Routing and Switching
Instructor: Dr. Saleem ullah
Department of Computer Science
KFUEIT – Rahim Yar Khan
Khwaja Fareed University of Engineering & Information Technology, Abu Dhabi Road, Rahim Yar Khan. Tel: +92 68 5882400, +92 68 5882432, Fax: +92 68 5882405, www.kfueit.edu.pk
Contents
• Network Address Translation (NAT)
• NAT Types
  • Static NAT
  • Static PAT
  • Dynamic NAT
  • NAT Overload
• NAT Configuration
Network Address Translation (NAT)
The process of translating one IP address to another is known as
Network Address Translation, or NAT.
The rapid growth of the Internet resulted in a shortage of available
IPv4 addresses. In response, a specific subset of the IPv4 address
space was designated as private, to temporarily alleviate this
problem.
A public address can be routed on the Internet. Thus, devices that
must be Internet-accessible must be configured with (or reachable
by) public addresses. Allocation of public addresses is governed by
the Internet Assigned Numbers Authority (IANA).
A private address is intended for internal use within a home or
organization, and can be freely used by anyone. However, private
addresses can never be routed on the Internet. In fact, Internet
Routers are configured to immediately drop traffic with private
addresses.
Network Address Translation (NAT)
To access the Internet, one public IP address is needed, but we can use private IP addresses in our private network. The idea of NAT is to
allow multiple devices to access the Internet through a single public address. To achieve this, the translation of a private IP address to a
public IP address is required. Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into
one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts. NAT also translates port
numbers, i.e., it masks the port number of the host with another port number in the packet that will be routed to the destination. It then makes
the corresponding entries of IP address and port number in the NAT table. NAT generally operates on a router or firewall.
Generally, the border router is configured for NAT, i.e., the router which has one interface in the local (inside) network and one interface in
the global (outside) network. When a packet leaves the local (inside) network, NAT converts its local (private) IP address
to a global (public) IP address. When a packet enters the local network, the global (public) IP address is converted back to a local (private) IP
address.
If NAT runs out of addresses, i.e., no address is left in the configured pool, then the packet is dropped and an Internet Control
Message Protocol (ICMP) host unreachable message is sent back towards the source.
Why mask port numbers?
Suppose two hosts A and B are connected in a network. Both of them send a request to the same destination, using the same source port number, say
1000, at the same time. If NAT only translated IP addresses, then when their packets arrived at the NAT device, both
of their IP addresses would be masked by the public IP address of the network and sent to the destination. The destination would send replies to
the public IP address of the router. Thus, on receiving a reply, it would be unclear to NAT which reply belongs to which host (because the
source port numbers for both A and B are the same). Hence, to avoid this problem, NAT masks the source port number as well and
records it in the NAT table.
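The two cases just described, pool exhaustion under dynamic NAT and the port-collision problem that PAT solves, modelled as a small translation table. This is an added example, not code from the lecture; the addresses, host names and the "drop" string are constructed for the demo.

```python
# Toy model of a NAT device's translation table (constructed example).
# mode="dynamic": each inside host takes one address from the pool; when the
# pool is empty the packet is dropped (the ICMP host unreachable case above).
# mode="overload" (PAT): one global address, a unique source port per flow.
from dataclasses import dataclass, field

@dataclass
class NatDevice:
    pool: list                    # inside global addresses available
    mode: str = "dynamic"         # "dynamic" or "overload"
    next_port: int = 1024         # next translated source port (overload only)
    table: dict = field(default_factory=dict)     # inside flow  -> (global ip, port)
    reverse: dict = field(default_factory=dict)   # outside view -> (inside local ip, port)
    host_addr: dict = field(default_factory=dict) # dynamic: inside local ip -> global ip

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns the packet as seen on the
        outside, or a drop reason when no global address is left."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            if self.mode == "overload":
                g_ip, g_port = self.pool[0], self.next_port   # same IP, new port
                self.next_port += 1
            else:
                if src_ip not in self.host_addr:
                    if not self.pool:
                        return "drop: ICMP host unreachable"
                    self.host_addr[src_ip] = self.pool.pop(0)
                g_ip, g_port = self.host_addr[src_ip], src_port   # port unchanged
            self.table[key] = (g_ip, g_port)
            self.reverse[(g_ip, g_port, dst_ip, dst_port)] = (src_ip, src_port)
        g_ip, g_port = self.table[key]
        return (g_ip, g_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to its inside host; None means no entry, so it is dropped."""
        entry = self.reverse.get((dst_ip, dst_port, src_ip, src_port))
        return None if entry is None else (src_ip, src_port) + entry

def demo_overload():
    nat = NatDevice(pool=["158.80.1.40"], mode="overload")
    a = nat.outbound("172.16.1.10", 1000, "203.0.113.5", 80)   # host A, source port 1000
    b = nat.outbound("172.16.1.11", 1000, "203.0.113.5", 80)   # host B, same source port
    return a, b, nat.inbound("203.0.113.5", 80, *a[:2]), nat.inbound("203.0.113.5", 80, *b[:2])

def demo_dynamic_exhaustion():
    nat = NatDevice(pool=["158.80.1.1", "158.80.1.2"], mode="dynamic")   # two-address pool
    return [nat.outbound(ip, 1000, "203.0.113.5", 80)
            for ip in ("172.16.1.10", "172.16.1.11", "172.16.1.12")]   # third host is dropped
```

In overload mode the replies to A and B arrive at the same public address but on ports 1024 and 1025, so the reverse lookup returns the right inside host for each; a reply with no table entry maps to None and is dropped.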
NAT Terminologies
•   Inside local address – An IP address that is assigned to a host on the inside (local) network. The address is usually not one assigned by the
    service provider, i.e., it is a private IP address. This is the inside host as seen from the inside network.
•   Inside global address – IP address that represents one or more inside local IP addresses to the outside world. This is the inside host as seen from the
    outside network.
•   Outside local address – This is the actual IP address of the destination host in the local network after translation.
•   Outside global address – This is the outside host as seen from the outside network. It is the IP address of the outside destination host before translation.
NAT Types
• Static NAT
• Static PAT
• Dynamic NAT
• NAT Overload / Port Address Translation
Static NAT
Static NAT – performs a static one-to-one translation
between two addresses, or between a port on one
address and a port on another address. Static NAT is
most often used to assign a public address to a device
behind a NAT-enabled firewall/router.
Static PAT
  • According to the definitions outlined in the NAT Terminology article, a Static PAT implies a translation of the IP address and Port,
    where the post-translation attributes are explicitly defined.
  • There are multiple use cases for a Static PAT, but they all have one thing in common – a need to manually change the TCP or UDP
    port as a packet moves through a Router or firewall.
  Multiple Servers using one Public IP Address
  • One specific use case for Static PAT is to use a single Public IP address to host multiple services on different internal servers. This
    is in contrast with a Static NAT which would only allow you to use a single Public IP address to host multiple services on
    the same server.
  • This illustration will show how Static PAT can enable the single IP address 73.8.2.44 to host two different services (HTTP and
    HTTPS) using two separate internal servers (10.4.4.41 and 10.4.4.42):
Dynamic NAT
Dynamic NAT – utilizes a pool of global addresses to dynamically translate the outbound traffic of
clients behind a NAT-enabled device.
NAT Overload / PAT
PAT translates the outbound traffic of clients to unique port numbers of a single global address. PAT is
necessary when the number of internal clients exceeds the available global addresses.
NAT Summary
Static NAT Configuration
  • NAT-Device(config)# int f0/0
  • NAT-Device(config-if)# ip nat inside
  • NAT-Device(config)# int f0/1
  • NAT-Device(config-if)# ip nat outside
  • NAT-Device(config)# ip nat inside source static 172.16.1.1 158.80.1.40
Dynamic NAT Configuration
  • NAT-Device(config)# int f0/0
  • NAT-Device(config-if)# ip nat inside
  • NAT-Device(config)# int f0/1
  • NAT-Device(config-if)# ip nat outside
  • NAT-Device(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
  • NAT-Device(config)# access-list 10 permit 172.16.1.0 0.0.0.255
  • NAT-Device(config)# ip nat inside source list 10 pool POOLNAME
NAT Overload Configuration
  • NAT-Device(config)# int f0/0
  • NAT-Device(config-if)# ip nat inside
  • NAT-Device(config)# int f0/1
  • NAT-Device(config-if)# ip nat outside
  • NAT-Device(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
  • NAT-Device(config)# access-list 10 permit 172.16.1.0 0.0.0.255
  • NAT-Device(config)# ip nat inside source list 10 pool POOLNAME overload
NAT Troubleshooting
• To view all current static and dynamic translations:
  NAT-Device# show ip nat translations
• To view whether an interface is configured as an inside or outside NAT interface, and
  to display statistical information regarding active NAT translations:
  NAT-Device# show ip nat statistics
• To view NAT translations in real time:
  NAT-Device# debug ip nat
• To clear all dynamic NAT entries from the translation table:
  NAT-Device# clear ip nat translation
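A parser for the table that show ip nat translations prints, added here as an example and not part of the lecture. The sample output is constructed in the command's five-column layout (static entries carry "---" in the Pro and Outside columns); the addresses are invented, and the per-host count is the kind of check an operator runs when the pool or port range is being used up faster than expected.

```python
# Parse "show ip nat translations" output and count translations per inside host.
from collections import Counter

# Constructed sample in the command's column layout (not real device output).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 158.80.1.40        172.16.1.1         ---                ---
tcp 158.80.1.40:1024   172.16.1.10:1000   203.0.113.5:80     203.0.113.5:80
tcp 158.80.1.40:1025   172.16.1.11:1000   203.0.113.5:80     203.0.113.5:80
udp 158.80.1.40:1026   172.16.1.11:5353   198.51.100.9:53    198.51.100.9:53
"""

def parse_translations(text):
    """Return one dict per translation line; the header line is skipped and
    malformed lines are ignored rather than raising."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 5:
            continue
        proto, ig, il, ol, og = cols
        rows.append({"proto": None if proto == "---" else proto,
                     "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og,
                     "static": proto == "---"})   # static entries have no protocol
    return rows

def per_inside_host(rows):
    """Count dynamic (non-static) translations per inside local address, with
    the port stripped, so one host holding most of the entries stands out."""
    counts = Counter()
    for r in rows:
        if not r["static"]:
            counts[r["inside_local"].split(":")[0]] += 1
    return counts
```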