Patrick Denis > Cisco > Routing and Switching > Network Address Translation “NAT”

Network Address Translation “NAT”

March 26, 2015 0 Comments

Cisco, Routing and Switching

Nat allows a single device to act as an Internet gateway for internal LAN clients by translating the clients’ internal network IP Addresses into the IP Address on the NAT-enabled gateway device.In other words, NAT runs on the device that’s connected to the Internet and hides the rest of your network from the public.NAT is transparent to your network, meaning all internal network devices are not required to be reconfigured in order to access the Internet. All that’s required is to let your network devices know that the NAT device is the default gateway to the Internet.

From the diagram above you can see 3 hosts ( pc ) and the router ( gateway ) and the internet . Hosts are using 192.168.0.0/24 and And 1 public address that connect to the internet .

for example if PC 1 want to reach a host on the internet with an IP of 70.70.70.70 this is how the packet travel :

1- PC1 send a packet with a destination ip of 70.70.70.70 with a source ip of 192.168.0.5 and a source port  80 and destination port 4000 .
2- After the packet pass the router after the NAT  the new packet has a destination ip 70.70.70.70 with a source ip 200.100.101.1 and a source port  80 and destination port 4000

All possible because of the router NAT TABLE !

The NAT table track everything that goes in and out of the interfaces .

STATIC NAT

Static NAT allow internal private hosts to be accessible from your private network or internet .

From the diagram above lets say a host outside or private network wants to connect to PC 1 we will need to configure a static NAT :

On Router :
(config)#ip nat source inside ( local pc ip) 192.168.0.5 ( outside globlal ip ) 200.100.101.1
then we need to configure the inside , outside interface
(config)#interface fa 0/0
(config-if)#ip nat inside
(config)#interface serial 0/0
(config-if)#ip nat outisde
Dont forget that a static route must be made to reach your global address to your router from your ISP

Dynamic NAT

For private network to access the internet :

On Router :

Configure the inside , outside interface
(config)#interface fa 0/0
(config-if)#ip nat inside
(config)#interface serial 0/0
(config-if)#ip nat outisde
Create an access-list 
ip access-list 1 permit 192.168.0.0 0.0.0.255
Then you need to apply it 
ip nat source list 1 interface or next hop ip adsress

i will continue to update this section because there is a lot more to it .

Port Address Translation (  NAT Overload )

 

NAT Order of Operation

NAT Overview

In this table, when NAT performs the global to local, or local to global, translation is different in each flow.

Inside-to-Outside Outside-to-Inside
  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

Related Posts

Leave a Comment