6-6 Network Address Translation (NAT)

  • NAT can be used to interface a network of private or nonregistered IP addresses to the Internet and present them as one or more registered addresses.

  • NAT can translate one IP address space into another during an address space migration.

  • An entire address range can be "hidden" or translated behind a single IP address using Port Address Translation (PAT).

  • NAT can provide load balancing of a single IP address to many translated addresses, as in the case of a server farm.

  • NAT has one router interface on the "outside" and at least one interface on the "inside." (Inside refers to the local, private address space, and outside refers to the global, public address space.)

  • When NAT runs out of available address space for translation, incoming packets requiring translation are dropped, and an ICMP Host Unreachable packet is returned.

  • Cisco's EasyIP is a combination of IOS software features: NAT, DHCP server (see Section 6-4), and WAN interface IP address negotiation using PPP and IPCP (see Section 3-6).

NOTE

NAT is fully compatible with TCP and UDP traffic that does not contain source or destination addresses within the payload. In other words, packets that have IP addresses located within the packet header can easily be translated. These protocols include HTTP, TFTP, Telnet, finger, NTP, NFS, and rlogin/rsh/rcp.

However, many protocols do contain source and/or destination IP addresses embedded in the data portion of the packet. For these, NAT must look further into the packet payload and perform the necessary translations so that the protocols work properly after the translation occurs. Protocols that are compatible with Cisco IOS NAT include ICMP, FTP, NetBIOS over TCP/IP, RealAudio, CuSeeMe, DNS queries, NetMeeting, VDOLive, Vxtreme, IP multicast, PPTP, H.323v2, H.225/245 (except RAS), and Cisco's IP Phone Skinny Client Protocol.


Configuration

In the configuration steps, NAT is shown to translate inside source addresses. The command format is ip nat inside source. NAT can also perform other translations with the following commands:

 (global) ip nat inside destination ...
 (global) ip nat outside source ...
 (global) ip nat outside destination ...

These commands can be used with the same options and results defined in the following configuration steps. However, the most common use of NAT is to translate inside source addresses where a private network interfaces with the Internet.

  1. (Optional) Use static address translation.

    1. (Optional) Define a static translation for an IP address:

       (global) ip nat inside source static local-ip global-ip {extendable | no-alias}

      A static entry is made in the translation table such that a source address of local-ip is translated into global-ip. Two different types of translations can be configured: specific TCP or UDP port numbers associated with an IP address, and a translation for all TCP and UDP ports associated with an IP address.

    2. (Optional) Define a static translation for an IP address and a specific TCP or UDP port:

       (global) ip nat inside source static [tcp | udp] local-ip local-port {global-ip | interface type num} global-port {extendable | no-alias}

      A static entry is made in the translation table such that a source address of local-ip and TCP or UDP port local-port will be translated into global-ip with TCP or UDP port global-port. Optionally, an interface type and number can be specified instead of a global IP address. The interface's IP address is then used as the global IP address for translation. This is useful when an interface's IP address is negotiated or dynamically assigned.

      The extendable keyword is used when several ambiguous static translations exist for the same local or global IP addresses. Full address and port NAT entries are created to resolve the ambiguity. By default, the router answers ARP requests for translations to unused global IP addresses. Use the no-alias keyword if this behavior is not what you want.

    3. (Optional) Define a static translation for an entire network address:

       (global) ip nat inside source static network local-ip global-ip {netmask | prefix-length} {extendable | no-alias}

      A static entry is made in the translation table such that source addresses of the entire network local-ip are translated into the network global-ip. The network mask is specified as either a regular netmask in dotted notation or as a single number prefix-length representing the length of the subnet mask prefix.

  2. (Optional) Use dynamic translation behind a pool of IP addresses.

    1. Define a pool of contiguous IP addresses to use:

       (global) ip nat pool pool start-ip end-ip {netmask netmask | prefix-length length}

      A single range of contiguous IP addresses is identified as a pool named pool, beginning with start-ip and ending with end-ip. An optional mask can be specified as either a regular netmask in dotted notation or as a single number length representing the length of the subnet mask prefix.

      -OR-

    2. Define a pool of discontiguous ranges of IP addresses:

       (global) ip nat pool pool {netmask netmask | prefix-length length} [type match-host]
       (ip-nat-pool) address start-ip end-ip
       (ip-nat-pool) ...

      Several ranges of IP addresses can be assigned to a NAT pool, even if they are discontiguous. In this case, only the pool name is specified, along with either the subnet mask or the prefix length. If the optional type match-host keyword is included, the prefix is translated, and the host number remains the same. In other words, NAT "slides" the entire range of host addresses under a new network address.

      The pool's individual ranges are defined with the address command, along with starting and ending IP addresses.

    3. Trigger the NAT operation using an access list.

      • Define a standard access list that permits addresses to be translated:

         (global)  access-list   number   permit   source-address mask  

        -OR-

         (global) ip access-list standard name
         (std-nacl) permit source-address mask

        A standard IP access list (either with a number 1 to 99 or a name) is defined. The inside address to be translated must be permitted by the access list and is defined as source-address and network mask.

      • Configure NAT to use an access list and an address pool:

         (global)  ip nat inside source list   access-list   pool   pool  

        The numbered or named standard IP access list is used to trigger NAT to select an unused address from the pool named pool.

    4. Trigger the NAT operation using a route map.

      • Define a route map that matches addresses to be translated:

         (global)  route-map   name   permit   statement-num  

        A route map named name is defined.

      • Specify parameters to match:

         (route-map)  match ip address   access-list  

        -OR-

         (route-map)  match ip next-hop   access-list  

        -OR-

         (route-map)  match interface   type num  

        One or more match statements are specified for the route map to identify the IP address, next-hop address, or outbound interface of a packet. Matching conditions flag the packet for address translation. These matching conditions are useful if translation is needed into address spaces from several service providers. The matching conditions should be selected so that a unique service provider address space or interface is chosen.

      • Apply a route map to a NAT address pool:

         (global)  ip nat inside source route-map   map-name   pool   pool-name  

        Matching conditions from the route map map-name trigger NAT to use an IP address from the pool pool-name. This command can be used more than once to bind unique addressing from multiple service providers to the appropriate address pools.

  3. (Optional) Define a dynamic translation to "hide" inside hosts behind a single IP address:

     (global) ip nat inside source list list [interface type num | pool pool-name] overload

    PAT is activated using the overload keyword. NAT is triggered using the standard IP access list list. It can use a single global IP address from either an interface (specified with the interface keyword) or one of the NAT pool addresses (specified with the pool keyword).

    The local or inside TCP/UDP port numbers are kept intact, and all the inside addresses are translated into the single global IP address. The global TCP/UDP port numbers are modified to create a unique translation entry. If the original source port cannot be retained in the translation, the next available port number (0 to 65535) is used. In the case of the pool keyword, as soon as all available ports have been used for one IP address in the pool, NAT moves to the next available pool address.

  4. (Optional) Configure load balancing for TCP traffic.

    1. Define an address pool that represents a group of real servers:

       (global) ip nat pool pool start-ip end-ip {netmask mask | prefix-length length} type rotary

      The IP addresses of physical servers are defined as a NAT pool named pool and ranging from start-ip to end-ip. An optional network mask or prefix length can be given for the range. The type rotary keywords must be used to enable the round-robin load balancing operation. Each new TCP connection receives a translation to the next address in the pool.

    2. Define an access list that permits the address of a virtual server:

       (global)  access-list   number   permit   source-address mask  

      -OR-

       (global) ip access-list standard name
       (std-nacl) permit source-address mask

      A standard IP access list (either with a number 1 to 99 or a name) is defined. Only the inside address of the virtual server must be permitted by the access list. It is defined as source-address and network mask.

    3. Apply the virtual server access list to the pool of real servers:

       (global)  ip nat inside destination list   access-list   pool   pool  

      The numbered or named standard IP access list is used to trigger NAT to select the next physical server IP address from the pool. Note that the nat command shown here translates the inside destination address. This is because TCP load balancing is usually used on inbound traffic destined for a virtual server address. Therefore, the virtual server should be "located" on an outside interface, and the physical servers should be located on an inside interface.

  5. Enable NAT by identifying an "inside" interface:

     (interface)  ip nat inside  

    The inside boundary for the NAT operation is defined on the specified interface. One or more inside interfaces can be defined so that NAT will translate selected addresses as packets cross the boundary between any inside and outside interfaces.

  6. Enable NAT by identifying an "outside" interface:

     (interface)  ip nat outside  

    The outside boundary for the NAT operation is defined on the specified interface. One or more outside interfaces can be defined.
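As an added illustration of the PAT (overload) behavior described in step 3 and the out-of-address-space rule from the overview bullets, the following Python model of the overload translation table is example code written for this page, not code from the Cisco Field Manual or from IOS. The pool addresses, the narrow port range used in testing and the inside hosts are constructed; it assumes pool addresses are tried in order, TCP and UDP use separate port spaces, and entries never time out.

```python
from collections import defaultdict

class PatTranslator:
    """Model of NAT overload (PAT): many inside hosts behind a few global IPs.

    Assumptions (not from the page): pool addresses are tried in order,
    TCP and UDP get separate port spaces, and entries never time out.
    """

    def __init__(self, global_ips, port_range=(0, 65535)):
        self.global_ips = list(global_ips)
        self.lo, self.hi = port_range          # page: ports 0 to 65535
        # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.table = {}
        # ports already handed out, per (global_ip, proto)
        self.used = defaultdict(set)

    def translate(self, proto, local_ip, local_port):
        """Outbound packet: return (global_ip, global_port), or None if dropped."""
        key = (proto, local_ip, local_port)
        if key in self.table:                  # existing entry is reused
            return self.table[key]
        for gip in self.global_ips:
            used = self.used[(gip, proto)]
            if self.lo <= local_port <= self.hi and local_port not in used:
                gport = local_port             # original source port kept intact
            else:
                # otherwise the next available port number on this address
                gport = next((p for p in range(self.lo, self.hi + 1) if p not in used), None)
                if gport is None:
                    continue                   # address exhausted: move to next pool address
            used.add(gport)
            self.table[key] = (gip, gport)
            return self.table[key]
        # no address or port left: the packet is dropped and IOS returns
        # an ICMP Host Unreachable (modelled here as None)
        return None

    def reverse(self, proto, global_ip, global_port):
        """Returning packet: map back to (local_ip, local_port), or None."""
        for (p, lip, lport), (gip, gport) in self.table.items():
            if (p, gip, gport) == (proto, global_ip, global_port):
                return (lip, lport)
        return None
```

A real translation table is also the place to look when auditing which inside hosts are reachable from outside, since only entries present in the table map back to an inside host.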

Examples

Figure 6-3 shows a network diagram for this example. A static translation is defined to map inside address 192.168.3.17 to outside address 128.3.5.64. In the second group of commands, static translations are defined to map a single outside host address to two different inside hosts: one host for SMTP (port 25) traffic, and another host for HTTP (port 80) traffic. Both SMTP and HTTP traffic can be sent to the single outside address, and NAT will sort out the traffic to the correct inside hosts.

Figure 6-3. Network Diagram for the NAT Static Translation Example


The network 192.168.77.0 is translated into the network 128.3.77.0 by a single static NAT command. Two pools of dynamic addresses are created for two user groups: workgroup1 and workgroup2, each containing 128 IP addresses. Access list 101 is used to trigger NAT for addresses in the 192.168.16.0 network going out anywhere, using NAT pool workgroup1. Route map trigger2 is used to trigger NAT for addresses in the 192.168.16.0 network going anywhere except the 172.30.0.0 network, using NAT pool workgroup2. Access list 103 is used to trigger NAT with PAT or overload for addresses in the 192.168.17.0 network going anywhere. Rather than using a pool, NAT translates the inside addresses so that they are hidden behind the single IP address of interface serial 1.

  ip nat inside source static 192.168.3.17 128.3.5.64
  ip nat inside source static tcp 192.168.3.5 25 128.3.5.31 25
  ip nat inside source static tcp 192.168.3.10 80 128.3.5.31 80
  ip nat inside source static network 192.168.77.0 128.3.77.0 255.255.255.0
  ip nat pool workgroup1 128.3.80.1 128.3.80.127 netmask 255.255.255.128
  ip nat pool workgroup2 128.3.80.128 128.3.80.254 netmask 255.255.255.128
  ip nat inside source list 101 pool workgroup1
  ip nat inside source route-map trigger2 pool workgroup2
  ip nat inside source list 103 interface serial 1 overload
  access-list 101 permit ip 192.168.16.0 0.0.0.255 any
  access-list 102 deny ip 192.168.16.0 0.0.0.255 172.30.0.0 0.0.255.255
  access-list 102 permit ip 192.168.16.0 0.0.0.255 any
  access-list 103 permit ip 192.168.17.0 0.0.0.255 any
  route-map trigger2 permit 10
   match ip address 102
  interface ethernet 0
   ip address 192.168.16.1 255.255.255.0
   ip address 192.168.17.1 255.255.255.0 secondary
   ip nat inside
  interface serial 1
   ip address 204.16.47.6 255.255.255.0
   ip nat outside
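As an added consistency check over a configuration like the one above, the following Python script is example code written for this page, not from the Cisco Field Manual or from IOS. It parses the NAT statements and reports references to access lists, route maps or pools that are never defined, and a missing inside or outside boundary, since either gap means the intended translations are never built. The embedded configuration is a constructed subset of the example above, and the parser covers only the command forms shown in this section.

```python
import re

# Constructed sample: the NAT-relevant lines of this section's first example
EXAMPLE_CONFIG = """\
ip nat pool workgroup1 128.3.80.1 128.3.80.127 netmask 255.255.255.128
ip nat pool workgroup2 128.3.80.128 128.3.80.254 netmask 255.255.255.128
ip nat inside source list 101 pool workgroup1
ip nat inside source route-map trigger2 pool workgroup2
ip nat inside source list 103 interface serial 1 overload
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 102 deny ip 192.168.16.0 0.0.0.255 172.30.0.0 0.0.255.255
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 permit ip 192.168.17.0 0.0.0.255 any
route-map trigger2 permit 10
 match ip address 102
interface ethernet 0
 ip nat inside
interface serial 1
 ip nat outside
"""

def check_nat_config(config_text):
    """Return problems in the NAT statements (empty list = consistent)."""
    defined = {"access list": set(), "route map": set(), "pool": set()}
    refs, boundaries = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat pool (\S+)", line):
            defined["pool"].add(m.group(1))
        elif m := re.match(r"(?:access-list|ip access-list standard) (\S+)", line):
            defined["access list"].add(m.group(1))
        elif m := re.match(r"route-map (\S+)", line):
            defined["route map"].add(m.group(1))
        elif line in ("ip nat inside", "ip nat outside"):
            boundaries.add(line.split()[-1])   # interface-mode boundary marker
        elif line.startswith("ip nat ") and " static " not in line:
            # dynamic form: ip nat inside {source|destination} {list N|route-map M} {pool P|interface ...}
            for kind, kw in (("access list", "list"), ("route map", "route-map"), ("pool", "pool")):
                if m := re.search(rf" {kw} (\S+)", line):
                    refs.append((kind, m.group(1)))
        elif m := re.match(r"match ip address (\S+)", line):
            refs.append(("access list", m.group(1)))
    problems = [f"{kind} {name} is referenced but never defined"
                for kind, name in refs if name not in defined[kind]]
    for side in ("inside", "outside"):
        if side not in boundaries:
            problems.append(f"no interface is marked ip nat {side}")
    return problems
```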

NAT is used to provide TCP load balancing for a server farm. The physical servers are defined as a pool called servers, ranging from 192.168.99.10 to 192.168.99.40. A virtual server is defined as 128.100.41.5, matched by access list 1. The servers are located on inside interface ethernet 1/0, and the virtual server is located on the outside interface serial 0/3. Figure 6-4 shows a network diagram.

Figure 6-4. Network Diagram for the NAT TCP Load Balancing Example


  ip nat pool servers 192.168.99.10 192.168.99.40 netmask 255.255.255.0 type rotary
  ip nat inside destination list 1 pool servers
  access-list 1 permit 128.100.41.5 0.0.0.0
  interface ethernet 1/0
   ip address 192.168.99.1 255.255.255.0
   ip nat inside
  interface serial 0/3
   ip address 128.100.41.1 255.255.255.0
   ip nat outside


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185