Cisco Training 200-125 CCNA v3.0. Day 29 PAT and NAT

Today we will study PAT (Port Address Translation), a technique that translates IP addresses with the help of port numbers, and NAT (Network Address Translation), a technique that translates the IP addresses of transit packets. PAT is a special case of NAT. We will cover three topics:

- private, or internal (intranet, local) IP addresses and public, or external IP addresses;
- NAT and PAT;
- configuring NAT/PAT.

Let's start with internal Private IP addresses. We know that they are divided into three classes: A, B and C.

Class A internal addresses occupy the range from 10.0.0.0 to 10.255.255.255 (the network 10.0.0.0/8), while class A public addresses range from 1.0.0.0 to 9.255.255.255 and from 11.0.0.0 to 126.255.255.255 (127.0.0.0/8 is reserved for loopback).

Class B internal addresses range from 172.16.0.0 to 172.31.255.255, while external addresses range from 128.0.0.0 to 172.15.255.255 and from 172.32.0.0 to 191.255.255.255.

Class C internal addresses range from 192.168.0.0 to 192.168.255.255, while external addresses range from 192.0.0.0 to 192.167.255.255 and from 192.169.0.0 to 223.255.255.255.

The private blocks have different prefix lengths: the class A block is 10.0.0.0/8, the class B block is 172.16.0.0/12 and the class C block is 192.168.0.0/16 (these are the sizes of the private blocks, not of the classful networks; a single class B network is a /16 and a class C network a /24). Thus the public and private addresses of each class occupy different ranges.

We have repeatedly discussed what is the difference between private and public IP addresses. In general terms, if we have a router and a group of internal IP addresses, when they try to access the Internet, the router converts them to external IP addresses. Internal addresses are used exclusively on local networks, not on the Internet.

If I use the command line to view the network parameters of my computer, I see my internal LAN IP address 192.168.1.103 there.

In order to find out your public IP address, you can use an Internet service like "What is my IP"? As you can see, the computer's external address 78.100.196.163 is different from its internal address.

In all cases, my computer is visible on the Internet at the external IP address. So, the internal address of my computer is 192.168.1.103, and the external one is 78.100.196.163. The internal address is used only for local communication, you cannot access the Internet with it, for this you need a public IP address. You can remember why the division into private and public addresses was made by reviewing the Day 3 video tutorial.

Consider what NAT is. There are three types of NAT: static, dynamic, and "overloaded" NAT, or PAT.

There are four terms in Cisco's NAT terminology. As I said, NAT is a mechanism for translating internal addresses into external ones. If a device on the Internet receives a packet whose source is a private address, it cannot answer it: private ranges are not routed on the global Internet (and ISPs normally filter them), so such traffic is simply discarded. Therefore the device must appear under a public IP address to reach the Internet.
So, the first term is Inside Local, which means the IP address of the host in the internal, local network. Simply put, this is the primary source address like 192.168.1.10. The second term, Inside Global, is the IP address of the local host under which it is visible on the external network. In our case, this is the IP address of the external port of the router 200.124.22.10.

We can say that Inside Local is a private IP address, while Inside Global is a public IP address. Remember that the term Inside is used in relation to the source of the traffic, and Outside is used in relation to the destination of the traffic. Outside Local is the IP address of the host on the external network under which it is visible to the internal network. Simply put, this is the recipient's address as seen from the internal network. An example of such an address is the IP address 200.124.22.100 of a device located on the Internet.

Outside Global is the IP address of the host as seen on the outside network. In most cases, the Outside Local and Outside Global addresses look the same, because even after the translation, the destination IP address is visible to the source as it was before the translation.

Consider what static NAT is. Static NAT is a one-to-one translation of internal IP addresses to external ones. When devices send traffic to the Internet, their Inside Local addresses are translated to the public Inside Global addresses assigned to them.

We have 3 devices on our local network, and when they are about to go online, they each get their own Inside Global address. These addresses are statically assigned to traffic sources. The one-to-one principle means that if there are 100 devices on the local network, they receive 100 external addresses.

NAT was born to save the Internet, which was running out of public IP addresses. Thanks to NAT, many companies, many networks can have one common external IP address, into which the local addresses of devices will be converted when accessing the Internet. You can say that in this case of static NAT there is no savings in the number of addresses, since a hundred local computers are assigned a hundred external addresses, and you will be absolutely right. However, static NAT still has a number of advantages.

For example, we have a server with an internal IP address of 192.168.1.100. If some device on the Internet wants to contact it, it cannot do so using the internal address; it has to use the external server address 200.124.22.3. If static NAT is configured on the router, all traffic addressed to 200.124.22.3 is automatically forwarded to 192.168.1.100. This provides external access to devices on the local network, in this case to the company's web server, which may be necessary in some cases. Keep in mind that the static entry alone exposes every port of 192.168.1.100 to the Internet, so in practice you combine it with an access list on the outside interface that permits only the ports the server is meant to serve.

Consider dynamic NAT. It is very similar to static, but does not assign permanent external addresses to every local device. For example, we have 3 local devices and only 2 external addresses. If the second device wants to access the Internet, it will be assigned the first free IP address. If a web server wants to go online after it, the router will assign it a second available external address. If after that the first device wants to go to the external network, there will be no available IP address for it, and the router will drop its packet.

We can have hundreds of devices with internal IP addresses, and each of these devices can access the Internet. But since we do not have a static assignment of external addresses, no more than 2 devices out of a hundred will be able to access the Internet at the same time, because we have only two dynamically assigned external addresses.

Cisco devices have a translation timeout, which is 24 hours by default for dynamic entries (it is set with ip nat translation timeout). It can be changed to 1, 2, 3, 10 minutes, any value you want. After this time, external addresses are released and automatically returned to the pool. If at that moment the first device wants to go online and an external address is available, it will receive it. The router keeps a NAT table that is dynamically updated, and until the translation times out the assigned address stays with the device. Simply put, dynamic NAT works on a first come, first served basis.

Consider what is an overloaded NAT, or PAT. This is the most common type of NAT. There may be many devices on your home network - a PC, a smartphone, a laptop, a tablet, and they all connect to a router that has one external IP address. So, PAT allows many devices with internal IP addresses to simultaneously access the Internet under one external IP address. This is possible due to the fact that each private, internal IP address uses a specific port number during a communication session.
Suppose we have one public address 200.124.22.1 and many local devices. So, when accessing the Internet, all these hosts will receive the same address 200.124.22.1. The only thing that will distinguish them from each other is the port number.
If you remember the discussion about the transport layer, you know that the transport layer header carries port numbers, and the source port is an ephemeral number chosen by the host for each session.

Suppose there is a host on the external network with an IP address of 200.124.22.10 that is connected to the Internet. If computer 192.168.1.11 wants to contact computer 200.124.22.10, it will create a random source port of 51772. In this case, the destination port of the external network computer will be 80.

When the router receives a packet from the local computer directed to the external network, it translates the Inside Local address to the Inside Global address 200.124.22.1 and, in this example, assigns port number 23556. (IOS actually keeps the original source port when it is still free on the global address and picks a new one only on a collision; a new port is used here to make the translation visible.) The packet reaches the computer 200.124.22.10, which has to send back a response according to the handshake procedure; its destination will be 200.124.22.1, port 23556.

The router has a NAT translation table, so when it receives a packet from an external computer, it will determine the Inside Local address corresponding to the Inside Global address as 192.168.1.11:51772 and forward the packet to it. After that, the connection between the two computers can be considered established.
At the same time, you can have hundreds of devices using the same 200.124.22.1 address to communicate, but different port numbers, so that they can all access the Internet at the same time. This is why PAT is such a popular translation method.
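To make the three mechanisms concrete, here is a small Python model of the translation table such a router keeps. It is an added example written for this page, not code from the lesson or from Cisco: it uses the lab addresses from the page (192.168.1.0/24 behind a 200.124.22.x outside), models the "interesting traffic" match of a standard access list with a wildcard mask (the access-list 1 permit 192.168.1.0 0.0.0.255 used later on this page), the hits and misses counters of show ip nat statistics, and the translation timeout. Assumed rather than taken from the page: a colliding PAT source port is replaced by the lowest free port from 1024-65535, the original source port is kept when it is free, and every hit on an entry refreshes its timer (the default IOS behaviour). The security-relevant point it shows is the last one in each mode: only a static mapping lets traffic that the inside did not initiate through; a dynamic or PAT router drops any inbound packet that matches no existing entry.

```python
"""Toy model of a Cisco-style NAT table in its three modes: static, dynamic
pool and overload (PAT).  Added example for this page, not Cisco software.
Assumptions (not from the page): colliding PAT ports are replaced by the
lowest free port in 1024-65535; the source port is kept when free; a hit
refreshes the entry timer."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]  # (ip, port); port is None for address-only NAT


def acl_permits(addr: str, network: str, wildcard: str) -> bool:
    """Standard-ACL match with a Cisco wildcard mask: a 1 bit means 'ignore'.
    'access-list 1 permit 192.168.1.0 0.0.0.255' thus matches the whole /24."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class NatRouter:
    mode: str                                  # "static", "dynamic" or "overload"
    pool: List[str] = field(default_factory=list)           # inside global pool
    statics: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    acl: Tuple[str, str] = ("192.168.1.0", "0.0.0.255")     # the "interesting" traffic
    timeout: float = 86400                     # IOS default: dynamic entries live 24 h
    table: Dict[Key, Tuple[Key, float]] = field(default_factory=dict)  # local -> (global, expiry)
    reverse: Dict[Key, Key] = field(default_factory=dict)              # global -> local
    hits: int = 0                              # lookups that found an entry
    misses: int = 0                            # lookups that had to create one

    def expire(self, now: float) -> None:
        """Age out dynamic entries, as the translation timeout does on the router."""
        for local, (glob, expiry) in list(self.table.items()):
            if expiry <= now:
                del self.table[local]
                del self.reverse[glob]

    def clear(self) -> None:
        """'clear ip nat translation *': dynamic entries go, static mappings stay."""
        self.table.clear()
        self.reverse.clear()

    def _install(self, local: Key, glob: Key, now: float) -> Key:
        self.table[local] = (glob, now + self.timeout)
        self.reverse[glob] = local
        self.misses += 1
        return glob

    def _hit(self, local: Key, now: float) -> Key:
        glob = self.table[local][0]
        self.table[local] = (glob, now + self.timeout)  # refresh the timer
        self.hits += 1
        return glob

    def outbound(self, src_ip: str, src_port: int, now: float = 0.0) -> Optional[Key]:
        """Inside -> outside.  Returns the inside global (ip, port), the unchanged
        pair when nothing is translated, or None when the router drops the packet."""
        self.expire(now)
        if self.mode == "static":
            glob = self.statics.get(src_ip)
            if glob:
                self.hits += 1
            return (glob or src_ip, src_port)
        if not acl_permits(src_ip, *self.acl):
            return (src_ip, src_port)          # not interesting: forwarded untranslated
        if self.mode == "dynamic":
            key: Key = (src_ip, None)
            if key in self.table:
                return (self._hit(key, now)[0], src_port)
            in_use = {ip for ip, _ in self.reverse}
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                return None                    # pool exhausted: packet dropped
            return (self._install(key, (free[0], None), now)[0], src_port)
        # overload: one inside global address, sessions told apart by port
        key = (src_ip, src_port)
        if key in self.table:
            return self._hit(key, now)
        glob_ip, port = self.pool[0], src_port
        if (glob_ip, port) in self.reverse:    # port collision: pick a free one
            port = next(p for p in range(1024, 65536) if (glob_ip, p) not in self.reverse)
        return self._install(key, (glob_ip, port), now)

    def inbound(self, dst_ip: str, dst_port: int, now: float = 0.0) -> Optional[Key]:
        """Outside -> inside.  Only a static mapping accepts traffic the inside did
        not initiate; any other packet without a matching entry is dropped (None)."""
        self.expire(now)
        if self.mode == "static":
            for local_ip, glob in self.statics.items():
                if glob == dst_ip:
                    return (local_ip, dst_port)
            return None
        key: Key = (dst_ip, dst_port) if self.mode == "overload" else (dst_ip, None)
        local = self.reverse.get(key)
        if local is None:
            return None
        self.hits += 1
        return local if self.mode == "overload" else (local[0], dst_port)
```

With a two-address pool, NatRouter("dynamic", pool=["200.124.22.1", "200.124.22.2"]) hands the first two inside hosts an address, returns None for the third until an entry expires, and answers an unsolicited inbound packet with None; NatRouter("overload", pool=["200.124.22.2"]) gives two hosts that both chose source port 51772 the ports 51772 and 1024 on the same global address, and inbound() only resolves ports that are present in the table.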

Let's take a look at setting up static NAT. For any network, you first need to define the inside and outside interfaces. The diagram shows a router through which traffic is transmitted from port G0/0 to port G0/1, that is, from the internal network to the external network. Thus, we have an inside interface 192.168.1.1 and an outside interface 200.124.22.1.

To configure NAT, we go to the G0/0 interface, set ip address 192.168.1.1 255.255.255.0 and mark this interface as the inside one with the ip nat inside command.

Similarly, we configure NAT on the outgoing interface G0/1 by specifying ip address 200.124.22.1, subnet mask 255.255.255.0 and ip nat outside. Remember that dynamic NAT translation is always done from the ingress interface to the egress interface, from inside to outside. Naturally, for dynamic NAT, the response comes to the input interface through the output one, but when traffic is initiated, it is the in-out direction that works. In the case of static NAT, traffic can be initiated in any of the directions - in-out or out-in.

Next, we need to create the static NAT table, where each local address corresponds to a separate global address. In our case there are 3 devices, so the table consists of 3 entries, each giving the Inside Local address of the source and the Inside Global address it is translated to, for example: ip nat inside source static 192.168.1.10 200.124.22.1.
Thus, in static NAT, you manually write a translation for each local host address. Now I will go to Packet Tracer and make the settings described above.

At the top we have server 192.168.1.100, below is computer 192.168.1.10 and at the very bottom is computer 192.168.1.11. Port G0/0 of Router0 has an IP address of 192.168.1.1 and port G0/1 is 200.124.22.1. In the "cloud" representing the Internet, I placed Router1, which I assigned the IP address 200.124.22.10.

I go into the Router1 settings and type the debug ip icmp command. Now, as soon as the ping reaches this device, a debug message will appear in the settings window, showing what kind of packet it is.
Let's start configuring the Router0 router. I go into global settings mode and call interface G0/0. Next, I enter the ip nat inside command, then go to the g0/1 interface and enter the ip nat outside command. Thus, I assigned the input and output interfaces of the router. Now I need to manually configure the IP addresses, that is, transfer the rows of the table above to the settings:

ip nat inside source static 192.168.1.10 200.124.22.1
ip nat inside source static 192.168.1.11 200.124.22.2
ip nat inside source static 192.168.1.100 200.124.22.3

Now I'm going to ping Router1 from each of our devices and see which source IP address shows up on the pings it receives. To do this, I position the open Router1 CLI window on the right side of the screen so that I can see the debug messages. Now I go to the PC0 command line terminal and ping the address 200.124.22.10. After that, a message appears in the window that the ping was received from the IP address 200.124.22.1. This means that the local machine's IP address 192.168.1.10 has been translated to the global address 200.124.22.1.

I do the same with the next local computer and see that its address has been translated to 200.124.22.2. Then I send a ping from the server and see the address 200.124.22.3.
Thus, when traffic from a LAN device reaches a router configured with static NAT, the router converts the local IP address to a global one according to the table and sends the traffic to the external network. To check the NAT table, I issue the show ip nat translations command.

Now we can view all the translations the router makes. The first column, Inside Global, is the translated address, that is, the address under which the device is visible from the external network; next comes the Inside Local address, the device's address on the local network. The third column shows the Outside Local and the fourth the Outside Global address; they are identical because we are not translating the destination address. As you can see, after a few seconds the table was cleared, because the translation timeout for ICMP entries is short.

I can ping the server from Router1 at 200.124.22.3, and if I go back to Router0, I can see that the table is again filled with four ping entries whose destination address has been translated to 192.168.1.100.

As I said, even after the dynamic entries have aged out, traffic initiated from an external source is still translated, because the static mapping is permanent. This only works with static NAT.

Now let's look at how dynamic NAT works. In our example, there are 2 public addresses for three LAN devices, but there may be tens or hundreds of such private hosts. At the same time, only 2 devices can access the Internet at the same time. Let's consider what, besides this, is the difference between static and dynamic NAT.

As in the previous case, you first need to determine the inside and outside interfaces of the router. Next, we create a kind of access list, but it is not used the way the ACLs in the previous lesson were: here the access list identifies the traffic we want to translate. This is where the term "interesting traffic" comes in. This is traffic that you are interested in for some reason, and when traffic matches the conditions of the access list, it is NATed, that is, translated. The term is used in many contexts; in the case of a VPN, for example, "interesting" refers to the traffic that is to be sent through the VPN tunnel.

We must create an ACL that identifies the interesting traffic; in our case it is the traffic of the entire network 192.168.1.0, which is written together with the wildcard mask 0.0.0.255.

Next, we must create a NAT pool with the command ip nat pool <pool name>, giving it the address range 200.124.22.1 200.124.22.2. This means that we provide only two external IP addresses. The command ends with the netmask keyword and the subnet mask 255.255.255.252. The netmask tells the router which subnet the pool addresses belong to, so that it never hands out the network or broadcast address of that subnet. For a pool that fills its subnet, the last octet of the mask is 255 minus the number of pool addresses minus 1 (255 - 2 - 1 = 252 here), so a pool of 254 addresses gets the mask 255.255.255.0. This is an important setting, so be sure to enter the correct netmask value when setting up dynamic NAT.

Next, we use the command that actually starts translation: ip nat inside source list 1 pool NWKING, where NWKING is the name of the pool and list 1 refers to ACL number 1. Remember that the dynamic address pool and the access list must exist before this command will work.

So, under our conditions, the first device that wants to access the Internet will be able to do this, the second device too, but the third one will have to wait until one of the pool addresses is free. Setting up dynamic NAT consists of 4 steps: defining the input and output interface, identifying “interesting” traffic, creating a NAT pool, and actually setting it up.
Now we will move on to Packet Tracer and try to set up dynamic NAT. First we must remove the static NAT settings, for which we enter the following commands in sequence:

no ip nat inside source static 192.168.1.10 200.124.22.1
no ip nat inside source static 192.168.1.11 200.124.22.2
no ip nat inside source static 192.168.1.100 200.124.22.3

Next, I create a List 1 access list for the whole network with the access-list 1 permit 192.168.1.0 0.0.0.255 command and form a NAT pool with the ip nat pool NWKING 200.124.22.1 200.124.22.2 netmask 255.255.255.252 command. In this command, I specified the name of the pool, the addresses that it includes, and the netmask.

Then I specify which NAT it is, inside or outside, and where NAT should take its source addresses from, in our case the list: ip nat inside source list 1. After that, the context help shows whether you want a whole pool or a specific interface. I choose pool because we have more than one external address. If you select interface, you must name the port whose IP address is to be used. In its final form the command is: ip nat inside source list 1 pool NWKING. Right now this pool consists of the two addresses 200.124.22.1 and 200.124.22.2, but you can freely change them or add addresses that are not tied to a specific interface.

You must make sure that routing on the outside is set up so that every address in the pool is routed back to this router; otherwise you will not receive return traffic. To check that the configuration works, we repeat the ping procedure to the cloud router that we carried out for static NAT: I open the Router1 window to watch the debug messages and ping it from each of the 3 devices.

We see that the source addresses of the ping packets correspond to the settings. At the same time, the ping from PC0 does not work, because no free external address was left for it. If you look at the translation table on Router0, you can see that both pool addresses, 200.124.22.1 and 200.124.22.2, are currently in use. Now I clear the translations, and you can see the entries disappear one by one. I ping again from PC0, and as you can see, everything works now, because it was able to get the freed external address 200.124.22.1.

How do I clear the NAT table and cancel the translations that have been set up? We go to Router0 and type the command clear ip nat translation * with an asterisk at the end of the line. If we now look at the translations with show ip nat translations, the router shows an empty table.

To view NAT statistics, use the show ip nat statistics command.

This is a very useful command that shows the total number of translations, broken down into dynamic and static entries and, for PAT, extended entries. You can see that it is 0 because we cleared the translations with the previous command. It also displays the inside and outside interfaces, the hits and misses counters, and the access list and pool in use. Note what these counters mean in IOS: a hit is a packet that matched an existing translation entry, and a miss is a packet for which no entry existed yet and the router had to try to create one. A miss is therefore a normal part of every new session and does not by itself indicate that an internal host went without a free external address.

We now move on to the most popular form of address translation, overloaded NAT, or PAT. To set up PAT, you follow the same steps as for dynamic NAT: determine the inside and outside interfaces of the router, identify "interesting" traffic, create a NAT pool, and configure PAT. We could create the same pool of several addresses as in the previous case, but this is not necessary, because PAT uses the same external address all the time. The only difference between configuring dynamic NAT and PAT is the overload keyword at the end of the last configuration command. With that keyword, dynamic NAT turns into PAT.

In that case you put only one address in the NWKING pool, for example 200.124.22.1, specifying it twice as the start and end address with the netmask 255.255.255.0. It is simpler still to use the interface keyword instead of a pool and point at G0/1, whose fixed address is 200.124.22.1, in place of the line ip nat pool NWKING 200.124.22.1 200.124.22.1 netmask 255.255.255.0. In this case, all local addresses are translated to that IP address when accessing the Internet.

You can also use any other IP address in the pool, not necessarily one assigned to a physical interface. In that case, however, you must make sure that the routers upstream deliver return traffic for that address to the device you have chosen. A drawback of NAT is that it breaks end-to-end addressing: the remote host only ever sees the translated address, and with dynamic translation the mapping behind it can expire or be given to another host, so you have to be sure the chosen address stays bound to the session for as long as it lasts.

Let's look at it in Packet Tracer. First I must remove the dynamic NAT with the command no ip nat inside source list 1 pool NWKING and the pool with the command no ip nat pool NWKING 200.124.22.1 200.124.22.2 netmask 255.255.255.252.

Then I create the PAT pool with the command ip nat pool NWKING 200.124.22.2 200.124.22.2 netmask 255.255.255.255. This time I am using an IP address that does not belong to the physical interface, because the interface has the address 200.124.22.1 and I want to use 200.124.22.2. This works in our case because Router1 sits in the same directly connected subnet 200.124.22.0/24 and the NAT router answers ARP for the addresses of its pool on the outside interface.

Next, I configure PAT with the command ip nat inside source list 1 pool NWKING overload. After entering this command, PAT is active. To check that the setup is correct, I go to our devices, the server and the two computers, and from PC0 ping Router1 at 200.124.22.10. In the router's window, the debug lines show that the source of the ping, as we expected, is the IP address 200.124.22.2. The pings sent by PC1 and Server0 come from the same address.

Let's see what happens in the lookup table of Router0. You can see that all conversions are successful, each device is assigned its own port, and all local addresses are associated with Router1 through the pool IP address 200.124.22.2.

I use the show ip nat statistics command to view PAT statistics.

We see that the total number of conversions, or address translations, is 12, we see the characteristics of the pool and other information.

Now I will do something else: I enter the command ip nat inside source list 1 interface GigabitEthernet0/1 overload. If you then ping the router from PC0, you can see that the packet came from the address 200.124.22.1, that is, from the physical interface! This is the easier way: if you do not want to create a pool, which is most often the case with home routers, you can use the IP address of the router's physical interface as the external NAT address. This is how your private host address is most often translated to the public network.
Today we have learned a very important topic, so you need to practice it. Use Packet Tracer to test your theoretical knowledge in solving practical NAT and PAT configuration problems. We have come to the end of the ICND1 topic, the first exam of the CCNA course, so I will probably dedicate the next video lesson to debriefing.

Source: habr.com