What is NAT (Network Address Translation)?
NAT (Network Address Translation) translates private IP addresses into public IP addresses by rewriting the source or destination IP address, and with PAT the port number, in each packet it forwards. Address translation reduces the need for public IPv4 addresses and also hides the private address ranges used inside a network. NAT generally runs on a router or firewall.
Public IP addresses are routable on the internet. Private IP addresses are intended for use within an organization and are not routable on the internet unless NAT is used: network address translation turns a private IP address into a public one that is routable on the internet.
How does NAT work?
Network address translation allows devices in a private IP address range to access the internet through a single public IP address. The NAT device records the corresponding IP address and port number pairs in its NAT table. If NAT runs out of IP addresses, meaning no address is left in the pool, the packet is dropped and an ICMP message is sent back to the sender.
Why do we need Network Address Translation (NAT)?
NAT was originally developed to solve two problems:
- To work around the shortage of IPv4 addresses.
- To hide the internal network addressing scheme.
What are the types of NAT?
- Static NAT (SNAT)
- Dynamic NAT (DNAT)
- Port address translation (PAT)
Here SNAT and DNAT abbreviate static and dynamic NAT; note that in Linux netfilter the same abbreviations mean source and destination NAT, which is a different distinction.
Static NAT: a single private IP address is mapped to a single public IP address. The one-to-one mapping is configured manually, and every private IP address that needs internet access must be mapped to its own registered public IP address. Static NAT is used for web hosting and similar servers that must be reachable from the internet, not for an organization's client devices: there are many devices that want to access the internet, and giving each one a registered public address would be costly.
Dynamic NAT (DNAT): a private IP address is translated into a public IP address taken dynamically from a pool of registered (public) IP addresses. When every address in the pool is in use and none is free, the IP packet is dropped and an ICMP message is sent. For example, with a pool of 3 public IP addresses, only 3 private IP addresses can be translated at a time; if a 4th private host tries to access the internet, its packet is dropped and an ICMP host unreachable message is sent. Dynamic NAT is also very costly because a large number of registered public IP addresses must be purchased. The mapping itself is done dynamically.
Port Address Translation (PAT): this form of NAT is also known as dynamic NAT overload. PAT allows thousands of users to access the internet using only one real, globally registered public IP address: it maps thousands of private addresses to one public address by using port numbers. PAT is the main reason the internet has not run out of valid IPv4 addresses. It is cost-effective because a single public IP address is used; the port number distinguishes the traffic, that is, which flow belongs to which private IP address.
Private IP address ranges (RFC 1918):
- Class A: 10.0.0.0 to 10.255.255.255
- Class B: 172.16.0.0 to 172.31.255.255
- Class C: 192.168.0.0 to 192.168.255.255
How does PAT work with port numbers?
Whenever a client sends an IP packet, the packet carries a source IP address, a destination IP address, a source port number and a destination port number. The port numbers are what keep the flows apart: the router stores each communication flow as a separate entry in its NAT translation table, keyed on the port numbers.
When PC1 (IP address 20.1.1.1) sends a packet to the web server at 203.0.113.2 from client ephemeral port 15000, the router notes that port number and translates the inside local address 20.1.1.1 with port 15000 to the inside global address 198.50.100.1 with port 13000.
If PC2 wants to reach the same web server, its private IP address 20.1.1.2 with port 16000 is translated to the same inside global address 198.50.100.1, this time with port 13001.
Notice that both PCs now share the inside global address 198.50.100.1. When the web server sends traffic back to the clients, those packets are all destined for 198.50.100.1, yet the router knows which client each packet belongs to because of the destination port number: a packet from the web server 203.0.113.2 that arrives at the router with destination IP address 198.50.100.1 and destination port 13000 belongs to PC1.
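The translation-table behaviour described above, as an added worked example that is not part of the original article: a small Python model of a NAT device with the two dynamic behaviours the text covers. `DynamicNat` hands out one public address per inside host from a pool and refuses the packet (where a real router would drop it and return ICMP host unreachable) once the pool is empty; `Pat` maps every inside host to one shared public address and rewrites the source port so that replies can be matched back to the right client. The addresses and ports are taken from the article's walkthrough; the port-allocation rule (13000 upward) is an assumption made for illustration, since real routers choose ports differently.

```python
"""Toy NAT translation table: dynamic NAT with a pool, and PAT (overload).

Added example, not code from the original article. Addresses and ports are
constructed from the article's PC1/PC2 walkthrough; the sequential port
allocation starting at 13000 is an assumption for illustration only.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatError(Exception):
    """Raised where a real router would drop the packet and send an ICMP error."""


class DynamicNat:
    """One-to-one mappings drawn dynamically from a pool of public addresses."""

    def __init__(self, pool):
        self.free = list(pool)   # public addresses not yet handed out
        self.table = {}          # inside local ip -> inside global ip

    def outbound(self, pkt):
        if pkt.src_ip not in self.table:
            if not self.free:
                # Pool exhausted: the router drops the packet and sends
                # ICMP host unreachable back to the inside host.
                raise NatError("pool exhausted: ICMP host unreachable")
            self.table[pkt.src_ip] = self.free.pop(0)
        return Packet(self.table[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)


class Pat:
    """Many-to-one: all inside hosts share one public address; the translated
    source port identifies the flow in both directions."""

    def __init__(self, public_ip, first_port=13000):
        self.public_ip = public_ip
        self.next_port = count(first_port)   # assumed allocation rule
        self.out = {}    # (inside local ip, port) -> translated port
        self.back = {}   # translated port -> (inside local ip, port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = next(self.next_port)
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Reverse-translate a reply that arrives on the outside interface."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.back:
            # No table entry: unsolicited inbound traffic is dropped, which is
            # the incidental filtering effect people attribute to NAT.
            raise NatError("no translation for %s:%d" % (pkt.dst_ip, pkt.dst_port))
        ip, port = self.back[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


def demo():
    """Replay the article's scenario; returns the translated packets."""
    pat = Pat("198.50.100.1")
    pc1 = pat.outbound(Packet("20.1.1.1", 15000, "203.0.113.2", 80))
    pc2 = pat.outbound(Packet("20.1.1.2", 16000, "203.0.113.2", 80))
    # The server answers the shared public address; only the port differs.
    reply = pat.inbound(Packet("203.0.113.2", 80, "198.50.100.1", 13000))

    dyn = DynamicNat(["50.1.1.1", "50.1.1.2", "50.1.1.3"])   # 3-address pool
    for host in ("20.1.1.1", "20.1.1.2", "20.1.1.3"):
        dyn.outbound(Packet(host, 40000, "203.0.113.2", 80))
    try:
        dyn.outbound(Packet("20.1.1.4", 40000, "203.0.113.2", 80))
        fourth = "translated"
    except NatError as err:
        fourth = str(err)
    return pc1, pc2, reply, fourth


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the block prints PC1's flow as 198.50.100.1:13000, PC2's as 198.50.100.1:13001, the reply to port 13000 delivered back to 20.1.1.1:15000, and the pool-exhaustion error for the fourth host of the dynamic NAT case.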
Let's see the configuration of SNAT, DNAT, and PAT and understand it better; the lab below walks through the static NAT case. Note that the lab's inside addresses (20.1.1.0/8) and the 50.0.0.0 mapping targets are not from the private ranges listed above; they are simply lab values.
Topology:
- Configure the topology as per the diagram
- Assign the IP addresses as per the topology
- Configure a static route from the ISP to the router
- Configure a default route toward the ISP
- Configure static NAT on the router, mapping inside addresses to 50.0.0.0
- Mark the inside interface with ip nat inside and the outside interface with ip nat outside
- Ping from the clients and send traffic from the server back to the router
FROM CLIENT-1
C:\>ipconfig
IP Address......................: 20.1.1.1
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.100
FROM CLIENT-2
C:\>ipconfig
IP Address......................: 20.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.100
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 20.1.1.100 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip address 198.50.100.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#ip address 198.50.100.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface gigabitEthernet 0/1
ISP(config-if)#ip address 203.0.113.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
Router(config)#do show ip interface br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 20.1.1.100 YES manual up up
GigabitEthernet0/2 198.50.100.1 YES manual up up
ISP#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 198.50.100.2 YES manual up up
GigabitEthernet0/1 203.0.113.1 YES manual up up
Router(config)#ip route 0.0.0.0 0.0.0.0 198.50.100.2
ISP(config)#ip route 50.0.0.0 255.0.0.0 198.50.100.1
Router(config)#ip nat inside source static 20.1.1.1 50.1.1.1
Router(config)#ip nat inside source static 20.1.1.2 50.1.1.2
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip nat outside
Router(config-if)#exit
C:\>ipconfig
IP Address......................: 20.1.1.1
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.100
C:\>ping 203.0.113.2
Pinging 203.0.113.2 with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126
Ping statistics for 203.0.113.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ipconfig
IP Address......................: 20.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.1.1.100
C:\>ping 203.0.113.2
Pinging 203.0.113.2 with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Ping statistics for 203.0.113.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
FROM SERVER
C:\>ipconfig
IP Address......................: 203.0.113.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 203.0.113.1
C:\>ping 50.1.1.1
Pinging 50.1.1.1 with 32 bytes of data:
Reply from 50.1.1.1: bytes=32 time<1ms TTL=126
Reply from 50.1.1.1: bytes=32 time<1ms TTL=126
Reply from 50.1.1.1: bytes=32 time=1ms TTL=126
Reply from 50.1.1.1: bytes=32 time<1ms TTL=126
Ping statistics for 50.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 50.1.1.1:5 20.1.1.1:5 203.0.113.2:5 203.0.113.2:5
icmp 50.1.1.1:6 20.1.1.1:6 203.0.113.2:6 203.0.113.2:6
icmp 50.1.1.1:7 20.1.1.1:7 203.0.113.2:7 203.0.113.2:7
icmp 50.1.1.1:8 20.1.1.1:8 203.0.113.2:8 203.0.113.2:8
icmp 50.1.1.2:10 20.1.1.2:10 203.0.113.2:10 203.0.113.2:10
icmp 50.1.1.2:11 20.1.1.2:11 203.0.113.2:11 203.0.113.2:11
icmp 50.1.1.2:12 20.1.1.2:12 203.0.113.2:12 203.0.113.2:12
icmp 50.1.1.2:9 20.1.1.2:9 203.0.113.2:9 203.0.113.2:9
--- 50.1.1.1 20.1.1.1 --- ---
--- 50.1.1.2 20.1.1.2 --- ---
Router#show ip nat statistic
Total translations: 10 (2 static, 8 dynamic, 8 extended)
Outside Interfaces: GigabitEthernet0/2
Inside Interfaces: GigabitEthernet0/0
Hits: 34 Misses: 50
Expired translations: 28
Dynamic mappings:
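The translation table and statistics above are the evidence a defender reads when tracing an event seen at a public address back to an inside host. As an added example that is not part of the original article, the Python below parses `show ip nat translations` output (the sample is copied from the lab output above and embedded inline) into structured entries, reports the static/dynamic counts in the style of `show ip nat statistics`, and answers the incident-response question "which inside host was behind this inside global address and port?". Cisco shows the ICMP identifier in the port column for icmp entries and `---` for the protocol and outside addresses of static one-to-one entries; the parser handles both forms.

```python
"""Parse Cisco `show ip nat translations` output and map an inside global
address (and port) back to the inside local host behind it.

Added example, not code from the original article. SAMPLE is copied from
the article's lab output; no other data is assumed.
"""

SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 50.1.1.1:5 20.1.1.1:5 203.0.113.2:5 203.0.113.2:5
icmp 50.1.1.1:6 20.1.1.1:6 203.0.113.2:6 203.0.113.2:6
icmp 50.1.1.2:10 20.1.1.2:10 203.0.113.2:10 203.0.113.2:10
--- 50.1.1.1 20.1.1.1 --- ---
--- 50.1.1.2 20.1.1.2 --- ---
"""


def split_endpoint(text):
    """'50.1.1.1:5' -> ('50.1.1.1', 5); '50.1.1.1' -> ('50.1.1.1', None);
    '---' -> (None, None)."""
    if text == "---":
        return None, None
    ip, sep, port = text.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(output):
    """Return one dict per translation entry, skipping the column header."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows have exactly five whitespace-separated columns; the
        # header row has more because the column names contain spaces.
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        entries.append({
            "proto": None if proto == "---" else proto,   # None = static entry
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def summarize(entries):
    """Counts in the style of `show ip nat statistics`."""
    static = sum(1 for e in entries if e["proto"] is None)
    return {"total": len(entries), "static": static, "dynamic": len(entries) - static}


def inside_hosts_for(entries, global_ip, global_port=None):
    """Inside local IP(s) that were translated to global_ip[:global_port].

    A static entry has no port and therefore matches any port on that
    address; a PAT/extended entry only matches its own translated port.
    """
    hosts = set()
    for e in entries:
        ip, port = e["inside_global"]
        if ip != global_ip:
            continue
        if global_port is None or port is None or port == global_port:
            hosts.add(e["inside_local"][0])
    return hosts


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(summarize(table))
    print("50.1.1.1:6 ->", inside_hosts_for(table, "50.1.1.1", 6))
    print("50.1.1.2:999 ->", inside_hosts_for(table, "50.1.1.2", 999))
```

For a PAT (overload) deployment, where many inside hosts share one inside global address, the port argument is what makes the lookup unambiguous, which is why NAT logs and translation-table snapshots should always be kept with port numbers and timestamps.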