NAT Concepts
Objective:
- Explain the basic operation of NAT
Although the introductory discussion of NAT covers the most popular uses of the technology, NAT can be used for much more. Before you go deeper into the specific uses, though, you must understand the foundation concepts.
As its core function, Network Address Translation does just that: translate addresses. It can take any IP address and make it look like another. This is why the creative geniuses behind TCP/IP defined three ranges of “private IP addresses” in RFC 1918. The following is a list of the three private address ranges:
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
TIP
You need to know the private IP address ranges.
You might notice that a private address range is defined for each class of address. This gives a company more flexibility to use different ranges based on the company size. As a general statement, most small companies use the 192.168.X.X range, most medium-sized companies use the 172.16.X.X to 172.31.X.X ranges, and most large companies use the 10.X.X.X ranges.
Remember, this is just a general statement, not a solid rule. It is commonly stated that these private addresses are nonroutable, but this is untrue. Thousands of companies around the world use these addresses and route them throughout their private networks just fine. This misunderstanding came about because all Internet service providers (ISPs) use access lists to block these addresses from entering or leaving their networks. It is accurate to say that these private addresses are not Internet routable, because if they were, there would be thousands of duplicate IP address conflicts every day.
As shown in Figure 20.1, networks connected to the Internet typically use these private IP addresses internally and then translate them when attempting to access the Internet. This enables you to have many duplicate addresses around the world without any conflicts, because they never communicate directly. This can cause problems with overlapping IP addresses when companies merge, but NAT can even be engineered to solve these problems.
Static NAT
Static NAT is the simplest form of NAT. It enables you to map one IP address to another in a one-to-one relationship. This is typically used to allow access to internal servers from the Internet that are using a private address space. In Figure 20.2, three servers are located on the internal network: a web server, an FTP server, and an email server. These three servers are assigned to a private IP address space (192.168.1.0/24) and would typically be inaccessible from the Internet.
By using static NAT, you can map the private IP addresses to a public IP on a one-to-one basis, enabling these servers to be accessed from the Internet using the three public IP addresses shown in Figure 20.2. This static NAT mapping goes both ways. When someone from the Internet accesses 200.1.1.1, it is translated to the internal address 192.168.1.1. Likewise, when the server 192.168.1.1 accesses the Internet, it is seen as 200.1.1.1. Although this form of NAT does not allow multiple internal hosts to share a single address, it does implement the security features of NAT by eliminating end-to-end traceability and enables servers that are sharing your private network to be accessed from the Internet.
Static NAT can also be configured to statically translate individual TCP or UDP ports. This awesome feature enables you to take a single IP address and translate one or many ports to either the same host or many different hosts. For example, you might have a router that has the external IP address 195.1.1.1. You can statically configure NAT so that when your router receives a request on 195.1.1.1, using TCP port 80 (HTTP), it redirects it to the internal address 192.168.1.50 on TCP port 80. However, when it receives a request on 195.1.1.1, using TCP port 21 (FTP), it redirects it to the internal address 192.168.1.100 on TCP port 21.
In this way, NAT can act as a type of firewall (allowing only some ports through to specific hosts) and give you the flexibility of offering many services through the same IP address. Using static NAT with ports even makes it possible to redirect port numbers. For example, you might be using one of those scandalous DSL or cable Internet providers that block certain port numbers to keep you from running a web server from home. You can configure static NAT in such a way that when your router receives a request on TCP port 800 it redirects it to an internal IP address on TCP port 80.
Dynamic NAT
Static NAT is superb if you have a few hosts that need to be translated; however, if many hosts need to be translated, creating static entries for each one can be quite tedious. This is where dynamic NAT can help. Dynamic NAT enables you to define a pool of addresses to be translated along with a pool of addresses to which they are to be translated. The router then dynamically maps these IP addresses as the need arises. This is not the same thing as allowing multiple hosts to share the same IP address (known as NAT overloading). Dynamic NAT makes many one-to-one mappings without requiring you to configure them statically.
NAT Overload and Port Address Translation
Now we come to the form of NAT that made it famous. NAT overload, also known as Port Address Translation (PAT), enables a single IP address to support many internal clients. Whenever a host establishes communication with a server outside the NAT firewall, it tries to access a specific port number (known as the destination port). However, it also uses a source port number to allow for return traffic (this is discussed more thoroughly in Chapter 19, “Using Cisco Access Lists”). Figure 20.3 shows how NAT overload also incorporates this source port number into the translation.
The communicating hosts randomly generate the source ports. The NAT router then appends these to the public IP address to make the source socket (or IP address and port number combination) unique. When the Internet server replies to whatever request was made, it does so to that source IP and socket. When the NAT router receives the reply, it can then redirect it to the correct internal host by referring to its NAT translation table. Because hosts use random source ports, there is very little possibility that two hosts will choose the same source port number (one chance out of some 60,000). However, if two hosts do happen to choose the same port number, the NAT device causes one of the device sessions to reset and choose a different port number. By using unique port numbers, the router can originate thousands of requests from its single Internet IP address. This provides Internet access to the internal network clients while using just one Internet address.
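To make the translations in the Static NAT and NAT Overload sections concrete, here is an added Python model (constructed for this chapter, not code from the book or from any vendor) of a router that holds both the static port mappings from the Static NAT section (195.1.1.1 ports 80, 21 and 800) and a PAT table for outbound sessions, including the case where two inside hosts pick the same source port. The inside host addresses and the port pool starting at 1024 are assumed values.

```python
import ipaddress


class NatRouter:
    """Toy model of a NAT router with static port mappings and PAT (constructed example)."""

    def __init__(self, public_ip, static_ports=None):
        self.public_ip = public_ip
        # Static NAT with ports: public port -> (inside local IP, inside port).
        self.static_ports = dict(static_ports or {})
        # PAT translation table: (inside local IP, source port) -> public source port.
        self.pat = {}
        self.next_port = 1024  # assumed pool for rewritten source ports

    def _public_ports_in_use(self):
        return set(self.static_ports) | set(self.pat.values())

    def outbound(self, inside_ip, src_port):
        """Translate a packet leaving the inside network; return the source socket seen on the Internet."""
        if not ipaddress.ip_address(inside_ip).is_private:
            raise ValueError(f"{inside_ip} is not a private address; nothing to translate")
        key = (inside_ip, src_port)
        if key not in self.pat:
            used = self._public_ports_in_use()
            public_port = src_port
            # Collision: another host already owns this public port, or it is a
            # static forward, so this session is given a different public port.
            # The chapter describes this as the session resetting and choosing a
            # new port; most PAT implementations simply rewrite the source port.
            while public_port in used:
                public_port = self.next_port
                self.next_port += 1
            self.pat[key] = public_port
        return (self.public_ip, self.pat[key])

    def inbound(self, dst_port):
        """Translate a packet arriving at public_ip:dst_port (a reply or a new connection)."""
        if dst_port in self.static_ports:
            return self.static_ports[dst_port]
        for (inside_ip, src_port), public_port in self.pat.items():
            if public_port == dst_port:
                return (inside_ip, src_port)
        return None  # no entry in the translation table: the router drops it


if __name__ == "__main__":
    # Static mappings from the chapter: 80 -> web server, 21 -> FTP server, 800 -> web server port 80.
    r = NatRouter("195.1.1.1", {80: ("192.168.1.50", 80), 21: ("192.168.1.100", 21), 800: ("192.168.1.50", 80)})
    print(r.outbound("192.168.1.10", 50000), r.outbound("192.168.1.11", 50000))
    print(r.inbound(800), r.inbound(50000), r.inbound(1024))
```

Requests for ports without a static entry or PAT entry come back as None, which is the filtering behaviour the Static NAT section describes.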
To review, Table 20.1 shows the three forms of NAT and the styles of translation they perform.
NAT Terminology
Believe it or not, setting up NAT is not very difficult; it’s learning the terminology used with NAT that can fry your brain. The first time you see these terms, it may make no sense to you, and that’s just fine. It takes some time to soak in. Now, keep in mind that these are not “Cisco terms.” Rather, they are an industry standard way of referring to the four different points in a NAT-based network. Before trying to understand four NAT address descriptions, you must understand the building blocks used to construct these terms:
- Inside/outside: These NAT descriptors refer to where a device is physically located. If a device is “inside,” it is under your control; it is in your network. If a device is “outside,” it is not under your control; it is outside your network.
- Local/global: These NAT descriptors refer to where an IP address is located from the perspective of a NAT device. The NAT device is a network device that has its address translated through a NAT router. It could be a PC, a server, an Xbox, or any other type of host that has a private address that is translated to a real address on the Internet. If the IP address is considered “local,” it is seen as a device on the local subnet from the perspective of a NAT device (this may or may not be true). If the IP address is considered “global,” it is seen as not on the local subnet from the perspective of a NAT device.
If that doesn’t sound confusing, just wait until we start combining these terms for the four NAT address descriptions. Figure 20.4 shows where these addresses sit on the network.
- Inside local addresses: These addresses are the easiest to understand because they refer to everything inside your network. Remember the word constructs discussed just a moment ago: An address “inside” is physically located inside your network. From the perspective of the NAT device, it is “local,” meaning it is seen on the internal network. If an inside local address were to communicate with another inside local address, that communication would be described as standard LAN connectivity. No routers would be needed.
- Inside global addresses: Now the terms begin to mix a little bit. Let’s break this down into the individual pieces: First, the address is “inside,” which means that it is physically located on your network; it is under your control. “Global” means that it is seen as an IP address not on the local subnet from the perspective of one of your NAT devices. Put all this together and you are left with the Internet-valid IP address assigned to your router that is directly connected to the Internet. This is where a fundamental understanding of inside and outside can really help. If the address were an “outside global,” it would not be under your control, meaning that it could be any of the millions of devices attached to the Internet.
- Outside global addresses: Outside global addresses refer to devices that are physically “outside” your network—outside your control. These addresses are “global,” meaning that the NAT devices on the inside of your network see these as nonlocal addresses. Put these two pieces together and you have a description of a standard Internet IP address.
- Outside local addresses: I saved the best for last. Outside local addresses confused me for quite some time until I fully understood the capabilities of NAT. First, let’s look at the pieces: This address is physically “outside” your network, out of your control, out on the Internet. However, it appears to NAT devices as an IP address on the “local” subnet. What this describes is an Internet host translated as it comes through the NAT router into your local network. You can think of this as “reverse NAT,” or just NAT in the other direction. As shown in Figure 20.4, when the cisco.com web server speaks to the internal hosts on the 192.168.0.0/24 network, they believe it to be co-located on the local subnet with them. They come to this conclusion because the NAT router translates the outside global address to something local (perhaps 192.168.0.1, the NAT gateway’s address).
TIP
Understanding the four NAT address descriptors listed is useful not only for the ICND1, ICND2, and CCNA exams, but also for understanding any real-world NAT documentation.