Network Address Translation

Network Address Translation, sometimes called Network Address Translator (NAT), was originally outlined in RFC 1631 in 1994. It allows devices on the inside network to use private IP addresses, which are presently defined in RFC 1918. NAT makes it possible to have a very large internal network with thousands of local addresses represented by a handful of global addresses, or possibly a single global address.


We will set up a basic static and dynamic NAT configuration.

To the left we have a basic example of how NAT operates.  Starting from the bottom we have our …

  • Inside Local Addresses
  • Outside Local Address
  • Inside Global Address
  • Outside Global Address
Our ISP has given us the following IP range: 189.45.23.56/29. Looking at this subnet we can tell that our network starts on the 8th subnet range, and this gives us 6 usable addresses.

(For simplicity we will not be using subnet-zero)

  • Network ID: 189.45.23.56 (Will always be even)
  • First usable address: 189.45.23.57 (Will always be odd)
  • Last usable address: 189.45.23.62 (Will always be even)
  • Broadcast address: 189.45.23.63 (Remember BrODDcast, always odd)
  • Netmask of: 255.255.255.248

For more subnet information refer to The Last Subnet Doc

Now we know that our usable range will be from 189.45.23.57 to 189.45.23.63 for a total of 6 addresses. 189.45.23.57 is already being used for the serial0 interface of our router. That leaves us five usable hosts.

For our INSIDE LOCAL address, I would like to reserve the IP of 189.45.23.58; this will point to our company's web server. For this we will need to configure a static NAT. Once we complete this configuration we will be left with four usable hosts.

Router#config t
Router(config)# ip nat inside source static 192.168.1.125 189.45.23.58

The above config shows that 192.168.1.125 will be known as 189.45.23.58 to the outside world. Next we must prevent our host 192.168.1.125 from using our NAT pool. Let's start by setting up our NAT pool.

1. Router#config t
2. Router(config)# ip nat pool MyPool 189.45.23.59 189.45.23.62 netmask 255.255.255.248
3. Router(config)# access-list 1 deny host 192.168.1.125
4. Router(config)# access-list 1 permit 192.168.1.0 0.0.0.7
5. Router(config)# ip nat inside source list 1 pool MyPool
6. Router(config)#int e0
7. Router(config-if)#ip nat inside
8. Router(config-if)#exit
9. Router(config)#int s0
10. Router(config-if)#ip nat outside
11. Router(config-if)#end
12. Router#

Line 3 prevents host 192.168.1.125 from using our NAT pool; he already has an IP.

Line 4 allows the remaining hosts to access the NAT pool.

Line 5 ties access-list 1 to our pool, so the router knows which inside hosts are allowed to be translated.

In lines 6 through 10 we mark e0 as our NAT inside interface and s0 as our NAT outside interface.

That completes our basic static and dynamic NAT configuration.

What have we done?

Configured a static nat for our inside web server.

Configured a dynamic NAT, to allow our hosts access to the internet.

Keep in mind that the above configuration does NOT allow much room for growth; also, we start with eight hosts and lose two before we even get started on configuring our NAT pool. This leaves us with only six usable addresses, 189.45.23.57, 189.45.23.58, 189.45.23.59, 189.45.23.60, 189.45.23.61 and 189.45.23.62, for our pool to hand out.

By default NAT allows the hosts to keep the requested IP for 24 hours. The above topology shows that we already have four hosts connected to our switch; if any more users were added to the network, they would not be able to access the internet.
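To make the behaviour of the pool, the access list and the static entry concrete, here is a small Python model of the configuration above, covering the pool exhaustion described in the last two paragraphs. This is an added example, not Cisco IOS code and not part of the original article; the wildcard-mask matching and first-match ACL logic follow Cisco semantics, while the translation table itself is a deliberate simplification.

```python
import ipaddress

# Constructed model of the article's NAT configuration (addresses from the article).
STATIC = {"192.168.1.125": "189.45.23.58"}        # ip nat inside source static
POOL = [f"189.45.23.{h}" for h in range(59, 63)]   # MyPool .59-.62 (4 addresses)
# access-list 1 as (action, address, wildcard); evaluated top-down, first match wins
ACL_1 = [("deny", "192.168.1.125", "0.0.0.0"),
         ("permit", "192.168.1.0", "0.0.0.7")]

def subnet_facts(cidr="189.45.23.56/29"):
    """Network ID, broadcast and usable host count for the ISP-assigned block."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address), len(list(net.hosts()))

def wildcard_match(ip, addr, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    ip_i, addr_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (addr_i & care)

def acl_permits(ip, acl):
    for action, addr, wc in acl:
        if wildcard_match(ip, addr, wc):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL

class Nat:
    def __init__(self):
        self.table = dict(STATIC)   # inside local -> inside global
        self.free = list(POOL)      # pool addresses not yet handed out

    def translate(self, inside_local):
        """Inside global address for a new outbound flow, or None if translation fails."""
        if inside_local in self.table:          # static entry or existing dynamic lease
            return self.table[inside_local]
        if not acl_permits(inside_local, ACL_1):
            return None                         # host not eligible for the pool
        if not self.free:
            return None                         # pool exhausted: no internet for this host
        g = self.free.pop(0)
        self.table[inside_local] = g
        return g

def demo():
    """Web server plus five LAN hosts and one host outside the ACL's range."""
    nat = Nat()
    hosts = ["192.168.1.125", "192.168.1.1", "192.168.1.2", "192.168.1.3",
             "192.168.1.4", "192.168.1.5", "192.168.1.9"]
    return {h: nat.translate(h) for h in hosts}
```

Running `demo()` shows the static host always mapping to .58, the first four LAN hosts consuming .59 through .62, and the fifth host receiving no translation at all.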

This leads us to my next article – PAT (Port Address Translation). Next week we will discuss how PAT allows many hosts to access the internet on several or one registered internet address. We will discuss the use of NAT overloading (Many IPs to One).

Updated: 2010-12-22 for typos and IP corrections. By Ron Staples
