
Network Address Translation (NAT)

In the document IP NETWORKS CISCOQoS (Page 60-64)

Network Address Translation (NAT) is a technology that enables administrators to hide an unregistered TCP/IP address on the internal network behind a registered external address. The same mechanism can hide many "private" addresses behind one registered public address, or many private addresses behind many public addresses.

Enabling Network Address Translation conserves the TCP/IP address pool because several internal users can share one registered TCP/IP address, thus minimizing the requirement for valid Internet addresses.

NAT also provides some additional protection for the internal network. When users send traffic out to the Internet, they are not using their actual TCP/IP addresses, so the internal addressing scheme is not exposed.

This makes malicious attacks on your internal network more difficult, which may be enough to turn the predator onto easier prey. Note that this protection is incidental rather than deliberate: an outside host cannot reach an inside host only because no translation entry exists for it, and a static mapping exposes the inside host exactly as if it were directly addressed. NAT is not a substitute for a firewall or for access lists on the border router.

Because of the explosion of TCP/IP connectivity in the last ten years, responsible administrators must conserve public TCP/IP addresses. Not only are public TCP/IP addresses in short supply, but they are also costly.

To understand Network Address Translation, it is critical to understand Request For Comments (RFC) 1918, published by the Internet Engineering Task Force (IETF), and the reasons that network engineers worldwide are implementing this standard. The standards can be researched on the IETF's Web page at www.ietf.org.

RFC 1918 addresses are reserved blocks of addresses designated as internal, or private, addresses. This means that RFC 1918 addresses should not be routed onto the Internet, and border routers should be implementing NAT to translate these private addresses into registered public addresses. Table 1.18 illustrates the different classes of RFC 1918 address blocks.

Table 1.18 RFC 1918 Reserved Private Address Blocks

Network                      Mask             Address Block
10.0.0.0                     255.0.0.0        1 Class A network (10.0.0.0/8)
172.16.0.0–172.31.0.0        255.255.0.0      16 contiguous Class B networks (172.16.0.0/12)
192.168.0.0–192.168.255.0    255.255.255.0    256 contiguous Class C networks (192.168.0.0/16)

There are four features of Cisco’s implementation of Network Address Translation:

Static Address Translation

Dynamic Source Address Translation

Port Address Translation (PAT)

Destination Address Rotary Translation

Static Address Translation is a one-to-one mapping from a private internal address to a registered public address. Static Address Translation does create administrative overhead, because each addition, deletion, or change to the NAT table must be done manually by the administrator. On the other hand, you maintain more control with Static Address Translation because of this overhead. A static entry is also permanent: the inside host is reachable from the outside at its public address at all times, so only hosts that must accept inbound connections (public servers, for example) should be mapped this way. To configure a Static Address Translation, you would use the following command.

ip nat inside source static <local-ip> <global-ip>

Here is an example.

Router1(config)#ip nat inside source static 192.168.20.1 30.20.10.1

www.syngress.com

Dynamic Source Address Translation associates an internal host automatically with a public address from a pool of addresses. This would be implemented in an environment where there is a group of public addresses to be used for Network Address Translation and numerous users may be on the Internet at any one time.

This feature is dynamic, which eases the administrative burden. Translations are created when an inside host first sends traffic and are removed when they time out, so the pool can be smaller than the number of inside hosts as long as not all of them are active at once; when the pool is exhausted, new connections are dropped until an entry expires. The command to establish a NAT pool is as follows.

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type { rotary } ]

Consider this example.

Router1(config)#ip nat pool Syngress 30.20.10.1 30.20.10.254 prefix-length 24

The pool by itself translates nothing; it must be bound to an access list that selects which inside addresses are eligible for translation, using ip nat inside source list <acl> pool <name> (the same command shown for Port Address Translation, without the overload keyword).

Port Address Translation gives the administrator the option to conserve public addresses in the address pool by enabling source ports in TCP or UDP connections to be translated. This provides the opportunity for numerous different private addresses to be associated with one public address, using the translated source port to keep each connection distinct. When a port must be changed to keep a translation unique, the new port number is assigned from the same range as the original, following Berkeley Standard Distribution (BSD) conventions (Table 1.19). The keyword overload enables UDP and TCP port translation. To configure a Port Address Translation, use the following command.

ip nat inside source list <acl> pool <name> [overload]

Here is an example.

Router1(config)#ip nat inside source list 1 pool Syngress overload

Destination Address Rotary Translation provides public address connectivity to private addresses. Once the relationship has been established, a destination address matching an access list is replaced with an inside address from a pool using a round-robin procedure. A new pool address is selected for each new TCP connection made from the outside. Traffic that is not TCP is passed untranslated.

This technique is used for TCP load distribution across a group of inside servers. It is low-level load distribution with no health checking, so if a server were to go down, the rotary translation would still send its share of inbound connections to the down server. The pool is created with the type rotary keyword and then bound to an access list that matches the advertised (virtual) destination address.

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type { rotary } ]

Here is a more concrete example.

Router1(config)#ip nat pool Syngress 30.20.10.1 30.20.10.254 prefix-length 24 type rotary

Table 1.19 Berkeley Standard Distribution

Beginning of Range    End of Range
1                     511
512                   1023
1024                  4999
5000                  65535

Table 1.20 defines what traffic is supported by Cisco’s Network Address Translation solution.

Table 1.20 Supported Traffic Types

TCP/UDP*    NetBIOS       ICMP    FTP     DNS
H.323       NetMeeting    HTTP    TFTP    Telnet
Archie      Finger        NTP     NFS     rlogin, rsh, rcp

* TCP/UDP traffic that does not carry a source/destination address in the data stream. The protocols listed by name embed addresses in their payload and are handled by protocol-specific support that rewrites the payload as well as the header; an application protocol that embeds addresses and is not listed here will not work through NAT without such support.

To enable NAT on an interface, you would use the following basic command.

ip nat { inside | outside }

Here is an example.

Router1(config-if)#ip nat inside

The above command applies NAT to the interface and designates it as an "inside" interface. The inside keyword means that this interface carries private addresses, which need to be translated to "outside" or public addresses. At least one other interface must be marked ip nat outside; the router translates only packets routed from an inside interface to an outside interface (or back), so the static, pool, and source list commands above have no effect until both roles are assigned.
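The commands above are shown one at a time. The following complete configuration, added here as an illustration and not taken from the book, ties the Static, Dynamic/Port, and Destination Rotary translation sections together on one router: the interface roles, the access lists that select inside hosts, a static mapping for a server, a PAT pool for the rest of the inside network, and a rotary pool that spreads inbound TCP connections across three inside web servers. The interface names, the 192.168.20.0/24 inside network, the access-list numbers, and the pool name WEBFARM are assumed for the example; the 30.20.10.x addresses are carried over from the book's examples, and you would substitute your own registered block.

```cisco
! Constructed example: complete IOS NAT configuration (not from the book).
! Inside network 192.168.20.0/24 (RFC 1918); outside network 30.20.10.0/24
! (carried over from the book's examples; substitute your own public block).
!
interface GigabitEthernet0/0
 description Inside: private LAN
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside: registered public addresses
 ip address 30.20.10.253 255.255.255.0
 ip nat outside
!
! 1. Static Address Translation: one inside server, permanently reachable
!    from the Internet at 30.20.10.1. Only hosts that must accept inbound
!    connections should get a static entry.
ip nat inside source static 192.168.20.1 30.20.10.1
!
! 2. Dynamic Source Address Translation with Port Address Translation (PAT).
!    Access list 1 selects which inside addresses may be translated. The
!    static server is excluded to keep the intent explicit (its static entry
!    would take precedence anyway). The pool leaves out 30.20.10.1 (static
!    entry) and 30.20.10.253 (the outside interface address).
access-list 1 deny   host 192.168.20.1
access-list 1 permit 192.168.20.0 0.0.0.255
ip nat pool Syngress 30.20.10.2 30.20.10.252 prefix-length 24
ip nat inside source list 1 pool Syngress overload
!
!    Alternative for a site with a single public address: overload the
!    outside interface address instead of a pool.
! ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! 3. Destination Address Rotary Translation: TCP connections from outside to
!    the virtual address 30.20.10.100 are spread round-robin over three inside
!    web servers. Access list 2 matches the virtual address; the rotary pool
!    holds the real inside addresses that replace it. There is no health
!    checking, so a down server still receives every third new connection.
!    The virtual address must be routed to this router from the outside.
access-list 2 permit host 30.20.10.100
ip nat pool WEBFARM 192.168.20.10 192.168.20.12 prefix-length 24 type rotary
ip nat inside destination list 2 pool WEBFARM
!
! 4. Limit how long idle entries occupy the pool (seconds). IOS defaults are
!    24 hours for TCP entries and 5 minutes for UDP entries.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
!
! Verification (exec mode):
!   show ip nat translations     translation table: inside local/global,
!                                outside local/global, protocol and ports
!   show ip nat statistics       hits, misses, pool usage, and which
!                                interfaces are marked inside/outside
!   clear ip nat translation *   flush dynamic entries after a change
!   debug ip nat                 per-packet translation trace (use briefly)
```

After applying the configuration, generate traffic from an inside host and confirm with show ip nat translations that the entry shows the expected inside global address and, for PAT, a translated source port; an inbound connection to 30.20.10.100 should produce an entry whose inside local address rotates among 192.168.20.10, .11, and .12 on successive connections.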

