Routing and Switching Essentials 6.0 Instructor Materials – Chapter 9: NAT for IPv4

Instructor Planning Guide

Activities

What activities are associated with this chapter?

Assessment

Students should complete Chapter 9, “Assessment” after completing Chapter 9.

Quizzes, labs, Packet Tracers and other activities can be used to informally assess student progress.

Sections & Objectives

9.1 NAT Operation

Explain how NAT provides IPv4 address scalability in a small to medium-sized business network

Explain the purpose and function of NAT.

Explain the operation of different types of NAT.

Describe the advantages and disadvantages of NAT.

9.2 Configure NAT

Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.

Configure static NAT using the CLI.

Configure dynamic NAT using the CLI.

Configure PAT using the CLI.

Configure port forwarding using the CLI.

9.3 Troubleshoot NAT

Troubleshoot NAT issues in a small to medium-sized business network.

Troubleshoot NAT

Chapter 9: NAT for IPv4

9.1 – NAT Operation

9.1.1 – NAT Characteristics

9.1.1.1 – IPv4 Private Address Space

Private IP addresses are used within an organization and home networks.

9.1.1.2 – What is NAT?

Private IP addresses cannot be routed over the Internet.

NAT is used to translate private IP addresses used inside a company to public addresses that can be routed over the Internet.

NAT hides internal IPv4 addresses from outside networks.

  • Companies use the same private IPv4 addresses so outside devices cannot tell one company’s 10.x.x.x network from another company’s 10.x.x.x network.

A NAT-enabled router can be configured with a public IPv4 address.

A NAT-enabled router can be configured with multiple public IPv4 addresses to be used in a pool or NAT pool for internal devices configured with private addresses.

9.1.1.3 – NAT Terminology

Four types of addresses: inside, outside, local, and global

  • Always consider the device that is having its private address translated to understand this concept.
  • Inside address – address of the company network device that is being translated by NAT
  • Outside address – IP address of the destination device
  • Local address – any address that appears on the inside portion of the network
  • Global address – any address that appears on the outside portion of the network

9.1.1.4 – NAT Terminology (Cont.)

9.1.1.5 – How NAT Works

9.1.1.5 – How NAT Works (Cont.)

9.1.2 – Types of NAT

9.1.2.1 – Static NAT

Static address translation (static NAT) assigns one public IP address to one private IP address

Commonly used for servers that need to be accessed by external devices or for devices that must be accessible by authorized personnel when offsite

One-to-one address mapping between local and global addresses

9.1.2.2 – Dynamic NAT

Dynamic NAT assigns a public IP address from a pool of addresses to each packet that originates from a device that has a private IP address assigned when that packet is destined to a network outside the company.

  • Addresses are assigned on a first-come, first-served basis
  • The number of internal devices that can transmit outside the company is limited to the number of public IP addresses in the pool.

9.1.2.3 – Port Address Translation (PAT)

PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices.

Uses port numbers to track the session

9.1.2.4 – Next Available Port

PAT tries to preserve the original source port number.

If that port number is already in use, PAT will assign the first available port number for the appropriate port group

  • 0 – 511
  • 512 – 1023
  • 1024 – 65,535

When there are no more port numbers available, PAT moves to the next public IP address in the pool if there is one.

9.1.2.5 – Comparing NAT and PAT

Static NAT translates addresses on a 1:1 basis

PAT uses port numbers so that one public address can be used for multiple privately addressed devices

  • PAT can still function with a protocol such as ICMP that does not use TCP or UDP

9.1.2.6 – Packet Tracer – Investigating NAT Operation

9.1.3 – NAT Advantages

9.1.3.1 – Advantages of NAT

Conserves the legally registered addressing scheme

  • Every company can use the private IP addresses

Increases the flexibility of connections to the public network

  • Multiple NAT pools, backup pools, and load-balancing across NAT pools

Provides consistency for internal network addressing schemes

  • Do not have to readdress the network if a new ISP or public IP address is assigned

Provides network security

  • Hides user private IPv4 addresses

9.1.3.2 – Disadvantages of NAT

Performance is degraded.

  • The NAT-enabled border device must track and process each session destined for an external network.

End-to-end functionality is degraded.

  • Translation of each IPv4 address within the packet headers takes time.

End-to-end IP traceability is lost.

  • Some applications require end-to-end addressing and cannot be used with NAT.
  • Static NAT mappings can sometimes be used.
  • Troubleshooting can be more challenging.

Tunneling becomes more complicated.

Initiating TCP connections can be disrupted.

9.2 – Configure NAT

9.2.1 – Configuring Static NAT

9.2.1.1 – Configure Static NAT

9.2.1.2 – Analyzing Static NAT

1. Client opens a web browser for a connection to a web server.

2. R2 receives the packet on the outside interface and checks the NAT table.

3. R2 replaces the inside global address with the inside local address of 192.168.10.254 (the server’s address).

4. Web server responds to the client.

5. (a) R2 receives the packet from the server on the inside address.
(b) R2 checks the NAT table, translates the source address to the inside global address of 209.165.201.5, and forwards the packet.

6. The client receives the packet.

9.2.1.3 – Verifying Static NAT

9.2.1.4 – Packet Tracer – Configuring Static NAT

9.2.2 – Configure Dynamic NAT

9.2.2.1 – Dynamic NAT Operation

Remember that dynamic NAT uses a pool of public IPv4 addresses.

Use the same concepts of inside and outside NAT interfaces as static NAT.

9.2.2.2 – Configuring Dynamic NAT

9.2.2.3 – Analyzing Dynamic NAT

1. PC1 and PC2 open a web browser for a connection to a web server.

2. R2 receives the packets on the inside interface and checks if translation should be performed (via an ACL). R2 assigns a global address from the NAT pool and creates a NAT table entry for both packets.

3. R2 replaces the inside local source address on each packet with the translated inside global address from the pool.

4. The server responds to PC1 using the destination address of 209.165.200.226 (the NAT-assigned address) and to PC2 using the destination address of 209.165.200.227.

5. (a and b) R2 looks up each received packet and forwards based on the private IP address found in the NAT table for each of the destination addresses.

9.2.2.4 – Verifying Dynamic NAT

9.2.2.5 – Packet Tracer – Configuring Dynamic NAT

9.2.2.6 – Lab – Configuring Dynamic and Static NAT

9.2.3 – Configure PAT

9.2.3.1 – Configuring PAT: Address Pool

9.2.3.2 – Configuring PAT: Single Address

When a public address is assigned to the external interface on the border router, that public address can be used for PAT to translate internal private IP addresses to the public IP address.

9.2.3.3 – Analyzing PAT

1. PC1 and PC2 open a web browser for a connection to a web server.

2. R2 receives the packets on the inside interface and checks if translation should be performed (via an ACL). R2 assigns the IP address of the outside interface, adds a port number, and creates a NAT table entry for both packets.

3. R2 replaces the inside local source address on each packet with the translated inside global address.

4. Each server responds to PC1 and PC2 using the destination address of the public address assigned to the external interface on the border router.

5. R2 looks up the received packet and forwards to PC1 because that is the private IP address found in the NAT table for the destination address and port number.

6. R2 looks up the received packet and forwards to PC2 because that is the private IP address found in the NAT table for the destination address and port number.
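
The PAT steps above, together with the next-available-port rule from 9.1.2.4, modelled as a small translation table. This is an added example, not Cisco code: the class and function names are hypothetical, the addresses are constructed, and "first available" is assumed to mean the lowest unused port in the same group.

```python
from itertools import chain

# Port groups as listed in 9.1.2.4.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) bounds of the group a source port falls in."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"not a valid port: {port}")


class PatTable:
    """Toy PAT table: inside local (ip, port) <-> inside global (ip, port)."""

    def __init__(self, pool):
        self.pool = list(pool)   # public addresses, tried in order
        self.outbound = {}       # inside local -> inside global
        self.inbound = {}        # inside global -> inside local

    def translate(self, inside_ip, inside_port):
        """Translate an outbound flow, creating a table entry if needed."""
        key = (inside_ip, inside_port)
        if key in self.outbound:
            return self.outbound[key]
        low, high = port_group(inside_port)
        for global_ip in self.pool:
            # Prefer the original source port, then the first free port
            # in the same group; fall through to the next pool address.
            for port in chain([inside_port], range(low, high + 1)):
                if (global_ip, port) not in self.inbound:
                    self.outbound[key] = (global_ip, port)
                    self.inbound[(global_ip, port)] = key
                    return global_ip, port
        raise RuntimeError("PAT pool exhausted for this port group")

    def lookup_inbound(self, global_ip, global_port):
        """Return the inside host for a reply, or None if no entry exists."""
        return self.inbound.get((global_ip, global_port))


if __name__ == "__main__":
    # Constructed addresses for illustration.
    nat = PatTable(["209.165.200.225", "209.165.200.226"])
    print(nat.translate("192.168.10.10", 1444))   # original port kept
    print(nat.translate("192.168.10.11", 1444))   # port clash, remapped
    print(nat.lookup_inbound("209.165.200.225", 1024))
    print(nat.lookup_inbound("209.165.200.225", 4000))  # no entry
```

An inbound packet with no matching entry returns `None`, which is the behaviour port forwarding (9.2.4) exists to work around.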

9.2.3.4 – Verifying PAT

9.2.3.6 – Packet Tracer – Implementing Static and Dynamic NAT

9.2.3.7 – Lab – Configuring Port Address Translation (PAT)

9.2.4 – Configure Port Forwarding

9.2.4.1 – Port Forwarding

Port forwarding allows an external device to reach, on a specific port number, a device located on an internal (private) network.

  • Required for some peer-to-peer file-sharing programs and operations such as web serving and outgoing FTP
  • Solves the problem of NAT only allowing translations for traffic destined for external networks at the request of internal devices.

9.2.4.2 – Wireless Router Example

Port forwarding can be enabled for specific applications

  • Must specify the inside local address that requests should be forwarded to

9.2.4.3 – Configuring Port Forwarding with IOS

9.2.4.4 – Packet Tracer – Configuring Port Forwarding on a Wireless Router

9.2.5 – NAT and IPv6

9.2.5.1 – NAT for IPv6?

IPv6 was developed with the intention of making NAT for IPv4 unnecessary

IPv6 does have its own form of NAT

  • IPv6 has its own private address space

9.2.5.2 – IPv6 Unique Local Addresses

IPv6 unique local addresses (ULAs) are similar to IPv4 private addresses

ULAs provide IPv6 address space for communications within a local site.

First 64 bits of a ULA

  • Prefix of FC00::/7 (FC00 to FDFF)
  • Next bit is a 1 if the prefix is locally assigned
  • Next 40 bits define a global ID
  • Next 16 bits is a subnet ID

Last 64 bits of a ULA is the interface ID or host portion of the address

Allows sites to be combined without address conflicts

Allows internal connectivity

Not routable on the Internet
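
The ULA field layout above, decoded from an address. This is an added example, not part of the course material; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_ula(addr):
    """Split an IPv6 address into ULA fields, or return None if not a ULA."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 121 != 0b1111110:          # top 7 bits must match FC00::/7
        return None
    return {
        "locally_assigned": bool((n >> 120) & 1),           # next bit (L)
        "global_id": f"{(n >> 80) & ((1 << 40) - 1):010x}",  # next 40 bits
        "subnet_id": f"{(n >> 64) & 0xFFFF:04x}",            # next 16 bits
        "interface_id": f"{n & ((1 << 64) - 1):016x}",       # last 64 bits
    }


def same_site(addr_a, addr_b):
    """True when both addresses are ULAs sharing one global ID."""
    a, b = parse_ula(addr_a), parse_ula(addr_b)
    return bool(a and b and a["global_id"] == b["global_id"])


if __name__ == "__main__":
    # Constructed addresses for illustration.
    print(parse_ula("fd12:3456:789a:1::1"))
    print(parse_ula("2001:db8::1"))    # not a ULA
    print(same_site("fd12:3456:789a:1::1", "fd12:3456:789a:2::5"))
```

Two sites with different global IDs can be merged without renumbering, which is what `same_site` distinguishes.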

9.2.5.3 – NAT for IPv6

Provides access between IPv6-only and IPv4-only networks (not for translating private addresses to public addresses, as NAT for IPv4 does)

Techniques available

  • Dual-stack – both devices run protocols for both IPv4 and IPv6
  • Tunneling – Encapsulate the IPv6 packet inside an IPv4 packet for transmission over an IPv4-only network
  • NAT for IPv6 (translation)
    • Should not be used as a long term strategy
    • The older Network Address Translation-Protocol Translation (NAT-PT)
    • NAT64

9.3 – Troubleshoot NAT

9.3.1 – NAT Troubleshooting Commands

9.3.1.1 – The show ip nat Commands

1. Determine what NAT is supposed to achieve and compare with configuration. This may reveal a problem with the configuration.

2. Verify translations using the show ip nat translations command.

3. Use the clear and debug commands to verify NAT.

4. Review what is happening to the packet and verify routing.

9.3.1.2 – The debug ip nat Commands

Common commands

  • debug ip nat
  • debug ip nat detailed

Output symbols and values

  • * – The translation is occurring in the fast-switched path
  • s= – Source IPv4 address
  • a.b.c.d->w.x.y.z – Source a.b.c.d is translated to w.x.y.z.
  • d= – Destination IPv4 address
  • [xxxx] – IPv4 identification number

Check the ACL to ensure the correct private addresses are designated.
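
The output symbols above, applied to captured debug lines and combined with the ACL check. This is an added example, not part of the course material: the sample lines are constructed to follow the symbols listed, and the function names are hypothetical.

```python
import ipaddress
import re

# s=<src>[-><translated>], d=<dst>[-><translated>] [<IPv4 id>]
DEBUG_NAT = re.compile(
    r"NAT(?P<fast>\*)?: "
    r"s=(?P<src>[\d.]+)(?:->(?P<src_to>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_to>[\d.]+))? "
    r"\[(?P<ip_id>\d+)\]"
)

# Constructed sample lines in the format the symbols describe.
SAMPLE = [
    "NAT*: s=192.168.10.10->209.165.200.226, d=209.165.201.1 [2817]",
    "NAT*: s=209.165.201.1, d=209.165.200.226->192.168.10.10 [4180]",
    "NAT: s=192.168.99.7->209.165.200.227, d=209.165.201.1 [11]",
]


def parse_debug_nat(line):
    """Parse one debug ip nat line into a dict, or None if it does not match."""
    m = DEBUG_NAT.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fast"] = rec["fast"] == "*"      # * = fast-switched path
    rec["ip_id"] = int(rec["ip_id"])
    return rec


def unexpected_sources(lines, inside_net):
    """Sources that were translated but lie outside the intended inside range.

    A hit means the NAT ACL permits more private addresses than planned.
    """
    net = ipaddress.ip_network(inside_net)
    hits = []
    for line in lines:
        rec = parse_debug_nat(line)
        if rec and rec["src_to"] and ipaddress.ip_address(rec["src"]) not in net:
            hits.append(rec["src"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_debug_nat(line))
    print(unexpected_sources(SAMPLE, "192.168.10.0/24"))
```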

9.3.1.3 – NAT Troubleshooting Scenario

Internal hosts cannot contact external servers.

9.3.1.4 – Packet Tracer – Verifying and Troubleshooting NAT Configurations

9.3.1.5 – Lab – Troubleshooting NAT Configurations

9.4 – Summary

9.4.1 – Conclusion

9.4.1.2 – Packet Tracer – Skills Integration Challenge

9.4.1.3 – NAT for IPv4

Explain how NAT provides IPv4 address scalability in a small to medium-sized business network.

Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.

Troubleshoot NAT issues in a small to medium-sized business network.

Module 9 – New Terms and Commands

  • NAT
  • RFC 1918
  • Inside local address
  • Inside global address
  • Outside local address
  • Outside global address
  • Static NAT
  • Dynamic NAT
  • PAT
  • Next available port number
  • ip nat inside source static
  • ip nat inside
  • ip nat outside
  • show ip nat translations
  • show ip nat statistics
  • clear ip nat statistics
  • NAT pool
  • ip nat pool
  • ip nat inside source list
  • show ip nat translations timeout
  • show ip nat translations verbose
  • Port forwarding
  • NAT for IPv6
  • IPv6 ULAs
  • Dual-stack
  • Tunneling
  • NAT-PT
  • NAT64
  • clear ip nat translation *
  • debug ip nat
  • debug ip nat detailed
