A topic that most of us should be familiar with. However, some of us might not have the need to do it in IOS very often. NAT in many environments is handled by firewall appliances these days. There are 3 kinds of NAT I want to talk about today but before we jump in, we best review the Cisco terms that are used to describe NAT addresses..
Inside Local Address – This is the IP address of a private host on your network. The host will commonly have RFC1918 addressing on it
Inside Global – This is the public IP address for your inside host. Commonly public IP space is used here
Outside Local – This is the inside IP address of a inbound host. AKA, if someone is trying to talk to you from a public IP and you NAT ‘hide’ them, the hide address would be the outside local IP address.
Outside Global – The publically routable version of the client IP before it’s hidden (if it is).
I’m not a huge fan of the terminology just because it all depends on where you are standing (outside or inside) but that’s the Cisco definition. Let’s look at the configs for the 3 different kinds now…
This is most commonly referred to as 1-to-1 NAT. As in, you want to put your web server on the internet so you allocate a public IP which you then statically NAT to the inside IP address of the web server. The config for this is pretty straight forward. Let’s use this example…
So we want to allow the internal server (10.20.30.40) to have a public routable IP. One way to do that is to setup a static NAT that says ‘Translate 126.96.36.199 to 10.0.0.57’. To do that, we’d do something like this on the router…
ip address 188.8.131.52 255.255.255.248
ip nat outside
ip address 10.20.30.250 255.255.255.0
ip nat inside
ip nat inside source static 10.20.30.40 184.108.40.206
Most of the configuration should be standard, we only added the NAT configuration commands. Basically, we need to tell the router which interface is the inside and which is the outside. After we do that, it now knows where IP’s like inside local/global and outside local/global should like. Once that’s complete, we define the actual static NAT with the ‘ip nat inside’ command. If we walk through the command using the question mark, we can see where the Cisco NAT terminology comes in…
Router(config)#ip nat inside source static ?
A.B.C.D Inside local IP address
esp IPSec-ESP (Tunnel mode) support
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config)#ip nat inside source static 10.20.30.40 ?
A.B.C.D Inside global IP address
interface Specify interface for global address
So the fist IP address is the ‘inside local’ IP which if we recall from above is the IP of the private host on the network. The next IP in the command is the ‘inside global’ IP which is the externally routable IP address for your inside host. Once this is done, we can test and examine the translations by using the ‘show ip nat translations’ command…
So as you can see, we have a successful NAT translation here that’s allowing the web server at 10.20.30.40 to appear on the internet to be 220.127.116.11. A user at the IP address of 18.104.22.168 is currently utilizing this NAT rule to talk to the web server. The second line shows the actual NAT rule which will always show up in the output even if the rule currently isn’t being used.
Dynamic NAT is the second kind of NAT we can use. To be frank, I’m not sure who actually uses this anymore but it can be done. Dynamic NAT allows you to do 1-to-1 mappings like static NAT, but it does so on a dynamic basis. That is, you define a pool of IPs to use for the inside local and inside global addresses.
So here we have a pool of IPs (22.214.171.124 to 101) that we want clients to use externally as they traverse router 5. In this manner we are saying ‘Translate any client in the 192.168.0.0/24 network to either 126.96.36.199 or 188.8.131.52’. If the two IPs get used, and another client tries to talk to the internet, it will fail because the NAT can’t take place. The config might look something like this…
ip access-list standard clients
permit 192.168.0.0 0.0.0.255
ip nat pool nat_pool 184.108.40.206 220.127.116.11 netmask 255.255.255.248
ip nat inside source list clients pool nat_pool
The first thing we do is define an ACL which will determine which IPs should be NAT’d. I called this ACL clients and made it the 192.168.0.0/24 network. Next, we define a pool of IPs that we want to make up the global pool. In this example, my pool only includes 2 IPs, but that will be enough for the purpose of this example. Next, we define the dynamic NAT by matching the ACL clients to the NAT pool ‘nat_pool’. Note that I still have to have the ‘ip nat inside’ and ‘ip nat outside’ commands on my interfaces. Let’s see what the translations look like…
18.104.22.168 was defined as the DNS server on the workstation I was testing so we can see that translation on the second like starting with UDP. I also pinged 22.214.171.124 which is why we see an ICMP translation as well. Let’s look at another command output…
In the output of ‘show ip nat statistics’ we can see a little more info on the NAT pool. For instance, look at the hits and misses counters. Hits are when the NAT table already has an entry for the particular translation. Misses are when it doesn’t so it has to build one dynamically. This being said, hits aren’t bad, in fact they are required to happen the first time around so that the router can build the NAT entry for the next attempt. Also note that this output shows how many IPs I have in my pool and the percentage of use.
The next kind of NAT I want to look at is called PAT, or port address translation. In this method of NAT, a single IP is ‘overloaded’ so that many inside hosts can use the same outside IP.
Here many inside hosts will be able to use the single outside interface IP address. Let’s take a look at the configuration for this…
ip access-list standard clients
permit 192.168.0.0 0.0.0.255
ip nat inside source list clients interface FastEthernet0/0 overload
We use the same ACL, but now all we need to do is to tell the router to overload the outside interface. When we do this, all of the inside hosts that match the ‘clients’ ACL will use the outside interface as their inside global IP…
As you can see, we have three hosts that are all using the 126.96.36.199 IP address to get out to the internet. The router tracks each connection on a different port so that a single IP can be reused multiple times.
So those are the three basic kinds of NAT. NAT can get a lot more complication so I’m sure there will be more to come on this topic!