Network Address Translation and Port Address Translation

NAT is a router function that translates the addresses of hosts behind a firewall. It also helps to overcome the IP address shortage, and it provides a measure of security by hiding the entire network and its real IP addresses.

NAT is typically used for internal IP networks that have unregistered (not globally unique) IP addresses. NAT translates these unregistered addresses into legal addresses on the outside (public) network.

PAT provides additional address expansion but is less flexible than NAT. With PAT, one IP address can serve up to 64,000 hosts by mapping many source port numbers onto that single IP address. PAT is secure because the inside hosts' source IP addresses are hidden from the outside world. The perimeter router typically provides the NAT or PAT function.
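As an added illustration (not code from the book), the following Python model shows how PAT multiplexes many inside local addresses onto one inside global address by allocating a distinct translated source port per flow, and how the table is consulted in both directions. The public address 203.0.113.1 and the 10.x.x.x inside hosts are constructed sample values.

```python
import ipaddress
from collections import deque

# Constructed sample values: one public (inside global) address and a pool of
# translated source ports. A real deployment gets its public address from the registry.
INSIDE_GLOBAL = "203.0.113.1"
PORT_POOL = range(1024, 65536)   # roughly 64,000 ports, hence "64,000 hosts per address"


class PatTable:
    """Toy PAT translation table: many inside local hosts share one inside global address."""

    def __init__(self, inside_global=INSIDE_GLOBAL, ports=PORT_POOL):
        self.inside_global = str(ipaddress.ip_address(inside_global))
        self.free_ports = deque(ports)   # ports not yet allocated to any flow
        self.outbound = {}               # (inside_local, local_port) -> global_port
        self.inbound = {}                # global_port -> (inside_local, local_port)

    def translate_out(self, inside_local, local_port):
        """Rewrite the source of an outbound packet; returns None if the port pool is exhausted."""
        key = (str(ipaddress.ip_address(inside_local)), local_port)
        if key not in self.outbound:
            if not self.free_ports:
                return None              # no free port: the router cannot create a new entry
            global_port = self.free_ports.popleft()
            self.outbound[key] = global_port
            self.inbound[global_port] = key
        return (self.inside_global, self.outbound[key])

    def translate_in(self, global_port):
        """Map a reply's destination port back to the inside host; unknown ports yield None (dropped)."""
        return self.inbound.get(global_port)

    def free_count(self):
        return len(self.free_ports)

    def show(self):
        """Rows in the spirit of 'show ip nat translations': inside global <- inside local."""
        return [f"{self.inside_global}:{gp} <- {local}:{lp}"
                for (local, lp), gp in self.outbound.items()]


if __name__ == "__main__":
    table = PatTable()
    for host in ("10.1.1.10", "10.1.1.11", "10.1.1.10"):   # third call reuses the first entry
        print(host, "->", table.translate_out(host, 40000))
    print("\n".join(table.show()))
```

Note that two inside hosts using the same local port 40000 still get distinct global ports, which is what lets the router route the replies back correctly.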

NAT is defined in RFC 1631. Cisco devices started supporting NAT in IOS versions 11.2 and higher. NAT essentially lets you retain your network's original IP addressing scheme while translating that scheme into a valid Internet IP address, so that intruders never see your private addresses.

NOTE IOS 12.0 and higher support full NAT functionality in all images. Versions 11.2 and higher need the "PLUS" image for the NAT feature set.

NAT changes the Layer 3 address when the packet is sent out to the Internet. No other protocol performs this function (that is, altering the Layer 3 source address).

To fully prepare you for the exam, Table 7-2 explains some of the terminology used in a NAT environment.

Table 7-2 NAT Terminology

Inside local address: An IP address assigned to a host on the internal network; that is, the logical address that is not advertised to the Internet. A local administrator generally assigns this address. This address is NOT a legitimate Internet address.

Inside global address: A legitimate registered IP address, as assigned by the InterNIC.

Outside local address: The IP address of a network's outside host as it appears to the inside network while being translated.

Outside global address: The IP address assigned to a host on the outside of the network that is being translated, as assigned by the host's owner.

Figure 7-2 displays a typical scenario in which a private address space is deployed that requires Internet access. The Class A is not routable on the Internet.

Figure 7-2 Typical NAT Scenario (figure labels: Inside or Private Network; Outside Network; NAT Table with columns Inside Address and Outside Address; InterNIC Assigned Address)

The users in Figure 7-2 are configured with the inside local addresses ranging from to To allow Internet access, NAT (PAT could also be configured if only one IP address was allocated by the InterNIC) is configured on Router R1 to permit the inside local addresses access to the Internet. Advantages of using NAT include the following:

• You can hide the Class A address space.

• It gives you the capability to connect a nonroutable network to the Internet.

• You can use unregistered address space and NAT it to the Internet.

• You can use both NAT and PAT on the same router.

• You can have 64,000 inside hosts per allocated IP address.

To view the NAT translation table on the Cisco router, apply the exec command show ip nat translations on the CLI.

The InterNIC is an Internet authority assigned the task of allocating IP address space to the public. In Figure 7-2, assume that the InterNIC assigned the address space for use.

NOTE Disadvantages of NAT/PAT include the following:

• It consumes router CPU processing power.

• The Layer 3 header and source address are changed.

• Voice over IP is not supported yet.

• Some multimedia-intensive applications do not support NAT, especially when the inbound data stream takes a different path from the outbound one (for example, in multicast environments).
