Saturday, Jul 31, 2010

NAT Unplugged

In its simplest configuration, the Network Address Translator (NAT) operates on a router connecting two networks together; one of these networks (designated as inside) is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside). The translation operates in conjunction with routing, so that NAT can simply be enabled on a customer-side Internet access router when translation is desired.

TERMINOLOGY

Figure 1: NAT Concepts

Inside

The set of networks that are subject to translation.

Outside

All other addresses. Usually these are valid addresses located on the Internet.

Figure 2: NAT Terminology “Inside Addressing”

Inside Local

The configured IP address assigned to a host on the inside network. The address may be globally unique, allocated out of the private address space defined in RFC 1918, or officially allocated to another organization.

Inside Global

The IP address of an inside host as it appears to the outside network (the “translated IP address”). These addresses are allocated from a globally unique address space, typically provided by the ISP if the enterprise is connected to the global Internet.

Figure 3: NAT Terminology “Outside Addressing”

Outside Local

The IP address of an outside host as it appears to the inside network. These addresses can be allocated from the RFC 1918 space if desired.

Outside Global

The configured IP address assigned to a host in the outside network.

Simple Translation Entry

A translation entry which maps one IP address to another.

Extended Translation Entry

A translation entry which maps one IP address and port pair to another.

Port Address Translation (PAT)

Figure 4: Basic Concepts of PAT

Figure 5: Unique Source Port per Translation Entry

Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as “overload”, a subset of NAT functionality.

PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port. If this source port is already allocated, PAT will attempt to find the first available port number, starting from the beginning of the appropriate port group: 0-511, 512-1023 or 1024-65535. If there is still no port available in the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.
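The allocation rules just described are easier to reason about when written out. The following Python model is an added example for this page, not Cisco's implementation and not code from the original post; it assumes the three port groups stated in the text (0-511, 512-1023, 1024-65535), that every port on an inside global address is free until the allocator hands it out, and that the pool addresses are tried in the order given.

```python
"""Added example, not from the original post and not Cisco's implementation:
a small model of the PAT (overload) source-port allocation rules described
above.

Assumptions: the three port groups are 0-511, 512-1023 and 1024-65535 as
the text states, and an inside global address has every port free until
this allocator hands it out.
"""
from typing import Dict, List, Optional, Set, Tuple

PORT_GROUPS: Tuple[Tuple[int, int], ...] = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> Tuple[int, int]:
    """Return the (low, high) bounds of the group a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"source port {port} is not a 16-bit port number")


class PatAllocator:
    """Hands out (inside global address, port) pairs for a pool of addresses."""

    def __init__(self, inside_global_ips: List[str]) -> None:
        if not inside_global_ips:
            raise ValueError("PAT needs at least one inside global address")
        self.ips = list(inside_global_ips)
        # ports already handed out, per inside global address
        self.in_use: Dict[str, Set[int]] = {ip: set() for ip in self.ips}

    def allocate(self, original_port: int) -> Optional[Tuple[str, int]]:
        """Pick the translated (address, port) for a new flow, or None when
        every address has run out of ports in the relevant group."""
        low, high = port_group(original_port)
        for ip in self.ips:
            used = self.in_use[ip]
            # Rule 1: keep the original source port if it is still free.
            if original_port not in used:
                used.add(original_port)
                return ip, original_port
            # Rule 2: otherwise take the first free port, scanning from the
            # start of the same port group.
            for port in range(low, high + 1):
                if port not in used:
                    used.add(port)
                    return ip, port
            # Rule 3: group exhausted on this address; move to the next
            # address and try the original port again there.
        return None

    def release(self, ip: str, port: int) -> None:
        """Free a port when its translation entry times out."""
        self.in_use[ip].discard(port)

    def active(self, ip: str) -> int:
        """Number of translations currently using this address."""
        return len(self.in_use[ip])


if __name__ == "__main__":
    pat = PatAllocator(["200.4.4.1", "200.4.4.2"])
    # three inside hosts that all happen to use source port 1024
    for flow in range(3):
        print(flow, pat.allocate(1024))
```

The model makes the capacity limit concrete: a single inside global address can carry at most 65,536 translations, and the low port groups (512 entries each) fill up far sooner than the high one, which is why an exhausted group on one address spills over to the next address rather than to another group.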

Now to lab it up and find out whether this thing actually works.
I have 3 routers in this config: R0, R1 and R2. R0 and R2 have FastEthernet ports connected to a switch. The lab topology is given below.
[Figure: lab topology]
I decided to use OSPF as the routing protocol. I set the interfaces up and gave them IP addresses. Now, the NAT part. I need to accomplish the following:
A user on the R0 FastEthernet segment, when connecting to anywhere in the network through Se0/0, should go out with an IP address from 200.4.4.0/24, and there should be full connectivity.
Here is the running-config of all the routers.
R0
interface Serial0/0
ip address 110.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
clock rate 64000
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 40.4.4.5 255.255.255.0 secondary
ip address 40.4.4.6 255.255.255.0 secondary
ip address 40.4.4.7 255.255.255.0 secondary
ip address 40.4.4.10 255.255.255.0 secondary
ip address 40.4.4.11 255.255.255.0 secondary
ip address 40.4.4.12 255.255.255.0 secondary
ip address 40.4.4.13 255.255.255.0 secondary
ip address 40.4.4.14 255.255.255.0 secondary
ip address 40.4.4.20 255.255.255.0 secondary
ip address 40.4.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 40.4.4.1 0.0.0.0 area 0
network 110.1.1.1 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
!
ip nat translation timeout 5
ip nat pool NAT_POOL 200.4.4.1 200.4.4.254 netmask 255.255.255.0 type match-host
ip nat inside source static network 40.4.4.0 200.4.4.0 /24
!
!
ip access-list standard PERMIT_ETH10_NAT
permit 40.4.4.0 0.0.0.255 log
!
!
R1
interface Serial0/0
ip address 110.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial0/1
ip address 120.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 110.1.1.2 0.0.0.0 area 0
network 120.1.1.2 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
!
!
!
!
R2
interface Serial0/0
ip address 120.1.1.1 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 20.2.2.10 255.255.255.0 secondary
ip address 20.2.2.11 255.255.255.0 secondary
ip address 20.2.2.12 255.255.255.0 secondary
ip address 20.2.2.13 255.255.255.0 secondary
ip address 20.2.2.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 20.2.2.1 0.0.0.0 area 0
network 120.1.1.1 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
If you are wondering why all the secondary IP addresses are configured on R0's Fa1/0: it's just a workaround to simulate PCs on the FastEthernet segment, so that you can source ICMP Echoes from those IP addresses rather than have an actual PC on the Ethernet segment with that IP address.
I have configured static NAT (inside source) using the command
ip nat inside source static network 40.4.4.0 200.4.4.0 /24
This statement specifies that I am trying to translate my inside local [40.4.4.0/24] (Fa1/0) to outside local [200.4.4.0/24]. With this the entire 40.4.4.0/24 network gets translated to 200.4.4.0/24. This is equivalent to writing 254 one-to-one static mappings.
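To show what the single static network statement stands for, here is an added Python example (not code from the original post and not a Cisco tool). It models the prefix swap that `ip nat inside source static network` performs, counts the one-to-one mappings it replaces, and reads `debug ip nat` lines of the shapes that appear further down in this post (`NAT: s=a->b, d=c [id]` for the outbound translation and `NAT*: s=c, d=b->a [id]` for the returning reply). Following the terminology section at the top of the page, the translated 200.4.4.0/24 side is called the inside global address here. The sample debug lines are copied from the post's own output; the networks 40.4.4.0/24 and 200.4.4.0/24 are the ones the lab uses.

```python
"""Added example (not from the original post, not Cisco code): model the
one-to-one static network translation and read `debug ip nat` output.

Assumptions: the inside local network is 40.4.4.0/24 and the inside global
network is 200.4.4.0/24, as in the post; the debug line formats are taken
from the post's own output.
"""
import ipaddress
import re
from typing import List, Tuple


def static_network_map(inside_local: str, local_net: str, global_net: str) -> str:
    """Return the inside global address for an inside local address.

    `ip nat inside source static network` keeps the host part and swaps the
    network prefix, so 40.4.4.12 becomes 200.4.4.12.
    """
    lnet = ipaddress.ip_network(local_net, strict=True)
    gnet = ipaddress.ip_network(global_net, strict=True)
    if lnet.prefixlen != gnet.prefixlen:
        raise ValueError("local and global networks must have the same prefix length")
    addr = ipaddress.ip_address(inside_local)
    if addr not in lnet:
        raise ValueError(f"{inside_local} is not in {local_net}; not subject to translation")
    host_part = int(addr) - int(lnet.network_address)
    return str(ipaddress.ip_address(int(gnet.network_address) + host_part))


def host_mappings(local_net: str) -> int:
    """How many one-to-one entries the single static network statement stands
    for: the usable host addresses of the network (254 for a /24)."""
    return ipaddress.ip_network(local_net).num_addresses - 2


# The two debug line shapes seen in the post:
#   NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [10]     outbound, source translated
#   NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [30]    reply, destination translated
OUT_RE = re.compile(r"NAT: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")
IN_RE = re.compile(r"NAT\*: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]")


def summarize_debug(lines: List[str], local_net: str, global_net: str) -> Tuple[int, int, List[str]]:
    """Count outbound and returning translations and flag any outbound line
    that disagrees with the static mapping.

    Outbound lines with no returning lines mean NAT is translating but the
    replies never reach the router: the problem is routing on the far side,
    not the NAT configuration.
    """
    outbound = inbound = 0
    problems: List[str] = []
    for line in lines:
        m = OUT_RE.search(line)
        if m:
            outbound += 1
            local, glob = m.group(1), m.group(2)
            expected = static_network_map(local, local_net, global_net)
            if glob != expected:
                problems.append(f"{local} translated to {glob}, expected {expected}")
            continue
        if IN_RE.search(line):
            inbound += 1
    return outbound, inbound, problems


# Sample lines copied from the post's own debug output (constructed subset)
FAILED_PING = [
    "*Mar  1 00:11:16.411: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [10].",
    "*Mar  1 00:11:18.407: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [11].",
    "*Mar  1 00:11:21.647: NAT: expiring 200.4.4.1 (40.4.4.1)",
]
WORKING_PING = [
    "*Mar  1 00:20:06.591: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [30]",
    "*Mar  1 00:20:06.643: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [30]",
    "*Mar  1 00:20:47.991: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [35]",
    "*Mar  1 00:20:48.015: NAT*: s=20.2.2.1, d=200.4.4.12->40.4.4.12 [35]",
]

if __name__ == "__main__":
    print(static_network_map("40.4.4.12", "40.4.4.0/24", "200.4.4.0/24"))
    print(host_mappings("40.4.4.0/24"))
    print(summarize_debug(FAILED_PING, "40.4.4.0/24", "200.4.4.0/24"))
    print(summarize_debug(WORKING_PING, "40.4.4.0/24", "200.4.4.0/24"))
```

The outbound/inbound split is the useful diagnostic: a debug capture with only `NAT:` lines and no `NAT*:` lines says the translation itself is fine and the return path for the inside global network is what needs attention.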
Now to check whether my NATing is working, I tried pinging 20.2.2.1 with a source IP of 40.4.4.1.
R0#ping 20.2.2.1 sour
R0#ping 20.2.2.1 source 40.4.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.4.4.1
.....
Success rate is 0 percent (0/5)

Can you guess what's wrong? Is the NAT working? So I ran debug ip nat and then tried pinging 20.2.2.1 with source 40.4.4.1 again.
R0#debug ip nat
IP NAT debugging is on
R0#ping 20.2.2.1 source 40.4.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.4.4.1

*Mar  1 00:11:16.411: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [10].
*Mar  1 00:11:18.407: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [11].
*Mar  1 00:11:20.407: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [12].
*Mar  1 00:11:21.647: NAT: expiring 200.4.4.1 (40.4.4.1)
*Mar  1 00:11:22.407: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [13].
*Mar  1 00:11:24.407: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [14].
Success rate is 0 percent (0/5)

Indeed, NAT's working fine! So why aren't the ICMP replies coming back to R0? The ICMP Echo packets are going out of R0's Se0/0 interface with a source IP of 200.4.4.1. So does R2 know how to reach the 200.4.4.0/24 network? R2's routing table is pasted below.
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C       20.2.2.0 is directly connected, FastEthernet1/0
110.0.0.0/24 is subnetted, 1 subnets
O       110.1.1.0 [110/128] via 120.1.1.2, 00:13:26, Serial0/0
40.0.0.0/24 is subnetted, 1 subnets
O       40.4.4.0 [110/129] via 120.1.1.2, 00:13:26, Serial0/0
120.0.0.0/24 is subnetted, 1 subnets
C       120.1.1.0 is directly connected, Serial0/0

And there you go: R2 doesn't know how to get to 200.4.4.0/24. So the workaround would be introducing that particular network into the OSPF domain.
To fix this I add a static route on R0 for 200.4.4.0/24 with R0's FastEthernet interface as the next hop and redistribute it into OSPF. My R0 running-config after the redistribution is pasted below.
R0
interface Serial0/0
ip address 110.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
clock rate 64000
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet1/0
ip address 40.4.4.5 255.255.255.0 secondary
ip address 40.4.4.6 255.255.255.0 secondary
ip address 40.4.4.7 255.255.255.0 secondary
ip address 40.4.4.10 255.255.255.0 secondary
ip address 40.4.4.11 255.255.255.0 secondary
ip address 40.4.4.12 255.255.255.0 secondary
ip address 40.4.4.13 255.255.255.0 secondary
ip address 40.4.4.14 255.255.255.0 secondary
ip address 40.4.4.20 255.255.255.0 secondary
ip address 40.4.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 40.4.4.1 0.0.0.0 area 0
network 110.1.1.1 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
ip route 200.4.4.0 255.255.255.0 FastEthernet1/0 200
!
ip nat translation timeout 5
ip nat pool NAT_POOL 200.4.4.1 200.4.4.254 netmask 255.255.255.0 type match-host
ip nat inside source static network 40.4.4.0 200.4.4.0 /24
!
!
ip access-list standard PERMIT_ETH10_NAT
permit 40.4.4.0 0.0.0.255 log
!
!
R2's routing table after R0's static route and redistribution
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

200.4.4.0/24 is subnetted, 1 subnets
O E2    200.4.4.0 [110/20] via 120.1.1.2, 00:01:26, Serial0/0

20.0.0.0/24 is subnetted, 1 subnets
C       20.2.2.0 is directly connected, FastEthernet1/0
110.0.0.0/24 is subnetted, 1 subnets
O       110.1.1.0 [110/128] via 120.1.1.2, 00:18:38, Serial0/0
40.0.0.0/24 is subnetted, 1 subnets
O       40.4.4.0 [110/129] via 120.1.1.2, 00:18:38, Serial0/0
120.0.0.0/24 is subnetted, 1 subnets
C       120.1.1.0 is directly connected, Serial0/0

Now I will try pinging again!
R0#ping 20.2.2.1 source 40.4.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.4.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/60 ms
R0#
*Mar  1 00:20:06.591: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [30]
*Mar  1 00:20:06.643: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [30]
*Mar  1 00:20:06.651: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [31]
*Mar  1 00:20:06.691: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [31]
*Mar  1 00:20:06.699: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [32]
*Mar  1 00:20:06.719: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [32]
*Mar  1 00:20:06.723: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [33]
*Mar  1 00:20:06.747: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [33]
*Mar  1 00:20:06.747: NAT: s=40.4.4.1->200.4.4.1, d=20.2.2.1 [34]
*Mar  1 00:20:06.767: NAT*: s=20.2.2.1, d=200.4.4.1->40.4.4.1 [34]

In the above excerpt 40.4.4.1 gets translated to 200.4.4.1. Note that in the excerpt below 40.4.4.12 gets translated to 200.4.4.12. It indeed is a one-to-one mapping!
R0#ping 20.2.2.1 source 40.4.4.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 40.4.4.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/35/76 ms
R0#
*Mar  1 00:20:47.991: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [35]
*Mar  1 00:20:48.015: NAT*: s=20.2.2.1, d=200.4.4.12->40.4.4.12 [35]
*Mar  1 00:20:48.023: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [36]
*Mar  1 00:20:48.091: NAT*: s=20.2.2.1, d=200.4.4.12->40.4.4.12 [36]
*Mar  1 00:20:48.099: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [37]
*Mar  1 00:20:48.115: NAT*: s=20.2.2.1, d=200.4.4.12->40.4.4.12 [37]
*Mar  1 00:20:48.123: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [38]
*Mar  1 00:20:48.143: NAT*: s=20.2.2.1, d=200.4.4.12->40.4.4.12 [38]
*Mar  1 00:20:48.151: NAT: s=40.4.4.12->200.4.4.12, d=20.2.2.1 [39]
R0#ping 20.2.2.1 source 40.4.4.12
*Mar  1 00:20:48.167: NAT*: s=20.2.2.1, d=200.4.4.

So you might be wondering whether the same can be accomplished by dynamic NATing (NOT PAT). Yes, you can. Instead of ip nat inside source static network 40.4.4.0 200.4.4.0 /24 you configure

R0(config)#ip nat inside source list PERMIT_ETH10_NAT pool  NAT_POOL

where PERMIT_ETH10_NAT is an access list specifying which packets are eligible for NAT, and NAT_POOL is a pool of IP addresses for NAT (200.4.4.0/24).

If you want 40.4.4.1 -> 200.4.4.1 and 40.4.4.12 -> 200.4.4.12, then you must specify type match-host when defining the NAT pool.

For Example

ip nat pool NAT_POOL 200.4.4.1 200.4.4.254 netmask 255.255.255.0 type match-host

For PAT just use

R0(config)#ip nat inside source list PERMIT_ETH10_NAT pool  NAT_POOL overload

IP NAT translation table with dynamic NATing.

R0#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.4.4.12:10     40.4.4.12:10       20.2.2.1:10        20.2.2.1:10
icmp 200.4.4.12:11     40.4.4.12:11       20.2.2.1:11        20.2.2.1:11
--- 200.4.4.12         40.4.4.12          ---                ---
icmp 200.4.4.20:12     40.4.4.20:12       20.2.2.1:12        20.2.2.1:12
--- 200.4.4.20         40.4.4.20          ---                ---

Now the same NAT translation table after PAT is enabled.

R0#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.4.4.1:16      40.4.4.1:16        20.2.2.1:16        20.2.2.1:16
icmp 200.4.4.1:17      40.4.4.10:17       20.2.2.1:17        20.2.2.1:17
icmp 200.4.4.1:18      40.4.4.11:18       20.2.2.1:18        20.2.2.1:18
icmp 200.4.4.1:19      40.4.4.12:19       20.2.2.1:19        20.2.2.1:19

See the inside global address: it's 200.4.4.1 for every entry, and each inside local (IP address, port number) pair is mapped to an inside global (IP address, port number) pair. In this way we can support something like 64,000 connections simultaneously using a single inside global IP address!
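The two translation tables above are the evidence for the difference between dynamic one-to-one NAT and PAT: under PAT several inside locals sit behind the same inside global address and differ only in the port. The following Python is an added example for this page (not from the original post and not a Cisco tool) that parses `show ip nat translations` output in the layout shown above, tells the two modes apart, and maps an (inside global address, port) pair seen from outside back to the inside host. It assumes five whitespace-separated fields per row with `---` for an absent address, and uses the post's two tables as constructed sample input.

```python
"""Added example (not from the original post, not a Cisco tool): parse the
`show ip nat translations` output shown above and tell one-to-one
translation from PAT (overload) by checking whether an inside global
address is shared by several inside hosts.

Assumption: five whitespace-separated fields per row, '---' for an absent
address, the column layout the post shows.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Endpoint = Tuple[str, Optional[int]]   # (address, port); for ICMP the "port" column carries the identifier


class Translation(NamedTuple):
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint


def _endpoint(field: str) -> Endpoint:
    """'200.4.4.12:10' -> ('200.4.4.12', 10); '---' -> ('', None); bare IP -> (ip, None)."""
    if field == "---":
        return "", None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_translations(output: str) -> List[Translation]:
    """Turn the raw command output into Translation records, skipping the
    prompt line and the column header."""
    entries: List[Translation] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        entries.append(Translation(fields[0], *map(_endpoint, fields[1:])))
    return entries


def inside_locals_behind(entries: List[Translation]) -> Dict[str, Set[str]]:
    """Map each inside global address to the set of inside local hosts using it."""
    behind: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        behind[e.inside_global[0]].add(e.inside_local[0])
    return dict(behind)


def translation_mode(entries: List[Translation]) -> str:
    """'overload' if any inside global address fronts more than one inside
    host (PAT), otherwise 'one-to-one'."""
    return "overload" if any(len(h) > 1 for h in inside_locals_behind(entries).values()) else "one-to-one"


def ports_in_use(entries: List[Translation], inside_global_ip: str) -> Set[int]:
    """Ports currently allocated on one inside global address."""
    return {e.inside_global[1] for e in entries
            if e.inside_global[0] == inside_global_ip and e.inside_global[1] is not None}


def attribute(entries: List[Translation], inside_global_ip: str, port: int) -> Optional[str]:
    """Given an (address, port) observed on the outside, return the inside
    local host behind it, or None if no entry matches."""
    for e in entries:
        if e.inside_global == (inside_global_ip, port):
            return e.inside_local[0]
    return None


# Constructed sample input: the two tables from the post
DYNAMIC_TABLE = """\
R0#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.4.4.12:10     40.4.4.12:10       20.2.2.1:10        20.2.2.1:10
icmp 200.4.4.12:11     40.4.4.12:11       20.2.2.1:11        20.2.2.1:11
--- 200.4.4.12         40.4.4.12          ---                ---
icmp 200.4.4.20:12     40.4.4.20:12       20.2.2.1:12        20.2.2.1:12
--- 200.4.4.20         40.4.4.20          ---                ---
"""
PAT_TABLE = """\
R0#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.4.4.1:16      40.4.4.1:16        20.2.2.1:16        20.2.2.1:16
icmp 200.4.4.1:17      40.4.4.10:17       20.2.2.1:17        20.2.2.1:17
icmp 200.4.4.1:18      40.4.4.11:18       20.2.2.1:18        20.2.2.1:18
icmp 200.4.4.1:19      40.4.4.12:19       20.2.2.1:19        20.2.2.1:19
"""

if __name__ == "__main__":
    for name, table in (("dynamic", DYNAMIC_TABLE), ("pat", PAT_TABLE)):
        entries = parse_translations(table)
        print(name, translation_mode(entries), inside_locals_behind(entries))
    print(attribute(parse_translations(PAT_TABLE), "200.4.4.1", 18))
```

The `attribute` lookup is the operational consequence of overload: once many hosts share one inside global address, an address alone no longer identifies a host, so anything logged on the outside needs the port and the time the entry was live to be traced back, and the `ip nat translation timeout` in the config bounds how long that entry survives.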

Refer : http://articles.techrepublic.com.com/5100-10878_11-1053789.html
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
