Roy's CCNA Notes

Day 45 - NAT (2)

Mar 08, 20256 min read

Jeremy’s IT Lab lecture video:

Day 45 - NAT (2)

Commands

NAT Info

Static NAT Reminder

Static NAT

Static NAT involves statically configuring one-to-one mappings of private IP addresses to public IP addresses.

  • When traffic from the internal host is sent to the outside network, the router will translate the source address.
  • Also, this one-to-one mapping also allows external hosts to access the internal host via the Inside Global address.

Static NAT Configuration

  • show ip nat translations
    • Shows information about IP addresses that have been translated through NAT.
    • Includes the following information:
      • Protocol used in the connection
      • Inside Local address
      • Inside Global address
      • Outside Local address
      • Outside Global address
  • show ip nat statistics
    • Shows statistics about the current NAT process
    • Includes the following information:
      • Total active translations (static, dynamic, extended)
      • Peak translations (highest amount of translations in one time)
      • Outside interfaces
      • Inside interfaces
      • Etc.
  • clear ip nat translation *
    • Clears all dynamic NAT translations in the NAT translation table
    • (One type of dynamic translations is IP address translations with a port included)
  • ip nat inside
    • Defines the ‘inside’ interface(s) connected to the internal network
  • ip nat outside
    • Defines the ‘outside’ interface(s) connected to the external network
  • ip nat inside source static INSIDE-LOCAL-IP INSIDE-GLOBAL-IP
    • Configures a one-to-one (Static NAT) IP address mapping
Link to original

Dynamic NAT

Dynamic NAT involves dynamically mapping Inside Local addresses to Inside Global addresses as needed.

  • Although they are dynamically assigned, the mappings are still one-to-one. (One Inside Local IP address per Inside Global IP address)
  • It uses an ACL to identify which traffic should be translated.
    • If the source IP is permitted by the ACL, the source IP will be translated.
    • If the source IP is denied by the ACL, the source IP will not be translated.
  • A NAT Pool is also used to define the available Inside Global addresses to be used for the translation.

What does it mean if an address is 'not translated'?

  • When an address is not translated (due to NAT Pool Exhaustion or being denied by the ACL), that does NOT mean that the traffic will get dropped.
  • Instead, it simply means that the traffic won’t go through the NAT process and will be sent with its original source IP address.
Dynamic NAT demonstration

NAT Pool Exhaustion

If there aren’t enough Inside Global IP addresses available in the NAT Pool (all the addresses are currently being used), that is called ‘NAT Pool Exhaustion

  • If a packet from another inside host arrives and needs NAT but there are no available addresses, the router will drop the packet.
  • The host will be unable to access outside networks (which requires NAT translations) until one of the Inside Global IP addresses becomes available.
  • Dynamic NAT entries will time out automatically if they’re not used, or they can be cleared manually through clear ip nat translation *

Be careful: 'Not translated' traffic and 'dropped' traffic

  • Watch out for these two similar terms.
    • When traffic is ‘not translated’ it means that it won’t go through the NAT process and will retain its original source IP address, therefore, and it can still be sent to others devices in the LAN for example.
    • When traffic needs a NAT translation (in order to reach outside networks) and the Dynamic NAT Pool is full and completely in use, the traffic will be completely ‘dropped’ and discarded.

Dynamic NAT Configuration

  • show ip nat translations
    • Shows information about IP addresses that have been translated through NAT.
    • Includes the following information:
      • Protocol used in the connection
      • Inside Local address
      • Inside Global address
      • Outside Local address
      • Outside Global address
  • show ip nat statistics
    • Shows statistics about the current NAT process.
    • Includes the following information:
      • Total active translations (static, dynamic, extended)
      • Peak translations (highest amount of translations in one time)
      • Outside interfaces
      • Inside interfaces
      • Etc.
  • clear ip nat translation *
    • Clears all dynamic NAT translations in the NAT translation table.
    • (One type of dynamic translations is IP address translations with a port included)
  • ip nat inside
    • Defines the ‘inside’ interface(s) connected to the internal network.
  • ip nat outside
    • Defines the ‘outside’ interface(s) connected to the external network.
  • access-list ACL-ID permit ARGUMENTS
    • Defines the traffic that should be translated
    • (Permitted traffic by the ACL will be translated)
  • ip nat pool POOL-NAME START-IP END-IP { prefix-length PREFIX-LENGTH | netmask SUBNET-MASK }
    • Defines the NAT Pool of Inside Global IP addresses.
  • ip nat inside source list ACL-ID pool POOL-NAME
    • Configures Dynamic NAT on the router by mapping the ACL to the NAT Pool.

