The use of Network Address Translation (NAT) has been widespread
for a number of years; this is because it is able to solve a number of problems
with the same relatively simple configuration. At its most basic, NAT enables
the ability to translate one set of addresses to another; this enables traffic
coming from a specific host to appear as though it is coming from another and
do it transparently. This article looks at some of the basic concepts that are
used when configuring NAT and reviews the configuration steps required to get
NAT working.
NAT Concepts
There are a number of different concepts that must be explained in
order to really get a good understanding of how NAT operates, which ultimately
makes configuring NAT much simpler. This section reviews these
different concepts and begins with an understanding of how NAT can be used.
Some of the main uses for NAT include:
- Translation of non-unique addresses into unique addresses when accessing
the Internet: This is one of the most common uses of NAT today; almost every
household that has a “router” to access the Internet is using NAT on this
device to translate between internal private addresses and public Internet
addresses.
- Translation of addresses when transitioning internal addresses from one
address range into another (this is common when the organization of addresses
within a company is being changed): This is often done when a company is
transitioning its IP addressing plan; common scenarios include expanding (when
the IP addressing plan was not built out sufficiently at the time the initial
addresses were assigned) and merging with another company whose addresses
potentially overlap.
- When simple TCP load sharing is required across many IP hosts: This is very
common, as many heavily used servers are not really a single machine but a
bank of several machines that utilize load balancing. In this scenario,
commonly, a single public address is translated into one of several internal
addresses in a round robin fashion.
This is not a complete
list of every possible way that NAT can be configured but simply a list of the
most common ways that it is used in modern networks.
There are a couple of
main concepts that also must be reviewed and understood before configuring NAT:
- Inside and Outside Addresses
- NAT types
Inside and Outside Addresses
In typical NAT configurations, interfaces are placed into one of
two categories (or locations): inside or outside. Inside indicates
traffic that is coming from within the organizational network. Outside indicates
traffic that is coming from an external network that is outside the
organizational network.
These different categories are then used to define different types
of address depending on the location of the address and how it is being “seen”.
These different types include:
- inside local address: This is the inside address as it is seen and used
within the organizational network.
- inside global address: This is the inside address as it is seen and used on
the outside of the organizational network.
- outside local address: This is the outside address as it is seen and used
within the organizational network.
- outside global address: This is the outside address as it is seen and used
on the outside of the organizational network.
NAT Types
Another important concept to be familiar with is the different
types of NAT and how they are defined. On most networks there are three
different types of NAT that are defined:
- Static address translation (Static NAT): This type of NAT is used when a
single inside address needs to be translated to a single outside address or
vice versa.
- Dynamic address translation (Dynamic NAT): This type of NAT is used when an
inside address (or addresses) needs to be translated to an outside pool of
addresses or vice versa.
- Overloading (Port Address Translation, PAT): This type of NAT is a variation
on dynamic NAT. With dynamic NAT, there is always a one to one relationship
between inside and outside addresses; if the outside address pool is ever
exhausted, traffic from the next addresses requesting translation will be
dropped. With overloading, instead of a one to one relationship, traffic is
translated and given a specific outside port number to communicate with; in
this situation, many internal hosts can be using the same outside address while
utilizing different port numbers.
NAT Configuration
There are a few methods (and commands) that are used to configure
NAT. The main three methods include one for static NAT, one for dynamic NAT,
and one for TCP load sharing.
Static NAT Configuration
There are a few steps that are required when configuring static NAT;
the number of commands depends on whether there will be more than one
static translation:
1. Enter global configuration mode.
   router#configure terminal
2. Configure the static NAT translation (this command can be used multiple
   times depending on the number of static translations required). The
   overload keyword enables the use of PAT.
   router(config)#ip nat inside source static local-ip global-ip [overload]
3. Enter interface configuration mode for the inside interface.
   router(config)#interface interface-id
4. Configure the interface as the inside NAT interface.
   router(config-if)#ip nat inside
5. Enter interface configuration mode for the outside interface.
   router(config-if)#interface interface-id
6. Configure the interface as the outside NAT interface.
   router(config-if)#ip nat outside
7. Exit configuration mode.
   router(config-if)#end
Static NAT Configuration Example
To ensure the
configuration of static NAT is clear, let’s look at an example (Figure 1) that explains the concepts described above:
In this example, the
inside host 192.168.1.20 will be translated to 172.16.1.5 when sending traffic
out of interface f0/1.
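The configuration that implements this example, written out here as an added illustration rather than taken from the article or its figure. The article names only f0/1 as the outside interface, so f0/0 is assumed as the inside interface:

```cisco
! Added example (not from the article): static NAT for the Figure 1 scenario.
! Assumption: FastEthernet0/0 is the inside interface; the article names
! f0/1 as the outside interface.
router#configure terminal
! inside local 192.168.1.20 <-> inside global 172.16.1.5 (one-to-one)
router(config)#ip nat inside source static 192.168.1.20 172.16.1.5
router(config)#interface FastEthernet0/0
router(config-if)#ip nat inside
router(config-if)#interface FastEthernet0/1
router(config-if)#ip nat outside
router(config-if)#end
! The static entry never ages out and works in both directions: outside
! hosts can open connections to 172.16.1.5 and reach 192.168.1.20, so the
! outside interface needs an access list that limits what may come in.
! The entry can be checked with: show ip nat translations
```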
Dynamic NAT Configuration
Dynamic NAT requires a
few additional commands over a static configuration, as the source of the
traffic and the NAT address pool must be configured:
1. Enter global configuration mode.
   router#configure terminal
2. Configure the dynamic NAT address pool.
   router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length}
3. Configure a standard access list to define the addresses to be translated.
   router(config)#access-list access-list-number permit source [source-wildcard]
4. Configure the dynamic NAT translation. The overload keyword enables the
   use of PAT.
   router(config)#ip nat inside source list access-list-number pool pool-name [overload]
5. Enter interface configuration mode for the inside interface.
   router(config)#interface interface-id
6. Configure the interface as the inside NAT interface.
   router(config-if)#ip nat inside
7. Enter interface configuration mode for the outside interface.
   router(config-if)#interface interface-id
8. Configure the interface as the outside NAT interface.
   router(config-if)#ip nat outside
9. Exit configuration mode.
   router(config-if)#end
Dynamic NAT Configuration Example
To ensure the
configuration of dynamic NAT is clear, let’s look at an example (Figure 2) that explains the concepts described above:
In this example, the
hosts that have addresses from 192.168.1.1 through 192.168.1.254 will be
translated to an address from the pool which includes addresses from
172.16.1.10 through 172.16.1.20; if a 12th host attempts to
send traffic out of the f0/1 interface, the translation will fail.
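The configuration for this example, added here as an illustration and not taken from the article or its figure, together with the overload variant that avoids the pool-exhaustion failure just described. The inside interface (f0/0), the pool name and the access-list number are assumptions chosen for this illustration:

```cisco
! Added example (not from the article): dynamic NAT for the Figure 2 scenario.
! Assumptions: FastEthernet0/0 is the inside interface, f0/1 the outside
! interface; pool name NAT-POOL and access-list 1 are chosen here.
router#configure terminal
! 11 global addresses: 172.16.1.10 through 172.16.1.20
router(config)#ip nat pool NAT-POOL 172.16.1.10 172.16.1.20 netmask 255.255.255.0
! only 192.168.1.0/24 hosts are eligible for translation; keep this list
! narrow, since anything it permits can reach the outside through the pool
router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
! one-to-one dynamic translation: the 12th concurrent host gets no entry
! and its traffic is dropped until an existing entry times out
router(config)#ip nat inside source list 1 pool NAT-POOL
router(config)#interface FastEthernet0/0
router(config-if)#ip nat inside
router(config-if)#interface FastEthernet0/1
router(config-if)#ip nat outside
router(config-if)#end
!
! Variant: with the overload keyword the same pool is shared by port (PAT),
! so a 12th host is translated instead of dropped. Use this line in place
! of the translation command above:
!   router(config)#ip nat inside source list 1 pool NAT-POOL overload
!
! Active entries and pool usage: show ip nat translations / show ip nat statistics
```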
TCP Load Balancing Configuration
The TCP load balancing
feature enables a single outside address to be
translated into one of a pool of addresses in order to balance the load of
traffic over a number of different hosts. The following commands are used to
configure TCP load balancing:
1. Enter global configuration mode.
   router#configure terminal
2. Configure the NAT address pool that contains the list of real host IP
   addresses to load balance to.
   router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
3. Configure a standard access list to define the virtual address that will
   be used for outside communication.
   router(config)#access-list access-list-number permit source [source-wildcard]
4. Configure TCP server load balancing.
   router(config)#ip nat inside destination list access-list-number pool pool-name
5. Enter interface configuration mode for the inside interface.
   router(config)#interface interface-id
6. Configure the interface as the inside NAT interface.
   router(config-if)#ip nat inside
7. Enter interface configuration mode for the outside interface.
   router(config-if)#interface interface-id
8. Configure the interface as the outside NAT interface.
   router(config-if)#ip nat outside
9. Exit configuration mode.
   router(config-if)#end
TCP Load Balancing Configuration Example
To ensure the
configuration of TCP load balancing is clear, let’s look at an example (Figure 3) that explains the concepts described above:
In this example, all traffic that is addressed
to 192.168.1.5 will be translated and sent to the hosts with addresses from
192.168.1.10 through 192.168.1.20 in a round robin fashion.
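The configuration for this example, added here as an illustration and not taken from the article or its figure. The inside interface (f0/0), the pool name and the access-list number are assumptions chosen for this illustration:

```cisco
! Added example (not from the article): TCP load balancing (rotary pool)
! for the Figure 3 scenario.
! Assumptions: FastEthernet0/0 is the inside interface, f0/1 the outside
! interface; pool name REAL-HOSTS and access-list 2 are chosen here.
router#configure terminal
! real servers that receive connections in round robin
router(config)#ip nat pool REAL-HOSTS 192.168.1.10 192.168.1.20 netmask 255.255.255.0 type rotary
! the single virtual address that clients connect to
router(config)#access-list 2 permit host 192.168.1.5
! each new TCP connection to 192.168.1.5 is sent to the next pool member
router(config)#ip nat inside destination list 2 pool REAL-HOSTS
router(config)#interface FastEthernet0/0
router(config-if)#ip nat inside
router(config-if)#interface FastEthernet0/1
router(config-if)#ip nat outside
router(config-if)#end
! Only new TCP connections are distributed, and the router performs no
! health checking: a server that is down keeps receiving its share of
! connections until its address is taken out of the pool range.
```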
Summary
There are certainly many
different situations where the functionality of NAT can be used. This article
takes a look at some of the ways that NAT can be configured and offers examples
of how the functionality can be implemented. Hopefully this article has made
the concepts and configuration of NAT a little simpler to understand so that
they can be implemented with little trouble or confusion.