Wednesday, August 29, 2012

Network Address Translation

There are three types of NAT:

  1. Dynamic NAT
  2. NAT Overload
  3. Static NAT

Dynamic NAT: Inside addresses are translated 1:1 to addresses drawn from a pool of public addresses. Dynamic NAT is commonly used to solve addressing problems, mainly overlapping address space. The client must own the addresses used in the NAT pool.

NAT overload is commonly called PAT or “port address translation.”

NAT overload translates many private addresses to one public address; the translation table uses the source port number as the distinguishing key (the original port is kept where it is free), so return traffic can be matched back to the right private host.

Static NAT is used for servers, meaning a single private address is mapped to a single public address. Every time communication occurs, the private address is mapped to that specific public address, and vice versa. The public address in the static mapping does not have to be assigned to the outside interface of the router doing NAT. A public address can be split into multiple NAT mappings based on port numbers.

Additional references: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml




NAT OVERLOAD:
  1. Label interfaces with the ip nat inside / ip nat outside interface commands.
  2. Identify the private address(es) to be translated.
  3. Write an access list matching them:
       ip access-list standard ALLOWED_NAT_ADDRESSES
        permit 192.168.1.0 0.0.0.255
        permit 192.168.2.0 0.0.0.255
  4. Enable NAT overload, borrowing the address of the outside interface (s0/0 here): ip nat inside source list ALLOWED_NAT_ADDRESSES interface s0/0 overload


Inside global is the public IP address the router presents for the inside host. Inside local is the IP address of the client that initiated the connection. Outside local is the address of the destination host as seen from the inside network (with no outside translation configured, it equals the outside global address).

STATIC NAT:
  1. Remove PAT (overload) configurations.
  2. Create a POOL of public IP addresses that you have available for use: ip nat pool PUBLIC_IP_ADDRESSES 209.165.200.2 209.165.200.10 netmask 255.255.255.224 (Note: this is DYNAMIC NAT)
  3. Define the NAT statement: ip nat inside source list ALLOWED_NAT_ADDRESSES pool PUBLIC_IP_ADDRESSES overload. Ensure you use the overload keyword!
  4. Define the static NAT statement for the server(s): ip nat inside source static 192.168.2.2 209.165.200.3
  5. Other static NAT mappings can be limited to specific ports, which is tighter because only the listed ports are reachable from outside:

router(config)# ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
router(config)# ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
router(config)# ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
router(config)# ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110


The above configuration is called static port NAT mapping and is useful for redirecting specific services, such as SMTP (port 25), HTTPS (port 443), web traffic to a web server (port 80), and POP3 (port 110). It is especially useful for getting the most out of a single public address.

Overview:

NAT (static 1:1): Translate one private address to one public address (no port translation used)

NAT overload: Translate a group of private addresses to one public address (port translation used, allowing for that "group" of addresses to use that one public address)

Dynamic NAT: Translate n private addresses to n public addresses (so if we have a pool of 4 public addresses, the first 4 private addresses to send traffic through the router will be NATed, and later ones are dropped until a translation times out. This form should of course not be used)

Dynamic NAT overload: Translate a group of private addresses to n public addresses (port translation used, allowing the "group" to share those public addresses).
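The following is an added example, not part of the original post and not Cisco IOS code: a small Python model of a NAT translation table that shows the behaviour described above for dynamic NAT (1:1 from a pool, which exhausts), NAT overload (many inside hosts sharing one inside-global address, distinguished by source port, with the original port kept where free) and static port mappings for a published server. All addresses and ports are constructed sample values; the class and method names are hypothetical.

```python
"""Toy NAT translation table: dynamic 1:1 NAT, NAT overload (PAT) and static
port mappings. Constructed example; not IOS code and not from the original post."""


class NatTable:
    def __init__(self, outside_ip, pool=(), overload=True):
        self.outside_ip = outside_ip      # inside-global address used by overload
        self.pool = list(pool)            # free inside-global addresses for dynamic 1:1 NAT
        self.overload = overload
        self.dynamic = {}                 # inside-local ip -> inside-global ip (1:1 leases)
        self.entries = {}                 # inside-local (ip, port) -> inside-global (ip, port)
        self.reverse = {}                 # inside-global (ip, port) -> inside-local (ip, port)

    def add_static_port(self, local_ip, local_port, global_ip, global_port):
        """Permanent, bidirectional mapping for a published service
        (like 'ip nat inside source static tcp ...')."""
        self.entries[(local_ip, local_port)] = (global_ip, global_port)
        self.reverse[(global_ip, global_port)] = (local_ip, local_port)

    def outbound(self, local_ip, local_port):
        """Translate the source of an inside->outside packet.
        Returns the inside-global (ip, port) or None when the packet must be dropped."""
        key = (local_ip, local_port)
        if key in self.entries:           # existing session or static mapping
            return self.entries[key]
        if self.overload:
            # PAT: keep the original source port when it is free on the shared
            # public address, otherwise walk to the next free port.
            gport, tried = local_port, 0
            while (self.outside_ip, gport) in self.reverse:
                gport = gport + 1 if gport < 65535 else 1024
                tried += 1
                if tried > 65535:         # every port in use: nothing left to allocate
                    return None
            translated = (self.outside_ip, gport)
        else:
            # Dynamic 1:1 NAT: one pool address per inside host until the pool runs out.
            if local_ip not in self.dynamic:
                if not self.pool:
                    return None           # pool exhausted: later hosts are dropped
                self.dynamic[local_ip] = self.pool.pop(0)
            translated = (self.dynamic[local_ip], local_port)
        self.entries[key] = translated
        self.reverse[translated] = key
        return translated

    def inbound(self, global_ip, global_port):
        """Look up an outside->inside packet. Only return traffic for an existing
        session, or a static mapping, is forwarded; anything else is dropped (None)."""
        return self.reverse.get((global_ip, global_port))


def demo():
    """Run the three behaviours on constructed addresses and return the results."""
    pat = NatTable("209.165.200.1")
    pat.add_static_port("192.168.2.2", 80, "209.165.200.1", 80)   # published web server
    a = pat.outbound("192.168.1.10", 40000)     # gets port 40000 (free)
    b = pat.outbound("192.168.1.11", 40000)     # collision: shifted to 40001
    c = pat.outbound("192.168.1.12", 80)        # 80 is taken by the static map: 81
    dyn = NatTable("209.165.200.1", pool=["209.165.200.2", "209.165.200.3"], overload=False)
    d1 = dyn.outbound("192.168.1.10", 5000)     # leases 209.165.200.2
    d2 = dyn.outbound("192.168.1.10", 5001)     # same host keeps its lease
    d3 = dyn.outbound("192.168.1.11", 5000)     # leases 209.165.200.3
    d4 = dyn.outbound("192.168.1.12", 5000)     # pool exhausted: None
    return {
        "pat": (a, b, c),
        "pat_return": pat.inbound("209.165.200.1", 40001),
        "pat_static": pat.inbound("209.165.200.1", 80),
        "pat_unsolicited": pat.inbound("209.165.200.1", 443),
        "dynamic": (d1, d2, d3, d4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reverse table is the important part: an outside packet is only forwarded when a translation already exists, which is why an overloaded router drops unsolicited inbound traffic and why a static port mapping is needed to publish a server behind it.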