16.7 Introducing NAT
Section 16: Enabling Internet Connectivity

In the early years of the Internet, IP addresses were directly allocated to any organization (and sometimes individuals) who requested them. With a 32-bit address space yielding nearly 4 billion IP addresses, it was not uncommon for organizations to obtain Class B blocks (up to about 16,000 hosts), even if they only had a few hundred actual IP hosts. Because IP addresses were essentially free and plentiful, all hosts used public (globally routable) addresses. Even companies that did not connect to the Internet were using public IP addresses in their internal networks.

With the release of the Mosaic web browser in 1993, the Internet began to expand rapidly. By the mid-1990s, the Internet community recognized that the exponential demand for public IP addresses would eventually deplete the supply. A two-phase plan was devised for overcoming the problem of IP address depletion:

- RFC 1918: This RFC defines (reserves) blocks of private (non-routable) IP addresses to be allocated to IP hosts that are on the inside of the network of an organization.
- IPv6: IPv6 defines a new version of the Internet Protocol that includes a 128-bit address space. 2^128 addresses equate to 340 trillion trillion trillion potential IP hosts. To put this number into perspective, there are enough IPv6 addresses to grant every person on earth the equivalent of the entire IPv4 address space (2^32) and still have many trillions of IP addresses remaining.

The private addressing plan that is defined in RFC 1918 provides enterprises with considerable flexibility in network design. This addressing enables operationally and administratively convenient address allocation, as well as easier growth. RFC 1918 defines three blocks of IP addresses that are dedicated to private use.

Private Addressing Plan

| IP Address Class | Private IP Address Range |
|---|---|
| A | 10.0.0.0 to 10.255.255.255 |
| B | 172.16.0.0 to 172.31.255.255 |
| C | 192.168.0.0 to 192.168.255.255 |

However, private IP addresses are not routable over the Internet. And since there are not enough public addresses to allow all organizations to provide private addresses to all of their hosts, a mechanism is needed to translate private addresses to public addresses (and back) at the edge of their networks. NAT provides this mechanism. Without NAT, a host with a private address cannot access the Internet. Using NAT, companies can provide some or all of their hosts with private addresses and also use NAT to provide address translation to allow access to the Internet.

The NAT process of mapping a private IP address to a public address is separate from the convention that is used to determine what is public and private, and devices must be configured to recognize which IP networks are to be translated.

Benefits of NAT

Benefits of NAT include the following:

- NAT eliminates, or significantly reduces, the need to purchase public IP addresses from your ISP.
- It protects network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when they gain controlled external access with NAT.

Drawbacks of NAT

Potential drawbacks of NAT include the following:

- NAT may have a slight impact on router performance. The router needs to alter the IP header and possibly alter the TCP or UDP header. The performance impact of NAT is very minor in current Cisco IOS routers that use Cisco Express Forwarding switching.
- Some applications rely on the source and destination IP addresses remaining constant, with unmodified packets forwarded from the source to the destination. By changing end-to-end addresses, NAT blocks some applications that embed IP addressing in the application payload.
For example, some security applications, such as digital signatures, fail because the source IP address changes at a router border. Applications that use IP addresses instead of an FQDN do not reach destinations that are translated across the NAT router.
- End-to-end IP traceability ends at a NAT boundary. When using commands such as ping or traceroute, the termination point of the diagnostic output usually ends at the NAT border device.
- Using NAT complicates tunneled protocols, such as IPsec. Because NAT modifies values in the IP headers, this process can interfere with the integrity checks that are performed by IPsec and other tunneling protocols. Special precautions are required to exempt traffic from being translated if the source and destination IP hosts connect over an IPsec tunnel.
- Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destinations. Some protocols can accommodate one instance of NAT between participating hosts (passive mode FTP, for example) but they can fail when both systems are separated from the Internet by NAT.

Applications that require special handling are supported by combining NAT with the Cisco IOS Zone-Based Policy Firewall feature.

Types of Addresses in NAT

In NAT terminology, the inside network is the set of networks that is subject to translation. The outside network refers to all other addresses. Usually, these are valid addresses that are located on the Internet.

To speak confidently about NAT, there are some NAT-specific terms you should understand:

- Inside local address: This IPv4 address is assigned to an IP host on the inside network, or private network. The inside local IP address is typically an RFC 1918 private IP address and is not globally routable.
- Inside global address: An inside global IP address is the IP address of the IP host on the Internet as it appears on the inside network. Depending on how the translation is configured, this IP address can appear as a publicly routable IP address or as a private IP address. The most common scenario is that the inside global address is the same as the outside global IP address.
- Outside local address: An outside local address represents the mapping of the inside local address to a globally routable address on the public Internet. This IP address can be assigned from a pool of one or more available public IP addresses.
- Outside global address: An outside global address is an IP address that is assigned to a host on the outside network by the host owner. The outside global address is allocated from a globally routable address or network space.

In the figure, the inside IP host 10.1.1.100 (an inside local address) translates to 126.96.36.199 (an inside global address). The inside host wants to connect to http://www.cisco.com. When 10.1.1.100 makes a DNS query, the IP address 188.8.131.52 is returned by the DNS server. In the context of NAT, 184.108.40.206 represents both the outside global and inside global IP addresses for http://www.cisco.com. From the perspective of the Cisco web server, the server would respond to the inside global IP address 220.127.116.11.

Types of NAT

On a Cisco IOS router, NAT can be divided into three distinct categories, each having a clear use case.

- Static NAT: This type of NAT is employed when an inside global address requires a permanent mapping to its outside global IP address. The common use case for static IP addresses is for IP hosts that need to remain at a constant IP address, like mail servers, DNS servers, and web servers (to name a few).
- Dynamic NAT: This type of NAT works well when the number of IP hosts is fewer than the number of public addresses available in the pool.
When a dynamic NAT translation is made, an inactivity timer begins a countdown. At the end of the countdown, the translation is cleared and that IP address is added back to the pool for another user to map to its outside global address.
- NAT overloading: This type of dynamic NAT is implemented when there are not enough public IP addresses to satisfy the number of inside local IP hosts that need Internet access. The pool of available public IP addresses may be as small as one.

PAT Versus NAT

One of the most common implementations of NAT is PAT, which is also referred to as overload in the context of a Cisco IOS configuration. NAT can use PAT to translate many inside local addresses into just one or a few inside global addresses. Most home routers operate in this manner. Your ISP assigns one address to your router, yet several members of your family can simultaneously connect to the Internet.

With static or dynamic NAT, the router replaces the source IP address of the inside local address with the inside global IP address. NAT generally translates IP addresses only as a 1:1 correspondence between publicly exposed IP addresses and privately held IP addresses.

When NAT overload is configured, multiple addresses can be mapped to one or a few addresses because the router maintains a table of TCP and UDP port numbers that are associated with the connections of each private address. When a client opens a TCP/IP session, the NAT router assigns a port number to its source address. NAT overload ensures that clients use a different TCP or UDP port number for each client session with a server on the Internet. NAT overload modifies the private IP address and potentially the port number of the sender. NAT overload chooses the port numbers that hosts see on the public network. When a response comes back from the server, the source port number (which becomes the destination port number on the return trip) determines the client to which the router routes the packets.
It also validates that the incoming packets were requested, thus adding a degree of security to the session.

NAT routes incoming packets to their inside destination by referring to the incoming source IP address given by the host on the public network. With NAT overload, there is generally only one publicly exposed IP address (or a very few). Incoming packets from the public network are routed to their destinations on the private network by referring to a table in the NAT overload device that tracks public and private port pairs. This mechanism is called connection tracking.

PAT port number determination is based on the following:

- PAT uses unique source port numbers on the inside global IPv4 address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of internal addresses that NAT can translate into one external address is, theoretically, as many as 65,536.
- PAT attempts to preserve the original source port. If the source port is already allocated, PAT attempts to find the first available port number. It starts from the beginning of the appropriate port group, 0 to 511, 512 to 1023, or 1024 to 65535 (in the figure, port 2031 is used). If PAT does not find an available port from the appropriate port group and if more than one external IPv4 address is configured, PAT moves to the next IPv4 address and tries to allocate the original source port again. PAT continues trying to allocate the original source port until it runs out of available ports and external IPv4 addresses.
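
The port-selection and connection-tracking rules described above, as an added example that is not part of the original course text: a simplified Python model of a PAT table. The class and function names and the 203.0.113.x addresses are assumptions made for illustration; the model keys only on protocol, address and port, and omits inactivity timers.

```python
# Added example: simplified PAT (NAT overload) table; all names are hypothetical.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]  # port groups from the text


class PatTable:
    def __init__(self, global_ips):
        self.global_ips = list(global_ips)  # pool of inside global addresses
        self.out = {}   # (proto, inside_ip, src_port) -> (global_ip, global_port)
        self.back = {}  # (proto, global_ip, global_port) -> (inside_ip, src_port)

    def _pick(self, proto, gip, src_port):
        # First choice: preserve the original source port.
        if (proto, gip, src_port) not in self.back:
            return src_port
        # Otherwise: first free port, scanning from the start of the same group.
        lo, hi = next(g for g in PORT_GROUPS if g[0] <= src_port <= g[1])
        return next((p for p in range(lo, hi + 1)
                     if (proto, gip, p) not in self.back), None)

    def translate_out(self, proto, inside_ip, src_port):
        """Return (global_ip, global_port) for an outbound session."""
        key = (proto, inside_ip, src_port)
        if key in self.out:  # session already tracked: reuse its mapping
            return self.out[key]
        for gip in self.global_ips:  # group exhausted -> try the next address
            port = self._pick(proto, gip, src_port)
            if port is not None:
                self.out[key] = (gip, port)
                self.back[(proto, gip, port)] = (inside_ip, src_port)
                return gip, port
        raise RuntimeError("no free port on any inside global address")

    def translate_in(self, proto, global_ip, dst_port):
        """Return (inside_ip, port) for a reply, or None to drop it."""
        return self.back.get((proto, global_ip, dst_port))


def demo():
    pat = PatTable(["203.0.113.5"])  # constructed address (documentation range)
    flows = [("10.1.1.100", 2031), ("10.1.1.101", 2031),
             ("10.1.1.102", 600), ("10.1.1.103", 600)]
    mapped = [pat.translate_out("tcp", ip, port) for ip, port in flows]
    reply = pat.translate_in("tcp", "203.0.113.5", 1024)       # tracked session
    unsolicited = pat.translate_in("tcp", "203.0.113.5", 4444)  # no table entry
    return mapped, reply, unsolicited


if __name__ == "__main__":
    print(demo())
```

The second host asking for port 2031 is moved to the first free port of its group, and an inbound packet to a port with no table entry is not forwarded to any inside host.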