NAT
Course Objectives
• To understand the basic principles of NAT.
• To understand the basic NAT configurations on routers.
Contents
1. Basic Concepts and Principles of NAT
2. NAT Deployment on Routers
Background
• Public IPv4 addresses are exhausted.
• How do LAN users that have only private IPv4 addresses access the public network?
• How does a server with a private IPv4 address on a LAN provide services to the public network?
• How can a specific internal server be reachable from the external network while the internal
network addresses stay hidden?
[Figure: LAN 192.168.1.0/24 and a server (192.168.200.1/24 LAN) reaching the Internet through the public address 202.10.1.23/24]
What Is NAT
NAT is short for network address translation. It is a mechanism used to change the source or
destination IP address in IP packets.
Private IPv4 address space
Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Advantages and Disadvantages of NAT
Advantages:
• Saves IP address space.
• Resolves IP address overlapping.
• Improves the flexibility of network access to the Internet.
• Reduces IP readdressing in case of network changes.
• Enhances security by hiding internal IP addresses.
Disadvantages:
• Forwarding delay exists.
• End-to-end (E2E) addressing is difficult.
• Some applications do not support NAT.
• The entries generated by NAT occupy device memory space.
• CPU resources are consumed for NAT operations.
NAT Types
• Static NAT
• No-PAT
• EasyIP
• NAT server
Static NAT
[Figure: PC 192.168.1.1 (inside) - router GE0/0/0 200.1.1.1 - Internet - Server 8.8.8.8 (outside)]
Outbound packet (source IP address -> destination IP address):
  Inside, before NAT: 192.168.1.1:1092 -> 8.8.8.8:80
  Outside, after NAT: 200.1.1.100:1092 -> 8.8.8.8:80
Return packet (source IP address -> destination IP address):
  Outside, before NAT: 8.8.8.8:80 -> 200.1.1.100:1092
  Inside, after NAT:   8.8.8.8:80 -> 192.168.1.1:1092
Translation entry: Inside 192.168.1.1 -> Global 200.1.1.100
Static NAT cannot save public IP addresses but can hide the internal network.
Address Pool-based 1:1 Mapping (No-PAT)
NAT Pool: 200.1.1.100 to 200.1.1.110
[Figure: PC 192.168.1.1 (inside) - router GE0/0/0 200.1.1.1 - Internet - Server 8.8.8.8 (outside)]
Outbound packet (source IP address -> destination IP address):
  Inside, before NAT: 192.168.1.1:1092 -> 8.8.8.8:80
  Outside, after NAT: 200.1.1.100:1092 -> 8.8.8.8:80
Return packet (source IP address -> destination IP address):
  Outside, before NAT: 8.8.8.8:80 -> 200.1.1.100:1092
  Inside, after NAT:   8.8.8.8:80 -> 192.168.1.1:1092
Translation entry: Inside 192.168.1.1 -> Global 200.1.1.100
When user traffic arrives, a public IP address is taken from the NAT address pool and used for public
network access. This is still a 1:1 mapping, so it does not save IP addresses.
Address Pool-based N:1 Mapping
NAT Pool: 200.1.1.100 to 200.1.1.110
[Figure: PC 192.168.1.1 (inside) - router GE0/0/0 200.1.1.1 - Internet - Server 8.8.8.8 (outside)]
Outbound packet (source IP address -> destination IP address):
  Inside, before NAT: 192.168.1.1:1092 -> 8.8.8.8:80
  Outside, after NAT: 200.1.1.100:1092 -> 8.8.8.8:80
Return packet (source IP address -> destination IP address):
  Outside, before NAT: 8.8.8.8:80 -> 200.1.1.100:1092
  Inside, after NAT:   8.8.8.8:80 -> 192.168.1.1:1092
Translation entry: Inside 192.168.1.1 -> Global 200.1.1.100
Translation by IP address and port allows multiple internal network users to share the same public
IP address. This mode saves IP addresses.
NAPT
• NAPT is the many-to-one translation by IP address and port number.
• No-PAT is the one-to-one translation only for IP addresses but not ports.
Three internal hosts share the public address 200.1.1.100 and are told apart by the translated port:
  192.168.1.1:1099 -> 200.1.1.100:2003
  192.168.1.2:1098 -> 200.1.1.100:2004
  192.168.1.3:1097 -> 200.1.1.100:2005
NAT Server
[Figure: Web Server 192.168.1.1 (inside) - router GE0/0/0 200.1.1.1 - Internet - Client 8.8.8.8 (outside)]
Request from the client (source -> destination):
  Outside, before NAT: 8.8.8.8:1098 -> 200.1.1.100:8080
  Inside, after NAT:   8.8.8.8:1098 -> 192.168.1.1:80
Response from the server (source -> destination):
  Inside, before NAT:  192.168.1.1:80 -> 8.8.8.8:1098
  Outside, after NAT:  200.1.1.100:8080 -> 8.8.8.8:1098
Mapping entry: Inside 192.168.1.1:80 -> Outside 200.1.1.111:8080
This mode is widely used in scenarios where an internal network server provides services to the
external network.
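As an added illustration (not part of the original course material), the following Python model reproduces the translation behaviours just described with the addresses from the slides: No-PAT 1:1 pool mapping including pool exhaustion, NAPT N:1 mapping by IP address and port, an ACL that limits which internal segment is translated, and a NAT server entry that makes one internal port reachable from outside. The NatRouter class, its method names and the Packet tuple are assumptions of this example, not router code.

```python
import ipaddress
from collections import namedtuple
from itertools import count

# Constructed packet model: the source/destination tuple shown in the slide tables.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class NatRouter:
    """Hypothetical model of the No-PAT / NAPT outbound modes and the NAT server mode."""
    def __init__(self, acl, pool, no_pat=False, nat_server=None):
        self.acl = ipaddress.ip_network(acl)       # like 'acl 2000 rule 5 permit source ...'
        self.pool = list(pool)                     # like 'nat address-group 1 <start> <end>'
        self.no_pat = no_pat                       # True = 1:1 (no-pat), False = N:1 (NAPT)
        self.nat_server = nat_server or {}         # (global ip, port) -> (inside ip, port)
        self.out, self.back = {}, {}               # translation entries, both directions
        self.ports = count(2003)                   # NAPT port allocator (start as on the slide)

    def _allocate(self):
        if self.no_pat:                            # one pool address per internal host
            used = set(self.out.values())
            return next((a for a in self.pool if a not in used), None)
        gip = self.pool[0]                         # N:1: hosts share one address, differ by port
        for port in self.ports:
            if (gip, port) not in self.back and (gip, port) not in self.nat_server:
                return (gip, port)                 # skip ports reserved for the NAT server

    def outbound(self, p):
        if ipaddress.ip_address(p.src_ip) not in self.acl:
            return p                               # ACL miss: forwarded without translation
        key = p.src_ip if self.no_pat else (p.src_ip, p.src_port)
        if key not in self.out:
            glob = self._allocate()
            if glob is None:
                return None                        # pool exhausted: packet dropped
            self.out[key], self.back[glob] = glob, key
        glob = self.out[key]
        ip, port = (glob, p.src_port) if self.no_pat else glob
        return Packet(ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p):
        dst = (p.dst_ip, p.dst_port)
        if dst in self.nat_server:                 # static server mapping: always reachable
            return Packet(p.src_ip, p.src_port, *self.nat_server[dst])
        priv = self.back.get(p.dst_ip if self.no_pat else dst)
        if priv is None:
            return None                            # no entry: unsolicited traffic is dropped
        ip, port = (priv, p.dst_port) if self.no_pat else priv
        return Packet(p.src_ip, p.src_port, ip, port)
```

Inbound packets that match no existing entry are dropped, which is the "hides the internal network" property the slides mention; the NAT server entry is the one deliberately reachable exception.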
Contents
1. Basic Concepts and Principles of NAT
2. NAT Deployment on Routers
Static NAT
[Figure: PC 192.168.1.1/24 (gateway 192.168.1.254/24) - router OR with GE0/0/0 192.168.1.254/24 and GE0/0/1 200.1.1.1/24 - WAN router GE0/0/0 200.1.1.2/24 - Internet]
• The IP addresses of the internal and external networks as well as of the router OR are
shown in the figure.
• To allow the PC to access the external network, configure static NAT on the OR and
map the public IP address 200.1.1.100 to the PC whose IP address is 192.168.1.1.
Static NAT
The configuration of the router OR is as follows:
[OR] interface GigabitEthernet0/0/0
[OR-GigabitEthernet0/0/0] ip address 192.168.1.254 24
[OR-GigabitEthernet0/0/0] interface GigabitEthernet0/0/1
[OR-GigabitEthernet0/0/1] ip address 200.1.1.1 24
[OR-GigabitEthernet0/0/1] nat static global 200.1.1.100 inside 192.168.1.1 #Map the public address 200.1.1.100 to the internal host 192.168.1.1 on the outbound interface.
[OR-GigabitEthernet0/0/1] quit
[OR] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 #Default route towards the WAN next hop.
Address Pool-based 1:1 Mapping (No-PAT)
[Figure: NAT Pool 200.1.1.100 to 200.1.1.110; PC 192.168.1.1/24 (gateway 192.168.1.254/24) - router OR with GE0/0/0 192.168.1.254/24 and GE0/0/1 200.1.1.1/24 - WAN router GE0/0/0 200.1.1.2/24 - Internet]
• The IP addresses of the internal and external networks as well as of the router OR are shown
in the figure.
• To allow PCs on the network segment 192.168.1.0/24 to access the external network,
deploy 1:1 NAT using the requested public network address pool ranging
from 200.1.1.100 to 200.1.1.200. That is, only the IP addresses in the data packets are
translated, not the ports.
Address Pool-based 1:1 Mapping (No-PAT)
The configuration of the router OR is as follows (interface IP addresses omitted):
[OR] nat address-group 1 200.1.1.100 200.1.1.200 #Define the NAT address pool of public addresses.
[OR] acl 2000 #Define ACL 2000, which matches the internal network segment to be translated.
[OR-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[OR-acl-basic-2000] quit
[OR] interface GigabitEthernet0/0/1
[OR-GigabitEthernet0/0/1] nat outbound 2000 address-group 1 no-pat #Translate source addresses matched by ACL 2000 using pool 1; no-pat keeps the ports unchanged.
[OR-GigabitEthernet0/0/1] quit
[OR] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 #Default route towards the WAN next hop.
EasyIP
[Figure: PC 192.168.1.1/24 (gateway 192.168.1.254/24) - router OR with GE0/0/0 192.168.1.254/24 and GE0/0/1 200.1.1.1/24 - WAN router GE0/0/0 200.1.1.2/24 - Internet]
The IP addresses of the external network and of the router OR are shown in the figure.
PCs in the network segment 192.168.1.0/24 need to access the public network.
Configure EasyIP so that the internal network uses the public IP address of the
GE0/0/1 interface to access the public network.
EasyIP
The configuration of the router OR is as follows (interface IP addresses omitted):
[OR] acl 2000 #Define ACL 2000, which matches the internal network segment to be translated.
[OR-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[OR-acl-basic-2000] quit
[OR] interface GigabitEthernet0/0/1
[OR-GigabitEthernet0/0/1] nat outbound 2000 interface GigabitEthernet 0/0/1 #Use the interface's own public address as the translated source address (EasyIP).
[OR-GigabitEthernet0/0/1] quit
[OR] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 #Default route towards the WAN next hop.
NAT Server
[Figure: Server 192.168.1.1/24 (gateway 192.168.1.254/24) - router OR with GE0/0/0 192.168.1.254/24 and GE0/0/1 200.1.1.1/24 - WAN router GE0/0/0 200.1.1.2/24 - Internet]
• The IP addresses of the internal and external networks as well as of the router OR are
shown in the figure.
• The internal network server needs to provide the web service to the external network, and
the requested public IP address is 200.1.1.100. Port TCP 80 of the internal network server
needs to be mapped to port TCP 80 of the IP address 200.1.1.100 so that the service can
be reached from the external network.
NAT Server
The configuration of the router OR is as follows (interface IP addresses omitted):
[OR] interface GigabitEthernet0/0/1
[OR-GigabitEthernet0/0/1] nat server protocol tcp global 200.1.1.100 8080 inside 192.168.1.1 80 #Map TCP port 8080 of the global address 200.1.1.100 to TCP port 80 of the internal server.
[OR-GigabitEthernet0/0/1] quit
[OR] ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 #Default route towards the WAN next hop.