Day 8. NAT
CCNA 200-301 Exam Topics
Configure and verify inside source NAT using static and pools
Key Topics
To cope with the depletion of IPv4 addresses, several short-term solutions were developed. One short-term solution is to use private addresses and Network Address Translation (NAT). NAT enables inside network hosts to borrow a legitimate Internet IPv4 address while accessing Internet resources. When the requested traffic returns, the legitimate IPv4 address is repurposed and available for the next Internet request by an inside host. Using NAT, network administrators need only one or a few IPv4 addresses for the router to provide to the hosts instead of one unique IPv4 address for every client joining the network. Although IPv6 ultimately solves the problem of IPv4 address space depletion that NAT was created to address, it is still in wide use in current network implementation strategies. Today we review the concepts, configuration, and troubleshooting of NAT.
NAT Concepts
NAT, defined in RFC 3022, has many uses. Its key use is to conserve IPv4 addresses by allowing networks to use private IPv4 addresses. NAT translates nonroutable, private, internal addresses into routable public addresses. NAT also has the benefit of hiding internal IPv4 addresses from outside networks.
A NAT-enabled device typically operates at the border of a stub network. Figure 8-1 shows the master topology used during today’s review. R2 is the border router and is the device used for today’s example configurations.
Figure 8-1 NAT Topology
In NAT terminology, the inside network is the set of networks that are subject to translation (every network in the shaded region in Figure 8-1). The outside network is all other addresses. Figure 8-2 shows how to refer to the addresses when configuring NAT:
Inside local address: Most likely a private address. In the figure, the IPv4 address 192.168.10.10 assigned to PC1 is an inside local address.
Inside global address: A valid public address that the inside host is given when it exits the NAT router. When traffic from PC1 is destined for the web server at 209.165.201.1, R2 must translate the inside local address to an inside global address, which is 209.165.200.226 in this case.
Outside global address: A reachable IPv4 address assigned to a host on the Internet. For example, the web server can be reached at IPv4 address 209.165.201.1.
Outside local address: The local IPv4 address assigned to a host on the outside network. In most situations, this address is identical to the outside global address of that outside device. (Outside local addresses are beyond the scope of the CCNA.)
Figure 8-2 NAT Terminology
A NAT Example
Referring to Figure 8-1, the following steps illustrate the NAT process when PC1 sends traffic to the Internet:
Step 1. PC1 sends a packet destined for the Internet to R1, the default gateway.
Step 2. R1 forwards the packet to R2, as directed by its routing table.
Step 3. R2 refers to its routing table and identifies the next hop as the ISP router. It then checks to see whether the packet matches the criteria specified for translation. R2 has an ACL that identifies the inside network as a valid host for translation. Therefore, it translates an inside local IPv4 address to an inside global IPv4 address, which, in this case, is 209.165.200.226. It stores this mapping of the local address to global address in the NAT table.
Step 4. R2 modifies the packet with the new source IPv4 address (the inside global address) and sends it to the ISP router.
Step 5. The packet eventually reaches its destination, which then sends its reply to the inside global address 209.165.200.226.
Step 6. When R2 receives replies from the destination, it consults the NAT table to match the inside global address to the correct inside local address. R2 then modifies the packet, inserting the inside local address (192.168.10.10) as the destination address and sending it to R1.
Step 7. R1 receives the packet and forwards it to PC1.
Dynamic and Static NAT
The two types of NAT translation are as follows:
Dynamic NAT: Uses a pool of public addresses and assigns them on a first-come, first-served basis or reuses an existing public address configured on an interface. When a host with a private IPv4 address requests access to the Internet, dynamic NAT chooses an IPv4 address from the pool that another host is not already using. Instead of using a pool, dynamic NAT can be configured to overload an existing public address configured on an interface.
Static NAT: Uses a one-to-one mapping of local and global addresses. These mappings remain constant. Static NAT is particularly useful for web servers or hosts that must have a consistent address that is accessible from the Internet.
NAT Overload
NAT overloading (also called Port Address Translation [PAT]) maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. To do this, a port number also tracks each private address. When a response comes back from the outside, source port numbers determine the correct client for the NAT router to translate the packets.
Figure 8-3 and the following steps illustrate the NAT overload process:
Figure 8-3 NAT Overload Example
Step 1. PC1 and PC2 send packets destined for the Internet.
Step 2. When the packets arrive at R2, NAT overload changes the source address to the inside global IPv4 address and keeps a record of the assigned source port numbers (1555 and 1331, in this example) to identify the client from which the packets originated.
Step 3. R2 updates its NAT table. Notice the assigned ports. R2 then routes the packets to the Internet.
