
What Is NAT

The document discusses Network Address Translation (NAT), which allows devices on a private network to use public IP addresses to communicate on the public internet. It describes how NAT helps conserve limited IPv4 addresses and the different types of NAT, including static NAT, dynamic NAT, and port address translation (PAT).

Uploaded by

Belete Tilahun

What is NAT - Network Address Translation

When the Internet was born and IPv4 addressing first came out, there were only a few
computers all over the world. IPv4 addresses are 32-bit binary numbers, and the networking
experts of that time believed that there were plenty of IPv4 addresses to cover the IPv4 address
requirements of that period and of the future.

Theoretically, we have 4,294,967,296 unique IPv4 addresses (2^32) available. But the number of
available IPv4 addresses for use is less because there are many IPv4 address reservations for
specific uses.

When the internet developed from its initial state of a few computers to millions of network
devices in the 1990s, the available IPv4 addresses were not enough. There was a sharp increase in
the number of home networks and business networks all over the globe.

Therefore the number of available IPv4 addresses was not enough to address the devices on the
fast-expanding internet.

The main reason why Network Address Translation (NAT) technology developed was to prevent
the fast depletion of IPv4 addresses. NAT (Network Address Translation) allows a network
device (such as a Router, Firewall or a Server running Network Operating Systems like
Windows 2008, Windows 2012, GNU Linux or Unix) to translate addresses between the public
internet and a local private network.

You may wonder, "How can this type of address translation save the depleting IPv4 addresses?"

The answer to the above question is the private range of IPv4 addresses. There are defined
ranges of private IPv4 addresses that can be used to configure IPv4 addresses for private use (Ex.
inside an enterprise network, inside a home network, inside a hotel network etc.).

IPv4 traffic originating from or destined to private IPv4 addresses is not forwarded by public
internet routers (in other words, public internet routers are configured to drop any traffic
coming from or going to a private IPv4 network).

This permits the reuse of private IPv4 addresses in different non-public networks. There is
no IPv4 address conflict between two private IPv4 addresses separated by NAT devices,
because the private IPv4 addresses are translated to globally unique public IPv4 addresses
when they leave their own network.

• NAT allows only a single globally unique IPv4 address to represent an entire network to
the outside world.

Three types of NAT commonly in use are:

1) Static NAT

2) Dynamic NAT

3) Port Address Translation (PAT/NAT Overload)

What are the Advantages and Disadvantages of NAT (Network Address Translation)

Network Address Translation (NAT) technology has many advantages and disadvantages.
Main advantages and disadvantages of NAT (Network Address Translation) are listed
below.

Advantages of NAT

• The main advantage of NAT (Network Address Translation) is that it can prevent the
depletion of IPv4 addresses.

• NAT (Network Address Translation) can provide an additional layer of security by making
the original source and destination addresses hidden.

• NAT (Network Address Translation) provides increased flexibility when connecting to the
public Internet.

• NAT (Network Address Translation) allows you to use your own private IPv4 addressing
system and avoids internal address changes if you change the service provider.

Disadvantages of NAT

• NAT (Network Address Translation) is a processor and memory resource consuming
technology, since NAT (Network Address Translation) needs to translate IPv4 addresses for all
incoming and outgoing IPv4 datagrams and to keep the translation details in memory.

• NAT (Network Address Translation) may cause delay in IPv4 communication.

• NAT (Network Address Translation) causes loss of end-device to end-device IP traceability.

• Some technologies and network applications will not function as expected in a NAT
(Network Address Translation) configured network.

Static NAT (Network Address Translation) - Static NAT (Network Address Translation)
is a one-to-one mapping of a private IP address to a public IP address. Static NAT (Network
Address Translation) is useful when a network device inside a private network needs to be
accessible from the internet.

Dynamic NAT (Network Address Translation) - Dynamic NAT can be defined as the
mapping of a private IP address to a public IP address from a group of public IP addresses
called a NAT pool. Dynamic NAT establishes a one-to-one mapping between a private IP
address and a public IP address. Here the public IP address is taken from the pool of IP
addresses configured on the end NAT router. The public to private mapping may vary based
on the available public IP addresses in the NAT pool.

PAT (Port Address Translation) - Port Address Translation (PAT) is another type of
dynamic NAT which can map multiple private IP addresses to a single public IP address by
using a technology known as Port Address Translation.

Here, when a client on the inside network communicates with a host on the internet, the router
replaces the source port (TCP or UDP) number with another port number. These port
mappings are kept in a table. When the router receives a reply from the internet, it refers to
the table which keeps the port mappings and forwards the data packet to the original sender.

Cisco classifies the IPv4 addresses used for Network Address Translation (NAT) into four
types. These four types of addresses are present in other Network Address Translation
(NAT) implementations also.

Inside Local address – Consider the term "Inside" as inside our network. Inside local
address is an IP address assigned to a workstation inside our network. Inside Local
addresses are typically private IP addresses, which stay inside our network.

Inside Global address - Inside Global addresses are typically public IP addresses which are
assigned to our end internet-facing router to be used as the IP address for communicating
with other devices on the internet. The Inside Local IP addresses are removed at the NAT
router and replaced with the Inside Global address.

An IP datagram that moves out to the internet from our private network will always have an IP
address from the Inside Global address range as the source IP address.

Outside Global address - Outside Global address is the public IP address assigned to the
end device on the other network to communicate with other devices on the internet. Outside
Global addresses are public IP addresses which are routable.

Outside Local address - Outside Local address is the real IP address of the end device on the
other network. Outside Local addresses are typically private IP addresses assigned to the
computers in the other private network. We cannot know the Outside Local addresses
because in a NAT-enabled network we use the Outside Global address as the destination IP
address.

How to configure static NAT in a Cisco Router

We want to connect our web server to the outside world, so that the general public can visit our
web pages. Our web server is configured with the IP address 172.18.122.170, which is a private
IP address.

The web server is not directly accessible from the public internet because all traffic
originating from or destined to private IP addresses is dropped by public internet routers.
Here static NAT can be used to forward traffic from the internet to a server inside
our network with a private IP address. Generally, this technology is known as port
forwarding.

When web clients try to make a connection to our web server, they connect using a public
IP address configured on our NAT (Network Address Translation) router (HTTP - TCP
port number 80). The connection is then translated and sent to the web server. The HTTP
response from the web server is sent back to the HTTP client.

The static NAT configuration command syntax for a Cisco Router is as below.

R1(config)#ip nat inside source static tcp <inside_local_ip_address> <inside_local_port> <inside_global_ip_address> <inside_global_port>

After configuring static NAT using above command, you have to identify which is the
inside interface (facing the private network) and which is the outside interface (facing the
public internet) using ip nat inside and ip nat outside from interface configuration mode.

The configuration commands are as below.

R1>enable

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#ip nat inside source static tcp 172.18.122.170 80 108.160.236.251 80

R1(config)#interface fa0/1

R1(config-if)#ip nat outside

R1(config-if)#interface fa0/0

R1(config-if)#ip nat inside

R1(config-if)#exit

Interface fa0/1 is the interface which is facing public internet and fa0/0 is the interface
which is facing private inside network.

How to configure Dynamic NAT in a Cisco Router

Dynamic NAT is another NAT (Network Address Translation) technology which allows
the address translation of a private IP address to a pool of public IP addresses configured
on the NAT router. Dynamic NAT is mostly used when inside computers configured
with private IP addresses need to access the outside public internet.

The main difference between Static NAT and Dynamic NAT is that Static NAT allows a
remote host to connect to an inside computer configured with a private IP address, and Dynamic
NAT allows a group of private IP addresses to connect to the public internet, using the public
IP address pool (a range of public IP addresses).

The configured public IP address pool (a range of public IP addresses) typically has fewer
addresses than the inside private IP addresses.

Dynamic NAT is typically used for providing internet access to a private network. But the
problem with Dynamic NAT is that the number of public IP addresses in the NAT pool
may not be sufficient for mapping a large number of computers configured with private IP
addresses.

To configure Dynamic NAT on a Cisco router, first you need to create an access list to
identify the group of private inside IPv4 addresses, which are allowed for NAT translation.
That can be done by creating a standard IP access list.

Then you have to create a pool of public IP addresses (which your ISP (internet service
provider) has allocated to you).

After creating an IP access list to identify the traffic and a pool of public IP addresses
which your ISP (internet service provider) has allocated to you, you must configure NAT
using “ip nat” command. Finally you must specify which is inside interface and which is
outside interface.

The configuration command to configure Dynamic NAT is shown below.

R1>enable

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#access-list 10 permit 172.18.122.0 0.0.0.255

R1(config)#ip nat pool G4IT 108.160.236.230 108.160.236.239 netmask 255.255.255.0

R1(config)#ip nat inside source list 10 pool G4IT

R1(config)#interface fa0/0

R1(config-if)#ip nat inside

R1(config-if)#exit

R1(config)#int fa0/1

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#exit

How to configure PAT (Port Address Translation or NAT overload) in a Cisco Router

Static NAT is a type of Network Address Translation (NAT) which is a one-to-one IP
address mapping (one private IP address to one public IP address) and Dynamic NAT is a
type of NAT using many public IP addresses in a NAT address pool.

Static NAT and Dynamic NAT therefore cannot be used for providing internet access to
inside users, because both require a large number of public IP addresses.

PAT (Port Address Translation or NAT overload) is another Network Address
Translation (NAT) technology, which can be used to provide internet access to inside
users. In PAT (Port Address Translation or NAT overload), several inside private IP
addresses can be translated to one or a few outside public IP addresses. PAT (Port
Address Translation) is also known as NAT overload.

The main advantage of PAT (Port Address Translation or NAT overload) is that it can
be used efficiently for a large number of inside private IP addresses even with a single
public IP address.

PAT (Port Address Translation or NAT overload) uses unique source port number
translation, instead of IP address translation. Port Numbers are 16-bit binary numbers and
we have 65535 port numbers available. PAT (Port Address Translation or NAT
overload) uses port numbers on Inside Global IP address to distinguish between
translations.

PAT (Port Address Translation or NAT overload) will try to keep the original source
port from the inside private IP address. If this source port is already allocated to some
other inside computer, PAT will allocate another port number.
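The port-mapping table described above can be modelled in a few lines. This is an added example, not code from the original document or from Cisco: the class `PatTable`, the inside host addresses 172.18.122.10 and 172.18.122.11, and the fallback rule (lowest free port from 1024) are assumptions made for illustration, and a real NAT device also tracks the destination and times entries out.

```python
class PatTable:
    """Simplified PAT (NAT overload) table for one Inside Global address."""

    def __init__(self, inside_global, first_dynamic_port=1024):
        self.inside_global = inside_global
        self.first_dynamic_port = first_dynamic_port  # assumed fallback start
        self.out = {}    # (proto, inside_local_ip, inside_local_port) -> global port
        self.back = {}   # (proto, global_port) -> (inside_local_ip, inside_local_port)

    def translate_outbound(self, proto, src_ip, src_port):
        """Return the (Inside Global IP, port) used as source on the outside."""
        key = (proto, src_ip, src_port)
        if key in self.out:                    # existing flow: reuse its mapping
            return self.inside_global, self.out[key]
        port = src_port                        # try to keep the original source port
        if (proto, port) in self.back:         # already used by another inside host
            port = self._next_free(proto)
        self.out[key] = port
        self.back[(proto, port)] = (src_ip, src_port)
        return self.inside_global, port

    def translate_inbound(self, proto, dst_port):
        """Return the inside (ip, port) for a reply, or None if nothing maps."""
        return self.back.get((proto, dst_port))

    def _next_free(self, proto):
        for port in range(self.first_dynamic_port, 65536):
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("PAT port space exhausted for " + proto)


def demo():
    """Two inside hosts (constructed addresses) pick the same source port."""
    pat = PatTable("108.160.236.251")
    a = pat.translate_outbound("tcp", "172.18.122.10", 50000)
    b = pat.translate_outbound("tcp", "172.18.122.11", 50000)
    reply = pat.translate_inbound("tcp", b[1])        # reply to the second host
    unsolicited = pat.translate_inbound("tcp", 4444)  # no mapping exists
    return a, b, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

A lookup miss on the inbound side is why unsolicited traffic has nowhere to go, and the table is the only record tying a public port back to an inside host, so logging it is what restores the traceability listed under the disadvantages.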

To configure PAT (Port Address Translation or NAT overload) on a Cisco router, first
you need to create an access list to identify the group of private inside IP addresses,
which are allowed for NAT translation. That can be done by creating a standard IP access
list.

Then you have to create a NAT pool, with a range of public IP addresses (which your ISP
(internet service provider) has allocated to you). This pool may contain even a single public
IP address.

After creating an IP access list to identify the traffic and a pool of public IP addresses
which your ISP (internet service provider) has allocated to you, you must
configure NAT using “ip nat” command. Finally you must specify which is inside
interface and which is outside interface.

The main difference between configuring Dynamic NAT and PAT (Port Address
Translation or NAT overload) is the use of keyword "overload".

The configuration command to configure PAT (Port Address Translation or NAT
overload) is shown below.

R1>enable

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#access-list 10 permit 172.18.122.0 0.0.0.255

R1(config)#ip nat pool G4IT 108.160.236.251 108.160.236.251 netmask 255.255.255.0

R1(config)#ip nat inside source list 10 pool G4IT overload

R1(config)#interface fa0/0

R1(config-if)#ip nat inside

R1(config-if)#exit

R1(config)#int fa0/1

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#exit
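The three configurations above share the same parts: an access list, a pool, an "ip nat inside source" rule and the inside/outside interface markings. The following check is an added example, not part of the original document or a Cisco tool: it cross-checks those parts in a pasted session and lists every static mapping as an exposed service. The function name `audit_nat_config` is hypothetical, and the sample session is constructed from the page's addressing with a pool name that is deliberately never defined.

```python
import re

# Constructed sample: the rule names pool "GIT", but only "G4IT" is defined.
SAMPLE = """\
R1(config)#access-list 10 permit 172.18.122.0 0.0.0.255
R1(config)#ip nat pool G4IT 108.160.236.251 108.160.236.251 netmask 255.255.255.0
R1(config)#ip nat inside source list 10 pool GIT overload
R1(config)#ip nat inside source static tcp 172.18.122.170 80 108.160.236.251 80
R1(config)#interface fa0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip nat outside
"""


def audit_nat_config(text):
    """Return a list of findings for the IOS NAT statements in `text`."""
    acls, pools, ifaces, rules, findings = set(), set(), {}, [], []
    current_if = None
    for raw in text.splitlines():
        line = re.sub(r"^\S*#", "", raw.strip())   # drop a "R1(config)#" prompt
        if m := re.match(r"access-list (\d+) permit", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat pool (\S+) ", line):
            pools.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            rules.append(m.groups())
        elif m := re.match(
                r"ip nat inside source static (\w+) (\S+) (\d+) (\S+) (\d+)", line):
            proto, l_ip, l_port, g_ip, g_port = m.groups()
            findings.append(f"exposed: {proto}/{g_port} on {g_ip} "
                            f"forwards to {l_ip}:{l_port}")
        elif m := re.match(r"int(?:erface)? (\S+)", line):
            current_if = m.group(1)
        elif m := re.match(r"ip nat (inside|outside)$", line):
            ifaces[m.group(1)] = current_if
    for acl, pool in rules:
        if acl not in acls:
            findings.append("rule references undefined access-list " + acl)
        if pool not in pools:
            findings.append("rule references undefined pool " + pool)
    for side in ("inside", "outside"):
        if side not in ifaces:
            findings.append("no interface marked ip nat " + side)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_nat_config(SAMPLE)))
```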
