Thursday, January 2, 2014

NAT

Network Address Translation (NAT) is simple in concept but the configuration can be a bit tricky.

NAT Basics

Think of two networks: your local area network (using private IP addresses), and the outside world (using public IP addresses). The packets on your LAN will typically have source IP addresses in the private IP address ranges (such as 192.168.1.1), so how can they travel outside your local network?

The answer is to let the packets swap out their private source addresses temporarily for a globally routable, public IP address. This can be from a pool of public IP addresses your company may have purchased. The router is told what the pool is, and then one of those addresses is grabbed and becomes the source address for the outgoing packet:


The reverse then happens when the packet is coming back.

This can also be used to make a privately addressed web server available to the public. In that case, inbound packets addressed to the public IP address have their destination swapped for the private internal IP address of your web server (and the replies get the public address put back as their source):

The outside world thinks your web server's IP address is 91.24.32.1, but in reality, the server's address is the private 192.168.2.2.

The reasons to use NAT? Most often, it is used to share Internet access with all computers in a private LAN. The outgoing packets have their 

Some Tricky Terminology

A real, private, local IP address is called "inside local". A real, public IP address is called "outside global".

After a packet has passed through NAT and had its source or destination IP address changed, a real public IP address that has been "transformed" into an internal, private IP address is called "outside local", because it is an outside address that has temporarily been given a local, private identity.

And a packet that has passed through NAT going from your private LAN to a globally routable IP address is called "inside global", because it is an inside private address that has been swapped out temporarily with a globally routable public address.

To recap this terminology because it can be confusing:
  • Outside global: the real public IP address of an outside host, before NAT translation
  • Inside local: the real private IP address of an inside host, before NAT translation
  • Outside local: the address an outside host appears to have on the LAN after NAT has rewritten it
  • Inside global: the public address NAT substitutes for an inside host so it can be reached from outside

With ordinary source NAT (the examples below), outside addresses are never rewritten, so outside local and outside global are the same address; the distinction only matters when you translate outside addresses as well, for example to join two networks with overlapping subnets.

NAT Configuration, Step-By-Step

Step 1: Tell the router which interfaces are inside and which are outside

The first step to configuring NAT is to tell the router which interface is inside and which is outside. Generally, inside interfaces would be the LAN, and outside would be public outward-facing interfaces. This is not set in stone, however. For example, you may decide to connect two internal networks together and use NAT because you have overlapping IP subnets. In this case, it is arbitrary which network is "inside" and which is "outside", since they are both technically inside.

Step 2: Create the pool of addresses to use for the swapping
Next, you tell the router the pool of addresses you want to use for the swapping. This could be a range of IP addresses or just a single one. This type of NAT is called "dynamic", since the router decides on the fly which pool address to hand to each inside host. You could also configure a fixed one-to-one address swap, which is called "static NAT"; in that case there is no pool to create. Static NAT is what the web server case above needs, since the outside world must always reach the server at the same public address.

Step 3: Decide whether to use overloading or not
A third possibility is to have source addresses swapped out with a single public (outside) address, usually the address of the router's own outside interface. This is called "overloaded NAT", since every local computer is swapped out with the one source address of your router. How does the router keep track of which local IP address to put back on a returning packet, if they all share the same address? It uses the source port number. Each host picks an ephemeral source port for a connection (that is how the host itself knows which application a returning packet belongs to), and the router records the pairing of inside address and port against the port it uses on the outside. If two inside hosts happen to pick the same source port, the router rewrites one of them to a free port so that the outside (address, port) pairs stay unique. For this reason it is also called Port Address Translation (PAT). A side effect is that an inbound packet with no matching table entry cannot be delivered to any inside host, which is why overloaded NAT is what home routers use: every computer in the home gets Internet access, and none of them is reachable by unsolicited inbound connections.
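As an added illustration (this is not code from the original post), here is a small Python model of what the router's translation table does for inside-source NAT: a static one-to-one entry for the web server from the earlier section, plus overloading (PAT) on a single outside address. The names follow the terminology recap above. Packet, NatRouter, the addresses 11.2.1.2, 91.24.32.1 and 192.168.1.0/24 and the sample traffic in demo() are all constructed for the example; real routers also key entries on the destination address and port and age them out.

```python
"""Toy model of a NAT/PAT translation table (added example, not from the original post).

Everything here is constructed for illustration: Packet, NatRouter, the addresses
and the sample traffic in demo(). Only inside-source NAT is modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Inside-source NAT: static one-to-one entries plus overloading (PAT)."""

    def __init__(self, pat_address, inside_subnet, port_range=(1024, 65535)):
        self.pat_address = pat_address                          # the single inside global address
        self.inside_net = ipaddress.ip_network(inside_subnet)   # plays the role of the access list
        self.low, self.high = port_range
        self.static = {}        # inside local -> inside global
        self.static_rev = {}    # inside global -> inside local
        self.pat_out = {}       # (inside local, port, proto) -> port used on the outside
        self.pat_in = {}        # (outside port, proto) -> (inside local, port)

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global
        self.static_rev[inside_global] = inside_local

    def _outside_port(self, wanted, proto):
        # Keep the host's own source port when nobody else holds it; otherwise hand
        # out the next free one, so two hosts that both picked port 40000 still get
        # distinct (address, port) pairs on the outside.
        if (wanted, proto) not in self.pat_in:
            return wanted
        for port in range(self.low, self.high + 1):
            if (port, proto) not in self.pat_in:
                return port
        raise RuntimeError("PAT port range exhausted")

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source (inside local -> inside global)."""
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt  # not permitted by the "access list": forwarded untranslated
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.pat_out:
            oport = self._outside_port(pkt.src_port, pkt.proto)
            self.pat_out[key] = oport
            self.pat_in[(oport, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.pat_address, self.pat_out[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: put the inside local address back, or drop (return None)."""
        if pkt.dst_ip in self.static_rev:
            return Packet(pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port, pkt.proto)
        if pkt.dst_ip == self.pat_address:
            entry = self.pat_in.get((pkt.dst_port, pkt.proto))
            if entry is not None:
                local_ip, local_port = entry
                return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.proto)
        return None  # no table entry: an unsolicited inbound packet has nowhere to go


def demo():
    """Constructed traffic: two LAN hosts sharing a source port, a reply, a probe, and the web server."""
    nat = NatRouter("11.2.1.2", "192.168.1.0/24")
    nat.add_static("192.168.2.2", "91.24.32.1")   # the web server from the earlier section
    a = nat.outbound(Packet("192.168.1.10", 40000, "8.8.8.8", 53, "udp"))
    b = nat.outbound(Packet("192.168.1.11", 40000, "8.8.8.8", 53, "udp"))  # same port, other host
    reply_b = nat.inbound(Packet("8.8.8.8", 53, "11.2.1.2", b.src_port, "udp"))
    unsolicited = nat.inbound(Packet("203.0.113.9", 4444, "11.2.1.2", 3389, "tcp"))
    to_web = nat.inbound(Packet("203.0.113.9", 50123, "91.24.32.1", 80, "tcp"))
    return a, b, reply_b, unsolicited, to_web


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running demo() shows the second host's port being rewritten to the first free one (1024 here) because 40000 was already taken, the reply to that port finding its way back to 192.168.1.11:40000, the probe to port 3389 being dropped for lack of a table entry, and the connection to 91.24.32.1 reaching the web server through the static entry alone.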

Step 4: Access List
Then, you create the list of devices that should use NAT: typically an access list matching the internal addresses you want translated to inside global addresses. If you just want your entire internal network to use NAT, you would create an access list permitting your entire subnet.

Step 5: Turn it On
Finally, turn NAT on by telling the router whether to swap out source or destination addresses, the name of the access list of devices that are to use NAT, the name of the pool of addresses that will be used for the swapping, and whether to use overloaded NAT or not.

Example 1


1. Set interfaces to be inside or outside:
int fa0/0
ip nat inside

int s0/0
ip nat outside
2. Create a pool named "OurPool" of IP addresses from 11.2.1.2 to 11.2.1.200, with a subnet mask of 255.0.0.0:
ip nat pool OurPool 11.2.1.2 11.2.1.200 netmask 255.0.0.0
3. Create an access list allowing certain devices to use NAT; in this case, all internal devices:
access-list 7 permit 192.168.1.0 0.0.0.255
4. Finally, turn NAT on by telling it whether to swap outgoing source or outgoing destination addresses. In this case, we are telling it to swap outbound packet source addresses with the "inside source" command; for the returning packets, the same table entry swaps the destination address back. If you instead want outgoing packets to have their destination addresses swapped (and incoming packets their source addresses), you would use "outside source". This command also names the access list (the inside devices that should use NAT) and the pool of addresses used for the swapping. Overloading is off unless you append the "overload" keyword, so it is simply left off here:
ip nat inside source list 7 pool OurPool
Example 2

1. Set interfaces to be inside or outside:
int fa0/0
ip nat inside

int s0/0
ip nat outside
2. Create a pool named "OurPool" containing a single public IP address (the same address is given as both the start and the end of the range). We will do overloading with this configuration:
ip nat pool OurPool 11.2.1.2 11.2.1.2 netmask 255.0.0.0
3. Create an access list allowing certain devices to use NAT; in this case, all internal devices:
access-list 7 permit 192.168.1.0 0.0.0.255
4. Finally, turn NAT on. As in Example 1, "inside source" swaps the source addresses of outbound packets (and the destination addresses of the returning packets); "outside source" would be used to translate outside addresses instead. This time the command ends with the "overload" keyword, so every inside device is translated to the one address in the pool and told apart by port number:
ip nat inside source list 7 pool OurPool overload
NOTE: You could also skip the pool entirely and replace "pool OurPool" in this last command with "interface serial 0/0", so that the router uses the IP address of its serial interface for the overloading.
