Category: NAT

For the purpose of this example, I’m going to assume that we’re using NAT overloading (PAT) to allow our internal clients to access the Internet through a single public IP address. We’ll also create a static inbound mapping to allow external clients to gain access to a web server on our private network. The network properties used in this example are the same as those found in this figure.

Our first step involves configuring interface Ethernet 0 with its private IP address, and designating it as the internal NAT interface. The ip nat inside command designates an interface as internal.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside

The next step involves configuring Serial 0 with an IP address, and specifying it as the external NAT interface. External NAT interfaces are defined with the ip nat outside command.

Router(config-if)#int s0
Router(config-if)#ip address 131.107.2.200 255.255.255.240
Router(config-if)#ip nat outside

Depending on the NAT technique being used, a range of IP addresses could be configured as part of the NAT “pool”. Because we’re using NAT overloading, this “pool” will only consist of a single address – 131.107.2.200. The subnet mask associated with an address pool is specified with the prefix command.

Router(config)#ip nat pool Toronto 131.107.2.200 131.107.2.200 prefix 28

After the pool is defined, it needs to be configured for overloading. This is accomplished using the command shown below, which defines an access list. In this example, access list 88 allows us to control which addresses can access the Internet via NAT.

Router(config)#ip nat inside source list 88 pool Toronto overload
Router(config)#access-list 88 permit 192.168.1.0 0.0.0.255

Assuming that internal clients are configured with addresses in the 192.168.1.0/24 range, and that their default gateways are set to 192.168.1.1, they should now be able to access the Internet through the router’s NAT implementation.

In order to allow external clients to access the web server on our internal private network, we’ll create a mapping that tells NAT to forward all requests to address 131.107.2.200 port 80 to the internal address 192.168.1.100, port 80. This is accomplished using the command shown below.

Router(config)#ip nat inside source static tcp 192.168.1.100 80 131.107.2.200 80

Once implemented, NAT statistics can be viewed using the show ip nat statistics command, while address translations can be viewed using show ip nat translations.

While NAT is most commonly looked at as a way to allow internal clients to gain access to the Internet, it can also be used to allow external Internet hosts to gain access to resources on a private network. Recall that by default, a NAT server will drop all packets that are not replies to requests that were originated from the internal private network. However, it is also possible that your company has servers on its internal privately addressed network that need to be accessible from the Internet – both mail and web servers are good examples. In order to accomplish this, companies will most commonly use what is known as an inbound static mapping. This technique takes requests that are made to a certain ports on the external public interface of the NAT router, and statically maps them to an address and port number on the private network. If multiple public IP addresses are available, individual public addresses can be mapped to internal private addresses on a one-to-one basis.

Imagine that a company wishes to host its web server internally. In order for Internet clients to access our server, it will need to be accessible using a public IP address. In this example, the web server has a private address, 192.168.1.10, and is waiting for connections on the default HTTP port, TCP 80. This is illustrated in the figure below.

Figure: A web server hosted on the internal private network can be accessed from the Internet if an inbound static mapping is defined.

In order to allow Internet hosts to access the HTTP server, we will need to create an inbound static mapping. This will involve configuring NAT such that when it receives a request on the router’s public interface that is destined for TCP port 80, it will forward the request to the web server at 192.168.1.10, port 80. To the outside world, it appears as though our web server can be found at the public address. In reality, these requests are being translated by NAT and forwarded to the designated address and port on the internal network. This allows us to host services on the internal network, without external clients being any the wiser as to the true location of a server.

Overloading is a very popular NAT technique, and is sometimes referred to as Port Address Translation (PAT). Instead of requiring multiple public IP addresses, overloading instead uses a single (or small number) of public address, and differentiates between sessions according to port number. When a client on the internal network wishes to access the Internet, it forwards the request to its configured gateway, the router running NAT. The router will translate the source address and port number of the packet to use the router’s public IP address and the same port number (if not already in use by another client), and will forward the “new” packet to the destination host. NAT mappings are stored in the router’s NAT table, as shown in the table below.

Table: The router’s NAT table shows a session mappings from three different internal clients.

When host 192.168.1.54 attempts to access the web server at address 204.242.16.4, the request is first passed to the NAT server, where the source address and port number are translated, and a mapping is added to the NAT table. To the external web server, the request appears to be coming from address 131.107.2.200, TCP port 4085. The web server will send its reply to this address and port number. Once received by the router, it will look in its NAT table, and discover that since the packet’s destination is address 131.107.2.200 TCP port 4085, it should be forwarded to internal host 192.168.1.12, TCP port 4085. The process is illustrated step-by-step in the figure below.

Figure: The steps involved when an internal client forwards a request to the Internet through a NAT router.

The overloading technique is obviously a very efficient way to implement NAT, since it requires only a single public IP address at a minimum. With thousands of TCP and UDP port numbers available, the technique is capable of supporting many internal clients using private addressing.

Dynamic NAT works slightly differently in that private and public addresses are not mapped on a one-to-one basis. Instead, a range of public IP addresses is configured on the NAT device, and private internal clients will be mapped to an available address as necessary. The NAT table is built dynamically, avoiding the need for mappings to be statically defined. The address translation function that occurs is similar to that with static NAT, with the obvious exception that address mappings may change.

A static NAT implementation is one in which each private internal IP address is mapped to unique public external IP address. This technique involves defining a static NAT table on the router that maps each internal private address to its external public counterpart. Consider the example illustrated in the figure below. It shows a small network consisting of five client systems, each configured with a private address in the 192.168.1.0/24 range. The router is configured for NAT, and has five external public addresses. The NAT table shown in the example illustrates the mapping between the private and public addresses.

Figure: With static NAT, each internal private address that requires access to the Internet is mapped to a dedicated public IP address.

With static NAT, when client 192.168.1.12 attempts to access an Internet resource, the request will be forwarded to its configured default gateway, 192.168.1.1. When the router receives this packet, it will change the source address to 131.107.1.46, as per the information stored in the NAT table. When the destination web server receives the request, it considers it to have originated from 131.107.1.46. This is also the address to which the subsequent reply will be sent. Once received by the router, it will check its NAT table, and will again translate the packet such that its destination address is changed to 192.168.1.12. The packet will then be forwarded to the internal client.

Companies generally don’t implement static NAT for the purpose of allowing internal hosts to gain access to the Internet. It is simply too time consuming to build the NAT table, and companies often do not have an available public IP address for each and every internal host. Instead, static NAT is most often used in order to allow Internet hosts to gain access to internal servers. This will be discussed shortly.