Network Address Translation – NAT explained

Like it or not, NAT has been with us for some time and is unlikely to go anywhere in the near future, at least not until IPv6 becomes mainstream, and even then it will be a slow process.

NAT typically comes in three flavours: static, dynamic and overloading.

Static NAT is used where a fixed, direct mapping between addresses is necessary. A typical example is overlapping address space, for instance when two companies' networks merge or when a VPN link is required for remote support.

In the example below, traffic from the host 10.0.0.10 entering fa0/0 and exiting fa0/1 is translated so that it arrives at the destination with a source address of 192.168.1.10. When the return traffic crosses the router, packets destined for 192.168.1.10 are re-addressed and forwarded to the original host at 10.0.0.10. The same applies to traffic in the inbound direction. This is also known as a 1:1 NAT mapping.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

ip nat inside source static 10.0.0.10 192.168.1.10

Dynamic NAT provides a pool of addresses where no bi-directional, fixed relationship between hosts is required. For example, where a sufficient range of publicly routable addresses is available to serve internal hosts requesting resources from the Internet, a dynamic translation may be configured on a border router to handle outbound requests from local hosts. This method is becoming less common due to the rapid depletion of public IPv4 address space.

In the example below, traffic from the 10.0.0.0/24 network is dynamically assigned an address between 192.168.1.10 and 192.168.1.19 when crossing the router outbound. Return traffic is translated back according to the outbound address translation. Note that only 10 addresses are available in the translation pool: once all ten have been assigned the pool is exhausted and any further translations will fail. It is also worth noting that this method only works where traffic is initiated outbound, since until that point no translation exists in the router's NAT table.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

access-list 1 permit 10.0.0.0 0.0.0.255

ip nat pool NATPOOL 192.168.1.10 192.168.1.19 prefix-length 24
ip nat inside source list 1 pool NATPOOL

Overloading NAT is the most commonly used form, especially in the home environment where one public IP address is shared between several hosts on the internal LAN. Overloading, or PAT (Port Address Translation), works in a similar way to dynamic NAT. However, instead of translating internal IP addresses to external ones address-for-address, the router builds a dynamic mapping of source and destination address / port pairs for each connection. These mappings allow the router to map individual connections to internal hosts using only one external IP address, which is typically publicly routable.

In the configuration example below, a single public IP address is assigned to fa0/1 and is used to serve outbound requests from the internal network on fa0/0. The router records the source address and port number of each connection initiated from an internal host; packets are then given the external IP address and a port number chosen by the router's NAT process. A table is built mapping each inside source address / port pair to an outside source address / port pair, and traffic is forwarded to the remote host with the source address of fa0/1. Return traffic is translated back to the relevant internal host using the NAT mapping table as it crosses the router.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 178.79.134.87 255.255.255.248

access-list 123 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 123 interface fa0/1 overload
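As an added example that is not part of the original post, the following Python model shows how the router's translation table behaves in each of the three modes described above: static entries exist before any traffic flows (so inbound-initiated traffic is translated), a dynamic pool is allocated on first outbound use and can run out, and overload keys the table on address / port pairs behind one outside address. The class names, the port numbers chosen by the router and the sample hosts are assumptions, not Cisco behaviour taken from the post.

```python
# Added example (not from the post): toy model of a router NAT table for
# static, dynamic and overload modes. Names and addresses are constructed.
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, mode, static=None, pool=(), outside_ip=None):
        self.mode = mode                    # "static", "dynamic" or "overload"
        self.pool = list(pool)              # free outside addresses (dynamic)
        self.outside_ip = outside_ip        # single shared address (overload)
        self.ports = itertools.count(1024)  # ports chosen by the NAT process
        # translation table: inside key -> outside key. Static entries exist
        # before any traffic flows, which is why static NAT works inbound too.
        self.table = dict(static or {})

    def outbound(self, p):
        """Inside -> outside. Returns translated packet, or None if it fails."""
        key = (p.src, p.sport) if self.mode == "overload" else p.src
        if key not in self.table:
            if self.mode == "static":
                return None                 # no 1:1 mapping for this host
            if self.mode == "dynamic":
                if not self.pool:
                    return None             # pool exhausted: translation fails
                self.table[key] = self.pool.pop(0)
            else:
                self.table[key] = (self.outside_ip, next(self.ports))
        if self.mode == "overload":
            ip, port = self.table[key]
            return Packet(ip, port, p.dst, p.dport)
        return Packet(self.table[key], p.sport, p.dst, p.dport)

    def inbound(self, p):
        """Outside -> inside. Needs an existing table entry, else dropped."""
        want = (p.dst, p.dport) if self.mode == "overload" else p.dst
        for inside, outside in self.table.items():
            if outside == want:
                if self.mode == "overload":
                    return Packet(p.src, p.sport, inside[0], inside[1])
                return Packet(p.src, p.sport, inside, p.dport)
        return None
```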

That’s about it for a basic introduction. In my next post I will cover NAT timeouts and overlapping NAT.
