R&S C11 : Network Address Translation for IPv4
11.1 NAT operation
11.1.1 NAT Characteristics
11.1.1.1 IPv4 Private Address Space
the IPv4 address space is not big enough for the internet
private addresses are not routed by internet routers
public addresses are routed by internet routers
private addresses ease the shortage of IPv4 addresses, but they need to be translated first
the translation process is NAT
the IETF developed RFC 1918, which defines 3 private IPv4 address ranges
class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
11.1.1.2 What is NAT?
NAT translates network addresses
devices use private addresses inside the network, but the network presents one public address to the outside
usually implemented at border network devices, such as firewalls / routers
as traffic leaves the network, the border router translates the private source addresses to a public, globally unique address
11.1.1.3 NAT Terminology
terms are applied from the perspective of the device with the translated address
Inside address: the address of the device which is being translated by NAT
Outside address: the address of the destination device
NAT also uses the concept of local or global with respect to addresses
Local address: any address that appears on the inside portion of the network
Global address: any address that appears on the outside portion of the network
other terminology
Inside network is the set of devices using private addresses
Outside network refers to all other networks
NAT includes four types of addresses
Inside local address
Inside global address
Outside global address
Outside local address
11.1.1.5 How NAT Works
11.1.6 Activity
11.1.2 Types of NAT
11.1.2.1 Static NAT
One-to-one address mapping between local and global addresses
permanently binds an inside local address to an inside global address
mappings are configured by the administrator and remain constant
typically used to configure an internal server that must be accessed from the outside world
SUMMARY
static NAT uses a one-to-one mapping of local and global addresses
mappings are configured by the network administrator and remain constant
static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network
a network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address
11.1.2.2 Dynamic NAT
Many-to-many address mapping between local and global addresses
dynamic NAT uses a pool of public addresses and assigns them on a first come, first-served basis
when an inside device requests access to an outside network,
dynamic NAT assigns an available public IPv4 address from the pool
dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions
11.1.2.3 Port Address Translation (PAT)
many-to-one address mapping between local and global addresses
this method is also known as NAT overloading (NAT overload)
PAT maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses
PAT uses the pair of source port and source IP address to keep track of which traffic belongs to which internal client
by also using the port number, PAT forwards the response packets to the correct internal device
the PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session
11.1.2.4 Next available port
11.1.2.5 Comparing NAT and PAT
NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses
PAT modifies both the address and the port number
NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network
with PAT , there is generally only one or a very few publicly exposed IPv4 addresses
PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT
11.1.2.6 PT
11.1.3 Benefits of NAT
11.1.3.1 Benefits of NAT
conserves the legally registered addressing scheme
increases the flexibility of connections to the public network
provides consistency for internal network addressing schemes
provides network security
11.1.3.2 Disadvantages of NAT
performance degraded
end-to-end functionality is degraded
end-to-end IP traceability is lost
tunneling is more complicated
initiating TCP connections can be disrupted
11.2 Configuring NAT
11.2.1 Configuring Static NAT
11.2.1.1 Configuring Static NAT
create a mapping between the inside local address and the inside global address
ip nat inside source static inside-local inside-global
identify the inside and outside NAT interfaces
ip nat inside
ip nat outside
example
ip nat inside source static 192.168.10.254 209.165.201.5
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 exit
interface Serial0/1/0
 ip address 209.165.200.225 255.255.255.224
 ip nat outside
11.2.1.2 Analyzing Static NAT
11.2.1.3 Verifying Static NAT
clear ip nat statistics
show ip nat translations
11.2.1.4 PT
11.2.2 Configuring Dynamic NAT
11.2.2.1 Dynamic NAT Operation
the pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come, first-served basis
with dynamic NAT, a single inside address is translated to a single outside address
the pool must be large enough to accommodate all inside devices
a device is unable to communicate to any external networks if no addresses are available in the pool
11.2.2.2 Configuring Dynamic NAT
1. define a pool of global addresses to be used for translation
2. configure a standard access list permitting the addresses that should be translated
3. establish dynamic source translation, specifying the access list and pool defined in the prior steps
4. identify the inside interface
5. identify the outside interface
11.2.2.3 Analyzing Dynamic NAT
11.2.2.4 Verifying Dynamic NAT
show ip nat translations
show ip nat translations verbose
11.2.2.5 PT
11.2.2.6 Lab
11.2.3 Configuring Port Address Translation (PAT)
11.2.3.1 Configuring PAT: Address Pool
11.2.3.2 Configuring PAT: Single Address
define a standard access list permitting the addresses that should be translated
establish dynamic source translation, specifying the ACL, exit interface and overload options
identify the inside interface
identify the outside interface
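The dynamic NAT steps (11.2.2.2) and the PAT steps (11.2.3.2) written out as IOS commands, as an added example that is not from the original notes; the pool name, ACL number, 192.168.10.0/24 inside network, 209.165.200.0/27 public block and the Serial0/0/0 (inside) / Serial0/1/0 (outside) roles are assumed.

```cisco
! Added example (not from the page). Assumed names and addresses:
! NAT-POOL1, ACL 1, inside 192.168.10.0/24, public 209.165.200.224/27,
! Serial0/0/0 = inside interface, Serial0/1/0 = outside interface.
!
! --- Dynamic NAT: many-to-many, one public address per inside host ---
! step 1: pool of inside global addresses (.226-.240 of the /27)
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
! step 2: standard ACL; only hosts it permits are ever translated,
! so a "permit any" here would leak translations to every inside subnet
access-list 1 permit 192.168.10.0 0.0.0.255
! step 3: bind the ACL to the pool for dynamic source translation
ip nat inside source list 1 pool NAT-POOL1
! steps 4 and 5: mark the inside and outside interfaces
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 exit
interface Serial0/1/0
 ip address 209.165.200.225 255.255.255.224
 ip nat outside
 exit
!
! --- PAT (overload) with the single outside interface address ---
! the ACL and interface roles above stay the same; only the
! translation statement changes, so remove the pool binding first
no ip nat inside source list 1 pool NAT-POOL1
ip nat inside source list 1 interface Serial0/1/0 overload
!
! --- PAT with a small address pool instead (11.2.3.1) ---
! ip nat pool NAT-POOL2 209.165.200.226 209.165.200.227 netmask 255.255.255.224
! ip nat inside source list 1 pool NAT-POOL2 overload
!
! verification (commands named on the page):
! show ip nat translations   -> per-session entries; with overload the
!                               inside global column carries :port suffixes
! show ip nat statistics     -> hit/miss counters and pool exhaustion
```

With dynamic NAT a host that finds the pool exhausted gets no translation at all; with PAT the same pool serves thousands of sessions because each one is distinguished by its translated port.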
11.2.3.3 Verifying PAT
11.2.3.4 Verifying PAT
11.2.3.5 Activity
11.2.3.6 PT + 11.2.3.7 Lab
11.2.4 Port Forwarding
11.2.4.1 Port Forwarding
port forwarding is the act of forwarding a network port from one network node to another
a packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network
port forwarding is helpful in situations where servers have private addresses that are not reachable from the outside networks
11.2.4.2 Wireless Router Example
11.2.4.3 Configuring Port Forwarding with IOS
in IOS, port forwarding is essentially a static NAT translation with a specified TCP or UDP port number
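The static NAT entry with a TCP port that the line above describes, as an added IOS example that is not from the original notes; the server address 192.168.10.254, the public address 209.165.201.5 and the ports 80/8080 are assumed, and the inside/outside interfaces are assumed to be marked as in 11.2.1.1.

```cisco
! Added example (not from the page). Assumed: a web server at
! 192.168.10.254 listening on TCP 80, public address 209.165.201.5,
! outside clients connecting to TCP 8080. Interfaces are already
! marked with "ip nat inside" / "ip nat outside".
!
! syntax: ip nat inside source static tcp <inside-local> <local-port>
!                                         <inside-global> <global-port>
ip nat inside source static tcp 192.168.10.254 80 209.165.201.5 8080
!
! Only TCP 8080 on the public address reaches the server, and only
! its port 80. A plain static entry without the protocol and ports
! (ip nat inside source static 192.168.10.254 209.165.201.5) would
! expose every port of the inside host, so the per-port form is the
! least-privilege choice for a single published service.
!
! Several inside servers can share one public address as long as the
! global ports differ:
! ip nat inside source static tcp 192.168.10.253 22 209.165.201.5 2222
!
! verify with the page's commands; the static entry is present even
! with no active sessions:
! show ip nat translations
```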
11.2.4.4 PT
11.2.5 Configuring NAT and IPv6
11.2.5.1 NAT for IPv6?
NAT is a workaround for IPv4 scarcity
IPv6 with a 128-bit address provides 340 undecillion addresses
address space is not an issue for IPv6
IPv6 makes IPv4 public-private NAT unnecessary by design;
however, IPv6 does implement a form of private addresses, and they are implemented differently than in IPv4
11.2.5.2 IPv6 Unique Local Addresses
IPv6 unique local addresses (ULAs) are designed to allow IPv6 communications within a local site
ULAs are not meant to provide additional IPv6 address space
ULAs have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF
ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses)
11.2.5.3 NAT for IPv6
IPv6 also uses NAT, but in a much different context
in IPv6, NAT is used to provide transparent communication between IPv6 and IPv4
NAT64 is not intended to be a permanent solution; it is meant to be a transition mechanism
Network Address Translation-Protocol Translation (NAT-PT) was another NAT-based transition mechanism for IPv6, but it has been deprecated by the IETF
NAT64 is now recommended
11.3 Troubleshooting NAT
11.3.1 Troubleshooting NAT
11.3.1.1 Troubleshooting NAT: show commands
clear ip nat statistics
clear ip nat translation *
show ip nat statistics
show ip nat translations
11.3.1.2 Troubleshooting NAT: debug command
debug ip nat
11.3.1.3 Case Study
11.3.1.4 PT - 11.3.1.5 Lab
11.4 Summary
How NAT is used to help alleviate the depletion of the IPv4 address space
NAT conserves public address space and saves considerable administrative overhead in managing adds, moves and changes
NAT for IPv4, including:
NAT characteristics, terminology, and general operations
Different types of NAT, including static NAT, dynamic NAT, and NAT with overloading
benefits and disadvantages of NAT
the configuration, verification, and analysis of static NAT, dynamic NAT, and NAT with overloading
how port forwarding can be used to access an internal device from the internet
troubleshooting NAT using show and debug commands
How NAT for IPv6 is used to translate between IPv6 addresses and IPv4 addresses