Cisco® CCNP Route Exam Notes : Configure And Verify Ipv4 Network Address Translation (NAT)

6. Infrastructure Services

6.4 Configure and verify IPv4 Network Address Translation (NAT)

Given below are the four important forms of NAT (Network Address Translation):

Static NAT: It is a one-to-one mapping between an unregistered IP address and a registered IP address.

Dynamic NAT:

Usually, Dynamic NAT is implemented, where a pool of public IP addresses is shared by an entire private IP subnet. When a private host initiates a connection, a public IP address is selected. The mapping of the computer's non-routable IP address matched to the selected IP address is stored in the NAT Table. As long as the outgoing connection is maintained, the private host can be reached by incoming packets sent to the specified public address. When the binding expires, the address is returned to the pool for reuse.

Overloading: A variation of Dynamic NAT, also known as Network Address Port Translation (NAPT) maps multiple unregistered IP addresses to a single registered IP address by multiplexing streams differentiated by the TCP/UDP port number.

Overlapping: When Overlapping is employed, the IP addresses used on the internal network are registered IP addresses utilized on another network. To avoid conflict, a NAT Table is built to translate these redundant internal addresses to a unique IP address. Vice versa, when sending packets into the private network, the registered addresses must be translated to an address unique in the network.

When you are configuring NAT, NAT should be enabled on at least one inside and one outside interface. Typically "ip nat inside" is configured on the interfaces in local environment which cannot be routed to the internet(typically private range of IP Addresses) and "ip nat outside" is configured on the interface which is connected to the internet

The following command configures a static NAT translation by mapping inside local address to the inside global address.

ip nat inside source static 192.168.0.100 88.248.153.137

Here, 192.168.0.100 is the inside local address, and 88.248.153.137 is the inside global address. A packet's source address 192.168.0.100 is changed to 88.248.153.137 by the NAT device.

The correct syntax for enabling dynamic NAT to translate many inside hosts to an inside global IP address is:

ip nat inside source list <access-list-number> pool <pool-name> overload

where <access-list-number> is the standard access list number, and <pool-name> is the pool name. Note that the option "overload" specifies many to one relationship. This configuration is typically used when many hosts with private IP addresses need to access Internet through a specified globally unique IP address.

The following two statements are true about dynamic NAT translations:

1. The inside IP addresses eligible for address translation are defined in a standard IP access-list.

2. Only packets moving between inside and outside networks will get translated. This is true even for static NAT. If a packet is destined for another host, but does not require to cross the NAT boundary, the packet source /destination addresses are not translated. This is understandable, since the packet is not crossing the inside network boundary.

Enable dynamic NAT on an interface include the following:

1. Defining a standard IP access-list using the command

access-list <access-list-number> {permit | deny} <local-ip-address>

2. Defining an IP NAT pool for the inside network using the command

ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} [type-rotary]

Note that type-rotary is optional command. It indicates that the IP address range in the address pool identifies hosts among which TCP load is distributed.

3. Mapping the access-list to the IP NAT pool by using the command

ip nat inside source list <access-list-number> pool <pool-name>

4. Enabling NAT on at least one inside and one outside interface using the command:

ip nat {inside | outside}

Defining "type-rotary" to identify real inside hosts is not an essential command.

The following are statements true about NAT

1. NAT allows several hosts be connected to Internet by using fewer globally unique IP addresses. This in turn results in conserving the scarce public IP addresses. The terms public / global is used in the sense that the IP addresses are globally unique and officially registered.

2. NAT supports load sharing on inside machines. The inside machines are accessed in a round robin fashion, thus sharing load.

3. NAT offers some degree of security since IP addresses are not easily traceable. This is because, the actual host IP that is accessing the Internet is translated into outside IP address and vice versa. Thus, NAT offers protection against hacking.

4. One disadvantage of NAT is that it increases delay. This is obvious since address translation is involved.

5. Another disadvantage of NAT is that, when an application uses physical IP address, it may not function properly. This is because the physical IP address is changed by NAT.

The following is sample output of the Show ip nat translations command

Show ip nat translations command

The output shows Dynamic NAT translation with Overloading. This is evident from the fact that different inside local addresses have translated to the same inside global IP address, with different port mappings.

Previous   Contents   Next


CCNP Route Cram Notes Contents
certexams ad

simulationexams ad