Monday 17 April 2023

What is NAT (Network Address Translation)? How does NAT work? What is Static NAT? What is Dynamic NAT? What is PAT? How to configure NAT?

What is NAT (Network Address Translation)?


NAT (Network Address Translation) translates private IP addresses into public IP addresses. It rewrites the source or destination IP address of packets passing through it and, with PAT, the port numbers as well. Address translation reduces the number of public IPv4 addresses an organization needs, and it also hides the private addressing scheme from the outside. NAT generally runs on a router or firewall.





Public IP addresses are routable on the internet. Private IP addresses are intended for use within an organization and are not routable on the internet; NAT lets hosts with private addresses reach the internet by translating the private address into a routable public one.


How does NAT work?






NAT allows devices in a private IP address range to access the internet through a single public IP address (or a small pool of them). For each flow, the router records the corresponding IP address and port number entries in its NAT translation table. If the router runs out of addresses (no address is left in the pool), the packet is dropped and an ICMP message is sent back to the sender.


Why do we need Network Address Translation NAT? 


NAT was originally developed to solve two problems:

  1. To help handle the shortage of IPv4 addresses.
  2. To hide the internal network addressing scheme.

What are the types of NAT?

  • Static NAT (SNAT)
  • Dynamic NAT (DNAT)
  • Port Address Translation (PAT)

Note that on this page SNAT and DNAT abbreviate static and dynamic NAT; in other contexts (Linux netfilter, for example) the same abbreviations mean source NAT and destination NAT.

Static NAT (SNAT): a single private IP address is mapped to a single public IP address. The one-to-one mapping is configured manually, so every private address that needs translation requires its own registered public address. Static NAT is used for servers that must be reachable from outside at a fixed address (web hosting, for example), not for an entire organization: with many devices wanting internet access, buying a registered public address for each of them would be costly.


Dynamic NAT (DNAT): a private IP address is translated into a public IP address taken dynamically from a pool of registered (public) addresses. When every address in the pool is in use, the packet is dropped and an ICMP message is sent. For example, with a pool of 3 public addresses only 3 private addresses can be translated at a time; if a 4th private host tries to access the internet, its packet is dropped and an ICMP host-unreachable message is returned. Dynamic NAT is also costly, because it still requires buying many registered public addresses; the difference from static NAT is that the mapping is done dynamically.

  

Port Address Translation (PAT): also known as dynamic NAT overload. PAT allows thousands of users to access the internet using only one registered public IP address; it maps many addresses to one by using port numbers. PAT is the main reason the internet has not run out of valid IPv4 addresses. It is cost-effective because a single public address is used, and the port number distinguishes which returning traffic belongs to which inside host.

Certain address blocks in each IP address class are reserved for private networks (RFC 1918). These are called private addresses:

Class A   10.0.0.0       to   10.255.255.255
Class B   172.16.0.0     to   172.31.255.255
Class C   192.168.0.0    to   192.168.255.255


How does PAT work with port numbers?

Whenever a client sends an IP packet, the packet carries a source IP address, a destination IP address, a source port number and a destination port number. The port numbers keep the flows apart: the router stores each communication flow as a separate entry in its NAT translation table, keyed by the port number as well as the address.

 

 


When PC1 with IP address 20.1.1.1 sends a packet to the web server at 203.0.113.2, the client uses the ephemeral source port 15000. The router records that port number and translates the inside local address 20.1.1.1 with port 15000 to the inside global address 198.50.100.1 with port 13000.

If PC2 wants to reach the same web server, its private address 20.1.1.2 with source port 16000 is translated to the same inside global address 198.50.100.1, this time with port 13001.

Notice that both PCs now share the inside global address 198.50.100.1. When the web server sends traffic back to the clients, those packets are all destined for the same IP address, 198.50.100.1. The router still knows which traffic belongs to which client because of the port number: if a packet from the web server 203.0.113.2 arrives at the router with destination IP address 198.50.100.1 and destination port 13000, the router knows it belongs to PC1.
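A toy model of the translation table behaviour described in the dynamic NAT paragraph above and in the PAT example just given, as an added illustration (not Cisco code): outbound packets get table entries, return traffic is matched on the inside global address and port, a packet with no entry is dropped, and a dynamic pool that is exhausted drops the next host. The PAT values are the post's own (20.1.1.1:15000 and 20.1.1.2:16000 behind 198.50.100.1, ports from 13000); the three-address dynamic pool 50.1.1.1-50.1.1.3 and the 40000-range ports are constructed.

```python
class NatTable:
    """Outbound: inside local (ip, port) -> inside global (ip, port).
    Inbound: reverse lookup; a packet with no matching entry is dropped."""
    def __init__(self, pool, overload):
        self.pool = list(pool)      # inside global addresses available
        self.overload = overload    # True = PAT (overload), False = dynamic NAT
        self.next_port = 13000      # first PAT port handed out, as in the post
        self.fwd = {}               # (local ip, port) -> (global ip, port)
        self.host_map = {}          # dynamic NAT only: local ip -> global ip

    def outbound(self, local_ip, local_port):
        """Translate a packet leaving the inside network; None means dropped."""
        key = (local_ip, local_port)
        if key in self.fwd:
            return self.fwd[key]
        if self.overload:
            # PAT: all flows share one public address; the port tells them apart
            mapping = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            # Dynamic NAT: each inside host takes a whole address from the pool
            if local_ip not in self.host_map:
                free = [g for g in self.pool if g not in self.host_map.values()]
                if not free:
                    return None     # pool exhausted: drop, send ICMP unreachable
                self.host_map[local_ip] = free[0]
            mapping = (self.host_map[local_ip], local_port)
        self.fwd[key] = mapping
        return mapping

    def inbound(self, global_ip, global_port):
        """Translate a packet arriving from the outside; None means dropped."""
        for local, glob in self.fwd.items():
            if glob == (global_ip, global_port):
                return local
        return None     # no entry for this (address, port): unsolicited, dropped

def pat_demo():
    """The post's two-PC example behind the single address 198.50.100.1."""
    pat = NatTable(["198.50.100.1"], overload=True)
    pc1 = pat.outbound("20.1.1.1", 15000)        # ("198.50.100.1", 13000)
    pc2 = pat.outbound("20.1.1.2", 16000)        # ("198.50.100.1", 13001)
    back = pat.inbound("198.50.100.1", 13000)    # ("20.1.1.1", 15000)
    stray = pat.inbound("198.50.100.1", 13002)   # None
    return pc1, pc2, back, stray

def dynamic_demo():
    """Constructed pool of 3 public addresses: the 4th inside host is dropped."""
    dyn = NatTable(["50.1.1.1", "50.1.1.2", "50.1.1.3"], overload=False)
    return [dyn.outbound(f"20.1.1.{n}", 40000 + n) for n in range(1, 5)]
```

The dropped `stray` packet is the defender-relevant side effect of PAT: an inside host has no reachable entry until it has sent traffic out, unless a static mapping like the one configured later in this post exists.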

 

Let's look at the configuration of SNAT, DNAT and PAT in a lab and understand it better; the lab below walks through the static NAT case.



Topology:

  • Configure the topology as per the diagram
  • Assign the IP addresses as per the topology
  • Configure a static route on the ISP toward the router's NAT range
  • Configure a default route on the router toward the ISP
  • Configure static NAT on the router, mapping the inside hosts to 50.0.0.0 addresses
  • Apply NAT to the inside and outside interfaces (ip nat inside / ip nat outside)
  • Ping from the clients and send traffic from the server back to the router

In this lab 20.0.0.0/8 stands in for the private inside range; it is not one of the RFC 1918 private blocks listed above.



FROM CLIENT-1

C:\>ipconfig
   IP Address......................: 20.1.1.1
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 20.1.1.100

FROM CLIENT-2

C:\>ipconfig
   IP Address......................: 20.1.1.2
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 20.1.1.100




ON ROUTER

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 20.1.1.100 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip address 198.50.100.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

ON ISP

ISP(config)#interface gigabitEthernet 0/0
ISP(config-if)#ip address 198.50.100.2 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit

ISP(config)#interface gigabitEthernet 0/1
ISP(config-if)#ip address 203.0.113.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit



Router(config)#do show ip interface br
Interface                   IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0          20.1.1.100      YES manual up                    up
GigabitEthernet0/2          198.50.100.1    YES manual up                    up

ISP#show ip interface brief
Interface                   IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0          198.50.100.2    YES manual up                    up
GigabitEthernet0/1          203.0.113.1     YES manual up                    up



Router(config)#ip route 0.0.0.0 0.0.0.0 198.50.100.2

ISP(config)#ip route 50.0.0.0 255.0.0.0 198.50.100.1




Router(config)#ip nat inside source static 20.1.1.1 50.1.1.1
Router(config)#ip nat inside source static 20.1.1.2 50.1.1.2

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#exit

Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip nat outside
Router(config-if)#exit






FROM CLIENT-1

C:\>ipconfig
   IP Address......................: 20.1.1.1
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 20.1.1.100

C:\>ping 203.0.113.2

Pinging 203.0.113.2 with 32 bytes of data:

Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126

Ping statistics for 203.0.113.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

FROM CLIENT-2

C:\>ipconfig
   IP Address......................: 20.1.1.2
   Subnet Mask.....................: 255.0.0.0
   Default Gateway.................: 20.1.1.100

C:\>ping 203.0.113.2

Pinging 203.0.113.2 with 32 bytes of data:

Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time<1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126
Reply from 203.0.113.2: bytes=32 time=1ms TTL=126

Ping statistics for 203.0.113.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms





FROM SERVER

C:\>ipconfig
   IP Address......................: 203.0.113.2
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 203.0.113.1

C:\>ping 50.1.1.1

Pinging 50.1.1.1 with 32 bytes of data:

Reply from 50.1.1.1: bytes=32 time<1ms TTL=126
Reply from 50.1.1.1: bytes=32 time<1ms TTL=126
Reply from 50.1.1.1: bytes=32 time=1ms TTL=126
Reply from 50.1.1.1: bytes=32 time<1ms TTL=126

Ping statistics for 50.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms






ON ROUTER

Router#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.1.1.1:5        20.1.1.1:5         203.0.113.2:5      203.0.113.2:5
icmp 50.1.1.1:6        20.1.1.1:6         203.0.113.2:6      203.0.113.2:6
icmp 50.1.1.1:7        20.1.1.1:7         203.0.113.2:7      203.0.113.2:7
icmp 50.1.1.1:8        20.1.1.1:8         203.0.113.2:8      203.0.113.2:8
icmp 50.1.1.2:10       20.1.1.2:10        203.0.113.2:10     203.0.113.2:10
icmp 50.1.1.2:11       20.1.1.2:11        203.0.113.2:11     203.0.113.2:11
icmp 50.1.1.2:12       20.1.1.2:12        203.0.113.2:12     203.0.113.2:12
icmp 50.1.1.2:9        20.1.1.2:9         203.0.113.2:9      203.0.113.2:9
---  50.1.1.1          20.1.1.1           ---                ---
---  50.1.1.2          20.1.1.2           ---                ---

Router#show ip nat statistic
Total translations: 10 (2 static, 8 dynamic, 8 extended)
Outside Interfaces: GigabitEthernet0/2
Inside Interfaces: GigabitEthernet0/0
Hits: 34 Misses: 50
Expired translations: 28
Dynamic mappings:


