Network Address Translation (NAT)


NAT’s basic function is to map private IP version 4 addresses to the globally unique IP addresses used to communicate with other Internet hosts. It’s available in version 11.2 in the s feature set, and you enable it on a border router, one that sits between an enterprise network and an Internet router.

You can use NAT on an entirely private IP network or on one inhabited by a mix of registered and private addresses. There’s a very extensive list of possible NAT-oriented scenarios, but overall, NAT is used to provide connectivity between globally and privately addressed hosts. For connectivity between the two types of hosts to be established—for it to happen at all—a source address modification of the privately addressed host must occur. NAT provides this translation.

Let’s walk through the NAT process. To help visualize what happens with NAT, refer to Figure 7.23.

Figure 7.23: Network address translation

Host P wants to connect with Host G, but since private networks aren’t advertised to the Internet, Host G won’t be able to respond to Host P: there’s no route back to its private address.

This problem is solved by using NAT. Realize that the border router is the only device that understands both the private and public addressing schemes. What NAT does is allow the border router to receive the request from Host P and then forward it on to Host G using the border router’s address in the public address space as the return address. Host G then responds to the router, which then forwards the response on to Host P. This allows hundreds or thousands of private addresses to be represented and to communicate with the open Internet using a single registered address.
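The translation described above, as an added example that is not from the study guide: a toy border router that keeps a translation table, rewrites the source of outbound packets to its own registered address (with a distinct port per inside connection so many private hosts share one public address), maps replies back, and drops anything arriving from the Internet that matches no entry, which is the "no route back" property in practice. The addresses (10.0.0.5 for Host P, 203.0.113.10 for Host G, 198.51.100.1 for the router's public side) are constructed documentation-range values, and the log it keeps is what the traceability question later in the chapter refers to.

```python
"""Toy model of NAT on a border router (many private hosts behind one public IP).

All addresses below are constructed examples; the RFC 1918 ranges are the real
private blocks that a NAT 'inside' check would match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the private (non-routable) blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # the single registered address
        self.next_port = first_port         # next free port on the public side
        self.out_table = {}                 # (inside_ip, inside_port) -> public port
        self.in_table = {}                  # public port -> (inside_ip, inside_port)
        self.log = []                       # translation log for traceability

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: replace the private source with the router's public address."""
        if not is_rfc1918(pkt.src_ip):
            return pkt                      # already globally routable; forward untouched
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:       # first packet of this flow: allocate a mapping
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
            self.log.append(f"NEW {pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:{port}")
        port = self.out_table[key]
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: only packets matching an existing translation get through."""
        if pkt.dst_ip != self.public_ip:
            return None                     # not addressed to us at all
        key = self.in_table.get(pkt.dst_port)
        if key is None:                     # unsolicited: no inside host to deliver to
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:{pkt.dst_port}")
            return None
        inside_ip, inside_port = key
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def demo():
    """Host P (private) reaches Host G (public) through the router; a stray probe is dropped."""
    nat = NatRouter("198.51.100.1")
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 80, "GET /")
    on_wire = nat.outbound(request)         # what Host G actually sees as the source
    reply = Packet("203.0.113.10", 80, on_wire.src_ip, on_wire.src_port, "200 OK")
    delivered = nat.inbound(reply)          # rewritten back to Host P's private address
    stray = nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.1", 40999, "probe"))
    return on_wire, delivered, stray, nat.log


if __name__ == "__main__":
    on_wire, delivered, stray, log = demo()
    print("seen by Host G:", on_wire)
    print("delivered to Host P:", delivered)
    print("stray probe delivered:", stray)
    print("\n".join(log))
```

Running `demo()` shows Host G seeing only 198.51.100.1:40000, the reply landing back at 10.0.0.5:51000, and the unsolicited probe dropped with a log entry. A second inside host sending through the same router gets the same public address with a different port, which is how one registered address fronts many private nodes.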

Here are a few factors to keep in mind when deciding whether to use NAT:

  • The cost of purchasing registered IP addresses

  • The number of nodes currently configured with private addresses

  • The importance of logging, traceability, and security

  • Transport delay

  • Application sensitivity

As always, the cost of implementation needs to be considered. Even obtaining registered addresses for use with NAT has an associated cost that you have to pay (unless the provider allocates them at no additional charge). Since procuring registered addresses costs money whether you use NAT or not, it might be possible to simply re-address the current network and bypass NAT altogether. When is this a good idea? It’s probably easier to just renumber if there aren’t a lot of private nodes on the network. Also, when NAT is used end to end, the identity of individual machines is lost behind the shared address. So if an existing policy mandates strict management information, NAT may not work for you. Because the router must process every packet, there will be delay incurred in packet transport. Some applications simply rely on the end-to-end information that NAT just can’t provide. If you have those applications running on your network, implementing NAT could break them.

But all things considered, there are still several advantages to using NAT. If your network is huge, with a multitude of private addresses, it’s much easier to implement NAT rather than to re-address. Since NAT allows only specific networks to use the registered IP addresses, it gives you some degree of control over who’s able to reach Internet hosts and who isn’t.




CCDA: Cisco Certified Design Associate Study Guide, 2nd Edition (640-861)
ISBN: 0782142001
Year: 2002
Pages: 201
