This is the first in a series of articles where we will be discussing NETWORK ADDRESS TRANSLATION (NAT). In this first installment, we will be looking at configuring NAT Overload, but first, we will look at the concept of NAT in general and its different flavors.
The concept of NAT was first implemented in Cisco IOS release 11.2 as a way to alleviate the depletion of IPv4 address space. Basically, Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or “public network”) and a local (or “private”) network. It is a temporary workaround to the immediate problem of too many hosts and not enough IP addresses.
CCNA Training – Resources (Intense)
A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be transferred to an individual inside the office. In this scenario, the office is a private LAN, the main phone number is the public IP address, and the individual extensions are unique port numbers.
In February 1996, the RFC 1918 document was published. In it, a range of IP addresses were reserved as PRIVATE ADDRESS SPACE:
- 10.0.0.0 – 10.255.255.255 (10.0.0.0/8 )
- 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 – 192.168.255.255 (192.168.0.0./16)
Network Address Translation is a technique in which the BORDER router, the one connected to your ISP (Internet Service Provider) and your LAN, removes the original SOURCE address in the IP header (private range) and replaces it with a legitimate, unique, public one leased by the ISP while sending packets towards the Internet. It is smart enough to keep this information in a special database called the NAT table. When the reply comes back, the SOURCE and DESTINATION addresses are reversed in the IP header. Once the packet reaches our BORDER router, it uses the right entry in the NAT table to swap the destination IP’s PUBLIC address (that represented our computer) back to its PRIVATE address.
Using proper terminology, when the IP packet enters the router’s inside interface (connected to the LAN), and is sent out to the outside interface (connected to the Internet), it removes the inside local address (private, e.g. 192.168.10.1), makes a note of what it did in the so called NAT table, and then inserts the inside global address (public e.g. 18.104.22.168) in the IP header instead.
So for instance, the original source 192.168.10.1 becomes 22.214.171.124 when the packet is sent towards the Internet (apologies if I use somebody’s real IP address here).
Then, when the destination host sends the reply back to the original sender, this 126.96.36.199 (former source) becomes the destination address. Our edge router receives it on its ‘outside interface‘. Since, the outbound interface is now our ‘inside interface,‘ the router will need to find the appropriate entry in the NAT table which will allow it to identify the original sender’s address (our 192.168.10.1). Its address will now be inserted in the destination field of the IP header so that the packet will be sent to the appropriate host originating this transmission.
Key Concepts to Note When Using NAT
In typical NAT configurations, interfaces are placed into one of two categories or locations: inside or outside. Inside indicates traffic that is coming from within the organizational network. Outside indicates traffic that is coming from an external network that is outside the organizational network.
- Inside local address: This is the inside address as it is seen and used within the organizational network.
- Inside global address: This is the inside address as it is seen and used on the outside of the organizational network.
- Outside local address: This is the outside address as it seen and used within the organizational network.
- Outside global address: This is the outside address as it is seen and used on the outside of the organizational network.
Types of NAT
There are three (3) major types of NAT:
- Static NAT
- Dynamic NAT
- NAT Overload
In this article, we will discuss NAT Overload.
How to Configure Basic NAT with Overload
‘Overloading’ means that the single public IP assigned to your router can be used by multiple internal hosts concurrently. With overloading, instead of a one-to-one relationship, traffic is translated and given a specific outside port number to communicate with. In this situation, many internal hosts can be using the same outside address while utilizing different port numbers. This is a typical NAT configuration for almost all of today’s networks. In cases such as home networks, your ISP will only issue you with a single public IP address though you might have 2 or more devices that need to access the Internet at any given time.
Steps to Configure NAT Overload
There are three major steps that should be followed when configuring NAT Overload. They are
- Label the interfaces: This is the process of labeling the interface for NAT: IP NAT inside on the internal interface and IP NAT outside on the external interface.
- Identify the internal IP addresses to be translated: This is the process of configuring the internal IP address to be translated. For instance, if you want people in the 192.168.10.0/24 to have access to the Internet and people in the 192.168.40.0/24 subnet refused Internet access, you have to identify them. Most of the time, this is done by using Access lists.
- Enable NAT Overload: The final step is enabling NAT with the command ip nat inside source <list/pool> <acl name/number><interface> overload.
We will be configuring NAT OVERLOAD with the scenario below.
For the purpose of this scenario, I’m going to use 188.8.131.52 as our public IP address. The host 192.168.10.11 is trying to contact www.krason.com.
Addresses used in this scenario are going to be as follows:
Private (LAN) IP = 192.168.10.11-13/24
Public (Internet) IP = 184.108.40.206/30 (connection to ISP)
Public (Internet) IP = 220.127.116.11 (Internet host used to check NAT)
Below is the configuration for the home router and the ISP router:
Home Router Configuration
Ip address 192.168.10.1 255.255.255.0
Ip nat inside
Ip address 18.104.22.168 255.255.255.252
Ip nat outside
Clock rate 64000
Ip nat inside source list NAT interface Serial1/0 overload
Ip route 0.0.0.0 0.0.0.0 Serial1/0
Ip access-list standard NAT
Permit 192.168.10.0 0.0.0.255
ISP Router Configuration
Ip address 22.214.171.124 255.255.255.0
Ip address 126.96.36.199 255.255.255.252
ip route 0.0.0.0 0.0.0.0 Serial1/0
To verify NAT Overload, we turn on “show ip nat translations” and then try pinging from 192.168.10.11 to the website on 188.8.131.52.
As we can see, NAT Overload has only one IP address but uses different port numbers for each operation.
A quick explanation of the result:
- The 1st column, Pro, shows us the protocol in use. In the first case, it shows that a ping request was sent, thus the protocol used was ICMP.
- The 2nd column, Inside global, shows the public IP address to be translated into and the port number.
- The 3rd column, Inside local, shows the local private IP address on the internal network’s HOME router along with the port number.
- The 4th column, Outside local, shows us the outside IP address we are trying to reach.
- The 5th column, Outside global, shows us the outside address we are trying to contact. As it is a public address, it does not require translation.
- Check the ‘ip nat inside’ and ‘ip nat outside’ statements on the interfaces. Be sure they are at the right interfaces.
- Check if your Access-lists match on the appropriate Inside Local addresses. If you send traffic from these, ‘show access-list’ should show you the hits against the ACL entries.
- You could consider using the command ‘debug ip nat’. However, do not use this command during production! Below is the output generated when pinging www.kranson.com from 192.168.10.11:
In conclusion, NAT is a good fix, albeit a temporary one, to solve the problem of IP address shortage. A more permanent fix in IPv6 is gradually being implemented, and in a few years time we should have migrated partially, if not fully, to IPv6.
CCNA Cisco Certified Network Associate Study Guide, 7th Edition, by Todd Lammle