Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
4. IPv4 Problem
- Whatever connects directly to the Internet must have a public (globally unique) IP address.
- There is a shortage of public IPv4 addresses.
- The solutions:
  - The long-term solution is IPv6.
  - A short-term solution is CIDR (Classless Inter-Domain Routing).
  - NAT.
By Joud Khattab 4
5. Private Network
- A private IP network is an IP network that is not directly connected to the Internet.
- IP addresses in a private network can be assigned arbitrarily.
- They are not registered and not guaranteed to be globally unique.
- Three address ranges are reserved for private use (non-routable addresses):
  - Class A: 10.0.0.0/8
  - Class B: 172.16.0.0/16 to 172.31.0.0/16
  - Class C: 192.168.0.0/24 to 192.168.255.0/24
- A private IP is mapped to a public IP when the machine has to access the Internet.
7. Solution with NAT
- The short-term solution is Network Address Translation (NAT), also known as network masquerading or IP masquerading.
- NAT is a router function in which the IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network.
- NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.
- NAT runs on routers that connect private networks to the public Internet, replacing the IP address-port pair of an IP packet with another IP address-port pair.
- The NAT device keeps an address translation table.
8. Solution with NAT
- NAT can transparently change a network-internal, private address to a public address.
- A new mapping is dynamically created when the first packet of a connection passes the NAT.
- Return traffic uses the same mapping in the other direction.
- Normally only outbound connections are allowed.
- TCP/UDP ports are often used for multiplexing.
- NAT always checks the translation table for an entry before the access lists.
- NAT provides some shielding for the internal network.
10. Simple NAT
[Figure: a NAT device sits between the private network (private IP addresses) and the Internet (public IP addresses).]
11. Multiple NAT
[Figure: two levels of NAT in series. The home network (192.168.2.12, 192.168.2.99) sits behind a home NAT; the ISP network (10.0.0.12) sits behind the ISP's NAT, which presents the public address 156.148.70.32 to the Internet.]
12. NAT Terminology
- Inside local: an IP address not routable on the Internet that refers to a device inside our network.
- Inside global: an IP address routable on the Internet that refers to a device inside our network.
- Outside local: an IP address not routable on the Internet that refers to a device outside our network.
- Outside global: an IP address routable on the Internet that refers to a device outside our network.
13. Translation Modes
1. Static translation:
   - a block of external addresses is translated to a same-size block of internal addresses.
2. Dynamic translation (IP masquerading):
   - a large number of internal users share a single external address or a pool of external addresses.
3. PAT (Port Address Translation).
14. Translation Modes
- Inside local address (10.1.1.100): the private IP address that is being translated into a public IP address.
- Inside global address (4.4.4.4): the public IP address that the private IP address is being translated to.
- Outside global address (3.3.3.3): the destination's IP address.
- Outside local address: the destination's private IP address.
15. Static Translation
- Maps a range of external addresses to a same-size block of internal addresses.
- The firewall just does a simple translation of each address.
- Port forwarding: map a specific port through the firewall rather than all ports; useful to expose a specific service on the internal network to the public network.
16. Static Translation
- Static translations are entered directly into the configuration and are always in the translation table:
  ip nat inside source static 10.6.1.20 171.69.68.10
17. Static Translation
Source address: 10.1.1.100
Destination address: 3.3.3.3
We statically tell the router to translate a single inside local address into a single inside global address: 10.1.1.100 will be mapped to 4.4.4.2 (one of the inside global addresses provided by our ISP).
Inside Global    Inside Local
4.4.4.2          10.1.1.100
18. Dynamic Translation
- Individual hosts inside the firewall are identified by each connection flowing through the firewall.
- Since a connection doesn't exist until an internal host requests one through the firewall to an external host, and most firewalls open ports only for the addressed host, only that host can route back into the internal network.
- IP source routing could route back in, but most firewalls block incoming source-routed packets.
- NAT only prevents external hosts from making connections to internal hosts.
- Some protocols won't work: those that rely on separate connections back into the local network.
19. Dynamic Translation
- Dynamic translations use access lists to identify the IP addresses that NAT should create translations for:
  ip nat inside source list 1 pool nat-pool
  access-list 1 permit 10.0.0.0 0.255.255.255
20. Dynamic Translation
A type of NAT in which an inside local address is mapped to an inside global address drawn from a pool of registered (public) IP addresses.
Typically, the router keeps a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not being used by another private IP address at that time.
Inside Local Address    Inside Global Address    Outside Global Address
10.1.1.101              4.4.4.2                  3.3.3.3
10.1.1.102              4.4.4.3                  3.3.3.3
21. Static vs. Dynamic Translations
- Static translations:
  - when you need to be able to initiate a connection from both the inside and the outside interfaces (e.g. SMTP, Web);
  - or when you want a specific host to be translated to a specific IP address.
- Dynamic translations:
  - when you want to initiate connections from only the inside or only the outside.
22. PAT Translation
If we have multiple inside local addresses and only one inside global address, we use PAT.
PAT keeps track of port numbers:
- 10.1.1.101:44252 -> 4.4.4.4:4096
- 10.1.1.102:17115 -> 4.4.4.4:4097
Source address: 10.1.1.101:44252
Destination address: 3.3.3.3:80
Inside Local Address    Inside Global Address    Outside Global Address
10.1.1.101:44252        4.4.4.4:4096             3.3.3.3:80
10.1.1.102:17115        4.4.4.4:4097             3.3.3.3:80
23. Compare between NAT & PAT
- NAT changes the IP addresses in the IP header.
[Figure: host 10.6.1.20 in "My Network" talks to an Internet host through a NAT that holds the public address 171.69.68.10.]
Outbound packet before NAT: Src Addr 10.6.1.20, Dest Addr Internet Host
Outbound packet after NAT:  Src Addr 171.69.68.10, Dest Addr Internet Host
Return packet before NAT:   Src Addr Internet Host, Dest Addr 171.69.68.10
Return packet after NAT:    Src Addr Internet Host, Dest Addr 10.6.1.20
24. Compare between NAT & PAT
- Port Address Translation (PAT) extends NAT from "one-to-one" to "many-to-one" by associating the source port with each flow.
[Figure: hosts 10.6.1.20 and 10.6.1.6 in "My Network" share the public address 171.69.68.10 through PAT.]
Outbound packet from 10.6.1.6 before PAT:  Src Addr 10.6.1.6, Src Port 1506, Dest Addr Host 2, Dest Port Any Port
Outbound packet from 10.6.1.6 after PAT:   Src Addr 171.69.68.10, Src Port 1506, Dest Addr Host 2, Dest Port Any Port
Outbound packet from 10.6.1.20 before PAT: Src Addr 10.6.1.20, Src Port 2031, Dest Addr Host 1, Dest Port Any Port
Outbound packet from 10.6.1.20 after PAT:  Src Addr 171.69.68.10, Src Port 2031, Dest Addr Host 1, Dest Port Any Port
25. Compare between NAT & PAT
[Figure: the same PAT topology as the previous slide; the return packet from Host 2 is matched to the flow of 10.6.1.6 by its destination port.]
Return packet before PAT: Src Addr Host 2, Src Port Any Port, Dest Addr 171.69.68.10, Dest Port 1506
26. NAT Kinds
1. Full cone NAT.
2. Restricted cone NAT.
3. Port Restricted cone NAT.
4. Symmetric NAT.
27. Full cone NAT
- A full cone NAT is a NAT where all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.
28. Full cone NAT
[Figure: Host A (192.168.2.2) behind a full cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) on the public side.]
A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) is translated to Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
C -> A: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.6:1234, D=192.168.2.2:4445)
29. Full cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW ALL TO 1.1.1.4:10100
30. Restricted cone NAT
- In a restricted cone NAT, as in a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Unlike a full cone NAT, a remote host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
31. Restricted cone NAT
[Figure: Host A (192.168.2.2) behind a restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) on the public side.]
A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) is translated to Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
C -> A: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) is dropped (X), because A has not yet sent anything to 1.1.1.6
A -> C: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777) is translated to Packet(S=1.1.1.4:10100, D=1.1.1.6:7777)
C -> A: Packet(S=1.1.1.6:4321, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.6:4321, D=192.168.2.2:4445)
32. Restricted cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW 1.1.1.5 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6 TO 1.1.1.4:10100
33. Port restricted cone NAT
- A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
- Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
34. Port restricted cone NAT
[Figure: Host A (192.168.2.2) behind a port restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) on the public side.]
A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) is translated to Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
B -> A: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is dropped (X), because A sent to 1.1.1.5:7777, not to port 4321
35. Port restricted cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
36. STUN - Session Traversal Utilities for NAT
- STUN is a standardized set of methods and a network protocol that allow an end host to discover its public IP address when it is located behind a NAT.
- It is used to permit NAT traversal for real-time voice, video, messaging and other interactive IP communications.
- STUN is intended to be a tool used by other protocols, such as ICE.
37. Symmetric NAT
- A symmetric NAT is a NAT where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port.
- If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
39. Symmetric NAT
[Figure: Host A (192.168.2.2) behind a symmetric NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) on the public side.]
A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) is translated to Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100) is translated to Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
A -> C: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777) is translated to Packet(S=1.1.1.4:10179, D=1.1.1.6:7777), a new mapping for the new destination
C -> A: Packet(S=1.1.1.6:7777, D=1.1.1.4:10179) is translated to Packet(S=1.1.1.6:7777, D=192.168.2.2:4445)
C -> A: Packet(S=1.1.1.6:7777, D=1.1.1.4:10100) is dropped (X), because that mapping belongs to the flow with B
40. Symmetric NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
  - 192.168.2.2:4445 <-> 1.1.1.4:10179
- Policy:
  - ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
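The mapping and filtering policies of slides 27 to 40, together with the binding timer described on slide 41, modelled in Python as an added example (not code from the slides). It uses the diagrams' Host A (192.168.2.2:4445), Host B (1.1.1.5:7777) and Host C (1.1.1.6:7777) and assumes external ports are handed out sequentially from 10100, so the symmetric NAT's second mapping lands on 10101 where the slide shows 10179.

```python
from collections import namedtuple
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]                  # (ip, port)
Packet = namedtuple("Packet", "src dst")


class Nat:
    """Model of the slides' four NAT kinds; the binding timer is in seconds."""

    def __init__(self, kind: str, public_ip: str, first_port: int = 10100, timeout: float = 300.0):
        assert kind in ("full", "restricted", "port_restricted", "symmetric")
        self.kind, self.public_ip, self.timeout = kind, public_ip, timeout
        self.next_port = first_port             # external ports handed out sequentially (assumption)
        self.bindings: Dict[object, Addr] = {}  # binding key -> external (ip, port)
        self.table: Dict[Addr, dict] = {}       # external -> {"inside", "peers", "seen"}

    def _key(self, pkt: Packet):
        # A symmetric NAT keys the binding on the destination as well, so a new destination
        # gets a new external port; the three cone NATs key on the inside source only.
        return (pkt.src, pkt.dst) if self.kind == "symmetric" else pkt.src

    def _expire(self, now: float) -> None:
        dead = [e for e, r in self.table.items() if now - r["seen"] > self.timeout]
        for ext in dead:                        # no traffic for `timeout` seconds: binding destroyed
            del self.table[ext]
            self.bindings = {k: v for k, v in self.bindings.items() if v != ext}

    def outbound(self, pkt: Packet, now: float = 0.0) -> Packet:
        # inside -> outside: create or refresh the binding and rewrite the source
        self._expire(now)
        key = self._key(pkt)
        if key not in self.bindings:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.bindings[key] = ext
            self.table[ext] = {"inside": pkt.src, "peers": set(), "seen": now}
        ext = self.bindings[key]
        self.table[ext]["peers"].add(pkt.dst)   # remember which remote (ip, port) we sent to
        self.table[ext]["seen"] = now
        return Packet(ext, pkt.dst)

    def inbound(self, pkt: Packet, now: float = 0.0) -> Optional[Packet]:
        # outside -> inside: apply the filtering policy; None means the packet is dropped
        self._expire(now)
        rec = self.table.get(pkt.dst)
        if rec is None:
            return None                         # no binding for this public address/port
        if self.kind == "full":
            allowed = True                      # ALLOW ALL TO ext
        elif self.kind == "restricted":
            allowed = any(ip == pkt.src[0] for ip, _ in rec["peers"])  # ALLOW X TO ext
        else:                                   # port_restricted and symmetric: ALLOW X:P TO ext
            allowed = pkt.src in rec["peers"]
        if not allowed:
            return None
        rec["seen"] = now
        return Packet(pkt.src, rec["inside"])


A, B, C = ("192.168.2.2", 4445), ("1.1.1.5", 7777), ("1.1.1.6", 7777)


def replay(kind: str) -> dict:
    """Replay the slides' packets against one NAT kind; True means delivered to Host A."""
    nat = Nat(kind, "1.1.1.4")
    to_b = nat.outbound(Packet(A, B))           # creates 192.168.2.2:4445 <-> 1.1.1.4:10100
    r = {"ext_for_B": to_b.src}
    r["B:7777"] = nat.inbound(Packet(B, to_b.src)) is not None
    r["B:4321"] = nat.inbound(Packet(("1.1.1.5", 4321), to_b.src)) is not None
    r["C:1234 before A->C"] = nat.inbound(Packet(("1.1.1.6", 1234), to_b.src)) is not None
    to_c = nat.outbound(Packet(A, C))
    r["ext_for_C"] = to_c.src
    r["C:7777 after A->C"] = nat.inbound(Packet(C, to_c.src)) is not None
    r["C:7777 to B's port"] = nat.inbound(Packet(C, to_b.src)) is not None
    r["B:7777 after idle"] = nat.inbound(Packet(B, to_b.src), now=600.0) is not None
    return r
```

Running replay() for each kind reproduces the X marks of the diagrams: only the full cone accepts C's unsolicited packet, only the full and restricted cones accept B's reply from port 4321, and only the symmetric NAT rejects C's packet sent to the port opened for B; after 600 idle seconds every kind has dropped the binding.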
41. Binding timeout
- When a NAT device creates a binding (a public-private IP address mapping), it associates a timer with it.
- The timer is used to destroy the binding once there is no activity/traffic associated with it.
- Because of this, a NAT-aware application that wishes to keep the binding open must periodically send outbound packets, a mechanism known as keep-alive; otherwise it will ultimately lose the binding and be unable to receive incoming packets from the Internet.
42. NAT Scenario
1. Pooling of IP addresses.
2. Supporting migration between network service providers.
3. IP masquerading.
4. Load balancing of servers.
43. Pooling of IP addresses
- Scenario:
  - A corporate network has many hosts but only a small number of public IP addresses.
- NAT solution:
  - The corporate network is managed with a private address space.
  - A NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
  - When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host.
44. Pooling of IP addresses
[Figure: host H1 (private address 10.0.1.2) on the private network sends to H5 (public address 213.168.112.3) on the Internet through the NAT device, which manages the pool of addresses 128.143.71.0-128.143.71.30.]
Packet before NAT: Source = 10.0.1.2, Destination = 213.168.112.3
Packet after NAT:  Source = 128.143.71.21, Destination = 213.168.112.3
Translation table entry: Private Address 10.0.1.2 <-> Public Address 128.143.71.21
45. Migration between network service providers
- Multiple Internet connections are attached to a NAT firewall, which chooses among them based on bandwidth, congestion and availability.
- Can be used to provide automatic fail-over of servers or load balancing.
- The firewall is connected to multiple ISPs, with a masquerade for each ISP, and chooses which ISP to use based on client load:
  - kind of like reverse load balancing;
  - a dead ISP is treated as a fully loaded one, and the client is routed through another ISP.
46. Migration between network service providers
- Scenario:
  - In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device has static address translation entries which bind the private address of a host to a public address.
  - Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
- Note:
  - The difference from the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.
48. IP masquerading
- Also called:
  - Network address and port translation (NAPT), port address translation (PAT).
- Scenario:
  - A single public IP address is mapped to multiple hosts in a private network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device modifies the port numbers for outgoing traffic.
49. IP masquerading
[Figure: hosts H1 (private address 10.0.1.2) and H2 (private address 10.0.1.3) on the private network share the public address 128.143.71.21 of the NAT device.]
H1 packet before NAT: Source = 10.0.1.2, Source port = 2001
H1 packet after NAT:  Source = 128.143.71.21, Source port = 2100
H2 packet before NAT: Source = 10.0.1.3, Source port = 3020
H2 packet after NAT:  Source = 128.143.71.21, Source port = 4444
Translation table:
Private Address    Public Address
10.0.1.2/2001      128.143.71.21/2100
10.0.1.3/3020      128.143.71.21/4444
50. Load balancing of servers
- Scenario:
  - Balance the load on a set of identical servers, which are accessible from a single IP address.
- NAT solution:
  - Here, the servers are assigned private addresses.
  - The NAT device acts as a proxy for requests to the server from the public network.
  - The NAT device changes the destination IP address of arriving packets to one of the private addresses of a server.
  - A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
51. Load balancing of servers
- A single incoming IP address is distributed across a number of internal servers.
- A firewall dynamically maps each request to one of a pool of identical clone machines:
  - often done for really busy web sites;
  - each clone must have a way to notify the firewall of its current load so the firewall can choose a target machine;
  - or the firewall just uses a dispatching algorithm like round robin.
- Only works for stateless protocols (like HTTP).
53. Concerns about NAT
1. Performance.
2. Fragmentation.
3. End-to-end connectivity.
4. IP address in application data.
54. Performance
- Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum.
- Modifying the port number requires that NAT boxes recalculate the TCP checksum.
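The checksum work the slide refers to, as an added example (not from the slides): it builds a constructed IPv4 header for 10.6.1.20 (the destination 198.51.100.7 is a constructed stand-in for the slides' "Internet Host"), rewrites the source to 171.69.68.10 as the NAT of slide 23 does, and patches the header checksum incrementally per RFC 1624 instead of re-summing the whole header; a full recompute is included to show both give the same value.

```python
import socket
import struct


def ones_complement_add(a: int, b: int) -> int:
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total = ones_complement_add(total, word)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def header_checksum(hdr: bytes) -> int:
    return struct.unpack("!H", hdr[10:12])[0]


def verify(hdr: bytes) -> bool:
    """Receiver's check: summing the whole header, checksum field included, gives zero."""
    return checksum(hdr) == 0


def full_recompute(hdr: bytes) -> int:
    """The slow way: zero the checksum field and sum all ten header words again."""
    return checksum(hdr[:10] + b"\x00\x00" + hdr[12:])


def incremental_update(old_ck: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied per changed 16-bit word.
    Only the words the NAT touched are visited, not the whole header."""
    hc = (~old_ck) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        hc = ones_complement_add(hc, (~m) & 0xFFFF)
        hc = ones_complement_add(hc, m_new)
    return (~hc) & 0xFFFF


def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What the NAT box does on the outbound path: swap the source address and
    patch the header checksum without re-summing the header."""
    old_src, new = hdr[12:16], socket.inet_aton(new_src)
    new_ck = incremental_update(header_checksum(hdr), struct.unpack("!HH", old_src),
                                struct.unpack("!HH", new))
    return hdr[:10] + struct.pack("!H", new_ck) + new + hdr[16:]
```

The TCP and UDP checksums cover a pseudo-header that includes both IP addresses, so the same incremental update has to be applied to the transport checksum whenever an address or a port is rewritten; a NAT that forgets it produces packets the receiver discards.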
55. Fragmentation
- Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
56. End-To-End Connectivity
- NAT destroys universal end-to-end reachability of hosts on the Internet.
- A host in the public Internet often cannot initiate communication to a host in a private network.
- The problem is worse when two hosts that are both in private networks need to communicate with each other.
57. IP address in application data
- Applications that carry IP addresses in the payload of the application data generally do not work across the private/public network boundary.
- Some NAT devices inspect the payload of widely used application-layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.
58. Problems with NAT
- Can't be used with:
  - protocols that require a separate back-channel (FTP);
  - protocols that encrypt TCP headers;
  - protocols that embed TCP address info;
  - protocols that specifically use the original IP for some security reason.
- (the solutions).
59. How Much Memory?
- Needs 42 Kb of system memory to enable NAT.
- 160–200 bytes for each entry in the NAT translation table.
- 1,000 entries use approximately 205 Kb of memory (includes the 42 Kb).
60. NAT in IPv6
- Network address translation is not commonly used in IPv6, as one of its aims is to restore true host-to-host connectivity.
- NAT loopback is not commonly needed. Although still possible, the large address space of IPv6 obviates the need to conserve addresses, and every device can be given a unique, globally routable address.
- NAT loopback, when implemented, works as in IPv4.
66. Configure Static NAT
- As you have seen in the configuration, there is no direct route to 10.0.0.2, so a PC on the 30.0.0.0 network will never know about it.
- Those PCs access 50.0.0.1 as the web server IP. To test it, double-click on any computer and ping 50.0.0.1; you will get a reply.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126
Ping statistics for 50.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 141ms, Average = 113ms
67. Configure Static NAT
- Now ping 10.0.0.2 and you will get a destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
68. Configure Static NAT
- This demonstration shows how companies use NAT to hide their internal network from the outside world. Now open a web browser from any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
70. Configure Dynamic NAT
- In this example our internal network uses the 192.168.0.0 network. We have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use.
- Configure Router0:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
71. Configure Dynamic NAT
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
73. Configure Dynamic NAT
- To test NAT, go to R1 and enable NAT debugging from privileged mode:
  R1#debug ip nat
- Now go to a PC and ping 20.0.0.2.
74. Configure Dynamic NAT
- When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet was generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address with, which you can see in the output of the debug command on R1:
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
75. Configure Dynamic NAT
- As you can see in the output, 192.168.0.5 is translated to 50.0.0.1 before leaving the router.
- Now check web access from any client PC.
76. Configure Dynamic PAT
- In dynamic NAT, translation is made IP to IP, so you need as many global IP addresses as you have inside local addresses. That is an issue if you have few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
- For the demonstration we are going to configure the same topology we used for dynamic NAT, but this time we use only one global IP address, 50.0.0.1.
78. Configure Dynamic PAT
- The IP addresses of the PCs are already configured. Double-click on R1 and configure it as given here.
- Configure R1:
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
79. Configure Dynamic PAT
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
82. Configure Dynamic PAT
- To verify PAT, go to R1 and run show ip nat translations:
R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 50.0.0.1:1         192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2         192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3         192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4         192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
- As you can see, this time address translation is done with port addresses instead of IP addresses.
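A model of the router's translation table under the three modes configured in these slides (static entries as in the static NAT demo, dynamic NAT from the pool, and PAT with overload), as an added example that is not the slides' own code or Cisco's implementation. It assumes the page's access list 192.168.0.0/24, the pool 50.0.0.1 to 50.0.0.5 and the static entry 10.0.0.2 -> 50.0.0.1; in PAT mode it keeps the inside port when that port is free on the global address (as the icmp ids above are kept) and otherwise allocates from 4096 upward (a modelling assumption).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatRouter:
    """Translation table of a NAT router: static entries, a dynamic pool, or PAT."""

    def __init__(self, inside_acl: str, pool: Tuple[str, str], overload: bool = False,
                 statics: Optional[Dict[str, str]] = None):
        self.acl = ipaddress.ip_network(inside_acl)        # access-list 1 permit <network>
        first, last = (int(ipaddress.ip_address(p)) for p in pool)
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload                           # "... pool test overload" => PAT
        self.static = dict(statics or {})                  # inside local -> inside global, always present
        self.dynamic: Dict[str, str] = {}                  # inside local -> inside global, taken from the pool
        self.pat: Dict[Endpoint, Endpoint] = {}            # inside local:port -> inside global:port

    def translate(self, src: Endpoint) -> Optional[Endpoint]:
        """Inside global endpoint for an outbound packet, or None when no translation exists."""
        ip, port = src
        if ip in self.static:                              # static entries are checked first
            return (self.static[ip], port)
        if ipaddress.ip_address(ip) not in self.acl:       # not permitted by the access list
            return None
        if self.overload:                                  # PAT: every host shares the first pool address
            if src not in self.pat:
                glob = self.free[0]
                used = {p for g, p in self.pat.values() if g == glob}
                # keep the inside port if it is free on the global address, else allocate from 4096 up
                new_port = port if port not in used else next(p for p in range(4096, 65536) if p not in used)
                self.pat[src] = (glob, new_port)
            return self.pat[src]
        if ip not in self.dynamic:                         # dynamic NAT: one pool address per inside host
            if not self.free:
                return None                                # pool exhausted: no translation for this host
            self.dynamic[ip] = self.free.pop(0)
        return (self.dynamic[ip], port)

    def show_translations(self) -> List[Tuple[str, str]]:
        """(Inside global, Inside local) pairs, the first two columns of 'show ip nat translations'."""
        rows = [(glob, loc) for loc, glob in self.static.items()]
        rows += [(glob, loc) for loc, glob in self.dynamic.items()]
        rows += [(f"{g}:{gp}", f"{l}:{lp}") for (l, lp), (g, gp) in self.pat.items()]
        return rows
```

With the dynamic pool, the sixth inside host gets no translation once 50.0.0.1 to 50.0.0.5 are all bound, which is the situation slide 76 describes; with overload, every host is translated to 50.0.0.1 and only the port differs.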