NAT (network address translation) is an address conservation technique that allows private networks with non-registered IP addresses to connect to the Internet. NAT usually operates on a router that sits at the boundary between two networks and translates addresses in the private network into public addresses usable on the Internet. In this article, we provide a concise introduction to NAT concepts relevant to the new CCNA version 2 exams. We also present a GNS3 topology in order to learn NAT configuration and verification. The present article belongs to the GNS3 Labs for CCNA series, and we are offering the GNS3 topology and initial configuration files for download, as usual. You may refer to GNS3 Labs for CCNA: Getting Started if you need help setting up GNS3.

NAT Concepts

NAT (network address translation) is a feature that helps resolve the problem of global IP address depletion. Many organizations cannot assign globally routable IP addresses to all hosts simply because they do not possess enough registered IP addresses. NAT addresses this issue by mapping hundreds or even thousands of internal addresses to a much smaller range of public addresses. It is possible even to map all internal addresses to a single public address.

NAT can be used even by organizations that do have public addresses for all hosts in order to hide those addresses from hackers on the Internet. The primary motivation for NAT was address conservation, but it provides a degree of security as well.

The notions of inside and outside are essential to NAT:

  1. Inside—The term inside refers to the private network owned by an organization or individual.
  2. Outside—The term outside refers to the public network, most often the Internet, to which the private network connects.

A router must have at least one interface to the inside network and one to the outside network in order to perform NAT. The following NAT terms, which are also used in the output of Cisco IOS show commands, convey important concepts:

  1. Inside Local—Inside local is most often a private IP address assigned to a host on the inside network.
  2. Inside Global—Inside global is a registered IP address assigned by the service provider that represents one or more inside local addresses to the outside world.
  3. Outside Local—Outside local is the IP address of an outside host as it appears to the inside network.
  4. Outside Global—Outside global is a globally routable registered IP address of an outside host used in the outside network.

A remarkable feature of NAT is that it can be configured without requiring any changes to hosts or routers other than the router on which it is actually configured.

The following graphic shows the how a router performs NAT, rewriting IP addresses inside packet headers as packets move from inside to outside or in the opposite direction. Please note that the router changes the source IP address of a packet as it moves from the inside network on the left to the outside network on the right. The router also rewrites the destination IP address of a packet that flows back from the outside network to the inside network. The graphic and the explanation that follows should help you understand basic NAT operation.

The user PC (192.168.1.2) creates a packet and sends it to www.intenseschool.com (65.181.154). The NAT router receives the packet on its inside interface. The router changes the source IP address in the packet header from 192.168.1.2 to 31.214.2.4.45 before sending it out through its outside interface. The packet, with a source IP address of 31.214.2.45, is received by the server at www.intenseschool.com. The server has no way of knowing that the source IP address was rewritten by a NAT router, and it truly believes that the packet is coming from 31.214.2.45. The server thus creates a packet with its own IP address (65.181.154.141) as source and 31.214.2.45 as the destination and sends it back. The packet is received by the NAT router on its outside interface. The router replaces the destination IP address in the packet header from 31.214.2.45 to 192.168.1.2 and sends it out its inside interface. The user PC eventually receives the packet.

The NAT router is running the show here and the following aspect of the whole operation are quite interesting:

  1. The user PC (192.168.1.2) believes it is communicating with www.intenseschool.com (65.181.154.141). The PC is sending packets out to 65.181.154.141 and receiving packets back from 65.181.154.141. It is not even aware of the fact that addresses are being rewritten by NAT while packets are en route.
  2. The server at www.intenseschool.com believes it is communicating with 31.214.2.4.45. The server is receiving packets from 31.214.2.4.45 and sending packets back to the same address. The server is not aware of the existence of NAT operation either.
  3. The NAT router is orchestrating the secret NAT operation and has the full picture.

There are several variants of NAT as briefly described below:

  1. Static NAT—Static NAT provides static address translation, creating one-to-one mapping between local and global addresses.
  2. Dynamic NAT—Dynamic NAT provides dynamic address translation mapping local addresses to global addresses from a pool of global addresses.
  3. PAT (port address translation)—PAT is a form of dynamic NAT that maps multiple local addresses to a single global address. PAT creates many-to-one mapping using different port numbers, as opposed to one-to-one mapping created by static and dynamic map. This form of NAT is also known as NAT overload.

