Monday, December 13, 2010

Scaling the Network with NAT and PAT CCNA Coaching Institute in Delhi India

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

 Two Internet scalability challenges are the depletion of registered IP version 4 (IPv4)
address space and scaling in routing. Cisco IOS Network Address Translation (NAT) and
Port Address Translation (PAT) are mechanisms for conserving registered IPv4 addresses
in large networks and simplifying IPv4 address management tasks. NAT and PAT translate
IPv4 addresses within private internal networks to legal IPv4 addresses for transport over
public external networks, such as the Internet, without requiring a registered subnet
address. Incoming traffic is translated back for delivery within the inside network.
250 Chapter 7: Managing Address Spaces with NAT and IPv6
This translation of IPv4 addresses eliminates the need for host renumbering and allows
the same IPv4 address range to be used in multiple intranets. This section describes the
features that are offered by NAT and PAT and shows you how to configure NAT and PAT
on Cisco routers.
Introducing NAT and PAT
NAT operates on a Cisco router and is designed for IPv4 address simplification and
conservation. NAT enables private IPv4 internetworks that use nonregistered IPv4
addresses to connect to the Internet. Usually, NAT connects two networks and translates the
private (inside local) addresses in the internal network into public addresses (inside global)
before packets are forwarded to another network. As part of this functionality, you can
configure NAT to advertise only one address for the entire network to the outside world.
Advertising only one address effectively hides the internal network from the world, thus
providing additional security. Figure 7-1 shows an example of address translation between
a private and public network.
Figure 7-1 Network Address Translation
(Figure: the NAT table on the router maps inside local IPv4 addresses 10.0.0.1 and 10.0.0.2 to inside global IPv4 addresses 171.69.58.80 and 171.69.58.81; a packet from 10.0.0.1 enters the inside interface with SA 10.0.0.1 and leaves the outside interface toward the Internet with SA 171.69.58.80.)
Scaling the Network with NAT and PAT 251
Any device that is between an internal network and the public network—such as a firewall,
a router, or a computer—uses NAT, which is defined in RFC 1631.
In NAT terminology, the inside network is the set of networks that are subject to translation.
The outside network refers to all other addresses. Usually these are valid addresses
located on the Internet.
Cisco defines the following list of NAT terms:
■ Inside local address: The IPv4 address that is assigned to a host on the inside network.
The inside local address is likely not an IPv4 address assigned by the Network
Information Center or service provider.
■ Inside global address: A legitimate IPv4 address assigned by the NIC or service
provider that represents one or more inside local IPv4 addresses to the outside world.
■ Outside local address: The IPv4 address of an outside host as it appears to the inside
network. Not necessarily legitimate, the outside local address is allocated from a
routable address space on the inside.
■ Outside global address: The IPv4 address that is assigned to a host on the outside
network by the host owner. The outside global address is allocated from a globally
routable address or network space.
NAT has many forms and can work in the following ways:
■ Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to
one). Static NAT is particularly useful when a device must be accessible from outside
the network.
■ Dynamic NAT: Maps an unregistered IPv4 address to a registered IPv4 address from
a group of registered IPv4 addresses.
■ NAT overloading: Maps multiple unregistered IPv4 addresses to a single registered
IPv4 address (many to one) by using different ports. Overloading is also known as PAT
and is a form of dynamic NAT.
NAT offers these benefits over using public addressing:
■ Eliminates the need to readdress all hosts that require external access, saving time and
money.
■ Conserves addresses through application port-level multiplexing. With NAT, internal
hosts can share a single registered IPv4 address for all external communications. In this
type of configuration, relatively few external addresses are required to support many
internal hosts, thus conserving IPv4 addresses.
■ Protects network security. Because private networks do not advertise their addresses or
internal topology, they remain reasonably secure when they gain controlled external
access in conjunction with NAT.
One of the main features of NAT is PAT, which is also referred to as “overload” in Cisco
IOS configuration. PAT allows you to translate multiple internal addresses into a single
external address, essentially allowing the internal addresses to share one external address.
Figure 7-2 shows an example of Port Address Translation. The following list highlights the
operations of PAT:
Figure 7-2 Port Address Translation
(Figure: PAT between My Network and the Internet; the NAT table maps inside local 10.6.1.2:2031 and 10.6.1.6:1506 to inside global 171.69.68.10:2031 and 171.69.68.10:1506, keeping the source ports, and maps 10.6.1.6:131 to 171.69.68.10:2032.)
■ PAT uses unique source port numbers on the inside global IPv4 address to distinguish
between translations. Because the port number is encoded in 16 bits, the total number
of internal sessions that NAT can translate into one external address is, theoretically,
as many as 65,536.
■ PAT attempts to preserve the original source port. If the source port is already
allocated, PAT attempts to find the first available port number. It starts from the
beginning of the appropriate port group, 0 to 511, 512 to 1023, or 1024 to 65535. If
PAT does not find an available port from the appropriate port group and if more than
one external IPv4 address is configured, PAT moves to the next IPv4 address and tries
to allocate the original source port again. PAT continues trying to allocate the original
source port until it runs out of available ports and external IPv4 addresses.
Translating Inside Source Addresses
You can translate your own IPv4 addresses into globally unique IPv4 addresses when
you are communicating outside your network. You can configure static or dynamic inside
source translation.
Figure 7-3 illustrates a router that is translating a source address inside a network into a
source address outside the network.
Figure 7-3 Translating an Address
(Figure: the NAT table maps inside local 1.1.1.1 and 1.1.1.2 to inside global 2.2.2.2 and 2.2.2.3; host B at 9.6.7.3 is reached across the Internet through the outside interface; the numbered packets 1 through 5 correspond to the steps below: SA 1.1.1.1 on the inside interface becomes SA 2.2.2.2 on the outside interface, and the reply addressed to DA 2.2.2.2 is delivered inside as DA 1.1.1.1.)
The steps for translating an inside source address are as follows:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the
router to check its NAT table.
• If a static translation entry was configured, the router goes to Step 3.
• If no static translation entry exists, the router determines that the source address
1.1.1.1 (SA 1.1.1.1) must be translated dynamically. The router then selects a
legal, global address from the dynamic address pool and creates a translation
entry (in the example, 2.2.2.2). This type of entry is called a simple entry.
Step 3 The router replaces the inside local source address of host 1.1.1.1 with
the translation entry global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the
inside global IPv4 destination address 2.2.2.2 (DA 2.2.2.2).
Step 5 When the router receives the packet with the inside global IPv4 address,
the router performs a NAT table lookup by using the inside global
address as a key. The router then translates the address back to the inside
local address of host 1.1.1.1 and forwards the packet to host 1.1.1.1. Host
1.1.1.1 receives the packet and continues the conversation. The router
performs Steps 2 through 5 for each packet.
The order in which the router processes traffic depends on whether the NAT translation
is a global-to-local translation or a local-to-global translation. Table 7-1 illustrates the order
in which a router processes traffic, depending on the direction of the translation.
Table 7-1 Router Processing Order
Local-to-Global:
1. Check input access list if using IPsec.
2. Perform decryption—for Cisco Encryption Technology or IPsec.
3. Check inbound access list.
4. Check input rate limits.
5. Perform input accounting.
6. Perform policy routing.
7. Route packet.
8. Redirect to web cache.
9. Perform NAT inside to outside (local to global translation).
10. Check crypto map and mark for encryption if appropriate.
11. Check outbound access list.
12. Inspect CBAC.
13. Intercept TCP.
14. Perform encryption.
15. Perform queuing.
Global-to-Local:
1. Check input access list if using IPsec.
2. Perform decryption—for Cisco Encryption Technology or IPsec.
3. Check inbound access list.
4. Check input rate limits.
5. Perform input accounting.
6. Perform NAT outside to inside (global to local translation).
7. Perform policy routing.
8. Route packet.
9. Redirect to web cache.
10. Check crypto map and mark for encryption if appropriate.
11. Check outbound access list.
12. Inspect CBAC.
13. Intercept TCP.
14. Perform encryption.
15. Perform queuing.
IPsec = IP security
CBAC = Context-Based Access Control
To configure static inside source address translation on a router, follow these steps:
Step 1 Establish static translation between an inside local address and an inside global
address.
RouterX(config)# ip nat inside source static local-ip global-ip
Enter the no ip nat inside source static global command to remove the static
source translation.
Step 2 Specify the inside interface.
RouterX(config)# interface type number
After you enter the interface command, the CLI prompt changes from (config)#
to (config-if)#.
Step 3 Mark the interface as connected to the inside.
RouterX(config-if)# ip nat inside
Step 4 Specify the outside interface.
RouterX(config-if)# interface type number
Step 5 Mark the interface as connected to the outside.
RouterX(config-if)# ip nat outside
Use the command show ip nat translations in EXEC mode to display active translation
information, as demonstrated here:
RouterX# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.1.2 10.1.1.2
Static NAT Address Mapping
The example shows the use of discrete address mapping with static NAT translations for
the network in Figure 7-4. The router translates packets from host 10.1.1.2 to a source
address of 192.168.1.2.
Figure 7-4 Static NAT Address Mapping
(Figure: host 10.1.1.2 sits on the inside behind interface E0 (10.1.1.1); interface S0 (192.168.1.1) faces the Internet; a packet that enters with SA 10.1.1.2 leaves the router with SA 192.168.1.2.)
To configure dynamic inside source address translation, follow these steps:
Step 1 Define a pool of global addresses to be allocated as needed.
RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Enter the no ip nat pool global command to remove the pool of global addresses.
Step 2 Define a standard access control list (ACL) that permits the addresses
that are to be translated.
RouterX(config)# access-list access-list-number permit source [source-wildcard]
Enter the no access-list access-list-number global command to remove the ACL.
Step 3 Establish dynamic source translation, specifying the ACL that was
defined in the prior step.
RouterX(config)# ip nat inside source list access-list-number pool name
Enter the no ip nat inside source global command to remove the dynamic source
translation.
Step 4 Specify the inside interface.
RouterX(config)# interface type number
After you enter the interface command, the CLI prompt changes from (config)#
to (config-if)#.
Step 5 Mark the interface as connected to the inside.
RouterX(config-if)# ip nat inside
Step 6 Specify the outside interface.
RouterX(config-if)# interface type number
Step 7 Mark the interface as connected to the outside.
RouterX(config-if)# ip nat outside
Use the command show ip nat translations in EXEC mode to display active translation
information.
Dynamic Address Translation
The example in Figure 7-5 shows how the device translates all source addresses that pass
ACL 1, which means a source address from the 192.168.1.0/24 network, into an address
from the pool named net-208. The pool contains addresses from 171.69.233.209/28 to
171.69.233.222/28.
Figure 7-5 Dynamic Address Translation
(Figure: Host A 192.168.1.100 and Host B 192.168.1.101 are inside hosts behind interface E0 (192.168.1.94) and fall within the 192.168.1.0/24 range permitted by ACL 1; Host C 10.1.1.1 and Host D 172.16.1.1 do not, so they are not translated; interface S0 (171.69.232.182) faces the Internet.)
CAUTION The ACL must permit only those addresses that are to be translated.
Remember that there is an implicit deny any statement at the end of each ACL. An ACL
that is too permissive can lead to unpredictable results. Using permit any can result in
NAT consuming too many router resources, which can cause network problems.
ip nat pool net-208 171.69.233.209 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 1 pool net-208
!
interface serial 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 0
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
Overloading an Inside Global Address
You can conserve addresses in the inside global address pool by allowing the router to
use one inside global address for many inside local addresses. When this overloading is
configured, the router maintains enough information from higher-level protocols—for
example, TCP or User Datagram Protocol (UDP) port numbers—to translate the inside
global address back into the correct inside local address. When multiple inside local
addresses map to one inside global address, the TCP or UDP port numbers of each inside
host distinguish between the local addresses.
Figure 7-6 illustrates NAT operation when one inside global address represents multiple
inside local addresses. The TCP port numbers act as differentiators.
Figure 7-6 Overloading an Inside Global Address
(Figure: the NAT table holds two TCP extended entries: inside local 1.1.1.1:1024 is translated to inside global 2.2.2.2:1024 toward outside global 9.6.7.3:23 (host B), and inside local 1.1.1.2:1723 is translated to inside global 2.2.2.2:1723 toward outside global 6.5.4.7:23 (host C); the numbered packets 1 through 5 correspond to the steps below.)
Both host B and host C think they are talking to a single host at address 2.2.2.2. They are
actually talking to different hosts; the port number is the differentiator. In fact, many inside
hosts could share the inside global IPv4 address by using many port numbers.
The router performs the following process when it overloads inside global addresses:
Step 1 The user at host 1.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 1.1.1.1 causes the
router to check its NAT table.
If no translation entry exists, the router determines that address 1.1.1.1 must be
translated and sets up a translation of inside local address 1.1.1.1 into a legal inside
global address. If overloading is enabled and another translation is active, the router
reuses the inside global address from that translation and saves enough information
to be able to translate back. This type of entry is called an extended entry.
Step 3 The router replaces the inside local source address 1.1.1.1 with the
selected inside global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 1.1.1.1 by using the
inside global IPv4 address 2.2.2.2.
Step 5 When the router receives the packet with the inside global IPv4 address,
the router performs a NAT table lookup. Using the inside global address
and port and outside global address and port as a key, the router translates
the address back into the inside local address 1.1.1.1 and forwards the
packet to host 1.1.1.1. Host 1.1.1.1 receives the packet and continues the
conversation. The router performs Steps 2 through 5 for each packet.
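The port-selection rule described for PAT earlier and the extended-entry lookup in Steps 2 through 5 above, as an added Python model that is not part of the original text or of Cisco IOS: it keeps the original source port where it can, otherwise takes the first free port in the same port group (0 to 511, 512 to 1023, or 1024 to 65535), then moves on to the next inside global address, and keys the return path on inside global and outside global address:port. Separate port spaces per protocol and the dictionary layout are assumptions of the model.

```python
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the port group a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


class PatTable:
    """Overloaded NAT table: many inside local address:port pairs share one inside global address."""

    def __init__(self, global_ips):
        self.global_ips = list(global_ips)  # inside global addresses, tried in order
        self.in_use = {}                    # (proto, global ip) -> ports already allocated (assumed per protocol)
        self.outbound = {}                  # (proto, local ip, local port, outside ip, outside port) -> (global ip, port)
        self.inbound = {}                   # (proto, global ip, port, outside ip, outside port) -> (local ip, port)

    def allocate(self, proto, src_port):
        """Pick the inside global address:port for a new translation."""
        lo, hi = port_group(src_port)
        for gip in self.global_ips:
            used = self.in_use.setdefault((proto, gip), set())
            if src_port not in used:            # first choice: preserve the original source port
                return gip, src_port
            for port in range(lo, hi + 1):      # otherwise the first free port of the same group
                if port not in used:
                    return gip, port
        # every group on every address is exhausted: the router cannot allocate a global address
        raise RuntimeError("no free port on any inside global address")

    def translate_outbound(self, proto, local_ip, local_port, outside_ip, outside_port):
        """Inside to outside (Steps 2 and 3): reuse the extended entry or create one."""
        key = (proto, local_ip, local_port, outside_ip, outside_port)
        if key not in self.outbound:
            gip, gport = self.allocate(proto, local_port)
            self.in_use[(proto, gip)].add(gport)
            self.outbound[key] = (gip, gport)
            # the return path is keyed on inside global and outside global address:port (Step 5)
            self.inbound[(proto, gip, gport, outside_ip, outside_port)] = (local_ip, local_port)
        return self.outbound[key]

    def translate_inbound(self, proto, global_ip, global_port, outside_ip, outside_port):
        """Outside to inside (Step 5): None means no entry exists and nothing is delivered inside."""
        return self.inbound.get((proto, global_ip, global_port, outside_ip, outside_port))


def figure_7_6_table():
    """Rebuild the NAT table of Figure 7-6: hosts 1.1.1.1 and 1.1.1.2 both appear as 2.2.2.2."""
    table = PatTable(["2.2.2.2"])
    table.translate_outbound("tcp", "1.1.1.1", 1024, "9.6.7.3", 23)   # host 1.1.1.1 -> host B
    table.translate_outbound("tcp", "1.1.1.2", 1723, "6.5.4.7", 23)   # host 1.1.1.2 -> host C
    return sorted(table.inbound.items())


if __name__ == "__main__":
    print("Pro Inside global Inside local Outside local Outside global")
    for (proto, gip, gport, oip, oport), (lip, lport) in figure_7_6_table():
        print(f"{proto} {gip}:{gport} {lip}:{lport} {oip}:{oport} {oip}:{oport}")
```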
To configure overloading of inside global addresses, follow these steps:
Step 1 Define a standard ACL that permits the addresses that are to be translated.
RouterX(config)# access-list access-list-number permit source [source-wildcard]
Enter the no access-list access-list-number global command to remove the ACL.
Step 2 Establish dynamic source translation, specifying the ACL that was
defined in the prior step.
RouterX(config)# ip nat inside source list access-list-number interface interface overload
Enter the no ip nat inside source global command to remove the dynamic source
translation. The keyword overload enables PAT.
Step 3 Specify the inside interface.
RouterX(config)# interface type number
RouterX(config-if)# ip nat inside
After you enter the interface command, the CLI prompt changes from (config)#
to (config-if)#.
Step 4 Specify the outside interface.
RouterX(config-if)# interface type number
RouterX(config-if)# ip nat outside
Use the command show ip nat translations in EXEC mode to display active translation
information.
The NAT inside-to-outside process comprises this sequence of steps:
Step 1 The incoming packet goes to the route table and the next hop is identified.
Step 2 NAT statements are parsed so that the interface serial 0 IPv4 address can
be used in overload mode. PAT creates a source address to use.
Step 3 The router encapsulates the packet and sends it out on interface serial 0.
For the return traffic, the NAT outside-to-inside address translation process works in the
following sequence of steps:
Step 1 NAT statements are parsed. The router looks for an existing translation and
identifies the appropriate destination address.
Step 2 The packet goes to the route table, and the next-hop interface is
determined.
Step 3 The packet is encapsulated and sent out to the local interface.
No internal addresses are visible during this process. As a result, hosts do not have an
external public address, which leads to improved security.
By default, dynamic address translations time out from the NAT and PAT translation tables
after some period of nonuse. The default timeout periods differ among various protocols.
You can reconfigure the default timeouts with the ip nat translation command. The syntax
for this command is as follows:
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout} {seconds | never}
Table 7-2 describes the parameters for this command.
Table 7-2 ip nat translation Parameters
timeout: Specifies that the timeout value applies to dynamic translations except for overload translations. The default is 86,400 seconds (24 hours).
udp-timeout: Specifies the timeout value for the UDP port. The default is 300 seconds (5 minutes).
dns-timeout: Specifies the timeout value for connections to the DNS (Domain Name System). The default is 60 seconds.
tcp-timeout: Specifies the timeout value for the TCP port. The default is 86,400 seconds (24 hours).
finrst-timeout: Specifies the timeout value for the Finish and Reset TCP packets, which terminate a connection. The default is 60 seconds.
icmp-timeout: Specifies the timeout value for ICMP (Internet Control Message Protocol) flows. The default is 60 seconds.
pptp-timeout: Specifies the timeout value for NAT PPTP (Point-to-Point Tunneling Protocol) flows. The default is 86,400 seconds (24 hours).
syn-timeout: Specifies the timeout value for TCP flows immediately after a SYN (synchronize) message. The default is 60 seconds.
port-timeout: Specifies that the timeout value applies to the TCP/UDP port.
seconds: Number of seconds after which the specified port translation times out. The default is 0.
never: Specifies that the port translation never times out.
Table 7-3 lists commands you can use to clear the entries before they time out.
Table 7-3 clear ip nat translation Commands
clear ip nat translation *: Clears all dynamic address translation entries from the NAT translation table.
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]: Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation.
clear ip nat translation outside local-ip global-ip: Clears a simple dynamic translation entry containing an outside translation.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]: Clears an extended dynamic translation entry (PAT entry).
Resolving Translation Table Issues
When you have IPv4 connectivity problems in a NAT environment, it is often difficult to
determine the cause of the problem. Many times NAT is blamed, when in reality there is an
underlying problem. When you are trying to determine the cause of an IPv4 connectivity
problem, it helps to eliminate NAT as the potential problem. Follow these steps to verify
that NAT is operating as expected:
Step 1 Based on the configuration, clearly define what NAT is supposed to achieve. You
may determine that the NAT configuration has a problem.
Step 2 Use the show ip nat translations command to determine if the correct
translations exist in the translation table.
Step 3 Verify whether the translation is occurring by using show and debug
commands.
Step 4 Review in detail what is happening to the translated packet, and verify
that routers have the correct routing information for the translated
address to move the packet.
If the appropriate translations are not in the translation table, verify the following
items:
• There are no inbound ACLs that are denying the packet entry into the NAT
router.
• The ACL that is referenced by the NAT command is permitting all necessary
networks.
• The NAT pool has enough addresses.
• The router interfaces are appropriately defined as NAT inside or NAT outside.
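The verification list above, as an added Python check that is not part of the original text or of Cisco IOS: it parses a constructed configuration modelled on the Figure 7-5 example (it understands only access-list, ip nat pool, ip nat inside source list, and ip nat inside/outside under an interface), evaluates the NAT ACL the way a standard ACL is matched (first match wins, implicit deny), and reports inside hosts the ACL would not translate, a pool too small for the hosts it must serve without overload, and interfaces not marked inside and outside. Inbound ACLs applied to the interfaces are not evaluated; the host list and the finding strings are assumptions.

```python
import ipaddress
import re

# Constructed configuration modelled on the Figure 7-5 example (not a captured device config).
CONFIG = """
ip nat pool net-208 171.69.233.209 171.69.233.222 netmask 255.255.255.240
ip nat inside source list 1 pool net-208
interface serial 0
 ip nat outside
interface ethernet 0
 ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255
"""
# Hosts A to D of Figure 7-5: the inside hosts expected to reach the Internet (constructed list).
INSIDE_HOSTS = ["192.168.1.100", "192.168.1.101", "10.1.1.1", "172.16.1.1"]


def parse_config(text):
    """Pull out only the statements the NAT checklist needs."""
    cfg = {"acls": {}, "pools": {}, "nat": None, "inside": [], "outside": []}
    iface = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            iface = line[len("interface "):]
        elif line == "ip nat inside":
            cfg["inside"].append(iface)
        elif line == "ip nat outside":
            cfg["outside"].append(iface)
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4] or "0.0.0.0"))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) \S+$", line):
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            cfg["pools"][m[1]] = int(last) - int(first) + 1     # number of global addresses
        elif m := re.match(r"ip nat inside source list (\d+) (pool|interface) (\S+)( overload)?$", line):
            cfg["nat"] = {"acl": m[1], "pool": m[3] if m[2] == "pool" else None, "overload": bool(m[4])}
    return cfg


def acl_permits(entries, ip):
    """Standard ACL evaluation: first matching entry wins, implicit deny any at the end."""
    addr = int(ipaddress.ip_address(ip))
    for action, source, wildcard in entries:
        if source == "any":
            return action == "permit"
        if source == "host":                                      # "host x.x.x.x" form
            matched = addr == int(ipaddress.ip_address(wildcard))
        else:                                                     # address plus wildcard mask
            care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
            matched = (addr & care) == (int(ipaddress.ip_address(source)) & care)
        if matched:
            return action == "permit"
    return False


def check_nat(cfg, hosts):
    """Return the checklist findings; an empty list means NAT should translate every host."""
    findings = []
    if not cfg["inside"] or not cfg["outside"]:
        findings.append("interfaces not marked as both ip nat inside and ip nat outside")
    nat = cfg["nat"]
    if nat is None:
        return findings + ["no ip nat inside source statement"]
    entries = cfg["acls"].get(nat["acl"])
    if entries is None:
        return findings + [f"ACL {nat['acl']} referenced by NAT does not exist"]
    wanted = [h for h in hosts if acl_permits(entries, h)]
    findings += [f"{h} is not permitted by ACL {nat['acl']}" for h in hosts if h not in wanted]
    if nat["pool"] is not None and not nat["overload"]:          # without overload, one address per host
        size = cfg["pools"].get(nat["pool"], 0)
        if size < len(wanted):
            findings.append(f"pool {nat['pool']} has {size} addresses for {len(wanted)} hosts")
    return findings
```

Running check_nat(parse_config(CONFIG), INSIDE_HOSTS) reports that 10.1.1.1 and 172.16.1.1 are not permitted by ACL 1, which is why hosts C and D in Figure 7-5 are never translated.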
In a simple network environment, it is useful to monitor NAT statistics with the show ip nat
statistics command. However, in a more complex NAT environment with several
translations taking place, this show command is no longer useful. In this case, it may be
necessary to run debug commands on the router.
The debug ip nat command displays information about every packet that is translated by
the router, which helps you verify the operation of the NAT feature. The debug ip nat
detailed command generates a description of each packet that is considered for translation.
This command also outputs information about certain errors or exception conditions,
such as the failure to allocate a global address. The debug ip nat detailed command will
generate more overhead than the debug ip nat command, but it can provide the detail that
you need to troubleshoot the NAT problem.
Example 7-1 demonstrates sample debug ip nat output.
In Example 7-1, the first two lines show the debugging output that a DNS request and reply
produce where the DNS server address is 172.31.2.132. The remaining lines show the
debugging output from a Telnet connection from a host on the inside of the network to a
host on the outside of the network.
The asterisk (*) next to NAT indicates that the translation is occurring in the fast-switched
path. The first packet in a conversation is always process-switched. The remaining
packets go through the fast-switched path if a cache entry exists.
The final entry in each line, within brackets ([ ]), provides the identification number of the
packet. You can use this information to correlate with other packet traces from protocol
analyzers.
Another useful command when verifying the operation of NAT is the show ip nat statistics
command.
