Enabling the Internet Connection
It is common for small sites to use the Internet to connect to other sites. The Internet service is obtained through an ISP. The physical connection is usually provided using either DSL or cable technology with packet switching.
In some cases, the ISP provides a static address for the interface that is connected to the Internet. In other cases, this address is provided using DHCP.
Two scalability challenges facing the Internet are the depletion of the registered IP version 4 (IPv4) address space and scaling in routing. Cisco IOS Network Address Translation
(NAT) and Port Address Translation (PAT) are mechanisms for conserving registered IP addresses in large networks, and they also simplify IP addressing tasks. NAT and PAT translate IP addresses within private internal networks to legal IP addresses for transport over public external networks such as the Internet without requiring a registered subnet address. Incoming traffic is translated for delivery within the inside network.
This translation of IP addresses eliminates the need to renumber hosts when a site changes providers and allows the same IP address range to be used in multiple intranets, networks that exist within a company's boundaries. This section describes the features of NAT and PAT and how to configure NAT and PAT on Cisco routers.
Packet-Switched Communication Links
Packet switching is a switching method in which no dedicated path between source and destination endpoints exists, allowing for the sharing of connection links and common carrier resources for data transmission.
Packet-switched networks send data packets over different routes of a shared public network to reach the same destination. Instead of providing a dedicated communication path, the carrier provides a network to its subscribers and ensures that data received from one site exits toward another specific site. However, the route that the packets take to reach the destination site varies. When the packets reach their destination, it is the responsibility of the receiving protocol to ensure that they are reassembled in order.
Packet switching enables you to reduce the number of links to the network, and it allows the carrier to make more efficient use of its infrastructure so that the overall cost is generally lower than with discrete point-to-point lines, or leased lines. In a packet-switching environment, many customer networks connect to the network of the carrier. The carrier can then, depending on the technology, create virtual circuits between customer sites. When the customer is not using the full bandwidth on its virtual circuit, the carrier, through statistical multiplexing, can make that unused bandwidth available to another customer. Figure 5-8 shows an example of virtual circuits through a packet-switched network.
Figure 5-8 Packet Switching
Digital Subscriber Line
DSL technology is an always-on connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data and provides IP services to subscribers. A DSL modem converts an Ethernet signal from users to a DSL signal to the CO. Figure 5-9 shows an example of DSL connectivity from a remote site through a service provider.
Figure 5-9 DSL Connectivity
DSL technology allows a service provider to offer high-speed network services, up to and exceeding the speed of a T1 connection, to customers, using installed local-loop copper lines. DSL technology allows the local-loop line to be used for normal telephone voice connection, plus an always-on connection for instant network connectivity. Multiple DSL subscriber lines are multiplexed into a single, high-capacity link by a DSL access multiplexer (DSLAM) at the provider location. DSLAMs incorporate time-division multiplexing (TDM) technology to aggregate many subscriber lines into a less cumbersome single medium, generally a T3 (DS3) connection. Current DSL technologies use sophisticated coding and modulation techniques to achieve data rates up to 8.192 Mbps.
The voice channel of a standard consumer telephone covers the frequency range of 330 Hz to 3.3 kHz. A frequency range, or window, of 4 kHz is regarded as the requirement for any voice transmission on the local loop. Asymmetric DSL (ADSL) technologies place upstream (upload) and downstream (download) data transmissions at frequencies above this 4-kHz window, which allows both voice and data transmissions to occur simultaneously on a DSL service.
DSL availability is far from universal, and a wide variety of types, standards, and emerging standards exist. DSL is now a popular choice for enterprise IT departments to support home workers. Generally, a subscriber cannot choose to connect to an enterprise network directly, but must first connect to an ISP, and an IP connection is made through the Internet to the enterprise. Security risks are incurred in this process.
DSL Types and Standards
The two basic types of DSL technologies are as follows:
- Asymmetric DSL (ADSL): Provides higher download bandwidth than upload bandwidth
- Symmetric DSL (SDSL): Provides the same bandwidth in both directions
Figure 5-10 illustrates the difference between ADSL and SDSL.
Figure 5-10 Asymmetric Versus Symmetric DSL
All forms of DSL services are categorized as asymmetric or symmetric, but several varieties of each type exist. ADSL includes the following forms:
- ADSL
- Consumer DSL (CDSL), also called G.Lite or G.992.2
- Very-high-data-rate DSL (VDSL)
SDSL includes the following forms:
- SDSL
- High-data-rate DSL (HDSL)
- ISDN DSL (IDSL)
- Symmetric high-bit-rate DSL (G.shdsl)
DSL service can be added incrementally in any area. A service provider can upgrade bandwidth to coincide with a growth in numbers of subscribers. DSL is also backward compatible with analog voice and makes good use of the existing local loop, which means that it is easy to use DSL service simultaneously with normal phone service.
However, DSL suffers from distance limitations. Most DSL service offerings currently require the customer to be within 18,000 feet (about 5.5 km) of the provider's CO, and older, longer loops present problems. Also, with ADSL the upstream (upload) speed is usually considerably slower than the downstream (download) speed. The always-on nature of DSL also presents security risks: the customer's connection, and with it the customer's public address, is reachable by potential attackers around the clock rather than only for the duration of a dial-up session, so the customer premises router needs the same access filtering and hardening as any permanently connected host.
Cable
Another technology that has become increasingly popular as a WAN communications access option is the IP over Ethernet Internet service delivered by cable networks. Figure 5-11 shows typical cable connectivity.
Figure 5-11 Cable Connectivity
Originally, cable was a one-directional medium designed to carry broadcast analog video channels to the customers, or subscribers. During the 1990s, with the introduction of direct broadcast satellite (DBS) and DSL technology, however, cable operators faced a serious challenge to their existence from competing technologies. DBS operators marketed more choices and better-quality entertainment products through digital technology, and the existing local exchange carriers (LECs) in cities offered a combination of voice, video, and data by means of DSL.
Fearing loss of market share, and facing the need to offer advanced services to remain economically viable, key multiple service operators (MSO) formed the Multimedia Cable Network System Partners Ltd. (MCNS), with the purpose of defining a product and system standard capable of providing data and future services over cable television (CATV) plants. MCNS proposed a packet-based (IP) solution in contention with a cell-based (ATM) solution promoted by IEEE 802.14. MCNS partners included Comcast Cable Communications, Cox Communications, Tele-Communications, Time Warner Cable, MediaOne, Rogers Cablesystems, and Cable Television Laboratories (CableLabs).
Global Internet: The Largest WAN
The Internet can be thought of as a WAN that spans the globe. In the 1960s, researchers at the U.S. Department of Defense wanted to build a command-and-control network by linking several of their computing facilities around the country. This early WAN could be vulnerable, however, to natural disaster or military attack. Therefore, it was necessary to ensure that if part of the network was destroyed, the rest of the system would still function. Thus, the network would have no central authority, and the computers running it could automatically reroute the flow of information around any broken links.
The Department of Defense researchers devised a way to break messages into parts, sending each part separately to its destination, where the message would be reassembled. This method of data transmission is now known as a packet system.
This packet system, which was made public by the military in 1964, was also being researched at the Massachusetts Institute of Technology (MIT), the University of California, Los Angeles (UCLA), and the National Physical Laboratory in the United Kingdom. In the fall of 1969, UCLA installed the first computer on this network. Several months later, four computers were on this network, which was named the Advanced Research Projects Agency Network (ARPANET).
In 1972, the first e-mail messaging software was developed so that ARPANET developers could more easily communicate and coordinate on projects. Later that year, a program that allowed users to read, file, forward, and respond to messages was developed. Throughout the 1970s and 1980s, the network expanded as technology became more sophisticated. In 1984, the Domain Name System (DNS) was introduced and gave the world domain suffixes (such as .edu, .com, .gov, and .org) and a series of country codes. This system made the Internet much more manageable. Without DNS, users had to remember the IP address of every Internet site they wanted to visit, a long series of numbers, instead of a string of words.
In 1989, Timothy Berners-Lee began work on a means to better facilitate communication among physicists around the world, based on the concept of hypertext, which would allow electronic documents to be linked directly to each other. The eventual result of linking documents was the World Wide Web. Standard formatting languages, such as HTML and its variants, allow web pages to display formatted text, graphics, and multimedia. A web browser can read and display HTML documents and can access and download related files and software.
The web was popularized by the 1993 release of a graphical, easy-to-use browser called Mosaic. Although the web began as just one component of the Internet, it is clearly the most popular, and the two are now nearly synonymous.
Throughout the 1990s, personal computers (PC) became more powerful and less expensive, allowing millions of people to buy them for their homes and offices. ISPs, such as America Online (AOL), CompuServe, and many local providers, began offering affordable dialup connections to the Internet. To accommodate the need for increased speed, cable service providers began to offer access through cable network facilities and technologies.
Today, the Internet has grown into the largest network on the earth, providing access to information and communication for business and home users. The Internet can be seen as a network of networks, consisting of a worldwide mesh of hundreds of thousands of networks, owned and operated by millions of companies and individuals all over the world, all connected to thousands of ISPs. Figure 5-12 illustrates how the Internet provides connectivity between different businesses and organizations across a WAN.
Figure 5-12 The Internet Connects via WAN
Obtaining an Interface Address from a DHCP Server
An ISP sometimes provides a static address for an interface that is connected to the Internet. In other cases, this address is provided using DHCP.
If the ISP uses DHCP to provide interface addressing, you do not configure a manual address on the interface. Instead, you configure the interface to operate as a DHCP client, and it learns its address, subnet mask, and default gateway from the provider's DHCP server.
Introducing NAT and PAT
Small networks are commonly implemented using private IP addressing. When connecting this type of network to public networks such as the Internet, you need a method to convert the private IP addressing to public addressing. NAT operates on a Cisco router and is designed for IP address simplification and conservation. NAT enables private IP intranets that use nonregistered IP addresses to connect to the Internet. Usually, NAT connects two networks together and translates the private (inside local) addresses in the internal network into public addresses (inside global) before packets are forwarded to another network. You can configure NAT to advertise only one address for the entire network to the outside world.
Advertising only one address hides the internal addressing scheme from the outside world, which provides some additional security. Keep in mind that this concealment is a side effect of translation, not access control: a NAT router still needs ACLs or a firewall to govern what reaches the inside hosts and, because the translated address is also the router's own outside address, what reaches the router itself. Figure 5-13 shows how NAT changes and tracks addressing between interfaces.
Figure 5-13 NAT Translations
NAT, defined in RFC 1631 (since updated by RFC 3022), can run on any device that sits between an internal network and the public network, such as a firewall, a router, or a computer.
In NAT terminology, the “inside network” is the set of networks that are subject to translation. The “outside network” refers to all other addresses. Usually these are valid addresses located on the Internet.
Cisco defines the following NAT terms:
- Inside local address: The IP address assigned to a host on the inside network. The inside local address is typically a private (RFC 1918) address rather than an address assigned by the Internet Assigned Numbers Authority (IANA) or a service provider.
- Inside global address: A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
- Outside local address: The IP address of an outside host as it appears to the inside network. Not necessarily legitimate, the outside local address is allocated from an address space routable on the inside.
- Outside global address: The IP address assigned to a host on the outside network by the host owner. The outside global address is allocated from a globally routable address or network space.
One of the main features of NAT is PAT, which is referred to as overload in Cisco IOS configuration. Several internal addresses can be translated using NAT into just one or a few external addresses by using PAT.
PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of internal addresses that NAT can translate into one external address is, theoretically, as many as 65,536 addresses. PAT attempts to preserve the original source port. If the source port is already allocated, PAT attempts to find the first available port number. It starts from the beginning of the appropriate port group, 0–511, 512–1023, or 1024–65535. If PAT does not find a port that is available from the appropriate port group and if more than one external IP address is configured, PAT moves to the next IP address and tries to allocate the original source port again. PAT continues trying to allocate the original source port until it runs out of available ports and external IP addresses. Figure 5-14 shows how a single address can be used to translate for multiple addresses.
Figure 5-14 PAT Translations
Translating Inside Source Addresses
You can translate your own IP addresses into globally unique IP addresses when you are communicating outside your network. You can configure static or dynamic inside source translation.
Example: Translating Inside Source Addresses
Figure 5-15 illustrates a router that is translating a source address inside a network into a source address outside the network.
Figure 5-15 Translating Inside Source Address (NAT)
The steps for translating an inside source address are as follows:
Step 1 The user at host 10.1.1.1 opens a connection to host B.
Step 2 The first packet that the router receives from host 10.1.1.1 causes the router to check its NAT table.
- If a static translation entry was configured, the router goes to Step 3.
- If no static translation entry exists, the router determines that the source address 10.1.1.1 (SA 10.1.1.1) must be translated dynamically. The router then selects a legal, global address from the dynamic address pool and creates a translation entry (in this example, 171.69.68.2). This type of entry is called a simple entry.
Step 3 The router replaces the inside local source address of host 10.1.1.1 with the translation entry global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP destination address 171.69.68.2 (DA 171.69.68.2).
Step 5 When the router receives the packet with the inside global IP address, the router performs a NAT table lookup by using the inside global address as a key. The router then translates the address back to the inside local address of host 10.1.1.1 and forwards the packet to host 10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
You can conserve addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols, for example, TCP or User Datagram Protocol (UDP) port numbers, to translate the inside global address back into the correct inside local address. When multiple inside local addresses map to one inside global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.
Example: Overloading an Inside Global Address
Figure 5-16 illustrates NAT operation when one inside global address represents multiple inside local addresses. The TCP port numbers act as differentiators. Both host B and host C think they are talking to a single host at address 171.69.68.2. They are actually talking to different hosts; the port number is the differentiator. In fact, many inside hosts could share the inside global IP address by using many port numbers.
Figure 5-16 Overloading an Inside Global Address (PAT)
The router performs the following process in overloading inside global addresses:
Step 1 The user at host 10.1.1.1 opens a connection to host B. The first packet that the router receives from host 10.1.1.1 causes the router to check its NAT table.
Step 2 If no translation entry exists, the router determines that address 10.1.1.1 must be translated and sets up a translation of inside local address 10.1.1.1 into a legal inside global address. If overloading is enabled and another translation is active, the router reuses the inside global address from that translation and saves enough information to be able to translate back. This type of entry is called an extended entry.
Step 3 The router replaces the inside local source address 10.1.1.1 with the selected inside global address and forwards the packet.
Step 4 Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP address 171.69.68.2.
Step 5 When the router receives the packet with the inside global IP address, the router performs a NAT table lookup. Using the inside global address and port and outside global address and port as a key, the router translates the address back into the inside local address 10.1.1.1 and forwards the packet to host 10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
Configuring the DHCP Client and PAT
For a router that connects to the Internet where the provider gives you an address via DHCP, such as DSL or cable connectivity, you need to configure the router as a DHCP client and to perform PAT on the inside private addresses. The first thing you need to do is determine which interface the DHCP client is to be configured on. Figure 5-17 shows the private and public addresses for this example.
In this implementation, you configure the WAN interface (fa0/1) as a DHCP client so that it gets its IP address and default gateway, and therefore its default route, from the ISP's DHCP server. In addition, you enable PAT to translate the internal private addressing to the external public address. For this example, you use Security Device Manager (SDM) to configure DHCP.
Figure 5-17 Identifying Inside and Outside Interfaces
To begin configuring the DHCP client interface, click the Interfaces and Connections tab. Check the Ethernet (PPPoE or Unencapsulated Routing) radio button, and then click the Create New Connection button. This is shown in Figure 5-18.
Figure 5-18 Configuring the Ethernet Interface
Clicking the Create New Connection button opens the WAN Wizard for further configuration. Figure 5-19 shows the wizard welcome window. Click Next to continue.
Figure 5-19 WAN Wizard
If the ISP uses PPP over Ethernet (PPPoE), click the check box, and then click Next. These options are shown in Figure 5-20.
Figure 5-20 PPPoE Configuration
Click the Dynamic (DHCP Client) radio button and enter the hostname as shown in Figure 5-21.
Figure 5-21 DHCP Configuration
Check the Port Address Translation check box and choose the inside interface in the drop-down list as shown in Figure 5-22.
Figure 5-22 PAT Configuration
When you are finished, the wizard provides a summary of the configuration, as shown in Figure 5-23.
Figure 5-23 Configuration Summary
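The SDM wizard writes ordinary IOS configuration, so it is worth seeing the CLI equivalent of the choices made in the steps above. The following is an added example and is not from the original page. The inside interface name (fa0/0), the inside subnet 192.168.1.0/24, and the hostname RouterX are assumptions for illustration; the page names only fa0/1 as the WAN interface.

```cisco
! Added example: CLI equivalent of the SDM WAN Wizard settings (DHCP client on
! the WAN interface plus PAT on the inside subnet). Interface fa0/0, the subnet
! 192.168.1.0/24 and the hostname are assumptions, not from the original page.
hostname RouterX
!
! Inside (private) interface
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! Outside interface: learn address, mask and default gateway from the ISP's
! DHCP server. The hostname keyword sends the name entered in the wizard.
interface FastEthernet0/1
 description WAN to ISP
 ip address dhcp hostname RouterX
 ip nat outside
 no shutdown
!
! Only the inside subnet is eligible for translation. Do not use "permit any":
! that would translate, and so hide behind the public address, anything that
! arrives on fa0/0, including packets with spoofed source addresses.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! PAT (overload) onto whatever address DHCP assigns to fa0/1. The overload
! statement references the interface rather than an address pool because the
! inside global address is not known in advance and can change at lease renewal.
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! The translated address is also the router's own outside address, and PAT does
! nothing to block traffic addressed to the router itself. Limit management
! sessions to the inside subnet (the same ACL) and to SSH.
line vty 0 4
 access-class 1 in
 transport input ssh
```

If the ISP uses PPPoE (the check box in Figure 5-20), the wizard creates a Dialer interface; the negotiated IP address, the ip nat outside statement, and the interface named in the overload command then belong on that Dialer interface, and the physical fa0/1 carries only the PPPoE client binding. The transport input ssh line requires that an RSA key pair and a domain name already exist on the router.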
Verifying the DHCP Client Configuration
You can use the Interfaces and Connections window in SDM to verify that the DHCP client is obtaining an address from the DHCP server. This is shown in Figure 5-24.
Figure 5-24 Configuration Verification
NOTE The client IP address might not display in the window immediately, and you might need to refresh the window.
Verifying the NAT and PAT Configuration
You can verify the NAT and PAT configuration with the command show ip nat translations. Its output follows:
RouterX# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---
Table 5-2 shows the commands that you can use in EXEC mode to display and manage translation information.
Table 5-2 Useful NAT Management Commands
After you have configured NAT, verify that it operates as expected. You can do this by using the show and clear commands.
By default, dynamic address translations time out of the NAT and PAT translation tables after a period of nonuse. When port translation is not configured, translation entries time out after 24 hours unless you change the timeout with the ip nat translation timeout command. PAT (extended) entries use per-protocol timeouts instead, set with the ip nat translation tcp-timeout, udp-timeout, and dns-timeout commands. You can clear the entries before the timeout by using the clear command listed in Table 5-2.
Alternatively, you can use the show running-config command and look for the ip nat, access-list, interface, and ip nat pool commands with the required values.
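The verification and housekeeping commands together, as an added example that is not part of the original page. It assumes PAT is overloaded onto the fa0/1 DHCP address with a standard access list 1 selecting the inside subnet, which is the configuration the wizard builds (the ACL number is an assumption). The show output is constructed for illustration; 203.0.113.5 is an RFC 5737 documentation address standing in for an Internet host.

```cisco
! Added example (not from the original page): verifying and managing PAT.
! The show output below is constructed for illustration.

! 1. Did the DHCP client get a lease, and is the default route installed?
RouterX# show dhcp lease
RouterX# show ip interface brief
RouterX# show ip route
! fa0/1 should carry the ISP-assigned address, and the routing table a
! default route ("S* 0.0.0.0/0") via the gateway the DHCP server offered.

! 2. Are inside hosts being translated? Constructed output: two inside hosts
! both picked source port 1024. The first kept it (PAT preserves the original
! port when it can); the second was moved to the next free port in the
! 1024-65535 group, so the two extended entries stay distinct.
RouterX# show ip nat translations
Pro Inside global           Inside local            Outside local           Outside global
tcp 172.16.131.1:1024       10.10.10.1:1024         203.0.113.5:80          203.0.113.5:80
tcp 172.16.131.1:1025       10.10.10.2:1024         203.0.113.5:80          203.0.113.5:80

! 3. Confirms the inside/outside interface assignment, hit and miss counters,
! and the dynamic mapping (access-list 1 -> interface FastEthernet0/1).
RouterX# show ip nat statistics

! 4. Trim idle-entry lifetimes. IOS defaults: 24 hours for non-PAT entries and
! for TCP, 5 minutes for UDP, 1 minute for DNS. Shorter timeouts free ports
! sooner on a busy single-address PAT and shrink the window in which a stale
! entry still maps unsolicited return traffic to an inside host.
RouterX(config)# ip nat translation tcp-timeout 3600
RouterX(config)# ip nat translation udp-timeout 120
RouterX(config)# ip nat translation dns-timeout 30

! 5. Flush dynamic entries, for example after changing the ACL or the overload
! statement. Active sessions are re-translated on their next packet with no
! guarantee of receiving the same port, so expect brief disruption.
RouterX# clear ip nat translation *
```

Use debug ip nat only briefly and only on a lightly loaded router: it logs every translated packet, and on a PAT gateway that is the entire site's traffic.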