CCENT1

NAT (Network Address Translation)


The Fundamentals of NAT and PAT

You know we’re translating a network address. What address are we translating?

Network Address Translation takes a host’s private IP address and translates it to a routable (public) address. It’s a simple but important job, because without NAT a host such as this one on the 10.1.1.0/24 network couldn’t communicate with the outside world (anybody outside its local network).

It couldn’t communicate with anybody outside its local network because private addresses are not routable on the Internet; they have to be changed to something that can be routed across the public network.

The addresses we’ll be translating are from the RFC 1918 range of private addresses.

A general reminder: the masks for these private address ranges are NOT the same as those for the full Class A (/8), Class B (/16), and Class C (/24) address ranges.

Class A: 10.0.0.0/8 (10.0.0.0 through 10.255.255.255)

Class B: 172.16.0.0/12 (172.16.0.0 through 172.31.255.255)

Class C: 192.168.0.0/16 (192.168.0.0 through 192.168.255.255)

You should be very familiar with these private address ranges before you take your exam; you need to be able to spot a private IP address on sight.
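As an added example (not from the lecture notes), here is a short Python script that checks whether an address falls in one of the RFC 1918 blocks using the real masks, and lists the addresses that the classful /16 and /24 masks would wrongly call public. The sample addresses are constructed for the demonstration.

```python
"""Spotting RFC 1918 private addresses with the correct masks.

Added example for these notes (not from the lecture). The point it shows:
the private blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and
applying the classful /16 and /24 masks instead leaves most of the
172.16-172.31 and 192.168 space looking public.
"""
from ipaddress import IPv4Address, IPv4Network

# The real RFC 1918 blocks.
RFC1918_BLOCKS = (
    IPv4Network("10.0.0.0/8"),      # 10.0.0.0    - 10.255.255.255
    IPv4Network("172.16.0.0/12"),   # 172.16.0.0  - 172.31.255.255
    IPv4Network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)

# The classful mistake the notes warn about: Class B and C masks on the same prefixes.
CLASSFUL_MISTAKE = (
    IPv4Network("10.0.0.0/8"),      # right by coincidence: the Class A mask is /8
    IPv4Network("172.16.0.0/16"),   # wrong: only 172.16.x.x, misses 172.17-172.31
    IPv4Network("192.168.0.0/24"),  # wrong: only 192.168.0.x, misses 192.168.1-255
)


def containing_block(addr, blocks=RFC1918_BLOCKS):
    """Return the block (as 'net/len') that contains addr, or None if addr is
    outside all of them, i.e. routable and not in need of NAT."""
    ip = IPv4Address(addr)
    for block in blocks:
        if ip in block:
            return str(block)
    return None


def is_private(addr):
    """True when addr is in one of the RFC 1918 blocks."""
    return containing_block(addr) is not None


def block_range(block):
    """First and last address of a block, for the exam-style 'what is the range' question."""
    net = IPv4Network(block)
    return str(net.network_address), str(net.broadcast_address)


def classful_disagreements(addrs):
    """Addresses that the correct masks call private but the classful masks call public."""
    return [a for a in addrs
            if containing_block(a) is not None
            and containing_block(a, CLASSFUL_MISTAKE) is None]


if __name__ == "__main__":
    # Constructed sample addresses: three private, two that only look private, one public.
    samples = ["10.1.1.1", "172.20.5.5", "192.168.37.1",
               "172.32.0.1", "192.169.0.1", "200.1.1.1"]
    for a in samples:
        print(f"{a:14} private={is_private(a)!s:5} block={containing_block(a)}")
    print(classful_disagreements(samples))   # ['172.20.5.5', '192.168.37.1']
```

Note that 172.32.0.1 and 192.169.0.1 are public even though they start like the private blocks, while 172.20.5.5 and 192.168.37.1 are private even though the classful masks would miss them.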

The only thing that’s even slightly tricky about NAT is the names given to the addresses in the overall NAT process. There are four: inside local, inside global, outside local, and outside global.

We start with the inside local address, the address a host on the local network uses to communicate with other hosts on that local network.

The inside local address is the address being translated locally, by the router on our side of the connection.

In this network, the inside local address is 10.1.1.1/24.

The inside local address is translated by our router to an inside global address. In this case, that’ll be, for example, 200.1.1.1/24.

Outside global addresses are the routable addresses that hosts on the remote network actually own; outside local addresses are how those remote hosts appear to our inside network. Unless the remote side’s addresses are also being translated, the outside local and outside global addresses are the same.

The terms “inside” and “outside” really depend on your perspective.

If the address is in use on your network (whether it’s global or local), it’s an inside address.

If it’s in use by the other involved network (where the host we’re communicating with is), then it’s an outside address.

If you are the character on the left, looking at 10.1.1.1, that’s an inside local address to you because it’s on the network you are on. To the character on the right, looking across the connection, our network is the outside network, so our addresses are outside addresses from that perspective (and the host on the right actually sees our translated address, 200.1.1.1, never 10.1.1.1).

For exam purposes, your local addresses are the private addresses and your global addresses are the routable ones.

When a router performs NAT, it makes an entry in its NAT translation table that maps the inside local address to the assigned inside global address.

(When we configure static NAT and dynamic NAT, you’ll see exactly how that assignment takes place.)

What happens is that the router simply says, “OK, let me make a note of that: I’m going to map 10.1.1.1 to 200.1.1.1.”

The private address is never seen outside the local network, and the host receiving these packets has no idea NAT has occurred. The host sending the packets doesn’t know about NAT either! The only device that even knows this is going on is the NAT router.

When packets come back in addressed to the routable address, the router checks its NAT table to see if another translation is in order. If so, the router translates the inside global address back to the appropriate inside local address and then routes the packets accordingly.

So when packets come back in for 200.1.1.1, the NAT router takes a look and says, “Hey, that’s a translation; I have that address mapped to 10.1.1.1 in my NAT table.”

So the router translates the destination IP address from 200.1.1.1 to 10.1.1.1 and sends the packets on their merry way.

And again, that host has absolutely no idea any of that happened.

Speaking of configuration, we’ve got two different ways to go with that.

And while I think you’ll see dynamic NAT much more in the real world, and you’ll see why, static NAT is still out there and it may well show up on your exam as well.

Static NAT (SNAT)

If only a limited number of hosts need NAT, static NAT might be the way to go.

Another reason to use static NAT is a server that needs NAT, where you don’t want to pull a routable address from a NAT pool (which is what dynamic NAT does).

A pooled address would change from time to time, and you want a fixed address for that server; static NAT gives you just that.

SNAT is simply a one-to-one mapping of an inside local address to an inside global address.

Here we’ll work with the two loopbacks I have on R1, at 10.1.1.2/32 and 10.1.1.22/32 respectively.

With this network, we’d need two mappings for SNAT, one per loopback address.

Before creating the mapping (whether you’re running static NAT, dynamic NAT, or port address translation), I strongly recommend configuring the required ip nat inside and ip nat outside commands on the appropriate interfaces first. Without them, no translation takes place at all, and you don’t want to spend half an hour troubleshooting your NAT mappings only to realize you forgot the interface-level commands!

ip nat inside goes on the interface or interfaces closest to the hosts having their addresses translated, and ip nat outside goes on the exit interface of the router performing NAT.

We’re going to put ip nat inside on our two loopbacks and ip nat outside on the serial interface.

In the real world you’d most likely have a Fast Ethernet interface here. We’re using a couple of loopbacks because I want a couple of extra networks, and also to get you used to putting ip nat inside on the loopback interface itself. Typically, though, you’ll have a bunch of hosts off a Fast Ethernet interface that need NAT, and you’d just put ip nat inside on that Ethernet or Fast Ethernet interface.

So again, it’s a good rule of thumb: before you even get started identifying who will be translated and which kind of NAT you’ll use, get your ip nat inside and ip nat outside commands taken care of first.

There’s nothing wrong with having multiple inside interfaces carrying ip nat inside; that’s the other reason I’m using loopbacks here. When we first look at NAT we tend to think of one outside interface and one inside interface, but you may well have multiple inside interfaces.

Let’s go out to our serial interface.

That’s it.
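As an added example rather than the lecture’s own configuration, here is a small Python model of the router from this section. It is not Cisco IOS, but it does what the IOS commands do: ip nat inside and ip nat outside mark interfaces, ip nat inside source static adds a one-to-one inside-local-to-inside-global entry, and translation happens only on packets crossing from an inside interface to an outside one, or back. The interface names (Loopback0, Loopback1, Serial0/0), the inside global addresses 200.1.1.2 and 200.1.1.22, and the outside host 200.2.2.2 are assumptions chosen for the lab, not values from the notes. The same model walks through the translation-table behaviour described earlier on this page, and it shows the troubleshooting pitfall just mentioned: with the mappings configured but the interface commands forgotten, packets leave with their private source address untouched.

```python
"""A model of a router doing static NAT.

Added example for these notes; it is not Cisco IOS and not the lecture's own
configuration. It mirrors what the IOS commands do: 'ip nat inside' and
'ip nat outside' mark interfaces, 'ip nat inside source static' adds a
one-to-one inside-local -> inside-global entry, and translation only happens
on packets crossing from an inside interface to an outside one (and back).
Interface names (Loopback0, Loopback1, Serial0/0), the inside global
addresses 200.1.1.2 and 200.1.1.22, and the outside host 200.2.2.2 are
assumptions chosen for the lab, not values from the notes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


@dataclass
class NatRouter:
    inside: set = field(default_factory=set)   # interfaces with 'ip nat inside'
    outside: set = field(default_factory=set)  # interfaces with 'ip nat outside'
    table: dict = field(default_factory=dict)  # inside local -> inside global

    def ip_nat_inside(self, iface):
        self.inside.add(iface)

    def ip_nat_outside(self, iface):
        self.outside.add(iface)

    def ip_nat_inside_source_static(self, inside_local, inside_global):
        """One-to-one mapping. Static entries are permanent table entries."""
        if inside_global in self.table.values():
            raise ValueError(f"{inside_global} is already an inside global address")
        self.table[inside_local] = inside_global

    def translations(self):
        """Rows of the NAT table as (inside global, inside local), in the
        order of the first two columns of 'show ip nat translations'."""
        return sorted((g, l) for l, g in self.table.items())

    def forward(self, pkt, ingress, egress):
        """Return the packet as it will leave 'egress'."""
        if ingress in self.inside and egress in self.outside:
            # Inside -> outside: rewrite the source (inside local -> inside global).
            # Hosts without a mapping are sent out untranslated.
            return Packet(self.table.get(pkt.src, pkt.src), pkt.dst)
        if ingress in self.outside and egress in self.inside:
            # Outside -> inside: rewrite the destination (inside global -> inside
            # local) by looking the inside global address up in the table.
            by_global = {g: l for l, g in self.table.items()}
            return Packet(pkt.src, by_global.get(pkt.dst, pkt.dst))
        # Inside-to-inside, outside-to-outside, or interfaces never marked: no NAT.
        return pkt


def build_lab(mark_interfaces=True):
    """R1 from the notes: two /32 loopbacks treated as inside interfaces (a
    modelling shortcut for router-originated traffic), a serial interface as
    the outside interface, and one static mapping per loopback.
    With mark_interfaces=False the interface-level commands are 'forgotten'."""
    r1 = NatRouter()
    if mark_interfaces:
        r1.ip_nat_inside("Loopback0")   # 10.1.1.2/32
        r1.ip_nat_inside("Loopback1")   # 10.1.1.22/32
        r1.ip_nat_outside("Serial0/0")
    r1.ip_nat_inside_source_static("10.1.1.2", "200.1.1.2")
    r1.ip_nat_inside_source_static("10.1.1.22", "200.1.1.22")
    return r1


def round_trip(router, inside_local, inside_iface, outside_host="200.2.2.2"):
    """Send a packet out and the reply back in; return (source address as seen
    by the outside host, destination address as delivered on the inside)."""
    out = router.forward(Packet(inside_local, outside_host), inside_iface, "Serial0/0")
    back = router.forward(Packet(outside_host, out.src), "Serial0/0", inside_iface)
    return out.src, back.dst


if __name__ == "__main__":
    r1 = build_lab()
    print(r1.translations())
    print(round_trip(r1, "10.1.1.2", "Loopback0"))     # ('200.1.1.2', '10.1.1.2')
    print(round_trip(r1, "10.1.1.22", "Loopback1"))    # ('200.1.1.22', '10.1.1.22')
    # Mappings present, interface commands forgotten: nothing is translated.
    print(round_trip(build_lab(False), "10.1.1.2", "Loopback0"))  # ('10.1.1.2', '10.1.1.2')
```

Compare the two round_trip results: on the properly marked router the outside host only ever sees 200.1.1.2 and the reply lands back on 10.1.1.2, while the router built with build_lab(False) sends the private address out unchanged even though both static entries are in its table.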
