Tuesday, 11 February 2014

NAT / PAT ON CISCO

NAT / PAT Configuration on Cisco
How to configure NAT and PAT on Cisco?

NAT/PAT Technique Behind Private and Public IP Communication:
Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device.

When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for multicasting, testing or other special uses, which we have discussed in our previous articles on IP addressing/Subnetting.


With the explosion of the Internet and the growth of home and business networks, the number of available IPv4 addresses is simply not enough. The long-term fix is a redesigned address format with far more addresses, IPv6, but its rollout takes years because it requires changes across the entire infrastructure of the Internet.


This is where NAT comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or “public network”) and a local (or “private”) network. This means that only a single, unique IP address is required to represent an entire group of computers.
But the shortage of IP addresses is only one reason to use NAT. In this article, you will learn more about how NAT can benefit you. But first, let’s take a closer look at NAT and exactly what it can do.


It is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address, or in some cases a small group of IP addresses, in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. RFC 2663 uses the term NAPT (Network Address and Port Translation) for this type of NAT. Other names include PAT (Port Address Translation), IP masquerading, NAT Overload and many-to-one NAT. Since this is the most common type of NAT it is often referred to simply as NAT.


Most NAT devices also allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding, and it allows traffic originating in the "outside" network to reach designated hosts. Each such entry is a deliberate exception to the default behaviour of dropping unsolicited inbound traffic, so the forwarded host is exposed to every address on the outside network unless an access list in front of it says otherwise.


In the mid-1990s, NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a common, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.


Network address translation has serious drawbacks in terms of the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.

What Does NAT Do?
NAT is like the receptionist in a large office. Let’s say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.


The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.


First described in RFC 1631 (1994), Network Address Translation is performed by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has several forms and can work in several ways:


Static NAT - Maps an unregistered (private) IP address to a registered (public) IP address on a one-to-one basis. It is particularly useful when a device needs to be reachable from outside the network, because the entry never times out and works in both directions. In the example below, the inside host 192.168.1.10 is always presented to the outside as 202.1.13.10, and packets arriving for 202.1.13.10 are delivered to 192.168.1.10.

Router(config)# ip nat inside source static 192.168.1.10 202.1.13.10
! static binding: inside host 192.168.1.10 <-> public address 202.1.13.10
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/0
Router(config-if)# ip address 202.1.13.1 255.255.255.0
Router(config-if)# ip nat outside


Dynamic NAT - Maps an unregistered IP address to a registered IP address taken from a pool of registered IP addresses. The entry is created when an inside host first sends traffic to the outside and is removed after it idles out; ports are not changed. In the example below, the computer with the IP address 192.168.1.10 will be translated to the first available address in the range from 202.1.13.10 to 202.1.13.15, and once all six addresses are in use, packets from further inside hosts are dropped until an entry times out.

Router(config)# ip nat pool cisco 202.1.13.10 202.1.13.15 netmask 255.255.255.0
! pool of six public addresses handed out on demand
Router(config)# ip nat inside source list 1 pool cisco
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/0
Router(config-if)# ip address 202.1.13.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
! ACL 1 selects which inside addresses may be translated


Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different source ports. This is also known as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT. The pool in the example below contains a single address (its start and end are the same), and the overload keyword tells the router to keep reusing it and distinguish flows by port; in practice the pool is often replaced by the outside interface itself (ip nat inside source list 1 interface Serial0/0 overload), which is handy when the public address is assigned dynamically.
Router(config)# ip nat pool cisco 202.1.13.10 202.1.13.10 netmask 255.255.255.0
! single-address pool; overload multiplexes every inside host onto it
Router(config)# ip nat inside source list 1 pool cisco overload
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface Serial0/0
Router(config-if)# ip address 202.1.13.1 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
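To make the difference between the dynamic NAT and overload configurations above concrete, and to show the translation-table behaviour described earlier (return packets mapped back, unsolicited inbound packets dropped, a static entry acting as port forwarding), here is a small Python model. It is an added example written for this article, not Cisco IOS code and not from the original page; the NatRouter and Packet classes, the demo function, and every address and port in it are constructed for illustration. Addresses follow the examples above, with 203.0.113.0/24 and 198.51.100.0/24 standing in for outside hosts.

```python
"""Toy model of a Cisco-style NAT translation table (added example, not IOS code).

Models three things from the article above, with constructed addresses:
  * dynamic NAT from a pool: one public address per inside host, ports kept,
    packets dropped once the pool is empty
  * PAT / overload: one public address, a fresh source port per flow, replies
    mapped back through the table
  * a static entry (port forwarding): the only way an unsolicited inbound
    packet gets through
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, pool, overload=False, inside_net="192.168.1."):
        self.pool = list(pool)        # public addresses, like 'ip nat pool ...'
        self.overload = overload      # True = PAT: reuse pool[0], vary the port
        self.inside_net = inside_net  # stands in for 'access-list 1 permit ...'
        self.next_port = 1024         # next translated source port for PAT
        self.table = {}               # inside (ip, port) -> global (ip, port)
        self.reverse = {}             # global (ip, port) -> inside (ip, port)
        self.static_out = {}          # permanent inside -> global entries
        self.static_in = {}           # permanent global -> inside entries

    def add_static(self, inside_ip, inside_port, global_ip, global_port):
        """Permanent entry, as 'ip nat inside source static tcp ...' would create."""
        self.static_out[(inside_ip, inside_port)] = (global_ip, global_port)
        self.static_in[(global_ip, global_port)] = (inside_ip, inside_port)

    def _allocate(self, inside_ip, inside_port):
        """Pick the global (ip, port) for a new inside flow; None if nothing is free."""
        if self.overload:
            entry = (self.pool[0], self.next_port)
            self.next_port += 1
            return entry
        # dynamic NAT: a host keeps one global address for all of its flows
        for (ip, _), (gip, _) in self.table.items():
            if ip == inside_ip:
                return (gip, inside_port)
        in_use = {gip for gip, _ in self.table.values()}
        free = [a for a in self.pool if a not in in_use]
        return (free[0], inside_port) if free else None

    def outbound(self, pkt):
        """Packet from the 'ip nat inside' side heading out; None means dropped."""
        if not pkt.src_ip.startswith(self.inside_net):
            return pkt  # not matched by the ACL: forwarded untranslated
        key = (pkt.src_ip, pkt.src_port)
        if key in self.static_out:
            gip, gport = self.static_out[key]
        else:
            if key not in self.table:
                entry = self._allocate(*key)
                if entry is None:
                    return None  # pool exhausted: the packet is dropped
                self.table[key] = entry
                self.reverse[entry] = key
            gip, gport = self.table[key]
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Packet arriving on the 'ip nat outside' side; None means dropped."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self.static_in:     # port forwarding: always reachable
            iip, iport = self.static_in[key]
        elif key in self.reverse:     # reply to a flow opened from inside
            iip, iport = self.reverse[key]
        else:
            return None               # no table entry: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, iip, iport, pkt.proto)


def demo():
    """Run constructed traffic through a PAT router and a dynamic-NAT router."""
    pat = NatRouter(pool=["202.1.13.10"], overload=True)
    pat.add_static("192.168.1.10", 80, "202.1.13.10", 80)  # publish an inside web server
    a = pat.outbound(Packet("192.168.1.10", 40000, "203.0.113.53", 53, "udp"))
    b = pat.outbound(Packet("192.168.1.11", 40000, "203.0.113.53", 53, "udp"))
    reply_a = pat.inbound(Packet("203.0.113.53", 53, a.src_ip, a.src_port, "udp"))
    reply_b = pat.inbound(Packet("203.0.113.53", 53, b.src_ip, b.src_port, "udp"))
    unsolicited = pat.inbound(Packet("198.51.100.7", 5555, "202.1.13.10", 3389))
    forwarded = pat.inbound(Packet("198.51.100.7", 5555, "202.1.13.10", 80))

    dyn = NatRouter(pool=["202.1.13.10", "202.1.13.11"], overload=False)
    d1 = dyn.outbound(Packet("192.168.1.10", 40000, "203.0.113.53", 53))
    d1b = dyn.outbound(Packet("192.168.1.10", 40001, "203.0.113.53", 53))  # same host, same global IP
    d2 = dyn.outbound(Packet("192.168.1.11", 40000, "203.0.113.53", 53))
    d3 = dyn.outbound(Packet("192.168.1.12", 40000, "203.0.113.53", 53))  # pool exhausted
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "forwarded": forwarded,
            "d1": d1, "d1b": d1b, "d2": d2, "d3": d3}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt if pkt else 'dropped'}")
```

Two inside hosts using the same source port 40000 both leave the PAT router as 202.1.13.10, told apart only by the translated ports 1024 and 1025, which is exactly why the router must keep the table to route the replies. The inbound packet to port 3389 is dropped because nothing inside asked for it, while the one to port 80 is delivered through the static entry; the dynamic-NAT router hands out its two addresses and then drops the third host.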


Overlapping – When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the “internal” addresses to registered unique addresses, as well as translate the “external” registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.


The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn’t travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.

NAT Verification:
Router# show ip nat translations
Router# debug ip nat

show ip nat translations lists the current entries (inside local, inside global, outside local and outside global addresses); debug ip nat logs every translated packet and should be used sparingly on a busy router. You can use clear ip nat translation * to clear all dynamic entries from the NAT table; static entries stay.