Step 4. When the web server replies, R2 uses the destination source port to translate the packet to the correct client.
NAT overload attempts to preserve the original source port. However, if this source port is already used, NAT overload assigns the first available port number, starting from the beginning of the appropriate port group 0–511, 512–1023, or 1024–65535.
NAT Benefits
Using NAT offers the following benefits:
NAT conserves registered IPv4 address space because, with NAT overload, internal hosts can share a single public IPv4 address for all external communications.
NAT increases the flexibility of connections to the public network. Multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections.
NAT allows the existing scheme to remain while supporting a new public addressing scheme. This means that an organization can change ISPs without needing to change any of its inside clients.
NAT provides a layer of network security because private networks do not advertise their inside local addresses outside the organization. However, the phrase NAT firewall is misleading; NAT does not replace firewalls.
NAT Limitations
The limitations of using NAT include the following:
Performance is degraded: NAT increases switching delays because translating each IPv4 address within the packet headers takes time.
End-to-end functionality is degraded: Many Internet protocols and applications depend on end-to-end functionality, with unmodified packets forwarded from the source to the destination.
End-to-end IP traceability is lost: Tracing packets that undergo numerous packet address changes over multiple NAT hops becomes much more difficult, making troubleshooting challenging.
Tunneling is more complicated: Using NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the headers that interfere with the integrity checks that IPsec and other tunneling protocols do.
Services can be disrupted: Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted.
Configuring Static NAT
Static NAT is a one-to-one mapping between an inside address and an outside address. Static NAT allows connections initiated by external devices to access inside devices. For example, you might want to map an inside global address to a specific inside local address that is assigned to your inside web server. The steps and syntax to configure static NAT follow:
Step 1. Configure the static translation of an inside local address to an inside global address:
Router(config)# ip nat inside source static local-ip global-ip
Step 2. Specify the inside interface:
Router(config)# interface type number Router(config-if)# ip nat inside
Step 3. Specify the outside interface:
Router(config)# interface type number Router(config-if)# ip nat outside
Figure 8-4 shows a sample static NAT topology.
Figure 8-4 Static NAT Topology
Example 8-1 shows the static NAT configuration.
Example 8-1 Static NAT Configuration
R2(config)# ip nat inside source static 192.168.10.254 209.165.200.254 R2(config)# interface serial0/0/0 R2(config-if)# ip nat inside R2(config-if)# interface serial 0/1/0 R2(config-if)# ip nat outside
This configuration statically maps the inside private IPv4 address 192.168.10.254 to the outside public IPv4 address 209.165.200.254. This allows outside hosts to access the internal web server by using the public IPv4 address 209.165.200.254.
Configuring Dynamic NAT
Dynamic NAT maps private IPv4 addresses to public addresses drawn from a NAT pool. The steps and syntax to configure dynamic NAT are as follows:
Step 1. Define a pool of global addresses to be allocated:
Router(config)# ip nat pool name start-ip end-ip {netmask | prefix-length
prefix-length}
Step 2. Define a standard access list permitting addresses that are to be translated:
Router(config)# access-list access-list-number source source-wildcard
Step 3. Bind the pool of addresses to the access list:
Router(config)# ip nat inside source list access-list-number pool name
Step 4. Specify the inside interface:
Router(config)# interface type number Router(config-if)# ip nat inside
Step 5. Specify the outside interface:
Router(config)# interface type number Router(config-if)# ip nat outside
Figure 8-5 shows a sample dynamic NAT topology.
Figure 8-5 Dynamic NAT Topology
Example 8-2 shows the dynamic NAT configuration.
Example 8-2 Dynamic NAT Configuration
R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224 R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255 R2(config)# ip nat inside source list 1 pool NAT-POOL1 R2(config)# interface serial 0/0/0 R2(config-if)# ip nat inside R2(config-if)# interface serial s0/1/0 R2(config-if)# ip nat outside
Configuring NAT Overload
Commonly with home networks and small to medium-size businesses, the ISP assigns only one registered IPv4 address to the router. Therefore, it is necessary to overload that one IPv4 address so that multiple inside clients can use it simultaneously.
The configuration is similar to the use of dynamic NAT, except that instead of using a pool of addresses, the interface keyword is used to identify the outside IPv4 address. The overload keyword enables PAT so that source port numbers are tracked during translation.
Example 8-3 shows how R2 in Figure 8-5 is configured to overload its registered IPv4 address on the serial interface.
