Network Address Translation
NAT substitutes the local address on a packet with a global address that is routable on the destination network.
By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).
Note: NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a security appliance from an earlier version, then the nat-control command is automatically added to your configuration to maintain the expected behavior.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
CONFIGURING NAT OVERLOAD
NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of TCP/UDP port translation.
The main purpose of NAT is to hide the (usually private) IP address of a client and to conserve public address space. For example, a complete network with 100 hosts can have 100 private IP addresses and still be visible to the outside world (the Internet) as a single IP address. Other benefits of NAT include security and economical use of the IP address ranges at hand.
The following steps explain basic Cisco router NAT Overload configuration. NAT overload is the most common operation in most businesses around the world, as it enables the whole network to access the Internet using one single real IP address.
You can implement address translation as:
• Dynamic NAT
• Port Address Translation (PAT)
• Static NAT
Static NAT: Puts a permanent mapping between an internal private address and a public address. In this scenario, 192.168.8.50 will always map out to 192.0.2.75. This type of NAT may be used for allowing traffic into a mail server or web server.
Dynamic NAT: Puts a dynamic mapping between an internal private address and a public address. This also creates a one-to-one relationship on a first-come-first-served basis. The public address that is used by a private device can change over time, so outside hosts cannot rely on it. This would allow systems out when you are not concerned with outside devices trying to connect in, as with the previous web server example.
Port Address Translation (PAT) or Overloading: In this case, multiple internal devices are able to share one public address, as mappings are placed into the mappings table based on the source and destination ports that are used. As long as ports are available to be remapped, then any number of devices can share a very small pool of public addresses or just one public address.
Overlapping: NAT can be used when public or registered addresses are used inside your network. In this case, you may use a public address block on multiple internal networks. NAT allows you to translate those “internal” addresses to other publicly accessible addresses when you connect to the “public” side of the router.
Many people quickly become lost understanding local, global, inside, and outside addresses.
The following list describes the different types of addresses:
• Local: This refers to what happens on the inside of your network.
• Global: This refers to what happens on the outside of your network.
• Inside Local Address: This is an address of a host on your internal network, for example, 192.168.8.25.
• Inside Global Address: This is the mapped address that people on the Internet would see, which represents the inside host.
• Outside Global Address: The IP address, as assigned by its owner, of a remote Internet-based host that can communicate with an inside host, for example, 192.0.2.100.
• Outside Local Address: This is the address that the inside hosts use to reference an outside host. The outside local address may be the outside host’s actual address or another translated private address from a different private address block.
Therefore, the router could translate that address to 192.168.10.50, or it could be the public address of the external host. The internal hosts would contact this address to deal with the external host.
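As an added example (not from the original page or any vendor's code), a small Python model of the translation table that the static NAT and PAT descriptions above refer to: static entries are permanent one-to-one mappings that admit unsolicited inbound traffic, while the overloaded inside global address (203.0.113.1 and the tiny port pool are constructed values) only admits replies to flows that an inside host opened, and drops new flows once the port pool is exhausted.

```python
from dataclasses import dataclass, field

# Constructed model of a NAT/PAT translation table (not vendor code):
# static one-to-one entries plus one overloaded inside-global address.
@dataclass
class NatTable:
    inside_global: str                           # single public address shared by PAT
    static: dict = field(default_factory=dict)   # inside local -> inside global, permanent
    port_pool: range = range(1024, 1027)         # deliberately tiny so exhaustion shows
    fwd: dict = field(default_factory=dict)      # (inside local, port) -> (inside global, port)
    rev: dict = field(default_factory=dict)      # (inside global, port) -> (inside local, port)

    def outbound(self, src_ip, src_port):
        """Translate the source of an inside->outside packet. None = no translation slot."""
        if src_ip in self.static:                # static NAT: address swapped, port untouched
            return self.static[src_ip], src_port
        key = (src_ip, src_port)
        if key in self.fwd:                      # an existing flow reuses its entry
            return self.fwd[key]
        # PAT: keep the original source port when free, otherwise remap from the pool
        for port in (src_port, *self.port_pool):
            glob = (self.inside_global, port)
            if glob not in self.rev:
                self.fwd[key] = glob
                self.rev[glob] = key
                return glob
        return None                              # pool exhausted: router drops the packet

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of an outside->inside packet. None = no entry, dropped."""
        for local, glob in self.static.items():  # static entries admit unsolicited traffic
            if glob == dst_ip:
                return local, dst_port
        return self.rev.get((dst_ip, dst_port))  # PAT only admits replies to known flows
```

Two inside hosts using the same source port end up on different inside global ports, which is the remapping that lets many hosts share one address; an inbound packet with no matching entry returns None, which is why PAT alone does not let outside hosts reach an inside host.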
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask [secondary]
6. ip nat inside
8. interface type number
9. ip address ip-address mask [secondary]
10. ip nat outside
You can also configure rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT
Network Address Translation (NAT) can be configured to work on your network in a few different ways.
The type of NAT you choose to implement depends on what your goals are for NAT and your public address management.