Saturday, April 3, 2010


The internet is a network of networks. So many devices are connected to it that the supply of public IPv4 addresses ran out. NAT (Network Address Translation) lets many devices reach the internet through a single public address (or a small range of them). NAT is also a brake on progress: by hiding the address shortage, it removes much of the pressure to move to IPv6.
To see how NAT works, imagine one router with a network behind it. The router has a public IP of, and a private IP of Whenever a host behind the router sends traffic to the internet, the packet leaves with a source IP of 192.168.1.x. That is a private (RFC 1918) address, which is not routable on the public internet, so the ISP drops it. To make things work, the router has to translate the 192.168.1.x address into its

Say a host tries to reach a web server with a source socket of, the router translates the source socket to before forwarding the packet to the web server. The server replies to, which the router translates back to before sending the reply into the internal network. The router keeps a table of these mappings so that it knows which inside host each reply belongs to; a packet from the outside that matches no entry in the table is simply dropped.

If two inside hosts happen to use the same source port, the router cannot give both of them the same public socket, so the second host's source port is changed (in practice, to the next free port). This form of NAT is known as PAT (Port Address Translation) because every host shares the same public address and is told apart only by its port.

You can also host services behind the NAT. To do this, add a static entry that always maps to the same server: for example, every connection to can be redirected to This is also known as port forwarding. Bear in mind that a static entry exposes that server to the whole internet, so forward only the ports you actually mean to publish.
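The mapping table the router keeps, the handling of a source-port collision, the drop of an unsolicited inbound packet and the static port-forward entry can all be seen in the small Python model below. It is an added example written for this page, not SDM or IOS code. The addresses (203.0.113.1 as the router's public address, 192.168.1.x inside, 198.51.100.x outside) and the port-selection rule (keep the host's own source port when it is free, otherwise take the next free port) are assumptions; the page does not say how IOS picks ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]   # (IP address, port)


@dataclass
class PatRouter:
    """Toy inside-source PAT router with a static port-forward table.

    Assumptions (not taken from the page): the public address is
    203.0.113.1, and a colliding source port is moved to the next free port.
    """
    inside_global: str                      # the router's public address
    # dynamic table: (inside local socket, outside socket) -> public port
    _dynamic: Dict[Tuple[Socket, Socket], int] = field(default_factory=dict)
    # reverse table for replies: (public port, outside socket) -> inside local socket
    _reverse: Dict[Tuple[int, Socket], Socket] = field(default_factory=dict)
    # static table (port forwarding): public port -> inside server socket
    _static: Dict[int, Socket] = field(default_factory=dict)

    def add_port_forward(self, public_port: int, server: Socket) -> None:
        """Static entry: anything sent to <inside_global>:public_port reaches server."""
        if public_port in self._static:
            raise ValueError(f"public port {public_port} is already forwarded")
        self._static[public_port] = server

    def _port_owner(self, port: int) -> Optional[str]:
        """Inside host currently holding a given public port, if any."""
        for (gport, _peer), (ip, _lport) in self._reverse.items():
            if gport == port:
                return ip
        return None

    def outbound(self, src: Socket, dst: Socket) -> Socket:
        """Translate the source socket of an inside-to-outside packet."""
        key = (src, dst)
        if key in self._dynamic:                         # existing flow, reuse its entry
            return (self.inside_global, self._dynamic[key])
        port = src[1]
        # keep the host's own source port unless it is a forwarded port or is
        # already owned by a *different* inside host; otherwise walk to the next free one
        while port in self._static or self._port_owner(port) not in (None, src[0]):
            port += 1
            if port > 65535:
                raise RuntimeError("no free public port left")
        self._dynamic[key] = port
        self._reverse[(port, dst)] = src
        return (self.inside_global, port)

    def inbound(self, public_port: int, peer: Socket) -> Optional[Socket]:
        """Translate the destination of an outside-to-inside packet.

        Returns the inside socket, or None when nothing matches: an unsolicited
        packet with no dynamic or static entry is dropped.
        """
        hit = self._reverse.get((public_port, peer))
        return hit if hit is not None else self._static.get(public_port)

    def show_translations(self) -> List[Tuple[str, str, str, str]]:
        """Rows in the column order IOS prints: inside global, inside local,
        outside local, outside global (the two outside columns are equal for
        an inside-source translation)."""
        rows = []
        for (src, dst), gport in sorted(self._dynamic.items(), key=lambda kv: kv[1]):
            out = f"{dst[0]}:{dst[1]}"
            rows.append((f"{self.inside_global}:{gport}", f"{src[0]}:{src[1]}", out, out))
        for gport, srv in sorted(self._static.items()):
            rows.append((f"{self.inside_global}:{gport}", f"{srv[0]}:{srv[1]}", "---", "---"))
        return rows


def demo() -> dict:
    """Walk through the scenarios in the text with constructed addresses."""
    r = PatRouter("203.0.113.1")
    r.add_port_forward(80, ("192.168.1.10", 80))        # internal web server, published on :80
    web = ("198.51.100.10", 80)                         # some web server on the internet
    return {
        "host_a": r.outbound(("192.168.1.2", 40000), web),          # keeps port 40000
        "host_b": r.outbound(("192.168.1.3", 40000), web),          # collision -> 40001
        "reply_to_b": r.inbound(40001, web),                        # back to 192.168.1.3:40000
        "unsolicited": r.inbound(50000, ("198.51.100.99", 1234)),   # None: no entry, dropped
        "forwarded": r.inbound(80, ("198.51.100.99", 1234)),        # static entry, anyone may hit it
        "table": r.show_translations(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reverse lookup is keyed on the outside peer as well as the port, so a reply only reaches an inside host from the server that host actually talked to; the static entry has no such restriction, which is exactly why a port-forwarded server is reachable by anyone.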

Let's set up NAT using this familiar topology:

This article assumes that all routing and default gateways are configured properly. At this point, when the computer pings the ISP (let's say it's, the ping fails because the source address is private. We need to translate that private address to

From SDM, you can configure either Basic NAT or Advanced NAT. Basic NAT just does PAT; Advanced NAT also lets you specify a range of internet addresses and set up port forwarding. NAT is configured from the Configuration Tab > NAT:

The first thing the wizard asks is which interface connects to the ISP; choose the outside interface. Next, tick every network that should be translated and click Next. That is all it takes.

Behind the scenes this does a few things. First, the interface you chose as the outside interface gets this command under it:
ip nat outside

Next, every interface you ticked gets this command under it:
ip nat inside

Then a named access-list is created, with a permit entry for each of the inside networks you ticked (this list decides which source addresses get translated, so it should cover only your inside networks):
ip access-list standard NAT

Finally, inside-to-outside translation is enabled (the keyword inside means the source addresses of packets going from an inside interface to the outside interface are translated):
ip nat inside source list NAT interface f0/0 overload

The overload keyword turns plain NAT into PAT, letting many inside devices share the single address of the outside interface by using different ports. Without overload, the rule is a dynamic one-to-one translation, and since the interface has only one address, only one inside device can hold the translation (and so reach the internet) at a time.
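Since SDM writes these four pieces for you, it is worth being able to check a running-config for them afterwards. The Python below is an added example, not part of this page or of SDM. It parses a constructed config fragment (FastEthernet0/1 as the inside interface and 192.168.1.0/24 as the inside network are assumptions) and reports the mistakes that silently break or weaken the translation: an ACL the rule references but that does not exist, a translation interface that is not marked ip nat outside, a missing overload keyword, and, as my own extra check, an ACL that permits any source.

```python
import re
from typing import List

# Short forms accepted on the IOS CLI for interface types; the running-config shows the long form.
_IF_ALIASES = {"f": "fastethernet", "fa": "fastethernet", "g": "gigabitethernet",
               "gi": "gigabitethernet", "e": "ethernet", "s": "serial", "se": "serial"}


def norm_if(name: str) -> str:
    """Spell 'f0/0', 'Fa0/0' and 'FastEthernet0/0' the same way."""
    m = re.match(r"^([A-Za-z-]+)(\d.*)$", name.strip())
    if not m:
        return name.strip().lower()
    kind, rest = m.group(1).lower(), m.group(2)
    return _IF_ALIASES.get(kind, kind) + rest


def parse_config(text: str) -> dict:
    """Pull the NAT-related pieces out of an IOS running-config."""
    cfg = {"inside": set(), "outside": set(), "acls": {}, "rules": []}
    block_kind = block_name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                       # a top-level command ends any block
            block_kind = block_name = None
            parts = line.split()
            if parts[0] == "interface":
                block_kind, block_name = "if", norm_if(parts[1])
            elif line.startswith("ip access-list "):       # ip access-list standard NAT
                block_kind, block_name = "acl", parts[3]
                cfg["acls"].setdefault(block_name, [])
            elif parts[0] == "access-list":                # numbered: access-list 1 permit ...
                cfg["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
            elif line.startswith("ip nat inside source list "):
                # ip nat inside source list <acl> interface <if> [overload]
                # (a 'pool' form exists too; it carries no interface to check)
                cfg["rules"].append({
                    "acl": parts[5],
                    "if": norm_if(parts[7]) if parts[6] == "interface" else None,
                    "overload": "overload" in parts,
                })
            continue
        sub = line.strip()                                 # indented line inside a block
        if block_kind == "if":
            if sub == "ip nat inside":
                cfg["inside"].add(block_name)
            elif sub == "ip nat outside":
                cfg["outside"].add(block_name)
        elif block_kind == "acl":
            cfg["acls"][block_name].append(sub)
    return cfg


def audit(cfg: dict) -> List[str]:
    """Return human-readable findings; an empty list means the four pieces line up."""
    findings = []
    if not cfg["inside"]:
        findings.append("no interface is marked 'ip nat inside'")
    if not cfg["outside"]:
        findings.append("no interface is marked 'ip nat outside'")
    if not cfg["rules"]:
        findings.append("no 'ip nat inside source' rule: nothing will be translated")
    for rule in cfg["rules"]:
        acl = rule["acl"]
        if acl not in cfg["acls"]:
            findings.append(f"rule references ACL {acl}, which does not exist (rule is inert)")
        elif any(ace.startswith("permit any") for ace in cfg["acls"][acl]):
            findings.append(f"ACL {acl} permits any source; restrict it to the inside networks")
        if rule["if"] is not None and rule["if"] not in cfg["outside"]:
            findings.append(f"translation interface {rule['if']} is not marked 'ip nat outside'")
        if not rule["overload"]:
            findings.append(f"rule for ACL {acl} lacks 'overload': only one inside host is translated at a time")
    return findings


# Constructed running-config fragment resembling what SDM writes (the inside interface
# FastEthernet0/1 and the inside network 192.168.1.0/24 are assumptions).
GOOD_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list NAT interface f0/0 overload
"""

# Same topology with three mistakes: the ACL is missing, the rule points at the
# inside interface, and overload was dropped.
BAD_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source list NAT interface f0/1
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(parse_config(text)) or ["ok"])
```

Interface names are normalised before comparison because the CLI accepts f0/0 while the running-config shows FastEthernet0/0; a naive string compare would flag a correct rule as pointing at an unknown interface.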

To see the list of active NAT translations, type:
show ip nat translations

Inside local is the inside host's address as seen on the inside network, i.e. the untranslated private address. Inside global is the inside host's address as seen from the outside, i.e. the translated public address.

Outside local is the outside host's address as it appears to the inside network, and outside global is the outside host's real address on the internet. Since we are doing an inside-source translation, only the inside local and inside global differ; the two outside columns stay the same.

NAT can also translate outside addresses on their way in. For example, if we want hosts in 172.16.1.x/24 on the outside to appear to the inside as 10.0.0.x/24, we use an outside-source translation whose access-list matches the 172.16.1.x network; in that case it is the outside local and outside global columns that differ. This is, however, rarely used.
