
Upload: pritam-bhattacharjee

Post on 01-Oct-2015

Basic NAT Concepts and Configuration

Due in large part to alleged NAT support on consumer devices, many people are confused about what NAT really is. Network Address Translation is used for many purposes, including but certainly not limited to, saving IP addresses. In this installment of Networking 101, we'll try to clear all this up.

NAT is a feature of a router that will translate IP addresses. When a packet comes in, it will be rewritten in order to forward it to a host that is not the IP destination. A router will keep track of this translation, and when the host sends a reply, it will translate back the other way.

Home users who talk about NAT are actually talking about PAT, or Port Address Translation. This is quite easy to remember: PAT translates ports, as the name implies, and likewise, NAT translates addresses. Sometimes PAT is also called Overloaded NAT. It doesn't really matter what you call it, just be careful about blanket "NAT can't" statements: they are likely incorrect.

Now that that's out of the way, let's clarify some terminology required for a NAT discussion. When we refer to the inside, we're talking about the internal network interface that receives egress traffic. This internal network may or may not be using private addresses; more on those in a minute. The outside refers to the external-facing network interface, the one that receives ingress traffic. In the real world, it is not the case that NAT is simply using a single outside IP and translating traffic into internal IPs and ports. That's what your Linksys does.

The "inside" of a NAT configuration is not synonymous with "private" or RFC1918 addresses. The often-referred-to "non-routable" addresses are not unroutable. You may configure most any router to pass traffic for these private IP subnets. If you try to pass a packet to your ISP for any of these addresses, it will be dropped. This is what "non-routable" means: not routable on the Internet.
You can and should mix RFC1918 addresses (for management interfaces) on your local internal network.

NAT is not used to simply share a single IP address. But when it is, in this strange configuration that's really called PAT, issues can arise. Say two geeks want to throw up an IPIP tunnel between their networks so they can avoid all the issues of firewall rules and state-keeping. If they both use the same IP subnet, they can't just join two networks together: they won't be able to broadcast for each other, so they will never communicate, right? It would seem that one side or the other would have to renumber their entire subnet, but there is a trick. Using a semi-complicated NAT and DNS setup, the hosts could actually communicate. This is another case of blanket "NAT is evil" statements actually having little reflection on reality. This issue does come up frequently when two companies merge and various branch offices need to communicate.

So why in the world would someone want to use one external IP and map it to one internal IP, as opposed to just translating the port? Policy. It's even likely that both sides will use real, bona fide Internet IP addresses. Everyone understands that NAT (the naive definition) will keep track of state; it's the only way to make translations happen. What they may not realize is that stateful filtering is a powerful security mechanism.

Stateful filtering means that the router will keep track of a TCP connection. Remember from our previous installment on TCP and its follow-up that a TCP connection consists of four parts: the remote and local IP addresses, and the connected ports. Stateful filters verify that every packet into the network is part of an already established, pre-verified connection.

Imagine a B2B transaction that ships very sensitive data across the Internet, even between continents. It's not feasible to lay fiber for this purpose, so the Internet has to be used. What to do?
How would you secure this transaction, or set of transactions? It can be done with IPSEC, but also utilizing NAT at the same time. Each side will have a 1:1 (real) NAT router configured to only allow specific connections from specific hosts. This guarantees that from either network, only authorized hosts will be making a connection. This also guarantees that hosts on both sides have been minimally exposed, and are very unlikely to have been compromised, since nobody else can get into that network.

Once the session starts, packets are carefully inspected in and out of each NAT router. If something nefarious happens, and someone in between is able to inject a forged packet into the stream, at least one side will notice. One of the NAT routers will be able to detect that a sequence number anomaly has occurred, and can immediately terminate all communication. When the TCP session completes with a FIN, the state is wiped clean.

In much the same way, home users take advantage of PAT to keep their less-than-secure machines from being completely taken over on a daily basis. When a connection attempt from the outside hits the external interface of a PAT device, it cannot be forwarded unless state already exists. State setup can only be done from the inside, when an egress attempt is made. If this version of NAT didn't exist on such a wide scale, the Internet would be a completely different place. Nobody would ever successfully install and patch a Windows computer prior to a compromise without the minimal protection provided by PAT.

Clearly NAT is useful in these cases. So why do people say that NAT is evil? They are likely referring to PAT, the bastard child of NAT. It's called "overloaded" for a reason.

IPv6 introduces the ability to have way more IP addresses than we really need. Does that mean that IPv6 will eliminate NAT? No. It also won't eliminate the usage of NAT everyone's familiar with: PAT.
We all need somewhere to stow Windows boxes away from the myriad of uninitiated connection attempts that come from the Internet.

The use of Network Address Translation (NAT) has been widespread for a number of years; this is because it is able to solve a number of problems with the same relatively simple configuration. At its most basic, NAT enables the ability to translate one set of addresses to another; this enables traffic coming from a specific host to appear as though it is coming from another, and to do it transparently. This article looks at some of the basic concepts that are used when configuring NAT and reviews the configuration steps required to get NAT working.

NAT Concepts

There are a number of different concepts that must be explained in order to really get a good understanding of how NAT operates, which ultimately makes the configuration of NAT increasingly simple. This section reviews these different concepts and begins with an understanding of how NAT can be used. Some of the main uses for NAT include:

- Translation of non-unique addresses into unique addresses when accessing the Internet: This is one of the most common uses of NAT today; almost every household that has a router to access the Internet is using NAT on this device to translate between internal private addresses and public Internet addresses.
- Translation of addresses when transitioning internal addresses from one address range into another (this is common when the organization of addresses within a company is being changed): This is often done when a company is transitioning its IP addressing plan; common scenarios include expanding (when the IP addressing plan was not built sufficiently when the initial addresses were assigned) and merging with another company whose addresses potentially overlap.
- When simple TCP load sharing is required across many IP hosts: This is very common, as many highly used servers are not really a single machine but a bank of several machines that utilize load balancing. In this scenario, commonly, a single public address is translated into one of several internal addresses in a round-robin fashion.

This is not a complete list of every possible way that NAT can be configured but simply a list of the most common ways that it is used in modern networks.

There are a couple of main concepts that also must be reviewed and understood before configuring NAT:

- Inside and Outside Addresses
- NAT types

Inside and Outside Addresses

In typical NAT configurations, interfaces are placed into one of two categories (or locations): inside or outside. Inside indicates traffic that is coming from within the organizational network. Outside indicates traffic that is coming from an external network that is outside the organizational network.

These different categories are then used to define different types of address depending on the location of the address and how it is being seen. These different types include:

- Inside local address: This is the inside address as it is seen and used within the organizational network.
- Inside global address: This is the inside address as it is seen and used on the outside of the organizational network.
- Outside local address: This is the outside address as it is seen and used within the organizational network.
- Outside global address: This is the outside address as it is seen and used on the outside of the organizational network.

NAT Types

Another important concept to be familiar with is the different types of NAT and how they are defined. On most networks there are three different types of NAT that are defined:

- Static address translation (Static NAT): This type of NAT is used when a single inside address needs to be translated to a single outside address or vice versa.
- Dynamic address translation (Dynamic NAT): This type of NAT is used when an inside address (or addresses) needs to be translated to an outside pool of addresses or vice versa.
- Overloading (Port Address Translation, PAT): This type of NAT is a variation on dynamic NAT. With dynamic NAT, there is always a one-to-one relationship between inside and outside addresses; if the outside address pool is ever exhausted, traffic from the next addresses requesting translation will be dropped. With overloading, instead of a one-to-one relationship, traffic is translated and given a specific outside port number to communicate with; in this situation, many internal hosts can be using the same outside address while utilizing different port numbers.

NAT Configuration

There are a few methods (and commands) that are used to configure NAT. The main three methods include one for static NAT, one for dynamic NAT, and one for TCP load sharing.

Static NAT Configuration

There are a few steps that are required when configuring static NAT; the number of commands depends on whether there will be more than one static translation:

1. Enter global configuration mode.
   router# configure terminal

2. Configure the static NAT translation (this command can be used multiple times depending on the number of static translations required). The overload keyword enables the use of PAT.
   router(config)# ip nat inside source static local-ip global-ip [overload]

3. Enter interface configuration mode for the inside interface.
   router(config)# interface interface-id

4. Configure the interface as the inside NAT interface.
   router(config-if)# ip nat inside

5. Enter interface configuration mode for the outside interface.
   router(config-if)# interface interface-id

6. Configure the interface as the outside NAT interface.
   router(config-if)# ip nat outside

7. Exit configuration mode.
   router(config-if)# end

Static NAT Configuration Example

To ensure the configuration of static NAT is clear, let's look at an example (Figure 1) that explains the concepts described above:

Figure 1: static NAT example (image not reproduced in this transcript).

In this example, the inside host 192.168.1.20 will be translated to 172.16.1.5 when sending traffic out of interface f0/1.

Dynamic NAT Configuration

Dynamic NAT requires a few additional commands over a static configuration, as the source of the traffic and the NAT address pool must be configured:

1. Enter global configuration mode.
   router# configure terminal

2. Configure the dynamic NAT address pool.
   router(config)# ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length}

3. Configure a standard access list to define the addresses to be translated.
   router(config)# access-list access-list-number permit source [source-wildcard]

4. Configure the dynamic NAT translation. The overload keyword enables the use of PAT.
   router(config)# ip nat inside source list access-list-number pool pool-name [overload]

5. Enter interface configuration mode for the inside interface.
   router(config)# interface interface-id

6. Configure the interface as the inside NAT interface.
   router(config-if)# ip nat inside

7. Enter interface configuration mode for the outside interface.
   router(config-if)# interface interface-id

8. Configure the interface as the outside NAT interface.
   router(config-if)# ip nat outside

9. Exit configuration mode.
   router(config-if)# end
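The dynamic NAT steps above, together with the stateful filtering described in the first article (state is created only by egress traffic, an unsolicited inbound packet is dropped, a FIN wipes the state), as an added Python model that is not code from either article. The class and field names, the pool and the sample packets are constructed for illustration; the model covers TCP only and mimics what "ip nat inside source list ... pool ... [overload]" does to a packet.

```python
# Added example, not code from either article: a model of what
# "ip nat inside source list <acl> pool <pool> [overload]" does to TCP packets.
# Class, field names, the pool and the sample packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False

class DynamicNat:
    def __init__(self, acl, pool_start, pool_end, overload=False):
        self.acl = IPv4Network(acl)  # the access list: who may be translated
        lo, hi = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.next_port = 1024  # PAT: unique ports on a single global address
        self.addr_map = {}  # dynamic NAT: inside local -> inside global
        self.out = {}  # (local, lport, remote, rport) -> (global, gport)
        self.back = {}  # (global, gport, remote, rport) -> (local, lport)

    def _global_for(self, src, sport):
        if self.overload:
            self.next_port += 1
            return self.pool[0], self.next_port - 1
        if src not in self.addr_map:  # one-to-one: take the first free address
            free = [a for a in self.pool if a not in self.addr_map.values()]
            if not free:
                return None  # pool exhausted, like the 12th host in Figure 2
            self.addr_map[src] = free[0]
        return self.addr_map[src], sport

    def outbound(self, pkt):
        """Inside -> outside: create state, return the rewritten packet or None."""
        if IPv4Address(pkt.src) not in self.acl:
            return pkt  # not permitted by the access list: forwarded untouched
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            mapping = self._global_for(pkt.src, pkt.sport)
            if mapping is None:
                return None  # translation fails, packet dropped
            self.out[key] = mapping
            self.back[mapping + (pkt.dst, pkt.dport)] = key[:2]
        g, gport = self.out[key]
        return Packet(g, gport, pkt.dst, pkt.dport, pkt.fin)

    def inbound(self, pkt):
        """Outside -> inside: only a reply to an existing 4-tuple gets through."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.back:
            return None  # no state: an unsolicited connection attempt, dropped
        local, lport = self.back[key]
        if pkt.fin:  # session teardown: the state is wiped clean
            del self.out[(local, lport, pkt.src, pkt.sport)]
            del self.back[key]
            if not any(k[0] == local for k in self.out):
                self.addr_map.pop(local, None)  # address returns to the pool
        return Packet(pkt.src, pkt.sport, local, lport, pkt.fin)
```

With the Figure 2 pool (172.16.1.10 through 172.16.1.20, eleven addresses) the twelfth inside host gets None back from outbound(), while the same pool with overload=True serves every host from one address on distinct ports.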

Dynamic NAT Configuration Example

To ensure the configuration of dynamic NAT is clear, let's look at an example (Figure 2) that explains the concepts described above:

Figure 2: dynamic NAT example (image not reproduced in this transcript).

In this example, the hosts that have addresses from 192.168.1.1 through 192.168.1.254 will be translated to an address from the pool, which includes addresses from 172.16.1.10 through 172.16.1.20; if a 12th host attempts to send traffic out of the f0/1 interface, the translation will fail.

TCP Load Balancing Configuration

The TCP load balancing feature enables the ability to assign a single outside address that is translated into one of a pool of addresses in order to balance the load of traffic over a number of different hosts. The following commands are used to configure TCP load balancing:

1. Enter global configuration mode.
   router# configure terminal

2. Configure the NAT address pool that contains the list of real host IP addresses to load balance to.
   router(config)# ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary

3. Configure a standard access list to define the virtual address that will be used for outside communication.
   router(config)# access-list access-list-number permit source [source-wildcard]

4. Configure TCP server load balancing.
   router(config)# ip nat inside destination list access-list-number pool pool-name

5. Enter interface configuration mode for the inside interface.
   router(config)# interface interface-id

6. Configure the interface as the inside NAT interface.
   router(config-if)# ip nat inside

7. Enter interface configuration mode for the outside interface.
   router(config-if)# interface interface-id

8. Configure the interface as the outside NAT interface.
   router(config-if)# ip nat outside

9. Exit configuration mode.
   router(config-if)# end
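The rotary pool behaviour configured by the steps above, as an added Python model that is not the article's code: new TCP connections to the virtual address are handed to the real hosts in round-robin order, later packets of an established connection stay on the host that was chosen, and a packet with no state that is not a connection attempt is dropped. The class name, the SYN flag argument and the addresses are constructed; the virtual address and host range follow Figure 3.

```python
# Added example, not the article's code: a model of
# "ip nat inside destination list <acl> pool <pool>" with a "type rotary" pool.
# Names and addresses are constructed; the values follow Figure 3.
from ipaddress import IPv4Address

class RotaryNat:
    """Round-robin destination translation of one virtual address to real hosts."""

    def __init__(self, virtual_ip, pool_start, pool_end):
        self.virtual_ip = virtual_ip  # the access list permits only this address
        lo, hi = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.index = 0  # next real host to hand a new connection to
        self.sessions = {}  # (client_ip, client_port, dport) -> real host

    def translate(self, client_ip, client_port, dst_ip, dst_port, syn=False):
        """Return the real destination for an inbound TCP packet, or None to drop."""
        if dst_ip != self.virtual_ip:
            return dst_ip  # not the virtual address: routed untouched
        key = (client_ip, client_port, dst_port)
        if key in self.sessions:
            return self.sessions[key]  # an existing session stays on its host
        if not syn:
            return None  # no state and not a new connection: dropped
        host = self.pool[self.index % len(self.pool)]  # round robin
        self.index += 1
        self.sessions[key] = host
        return host

    def close(self, client_ip, client_port, dst_port):
        """Session finished: forget the mapping so the state does not linger."""
        self.sessions.pop((client_ip, client_port, dst_port), None)
```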

TCP Load Balancing Configuration Example

To ensure the configuration of TCP load balancing is clear, let's look at an example (Figure 3) that explains the concepts described above:

Figure 3: TCP load balancing example (image not reproduced in this transcript).

In this example, all traffic that is addressed to 192.168.1.5 will be translated and sent to the hosts with addresses from 192.168.1.10 through 192.168.1.20 in a round-robin fashion.

Summary

There are certainly many different situations where the functionality of NAT can be used. This article takes a look at some of the ways that NAT can be configured and offers examples of how the functionality can be implemented. Hopefully this article has made the concepts and configuration of NAT a little simpler to understand so that they can be implemented with little trouble or confusion.