Cisco CCNA 200-301 – NAT – Network Address Translation

  1. Introduction

In this section you’ll learn about NAT, Network Address Translation. We already spoke a bit earlier about why we have the need for NAT, which is because of the exhaustion of the IPv4 address space. That was a while back though, in the first lecture, so here I’ll give you a refresher with an overview of that again. Once we’ve covered the need for it, we’ll get into the different types of NAT and how to actually configure and verify them.

We’ll start off with static NAT, which is a way we can do a fixed one-to-one translation between a private IP address on the inside and a public IP address on the outside. This is usually used when we’ve got servers on the inside, like a web server or an email server, for example, that need to accept incoming connections from people out on the public Internet. After static NAT, we will cover dynamic NAT. Dynamic NAT is usually used when you have hosts on the inside that don’t accept incoming connections. They’re not running any services, but they do need to have outbound connectivity to the Internet.

For those hosts, we configure a pool of addresses which are used on a first come, first served basis. That is dynamic NAT. A problem with dynamic NAT is that we’re usually going to have more hosts on the inside than we’ve got public IP addresses available on the outside. So if we just do a standard dynamic NAT configuration, we’re going to run out of IP addresses to give our hosts. The solution for that is to use PAT, Port Address Translation, which allows multiple hosts on the inside to reuse the same public IP address on the outside so that you don’t run out of addresses. That’s the last NAT type that we’ll cover in this section. Okay, that’s everything we’re going to be covering. See you in the next lecture.

  2. IPv4 Address Exhaustion and NAT

In this lecture, I’ll give you an overview of IPv4 address exhaustion and Network Address Translation. Now, a lot of what we’re going to cover here was already spoken about back in the subnetting section, but that was a while back, so I’ll give you a quick review again here. First up, our RFC 1918 private addresses. The IETF documents standards in RFCs, and RFC 1918 specifies private IP address ranges which are not routable on the public Internet.

So if you send traffic with a private IP address as its destination address out to the Internet, the service provider routers will just drop that traffic. Private addresses were originally designed for hosts which should have no Internet connectivity. For example, maybe it’s a university and they need to have connectivity between the hosts internally, but they don’t want the students to have any Internet access.

Public IP addresses cost money, and if an organization has a part of their network where the hosts need to communicate with each other over IP, but they don’t need outside connectivity to the Internet, then they can assign those hosts private IP addresses. There is a range of private addresses in each address class, A, B and C. The range in class A is 10.0.0.0 to 10.255.255.255, which can also be written as 10.0.0.0/8. The range in class B is 172.16.0.0 to 172.31.255.255, which can be written as 172.16.0.0/12. And the range in class C is 192.168.0.0 to 192.168.255.255, that’s 192.168.0.0/16. The class A range of 10.0.0.0/8 and the class C range of 192.168.0.0/16 are dead easy to remember. The one to commit to memory is the class B range, which is 172.16.0.0 to 172.31.255.255.

Now, the designers of IPv4 did not envision the explosive growth of its use, and 4.3 billion addresses seemed more than enough. They didn’t know that everybody would be wanting to get on the Internet, and not just with one device, but with their laptop, their mobile, their tablet, etc. And that’s just personal users. We’ve also got all the business users as well.

So 4.3 billion addresses seemed like it was going to be more than enough, but of course it wasn’t. Also, that 4.3 billion is just a theoretical limit. The number of usable addresses doesn’t get anywhere near that, because the protocol is not particularly efficient in its use of the available space and many of those addresses are wasted.

The Internet authorities started to predict address exhaustion in the late 1980s, and IPv6 was developed in the 90s as the long-term solution to this problem. IPv6 uses a 128-bit address compared to IPv4’s 32-bit address. So the address is four times as long when you write it down. But it’s not just a four times bigger address space: IPv6 actually provides more than 7.9 times 10 to the power of 28 times as many addresses as IPv4. So way more addresses than are available in IPv4, and the idea is that the IPv6 address space will never run out.

But a problem is that there’s not a seamless migration path from IPv4 to IPv6. IPv6 is not backwards compatible with IPv4, so there’s not an easy way to change from one to the other. So Network Address Translation was implemented as a temporary workaround to mitigate the lack of IPv4 addresses until organizations had time to migrate to IPv6.

So the original idea with using NAT for this was that it was just going to be temporary until everybody had time to change to IPv6. But it’s actually turned out to be more of a long-term solution in the real world. An organization can use private IP addresses on their inside network when they’re using NAT, but still grant their hosts Internet access by translating them to their outside public IP addresses. That’s the translation. Many hosts on the inside can share a few, or a single, public IP address on the outside.

So let’s look and see how that works. We’ve got Office A, which is at Company A on the left, and Office B at Company B on the right. You can see that both companies are using the same private IP addresses. They’re both using 192.168.10.0/24. That’s not a problem. There’s no conflict, because the private IP addresses are only used on the inside.

They’re not used for traffic when it’s going between the companies on the outside. You can also see that the companies are reusing public IP addresses here as well. Company A, Office A, they’ve got 200 hosts on the inside, but they’ve only got 14 public addresses, that’s the range 203.0.113.0/28. Company B, they’ve only got six addresses, 203.0.113.16/29, but they’ve got 100 hosts on the inside.

Public IP addresses cost money, so it’s good that we don’t need to pay for a public IP address for every host on the inside. Also, that wouldn’t work anyway because of the lack of IPv4 addresses. NAT solves that, because we can use those private addresses on the inside and multiple hosts can share the same public IP addresses on the outside. Many industry experts predicted in the early 2000s that IPv6 would be ubiquitous within a few years, that everybody would be using it. But it hasn’t actually worked out that way. Most normal enterprises today are using RFC 1918 IPv4 addresses with NAT, but not using IPv6 at all. RFC 1918 has the security benefit of hiding inside hosts by default. Because they’re on a private IP address, they don’t have a publicly routable IP address.

So it’s not possible for attackers on the outside to directly connect to them. That makes things more secure. Plus, network engineers have more experience with IPv4 than IPv6. Like I said, most places are just using IPv4 today. IPv6 is very different from IPv4, and people tend to not like change, so engineers are comfortable already working with IPv4, which is working great as a workaround, as a solution. So that’s why the uptake of IPv6 hasn’t actually been as quick as people were originally expecting.

  3. Static NAT

In this lecture you’ll learn about static NAT, which is the first of the available NAT types that we’re going to cover. Static NAT is a permanent one-to-one mapping, usually between a public and a private IP address. This is used for servers which must accept incoming connections, for example your mail server, or a public web server if you’re hosting that yourself. The next type is dynamic NAT, which uses a pool of public addresses that are given out on an as-needed, first come, first served basis. This is usually used for internal hosts which need to connect out to the Internet but don’t accept incoming connections. And the last NAT type is PAT, Port Address Translation. This allows the same public IP address to be reused. We’re going to be covering the other two types, dynamic NAT and PAT, in detail later on in this section with the examples I’m going to be giving you.

This is the NAT lab that we’re using. You can see that we are the organization over on the left and R1 is our Internet edge router. We’ve got a server, IntS1, that’s internal server 1, which is at 10.0.1.10. Then we’ve got our normal internal hosts. Our desktops are on another IP subnet, as you would see in the real world; they’re on the 10.0.2.0/24 subnet. So we need to configure a static NAT rule to allow incoming connections to internal server 1, because it’s running public services. Maybe it’s a web server and it’s supporting users out on the Internet, or maybe it’s our mail server and we need to accept email coming into the organization.

Down below you see the PCs. They’re not running any services that people on the Internet need to connect into, but they need to be able to connect out to the Internet, for example for our users browsing web pages. So that’s what we’re going to be configuring. For the examples, we’ve got ExtS1, external server 1, over on the right. That is an external server that I’m just going to use for testing and for checking that NAT is working. In our static NAT scenario, we’ve bought the range of public IP addresses 203.0.113.0/28 from our service provider.

It’s a /28, so that gives us 14 public IP addresses. Of those addresses, 203.0.113.2 is used on the outside interface of our Internet edge router, R1. So let’s just look at the diagram again. You can see we’ve got 203.0.113.0/28 as our range of public IP addresses on our outside interface, Fast 0 on R1, and we’re using 203.0.113.2 on that outside interface.

Over on the service provider side of that link, 203.0.113.1 is being used. So that leaves 203.0.113.3 to 203.0.113.14 available for us to assign. IntS1 at 10.0.1.10 is an internal web server which needs to accept incoming connections from the Internet so that people out on the Internet can browse our website. So we need to assign it a fixed public IP address to accept incoming connections. We will use the first available address in our range, that’s 203.0.113.3. That gives us a permanent public IP address that external people can use to connect into our web server. We’re using a private IP address on the inside, 10.0.1.10. So we’re going to need to configure a static, permanent NAT translation to translate the public IP address 203.0.113.3 on the outside Fast 0 interface to 10.0.1.10 on the inside Fast 1/0 interface for those incoming connections.

Now, the translation is bidirectional. We’re going to configure the static NAT translation for traffic coming from the outside to the inside, but our server also needs to send traffic back out to the Internet as well. We don’t need to configure a separate NAT rule for that. Static NAT rules are bidirectional, so the same rule will also take care of the outgoing traffic. So here is how we do the configuration. On R1, first off, we need to specify which interface is the outside and which is the inside. So under interface Fast 0 we say ip nat outside, and then under interface Fast 1/0 we say ip nat inside.

Then we configure the static NAT translation. For that we say ip nat inside source static 10.0.1.10 203.0.113.3, where 10.0.1.10 is the inside IP address and 203.0.113.3 is the outside IP address. And that’s it, that’s the whole config. Now, whenever the host 10.0.1.10 sends traffic that comes in on interface Fast 1/0 and is going out to the outside via Fast 0, the router will change the source IP address on that outbound traffic from 10.0.1.10 to 203.0.113.3.

That’s for the outgoing traffic. For the incoming traffic, whenever traffic comes in with 203.0.113.3 as the destination address on interface Fast 0 on the outside, the router will change that destination address to 10.0.1.10 and send it through to interface Fast 1/0. So this is going to take care of our NAT translation for traffic in both directions. To verify that it is working, send some traffic to or from that host and the outside, and then do the command show ip nat translations. There’s quite a lot to the output there, so I’ll explain that in the next lecture.
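As an added illustration that is not part of the lecture, the Python below models what R1 does with that one static entry: the source of outbound packets from 10.0.1.10 is rewritten, the destination of inbound packets for 203.0.113.3 is rewritten back, and the same entry covers the server’s replies. The inside and outside addresses are the lab’s; the outside client 198.51.100.7, the desktop 10.0.2.50 and the unmapped public address 203.0.113.5 are constructed for the example.

```python
from ipaddress import IPv4Address

# Model of R1's single static entry from the lecture:
#   ip nat inside source static 10.0.1.10 203.0.113.3
# 10.0.1.10 (inside local) and 203.0.113.3 (inside global) are the lab's
# values; every other address used below is constructed for the example.
STATIC_NAT = {IPv4Address("10.0.1.10"): IPv4Address("203.0.113.3")}
REVERSE_NAT = {glob: loc for loc, glob in STATIC_NAT.items()}


def inside_to_outside(src: str, dst: str) -> tuple:
    """Packet arrived on the inside interface (Fast 1/0) and leaves via the
    outside interface (Fast 0). Only hosts with a static entry are rewritten;
    anything else is forwarded untranslated, because NAT acts only on packets
    that match a translation rule."""
    new_src = STATIC_NAT.get(IPv4Address(src), IPv4Address(src))
    return str(new_src), dst


def outside_to_inside(src: str, dst: str):
    """Packet arrived on the outside interface (Fast 0). The destination is
    rewritten back to the inside local address. If no entry maps that public
    address there is no inside host to deliver to, so None is returned."""
    local = REVERSE_NAT.get(IPv4Address(dst))
    return None if local is None else (src, str(local))


def web_session(client: str) -> tuple:
    """An outside client's request to the public address of the web server,
    followed by the server's reply. The same static entry handles both
    directions; no second rule is needed for the return traffic."""
    request = outside_to_inside(client, "203.0.113.3")   # as seen on Fast 1/0
    reply = inside_to_outside(request[1], request[0])    # server answers
    return request, reply


if __name__ == "__main__":
    req, rep = web_session("198.51.100.7")
    print("inbound, after NAT :", req)   # ('198.51.100.7', '10.0.1.10')
    print("reply, after NAT   :", rep)   # ('203.0.113.3', '198.51.100.7')
    # A desktop on 10.0.2.0/24 has no static entry, so it leaves unchanged
    # (dynamic NAT or PAT, covered later, is what would translate it).
    print(inside_to_outside("10.0.2.50", "198.51.100.7"))  # ('10.0.2.50', '198.51.100.7')
    # Nothing maps 203.0.113.5, so an inbound packet for it is not delivered inside.
    print(outside_to_inside("198.51.100.7", "203.0.113.5"))  # None
```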
