Chapter 12 explored concepts relating to Network Address Translation (NAT), outlining how it can be used to allow privately addressed internal hosts to access Internet resources. Three different NAT techniques were looked at, including static NAT, dynamic NAT, and overloading (PAT). The ability to create mappings to allow Internet hosts to gain access to privately addressed internal servers was also discussed.
For the purpose of this example, I’m going to assume that we’re using NAT overloading (PAT) to allow our internal clients to access the Internet through a single public IP address. We’ll also create a static inbound mapping to allow external clients to gain access to a web server on our private network. The network properties used in this example are the same as those found in this figure.
Our first step involves configuring interface Ethernet 0 with its private IP address, and designating it as the internal NAT interface. The ip nat inside command designates an interface as internal.
Enter configuration commands, one per line. End with CNTL/Z.
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
The next step involves configuring Serial 0 with an IP address, and specifying it as the external NAT interface. External NAT interfaces are defined with the ip nat outside command.
Router(config-if)#ip address 18.104.22.168 255.255.255.240
Router(config-if)#ip nat outside
Depending on the NAT technique being used, a range of IP addresses could be configured as part of the NAT “pool”. Because we’re using NAT overloading, this “pool” will only consist of a single address – 22.214.171.124. The subnet mask associated with an address pool is specified with the prefix command.
Router(config)#ip nat pool Toronto 126.96.36.199 188.8.131.52 prefix 28
After the pool is defined, it needs to be configured for overloading. This is accomplished using the command shown below, which defines an access list. In this example, access list 88 allows us to control which addresses can access the Internet via NAT.
Router(config)#ip nat inside source list 88 pool Toronto overload
Router(config)#access-list 88 permit 192.168.1.0 0.0.0.255
Assuming that internal clients are configured with addresses in the 192.168.1.0/24 range, and that their default gateways are set to 192.168.1.1, they should now be able to access the Internet through the router’s NAT implementation.
In order to allow external clients to access the web server on our internal private network, we’ll create a mapping that tells NAT to forward all requests to address 184.108.40.206 port 80 to the internal address 192.168.1.100, port 80. This is accomplished using the command shown below.
Router(config)#ip nat inside source static tcp 192.168.1.100 80 220.127.116.11 80
Once implemented, NAT statistics can be viewed using the show ip nat statistics command, while address translations can be viewed using show ip nat translations.
While NAT is most commonly looked at as a way to allow internal clients to gain access to the Internet, it can also be used to allow external Internet hosts to gain access to resources on a private network. Recall that by default, a NAT server will drop all packets that are not replies to requests that were originated from the internal private network. However, it is also possible that your company has servers on its internal privately addressed network that need to be accessible from the Internet – both mail and web servers are good examples. In order to accomplish this, companies will most commonly use what is known as an inbound static mapping. This technique takes requests that are made to a certain ports on the external public interface of the NAT router, and statically maps them to an address and port number on the private network. If multiple public IP addresses are available, individual public addresses can be mapped to internal private addresses on a one-to-one basis.
Imagine that a company wishes to host its web server internally. In order for Internet clients to access our server, it will need to be accessible using a public IP address. In this example, the web server has a private address, 192.168.1.10, and is waiting for connections on the default HTTP port, TCP 80. This is illustrated in the figure below.
In order to allow Internet hosts to access the HTTP server, we will need to create an inbound static mapping. This will involve configuring NAT such that when it receives a request on the router’s public interface that is destined for TCP port 80, it will forward the request to the web server at 192.168.1.10, port 80. To the outside world, it appears as though our web server can be found at the public address. In reality, these requests are being translated by NAT and forwarded to the designated address and port on the internal network. This allows us to host services on the internal network, without external clients being any the wiser as to the true location of a server.
Overloading is a very popular NAT technique, and is sometimes referred to as Port Address Translation (PAT). Instead of requiring multiple public IP addresses, overloading instead uses a single (or small number) of public address, and differentiates between sessions according to port number. When a client on the internal network wishes to access the Internet, it forwards the request to its configured gateway, the router running NAT. The router will translate the source address and port number of the packet to use the router’s public IP address and the same port number (if not already in use by another client), and will forward the “new” packet to the destination host. NAT mappings are stored in the router’s NAT table, as shown in the table below.
