Basic NAT Concepts and Configuration
Date: Jul 6, 2011
The use of Network Address Translation (NAT) has been widespread for a number of years; this is because it is able to solve a number of problems with the same relatively simple configuration. At its most basic, NAT enables the ability to translate one set of addresses to another; this enables traffic coming from a specific host to appear as though it is coming from another and do it transparently. This article looks at some of the basic concepts that are used when configuring NAT and reviews the configuration steps required to get NAT working.
NAT Concepts
There are a number of different concepts that must be explained in order to really get a good understanding of how NAT operates, which ultimately makes the configuration of NAT increasingly simple. This section reviews these different concepts and begins with an understanding of how NAT can be used. Some of the main uses for NAT include:
- Translation of non-unique addresses into unique addresses when accessing the Internet:
- Translation of addresses when transitioning internal addresses from one address range into another (this is common when the organization of addresses within a company is being changed):
- When simple TCP load sharing is required across many IP hosts:
This is one of the most common uses of NAT today; almost every household that has a “router” to access the Internet is using NAT on this device to translate between internal private address and public Internet addresses.
This is often done when a company is transitioning their IP addressing plan; common scenarios include when expanding (and the IP addressing plan was not built sufficiently when the initial addresses were assigned) and when a company is merging with another with potential overlapping addresses.
This is very common, as many highly used servers are not really a single machine but a bank of several machines that utilize load balancing. In this scenario, commonly, a single public address is translated into one of several internal addresses in a round robin fashion.
This is not a complete list of every possible way that NAT can be configured but simply a list of the most common ways that it is used in modern networks.
There are a couple of main concepts that also must be reviewed and understood before configuring NAT:
- Inside and Outside Addresses
- NAT types
Inside and Outside Addresses
In typical NAT configurations, interfaces are placed into one of two categories (or locations): inside or outside. Inside indicates traffic that is coming from within the organizational network. Outside indicates traffic that is coming from an external network that is outside the organizational network.
These different categories are then used to define different types of address depending on location of the address and how it is being “seen”. These different types include:
- inside local address: This is the inside address as it is seen and used within the organizational network.
- inside global address: This is the inside address as it is seen and used on the outside of the organizational network.
- outside local address: This is the outside address as it seen and used within the organizational network.
- outside global address: This is the outside address as it is seen and used on the outside of the organizational network.
NAT Types
Another important concept to be familiar with is the different types of NAT and how they are defined. On most networks there are three different types of NAT that are defined:
- Static address translation (Static NAT): This type of NAT is used when a single inside address needs to be translated to a single outside address or vice versa.
- Dynamic address translation (Dynamic NAT): This type of NAT is used when an inside address (or addresses) need to be translated to an outside pool of addresses or vice versa.
- Overloading (Port Address Translation (PAT): This type of NAT is a variation on dynamic NAT. With dynamic NAT, there is always a one to one relationship between inside and outside addresses; if the outside address pool is ever exhausted, traffic from the next addresses requesting translation will be dropped. With overloading, instead of a one to one relationship, traffic is translated and given a specific outside port number to communicate with; in this situation, many internal hosts can be using the same outside address whil utilizing different port numbers.
NAT Configuration
There are few methods (and commands) that are used to configure NAT. The main three methods include one for static NAT, one for Dynamic NAT, and one for TCP load sharing.
Static NAT Configuration
There a few steps that are required when configuring static NAT; the number of the commands depends on whether there will be more than one static translation:
1 |
Enter global configuration mode. |
router#configure terminal |
2 |
Configure the static NAT translation (this command can be used multiple times depending on the number of static translations required). The overload keyword enables the use of PAT. |
router(config)#ip nat inside source static local-ip global-ip [overload] |
3 |
Enter interface configuration mode for the inside interface. |
router(config)#interface interface-id |
4 |
Configure the interface as the inside NAT interface. |
router(config-if)#ip nat inside |
5 |
Enter interface configuration mode for the outside interface. |
router(config-if)#interface interface-id |
6 |
Configure the interface as the outside NAT interface. |
router(config-if)#ip nat outside |
7 |
Exit configuration mode. |
router(config-if)#end |
Static NAT Configuration Example
To ensure the configuration of static NAT is clear, let’s look at an example (Figure 1) that explains the concepts described above:
In this example, the inside host 192.168.1.20 will be translated to 172.16.1.5 when sending traffic out of interface f0/1.
Dynamic NAT Configuration
Dynamic NAT requires a few additional commands over a static configuration as the source of the traffic and the NAT address pool must be configured:
1 |
Enter global configuration mode. |
router#configure terminal |
2 |
Configure the dynamic NAT address pool. |
router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} |
3 |
Configure a static access list to define the addresses to be translated. |
router(config)#access-list access-list-number permit source [source-wildcard] |
4 |
Configure the dynamic NAT translation. The overload keyword enables the use of PAT. |
router(config)#ip nat inside source list access-list-number pool pool-name [overload] |
5 |
Enter interface configuration mode for the inside interface. |
router(config)#interface interface-id |
6 |
Configure the interface as the inside NAT interface. |
router(config-if)#ip nat inside |
7 |
Enter interface configuration mode for the outside interface. |
router(config-if)#interface interface-id |
8 |
Configure the interface as the outside NAT interface. |
router(config-if)#ip nat outside |
9 |
Exit configuration mode. |
router(config-if)#end |
Dynamic NAT Configuration Example
To ensure the configuration of dynamic NAT is clear, let’s look at an example (Figure 2) that explains the concepts described above:
In this example, the hosts that have addresses from 192.168.1.1 through 192.168.1.254 will be translated to an address from the pool which includes addresses from 172.16.1.10 through 172.16.1.20; if a 12th host attempts to send traffic out of the f0/1 interface, the translation will fail.
TCP Load Balancing Configuration
The TCP load balancing feature enables the ability to assign a single outside address that is translated into one of a pool of addresses in order to balance the load of traffic over a number of different hosts. The following commands are used to configure TCP load balancing:
1 |
Enter global configuration mode. |
router#configure terminal |
2 |
Configure the NAT address pool that contains the list of real host IP addresses to load balance to. |
router(config)#ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary |
3 |
Configure a static access list to define the virtual address that will be used for outside communication. |
router(config)#access-list access-list-number permit source [source-wildcard] |
4 |
Configure TCP server load balancing. |
router(config)#ip nat inside destination-list access-list-number pool pool-name |
5 |
Enter interface configuration mode for the inside interface. |
router(config)#interface interface-id |
6 |
Configure the interface as the inside NAT interface. |
router(config-if)#ip nat inside |
7 |
Enter interface configuration mode for the outside interface. |
router(config-if)#interface interface-id |
8 |
Configure the interface as the outside NAT interface. |
router(config-if)#ip nat outside |
9 |
Exit configuration mode. |
router(config-if)#end |
TCP Load Balancing Configuration Example
To ensure the configuration of TCP load balancing is clear, let’s look at an example (Figure 3) that explains the concepts described above:
In this example, all traffic that is addressed to 192.168.1.5 will be translated and sent to the hosts with addresses from 192.168.1.10 through 192.168.1.20 in a round robin fashion.
Summary
There are certainly many different situations where the functionality of NAT can be used. This article takes a look at some of the ways that NAT can be configured and offers examples of how the functionality can be implemented. Hopefully this article has made the concepts and configuration of NAT a little simpler to understand so that they can be implemented with little trouble or confusion.