Chapter 7 - Network Address Translation

NETWORK SECURITY
Network Address Translation
CONTENTS
• What is NAT
• NAT Terminology
• How NAT works
• NAT translation
• Dynamic, static and overloading
• Advantages and disadvantages
• Configuration and troubleshooting on Cisco routers
WHAT IS NAT?

• An IETF standard that allows an organization to present itself to the Internet with far fewer IP addresses than there are nodes on its internal network.
• NAT translates non-routable, private, internal addresses into routable, public addresses.
• Uses of NAT:
  • Saves IP addresses by allowing networks to use private IP addresses.
  • Adds a degree of privacy and security to a network by hiding internal IP addresses from outside networks.
• A NAT-enabled device typically operates at the border of a stub network (a stub network is a network that has a single connection to its neighbor network).
NAT TERMINOLOGY

• Inside local address – “The IP address assigned to a host on the inside network” (McQuerry, 2008). From the figure, an example is x.x.x.x.
• Inside global address – A legitimate public IP address assigned to a host when it exits a NAT device. From the figure, x.x.x.x is translated to p.p.p.p.
• Outside global address – “The public IP address of an outside host as it appears to the inside network” (McQuerry, 2008). For example, the web server is reachable at IP address 209.165.201.1.
NAT TRANSLATION

NAT TYPES

• “Static NAT: This type of NAT is designed to allow one-to-one mapping between local and global addresses. The static version requires you to have one real Internet IP address for every host on your network.”
• “Dynamic NAT: This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You need enough real IP addresses for everyone who's going to be sending packets to and receiving them from the Internet at the same time.”
• “Overloading: This is the most popular type of NAT configuration. It maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports. Also known as Port Address Translation (PAT). By using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address” (Lammle, 2011).
NAT OVERLOAD

PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, up to 65,536 addresses can be translated into a single address.
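As an added illustration (not from the slides, Lammle or Cisco), a small Python model of a PAT table: two inside hosts using the same source port share one inside global address, and an inbound packet with no matching entry is dropped. The address 170.46.2.2 is borrowed from the static NAT example later in the chapter; the port-allocation policy (keep the original port when free, else the next unused one) is an assumption.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (IP address, port)

class PatTable:
    """Constructed model of a NAT overload (PAT) translation table, keyed by
    source port on one inside global address. Not Cisco's implementation."""

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.next_port, self.last_port = first_port, last_port
        self.out: Dict[Flow, int] = {}   # (inside local IP, port) -> global port
        self.back: Dict[int, Flow] = {}  # global port -> (inside local IP, port)

    def _alloc_port(self, wanted: int) -> int:
        # Keep the original source port when it is free; otherwise take the
        # next unused port. Running out is the practical limit of one address.
        if wanted >= 1024 and wanted not in self.back:
            return wanted
        while self.next_port <= self.last_port and self.next_port in self.back:
            self.next_port += 1
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port space on %s exhausted" % self.inside_global)
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src_ip: str, src_port: int) -> Flow:
        """Translate an inside-local source to the inside-global address plus a
        unique port, creating the table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.out:
            gport = self._alloc_port(src_port)
            self.out[key], self.back[gport] = gport, key
        return (self.inside_global, self.out[key])

    def inbound(self, dst_port: int) -> Optional[Flow]:
        """Reverse-translate a packet addressed to the inside global address.
        None means no inside host opened this flow, so the packet is dropped:
        this is the 'hiding internal addresses' property the slides mention."""
        return self.back.get(dst_port)
```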
NAT ADVANTAGES AND DISADVANTAGES

NAT Advantages
• Conserves the legally registered addresses.
• Remedies address overlap occurrence.
• Increases flexibility when connecting to the Internet.
• Eliminates address renumbering as the network changes.
• Provides security by hiding internal IP addresses.

NAT Disadvantages
• Translation introduces switching path delays.
• Loss of end-to-end IP traceability.
• Certain applications will not function well with NAT enabled (like VoIP).
CONFIGURING STATIC NAT ON A CISCO ROUTER

Library(config)# ip nat inside source static <local-IP> <global-IP>
Library(config)# interface <interface name slot>
Library(config-if)# ip address <ip address> <subnet mask>
Library(config-if)# ip nat inside
Library(config)# interface <interface name slot>
Library(config-if)# ip address <ip address> <subnet mask>
Library(config-if)# ip nat outside
STATIC NAT CONFIGURATION EXAMPLE

Library(config)# ip nat inside source static 10.1.1.1 170.46.2.2
Library(config)# interface Ethernet0
Library(config-if)# ip address 10.1.1.10 255.255.255.0
Library(config-if)# ip nat inside
Library(config)# interface Serial0
Library(config-if)# ip address 170.46.2.1 255.255.255.0
Library(config-if)# ip nat outside
DYNAMIC NAT CONFIGURATION

Library(config)# ip nat pool <pool name> <start-ip> <end-ip> netmask <subnet mask>
Library(config)# ip nat inside source list <access-list number> pool <pool name>
Library(config)# interface <interface name slot>
Library(config-if)# ip address <ip address> <subnet mask>
Library(config-if)# ip nat inside
Library(config)# interface <interface name slot>
Library(config-if)# ip address <ip address> <subnet mask>
Library(config-if)# ip nat outside
Library(config)# access-list <acl-no> {permit | deny} <source> <source wildcard mask>
DYNAMIC NAT CONFIGURATION EXAMPLE

Library(config)# ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0
Library(config)# ip nat inside source list 1 pool todd
Library(config)# interface Ethernet0
Library(config-if)# ip address 10.1.1.10 255.255.255.0
Library(config-if)# ip nat inside
Library(config)# interface Serial0
Library(config-if)# ip address 170.168.2.1 255.255.255.0
Library(config-if)# ip nat outside
Library(config)# access-list 1 permit 10.1.1.0 0.0.0.255
VERIFYING NAT CONFIGURATIONS

“• Check the dynamic pools. Are they composed of the right scope of addresses?
• Check to see if any dynamic pools overlap.
• Check to see if the addresses used for static mapping and those in the dynamic pools overlap.
• Ensure that your access lists specify the correct addresses for translation.
• Make sure there aren't any addresses left out that need to be there, and ensure that none are included that shouldn't be.
• Check to make sure you've got both the inside and outside interfaces delimited properly.” (Lammle, 2011)
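The first four checklist items can be tested mechanically before the configuration is applied. The Python below is an added example, not from Lammle or Cisco: it parses the IOS-style NAT lines in the form shown earlier and reports pool scope, pool overlap, static/pool overlap and unresolved access-list or pool references. The sample config is constructed; the second pool and the static mapping were added on purpose so that every check has something to report.

```python
import ipaddress
import re

# Constructed sample: the page's dynamic NAT lines plus a second pool and a
# static mapping added so that every check below has something to report.
SAMPLE_CONFIG = """\
Library(config)# ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0
Library(config)# ip nat pool other 170.168.2.200 170.168.3.10 netmask 255.255.255.0
Library(config)# ip nat inside source list 1 pool todd
Library(config)# ip nat inside source list 2 pool missing
Library(config)# ip nat inside source static 10.1.1.1 170.168.2.50
Library(config)# access-list 1 permit 10.1.1.0 0.0.0.255
"""

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def check_nat_config(config: str) -> list:
    """Findings for the checklist items decidable from the config text alone."""
    pools, statics, lists, acls = {}, [], [], {}
    for raw in config.splitlines():
        t = re.sub(r"^\S*#\s*", "", raw).split()        # drop the "Library(config)#" prompt
        if t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = (_ip(t[4]), _ip(t[5]), t[7])   # start, end, netmask
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics.append((t[5], _ip(t[6])))           # local, global
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            lists.append((t[5], t[7]))                  # acl number, pool name
        elif t[:1] == ["access-list"]:
            acls.setdefault(t[1], []).append(t[2])      # permit / deny
    findings = []
    for name, (lo, hi, mask) in pools.items():           # right scope of addresses?
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{mask}", strict=False)
        if lo > hi or ipaddress.IPv4Address(hi) not in net:
            findings.append(f"pool {name}: range is not within {net}")
    names = sorted(pools)
    for i, a in enumerate(names):                        # do dynamic pools overlap?
        for b in names[i + 1:]:
            if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]:
                findings.append(f"pools {a} and {b} overlap")
    for local, glob in statics:                          # static vs dynamic overlap?
        for name, (lo, hi, _) in pools.items():
            if lo <= glob <= hi:
                findings.append(f"static {local} -> {ipaddress.IPv4Address(glob)} lies inside pool {name}")
    for acl, pool in lists:                              # do the references resolve?
        if "permit" not in acls.get(acl, []):
            findings.append(f"access-list {acl} has no permit entry")
        if pool not in pools:
            findings.append(f"pool {pool} is not defined")
    return findings
```

Whether the access list covers exactly the hosts that should be translated (the fifth item) still needs the site's address plan, which no parser can supply.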

VERIFYING NAT AND NAT OVERLOAD

Library# show ip nat translations
Library# debug ip nat
Library# show ip nat statistics
