Network Address Translation, sometimes called Network Address Translator (NAT), was originally outlined in RFC 1631 in 1994. Its purpose was to allow devices on the inside network to use the private IP addresses that are now defined in RFC 1918. NAT makes it possible to have a very large internal network with thousands of local addresses represented by a handful of global addresses, or possibly a single global address.
We will set up a basic static and dynamic NAT configuration.
To the left we have a basic example of how NAT operates. Starting from the bottom we have our …
- Inside Local Addresses
- Outside Local Address
- Inside Global Address
- Outside Global Address
(For simplicity we will not be using subnet-zero)
- Network ID: 18.104.22.168 (Will always be even)
- First usable address: 22.214.171.124 (Will always be odd)
- Last usable address: 126.96.36.199 (Will always be even)
- Broadcast address: 188.8.131.52 (Remember BrODDcast, always odd)
- Netmask of: 255.255.255.248
For more subnet information refer to The Last Subnet Doc
Now we know that our usable range will be from 184.108.40.206 to 220.127.116.11, for a total of 6 addresses. 18.104.22.168 is already being used for the serial0 interface of our router. That leaves us five usable hosts.
For our INSIDE LOCAL address, I would like to reserve the IP 22.214.171.124; this will point to our company's web server. For this we will need to configure a static NAT. Once we complete this configuration we will be left with four usable hosts.
Router(config)# ip nat inside source static 192.168.1.125 126.96.36.199
The above config shows that 192.168.1.125 will be known as 188.8.131.52 to the outside world. Next we must prevent our host 192.168.1.125 from accessing our NAT pool. Let's start by setting up our NAT pool:
1. Router#config t
2. Router(config)# ip nat pool MyPool 184.108.40.206 220.127.116.11 netmask 255.255.255.248
3. Router(config)# access-list 1 deny host 192.168.1.125
4. Router(config)# access-list 1 permit 192.168.1.0 0.0.0.7
5. Router(config)# ip nat inside source list 1 pool MyPool
6. Router(config)#int e0
7. Router(config-if)#ip nat inside
9. Router(config)#int s0
10. Router(config-if)#ip nat outside
Line 3 prevents host 192.168.1.125 from accessing our NAT pool; it already has an IP.
Line 4 allows the remaining hosts to access the NAT pool.
Line 5 ties our pool to access-list 1, so the router knows which rules decide who may use the pool.
In lines 6 through 10, we apply NAT to our inside (e0) and outside (s0) interfaces.
That completes our basic static and dynamic NAT configuration.
What have we done?
- Configured a static NAT for our inside web server.
- Configured a dynamic NAT to allow our hosts access to the internet.
Keep in mind that the above configuration does NOT allow much room for growth. We started with eight hosts and lost two before we even got started on configuring our NAT pool. This leaves only six usable addresses, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11, for our pool to hand out.
By default, NAT allows a host to keep the requested IP for 24 hours. The above topology shows that we already have four hosts connected to our switch; if any more users were added to the network, they would not be able to access the internet.
This leads us to my next article, PAT (Port Address Translation). Next week we will discuss how PAT allows many hosts to access the internet on several registered internet addresses or just one. We will discuss the use of NAT overloading (many IPs to one).
Updated: 2010-12-22 for typos and IP corrections. By Ron Staples
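The following Python model is an added example, not code from this article, that walks an outbound packet through the configuration above in the order IOS evaluates it: static entry first, then access-list 1, then pool allocation, with the 24-hour idle timeout and the pool-exhaustion case from the previous paragraph. The global addresses are placeholders from the 203.0.113.0/29 documentation block (.1 router serial, .2 static web server, .3 to .6 the pool), and `wildcard_net`, `NatRouter` and `page_router` are names chosen here. One caveat the model makes visible: with wildcard 0.0.0.7 the permit line only matches 192.168.1.0 through .7, so 192.168.1.125 is handled by its static entry and the deny line is never what keeps it out of the pool.

```python
import ipaddress
# Added example, not the article's code. Inside addresses and ACL come from the
# page; the global addresses are placeholders from the 203.0.113.0/29 block.
TIMEOUT = 24 * 3600  # IOS default idle timeout for a dynamic translation (s)

def wildcard_net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an ipaddress network."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network((addr, str(mask)))

class NatRouter:
    def __init__(self, static, acl, pool):
        self.static = {ipaddress.ip_address(k): ipaddress.ip_address(v)
                       for k, v in static.items()}
        self.acl = [(action, wildcard_net(a, w)) for action, a, w in acl]
        self.free = [ipaddress.ip_address(a) for a in pool]  # unused globals
        self.dynamic = {}  # inside local -> [inside global, last-used time]

    def acl_permits(self, local):
        for action, net in self.acl:  # first matching line wins
            if local in net:
                return action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    def expire(self, now):
        """Release pool addresses whose translation has idled for TIMEOUT."""
        for local, (glob, last) in list(self.dynamic.items()):
            if now - last >= TIMEOUT:
                del self.dynamic[local]
                self.free.append(glob)

    def translate(self, local, now=0):
        """Inside-global address for an outbound packet, or None if none."""
        local = ipaddress.ip_address(local)
        self.expire(now)
        if local in self.static:  # static entries are consulted first
            return str(self.static[local])
        if local in self.dynamic:  # existing entry: refresh its idle timer
            self.dynamic[local][1] = now
            return str(self.dynamic[local][0])
        if not self.acl_permits(local) or not self.free:
            return None  # no translation: ACL miss, or the pool is exhausted
        self.dynamic[local] = [self.free.pop(0), now]
        return str(self.dynamic[local][0])

def page_router():
    """The router as configured on this page (global addresses are placeholders)."""
    return NatRouter(
        static={"192.168.1.125": "203.0.113.2"},       # ip nat inside source static
        acl=[("deny", "192.168.1.125", "0.0.0.0"),     # access-list 1 deny host
             ("permit", "192.168.1.0", "0.0.0.7")],    # access-list 1 permit
        pool=["203.0.113.3", "203.0.113.4", "203.0.113.5", "203.0.113.6"])
```

Calling `page_router().translate()` for a fifth inside host returns None until an earlier entry has idled past the 24-hour timeout, which is exactly the growth limit the paragraph above describes.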