NAT is one of the fundamental features every router, firewall and OS supports. NAT is the reason why multiple PCs in your home can access the Internet using only one public IP address. Let’s explore NAT today and get to know how to configure it on a Cisco router.
What is NAT?
Let’s say you have 10 PCs in your home or in a private network and each of these PCs needs to access the Internet. Without NAT, you would need to buy 10 public Internet IP addresses from your ISP (BSNL/Airtel/Hathway). This means the monthly Internet bill would now be ten times what you would pay for one public IP address. Assuming one public IP costs 500 Rupees per month, ten IP addresses would cost 500 x 10 = 5000 Rs (my monthly home rent!).
With NAT, all ten PCs in the private network can access the Internet using only one public IP address. This not only saves you money but also hides your private network from the external Internet, giving security and privacy. Think about the IP addresses saved as a result of NAT. If 100 PCs can access the Internet using only one public IP address, the remaining 99 public IP addresses can be assigned by the ISP to 99 other customers. That way the IP address space is utilized effectively. As a matter of fact, the pace at which the IPv4 address space of the Internet is being depleted has slowed down because of NAT, thanks to its ability to translate between private and public IP addresses efficiently and without any noticeable delay.
In summary, NAT is a service usually enabled at the router that translates private IP addresses into public IP addresses and vice versa. To the hosts within the private network it remains completely transparent: each host behaves as if it were connected to the Internet using a public IP address, even though it has been assigned a private IP address.
Keith Barker gives a concise explanation of NAT in this micro-nugget.
What are the advantages of NAT?
- Security — Internet sees only one computer and the private network gets hidden
- Better usage of public IP address space
- Internet connection sharing
- Cost savings
Where is NAT implemented?
Usually at the router. But any NAT-capable device such as a firewall, a third-party appliance or even a PC running Linux can do NAT.
How does NAT work?
NAT works by maintaining a mapping table called the NAT Table. The NAT Table maintains the mapping between the private IP address and the public IP address, so when a reply hits the public interface the router knows which host within the private network the packet should be forwarded to.
The NAT Table resides in the router’s memory, and the number of NAT translations the router can support depends on the size of the NAT Table.
With most NAT devices, the NAT session limit is bound by the available memory in the device. Each NAT translation consumes about 160 bytes in the device’s memory. As a result, 10,000 translations (a lot more than would normally be handled by a small router) will consume about 1.6 MB of memory. Therefore a typical routing platform has more than enough memory to support thousands of NAT translations, but in practice the story (as always) is different.
The larger router models and dedicated gateway/firewall appliances are able to track a lot more connections simultaneously (8000 to 25000), which makes them ideal for large corporations that need such capacity.
What are the different modes of NAT?
NAT can operate in one of the following three modes.
- Static NAT: In static NAT, every private IP address requires a public IP address to map to. The mapping is statically bound to each private IP address. Consequently, every PC in the private network has its IP address statically assigned. This mode doesn’t save any public IP addresses, nor does it scale well. Static NAT is very rarely used.
- Dynamic NAT: Similar to static NAT, but it overcomes the need to statically assign IP addresses to PCs. Dynamic NAT translates the private IP address into a public IP address taken from a pool of public IP addresses. The public IP address used for the host remains the same for the length of the session. When the same PC initiates another session, the public IP address mapped to it is likely to change. Do note that dynamic NAT requires as many public IP addresses as there are hosts in the private network requiring Internet access. Dynamic NAT has limited applications.
- NAT overload: NAT overload is the mode that is widely used and is synonymous with NAT itself. NAT overload enables multiple private hosts to access the Internet simultaneously using only one public IP address. NAT overload works by tracking the source port number of every packet. Since the source port number is random and unique for every conversation, the NAT Table has enough information to identify the conversations without any ambiguity. NAT overload is known by other names like Port Address Translation (PAT), NAT with PAT, Network Address Port Translation (NAPT), and IP Masquerading.
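The port-tracking idea behind NAT overload, as an added example that is not part of the original article: a small model of a PAT table with one public IP in front of several private hosts. It goes one step beyond the text by handling the case where two hosts happen to pick the same source port towards the same peer (the second one gets a fresh port), and it shows that a reply with no table entry is simply dropped. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Entry:
    proto: str
    inside_local: Endpoint    # private host as seen on the LAN
    inside_global: Endpoint   # what the Internet sees: public IP + port
    outside: Endpoint         # remote peer


class PatTable:
    """NAT overload: one public IP, flows told apart by port (constructed model)."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[tuple, Entry] = {}   # (proto, src, dst) -> entry
        self.back: Dict[tuple, Entry] = {}  # (proto, global port, peer) -> entry

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a LAN packet's source; create a table entry on first sight."""
        key = (proto, src, dst)
        if key not in self.out:
            # Keep the host's own source port where possible (as in the sample
            # table in the article); if another host already uses it towards
            # the same peer, allocate a fresh one so replies stay unambiguous.
            port = src[1]
            while (proto, port, dst) in self.back:
                port, self.next_port = self.next_port, self.next_port + 1
            entry = Entry(proto, src, (self.public_ip, port), dst)
            self.out[key] = entry
            self.back[(proto, port, dst)] = entry
        return self.out[key].inside_global

    def inbound(self, proto: str, peer: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Map a reply arriving on the public interface back to the private host.
        No entry means the packet is dropped: unsolicited traffic never reaches
        the LAN, which is the 'hidden network' property the article mentions."""
        entry = self.back.get((proto, dst_port, peer))
        return entry.inside_local if entry else None

    def active(self) -> int:
        return len(self.out)
```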
How to configure NAT Overload on a Cisco router?
Let’s consider the following network wherein the internal hosts require Internet access. NAT overloading needs to be enabled on the private network’s edge router R1, which is connected to the ISP’s router R2.
There are three steps to configure NAT overload on any Cisco router.
Step # 1: Configure the inside and the outside interface. In the topology “FastEthernet 0/0” is the inside (private) interface and “Serial 2/0” is the outside (public) interface.
R1(config)#int fa0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int serial2/0
R1(config-if)#ip nat outside
R1(config-if)#exit
Step # 2: Create an access-list that marks the hosts of the internal network to be NAT’ed. We need to provide NAT’ing to hosts in 192.168.1.0/24 network.
R1(config)#access-list 100 remark ###[NAT controlled hosts]###
R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Step # 3: Enable NAT Overload and bind it to the outside interface.
R1(config)#ip nat inside source list 100 interface serial2/0 overload
The NAT Table can be viewed by running show ip nat translations.
R1#sh ip nat translations
The NAT Table is empty at first and gets populated with new entries as the hosts start initiating sessions across the router. After pinging the ISP’s router from both PCs, the NAT Table now has the following entries.
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 188.8.131.52:28775 192.168.1.10:28775 184.108.40.206:28775 220.127.116.11:28775
icmp 18.104.22.168:29031 192.168.1.10:29031 22.214.171.124:29031 126.96.36.199:29031
icmp 188.8.131.52:29287 192.168.1.10:29287 184.108.40.206:29287 220.127.116.11:29287
icmp 18.104.22.168:29543 192.168.1.10:29543 22.214.171.124:29543 126.96.36.199:29543
icmp 188.8.131.52:30055 192.168.1.10:30055 184.108.40.206:30055 220.127.116.11:30055
icmp 18.104.22.168:30823 192.168.1.20:30823 22.214.171.124:30823 126.96.36.199:30823
icmp 188.8.131.52:31079 192.168.1.20:31079 184.108.40.206:31079 220.127.116.11:31079
icmp 18.104.22.168:31335 192.168.1.20:31335 22.214.171.124:31335 126.96.36.199:31335
icmp 188.8.131.52:31591 192.168.1.20:31591 184.108.40.206:31591 220.127.116.11:31591
icmp 18.104.22.168:31847 192.168.1.20:31847 22.214.171.124:31847 126.96.36.199:31847
Note that each entry records the protocol and the IP addresses as well as the source port number, making each session unique.
Viewing the NAT translation table can sometimes reveal a lot of important information on your network’s activity. Here you’ll be able to identify traffic that’s not supposed to be routed to the Internet or traffic that seems suspicious.
Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.
Another point you might want to keep in mind is that when programs that create a lot of connections are in use (e.g. uTorrent, LimeWire, etc.), you might see sluggish performance from the router as it tries to keep up with all the connections. Having thousands of connections running through the router can put some serious stress on the CPU.
To clear the NAT Table and free the resources, you can run
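A way to turn the two observations above (unexpected traffic in the table, and hosts holding a large number of sessions) into a repeatable check, as an added example that is not from the original article: a parser for the `show ip nat translations` layout and a small audit over it. The output is constructed in the same column layout as the table shown earlier; 203.0.113.1 is an assumed public IP, and the "known hosts" inventory is an assumption of the example.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the layout of 'show ip nat translations'. The known PCs
# are the article's 192.168.1.10 and .20; row 3 comes from a host nobody put on
# the inventory, and the trailing rows show one host holding many sessions.
SAMPLE_OUTPUT = """\
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:28775 192.168.1.10:28775 198.51.100.2:28775 198.51.100.2:28775
tcp  203.0.113.1:51000 192.168.1.20:51000 198.51.100.7:443   198.51.100.7:443
tcp  203.0.113.1:52000 192.168.1.77:52000 198.51.100.7:80    198.51.100.7:80
""" + "\n".join(
    f"tcp  203.0.113.1:{p} 192.168.1.20:{p} 198.51.100.9:6881 198.51.100.9:6881"
    for p in range(40000, 40012))

COLUMNS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Rows of the table as dicts; the prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(COLUMNS) and parts[0] != "Pro":
            rows.append(dict(zip(COLUMNS, parts)))
    return rows


def host(endpoint: str) -> str:
    """'192.168.1.10:28775' -> '192.168.1.10'."""
    return endpoint.rsplit(":", 1)[0]


def audit(rows: List[Dict[str, str]], known_hosts: Iterable[str],
          max_sessions: int) -> Dict[str, object]:
    """Flag inside hosts that are not on the inventory and hosts holding more
    simultaneous translations than expected (the CPU-stress case described above)."""
    known = set(known_hosts)
    per_host = Counter(host(r["inside_local"]) for r in rows)
    return {
        "unknown_hosts": sorted(h for h in per_host if h not in known),
        "heavy_hosts": {h: n for h, n in per_host.items() if n > max_sessions},
        "total": len(rows),
    }
```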
R1#clear ip nat translation *
The IP NAT service statistics provide information about the total number of active translations, peak translations, expired translations and much more.
R1#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 10, occurred 00:05:30 ago
Outside interfaces:
  Serial2/0
Inside interfaces:
  FastEthernet0/0
Hits: 20  Misses: 0
CEF Translated packets: 20, CEF Punted packets: 0
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface Serial2/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Jeremy Cioara walks us through the configuration of NAT overload (PAT).
NAT | Firewall.cx