Configuring NAT: Contents
Table of Tasks for NAT Configuration
  Translating Inside Source Address
  Inside Global Address Overloading
  Translating Overlapping Address
  Providing TCP Load Distribution
  Changing the Timeout of Translation Items and Limiting the Number of Links
  Monitoring and Maintaining NAT
Demonstration of NAT Configuration
  Demonstration of Dynamic Inside Source Address Translation
  Demonstration of Inside Global Address Overloading
  Demonstration of Translating Overlapping Address
  Demonstration of TCP Load Distribution
Two key problems facing the Internet are the depletion of IP address space and the scaling of routing. Network Address Translation (NAT) is a feature that allows an IP network to appear to use a different IP address space than the one it actually uses. By translating these addresses into globally routable address space, NAT lets an organization with non-globally-routable addresses connect to the Internet. NAT also allows a more graceful renumbering strategy for organizations that change service providers or voluntarily renumber into CIDR blocks. NAT is described in RFC 1631.
NAT has several applications. It is used for the following purposes:
Not every host that needs to connect to the Internet has a unique, globally registered IP address. NAT allows a private IP internetwork that uses unregistered addresses to connect to the Internet. NAT is normally configured on the border router between a stub domain (the internal network) and the public network (the Internet). Before a packet is forwarded to the outside network, NAT translates its inside local address into a globally unique IP address.
The inside addresses must be changed. Rather than renumbering, which takes too long, the addresses can be translated by NAT.
Basic TCP load distribution is required. With TCP load distribution, a single global IP address can be mapped to multiple local IP addresses.
As a solution to the connectivity problem, NAT is practical only when relatively few hosts in the stub domain communicate with the outside at the same time. In that case, only the addresses of the few inside hosts that are communicating with the outside are translated into globally unique IP addresses, and these addresses can be reused when they are idle.
The notable advantage of NAT is that it can be configured without changing the hosts or routers. As noted above, when a large number of hosts in the stub domain communicate with the outside, NAT offers little benefit. Moreover, some applications embed IP addresses in their payload and cannot be translated by the NAT device; such applications may not work transparently, or will not be translated at all. NAT also hides the identity of a host, which can be either an advantage or a drawback.
A router configured with NAT has at least one inside interface and one outside interface. In a typical environment, NAT is configured on the exit router between a stub domain and the backbone. When a packet leaves the domain, NAT translates the locally significant source address into a globally unique address. When a packet enters the domain, NAT translates the globally unique destination address into a local address. If there is more than one exit point, each NAT must have the same translation table. If the addresses are used up and the software cannot allocate one, the packet is dropped and an ICMP host unreachable message is sent.
A router configured with NAT must not advertise the local networks to the outside. However, routing information that NAT receives from the outside can be advertised within the stub domain.
As mentioned above, the term "inside" refers to those networks that are owned by an organization and whose addresses must be translated. Inside this domain, hosts have addresses in one address space; when NAT is configured, they appear to the outside domain to have addresses in another address space. The first address space is the local address space and the second is the global address space. Similarly, "outside" refers to those networks to which the stub network connects; they are generally not under the organization's control. As discussed later, the addresses of hosts on outside networks can, or must, be translated as well, so an outside host can have both a local and a global address.
In summary, NAT uses the following definitions:
Inside local address---An address assigned to a host on the inside network. The address may not be a legitimate address allocated by the Network Information Center (NIC) or a service provider.
Inside global address---A legitimate IP address (allocated by the NIC or a service provider) that represents one or more inside local IP addresses to the outside world.
Outside local address---The IP address of an outside host as it appears on the inside network. The address may not be legitimate; it can be allocated from the routable address space on the inside network.
Outside global address---The IP address assigned to a host on the outside network by the host's owner. The address can be allocated from a globally routable address or network space.
Table of Tasks for NAT Configuration
The NAT configuration tasks are:
  Translating Inside Source Address
  Inside Global Address Overloading
  Translating Overlapping Address
  Providing TCP Load Distribution
  Changing the Timeout of Translation Items and Limiting the Number of Links
  Monitoring and Maintaining NAT
Translating Inside Source Address
This feature translates a network's own IP addresses into globally unique IP addresses when the network communicates with the outside. Static or dynamic inside source address translation can be configured as follows:
Static translation sets up a one-to-one mapping between an inside local address and an inside global address. Static translation is useful when an inside host must be reachable from the outside at a fixed address.
Dynamic translation establishes a mapping between an inside local address and a pool of global addresses.
Chart 5 shows a router translating a source address inside a network into a source address outside the network.
Chart 5 NAT Translation of inside source address
The following steps describe the translation of an inside source address, as shown in Chart 5:
1. The user at host 1.1.1.1 opens a connection to host B.
2. The router receives the first packet from host 1.1.1.1 and checks its NAT table:
   If a static translation entry is configured, the router goes to step 3.
   If no translation entry exists, the router determines that source address (SA) 1.1.1.1 must be translated dynamically, selects a legal, globally unique address from the dynamic address pool, and creates a translation entry. This type of entry is called a simple entry.
3. The router replaces the inside local source address of host 1.1.1.1 with the global address from the translation entry and forwards the packet.
4. Host B receives the packet and responds to host 1.1.1.1 using the inside global IP destination address (DA) 2.2.2.2.
5. When the router receives the packet addressed to the inside global IP address, it uses the inside global address as the key to look up the NAT table, translates the address into the inside local address of host 1.1.1.1, and forwards the packet to host 1.1.1.1.
6. Host 1.1.1.1 receives the packet and continues the conversation. The router performs steps 2 through 5 for each packet.
Configuring Static Translation

| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat inside source static local-ip global-ip | Set up a static translation between an inside local address and an inside global address |
| 2 | interface type number | Designate the inside interface |
| 3 | ip nat inside | Mark the interface as connected to the inside network |
| 4 | interface type number | Designate the outside interface |
| 5 | ip nat outside | Mark the interface as connected to the outside network |
This is the minimum configuration. Multiple inside and outside interfaces can be configured.
Configuring Dynamic Translation
To configure dynamic inside source address translation, execute the following commands in global configuration mode:

| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat pool name start-ip end-ip netmask | Define a pool of global addresses to be allocated as needed |
| 2 | ip access-list standard access-list-name permit source [source-mask] | Define a standard access list permitting the addresses that are to be translated |
| 3 | ip nat inside source list access-list-name pool name | Establish dynamic source address translation, referencing the access list defined in the previous step |
| 4 | interface type number | Designate the inside interface |
| 5 | ip nat inside | Mark the interface as connected to the inside network |
| 6 | interface type number | Designate the outside interface |
| 7 | ip nat outside | Mark the interface as connected to the outside network |
Note: The access list must permit only those addresses that are to be translated (remember that every access list ends with an implicit "deny all"). An access list that is too permissive can lead to unexpected results.
For a demonstration of dynamic inside source address translation, see "Demonstration of Dynamic Inside Source Address Translation" later in this document.
Inside Global Address Overloading
The router allows multiple local addresses to share one global address, which conserves addresses in the inside global address pool. When overloading is configured, the router keeps enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, the TCP or UDP port number of each inside host is used to distinguish among the local addresses.
Chart 6 shows NAT operation when one inside global address represents multiple inside local addresses; the TCP port number serves as the differentiator.
Chart 6 NAT operation when an inside global address is overloaded
1. The user at host 1.1.1.1 opens a connection to host B.
2. The router receives the first packet from host 1.1.1.1 and checks its NAT table:
   If no translation entry exists, the router determines that address 1.1.1.1 must be translated and sets up a translation from inside local address 1.1.1.1 to a legal global address. If overloading is enabled and another translation is already active, the router reuses the global address from that translation and saves enough information (protocol and port numbers) to translate replies back. This type of entry is called an extended entry.
3. The router replaces inside local source address 1.1.1.1 with the global address it chose and forwards the packet.
4. Host B receives the packet and responds to host 1.1.1.1 using the inside global IP address.
5. When the router receives the packet addressed to the inside global IP address, it uses the protocol, the inside global address and port, and the outside address and port as the key to look up the NAT table. It then translates the address into inside local address 1.1.1.1 and forwards the packet to host 1.1.1.1.
6. Host 1.1.1.1 receives the packet and continues the conversation. The router performs steps 2 through 5 for each packet.
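To make the two lookup procedures concrete, the following Python model is added here as an illustration; it is not code from this document or from any router implementation. It models the NAT table described under "Translating Inside Source Address" and in the overload steps above: without overload, simple entries keyed by the inside local address are created from the pool and traffic is dropped (the router would send ICMP host unreachable) once the pool is exhausted; with overload, extended entries keyed by protocol, inside global address and port, and outside address and port share one global address. The class and function names, the pool and the host addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# All addresses, ports and pools below are constructed sample values.

@dataclass
class SimpleEntry:            # non-overload: one inside local <-> one inside global
    inside_local: str
    inside_global: str

@dataclass
class ExtendedEntry:          # overload: protocol and ports are part of the key
    proto: str
    inside_local: str
    inside_local_port: int
    inside_global: str
    inside_global_port: int
    outside_global: str
    outside_port: int

class InsideSourceNat:
    """Model of 'ip nat inside source list <acl> pool <pool> [overload]' (hypothetical class)."""

    def __init__(self, pool, permitted, overload=False):
        self.free = list(pool)                            # unused inside global addresses
        self.permitted = ipaddress.ip_network(permitted)  # stands in for the standard access list
        self.overload = overload
        self.simple = {}   # inside_local -> SimpleEntry
        self.fwd = {}      # (proto, inside local, port, outside, port) -> ExtendedEntry
        self.rev = {}      # (proto, inside global, port, outside, port) -> ExtendedEntry
        self.next_port = 1024                             # used when the source port is taken

    def _pick_port(self, proto, ig, wanted, og, og_port):
        """Keep the original source port when free, otherwise allocate a fresh one."""
        if (proto, ig, wanted, og, og_port) not in self.rev:
            return wanted
        while (proto, ig, self.next_port, og, og_port) in self.rev:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, proto, src, sport, dst, dport):
        """Packet arriving on the inside interface. Returns the translated (src, sport),
        or None when the pool is exhausted (dropped, ICMP host unreachable sent)."""
        if ipaddress.ip_address(src) not in self.permitted:
            return (src, sport)                           # not in the access list: untranslated
        if not self.overload:
            entry = self.simple.get(src)
            if entry is None:
                if not self.free:
                    return None
                entry = SimpleEntry(src, self.free.pop(0))
                self.simple[src] = entry
            return (entry.inside_global, sport)
        key = (proto, src, sport, dst, dport)
        entry = self.fwd.get(key)
        if entry is None:
            ig = self.free[0]                             # overload: every host shares this address
            gport = self._pick_port(proto, ig, sport, dst, dport)
            entry = ExtendedEntry(proto, src, sport, ig, gport, dst, dport)
            self.fwd[key] = entry
            self.rev[(proto, ig, gport, dst, dport)] = entry
        return (entry.inside_global, entry.inside_global_port)

    def inbound(self, proto, src, sport, dst, dport):
        """Reply arriving on the outside interface; dst is an inside global address.
        Returns (inside local, port), or None when no entry matches (packet dropped)."""
        if not self.overload:
            for entry in self.simple.values():
                if entry.inside_global == dst:
                    return (entry.inside_local, dport)
            return None
        entry = self.rev.get((proto, dst, dport, src, sport))
        if entry is None:
            return None
        return (entry.inside_local, entry.inside_local_port)

def demo():
    # Simple entries: two global addresses for three inside hosts; the third is refused.
    plain = InsideSourceNat(["2.2.2.2", "2.2.2.3"], "192.168.1.0/24")
    r1 = plain.outbound("tcp", "192.168.1.10", 40000, "9.6.7.3", 80)
    r2 = plain.outbound("tcp", "192.168.1.11", 40000, "9.6.7.3", 80)
    r3 = plain.outbound("tcp", "192.168.1.12", 40000, "9.6.7.3", 80)   # pool exhausted -> None
    back = plain.inbound("tcp", "9.6.7.3", 80, "2.2.2.3", 40000)
    # Overload: one global address; a colliding source port gets a new global port.
    pat = InsideSourceNat(["2.2.2.2"], "192.168.1.0/24", overload=True)
    o1 = pat.outbound("tcp", "192.168.1.10", 40000, "9.6.7.3", 80)
    o2 = pat.outbound("tcp", "192.168.1.11", 40000, "9.6.7.3", 80)
    reply = pat.inbound("tcp", "9.6.7.3", 80, "2.2.2.2", 1024)
    stray = pat.inbound("tcp", "9.6.7.3", 80, "2.2.2.2", 5555)          # unsolicited -> None
    return r1, r2, r3, back, o1, o2, reply, stray

if __name__ == "__main__":
    print(demo())
```

The `stray` lookup shows the defensive side of an extended entry: a packet from the outside that matches no entry is discarded rather than forwarded to any inside host, which is why overloaded NAT only admits replies to sessions an inside host actually opened.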
To configure inside global address overloading, execute the following commands in global configuration mode:

| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat pool name start-ip end-ip netmask | Define a pool of global addresses to be allocated as needed |
| 2 | ip access-list standard access-list-name permit source [source-mask] | Define a standard access list |
| 3 | ip nat inside source list access-list-name pool name overload | Establish dynamic address translation with overloading, referencing the access list defined in the previous step |
| 4 | interface type number | Designate the inside interface |
| 5 | ip nat inside | Mark the interface as connected to the inside network |
| 6 | interface type number | Designate the outside interface |
| 7 | ip nat outside | Mark the interface as connected to the outside network |
Note: The access list must permit only those addresses that are to be translated (remember that every access list ends with an implicit "deny all"). An access list that is too permissive can lead to unexpected results.
For a demonstration of inside global address overloading, see "Demonstration of Inside Global Address Overloading" later in this document.
Translating Overlapping Address
When an inside local address is the same as the address of the outside host it wants to connect to, address overlapping occurs.
Chart 7 shows how overlapping networks are translated.
When translating overlapping addresses, the router performs the following steps:
1. The user at host 1.1.1.1 opens a connection to host C by domain name and requests an address lookup from the DNS server.
2. The DNS server replies with the address of host C, which is 1.1.1.1. The router intercepts the DNS reply and selects an address from the outside local address pool to replace the address resolved by the DNS server. Here, address 3.3.3.3 replaces address 1.1.1.1.
3. The router creates the address translation mappings: inside local address to inside global address, and outside global address to outside local address.
4. Host 1.1.1.1 sends packets to host C; the destination IP address of these packets is the outside local address 3.3.3.3.
5. When Router A receives a packet whose destination address is the outside local address, it replaces the source address with the inside global address and the destination address with the outside global address.
6. Host C receives the packet and continues the conversation.
Configuring Static Translation
To configure static outside source address translation, execute the following commands in global configuration mode:

| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat outside source static global-ip local-ip | Set up a static translation between an outside global address and an outside local address |
| 2 | interface type number | Designate the inside interface |
| 3 | ip nat inside | Mark the interface as connected to the inside network |
| 4 | interface type number | Designate the outside interface |
| 5 | ip nat outside | Mark the interface as connected to the outside network |
Configuring Dynamic Translation
To configure dynamic outside source address translation, execute the following commands in global configuration mode:

| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat pool name start-ip end-ip netmask | Define a pool of local addresses to be allocated as needed |
| 2 | ip access-list standard access-list-name permit source [source-mask] | Define a standard access list |
| 3 | ip nat outside source list access-list-name pool name | Establish dynamic outside source address translation, referencing the access list defined in the previous step |
| 4 | interface type number | Designate the inside interface |
| 5 | ip nat inside | Mark the interface as connected to the inside network |
| 6 | interface type number | Designate the outside interface |
| 7 | ip nat outside | Mark the interface as connected to the outside network |
Note: The access list must permit only those addresses that are to be translated (remember that every access list ends with an implicit "deny all"). An access list that is too permissive can lead to unexpected results.
For an example of translating overlapping addresses, see "Demonstration of Translating Overlapping Address" later in this document.
Providing TCP Load Distribution
Another use of NAT is unrelated to Internet addresses. Your organization may have multiple hosts that must communicate with a heavily used host. Using NAT, a virtual host that coordinates load distribution among the real hosts can be established on the inside network. Destination addresses that match an access list are replaced with addresses from a rotary pool. Allocation is done in round-robin order, and only when a new connection is opened from the outside to the inside. Non-TCP traffic is passed untranslated (unless other translations are in effect). Chart 8 shows this feature.
Chart 8 NAT TCP Load Distribution
1. The user at host B (9.6.7.3) opens a connection to the virtual host at 1.1.1.127.
2. The router receives the request, sets up a new translation entry, and allocates the inside local address of a real host (1.1.1.1).
3. The router replaces the destination address with the address of the real host it chose and forwards the packet.
4. Host 1.1.1.1 receives the packet and responds.
5. The router receives the reply and looks up the NAT table using the inside local address and port number and the outside address and port number as the key. It then translates the source address into the address of the virtual host and forwards the packet.
6. The next connection request causes the router to allocate inside local address 1.1.1.2.
To configure destination translation, execute the following commands in global configuration mode. These commands allow the address of one virtual host to be mapped to the addresses of multiple real hosts. Each new TCP session opened with the virtual host is translated into a session with a different real host.
| Steps | Command | Function |
| --- | --- | --- |
| 1 | ip nat pool name start-ip end-ip netmask | Define an address pool containing the real hosts |
| 2 | ip access-list standard access-list-name permit source [source-mask] | Define an access list containing the address of the virtual host |
| 3 | ip nat inside destination list access-list-name pool name | Establish dynamic inside destination translation, referencing the access list defined in the previous step |
| 4 | interface type number | Designate the inside interface |
| 5 | ip nat inside | Mark the interface as connected to the inside network |
| 6 | interface type number | Designate the outside interface |
| 7 | ip nat outside | Mark the interface as connected to the outside network |

Note: The access list must permit only those addresses that are to be translated (remember that every access list ends with an implicit "deny all"). An access list that is too permissive can lead to unexpected results.
For an example of rotary (round-robin) translation, see "Demonstration of TCP Load Distribution" later in this document.
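The following Python model is added here to show the round-robin destination translation described in this section; it is not code from this document or from any router. It models `ip nat inside destination list <acl> pool <pool>`: a real host is taken from the pool in rotation only when a new TCP connection (SYN) to the virtual host arrives from the outside, replies from the real host are rewritten back to the virtual address using the inside address/port and outside address/port as the key, and non-TCP traffic passes untranslated. The class name, the virtual and real host addresses and the ports are assumptions constructed for the example.

```python
from itertools import cycle

# All addresses and ports below are constructed sample values.

class RotaryNat:
    """Model of TCP load distribution with a rotary pool (hypothetical class)."""

    def __init__(self, virtual_host, real_hosts):
        self.virtual = virtual_host          # the address matched by the access list
        self.rotary = cycle(real_hosts)      # the pool, handed out in round-robin order
        self.sessions = {}                   # (outside addr, outside port, virtual port) -> real host

    def from_outside(self, proto, src, sport, dst, dport, syn=False):
        """Packet arriving on the outside interface; returns the destination to forward to.
        Only TCP traffic to the virtual host is translated, and a real host is allocated
        only when a new connection (SYN) is opened."""
        if proto != "tcp" or dst != self.virtual:
            return dst                       # non-TCP, or not the virtual host: untranslated
        key = (src, sport, dport)
        real = self.sessions.get(key)
        if real is None:
            if not syn:
                return dst                   # mid-stream packet with no entry: left untranslated
            real = next(self.rotary)
            self.sessions[key] = real
        return real

    def from_inside(self, proto, src, sport, dst, dport):
        """Reply from a real host on the inside interface; returns the source address to use.
        The lookup key is the inside local address/port and the outside address/port."""
        if proto == "tcp" and self.sessions.get((dst, dport, sport)) == src:
            return self.virtual              # source rewritten back to the virtual host
        return src

def demo():
    nat = RotaryNat("1.1.1.127", ["1.1.1.1", "1.1.1.2"])
    first = nat.from_outside("tcp", "9.6.7.3", 5000, "1.1.1.127", 23, syn=True)   # -> 1.1.1.1
    second = nat.from_outside("tcp", "9.6.7.3", 5001, "1.1.1.127", 23, syn=True)  # -> 1.1.1.2
    third = nat.from_outside("tcp", "9.6.7.3", 5002, "1.1.1.127", 23, syn=True)   # wraps -> 1.1.1.1
    data = nat.from_outside("tcp", "9.6.7.3", 5000, "1.1.1.127", 23)              # existing session
    reply = nat.from_inside("tcp", "1.1.1.2", 23, "9.6.7.3", 5001)                # -> 1.1.1.127
    udp = nat.from_outside("udp", "9.6.7.3", 5000, "1.1.1.127", 53)               # untranslated
    return first, second, third, data, reply, udp

if __name__ == "__main__":
    print(demo())
```

The `udp` case is the behaviour the section calls out: only TCP sessions are balanced, so a UDP packet to the virtual address is forwarded unchanged and reaches no real host unless another translation applies.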
Changing the Timeout of Translation Items and Limiting the Number of Links
By default, dynamic address translation entries expire after an idle period. If needed, the default timeout can be changed. When overloading is not configured, a simple translation entry expires after one hour. To change this value, execute the following command in global configuration mode:
| Command | Function |
| --- | --- |
| ip nat translation timeout seconds | Change the timeout value for dynamic address translation without overloading |
If overloading is configured, the timeout of translation entries can be controlled more finely because each entry contains more information. In global configuration mode, execute one or more of the following commands to change the timeouts of extended entries:
| Command | Function |
| --- | --- |
| ip nat translation udp-timeout seconds | Change the UDP timeout value (default 5 minutes) |
| ip nat translation dns-timeout seconds | Change the DNS timeout value (default 1 minute) |
| ip nat translation tcp-timeout seconds | Change the TCP timeout value (default 1 hour) |
| ip nat translation icmp-timeout seconds | Set the ICMP timeout value for NAT (default 60 seconds) |
| ip nat translation syn-timeout seconds | Set the NAT timeout for TCP connections in the SYN state (default 60 seconds) |
| ip nat translation finrst-timeout seconds | Change the timeout after a TCP FIN or RST (default 1 minute) |
There are three ways to limit the number of links. In global configuration mode, execute the following commands:
| Command | Function |
| --- | --- |
| ip nat translation max-entries numbers | Set the maximum number of NAT translation entries (default 4000) |
| ip nat translation max-links A.B.C.D numbers | Limit the maximum number of NAT link entries that the specified inside IP address can establish; no default value |
| ip nat translation max-links all numbers | Limit the maximum number of NAT link entries that any single inside IP address can establish; the default is equal to max-entries |
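To show how the timeouts and limits in the three tables above interact, here is a small Python model added as an illustration; it is not code from this document or from a router. It ages a constructed translation table with the default per-type timeouts listed above and applies the `max-entries`, `max-links A.B.C.D` and `max-links all` admission rules as this section states them (4000 entries by default, no per-host default, and `all` defaulting to `max-entries`). The function names, the entry format and the sample table are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Default timeouts in seconds, as listed in the tables above.
DEFAULT_TIMEOUTS = {
    "simple": 3600,   # ip nat translation timeout (non-overload entries)
    "udp": 300,       # udp-timeout
    "dns": 60,        # dns-timeout
    "tcp": 3600,      # tcp-timeout
    "icmp": 60,       # icmp-timeout
    "syn": 60,        # syn-timeout (TCP connection still in SYN state)
    "finrst": 60,     # finrst-timeout (TCP FIN or RST seen)
}

@dataclass
class Entry:
    kind: str          # key into DEFAULT_TIMEOUTS
    inside_local: str  # inside host the entry belongs to
    last_used: float   # time in seconds when the entry last matched a packet

def expire(entries, now, timeouts=DEFAULT_TIMEOUTS):
    """Return the entries still alive at time 'now': an entry is removed once it has
    been idle for at least its timeout, which the router does automatically."""
    return [e for e in entries if now - e.last_used < timeouts[e.kind]]

def can_add_link(entries, inside_local, max_entries=4000, max_links=None, max_links_all=None):
    """Admission check for a new entry belonging to 'inside_local', modelled on
    'max-entries' (table-wide cap), 'max-links A.B.C.D' (per-host cap, a dict here)
    and 'max-links all' (cap for every host, default equal to max-entries)."""
    if len(entries) >= max_entries:
        return False
    per_host = (max_links or {}).get(inside_local)
    if per_host is None:
        per_host = max_links_all if max_links_all is not None else max_entries
    own = sum(1 for e in entries if e.inside_local == inside_local)
    return own < per_host

def demo():
    # Constructed table: every entry last used at t=0.
    table = [
        Entry("tcp", "192.168.1.10", 0),
        Entry("udp", "192.168.1.10", 0),
        Entry("dns", "192.168.1.11", 0),
        Entry("syn", "192.168.1.11", 0),
        Entry("simple", "192.168.1.12", 0),
    ]
    after_2min = [e.kind for e in expire(table, 120)]      # dns and syn entries are gone
    after_50min = [e.kind for e in expire(table, 3000)]    # udp is gone too; tcp and simple remain
    host10_blocked = can_add_link(table, "192.168.1.10", max_links={"192.168.1.10": 2})
    host11_allowed = can_add_link(table, "192.168.1.11", max_links={"192.168.1.10": 2})
    table_full = can_add_link(table, "192.168.1.13", max_entries=5)
    all_capped = can_add_link(table, "192.168.1.12", max_links_all=1)
    newcomer_ok = can_add_link(table, "192.168.1.13", max_links_all=1)
    return after_2min, after_50min, host10_blocked, host11_allowed, table_full, all_capped, newcomer_ok

if __name__ == "__main__":
    print(demo())
```

The per-host limits matter operationally: a single inside host that opens connections faster than its entries age out can otherwise fill the whole table up to `max-entries` and starve every other host, so `max-links` bounds the damage one misbehaving or compromised host can do to the translation table.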
Monitoring and Maintaining NAT
By default, dynamic address translations expire after the timeout specified in the NAT translation table. To clear entries before they expire, execute the following commands in management mode:
| Command | Function |
| --- | --- |
| clear ip nat translation * | Clear all dynamic address translation entries from the NAT translation table |
| clear ip nat translation inside local-ip global-ip [outside local-ip global-ip] | Clear a simple dynamic translation entry containing an inside translation, or one containing both an inside and an outside translation |
| clear ip nat translation outside local-ip global-ip | Clear a simple dynamic translation entry containing an outside translation |
| clear ip nat translation inside local-ip local-port global-ip global-port [outside local-ip local-port global-ip global-port] | Clear an extended dynamic translation entry |
In management mode, execute either of the following commands to display translation information:
| Command | Function |
| --- | --- |
| show ip nat translations [verbose] | Display the active translation entries |
| show ip nat statistics | Display translation statistics |
Demonstration of NAT Configuration
The following examples demonstrate NAT configuration.
Demonstration of Dynamic Inside Source Address Translation
The following example translates all source addresses that match access list a1 into an address from the pool net-208. The pool contains addresses 171.69.233.208 through 171.69.233.233.
! pool of inside global addresses, allocated on demand
ip nat pool net-208 171.69.233.208 171.69.233.233 255.255.255.240
! translate sources permitted by access list a1 into addresses from net-208
ip nat inside source list a1 pool net-208
!
interface serial1/0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
! only these inside addresses are translated (implicit deny all follows)
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0
!
Demonstration of Inside Global Address Overloading
The following example sets up an address pool named net-208 containing addresses 171.69.233.208 through 171.69.233.233. The access list permits packets with source addresses from 192.168.1.0 to 192.168.1.255. If no translation entry exists, a packet matching the access list is translated into an address from the pool. The router allows multiple local addresses (192.168.1.0 through 192.168.1.255) to use the same global address, using port numbers to distinguish the connections.
! pool of inside global addresses shared by all inside hosts
ip nat pool net-208 171.69.233.208 171.69.233.233 255.255.255.240
! 'overload' lets many inside hosts share one global address, keyed by port
ip nat inside source list a1 pool net-208 overload
!
interface serial1/0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0
!
Demonstration of Translating Overlapping Address
! inside global addresses for outbound traffic
ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
! outside local addresses that stand in for overlapping outside hosts
ip nat pool net-10 10.0.1.0 10.0.1.255 255.255.255.0
ip nat inside source list a1 pool net-208
ip nat outside source list a1 pool net-10
!
interface serial1/0
 ip address 171.69.232.192 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0
!
Demonstration of TCP Load Distribution
The following example defines a virtual address; connections to that address are distributed among a group of real hosts. The pool defines the addresses of the real hosts, and the access list defines the virtual address. TCP packets arriving on serial port 1/0 (the outside interface) whose destination address matches the access list are translated into an address from the pool.
! rotary pool of real hosts behind the virtual address
ip nat pool real-hosts 192.168.15.2 192.168.15.15 255.255.255.240
! new TCP connections to the virtual host are spread over the pool
ip nat inside destination list a2 pool real-hosts
!
interface serial1/0
 ip address 192.168.15.129 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.15.17 255.255.255.240
 ip nat inside
!
! the virtual host address
ip access-list standard a2
 permit 192.168.15.1 255.255.255.0
!