Network Address Translation

One of the main issues facing the growing Internet has been the progressive depletion of IPv4 addresses as demand has increased. The IPv4 addressing scheme has struggled to keep up with the constant growth in the number of devices that make up the public IP network commonly recognized as the Internet. IANA, the Internet Assigned Numbers Authority, which allocates address blocks to the regional Internet registries, exhausted its free pool of IPv4 address blocks in 2011, so new public IPv4 addresses are now scarce.

One interim solution was to set aside ranges of private addresses, drawn from the existing address classes, that any organization may reuse: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, as defined in RFC 1918. A network domain implements an addressing scheme from this private range, sized to its own scale, so that traffic which both originates and terminates within the same domain is carried without consuming valued public addresses.

A problem arises, however, when communication must extend beyond the private network domain, to destinations in the public domain or in another private domain reached across it, because private addresses are not routable on the Internet. Network Address Translation has become the standard solution to this issue, allowing end stations in a private network to forward traffic across the public network domain.

Network Address Translation (NAT) uses the generally established boundary of the gateway router to identify the domains between which translation is performed: an internal private network and an external public network. The main principle is the reception of traffic whose source address lies in the private network and whose destination address represents a location beyond the private network domain.

The router implementing NAT translates the private source address to a public address, so that the public destination sees a valid, routable public address to which it can reply. NAT must also create a mapping table in the gateway, so that when a packet is received from the public network the gateway can determine which private destination address it belongs to; address translation is then performed again, in reverse, along the return path.

A number of NAT implementations exist, each suited to different situations. Static NAT is a direct one-to-one mapping that translates the IP address of a specific end system to a specific public address. At scale, the one-to-one mapping of static NAT does nothing to alleviate the address shortage, but it is applicable where a host must keep a fixed association with a particular public address, for instance to receive privileges bound to that address. The same principle applies to servers that must be reachable from the external network at a known public address.

In the example given, packets originating from source 192.168.1.1 are destined for the public address 1.1.1.1. The network gateway RTA holds a preconfigured mapping between the private address 192.168.1.1 and the public address 200.10.10.5, which is written into the packet as its source address before the gateway forwards it to the intended destination. Any return packet is sent with a destination address of 200.10.10.5; the gateway receives it, performs the static translation in reverse, and forwards the packet to the associated host 192.168.1.1. Static mapping requires no management of address allocation for users, since each address is assigned manually.

Dynamic NAT works on the principle of address pools: an internal end system wishing to forward traffic across the public network is associated with a public address taken from the pool. Each end system communicating with destinations in the public network domain must be associated with a unique public address from the range of the pool for as long as that association lasts.

An address is assigned from the NAT address pool as each end system attempts to forward traffic to a public network destination. The number of public addresses held by the NAT gateway is far smaller than the number of internal hosts, because not all internal hosts access external networks at the same time; the pool size is usually determined by the number of internal hosts that access external networks at peak hours. If the pool is exhausted, further hosts cannot be translated, and their traffic is dropped, until an address is released.

The example demonstrates a case where two internal hosts generate packets intended for the destination 1.1.1.1/24; each internal host is allocated a unique address from the address pool, so that the two hosts can be distinguished from one another in the public network. Once communication over the public network is no longer required, the address mapping is removed and the public address is returned to the address pool.

In addition to the many-to-many address translation of dynamic NAT, Network Address Port Translation (NAPT) can be used to implement concurrent address translation. NAPT allows multiple internal addresses to be mapped to the same public address; it is also called many-to-one address translation or address multiplexing. NAPT maps IP addresses together with port numbers: datagrams from different internal addresses are mapped to the same public address with different port numbers, so the datagrams share one public address while each flow remains distinguishable by its port. Because the translation entry is keyed on the port number, NAPT applies to TCP and UDP, with ICMP query messages handled by treating the query identifier as a port; a protocol that carries no such identifier cannot be multiplexed in this way.

The router receives a request packet sent from the host on the private network for accessing the server on the public network. The packet's source IP address is 192.168.1.1, and its port number is 1025. The router selects an idle public IP address and an idle port number from the IP address pool, and sets up forward and reverse NAPT entries that specify the mapping between the source IP address and port number of the packet and the public IP address and port number. The router translates the packet's source IP address and port number to the public IP address and port number based on the forward NAPT entry, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 200.10.10.11, and its port number is 2843.

Easy IP is applied where hosts on a small-scale local area network require access to the public network or Internet. Such LANs typically have only a few internal hosts, and the outbound interface obtains a temporary public IP address, for example through dial-up. Rather than configuring a separate address pool, Easy IP lets the internal hosts access the Internet using the temporary address of that interface, with port translation distinguishing their flows.

The example demonstrates the Easy IP process. The router receives a request packet sent from the host on the private network for accessing a server in the public network. The packet's source IP address in this case is 192.168.1.1, and its port number is 1025. The router sets up forward and reverse Easy IP entries that specify the mapping between the source IP address and port number of the packet and the public IP address and port number of the interface connected to the public network. The router translates the source IP address and port number of the packet to the public IP address and port number, and sends the packet to the server on the public network. After the translation, the packet's source IP address is 200.10.10.1, and its port number is 2843.

After receiving a response from the server, the router queries the reverse Easy IP entry based on the packet's destination IP address and port number. The router translates the packet's destination IP address and port number to the private IP address and port number of the host on the private network, and sends the packet to the host. After the translation, the packet's destination IP address is 192.168.1.1, and its port number is 1025.

NAT can shield hosts on private networks from public network users, since an external host has no translation entry through which to reach an internal address until the internal host has initiated a flow or a fixed mapping has been configured. This shielding is a side effect of a missing table entry rather than a filtering policy, and is not a substitute for an access control list or firewall. When a private network needs to provide services such as web and FTP to public network users, servers on the private network must be reachable by public network users at any time, which this default behaviour prevents.

The NAT server feature addresses this problem by translating the public IP address and port number of inbound packets to the private IP address and port number of the server, based on a preconfigured mapping.

Address translation entries for the NAT server are configured on the router. When the router receives an access request sent from a host on the public network, it queries the address translation entry based on the packet's destination IP address and port number, translates them to the private IP address and port number given by the entry, and sends the packet to the server on the private network. In the example, the destination IP address of the packet sent by the public host is 200.10.10.5 and its destination port is 80; after translation by the router, the destination IP address is 192.168.1.1 and the port number is 8080.

After receiving the response packet from the server on the private network, the router queries the address translation entry based on the packet's source IP address and port number, translates them to the public IP address and port number, and sends the packet to the host on the public network. The source of the response packet sent by the server is 192.168.1.1 with port number 8080; after translation by the router, the source IP address is 200.10.10.5 and the port number is again 80.
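The following Python model, added here as an illustration and not code from the original page or from any router vendor, walks through the static, dynamic, Easy IP and NAT server scenarios described above in one place. Addresses and ports are constructed to match the text's figures (inside hosts on 192.168.1.0/24, global addresses 200.10.10.x, external server 1.1.1.1); the external client 203.0.113.7 and the port allocator starting at 2843 are assumptions chosen so that the output matches the page's numbers, whereas a real gateway allocates ports from a configurable range and ages entries out. What the prose cannot show directly is visible in the return values: an exhausted no-pat pool drops the third host until an address is released, a NAPT reply is matched purely on the translated port, an unsolicited inbound packet with no entry is dropped, and a NAT server entry is consulted in both directions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Toy gateway; mode is 'static', 'dynamic' (pool, no-pat), 'napt' or 'easyip'."""

    def __init__(self, mode, pool=(), interface_ip=None, static=None):
        self.mode = mode
        self.free_pool = list(pool)                 # unused global addresses
        self.interface_ip = interface_ip            # Easy IP global address
        self.addr_map = dict(static or {})          # inside ip -> global ip
        self.addr_rev = {g: i for i, g in self.addr_map.items()}
        self.fwd = {}      # (proto, in_ip, in_port) -> (g_ip, g_port)  NAPT / Easy IP
        self.rev = {}      # (proto, g_ip, g_port) -> (in_ip, in_port)
        self.srv = {}      # (proto, g_ip, g_port) -> (in_ip, in_port)  nat server
        self.srv_rev = {}  # (proto, in_ip, in_port) -> (g_ip, g_port)
        self.next_port = 2843   # assumed allocator start; real devices use a range

    def add_server(self, proto, g_ip, g_port, in_ip, in_port):
        """Preconfigured inbound entry, as 'nat server protocol ... global ... inside ...'."""
        self.srv[(proto, g_ip, g_port)] = (in_ip, in_port)
        self.srv_rev[(proto, in_ip, in_port)] = (g_ip, g_port)

    def release(self, in_ip):
        """Dynamic NAT: the host's flows ended, return its address to the pool."""
        g_ip = self.addr_map.pop(in_ip)
        del self.addr_rev[g_ip]
        self.free_pool.append(g_ip)

    def outbound(self, pkt):
        """Translate the source of a packet leaving the private network;
        returns the translated packet, or None when it has to be dropped."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key in self.srv_rev:                      # reply from an internal server
            g_ip, g_port = self.srv_rev[key]
            return replace(pkt, src_ip=g_ip, src_port=g_port)
        if self.mode in ("static", "dynamic"):       # address only, port untouched
            g_ip = self._address_for(pkt.src_ip)
            return None if g_ip is None else replace(pkt, src_ip=g_ip)
        if key not in self.fwd:                      # NAPT / Easy IP: new flow
            g_ip = self.interface_ip if self.mode == "easyip" else self.free_pool[0]
            self.fwd[key] = (g_ip, self.next_port)
            self.rev[(pkt.proto, g_ip, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        g_ip, g_port = self.fwd[key]
        return replace(pkt, src_ip=g_ip, src_port=g_port)

    def _address_for(self, in_ip):
        if in_ip in self.addr_map:
            return self.addr_map[in_ip]
        if self.mode == "static" or not self.free_pool:
            return None                              # no static entry, or pool exhausted
        g_ip = self.free_pool.pop(0)
        self.addr_map[in_ip], self.addr_rev[g_ip] = g_ip, in_ip
        return g_ip

    def inbound(self, pkt):
        """Translate the destination of a packet arriving from the public side."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.srv:                          # fixed NAT server entry
            return replace(pkt, dst_ip=self.srv[key][0], dst_port=self.srv[key][1])
        if pkt.dst_ip in self.addr_rev:              # static, or live dynamic, mapping
            return replace(pkt, dst_ip=self.addr_rev[pkt.dst_ip])
        if key in self.rev:                          # reply to a NAPT / Easy IP flow
            return replace(pkt, dst_ip=self.rev[key][0], dst_port=self.rev[key][1])
        return None                                  # no entry at all: dropped


def demo():
    """Run the text's scenarios on constructed packets; returns the results."""
    r = {}
    st = NatGateway("static", static={"192.168.1.1": "200.10.10.5"})
    r["static"] = st.outbound(Packet("192.168.1.1", 1025, "1.1.1.1", 80))
    r["static_in"] = st.inbound(Packet("1.1.1.1", 80, "200.10.10.5", 1025))
    r["static_other"] = st.outbound(Packet("192.168.1.2", 1025, "1.1.1.1", 80))
    dyn = NatGateway("dynamic", pool=["200.10.10.11", "200.10.10.12"])
    r["dyn"] = [dyn.outbound(Packet(f"192.168.1.{i}", 1025, "1.1.1.1", 80)) for i in (1, 2, 3)]
    dyn.release("192.168.1.1")                       # third host succeeds only after a release
    r["dyn_after_release"] = dyn.outbound(Packet("192.168.1.3", 1025, "1.1.1.1", 80))
    ez = NatGateway("easyip", interface_ip="200.10.10.1")
    r["ez"] = [ez.outbound(Packet(f"192.168.1.{i}", 1025, "1.1.1.1", 80)) for i in (1, 2)]
    r["ez_reply"] = ez.inbound(Packet("1.1.1.1", 80, "200.10.10.1", 2844))
    r["ez_unsolicited"] = ez.inbound(Packet("203.0.113.7", 40000, "200.10.10.1", 3000))
    ez.add_server("tcp", "200.10.10.5", 80, "192.168.1.1", 8080)
    r["srv_in"] = ez.inbound(Packet("203.0.113.7", 40000, "200.10.10.5", 80))
    r["srv_reply"] = ez.outbound(Packet("192.168.1.1", 8080, "203.0.113.7", 40000))
    return r
```

Calling demo() and printing its dictionary reproduces the page's numbers: the static host leaves as 200.10.10.5 with its port intact, the two dynamic hosts take 200.10.10.11 and 200.10.10.12 and the third is dropped until the first releases, and the Easy IP hosts share 200.10.10.1 on ports 2843 and 2844. The model deliberately keeps the NAT server table separate from the per-flow table so that the fixed entry is matched before any dynamic state, which is the order a practitioner wants when both coexist on one interface.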

Static NAT indicates that a private address is statically bound to a public address when NAT is performed. The public IP address in static NAT is used only for translation of the unique, fixed private IP address of one host. The command used to create the static NAT entry and define the parameters for the translation is: nat static [ protocol { tcp | udp } ] global { global-address | current-interface } [ global-port ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

The key parameters in the example are global, which configures the external NAT information, specifically the external address, and inside, which configures the internal NAT information. In both cases an address and a port number can be defined for translation. The global port specifies the port number of the service provided for external access; if it is not specified, the value of global-port is 0, meaning that any type of service can be provided. The host port specifies the service port number provided by the internal server; if it is not specified, the value of host-port is the same as the value of global-port.

The configuration of static NAT can be viewed through the display nat static command. The command displays the network address translation information with regards to the interface through which the address translation is performed, the global and inside addresses which are translated along with the used ports. Where the ports are not defined, a null result will be displayed. The configuration for translation may be protocol specific to either TCP or UDP protocol traffic, in which case the Protocol entry will be defined.

The configuration of dynamic network address translation involves the nat outbound command. It relies on the prior configuration of an access control list (ACL), which specifies a rule identifying the specific traffic to which an operation will be applied; access control lists are covered in detail in a later unit. An association is made between the access control list rule and the NAT address pool, so that the addresses matched by the access control list are translated using the NAT address pool.

The example demonstrates how the nat outbound command is associated with an access control list with identifier 2000, allowing traffic from the 192.168.1.0/24 network range to be translated using an address group referred to as address-group 1, which defines a pool from 200.10.10.11 through 200.10.10.16 that internal addresses will draw on for translation; the full form applied to the interface is nat outbound 2000 address-group 1 no-pat. The no-pat parameter means that no port address translation occurs for the addresses in the pool, so each host must translate to a unique global address. With six addresses in the pool, at most six internal hosts can therefore hold translations at the same time; a seventh host's traffic is not translated until one of the mappings is released.

Two display commands allow the dynamic address translation to be verified in detail. The display nat address-group group-index command shows the range of the network address translation pool. The display nat outbound command provides the specific details of any dynamic network address translation configuration applied to a given interface. In the example it can be seen that the interface Serial1/0/0 is associated with an access control list rule together with address group 1 for address translation on that interface, and the no-pat output confirms that port address translation is not in effect for this translation.

The Easy IP configuration is very similar to that of dynamic network address translation, relying on the creation of an access control list rule to define the address range to which translation is to be applied, followed by the nat outbound command. The main difference is the absence of the address group, since no address pool is used in Easy IP; instead the outbound interface address represents the external address, in this case the external address 200.10.10.1 of interface Serial1/0/0. Port address translation is necessarily performed, so the no-pat parameter cannot be used where no address group exists. The command nat outbound 2000 binds the NAT operation to the access control list rule that details the address range to which the translation applies.

The same display nat outbound command can be used to observe the results of the nat outbound configuration and verify its correct implementation. The interface and access control list (ACL) binding can be determined as well as the interface (in this case) for the outbound translation. The type listing of easyip makes it clearly understood when Easy IP has been successfully configured.

Where it is necessary to provide internal access to external users such as in the case of a public server which is part of an internal network, the NAT server configuration can be performed to enable traffic destined for an external destination address and port number to be translated to an internal destination address and port number.

The command that enables the external-to-internal translation is: nat server [ protocol { tcp | udp } ] global { global-address | current-interface } [ global-port ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]. Here protocol identifies the specific protocol (TCP or UDP, depending on the service) to be permitted for translation, the global address indicates the external address for translation, and the inside address is the address of the internal server.

The port number for the external address should be defined, and commonly relates to a specific service such as HTTP (www) on port 80. To avoid exposing the port numbers actually in use on the internal network, an alternative port number can be applied on the inside and translated by the same means as the address. Note that this only hides the internal listening port from external observers; it provides no protection once a connection has been established, so the service itself must still be hardened.

The display nat server command shows the configuration results, allowing the NAT server implementation to be verified. The interface defines the point at which the translation occurs, and the global and inside IP addresses with their associated port numbers can be checked. In this case the global address 202.10.10.5 with port number 80 (www) is translated to the inside server address 192.168.1.1 with port number 8080, concealing the internal port from external scans. Only TCP traffic destined for this global address and port is translated; any other inbound traffic to the address has no entry and is dropped.

The NAT internal server configuration will allow a unique public address to be associated with a private network server destination, allowing inbound traffic flow from the external network after translation. Internal users are able to reach the server location based on the private address of the server.

The PAT feature performs translation based on the port number as well as the IP address. It is used as a form of address conservation where the number of public addresses available for translation is limited, or insufficient to support the number of private addresses that may require translation at the same time.