A decade ago not too many people thought of having more than one PC at home. But today, having two or more personal computers is almost a necessity for many people. Back then, there was also only a small portion of home computer users subscribing to ADSL or Internet over cable. Currently, more and more people are subscribing to these broadband services.
The IP addressing scheme was not implemented with the extreme growth of the internet and the services related to it in mind. At the beginning, the problem of running out of IP addresses was just a theoretical one that could possibly happen in the far away future. But the future is here! The problem is not theoretical anymore — it is occurring this very moment. More and more users started to require permanent public IP addresses, adding to the problem, and a fast solution was needed.
This solution came with NAT (Network Address Translation) and PAT (Port Address Translation). However, NAT does not provide a long-term solution. A more reliable and efficient solution is a completely new addressing scheme called IPv6, which uses 128-bit addresses instead of the 32-bit addresses used in IPv4.
NAT and PAT
The concept of NAT is based on the fact that every computer sending traffic outside its LAN to the Internet must be assigned a routable IP address. To conserve IP addresses, LAN users make use of a range of private IP addresses for routing local traffic. When a company, for example, needs to send traffic to the Internet (via its ISP, of course), an address translation takes place: the range of private IP addresses used by the company is translated to a single routable IP address, or to a small number of them.
The ranges of private IP addresses that can be used in the local network and cannot be routed to the Internet are:
- 10.0.0.0 – 10.255.255.255/8
- 172.16.0.0 – 172.31.255.255/12
- 192.168.0.0 – 192.168.255.255/16
These IP addresses, in NAT terminology, are called “inside networks”. In other words, traffic that originates from these networks and is destined for any network outside the private scope needs to be translated to a routable address belonging to what is known as the “outside network”.
Here are the NAT terms defined by Cisco:
- Inside local address: Simply the private IP address assigned to a computer on the inside network.
- Inside global address: The IP address produced by the translation process on the router; it represents one inside local address or a range of inside local addresses.
- Outside local address: While packets traverse the Internet to their final destination, they may encounter another translation. The IP address prior to that translation is called the outside local address, since it belongs to an outside network and is the one known locally to the inside network.
- Outside global address: The IP address assigned to a host on the outside network by the host owner, as a result of translation, taken from a globally routable address range.
NAT comes in three flavors:
- Static NAT: Provides a one-to-one mapping between local and global addresses; consequently, every computer on the network must be allocated its own dedicated routable IP address.
- Dynamic NAT: A pool of routable IP addresses is configured on the router, and the router dynamically assigns addresses from this pool to every machine that needs to send traffic to the “outside world”. This type of NAT needs good planning from the beginning so that the pool of IP addresses is large enough to cover the traffic to the Internet at peak hours.
- PAT: Port Address Translation is another variation of NAT and the most popular one. It is also called NAT Overloading because it is designed to map many private IP addresses to just a single registered IP address (the overloaded address) by using different port numbers in the TCP or UDP header.
Inside Local Source Address Translation
Figure 1: NAT Example
The diagram above shows a router translating an inside source IP address to a source IP address valid on the outside network. The translation process follows these steps:
- The user at host 10.0.0.3 begins to send traffic to the router, destined for the host at 212.31.80.2.
- Upon receiving the first packet, the router checks its NAT table.
- If dynamic NAT is configured, the router picks a free global address from its dynamic address pool (in the above example 179.2.2.80) and creates a translation entry in its NAT table.
- If static NAT is configured, the router translates the inside local address 10.0.0.3 to its configured global IP address 179.2.2.80 and forwards the packet.
- The user at 212.31.80.2 replies to host 10.0.0.3 using the inside global address 179.2.2.80 as the destination (Destination address=179.2.2.80).
- When the router receives the reply, it checks its NAT table again for an entry for the inside global address 179.2.2.80. If a match is found, the router translates the address back to the corresponding inside local address 10.0.0.3 and forwards the packet to the user.
- The router repeats the above steps for each packet it receives.
Static NAT Configuration
To configure static inside source address translation for the example shown in Figure 1, the following needs to be performed on the router:
- Specify the inside interface:
- Router(config)# interface ethernet0
- Router(config-if)# ip nat inside
- Specify the outside interface:
- Router(config)# interface serial0
- Router(config-if)# ip nat outside
- Enter the static translation entry (see syntax 1):
- Router(config)# ip nat inside source static 10.0.0.3 179.2.2.80
Dynamic NAT Configuration
To configure dynamic inside source address translation for the example shown in Figure 1, the following needs to be performed:
- Specify the inside interface:
- Router(config)# interface ethernet0
- Router(config-if)# ip nat inside
- Specify the outside interface:
- Router(config)# interface serial0
- Router(config-if)# ip nat outside
- Define an access list that permits the inside local addresses to be translated (see syntax 2):
- Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
- Define a pool of global addresses (see syntax 3):
- Router(config)# ip nat pool figure1 179.2.2.65 179.2.2.90 netmask 255.255.255.224
- Enter the dynamic translation entry (see syntax 4):
- Router(config)# ip nat inside source list 1 pool figure1
Inside Global Address Overloading
Figure 2: NAT Overloading
From the above image, it can be seen that NAT overloading conserves registered inside global IP addresses on the router. Inside local IP addresses are translated to a common global IP address and are distinguished from one another by different port numbers. Outside hosts do not see this translation; they believe they are talking to a single host with IP address 179.2.2.80, though they are actually talking to two different hosts.
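The translation steps of Figure 1 and the port-based distinction of Figure 2, as an added Python model that is not part of the original article and is not Cisco IOS code: the `NatRouter` class and `acl_permits` helper are constructed here, the inside network is assumed to be 10.0.0.0/24 as in access-list 1, and the pool and overload addresses are taken from the page's examples. The model covers all three flavours (static, dynamic pool, overload) and the failure cases the steps imply: a reply with no table entry, and a dynamic pool that runs dry.

```python
import ipaddress

def acl_permits(addr, acl_addr, wildcard):
    """Cisco wildcard match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, acl_addr, wildcard))
    return (a & ~w) == (n & ~w)

class NatRouter:
    """Toy model of the inside-source NAT table in Figures 1 and 2 (constructed, not IOS code).
    Exactly one of static / pool / overload is normally configured, as on the page."""

    def __init__(self, acl=("10.0.0.0", "0.0.0.255"), static=None, pool=None, overload=None):
        self.acl = acl                     # access-list 1: which inside locals get translated
        self.static = dict(static or {})   # inside local -> inside global (static NAT)
        self.pool = list(pool or [])       # free inside global addresses (dynamic NAT)
        self.overload = overload           # single shared inside global address (PAT)
        self.table = {}                    # entries created when the first packet is seen

    def outbound(self, src_ip, src_port):
        """Translate an inside local (ip, port) leaving via the outside interface."""
        if src_ip in self.static:                      # static NAT: fixed one-to-one mapping
            return self.static[src_ip], src_port
        if not acl_permits(src_ip, *self.acl):
            return src_ip, src_port                    # ACL denies: forwarded untranslated
        if self.overload:                              # PAT: one address, a distinct port per flow
            if (src_ip, src_port) not in self.table:
                taken = {p for _, p in self.table.values()}
                port = src_port                        # keep the original source port if free
                while port in taken:
                    port += 1
                self.table[(src_ip, src_port)] = (self.overload, port)
            return self.table[(src_ip, src_port)]
        if src_ip not in self.table:                   # dynamic NAT: take a free pool address
            if not self.pool:
                return None                            # pool exhausted: packet is dropped
            self.table[src_ip] = self.pool.pop(0)
        return self.table[src_ip], src_port

    def inbound(self, dst_ip, dst_port):
        """Reverse lookup for a reply from outside; None means no entry, so it is dropped."""
        for local, glob in self.table.items():
            if self.overload and glob == (dst_ip, dst_port):
                return local                           # (inside local ip, original port)
            if not self.overload and glob == dst_ip:
                return local, dst_port
        for local, glob in self.static.items():
            if glob == dst_ip:
                return local, dst_port
        return None
```

Run `NatRouter(overload="179.2.2.80")` with two hosts using the same source port to see the second flow receive a different global port, which is exactly what lets the router demultiplex the replies.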
NAT Overloading Configuration
To configure NAT Overloading for the example shown in Figure 2, the following needs to be performed:
- Specify the inside interface:
- Router(config)# interface ethernet0
- Router(config-if)# ip nat inside
- Specify the outside interface:
- Router(config)# interface serial0
- Router(config-if)# ip nat outside
- Define an access list that permits the inside local addresses to be translated:
- Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
- Enter the dynamic translation entry (see syntax 5):
- Router(config)# ip nat inside source list 1 interface serial0 overload
Conclusion
NAT’s contribution to the reliability and very existence of the networked society as we know it today has turned out to be extremely valuable. Although it does not provide a stable long-term solution, it offers many benefits. Conservation of IP addresses, achieved through NAT Overloading, is the primary benefit: theoretically, up to 65000 hosts can be served by a single global IP address using PAT. Security is another important benefit of NAT: private networks hide their real identity and therefore remain secure, without revealing their network topology to the outside world.
Something important to keep in mind is that Cisco’s NAT implementation tries to preserve the original source port all the way through the translation. In practice, a NAT implementation assigns source port numbers dynamically, and it is up to the user’s configuration to allocate specific source port numbers.
Syntax 1: Router(config)# ip nat inside source static [local IP address] [global IP address]
Syntax 2: Router(config)# access-list [access list number] permit [source address] [source address wildcard]
Syntax 3: Router(config)# ip nat pool [pool name] [start IP address] [end IP address] netmask [netmask]
Syntax 4: Router(config)# ip nat inside source list [access list number] pool [pool name]
Syntax 5: Router(config)# ip nat inside source list [access list number] interface [interface] overload