Info: show ip nat translations command with Dynamic NAT

  • When the command is used, the one-to-one dynamic mappings will show, just like Static NAT, as well as any translated addresses and their ports.
  • Using the clear ip nat translation * command will clear all the translations except the one-to-one mappings.

Port Address Translation (PAT) / NAT Overload

Port Address Translation (PAT) or NAT Overload is a protocol that translates both the IP address and port number (if necessary)

  • By using a unique port number for each communication flow, a single public IP address can be used by many different internal hosts.
  • (Port numbers are 16 bits, which is over 65,000 available port numbers)
  • The router will keep track of which Inside Local address is using which Inside Global address and port.
  • PAT is really good for preserving public IP addresses, as many inside hosts can share a single public IP.
PAT Demonstration
(In this case, PAT translated both the IP address and ports, as both of the hosts were using the same port of 54321)

PAT Configuration (Pools)

  • show ip nat translations
    • Shows information about IP addresses that have been translated through NAT.
    • Includes the following information:
      • Protocol used in the connection
      • Inside Local address
      • Inside Global address
      • Outside Local address
      • Outside Global address
  • show ip nat statistics
    • Shows statistics about the current NAT process.
    • Includes the following information:
      • Total active translations (static, dynamic, extended)
      • Peak translations (highest amount of translations in one time)
      • Outside interfaces
      • Inside interfaces
      • Etc.
  • clear ip nat translation *
    • Clears all dynamic NAT translations in the NAT translation table.
    • (One type of dynamic translations is IP address translations with a port included)
  • ip nat inside
    • Defines the ‘inside’ interface(s) connected to the internal network.
  • ip nat outside
    • Defines the ‘outside’ interface(s) connected to the external network.
  • access-list ACL-ID permit ARGUMENTS
    • Defines the traffic that should be translated
    • (Permitted traffic by the ACL will be translated)
  • ip nat pool POOL-NAME START-IP END-IP { prefix-length PREFIX-LENGTH | netmask SUBNET-MASK }
    • Defines the NAT Pool of Inside Global IP addresses.
  • ip nat inside source list ACL-ID pool POOL-NAME overload
    • Configures PAT on the router by mapping the ACL to the NAT Pool with the overload argument at the end.

Info: show ip nat translations command with PAT

  • When the command is used, only translated addresses and their ports will show up.
  • PAT does not have any ‘one-to-one’ mappings like Static and Dynamic NAT.
  • Using the clear ip nat translation * command will clear all the translations.

PAT Configuration (Interface)

  • show ip nat translations
    • Shows information about IP addresses that have been translated through NAT.
    • Includes the following information:
      • Protocol used in the connection
      • Inside Local address
      • Inside Global address
      • Outside Local address
      • Outside Global address
  • show ip nat statistics
    • Shows statistics about the current NAT process.
    • Includes the following information:
      • Total active translations (static, dynamic, extended)
      • Peak translations (highest amount of translations in one time)
      • Outside interfaces
      • Inside interfaces
      • Etc.
  • clear ip nat translation *
    • Clears all dynamic NAT translations in the NAT translation table.
    • (One type of dynamic translations is IP address translations with a port included)
  • ip nat inside
    • Defines the ‘inside’ interface(s) connected to the internal network.
  • ip nat outside
    • Defines the ‘outside’ interface(s) connected to the external network.
  • access-list ACL-ID permit ARGUMENTS
    • Defines the traffic that should be translated
    • (Permitted traffic by the ACL will be translated)
  • ip nat inside source list ACL-ID interface INTERFACE-ID overload
    • Configures PAT on the router by mapping the ACL to an interface on the router with the overload argument at the end.
    • When traffic is translated, it will use the IP address of the specified interface.
PAT via interface Demonstration

Graph View

Backlinks