NAT and PAT


NAT and PAT are design solutions that create private address space, in the sense that these addresses only exist inside the private network and not in the public address space. These techniques allow designers of future network implementations to achieve some important goals, including the following:

  • Conserve IP address space

  • Provide scalability

  • Provide a firewall technique

  • Reduce time and cost by simplifying IP address management

In its simplest configuration, NAT operates on a router that connects two networks together. One of these networks (designated as inside or private) is addressed with either private or obsolete addresses that must be converted into public addresses before packets are forwarded onto the other network (designated as outside or public). The translation operates in conjunction with routing, so NAT can simply be enabled on a customer-side Internet access router when translation is desired.

PAT is a configuration with a subset of features from the NAT technique, and it is available in later versions of Cisco IOS Software Release 11.2. Both PAT and NAT are discussed in more detail in the sections that follow.

PAT

Several internal addresses can be NATed to only one or a few external addresses by using a feature called overload, which is also referred to as PAT. PAT is a subset of NAT functionality that maps several internal addresses (up to about 4000) to a single external address. PAT uses unique port numbers on a single outside IP address to distinguish between the various translations. The total number of these ports is theoretically 2^16, or 65,536. PAT-only Cisco IOS Software images do not support the full NAT functionality that is required where one-to-one static or dynamic translations are needed.

Example 10-12 shows a simple PAT configuration for a 77x router, where a /28 private address block has to be assigned and ports 6000 through 6005 have to be mapped to one IP address (in this case, 10.0.0.2).

Example 10-12. Simple PAT Configuration
  under user "Internal", type
  set ip netmask 255.255.255.240
  set ip address 10.0.0.1
  ! If the core router's CHAP hostname is 'gateway,' then the user will need
  ! to be named 'gateway' as well.
  set user gateway
  set ip pat on

Assign the ports and private IP addresses as in Example 10-13.

Example 10-13. Assigning Ports/Private IP Addresses
  set dhcp address 10.0.0.2 13
  set dhcp netmask 255.255.255.240
  set dhcp gateway primary 10.0.0.1
  set ip pat porthandler 6000 10.0.0.2
  set ip pat porthandler 6001 10.0.0.2
  set ip pat porthandler 6002 10.0.0.2
  set ip pat porthandler 6003 10.0.0.2
  set ip pat porthandler 6004 10.0.0.2
  set ip pat porthandler 6005 10.0.0.2

NOTE

In Example 10-13, ports 6000 through 6005 are assigned to the PAT translation statically.
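The following Python program is an added illustration of what the PAT table behind Examples 10-12 and 10-13 does; it is not code from the book or from Cisco IOS. It models one outside address (the constructed TEST-NET address 192.0.2.1 stands in for the router's public address), allocates a distinct outside port per inside stream the way the "ipnat_allocate_port: wanted N got N" debug line suggests, reproduces the static port handlers for 6000 through 6005 from Example 10-13, and drops inbound packets that match neither a dynamic entry nor a handler. The port range, the allocation order and the class names are assumptions of this example, not router behaviour documented on the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed outside address for the router's public interface (TEST-NET-1,
# never a real host); it stands in for the one address all inside hosts share.
OUTSIDE_IP = "192.0.2.1"


@dataclass(frozen=True)
class Endpoint:
    proto: str   # "tcp" or "udp"
    ip: str
    port: int


class PatTable:
    """Model of PAT (NAT overload) on a single outside address.

    Each distinct inside (proto, ip, port) receives its own outside port, which
    is how the router tells return traffic apart although every inside host
    leaves with the same public address.  Static port handlers (the 77x
    'set ip pat porthandler' idea) pin a fixed outside port to an inside host
    so that inbound connections to that port can be delivered.
    """

    def __init__(self, outside_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.outside_ip = outside_ip
        self.first_port, self.last_port = first_port, last_port
        self.handlers: Dict[int, str] = {}                  # outside port -> inside ip
        self.out_map: Dict[Endpoint, int] = {}              # inside endpoint -> outside port
        self.in_map: Dict[Tuple[str, int], Endpoint] = {}   # (proto, outside port) -> inside endpoint

    def add_port_handler(self, port: int, inside_ip: str) -> None:
        self.handlers[port] = inside_ip

    def _port_in_use(self, proto: str, port: int) -> bool:
        return port in self.handlers or (proto, port) in self.in_map

    def free_ports(self, proto: str) -> int:
        return sum(1 for p in range(self.first_port, self.last_port + 1)
                   if not self._port_in_use(proto, p))

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Mirrors the 'ipnat_allocate_port: wanted N got N' debug line: keep the
        # inside port when it is free on the outside address, else take the
        # lowest free port; with none left the translation cannot be built.
        if self.first_port <= wanted <= self.last_port and not self._port_in_use(proto, wanted):
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if not self._port_in_use(proto, port):
                return port
        raise RuntimeError("no free %s port left on %s" % (proto, self.outside_ip))

    def translate_outbound(self, inside: Endpoint) -> Endpoint:
        """Inside -> outside: the (ip, port) the packet leaves the router with."""
        if inside not in self.out_map:
            port = self._allocate_port(inside.proto, inside.port)
            self.out_map[inside] = port
            self.in_map[(inside.proto, port)] = inside
        return Endpoint(inside.proto, self.outside_ip, self.out_map[inside])

    def translate_inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """Outside -> inside: a dynamic entry wins, then a static port handler.

        A packet matching neither has no translation and is dropped, which is
        the 'firewall technique' side effect of PAT the chapter lists."""
        if (proto, dst_port) in self.in_map:
            return self.in_map[(proto, dst_port)]
        if dst_port in self.handlers:
            return Endpoint(proto, self.handlers[dst_port], dst_port)
        return None

    def entries(self) -> int:
        """Translation-table size: one entry per distinct inside stream."""
        return len(self.out_map)


def build_example_table() -> PatTable:
    """The static handlers of Example 10-13 (ports 6000-6005 -> 10.0.0.2)."""
    pat = PatTable(OUTSIDE_IP)
    for port in range(6000, 6006):
        pat.add_port_handler(port, "10.0.0.2")
    return pat


if __name__ == "__main__":
    pat = build_example_table()
    print(pat.translate_outbound(Endpoint("tcp", "10.0.0.2", 4734)))
    print(pat.translate_outbound(Endpoint("tcp", "10.0.0.3", 4734)))   # same port, second host
    print(pat.translate_inbound("tcp", 6003), pat.translate_inbound("tcp", 2222))
```

Two hosts that both use source port 4734 receive different outside ports, so the reply to each can be delivered, and a table built with a deliberately tiny port range shows what exhaustion of the 2^16 port space looks like: the third stream cannot be translated at all.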


Use the show ip pat command to check or troubleshoot the PAT functions on a 77x router, as shown in Example 10-14.

Example 10-14. Determining PAT Functions for Troubleshooting Purposes
 776-isdn> show ip pat
 Dropped - icmp 0, udp 15, tcp 0, map 0, frag 0
 Timeout - udp 5 minutes, tcp 30 minutes
 Port handlers [no default]:
 Port     Handler         Service
 -------------------------------------
 21       10.0.0.2        FTP
 6000     10.0.0.2
 6001     10.0.0.2
 6002     10.0.0.2
 6003     10.0.0.2
 6004     10.0.0.2
 6005     10.0.0.2
 23       Router          TELNET
 67       Router          DHCP Server
 68       Router          DHCP Client
 69       Router          TFTP
 161      Router          SNMP
 162      Router          SNMP-TRAP
 520      Router          RIP
 Translation Table - 16 Entries.
 Inside          Outside           Orig. Port/ID     Trans. Port/ID  Timeout
 -------------------------------------------------------------------------
 10.0.0.2        161.68.235.228    0x89c3            0xfff9          1
 10.0.0.2        161.69.2.87       0x89cb            0xfff2          2
 10.0.0.2        161.68.235.228    0x89cb            0xfff5          2
 10.0.0.2        161.69.2.87       0x89cd            0xffee          3
 10.0.0.2        161.68.235.228    0x89cd            0xffef          2
 10.0.0.2        161.68.222.255    0x9b1             0x9b1           4

NAT

NAT was initially described in RFC 1631. In its simplest configuration, it operates on a router that connects two networks together, where one of these networks is designated as inside or private, and the other as outside or public. As part of a global address plan, each of these networks can use unique addresses, private addresses (RFC 1918), or addresses that have been officially assigned to some other organization, used as private addresses. One of these networks is addressed with addresses that must be translated before packets are forwarded onto the other network. If required, NAT can also operate bidirectionally, translating both the source and destination addresses. Full NAT functionality is needed wherever one-to-one static or dynamic translations are required.

Both static and dynamic address translations are supported by Cisco IOS Software NAT, alone or in conjunction with one another. Static address translations require an administrator to explicitly map an external address to an internal address. Dynamic translations use an allocated IP pool, and each new IP address to be translated is dynamically mapped to another IP address from the pool in a round-robin fashion. Static translations generally allow access to a particular device through the NAT. For example, if a network has an internal Domain Name System (DNS) server that needs to communicate with an external DNS server, one configures a static translation to enable connectivity. The NAT then allows traffic to be passed between these statically known, but translated, addresses. Addresses used in static translations must explicitly be omitted from the dynamic translation pool.

An IP packet that traverses a NAT can have both its source and destination addresses translated by the NAT. RFC 1918 defines the address space to be allocated for private Internets. The document states: "The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets":

  10.0.0.0    - 10.255.255.255    (10/8 prefix)
  172.16.0.0  - 172.31.255.255    (172.16/12 prefix)
  192.168.0.0 - 192.168.255.255   (192.168/16 prefix)

NOTE

The IANA is now called the American Registry for Internet Numbers (ARIN).


The first block is referred to as the 24-bit block, the second as the 20-bit block, and the third as the 16-bit block. The first block is nothing but a single class A network number, the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers. The full document can be found in the available literature or at www.faqs.org/rfcs/rfc1918.html.

A sample Cisco IOS Software NAT configuration requires the interface commands in Example 10-15: the Ethernet0 interface is marked as the inside and the Dialer 1 interface as the outside.

Example 10-15. Cisco IOS Software NAT Configuration
 !
 interface Ethernet0
 <output omitted>
  ip nat inside
  no shutdown
 !
 Under the Dialer 1 interface:
 <output omitted>
  ip nat outside
 <output omitted>

Example 10-16 shows the configuration in global configuration mode.

Example 10-16. Cisco IOS Software NAT Configuration: Global Configuration Mode
 ip nat inside source list 111 interface Dialer1 overload
 access-list 10 permit ip any any
 access-list 111 deny   udp any eq netbios-dgm any
 access-list 111 deny   udp any eq netbios-ns any
 access-list 111 deny   udp any eq netbios-ss any
 access-list 111 deny   tcp any eq 137 any
 access-list 111 deny   tcp any eq 138 any
 access-list 111 deny   tcp any eq 139 any
 access-list 111 permit ip any any time-range TIME
 dialer-list 1 protocol ip permit
 <output omitted>
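The access list in Example 10-16 decides which inside-originated packets are translated: for the ip nat inside source list command, a permit means "translate", a deny means "forward without translation", and an unmatched packet falls through to the implicit deny. The following Python program is an added example, not code from the book, that parses exactly the access-list lines shown above and evaluates sample packets against them in first-match order. The time-range TIME is not defined anywhere on the page, so the evaluator takes the set of active time-range names as a parameter; the Packet and Ace names are this example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Port names Cisco IOS accepts in extended ACLs; the three NetBIOS names are
# the ones Example 10-16 uses.
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# The ACL text of Example 10-16, reproduced here as the parser's input.
ACL_111 = """\
access-list 111 deny   udp any eq netbios-dgm any
access-list 111 deny   udp any eq netbios-ns any
access-list 111 deny   udp any eq netbios-ss any
access-list 111 deny   tcp any eq 137 any
access-list 111 deny   tcp any eq 138 any
access-list 111 deny   tcp any eq 139 any
access-list 111 permit ip any any time-range TIME
"""


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src_port: Optional[int]     # 'eq' on the SOURCE port; None means any
    time_range: Optional[str]   # name of a time-range, or None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N deny|permit <proto> any [eq <port>] any [time-range X]'.

    Only the subset of the syntax that appears in Example 10-16 is handled."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list line: %r" % line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src_port = time_range = None
    if rest[:1] == ["any"]:                 # source address
        rest = rest[1:]
    if rest[:1] == ["eq"]:                  # source port qualifier
        src_port = NAMED_PORTS.get(rest[1])
        if src_port is None:
            src_port = int(rest[1])
        rest = rest[2:]
    if rest[:1] == ["any"]:                 # destination address
        rest = rest[1:]
    if rest[:1] == ["time-range"]:
        time_range = rest[1]
    return Ace(action, proto, src_port, time_range)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def nat_eligible(acl: List[Ace], pkt: Packet,
                 active_time_ranges: FrozenSet[str] = frozenset()) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny.

    Under 'ip nat inside source list 111 ...' True means the packet is
    translated, False means it is forwarded untranslated."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.src_port is not None and ace.src_port != pkt.sport:
            continue
        if ace.time_range is not None and ace.time_range not in active_time_ranges:
            continue                        # inactive time-range: entry is skipped
        return ace.action == "permit"
    return False


ACL = parse_acl(ACL_111)

if __name__ == "__main__":
    nbns = Packet("udp", "10.0.0.2", 137, "141.68.235.228", 137)
    web = Packet("tcp", "10.0.0.2", 4734, "141.68.235.244", 80)
    print(nat_eligible(ACL, nbns, frozenset({"TIME"})))   # NetBIOS is never translated
    print(nat_eligible(ACL, web, frozenset({"TIME"})))    # translated while TIME is active
    print(nat_eligible(ACL, web))                         # not translated outside TIME
```

One thing the evaluator makes visible is that the deny entries match on the source port only. A NetBIOS name-service packet (UDP source and destination port 137) is excluded, but a TCP session from an ephemeral source port to destination port 139 is still translated, which is consistent with the TCP 139 exchange that the debug output in Example 10-19 shows passing through the NAT.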

TIP

Before starting the troubleshooting process, use the command clear ip nat translations, which is helpful in the NAT debug process.


To troubleshoot the solution, you can use the debug in Example 10-17.

Example 10-17. Debug for NAT
 804-isdn# debug ip nat
 *Mar  1 00:03:43.065: NAT: o: icmp (10.0.0.1, 5574) -> (10.0.0.2, 5574) [0]
 *Mar  1 00:03:44.565: NAT: o: icmp (10.0.0.1, 5575) -> (10.0.0.2, 5575) [1]
 *Mar  1 00:03:49.065: NAT: i: udp (10.0.0.2, 137) -> (161.68.235.228, 137) [18082]
 *Mar  1 00:03:50.565: NAT: i: udp (10.0.0.2, 137) -> (161.68.235.228, 137) [18083]

The first two lines show that the default gateway 10.0.0.1 is exchanging Internet Control Message Protocol (ICMP) packets with the newly assigned 10.0.0.2. The second two lines show 10.0.0.2 using port 18082 and exchanging UDP port 137 packets with an IP address.

To check the ARP cache transactions, use the debug in Example 10-18.

As soon as the ip nat debug is turned on, you can see the standard data exchange and NAT in action.

Example 10-18. Example of Debugging NAT
 804-isdn# show ip nat translations
 804-isdn# debug arp
 804-isdn# debug ip nat
 IP NAT debugging is on
 ARP packet debugging is on
 804-isdn#
 *Oct 105 01:15:19.198: IP ARP: rcvd req src 10.0.0.2 0050.dabb.c887,
   dst 10.0.0.2 Ethernet0
 ! IP ARP request from an IP source with MAC address 0050.dabb.c887.
 *Oct 105 01:15:20.166: IP ARP: rcvd req src 10.0.0.2 0050.dabb.c887,
   dst 10.0.0.2 Ethernet0
 ! Again the same request
 *Oct 105 01:15:21.166: IP ARP: rcvd req src 10.0.0.2 0050.dabb.c887,
   dst 10.0.0.2 Ethernet0
 ! and again
 *Oct 105 01:15:23.178: IP ARP: creating entry for IP address: 10.0.0.2,
   hw: 0050.dabb.c887
 ! The entry in the ARP cache is created to map IP 10.0.0.2 to MAC 0050.dabb.c887.
 *Oct 105 01:15:23.182: IP ARP: sent rep src 10.0.0.1 00b0.64ba.2c81,
   dst 10.0.0.2 0050.dabb.c887 Ethernet0
 ! A confirmation (reply) is sent to confirm the assignment.
 804-isdn# show arp
 Protocol  Address          Age (min)  Hardware Addr   Type   Interface
 Internet  10.0.0.2                1   0050.dabb.c887  ARPA   Ethernet0
 Internet  10.0.0.1                -   00b0.64ba.2c81  ARPA   Ethernet0

Example 10-19 shows the negotiation of the IP addresses and related ports.

Example 10-19. Negotiations of the IP and Related Ports in Cisco IOS Software
 Oct 105 04:30:31.837: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139) [17225]
 *Oct 105 04:30:31.885: NAT: o: tcp (141.68.235.244, 139) -> (141.70.209.81, 4734) [45847]
 ! Outside source is sending TCP 139 data to the public address of the user 141.70.209.81.
 *Oct 105 04:30:32.029: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139) [17226]
 *Oct 105 04:30:42.873: NAT: o: udp (192.168.165.15, 496) -> (230.0.1.39, 496) [38427]
 *Oct 105 04:30:42.889: NAT: o: udp (192.168.165.15, 496) -> (230.0.1.39, 496) [38426]
 *Oct 105 04:30:57.593: NAT: o: udp (141.69.10.13, 496) -> (230.0.1.40, 496) [19018]
 *Oct 105 04:30:57.609: NAT: o: udp (141.69.10.13, 496) -> (230.0.1.40, 496) [19016]
 *Oct 105 04:30:58.097: NAT: o: tcp (141.68.235.244, 139) -> (141.70.209.81, 4734) [53804]
 *Oct 105 04:30:58.265: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139) [17227]
 *Oct 105 04:31:04.645: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139) [17228]
 *Oct 105 04:31:04.693: NAT: o: tcp (141.68.235.244, 139) -> (141.70.209.81, 4734) [24625]
 *Oct 105 04:31:04.877: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139) [17229]
 *Oct 105 04:31:12.017: NAT: i: udp (10.0.0.2, 4796) -> (141.68.10.70, 53) [17230]
 *Oct 105 04:31:12.017: NAT: ipnat_allocate_port: wanted 4796 got 4796
 *Oct 105 04:31:12.021: NAT: i: udp (10.0.0.2, 137) -> (141.68.235.228, 137) [17231]
 *Oct 105 04:31:12.073: NAT: o: udp (141.68.10.70, 53) -> (141.70.209.81, 4796) [44539]
 ! The DNS server is sending its reply (UDP 53) to the public IP of the
 ! user 141.70.209.81
 *Oct 105 04:31:12.077: NAT: i: icmp (10.0.0.2, 512) -> (141.68.222.155, 512) [17232]
 *Oct 105 04:31:12.081: NAT: ipnat_allocate_port: wanted 512 got 512
 ! Port 512 allocation example.
 *Oct 105 04:31:12.117: NAT: o: icmp (141.68.222.155, 512) -> (141.70.209.81, 512) [5514]
 *Oct 105 04:31:12.121: NAT: i: tcp (10.0.0.2, 4795) -> (141.68.222.155, 445) [17233]
 *Oct 105 04:31:12.121: NAT: ipnat_allocate_port: wanted 4795 got 4795
 ! Port 4795 allocation example.
 *Oct 105 04:31:12.157: NAT: o: tcp (141.68.222.155, 445) -> (141.70.209.81, 4795) [5534]
 *Oct 105 04:31:12.585: NAT: i: tcp (10.0.0.2, 4795) -> (141.68.222.155, 445) [17234]
 *Oct 105 04:31:12.621: NAT: o: tcp (141.68.222.155, 445) -> (141.70.209.81, 4795) [5722]
 *Oct 105 04:31:13.089: NAT: i: tcp (10.0.0.2, 4795) -> (141.68.222.155, 445) [17235]
 *Oct 105 04:31:13.121: NAT: o: tcp (141.68.222.155, 445) -> (141.70.209.81, 4795) [5816]
 *Oct 105 04:31:13.517: NAT: i: udp (10.0.0.2, 137) -> (141.68.235.228, 137) [17236]

In this example, the information in the first line reads this way:

Inside IP 10.0.0.2, using TCP port 4734, is requesting TCP port 139 service from 141.68.235.244, and the I-O transformation uses port 17225.
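Reading debug ip nat output by eye is fine for a dozen lines, but a parser is more useful when troubleshooting a busy router. The following Python program is an added example, not code from the book, that serves both the RFC 1918 discussion earlier in the section and the debug output of Examples 10-17 and 10-19: it extracts direction, protocol, addresses, ports and the bracketed number from each "NAT: i:/o:" line, collects the "ipnat_allocate_port: wanted N got N" lines, classifies addresses against the three RFC 1918 blocks quoted above, counts the distinct inside streams (each one a translation-table entry when overload is used) and flags packets seen on the outside side whose source is a private address. The sample input is a handful of lines reproduced from Examples 10-17 and 10-19; the function names and the 160-byte-per-entry estimate's use as a cost figure are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One 'NAT: i:|o: <proto> (src, sport) -> (dst, dport) [id]' record.
NAT_LINE = re.compile(
    r"NAT: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\d.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dst>[\d.]+), (?P<dport>\d+)\)\s*\[(?P<ident>\d+)\]"
)
ALLOC_LINE = re.compile(r"ipnat_allocate_port: wanted (?P<wanted>\d+) got (?P<got>\d+)")

# The three RFC 1918 blocks quoted in the chapter.
RFC1918_BLOCKS = [
    (ipaddress.ip_network("10.0.0.0/8"), "24-bit block (10/8)"),
    (ipaddress.ip_network("172.16.0.0/12"), "20-bit block (172.16/12)"),
    (ipaddress.ip_network("192.168.0.0/16"), "16-bit block (192.168/16)"),
]

# Sample lines reproduced from Examples 10-17 and 10-19 (one per case of interest).
SAMPLE_DEBUG = """\
*Mar  1 00:03:49.065: NAT: i: udp (10.0.0.2, 137) -> (161.68.235.228, 137) [18082]
Oct 105 04:30:31.837: NAT: i: tcp (10.0.0.2, 4734) -> (141.68.235.244, 139)   [17225]
*Oct 105 04:30:31.885: NAT: o: tcp (141.68.235.244, 139) -> (141.70.209.81, 4734)   [45847]
*Oct 105 04:30:42.873: NAT: o: udp (192.168.165.15, 496) -> (230.0.1.39, 496)   [38427]
*Oct 105 04:31:12.017: NAT: i: udp (10.0.0.2, 4796) -> (141.68.10.70, 53) [17230]
*Oct 105 04:31:12.017: NAT: ipnat_allocate_port: wanted 4796 got 4796
*Oct 105 04:31:12.077: NAT: i: icmp (10.0.0.2, 512) -> (141.68.222.155, 512)   [17232]
*Oct 105 04:31:12.081: NAT: ipnat_allocate_port: wanted 512 got 512
"""


@dataclass(frozen=True)
class NatEvent:
    direction: str   # "i" = inside->outside, "o" = outside->inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ident: int       # the bracketed number at the end of the line


def private_block(addr: str) -> Optional[str]:
    """Name of the RFC 1918 block containing addr, or None for public space."""
    ip = ipaddress.ip_address(addr)
    for net, name in RFC1918_BLOCKS:
        if ip in net:
            return name
    return None


def parse_debug(text: str) -> List[NatEvent]:
    events = []
    for line in text.splitlines():
        m = NAT_LINE.search(line)
        if m:
            events.append(NatEvent(m["dir"], m["proto"], m["src"], int(m["sport"]),
                                   m["dst"], int(m["dport"]), int(m["ident"])))
    return events


def port_changes(text: str) -> List[Tuple[int, int]]:
    """(wanted, got) from every ipnat_allocate_port line; wanted != got means
    the inside port was already taken on the outside address."""
    return [(int(m["wanted"]), int(m["got"])) for m in ALLOC_LINE.finditer(text)]


def inside_streams(events: List[NatEvent]) -> Set[Tuple[str, str, int]]:
    """Distinct (proto, inside ip, inside port) seen leaving: with overload each
    one is a separate translation-table entry."""
    return {(e.proto, e.src, e.sport) for e in events if e.direction == "i"}


def estimated_table_bytes(events: List[NatEvent], bytes_per_entry: int = 160) -> int:
    """Rough DRAM cost of the table at the chapter's 160 bytes per entry."""
    return bytes_per_entry * len(inside_streams(events))


def private_sources_from_outside(events: List[NatEvent]) -> List[str]:
    """Packets seen on the outside side whose source is RFC 1918 space.

    RFC 1918 addresses are not meant to be routed between organisations, so
    such a packet arriving from the outside is worth investigating."""
    return [e.src for e in events if e.direction == "o" and private_block(e.src)]


if __name__ == "__main__":
    evs = parse_debug(SAMPLE_DEBUG)
    for e in evs:
        print(e.direction, e.proto, e.src, e.sport, "->", e.dst, e.dport, e.ident)
    print("streams:", inside_streams(evs), "~bytes:", estimated_table_bytes(evs))
    print("private sources from outside:", private_sources_from_outside(evs))
    print("port allocations:", port_changes(SAMPLE_DEBUG))
```

On the sample lines the parser finds four distinct inside streams from 10.0.0.2 (UDP 137, TCP 4734, UDP 4796 and ICMP 512), both port allocations kept the wanted port, and the one outside-side packet with a 192.168 source in Example 10-19 is the line the private-source check picks out.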

The number of simultaneous NAT translations supported on a given platform is bounded by the amount of available dynamic random-access memory (DRAM) in the router. Each NAT translation consumes about 160 bytes of memory. When the overload function is used, each time a different stream (identified by an IP address, protocol, and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number) passes through the NAT router, a new entry is created in the table. If traditional address translation is used, each IP address maps to only one IP address and creates a single table entry. Not all traffic is supported by NAT/PAT, which can create an issue for some protocols.

Some of the protocols supported by Cisco IOS Software NAT include HTTP, TFTP, Telnet, Archie, Finger, Network Time Protocol (NTP), Network File System (NFS), rlogin, remote shell (rsh), remote copy (rcp), and any TCP/UDP traffic that does not carry source or destination IP addresses in the application data stream.

Unsupported traffic includes routing table updates, DNS zone transfers, Bootp, talk, ntalk, Simple Network Management Protocol (SNMP), and NetShow. See Cisco.com for the full description of protocols.




Troubleshooting Remote Access Networks (CCIE Professional Development)
ISBN: 1587050765
Year: 2002
Pages: 235
