Introduction to the NAT (Network Address Translation), PAT (Port Address Translation), Dynamic NAT and Static NAT
Today I am going to talk about NAT, which stands for Network Address Translation, of the IPs in your network. NAT is one of the most important topics in networking and is used in almost all enterprise networks. With the help of NAT you can keep your internal addresses out of the public address space and conserve public IPs.
I know we have multiple questions on NAT, and I also know that many of you already know about NAT, both the concept and the configuration part. This post is mainly for newcomers in the network space who really want to understand the basics. Let's start from the beginning: why NAT is needed and where to start from.
Requirement of NAT (Network Address Translation)
The shortage of public IPv4 address space has forced all of us to think harder about alternative ways of addressing networked hosts. Network Address Translation (NAT) was therefore introduced to overcome the addressing problems that came with the rapid expansion of the Internet.
Even though NAT was suggested as a temporary solution, it has been adopted by all network hardware manufacturers, and it is considered a very useful technology, not only for IP address conservation but also for many other purposes, including security. Basically, NAT allows a single network device (e.g. a router, firewall, etc.) to act as an agent between a private local area network and a public network such as the Internet.
Fig 1.1 - NAT (Network Address Translation)
The diagram above is just an example to showcase how NAT works: what the IPs are on the inside network and how they change on the Internet, or public, side.
The purpose of this NAT device is to translate the source IP addresses of the internal network hosts into public routable IP addresses in order to communicate with the Internet.
Let's talk about the advantages of NAT. Some of the advantages of using NAT in IP networks are the following:
- NAT helps to mitigate the depletion of the global public IP address space.
- Networks can now use the RFC 1918 private address space internally and still have a way to access the Internet using NAT.
- NAT increases security by hiding the internal network topology and addressing scheme.
I will take the example of Cisco routers, where we talk about four types of NAT: PAT, Dynamic NAT, Static NAT and port redirection. Let's discuss each briefly, one by one, below.
Overloading NAT or Port Address Translation (PAT)
This method is one of the most frequently used forms of NAT in IP networks. It uses the concept of “many-to-one” translation, where multiple connections from different internal hosts are “multiplexed” into a single registered (public) IP address using different source port numbers. This type of NAT allows a maximum of 65,536 internal connections to be translated into a single public IP. It is very useful in situations where our ISP has assigned us only a single public IP address, as shown below.
As an example, let us suppose that our internal network range is 192.168.31.0/24 and our assigned public IP address is 213.18.122.100. All internal hosts will be translated to the public address using different port numbers.
Configuration of Port Address Translation (PAT)
NDNA(config)# interface ethernet 0
NDNA(config-if)# ip address 192.168.31.1 255.255.255.0
NDNA(config-if)# ip nat inside
NDNA(config)# interface serial 0
NDNA(config-if)# ip address 213.18.122.100 255.255.255.0
NDNA(config-if)# ip nat outside
NDNA(config)# ip nat pool overload-pool 213.18.122.100 213.18.122.100 prefix-length 24
NDNA(config)# ip nat inside source list 1 pool overload-pool overload
NDNA(config)# access-list 1 permit 192.168.31.0 0.0.0.255
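To make the many-to-one mechanism concrete, here is an added Python model (not code from the original post, and not how IOS is implemented) of the translation table that the overload keyword builds: the public address is the post's 213.18.122.100, the port-selection rule is an assumption, and an inbound packet with no matching entry comes back as None, i.e. it is dropped.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "213.18.122.100"   # the single public address from the PAT example above


@dataclass
class PatTable:
    """Models the 'overload' translation table: many inside (ip, port) pairs
    share one public IP and are told apart by the public source port."""
    public_ip: str = PUBLIC_IP
    out: dict = field(default_factory=dict)   # (proto, in_ip, in_port) -> pub_port
    back: dict = field(default_factory=dict)  # (proto, pub_port) -> (in_ip, in_port)

    def _alloc_port(self, proto, wanted):
        # Assumption about port selection: keep the original source port when
        # it is free, otherwise take the lowest free port from 1024 upwards.
        if (proto, wanted) not in self.back:
            return wanted
        for port in range(1024, 65536):
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("PAT port exhaustion on %s" % self.public_ip)

    def outbound(self, proto, in_ip, in_port):
        """Inside -> outside: the (public_ip, public_port) the packet leaves with."""
        key = (proto, in_ip, in_port)
        if key not in self.out:
            port = self._alloc_port(proto, in_port)
            self.out[key] = port
            self.back[(proto, port)] = (in_ip, in_port)
        return self.public_ip, self.out[key]

    def inbound(self, proto, pub_port):
        """Outside -> inside: (in_ip, in_port) if a session exists, else None.
        None is why PAT hides the inside network: an unsolicited inbound
        packet matches no entry, so the router has nowhere to send it."""
        return self.back.get((proto, pub_port))


def demo():
    """Two inside hosts using the same source port share 213.18.122.100."""
    table = PatTable()
    first = table.outbound("tcp", "192.168.31.10", 51000)   # keeps port 51000
    second = table.outbound("tcp", "192.168.31.12", 51000)  # collides, gets 1024
    reply = table.inbound("tcp", second[1])                 # back to 192.168.31.12
    unsolicited = table.inbound("tcp", 8080)                # None: dropped
    return first, second, reply, unsolicited
```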
Dynamic NAT (Network Address Translation)
Dynamic NAT translates internal private IP addresses to public addresses from a range (pool) of public addresses assigned to our network from an ISP.
As an example, assume that we own the range of public IP addresses 213.18.122.0/24. Any internal host accessing the Internet will be translated by the NAT router to the first available public IP in the pool. In the example above, internal host 192.168.31.10 is translated to 213.18.122.116 (one-to-one mapping). Similarly, 192.168.31.12 is translated to 213.18.122.112, etc.
Configuration of Dynamic NAT
NDNA(config)# interface ethernet 0
NDNA(config-if)# ip address 192.168.31.1 255.255.255.0
NDNA(config-if)# ip nat inside
NDNA(config)# interface serial 0
NDNA(config-if)# ip address 100.100.100.1 255.255.255.252
NDNA(config-if)# ip nat outside
NDNA(config)# ip nat pool dynamic-pool 213.18.122.0 213.18.122.255 prefix-length 24
NDNA(config)# ip nat inside source list 1 pool dynamic-pool
NDNA(config)# access-list 1 permit 192.168.31.0 0.0.0.255
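As an added illustration (not from the original post), the following Python models the one-to-one allocation behind dynamic-pool: a host permitted by the access list takes the first available pool address and keeps it until its entry times out, a host the list does not permit is forwarded untranslated, and once the pool is empty a new host gets no translation at all. The pool range and inside network are constructor arguments; the small pool in the test is constructed to show exhaustion.

```python
import ipaddress


class DynamicNatPool:
    """One-to-one dynamic NAT: each permitted inside host borrows one public
    address from the pool for as long as its translation entry lives."""

    def __init__(self, pool_start, pool_end, permitted):
        lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        # pool addresses in order, lowest first (the "first available" rule)
        self.free = [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
        self.permitted = ipaddress.ip_network(permitted)   # what access-list 1 permits
        self.active = {}                                   # inside local -> inside global

    def translate(self, inside_ip):
        """Source address the packet leaves with, or None when the pool is
        exhausted (there is no spare public address to lend, so it is dropped)."""
        if ipaddress.ip_address(inside_ip) not in self.permitted:
            return inside_ip          # ACL miss: routed without translation
        if inside_ip in self.active:
            return self.active[inside_ip]
        if not self.free:
            return None
        self.active[inside_ip] = self.free.pop(0)   # first available address
        return self.active[inside_ip]

    def release(self, inside_ip):
        """Entry timed out: hand the public address back to the pool."""
        public = self.active.pop(inside_ip, None)
        if public is not None:
            self.free.append(public)
        return public
```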
Static NAT (Network Address Translation)
This form of NAT creates a permanent one-to-one static mapping of a public IP address with a private IP address. It is particularly useful in cases where an internal host needs to be accessible from the outside public internet.
As an example, assume that the internal host with private IP address 192.168.31.10 will always be translated to 213.18.122.110. Hosts on the outside public Internet will be able to directly access the statically NATed internal hosts by connecting to their mapped public IP address. This scenario is useful for providing access to public company servers such as a Web server, an Email server, etc.
Configuration of Static NAT
NDNA(config)# interface ethernet 0
NDNA(config-if)# ip address 192.168.31.1 255.255.255.0
NDNA(config-if)# ip nat inside
NDNA(config)# interface serial 0
NDNA(config-if)# ip address 100.100.100.1 255.255.255.252
NDNA(config-if)# ip nat outside
NDNA(config)# ip nat inside source static 192.168.31.10 213.18.122.110
NDNA(config)# ip nat inside source static 192.168.31.12 213.18.122.111
NDNA(config)# ip nat inside source static 192.168.31.15 213.18.122.112
Port Redirection
This is useful in situations where we have a single public IP address and need to use it to reach two or more internal servers from outside.
Assume that we have a Web server and an Email server that we need to make accessible from outside using only a single public IP address. Assume that our public address is 100.100.100.1. Inbound traffic arriving at address 100.100.100.1 port 80 will be redirected to our internal Web server 192.168.31.10, and inbound traffic arriving at address 100.100.100.1 port 25 will be redirected to our internal Email server 192.168.31.20.
Configuration of Port Redirection
NDNA(config)# interface ethernet 0
NDNA(config-if)# ip address 192.168.31.1 255.255.255.0
NDNA(config-if)# ip nat inside
NDNA(config)# interface serial 0
NDNA(config-if)# ip address 100.100.100.1 255.255.255.252
NDNA(config-if)# ip nat outside
NDNA(config)# ip nat inside source static tcp 192.168.31.10 80 100.100.100.1 80
NDNA(config)# ip nat inside source static tcp 192.168.31.20 25 100.100.100.1 25