RFC 1918 defines private IP addresses. private IP addresses are reserved blocks of numbers that anyone can use. these addresses are meant for use only inside private networks and are not routed on the internet. this way, anyone can use private IP addresses for internal needs without worrying that someone else uses the same address, because packets carrying private addresses are not forwarded across public networks (the internet). note that "not routed" is a convention enforced by ISP filtering, not by the protocol: a border router will forward such packets if nothing filters them, so private addressing is not an access control by itself. the blocks reserved for private IP addresses are:
- Class A. 10.0.0.0 - 10.255.255.255. prefix length /8 (one class A network)
- Class B. 172.16.0.0 - 172.31.255.255. prefix length /12 (16 contiguous class B networks)
- Class C. 192.168.0.0 - 192.168.255.255. prefix length /16 (256 contiguous class C networks)
unlike private IP addresses, public IP addresses must be registered with a
Regional Internet Registry (RIR). organizations usually obtain public addresses from an ISP, which in turn holds them from its RIR. the RIRs are:
- ARIN, North America
- RIPE NCC, Europe, the Middle East and Central Asia
- APNIC, Asia-Pacific
- LACNIC, Latin America and the Caribbean
- AFRINIC, Africa
in the old days, a device that needed to access the internet had to be assigned a public IP address. since there are not enough public addresses, an organization cannot assign each of its devices a public address. Network Address Translation (NAT) provides a mechanism for hosts with private addresses to access the internet using only one (or a few) public addresses.
a NAT-enabled router has a pool of public IP addresses that inside hosts borrow when they communicate with a host outside the network (on the internet). the router maintains a translation table whose entries hold the inside local, inside global, outside local and outside global addresses. the router acts as a forwarder for the inside host: it rewrites the source address of a packet sent to the outside network to one of its public addresses. when a packet arrives destined to one of those public addresses, the router looks up the table, finds the corresponding inside local address, and forwards the packet to the correct inside host. an arriving packet that matches no entry is dropped for lack of a destination, which is why NAT is often mistaken for a firewall; it is not one, and the static and port-forwarding entries described below are permanent openings.
some NAT terminologies:
- inside local address. the actual address of an inside host, most likely a private address.
- inside global address. the public address an inside host is given when it communicates with the outside network.
- outside global address. the public address assigned to a host on the internet.
- outside local address. the address of an outside host as seen from the inside network. in most cases this is the same as the outside global address.
the "inside" of a NAT is not synonymous with private addresses as defined by RFC 1918: inside simply means the interfaces marked as ip nat inside, whatever addresses sit behind them. likewise "non-routable" only means not routable on the internet.
Types of NAT
Static NAT. one-to-one mapping: a particular inside host is always given the same public address, and the mapping remains constant. this is useful for hosts that need a consistent public address (enterprise servers or networking devices).
Dynamic NAT. mapping on a first-come, first-served basis. when an inside host wants to communicate with the outside network, it is assigned one of the public addresses from the pool that is still available (not used by any other host yet).
NAT overload, also called Port Address Translation (PAT), maps multiple private addresses to a single public address (or a few). a PAT-enabled router records the source port of each TCP/UDP session opened by inside hosts and makes sure that every session gets a unique (public address, port) pair. when a reply comes back from the internet, the router looks up the destination port in the table and forwards the message to the correct inside host.
NAT overload tries to preserve the source port chosen by the inside host. if an inside host opens a session to the outside network with source port 1221, the router keeps 1221 for the inside global address as long as no other translation is using it. if 1221 is already taken, the router does not simply step to 1222: per Cisco's documentation it picks the first free port from the beginning of the port group the original port belongs to (0-511, 512-1023 or 1024-65535), so the second host's session typically shows up as port 1024. if every port of a public address is in use and the pool holds more than one public address, the router moves on to the next public address.
Configuring Static NAT
static NAT allows connections initiated by external devices to reach inside hosts, because the mapping exists permanently. for example you may want to map an inside global address to your web server's inside local address. since NAT itself filters nothing, pair such a mapping with an access list on the outside interface that permits only the ports the server is supposed to offer. the steps for configuring static NAT are:
- step 1. establish a static translation between an inside local address and an inside global address.
ip nat inside source static local-ip global-ip
local-ip: inside local address of a specific device
global-ip: public address available for the local device
- step 2. specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number
- step 3. specify the outside interface
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number
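the three steps put together as an added example (not from the original notes, and not a configuration from any particular vendor document). it assumes GigabitEthernet0/0 is the LAN interface on 192.168.1.0/24, GigabitEthernet0/1 faces the ISP with the public block 203.0.113.0/29, and the web server is 192.168.1.252; all addresses and interface names are assumptions for illustration. it also adds the access list the steps above do not mention, so the permanent mapping only exposes the web ports.

```cisco
! Added example, not from the original notes. Interfaces and addresses are assumed.
! Step 1: permanent one-to-one mapping, inside local 192.168.1.252 <-> inside global 203.0.113.10
ip nat inside source static 192.168.1.252 203.0.113.10
!
! Step 2: inside (LAN) interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Step 3: outside (ISP-facing) interface
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 110 in
!
! Static NAT does no filtering: without this list every port on 192.168.1.252 is reachable
! from the internet. An inbound ACL on the outside interface is evaluated before the
! outside-to-inside translation, so it must match the inside GLOBAL address.
access-list 110 permit tcp any host 203.0.113.10 eq 80
access-list 110 permit tcp any host 203.0.113.10 eq 443
! Return traffic for TCP sessions the server (or router) opened itself; add the equivalent
! for UDP/ICMP or use stateful inspection if the router also carries outbound traffic.
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
```

after applying it, "show ip nat translations" lists the single static entry immediately, without any traffic, which is the quick way to tell a static mapping from a dynamic one.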
Configuring Dynamic NAT
dynamic NAT translates private addresses to public addresses from a pool. the steps are:
- step 1. Define a pool of global addresses to be allocated as needed.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word. name of the pool
start-ip: lowest public address to be available in the pool
end-ip: highest public address to be available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses
- step 2. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)
- step 3. establish dynamic translation between private addresses and public addresses
ip nat inside source list acl-number pool name
acl-number: the number of ACL which permits private addresses to be translated
name: name of the pool that contains public addresses
- step 4. specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number
- step 5. specify the outside interface
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number
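the five steps as one added example (not from the original notes). it assumes the same router as before: GigabitEthernet0/0 on 192.168.1.0/24, GigabitEthernet0/1 on 203.0.113.2/29 toward the ISP, and the ISP leaving 203.0.113.3-203.0.113.7 free for the pool; the pool name OUTSIDE-POOL and the ACL number are also assumptions.

```cisco
! Added example, not from the original notes. Interfaces, addresses and names are assumed.
! Step 1: pool of five public addresses (.1 is the ISP router, .2 is our outside interface)
ip nat pool OUTSIDE-POOL 203.0.113.3 203.0.113.7 netmask 255.255.255.248
!
! Step 2: which inside sources may be translated. Keep it to the LAN prefix; a
! "permit any" here would also try to translate transit traffic from other networks.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Step 3: bind the list to the pool (one public address per inside host, first come first served)
ip nat inside source list 1 pool OUTSIDE-POOL
!
! Step 4: inside interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Step 5: outside interface
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
```

with five addresses in the pool, the sixth inside host that starts a session gets no translation and its packets are dropped until an existing entry times out; the "misses" counter under the pool in "show ip nat statistics" is the place to see that happening.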
Configuring NAT overload
there are two ways to configure overloaded NAT, depending on how many public addresses the ISP gives you. if only one address is given (the one on the outside interface), the steps are:
- step 1. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)
- step 2. establish overload translation.
ip nat inside source list acl-number interface interface-type/number overload
acl-number: the number of ACL which permits private addresses to be translated
interface-type/number: specify the interface that is assigned the public address (typically, address given by the ISP)
the "overload" keyword enables the addition of the source port number to the translation.
- step 3. specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number
- step 4. specify the outside interface
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number
to configure overloaded NAT with more than one public ip address:
- step 1. create a standard access-list permitting the addresses to be translated.
access-list acl-number permit source [ source-wildcard ]
acl-number: a number that identifies the standard acl
source: private address/network to be permitted
source-wildcard: wildcard of the source permitted (see ACL)
- step 2. Specify the global addresses as a pool.
ip nat pool name start-ip end-ip {netmask netmask-number|prefix-length pref-length}
name: word. name of the pool
start-ip: lowest public address to be available in the pool
end-ip: highest public address to be available in the pool
netmask-number: subnet mask of the public addresses
pref-length: prefix length of the public addresses
- step 3. establish overload translation
ip nat inside source list acl-number pool name overload
acl-number: the number of ACL which permits private addresses to be translated
name: name of the pool that contains public addresses
- step 4. specify the inside interface.
interface type number
ip nat inside
type: the type of the interface [FastEthernet | Serial]
number: interface number
- step 5. specify the outside interface
interface type number
ip nat outside
type: the type of the interface [FastEthernet | Serial]
number: interface number
by default a dynamic translation times out after 24 hours (86400 seconds); with overload the timers are per protocol (TCP 24 hours, UDP 5 minutes, DNS and ICMP 1 minute). static entries never time out. you can change the timers with the command "ip nat translation timeout timeout-seconds".
you can see the NAT configuration with the command "show run". to verify NAT operation use the command "show ip nat translations [verbose]". the command "show ip nat statistics" displays the total number of active translations, the NAT configuration parameters, the total number of addresses in the pool and how many of them are allocated.
you can debug NAT operation with the command "debug ip nat". it prints a line per translated packet, so use it briefly on a busy router.
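an added example (not from the original notes) that ties together the overload configuration above, the port-preservation behaviour described under NAT overload, and the verification commands. it assumes the same router and addresses as the earlier examples; the "show ip nat translations" output embedded as comments is constructed to illustrate the expected shape, not captured from a device.

```cisco
! Added example, not from the original notes. Interfaces, addresses and the sample
! "show" output below are assumed/constructed for illustration.
! Variant A: a single public address, the one configured on the outside interface
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Variant B: several public addresses, a pool with overload (use one variant, not both)
! ip nat pool OUTSIDE-POOL 203.0.113.3 203.0.113.4 netmask 255.255.255.248
! ip nat inside source list 1 pool OUTSIDE-POOL overload
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Shorter timers shrink the window in which a stale entry could match unsolicited
! inbound packets (defaults: TCP 86400 s, UDP 300 s)
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
!
! Expected shape of "show ip nat translations" once 192.168.1.10 and then 192.168.1.11
! both open a session to 198.51.100.5:80 from source port 1221 (constructed output):
!   Pro Inside global       Inside local        Outside local        Outside global
!   tcp 203.0.113.2:1221    192.168.1.10:1221   198.51.100.5:80      198.51.100.5:80
!   tcp 203.0.113.2:1024    192.168.1.11:1221   198.51.100.5:80      198.51.100.5:80
! The first host keeps its port. The second host's 1221 collides, so PAT takes the
! first free port of the 1024-65535 group (1024 here), not 1222.
```

"show ip nat statistics" reports the active-translation count and, for variant B, the allocated and missed addresses per pool; "clear ip nat translation *" flushes the dynamic entries when you need a clean table while testing.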
Port Forwarding
port forwarding enables external users (on the outside network) to initiate a connection to an inside host. it does this by translating messages received for a specified port to a particular inside host and destination port.
for example, you have a web server on your inside network with IP address 192.168.1.252. to let external users reach it, configure port forwarding of HTTP traffic from your border router to the web server: traffic received on the WAN interface for port 80 (HTTP uses port 80) is forwarded to the inside interface with destination address 192.168.1.252 and destination port 80. in this case the external and internal ports are the same; you can change either one. if you change the external port, external users must know the port number you use (an unusual port hides nothing from a port scan, so it is not a substitute for filtering). remember that the forwarded port is reachable from the whole internet unless an access list on the outside interface limits who may connect.
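on IOS, port forwarding is static PAT, configured with "ip nat inside source static tcp|udp". the following is an added example (not from the original notes) for the web server above. it assumes GigabitEthernet0/1 is the outside interface holding the ISP-assigned address 203.0.113.2, GigabitEthernet0/0 the inside interface, and a second service on port 443 exposed externally as 8443; the alternative entry with the dedicated public address 203.0.113.10 is likewise an assumption.

```cisco
! Added example, not from the original notes. Addresses and interfaces are assumed.
! Forward TCP/80 arriving at the outside interface address to the web server, same port
ip nat inside source static tcp 192.168.1.252 80 interface GigabitEthernet0/1 80
! Same server, different external port: clients must connect to 203.0.113.2:8443
ip nat inside source static tcp 192.168.1.252 443 interface GigabitEthernet0/1 8443
!
! Alternative with a dedicated public address instead of the interface address
! ("extendable" lets several entries share one global address):
! ip nat inside source static tcp 192.168.1.252 80 203.0.113.10 80 extendable
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 120 in
!
! The forwarded entries are reachable from anywhere; the inbound ACL (matched on the
! public, pre-translation address) keeps it to the two ports actually published.
! Add permits for return traffic of outbound sessions as in the static NAT example.
access-list 120 permit tcp any host 203.0.113.2 eq 80
access-list 120 permit tcp any host 203.0.113.2 eq 8443
access-list 120 permit tcp any any established
access-list 120 deny ip any any log
```

these entries coexist with an "ip nat inside source list ... interface GigabitEthernet0/1 overload" statement on the same interface: outbound sessions share the address through PAT while the two static ports stay pinned to the server. "show ip nat translations" shows the two static entries with their port numbers even when no client is connected.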