Network Address Translation (NAT)
Network Address Translation provides a method for mapping an internal IP address space to an external IP address space. This mapping is beneficial for making smooth transitions to different ISPs, hiding internal IP addresses, and conserving IP addresses. The hiding is a side effect, not an access-control mechanism: NAT only decides how addresses are rewritten, so the outside interface still needs an access list that says what is allowed to enter the network.
To better understand what NAT does, consider Figure 13-2. NAT is configured on our gateway. The serial0 interface is configured with our global Internet address (from the address space given to our network by our ISP). This is the outside portion of NAT. The ethernet0 interface, and any devices that are connected to this Ethernet, have addresses that are invisible to the outside world; this is the inside portion of NAT.
Figure 13-2. NAT example
There are two methods of performing NAT: static and dynamic. With static translation, each inside address is mapped to a specific outside address. With dynamic translation, possible outside addresses are collected into an address pool and are selected from the pool on an as-needed basis.
Let's look at how to implement the address translation used in Figure 13-2. In this example, the internal network has the address space of 10.10.1.0/24. We need to map these addresses to the external address space, 172.168.1.0/24. First, let's look at the configuration with the static mapping:
! Static mappings for inside addresses 10.10.1.2 through 10.10.1.11
! (Skip 172.168.1.1 because that is our serial0 interface)
ip nat inside source static 10.10.1.2 172.168.1.2
ip nat inside source static 10.10.1.3 172.168.1.3
ip nat inside source static 10.10.1.4 172.168.1.4
ip nat inside source static 10.10.1.5 172.168.1.5
ip nat inside source static 10.10.1.6 172.168.1.6
ip nat inside source static 10.10.1.7 172.168.1.7
ip nat inside source static 10.10.1.8 172.168.1.8
ip nat inside source static 10.10.1.9 172.168.1.9
ip nat inside source static 10.10.1.10 172.168.1.10
ip nat inside source static 10.10.1.11 172.168.1.11
!
interface ethernet 0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial 0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
The static configuration configures only the first 10 IP addresses in our address space, but it's easy to see how to use the rest. Remember that we can't map 172.168.1.1 because that's the address of the serial0 interface.
Here's the configuration for dynamic NAT. This time, we use the rest of our global address space, 172.168.1.2 through 172.168.1.254:
! Define the IP address pool
! (Leave out 172.168.1.1 because that is our serial 0 interface)
ip nat pool poolone 172.168.1.2 172.168.1.254 netmask 255.255.255.0
ip nat inside source list 20 pool poolone
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
! Access list for our pool, which is used above to select which IP
! addresses can be translated
access-list 20 permit 10.10.0.0 0.0.255.255
Static and dynamic mappings can be combined; just don't include the global addresses used by your static mappings in the dynamic address pool, and keep the outside interface's own address out of it too. This allows you to specify some hosts (such as mail servers) that have a fixed external address but belong to your internal network, while allowing other hosts to be assigned their external address dynamically.
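The overlap rule above is easy to get wrong when a pool and a set of static mappings are edited at different times. The following is an added example, not from the book: a small Python lint that parses the NAT-related lines of an IOS configuration and reports a pool that contains the outside interface's address or a static mapping's global address. The sample configuration is constructed for this example (it deliberately reuses the book's 172.168.1.1 serial0 address and a pool that wrongly starts at .1); the regular expressions cover only the command forms shown in this chapter.

```python
"""Lint IOS NAT lines for global-address overlaps (added example, not from the book)."""
import ipaddress
import re

# Constructed sample: the pool wrongly covers both the serial0 address
# (172.168.1.1) and the static mapping's global address (172.168.1.2).
SAMPLE_CONFIG = """\
interface serial 0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.10.1.2 172.168.1.2
ip nat pool poolone 172.168.1.1 172.168.1.254 netmask 255.255.255.0
ip nat inside source list 20 pool poolone
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*(\S*)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
STATIC_RE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length)\s+\S+")


def parse_nat_config(text):
    """Return (statics, pools, outside_addrs) from IOS config text."""
    statics = {}     # inside local -> inside global, from plain static mappings
    pools = {}       # pool name -> (first address, last address)
    iface_addr = {}  # normalised interface name -> primary address
    outside = set()  # interfaces configured 'ip nat outside'
    current = None   # interface whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = (m.group(1) + m.group(2)).lower()  # "serial 0" -> "serial0"
            continue
        if raw[:1].isspace() and current:
            m = ADDR_RE.match(line)
            if m:
                iface_addr[current] = ipaddress.ip_address(m.group(1))
            elif line == "ip nat outside":
                outside.add(current)
            continue
        current = None  # back at global configuration level
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    outside_addrs = {n: iface_addr[n] for n in outside if n in iface_addr}
    return statics, pools, outside_addrs


def in_pool(addr, pool):
    first, last = pool
    return first <= addr <= last


def find_overlaps(text):
    """Return a list of problems; an empty list means the NAT lines are consistent."""
    statics, pools, outside_addrs = parse_nat_config(text)
    problems = []
    for name, pool in pools.items():
        for iface, addr in outside_addrs.items():
            if in_pool(addr, pool):
                problems.append(f"pool {name} contains outside interface {iface} address {addr}")
        for local, glob in statics.items():
            if in_pool(glob, pool):
                problems.append(f"pool {name} contains static global {glob} (mapped from {local})")
    for local, glob in statics.items():
        for iface, addr in outside_addrs.items():
            if glob == addr:
                problems.append(f"static mapping for {local} reuses {iface} address {addr}")
    return problems


if __name__ == "__main__":
    for problem in find_overlaps(SAMPLE_CONFIG) or ["no overlaps found"]:
        print(problem)
```

Run it against a copy of the running configuration (`show running-config | include nat|interface|ip address`) before applying a pool change; a non-empty result means the pool should be narrowed or the static mapping moved.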
If you're using a bridged configuration, remember that your BVI is the outside interface of your NAT configuration.
13.3.1. Overloading NAT Address Space
If you add the overload keyword, the pooled NAT address space is shared among many internal hosts by multiplexing on port numbers. In the previous dynamic configuration, changing the ip nat inside source line to the following enables overloading:
ip nat inside source list 20 pool poolone overload
For example, if an FTP session to an Internet host is started from 10.10.1.3, the outbound connection might be mapped to 172.168.1.3. While that connection is going, a telnet connection is started from 10.10.1.4 to another Internet host. This connection might also be mapped to 172.168.1.3. This means you could have one public IP address shared by hundreds of internal private IP addresses. The router keeps track of what packets belong to what sessions and makes sure that all the packets reach the appropriate destination. This is often called Port Address Translation (PAT) because the router uses the port number to distinguish between different connections using the same address.
In this example, we have one public IP address (172.168.1.2) that is shared by all our hosts on the 10.10.1.0/24 private network:
! Define the IP address pool
! (Leave out 172.168.1.1 because that is our serial 0 interface)
ip nat pool poolone 172.168.1.2 172.168.1.2 netmask 255.255.255.0
! Add the overload keyword
ip nat inside source list 20 pool poolone overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
! Access list for our pool, which is used to select which IP addresses
! should be translated
access-list 20 permit 10.10.0.0 0.0.255.255
The previous configuration, which creates an explicit external address pool and then uses it to map inside addresses, is the most common way to set up address translation. But in this case, where you're creating a pool that has only a single IP address, there's a shortcut. You can omit the ip nat pool command and instead tell the ip nat inside command to use the IP address of your serial interface for translations. The result looks like this:
! Define IP address translation (PAT) without using an address pool
ip nat inside source list 20 interface serial0 overload
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 172.168.1.1 255.255.255.0
 ip nat outside
!
! Access list, used above to select which IP addresses
! should be translated
access-list 20 permit 10.10.0.0 0.0.255.255
13.3.1.1. Mapping incoming ports to different NAT addresses
One of the drawbacks of having all your internal IP addresses mapped to one external address is that you don't have room for adding external services. That is, if you want to run a web server or any other public service, that machine's address must be visible to the outside world. With the kinds of dynamic address translation we've seen so far, that isn't the case: a host isn't visible to the outside world until it initiates a connection, and even then its address might be shared. If someone from the Internet tries to start a connection to an internal server using a shared address, how will the router know which machine should receive the packets?
Let's take this example a step further. What if you want to run a web server and a mail server? You could put both on the same machine and create one static mapping to a single external address. Or you could put the mail and web servers on different machines and create static mappings to two external addresses. But what if you want the servers on different machines but you want only one external address?
The solution to this problem is static PAT. To do the port-based translation, we use the keyword extendable, which allows us to map UDP and TCP ports to internal addresses. In this example, we have one unique global IP address (172.168.1.1) mapped to our internal network (10.10.1.0/24) using the overload keyword. We want our incoming email traffic (port 25) to go to 10.10.1.5, and our incoming web traffic (port 80) to go to 10.10.1.4. The following configuration handles this:
! Use PAT to overload our internal IP space 10.10.1.0/24 to
! one external IP address 172.168.1.1 (serial0's IP address)
ip nat inside source list 20 interface Serial0 overload
! Map incoming mail (port 25) to port 25 on device 10.10.1.5
ip nat inside source static tcp 10.10.1.5 25 172.168.1.1 25 extendable
! Map incoming web (port 80) to port 80 on device 10.10.1.4
ip nat inside source static tcp 10.10.1.4 80 172.168.1.1 80 extendable
!
access-list 20 permit 10.10.0.0 0.0.255.255
By changing the protocol keyword, you can do translations based on UDP ports as well. The syntax is the same as for TCP: the inside address and port come first, then the global address and port:
ip nat inside source static udp 10.10.1.6 69 172.168.1.1 69 extendable
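To make the behaviour of the two mechanisms in this section concrete (overloading a single global address, and static PAT for unsolicited inbound connections), here is an added Python model of an overloaded NAT table. It is an illustration written for this page, not IOS code. The global address and the static port mappings follow the book's example; the inside hosts' source ports and the Internet peer addresses (198.51.100.7, 203.0.113.9, 192.0.2.1) are constructed. Port handling is simplified: the model keeps the inside host's source port when it is free and otherwise takes the next free port at or above 1024, and a dynamic entry only matches the peer the session was opened to (the "extended" entries counted by show ip nat statistics).

```python
"""Model of an overloaded (PAT) NAT table with static port mappings (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Translation table for one overloaded global address (simplified model)."""

    def __init__(self, global_addr, first_port=1024, last_port=65535):
        self.global_addr = global_addr
        self.first_port, self.last_port = first_port, last_port
        self.used = set()    # (proto, global_port) currently allocated
        self.outbound = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> global_port
        self.dynamic = {}    # (proto, global_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.static = {}     # (proto, global_port) -> (inside_ip, inside_port)

    def add_static(self, proto, inside_ip, inside_port, global_port):
        """Equivalent of 'ip nat inside source static <proto> ... extendable'."""
        if (proto, global_port) in self.used:
            raise ValueError(f"{proto}/{global_port} already allocated on {self.global_addr}")
        self.used.add((proto, global_port))
        self.static[(proto, global_port)] = (inside_ip, inside_port)

    def _allocate_port(self, proto, preferred):
        # Keep the inside host's own source port when it is free; otherwise
        # take the next free port in the configured range (simplification).
        if preferred >= self.first_port and (proto, preferred) not in self.used:
            return preferred
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.used:
                return port
        raise RuntimeError(f"no free {proto} ports left on {self.global_addr}")

    def translate_outbound(self, flow):
        """Return the flow as it appears on the outside (inside global address and port)."""
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            gport = self._allocate_port(flow.proto, flow.src_port)
            self.used.add((flow.proto, gport))
            self.outbound[key] = gport
            self.dynamic[(flow.proto, gport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.global_addr, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_inbound(self, proto, global_port, remote_ip, remote_port):
        """Inside (ip, port) for a packet arriving at global_addr:global_port; None means drop."""
        # A dynamic entry is extended: it only matches the peer the session was opened to.
        hit = self.dynamic.get((proto, global_port, remote_ip, remote_port))
        if hit is None:
            hit = self.static.get((proto, global_port))  # unsolicited traffic needs static PAT
        return hit


if __name__ == "__main__":
    gw = PatGateway("172.168.1.1")
    gw.add_static("tcp", "10.10.1.5", 25, 25)
    gw.add_static("tcp", "10.10.1.4", 80, 80)
    # Two inside hosts that happen to use the same source port share one global address.
    print(gw.translate_outbound(Flow("tcp", "10.10.1.3", 40000, "198.51.100.7", 21)))
    print(gw.translate_outbound(Flow("tcp", "10.10.1.4", 40000, "203.0.113.9", 23)))
    print(gw.translate_inbound("tcp", 25, "192.0.2.1", 5555))   # reaches the mail server
    print(gw.translate_inbound("tcp", 22, "192.0.2.1", 5555))   # None: no mapping, dropped
```

The second outbound flow collides on port 40000 and is moved to 1024, which is what the "Pro / Inside global / Inside local" columns of show ip nat translations would show as two entries with the same inside global address and different ports. The inbound lookup for port 22 returning None is the answer to the question posed above: without a static mapping the router has nowhere to send the packet.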
13.3.2. NAT show Commands
show ip nat statistics and show ip nat translations are the two most helpful show commands for NAT. The statistics show the total number of translations, the interfaces configured for NAT, the hits (the number of times the router looked in the NAT table and found a match), the misses (the number of times the router looked in the NAT table and didn't find an entry), and the number of translations that have expired:
Router1#show ip nat statistics
Total translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 20 pool poolone refcount 1
 pool poolone: netmask 255.255.255.0
        start 172.168.1.2 end 172.168.1.2
        type generic, total addresses 1, allocated 1 (100%), misses 1
show ip nat translations lists the translations currently in the NAT table:
Router1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.168.1.2        10.10.1.1          ---                ---
This output shows a single entry mapping the inside local address 10.10.1.1 to the inside global address 172.168.1.2. The outside columns are empty because this is a plain (non-extended) address translation rather than a per-session entry.
There's one other essential command. Dynamic translation entries can become stale or inconsistent; when this happens, translated traffic stops flowing through the router. There's a simple fix: clear ip nat translation *. The asterisk means to clear all dynamic translations. You can replace it with the address of a particular translation, but that usually isn't worth the effort. Be aware that clearing the table drops the existing dynamic entries, so sessions that were in progress through the router are interrupted and must be re-established.
13.3.3. Stateful NAT (SNAT)
As network downtime becomes less and less tolerable, we need new ways to support immediate network failover. For NAT, a new feature called Stateful NAT or SNAT provides increased IP resiliency. SNAT allows two or more routers to perform NAT. One router is the active NAT router while the other device or devices serve as the backup. The active router continuously sends NAT state changes to the backup devices. If a failover does occur, the backup device can immediately take over NAT.
SNAT is designed to work in concert with HSRP to detect failover. However, you can configure SNAT to work on its own.
The first release of SNAT (in IOS 12.2(13)T) offered limited protocol support (there was no FTP support, for example). IOS 12.4 added a feature that broadens SNAT's protocol support: embedded addressing. With embedded addressing, the NAT process learns ports from the application itself. This new feature allows SNAT to support VoIP, FTP, and DNS applications.
13.3.3.1. Configuring SNAT with HSRP
In our first example, we are going to configure SNAT to work with HSRP. To do this, we use the ip nat stateful command. This command takes three important options: id, redundancy, and mapping-id. The id simply identifies the router to the SNAT protocol (each router should be configured with a unique id value). The redundancy option identifies the HSRP group that we are going to use for our configuration. In this example, we have given our HSRP group the name SNATHSRP. And finally, the mapping-id option identifies which NAT translations are sent to SNAT peers. In this case, we have chosen a mapping id of 10, which means that any translations created by our NAT rule (the ip nat inside command) will have an id of 10 associated with them. These translations are then identified, by the mapping id, as ones to send to our peer router. You can have multiple mapping-ids that form a mapping list.
Here's the configuration for Router 1:
!
interface ethernet0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ! enable HSRP
 standby name SNATHSRP
 standby preempt
 standby priority 120
 standby ip 10.10.1.3
!
! Enable SNAT for the group (id is 1 for router 1)
! Any NAT translations with a mapping id of 10 are sent
! to our peer
ip nat stateful id 1 redundancy SNATHSRP mapping-id 10
!
! Define our NAT pool
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
! Configure our NAT translation; don't forget the mapping-id
! that identifies what translations we want to tell our peer about
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255
And here's the configuration for Router 2:
!
interface ethernet0
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
 ! enable HSRP
 standby name SNATHSRP
 standby ip 10.10.1.3
!
! Enable SNAT for the group (id is 2 for router 2)
! Any NAT translations with a mapping id of 10 are sent
! to our peer
ip nat stateful id 2 redundancy SNATHSRP mapping-id 10
!
! Define our NAT pool
ip nat pool poolone 172.168.1.1 172.168.1.254 prefix-length 24
!
! Configure our NAT translation; don't forget the mapping-id
! that identifies what translations we want to tell our peer about
ip nat inside source list 20 pool poolone mapping-id 10 overload
!
access-list 20 permit 10.10.0.0 0.0.255.255
One important configuration note: we configured NAT pools on both routers. Had we configured a NAT pool only on Router 1 and Router 1 failed, Router 2 would continue to support already translated addresses but would not be able to create new sessions without the pool command. In order to support new sessions in the event of a failover, it's important to specify the pool command on both routers.
13.3.3.2. Configuring SNAT without HSRP
It is possible to configure SNAT without the benefit of HSRP by using a static primary and backup relationship. To do this, we use the primary keyword on the router that should own the translations and the backup keyword on the other router; each gives its own address for SNAT and names the other router with the peer keyword. Without HSRP there is no automatic detection of a failed router, so the roles are fixed by the configuration.
Here's the configuration for Router 1:
ip nat stateful id 1 primary 10.10.1.1 peer 10.10.1.2 mapping-id 10
Here's the configuration for Router 2:
ip nat stateful id 2 backup 10.10.1.2 peer 10.10.1.1 mapping-id 10