NAT: Basic operations and how to configure

Certification: Cisco CCIE Routing and Switching - Cisco Certified Internetwork Expert Routing and Switching

Network Address Translation, or NAT, is a way to modify network addresses inIP datagram packet headers in the time in which they are transiting across routing devices for remapping of IP address space purposes.  Sometimes used for more specific indication of mapping between IPv4 addresses, the NAT44 term is typically for use among the majority of internet traffic. Mapping an IPv4 address to an IPv6, or the other way around, is called NAT64. NAT was used initially to map all addresses of one space to a corresponding one in another, like when companies change their service providers. It can be used in conjunction with IP masquerading to hide entire IP spaces, leaving the masqueraded network system unreachable from the outside. Due to its popularity, the NAT term has been the default method of IP masquerading.

The simplest use of NAT is to allow one-to-one IP translations, usually private IP addresses, usually in another address space. However, a one-to-many approach can also be used; however the information must be altered in addition, like the TCP/UDP numbers.

Other naming for NAT or specific NAT uses include NAPT, PAT, IP masquerading, etc…

Basic Operations

Most NATs attribute multiple private hosts to a single exposed IP address. Typically, a LAN makes use of one such “private” IP subnet. The router does not connect to the internet with its own IP but rather with the public one assigned by the IS provider. Most of the translation is done on the go as traffic passes along to the internet. While it does, a kind of “report” is created upon which to return the reply to the specific private router. Generally, packets passing from private to public will have the address translated, and sometimes, to not be mistaken, they are further modified. To put it bluntly, the server puts a “mask” in shape of an IP that is especially used for such a thing on your personal IP, and nobody but the server knows how to take it off. Also, the “how to take off the mask” data is deleted right after the exchange is completed. Hence the term “masquerading”.

There are many ways to implement this, of which 3 are most commonly used. In some cases of protocols needing IP address information, the external address of the NAT (the detected address) must be detected needed by any program/application running on a masqueraded network. Categorization and mapping might also be needed. That’s why the Simple traversal of UDP over NATs, or rather STUN was created, classifying NAT implementations into 4 types (Full/restricted/port-restricted –cone NAT, and symmetric NAT), also proposing a way to test it accordingly. Faulty or inadequate however, they were later discarded as changes of the RFC 5389 appeared.

Full-cone NAT, one of the 4 types, also called the one-to-one NAT, allowed for any external host to send packets via the iAddr:iPort by an intermediate one;

Restricted-cone NAT only allowed that if iAddr:Iport had previously sent a package.

Port-Restricted-cone NAT was about the same as a Restricted-cone, but with port restrictions also added.

Symmetric NAT mapped much more than the others, and disallowed any external host that was not contacted by an internal to contact the internal.

However, these limitations proved unfeasible in real-life as most NAT implementation described a combination of the types, with few implementations having such discerning features

Problems may arise when a NAT port peer tries to communicate with another distinct NAT peer. These problems are called NAT traversal problems, but they can be countered either by port forwarding, or by using a TCP NAT traversal technique, like the TCP hole punching.

How it is implemented

The first step to implementing a NAT is to establish a two-way communication. Both TCP and UDP packets need a source IP address and port number, along with the destination address/number. The port number for instance, is very important when it comes to accessing public services, like the web, not to mention the IP address. Due to problems that may arise due to two different devices trying to connect to something else at the same time, there is need for the port address translation feature. After that, the translation of the internal ip and port to that of the external, and all the other technicalities happen, and done! Also, remember that NAT functionality is usually transparent on both sides.

How to configure

Configuring the NAT is sometimes difficult; especially when you have no real idea of what do you actually want to configure it to. But, as always, when in doubt, the best idea is to look at what our friends at CISCO say. First off, its imperative you know what you actually want. Try to define the inside and outside of the NAT interfaces. Try thinking on user placement, and if there will be more than one interface on the internet. Try to explain to yourself what you want to accomplish using NAT: will you allow internal users to be able to use the internet? Will you permit the internet to access the internal hardware?  How about redirecting TCP traffic to another port/address? Network transition? Overlapping of the networks?

After you finish all the hassle of actually figuring out what you want to do, it’s time you set upon doing it. The actual configuration depends on your needs. However, most configurations will ask you to configure an Ethernet interface, either 0, or 1 (sometimes both), along with their serial. An example of a command is:

interface Ethernet/serial  0 (just one or the other per line)

ip address

ip nat inside

Once finished configuring, don’t forget to test out the system to verify if the change was made, or if it was correct. Use either the show commands or debug tools to do that.

An in-depth explanation of the configuration procedures are available at the cisco support documents, at this webpage for every type of configuration that you need.

Related IT Guides

  1. Are students advised to complete four CCNA Routing and Switching courses before enrolling in the CCNA security course?
  2. Are the CCNA Routing and Switching certifications exam changing?
  3. Basis CCNA Routing and Switching latest curriculum
  4. CCNA Routing and switching exams: Which is easier CCNAX or ICND
  5. CCNAX or the ICND: Which exam pathway is better for CCNA R&S and why?
  6. Common OSPF problems and its troubleshooting
  7. Eleventh hour CCNA Routing and switching exam: What to do?
  8. How do students move from CCNA discovery and exploration to CCNA Routing and Switching?
  9. How does CCNA Routing and Switching differ from CCNA discovery and CCNA exploration?
  10. How to build your CCNA Routing and Switching lab on your own?
  11. How to get CCIE Routing & Switching practice labs for free?
  12. How to get CCNA Routing and Switching practice questions online for free?
  13. How to prepare for CCIE Routing & Switching exam?
  14. How to Prepare for CCIE Routing and Switching Lab?
  15. How to prepare for CCIE routing and switching online?
  16. How to resolve EIGRP problems
  17. How to take online training for CCIE Routing and Switching exam
  18. How to verify network status and switch operation using basic utilities: Ping, SSH and telnet
  19. Lab equipment for CCIE Routing & Switching
  20. Most important dumps for CCIE Routing & Switching written exams
  21. Tackling the CCIE written exam: what topics make the difference?
  22. Technology and Media access control method for Ethernet networks
  23. What are Common Routing Issues and How to resolve them
  24. What are the basic operations of the protocols in the OSI and TCP/IP Models
  25. What are the basic routing concepts? Packet forwarding, Router lookup process and process switching:
  26. What is Access control list or ACL: configuration to filter network traffic?
  27. Why private and public IP addresses for IPv4 addressing is necessary