Configuring Network Address Translation (NAT)

18 Mar

Perimeter routers help enterprises to solve IP address space depletion problems; they can also hide internal IP addresses from outside networks. To provide these functions as well as many others, perimeter routers use Network Address Translation (NAT) and Port Address Translation (PAT). The following sections provide guidelines for configuring the various types of NAT and PAT on Cisco routers.

Configuring Static NAT Translations
Static Network Address Translation (NAT) allows security administrators to configure their routers such that individual inside local IP addresses are translated to individual inside global IP addresses.

Static NAT is particularly useful when hosts on the outside network need the capability to access a host or hosts on the inside network. NAT compares the packets that are destined to a global outside address against the inside local addresses that are configured in the NAT translation entries. If the source of the packet has a valid entry in the translation table, the packet's source address is rewritten with the matching inside global IP address.

NAT maintains a table of translated IP addresses. To the outside network, the inside network appears to have a certain range of IP addresses. These addresses are mapped to the actual IP addresses that are used inside the enterprise. Static NAT is referred to as a simple translation entry.

Use the following steps to configure static NAT translation for inside IP addresses:

1. Use the following command to establish a static translation between an inside local address and an inside global address:

ip nat inside source static <inside local address> <inside global address>

The inside local address is the address that is to be translated, and the inside global address is the address that the inside local address is to be translated to.

2. Use this command to move into interface configuration mode:

interface <interface type> <interface number>

3.Use the ip nat inside interface configuration command to apply NAT to the interface that is connected to the networks with the local addresses.

4. Use this command to move into interface configuration mode:

interface <interface type> <interface number>

5.Use the ip nat outside interface configuration command to apply NAT to the interface that is connected to the networks with the inside global addresses.

The preceding steps included the minimum commands needed to configure static NAT translation. Figure 3.5 displays a network that must use NAT to communicate with outside networks.

Figure 3.5: Static NAT.
The networks that are behind Router 1 are all allocated from RFC 1918 nonroutable address space. The Web server has an inside local address of 10.10.10.30 and must be accessible to outside networks via the address 192.168.10.30. The other server is an email server that has an IP address of 10.10.10.53 and must be accessible to outside networks via the address 192.168.10.53. The commands used to configure static NAT translations on Router 1 are shown in Listing 3.11.

Listing 3.11: Static NAT configuration.

config t
ip nat inside source static 10.10.10.30 192.168.10.30
ip nat inside source static 10.10.10.53 192.168.10.53
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside

In Listing 3.11, Router 1 has been configured with two static translation entries.

Note: Although the 192.168.0.0 range is allocated from RFC 1918 private address space, it is being used in these examples as a registered IP address block.
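Before a static NAT change like Listing 3.11 is pushed to a perimeter router, it is worth checking the excerpt for the mistakes the preceding steps guard against: a missing ip nat inside or ip nat outside interface, an inside global address that collides with the inside subnet, the same inside global address mapped twice, and (per the note above) an inside global address drawn from RFC 1918 space. The following checker is an added example written for this page, not code from the original text or from Cisco; the parse_config and lint function names, the ERROR/WARN wording and the sample configuration are all constructed for illustration.

```python
"""Added example: lint an IOS running-config excerpt for static NAT mistakes.

Hypothetical checker, not code from the original page. It reads the kind of
configuration shown in Listing 3.11 and reports the problems a reviewer would
look for before the change goes live.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on Listing 3.11 (not a captured device config).
SAMPLE_CONFIG = """\
ip nat inside source static 10.10.10.30 192.168.10.30
ip nat inside source static 10.10.10.53 192.168.10.53
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    nat_role: Optional[str] = None          # "inside", "outside" or None


@dataclass
class NatConfig:
    static_maps: List[Tuple[str, str]] = field(default_factory=list)
    interfaces: Dict[str, Interface] = field(default_factory=dict)


def parse_config(text: str) -> NatConfig:
    """Extract static translations and per-interface NAT roles."""
    cfg = NatConfig()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line)
        if m:                                   # global NAT statement
            cfg.static_maps.append((m.group(1), m.group(2)))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:                                   # start of an interface block
            current = cfg.interfaces.setdefault(m.group(1), Interface(m.group(1)))
            continue
        if current is None:
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:                                   # dotted netmask form is accepted
            current.network = ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}").network
            continue
        m = re.fullmatch(r"ip nat (inside|outside)", line)
        if m:
            current.nat_role = m.group(1)
    return cfg


def lint(cfg: NatConfig) -> List[str]:
    """Return ERROR/WARN findings; an empty list means the excerpt looks sane."""
    findings: List[str] = []
    inside = [i for i in cfg.interfaces.values() if i.nat_role == "inside"]
    outside = [i for i in cfg.interfaces.values() if i.nat_role == "outside"]
    if not inside:
        findings.append("ERROR: no interface carries 'ip nat inside'")
    if not outside:
        findings.append("ERROR: no interface carries 'ip nat outside'")
    seen_global: Dict[ipaddress.IPv4Address, str] = {}
    for local, glob in cfg.static_maps:
        l_addr, g_addr = ipaddress.ip_address(local), ipaddress.ip_address(glob)
        if not any(i.network and l_addr in i.network for i in inside):
            findings.append(f"WARN: inside local {local} is not on a directly "
                            "connected inside subnet (reachable via routing?)")
        if any(i.network and g_addr in i.network for i in inside):
            findings.append(f"ERROR: inside global {glob} lies inside an "
                            "inside-interface subnet")
        if g_addr in seen_global:
            findings.append(f"ERROR: inside global {glob} mapped twice "
                            f"({seen_global[g_addr]} and {local})")
        seen_global[g_addr] = local
        if any(g_addr in n for n in RFC1918):
            findings.append(f"WARN: inside global {glob} is RFC 1918 space and "
                            "is not routable on the Internet")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)) or ["OK: no findings"]:
        print(finding)
```

Run against the sample, the checker reports only the two RFC 1918 warnings for 192.168.10.30 and 192.168.10.53, which is exactly the caveat the note above makes about this chapter's address choice. The "not directly connected" check is deliberately a warning rather than an error, since an inside local host may legitimately sit one routed hop behind the inside interface.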

The Fast Ethernet interface is designated as the inside interface with the ip nat inside command, and interface Serial1/0 is designated as the outside interface with the ip nat outside command. To verify that the configuration is correct, issue the show ip nat translations command. The following output lists the information related to the simple translation entries:

Router-1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.30      10.10.10.30        ---                ---
--- 192.168.10.53      10.10.10.53        ---                ---

The show ip nat translations command lists the protocol field, the inside global address, the inside local address, the outside local address, and the outside global address. The outside local and outside global fields will be discussed later in this chapter when you learn more about extended entries. Another command that can be used to monitor and verify the operation of NAT is the show ip nat translations verbose command. Issuing this command on Router 1 displays the following output:

Router-1#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.30      10.10.10.30        ---                ---
    create 00:49:01, use 00:00:01,
    flags: static, use_count: 74
--- 192.168.10.53      10.10.10.53        ---                ---
    create 00:49:12, use 00:00:07,
    flags: static, use_count: 50
Router-1#

The verbose argument of the show ip nat translations command produces more detailed information regarding the status of the NAT translations. As you can see in the preceding output, the fields that are listed with the verbose argument are the same as the fields that were listed without it. The output when the verbose argument is used also includes a create field that lists how long ago the entry was created. The use field lists how long ago the translation entry was last used. The times in the create and use fields are listed in hours:minutes:seconds format. The flags field indicates the type of translation entry, and there are a total of five possible flags:

static—States that the entry was created by a static translation entry
extended—States that the entry was created by an extended translation entry
outside—States that the entry was created by an outside translation entry
destination—States that the entry was created by an outside translation entry
time out—States that the entry will no longer be used and is being torn down

The use_count field lists the total number of times the entry has been used. One last command used to monitor and verify the operation of NAT is the show ip nat statistics command. The following output is displayed when the show ip nat statistics command is issued on Router 1:

Router-1#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial1/0
Inside interfaces:
  FastEthernet0/0
Hits: 124  Misses: 0
Expired translations: 0
Dynamic mappings:
Router-1#

The total active translations field lists the total number of active NAT translations on the router. This field is populated in real time; each time a translation entry is created, the field is incremented accordingly, and each time a translation entry is dropped or times out, the field is decremented accordingly. The outside interfaces are then listed and are determined based on the ip nat outside command. The inside interfaces are listed next and are determined based on the ip nat inside command. The hits field lists the total number of times NAT does a translation table lookup and finds a match. The misses field lists the total number of times NAT does a translation table lookup, fails to find an entry, and attempts to create one. The expired translations field lists the total number of entries that have expired. The dynamic mappings field lists information that pertains to NAT entries created by dynamic translation entries. This field will be discussed later in this chapter.
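The verbose translation output and the statistics output described above are what an operator polls when watching a perimeter router, so it helps to turn them into structured records and cross-check them: the create and use timers converted to seconds, the flags and use_count captured per entry, and the static/total counters in show ip nat statistics compared against what the table actually lists. The parser below is an added example written for this page, not Cisco code or code from the original text; the sample output is constructed from the values shown in the chapter, the function names are hypothetical, and the one-hour idle threshold is an assumption chosen for illustration.

```python
"""Added example: parse 'show ip nat translations verbose' and
'show ip nat statistics' output into records and cross-check them.

Not code from the original page. The sample output is constructed from the
values the page shows; the idle threshold is an assumed operator setting.
"""
import re
from typing import Dict, List, Optional

SAMPLE_VERBOSE = """\
Router-1#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.10.30      10.10.10.30        ---                ---
    create 00:49:01, use 00:00:01,
    flags: static, use_count: 74
--- 192.168.10.53      10.10.10.53        ---                ---
    create 00:49:12, use 00:00:07,
    flags: static, use_count: 50
Router-1#
"""

SAMPLE_STATS = """\
Router-1#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial1/0
Inside interfaces:
  FastEthernet0/0
Hits: 124  Misses: 0
Expired translations: 0
Dynamic mappings:
Router-1#
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
TIMES_RE = re.compile(r"create (\d+:\d+:\d+), use (\d+:\d+:\d+)")
FLAGS_RE = re.compile(r"flags: ([\w, ]+?), use_count: (\d+)")


def hms_to_seconds(hms: str) -> int:
    """'00:49:01' -> 2941; the create/use fields are hours:minutes:seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def _field(token: str) -> Optional[str]:
    """'---' in the table means the column is unset for this entry."""
    return None if token == "---" else token


def parse_translations(text: str) -> List[Dict]:
    """One dict per translation entry, with the verbose details attached."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line or line.startswith("Pro "):
            continue                            # prompt or column header
        m = TIMES_RE.search(line)
        if m and entries:                       # verbose detail line 1
            entries[-1]["create_s"] = hms_to_seconds(m.group(1))
            entries[-1]["use_s"] = hms_to_seconds(m.group(2))
            continue
        m = FLAGS_RE.search(line)
        if m and entries:                       # verbose detail line 2
            entries[-1]["flags"] = [f.strip() for f in m.group(1).split(",")]
            entries[-1]["use_count"] = int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m:                                   # one translation entry
            pro, ig, il, ol, og = m.groups()
            entries.append({"proto": _field(pro), "inside_global": ig,
                            "inside_local": il, "outside_local": _field(ol),
                            "outside_global": _field(og), "flags": [],
                            "use_count": 0, "create_s": None, "use_s": None})
    return entries


def parse_statistics(text: str) -> Dict[str, int]:
    """Pull the counters out of 'show ip nat statistics'."""
    stats: Dict[str, int] = {}
    m = re.search(r"Total active translations: (\d+) \((\d+) static, "
                  r"(\d+) dynamic; (\d+) extended\)", text)
    stats["total"], stats["static"], stats["dynamic"], stats["extended"] = (
        int(x) for x in m.groups())
    m = re.search(r"Hits: (\d+)\s+Misses: (\d+)", text)
    stats["hits"], stats["misses"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Expired translations: (\d+)", text)
    stats["expired"] = int(m.group(1))
    return stats


def check_translations(entries: List[Dict], stats: Dict[str, int],
                       idle_threshold_s: int = 3600) -> List[str]:
    """Cross-check table against counters and flag idle static entries."""
    findings: List[str] = []
    static_count = sum("static" in e["flags"] for e in entries)
    if stats["total"] != len(entries):
        findings.append(f"table lists {len(entries)} entries but statistics "
                        f"report {stats['total']} active translations")
    if stats["static"] != static_count:
        findings.append(f"{static_count} static entries in table vs "
                        f"{stats['static']} in statistics")
    for e in entries:                           # assumed threshold: 1 hour
        if e["use_s"] is not None and e["use_s"] > idle_threshold_s:
            findings.append(f"{e['inside_global']} -> {e['inside_local']} "
                            f"idle for {e['use_s']}s")
    return findings


if __name__ == "__main__":
    found = check_translations(parse_translations(SAMPLE_VERBOSE),
                               parse_statistics(SAMPLE_STATS))
    print("\n".join(found) or "OK: table and statistics agree")
```

On the chapter's output the two parsers agree (two entries, both static, both used within the last few seconds) and the check returns nothing. A static entry whose use timer keeps growing is worth a look, since the server behind it has stopped answering or is no longer being reached; a disagreement between the table and the counters is a cue to re-run both commands rather than trust a single snapshot.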
