Chapter 11

๐Ÿท๏ธ NAT - The Name Tag Changer

By Sys-Metrics · 45 min chapter

🎯 Meet the Network's Master of Disguise

If routers are postal workers and ACLs are security guards, then NAT (Network Address Translation) is like a professional disguise artist who changes people's name tags at the door. NAT lets your private network hide behind public IP addresses, translating between internal and external identities seamlessly.

🎯 Chapter Goals: Master Network Address Translation fundamentals, configure static and dynamic NAT, understand PAT (Port Address Translation), learn inside/outside interfaces, and connect private networks to the internet like a networking magician!

🎭 What is NAT and Why Do We Need It?

Network Address Translation is like having a receptionist who changes visitor badges at a company entrance. It translates private IP addresses to public ones and vice versa:

The IP Address Shortage Problem

IPv4 Limitation

Only about 4.3 billion possible IPv4 addresses for the entire world

Internet Growth

Billions of devices need internet connectivity

Private Networks

Companies use private IP ranges internally

NAT Solution

Allows many private IPs to share a few public IPs

RFC 1918 Private IP Address Ranges

Class A Private: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
Class B Private: 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
Class C Private: 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

How NAT Works - The Name Tag Analogy

Company Party with Name Tag Changes
🏢 Internal employees have company badges (private IPs)
🚪 Receptionist at door changes badges to visitor passes (public IPs)
🌐 Outside world sees only visitor passes, not employee badges
📝 Receptionist keeps translation table of who has which pass
🔄 Return traffic gets badges changed back to employee IDs
🎯 Internal network remains hidden and secure

NAT Benefits

🔒 Security Benefits

  • Network Hiding: Internal structure invisible from outside
  • Access Control: Inbound connections must be explicitly allowed
  • Topology Hiding: Real network layout concealed
  • Host Protection: Direct access to internal hosts blocked (a side effect of the stateful translation table, not a replacement for a firewall)

💰 Economic Benefits

  • IP Conservation: Many private IPs share few public IPs
  • Cost Savings: Fewer public IPs needed from ISP
  • Flexibility: Internal addressing independent of ISP
  • ISP Independence: Can change ISPs without renumbering

🧠 Memory Trick: NAT = Network Address Translation = Name And Title transformation!

🔢 Types of NAT: Different Disguise Strategies

Just like there are different types of disguises, there are different types of NAT for different situations:

Static NAT - The Permanent Name Change

One-to-One Mapping

Each private IP is permanently mapped to a specific public IP

Bidirectional

Works for both outbound and inbound connections

Server Access

Perfect for web servers that need a consistent public identity

Resource Intensive

Requires one public IP per internal host

Dynamic NAT - The Temporary Badge System

Pool of Public IPs

Multiple public IPs shared among internal hosts

First Come, First Served

Public IPs assigned as needed from available pool

Outbound Only

Typically only allows outbound connections

More Efficient

Fewer public IPs needed than static NAT

PAT (Port Address Translation) - The Smart Multiplexer

Many-to-One

Many private IPs share a single public IP

Port Numbers

Uses different port numbers to distinguish connections

Most Common

What home routers typically use

Highly Efficient

Thousands of internal hosts can share one public IP

NAT Types Comparison

Static NAT: 1:1 permanent mapping
Dynamic NAT: Many:Few temporary mapping
PAT: Many:1 with port numbers
No NAT: Direct public IP assignment

PAT in Detail - The Port Magic

Internal Connections:
192.168.1.10:1024 → Google.com:80
192.168.1.20:1025 → Yahoo.com:80
192.168.1.30:1026 → Facebook.com:443

After PAT Translation:
203.0.113.5:2048 → Google.com:80
203.0.113.5:2049 → Yahoo.com:80
203.0.113.5:2050 → Facebook.com:443

NAT Table Tracks:
Inside Local ↔ Inside Global
192.168.1.10:1024 ↔ 203.0.113.5:2048
192.168.1.20:1025 ↔ 203.0.113.5:2049
192.168.1.30:1026 ↔ 203.0.113.5:2050

๐ŸŒ NAT Terminology: Understanding the Language

NAT uses specific terms to describe different types of addresses. Think of it like different areas in our name tag changing facility:

NAT Address Types

IL - Inside Local: Private IP address used inside your network
IG - Inside Global: Public IP address representing the inside host to the outside world
OL - Outside Local: Outside host's IP as seen from the inside network
OG - Outside Global: Real public IP address of the outside host

Real-World Example

PC accessing Google.com through NAT router
💻 Inside Local: 192.168.1.100 (PC's private IP)
🌐 Inside Global: 203.0.113.5 (Router's public IP)
🔍 Outside Local: 8.8.8.8 (Google's IP as seen by PC)
☁️ Outside Global: 8.8.8.8 (Google's actual public IP)

Inside vs Outside Interfaces

Inside Interface

Connected to private network (ip nat inside)

Outside Interface

Connected to public network/internet (ip nat outside)

NAT Boundary

Translation occurs between inside and outside interfaces

Multiple Interfaces

Can have multiple inside interfaces, typically one outside

NAT Table Entries

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:2048   192.168.1.10:1024  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.5:2049   192.168.1.20:1025  172.217.9.46:443   172.217.9.46:443
--- 203.0.113.5        192.168.1.30       ---                ---

Translation Explanation:
Inside Local → Inside Global (outbound translation)
Outside Global → Outside Local (inbound translation)
Pro = Protocol (tcp, udp, icmp)
--- = No active connection
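The table above is what you read most often when troubleshooting, so it helps to have a parser for it. The following is an added example, not code from the chapter or from Cisco: it parses the five-column layout of `show ip nat translations` into records, distinguishes extended entries (a protocol and ports, i.e. an active flow) from simple `---` entries (an address mapping with no active connection), and counts active flows per inside host. The sample output is constructed to match the chapter's table, with one extra udp row added so that the per-host count shows more than one flow.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of 'show ip nat translations' from this chapter.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:2048   192.168.1.10:1024  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.5:2049   192.168.1.20:1025  172.217.9.46:443   172.217.9.46:443
udp 203.0.113.5:2050   192.168.1.10:5353  8.8.8.8:53         8.8.8.8:53
--- 203.0.113.5        192.168.1.30       ---                ---
"""

Endpoint = Tuple[str, Optional[int]]   # (ip, port); port is None on a simple entry


@dataclass
class Translation:
    proto: Optional[str]                # None for a simple entry ('---' in the Pro column)
    inside_global: Optional[Endpoint]
    inside_local: Optional[Endpoint]
    outside_local: Optional[Endpoint]   # None when the column shows '---'
    outside_global: Optional[Endpoint]

    @property
    def is_simple(self) -> bool:
        """Simple entry: address mapping with no active flow (static, or a dynamic pool lease)."""
        return self.proto is None


def _endpoint(token: str) -> Optional[Endpoint]:
    """'203.0.113.5:2048' -> ('203.0.113.5', 2048); '203.0.113.5' -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    """Parse the five-column table; the header line and blank lines are skipped."""
    entries: List[Translation] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        entries.append(Translation(
            proto=None if proto == "---" else proto,
            inside_global=_endpoint(ig),
            inside_local=_endpoint(il),
            outside_local=_endpoint(ol),
            outside_global=_endpoint(og),
        ))
    return entries


def active_flows_per_host(entries: List[Translation]) -> Dict[str, int]:
    """Active (extended) translations per inside local host. A sudden spike on one
    host is the translation-table growth Lab 4 asks you to monitor."""
    return dict(Counter(e.inside_local[0] for e in entries if not e.is_simple))


def simple_mappings(entries: List[Translation]) -> List[Tuple[str, str]]:
    """(inside local, inside global) pairs that currently have no active connection."""
    return [(e.inside_local[0], e.inside_global[0]) for e in entries if e.is_simple]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    print(active_flows_per_host(parsed))   # flows per inside host
    print(simple_mappings(parsed))         # mappings with no active connection
```

Feed it the pasted output of the real command; because it splits on whitespace, the exact column alignment does not matter.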

⚙️ NAT Configuration Examples

Static NAT Configuration

Scenario: Web server 192.168.1.100 needs permanent public IP 203.0.113.10

Router(config)# ip nat inside source static 192.168.1.100 203.0.113.10
# Create permanent 1:1 mapping

Router(config)# interface fastethernet 0/0
# Inside interface (LAN)
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface serial 0/0/0
# Outside interface (WAN)
Router(config-if)# ip nat outside
Router(config-if)# exit

Dynamic NAT Configuration

Scenario: Pool of public IPs 203.0.113.10-203.0.113.20 for internal network

Router(config)# ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
# Define pool of public IP addresses

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
# Define which internal IPs can be translated

Router(config)# ip nat inside source list 1 pool PUBLIC-POOL
# Link ACL to NAT pool

Router(config)# interface fastethernet 0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface serial 0/0/0
Router(config-if)# ip nat outside

PAT Configuration (Most Common)

Scenario: Entire internal network shares single public IP (typical home/office setup)

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
# Define internal network for PAT

Router(config)# ip nat inside source list 1 interface serial 0/0/0 overload
# PAT using outside interface IP (overload keyword enables PAT)

Router(config)# interface fastethernet 0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface serial 0/0/0
Router(config-if)# ip nat outside

Port Forwarding (Static PAT)

Scenario: Forward external HTTP requests to internal web server

Router(config)# ip nat inside source static tcp 192.168.1.100 80 203.0.113.5 80
# Forward port 80 traffic to internal web server

Router(config)# ip nat inside source static tcp 192.168.1.200 22 203.0.113.5 2222
# Forward port 2222 to SSH server on port 22

Router(config)# ip nat inside source static tcp 192.168.1.150 443 interface serial 0/0/0 443
# Forward HTTPS to internal server using interface IP

🔧 Key Point: The "overload" keyword enables PAT (Port Address Translation) - this is what allows many devices to share one public IP!
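The following added example ties together the "PAT in Detail" walkthrough and the port-forwarding (static PAT) configuration above. It is a Python model written for this chapter, not Cisco code: only RFC 1918 sources are translated (the effect of an ACL that permits just the private subnets), each outbound flow is given a fresh port on the single inside global address starting at 2048 as in the chapter's table, return traffic is matched through the same table, an unsolicited inbound packet with no entry is dropped, and `add_port_forward` models the `ip nat inside source static tcp ...` lines. The outside addresses 198.51.100.x are constructed documentation addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 ranges from the chapter's table: only these sources are translated,
# which mirrors a NAT ACL that permits just the private subnets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


Endpoint = Tuple[str, int]                 # (ip, port)
Flow = Tuple[str, str, int, str, int]      # (proto, src ip, src port, dst ip, dst port)


class PatTranslator:
    """PAT ('overload'): many inside local hosts share one inside global address.

    Each outbound flow is given its own global port, and the same table is read
    in reverse for return traffic. Static port forwards are the only other way in.
    """

    def __init__(self, inside_global: str, first_port: int = 2048):
        self.inside_global = inside_global
        self.next_port = first_port
        self.out_table: Dict[Flow, int] = {}                             # flow -> global port
        self.in_table: Dict[Tuple[str, int, str, int], Endpoint] = {}   # (proto, gport, outside ip, outside port) -> inside local
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}             # (proto, gport) -> inside local

    def add_port_forward(self, proto: str, global_port: int, inside_ip: str, inside_port: int) -> None:
        """Static PAT, like 'ip nat inside source static tcp <ip> <port> <global ip> <global port>'."""
        self.forwards[(proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Packet leaving through the outside interface: returns the (source ip, port) it goes out with."""
        if not is_private(src_ip):
            return (src_ip, src_port)            # not matched by the NAT ACL: forwarded untranslated
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_table:
            while (proto, self.next_port) in self.forwards:   # never hand out a forwarded port
                self.next_port += 1
            port = self.next_port
            self.next_port += 1
            self.out_table[flow] = port
            self.in_table[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.inside_global, self.out_table[flow])

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """Packet arriving on the outside interface for the inside global address.

        Returns the inside local (ip, port) it is delivered to, or None when there is
        neither a return-traffic entry nor a port forward for it: the packet is dropped,
        which is the 'inbound connections must be explicitly allowed' property.
        """
        entry = self.in_table.get((proto, dst_port, src_ip, src_port))
        if entry is not None:
            return entry
        return self.forwards.get((proto, dst_port))

    def table_rows(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations' (Pro, IG, IL, OL, OG)."""
        rows = []
        for (proto, src_ip, src_port, dst_ip, dst_port), port in self.out_table.items():
            rows.append(f"{proto} {self.inside_global}:{port} {src_ip}:{src_port} "
                        f"{dst_ip}:{dst_port} {dst_ip}:{dst_port}")
        return rows


if __name__ == "__main__":
    nat = PatTranslator("203.0.113.5")
    nat.add_port_forward("tcp", 80, "192.168.1.100", 80)      # web server
    nat.add_port_forward("tcp", 2222, "192.168.1.200", 22)    # SSH on a non-standard outside port
    print(nat.outbound("tcp", "192.168.1.10", 1024, "198.51.100.10", 80))   # ('203.0.113.5', 2048)
    print(nat.inbound("tcp", "198.51.100.10", 80, 2048))                    # return traffic
    print(nat.inbound("tcp", "198.51.100.99", 4444, 2048))                  # unsolicited: None
    print(nat.inbound("tcp", "198.51.100.99", 50000, 2222))                 # port forward
    print("\n".join(nat.table_rows()))
```

Note what the model makes explicit: the only inbound packets that reach an inside host are replies to flows the inside host opened, plus whatever you forwarded on purpose. Every forward you add is a deliberate hole in that property, so the port-forwarding lines above deserve the same review as a firewall rule.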

🔍 NAT Verification and Troubleshooting

Essential NAT Show Commands

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:2048   192.168.1.10:1024  8.8.8.8:80         8.8.8.8:80
tcp 203.0.113.5:2049   192.168.1.20:1025  172.217.9.46:443   172.217.9.46:443
--- 203.0.113.10       192.168.1.100      ---                ---
Router# show ip nat statistics
Total active translations: 3 (1 static, 2 dynamic; 2 extended)
Peak translations: 15, occurred 00:25:40 ago
Outside interfaces:
Serial0/0/0
Inside interfaces:
FastEthernet0/0
Hits: 1547 Misses: 0
CEF Translated packets: 1547, CEF Punted packets: 0
Expired translations: 12
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool PUBLIC-POOL refcount 0
pool PUBLIC-POOL: netmask 255.255.255.0
start 203.0.113.10 end 203.0.113.20
type generic, total addresses 11, allocated 2 (18%), misses 0
Router# show running-config | include nat
ip nat inside source static 192.168.1.100 203.0.113.10
ip nat inside source list 1 pool PUBLIC-POOL
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
interface FastEthernet0/0
ip nat inside
interface Serial0/0/0
ip nat outside
Router# debug ip nat
IP NAT debugging is on
*Sep 17 14:25:10.123: NAT: s=192.168.1.10->203.0.113.11, d=8.8.8.8 [47]
*Sep 17 14:25:10.127: NAT: s=8.8.8.8, d=203.0.113.11->192.168.1.10 [47]

NAT Translation Process

Outbound Connection: 192.168.1.10 accessing Google.com
📤 Packet arrives at router from inside interface
🔍 Router checks if source IP needs translation
🏷️ Source IP 192.168.1.10 translated to 203.0.113.5:2048
📝 Translation recorded in NAT table
🌐 Packet forwarded to internet with translated source
🔄 Return traffic matched to NAT table entry
📥 Destination translated back to 192.168.1.10

Common NAT Problems

Problem: NAT not working at all
Internal hosts cannot reach internet
Check These:
✓ Inside and outside interfaces configured correctly
✓ NAT statement syntax correct
✓ Access list permits internal networks
✓ Default route configured to ISP
✓ Public IP addresses available in pool

Problem: Some hosts work, others don't
Intermittent connectivity issues
Investigate:
✓ NAT pool exhaustion (all public IPs in use)
✓ Access list doesn't cover all internal subnets
✓ Translation timeouts too short
✓ Overlapping ACLs blocking traffic

Problem: Inbound connections fail
External users can't reach internal servers
Solutions:
✓ Configure static NAT for servers
✓ Set up port forwarding rules
✓ Verify inside/outside interface designation
✓ Check firewall/ACL blocking inbound traffic

NAT Troubleshooting Commands

Step 1: Check NAT configuration
show running-config | include nat

Step 2: Verify interface designations
show ip nat statistics

Step 3: Check active translations
show ip nat translations

Step 4: Clear NAT table if needed
clear ip nat translation *

Step 5: Enable debugging for live troubleshooting
debug ip nat
undebug all (when finished)
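Steps 1 and 2 above are a checklist that can be automated against the running config. The following added example (not from the chapter and not a Cisco tool) parses a constructed running-config excerpt that mirrors the chapter's static and dynamic NAT examples and reports the checklist items from "Problem: NAT not working at all": an interface marked `ip nat inside`, one marked `ip nat outside`, a default route, every referenced access list and pool actually defined, and static global addresses that overlap a dynamic pool. That last check matters for the chapter's own verification output, where the static mapping's global address 203.0.113.10 is also the first address of PUBLIC-POOL, so the checker reports it as a finding.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt mirroring the chapter's static + dynamic NAT examples.
RUNNING_CONFIG = """\
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool PUBLIC-POOL
ip nat inside source static 192.168.1.100 203.0.113.10
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 203.0.113.5 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
LIST_RE = re.compile(r"ip nat inside source list (\d+) (?:pool (\S+)|interface \S+ overload)")
STATIC_RE = re.compile(r"ip nat inside source static (\S+) (\S+)$")   # plain 1:1 mappings only
ACL_RE = re.compile(r"access-list (\d+) permit")


def _n(addr: str) -> int:
    return int(ip_address(addr))


def check_nat_config(config: str) -> List[str]:
    """Walk the troubleshooting checklist; an empty list means every item passes."""
    pools: Dict[str, Tuple[str, str]] = {}
    acls = set()
    source_rules: List[Tuple[str, Optional[str]]] = []   # (acl number, pool name or None for overload)
    static_globals: List[str] = []
    inside = outside = 0
    default_route = False

    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := LIST_RE.match(line):
            source_rules.append((m.group(1), m.group(2)))
        elif m := STATIC_RE.match(line):
            static_globals.append(m.group(2))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif line == "ip nat inside":
            inside += 1
        elif line == "ip nat outside":
            outside += 1
        elif line.startswith("ip route 0.0.0.0 0.0.0.0"):
            default_route = True

    findings: List[str] = []
    if inside == 0:
        findings.append("no interface marked 'ip nat inside'")
    if outside == 0:
        findings.append("no interface marked 'ip nat outside'")
    if not default_route:
        findings.append("no default route toward the ISP")
    for acl, pool in source_rules:
        if acl not in acls:
            findings.append(f"NAT rule references access-list {acl}, which has no permit entries")
        if pool is not None and pool not in pools:
            findings.append(f"NAT rule references pool {pool}, which is not defined")
    for name, (start, end) in pools.items():
        for g in static_globals:
            if _n(start) <= _n(g) <= _n(end):
                findings.append(f"static mapping uses {g}, which lies inside pool {name} "
                                f"({start}-{end}); keep static addresses out of dynamic pools")
    return findings


if __name__ == "__main__":
    for finding in check_nat_config(RUNNING_CONFIG) or ["checklist passes"]:
        print(finding)
```

Run it on the full `show running-config` rather than the `| include nat` view, because the access lists and the default route do not contain the word "nat" and would be filtered out.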

🛠️ Hands-On NAT Labs

Lab 1: Basic PAT Configuration

  1. Topology Setup:
    • Create router with internal network and ISP connection
    • Configure internal network 192.168.1.0/24
    • Add multiple PCs for testing
    • Set up internet connection via ISP router
  2. PAT Configuration:
    • Configure basic PAT using outside interface IP
    • Set inside and outside interface designations
    • Create ACL to define internal network
    • Test internet connectivity from multiple PCs
  3. Verification:
    • Monitor NAT translations table
    • Verify different port numbers for each host
    • Test simultaneous connections
    • Check NAT statistics

Lab 2: Static NAT and Port Forwarding

  1. Server Setup:
    • Add web server to internal network
    • Configure FTP server and email server
    • Set up different services on different ports
    • Document all internal server addresses
  2. Static NAT Configuration:
    • Configure static NAT for web server
    • Set up port forwarding for different services
    • Map external ports to internal services
    • Test both NAT types working together
  3. External Testing:
    • Test inbound connections from outside network
    • Verify port forwarding works correctly
    • Confirm static NAT provides consistent access
    • Monitor translation tables during tests

Lab 3: Dynamic NAT Pool

  1. Pool Configuration:
    • Create pool of multiple public IP addresses
    • Configure dynamic NAT using address pool
    • Set up different pools for different internal networks
    • Test pool allocation behavior
  2. Pool Exhaustion Testing:
    • Create more internal hosts than pool addresses
    • Test what happens when pool is exhausted
    • Monitor pool utilization statistics
    • Configure pool overflow handling
  3. Advanced Configuration:
    • Combine static, dynamic, and PAT
    • Set up NAT for multiple internal networks
    • Configure different policies for different users
    • Test complex NAT scenarios

Lab 4: NAT Troubleshooting

  1. Create Problems:
    • Misconfigure inside/outside interfaces
    • Create incorrect ACLs
    • Set up conflicting NAT statements
    • Configure overlapping address pools
  2. Troubleshooting Practice:
    • Use systematic troubleshooting approach
    • Analyze NAT statistics and translations
    • Use debug commands effectively
    • Fix problems and verify solutions
  3. Performance Testing:
    • Test NAT under high load conditions
    • Monitor translation table growth
    • Optimize NAT configuration for performance
    • Document best practices discovered

🎯 Real-World Challenge: Build a complete enterprise NAT solution with DMZ servers, internal networks, and internet access. Include redundancy and load balancing!

⚡ NAT Best Practices and Advanced Topics

NAT Design Principles

Plan Address Space

Design internal addressing scheme before implementing NAT

Document Translations

Maintain clear documentation of all static NAT mappings

Monitor Pool Usage

Track dynamic NAT pool utilization

Security Integration

Combine NAT with ACLs and firewalls

Performance Considerations

Translation Table Size

More translations require more router memory

Connection Timeouts

Adjust timeouts based on application requirements

Pool Sizing

Size dynamic pools based on concurrent user count

Hardware Acceleration

Use routers with NAT acceleration features

NAT Limitations and Workarounds

Limitation: Some applications break with NAT
FTP, SIP, and other applications embed IP addresses in their payload, which NAT does not rewrite
Solutions:
✓ Enable application-specific NAT fixes
✓ Use ALG (Application Layer Gateway)
✓ Configure static NAT for problematic servers
✓ Implement NAT traversal protocols

Limitation: No true end-to-end connectivity
External hosts can't initiate connections to internal hosts
Workarounds:
✓ Static NAT for servers requiring inbound access
✓ Port forwarding for specific services
✓ DMZ configuration for public servers
✓ VPN solutions for remote access

Advanced NAT Features

NAT Virtual Interface (NVI)
Router(config)# interface serial 0/0/0
Router(config-if)# ip nat enable
# Enable NVI on the interface (newer method; applied to each NAT interface instead of ip nat inside/outside)

NAT Timeout Adjustment
Router(config)# ip nat translation timeout 86400
# Set translation timeout to 24 hours

NAT with Route Maps
Router(config)# ip nat inside source route-map NAT-MAP pool PUBLIC-POOL
# Use route map for complex NAT policies

IPv6 and NAT Considerations

IPv6 Design Goal

IPv6 designed to eliminate need for NAT

Transition Period

NAT still needed during IPv4 to IPv6 transition

NAT64

Translation between IPv6 and IPv4 networks

Future Planning

Plan for eventual IPv6 migration to eliminate NAT

NAT Management Commands

Router# clear ip nat translation *
# Clear all dynamic NAT translations
Router# clear ip nat translation inside 192.168.1.10
# Clear translations for specific inside address
Router# show ip nat translations verbose
# Show detailed translation information
Router(config)# no ip nat inside source static 192.168.1.100 203.0.113.10
# Remove static NAT mapping

📖 Chapter Summary

  • NAT Purpose: Translate private IP addresses to public ones, conserving IPv4 addresses
  • NAT Types: Static (1:1), Dynamic (many:few), PAT (many:1 with ports)
  • Address Types: Inside Local/Global, Outside Local/Global
  • Interface Designation: ip nat inside/outside defines translation boundary
  • PAT Most Common: Port Address Translation allows many devices to share one public IP
  • Static NAT for Servers: Permanent mappings for inbound server access
  • Translation Table: Router maintains mappings between internal and external addresses
  • Troubleshooting: Use show commands, statistics, and debug for problem resolution

🎯 Translation Mastery Achieved! You now understand how the internet really works behind the scenes. NAT is the invisible magic that connects private networks to the public internet!

๐Ÿ“ NAT Mastery Quiz

1. What's the difference between NAT and PAT? NAT translates IP addresses; PAT (Port Address Translation) also uses port numbers to allow many devices to share one public IP

2. What does the "overload" keyword do in NAT configuration? Enables PAT (Port Address Translation), allowing multiple inside addresses to share a single outside address using different port numbers

3. What are the four NAT address types? Inside Local (private IP), Inside Global (public IP), Outside Local (external as seen inside), Outside Global (real external IP)

4. Where do you configure "ip nat inside" and "ip nat outside"? On router interfaces - inside on LAN interfaces, outside on WAN/internet interfaces

5. How does static NAT differ from dynamic NAT? Static creates permanent 1:1 mappings; Dynamic assigns public IPs from a pool as needed

6. What happens when a dynamic NAT pool is exhausted? New translation requests fail until existing translations timeout or are cleared

7. How do you allow external access to an internal web server? Use static NAT or configure port forwarding (static PAT) to map external requests to internal server

8. What command shows active NAT translations? show ip nat translations displays the current translation table with inside/outside address mappings
