To see how NAT works, imagine a scenario with one router and a 192.168.1.0/24 network behind it. The router has a public IP of 152.226.152.18, and a private IP of 192.168.1.0. Whenever another host tries to access the internet through the router, it would come from a source IP of 192.168.1.x. This address is blocked by ISPs. To make things work, the router would have to translate the 192.168.1.x address into his 152.226.152.18.
Say for example a host tries to access a web server with a source socket of 192.168.1.25:10293, the router would translate the source socket to 152.226.152.18:10293 before sending it to the web server. When the server replies, it replies to 152.226.152.18:10293 which gets translated to 192.168.1.25:10293 before being sent back into the internal network.
If for some reason two computers use the same source port, the source port of the later computer would be incremented by 1. This form of NAT is known as PAT (Port Address Translation) because it works with the same address, just different port.
You can also host services through the NAT. To do this, we can add a static entry that always goes to the same server. For example, every time someone tries to access 152.226.152.18:80, it can be automatically redirected to 192.168.1.2:80. This is also known as port-forwarding.
Let's set up NAT using this familiar topology:
This article assumes that all routing and default gateways are configured properly. At this point, whenever the computer tries to ping the ISP (let's say it's 152.226.152.1), it would be blocked because it's private. We need to translate that private address to 152.226.152.18.
From SDM, you can configure both Basic NAT and Advanced NAT. Basic NAT just does PAT, while Advanced NAT allows you to specify a range of Internet Addresses as well as do some port forwarding. NAT is configured from the Configuration Tab > NAT:
The first thing the Wizard wants to know is which interface connects to the ISP. Simply choose the outside interface. Now, you'll have to tick all networks that should be translated. When you're done, click next. That is all!
Now what this does is a few things. First of all, the interface that you specified as the "outside" interface has this command typed under it:
ip nat outsideNext, whatever interface(s) you ticked would have this command typed under it:
ip nat insideNow, an access-list is created that permits the range from all the interfaces that are "inside":
ip access-l standard NAT
permit 192.168.1.0 0.0.0.255Finally, NAT is enabled from inside-out:
ip nat source list NAT interface f0/0 overloadThe overload keyword is to enable PAT instead of simply NAT. This is to allow multiple devices to use one address with different ports. Without overload, only 1 device can access the internet at one time.
To see the list of NAT translations, type:
show ip nat trInside local is the inside address seen locally, which is the internal address. Inside global is the inside address seen globally, which would be the translated address.
Outside local is the outside address seen locally, and outside global is the outside address seen globally. For this, we're doing an inside-out translation, so we'll only see the inside local and global changed.
We can actually use NAT to translate outside addresses coming in. For example, if we want 172.16.1.x/24 coming from outside to appear as 10.0.0.x/24, we can use an outside-in translation which uses an access-list to match the 172.16.1.x network. This is however, typically not used.
No comments :
Post a Comment