Friday, April 22, 2016

CCNAv2 Chapter 11 Notes - NAT

Network Address Translation
* Credits to any/all authors for any used resources below.

Terminology / Definitions
 These four ‘address’ terms are used within our other important definitions.
Inside local address: The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by a service provider. Most likely a private address.
Inside global address: A legitimate IP address assigned by the service provider that represents one or more inside local IP addresses to the outside world.  
Outside local address: The IP address of an outside host as it is known to the hosts on the inside network.
Outside global address: The IP address assigned to a host on the outside network. The owner of the host assigns this address.

NAT: NAT, or “Network Address Translation”, can be broken down into the following definitions:
  • Static NAT: Maps an unregistered IP address to a registered (unique) IP address on a one-to-one basis.
    • The commands used to assign static NAT:
      • ip nat inside source static <Local IP> <Global IP>
        • <Local IP>: The local IP address assigned to a host on the inside network.
        • <Global IP>: The unique address of a local host as it appears to the internet / outside connections.

  • Dynamic NAT: Maps an unregistered IP address to a registered IP (unique) address from a group of registered IP addresses.
    • A problem with Dynamic NAT is that each user would require an IP address, which can be costly and, for the most part, inefficient. If you do not have enough public addresses for your network, some hosts will be unable to connect to external networks. Packets won’t travel outside the LAN; rather, IP request packets will be sent in place.
  • Overloading (PAT): Otherwise known as PAT (Port Address Translation), “Overloading” is a special type of Dynamic NAT that maps multiple unregistered IP addresses to a single global IP address by using different port numbers. PAT can support about 2^16 ports, which is more than 64,000 connections using one public IP address.
  • Overlapping: “Overlapping” is when the internal IP address belongs to a global IP address of another network. In that case, the internal IP address is hidden from the outside network to prevent duplication.
    • NAT Overlapping allows the use of internal global addresses by mapping them to globally unique IP addresses using either static or dynamic NAT.
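
The difference between Dynamic NAT and Overloading (PAT) described above, as an added example in Python that is not part of the original notes: a toy translation table in which three inside hosts share a two-address pool. The NatRouter class, the 192.168.10.x and 203.0.113.x addresses, and the sequential port allocation starting at 1024 are assumptions made for illustration, not IOS behaviour.

```python
import ipaddress

class NatRouter:
    """Toy model of inside-source translation (assumption: not how IOS is implemented)."""

    def __init__(self, pool_start, pool_end, overload=False):
        lo = int(ipaddress.IPv4Address(pool_start))
        hi = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.overload = overload
        self.pat_ip = self.free[0]  # simplification: PAT uses only the first pool address
        self.host_map = {}          # dynamic NAT: inside local IP -> inside global IP
        self.port_map = {}          # PAT: (inside local IP, port) -> global port
        self.reverse = {}           # PAT: global port -> (inside local IP, port)
        self.next_port = 1024       # simplification: ports handed out sequentially

    def translate_out(self, ip, port):
        """Translate an outbound source; None means the packet cannot be translated."""
        if self.overload:
            key = (ip, port)
            if key not in self.port_map:
                if self.next_port > 65535:   # all 2^16 port numbers used up
                    return None
                self.port_map[key] = self.next_port
                self.reverse[self.next_port] = key
                self.next_port += 1
            return (self.pat_ip, self.port_map[key])
        if ip not in self.host_map:
            if not self.free:                # pool exhausted: no address for this host
                return None
            self.host_map[ip] = self.free.pop(0)
        return (self.host_map[ip], port)

    def translate_in(self, ip, port):
        """Translate return traffic; None means no entry exists for it."""
        if self.overload:
            return self.reverse.get(port) if ip == self.pat_ip else None
        for local, glob in self.host_map.items():
            if glob == ip:
                return (local, port)
        return None

def demo():
    """Three constructed inside hosts share a two-address pool, without and with overload."""
    hosts = ["192.168.10.10", "192.168.10.11", "192.168.10.12"]
    dyn = NatRouter("203.0.113.1", "203.0.113.2")
    pat = NatRouter("203.0.113.1", "203.0.113.2", overload=True)
    return ([dyn.translate_out(h, 50000) for h in hosts],
            [pat.translate_out(h, 50000) for h in hosts])
```

Without overload the third host gets no translation because the pool is exhausted; with overload all three share one address on different ports, and return traffic is translated only when its destination port matches an existing entry.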

NAT General
  • Allows several hosts to be connected to the internet by using fewer global IP addresses.
  • NAT supports “load sharing” on inside machines, meaning the inside machines are accessed in a “round robin” fashion.
  • NAT is secure (to an extent) since IP addresses are not easily traceable. The actual host IP that is accessing the internet is translated into outside IP addresses and vice versa.
  • NAT provides protection against hacking (see the previous bullet).
  • A disadvantage of NAT is that network delays are increased for obvious reasons.
  • A disadvantage of NAT is that when an application uses physical IP addresses, it may not work, as NAT translates the physical addresses of hardware.
  • A disadvantage of NAT is that there's no end-to-end addressing, making it hard to track and sometimes blocking ports/etc.

NAT Configuration & Commands
When you are configuring NAT, an interface using NAT needs to be either “inside” or “outside”.
The commands to configure NAT with these settings are as follows:
Router(config-if)#ip nat inside -- For inside configuration.
Router(config-if)#ip nat outside -- For outside configuration.

Usually, the inside NAT is configured on an Ethernet interface, whereas outside NAT is normally on a Serial interface.

The command:
  ip nat inside source static <Local IP> <Global IP>
configures address translation for static NAT.

Whereas, the command:
  ip nat inside source list <access-list-number> pool <name>
is used to map the ACL to the IP NAT pool during the configuration of Dynamic NAT.

NAT in Action: Command Examples
The following command configures a static NAT translation by mapping the inside local address to the inside global address.
ip nat inside source static

What is happening when we use this command?
Here, is the inside local address, and is the inside global address. A packet’s source address is changed to by the NAT device.

Defining a standard IP access-list using the command:
access-list <access-list-number> {permit | deny} <local-ip-address>

Defining an IP NAT pool for the inside network using the command:
ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} [type rotary]
  • type rotary is an optional keyword. It indicates that the IP address range in the address pool identifies hosts among which TCP load is distributed.

Mapping the access-list to the IP NAT pool by using the command:
ip nat inside source list <access-list-number> pool <pool-name>

Enabling NAT on at least one inside and one outside interface using the command:
ip nat {inside | outside}
The syntax for enabling dynamic NAT to translate many inside hosts to an inside global IP address is:
ip nat inside source list <access-list-number> pool <pool-name> overload
  • <access-list-number> is the standard access list number
  • <pool-name> is the pool name
  • Note that the option 'overload' specifies a many-to-one relationship.
  • This configuration is typically used when many hosts with private IP addresses need to access the Internet through a specified globally unique IP address.

Notes / Small Review
True or False: The inside IP addresses eligible for address translation are defined in a standard IP access-list.
  • True, the inside IP addresses eligible for address translation are defined in an ACL.

True or False: Only packets moving between inside and outside networks will get translated.
  • True for both static and dynamic NAT. If a packet is destined for another host but does not need to cross the NAT boundary, the packet's source/destination addresses aren't translated.
    • Why are they not translated? Simple, since the packet is not crossing the network boundary, there is no NAT translation needed by the packet.

Images / Useful Notes

The following image (credit) shows the relationship between an internal and external connection range, both of which use PAT.

Port Translation of Inside Source Addresses
This is not a good example for a real-world setting, such as actual internet use, but it is helpful.

IOS Command Reference Examples
The following are the commands and descriptions to configure NAT on an IPv4 range.
Configure NAT for IPv4
For both static and dynamic NAT, designate interfaces as inside or outside:
R1(config)# interface fa0/0
  • typically designate all interfaces except the outside one

R1(config-if)# ip nat inside
  • designate this as an inside interface

R1(config)# interface serial 0/0/0
  • typically there is only one outside interface

R1(config-if)# ip nat outside
  • designate this as an outside interface

  • Static NAT requires only one statement. The IP addresses are inside / outside:
R1(config)# ip nat inside source static

  • Dynamic NAT may use a pool of ‘outside addresses’. If you do not use a pool, you will have to use the address on the outside interface. You can use ‘netmask’:
R1(config)# ip nat pool POOL-NAME netmask

  • You may choose to use ‘prefix-length’:
R1(config)# ip nat pool POOL-NAME prefix-length 29

  • Dynamic NAT requires an ACL to define which internal addresses can be NATted:
R1(config)# ip access-list standard NAT-ELIGIBLE
R1(config-std-nacl)# permit
  • Include all subnets!

  • Dynamic NAT can use the pool for outside addresses:
R1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME

  • Dynamic NAT can use the pool with overload to share outside addresses:
R1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload

  • Dynamic NAT can use the exit interface – almost always will use overload:
R1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload

R1# show ip nat translations
  • current translations; dynamic and static.

R1# show ip nat statistics
  • see # of active translations, role of interfaces, etc.

DHCP & NAT (Image)


  1. What's with the black background? It makes it hard to read.

    1. We've been testing out some themes and designs and have concluded a dark design is terrible for reasons like this. Apologies, anon. It has been fixed.

