Network Address Translation (NAT)

Network Address Translation (NAT) is similar to Classless Inter-Domain Routing (CIDR) in that the original intention for NAT was to slow the depletion of available IP address space by allowing multiple private IP addresses to be represented by a much smaller number of public IP addresses.
NAT greatly reduces the number of public IP addresses an organization needs. It also comes in handy when two companies with overlapping internal addressing schemes merge, and when an organization changes its Internet service provider (ISP) but the network manager wants to avoid renumbering the internal address scheme.

Here’s a list of situations when NAT can be useful:
1. When you need to connect to the Internet and your hosts don’t have globally unique IP addresses.
2. When you’ve changed to a new ISP that requires you to renumber your network.
3. When you need to merge two intranets with duplicate addresses.

Types of Network Address Translation

Static NAT: This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network that needs to be translated, and the mapping never changes.

Dynamic NAT: This version gives you the ability to map an unregistered (private) IP address to a registered IP address taken from a pool of registered addresses. You don’t have to statically configure your router to map each inside address to an individual outside address as you would using static NAT, but you do have to have enough real IP addresses in the pool for everyone who’s going to be sending packets to and receiving them from the Internet at the same time. Once the pool is empty, new inside hosts cannot be translated until a binding times out.

Overloading (PAT): This is the most popular type of NAT configuration. Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one). The router keeps the sessions apart by using different source ports, so thousands of inside hosts can share one public address.

Network Address Translation (NAT) Terms

Inside Local: Address of the source host on the inside network before translation. This is usually a private (RFC 1918) address.

Inside Global: Address of the inside host as it appears to the outside network after translation. This is a routable Internet address, usually the address of the router interface connected to the ISP or one taken from a NAT pool.

Outside Local: Address of the outside (Internet) host as it appears to the inside network. Unless you are also translating outside addresses, this is the same as the outside global address.

Outside Global: Address of the outside destination host as assigned by its owner, that is, the real Internet address.
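To make the three NAT types and the four address terms concrete, here is a small Python model of inside source NAT, added as an example (it is not code from the page and not Cisco IOS behaviour, only a model of it). It translates outbound flows from an inside local to an inside global address for static, dynamic and overload (PAT) modes, and maps replies back. The pool addresses, the 10.1.1.0/24 "interesting" range and the port allocator are assumptions for the example; real IOS picks translated ports by its own rules.

```python
"""Model of Cisco-style inside source NAT: static, dynamic (pooled) and overload (PAT)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str            # inside local before translation, inside global after
    sport: int
    dst: str            # outside global address of the Internet host
    dport: int
    proto: str = "tcp"


class PoolExhausted(Exception):
    """Dynamic NAT has no free inside global address left for a new inside host."""


class InsideSourceNat:
    def __init__(self, mode: str, pool: List[str], interesting: Optional[str] = None,
                 static_map: Optional[Dict[str, str]] = None) -> None:
        assert mode in ("static", "dynamic", "overload")
        self.mode = mode
        self.free = list(pool)                                    # unused inside global addresses
        self.interesting = IPv4Network(interesting) if interesting else None  # plays the role of the ACL
        self.static_map = dict(static_map or {})                  # inside local -> inside global
        self.addr_map: Dict[str, str] = {}                        # dynamic one-to-one bindings
        self.pat_map: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # (proto, local, lport) -> (global, gport)
        self.used_ports: set = set()                              # (proto, gport) taken on the shared global address

    def _is_interesting(self, local: str) -> bool:
        return self.interesting is not None and IPv4Address(local) in self.interesting

    def _next_port(self, proto: str) -> int:
        # Assumption: lowest free port from 1024 upward; IOS allocation differs in detail.
        port = 1024
        while (proto, port) in self.used_ports:
            port += 1
        return port

    def translate(self, f: Flow) -> Flow:
        """Outbound packet: rewrite the inside local source into an inside global one."""
        if self.mode == "static":
            g = self.static_map.get(f.src)
            return f if g is None else Flow(g, f.sport, f.dst, f.dport, f.proto)
        if not self._is_interesting(f.src):
            return f                      # not selected by the ACL: leaves untranslated
        if self.mode == "dynamic":
            if f.src not in self.addr_map:
                if not self.free:
                    raise PoolExhausted(f"no inside global address left for {f.src}")
                self.addr_map[f.src] = self.free.pop(0)
            return Flow(self.addr_map[f.src], f.sport, f.dst, f.dport, f.proto)
        # overload: everyone shares free[0]; sessions are told apart by source port
        key = (f.proto, f.src, f.sport)
        if key not in self.pat_map:
            g = self.free[0]
            port = f.sport if (f.proto, f.sport) not in self.used_ports else self._next_port(f.proto)
            self.used_ports.add((f.proto, port))
            self.pat_map[key] = (g, port)
        g, port = self.pat_map[key]
        return Flow(g, port, f.dst, f.dport, f.proto)

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Inbound reply: map the inside global destination back to the inside local host."""
        table = self.static_map if self.mode == "static" else self.addr_map
        if self.mode in ("static", "dynamic"):
            for local, g in table.items():
                if g == reply.dst:
                    return Flow(reply.src, reply.sport, local, reply.dport, reply.proto)
            return None
        for (proto, local, lport), (g, gport) in self.pat_map.items():
            if proto == reply.proto and g == reply.dst and gport == reply.dport:
                return Flow(reply.src, reply.sport, local, lport, proto)
        return None                       # no state for this packet: dropped, not forwarded inside
```

Note that the model is stateful in the same way a router is: dynamic and PAT bindings exist only after an inside host has sent something, so an unsolicited inbound packet finds no entry and `untranslate` returns `None`. That is also why a third host behind a two-address dynamic pool raises `PoolExhausted`, while PAT keeps accepting new hosts by handing out new source ports.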

Static NAT Configuration

ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
In the preceding router output, the ip nat inside source command identifies which IP addresses will be translated. In this configuration example, the ip nat inside source command configures a static translation between the inside local IP address 10.1.1.1 and the inside global IP address 170.46.2.2, so packets from 10.1.1.1 leave Serial0 with a source of 170.46.2.2 and packets arriving for 170.46.2.2 are delivered to 10.1.1.1.

Scrolling farther down in the configuration, we find an ip nat command under each interface. The ip nat inside command identifies that interface as the inside interface, and the ip nat outside command identifies that interface as the outside interface; NAT only happens for packets crossing from one to the other, so a missing or misplaced ip nat inside/outside statement is a common reason translations never appear. When you look back at the ip nat inside source command, you can see that it translates the source address of packets entering on the inside interface (inside local to inside global). You could also use the command like this: ip nat outside source. That option translates the source address of packets entering on the outside interface (outside global to outside local), which is what you use when the outside network's addresses overlap with your own.

Dynamic NAT Configuration

ip nat pool thelanbook 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool thelanbook
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
The ip nat inside source list 1 pool thelanbook command tells the router to translate IP addresses that match access-list 1 to an address found in the IP NAT pool named thelanbook. Here the ACL isn’t there to filter traffic for security reasons by permitting or denying it. In this case, it’s there to select or designate what we often call interesting traffic. When a packet matches a permit entry in the access list, it’s pulled into the NAT process to be translated; packets that don’t match are forwarded untranslated, not dropped. This is actually a common use for access lists, which aren’t always stuck with the dull job of blocking traffic at an interface!

The command ip nat pool thelanbook 170.168.2.3 170.168.2.254 netmask 255.255.255.0 creates a pool of addresses that will be handed out to inside hosts that require global addresses. Here the pool holds 252 addresses (.3 through .254). When troubleshooting NAT for the Cisco objectives, always check this pool to confirm that there are enough addresses in it to provide translation for all the inside hosts that can be active at once; access-list 1 admits a whole /24, so without overload a pool this size can still run dry. Last, check to make sure the pool names match exactly on both lines.
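The two checks just described (pool name matches on both lines, pool large enough for the hosts the ACL admits) are easy to get wrong by hand, so here is an added Python checker that reads a Cisco-style configuration and reports them, plus a missing ip nat inside/outside interface. This is example code, not a Cisco tool, and the sample configurations embedded below are constructed copies of the dynamic NAT and PAT configurations on this page, including a version with the pool name mistyped as "todd". The host count it derives from a wildcard mask is a worst case and assumes each permit entry describes a whole subnet.

```python
import re
from ipaddress import IPv4Address

# Constructed sample configs: the page's dynamic NAT example with a mistyped pool
# name, a corrected copy, and the page's PAT example.
DYNAMIC_MISTYPED = """\
ip nat pool thelanbook 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
"""
DYNAMIC_FIXED = DYNAMIC_MISTYPED.replace("pool todd", "pool thelanbook")
PAT = """\
ip nat pool thelanbook 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool thelanbook overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
SRC_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)(\s+overload)?")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+)(?: (\S+))?")


def acl_host_capacity(entries):
    """Worst-case number of inside hosts the permit entries can pull into NAT.

    A 1 bit in a wildcard mask is a "don't care" bit, so an entry matches
    2**popcount(wildcard) addresses. Assumption: a subnet-sized entry loses
    its network and broadcast addresses, as for the /24 on the page.
    """
    total = 0
    for _net, wildcard in entries:
        matched = 2 ** bin(int(IPv4Address(wildcard or "0.0.0.0"))).count("1")
        total += matched - 2 if matched >= 4 else matched
    return total


def check_nat_config(config):
    """Return a list of findings (empty list means the checks passed)."""
    pools, acls, rules = {}, {}, []
    inside = outside = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, start, end, _mask = m.groups()
            pools[name] = int(IPv4Address(end)) - int(IPv4Address(start)) + 1
        elif m := SRC_RE.match(line):
            acl, pool, overload = m.groups()
            rules.append((acl, pool, overload is not None))
        elif m := ACL_RE.match(line):
            acl, net, wildcard = m.groups()
            acls.setdefault(acl, []).append((net, wildcard))
        elif line == "ip nat inside":
            inside = True
        elif line == "ip nat outside":
            outside = True
    findings = []
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    for acl, pool, overload in rules:
        if pool not in pools:
            findings.append(f"pool '{pool}' is not defined (defined: {', '.join(pools) or 'none'})")
            continue
        if acl not in acls:
            findings.append(f"access-list {acl} is referenced but never defined")
            continue
        need, have = acl_host_capacity(acls[acl]), pools[pool]
        if not overload and have < need:
            findings.append(f"pool '{pool}' holds {have} addresses but access-list {acl} "
                            f"can admit {need} hosts; add addresses or use overload")
    return findings


if __name__ == "__main__":
    for label, cfg in (("mistyped", DYNAMIC_MISTYPED), ("fixed", DYNAMIC_FIXED), ("pat", PAT)):
        print(label, check_nat_config(cfg) or "ok")
```

Run against the mistyped configuration it reports only the undefined pool; against the corrected one it reports that 252 pool addresses cannot cover the 254 hosts a 10.1.1.0/24 ACL can admit; the PAT configuration passes because overload removes the one-address-per-host requirement. On the router itself, show ip nat translations and show ip nat statistics are the commands that confirm whether bindings are actually being created.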

Overloading (PAT) Configuration

ip nat pool thelanbook 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool thelanbook overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

The nice thing about PAT is that these are the only differences between this configuration and the previous dynamic NAT configuration:
- Our pool of addresses has shrunk to only one IP address.
- We included the overload keyword at the end of our ip nat inside source command.