The focus of this article is static NAT, but we plan to follow up with another article covering dynamic NAT and PAT.

Static NAT Configuration

We will use the GNS3 topology shown below to perform NAT configuration and verification, which is also available as a download with this article. We have used MicroCore Linux hosts emulated in Qemu for A and www.intenseschool.com. The topology comes pre-configured with all IP addresses and you will be able to configure NAT commands on R1 right away.

We are using the ip nat inside source command in global configuration mode to enable translation of the inside source address. This command has two forms for static and dynamic address translation. The syntax of the command with the keyword static implies a single static translation. The form with an access list is used for dynamic translation. The focus of this article is static NAT, so we are going to use the ip nat inside source static command in global configuration mode on R1.

ip nat inside source static 192.168.1.2 31.214.2.45

The above command establishes a one-to-one mapping between inside local address 192.168.1.2 and inside global address 31.214.2.45.

The ip nat command is used in interface configuration mode to establish that traffic coming into the interface or going out of the interface is subject to NAT. We will use the ip nat command with the inside keyword on FastEthernet0/0 of R1 to indicate that the interface is connected to the inside network. Similarly we will use the ip nat outside command on FastEthernet0/1 of R1 to indicate that the interface is connected to the outside network.

interface FastEthernet0/0
 ip nat inside
 exit
!
interface FastEthernet0/1
 ip nat outside
 exit

Please keep in mind that the NAT router will only translate packets moving between inside and outside interfaces. You must specify at least one inside interface and one outside interface for any NAT router.

You may verify your NAT configuration using the command show ip nat translations.

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 31.214.2.45        192.168.1.2        ---                ---

The output above shows that inside local address 192.168.1.2, belonging to host A, is mapped to inside global address 31.214.2.45, belonging to the outside interface of NAT router R1. Let’s view NAT statistics using the command show ip nat statistics.

R1#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

The output above provides quite a lot of useful information, including inside/outside interfaces, the number of translations, and packet hits/misses. We have configured NAT but there have not been any NAT translations. That’s the reason the number of hits is zero.

Let’s generate some traffic by sending five ICMP (internet control message protocol) pings from A to www.intenseschool.com.

tc@A:~$ ping -c 5 65.181.154.141
PING 65.181.154.141 (65.181.154.141): 56 data bytes
64 bytes from 65.181.154.141: seq=0 ttl=62 time=41.323 ms
64 bytes from 65.181.154.141: seq=1 ttl=62 time=44.565 ms
64 bytes from 65.181.154.141: seq=2 ttl=62 time=35.984 ms
64 bytes from 65.181.154.141: seq=3 ttl=62 time=37.608 ms
64 bytes from 65.181.154.141: seq=4 ttl=62 time=55.699 ms

--- 65.181.154.141 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 35.984/43.035/55.699 ms

You can see from above output that you received replies from www.intenseschool.com for all five pings.

We can expect that R1 would have performed some NAT translations by now.

R1#show ip nat translations
Pro   Inside global      Inside local       Outside local         Outside global
icmp  31.214.2.45:38150  192.168.1.2:38150  65.181.154.141:38150  65.181.154.141:38150
---   31.214.2.45        192.168.1.2        ---                   ---

The output above has two lines now, one of which corresponds to our static NAT configuration. The other line corresponds to an actual NAT translation for ICMP pings flowing from 192.168.1.2 to 65.181.154.141 and ping replies travelling in the opposite direction. Please closely correlate the inside global, inside local, outside local, and outside global addresses from the output above with the IP addresses we used in our GNS3 topology. That will help you build a deeper understanding of important NAT concepts.

Let’s run the command show ip nat statistics once again.

R1#show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 10  Misses: 0
CEF Translated packets: 10, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

The above output reports two active NAT translations that correspond to entries in the output of show ip nat translations, presented earlier. The output also reports 10 hits, indicating the total number of packets on which NAT translation was performed. The number 10 corresponds to five pings from inside to outside and another five ping replies in the opposite direction. Please note that the source IP address is translated in packets going from inside to outside, while the destination IP address is translated in packets moving from outside to inside.

We are done for today here but we plan to follow up with an article on dynamic NAT and PAT to round off our coverage of NAT for CCNA.