Chapter 9 – Sections & Objectives
- 9.1 NAT Operation
- Explain how NAT provides IPv4 address scalability in a small to medium-sized business network.
- 9.2 Configuring NAT
- Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.
- 9.3 Troubleshoot NAT Configurations
- Troubleshoot NAT issues in a small to medium-sized business network.
9.1 NAT Operation
NAT Characteristics
- IPv4 Private Address Space
- 10.0.0.0 /8, 172.16.0.0 /12, and 192.168.0.0 /16
- What is NAT?
- Process to translate network IPv4 address
- Conserve public IPv4 addresses
- Configured at the border router for translation
- NAT Terminology
- Inside address
- Inside local address
- Inside global address
- Outside address
- Outside local address
- Outside global address
Types of NAT
- Static NAT
- One-to-one mapping of local and global addresses
- Configured by the network administrator and remain constant.
- Dynamic NAT
- Uses a pool of public addresses and assigns them on a first-come, first-served basis
- Requires enough public addresses for the total number of simultaneous user sessions
- Port Address Translation (PAT)
- Maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses
- Also known as NAT overload
- Validates that the incoming packets were requested
- Uses port numbers to forward the response packets to the correct internal device
NAT Advantages
- Advantages of NAT
- Conserves the legally registered addressing scheme
- Increases the flexibility of connections to the public network
- Provides consistency for internal network addressing schemes
- Hides the internal addressing scheme from the outside (a side-effect of stateful session tracking that is often described as "security", but not a substitute for a firewall)
- Disadvantages of NAT
- Performance is degraded
- End-to-end functionality is degraded
- End-to-end IP traceability is lost
- Tunneling is more complicated
- Initiating TCP connections can be disrupted
9.2 Configuring NAT
Configuring Static NAT
• Configuring Static NAT
° Create the mapping between the inside local and inside global addresses
ip nat inside source static local-ip global-ip
° Define which interfaces belong to the inside network and which belong to the outside network
ip nat inside
ip nat outside
• Analyzing Static NAT
• Verifying Static NAT
show ip nat translations
show ip nat statistics
clear ip nat statistics
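The static NAT procedure above written out as one complete configuration. This is an added example, not a slide from the original deck; the router name R1, the interface names, the inside LAN 192.168.10.0/24, the server at 192.168.10.254, the outside link 203.0.113.0/30 and the public address 203.0.113.10 are all hypothetical (RFC 5737 documentation ranges).

```cisco
! Added example: static NAT for one inside server (hypothetical addresses)
hostname R1
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside link to ISP
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! One-to-one mapping: inside local 192.168.10.254 <-> inside global 203.0.113.10.
! The entry is permanent and works in both directions, so outside hosts can
! initiate connections to 203.0.113.10 on every port unless an ACL stops them.
ip nat inside source static 192.168.10.254 203.0.113.10
!
! Inbound ACLs on the outside interface are evaluated before the
! outside-to-inside translation, so the ACL must match the global address,
! not 192.168.10.254. Only HTTPS to the server is allowed in; the rest of the
! policy is left open because this example translates a single host.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any host 203.0.113.10 log
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Verification (privileged EXEC):
!   show ip nat translations   the static entry is listed even with no traffic;
!                              rows with outside addresses appear only while
!                              sessions are active
!   show ip nat statistics     confirms which interfaces are inside/outside and
!                              shows the hit/miss counters
!   clear ip nat statistics    resets the counters before a test
```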
Configuring Dynamic NAT
• Dynamic NAT Operation
° The pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come, first-served basis.
° With dynamic NAT, a single inside local address is translated to a single inside global address taken from the pool.
° The pool must be large enough to accommodate all inside devices that communicate externally at the same time.
° A device is unable to communicate to any external networks if no addresses are available in the pool.
• Configuring Dynamic NAT
° Define the pool of inside global addresses that inside local addresses are translated to
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
° Create a standard ACL to permit those addresses to be translated
access-list access-list-number permit source [source-wildcard]
° Bind the ACL to the pool
ip nat inside source list access-list-number pool name
° Identify the inside and outside interfaces
ip nat inside
ip nat outside
• Analyzing Dynamic NAT
• Verifying Dynamic NAT
show ip nat translations
show ip nat translations verbose
clear ip nat statistics
clear ip nat translation *
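The four dynamic NAT steps as one configuration, added here as an example rather than taken from the original slides. Interface and address values are hypothetical: LAN 192.168.10.0/24 on GigabitEthernet0/0, the outside link on GigabitEthernet0/1, and a 16-address inside global pool 203.0.113.16 to 203.0.113.31.

```cisco
! Added example: dynamic NAT with a pool of 16 inside global addresses (hypothetical values)
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Step 1: the inside global pool. The netmask is the mask of the network the
! pool addresses belong to, not the mask of the inside LAN.
ip nat pool PUBLIC-POOL 203.0.113.16 203.0.113.31 netmask 255.255.255.224
!
! Step 2: standard ACL naming the inside local addresses allowed to be translated.
! The wildcard 0.0.0.255 covers exactly 192.168.10.0/24. The implicit deny at the
! end means any other inside host is never translated and cannot reach the outside.
access-list 1 remark inside hosts eligible for translation
access-list 1 permit 192.168.10.0 0.0.0.255
!
! Step 3: bind the ACL to the pool. Each active inside host consumes one pool
! address; the 17th concurrent host gets no translation and its packets are
! dropped, which shows up as a rising "misses" counter in show ip nat statistics.
ip nat inside source list 1 pool PUBLIC-POOL
!
! Dynamic entries persist for 24 hours by default; a shorter timeout returns
! addresses to the pool sooner when hosts go idle.
ip nat translation timeout 3600
!
! Adding the overload keyword to the bind statement turns this into PAT on the
! same pool (the "Configuring PAT: Address Pool" variant):
!   ip nat inside source list 1 pool PUBLIC-POOL overload
```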
Configuring Port Address Translations (PAT)
• Configuring PAT: Address Pool
° Define the pool of inside global addresses that inside local addresses are translated to
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
° Create a standard ACL to permit those addresses to be translated
access-list access-list-number permit source [source-wildcard]
° Bind the ACL to the pool
ip nat inside source list access-list-number pool name
° Identify the inside and outside interfaces
ip nat inside
ip nat outside
• Configuring PAT: Single Address
° Define a standard ACL to permit those addresses to be translated
access-list access-list-number permit source [source-wildcard]
° Establish dynamic source translation, specify the ACL, exit interface, and overload option
ip nat inside source list access-list-number interface type name overload
° Identify the inside and outside interfaces
ip nat inside
ip nat outside
• Analyzing PAT
• Verifying PAT
show ip nat translations
show ip nat statistics
clear ip nat statistics
Port Forwarding
- Port Forwarding
- Port forwarding is the act of forwarding a network port from one network node to another.
- A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network.
- Port forwarding is helpful in situations where servers have private addresses, not reachable from the outside networks.
- Wireless Router Example
- Configuring Port Forwarding with IOS
ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable]
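PAT on the outside interface address combined with two port-forwarding entries, as one added example (not from the original slides) that covers both the "Configuring PAT: Single Address" procedure and the port-forwarding command above. The interfaces, the inside networks 192.168.10.0/24 and 192.168.20.0/24, the server 192.168.10.254, the public address 203.0.113.1 and the management network 198.51.100.0/24 are hypothetical.

```cisco
! Added example: PAT (NAT overload) on the outside interface plus port forwarding
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! List only the inside networks, never "permit any": anything else that arrives
! on an inside interface (including spoofed sources) would otherwise be
! translated and sent out with the router's public address.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
!
! All inside hosts share the address of GigabitEthernet0/1. The router rewrites
! the source port when two sessions collide and uses the port to map replies
! back to the right inside host. Unsolicited inbound packets match no entry
! and are dropped.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Port forwarding: fixed entries that exist before any inside traffic, so the
! outside can reach the server. Protocol and port are part of the entry, so only
! TCP/443 and TCP/22 of 192.168.10.254 are exposed, on public ports 8443 and 2222.
! "extendable" allows several static entries for the same inside local address.
ip nat inside source static tcp 192.168.10.254 443 203.0.113.1 8443 extendable
ip nat inside source static tcp 192.168.10.254 22 203.0.113.1 2222 extendable
!
! A forwarded port is reachable from the whole Internet. Restrict who may use the
! SSH forward with an inbound ACL on the outside interface; it is evaluated
! before translation, so match on the global address and port.
ip access-list extended OUTSIDE-IN
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 2222
 deny   tcp any host 203.0.113.1 eq 2222 log
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
```

Return traffic for the overloaded sessions is still accepted by the final `permit ip any any`; the ACL only fences off the administrative port.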
Configuring NAT and IPv6
- NAT for IPv6?
- IPv6 with a 128-bit address provides 340 undecillion addresses.
- Address space is not an issue for IPv6.
- IPv6 makes IPv4-style public-to-private NAT unnecessary by design; however, IPv6 does define a form of private address space, and it is implemented differently than private addresses are in IPv4.
- IPv6 Unique Local Address
- IPv6 unique local addresses (ULAs) are designed to allow IPv6 communications within a local site.
- ULAs are not meant to provide additional IPv6 address space.
- ULAs have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF; in practice addresses come from FD00::/8, because RFC 4193 requires the locally assigned bit to be set.
- ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses).
- NAT for IPv6
- IPv6 also uses NAT, but in a much different context: not to stretch address space, but to let IPv6 and IPv4 hosts communicate during the transition.
- NAT64 translates between IPv6 and IPv4 addresses, typically so that IPv6-only hosts can reach IPv4-only services.
- NAT64 is not intended to be a permanent solution; it is a transition mechanism.
- Network Address Translation-Protocol Translation (NAT-PT) was an earlier NAT-based transition mechanism for IPv6, but it has been deprecated by the IETF.
- NAT64 is now the recommended mechanism.
9.3 Troubleshooting NAT
Troubleshooting NAT Configurations
- Troubleshooting NAT: show commands
clear ip nat statistics
clear ip nat translation *
show ip nat statistics
show ip nat translations
- Troubleshooting NAT: debug commands
debug ip nat
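A worked troubleshooting sequence, added here as an example rather than taken from the slides. It assumes the PAT setup of a router R1 (LAN 192.168.10.0/24 on GigabitEthernet0/0, outside GigabitEthernet0/1) and a hypothetical fault: the translation ACL was entered with the wrong network.

```cisco
! Added example: NAT troubleshooting on R1 (hypothetical addresses and fault)
! Symptom: hosts in 192.168.10.0/24 cannot reach the Internet.
!
! Step 1 - confirm interface roles and counters
!   show ip nat statistics
!   "Inside interfaces" must list Gi0/0 and "Outside interfaces" Gi0/1; swapped
!   or missing roles are the most common cause of nothing being translated.
!   A growing "Misses" count with "Total active translations: 0" means packets
!   arrive but no entry is ever created: look at the ACL and the pool next.
!
! Step 2 - inspect the translation ACL. Faulty line found in the running config:
!   access-list 1 permit 192.168.1.0 0.0.0.255
!   It matches 192.168.1.0/24, not the LAN 192.168.10.0/24, so every inside host
!   hits the implicit deny and is never translated. Remove and re-create it:
no access-list 1
access-list 1 permit 192.168.10.0 0.0.0.255
!
! Step 3 - make sure the translation statement points at the real outside interface
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Step 4 - flush stale entries, then watch packets being translated while an
! inside host pings an outside address
!   clear ip nat translation *
!   debug ip nat
!   Each translated packet prints a line of the form
!   s=<inside local>-><inside global>, d=<destination>. No output while the host
!   is sending means the packet is not matched by the ACL or arrives on an
!   interface without ip nat inside.
!   undebug all
!
! Step 5 - confirm the fix
!   show ip nat translations
!   Dynamic entries for the pinging host should now appear with Gi0/1's address
!   as the inside global address.
```

Run `debug ip nat` only briefly on a busy router; it prints one line per translated packet and can overload the console.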
9.4 Chapter Summary
- How NAT is used to help alleviate the depletion of the IPv4 address space.
- NAT conserves public address space and saves considerable administrative overhead in managing adds, moves, and changes.
- NAT for IPv4, including:
- NAT characteristics, terminology, and general operations
- Different types of NAT, including static NAT, dynamic NAT, and NAT with overloading
- Benefits and disadvantages of NAT
- The configuration, verification, and analysis of static NAT, dynamic NAT, and NAT with overloading.
- How port forwarding can be used to access an internal device from the Internet.
- Troubleshooting NAT using show and debug commands.
- How NAT for IPv6 is used to translate between IPv6 addresses and IPv4 addresses.
Section 9.1
New Terms and Commands
- Dynamic Network Address Translation (Dynamic NAT)
- Global Address
- Inside Address
- Inside Global Address
- Inside Local Address
- Local Address
- Network Address Translation (NAT)
- Outside Address
- Outside Global Address
- Outside Local Address
- Port Address Translation (PAT)
- Private Address
- Public Address
- RFC 1918
- Static Network Address Translation (Static NAT)
Section 9.2
New Terms and Commands
- show ip nat statistics command
- clear ip nat statistics command
- clear ip nat translation * command
- ip nat inside source command
- ip nat inside source list access-list-number pool name command
- ip nat pool command
- ip nat translation timeout command
- NAT64
- Overload
- Port Forwarding
- show ip nat translations command
- Unique Local Address (ULA)
Section 9.3
New Terms and Commands
- debug ip nat command
- debug ip nat detailed command