
Chapter 17 - Cisco’s Network Address Translation

Cisco & IP Addressing
Louis D. Rossi, Louis R. Rossi and Thomas Rossi
  Copyright © 1999 The McGraw-Hill Companies, Inc.

Objective
  Explain the concept of address translation.
  Configure Cisco’s network address translation (NAT).
Public Addressing
Public addresses are registered to an organization by the InterNIC (the Internet registry at the time of writing). They are globally routable: packets carrying them can be forwarded across the Internet and answered.
Private Addressing
Private addresses are not registered to anyone and are not routed on the Internet.
The address ranges in Table 17.1 have been set aside for private addressing (they are the ranges reserved by RFC 1918). If an organization is not going to connect to the Internet, or an address translation solution will be used, these are the addresses that should be assigned as “inside” addresses.
Table 17.1  Private Addresses
Class A 10.0.0.0 – 10.255.255.255 (10.0.0.0/8; 1 class A network)
Class B 172.16.0.0 – 172.31.0.0 (172.16.0.0/12; 16 class B networks)
Class C 192.168.0.0 – 192.168.255.0 (192.168.0.0/16; 256 class C networks)
Internet routers carry no routes for these ranges and drop any packet addressed to them. There are no Internet police who will come and arrest you if you use a public address on the inside; but consider a packet whose destination is a “real” public address that happens to fall in the range your organization chose for its inside addresses.
How will that packet ever exit the network? The router sees a destination on one of its own connected networks and keeps the packet local, so the real owner of that address is unreachable from inside.
Cisco’s NAT solution is used when the organization holds a pool of public addresses. The router rewrites the source address from private to public on packets going out to the Internet, records the mapping, and rewrites the destination from public back to private on the return traffic.
Advantages of NAT
  Once a host has been configured with a private address, NAT can be configured without the need to change the host address. When the organization receives its pool of public addresses a few routers will be configured with these public addresses, while the host addresses remain the same.
  NAT conserves registered public addresses.
  NAT will also “hide” the host addresses, which in many cases can be a good thing. Keep in mind that this hides only the addressing, not the hosts: an outside party that obtains a translation (for example by being the destination of an inside host’s connection) can still send traffic back through it, so NAT is not a substitute for an access list or a firewall on the outside interface.
Figure 17.1 presents a scenario in which the organization has received the public network 200.200.200.0 255.255.255.0 (a /24). The private network 10.0.0.0 is being used on the inside.
Figure 17.1  NAT Topology
Our goal is to configure Router A to provide us with address translation to go from a private address to the public address. We also want to advertise this public address out to the world.
Configuring NAT
The configuration commands that accomplish these goals (shown in bold in the printed figure) are the two ip nat lines at the top, the secondary address and ip nat inside on Ethernet0/0, ip nat outside on Serial0/0, the RIP network statement for 200.200.200.0, and access-list 1.
Current configuration:
!
version 11.3
no service password-encryption
!
hostname router_a
!
enable secret 5 $1$.s1R$iaEqZxLnYJo2QlZi8UNaO0
enable password guess
!
ip nat pool nat-example 200.200.200.1 200.200.200.254 prefix-length 24
ip nat inside source list 1 pool nat-example
!
interface Ethernet0/0
  ip address 200.200.200.1 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
!
interface Serial0/0
  ip address 150.100.10.72 255.255.255.0
  ip nat outside
  encapsulation frame-relay
!
interface TokenRing0/0
  no ip address
  shutdown
  ring-speed 16
!
interface FastEthernet1/0
  no ip address
  shutdown
!
router rip
  network 200.200.200.0
  network 150.100.0.0
!
ip classless
no logging buffered
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
line con 0
  exec-timeout 0 0
line aux 0
line vty 0 4
  login
!
end
Figure 17.2  NAT Configuration
Explanation of Router Commands
ip nat pool nat-example 200.200.200.1 200.200.200.254 prefix-length 24
This defines a pool named “nat-example” of inside global addresses; the first public address is 200.200.200.1 and the last is 200.200.200.254. The mask is 255.255.255.0, or /24. Note that 200.200.200.1 is also configured as the secondary address of e0/0; a pool should not contain addresses assigned to router interfaces, so in practice the pool would start at 200.200.200.2.
ip nat inside source list 1 pool nat-example
This enables dynamic translation: a packet entering an inside interface whose source address is permitted by access list 1 has that source replaced by the next free address in pool “nat-example”, and the mapping is recorded in the translation table so the reply can be translated back.
ip address 200.200.200.1 255.255.255.0 secondary
This applies the public address to the e0/0 interface as a secondary address. Since we want to advertise the public network, the router needs it as a connected network, and configuring the address provides that.
ip nat inside
This marks e0/0 as the inside interface. Only packets crossing between an inside and an outside interface are considered for translation.
ip nat outside
This marks Serial0/0 as the outside interface.
router rip
network 200.200.200.0
Because we configured 200.200.200.0 as a (secondary) connected network, RIP will advertise it.
access-list 1 permit 10.10.10.0 0.0.0.255
This permits the private addresses on the 10.10.10.0 subnet to be translated to the public addresses. The 0.0.0.255 is a wildcard mask, the inverse of 255.255.255.0: the zero bits must match and the one bits are ignored.
Keep in mind that there is always the implicit “deny all” statement at the end of every access list. Any inside source not permitted by list 1 is forwarded untranslated, with a private source address that the Internet will not route back.
Two items in Figure 17.2 have nothing to do with NAT but should be fixed before this configuration is used: no service password-encryption leaves the line passwords readable in the configuration, and enable password guess is redundant once enable secret is set (the secret takes precedence) and only exposes a cleartext password. Remove the enable password line and turn service password-encryption on.
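As an added example, not taken from the book or from Cisco, the following Python script (assumed to run under Python 3.8 or later on any host) parses a constructed copy of the relevant Figure 17.2 statements and applies the checks a practitioner would want before deploying the configuration: that the pool lies in a network the router holds, that no interface address sits inside the pool range, that the sources in the access list referenced by the ip nat inside source command are Table 17.1 ranges, and that no cleartext enable password or unencrypted line passwords remain. The regular expressions recognise only the statement forms used in this chapter.

```python
import ipaddress
import re

# Constructed excerpt of Router A's configuration (Figure 17.2); only the
# statements the checks look at are reproduced here.
ROUTER_A_CONFIG = """\
no service password-encryption
enable secret 5 $1$.s1R$iaEqZxLnYJo2QlZi8UNaO0
enable password guess
ip nat pool nat-example 200.200.200.1 200.200.200.254 prefix-length 24
ip nat inside source list 1 pool nat-example
interface Ethernet0/0
 ip address 200.200.200.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 150.100.10.72 255.255.255.0
 ip nat outside
access-list 1 permit 10.10.10.0 0.0.0.255
"""

# Table 17.1 (the RFC 1918 ranges) in prefix notation.
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only the statement forms used in this chapter are recognised.
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)$")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?$")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)$")
DYN_RE = re.compile(r"^ip nat inside source list (\d+) pool (\S+)$")


def acl_network(network, wildcard):
    """Convert an IOS 'network wildcard' pair to a prefix; wildcard bits are the inverse of a netmask."""
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{network}/{netmask}", strict=False)


def parse_config(text):
    """Collect NAT pools, interface addresses, ACLs, dynamic NAT bindings and password settings."""
    cfg = {"pools": {}, "interfaces": [], "acls": {}, "dynamic": [],
           "enable_secret": False, "enable_password": False,
           "password_encryption": True}
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            name, first, last, plen = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first),
                                  ipaddress.ip_address(last), int(plen))
        elif m := ADDR_RE.match(line):
            addr, mask, _secondary = m.groups()
            cfg["interfaces"].append(ipaddress.ip_interface(f"{addr}/{mask}"))
        elif m := ACL_RE.match(line):
            number, network, wildcard = m.groups()
            cfg["acls"].setdefault(number, []).append(acl_network(network, wildcard))
        elif m := DYN_RE.match(line):
            cfg["dynamic"].append(m.groups())
        elif line.startswith("enable secret "):
            cfg["enable_secret"] = True
        elif line.startswith("enable password "):
            cfg["enable_password"] = True
        elif line.strip() == "no service password-encryption":
            cfg["password_encryption"] = False
    return cfg


def audit(text):
    """Return the problems found as strings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    for name, (first, last, plen) in cfg["pools"].items():
        pool_net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        # The pool must belong to a network the router holds and can advertise.
        if not any(i.network == pool_net for i in cfg["interfaces"]):
            findings.append(f"pool {name}: {pool_net} is not configured on any interface")
        # Addresses assigned to router interfaces must not be handed out as inside global addresses.
        for i in cfg["interfaces"]:
            if first <= i.ip <= last:
                findings.append(f"pool {name}: interface address {i.ip} lies inside the pool range")
    for acl_number, pool_name in cfg["dynamic"]:
        if acl_number not in cfg["acls"]:
            findings.append(f"access-list {acl_number} used by pool {pool_name} does not exist; nothing will be translated")
        for net in cfg["acls"].get(acl_number, []):
            # Inside local addresses should come from Table 17.1; anything else is the overlapping case.
            if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
                findings.append(f"access-list {acl_number}: {net} is not a private (RFC 1918) range")
    if cfg["enable_secret"] and cfg["enable_password"]:
        findings.append("enable password is redundant beside enable secret and is stored in cleartext; remove it")
    if not cfg["password_encryption"]:
        findings.append("no service password-encryption leaves line passwords readable in the configuration")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTER_A_CONFIG):
        print(finding)
```

Run against the Figure 17.2 excerpt the script reports three findings: the pool contains the e0/0 secondary address 200.200.200.1, the cleartext enable password, and the disabled password encryption. Moving the pool start to 200.200.200.2 and removing the two password lines brings it to zero.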
Figure 17.3 shows the translation table captured after both the router’s own 10.10.10.1 interface and the workstation 10.10.10.2 pinged the serial interface of the ISP’s router.
Verifying NAT
router_a#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 200.200.200.1      10.10.10.1             ---                    ---
--- 200.200.200.2      10.10.10.2             ---                    ---
Figure 17.3  Viewing the Translation Table
Figure 17.3 illustrates two translations. The first was the inside private address of 10.10.10.1 being translated to the inside global (public) address of 200.200.200.1; the second translation was from 10.10.10.2 to 200.200.200.2.
NAT can also be configured to “overload”. The translation does not need to be on a one-to-one basis. In the example above we are permitting the 254 usable addresses of the 10.10.10.0 subnet to be mapped one-to-one onto the 254 addresses of the 200.200.200.0 pool; once every pool address is in use, further inside hosts cannot be translated until an existing entry times out.
With the overload option (also called port address translation, PAT) we could map many inside local addresses to a few, or even a single, inside global address. In that case the router keeps the translations apart with upper-layer information: it rewrites the TCP or UDP source port (or the ICMP identifier) and records it together with the addresses, so that each returning packet can be matched to the right inside host.
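The following Python model is an added example, not code from the book or from Cisco IOS. It simulates the dynamic pool of Figure 17.2 without and with overload, using a constructed pool of only two public addresses so that pool exhaustion is visible, and an assumed sequential port allocator (IOS chooses translated ports by its own rules). In IOS itself overload is turned on by appending the overload keyword to the ip nat inside source list command.

```python
import ipaddress
from itertools import count

POOL_EXHAUSTED = "pool exhausted"


class Translator:
    """Model of 'ip nat inside source list <acl> pool <pool> [overload]' for packets leaving the inside.

    Without overload, each inside local address is bound to one inside global
    address from the pool for as long as its entry lives (one-to-one). With
    overload, flows are keyed by protocol, inside local address and source
    port, all share the pool's first address, and the source port is rewritten
    so that return traffic can be matched to the right host.
    """

    def __init__(self, acl, pool_first, pool_last, overload=False):
        self.acl = ipaddress.ip_network(acl)
        first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        self.pool = [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]
        self.overload = overload
        self.table = {}                 # key -> (inside global, global port)
        self.next_port = count(1024)    # assumed port allocator; IOS picks its own

    def translate(self, inside_local, src_port, proto="tcp"):
        """Return (inside global, port) for an outbound packet, None if the ACL denies it, or POOL_EXHAUSTED."""
        local = ipaddress.ip_address(inside_local)
        # Only sources permitted by the access list are translated; the implicit
        # deny means anything else is forwarded untranslated, carrying a private
        # source address the Internet will not route back.
        if local not in self.acl:
            return None
        if not self.overload:
            if local in self.table:
                return self.table[local]
            in_use = {entry[0] for entry in self.table.values()}
            for candidate in self.pool:
                if candidate not in in_use:
                    self.table[local] = (candidate, src_port)   # port left unchanged
                    return self.table[local]
            return POOL_EXHAUSTED        # IOS drops the packet in this case
        key = (proto, local, src_port)
        if key not in self.table:
            self.table[key] = (self.pool[0], next(self.next_port))
        return self.table[key]

    def show_translations(self):
        """Lines in the layout of 'show ip nat translations' (Figure 17.3)."""
        lines = ["Pro Inside global        Inside local        Outside local  Outside global"]
        for key, (global_addr, port) in self.table.items():
            if self.overload:
                proto, local, local_port = key
                lines.append(f"{proto:3} {global_addr}:{port:<6} {local}:{local_port:<6} ---            ---")
            else:
                lines.append(f"--- {global_addr:<20} {key!s:<19} ---            ---")
        return lines


def demo(overload):
    """Three hosts on 10.10.10.0/24 and one host outside access list 1 each open a flow
    through a constructed pool of two public addresses; returns the results and the table."""
    nat = Translator("10.10.10.0/24", "200.200.200.1", "200.200.200.2", overload=overload)
    results = {}
    for host in ("10.10.10.2", "10.10.10.3", "10.10.10.4", "192.168.1.5"):
        results[host] = nat.translate(host, 40000)
    return results, nat.show_translations()


if __name__ == "__main__":
    for overload in (False, True):
        results, table = demo(overload)
        print("overload" if overload else "one-to-one", results)
        print("\n".join(table), "\n")
```

With a one-to-one pool the third inside host finds the pool exhausted and the host outside the access list is never translated at all; with overload all three inside hosts share 200.200.200.1 and differ only in the rewritten port, which is what lets the router demultiplex the replies.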
NAT may also be used in an “overlapping” situation. Overlapping occurs when an organization has chosen inside local addresses that are not from Table 17.1 and that collide with public addresses registered to someone else. Translating the inside sources is then not enough: the outside addresses must be translated as well, so that inside hosts can reach the real owners of the range they borrowed.

 


 