We can still remember the very first time we saw Network Address Translation (NAT) in action. “This is the most amazing thing we have ever seen,” we said, with the same awestruck feeling as the first time you walk up and look over the Grand Canyon. Okay, perhaps it wasn’t that fantastic, but at the same time, NAT is definitely at the top of the list configurations we love to set up.
Despite it being one of the most widely implemented concepts in the world of network technology, NAT is one of the newer topics added to the examinations of CCNA. This is most likely because of its configuration complexity: It requires a thorough understanding of standard access lists to successfully deploy. However, Cisco is very wise in adding it to the entry-level exam, because nearly every network in the world uses NAT income shape or form. Even home networks using Linksys, D-link and Net Gear routers use NAT.
NAT was originally developed through a combination of Cisco engineers and the Internet Engineering Task Force (IETF) group in 1994 to overcome the quickly approaching IP address shortage. With the internet popularity growing at a rate far faster than expected, the remaining public IP addresses would soon be depleted. At that time, TCP/IP version 6 (IPv6, which would have solved the IP address shortage) had been created in draft status, but it would require a worldwide upgrade of network devices and operating system software to successfully deploy. Rather than upgrading all network-capable devices, the focus was placed on creating a gateway device that could enable multiple network devices to share a single IP address.
As this concept materialized, NAT was born. Theoretically, a router running NAT is capable of allowing more than 60000 devices to share a single Internet-valid IP address. Practically speaking, the router resources (processor and memory) and WAN bandwidth are depleted long before that limit is reached. With thousands of devices capable of using a single public IP address, the life of TCP/IP version 4 (IPv4) has been extended years beyond what was thought possible.
NAT also acts as a natural security boundary by eliminating end-to-end traceability. If your router has only a single IP address that is connected to the Internet, the public IP address, which is assigned to the outside interface, does not belong to anyone’s internal host. For example, imagine that your router’s public IP address is 22.214.171.124, and all your internal hosts come from the subnet 192.168.1.0/24. Whenever one of the internal hosts accesses the Internet, it is seen as 126.96.36.199. however, if anyone from the Internet attempts to access 188.8.131.52, the address maps to no individual host, which makes the internal network invisible to the Internet.
Although the introductory discussion of NAT covers the most popular uses of technology, NAT can be used for much more. Before you go deeper into the specific uses, though, you must understand the foundation concepts.
As its core function, Network address translation does just that: translate addresses. It can take any IP address and make it look like another. This is why the creative geniuses behind TCP/IP defined three ranges of “Private IP addresses” in RFC 1918. The following is a list of three private address ranges.
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
You might notice that a private address range is defined for each class of address. This gives a company more flexibility to use different ranges based on the company size. As a general statement, most small companies use the 192.168.x.x range, most medium-sized companies use the 172.16.x.x to 172.31.x.x ranges, and most large companies use the 10.x.x.x ranges. Remember, this is just a general statement, not a solid rule.
It is commonly stated that their private addresses are non-routable, but this is not true. Thousands of companies around the world use these addresses and route them throughout their private network just fine. This misunderstanding came about because all internet service providers (ISPs) use access lists to block these addresses from entering or leaving their networks. It is accurate to say these private addresses are not Internet routable, because if they were, there would be thousands of duplicate IP address conflict every day.
As shown in the picture below, networks connected to the Internet typically use these private IP addresses internally and then translate them when attempting to access the internet. This enables you to have many duplicate addresses around the world without any conflicts because they never communicate directly. This can cause problems with overlapping IP addresses when companies merge, but NAT can even be engineering to solve these problems.
With this foundation in place, you’re ready to examine the styles of NAT.
Static NAT is the simplest form of NAT. it enables you to map one IP address to another in a one-to-one relationship. This is typically used to allow access to internal servers from the Internet that are using a private address space. In the picture below, three servers are located on the internal network: a web server, an FTP server, and an email server. These three servers are assigned to a private IP address space (192.168.1.0/24) and would typically be inaccessible from the internet. By using static NAT, you can map the private IP addresses to a public IP on a one-to-one basis, enabling these servers to be accessed from the internet using the three public IP addresses shown in the picture below.
This static NAT mapping goes both ways. When someone from the Internet accesses 184.108.40.206, it is translated to the internal address 192.168.1.1. likewise, when the server 192.168.1.1 accesses the internet, it is seen as 220.127.116.11. although this form of NAT does not allow multiple internal hosts to share a single address, it does implement the security features of NAT by eliminating end-to-end traceability and enables servers that are sharing your private network to be accessed from the internet.
Static NAT can also be configured to statically translated individual TCP or UDP ports. This awesome feature enables you to take a single IP address and translate one or many ports to either the same host or many different hosts. For example, you might have a router that has the external IP address 18.104.22.168. you can statically configure NAT so that when your router receives a request on 22.214.171.124, using TCP port 80 (HTTP), it redirects it to the internal address 192.168.1.50 on TCP port 80. However, when it receives a request on 126.96.36.199, using TCP port 21 (FTP), it redirects it to the internal address 192.168.1.100 on TCP port 21. In this way, NAT can act as a type of firewall (allowing only some ports through to specific hosts) and give you the flexibility of offering many port numbers. For example, you might be using one of those scandalous DSL or cable internet providers that block certain port numbers to keep you from running a web server from home. You can configure static NAT in such a way that when your router receives a request on TCP port 800 it redirects it to an internal IP address on TCP port 80.
