We will describe the whole process of deploying Internet access by adding services to your Internet router in the form of DHCP servers, and network address translation. You will be able to touch and feel the whole process by configuring these functions on a Cisco router.
Network Address Translation
The number of IP addresses allocated by the Internet service provider is typically small. With today's IP address space, it is impossible to give every device a public Internet IP address. So most organizations, if not all, use a private addressing scheme inside their network and require network address translation for connectivity to the public network: a device in the middle implements the translation on the way out and translates back into the private addressing scheme for return traffic.
When talking about NAT, it is important to understand the terminology. You will have global and local addresses, global meaning public addresses that make sense out in the public Internet and local addresses which are related to the private addressing. Another concept is that of inside and outside devices. An inside device will be physically located in the internal network, whereas an outside device will be physically located somewhere else.
So you could have an inside device with a local address, but also an inside device with a global address after the device’s packets have been translated by NAT. Another concept is that of address assignments or mappings; they can be static or dynamic: static if manually created or dynamic if dynamically assigned by the NAT device.
Port Address Translation
Outbound traffic toward the Internet typically uses dynamic assignment of public IP addresses. This means that one inside machine could use a certain public address when going out today but a different one tomorrow, which allows more flexibility in reusing the public address range. However, those public address ranges are typically very small. Often there is only one public address available, and it is already assigned to the public interface of the perimeter device, so that single public IP address must be reused for all of the internal machines. That is why we have port address translation, or PAT.
Multiple private addresses can reuse the same public address, as indicated in the NAT table in the figure, because the NAT device includes a port number in the translation. The port number is always different for each entry and acts as the tiebreaker that identifies which private address is using which instance of the one public address.
Translating Inside Source Address
Here is how it works in a one-to-one translation environment.
The source machine sends a packet with its private address, which hits the NAT device. The NAT device looks up its NAT table to see whether there is a static assignment defined by the administrator. If there is one, it uses it; if there is none, it dynamically assigns a public address and forwards the packet. When the destination replies, the old source address is now the destination address, and the packet eventually hits the NAT device again. The NAT device looks up the NAT table for an existing translation; when it finds one, it simply translates the public destination address back into the private address and forwards the packet to the original source. The same thing happens for all packets and all senders, with each sender using a different public IP.
Overloading an Inside Global Address
The previous example is not sustainable in an Internet scenario. That is why we need port address translation, sometimes known as NAT overload. The process is the same, but now the PAT device uses an expanded NAT table that includes ports. Notice how the source ports are translated at the NAT device, which controls the uniqueness of these ports so it can know which private addresses are using which instance of the public address.
Since the source ports travel with the packet, return traffic will contain the same information and that is how the PAT device will know who to deliver the packet to.
Configuration and Commands
SDM simply hides the complexity of the commands, but it still generates those commands and delivers them to the router. Here is a sample configuration with IP NAT overloading, which should be applied to the router from the image above.
! inside LAN interface: its name is not given above, GigabitEthernet0/0 is a placeholder
interface GigabitEthernet0/0
 description ### LOCAL LAN ###
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
! outside interface, as named in the overload statement below
interface GigabitEthernet0/1
 description ### Internet ###
 ip address 18.104.22.168 255.255.255.0
 ip ospf network broadcast
 ip nat outside
!
ip nat inside source list InetNat interface GigabitEthernet0/1 overload
!
ip access-list extended InetNat
 permit ip 10.1.1.0 0.0.0.255 any
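As an added example (not code from the page or from Cisco), here is a small Python model of the overloaded NAT table described above and realised by the sample configuration: outbound flows from the inside network get a unique global port on the one public address, return traffic is matched against the existing entry, and a packet with no entry is dropped. The public and outside addresses are constructed documentation-range values, not the ones on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values mirroring the sample configuration: hosts in 10.1.1.0/24 share
# one public address. 192.0.2.1 is a documentation-range placeholder for the
# GigabitEthernet0/1 address, not the address shown on the page.
INSIDE_NET = ip_network("10.1.1.0/24")   # access-list InetNat: permit ip 10.1.1.0 0.0.0.255 any
PUBLIC_IP = "192.0.2.1"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatDevice:  # minimal NAT-overload (PAT) model: many inside hosts behind one public address
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (inside local ip, port, outside ip, port) -> inside global port
        self.reverse = {}  # (inside global port, outside ip, port) -> (inside local ip, port)

    def outbound(self, pkt):
        """Translate an inside->outside packet; None means the source list did not match."""
        if ip_address(pkt.src_ip) not in INSIDE_NET:
            return None  # not in the inside source list: no translation entry is created
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.table:
            # A fresh global port is the tiebreaker that keeps each flow distinct.
            self.table[flow] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.table[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a return packet via an existing entry; unmatched traffic is dropped."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.reverse:
            return None  # no translation exists, so unsolicited inbound packets never reach the LAN
        local_ip, local_port = self.reverse[key]
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

def demo():
    """Two inside hosts reach the same web server; each reply returns to the right host."""
    pat = PatDevice()
    a = pat.outbound(Packet("10.1.1.2", 1025, "203.0.113.5", 80))
    b = pat.outbound(Packet("10.1.1.3", 1025, "203.0.113.5", 80))   # same source port as host .2
    reply_to_b = pat.inbound(Packet("203.0.113.5", 80, pat.public_ip, b.src_port))
    stray = pat.inbound(Packet("203.0.113.9", 4444, pat.public_ip, a.src_port))  # no entry
    return a, b, reply_to_b, stray
```

Because the reverse lookup also keys on the outside address and port, only the host that was actually contacted can send traffic back through an entry, which is the behaviour the outside local/global columns of the router's translation table reflect.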
You can monitor the operation of NAT and PAT from the router command-line interface with these commands. show ip nat translations displays each inside local IP address and the corresponding global (public) address it was translated to. Static translations are also shown, and those never time out; dynamic translations disappear after a period of inactivity. You can also clear the NAT translation table with clear ip nat translation *, for example to troubleshoot, or after changing the public address range so that existing connections are reset and the new range is applied.
Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 22.214.171.124:1086 10.1.1.2:1025 126.96.36.199:11357 188.8.131.52:11357
tcp 184.108.40.206:1049 10.1.1.2:1031 220.127.116.11:6669 18.104.22.168:6669
tcp 22.214.171.124:1546 10.1.1.2:1040 126.96.36.199:34794 188.8.131.52:34794
tcp 184.108.40.206:1721 10.1.1.3:1044 220.127.116.11:61603 18.104.22.168:61603
tcp 22.214.171.124:1175 10.1.1.3:1054 126.96.36.199:6890 188.8.131.52:6890