Network Address Translation Overview
Network Address Translation (NAT) lets a large number of hosts that use private IP addresses share a small number of public IP addresses, so more devices can reach the Internet than the available public address space would otherwise allow. NAT also hides the internal addressing scheme: a host outside the network sees only the translated public address. That concealment, together with the fact that a dynamic NAT or PAT router forwards an inbound packet only when it matches an existing translation entry, gives devices on the local area network (LAN) some incidental protection, but NAT is not a firewall and does not replace one; inbound filtering still has to be configured explicitly.
The fundamental process of implementing Network Address Translation involves setting up an internal network with private IP addresses reserved for local use. The organization is then allocated one or more public IP addresses, and routers equipped with NAT functionality are installed between the private network and the public internet. The NAT router’s primary role is to translate private network addresses in data packets into public IP addresses and vice versa. As data passes through, Network Address Translation not only inspects the packet information but also adjusts the IP address and port details in the packet header, enabling multiple devices behind the NAT router to share a limited number of public IP addresses efficiently.
When to Use Network Address Translation (NAT)?
Because Network Address Translation (NAT) rewrites addresses at the network boundary, it is useful when two companies with overlapping internal address ranges need to merge their networks, and when an organization changes its Internet Service Provider (ISP) but the network administrator does not want to change the internal address scheme. It also reduces the number of public IP addresses an organization needs.
The following are scenarios where Network Address Translation (NAT) is applied:
- The user needs to access the Internet but the host does not have a globally unique IP address
- Users need to renumber their networks when changing ISPs
- Users need to merge intranets with duplicate addresses
NAT is usually applied to border routers. For example, in the following figure, Network Address Translation (NAT) is applied to the router that connects the enterprise to the Internet:
Advantages and disadvantages of NAT:

  Advantages                                   Disadvantages
  Saves registered (public) addresses          Address translation adds forwarding delay on the switching path
  Solves the address overlap problem           End-to-end IP addresses can no longer be traced
  Improves flexibility of Internet access      Some applications cannot be used (those that carry IP addresses inside the payload)
  Network changes do not require renumbering
Network Address Translation Type:
Static NAT: a one-to-one permanent mapping between a local address and a global address. Each host that is mapped this way needs its own real Internet IP address. Note that the mapping works in both directions: a statically mapped host is reachable from the Internet at its global address unless an access list on the outside interface blocks that traffic.
Dynamic NAT: maps an unregistered (private) address to one address taken from a pool of registered addresses, allocated on demand. There is no need to configure an individual mapping for every internal address as with static NAT, but the pool must hold enough real addresses for all the internal hosts that are sending and receiving packets at the same time.
Port NAT (PAT): the most common NAT configuration. Many unregistered addresses are mapped to one legal address (many to one), and the router distinguishes the internal hosts by the source port it assigns to each translation. With PAT, thousands of users can reach the Internet through a single global IP address.
NAT Terminology:
Global address: the address seen after translation. It is normally a public address routable on the Internet; a host that never reaches the Internet does not need one.
Local address: the address used before translation. The inside local address is the private address of the sending host that is trying to reach the Internet. The outside local address is the address of the outside (destination) host as it appears to the inside network; in most configurations it is the same as the outside global address, because only the inside addresses are translated.
After translation the inside local address becomes the inside global address, and the outside global address is the real address of the destination host, as shown in the following table:

  Name             Meaning
  Inside local     Address of the source host before translation (the private address on the LAN)
  Outside local    Address of the destination host as seen from the inside network
  Inside global    Address of the source host after translation, as seen on the Internet (a real Internet address)
  Outside global   Address of the destination host on the Internet (a real Internet address)
NAT implementation details:
In the figure below, host 10.1.1.1 sends a message to a border router with NAT function . The router recognizes the source IP address as an internal local IP address, translates the source IP address in the message, and records the translation in the NAT table.
The packet, now carrying the translated source address, is forwarded out the outside interface to the destination host. When the reply arrives on the outside interface, the NAT router looks up its destination address (the inside global address) in the NAT table and translates it back to the inside local address before forwarding it inward. A packet arriving from outside that matches no table entry is not translated and never reaches an inside host.
In PAT mode, all internal hosts are translated to one IP address. As shown in the figure below, the table holds a port number in addition to the inside local and inside global IP addresses. The port number lets the router identify which host should receive the return data: it distinguishes the hosts by the source port of the traffic they send. Note that when the message leaves the router it has a destination port of 80, and the HTTP server sends its reply back with a destination port of 1026. That port lets the NAT router find the right entry in its table and translate the destination IP address back to the inside local address.
In this example the port number identifies the local host at the transport layer. If a real global IP address had to identify each source host, only static NAT could do it, and the addresses would quickly run out. PAT identifies the host at the transport layer instead, so in theory one real IP address can be shared by roughly 64,000 concurrent translations, one per usable source port; in practice the number is lower, because each host holds several connections at once and the router does not draw on the whole port range.
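The translation logic described for the NAT types above (static one-to-one versus PAT many-to-one) and in this PAT walk-through, as an added example that is not code from the original page: a small Python model of a border router's NAT table. The addresses come from the page's configuration examples (170.168.2.1 as the single inside global address, 10.1.1.1 mapped statically to 170.46.2.2); the outside hosts 198.51.100.10 and 203.0.113.7, the port allocation rule (keep the host's own source port when it is free, otherwise the lowest free port), the lookup that also checks the outside host, and the absence of entry timeouts are assumptions of this example, not a description of Cisco's implementation.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields NAT rewrites (example type; a real router sees the whole IP/TCP header)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Border router with one inside global address (PAT) plus optional static one-to-one entries.

    Assumptions of this example: global ports are drawn from port_range, the host's
    own source port is kept when free, and table entries never time out.
    """

    def __init__(self, global_ip, static=None, port_range=(1024, 65535)):
        self.global_ip = global_ip
        self.static = dict(static or {})                    # inside local -> inside global
        self.static_rev = {g: l for l, g in self.static.items()}
        self.lo, self.hi = port_range
        self.ports_in_use = set()
        # PAT table: (inside local ip, port, outside ip, port) -> inside global port
        self.out_table = {}
        # Reverse index used for replies: (inside global port, outside ip, port) -> (inside local ip, port)
        self.in_table = {}

    def _pick_port(self, wanted):
        # Keep the host's source port when free; a second host using the same port gets another one.
        if self.lo <= wanted <= self.hi and wanted not in self.ports_in_use:
            return wanted
        for port in range(self.lo, self.hi + 1):
            if port not in self.ports_in_use:
                return port
        raise RuntimeError("PAT port pool exhausted: no free inside global port")

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source address (and port for PAT) and record the translation."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])   # static NAT: port untouched
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.out_table.get(key)
        if gport is None:
            gport = self._pick_port(pkt.src_port)
            self.ports_in_use.add(gport)
            self.out_table[key] = gport
            self.in_table[(gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=gport)

    def inbound(self, pkt):
        """Outside -> inside: reverse the translation. Returns None when the packet is dropped."""
        if pkt.dst_ip in self.static_rev:
            # Static entries work in both directions, so unsolicited traffic reaches the host.
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip != self.global_ip:
            return None
        # The lookup includes the outside host, so only the peer of the recorded flow gets through.
        entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None   # no translation entry: unsolicited packet, dropped
        local_ip, local_port = entry
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)

    def translations(self):
        """Rows in the style of the page's NAT table: inside local, inside global, outside."""
        return sorted(
            (f"{lip}:{lport}", f"{self.global_ip}:{gport}", f"{oip}:{oport}")
            for (lip, lport, oip, oport), gport in self.out_table.items()
        )


if __name__ == "__main__":
    r = NatRouter("170.168.2.1", static={"10.1.1.1": "170.46.2.2"})
    # Constructed traffic: two inside hosts both pick source port 1026 toward the same web server.
    print(r.outbound(Packet("10.1.1.2", 1026, "198.51.100.10", 80)))
    print(r.outbound(Packet("10.1.1.3", 1026, "198.51.100.10", 80)))
    for row in r.translations():
        print(*row)
    print(r.inbound(Packet("198.51.100.10", 80, "170.168.2.1", 1026)))  # reply, delivered to 10.1.1.2
    print(r.inbound(Packet("203.0.113.7", 80, "170.168.2.1", 1026)))    # unsolicited, dropped (None)
```

Running it shows the two points the text makes and the caveat a practitioner cares about: the second host cannot keep port 1026, so it is given a different inside global port; a reply from the server is matched by destination port and translated back to the correct host; and a packet from a different outside host aimed at a live port, or at any unused port, finds no entry and is dropped, whereas the statically mapped host 10.1.1.1 receives unsolicited inbound traffic at 170.46.2.2 on any port.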
Static NAT configuration:
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
In the first router output, the ip nat inside source static command specifies the address to be translated. Here it creates a permanent mapping from the inside local address 10.1.1.1 to the inside global address 170.46.2.2. Because the mapping is static it is also applied to packets arriving from the Internet addressed to 170.46.2.2, which are delivered to 10.1.1.1; if that host should not be reachable from outside, an access list on the outside interface is still required.
Each interface carries an ip nat command: ip nat inside marks the interface as an inside interface and ip nat outside marks it as an outside interface. Looking back at the ip nat inside source command, it translates the source address of packets that enter on an inside interface and leave on an outside interface (and, for the replies, the destination address in the reverse direction). Its counterpart, ip nat outside source, translates the source address of packets that arrive on an outside interface, mapping an outside global address to an outside local address.
Dynamic NAT configuration:
Dynamic NAT provides a pool of real IP addresses to a group of inside users. Because port numbers are not used, every inside host that accesses the outside network at the same time occupies one real address from the pool for as long as its translation entry exists; once the pool is empty, further hosts cannot be translated until an entry times out.
The following is example output from a dynamic NAT configuration:
ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
The ip nat inside source list 1 pool todd command tells the router to translate the IP address matching access-list 1 to an address in the IP NAT pool named todd. Here, the ACL is not used to filter packets by allowing or denying data for security reasons. In this case, it is used to select or specify the data stream we are interested in. When the data stream matches the access list, it is pulled into the NAT process for translation.
The command ip nat pool todd 170.168.2.3 170.168.2.254 netmask 255.255.255.0 creates the address pool from which global addresses are handed out to inside hosts that need them. When troubleshooting Cisco NAT, first check that the pool holds enough addresses for the inside hosts that are active at the same time; a host whose translation fails for lack of a free address simply cannot reach the outside. Also make sure the pool name used in the ip nat inside source command matches the pool definition exactly, keeping in mind that pool names are case sensitive.
Port NAT configuration:
The following is example output of a port NAT configuration:
ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
The differences between port NAT and dynamic NAT configuration are:
The address pool becomes only one IP address
Add the overload keyword at the end of the ip nat inside source command.
A key point in this example is that the single address in the pool is the same address as the outside interface (170.168.2.1). If further addresses such as 170.168.2.2 are available, they can be added to the pool; this helps when a large number of inside hosts are active at the same time and the ports of one overload address are not enough. IOS can also overload the outside interface address directly, without defining a pool, by naming the interface in the ip nat inside source command together with the overload keyword.