Network Address Translation (NAT)

NAT is one of the fundamental features that practically every router, firewall and operating system supports. NAT is the reason why multiple PCs in your home can access the Internet using only one public IP address. Let’s explore NAT today and see how to configure it on a Cisco router.

What is NAT ?

Let’s say you have 10 PCs in your home or in a private network and each of these PCs needs to access the Internet. Without NAT, you would need to buy 10 public Internet IP addresses from your ISP (BSNL/Airtel/Hathway). This means the monthly Internet bill would be ten times what you would pay for one public IP address. Assuming one public IP costs 500 Rupees per month, ten IP addresses would cost 500 x 10 = 5000 Rs (my monthly home rent!).

Without NAT

With NAT, all ten PCs in the private network can access the Internet using only one public IP address. This not only saves you money but also keeps the private addressing invisible to the external Internet, which gives privacy and a measure of protection: a packet arriving from outside with no matching translation is simply dropped (NAT is still not a substitute for a firewall). Think about the IP addresses saved as a result of NAT: if 100 PCs can access the Internet using only one public IP address, the remaining 99 public IP addresses can be assigned to 99 other customers by the ISP, and the address space is used far more effectively. As a matter of fact, the depletion of the IPv4 address space slowed down because of NAT, thanks to its ability to translate between private and public IP addresses without any noticeable delay.

With NAT

In summary, NAT is a service, usually enabled on the router, that translates private IP addresses into public IP addresses and vice versa. To the hosts within the private network it remains completely transparent: each behaves as if it were connected to the Internet with a public IP address, even though it has been assigned a private one.

Keith Barker gives a concise explanation of NAT in this micro-nugget.


What are the advantages of NAT ?

  1. Security : hosts on the Internet see only the one public address, and a packet arriving from outside with no matching translation is dropped, so the private network is not directly reachable (this hides the internal addressing; it is not a substitute for a firewall)
  2. Better usage of public IP address space
  3. Internet connection sharing
  4. Cost savings

Where is NAT implemented ?

Usually at the router, but any NAT-capable device, such as a firewall, a third-party appliance or even a PC running Linux (iptables/nftables masquerading), can do NAT.

How does NAT work ?

NAT works by maintaining a mapping table called the NAT Table. For each session it records the mapping between the private (inside local) address and the public (inside global) address, so that when the reply arrives on the public interface the router knows to which host within the private network the packet should be forwarded.

The NAT Table resides in the routers memory and the number of NAT translations the router can support depends on the size of the NAT Table.

With most NAT devices, the session limit is bounded by the available memory in the device. Each NAT translation consumes about 160 bytes of memory, so 10,000 translations (a lot more than a small router would normally handle) consume about 1.6 MB. A typical routing platform therefore has more than enough memory to support thousands of NAT translations, but in practice the story (as always) is different: the CPU work of creating and looking up entries tends to become the limit first.

The larger router models and dedicated gateway/firewall appliances are able to track a lot more connections simultaneously (8000 to 25000), which makes them ideal for large corporations that need such capacity.

What are the different modes of NAT ?

NAT can operate in one of the following three modes.

  1. Static NAT : In static NAT, every private IP address is permanently mapped to one public IP address. The mapping is configured by hand, so every PC in the private network has its IP address statically assigned. This mode saves no public IP addresses and does not scale, so it is rarely used for ordinary client access; its usual role is to publish an internal server (web, mail) on a fixed public address, which also means inbound connections to that server are always passed through.
  2. Dynamic NAT : Similar to static NAT but without the need to assign public addresses to PCs by hand. Dynamic NAT translates a private IP address into a public IP address taken from a pool. The public address used by a host stays the same for the length of the session; when the same PC initiates another session, it is likely to be mapped to a different public address. Note that dynamic NAT still needs as many public IP addresses as there are hosts accessing the Internet at the same time; once the pool is exhausted, new sessions fail until an existing translation times out. Dynamic NAT has limited applications.
  3. NAT overload : NAT overload is the mode that is widely used and has become synonymous with NAT itself. It enables multiple private hosts to access the Internet simultaneously using only one public IP address. It works by tracking the source port number of every session along with the addresses. The source port a host picks is (nearly) random, so it usually already distinguishes the conversations; when two inside hosts happen to pick the same source port toward the same destination, the router translates one of them to a free port, so the NAT Table can always identify the conversation without ambiguity. NAT overload is known by other names: Port Address Translation (PAT), NAT with PAT, Network Address Port Translation (NAPT), and IP Masquerading.
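The NAT Table lookup described under "How does NAT work ?" and the port tracking that keeps NAT overload unambiguous, as an added example that is not part of the original post: a small Python simulation of a PAT device with a single public address. The inside network 192.168.1.0/24, the public address 203.0.113.1 and the remote hosts (RFC 5737 documentation ranges), the 60-second idle timeout and the simplified port-selection rule are assumptions; a real IOS router uses per-protocol timeouts and picks replacement ports by range. Beyond address sharing it shows two things the table gives you: an inbound packet with no matching entry is dropped, and idle entries expire.

```python
"""NAT overload (PAT) simulator: one public address shared by many inside hosts.

Added example, not from the original post. Inside network, public address,
timeout and port-selection rule are assumptions (see the comments).
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed 'ip nat inside' network
INSIDE_GLOBAL = "203.0.113.1"                        # assumed single public (inside global) address
TIMEOUT = 60.0                                       # assumed idle timeout, seconds


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"; for icmp the 'port' fields carry the query id
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    proto: str
    inside_local: tuple    # (ip, port) as the LAN sees the host
    inside_global: tuple   # (public ip, port) as the Internet sees it
    outside: tuple         # (ip, port) of the remote endpoint
    last_seen: float


class PAT:
    def __init__(self):
        # Extended entries keyed like IOS: the outside endpoint is part of the key,
        # so one global port can be reused toward different remote hosts.
        self.table = {}
        self.stats = {"hits": 0, "misses": 0, "dropped_inbound": 0, "expired": 0}

    def _global_port(self, proto, wanted, outside):
        # Keep the host's own source port unless another inside host already uses
        # it toward the same remote endpoint; then translate it to a free one.
        in_use = {e.inside_global[1] for e in self.table.values()
                  if e.proto == proto and e.outside == outside}
        if wanted not in in_use:
            return wanted
        return next(p for p in range(1024, 65536) if p not in in_use)

    def expire(self, now):
        """Remove entries idle longer than TIMEOUT (the 'Expired translations' counter)."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > TIMEOUT]
        for k in stale:
            del self.table[k]
        self.stats["expired"] += len(stale)
        return len(stale)

    def outbound(self, pkt, now):
        """Inside -> outside: create or refresh an entry and rewrite the source."""
        self.expire(now)
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return None  # the job of the NAT access-list: not an inside host, not translated
        key = (pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport))
        e = self.table.get(key)
        if e is None:  # a 'miss' in 'show ip nat statistics' terms: a new translation
            self.stats["misses"] += 1
            gport = self._global_port(pkt.proto, pkt.sport, (pkt.dst, pkt.dport))
            e = Entry(pkt.proto, (pkt.src, pkt.sport), (INSIDE_GLOBAL, gport),
                      (pkt.dst, pkt.dport), now)
            self.table[key] = e
        else:
            self.stats["hits"] += 1
        e.last_seen = now
        return Packet(pkt.proto, INSIDE_GLOBAL, e.inside_global[1], pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Outside -> inside: only a packet matching an existing entry is forwarded."""
        self.expire(now)
        for e in self.table.values():
            if (e.proto == pkt.proto and e.inside_global == (pkt.dst, pkt.dport)
                    and e.outside == (pkt.src, pkt.sport)):
                e.last_seen = now
                self.stats["hits"] += 1
                return Packet(pkt.proto, pkt.src, pkt.sport, *e.inside_local)
        self.stats["dropped_inbound"] += 1  # unsolicited: no entry, never reaches the LAN
        return None


def demo():
    """Two inside hosts pick the same source port toward the same server (constructed)."""
    nat = PAT()
    a = nat.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80), now=0.0)
    b = nat.outbound(Packet("tcp", "192.168.1.11", 40000, "198.51.100.7", 80), now=1.0)
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 80, INSIDE_GLOBAL, b.sport), now=2.0)
    probe = nat.inbound(Packet("tcp", "192.0.2.99", 4444, INSIDE_GLOBAL, 22), now=3.0)
    leak = nat.outbound(Packet("tcp", "10.9.9.9", 5555, "198.51.100.7", 80), now=4.0)
    nat.outbound(Packet("tcp", "192.168.1.11", 40000, "198.51.100.7", 80), now=45.0)
    nat.expire(now=65.0)  # host .10 has been idle past TIMEOUT, host .11 has not
    return {"a_sport": a.sport, "b_sport": b.sport,
            "reply_dst": (reply.dst, reply.dport),
            "probe_dropped": probe is None, "non_inside_translated": leak is not None,
            "entries_after_timeout": len(nat.table), "stats": nat.stats}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Host .10 keeps its source port 40000 on the public side; host .11, colliding with it toward the same server, is moved to 1024, and the reply addressed to 203.0.113.1:1024 is delivered back to 192.168.1.11:40000. The probe to port 22 and the packet from a non-inside source are both refused, and after the timeout only the refreshed session remains.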


How to configure NAT Overload on a Cisco router ?

Let’s consider the following network wherein the internal hosts require Internet access. NAT overloading needs to be enabled on the private-network edge router R1, which is connected to the ISP’s router R2.

Topology NAT overload

There are three steps to configure NAT overload on any Cisco router.

Step # 1: Configure the inside and the outside interface. In the topology “FastEthernet 0/0” is the inside (private) interface and “Serial 2/0” is the outside (public) interface.

R1(config)#int fa0/0
R1(config-if)#ip nat inside

R1(config)#int serial2/0
R1(config-if)#ip nat outside


Step # 2: Create an access-list that marks the hosts of the internal network to be NAT’ed. We need to provide NAT’ing to hosts in network. The list should match only the inside addresses you intend to translate: a list that permits any source will also translate traffic from any other network the router forwards out of an inside interface.

R1(config)#access-list 100 remark ###[NAT controlled hosts]###
R1(config)#access-list 100 permit ip any


Step # 3 : Enable NAT Overload and bind it to the outside interface.

R1(config)#ip nat inside source list 100 interface serial2/0 overload

The NAT Table can be viewed by running show ip nat translations.

R1#sh ip nat translations 

The NAT Table is empty and gets populated with new entries as the hosts start initiating sessions across the router. After pinging the ISP’s router from both the PCs, the NAT Table now has the following.

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

Note that each entry carries the protocol, the IP addresses and the source port number (for ICMP, the query identifier takes the place of the port), which is what makes each session unique.

Viewing the NAT translation table can reveal a lot about your network’s activity: here you can identify inside hosts that are not supposed to be reaching the Internet at all, and destinations or ports that look suspicious.

Because these entries are all dynamically created, they are temporary and are removed from the translation table once they have been idle for the protocol’s timeout (on IOS, by default roughly 24 hours for an established TCP session, 5 minutes for UDP and 1 minute for ICMP; tunable with the ip nat translation timeout family of commands).

Another point to keep in mind: when hosts run programs that create a lot of connections, e.g. uTorrent or LimeWire, you may see sluggish performance from the router as it tries to keep up with all of them. Thousands of simultaneous translations put serious stress on the CPU.
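One way to act on the two previous points, reviewing the translation table for traffic that should not be there and spotting a single host holding an unusual number of translations, as an added example that is not the post’s own code: parse the output of show ip nat translations and flag entries. The sample output is constructed (RFC 5737 addresses); the inside network 192.168.1.0/24, the list of ports a workstation should not normally reach directly, and the per-host threshold of 3 are assumptions chosen to fit the sample. On a real router, paste or pipe the command output in place of the sample.

```python
"""Triage of 'show ip nat translations' output. Added example, not from the post.

SAMPLE is constructed; INSIDE_NET, SUSPECT_PORTS and MAX_PER_HOST are assumptions.
"""
import ipaddress
import re
from collections import Counter

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network
SUSPECT_PORTS = {23: "telnet", 25: "smtp", 445: "smb", 3389: "rdp"}  # assumed policy
MAX_PER_HOST = 3   # assumed threshold; a real P2P client shows hundreds of entries

# Constructed output in the IOS column layout shown earlier on this page.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:512   192.168.1.10:512   198.51.100.1:512   198.51.100.1:512
tcp  203.0.113.1:40000 192.168.1.10:40000 198.51.100.7:80    198.51.100.7:80
tcp  203.0.113.1:1024  192.168.1.11:40000 198.51.100.7:80    198.51.100.7:80
tcp  203.0.113.1:40533 192.168.1.11:40533 198.51.100.9:25    198.51.100.9:25
udp  203.0.113.1:6881  192.168.1.12:6881  192.0.2.20:6881    192.0.2.20:6881
udp  203.0.113.1:6882  192.168.1.12:6882  192.0.2.21:6881    192.0.2.21:6881
udp  203.0.113.1:6883  192.168.1.12:6883  192.0.2.22:6881    192.0.2.22:6881
udp  203.0.113.1:6884  192.168.1.12:6884  192.0.2.23:6881    192.0.2.23:6881
tcp  203.0.113.1:1055  10.20.30.40:1055   198.51.100.7:443   198.51.100.7:443
"""

# proto, then four addr:port columns; the header and static '---' entries do not match
LINE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse(text):
    """Yield one dict per dynamic (extended) translation entry."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, ig, igp, il, ilp, _ol, _olp, og, ogp = m.groups()
            yield {"proto": proto,
                   "inside_global": (ig, int(igp)),
                   "inside_local": (il, int(ilp)),
                   "outside": (og, int(ogp))}


def triage(text):
    """Return (inside host, reason) findings for entries worth a second look."""
    findings = []
    counts = Counter()
    for e in parse(text):
        host = e["inside_local"][0]
        counts[host] += 1
        # A translated source outside the inside network means the NAT access-list
        # is wider than intended (or something is spoofing on the LAN).
        if ipaddress.ip_address(host) not in INSIDE_NET:
            findings.append((host, "inside local address outside the expected inside network"))
        dst, dport = e["outside"]
        if dport in SUSPECT_PORTS:
            findings.append((host, f"outbound {e['proto']}/{dport} ({SUSPECT_PORTS[dport]}) to {dst}"))
    # Many concurrent entries from one host: P2P, a scanner, or a chatty piece of malware.
    for host, n in counts.items():
        if n > MAX_PER_HOST:
            findings.append((host, f"{n} simultaneous translations (P2P or scanning?)"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE):
        print(f"{host:16} {reason}")
```

Against the sample this reports the workstation sending mail directly to a remote port 25, the 10.20.30.40 source that the NAT access-list should never have matched, and the host holding four parallel UDP translations, while the normal ping and web sessions stay quiet.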

To clear the NAT Table and free its resources you can run the following; note that this also tears down every active session, so hosts will have to reconnect.

R1#clear ip nat translation *

The IP NAT statistics provide the total number of active translations, the peak number of translations, expired translations and much more.

R1#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 10, occurred 00:05:30 ago
Outside interfaces:
Inside interfaces:
Hits: 20  Misses: 0
CEF Translated packets: 20, CEF Punted packets: 0
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface Serial2/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


Jeremy Cioara walks us through the configuration of NAT overload (PAT).



About Deepak Devanand

Seeker of knowledge