Day 5 NAT Concepts, Configuration, and Troubleshooting

CCNA 640-802 Exam Topics

•  Explain the basic operation of NAT.

•  Configure NAT for given network requirements using (CLI/SDM).

•  Troubleshoot NAT issues.

Key Topics

To cope with the depletion of IPv4 addresses, several short-term solutions were developed. One short-term solution is to use private addresses and Network Address Translation (NAT). NAT enables inside network hosts to borrow a legitimate Internet IP address while accessing Internet resources. When the requested traffic returns, the legitimate IP address is repurposed and available for the next Internet request by an inside host. Using NAT, network administrators need only one or a few IP addresses for the router to provide to the hosts, instead of one unique IP address for every client joining the network. Today, we review the concepts, configuration, and troubleshooting of NAT.

NAT Concepts

NAT, defined in RFC 3022, has many uses. But its key use is to conserve IP addresses by allowing networks to use private IP addresses. NAT translates nonroutable, private, internal addresses into routable, public addresses. NAT is also a natural firewall. It hides internal IP addresses from outside networks.

A NAT-enabled device typically operates at the border of a stub network. In Figure 5-1, R2 is the border router.

Figure 5-1      NAT Topology


In NAT terminology, the inside network is the set of networks that are subject to translation (every network in the shaded region in Figure 5-1). The outside network refers to all other addresses. Figure 5-2 shows how to refer to the addresses when configuring NAT.

Figure 5-2      NAT Terminology


•  Inside local address: Most likely a private address. In the figure, the IP address 192.168.10.10 assigned to PC1 is an inside local address.

•  Inside global address: A valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at 209.165.201.1, R2 must translate the inside local address to an inside global address, which is 209.165.200.226 in this case.

•  Outside global address: A reachable IP address assigned to a host on the Internet. For example, the web server can be reached at IP address 209.165.201.1.

•  Outside local address: The local IP address assigned to a host on the outside network. In most situations, this address is identical to the outside global address of that outside device. (Outside local addresses are beyond the scope of the CCNA.)

A NAT Example

The following steps illustrate the NAT process when PC1 sends traffic to the Internet:

  1. PC1 sends a packet destined for the Internet to R1, the default gateway.

  2. R1 forwards the packet to R2, as directed by its routing table.

  3. R2 refers to its routing table and identifies the next hop as the ISP router. It then checks to see if the packet matches the criteria specified for translation. R2 has an ACL that identifies the inside network as a valid host for translation. Therefore, it translates an inside local IP address to an inside global IP address, which in this case is 209.165.200.226. It stores this mapping of the local to global address in the NAT table.

  4. R2 modifies the packet with the new source IP address (the inside global address) and sends it to the ISP router.

  5. The packet eventually reaches its destination, which then sends its reply to the inside global address 209.165.200.226.

  6. When replies from the destination arrive back at R2, it consults the NAT table to match the inside global address to the correct inside local address. R2 then modifies the packet with the inside local address (192.168.10.10) and sends it to R1.

  7. R1 receives the packet and forwards it to PC1.

Dynamic and Static NAT

The two types of NAT translation are as follows:

•  Dynamic NAT: Uses a pool of public addresses and assigns them on a first-come, first-served basis. When a host with a private IP address requests access to the Internet, dynamic NAT chooses an IP address from the pool that is not already in use by another host.

•  Static NAT: Uses a one-to-one mapping of local and global addresses, and these mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet.

NAT Overload

NAT overloading (sometimes called Port Address Translation [PAT]) maps multiple private IP addresses to a single public IP address or a few addresses. To do this, each private address is also tracked by a port number. When a response comes back from outside, port numbers determine to which client the NAT router translates the packets.

Figure 5-3 and the following steps illustrate the NAT overload process.

Figure 5-3      NAT Overload Example

  1. PC1 and PC2 send packets destined for the Internet.

  2. When the packets arrive at R2, NAT overload changes the source address to the inside global IP address and keeps the assigned port numbers (1555 and 1331 in this example) to identify the client from which the packet originated.

  3. R2 updates its NAT table. Notice the assigned ports. R2 then routes the packets to the Internet.

  4. When the web server replies, R2 uses the destination port of the reply (the source port it recorded in step 2) to translate the packet to the correct client.

NAT overload attempts to preserve the original source port. However, if this source port is already used, NAT overload assigns the first available port number starting from the beginning of the appropriate port group 0 to 511, 512 to 1023, or 1024 to 65535.

NAT Benefits

The benefits of using NAT include the following:

•  NAT conserves registered IP address space because, with NAT overload, internal hosts can share a single public IP address for all external communications.

•  NAT increases the flexibility of connections to the public network. Multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections.

•  NAT allows the existing scheme to remain while supporting a new public addressing scheme. This means an organization could change ISPs and not need to change any of its inside clients.

•  NAT provides a layer of network security because private networks do not advertise their inside local addresses outside the organization.

NAT Limitations

The limitations of using NAT include the following:

•  Performance is degraded: NAT increases switching delays because translating each IP address within the packet headers takes time.

•  End-to-end functionality is degraded: Many Internet protocols and applications depend on end-to-end functionality, with unmodified packets forwarded from the source to the destination.

•  End-to-end IP traceability is lost: It becomes much more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops, making troubleshooting challenging.

•  Tunneling is more complicated: Using NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the headers that interfere with the integrity checks done by IPsec and other tunneling protocols.

•  Services may be disrupted: Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted.

Configuring Static NAT

Static NAT is a one-to-one mapping between an inside address and an outside address. Static NAT allows connections initiated by external devices to inside devices. For instance, you might want to map an inside global address to a specific inside local address that is assigned to your web server. The steps and syntax to configure static NAT are as follows:

Step 1     Configure the static translation of an inside local address to an inside global address:

                 Router(config)#ip nat inside source static local-ip global-ip

Step 2     Specify the inside interface:

                 Router(config)#interface type number
                 Router(config-if)#ip nat inside

Step 3     Specify the outside interface:

                 Router(config)#interface type number
                 Router(config-if)#ip nat outside

Figure 5-4 shows a sample static NAT topology.

Figure 5-4      Static NAT Topology


Example 5-1 shows the static NAT configuration.

Example 5-1   Static NAT Configuration

R2(config)#ip nat inside source static 192.168.10.254 209.165.200.254
R2(config)#interface serial0/0/0
R2(config-if)#ip nat inside
R2(config-if)#interface serial 0/1/0
R2(config-if)#ip nat outside

This configuration statically maps the inside IP address 192.168.10.254 to the outside address 209.165.200.254. This allows outside hosts to access the internal web server using the public IP address 209.165.200.254.

Configuring Dynamic NAT

Dynamic NAT maps private IP addresses to public addresses drawn from a NAT pool. The steps and syntax to configure dynamic NAT are as follows:

Step 1     Define a pool of global addresses to be allocated:

                 Router(config)#ip nat pool name start-ip end-ip {netmask netmask |
                 prefix-length prefix-length}

Step 2     Define a standard access list permitting those addresses that are to be translated:

                 Router(config)#access-list access-list-number source source-wildcard

Step 3     Bind the pool of addresses to the access list:

                 Router(config)#ip nat inside source list access-list-number pool name

Step 4     Specify the inside interface:

                 Router(config)#interface type number
                 Router(config-if)#ip nat inside

Step 5     Specify the outside interface:

                 Router(config)#interface type number
                 Router(config-if)#ip nat outside

Figure 5-5 shows a sample dynamic NAT topology.

Figure 5-5      Dynamic NAT Topology


Example 5-2 shows the dynamic NAT configuration.

Example 5-2   Dynamic NAT Configuration

R2(config)#ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)#ip nat inside source list 1 pool NAT-POOL1
R2(config)#interface serial 0/0/0
R2(config-if)#ip nat inside
R2(config-if)#interface serial 0/1/0
R2(config-if)#ip nat outside

Configuring NAT Overload

Commonly with home networks and small to medium-sized businesses, the ISP assigns only one registered IP address to your router. Therefore, it is necessary to overload that one IP address so that multiple inside clients can use it simultaneously.

The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IP address. Therefore, no NAT pool is defined. The overload keyword enables the addition of the port number to the translation.

Example 5-3 shows how R2 in Figure 5-5 would be configured to overload its registered IP address on the serial interface.

Example 5-3   Configuring NAT to Overload an Interface Address

R2(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)#ip nat inside source list 1 interface serial 0/1/0 overload
R2(config)#interface serial 0/0/0
R2(config-if)#ip nat inside
R2(config-if)#interface serial 0/1/0
R2(config-if)#ip nat outside

You can also overload a NAT pool of addresses, which might be necessary in organizations that potentially have many clients simultaneously needing translations. In our previous Example 5-2, NAT is configured with a pool of 15 addresses (209.165.200.226 to 209.165.200.240). If, at any given moment, R2 is translating all 15 addresses, packets for the 16th client will be queued for processing and may time out. To avoid this problem, add the keyword overload to the command that binds the access list to the NAT pool as follows:

        R2(config)#ip nat inside source list 1 pool NAT-POOL1 overload

Interestingly, IOS will use the first IP address in the pool until it runs out of available port numbers. Then it will move to the next IP address in the pool.
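The port handling from the NAT overload steps (keep the client's source port when free, otherwise take the first free port from the start of its port group) together with the pool behavior just described (stay on the first pool address until its ports run out), modelled as an added Python example. This is not IOS code and not from the book; the pool, hosts and ports used are constructed.

```python
# Added example (not IOS code, not from the book): a model of NAT overload as the
# chapter describes it. Pool, hosts and ports below are constructed.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the port group a port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError("invalid port %d" % port)


class PatTable:
    """Translation table for one overloaded pool of inside global addresses."""

    def __init__(self, pool):
        self.pool = list(pool)   # inside global addresses, used in order
        self.forward = {}        # (inside local ip, port) -> (inside global ip, port)
        self.reverse = {}        # (inside global ip, port) -> (inside local ip, port)

    def _allocate(self, local_port):
        # Keep the original source port if free; otherwise take the first free
        # port from the start of its group. Stay on the first pool address until
        # it has no free port in that group, then move to the next address.
        low, high = port_group(local_port)
        for global_ip in self.pool:
            if (global_ip, local_port) not in self.reverse:
                return global_ip, local_port
            for port in range(low, high + 1):
                if (global_ip, port) not in self.reverse:
                    return global_ip, port
        raise RuntimeError("NAT pool exhausted")

    def translate_out(self, local_ip, local_port):
        """Outbound packet: create the mapping on first use, then reuse it."""
        key = (local_ip, local_port)
        if key not in self.forward:
            mapping = self._allocate(local_port)
            self.forward[key] = mapping
            self.reverse[mapping] = key
        return self.forward[key]

    def translate_in(self, global_ip, global_port):
        """Reply packet: the destination port alone picks the inside client."""
        return self.reverse.get((global_ip, global_port))
```

With a single-address pool, two clients using ports 1555 and 1331 keep their ports, as in Figure 5-3; a third client that reuses port 1555 is moved to 1024, the start of its group.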

Verifying NAT

Assume that both the static and dynamic NAT topologies shown in Figures 5-4 and 5-5 are configured on R2 with the inside server statically translated to 209.165.200.254 and the NAT-POOL1 configured with the overload keyword. Further assume that two inside clients have connected to an outside host. You can use the show ip nat translations command to verify the current translations in the R2 NAT table, as shown in Example 5-4.

Example 5-4   Verifying NAT Operations with show ip nat translations


The static entry is always in the table. Currently, there are two dynamic entries. Notice that both inside clients received the same inside global address, but the port numbers are different.

The show ip nat statistics command shown in Example 5-5 displays information about the total number of active translations, NAT configuration parameters, how many addresses are in the pool, and how many have been allocated.

Example 5-5   Verifying NAT Operations with show ip nat statistics

R2#show ip nat statistics
Total translations: 3 (1 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/1/0
Inside Interfaces: FastEthernet0/0 , Serial0/0/0 , Serial0/0/1
Hits: 29  Misses: 7
Expired translations: 5
Dynamic mappings:
-- Inside Source
access-list 1 pool NAT-POOL1 refCount 2
 pool NAT-POOL1: netmask 255.255.255.224
       start 209.165.200.226 end 209.165.200.240
       type generic, total addresses 3 , allocated 1 (7%), misses 0

Alternatively, use the show run command and look for the NAT, access list, interface, or pool-related commands and check that they carry the required values. Examine the output from these commands carefully to discover any errors.

It is sometimes useful to clear the dynamic entries sooner than the default. This is especially true when testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the clear ip nat translation * privileged EXEC command.

Troubleshooting NAT

When you have IP connectivity problems in a NAT environment, it is often difficult to determine the cause of the problem. The first step in solving your problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:

Step 1     Based on the configuration, clearly define what NAT is supposed to achieve. This might reveal a problem with the configuration.

Step 2     Verify that correct translations exist in the translation table using the show ip nat translations command.

Step 3     Use the clear and debug commands to verify that NAT is operating as expected. Check to see if dynamic entries are re-created after they are cleared.

Step 4     Review in detail what is happening to the packet, and verify that routers have the correct routing information to forward the packet.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that the router translates, as shown in Example 5-6.

Example 5-6   Troubleshooting NAT with debug ip nat

R2#debug ip nat
IP NAT debugging is on
R2#
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
R2#

You can see that inside host 192.168.10.10 initiated traffic to outside host 209.165.201.30 and has been translated into address 209.165.200.226.

When decoding the debug output, note what the following symbols and values indicate:

•  *: The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.

•  s=: Refers to the source IP address.

•  a.b.c.d->w.x.y.z: Indicates that source address a.b.c.d is translated into w.x.y.z.

•  d=: Refers to the destination IP address.

•  [xxxx]: The value in brackets is the IP identification number. This information may be useful for debugging because it enables correlation with other packet traces from protocol analyzers.
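The decoding rules above, applied by an added Python example that parses debug ip nat lines and lists inside hosts whose outbound packets were translated but that never received a translated reply (the situation where troubleshooting step 4, return routing, is the next thing to check). This is not IOS code and not from the book; the sample lines are constructed after the format shown in Example 5-6.

```python
import re

# Added example (not IOS code, not from the book): decode "debug ip nat" lines.
# Field names (fast_switched, src_translated, ...) are this example's own.
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_t>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_t>[\d.]+))?\[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """Decode one debug line into its fields; return None for non-NAT output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "fast_switched": m.group("fast") == "*",   # leading asterisk
        "src": m.group("src"),                     # s= address
        "src_translated": m.group("src_t"),        # a.b.c.d->w.x.y.z on s=
        "dst": m.group("dst"),                     # d= address
        "dst_translated": m.group("dst_t"),        # a.b.c.d->w.x.y.z on d=
        "ip_id": int(m.group("ipid")),             # [xxxx] IP identification
    }


def unanswered_hosts(lines):
    """Inside local addresses translated outbound with no reply translated back.
    Translation worked, so the fault is more likely routing on the return path."""
    outbound, inbound = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src_translated"]:
            outbound.add(rec["src"])
        if rec["dst_translated"]:
            inbound.add(rec["dst_translated"])
    return sorted(outbound - inbound)


# Constructed sample in the format of Example 5-6: 192.168.10.10 gets a reply,
# 192.168.11.20 sends twice and never sees one.
SAMPLE = """R2#debug ip nat
IP NAT debugging is on
NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8]
NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8]
NAT: s=192.168.11.20->209.165.200.226, d=209.165.201.30[9]
NAT: s=192.168.11.20->209.165.200.226, d=209.165.201.30[9]
""".splitlines()
```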
