CCNA 5.6: Configure, verify, and troubleshoot inside source NAT

Overview:

Inside source Network Address Translation (NAT) is used to map private IP addresses on a LAN to a public IP address(es) on the outside interface of the router

 

Study Notes:

  • Inside source Network Address Translation (NAT) is used to map private IP addresses on a LAN to public IP address(es) on the outside interface of the router
  • The interface of the router connecting to the LAN network is the inside
  • The interface of the router connecting to the WAN is the outside
  • Different methods of NAT are used depending on the desired outcome: Static, Pool and PAT
  • Assign inside and outside NAT interfaces
Router(config)#interface F0/1
Router(config-if)#description OUTSIDE INTERFACE
Router(config-if)#ip address pu.bl.i.c 255.255.255.0
Router(config-if)#ip nat outside
Router(config)#interface F0/2
Router(config-if)#description INSIDE INTERFACE
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside

 

5.6.a Static

  • One-to-one mapping
  • Translates one specific inside local (private) address to one specific inside global (public) address
  • Translations are configured statically and sit in the translation table permanently, whether or not there is any traffic
  • This is mostly useful for hosts that must be reachable from the outside at a fixed public address, such as mail, web or FTP servers
Router(config)#ip nat inside source static 192.168.1.10 pu.bl.ic.12
Router(config)#ip nat inside source static 192.168.1.11 pu.bl.ic.25

5.6.b Pool

  • A form of dynamic NAT
  • Many-to-many mapping
  • Translates multiple inside local addresses to multiple inside global addresses drawn from a pool
  • Most useful when fewer public addresses are available (the pool) than there are hosts to translate, but not every host needs a translation at the same time
  • Entries in the translation table are created when inside hosts initiate connections, not in advance
  • Each entry is itself a one-to-one mapping; it is called many-to-many because which pool address a host receives depends on what is free in the pool at the time of the request, so the mapping can change from one session to the next
  • An entry is removed from the translation table, and its address returned to the pool, after a configurable idle timeout during which the host sends no traffic; until then that address is unavailable to other hosts, so an exhausted pool means newly connecting hosts cannot be translated at all

Steps to configure NAT

    • Create a pool of inside global addresses.  This pool consists of 100 addresses from .100 to .199, even though the netmask covers all 256 addresses; the netmask only tells the router which subnet the pool belongs to.  The pool must hold public (outside-routable) addresses, written here in the page's pu.bl.ic placeholder notation, and must not overlap the 192.168.1.0/24 LAN being translated
Router(config)#ip nat pool MYNATPOOL pu.bl.ic.100 pu.bl.ic.199 netmask 255.255.255.0
    • Create an access-list that selects the inside networks to be translated
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    • Associate access-list 100, which selects the internal network 192.168.1.0 0.0.0.255, with the pool MYNATPOOL.  Without the overload keyword this is plain dynamic NAT: each host holds one pool address until its entry times out.  Adding overload turns it into PAT over the pool, so port translation lets many hosts share each pool address
Router(config)#ip nat inside source list 100 pool MYNATPOOL overload

5.6.c PAT

  • PAT: Port-address translation
  • An extension to NAT that permits multiple IP addresses on a LAN to be mapped to a single public IP address
  • The goal of PAT is to conserve IP addresses
  • A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network.
  • PAT conserves addresses in the global address pool by translating TCP and UDP source ports as well as addresses
  • Different local addresses map to the same global address, and the translated source port provides the uniqueness that lets the router match returning traffic to the right inside host
  • When a port has to be changed, the new port number is picked from the same range as the original (1 to 511, 512 to 1023, or 1024 to 65535), following the Berkeley Software Distribution (BSD) convention
  • This prevents end stations from seeing connection requests with source ports that appear to belong to the Telnet, HTTP or FTP daemon, for example
  • Cisco documents IOS PAT as supporting about 4000 local addresses mapped to the same global address; the limit comes from the free ports per global address, not from the number of LAN hosts
  • To configure PAT/NAT correctly the first time, you need to understand the Cisco NAT terminology and how your IP networks/addresses map to each of the entities listed below:
    • Inside Local—This is the local IP address of a private host on your network (e.g., a workstation's IP address).
    • Inside Global—This is the public IP address that the outside network sees as the IP address of your local host.
    • Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
    • Outside Global—This is the public IP address of the remote host (e.g., the IP address of the remote Web server that a workstation is connecting to).
  • The overload keyword is what makes the router do PAT; without it, a pool (or a single interface address) is handed out one host per address, so a single inside global address would let only one inside host translate at a time
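A complete PAT configuration together with the verification and troubleshooting commands the section title calls for, as an added example that is not part of the page's Packet Tracer lab. It reuses the interface names and the 192.168.1.0/24 LAN from the interface step above; the access-list number is an assumption for illustration.

```cisco
! Added example, not the page's lab: PAT of the 192.168.1.0/24 LAN onto the
! address of the outside interface F0/1 (interface roles as set earlier on
! this page). Access-list number 1 is an assumption for illustration.
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
! "interface F0/1" in place of "pool ..." uses the outside interface's own
! address as the single inside global address; "overload" enables port
! translation so every LAN host can share it.
Router(config)#ip nat inside source list 1 interface F0/1 overload
Router(config)#end

! Verify. Static entries (ip nat inside source static) are listed even with
! no traffic; dynamic and PAT entries appear only after an inside host sends
! a packet, and PAT entries carry the protocol and the translated port.
Router#show ip nat translations
! Counters and configuration summary: inside/outside interfaces, the ACL and
! pool or interface in use, and Hits (packets that matched an existing entry)
! versus Misses (packets that needed a new entry to be created).
Router#show ip nat statistics

! Troubleshoot. If inside hosts cannot reach the outside, check in order:
!  1. both interfaces carry a role (ip nat inside / ip nat outside);
!  2. the access-list actually matches the host's source address;
!  3. with a pool and no overload, the pool is not exhausted;
!  4. the outside network has a route back to the inside global address.
! Watch translations being built live (keep this short on a busy router):
Router#debug ip nat
Router#undebug all
! Drop all dynamic entries so a changed ACL or pool takes effect; static
! entries are not removed by this command.
Router#clear ip nat translation *
```

The interface form is the usual choice when the router has a single public address from the ISP; the pool form from the previous section is for sites that own a block of public addresses.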

 

 

PacketTracer Lab: CCNA-5.6-Configure-verify-and-troubleshoot-inside-source-NAT.pkt


2 comments
  1. joseph yang
     July 30, 2019 at 5:56 am

     do you have a demonstration of PAT?

     • Joe Barger (CCNP/CCDP) • Post Author •
       July 30, 2019 at 10:29 pm

       As an example, most home routers do port address translation. All of the clients in the house have their own private IP addresses. They send traffic to the internet and the home router translates all of the private IPs to the same public IP. With PAT, the router also maps unique source ports to the public IP for each client. When responses return to the router, it looks up the destination port in the translation table and that’s how it knows which private IP to send the traffic to.
