Adv Net Lecture8

Network Address Translation (NAT) allows devices with private IP addresses to communicate over the Internet by translating these addresses into a public IP address. It helps conserve public IP addresses through techniques like dynamic NAT and Port Address Translation (PAT), enabling multiple devices to share a single public IP address. NAT also enhances network security by hiding internal IP addresses from the external network.

Network Address Translation (NAT)

To reach the Internet a host needs a public IP address, and that address must be unique all
over the world. If each host in the world required a unique public IP address, we would have
run out of IP addresses years ago. By using Network Address Translation (NAT) we can save
tons of IP addresses for later use. We can understand NAT like this:
“NAT allows a host that does not have a valid registered IP address to communicate with
other hosts through the Internet”
For example, your computer is assigned a private IP address of 10.0.0.9. Of course this
address cannot be routed on the Internet, but you can still access the Internet. This is because
your router (or modem) translates this address into a public IP address, 123.12.23.1 for
example, before routing your data onto the Internet.

Of course, when your router receives a reply packet destined for 123.12.23.1 it converts the
destination back to your private IP 10.0.0.9 before sending that packet to you.
Maybe you will ask: “Hey, I don’t see how NAT saves tons of IP addresses, because you still
need a public IP address for each host to access the Internet. It doesn’t save you anything,
so why do you need NAT?”
OK, you are right :). In the above example we don’t see its usefulness, but you now understand
the fundamentals of NAT!
Let’s take another example!
Suppose your company has 500 employees but your Internet Service Provider (ISP) only
gives you 50 public IP addresses. It means that you can only allow 50 hosts to access the
Internet at the same time. Here NAT comes to save your life!
One thing you should notice is that in real life, not all of your employees use the Internet at
the same time. Say, maybe 50 of them use the Internet to read the newspaper in the morning;
50 others use it at noon to check mail… By using NAT you can dynamically assign these 50
public IP addresses to those who really need them at that time. This is called dynamic NAT.
But the above NAT solution does not solve our problem completely, because on some days
there can be more than 50 people surfing the web in the morning. In this case, only the first 50
people can access the Internet; the others must wait their turn.
Another problem is that, in fact, your ISP gives you far fewer than 50 IP addresses,
because each public IP is very precious now.
To solve the two problems above, another feature of NAT can be used: NAT Overload,
sometimes called Port Address Translation (PAT).
PAT permits multiple devices on a local area network (LAN) to be mapped to a single public
IP address with different port numbers, hence the name port address translation.
When using PAT, the router maintains unique source port numbers on the inside
global IP address to distinguish between translations. In the example below, each host is
assigned the same public IP address 123.1.1.1 but with different port numbers (from
1000 to 1002).

Note: Cisco uses the term inside local for the private IP addresses and inside global for the
public IP addresses replaced by the router.
The outside host IP address can also be changed with NAT. The outside global address
represents the outside host with a public IP address that can be used for routing in the public
Internet.
The last term, outside local address, is a private address of an external device as it is referred
to by devices on its local network. You can understand outside local address as the inside
local address of the external device which lies at the other end of the Internet.
Maybe you will ask how many ports we can use for each IP. Well, because the port number
field has 16 bits, PAT can support about 2^16 ports, which is more than 64,000 connections
using one public IP address.
Now you have learned all the most useful features of NAT, but we should summarize
them:
There are two types of NAT translation: dynamic and static.
Static NAT: Designed to allow one-to-one mapping between local and global addresses. This
flavour requires you to have one real Internet IP address for every host on your network.
Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a
pool of registered IP addresses. You don’t have to statically configure your router to map an
inside to an outside address as in static NAT, but you do have to have enough real IP
addresses for everyone who wants to send packets through the Internet. With dynamic NAT,
you can configure the NAT router with more IP addresses in the inside local address list than
in the inside global address pool. The router allocates registered public IP addresses
from the inside global address pool until all are allocated. If all the
public IP addresses are already allocated, the router discards the packet that requires a public
IP address.
PAT (NAT Overloading): A kind of dynamic NAT that maps multiple private IP
addresses to a single public IP address (many-to-one) by using different ports. Static NAT
and Dynamic NAT both require a one-to-one mapping from the inside local to the inside
global address. By using PAT, you can have thousands of users connect to the Internet using
only one real global IP address. PAT is the technology that helps us not run out of public IP
addresses on the Internet. This is the most popular type of NAT.
Besides, NAT gives you the option to advertise only a single address for your entire network
to the outside world. Doing this effectively hides the internal network from the public world
really well, giving you some additional security for your network.
NAT terms:
* Inside local address – The IP address assigned to a host on the inside network. The address
is usually not an IP address assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service
provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the
inside network.
* Outside global address – The IP address assigned to a host on the outside network. The
owner of the host assigns this address.
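
The dynamic NAT and PAT behaviour summarized above, as a small Python model (an added example, not part of the original lecture and not router code). The inside host addresses, the two-address pool and the source port 5000 are constructed, and ports are simply handed out in order from 1000, which is a simplification.

```python
class DynamicNat:
    """Dynamic NAT: each inside local address borrows one address from a pool."""

    def __init__(self, pool):
        self.free = list(pool)      # unallocated inside global addresses
        self.table = {}             # inside local IP -> inside global IP

    def outbound(self, inside_local):
        if inside_local not in self.table:
            if not self.free:
                return None         # pool exhausted: the packet is discarded
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


class Pat:
    """PAT (NAT overload): many inside local addresses share one inside global IP."""

    def __init__(self, inside_global, first_port=1000, last_port=65535):
        self.inside_global = inside_global
        self.next_port, self.last_port = first_port, last_port
        self.out = {}               # (proto, local IP, local port) -> global port
        self.back = {}              # (proto, global port) -> (local IP, local port)

    def outbound(self, proto, local_ip, local_port):
        key = (proto, local_ip, local_port)
        if key not in self.out:
            if self.next_port > self.last_port:
                return None         # no free port left on the shared address
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (local_ip, local_port)
            self.next_port += 1
        return self.inside_global, self.out[key]

    def inbound(self, proto, global_port):
        # A reply is forwarded only if an inside host created the entry first.
        return self.back.get((proto, global_port))


def demo():
    hosts = ["10.0.0.9", "10.0.0.10", "10.0.0.11"]    # constructed inside hosts
    dyn = DynamicNat(["123.12.23.1", "123.12.23.2"])  # constructed 2-address pool
    pat = Pat("123.1.1.1")
    return {
        "dynamic": [dyn.outbound(h) for h in hosts],
        "pat": [pat.outbound("tcp", h, 5000) for h in hosts],
        "reply": pat.inbound("tcp", 1001),
        "unsolicited": pat.inbound("tcp", 4444),
    }
```

With a two-address pool the third host gets no translation, while PAT serves all three hosts from 123.1.1.1; a packet arriving on a port with no table entry has nowhere to be forwarded.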

To learn how to configure NAT please read my Configure NAT GNS3 Lab tutorial
Example of Static NAT :
Configuring Static NAT Using Cisco IOS

NAT enables hosts with internal private addresses to communicate on the Internet. When
configuring NAT, at least one interface must be configured as the inside interface. The inside
interface is connected to the internal, private network. Another interface, usually the external
interface used to access the Internet, must be configured as the outside interface. When
devices on the internal network communicate out through the external interface, the addresses
are translated to one or more registered IP addresses.

There are occasions when a server located on an internal network must be accessible from the
Internet. This accessibility requires that the server has a specific registered address that
external users can specify. One way to provide this address to an internal server is to
configure a static translation.

Static NAT ensures that addresses assigned to hosts on the internal network are always
translated to the same registered IP address.

Configuring NAT and static NAT using the Cisco IOS CLI requires a number of steps.

– Step 1. Specify the inside interface.
– Step 2. Set the primary IP address of the inside interface.
– Step 3. Identify the inside interface using the ip nat inside command.
– Step 4. Specify the outside interface.
– Step 5. Set the primary IP address of the outside interface.
– Step 6. Identify the outside interface using the ip nat outside command.
– Step 7. Define the static address translation.
– Step 8. Verify the configuration.

There are several router CLI commands to view NAT operations for verification and
troubleshooting.

One of the most useful commands is show ip nat translations. The output displays the
detailed NAT assignments. The command shows all static translations that have been
configured and any dynamic translations that have been created by traffic. Each translation is
identified by protocol and its inside and outside local and global addresses.

The show ip nat statistics command displays information about the total number of active
translations, NAT configuration parameters, how many addresses are in the pool, and how
many have been allocated.

Additionally, use the show run command to view NAT configurations.
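
A way to audit what show ip nat translations reports, as an added Python example that is not part of the original lecture. The sample output is constructed around the 10.0.0.1 to 200.0.0.2 mapping used on this page; rows whose outside columns are --- are not tied to one outside host, and the function names and the approved list are hypothetical.

```python
COLUMNS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")

# Constructed sample in the layout printed by "show ip nat translations".
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 200.0.0.2          10.0.0.1           ---                ---
icmp 200.0.0.2:5       10.0.0.1:5         200.0.0.10:5       200.0.0.10:5
tcp 200.0.0.3:3389     10.0.0.20:3389     ---                ---
tcp 200.0.0.4:1024     10.0.0.9:51000     200.0.0.10:80      200.0.0.10:80
"""


def parse_translations(text):
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] != "Pro":
            rows.append(dict(zip(COLUMNS, cols)))
    return rows


def standing_mappings(rows):
    """Rows with no outside address are not tied to one outside host."""
    return [(r["inside_local"], r["inside_global"])
            for r in rows
            if r["outside_local"] == "---" and r["outside_global"] == "---"]


def unapproved(text, approved):
    """Standing mappings that are missing from the approved (local, global) set."""
    return [m for m in standing_mappings(parse_translations(text))
            if m not in approved]
```

Comparing the result with the list of servers that are meant to be published shows any inside host that is reachable on a registered address without having been approved.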

Another Example of Static NAT


Router(config-if)#ip nat inside (or ip nat outside)

Router(config)#ip nat inside source static PRIVATE_IP PUBLIC_IP

Therefore we should configure the loopback interface of R0 as the source IP address and the fa0/0
interface of R0 as the “outgoing static NAT” address.

R0#configure terminal
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside

R0(config-if)#int f0/0
R0(config-if)#ip address 200.0.0.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#ip nat outside
R0(config-if)#exit

Finally, we have to tell the router to translate my private IP 10.0.0.1 to public IP 200.0.0.2 so
that I can go to the Internet!

R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2


On R1 we just assign the IP address and bring up its interface with no shutdown.

R1#config terminal
R1(config)#int f0/0
R1(config-if)#ip address 200.0.0.10 255.255.255.0
R1(config-if)#no shutdown

Another Example of Static NAT :

With static NAT, routers or firewalls translate one private IP address to one public IP
address. Each private IP address has been mapped to a single public IP address.
Static NAT is not often used because it requires one public IP address for each
private IP address.

To configure static NAT, three steps are required:

1. configure private/public IP address mapping by using the ip nat inside source static
PRIVATE_IP PUBLIC_IP command
2. configure the router’s inside interface using the ip nat inside command
3. configure the router’s outside interface using the ip nat outside command

Here is an example.

Computer A requests a web resource from S1. Computer A uses its private IP
address when sending the request to router R1. Router R1 receives the request,
changes the private IP address to the public one and sends the request to S1. S1
responds to R1. R1 receives the response, looks up in its NAT table and changes
the destination IP address to the private IP address of Computer A.

In the example above, we need to configure static NAT. To do that, the following
commands are required on R1:
