
BASIC NAT CONCEPTS

BY TYLER CHRISTIANSEN, AKA PACKET TALK

TERMINOLOGY
Inside Local: RFC1918 address local to the originating host.
Inside Global: Publicly routable address local to the originating AS.
Outside Global: Publicly routable address remote to the originating AS.
Outside Local: RFC1918 address remote to the originating AS.
Inside Interface: The interface on the LAN.
Outside Interface: The interface on the WAN.
Static NAT: Manually configured 1:1 NAT.
Dynamic NAT: Dynamically allocated 1:1 NAT.
NAT Overload: Dynamically allocated many:1 NAT tracked by port numbers.

BASIC NAT TRANSLATION


A packet undergoes a basic transformation process as it goes from source to destination when NAT is implemented. Our source address starts as our inside local address, but once it hits the router performing NAT, the source address is replaced with the specified publicly routable IP address, the inside global address. The destination address remains the same at this point. It is still the outside global address. As the packet traverses the cloud, the source address and destination address remain the same: inside global and outside global, respectively.

Once the remote router receives the packet, it will do one of two things. It will either forward the packet to the device that owns the IP address in the destination address field (if the device is publicly accessible), or it will provide its own NAT services and translate the packet it received. If it does this, then we see the outside local address come into play. The source address will remain the inside global address, but the destination address will be swapped for the inside local address, an RFC1918 private IP address that is not routable across the internet.

When we discuss and implement NAT, we have two primary types of interfaces on the router performing NAT. One is the inside interface. This is the network-facing, or internal, interface. The other type of interface we have is the outside interface. This is typically the WAN or external interface.

VISUAL AIDS
Assume we have the topology in the image below. The loopback addresses represent and simulate host PCs on a given network. They use RFC1918 addresses that cannot be routed across the internet. The Fast Ethernet interfaces have public IP addresses.

Assume that we are sending a packet from lo0 on the Corporate router to lo0 on the Remote router. This will give us addresses according to the following table:

Inside Local    Inside Global    Outside Global    Outside Local
10.0.0.1        198.10.7.3       8.8.8.8           172.16.0.1

Remember that lo0 will be the inside interface and fa0/0 will be the outside interface. Now let's see how a packet from Corporate's lo0 interface will change on its way to Remote's lo0 interface. We will only be looking at source and destination IP addresses. When lo0 originally sends the packet, it will have a source of 10.0.0.1 and a destination of 8.8.8.8. We see this in the graphic below.

Next, once the Corporate router performs the NAT service, the source address will change to become a publicly routable address. See the graphic below.

Remember that this is still the same packet. We are just changing the source IP address at this point so that it can traverse the public internet. Once the packet reaches the Remote router, the Remote router will replace the public destination IP address with the private IP of the target host. See the image below.

As you can see, the inside global address remains the same despite the translation on the Remote router. Next, we'll talk about the different types of NAT: static, dynamic, and overloaded.

TYPES OF NAT
There are three types of NAT that we use in today's networks. They are static, dynamic, and overloaded. Overloaded NAT is sometimes also called PAT, or Port Address Translation. This will be described shortly.

Static NAT: A manually defined 1:1 mapping in which a single RFC1918 private IP address is mapped to a single publicly routable IP address.

Dynamic NAT: A dynamically allocated 1:1 mapping in which a single RFC1918 private IP is mapped to a single publicly routable IP address which is part of a pool of available IP addresses.

NAT Overload: A dynamically allocated many:1 mapping in which several RFC1918 private IP addresses can be mapped to a single routable IP address which may or may not be part of a pool of available IP addresses. NAT Overload is tracked according to unique port numbers assigned by the router.

SPECIAL CONSIDERATIONS
When we configure dynamic or overloaded NAT, we need to create an access list that will permit a list of hosts to have their addresses translated into an address in the NAT pool. We then need to link the NAT pool with that access list. We discuss NAT configuration in more detail in other articles and documents.
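
The sketch below is an added example, not part of the original article and not router code: a toy Python model of NAT overload in which an access list decides which inside hosts are translated and unique port numbers track each mapping. The class and function names, the hosts 10.0.0.2 and 192.168.5.9, the port numbers and the sequential port allocation are assumptions made for illustration; a real router also keys its table on protocol and remote endpoint.

```python
import ipaddress

class OverloadNat:
    """Toy NAT overload (PAT) table: many inside locals share one inside global."""

    def __init__(self, inside_global, permitted_net, first_port=1024):
        self.inside_global = inside_global
        self.permitted = ipaddress.ip_network(permitted_net)  # stands in for the access list
        self.next_port = first_port  # assumption: ports are handed out sequentially
        self.out_map = {}   # (inside local ip, port) -> translated port
        self.in_map = {}    # translated port -> (inside local ip, port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source if the access list permits it."""
        if ipaddress.ip_address(src_ip) not in self.permitted:
            return None  # not matched by the access list: no translation is created
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: restore the inside local address from the port."""
        if dst_ip != self.inside_global or dst_port not in self.in_map:
            return None  # no table entry: unsolicited traffic has nowhere to go
        local_ip, local_port = self.in_map[dst_port]
        return (src_ip, src_port, local_ip, local_port)


def demo():
    # 10.0.0.1, 198.10.7.3 and 8.8.8.8 come from the article's table;
    # the other hosts and all port numbers are constructed sample values.
    nat = OverloadNat("198.10.7.3", "10.0.0.0/24")
    a = nat.outbound("10.0.0.1", 50000, "8.8.8.8", 53)
    b = nat.outbound("10.0.0.2", 50000, "8.8.8.8", 53)   # same source port, other host
    denied = nat.outbound("192.168.5.9", 50000, "8.8.8.8", 53)
    reply = nat.inbound("8.8.8.8", 53, "198.10.7.3", b[1])
    stray = nat.inbound("8.8.8.8", 53, "198.10.7.3", 40000)
    return a, b, denied, reply, stray


if __name__ == "__main__":
    for label, result in zip(("a", "b", "denied", "reply", "stray"), demo()):
        print(label, result)
```

Each tuple is (source IP, source port, destination IP, destination port). Two hosts using the same source port still get distinct translated ports, which is what lets the reply find its way back to 10.0.0.2.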

CONCLUSION
Please keep the information above in your mind whenever you configure NAT. Understanding these concepts is vital to configuring the expected behavior in NAT.
