Network Address Translation and Port Address Translation

NAT is a router function that translates the addresses of hosts behind a firewall. It also helps to overcome the shortage of IP addresses, and it provides a measure of security by hiding the internal network and its real IP addresses.

NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into legal addresses on the outside (public) network.

PAT provides additional address expansion but is less flexible than NAT. With PAT, one IP address can be used for up to 64,000 hosts by mapping many source port numbers onto a single IP address. PAT is secure because the inside hosts' source IP addresses are hidden from the outside world. The perimeter router typically provides the NAT or PAT function.

NOTE PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of ports could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port. If this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group, 0-511, 512-1023, or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses. (From http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm.)
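The port-selection rule in the note above, written out as an added Python model (not code from the book or from Cisco IOS): keep the original source port if free, otherwise take the first free port from the start of the same port group, otherwise move to the next inside global address. The class and method names and the addresses (the 10.99.34.0/24 hosts behind a 210.1.1.0/24 pool) are assumptions chosen to match the chapter's scenario.

```python
# Added example: model of the PAT port-selection rule quoted in the note.
# Constructed addresses; PatTable and its method names are assumptions,
# not Cisco IOS code.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the port group a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


class PatTable:
    """Translates (inside local address, source port) to (inside global address, port)."""

    def __init__(self, inside_global_addrs):
        self.global_addrs = list(inside_global_addrs)  # the registered (inside global) pool
        self.in_use = {addr: set() for addr in self.global_addrs}
        self.outbound = {}  # (local addr, local port) -> (global addr, global port)
        self.inbound = {}   # reverse map, consulted for return traffic

    def translate(self, local_addr, local_port):
        key = (local_addr, local_port)
        if key in self.outbound:                # an existing translation is reused
            return self.outbound[key]
        lo, hi = port_group(local_port)
        for gaddr in self.global_addrs:         # next address only when the group is full
            used = self.in_use[gaddr]
            if local_port not in used:          # first choice: preserve the source port
                chosen = local_port
            else:                               # else first free port from the group start
                chosen = next((p for p in range(lo, hi + 1) if p not in used), None)
            if chosen is not None:
                used.add(chosen)
                self.outbound[key] = (gaddr, chosen)
                self.inbound[(gaddr, chosen)] = key
                return self.outbound[key]
        raise RuntimeError("no free ports or addresses left in the PAT pool")

    def untranslate(self, global_addr, global_port):
        """Map a returning packet's destination back to the inside local host, or None."""
        return self.inbound.get((global_addr, global_port))
```

Because the model scans a port group from its first port, filling the 0-511 group with 512 distinct inside hosts is enough to watch the rollover to the second inside global address.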

NAT is defined in RFC 1631, the text of which can be read at http://www.ietf.org/rfc/rfc1631.txt. Cisco devices started supporting NAT in Cisco IOS versions 11.2 and higher. NAT basically provides the capability to retain your network's original IP addressing scheme while translating that scheme into a valid Internet IP address to ensure that intruders never view your private address.

NOTE Cisco IOS 12.0 and higher support full NAT functionality in all images. Version 11.2 and higher need the "Plus" image for the NAT feature set.

NAT changes the Layer 3 source address when the packet is sent out to the Internet. No other protocol does this (that is, alters the Layer 3 source address).

For your review and to fully prepare you for the exam, Table 6-2 explains some of the terminology used in a NAT environment.

Table 6-2 NAT Terminology

Inside local address: An IP address assigned to a host on the internal network; that is, the logical address that is not advertised to the Internet. A local administrator generally assigns this address. It is not a legitimate Internet address.

Inside global address: A legitimate registered IP address, as assigned by the InterNIC, that represents one or more inside local IP addresses to the outside world.

Outside local address: The IP address of an outside (Internet) host as it appears to the inside network, after translation.

Outside global address: The IP address assigned to a host on the outside network by that host's owner, before any translation by the router.

Figure 6-2 displays a typical scenario in which a private address space is deployed that requires Internet access. The Class A address block 10.0.0.0/8 is not routable on the Internet.

Figure 6-2 Typical NAT Scenario

[Figure labels: Inside or Private Network (Inside Address) on one side of the router; Outside Network (Outside Address 210.1.1.0/24) on the other.]

The users in Figure 6-2 are configured with the inside local addresses ranging from 10.99.34.1/24 to 10.99.34.254/24. To allow Internet access, NAT (PAT could also be configured if only one IP address was allocated by InterNIC) is configured on Router R1 to permit the inside local addresses access to the Internet. Advantages of using NAT include the following:

■ You can hide the Class A address space 10.99.34.0/24.

■ You can connect a nonroutable network to the Internet.

■ You can use unregistered address space and NAT to the Internet.

■ You can use both NAT and PAT on the same router.

■ You can have 64,000 inside hosts per allocated IP address.

To view the NAT translation table on the Cisco router, apply the EXEC command show ip nat translations on the CLI.

The InterNIC is an Internet authority that is assigned the task of allocating IP address space to the public. For example, Figure 6-2 assumes that the InterNIC assigned the address space 210.1.1.0/24 for use.

NOTE Disadvantages of NAT/PAT include the following:

■ Drain on CPU processing power.

■ Layer 3 header and source address changes.

■ Some multimedia-intensive applications do not support NAT, especially when the data stream inbound is different from the outbound path (for example, in multicast environments).