Example 8-3 Configuring NAT to Overload an Interface Address
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255 R2(config)# ip nat inside source list 1 interface serial 0/1/0 overload R2(config)# interface serial 0/0/0 R2(config-if)# ip nat inside R2(config-if)# interface serial s0/1/0 R2(config-if)# ip nat outside
You can also overload a NAT pool of addresses, which might be necessary in organizations that potentially have many clients that simultaneously need translations. In Example 8-2. NAT is configured with a pool of 15 addresses (209.165.200.226–209.165.200.240). If R2 is translating all 15 addresses at any given moment, packets for the 16th client will be queued for processing and will possibly time out. To avoid this problem, add the keyword overload to the command that binds the access list to the NAT pool, as follows:
R2(config)# ip nat inside source list 1 pool NAT-POOL1 overload
Interestingly, Cisco IOS uses the first IPv4 address in the pool until it runs out of available port numbers. Then it moves to the next IPv4 address in the pool.
Verifying NAT
Assume that both the static and dynamic NAT topologies in Figures 6-4 and 6-5 are configured on R2, with the inside server statically translated to 209.165.200.254 and NAT-POOL1 configured with the overload keyword. Furthermore, assume that two inside clients have connected to an outside host. You can use the show ip nat translations command to verify the current translations in the R2 NAT table, as Example 8-4 shows.
Example 8-4 Verifying NAT Operations with show ip nat translations
R2# show ip nat translations Pro Inside global Inside local Outside local Outside global --- 209.165.200.254 192.168.10.254 --- --- tcp 209.165.200.226:47392 192.168.10.10:47392 209.165.201.30:80 209.165.201.30:80 tcp 209.165.200.226:50243 192.168.11.10:50243 209.165.201.30:80 209.165.201.30:80
The static entry is always in the table. Currently, the table has two dynamic entries. Notice that both inside clients received the same inside global address, but the source port numbers are different (47392 for PC1 and 50243 for PC2).
The show ip nat statistics command, shown in Example 8-5. displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and how many have been allocated.
Example 8-5 Verifying NAT Operations with show ip nat statistics
R2# show ip nat statistics
Total translations: 3 (1 static, 2 dynamic, 2 extended)
Outside Interfaces: Serial0/1/0
Inside Interfaces: FastEthernet0/0 , Serial0/0/0 , Serial0/0/1
Hits: 29 Misses: 7
Expired translations: 5
Dynamic mappings:
-- Inside Source
access-list 1 pool NAT-POOL1 refCount 2
pool NAT-POOL1: netmask 255.255.255.224
start 209.165.200.226 end 209.165.200.240
type generic, total addresses 3 , allocated 1 (7%), misses 0
Alternatively, use the show run command and look for NAT, access command list, interface, or pool-related commands with the required values. Carefully examine the output from these commands to discover any errors.
It is sometimes useful to clear the dynamic entries sooner than the default. This is especially true when testing the NAT configuration. To clear dynamic entries before the timeout has expired, use the clear ip nat translation * privileged EXEC command.
Troubleshooting NAT
When you have IP connectivity problems in a NAT environment, determining the cause of a problem is often difficult. The first step in solving your problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:
Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This might reveal a problem with the configuration.
Step 2. Verify that correct translations exist in the translation table by using the show ip nat translations command.
Step 3. Use the clear and debug commands to verify that NAT is operating as expected. Check to see whether dynamic entries are re-created after they are cleared.
Step 4. Review in detail what is happening to the packet and verify that routers have the correct routing information to forward the packet.
Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that the router translates, as in Example 8-6.
Example 8-6 Troubleshooting NAT with debug ip nat
R2# debug ip nat IP NAT debugging is on R2# NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8] NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8] NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8] NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8] NAT*: s=209.165.201.30, d=209.165.200.226->192.168.10.10[8] NAT: s=192.168.10.10->209.165.200.226, d=209.165.201.30[8] R2#
You can see that inside host 192.168.10.10 initiated traffic to outside host 209.165.201.30 and has been translated into address 209.165.200.226.
When decoding the debug output, note what the following symbols and values indicate:
*: The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
s=: This refers to the source IPv4 address.
a.b.c.d->w.x.y.z: This indicates that source address a.b.c.d is translated into w.x.y.z.
d=: This refers to the destination IPv4 address.
[xxxx]: The value in brackets is the IP identification number. This information can be useful for debugging because it enables correlation with other packet traces from protocol analyzers.
Study Resources
For today’s exam topics, refer to the following resources for more study.
Resource |
Module or Chapter |
Enterprise Networking, Security, and Automation |
6 |
CCNA 200-301 Official Cert Guide, Volume 2 |
10 |
Portable Command Guide |
18 |