Network Address Translation – NAT explained

Like it or not, NAT has been with us for some time and is unlikely to go anywhere in the near future, at least not until IPv6 becomes mainstream and even then it will be a slow process.

NAT typically comes in three flavours: static, dynamic and overloading.

Static NAT is used where a direct, fixed mapping between addresses is necessary. An example would be where overlapping address space is an issue, typically when companies’ networks merge or a VPN link is required for remote support.

In the example below, traffic from the host 10.0.0.10 entering fa0/0 and exiting fa0/1 is translated and arrives at the destination with a source address of 192.168.1.10. When the return traffic crosses the router, packets destined for 192.168.1.10 are re-addressed and forwarded to the original host at 10.0.0.10. The same applies to traffic initiated in the inbound direction. This is also known as a 1:1 NAT mapping.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

ip nat inside source static 10.0.0.10 192.168.1.10

Dynamic NAT provides a pool of addresses where no fixed bi-directional relationship between hosts is required. For example, where a sufficient range of publicly routable addresses is available to service internal hosts requesting resources from the Internet, a dynamic translation may be configured on a border router to service outbound requests from local hosts. This method is becoming less common due to the rapid depletion of public IPv4 address space.

In the example below, traffic from the 10.0.0.0/24 network is dynamically assigned an address between 192.168.1.10 and 192.168.1.19 when crossing the router outbound. Return traffic is translated back according to the outbound translation. Note that only ten addresses are available in the translation pool; once all ten are assigned the pool is exhausted and any further translations will fail. It is also worth noting that this method only works where traffic is initiated outbound, since until then no translation exists in the router’s NAT table.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

access-list 1 permit 10.0.0.0 0.0.0.255

ip nat pool NATPOOL 192.168.1.10 192.168.1.19 prefix-length 24
ip nat inside source list 1 pool NATPOOL

Overloading is the most commonly used form of NAT, especially in the home environment where one public IP address is shared between several hosts on the internal LAN. Overloading, or PAT (Port Address Translation), works in a similar way to dynamic NAT. However, instead of translating internal to external IP addresses one for one, the router builds a dynamic mapping of source and destination address / port pairs for each connection. These mappings allow the router to map individual connections to internal hosts using only one external IP address, which is typically publicly routable.

In the configuration example below, a single public IP address is assigned to fa0/1 and is used to service outbound requests from the internal network on fa0/0. The router records the source address and port number of each connection initiated from an internal host; packets are then given the external IP address and a port number chosen by the router’s NAT process. A table is built mapping inside source address / port pairs to outside source address / port pairs, and traffic is forwarded to the remote host with the source address of fa0/1. The return traffic is translated back to the relevant internal host using the NAT mapping table as it crosses the router.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 178.79.134.87 255.255.255.248

access-list 123 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 123 interface fa0/1 overload
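To make the dynamic-pool and PAT tables described above concrete, here is a small Python model of both (an added illustration, not code from the post or from Cisco), using the addresses from the configuration examples. The pool-exhaustion and unsolicited-inbound cases are the ones the text calls out; the "keep the original port, else walk upwards" port choice is an assumed simplification, not how IOS allocates ports.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")  # what access-list 1 / 123 permit


class DynamicNat:
    """One pool address per inside host, no ports involved (ip nat pool ...)."""

    def __init__(self, first, last):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.free = [str(ip_address(i)) for i in range(lo, hi + 1)]
        self.out_of, self.in_of = {}, {}  # inside->outside, outside->inside

    def outbound(self, src):
        """Return the translated source, or None when the pool is exhausted."""
        if ip_address(src) not in INSIDE:
            return src  # not matched by the access-list: forwarded untouched
        if src not in self.out_of:
            if not self.free:
                return None  # all pool addresses taken: translation fails
            outside = self.free.pop(0)
            self.out_of[src], self.in_of[outside] = outside, src
        return self.out_of[src]

    def inbound(self, dst):
        """Return the inside host, or None when nothing inside initiated it."""
        return self.in_of.get(dst)


class Pat:
    """Overload: every flow shares one outside address, told apart by port."""

    def __init__(self, outside_ip):
        self.ip = outside_ip
        self.out_port = {}  # (inside ip, inside port) -> outside port
        self.in_of = {}  # outside port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Return (outside ip, outside port) for this inside flow."""
        key = (src_ip, src_port)
        if key not in self.out_port:
            port = src_port  # assumption: keep the port if free, else walk up
            while port in self.in_of:
                port += 1
            self.out_port[key], self.in_of[port] = port, key
        return self.ip, self.out_port[key]

    def inbound(self, dst_port):
        """Map a returning packet to (inside ip, inside port), or None."""
        return self.in_of.get(dst_port)
```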

That’s about it for a basic introduction. In my next post I will cover NAT timeouts and overlapping NAT.


FTTC with a Cisco VDSL router

[Note] I’ve recently started a network consultancy business; head over to Optimus Networks to get in touch.

I recently learned that the Cisco 887VA packs a dual technology modem that supports not only ADSL2+ but VDSL2, the technology that supports FTTC (Fibre To The Cabinet), more commonly known as BT Infinity.

Excited at the prospect of removing the Openreach modem from my over-heating cupboard / home comms room, I set about building the config and was surprised to find FTTC to be very similar in delivery to an Etherflow Etherway. The similarity is that the circuit is delivered with a VLAN tag, 101. Authentication is done via CHAP over PPPoE; see my previous posts on how to get a PPPoE connection established from an Ethernet port on a router or an ASA.

There is no ATM configuration as there is for ADSL; the VDSL modem is tied to the Ethernet0 interface, which must be bound to a dialer carrying the PPPoE configuration. Also, since the service arrives tagged, an Ethernet0.101 sub-interface must be configured and bound to the dialer.

Here is the config:

controller VDSL 0 !## TELL THE ROUTER WE WILL BE USING VDSL MODE

interface Ethernet0
no ip address !## SEE THE DIALER

interface Ethernet0.101 !## EVERYTHING IS TAGGED IN VLAN 101, SO WE MUST USE A SUB INTERFACE
encapsulation dot1Q 101
pppoe-client dial-pool-number 1

interface ATM0 !## NO NEED FOR THIS
no ip address
shutdown
no atm ilmi-keepalive

interface Dialer0
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname YOUR_LOGIN
ppp chap password 0 YOUR_PASSWORD
ppp ipcp dns request
ppp ipcp route default !## GRAB YOUR 0.0.0.0/0 ROUTE FROM PPPOE

In case of issues or slow performance: I believe the FTTC MSAN equipment will fall back to ADSL2+ mode if required, so check you have specified VDSL mode as per the first line of the config if you have any trouble. Not that I’ve had any issues.

Also, in case you are wondering what speed your line is capable of, since BT recently announced 80Mbps downstream for new or renewing customers, the VDSL stats show a good amount of detail including a headline reading for your line. I was pleasantly surprised.

Router#sh controllers VDSL 0
Attainable Rate: 102056 kbits/s 33192 kbits/s

According to these numbers I’ve lost a whole 2Mbps downstream, a previous reading showed 104Mbps. I wonder if the nice weather we’ve had this week had an effect on the cable? Damn you physics! 😉