Configuring NAT: Contents

NAT Applications

Advantages of NAT

NAT Terminology

NAT Configuration Task List

Translating Inside Source Addresses

Overloading Inside Global Addresses

Translating Overlapping Addresses

Providing TCP Load Distribution

Changing Translation Timeouts and Limiting the Number of Connections

Monitoring and Maintaining NAT

NAT Configuration Examples

Example: Dynamic Inside Source Address Translation

Example: Inside Global Address Overloading

Example: Translating Overlapping Addresses

Example: TCP Load Distribution

Two key problems facing the Internet are the depletion of IP address space and the scaling of routing. Network Address Translation (NAT) is a feature that allows an IP network to appear to be using one address space while actually using another. By translating those addresses into globally routable address space, NAT allows an organization whose addresses are not globally routable to connect to the Internet. NAT also allows a more graceful renumbering strategy for an organization that changes service providers or voluntarily renumbers into CIDR blocks. NAT is described in RFC 1631.

NAT Applications

NAT has several applications. Use it for the following purposes:

You want to connect to the Internet, but not all of your hosts have globally unique IP addresses. NAT enables private IP internetworks that use unregistered IP addresses to connect to the Internet. NAT is configured on the router at the border between a stub domain (the inside network, which has a single connection to the outside) and a public network such as the Internet. Before packets are forwarded to the outside network, NAT translates the inside local addresses into globally unique IP addresses.

You must change your inside addresses. Instead of changing them, which can be a considerable amount of work, you can translate them with NAT.

You want to do basic load sharing of TCP traffic. You can map a single global IP address to many local IP addresses by using the TCP load distribution feature.

As a solution to the connectivity problem, NAT is practical only when relatively few hosts in the stub domain communicate outside the domain at the same time. In that case, only a small subset of the IP addresses in the domain must be translated into globally unique IP addresses when outside communication is necessary, and those addresses can be reused once they are idle.

 

Advantages of NAT

A significant advantage of NAT is that it can be configured without requiring changes to hosts or to routers other than the few routers on which NAT is configured. As noted above, NAT is not practical if large numbers of hosts in the stub domain communicate outside the domain at the same time. Furthermore, some applications embed IP addresses in their payloads in ways that a NAT device cannot translate; such applications may not work transparently, or at all, through a NAT device. NAT also hides the identity of inside hosts, which can be an advantage or a disadvantage. Note that this hiding is a side effect of translation, not access control: a host with a static translation is reachable from the outside at its inside global address at all times, and a simple dynamic entry, while it exists, forwards any outside packet addressed to its inside global address.

A router configured with NAT has at least one inside interface and one outside interface. In a typical environment, NAT is configured on the exit router between a stub domain and the backbone. When a packet leaves the domain, NAT translates the locally significant source address into a globally unique address. When a packet enters the domain, NAT translates the globally unique destination address into a local address. If more than one exit point exists, each NAT router must have the same translation table. If the software cannot allocate an address because the pool has run out, it drops the packet and sends an ICMP Host Unreachable message.

A router configured with NAT must not advertise the local networks to the outside. Routing information that NAT receives from the outside, however, can be advertised in the stub domain as usual.

NAT Terminology

As mentioned above, "inside" refers to the networks owned by an organization whose addresses must be translated. Inside this domain, hosts have addresses in one address space; while NAT is configured, they appear to the outside as having addresses in another address space. The first address space is referred to as the local address space and the second as the global address space.

Similarly, "outside" refers to the networks to which the stub network connects, which are generally not under the organization's control. As described later, the addresses of hosts on the outside network can also be translated, so an outside host can likewise have a local address and a global address.

In summary, NAT uses the following definitions:

Inside local address: the IP address assigned to a host on the inside network. The address is probably not a legitimate IP address assigned by the Network Information Center (NIC) or a service provider.

Inside global address: a legitimate IP address (assigned by the NIC or a service provider) that represents one or more inside local IP addresses to the outside world.

Outside local address: the IP address of an outside host as it appears to the inside network. It is not necessarily a legitimate address; it is allocated from address space that is routable on the inside.

Outside global address: the IP address assigned to a host on the outside network by the host's owner. The address is allocated from globally routable address or network space.

 

NAT Configuration Task List

Before configuring any NAT translation, you must know the range of inside local addresses and inside global addresses. The following sections describe how to perform these optional tasks:

Translating Inside Source Addresses

Overloading Inside Global Addresses

Translating Overlapping Addresses

Providing TCP Load Distribution

Changing Translation Timeouts and Limiting the Number of Connections

Monitoring and Maintaining NAT

Translating Inside Source Addresses

This feature translates your own IP addresses into globally unique IP addresses when your network communicates with the outside. Static or dynamic inside source translation can be configured as follows:

Static translation establishes a one-to-one mapping between an inside local address and an inside global address. Static translation is useful when an inside host must be reachable from the outside at a fixed address.

Dynamic translation establishes a mapping between an inside local address and a pool of global addresses.

Chart 5 shows a router translating a source address inside a network into a source address outside the network.

Chart 5 NAT translation of inside source addresses

 

The following process describes inside source address translation, as shown in Chart 5:

1. The user at host 1.1.1.1 opens a connection to host B.

2. The router receives the first packet from host 1.1.1.1 and checks its NAT table.

If a static translation entry has been configured, the router goes to step 3.

If no translation entry exists, the router determines that source address (SA) 1.1.1.1 must be translated dynamically, selects a legal global address from the dynamic address pool, and creates a translation entry. This type of entry is called a simple entry.

3. The router replaces the inside local source address of host 1.1.1.1 with the global address from the translation entry and forwards the packet.

4. Host B receives the packet and responds to host 1.1.1.1 by using the inside global IP destination address (DA) 2.2.2.2.

5. When the router receives the packet with the inside global IP address, it performs a NAT table lookup using the inside global address as the key, translates the address to the inside local address of host 1.1.1.1, and forwards the packet to host 1.1.1.1.

6. Host 1.1.1.1 receives the packet and continues the conversation. The router performs steps 2 through 5 for each packet.

Configuring Static Translation

To configure static inside source address translation, use the following commands in global configuration mode:

1. ip nat inside source static local-ip global-ip
   Establishes a static translation between an inside local address and an inside global address.

2. interface type number
   Specifies the inside interface.

3. ip nat inside
   Marks the interface as connected to the inside network.

4. interface type number
   Specifies the outside interface.

5. ip nat outside
   Marks the interface as connected to the outside network.

The preceding steps are the minimum configuration. You can configure multiple inside and outside interfaces.

Configuring Dynamic Translation

To configure dynamic inside source address translation, use the following commands in global configuration mode:

1. ip nat pool name start-ip end-ip netmask
   Defines a pool of global addresses to be allocated as needed.

2. ip access-list standard access-list-name
   permit source [source-mask]
   Defines a standard access list permitting the addresses that are to be translated.

3. ip nat inside source list access-list-name pool name
   Establishes dynamic source translation, specifying the access list defined in the previous step.

4. interface type number
   Specifies the inside interface.

5. ip nat inside
   Marks the interface as connected to the inside network.

6. interface type number
   Specifies the outside interface.

7. ip nat outside
   Marks the interface as connected to the outside network.

Note: The access list must permit only those addresses that are to be translated. (Remember that there is an implicit "deny all" at the end of each access list.) An access list that is too permissive leads to unpredictable results: traffic you never intended to translate is translated, and it consumes addresses from the pool.

For an example of dynamic inside source address translation, see "Example: Dynamic Inside Source Address Translation" later in this document.

Overloading Inside Global Addresses

The router can allow multiple local addresses to use one global address, which conserves addresses in the inside global address pool. When overloading is configured, the router keeps enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, the TCP or UDP port numbers of each inside host are used to distinguish between the local addresses.

Chart 6 illustrates NAT operation when one inside global address represents multiple inside local addresses. The TCP port numbers act as the differentiator.

Chart 6 NAT operation when an inside global address is overloaded

The router performs the following process when overloading inside global addresses, as shown in Chart 6. Both host B and host C believe they are communicating with a single host at address 2.2.2.2. They are actually communicating with different hosts; the port number is the differentiator. In fact, many inside hosts can share one inside global IP address by using many different port numbers.

1. The user at host 1.1.1.1 opens a connection to host B.

2. The router receives the first packet from host 1.1.1.1 and checks its NAT table.

If no translation entry exists, the router determines that address 1.1.1.1 must be translated and sets up a translation of inside local address 1.1.1.1 to a legal global address. If overloading is enabled and another translation is already active, the router reuses the global address from that translation and saves enough information (protocol and port numbers) to be able to translate back. This type of entry is called an extended entry.

3. The router replaces inside local source address 1.1.1.1 with the selected global address and forwards the packet.

4. Host B receives the packet and responds to host 1.1.1.1 by using the inside global IP address.

5. When the router receives the packet with the inside global IP address, it performs a NAT table lookup using the protocol, the inside global address and port, and the outside address and port as the key. It then translates the address to inside local address 1.1.1.1 and forwards the packet to host 1.1.1.1.

6. Host 1.1.1.1 receives the packet and continues the conversation. The router performs steps 2 through 5 for each packet.
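The two procedures above (simple entries in "Translating Inside Source Addresses" and extended entries here) can be modelled in a few dozen lines. The following Python is an added illustration, not router code or anything from the page's vendor: it uses the addresses of Chart 5 and Chart 6 (inside host 1.1.1.1, inside global 2.2.2.2), host B at 9.6.7.3 from Chart 8, and constructed port numbers and a second inside host. It shows pool exhaustion (the ICMP Host Unreachable case), a static entry surviving exhaustion, port re-mapping when two inside hosts pick the same source port, and an unsolicited outside packet finding no entry.

```python
"""Model of simple (static/dynamic pool) and extended (overloaded) NAT entries.
Added illustration only; addresses follow Charts 5/6, ports are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PoolExhausted(Exception):
    """No free inside global address: the router drops the packet and sends
    ICMP Host Unreachable to the inside host."""


ExtKey = Tuple[str, str, int, str, int]   # (proto, addr, port, outside addr, outside port)


class NatRouter:
    def __init__(self, pool: List[str], overload: bool = False,
                 static: Optional[Dict[str, str]] = None) -> None:
        self.free = list(pool)                 # inside global addresses not yet allocated
        self.overload = overload
        # Simple entries, inside local <-> inside global; static ones are pre-loaded.
        self.simple: Dict[str, str] = dict(static or {})
        self.simple_rev: Dict[str, str] = {g: l for l, g in self.simple.items()}
        # Extended entries, keyed as in step 5 of the overload procedure:
        # (proto, inside global, global port, outside addr, outside port) -> (inside local, port)
        self.extended: Dict[ExtKey, Tuple[str, int]] = {}
        self.ext_by_local: Dict[ExtKey, Tuple[str, int]] = {}
        self.next_port = 1024

    def _simple_global(self, local: str) -> str:
        """Static entry if configured; otherwise allocate one pool address per host."""
        if local not in self.simple:
            if not self.free:
                raise PoolExhausted(local)
            g = self.free.pop(0)
            self.simple[local] = g
            self.simple_rev[g] = local
        return self.simple[local]

    def _extended_global(self, pkt: Packet) -> Tuple[str, int]:
        """Overload: every inside host shares the first pool address; the source
        port is kept when free and re-mapped when another host already uses it."""
        g = self.free[0]
        local_key: ExtKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if local_key not in self.ext_by_local:
            gport = pkt.sport
            while (pkt.proto, g, gport, pkt.dst, pkt.dport) in self.extended:
                gport, self.next_port = self.next_port, self.next_port + 1
            self.extended[(pkt.proto, g, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.ext_by_local[local_key] = (g, gport)
        return self.ext_by_local[local_key]

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside (steps 2-3): rewrite the source, and under overload the port."""
        if self.overload:
            g, gport = self._extended_global(pkt)
            return replace(pkt, src=g, sport=gport)
        return replace(pkt, src=self._simple_global(pkt.src))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside (step 5): look the entry up and rewrite the destination.
        None means no entry matched, so the packet is dropped instead of forwarded."""
        if self.overload:
            hit = self.extended.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            if hit is None:
                return None
            local, lport = hit
            return replace(pkt, dst=local, dport=lport)
        local = self.simple_rev.get(pkt.dst)
        return None if local is None else replace(pkt, dst=local)


def demo() -> dict:
    """Constructed walk-through of both procedures."""
    host_b = "9.6.7.3"
    simple = NatRouter(pool=["2.2.2.2"], static={"1.1.1.9": "2.2.2.9"})
    out = simple.outbound(Packet("tcp", "1.1.1.1", 40000, host_b, 80))
    back = simple.inbound(Packet("tcp", host_b, 80, out.src, out.sport))
    try:                                      # the one-address pool is now empty
        simple.outbound(Packet("tcp", "1.1.1.2", 40000, host_b, 80))
        exhausted = False
    except PoolExhausted:
        exhausted = True
    static_out = simple.outbound(Packet("tcp", "1.1.1.9", 40000, host_b, 80))

    pat = NatRouter(pool=["2.2.2.2"], overload=True)
    a = pat.outbound(Packet("tcp", "1.1.1.1", 40000, host_b, 80))
    b = pat.outbound(Packet("tcp", "1.1.1.2", 40000, host_b, 80))   # same port: re-mapped
    b_reply = pat.inbound(Packet("tcp", host_b, 80, "2.2.2.2", b.sport))
    stray = pat.inbound(Packet("tcp", host_b, 80, "2.2.2.2", 5555))   # no entry: dropped
    return {"simple_out": out.src, "simple_back": back.dst, "exhausted": exhausted,
            "static_out": static_out.src, "pat_ports": (a.sport, b.sport),
            "pat_b_local": b_reply.dst, "stray_dropped": stray is None}
```

The model keeps the simplification that an overloaded pool uses only its first address; the point it makes is that an extended entry is a five-tuple, so a reply is delivered to an inside host only if the protocol, both addresses and both ports match, whereas a simple entry matches on the inside global address alone.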

To configure overloading of inside global addresses, use the following commands in global configuration mode:

1. ip nat pool name start-ip end-ip netmask
   Defines a pool of global addresses to be allocated as needed.

2. ip access-list standard access-list-name
   permit source [source-mask]
   Defines a standard access list permitting the addresses that are to be translated.

3. ip nat inside source list access-list-name pool name overload
   Establishes dynamic source translation with overloading, specifying the access list defined in the previous step.

4. interface type number
   Specifies the inside interface.

5. ip nat inside
   Marks the interface as connected to the inside network.

6. interface type number
   Specifies the outside interface.

7. ip nat outside
   Marks the interface as connected to the outside network.

Note: The access list must permit only those addresses that are to be translated. (Remember that there is an implicit "deny all" at the end of each access list.) An access list that is too permissive leads to unpredictable results.

For an example of inside global address overloading, see "Example: Inside Global Address Overloading" later in this document.

Translating Overlapping Addresses

Address overlap occurs when an inside local address is the same as an address legitimately used by an outside host that the inside host wants to reach, for example because the inside network was numbered with addresses that are registered to another organization.

Chart 7 shows how NAT translates overlapping networks.

Chart 7 NAT translation of overlapping addresses

When translating overlapping addresses, the router performs the following steps:

1. The user at host 1.1.1.1 opens a connection to host C by name, and the host sends a name lookup request to the DNS server.

2. The DNS server replies with the address of host C, 1.1.1.1. The router intercepts the DNS reply and replaces the address returned by the DNS server with an address chosen from the outside local address pool; here, 3.3.3.3 replaces 1.1.1.1.

3. The router creates the corresponding entries in its translation table: inside local address to inside global address, and outside global address to outside local address.

4. Host 1.1.1.1 sends packets to host C with outside local address 3.3.3.3 as the destination IP address.

5. When the router receives a packet whose destination is the outside local address, it replaces the source address with the inside global address and the destination address with the outside global address.

6. Host C receives the packets and continues the conversation.
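The following Python is an added illustration of the six steps above, not router code: it rewrites the DNS answer, allocates an outside local address for the overlapping outside host, and then rewrites both addresses of the data packets in each direction. It uses Chart 7's addresses (inside host 1.1.1.1, host C also at 1.1.1.1, inside global 2.2.2.2, outside local 3.3.3.3) plus a constructed host name and a constructed non-overlapping outside host.

```python
"""Model of overlapping-address translation: DNS answer rewrite plus
two-sided address rewrite.  Added illustration only; addresses follow Chart 7."""
from typing import Dict, List, Optional, Tuple


class OverlapNat:
    def __init__(self, inside_global_pool: List[str], outside_local_pool: List[str]) -> None:
        self.ig_free = list(inside_global_pool)    # like pool net-208 in the example
        self.ol_free = list(outside_local_pool)    # like pool net-10 in the example
        self.inside: Dict[str, str] = {}           # inside local  -> inside global
        self.inside_rev: Dict[str, str] = {}       # inside global -> inside local
        self.outside: Dict[str, str] = {}          # outside local  -> outside global
        self.outside_rev: Dict[str, str] = {}      # outside global -> outside local

    def dns_answer(self, name: str, resolved: str) -> str:
        """Step 2: the A record for `name` came back as `resolved`; hand the inside
        host an outside local address instead, creating the outside mapping on
        first use and reusing it afterwards."""
        if resolved not in self.outside_rev:
            ol = self.ol_free.pop(0)
            self.outside[ol] = resolved
            self.outside_rev[resolved] = ol
        return self.outside_rev[resolved]

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Step 5: a packet from an inside host to an outside local address leaves
        as (inside global, outside global).  None means dst has no overlap mapping,
        so ordinary inside-source translation applies to it instead."""
        if dst not in self.outside:
            return None
        if src not in self.inside:
            self.inside[src] = self.ig_free.pop(0)
            self.inside_rev[self.inside[src]] = src
        return self.inside[src], self.outside[dst]

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Reply from host C: (outside global, inside global) becomes
        (outside local, inside local) before the packet is forwarded inside."""
        if src not in self.outside_rev or dst not in self.inside_rev:
            return None
        return self.outside_rev[src], self.inside_rev[dst]


def demo() -> dict:
    nat = OverlapNat(inside_global_pool=["2.2.2.2"], outside_local_pool=["3.3.3.3", "3.3.3.4"])
    seen_by_host = nat.dns_answer("hostc.example", "1.1.1.1")   # host C overlaps host 1.1.1.1
    same_again = nat.dns_answer("hostc.example", "1.1.1.1")     # mapping is stable
    on_the_wire = nat.outbound("1.1.1.1", seen_by_host)         # src/dst as host C sees them
    reply = nat.inbound("1.1.1.1", "2.2.2.2")                   # src/dst as host 1.1.1.1 sees them
    untranslated = nat.outbound("1.1.1.1", "9.6.7.3")           # not an overlapping host
    return {"seen_by_host": seen_by_host, "same_again": same_again,
            "on_the_wire": on_the_wire, "reply": reply, "untranslated": untranslated}
```

Step 2 only works for DNS replies that cross the router in the clear. A host that already has host C's real address cached, resolves it through another path, or uses an encrypted resolver addresses its packets to 1.1.1.1, which is the local host, and they never leave the inside network.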

Configuring Static Translation

To configure static outside source address translation, use the following commands in global configuration mode:

1. ip nat outside source static global-ip local-ip
   Establishes a static translation between an outside global address and an outside local address.

2. interface type number
   Specifies the inside interface.

3. ip nat inside
   Marks the interface as connected to the inside network.

4. interface type number
   Specifies the outside interface.

5. ip nat outside
   Marks the interface as connected to the outside network.

 

Configuring Dynamic Translation

To configure dynamic outside source address translation, use the following commands in global configuration mode:

1. ip nat pool name start-ip end-ip netmask
   Defines a pool of local addresses to be allocated as needed.

2. ip access-list standard access-list-name
   permit source [source-mask]
   Defines a standard access list permitting the outside addresses that are to be translated.

3. ip nat outside source list access-list-name pool name
   Establishes dynamic outside source translation, specifying the access list defined in the previous step.

4. interface type number
   Specifies the inside interface.

5. ip nat inside
   Marks the interface as connected to the inside network.

6. interface type number
   Specifies the outside interface.

7. ip nat outside
   Marks the interface as connected to the outside network.

Note: The access list must permit only those addresses that are to be translated. (Remember that there is an implicit "deny all" at the end of each access list.) An access list that is too permissive leads to unpredictable results.

For an example of translating overlapping addresses, see "Example: Translating Overlapping Addresses" later in this document.

Providing TCP Load Distribution

Another use of NAT is unrelated to Internet addresses. Your organization may have multiple hosts that must communicate with a heavily used host. Using NAT, you can establish a virtual host on the inside network that coordinates load sharing among the real hosts. Destination addresses that match an access list are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis, and only when a new connection is opened from the outside to the inside. Non-TCP traffic is passed untranslated (unless another translation applies to it). Chart 8 illustrates this feature.

Chart 8 NAT TCP load distribution

When translating rotary addresses, the router performs the following steps:

1. The user at host B (9.6.7.3) opens a connection to the virtual host at 1.1.1.127.

2. The router receives the connection request and creates a new translation entry, allocating the next real host (1.1.1.1) as the inside local IP address.

3. The router replaces the destination address with the selected real host address and forwards the packet.

4. Host 1.1.1.1 receives the packet and responds.

5. The router receives the packet and performs a NAT table lookup using the inside local address and port number and the outside address and port number as the key. It then translates the source address to the virtual host address and forwards the packet.

The next connection request causes the router to allocate 1.1.1.2 as the inside local address. To configure destination translation, use the following commands in global configuration mode. These commands allow the address of one virtual host to be mapped to the addresses of several real hosts; each new TCP session opened with the virtual host is translated into a session with a different real host.

1. ip nat pool name start-ip end-ip netmask
   Defines a pool of addresses containing the real hosts.

2. ip access-list standard access-list-name
   permit source [source-mask]
   Defines an access list containing the address of the virtual host.

3. ip nat inside destination list access-list-name pool name
   Establishes dynamic inside destination translation, specifying the access list defined in the previous step.

4. interface type number
   Specifies the inside interface.

5. ip nat inside
   Marks the interface as connected to the inside network.

6. interface type number
   Specifies the outside interface.

7. ip nat outside
   Marks the interface as connected to the outside network.

Note: The access list must permit only those addresses that are to be translated. (Remember that there is an implicit "deny all" at the end of each access list.) An access list that is too permissive leads to unpredictable results.

For an example of rotary translation, see "Example: TCP Load Distribution" later in this document.
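The rotary destination translation described in this section, as an added Python illustration that is not router code: new TCP connections to the virtual host are handed to the real hosts in a cycle, an established connection stays on the real host it was given, non-TCP traffic and other destinations pass untouched, and replies have their source put back to the virtual address only when they belong to a distributed connection. Addresses follow Chart 8 (virtual host 1.1.1.127, real hosts 1.1.1.1, 1.1.1.2, ..., host B 9.6.7.3); port numbers are constructed.

```python
"""Model of NAT TCP load distribution (rotary destination translation).
Added illustration only; addresses follow Chart 8, ports are constructed."""
from itertools import cycle
from typing import Dict, List, Tuple


class TcpLoadDistributor:
    def __init__(self, virtual: str, real_hosts: List[str]) -> None:
        self.virtual = virtual
        self.rotor = cycle(real_hosts)   # real host addresses are handed out in a cycle
        # One entry per TCP connection: (outside addr, outside port, virtual port) -> real host
        self.entries: Dict[Tuple[str, int, int], str] = {}

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Outside -> inside.  Returns the address to forward to: the real host chosen
        for this connection, or the original destination when nothing applies.
        A new entry is created only for a new TCP connection (step 2)."""
        if proto != "tcp" or dst != self.virtual:
            return dst                    # non-TCP traffic and other destinations pass untouched
        key = (src, sport, dport)
        if key not in self.entries:
            self.entries[key] = next(self.rotor)
        return self.entries[key]

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Inside -> outside reply (step 5): the real host's source address is put
        back to the virtual address only for a connection that was distributed."""
        if proto == "tcp" and self.entries.get((dst, dport, sport)) == src:
            return self.virtual
        return src


def demo() -> Tuple[str, ...]:
    lb = TcpLoadDistributor("1.1.1.127", ["1.1.1.1", "1.1.1.2", "1.1.1.3"])
    first = lb.inbound("tcp", "9.6.7.3", 50000, "1.1.1.127", 80)    # new connection -> 1.1.1.1
    second = lb.inbound("tcp", "9.6.7.3", 50001, "1.1.1.127", 80)   # next connection -> 1.1.1.2
    again = lb.inbound("tcp", "9.6.7.3", 50000, "1.1.1.127", 80)    # same connection stays put
    udp = lb.inbound("udp", "9.6.7.3", 50002, "1.1.1.127", 53)      # not TCP: not translated
    reply = lb.outbound("tcp", "1.1.1.2", 80, "9.6.7.3", 50001)     # source becomes the virtual host
    direct = lb.outbound("tcp", "1.1.1.2", 80, "9.6.7.3", 60000)    # never distributed: unchanged
    return first, second, again, udp, reply, direct
```

Two things the model makes visible that the procedure leaves implicit: the rotation is blind, so a real host that is down still receives every Nth new connection until you remove it from the pool, and the virtual address must not belong to any real host, because every TCP packet sent to it is rewritten.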

 

Changing Translation Timeouts and Limiting the Number of Connections

By default, dynamic address translation entries time out after a period of non-use. You can change the default timeout if needed. When overloading is not configured, simple translation entries time out after 1 hour. To change this value, use the following command in global configuration mode:

ip nat translation timeout seconds
   Changes the timeout value for dynamic address translations that do not use overloading.

If you have configured overloading, you have finer control over translation entry timeouts, because each extended entry carries more context about the traffic using it. To change the timeouts on extended entries, use one or more of the following commands in global configuration mode:

ip nat translation udp-timeout seconds
   Changes the UDP timeout value (default 5 minutes).

ip nat translation dns-timeout seconds
   Changes the DNS timeout value (default 1 minute).

ip nat translation tcp-timeout seconds
   Changes the TCP timeout value (default 1 hour).

ip nat translation icmp-timeout seconds
   Sets the ICMP timeout value (default 60 seconds).

ip nat translation syn-timeout seconds
   Sets the timeout for entries in the TCP SYN state (default 60 seconds).

ip nat translation finrst-timeout seconds
   Changes the timeout value for entries after a TCP FIN or RST (default 1 minute).

There are three ways to limit the number of connections. Use the following commands in global configuration mode:

ip nat translation max-entries number
   Sets the maximum number of NAT translation entries (default 4000).

ip nat translation max-links A.B.C.D number
   Limits the number of NAT connection entries that the specified inside IP address can create. No default.

ip nat translation max-links all number
   Limits the number of NAT connection entries that any single inside IP address can create. The default is equal to max-entries.

The translation table is shared by every inside host, so a per-address limit keeps one misbehaving host (for example, a host scanning the outside) from filling the table and denying translations to all the others.
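The following Python is an added illustration of the ageing and limiting rules above, not router code: entries expire after the idle timeout of their state, max-entries caps the whole table, and max-links caps what one inside address may hold. The timeout defaults are the ones listed above; the inside hosts, the outside host 203.0.113.5 and the traffic are constructed. It shows a half-open scan from one inside host being capped while another host's established connection is unaffected, and the SYN entries ageing out long before the established one.

```python
"""Model of NAT entry timeouts and max-entries / max-links limits.
Added illustration only; defaults follow the page, traffic is constructed."""
from collections import Counter
from typing import Dict, Optional, Tuple

# Default idle timeouts in seconds, as listed in the tables above.
DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 300, "dns": 60, "icmp": 60, "syn": 60, "finrst": 60}

Key = Tuple[str, str, int, str, int]    # (proto, inside addr, port, outside addr, port)


class NatTableAging:
    def __init__(self, max_entries: int = 4000, max_links_all: Optional[int] = None,
                 max_links: Optional[Dict[str, int]] = None,
                 timeouts: Optional[Dict[str, int]] = None) -> None:
        self.max_entries = max_entries
        # "max-links all" defaults to max-entries; per-address values override it.
        self.max_links_all = max_entries if max_links_all is None else max_links_all
        self.max_links = dict(max_links or {})
        self.timeouts = dict(DEFAULT_TIMEOUTS, **(timeouts or {}))
        self.entries: Dict[Key, Tuple[str, str, float]] = {}   # key -> (inside addr, state, last seen)
        self.links: Counter = Counter()                         # entries held per inside addr

    def add(self, key: Key, state: str, now: float) -> bool:
        """Create (or refresh) an entry.  False means the router refused it because
        a limit was reached, so the packet is not translated."""
        self.expire(now)
        inside = key[1]
        if key in self.entries:
            self.entries[key] = (inside, state, now)
            return True
        if len(self.entries) >= self.max_entries:
            return False
        if self.links[inside] >= self.max_links.get(inside, self.max_links_all):
            return False
        self.entries[key] = (inside, state, now)
        self.links[inside] += 1
        return True

    def expire(self, now: float) -> int:
        """Remove entries idle for at least their state's timeout; return how many."""
        dead = [k for k, (_, state, seen) in self.entries.items()
                if now - seen >= self.timeouts[state]]
        for k in dead:
            self.links[self.entries.pop(k)[0]] -= 1
        return len(dead)


def demo() -> dict:
    t = NatTableAging(max_links={"192.168.1.10": 3})
    # A host opening many half-open (SYN) connections, e.g. a port scan, is capped
    # at 3 entries instead of filling the table for everyone.
    scanner = [t.add(("tcp", "192.168.1.10", 40000 + i, "203.0.113.5", 80), "syn", 0.0)
               for i in range(5)]
    other = t.add(("tcp", "192.168.1.20", 50000, "203.0.113.5", 443), "tcp", 0.0)
    expired_61 = t.expire(61.0)          # the 3 SYN entries (60 s) go; the TCP one (3600 s) stays
    reopened = t.add(("tcp", "192.168.1.10", 41000, "203.0.113.5", 80), "syn", 61.0)
    expired_3600 = t.expire(3600.0)      # the established entry and the re-opened SYN entry
    full = NatTableAging(max_entries=1)  # max-entries caps the table regardless of host
    first = full.add(("udp", "192.168.1.30", 1000, "203.0.113.5", 53), "dns", 0.0)
    second = full.add(("udp", "192.168.1.31", 1000, "203.0.113.5", 53), "dns", 0.0)
    return {"scanner": scanner, "other": other, "expired_61": expired_61, "reopened": reopened,
            "expired_3600": expired_3600, "left": len(t.entries), "table_full": (first, second)}
```

Note that a refused entry means the inside host's packet is not translated at all, so a limit set too low for a legitimately busy host (a proxy, a mail relay) turns into an outage for that host; size max-links from observed "show ip nat statistics" peaks rather than guessing.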


Monitoring and Maintaining NAT

By default, dynamic address translations are removed from the NAT translation table when they time out. To clear entries before they time out, use the following commands in management mode:

clear ip nat translation *
   Clears all dynamic address translation entries from the NAT translation table.

clear ip nat translation inside local-ip global-ip [outside local-ip global-ip]
   Clears a simple dynamic translation entry containing an inside translation, or both an inside and an outside translation.

clear ip nat translation outside local-ip global-ip
   Clears a simple dynamic translation entry containing an outside translation.

clear ip nat translation inside local-ip local-port global-ip global-port [outside local-ip local-port global-ip global-port]
   Clears an extended dynamic translation entry.

To display translation information, use either of the following commands in management mode:

show ip nat translations [verbose]
   Displays the active translation entries.

show ip nat statistics
   Displays translation statistics.

 

NAT Configuration Examples

The following sections give examples of NAT configuration.

 

Example: Dynamic Inside Source Address Translation

The following example translates all source addresses that match access list a1 to an address from the pool named net-208. The pool contains the addresses 171.69.233.208 through 171.69.233.223 (the /28 block described by the netmask 255.255.255.240).

ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat inside source list a1 pool net-208
!
interface serial1/0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
! only 192.168.1.0/24 is translated; everything else hits the implicit deny
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0
!

Example: Inside Global Address Overloading

The following example creates a pool named net-208 containing the addresses 171.69.233.208 through 171.69.233.223. Access list a1 permits packets with source addresses 192.168.1.0 through 192.168.1.255. If no translation exists, packets matching access list a1 are translated to an address from the pool. The router allows multiple local addresses (192.168.1.0 through 192.168.1.255) to use the same global address, keeping the port numbers to distinguish the connections.

ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat inside source list a1 pool net-208 overload
!
interface serial1/0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0

 

Example: Translating Overlapping Addresses

In the following example, the addresses of the local network are legitimately in use by someone else on the Internet, so reaching those outside hosts requires an extra translation. The pool net-10 is a pool of outside local IP addresses. The statement "ip nat outside source list a1 pool net-10" translates the addresses of hosts on the overlapping outside network to addresses from that pool.

ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat pool net-10 10.0.1.0 10.0.1.255 255.255.255.0
ip nat inside source list a1 pool net-208
ip nat outside source list a1 pool net-10
!
interface serial1/0
 ip address 171.69.232.192 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
! the same list matches both the inside hosts and the overlapping outside hosts
ip access-list standard a1
 permit 192.168.1.0 255.255.255.0
!

Example: TCP Load Distribution

The following example defines a virtual address to which connections are distributed among a set of real hosts. The pool defines the addresses of the real hosts. The access list defines the virtual address, and only that address. TCP packets arriving on serial 1/0 (the outside interface) whose destination address matches the access list are translated to an address from the pool.

ip nat pool real-hosts 192.168.15.2 192.168.15.15 255.255.255.240
ip nat inside destination list a2 pool real-hosts
!
interface serial1/0
 ip address 192.168.15.129 255.255.255.240
 ip nat outside
!
interface ethernet1/1
 ip address 192.168.15.17 255.255.255.240
 ip nat inside
!
! match only the virtual host; a wider mask would also rewrite traffic to the real hosts
ip access-list standard a2
 permit 192.168.15.1 255.255.255.255