Exam (elaborations)

NAT (Network Address Translation) questions and answers

Uploaded on
18-08-2022
Written in
2022/2023

Private IP addressing is defined in RFC 1918, according to which the following IP address blocks can be used within an organization for private use: - Answer
• Class A network: 10.0.0.0 to 10.255.255.255
• Class B network: 172.16.0.0 to 172.31.255.255
• Class C network: 192.168.0.0 to 192.168.255.255

What is NAT? - Answer The NAT protocol is used when connecting multiple devices on internal private networks to a public network such as the Internet using a limited number of public IPv4 addresses. It was originally designed for conserving IPv4 address space because the IPv4 address space is not big enough to uniquely identify all devices that need Internet connectivity.

When can you use NAT? - Answer Typically NAT is used when a private IP address needs to be routed in a public network, such as the Internet. It can also be used when there is an overlap between intranets.

NAT uses the terms inside and outside. What do these mean, and what are the address types? - Answer Inside means internal to your network, and outside means external to your network. NAT includes the following four types of addresses:
• Inside local address: The IPv4 address assigned to a device on the internal network.
• Inside global address: The IPv4 address of an internal device as it appears to the external network. This is the address to which the inside local address is translated.
• Outside local address: The IPv4 address of an external device as it appears to the internal network. If outside addresses are being translated, this is the address to which the outside global address is translated.
• Outside global address: The IPv4 address assigned to a device on the external network.

What are the three types of NAT? - Answer
• Static NAT: Static NAT is one-to-one translation. Static NAT is particularly useful when a device must be accessible from outside the network. (For example, when a server with a static IPv4 address needs to be accessible from the Internet, that server's private address can be translated to a public address.)
• Dynamic NAT: Dynamic NAT is many-to-many translation, using a pool of addresses. When an inside device accesses an outside network, it is assigned an available IPv4 address from the pool on a first-come, first-served basis. When using dynamic NAT, you need to ensure that there are enough addresses available in the pool to satisfy the total number of user sessions. An example of when this type of NAT could be used is when two companies that are using the same private address space merge; dynamic NAT readdressing could be used as a temporary measure until the entire network is readdressed.
• Port Address Translation (PAT): PAT is many-to-one translation; for example, it maps multiple inside local IPv4 addresses to a single inside global IPv4 address by tracking port numbers. PAT is also known as NAT overloading. It is a form of dynamic NAT and is the most common type of NAT. PAT is used in business and home routers, allowing multiple devices to access the Internet, even though only one public IPv4 address is available.

What is the command used to verify which addresses are currently being translated? - Answer The show ip nat translations command is used to verify which addresses are currently being translated.

How do you configure static NAT? - Answer You first define inside and outside interfaces, using the ip nat inside and ip nat outside interface configuration commands. You next specify which inside local address should be translated to which inside global address, using the ip nat inside source static local-ip global-ip global configuration command.

Router(config)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source static 172.16.1.10 209.165.201.5

How do you configure dynamic NAT? - Answer Like static NAT, you first identify each interface as an inside or outside interface. You then define the set of inside local addresses to be translated, using an ACL. The next step is to define the set of inside global addresses to which the inside local addresses will be translated, using the ip nat pool name start-ip end-ip command. Finally, the ACL-to-NAT pool mapping is defined by the following global configuration command: ip nat inside source list {access-list-number | access-list-name} pool name

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# ip nat pool NAT-POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.240
Router(config)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 pool NAT-POOL

What is the connection tracking mechanism in NAT? - Answer Incoming packets from the outside network are delivered to the destination device on the inside network by looking for a match in the NAT translations table and translating IPv4 headers, both address and port number, accordingly.

How do you configure PAT? - Answer To configure PAT, you again first identify each interface as an inside or outside interface, and define the set of inside local addresses to be translated, using an ACL. You then use the following global configuration command: ip nat inside source list {access-list-number | access-list-name} {interface type number} [overload]
This command translates all addresses permitted by the ACL to the address of the specified outside interface; the overload parameter does the PAT.

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 interface Ethernet 0/1 overload

What are the limitations of NAT? - Answer
• End-to-end visibility issues: Many applications depend on end-to-end functionality, with unmodified packets being forwarded from source to destination. By changing end-to-end addresses, NAT effectively blocks such applications. For example, some security applications, such as digital signatures, fail because the source IP addresses change. Applications that use physical addresses rather than a qualified domain name do not reach destinations that are translated across the NAT router. Also, because of address changes along the way, the traceability of endpoints is lost, which can make troubleshooting challenging. Another visibility problem is session initiation from the outside network; services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination.
• Tunneling becomes more complex: Using NAT can complicate tunneling protocols, such as IPsec, because NAT modifies the values in the headers and thus interferes with the integrity checks done by IPsec and other tunneling protocols.

What is NVI? - Answer As of Cisco IOS Software Release 12.3(14)T, Cisco introduced a new feature, NAT virtual interface (NVI), which removes the requirement to configure an interface as inside or outside. The NVI order of operations is also slightly different from that of classic NAT. Recall that classic NAT first performs routing and then translation when going from an inside interface to an outside interface, and vice versa when the traffic flow is reversed. NVI, however, performs routing, translation, and routing again; NVI performs the routing operation twice, before and after translation, before forwarding the packet to an exit interface. The whole process is symmetrical, no matter which way the traffic is flowing. Because of the added routing step, packets can flow, in classic NAT terms, from an inside to an inside interface; as described in the previous section, this scenario fails if classic NAT is used.
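
The PAT and connection-tracking answers above, modeled as a translation table. This is an added Python example, not part of the original document and not Cisco's implementation. The class and method names and the port-allocation rule are assumptions; the addresses come from the PAT configuration above and the ports are constructed.

```python
import ipaddress

class PatTable:
    """Toy model of PAT (NAT overload): one inside global address, many inside hosts."""

    def __init__(self, inside_global, acl_network, port_range=(1024, 65535)):
        self.inside_global = inside_global
        self.acl = ipaddress.ip_network(acl_network)
        self.port_range = port_range
        self.by_local = {}   # (proto, inside local ip, port) -> inside global port
        self.by_global = {}  # (proto, inside global port) -> (inside local ip, port)

    def _free_port(self, proto, wanted):
        # Assumption: keep the original source port when it is free, otherwise
        # take the lowest unused port in the range.
        if (proto, wanted) not in self.by_global:
            return wanted
        for port in range(self.port_range[0], self.port_range[1] + 1):
            if (proto, port) not in self.by_global:
                return port
        raise RuntimeError("PAT port range exhausted")

    def outbound(self, proto, src_ip, src_port):
        """Inside -> outside: return the (address, port) the outside network sees."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_port)        # not permitted by the ACL: left untranslated
        key = (proto, src_ip, src_port)
        if key not in self.by_local:         # first packet of a flow creates the entry
            port = self._free_port(proto, src_port)
            self.by_local[key] = port
            self.by_global[(proto, port)] = (src_ip, src_port)
        return (self.inside_global, self.by_local[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: return the inside local socket, or None if no entry matches."""
        if dst_ip != self.inside_global:
            return None
        return self.by_global.get((proto, dst_port))


def demo():
    # Addresses from the page's PAT configuration; the ports are constructed.
    pat = PatTable("209.165.201.1", "172.16.1.0/24")
    a = pat.outbound("tcp", "172.16.1.10", 50000)
    b = pat.outbound("tcp", "172.16.1.11", 50000)   # same source port, different host
    reply = pat.inbound("tcp", *b)                  # return traffic for host .11
    unsolicited = pat.inbound("tcp", "209.165.201.1", 443)
    return a, b, reply, unsolicited
```

The `None` returned for the unsolicited packet is the session-initiation limitation listed above: with no table entry and no static mapping, there is nothing to translate the destination to.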


Get to know the seller

EvaTee Phoenix University