Static NAT is superb if you have a few hosts that need to be translated; however, if many hosts need to be translated, creating static entries for each one can be quite tedious. This is where dynamic NAT can help. Dynamic NAT enables you to define a pool of addresses to be translated along with a pool of addresses to which they are to translate. The router then dynamically maps these IP addresses as the need arises. This is not the same thing as allowing multiple hosts to share the same IP address (known as NAT overloading). Dynamic NAT makes many one-to-one mappings without requiring you to configure them statically.
NAT overload and Port Address Translation
Now we come to the form of NAT that made it famous. NAT overload, also known as Port Address Translation (PAT), enables a single IP address to support many internal clients. Whenever a host establishes communication with a server outside the NAT firewall, it tries to access a specific port number (known as the destination port). However, it also uses a source port number to allow for return and we have an article of Using Cisco Access lists regarding this. The following picture shows how NAT overload also incorporates this source port number into the translation.
The hosts communicating randomly generate the source ports. The NAT router then appends these to the public IP address to make the source socket (or IP address and port number combination) unique. When the internet server replies to whatever request was made, it does so to the source IP and socket when the NAT router receives the reply, it then can redirect it to the correct internal host by referring to its NAT translation table. Because hosts use random source ports, there is very little possibility that two hosts will choose the same source port number (one chance out of some 60000). However, if two hosts do happen to choose the same port number, the NAT device causes one of the device sessions to reset and choose a different port number. By using unique port numbers, the router can originate thousands of requests from its single Internet IP address. This provides Internet access to internal network clients while using just one Internet address.
To review, the following table shows the three forms of NAT and the styles of translation they perform.
|NAT configuration||Translation Type|
|Static NAT||One-to-one IP address translations|
|Dynamic NAT||Many-to-many IP address translations|
|NAT overload/PAT||Many-to-one IP address translations|
Believe it or not, setting up NAT is not very difficult; it’s’ learning the terminology used with NAT that can fry your brain. The first time you see these terms, it may make no sense to you, and that’s just fine. It takes some time to soak in. now, keep in mind that these are not “Cisco terms.” Rather, they are an industry-standard way of referring to the four different points in a NAT-based network. Before trying to understand four NAT address descriptions, you must understand the building blocks used to construct these terms:
- Inside/outside: these NAT descriptors refer to where a device is physically located. If a device is “inside,” it is under your control; it is in your network. If a device is “outside”, it is not under your control; it is outside your network.
- Local/global: These NAT descriptors refer to where an IP address is located from the perspective of a NAT device. The NAT device is a network device that has its address translated through a NAT router. It could be a PC, a server, an Xbox, or any other type of host that has a private address that is translated to a real address on the internet. If the IP address is considered “local,” it is seen as a device on the local subnet from the perspective of a NAT device (this may or may not be true). If the IP address is considered “global,” it is seen as not on the local subnet from the perspective of a NAT device.
if that doesn’t sound confusing, just wait until we start combining these terms for the four NAT address descriptions. The following picture shows a visual location of these addresses of the network.
- Inside local addresses: These addresses are the easiest to understand because they refer to everything inside your network. Remember the word constructs discussed just a moment ago: An address “inside” is physically located inside your network. From the perspective of the NAT device, it is “local” meaning it is seen on the internal network.
It an inside local address was to communicate with another inside local address, that communication would be described as standard LAN connectivity. No routers would be needed.
- Inside Global Addresses: Now the terms begin to mix a little bit. Let’s break this down into the individual pieces: first, the address is “inside”, which means that it is physically located on your network: it is under your control. “Global” means that it is seen as an IP address not on the local subnet from the perspective of one of your NAT devices. Put all this together and you are left with the internet valid IP address assigned to your router that is directly connected to the internet. This is where a fundamental understanding of inside and outside can really help. If the address were an “outside global” it would not be under your control, meaning that it could be any of the millions of devices attached to the Internet.
- Outside Global addresses: Outside global addresses refer to devices that are physically “outside” your network outside your control. These addresses are “global” meaning that the NAT devices on the inside of your network see these as nonlocal addresses. Put these two pieces together and you have a description of a standard Internet IP addresses.
- Outside local Addresses: We have saved the best for last. Outside local addresses confused us for quite some time until we fully understood the capabilities of NAT. first, let’s look at the piece: This address is physically “outside” your network, out of your control, out on the internet. However, it appears to NAT devices like an IP address on the “local” subnet. What this describes is an Internet host translated as it comes through the NAT router into your local network. You can think of this as “reverse NAT” or just NAT in the other direction. As shown in the picture below, when the cisco.com web server speaks to the internal hosts on the 192.168.0.0/24 network, they believe it to be co-located on the local subnet with them. They come to this conclusion because the NAT router translated the outside global address to something local (perhaps 192.168.0.1, the NAT gateway’s address).