NAT and PAT

      No Comments on NAT and PAT

A topic that most of us should be familiar with.  However, some of us might not have the need to do it in IOS very often.  NAT in many environments is handled by firewall appliances these days. There are 3 kinds of NAT I want to talk about today but before we jump in, we best review the Cisco terms that are used to describe NAT addresses..

Inside Local Address – This is the IP address of a private host on your network.  The host will commonly have RFC1918 addressing on it

Inside Global – This is the public IP address for your inside host.  Commonly public IP space is used here

Outside Local – This is the inside IP address of a inbound host.  AKA, if someone is trying to talk to you from a public IP and you NAT ‘hide’ them, the hide address would be the outside local IP address.

Outside Global – The publically routable version of the client IP before it’s hidden (if it is).

I’m not a huge fan of the terminology just because it all depends on where you are standing (outside or inside) but that’s the Cisco definition.  Let’s look at the configs for the 3 different kinds now…

Static NAT
This is most commonly referred to as 1-to-1 NAT.  As in, you want to put your web server on the internet so you allocate a public IP which you then statically NAT to the inside IP address of the web server.  The config for this is pretty straight forward.  Let’s use this example…

image

So we want to allow the internal server (10.20.30.40) to have a public routable IP.  One way to do that is to setup a static NAT that says ‘Translate 75.146.45.100 to 10.0.0.57’.  To do that, we’d do something like this on the router…

interface FastEthernet0/0
ip address 75.146.45.99 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
end

interface FastEthernet0/1
ip address 10.20.30.250 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
end

ip nat inside source static 10.20.30.40 75.146.45.100

Most of the configuration should be standard, we only added the NAT configuration commands.  Basically, we need to tell the router which interface is the inside and which is the outside.  After we do that, it now knows where IP’s like inside local/global and outside local/global should like.  Once that’s complete, we define the actual static NAT with the ‘ip nat inside’ command.  If we walk through the command using the question mark, we can see where the Cisco NAT terminology comes in…

Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Router(config)#ip nat inside source static 10.20.30.40 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

So the fist IP address is the ‘inside local’ IP which if we recall from above is the IP of the private host on the network.  The next IP in the command is the ‘inside global’ IP which is the externally routable IP address for your inside host.  Once this is done, we can test and examine the translations by using the ‘show ip nat translations’ command…

image

So as you can see, we have a successful NAT translation here that’s allowing the web server at 10.20.30.40 to appear on the internet to be 75.146.45.100.  A user at the IP address of 203.146.251.175 is currently utilizing this NAT rule to talk to the web server.  The second line shows the actual NAT rule which will always show up in the output even if the rule currently isn’t being used. 

Dynamic NAT
Dynamic NAT is the second kind of NAT we can use.  To be frank, I’m not sure who actually uses this anymore but it can be done.  Dynamic NAT allows you to do 1-to-1 mappings like static NAT, but it does so on a dynamic basis.  That is, you define a pool of IPs to use for the inside local and inside global addresses. 

image 
So here we have a pool of IPs (75.146.45.100 to 101) that we want clients to use externally as they traverse router 5.  In this manner we are saying ‘Translate any client in the 192.168.0.0/24 network to either 75.146.45.100 or 75.146.45.101’.  If the two IPs get used, and another client tries to talk to the internet, it will fail because the NAT can’t take place.  The config might look something like this…

ip access-list standard clients
  permit 192.168.0.0 0.0.0.255
ip nat pool nat_pool 75.146.45.100 75.146.45.101 netmask 255.255.255.248
ip nat inside source list clients pool nat_pool

The first thing we do is define an ACL which will determine which IPs should be NAT’d.  I called this ACL clients and made it the 192.168.0.0/24 network.  Next, we define a pool of IPs that we want to make up the global pool.  In this example, my pool only includes 2 IPs, but that will be enough for the purpose of this example.  Next, we define the dynamic NAT by matching the ACL clients to the NAT pool ‘nat_pool’.  Note that I still have to have the ‘ip nat inside’ and ‘ip nat outside’ commands on my interfaces.  Let’s see what the translations look like…

image

4.2.2.2 was defined as the DNS server on the workstation I was testing so we can see that translation on the second like starting with UDP.  I also pinged 4.2.2.2 which is why we see an ICMP translation as well.  Let’s look at another command output…

image

In the output of ‘show ip nat statistics’ we can see a little more info on the NAT pool.  For instance, look at the hits and misses counters.  Hits are when the NAT table already has an entry for the particular translation.  Misses are when it doesn’t so it has to build one dynamically.  This being said, hits aren’t bad, in fact they are required to happen the first time around so that the router can build the NAT entry for the next attempt.  Also note that this output shows how many IPs I have in my pool and the percentage of use.

PAT
The next kind of NAT I want to look at is called PAT, or port address translation.  In this method of NAT, a single IP is ‘overloaded’ so that many inside hosts can use the same outside IP. 

image

Here many inside hosts will be able to use the single outside interface IP address.  Let’s take a look at the configuration for this…

ip access-list standard clients
    permit 192.168.0.0 0.0.0.255

ip nat inside source list clients interface FastEthernet0/0 overload

We use the same ACL, but now all we need to do is to tell the router to overload the outside interface.  When we do this, all of the inside hosts that match the ‘clients’ ACL will use the outside interface as their inside global IP…

image

As you can see, we have three hosts that are all using the 75.146.45.99 IP address to get out to the internet.  The router tracks each connection on a different port so that a single IP can be reused multiple times. 

So those are the three basic kinds of NAT.  NAT can get a lot more complication so I’m sure there will be more to come on this topic!

Leave a Reply

Your email address will not be published. Required fields are marked *