Network Address Translation
Network address translation, or NAT in short, is a process where internet-routable addresses are reused by many users inside a local area network. NAT also acts as a firewall that provides an extra layer of security for the inside users.
The subnets 10.0.0.0/8, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255 are defined as private addresses; RFC 1918 explains this.
In the real world, when NAT is implemented, user PCs (or PDAs, cell phones etc.) are given ip addresses from the private range. When these devices try to reach the internet, the boundary router or firewall changes these inside addresses to a publicly routable address, and when the return traffic comes back the reverse action is performed.
There are 3 types of NAT:
1) Static
Here 1 inside ip is manually mapped to 1 public ip, i.e. this is a one-to-one mapping. This kind of NAT is two way in nature, i.e. using the public ip anyone from the internet can reach the inside host.
For Cisco routers the configuration is as follows:
R(conf)#ip nat inside source static x.x.x.x y.y.y.y
where x.x.x.x = private ip and y.y.y.y = public ip.
Put "ip nat inside" on the interface connected to the local LAN and "ip nat outside" on the interface connected to the internet.
2) Dynamic
Here an equal number of private ip's (or hosts) and public ip's are mapped together in a dynamic way. Public ip's are handed out from a defined pool to the LAN hosts going to the internet on a first-come-first-served basis. The translation is undone on the return path, so that the returning traffic reaches the original host.
For Cisco routers the configuration is as follows:
First create a standard access-list to define the range of the inside hosts.
So if my local LAN is 192.168.1.0/24
then the access-list (AL) will be created as
R(conf)# access-list 1 permit 192.168.1.0 0.0.0.255
then
R(conf)#ip nat inside source list 1 pool abc
R(conf)#ip nat pool abc x.x.x.1 x.x.x.254 netmask 255.255.255.0
where x.x.x.1 - x.x.x.254 represents the public range.
Put "ip nat inside" on the interface connected to the local LAN and "ip nat outside" on the interface connected to the internet.
3) PAT or port address translation
Here a group of inside, private ip's is mapped to a single public ip (in most cases there will be 1 public ip; in rare cases a huge number of inside ip's are mapped to 2 or 3 public ip's).
Each inside host is identified on the internet by the same public ip. The boundary router or firewall tells the inside hosts apart by assigning a separate port to each session.
For Cisco routers the configuration is as follows:
So if my local LAN is 192.168.1.0/24
then the access-list will be created as
R(conf)# access-list 1 permit 192.168.1.0 0.0.0.255
then
R(conf)#ip nat inside source list 1 pool abc overload
R(conf)#ip nat pool abc x.x.x.x x.x.x.x netmask 255.255.255.0
where x.x.x.x is the public ip (the same address is given as start and end of the pool).
OR
R(conf)#ip nat inside source list 1 interface fastethernet 1/1 overload
where fastethernet 1/1 is the internet-facing interface.
***** the "overload" keyword is very important here.
On Cisco routers the following commands help in troubleshooting and verification of NAT:
1> show ip nat translation - for verification
2> debug ip nat - for troubleshooting (use this with immense care in a production network, because it can freeze the router with too much output.)
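To make the static and PAT behaviour described above concrete, here is an added Python model (not from the original post, and not Cisco code) of a boundary router: outbound packets from an inside host get a fresh global port per session, return traffic is mapped back, and anything arriving from the internet that matches neither a static mapping nor an existing session is dropped. The addresses 203.0.113.x and 198.51.100.x are constructed documentation addresses, and a real IOS translation entry also keys on protocol and outside address, which this model leaves out.

```python
import ipaddress

# RFC 1918 private ranges named in the post
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True when ip falls inside one of the RFC 1918 private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

class NatRouter:
    """Toy boundary router doing static NAT plus PAT ('overload'); keyed on inside ip:port only."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip    # address of the 'ip nat outside' interface (constructed)
        self.next_port = first_port   # next free global port for overload
        self.static = {}              # public ip -> inside ip (one-to-one, reachable both ways)
        self.pat_out = {}             # (inside ip, inside port) -> global port
        self.pat_in = {}              # global port -> (inside ip, inside port)

    def add_static(self, inside_ip: str, public_ip: str) -> None:
        """Same effect as 'ip nat inside source static inside_ip public_ip'."""
        self.static[public_ip] = inside_ip

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns the rewritten 4-tuple."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 inside address")
        for pub, inside in self.static.items():
            if inside == src_ip:                  # static NAT rewrites the address only
                return (pub, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.pat_out:               # new session: hand out a fresh global port
            self.pat_out[key] = self.next_port
            self.pat_in[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.pat_out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate an outside->inside packet; None means it is dropped."""
        if dst_ip in self.static:                 # static mapping is reachable from outside
            return (src_ip, src_port, self.static[dst_ip], dst_port)
        key = self.pat_in.get(dst_port)
        if dst_ip != self.public_ip or key is None:   # no session opened from inside: drop
            return None
        return (src_ip, src_port, key[0], key[1])
```

Unsolicited inbound packets to the overloaded public ip return None, which is the "extra layer of security" the post refers to; the static mapping shows why a statically translated host gets none of it.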