To access the Internet, one public IP address is needed, but we can use a private IP address in our private network. The idea of NAT is to allow multiple devices to access the Internet through a single public address. To achieve this, the translation of private IP address to a public IP address is required. Network Address Translation (NAT) is a process in which one or more local IP address is translated into one or more Global IP address and vice versa in order to provide Internet access to the local hosts. Also, it does the translation of port numbers i.e. masks the port number of the host with another port number, in the packet that will be routed to the destination. It then makes the corresponding entries of IP address and port number in the NAT table. NAT generally operates on router or firewall.
Generally, the border router is configured for NAT i.e the router which has one interface in local (inside) network and one interface in the global (outside) network. When a packet traverse outside the local (inside) network, then NAT converts that local (private) IP address to a global (public) IP address. When a packet enters the local network, the global (public) IP address is converted to a local (private) IP address. If NAT run out of addresses, i.e., no address is left in the pool configured then the packets will be dropped and an Internet Control Message Protocol (ICMP) host unreachable packet to the destination is sent.
Why mask port numbers?
Example, in a network, two hosts A and B are connected. Now, both of them request for the same destination, on the same port number, say 1000, on the host side, at the same time. If NAT does an only translation of IP addresses, then when their packets will arrive at the NAT, both of their IP addresses would be masked by the public IP address of the network and sent to the destination. Destination will send replies on the public IP address of the router. Thus, on receiving a reply, it will be unclear to NAT as to which reply belongs to which host (because source port numbers for both A and B are same). Hence, to avoid such a problem, NAT masks the source port number as well and makes an entry in the NAT table.
NAT inside and outside addresses
Inside refers to the addresses which must be translated. Outside refers to the addresses which are not in control of an organization. These are the network Addresses in which the translation of the addresses will be done.
- Inside local address – An IP address that is assigned to a host on the Inside (local) network. The address is probably not a IP address assigned by the service provider i.e., these are private IP address. This is the inside host seen from the inside network.
- Inside global address – IP address that represents one or more inside local IP addresses to the outside world. This is the inside host as seen from the outside network.
- Outside local address – This is the actual IP address of the destination host in the local network after translation.
- Outside global address – This is the outside host as seen form the outside network. It is the IP address of the outside destination host before translation.
Network Address Translation (NAT) Types
There are 3 ways to configure NAT:
Static NAT
In this, a single unregistered (Private) IP address is mapped with a legally registered (Public) IP address i.e one-to-one mapping between local and global address. This is generally used for Web hosting. These are not used in organizations as there are many devices who will need Internet access and to provide Internet access, the public IP address is needed.
Suppose, if there are 3000 devices who need access to the Internet, the organisation have to buy 3000 public addresses that will be very costly.
CONFIGURATION
Here is a small topology in which there is PC having IP address 192.168.1.1/24, Router R1 having IP address 192.168.1.2/24 on interface fa0/0, 12.1.1.1/24 on fa0/1 and server having IP address 73.1.1.2/24. Now, inside local and inside global are shown in the figure. Configuring the static NAT through command ip nat inside source static INSIDE_LOCAL_IP_ADDRESS INSIDE_GLOBAL_IP_ADDRESS.
R1(config)# ip nat inside source static 192.168.1.1 12.1.1.1
Now, we have configure router’s inside interface as IP NAT inside and outside interface as IP NAT outside.
R1(config)# int fa0/0
R1(config-if)# ip nat inside
R1(config)# int fa0/1
R1(config-if)# ip nat outside
Dynamic NAT
In this type of NAT, an unregistered IP address is translated into a registered (Public) IP address from a pool of public IP address. If the IP address of pool is not free, then the packet will be dropped as an only a fixed number of private IP address can be translated to public addresses.
Suppose, if there is a pool of 2 public IP addresses then only 2 private IP addresses can be translated at a given time. If 3rd private IP address wants to access Internet then the packet will be dropped therefore many private IP addresses are mapped to a pool of public IP addresses. NAT is used when the number of users who wants to access the Internet is fixed. This is also very costly as the organisation have to buy many global IP addresses to make a pool. (In this type of NAT, multiple private IP address are mapped to a pool of public IP address . It is used when we know the number of fixed users wants to access the Internet at a given point of time)
CONFIGURATION
There is PC having IP address 192.168.1.1/24, Router R1 having IP address 192.168.1.2/24 on interface fa0/0, 12.1.1.1/24 on fa0/1 and server having IP address 73.1.1.2/24.
Now, first configuring the access-list:
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Configuring the nat pool from which a public IP will be selected.
R1(config)# ip nat pool pool1 12.1.1.1 12.1.1.3 netmask 255.255.255.0
Now, enabling Dynamic NAT:
R1(config)# ip nat inside source list 1 pool pool1
At last, we have to configure router interfaces as inside or outside.
R1(config)# int fa0/0
R1(config-if)# ip nat inside
R1(config)# int fa0/1
R1(config-if)# ip nat outside
Port Address Translation (PAT)
This is also known as NAT overload. In this, many local (private) IP addresses can be translated to a single registered IP address. Port numbers are used to distinguish the traffic i.e., which traffic belongs to which IP address. This is most frequently used as it is cost-effective as thousands of users can be connected to the Internet by using only one real global (public) IP address.
CONFIGURATION
Taking the same topology, There is PC1 having IP address 192.168.1.1/24, Router R1 having IP address 192.168.1.2/24 on interface fa0/0, 12.1.1.1/24 on fa0/1 and server having IP address 73.1.1.2/24.
Now, first configuring the access-list:
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Configuring the nat pool from which a public IP will be selected.
R1(config)# ip nat pool pool1 12.1.1.1 12.1.1.1 netmask 255.255.255.0
Here, note that the nat pool is shrunk to one ip address only and the IP address used is the outside interface ip address of the router. If you have additional IP then you can use that also.
Now, enabling Dynamic NAT overload (PAT):
R1(config)# ip nat inside source list 1 pool pool1 overload
Or we can also use
R1(config)# ip nat inside source list 1 interface fastEthernet 0/1 overload
At last, we have to configure router interfaces as inside or outside.
R1(config)# int fa0/0
R1(config-if)# ip nat inside
R1(config)# int fa0/1
R1(config-if)# ip nat outside