Network Address Translation (NAT) – Overview
KHAWAR BUTT, CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]

Overview
➢ NAT Overview
➢ NAT Classifications
➢ Dynamic NAT
➢ Static NAT
➢ Dynamic PAT
➢ Static PAT

Network Diagram
[Figure: lab topology. An ASA firewall (interfaces G0/0–G0/3, all .10) connects an Inside segment (R1, 10.1.1.0/24), DMZ-3 (R3, 192.168.3.0/24), DMZ-4 (R4, 192.168.4.0/24) and an Outside segment (192.1.20.0/24 towards the ISP router R2 and the Internet).]

NAT Overview
➢ IP address blocks are assigned to ISPs by the Internet Assigned Numbers Authority (IANA).
➢ The ISP in turn assigns IP addresses to its clients, which could be individual users or enterprises. They use these addresses to communicate with each other on the Internet. These addresses are known as Public Addresses.
➢ The Internet has grown beyond anyone's expectations.
➢ As a result of the explosion of the Internet, IP addresses are getting depleted.
➢ To counter this concern, IANA reserved a certain set of addresses that can be used internally within private networks.
➢ These addresses can be used for communication within a private network. They are defined in a standards document called an RFC; the RFC for private addresses is RFC 1918.
➢ These addresses cannot be used on the Internet. They are assigned within the private network and translated to a public address when the device wants to communicate with the Internet.

Private IP Address & NAT
➢ The ISP assigns dynamic IP addresses to clients from a pool of addresses. When a client is not using its address, the address is returned to the pool and can be re-used by another client that requires it at that moment.
➢ This allows public addresses to be used more efficiently.
➢ If an individual has several devices on his premises, such as on a home or office network, private addresses can be used internally.
➢ They are used when the devices want to communicate with each other on the internal network.
➢ When an internal device wants to communicate with a device on the Internet, the private address is translated to the IP address assigned to the individual or company by the ISP.
➢ This process is called Network Address Translation (NAT). Multiple internal devices can share the same public IP address on the Internet. This conserves IP addresses by assigning a single address to a set of multiple internal addresses.

NAT Classifications
➢ When we translate our own address (Private-to-Public or Public-to-Private), it is known as Inside NAT or Source NAT. This is the most common type of NAT. Generally we translate our private address to our ISP-assigned public address when the packet is going from Inside to Outside, and we translate our public address back to the corresponding private address when the packet is coming in from Outside to Inside.
➢ When we translate the remote address on our network (Private-to-Public or Public-to-Private), it is known as Outside NAT or Destination NAT. Generally we are NOT translating the remote address on our internal networks.

NAT Classifications
➢ Another way of classifying NAT is by whether the translation is a simple IP-to-IP translation or also involves port numbers.
➢ If NAT is configured so that it only uses IP-to-IP translations, it is known as Network Address Translation (NAT).
➢ If NAT is configured so that it uses a port number in addition to an IP address to perform the translation, it is known as Port Address Translation (PAT) or NAT overload. This is done when you have a small number of public addresses compared to the number of internal devices that need to be translated.

NAT Classifications
➢ Another way of classifying NAT is by whether NAT entries are created manually or are created when a flow requires them.
➢ When we have internal devices going out to the Internet, we can define a pool of addresses that can be used on the public network. When an internal device initiates a connection to the outside, the NAT device dynamically picks an address from the pool of public addresses and creates an entry in the translation table. This is known as Dynamic NAT. It is generally used for traffic initiated from Inside to Outside.
➢ If we want our devices to always be translated to the same address, we configure a manual entry in the translation table. This is known as Static NAT. This is generally done for our public-facing devices, such as public servers.

Main NAT Types
➢ Let's take a look at the popular NAT types:
  • Dynamic NAT
  • Static NAT
  • Dynamic PAT
  • Static PAT

Dynamic NAT
➢ This type of NAT is used when clients on the inside initiate a connection towards a device on the Internet.
➢ In this type of NAT, your internal private address gets changed to your public address.
➢ You configure a pool of addresses on your NAT device. This pool consists of the public IP addresses assigned to your company by the ISP.
➢ As a packet tries to go from your internal network towards the Internet, the NAT device translates the internal private address to an address from the pool of public addresses configured on the NAT device.
➢ The translation between the private and public address is stored in the translation table of the NAT device so that the return traffic can be translated back to the original IP and forwarded to the internal device. This entry is created dynamically at the time the connection is made.
➢ The entry stays in the translation table for a configurable amount of idle time, after which the translation entry is removed and the address is returned to the pool.
➢ The internal device is not aware that the NAT process has taken place.
Static NAT
➢ This type of NAT is used when internal devices require a fixed address on the Internet.
➢ Generally this is the case for the company's public devices/servers that need to be accessed from the Internet by clients.
➢ You configure the mapping between the internal IP and its corresponding public IP manually on the router.
➢ Unlike Dynamic NAT, where the entry in the translation table is created when the client initiates the connection, Static NAT entries are created immediately.
➢ The reason for this is that the entry needs to be present in the translation table at the time an Internet-based client initiates a connection towards your public server.

Dynamic PAT
➢ This type of NAT is used when clients on the inside initiate a connection towards a device on the Internet.
➢ In this type of NAT, your internal private address gets changed to your public address.
➢ Dynamic PAT is used when you have a small number of public IPs and multiple simultaneous connections.
➢ Dynamic PAT allows multiple clients from the internal network to go to the Internet using a single public IP.
➢ Uniqueness in the translation table is maintained by using an IP/port combination.
➢ The NAT device uses the client's randomly generated source port as the port number in the translation table.
➢ If there is already a translation using the same port number, the NAT device also changes the source port in the outgoing packet to make the translation unique.
➢ The internal device is not aware that the NAT process has taken place.

Static PAT
➢ This type of NAT is used when internal devices require a fixed address on the Internet.
➢ Generally this is the case for the company's public devices/servers that need to be accessed from the Internet by clients.
➢ Static PAT is used when you have a small number of public IPs and more internal servers/devices that need to be made available on the Internet.
➢ Uniqueness in the translation table is maintained by using an IP/port combination.
➢ You configure this entry manually.
➢ The reason for this is that the entry needs to be present in the translation table at the time an Internet-based client initiates a connection towards your public server.
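As an added example (not from the slides), a small Python model of a NAT device's translation table that ties the four types together: Static NAT/PAT entries exist before any traffic, Dynamic NAT takes an address from a pool and returns it when the idle timer expires, and Dynamic PAT keeps the client's source port unless it collides with an existing entry. All addresses are constructed (RFC 1918 inside, 192.1.20.x as an assumed ISP-assigned block), and the collision strategy (next free port upward) is an assumption, since real devices differ.

```python
# Added example: minimal model of a NAT translation table (constructed addresses).
class NatDevice:
    def __init__(self, pool, pat_ip):
        self.pool = list(pool)   # free public addresses for Dynamic NAT
        self.pat_ip = pat_ip     # single public IP shared by Dynamic PAT
        self.table = {}          # (inside_ip, inside_port) -> (public_ip, public_port)
        self.pat_ports = set()   # public ports currently in use on pat_ip

    def add_static(self, inside_ip, public_ip, inside_port=None, public_port=None):
        """Static NAT (ports None) or Static PAT: the entry exists before any traffic."""
        self.table[(inside_ip, inside_port)] = (public_ip, public_port)

    def dynamic_nat(self, inside_ip):
        """Outbound flow: take a pool address on first use, reuse it while the entry lives."""
        key = (inside_ip, None)
        if key not in self.table:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")   # no free public address left
            self.table[key] = (self.pool.pop(0), None)
        return self.table[key]

    def release_dynamic_nat(self, inside_ip):
        """Idle timeout expired: remove the entry and return the address to the pool."""
        public_ip, _ = self.table.pop((inside_ip, None))
        self.pool.append(public_ip)

    def dynamic_pat(self, inside_ip, src_port):
        """Outbound flow on the shared IP: keep the client's port unless it is taken.
        Collision handling (next free port upward) is an assumption, not a vendor rule."""
        key = (inside_ip, src_port)
        if key not in self.table:
            port = src_port
            while port in self.pat_ports:            # same port already translated
                port = port + 1 if port < 65535 else 1024
            self.pat_ports.add(port)
            self.table[key] = (self.pat_ip, port)
        return self.table[key]

    def inbound(self, public_ip, public_port):
        """Return traffic from Outside: reverse lookup, or None if no entry (packet dropped)."""
        for inside, outside in self.table.items():
            if outside == (public_ip, public_port):
                return inside
        return None
```

Inbound packets that match no entry are dropped, which is why the static entries must be installed before any Internet client can reach a server behind the device.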