In my next few posts, we’re going to discuss NAT and PAT. No, they’re not brother and sister, they’re not even cousins. They are Network Address Translation (NAT) and Port Address Translation (PAT).
It’s common today to use private addressing within an Autonomous System (an “AS” is a collection of routers and subnets under a common administrative domain). Per RFC 1918 (Address Allocation for Private Internets), the private networks are:
- 10.0.0.0/8 – One class “A” network
- 172.16.0.0/12 – A block of sixteen class “B” networks
- 192.168.0.0/16 – A block of 256 class “C” networks
One problem is that per RFC 1918, advertising the address spaces listed above to the public Internet is not allowed. What this means is, that if you send a packet with a “private” source address to the Internet, the destination will not be able to reply to you (because the routers on the Internet backbone won’t know where you are). The solution to this problem is NAT, specified by RFC 1631 (The Network Address Translator).
The first type of NAT we’ll discuss is referred to as “static NAT”. In this method, you build the translation table by hand. For example, let’s say that we want to translate addresses on the 10.1.2.0/24 subnet (private address space) to addresses on the 22.214.171.124/24 network (public). We could translate the first address like this:
- Router(config)#ip nat inside source static 10.1.2.1 126.96.36.199
The translation tells the router that if a packet with the specified source address (10.1.2.1) hits the inside interface and is bound for the outside interface, translate the source address statically to the second address (188.8.131.52). You can have multiple translation lines, as many as you need, so let’s add some more:
- Router(config)#ip nat inside source static 10.1.2.2 184.108.40.206
- Router(config)#ip nat inside source static 10.1.2.3 220.127.116.11
- Router(config)#ip nat inside source static 10.1.2.4 18.104.22.168
The next thing to do is to tell the router which interface (or subinterface) is the “inside” and which is the “outside”. For our example, let’s assume that the FastEthernet0/0 interface connects to our LAN, and the Serial0/0 interface leads to our Internet Service Provider (ISP):
- Router(config)#interface fa0/0
- Router(config-if)#ip nat inside
- Router(config-if)#int s0/0
- Router(config-if)#ip nat outside
Notice that although we only specified the translation of the source address as the packet transited from the inside to outside interface, the router will automatically translate the destination addresses of packets traversing the router from the outside to inside interface. You can have multiple “inside” and/or “outside” interfaces (or subinterfaces). The beauty of it is that the translation is invisible to all devices, other than the one device performing the translation.
You can view the translation table with the command show ip nat translations, and which interfaces are the “inside” and “outside” (along with other info) with show ip nat statistics.
When you display the translation table (sh ip nat trans), you’ll notice that it specifies “inside local” and “inside global” addresses. The “inside” refers to where the addressed device physically resides (inboard of the “inside” interface, that is, on our side of the router). The “local” or “global” refers to the vantage point from where the address is being viewed. That is, “local” means “as seen from the inside”, and “global” means “as seen from the outside”. In other words, the “inside local” address is our host’s untranslated (actual) address, and the “inside global” address is the translated address (as seen by those outboard of the “outside” interface).
Next time, we’ll examine a variation referred to as “dynamic NAT”.
Author: Al Friebe