When host 192.168.1.54 attempts to access the web server at address 18.104.22.168, the request is first passed to the NAT server, where the source address and port number are translated, and a mapping is added to the NAT table. To the external web server, the request appears to be coming from address 22.214.171.124, TCP port 4085. The web server will send its reply to this address and port number. Once received by the router, it will look in its NAT table, and discover that since the packet’s destination is address 126.96.36.199 TCP port 4085, it should be forwarded to internal host 192.168.1.12, TCP port 4085. The process is illustrated step-by-step in the figure below.
The overloading technique is obviously a very efficient way to implement NAT, since it requires only a single public IP address at a minimum. With thousands of TCP and UDP port numbers available, the technique is capable of supporting many internal clients using private addressing.
Dynamic NAT works slightly differently in that private and public addresses are not mapped on a one-to-one basis. Instead, a range of public IP addresses is configured on the NAT device, and private internal clients will be mapped to an available address as necessary. The NAT table is built dynamically, avoiding the need for mappings to be statically defined. The address translation function that occurs is similar to that with static NAT, with the obvious exception that address mappings may change.
A static NAT implementation is one in which each private internal IP address is mapped to unique public external IP address. This technique involves defining a static NAT table on the router that maps each internal private address to its external public counterpart. Consider the example illustrated in the figure below. It shows a small network consisting of five client systems, each configured with a private address in the 192.168.1.0/24 range. The router is configured for NAT, and has five external public addresses. The NAT table shown in the example illustrates the mapping between the private and public addresses.
With static NAT, when client 192.168.1.12 attempts to access an Internet resource, the request will be forwarded to its configured default gateway, 192.168.1.1. When the router receives this packet, it will change the source address to 188.8.131.52, as per the information stored in the NAT table. When the destination web server receives the request, it considers it to have originated from 184.108.40.206. This is also the address to which the subsequent reply will be sent. Once received by the router, it will check its NAT table, and will again translate the packet such that its destination address is changed to 192.168.1.12. The packet will then be forwarded to the internal client.
Companies generally don’t implement static NAT for the purpose of allowing internal hosts to gain access to the Internet. It is simply too time consuming to build the NAT table, and companies often do not have an available public IP address for each and every internal host. Instead, static NAT is most often used in order to allow Internet hosts to gain access to internal servers. This will be discussed shortly.
In Chapter 5 we took a look at how companies have moved to using private IP addresses on their internal networks. The reason for this transition is twofold. Firstly, the rapid growth of the Internet has led to a serious reduction in the number of public addresses available in the IP version 4 address space. While this is being addressed by a new version of IP (IPv6), the wide-scale deployment of IPv6 is likely to take many years to occur. The second reason for the increased use of private addresses is the benefit that they provide from a security and administration point of view. Not only do they allow administrators more flexibility in terms of addressing, these addresses are not routable on the public Internet, providing an additional layer of security for internal systems. The private internal IP address ranges specified in RFC 1918 include:
In order for hosts using private addresses to access the Internet, they require an intermediary device to process their requests. This is usually accomplished through the use of Network Address Translation (NAT), where requests from internal clients for resources on the public Internet are “translated”, such that they appear to have been initiated from a valid public Internet address.
Consider the example network illustrated in the figure below. A company has a small private network with hosts addressed in a private range – 192.168.1.0/24. The router in the illustration is acting as a NAT device, and has one public IP address configured on its S0 interface. When internal hosts make a request for Internet resources, these requests are sent to the router, which is configured as the clients’ default gateway. The router, seeing that the request is for an external Internet address, will “translate” the packet, such that the source address and port number are changed to the public address associated with its S0 interface. The router will store a mapping in its NAT table that keeps track of which client initiated the request, so that the subsequent reply can be forwarded to the correct host.
Before looking at the different ways in which NAT can be implemented on a network, we should first look at what it is that we want to accomplish with NAT. For example, is our goal only to allow internal clients to access the public Internet, or do we also want to allow Internet systems to be able to gain access to certain internal servers? By default, NAT will act as a type of firewall, blocking all requests that do not originate from the internal private network. This allows internal clients to access Internet resources, but stops Internet clients from accessing our internal LAN. In cases where you have a server on your private network that must be accessible from the Internet (such as a web or mail server), NAT must be explicitly configured to forward these requests. If not, all requests that originate from the public Internet will be dropped.
There are a number of different ways in which NAT can be configured. The three most popular NAT implementation techniques are static NAT, dynamic NAT, and what is known as overloading. These techniques can be used individually, or in combination with one another.