o Static NAT: The simplest type of NAT provides a one-to-one translation of IP addresses. It is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, the IP header checksum and any higher-level checksums that include the IP address need to be changed. The rest of the packet can be left untouched (at least for basic TCP/UDP functionality; some higher-level protocols may need further translation). Basic NATs can be used when there is a requirement to interconnect two IP networks with incompatible addressing. With static NAT, translations exist in the NAT translation table as soon as you configure the static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).
o Dynamic NAT: Dynamic NAT has some similarities to and differences from static NAT. Like static NAT, the NAT router creates a one-to-one mapping between an inside local and an inside global address and changes the IP addresses in packets as they exit and enter the inside network. However, the mapping of an inside local address to an inside global address happens dynamically. Dynamic NAT sets up a pool of possible inside global addresses and defines matching criteria to determine which inside local IP addresses should be translated with NAT. The dynamic entry stays in the table as long as traffic flows occasionally. With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.
· PAT
o Static PAT: Static PAT translations allow a specific UDP or TCP port on a global address to be translated to a specific port on a local address. Static PAT is the same as static NAT, except that it enables you to specify the protocol (TCP or UDP) and port for the real and mapped addresses. Static PAT enables you to reuse the same mapped address across many different static statements, provided that the port is different for each statement. You cannot use the same mapped address for multiple static NAT statements. With static PAT, translations exist in the NAT translation table as soon as you configure the static PAT command(s), and they remain in the translation table until you delete the static PAT command(s).
o NAT Overload or PAT: It is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. This type of NAT is called PAT in overload. The dynamic entry stays in the table as long as traffic flows occasionally. With PAT in overload, translations do not exist in the NAT table until the router receives traffic that requires translation. Translations have a timeout period after which they are purged from the translation table.
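To make the table behaviour of these types concrete, here is an added Python model; it is not part of the original post and is not Cisco code. It keeps a translation table with the same columns as show ip nat translations and reproduces what the text says: static rows exist as soon as they are configured and never time out; dynamic rows appear only on the first packet, a packet is dropped when every pooled address is held, and idle rows are purged after a timeout so the address returns to the pool; PAT overload puts many inside hosts behind one address and separates them by port. The class and method names (NatTable, outbound, expire, show), the 300 second idle timeout, the simulated clock and all traffic are constructed for the example, and the port choice under overload is simplified (a real router reuses a port for the same inside socket).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:  # one row of the translation table, in 'show ip nat translations' column order
    proto: str          # "tcp", "udp", "icmp", or "---" for an address-only row
    inside_global: str  # "ip" or "ip:port"
    inside_local: str
    outside: str        # "ip:port" of the outside host, or "---"
    static: bool        # configured rows never time out
    last_seen: float    # simulated clock, seconds


class NatTable:
    """One 'ip nat inside source ...' rule and the translation table it produces."""

    def __init__(self, timeout=300.0):
        self.timeout = timeout
        self.entries = []
        self.static_map = {}     # inside local ip -> inside global ip (static NAT)
        self.acl = None          # ip_network selecting which inside hosts are translated
        self.pool_free = []      # unused pool addresses (dynamic NAT)
        self.pool_used = {}      # inside local ip -> pool address it currently holds
        self.overload_ip = None  # the single shared address (PAT overload)

    def static(self, local_ip, global_ip):  # ip nat inside source static <local> <global>
        self.static_map[local_ip] = global_ip
        self.entries.append(Entry("---", global_ip, local_ip, "---", True, 0.0))  # exists before traffic

    def dynamic(self, acl, pool):  # ip nat inside source list <acl> pool <pool>
        self.acl, self.pool_free = ip_network(acl), list(pool)  # no rows until traffic arrives

    def overload(self, acl, global_ip):  # ip nat inside source list <acl> interface <if> overload
        self.acl, self.overload_ip = ip_network(acl), global_ip

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Translate an inside->outside packet: returns (global ip, global port), or None if dropped."""
        if src_ip in self.static_map:
            g_ip, g_port = self.static_map[src_ip], src_port
        elif self.acl is not None and ip_address(src_ip) in self.acl:
            if self.overload_ip is not None:
                g_ip, g_port = self.overload_ip, src_port
                # PAT keeps the source port unless a row on the shared address already uses it
                while any(e.inside_global == f"{g_ip}:{g_port}" for e in self.entries):
                    g_port += 1
            else:
                g_ip, g_port = self._pool_address(src_ip, now), src_port
                if g_ip is None:  # pool exhausted: IOS logs "translation failed, dropping packet"
                    return None
        else:
            return src_ip, src_port  # not selected by the ACL: forwarded untranslated
        self.entries.append(Entry(proto, f"{g_ip}:{g_port}", f"{src_ip}:{src_port}",
                                  f"{dst_ip}:{dst_port}", False, now))
        return g_ip, g_port

    def _pool_address(self, src_ip, now):
        if src_ip not in self.pool_used:
            if not self.pool_free:
                return None
            self.pool_used[src_ip] = self.pool_free.pop(0)
            # a held pool address also shows as an address-only row while it is in use
            self.entries.append(Entry("---", self.pool_used[src_ip], src_ip, "---", False, now))
        return self.pool_used[src_ip]

    def expire(self, now):
        """Purge flows idle longer than the timeout; pool addresses nobody uses go back to the pool."""
        self.entries = [e for e in self.entries
                        if e.static or e.proto == "---" or now - e.last_seen <= self.timeout]
        busy = {e.inside_local.split(":")[0] for e in self.entries if e.proto != "---"}
        idle = [ip for ip in self.pool_used if ip not in busy]
        for ip in idle:
            self.pool_free.append(self.pool_used.pop(ip))
        self.entries = [e for e in self.entries if e.static or e.inside_local not in idle]

    def show(self):  # rows as 'show ip nat translations' prints them (outside local == outside global)
        return [f"{e.proto} {e.inside_global} {e.inside_local} {e.outside} {e.outside}" for e in self.entries]


def demo():
    """Constructed traffic through the three NAT types; returns the facts worth checking."""
    st = NatTable()
    st.static("172.16.0.5", "10.16.0.5")
    before = st.show()                                 # row present before any packet
    st.outbound("tcp", "172.16.0.5", 56080, "10.0.0.100", 80, now=10)
    st.expire(now=10_000)                              # flow row purged, static row survives
    dy = NatTable(timeout=300)
    dy.dynamic("172.16.0.0/28", ["10.0.16.1", "10.0.16.2"])  # two addresses, three inside hosts
    a = dy.outbound("icmp", "172.16.0.1", 2, "10.0.0.100", 2, now=0)
    b = dy.outbound("tcp", "172.16.0.2", 35694, "10.0.0.100", 80, now=1)
    c = dy.outbound("tcp", "172.16.0.3", 40000, "10.0.0.100", 80, now=2)   # dropped: pool exhausted
    dy.expire(now=400)                                 # both holders idle > 300 s: addresses freed
    d = dy.outbound("tcp", "172.16.0.3", 40000, "10.0.0.100", 80, now=401)  # now succeeds
    ov = NatTable()
    ov.overload("172.16.0.0/24", "88.88.88.88")        # a whole /24 behind one address
    p1 = ov.outbound("tcp", "172.16.0.2", 7921, "95.100.96.233", 443, now=0)
    p2 = ov.outbound("tcp", "172.16.0.5", 7921, "173.194.44.18", 80, now=0)  # same source port
    return before, st.show(), (a, b, c, d), (p1, p2), ov.show()
```

Calling demo() shows the static row present both before traffic and after a long idle period, the third dynamic host refused until the first two time out, and the two overload hosts leaving with the same address but different ports.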
Example #1: Static Source NAT
How to translate the 172.16.0.5 IP address to the 10.16.0.5 IP address.
Define the ip nat inside:
CiscoCiro(config)#interface fa0/0
CiscoCiro(config-if)#ip nat inside
Define the ip nat outside:
CiscoCiro(config)#interface fa0/1
CiscoCiro(config-if)#ip nat outside
Define the static NAT entry:
ip nat inside source static 172.16.0.5 10.16.0.5
With static NAT, the translation exists in the NAT translation table as soon as you configure the static NAT command, and it remains in the translation table until you delete the static NAT command:
CiscoCiro#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.16.0.5          172.16.0.5         ---                ---
CiscoCiro#
If the client sends an ICMP packet or an HTTP request to the web server, the NAT table will be:
CiscoCiro#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.16.0.5:1        172.16.0.5:1       10.0.0.100:1       10.0.0.100:1
tcp  10.16.0.5:56080    172.16.0.5:56080   10.0.0.100:80      10.0.0.100:80
---  10.16.0.5          172.16.0.5         ---                ---
CiscoCiro#
Remember: Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an access list exists that allows it).
Example #2: Dynamic Source NAT
How to translate the 172.16.0.0/28 network into the 10.16.0.0/29 network.
Define the ip nat inside:
CiscoCiro(config)#interface fa0/0
CiscoCiro(config-if)#ip nat inside
Define the ip nat outside:
CiscoCiro(config)#interface fa0/1
CiscoCiro(config-if)#ip nat outside
Define the NAT pool used in the NAT translation:
CiscoCiro(config)#ip nat pool dynamic-ip 10.0.16.1 10.0.16.6 prefix-length 29
Define which network will be translated:
CiscoCiro(config)#ip access-list standard client-list
CiscoCiro(config-std-nacl)#permit 172.16.0.0 0.0.0.15
Define the dynamic source NAT:
CiscoCiro(config)#ip nat inside source list client-list pool dynamic-ip
With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation:
CiscoCiro#sh ip nat translations
CiscoCiro#
but when some packets match the ACL:
CiscoCiro#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.0.16.1:2        172.16.0.1:2       10.0.0.100:2       10.0.0.100:2
tcp  10.0.16.2:35694    172.16.0.2:35694   10.0.0.100:80      10.0.0.100:80
tcp  10.0.16.1:56185    172.16.0.1:56185   10.0.0.100:80      10.0.0.100:80
---  10.0.16.1          172.16.0.1         ---                ---
---  10.0.16.2          172.16.0.2         ---                ---
CiscoCiro#
Note: If a new packet arrives from yet another inside host and it needs a NAT entry, but all the pooled IP addresses are in use, the router simply discards the packet. This can be checked by enabling “debug ip nat”:
Feb 12 19:26:09.895: NAT: translation failed (E), dropping packet s=172.16.0.5 d=10.0.0.100
The user must try again until a NAT entry times out, at which point the NAT function works for the next host that sends a packet. Essentially, the inside global pool of addresses needs to be as large as the maximum number of concurrent hosts that need to use the Internet at the same time, unless we use PAT.
Remember: The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses and real addresses with static NAT.
Example #3: Static PAT
How to expose two different services on the Internet:
1. The web server (172.16.0.5) is listening on tcp port 80; this server responds on the public address 88.88.88.88:80 from the Internet (outside).
2. The SSH server (172.16.0.6) is listening on tcp port 22; this server responds on the public address 88.88.88.88:666 from the Internet (outside).
Define the ip nat inside:
CiscoCiro(config)#interface fa0/0
CiscoCiro(config-if)#ip nat inside
Define the ip nat outside:
CiscoCiro(config)#interface fa0/1
CiscoCiro(config-if)#ip nat outside
Define the static PAT:
The web server responds on tcp port 80 on the ‘outside’ interface.
ip nat inside source static tcp 172.16.0.5 80 88.88.88.88 80
The SSH server responds on tcp port 666 on the ‘outside’ interface; in this case, the real port (22 tcp) is translated to the 666 tcp port when a request comes from the Internet.
ip nat inside source static tcp 172.16.0.6 22 88.88.88.88 666
Like static NAT, a static PAT translation exists in the NAT translation table as soon as you configure the static PAT command, and it remains in the translation table until you delete the static PAT command.
CiscoCiro#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 88.88.88.88:80     172.16.0.5:80      ---                ---
tcp 88.88.88.88:666    172.16.0.6:22      ---                ---
CiscoCiro#
If an Internet client sends an HTTP request or an SSH connection (on tcp port 666), the NAT table will be:
CiscoCiro#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 88.88.88.88:80     172.16.0.5:80      56.56.56.56:54686  56.56.56.56:54686
tcp 88.88.88.88:80     172.16.0.5:80      ---                ---
tcp 88.88.88.88:666    172.16.0.6:22      56.56.56.56:33704  56.56.56.56:33704
tcp 88.88.88.88:666    172.16.0.6:22      ---                ---
CiscoCiro#
Example #4: PAT – NAT Overload
How to share an Internet connection.
Define the ip nat inside:
CiscoCiro(config)#interface fa0/0
CiscoCiro(config-if)#ip nat inside
Define the ip nat outside:
CiscoCiro(config)#interface fa0/1
CiscoCiro(config-if)#ip nat outside
Define which network will be translated:
CiscoCiro(config)#ip access-list standard client-list
CiscoCiro(config-std-nacl)#permit 172.16.0.0 0.0.0.255
Define the NAT Overload:
CiscoCiro(config)#ip nat inside source list client-list interface fastethernet0/1 overload
Like dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation:
CiscoCiro#sh ip nat translations
CiscoCiro#
but when some packets match the ACL:
CiscoCiro#show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
tcp 88.88.88.88:7921   172.16.0.2:7921     95.100.96.233:443   95.100.96.233:443
tcp 88.88.88.88:8651   172.16.0.5:8651     173.194.44.18:80    173.194.44.18:80
tcp 88.88.88.88:8652   172.16.0.111:8652   173.194.44.18:443   173.194.44.18:443
tcp 88.88.88.88:8653   172.16.0.223:8653   173.194.70.84:443   173.194.70.84:443
udp 88.88.88.88:64116  172.16.0.222:64116  8.8.8.8:53          8.8.8.8:53
udp 88.88.88.88:64756  172.16.0.223:64756  8.8.4.4:53          8.8.4.4:53
CiscoCiro#
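From a defender's side, these tables are worth reading programmatically: the rows without an outside peer tell you which services are reachable from the Internet, and the per-host counts tell you when one inside host behind the overload address suddenly holds far more translations, to far more destinations, than it normally does. The Python parser below is an added example and not part of the original post. Its sample output is constructed from the rows of Examples #3 and #4 above plus the static NAT row of Example #1; the function names and the session threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: rows copied from the 'show ip nat translations' outputs of Examples #3
# and #4 above, plus the static NAT row of Example #1, pasted with the prompt as an operator would.
SAMPLE_OUTPUT = """\
CiscoCiro#show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
tcp 88.88.88.88:80     172.16.0.5:80       56.56.56.56:54686   56.56.56.56:54686
tcp 88.88.88.88:80     172.16.0.5:80       ---                 ---
tcp 88.88.88.88:666    172.16.0.6:22       ---                 ---
tcp 88.88.88.88:7921   172.16.0.2:7921     95.100.96.233:443   95.100.96.233:443
tcp 88.88.88.88:8653   172.16.0.223:8653   173.194.70.84:443   173.194.70.84:443
udp 88.88.88.88:64116  172.16.0.222:64116  8.8.8.8:53          8.8.8.8:53
udp 88.88.88.88:64756  172.16.0.223:64756  8.8.4.4:53          8.8.4.4:53
--- 10.16.0.5          172.16.0.5          ---                 ---
CiscoCiro#
"""
PROTOCOLS = {"tcp", "udp", "icmp", "---"}


def split_endpoint(field):
    """'ip:port' -> (ip, port), 'ip' -> (ip, None), '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, int(port) if port else None


def parse_translations(text):
    """Parse the five-column table; the prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in PROTOCOLS:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": split_endpoint(ig),
                     "inside_local": split_endpoint(il), "outside_local": split_endpoint(ol),
                     "outside_global": split_endpoint(og)})
    return rows


def exposed_services(rows):
    """Protocol-specific rows with no outside peer are the configured static PAT bindings:
    the services reachable from the outside, which is the list worth reviewing regularly."""
    return sorted(f"{r['proto']} {r['inside_global'][0]}:{r['inside_global'][1]} -> "
                  f"{r['inside_local'][0]}:{r['inside_local'][1]}"
                  for r in rows if r["proto"] != "---" and r["outside_global"] == (None, None))


def activity_per_host(rows):
    """For each inside host: (live translations, distinct outside destinations)."""
    sessions, destinations = Counter(), defaultdict(set)
    for r in rows:
        host, peer = r["inside_local"][0], r["outside_global"][0]
        if peer is None:
            continue                       # binding rows have no peer and are not live flows
        sessions[host] += 1
        destinations[host].add(peer)
    return {h: (sessions[h], len(destinations[h])) for h in sessions}


def busy_hosts(rows, max_sessions):
    """Inside hosts holding more live translations than the threshold. On a real table the
    useful comparison is against the host's own baseline: a workstation that suddenly holds
    hundreds of translations to hundreds of destinations is what scanning or beaconing looks
    like from the NAT router's point of view."""
    return sorted(h for h, (n, _) in activity_per_host(rows).items() if n > max_sessions)
```

On the sample, exposed_services lists the two static PAT bindings of Example #3 and busy_hosts with a threshold of 1 returns 172.16.0.223, the only host with two live translations. The address-only static NAT row is deliberately excluded from the service inventory because it exposes a whole host rather than one port; treat those rows as their own list.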
Are there other types of NAT/PAT?
The answer is YES! One type of NAT/PAT widely used is ip nat outside source; this command translates the source address of a packet that enters on the ‘outside’ interface and leaves on the ‘inside’ interface.
In simple terms, looking at Example #1, the command:
ip nat outside source static 10.0.0.100 192.168.0.100
translates 10.0.0.100 to 192.168.0.100, so the client must call the 192.168.0.100 IP address to contact the web server, and not 10.0.0.100.
Another particular type of NAT is ip nat inside destination, used when multiple inside devices are identical servers with mirrored content, which from the outside appear to be a single load-balanced server.
You define a pool of addresses containing the real hosts’ addresses, ending with “type rotary”, making the servers available in round-robin fashion. The access list now permits the IP address of the virtual host, i.e. what the outside world thinks is the host address. So the virtual host is 123.123.123.132, with the real hosts being 172.16.0.2 through 10.
Partial configuration:
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 88.88.88.88 255.255.255.252
 ip nat outside
!
ip nat pool real-ip-server 172.16.0.2 172.16.0.10 prefix-length 24 type rotary
ip nat inside destination list 1 pool real-ip-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
access-list 1 permit 123.123.123.123
This translation is not bi-directional in nature. You will have to use a one-to-one static NAT to accomplish that. An “ip nat inside source static” kind of functionality can be achieved with the above configuration using a single address in the NAT pool, but that would only work for outside-to-inside traffic.
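An added Python model of the rotary pool, not part of the original post: new connections to the virtual address are handed to the real servers in turn, an established connection stays on the server it was given, and traffic the real servers originate themselves is not translated at all, which is what “not bi-directional” means above. The class name RotaryDestinationNat, the Internet client addresses and the flow key are constructed for the example; the virtual address and the real-server range follow the configuration above (123.123.123.123 from access-list 1, real servers 172.16.0.2 through 172.16.0.10).

```python
from ipaddress import ip_address
from itertools import cycle


class RotaryDestinationNat:
    """Models 'ip nat pool <name> <first> <last> ... type rotary' together with
    'ip nat inside destination list <acl> pool <name>': new connections addressed to the
    virtual host are spread over the real servers in round-robin order."""

    def __init__(self, virtual_ip, first_real, last_real):
        self.virtual_ip = virtual_ip                       # the address access-list 1 permits
        lo, hi = int(ip_address(first_real)), int(ip_address(last_real))
        self.real = [str(ip_address(i)) for i in range(lo, hi + 1)]
        self._next = cycle(self.real)
        self.table = {}                                    # (proto, client ip, client port) -> real server

    def outside_to_inside(self, proto, client_ip, client_port, dst_ip):
        """Destination the router delivers an outside->inside packet to."""
        if dst_ip != self.virtual_ip:
            return dst_ip                                  # ACL does not match: no translation
        flow = (proto, client_ip, client_port)
        if flow not in self.table:                         # a new connection takes the next real server
            self.table[flow] = next(self._next)
        return self.table[flow]                            # an existing connection stays pinned

    def inside_to_outside(self, proto, server_ip, client_ip, client_port):
        """Source address an inside->outside packet leaves with. Only the reply half of a
        pinned flow is rewritten back to the virtual address; anything a real server
        originates on its own keeps its real address (the translation is not bi-directional)."""
        if self.table.get((proto, client_ip, client_port)) == server_ip:
            return self.virtual_ip
        return server_ip


def demo():
    lb = RotaryDestinationNat("123.123.123.123", "172.16.0.2", "172.16.0.10")
    # ten fresh TCP connections from one constructed Internet client, one per source port
    chosen = [lb.outside_to_inside("tcp", "56.56.56.56", 40000 + i, "123.123.123.123")
              for i in range(10)]
    repeat = lb.outside_to_inside("tcp", "56.56.56.56", 40000, "123.123.123.123")  # same flow again
    reply = lb.inside_to_outside("tcp", chosen[0], "56.56.56.56", 40000)           # reply to that flow
    originated = lb.inside_to_outside("tcp", "172.16.0.3", "8.8.8.8", 53)          # server-initiated
    other = lb.outside_to_inside("tcp", "56.56.56.56", 50000, "88.88.88.88")       # not the virtual host
    return chosen, repeat, reply, originated, other
```

With nine real servers the tenth connection wraps around to 172.16.0.2, the repeated flow stays on 172.16.0.2, its reply leaves as 123.123.123.123, and the DNS lookup the third server makes on its own leaves as 172.16.0.3.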
Where to apply ip nat inside/outside?
Typically “ip nat inside” is configured on the interfaces in your local environment which cannot be routed to the Internet (typically a private range of IP addresses) and “ip nat outside” on the interface which is connected to the Internet.
When does the router perform NAT?
Inside to Outside:
1. If IPSec then check input access list
2. decryption – for CET (Cisco Encryption Technology) or IPSec
3. check input access list
4. check input rate limits
5. input accounting
6. redirect to web cache
7. policy routing
8. routing
9. NAT inside to outside (local to global translation)
10. crypto (check map and mark for encryption)
11. check output access list
12. inspect (Context-based Access Control (CBAC))
13. TCP intercept
14. encryption
15. Queueing
Outside to Inside:
1. If IPSec then check input access list
2. decryption – for CET or IPSec
3. check input access list
4. check input rate limits
5. input accounting
6. redirect to web cache
7. NAT outside to inside (global to local translation)
8. policy routing
9. routing
10. crypto (check map and mark for encryption)
11. check output access list
12. inspect CBAC
13. TCP intercept
14. encryption
15. Queueing
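The practical consequence of this ordering is which address an access list sees. The input access list (step 3) runs before NAT in both directions and the output access list (step 11) runs after it, so an ACL applied inbound on the outside interface must match the inside global (public) address, while the same traffic seen by an outbound ACL on the inside interface already carries the private address. The Python model below is an added example, not from the original post: it walks the two step lists above in order, models only the ACL and NAT steps (every other step is a no-op here), and reuses the static PAT bindings of Example #3. The function names (run, permit_tcp_to, demo) and the client address are assumptions.

```python
from dataclasses import dataclass, replace

# Static PAT bindings from Example #3 (inside local -> inside global), assumed for this model.
STATIC_PAT = {("tcp", ("172.16.0.5", 80)): ("88.88.88.88", 80),
              ("tcp", ("172.16.0.6", 22)): ("88.88.88.88", 666)}
REVERSE_PAT = {(proto, g): l for (proto, l), g in STATIC_PAT.items()}

# The two step lists above, condensed to one token per step and kept in the same order.
INSIDE_TO_OUTSIDE = ["ipsec input acl", "decryption", "input acl", "rate limits", "accounting",
                     "web cache", "policy routing", "routing", "nat inside->outside", "crypto map",
                     "output acl", "cbac", "tcp intercept", "encryption", "queueing"]
OUTSIDE_TO_INSIDE = ["ipsec input acl", "decryption", "input acl", "rate limits", "accounting",
                     "web cache", "nat outside->inside", "policy routing", "routing", "crypto map",
                     "output acl", "cbac", "tcp intercept", "encryption", "queueing"]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


def run(direction, pkt, input_acl, output_acl):
    """Walk the ordered pipeline. Only the ACL and NAT steps do anything; the rest are
    no-ops in this model. Returns (permitted, trace), where trace records the header each
    ACL actually evaluated and the header that was finally forwarded."""
    steps = INSIDE_TO_OUTSIDE if direction == "in->out" else OUTSIDE_TO_INSIDE
    trace = {}
    for step in steps:
        if step == "input acl":
            trace["input acl saw"] = pkt           # evaluated before NAT in both directions
            if not input_acl(pkt):
                return False, trace
        elif step == "nat inside->outside":
            g = STATIC_PAT.get((pkt.proto, pkt.src))
            pkt = replace(pkt, src=g) if g else pkt
        elif step == "nat outside->inside":
            l = REVERSE_PAT.get((pkt.proto, pkt.dst))
            pkt = replace(pkt, dst=l) if l else pkt
        elif step == "output acl":
            trace["output acl saw"] = pkt          # evaluated after NAT in both directions
            if not output_acl(pkt):
                return False, trace
    trace["forwarded"] = pkt
    return True, trace


def permit_tcp_to(host, port):
    """A one-line 'permit tcp any host <host> eq <port>' access list."""
    return lambda p: p.proto == "tcp" and p.dst == (host, port)


def permit_any(_pkt):
    return True


def demo():
    request = Packet("tcp", ("56.56.56.56", 54686), ("88.88.88.88", 80))  # Internet client -> web server
    # Inbound ACL on the outside interface written with the server's private address: it runs
    # before NAT outside->inside, so the destination is still 88.88.88.88 and nothing matches.
    wrong, _ = run("out->in", request, permit_tcp_to("172.16.0.5", 80), permit_any)
    # The same ACL written with the public (inside global) address matches the pre-NAT header.
    right, t = run("out->in", request, permit_tcp_to("88.88.88.88", 80), permit_any)
    # Reply path: the inbound ACL on the inside interface sees the private source address,
    # the outbound ACL on the outside interface sees the translated public source address.
    reply = Packet("tcp", ("172.16.0.5", 80), ("56.56.56.56", 54686))
    _, r = run("in->out", reply, permit_any, permit_any)
    return {"private_addr_acl_permits": wrong, "public_addr_acl_permits": right,
            "delivered_to": t["forwarded"].dst,
            "reply_input_acl_src": r["input acl saw"].src,
            "reply_output_acl_src": r["output acl saw"].src}
```

The first run is the classic mistake: a perfectly sensible-looking inbound ACL on the outside interface that names the private server address silently drops every connection, because at step 3 the destination has not been translated yet. The IPSec and decryption steps only apply when those features are configured, which is why they are no-ops here.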
Some useful commands:
· To see some statistics about NAT: show ip nat statistics
· To see a complete list of the static/dynamic NAT/PAT entries: show ip nat translations
· To clear the dynamic NAT entries: clear ip nat translation *
· To debug NAT: debug ip nat