NAT in Operation

NAT can handle a variety of situations and configurations based on the needs of the network; some translations need to be strictly defined, whereas others can vary. You can use NAT to connect everyone to the Internet with just one address or use it to connect two companies that happen to choose the same addressing scheme. Next, we examine the different scenarios and their configurations.

Static NAT

A static mapping is usually used to help make available a shared resource (Web, email, FTP server, and so on) on the private side of your network to the outside. The issue is that the address on the internal resource is not valid for the outside, so what needs to be configured is a connection between a valid outside address and your internal resource's private address. You enter the following command in global configuration mode:

 ip nat inside source static local-ip global-ip 

local-ip is the address of the resource on the inside, and global-ip is the address that will be visible on the public network.


Remember that static mapping is usually used to make a shared resource on the private side of your network available to the outside.


Table 5.2 describes the basic IP NAT command.

Table 5.2. ip nat inside source static

Term        Explanation
local-ip    The IP address of the local inside host to be translated
global-ip   The IP address on the global outside network that represents the inside host

(A disclaimer about the addresses in this chapter: All the addresses that the examples use are based on RFC 1918, "Address Allocation for Private Internets." We understand that it makes no sense to convert from one of these addresses to another; however, in the interest of not using a real address visible on the Internet, we decided to use addresses conforming to RFC 1918. The network of 172.30.0.0 is the network used to represent the public space.)

Let's look at a working example:

 Router(config)#ip nat inside source static 192.168.1.10 172.30.0.20 

Based on this example, requests destined for 172.30.0.20 are converted and redirected to the address 192.168.1.10.

To be a little more complex, we can use the static command to redirect requests sent to one public address to multiple private addresses based on ports. To do this, use the following command:

 ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port 

Notice that we added a protocol designator for Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and then a port assignment for each address:

 Router(config)#ip nat inside source static tcp 192.168.1.10 80 172.30.0.20 80 
 Router(config)#ip nat inside source static udp 192.168.1.25 69 172.30.0.20 69 

The first line takes incoming requests using TCP port 80 (HTTP) destined for the public address 172.30.0.20 and sends them to the Web server at 192.168.1.10. The second line takes requests using UDP port 69 (Trivial File Transfer Protocol [TFTP]) going to the same public address, but redirects them to a different private address, 192.168.1.25. This setup makes for a simple way to distribute load across multiple servers.

For NAT and all the preceding translations to be successful, you need to specify which interfaces will be used in NAT and which role each will play. You enter these commands in interface configuration mode. The ip nat inside command tells the router to treat the interface as the inside of NAT translations:

 Router(config-if)#ip nat inside 

Then, using the ip nat outside command on another interface sets up the pairing for the translation to occur. Each direction is now defined:

 Router(config-if)#ip nat outside 

Besides using the static NAT command to translate private addresses to public addresses, you can replace the inside keyword with outside and work the translation in the opposite direction.

Dynamic NAT

With static NAT, we configure a one-to-one mapping. Using dynamic NAT, we can convert our inside addresses to a range of outside addresses. This range gives us more flexibility and the ability to support more clients. To configure dynamic NAT, we need to use a standard access list to specify those addresses that we want converted (inside or private) and a nat pool command to specify the range of translated addresses (outside or public).


Remember that dynamic NAT converts inside addresses to a range of outside addresses.


The nat pool command looks like this:

 ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary] 

Table 5.3 explains the command.

Table 5.3. ip nat pool

Term                         Explanation
pool-name                    The name of the pool
start-ip                     The beginning of the address range to be used in the global pool
end-ip                       The end of the address range to be used in the global pool
netmask netmask              The subnet mask of the address pool range
prefix-length prefix-length  A bit count in classless interdomain routing (CIDR) notation describing the number of 1s in the netmask
type rotary                  (Optional) Used for TCP load distribution among real inside hosts

Table 5.4 explains the options for the following command:

 ip nat inside source list {access-list-number | name} pool pool-name 

Table 5.4. ip nat inside source for Dynamic NAT

Term                     Explanation
list access-list-number  A standard IP access list number. Packets that match the access list are dynamically translated to the global addresses in the pool.
list name                A named standard IP access list. Packets that match the access list are dynamically translated to the global addresses in the pool.
pool pool-name           The name of the pool defined by the ip nat pool command.

An example of the two commands used together looks something like this:

 Router(config)#ip nat pool small-range 172.30.1.5 172.30.1.25 netmask 255.255.255.0 
 Router(config)#ip nat inside source list my-access-list pool small-range 

The first command builds a pool named small-range that represents the addresses from 172.30.1.5 through 172.30.1.25, to be used as global outside addresses. The second command specifies that any source address that matches the named access list will be converted to one of the global addresses defined in the pool small-range.


It is possible to combine static and dynamic NAT. To do so, make sure the access list in dynamic NAT has a deny statement for any address used with the static NAT configuration.


Overloading NAT

Most organizations do not have a range of legal public addresses at their disposal; many have only an address or two to use. With NAT overloading, you specify that all private inside translations are to be represented by a single outside global address. All you need to do is add the keyword overload to the end of the ip nat inside source command:

 Router(config)#ip nat inside source list 10 interface serial 0 overload 

This command translates packets whose source addresses match access list 10 to the IP address of the serial 0 interface. The keyword overload at the end tells the router that it will need to use TCP and UDP ports to track the individual conversations, because all outbound conversations will carry the same address. When NAT uses ports to track separate conversations, we often refer to it as port address translation (PAT). PAT is a form or subset of NAT; translation still occurs, but because of the limited number of available outside addresses, port numbers identify the separate conversations.
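The static, port-based static, dynamic pool and overload configurations described in this chapter all come down to a handful of translation tables inside the router. The following Python model is an added example, not Cisco IOS code: the class, method and pool names are this example's own, the outside client address 172.30.9.9 and the serial 0 address 172.30.2.1 are constructed, and only the address and port rewriting is modelled (no routing, no ACL syntax). Static entries are consulted before the dynamic or overload logic, which is the overlap the note above tells you to resolve with a deny statement on a real router. The demo() function runs the chapter's own examples (172.30.0.20 forwarding to 192.168.1.10 and 192.168.1.25, the small-range pool, and overload on serial 0) through the model, including what happens when the dynamic pool runs out and how a reply to an overloaded address finds its way back to the right inside host.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def pool_range(start_ip, end_ip):
    """Expand 'ip nat pool start-ip end-ip' into its individual addresses."""
    first, last = int(IPv4Address(start_ip)), int(IPv4Address(end_ip))
    return [str(IPv4Address(n)) for n in range(first, last + 1)]


class NatRouter:
    """Translation tables of a router with one 'ip nat inside' and one 'ip nat outside' interface."""

    def __init__(self, inside_list, pool=(), overload_ip=None):
        self.inside_list = IPv4Network(inside_list)  # hosts the standard access list permits
        self.static = {}        # local-ip -> global-ip
        self.static_ports = {}  # (proto, global-ip, global-port) -> (local-ip, local-port)
        self.pool = list(pool)  # free addresses of the pool
        self.dynamic = {}       # local-ip -> pool address it currently holds
        self.overload_ip = overload_ip  # interface address named with 'overload'
        self.pat = {}           # (proto, local-ip, local-port) -> global port
        self._next_port = 1024

    def static_map(self, local_ip, global_ip):
        """ip nat inside source static local-ip global-ip"""
        self.static[local_ip] = global_ip

    def static_port_map(self, proto, local_ip, local_port, global_ip, global_port):
        """ip nat inside source static tcp|udp local-ip local-port global-ip global-port"""
        self.static_ports[(proto, global_ip, global_port)] = (local_ip, local_port)

    def outbound(self, pkt):
        """Inside -> outside.  Returns the rewritten packet, or None if the router drops it."""
        if pkt.src in self.static:                    # static entries are consulted first
            return replace(pkt, src=self.static[pkt.src])
        if IPv4Address(pkt.src) not in self.inside_list:
            return pkt                                # access list does not match: sent untranslated
        if self.overload_ip:                          # overload: one address, many ports (PAT)
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = self._next_port
                self._next_port += 1
            return replace(pkt, src=self.overload_ip, sport=self.pat[key])
        if pkt.src not in self.dynamic:               # dynamic: one pool address per inside host
            if not self.pool:
                return None                           # pool exhausted: no address to give out
            self.dynamic[pkt.src] = self.pool.pop(0)
        return replace(pkt, src=self.dynamic[pkt.src])

    def inbound(self, pkt):
        """Outside -> inside.  Reverse lookup; None when no translation entry exists."""
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_ports:
            local_ip, local_port = self.static_ports[(pkt.proto, pkt.dst, pkt.dport)]
            return replace(pkt, dst=local_ip, dport=local_port)
        for local_ip, global_ip in list(self.static.items()) + list(self.dynamic.items()):
            if global_ip == pkt.dst:
                return replace(pkt, dst=local_ip)
        if pkt.dst == self.overload_ip:
            for (proto, local_ip, local_port), global_port in self.pat.items():
                if (proto, global_port) == (pkt.proto, pkt.dport):
                    return replace(pkt, dst=local_ip, dport=local_port)
        return None


def demo():
    """Run the chapter's examples through the model (client and serial 0 addresses are constructed)."""
    out = {}
    r = NatRouter("192.168.1.0/24", pool=pool_range("172.30.1.5", "172.30.1.6"))  # two-address pool
    r.static_map("192.168.1.10", "172.30.0.20")
    r.static_port_map("tcp", "192.168.1.10", 80, "172.30.0.20", 80)
    r.static_port_map("udp", "192.168.1.25", 69, "172.30.0.20", 69)
    client = "172.30.9.9"
    out["http"] = r.inbound(Packet("tcp", client, 40000, "172.30.0.20", 80))
    out["tftp"] = r.inbound(Packet("udp", client, 40001, "172.30.0.20", 69))
    out["static_out"] = r.outbound(Packet("tcp", "192.168.1.10", 5000, client, 443))
    out["dyn1"] = r.outbound(Packet("tcp", "192.168.1.50", 5000, client, 443))
    out["dyn2"] = r.outbound(Packet("tcp", "192.168.1.51", 5000, client, 443))
    out["dyn3"] = r.outbound(Packet("tcp", "192.168.1.52", 5000, client, 443))  # pool is empty now
    out["dyn_reply"] = r.inbound(Packet("tcp", client, 443, "172.30.1.6", 5000))
    p = NatRouter("192.168.1.0/24", overload_ip="172.30.2.1")  # 'interface serial 0 overload'
    out["pat1"] = p.outbound(Packet("tcp", "192.168.1.50", 5000, client, 443))
    out["pat2"] = p.outbound(Packet("tcp", "192.168.1.51", 5000, client, 443))
    out["pat_reply"] = p.inbound(Packet("tcp", client, 443, "172.30.2.1", 1025))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Running the block prints one line per case: the two port-based entries steer HTTP and TFTP for the same public address to different inside hosts, the third dynamic host gets None because a two-address pool supports only two simultaneous hosts, and the overloaded router hands the two inside hosts the same outside address with ports 1024 and 1025, which is exactly what lets the reply to port 1025 reach 192.168.1.51.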

Overlapping NAT

When a company needs to connect two networks that are using the same address range, you normally would have a problem; however, NAT once again comes to the rescue. The solution is rather simple: You NAT in both directions. You set up a translation to go from the inside to the outside, as in the preceding examples. Then you set up a translation in the opposite direction, that is, from the outside to the inside. This type of translation is best used as a temporary fix; you would rather not have an overlapped network. Most overlapped networks are the result of company mergers or of branch offices being connected when the designers never thought they would be. The overall problem that NAT solves here is that you are trying to reach a location outside your network, but the address of that outside location is one that appears on the inside of your network.
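The two-direction translation for an overlapped network can be shown with two small tables. This is an added example, not Cisco's code: the addresses (both sites using 10.1.1.0/24, our server 10.1.1.5 presented outside as 172.30.1.5, their server 10.1.1.9 presented inside under the alias 192.168.50.9) and the class and function names are this example's assumptions. The inside hosts address the remote server by its alias; the router then rewrites both the source (our inside translation) and the destination (the outside translation) on the way out, and undoes both on the reply. looks_local() shows why the alias is needed at all: the remote server's real address falls inside our own range, so a host would treat it as a neighbour rather than send the packet to the router.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Both sites happen to use this range (constructed for the example).
LOCAL_NET = IPv4Network("10.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class OverlapNat:
    """Translation in both directions for two sites that share LOCAL_NET (names are this example's own)."""

    def __init__(self):
        self.inside_source = {}   # ip nat inside source static:  inside local -> inside global
        self.outside_source = {}  # ip nat outside source static: outside global -> outside local (alias)

    def inside_static(self, local_ip, global_ip):
        self.inside_source[local_ip] = global_ip

    def outside_static(self, global_ip, local_ip):
        self.outside_source[global_ip] = local_ip

    def outbound(self, pkt):
        """Inside host sends to the remote host's alias; both addresses are rewritten."""
        alias_to_real = {alias: real for real, alias in self.outside_source.items()}
        if pkt.src not in self.inside_source or pkt.dst not in alias_to_real:
            return None   # no entry in one of the two tables: not translated
        return Packet(src=self.inside_source[pkt.src], dst=alias_to_real[pkt.dst])

    def inbound(self, pkt):
        """Reply from the remote site; undo both translations."""
        global_to_local = {glob: loc for loc, glob in self.inside_source.items()}
        if pkt.src not in self.outside_source or pkt.dst not in global_to_local:
            return None
        return Packet(src=self.outside_source[pkt.src], dst=global_to_local[pkt.dst])


def looks_local(ip):
    """True if an inside host would consider this address part of its own network."""
    return IPv4Address(ip) in LOCAL_NET


def demo():
    """Constructed exchange: our 10.1.1.5 talks to their 10.1.1.9 through the alias."""
    nat = OverlapNat()
    nat.inside_static("10.1.1.5", "172.30.1.5")      # our server, seen as 172.30.1.5 outside
    nat.outside_static("10.1.1.9", "192.168.50.9")   # their server, seen as 192.168.50.9 inside
    return {
        "remote_real_looks_local": looks_local("10.1.1.9"),    # the problem
        "alias_looks_local": looks_local("192.168.50.9"),      # the fix
        "outbound": nat.outbound(Packet("10.1.1.5", "192.168.50.9")),
        "inbound": nat.inbound(Packet("10.1.1.9", "172.30.1.5")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

On the wire between the two routers, the packet carries only the translated addresses (172.30.1.5 to 10.1.1.9), so the remote site never sees an address that collides with its own hosts.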



CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003
Pages: 183
