Cisco® CCENT Exam Cram Notes : Network Address Translation(NAT)

5. Infrastructure Services & Maintenance

3. NAT

Static NAT: It is a one-to-one mapping between an unregistered IP address and a registered IP address.

Enabling Static NAT for an Inside Source Address

For inside source translation, the traffic flows from inside interface to the outside interface. NAT translates the inside local IP address to the inside global IP address. On the return traffic, the destination inside global IP address gets translated back to the inside local IP address.

Step 1 : R1#configure terminal

Enters global configuration mode.

Step 2 : R1(config)#ip nat inside source static local-ip-address global-ip-address [group group-id]

Configures static NAT: the inside local address is translated to the inside global address on outbound traffic, and the inside global address is translated back to the inside local address on return traffic.

Step 3 : R1(config)#copy running-config startup-config (Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example:

R1>enable
R1#configure terminal                                   (enters global configuration mode)
R1(config)#ip nat inside source static 192.168.1.10 200.200.200.3
R1(config)#ip nat inside source static 192.168.1.11 200.200.200.4

192.168.1.10, 192.168.1.11 = inside local addresses
200.200.200.3, 200.200.200.4 = inside global addresses

Syntax for defining a NAT address pool (used by dynamic NAT):

ip nat pool <pool-name> <ip-address> <ip-address> netmask <mask-address>

Configuring NAT on a router to translate private LAN addresses to public Internet addresses:

The following command configures a static NAT translation by mapping an inside local address to an inside global address.

ip nat inside source static 192.168.0.100 88.248.153.137

Here, 192.168.0.100 is the inside local address, and 88.248.153.137 is the inside global address. A packet's source address 192.168.0.100 is changed to 88.248.153.137 by the NAT device.

The correct syntax for enabling dynamic NAT with overload, which translates many inside hosts to a single inside global IP address, is:

ip nat inside source list <access-list-number> pool <pool-name> overload

where <access-list-number> is the standard access list number, and <pool-name> is the pool name.

Dynamic NAT:

Dynamic NAT is the usual implementation: a pool of public IP addresses is shared by an entire private IP subnet. When a private host initiates a connection, a public IP address is selected from the pool, and the mapping between the host's non-routable IP address and the selected public address is stored in the NAT table. As long as the outgoing connection is maintained, the private host can be reached by incoming packets sent to that public address. When the binding expires, the address is returned to the pool for reuse.

The following two statements are true about dynamic NAT translations:

1. The inside IP addresses eligible for address translation are defined in a standard IP access-list.

2. Only packets moving between the inside and outside networks are translated. This is true even for static NAT. If a packet is destined for another host but does not need to cross the NAT boundary, its source and destination addresses are not translated. This is understandable, since the packet never leaves the inside network.

Enabling dynamic NAT on an interface involves the following steps:

1. Defining a standard IP access-list using the command

access-list <access-list-number> {permit | deny} <local-ip-address>

2. Defining an IP NAT pool for the inside network using the command

ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} [type rotary]

Note that type rotary is an optional keyword. It indicates that the IP address range in the pool identifies inside hosts among which TCP load is distributed.

3. Mapping the access-list to the IP NAT pool by using the command

ip nat inside source list <access-list-number> pool <pool-name>

4. Enabling NAT on at least one inside and one outside interface using the command:

ip nat {inside | outside}

Overloading: A variation of dynamic NAT, also known as Network Address Port Translation (NAPT), maps multiple unregistered IP addresses to a single registered IP address by multiplexing the streams, which are differentiated by TCP/UDP port number.

Overlapping: When overlapping is employed, the IP addresses used on the internal network are registered IP addresses that are also in use on another network. To avoid conflict, a NAT table is built to translate these duplicate internal addresses to a unique IP address. Conversely, when packets are sent into the private network, the registered addresses must be translated to an address that is unique within that network.

Note that the option "overload" specifies a many-to-one relationship.

This configuration is typically used when many hosts with private IP addresses need to access the Internet through a single globally unique IP address.
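To make the behaviour described above concrete, here is an added Python model of a router's NAT table covering dynamic NAT (an address bound from the pool, reused for the same host, released on expiry, packets dropped when the pool is exhausted, and no translation for traffic that does not cross the NAT boundary) and overload (one address shared by many hosts and multiplexed by port). This is example code written for these notes, not IOS code or anything from Cisco; the class name NatTable, its methods, and the use of an inside network prefix in place of the standard access list are assumptions, and every address used with it is a constructed sample value.

```python
# Constructed model of a NAT table for illustration; not Cisco IOS code.
import ipaddress

class NatTable:
    """Models a router's NAT table: dynamic pool bindings, or overload (PAT)."""
    def __init__(self, inside_net, pool, overload=False):
        self.inside = ipaddress.ip_network(inside_net)  # stands in for the standard ACL
        self.free = list(pool)       # inside global addresses not yet bound
        self.overload = overload
        self.bindings = {}           # (inside_local, port) -> (inside_global, port)
        self.next_port = 1024        # next unique global port when overloading

    def crosses_boundary(self, src, dst):
        # Only inside-to-outside traffic is translated; inside-to-inside is not.
        return ipaddress.ip_address(src) in self.inside and ipaddress.ip_address(dst) not in self.inside

    def outbound(self, src, sport, dst):
        """Translate the source of an inside->outside packet; None = no free address."""
        if not self.crosses_boundary(src, dst):
            return src, sport                      # not crossing the NAT boundary
        if (src, sport) in self.bindings:
            return self.bindings[(src, sport)]     # existing binding is reused
        if self.overload:
            # Many-to-one: every flow shares the single address, told apart by port.
            mapping = (self.free[0], self.next_port)
            self.next_port += 1
        else:
            # One address per host from the pool; a host already bound keeps its address.
            held = {l: g for (l, _), (g, _) in self.bindings.items()}
            if src in held:
                mapping = (held[src], sport)
            elif self.free:
                mapping = (self.free.pop(0), sport)
            else:
                return None                        # pool exhausted: packet dropped
        self.bindings[(src, sport)] = mapping
        return mapping

    def inbound(self, dst, dport):
        """Reverse-translate a returning packet's destination via the stored binding."""
        for local, glob in self.bindings.items():
            if glob == (dst, dport):
                return local
        return None                                # no binding: unsolicited packet dropped

    def expire(self, src, sport):
        """Binding times out; a pool address is released once its host holds no flows."""
        glob = self.bindings.pop((src, sport), None)
        if glob and not self.overload and all(l != src for (l, _) in self.bindings):
            self.free.append(glob[0])
```

The inbound method also shows why NAT alone is not access control: any packet that matches an existing binding is forwarded back to the inside host.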

Advantages and Disadvantages of NAT

1. NAT allows several hosts to be connected to the Internet using fewer globally unique IP addresses, which conserves the scarce public IP address space. The terms public/global are used in the sense that the IP addresses are globally unique and officially registered.

2. NAT supports load sharing on inside machines. The inside machines are accessed in a round robin fashion, thus sharing load.

3. NAT offers some degree of security, since inside IP addresses are not easily traceable: the actual host IP address accessing the Internet is translated into an outside IP address and vice versa, so the internal addressing scheme is hidden from outside hosts. Thus, NAT offers some protection against hacking. Note that this is concealment rather than filtering; a router still forwards inbound packets that match an existing translation, so NAT does not replace access lists or a stateful firewall.

4. One disadvantage of NAT is that it increases delay. This is obvious since address translation is involved.

5. Another disadvantage of NAT is that an application which relies on the host's actual (physical) IP address, for example by carrying it inside the application data rather than only in the IP header, may not function properly, because that address is changed by NAT.
