t being used. 

Dynamic NAT
Dynamic NAT is the second kind of NAT we can use.  To be frank, I’m not sure who actually uses this anymore but it can be done.  Dynamic NAT allows you to do 1-to-1 mappings like static NAT, but it does so on a dynamic basis.  That is, you define a pool of IPs to use for the inside local and inside global addresses. 

image 
So here we have a pool of IPs (75.146.45.100 to 101) that we want clients to use externally as they traverse router 5.  In this manner we are saying ‘Translate any client in the 192.168.0.0/24 network to either 75.146.45.100 or 75.146.45.101’.  If the two IPs get used, and another client tries to talk to the internet, it will fail because the NAT can’t take place.  The config might look something like this…

ip access-list standard clients
  permit 192.168.0.0 0.0.0.255
ip nat pool nat_pool 75.146.45.100 75.146.45.101 netmask 255.255.255.248
ip nat inside source list clients pool nat_pool

The first thing we do is define an ACL which will determine which IPs should be NAT’d.  I called this ACL clients and made it the 192.168.0.0/24 network.  Next, we define a pool of IPs that we want to make up the global pool.  In this example, my pool only includes 2 IPs, but that will be enough for the purpose of this example.  Next, we define the dynamic NAT by matching the ACL clients to the NAT pool ‘nat_pool’.  Note that I still have to have the ‘ip nat inside’ and ‘ip nat outside’ commands on my interfaces.  Let’s see what the translations look like…

image

4.2.2.2 was defined as the DNS server on the workstation I was testing so we can see that translation on the second like starting with UDP.  I also pinged 4.2.2.2 which is why we see an ICMP translation as well.  Let’s look at another command output…

image

In the output of ‘show ip nat statistics’ we can see a little more info on the NAT pool.  For instance, look at the hits and misses counters.  Hits are when the NAT table already has an entry for the particular translation.  Misses are when it doesn’t so it has to build one dynamically.  This being said, hits aren’t bad, in fact they are required to happen the first time around so that the router can build the NAT entry for the next attempt.  Also note that this output shows how many IPs I have in my pool and the percentage of use.

PAT
The next kind of NAT I want to look at is called PAT, or port address translation.  In this method of NAT, a single IP is ‘overloaded’ so that many inside hosts can use the same outside IP. 

image

Here many inside hosts will be able to use the single outside interface IP address.  Let’s take a look at the configuration for this…

ip access-list standard clients
    permit 192.168.0.0 0.0.0.255

ip nat inside source list clients interface FastEthernet0/0 overload

We use the same ACL, but now all we need to do is to tell the router to overload the outside interface.  When we do this, all of the inside hosts that match the ‘clients’ ACL will use the outside interface as their inside global IP…

image

As you can see, we have three hosts that are all using the 75.146.45.99 IP address to get out to the internet.  The router tracks each connection on a different port so that a single IP can be reused multiple times. 

So those are the three basic kinds of NAT.  NAT can get a lot more complication so I’m sure there will be more to come on this topic!

Tags: ,

NAT on the ASA

NAT configuration is always something that draws a lot of attention.  NAT can perform lots of different functions in many different configurations.  That being said, it can be complex to understand at first.  However, I think its probably more important to understand NAT than any other function on the ASA’s.  If you don’t fully understand the concept you can get yourself in a lot of trouble real fast.  So lets get right into it and look at a couple of scenarios and examples.  In this post I’m going to talk about the most common NAT configurations.  In upcoming posts we’ll talk about NAT DMZ configurations and policy NAT.

The standard 5505 overload
I call this the ‘standard’ because its pretty typical to see on a 5505 box.  The client usually has 1 external IP and has a couple of services with a single subnet behind it.  Nothing too special here.

ASA(config)# global (outside) 1 interface
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

So, what does this mean?  Lets break it down. 
The Global Command
global
– Indicates that we are defining a global address pool.  This can either be a pool of addresses or a single IP that’s being overloaded through the use of PAT
(outside) – The item in the parenthesis is the interface we are defining the pool on.  In this case, its the outside interface
1 Specifies the ID of the pool, this will be matched up against the internal NAT pool
interface – The interface keyword specifies that PAT is being used with the IP defined on the interface.  PAT (also referred to as overload) uses a single external IP address for all of the clients in the NAT pool.  To make the distinction clear, NAT usually means that you are using a pool of IP’s and PAT usually means you are using one external IP. 

The Nat command
nat
– The NAT command is what you use to associate a network with a pool of global addresses
(inside) – The item in the parenthesis is the interface in which the NAT network exists.  In this case its going to be on the inside interface
1 – This number is what is used to pair the global and NAT statements together.  In other words, global pool 1 will be used with NAT network 1. 
0.0.0.0 0.0.0.0 – Translates to mean all networks.  If there is only a single internal subnet that requires translation this could just as easily read something like ‘192.168.127.0 255.255.255.0’. 

Summary
This configuration PATs all of the internal traffic heading out to the public network to the single IP address defined on the external interface.

Defining an actual NAT pool
Lets take the same scenario as above but define a real pool of IP’s for inside clients to NAT to. 

ASA(config)# global (outside) 1 <Begin Range>-<End Range>
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

This configuration is exactly the same as above save the fact that we defined a range of IPs for NAT to use.  In this scenario, users that were heading out to the public network would use one of the actual IPs defined within the range rather than all using the same IP in an overloaded configuration. 

Putting them together.
We’ve reviewed two options for basic NAT at this point.  One using NAT overload and one defining a NAT pool.  These are the classic NAT/PAT examples and they both work equally well in different scenarios.  However option 2 has a gotcha attached to it.  Lets say that you have 30 users and 20 IPs defined in your NAT pool.  What happens when the 21st users attempts to make a NAT request?  Nothing.  Since you are out of IP addresses there isn’t one for that user to use.  The best practice is to define a single NAT overload in addition to the range of IPs.  That way, if the NAT pool fills up, subsequent users can start using PAT.  An example is shown below.

ASA(config)# global (outside) 1 <Begin Range>-<End Range – 1>
ASA(config)# global (outside) 1 <End Range>
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

The ASA will evaluate any range definitions prior to moving to PAT on the single IP.  So here we took the last IP in the range and defined it for PAT in the case that our NAT range becomes oversubscribed.  Seeing as the ASA cant PAT approximately 64,000 sessions through a single external IP, one PAT statement is usually enough.  If you wish two PAT ranges can be defined and will be used in order.

Summary
In this post we took a look at what I would call basic NAT/PAT’.  The idea of this post was to get you familiar with build blocks of NAT and see a couple of common implementations.   In the next couple of posts we’ll talk about policy NAT and NAT configuration with a DMZ interface.

Tags: ,