Table of Contents

Network Address Translation (NAT)

NAT Overview
Why Use NAT?
NAT Operation
Configuring NAT
Verifying NAT
Troubleshooting NAT
Implementation Considerations
Summary
Review Questions

NAT Overview

IP address depletion is a key problem facing the Internet. To assist in maximizing the use of your registered IP addresses, Cisco IOS Release 11.2 software implements Network Address Translation (NAT). This feature, which is Cisco's implementation of RFC 1631, The IP Network Address Translator, is a solution that provides a way to use the same IP addresses in multiple internal stub networks, thereby reducing the need for registered IP addresses. Supported NAT features include:

 

NAT Terminology

The following terms relate to NAT.

Inside Local IP Address (A): The IP address assigned to a host on the inside network. The address was globally unique but obsolete, allocated from RFC 1918, Address Allocation for Private Internet Space, or randomly picked.

Inside Global IP Address (B): A legitimate IP address (assigned by the NIC or service provider) that represents one or more inside local IP addresses to the outside world. The address was allocated from globally unique address space, typically provided by the ISP.

Outside Global IP Address (C): The IP address that was assigned to a host on the outside network by its owner. The address was allocated from a globally routable address space.

Outside Local IP Address: The IP address of an outside host as it appears to the inside network. The address was allocated from address space routable on the inside, or possibly allocated from RFC 1918, for example.

Simple Translation Entry: A translation entry that maps one IP address to another.

Extended Translation Entry: A translation entry that maps one IP address and port pair to another.
 

Why Use NAT?

Use NAT in the following situations:

  • You want to connect to the Internet, but not all of your hosts have globally unique IP addresses. NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet.
  • You need to modify your internal addresses. NAT enables you to change addresses incrementally, without changes to hosts or routers other than those bordering stub domains.
  • You want to do basic load sharing.

NAT takes advantage of the fact that relatively few hosts in a stub domain communicate outside of the domain at any given time. Because most of the hosts do not communicate outside of their stub domain, only a subset of the IP addresses in a stub domain must be translated into globally unique IP addresses when outside communication is necessary.
 

NAT Operation

NAT can be used to perform several functions. This section discusses the operation of the following NAT functions:

  • Translating inside local addresses
  • Overloading inside global addresses
  • Handling overlapping networks
  • TCP load distribution

 

Translating Inside Local Addresses

The graphic illustrates NAT operation when NAT is used to translate addresses from inside your network to destinations outside of your network.

     
  1. User at Host 1.1.1.1 opens a connection to Host B.
  2. The first packet that the router receives from 1.1.1.1 causes the router to check its NAT table.
     • If a translation is found because it has been statically configured, the router continues to step 3.
     • If no translation is found, the router determines that address 1.1.1.1 must be translated. So the router allocates a new address and sets up a translation of the inside local address 1.1.1.1 to a legal global address from the dynamic address pool. This type of translation entry is referred to as a simple entry.
  3. The router replaces 1.1.1.1's inside local IP address with the selected inside global address and forwards the packet.
  4. Host B receives the packet and responds to 1.1.1.1 using the inside global IP address 2.2.2.2.
  5. When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address as the reference. The router then translates the address to 1.1.1.1's inside local address and forwards the packet to 1.1.1.1.
  6. 1.1.1.1 receives the packet and continues the conversation. For each packet, the router performs steps 2 through 5.
 

Overloading Inside Global Addresses

The graphic illustrates NAT operation when a single inside global address can be used to represent multiple inside local addresses simultaneously.

     
  1. User at Host 1.1.1.1 opens a connection to Host B.
  2. The first packet the router receives from 1.1.1.1 causes the router to check its NAT table.
     • If no translation is found, the router determines that address 1.1.1.1 must be translated. The router allocates a new address and sets up a translation of the inside local address 1.1.1.1 to a legal global address. If overloading is enabled, and another translation is active, the router will reuse the global address from that translation and save enough information to be able to distinguish it from the other translation entry. This type of entry is called an extended entry.
  3. The router replaces 1.1.1.1's inside local IP address with the selected inside global address and forwards the packet.
  4. Host B receives the packet and responds to 1.1.1.1 using the inside global IP address 2.2.2.2.
  5. When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address and port number, and the outside address and port number as the references. The router then translates the address to 1.1.1.1's inside local address and forwards the packet to 1.1.1.1.
  6. 1.1.1.1 receives the packet and continues the conversation. For each packet, the router performs steps 2 through 5.
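The simple-entry and extended-entry behaviour of the two procedures above (translating inside local addresses, and overloading an inside global address), as an added Python model that is not part of the original chapter. The pool address, hosts and ports are constructed, and the rule for choosing a replacement port when the source port collides is an assumption rather than documented IOS behaviour.

```python
# Added example (not from the Cisco chapter): a model of the NAT table
# behaviour described in the two procedures above. Addresses are strings,
# ports are ints; the pool, hosts and ports used are constructed.
from dataclasses import dataclass, field


@dataclass
class NatTable:
    pool: list                  # inside global addresses, e.g. ["2.2.2.2"]
    overload: bool = False      # False: simple entries; True: extended entries
    simple: dict = field(default_factory=dict)    # inside local -> inside global
    extended: dict = field(default_factory=dict)  # (ilocal, lport, oglobal, oport) -> (iglobal, gport)
    next_port: int = 1024       # assumption: port handed out when the source port collides

    def _free_global(self):
        """Next pool address not yet used by any active translation."""
        used = set(self.simple.values()) | {g for g, _ in self.extended.values()}
        return next((g for g in self.pool if g not in used), None)

    def outbound(self, src, sport, dst, dport):
        """Packet from an inside to an outside interface. Returns the new
        (source address, source port), or None when the pool is exhausted
        and the packet cannot be translated."""
        if not self.overload:
            if src not in self.simple:
                g = self._free_global()
                if g is None:
                    return None                 # no free global address: drop
                self.simple[src] = g            # simple entry: address to address
            return self.simple[src], sport
        key = (src, sport, dst, dport)
        if key not in self.extended:
            # overloading: reuse the global address of any active translation
            g = next(iter({g for g, _ in self.extended.values()}), None) or self._free_global()
            if g is None:
                return None
            taken = {gp for gg, gp in self.extended.values() if gg == g}
            gport = sport                       # keep the source port unless taken
            if gport in taken:
                while self.next_port in taken:
                    self.next_port += 1
                gport, self.next_port = self.next_port, self.next_port + 1
            self.extended[key] = (g, gport)     # extended entry: address+port pair
        return self.extended[key]

    def inbound(self, src, sport, dst, dport):
        """Reply arriving on an outside interface: look up by inside global
        address alone (simple) or by inside global address+port together with
        outside address+port (extended). Returns the restored (dst, dport)."""
        if not self.overload:
            return next(((l, dport) for l, g in self.simple.items() if g == dst), None)
        for (local, lport, oglobal, oport), (g, gport) in self.extended.items():
            if (g, gport, oglobal, oport) == (dst, dport, src, sport):
                return local, lport
        return None
```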
 

Handling Overlapping Networks

The graphic illustrates NAT operation when addresses in the inside network overlap with addresses that are in the outside network.

     
  1. User at 1.1.1.1 opens a connection to Host C (1.1.1.3), so 1.1.1.1 does a name-to-address lookup to a DNS server.
  2. The router intercepts the DNS reply and translates the returned address if there is an overlap. In this case, 1.1.1.3 overlaps with an inside address. To translate the return address of Host C, the router creates a simple translation entry that maps the overlapping address 1.1.1.3 to an address from a separately configured outside local address pool. In this example, the address is 3.3.3.3.
  3. The router then forwards the DNS reply to 1.1.1.1. The reply has Host C's address as 3.3.3.3. At this point, 1.1.1.1 opens a connection to 3.3.3.3.
  4. When the router receives the packet for Host C, the router sets up a translation that maps the inside local and global addresses and outside global and local addresses. The router does this by replacing the source address of 1.1.1.1 with the inside global address 2.2.2.2 and replacing the destination address of 3.3.3.3 with Host C's outside global address 1.1.1.3.
  5. Host C receives a packet and continues the conversation.
  6. For each packet sent between 1.1.1.1 and Host C, the router does a lookup, replaces the destination address with the inside local address, and replaces the source address with the outside local address.
 

TCP Load Distribution

The graphic illustrates NAT operation when NAT is used to map one virtual host to several real hosts.

     
  1. User on Host B (9.6.7.3) opens a TCP connection to the virtual host at 1.1.1.127.
  2. The router receives the connection request and creates a new translation allocating the next real host (1.1.1.1) for the inside local IP address.
  3. The router replaces the destination address with the selected real host address and forwards the packet.
  4. Host 1.1.1.1 receives the packet and responds.
  5. The router receives the packet and performs a NAT table lookup using the inside local address and port number and outside address and port number as the key. The router then translates the source address to the address of the virtual host and forwards the packet.
The next connection request will cause the router to allocate 1.1.1.2 for the inside local address.
 
 

Configuring NAT

This section includes details about how to configure various NAT capabilities.
 
 

Configuring NAT for Basic Local IP Address Translation

The procedure used to enable basic local IP address translation is as follows.

Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router.

Step 2 If you are doing static address translations for inside local addresses, define the addresses.

    router(config)#ip nat inside source static local-ip global-ip

Step 3 If you are doing dynamic translations, define a standard IP access list for the inside network.

Step 4 If you are doing dynamic translation, define an IP NAT pool for the inside network.

    router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    Define a pool of contiguous addresses using a start address, an end address, and a netmask or prefix length. These addresses will be allocated as needed.

Step 5 If you are doing dynamic translation, define a mapping between the access list and the IP NAT pool.

    router(config)#ip nat inside source list access-list-number pool name

Step 6 Enable NAT on at least one inside interface and one outside interface.

    router(config-if)#ip nat {inside | outside}

    Only packets moving between "inside" and "outside" interfaces can be translated. For example, if a packet is received on an "inside" interface but is not destined for an "outside" interface, it will not be translated.
 

Configuring Inside Global Address Overloading

The procedure used to configure inside global address overloading is as follows.

Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router.

Step 2 Configure dynamic address translation, as described in the "Configuring NAT for Basic Local IP Address Translation" section. When you define the mapping between the access list and the IP NAT pool, add the overload keyword to the command:

    router(config)#ip nat inside source list access-list-number pool name overload

Step 3 Enable NAT on the appropriate interfaces.

    router(config-if)#ip nat {inside | outside}
 

Configuring NAT to Translate Overlapping Addresses

The procedure used to configure overlapping address translation is as follows.

Step 1 At a minimum, IP routing and appropriate IP addresses must be configured on the router.

Step 2 Define the standard IP access list for the inside network, as previously discussed.

Step 3 Define an IP NAT pool for the inside network, as previously discussed.

    router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Step 4 Define an IP NAT pool for the outside network.

    router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Step 5 Define the mapping between the access list and the inside global pool, as previously discussed.

    router(config)#ip nat inside source list access-list-number pool name [overload]

Step 6 Define the mapping between the access list and the outside local pool using the following command:

    router(config)#ip nat outside source list access-list-number pool name

Step 7 Enable NAT on the appropriate interfaces, as previously discussed.

    router(config-if)#ip nat {inside | outside}
 

Configuring TCP Load Distribution

The procedure used to configure TCP load distribution is as follows.

Step 1 At a minimum, configure IP routing and appropriate IP addresses on the router.

Step 2 Define a standard IP access list with a permit statement for the virtual host.

Step 3 Define an IP NAT pool for the real hosts, making sure it is a rotary type pool.

    router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary

Step 4 Define a mapping between the access list and the real host pool.

    router(config)#ip nat inside destination list access-list-number pool name

Step 5 Enable NAT on the appropriate interfaces, as previously discussed.

    router(config-if)#ip nat {inside | outside}
 

Verifying NAT

This section lists the show and clear commands that are used to verify NAT operation.

The following commands can be used to verify NAT operation.

    show ip nat translations [verbose]
        Shows active translations.
    show ip nat statistics
        Shows translation statistics.
 

Clearing NAT Translation Entries

If you need to clear a dynamic translation entry, use the following commands.

    clear ip nat translation *
        Clears all translation entries.
    clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
        Clears a simple translation entry containing an inside translation, or both an inside and outside translation.
    clear ip nat translation outside local-ip global-ip
        Clears a simple translation entry containing an outside translation.
    clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
        Clears an extended entry (in its various forms).
 

Troubleshooting NAT

If you need to use a trace on NAT operation, use the following command.

    debug ip nat [list | detailed]
        Displays a line of output for each packet that gets translated.

As shown in the example, decode the debug output using the following keys.

  • The asterisk next to "NAT" indicates that the translation is occurring in the fast path. The first packet in a conversation will always go through the slow path (be process-switched). The remaining packets will go through the fast path if a cache entry exists.
  • s=171.69.1.161 is the source address.
  • d=2.2.2.2 is the destination address.
  • 2.2.2.2->1.1.1.1 indicates that the address was translated.
  • The value in brackets is the IP identification number. This information may be useful for debugging because it enables you to correlate it with other packet traces, from Sniffers for example.
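The keys above, applied by an added Python parser that is not part of the original chapter. The debug lines it reads are constructed from those keys (asterisk, s=, d=, ->, bracketed IP ID) and are not captured router output; the summary it builds (slow-path versus fast-path counts and the mappings seen) is the sort of check used to confirm that only the first packet of a conversation is process-switched.

```python
import re

# Constructed sample lines in the shape the keys above describe (not real
# router output): optional "*" for the fast path, s=, d=, an optional
# "old->new" translation on either address, and the IP ID in brackets.
SAMPLE_DEBUG = """\
NAT: s=171.69.1.161, d=2.2.2.2->1.1.1.1 [0]
NAT*: s=171.69.1.161, d=2.2.2.2->1.1.1.1 [1]
NAT*: s=1.1.1.1->2.2.2.2, d=171.69.1.161 [2]
"""

LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """Decode one debug line into its fields, or None if it is not a NAT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["src_new"]:
        translated = (d["src"], d["src_new"])   # source address was rewritten
    elif d["dst_new"]:
        translated = (d["dst"], d["dst_new"])   # destination address was rewritten
    else:
        translated = None
    return {
        "fast_path": d["fast"] == "*",
        "src": d["src"],
        "dst": d["dst"],
        "translated": translated,
        "ipid": int(d["ipid"]),
    }


def summarize(text):
    """Count slow-path and fast-path packets and collect the mappings seen."""
    slow = fast = 0
    mappings = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["fast_path"]:
            fast += 1
        else:
            slow += 1
        if rec["translated"]:
            mappings.add(rec["translated"])
    return {"slow_path": slow, "fast_path": fast, "mappings": mappings}
```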
 

Implementation Considerations

Evaluate the following considerations before implementing this feature:

     
  • Translation introduces delays into the switching paths.
  • NAT makes some applications that use IP addresses difficult or impossible to use. For example, public World Wide Web pages that have links expressed using local IP addresses rather than DNS names will not be usable by outside hosts.
  • NAT hides the "real" identity of hosts.
  • All packets that need to be translated must go through the NAT router, which may place limitations on the network design.
 

Summary

This chapter discussed how NAT operates and when it can be used. It also summarized how you configure, verify, and troubleshoot this feature.
 
 

Review Questions

Answer the following questions about NAT.

  1. What is the difference between a simple translation entry and an extended translation entry? And, how is each used?
  2. Give one example of when NAT could be used.
  3. Assume your company's networks are addressed using subnets of 10.1.1.0/24, and that your service provider has given you the globally unique network 192.1.1.0/24 to be used for accessing the Internet. What commands would you configure to instruct the router to translate from 10.1.1.0/24 to 192.1.1.0/24 when accessing the Internet?
  4. When viewing the show ip nat translations command, how can you determine when an inside global address is being used for overloading inside global addresses?

Answers to Review Questions

The following are the answers to the review questions.

  1. What is the difference between a simple translation entry and an extended translation entry? And, how is each used?
     • A simple entry is used for translating inside local addresses. It is a one-for-one match between an inside local address and an inside global address. A simple translation entry results when a router allocates a new address and sets up a translation of an inside local address, such as 1.1.1.1, to a legal global address from the dynamic address pool.
     • An extended translation entry is used when you want to overload inside global addresses by letting a single inside global address represent multiple inside local addresses simultaneously. An extended translation entry results when a router reuses a global address from an existing translation and saves enough information about the translation, such as the TCP port number, to be able to distinguish it from the existing translation entry.
  2. Give one example of when NAT could be used.
     NAT can be used when you:
     • Want to connect to the Internet but not all the hosts have globally unique IP addresses. NAT technology enables private IP internetworks that use nonregistered IP addresses to connect to the Internet.
     • Need to modify your internal addresses. NAT enables you to change addresses incrementally, without changes to hosts or routers other than those bordering stub domains.
     • Want to do basic load sharing.
  3. Assume your company's networks are addressed using subnets of 10.1.1.0/24, and that your service provider has given you the globally unique network 192.1.1.0/24 to be used for accessing the Internet. What commands would you configure to instruct the router to translate from 10.1.1.0/24 to 192.1.1.0/24 when accessing the Internet?
     • To instruct the router to translate 10.1.1.1 through 10.1.1.254, do the following: access-list 1 permit 10.1.1.1 0.0.0.254
     • To define the address pool, do the following: ip nat pool test 192.1.1.1 192.1.1.254 netmask 255.255.255.0 (Instead of the mask, you can write the prefix; in this case it is 24.)
     • To map 10.1.1.0 to the address pool, do the following: ip nat inside source list 1 pool test
     • Enable the translation on the inside interface using the command: ip nat inside
     • Enable the translation on the outside interface using the command: ip nat outside
  4. When viewing the show ip nat translations command, how can you determine when an inside global address is being used for overloading inside global addresses?
     An inside global address is listed for each inside local address it represents. If it is representing three inside local addresses, it will appear three times, each time with a different port number. The port number of each entry will match the port number for the inside local address it is representing. The port numbers are used to distinguish between each inside local address that the single inside global address is being used for.


Copyright Cisco Systems, Inc. -- Version 2.0 1/97