Network Address Translation (NAT): Complete Technical Notes
1. Introduction to NAT
1.1 What is NAT?
- NAT (Network Address Translation) modifies the source and/or destination IP address of packets.
- Performed by a router or firewall at the network edge.
- Enables private IP hosts to communicate with the internet by mapping them to public IPs.
- Supports private-to-public, public-to-public, and private-to-private translations (rare in practice).
1.2 Why NAT is Needed: IPv4 Exhaustion
- IPv4 addresses are limited.
- NAT, along with CIDR and private IPv4 addressing (RFC 1918), extends IPv4's lifespan until IPv6 adoption.
1.3 Private IPv4 Addresses (RFC 1918)
- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Note: these addresses are not routable on the internet, so NAT is required to reach it.
1.4 Basic NAT Process
- Host sends packet (private IP).
- NAT device translates source IP to public IP.
- Server replies to public IP.
- NAT router translates back to private IP.
2. Cisco NAT Terminology
2.1 Inside vs. Outside
- Inside: Internal network.
- Outside: External network (e.g., Internet).
- Inside host: Host inside the internal network.
- Outside host: Host in the external network.
Interface commands:
ip nat inside
ip nat outside
2.2 Local vs. Global
- Local address: Before NAT translation.
- Global address: After NAT translation.
2.3 The Four NAT Address Types
- Inside Local: Private IP (host in the inside network).
- Inside Global: Public IP mapped for the inside host.
- Outside Local: Outside host's IP as seen from the inside.
- Outside Global: Actual IP of the outside host.
2.4 Perspective Dependency
NAT terms are always from the router's point of view.
3. NAT Process in Detail
3.1 Packet Flow
- Binding: Inside IP mapped to a public IP.
- Lookup & Translation: IP and ports translated for each session.
- Unbinding: Entry removed when the session ends.
3.2 Header Modifications
- IP Header: Source/Destination IP + checksum.
- TCP/UDP Header: Port + checksum.
- ICMP: IP in payload + checksum.
- Application Payload (FTP, etc.): Needs an ALG (Application Layer Gateway).
4. Types of NAT
4.1 Static NAT (One-to-One, Manual)
- Permanent mapping: one private IP to one public IP.
- Use Case: Servers needing a fixed public IP (e.g., web server).
- Limitation: Doesn't solve IPv4 exhaustion.
Config:
interface g0/0
ip nat inside
!
interface g0/1
ip nat outside
!
ip nat inside source static 192.168.1.10 203.0.113.10
Verify:
show ip nat translations
clear ip nat translation *
4.2 Dynamic NAT (One-to-One, Pool Based)
- Maps private IPs to a pool of public IPs dynamically.
- Limitation: Still one-to-one. If the pool is exhausted, packets are dropped.
Config:
ip nat pool NATPOOL 203.0.113.10 203.0.113.20 prefix-length 24
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool NATPOOL
4.3 Dynamic PAT (Port Address Translation) / NAT Overload (Many-to-One)
- Most common NAT type.
- Maps multiple private IPs to one public IP using port numbers.
- Supports up to 65,536 sessions.
Config using interface IP:
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface g0/1 overload
Config using NAT pool:
ip nat pool NATPOOL 203.0.113.10 203.0.113.20 prefix-length 24
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool NATPOOL overload
Verify:
show ip nat translations
show ip nat statistics
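As an added illustration of the binding, lookup-and-translation and unbinding steps from section 3 and the many-to-one port mapping of PAT from 4.3, here is a small Python model of an overload translation table together with the IPv4 header checksum a NAT device must recompute after rewriting an address. This is example code, not Cisco IOS or any vendor implementation; the public address, port range and header field values are constructed samples.

```python
import socket
import struct

INSIDE_GLOBAL = "203.0.113.1"   # the one public address every inside host is mapped to (constructed)

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a NAT device must recompute it after rewriting an address."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src_ip: str, dst_ip: str) -> bytes:
    """Constructed 20-byte IPv4 header (proto 6 = TCP) with a valid checksum field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

class PatTable:
    """Many-to-one (overload) translation state keyed on (inside-local IP, source port)."""
    def __init__(self, public_ip=INSIDE_GLOBAL, ports=range(1024, 65536)):
        self.public_ip = public_ip
        self.free_ports = list(ports)        # inside-global ports not yet handed out
        self.out = {}                        # (local_ip, local_port) -> global_port
        self.back = {}                       # global_port -> (local_ip, local_port)

    def outbound(self, src_ip, src_port):
        """Binding plus translation for an inside-to-outside packet; None means drop (no free port)."""
        key = (src_ip, src_port)
        if key not in self.out:              # first packet of the session creates the binding
            if not self.free_ports:
                return None
            gport = self.free_ports.pop(0)
            self.out[key], self.back[gport] = gport, key
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        """Lookup for a reply addressed to the inside-global IP; None if nothing is bound."""
        return self.back.get(dst_port)

    def unbind(self, src_ip, src_port):
        """Session ended: drop the entry and return the port to the pool."""
        gport = self.out.pop((src_ip, src_port), None)
        if gport is None:
            return False
        del self.back[gport]
        self.free_ports.append(gport)
        return True
```

Two inside hosts using the same source port receive distinct inside-global ports, a reply to an unbound port has no match and is dropped, and an empty port list models pool exhaustion.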
4.4 Other NAT Variants (RFCs)
- Basic NAT: Simple one-to-one translation.
- NAPT (Port NAT): Translates IP + ports (like PAT).
- Bi-directional NAT: Sessions can start from inside or outside.
- Twice NAT: Translates both source and destination IPs.
- Multihomed NAT: NAT with multiple ISPs (redundancy).
- RSIP (Realm-Specific IP): End host temporarily borrows a public IP.
5. NAT Operational Characteristics
5.1 Role of ALGs
- Required for apps embedding IPs in payload (FTP, H.323, SIP).
- Fails with encrypted traffic unless ALG can decrypt.
5.2 Security Impact
- Breaks end-to-end security (e.g., IPsec AH/ESP transport).
- Works with application-layer security (SSL/TLS).
5.3 Debugging & Privacy
- NAT hides internal addresses, giving some privacy.
- Harder troubleshooting (attack origin hidden).
5.4 Fragmentation Issues
- Problems with fragmented TCP/UDP packets in PAT: only the first fragment carries the transport header, so later fragments have no port number for the lookup.
5.5 Performance Considerations
- NAT is CPU-intensive (checksum recalculations).
5.6 Routing Considerations
- Never advertise private networks to the internet.
- Use VPNs for private inter-site connectivity.
5.7 UDP & Multicast Issues
- NAT struggles with UDP-based sessions (stateless).
- Multicast security weaker with NAT.
6. Key Commands: Cisco NAT Quick Review
| Command | Purpose |
|---|---|
| ip nat inside / ip nat outside | Define NAT interfaces |
| ip nat inside source static | Configure Static NAT |
| ip nat pool | Define NAT pool of public IPs |
| access-list | Define which inside IPs are translated |
| ip nat inside source list <acl> pool <pool> [overload] | Dynamic NAT / PAT using pool |
| ip nat inside source list <acl> interface <intf> overload | PAT using interface IP |
| show ip nat translations | View active translations |
| show ip nat statistics | View NAT counters and stats |
| clear ip nat translation * | Flush NAT table |
Quick Recap (Interview Style)
- Private IP Ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
- Types of NAT:
  - Static NAT: One-to-One.
  - Dynamic NAT: One-to-One (pool).
  - PAT (Overload): Many-to-One.
- Key Limitation: NAT breaks end-to-end security (e.g., IPsec transport).
- Most Common in Enterprises: PAT (NAT Overload).
- Key Verification Commands: show ip nat translations, show ip nat statistics.
This post is licensed under CC BY 4.0 by the author.