NAT Configurations
You can configure NAT in several different ways. Each of the following configuration methods provides a solution for different configuration requirements:
Traditional NAT
Traditional NAT is the most common method of using address translation. Its primary use is translating private addresses to legal addresses for use in an external network. When configured for dynamic operation, hosts within a private network can initiate access to the external (public) network, but external nodes on the outside network cannot initiate access to the private network. Addresses on the private network and public network must not overlap. Also, route destination advertisements on the public network (for example, the Internet) can appear within the inside network, but the NAT router does not propagate advertisements of local routes that reference private addresses out to the public network.
There are two types of traditional NAT—basic NAT and NAPT.
Basic NAT
Basic NAT provides translation for IP addresses only (called a simple translation) and places the mapping into a NAT table. In other words, for packets outbound from the private network, the NAT router translates the source IP address and related fields (for example, IP, TCP, UDP, and ICMP header checksums). For inbound packets, the NAT router translates the destination IP address (and related checksums) for entries that it finds in its translation table.
NAPT
Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This method can translate the addresses and transport identifiers of many private hosts into a few external addresses and transport identifiers, to make efficient use of globally registered IP addresses.
Similar to basic NAT, for outbound packets NAPT translates the source IP address, source transport identifier, and related checksum fields. For inbound packets NAPT translates the destination IP address, destination transport identifier, and checksum fields.
Bidirectional NAT
Bidirectional (or two-way) NAT adds support to basic NAT for the Domain Name System (DNS) so public hosts can initiate sessions into the private network, usually to reach servers intended for public access.
When an outside host attempts to resolve the name of an inside host on a private network, the NAT router intercepts the DNS reply and installs an address translation to allow the outside host to reach the inside host by using a public address. When the outside host initiates a connection with the inside host on the private network, the NAT router translates that public destination address to the private address of the inside host and, on the return path, replaces the source address with the advertised public address.
You might need to perform some additional configuration to allow public access from the Internet to a DNS server that resides in the private domain.
The same address space requirements and routing restrictions apply to bidirectional NAT that were described for traditional NAT. The difference between these two methods is that the DNS exchange might create entries within the translation table.
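The DNS-triggered exchange described above, modeled as an added example (not code from the original document or the product it describes). The hostnames, private addresses, and public address pool are constructed sample values; the `BidirectionalNat` class and its methods are hypothetical names chosen for this illustration.

```python
"""Bidirectional NAT with DNS-triggered translations (added example, not from the document).

An outside host resolves the name of an inside server; the NAT router rewrites
the A record in the DNS reply to a public address from its pool, installs the
matching translation, and then translates the connection that follows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data (hypothetical zone and pool, not from the document).
INSIDE_ZONE = {"www.example.test": "10.1.1.20", "mail.example.test": "10.1.1.21"}
INSIDE_GLOBAL_POOL = ["203.0.113.10", "203.0.113.11"]


@dataclass
class BidirectionalNat:
    pool: List[str]
    global_to_local: Dict[str, str] = field(default_factory=dict)  # inside global -> inside local
    local_to_global: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global

    def intercept_dns_reply(self, inside_local: str) -> Optional[str]:
        """Rewrite the A record of a DNS reply leaving the private network.

        Reuses or installs an inside global -> inside local translation and
        returns the public address the outside resolver will see, or None when
        the pool is exhausted and the reply cannot be rewritten.
        """
        if inside_local in self.local_to_global:
            return self.local_to_global[inside_local]
        free = [a for a in self.pool if a not in self.global_to_local]
        if not free:
            return None
        inside_global = free[0]
        self.global_to_local[inside_global] = inside_local
        self.local_to_global[inside_local] = inside_global
        return inside_global

    def translate_inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Outside -> inside: rewrite the public destination to the private address.

        Without a table entry the packet is not routed into the private network.
        """
        local = self.global_to_local.get(dst)
        return None if local is None else (src, local)

    def translate_outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Inside -> outside: restore the advertised public address as the source."""
        public = self.local_to_global.get(src)
        return None if public is None else (public, dst)


def run_exchange(name: str, outside_host: str) -> dict:
    """Resolve-then-connect exchange as seen by the NAT router; returns each step."""
    nat = BidirectionalNat(list(INSIDE_GLOBAL_POOL))
    inside_local = INSIDE_ZONE[name]
    # 1. The inside DNS server answers with the private address; the router
    #    intercepts the reply and substitutes a pool address.
    public = nat.intercept_dns_reply(inside_local)
    # 2. The outside host connects to the public address it was given.
    inbound = nat.translate_inbound(outside_host, public)
    # 3. The inside server replies; its private source address is replaced by
    #    the advertised public address on the return path.
    outbound = nat.translate_outbound(inside_local, outside_host)
    return {"dns_answer": public, "inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    print(run_exchange("www.example.test", "198.51.100.7"))
```

The pool-exhaustion branch is the practical caveat: once every pool address is bound, further DNS replies for new inside hosts cannot be rewritten, and inbound packets to an address with no entry are still dropped rather than forwarded.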
Twice NAT
In twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router in either direction. For example, you would use twice NAT if you are connecting two networks in which all or some addresses in one network overlap addresses in another network, whether the network is private or public.
Network and Address Terms
The NAT implementation defines an address realm as either inside or outside, with the router that is running NAT acting as the defining boundary between the two realms.
From a NAT perspective, an inside network is the local portion of a network that uses private, not publicly routable IP addresses that you want to translate. An outside network is the public portion of a network that uses legitimate, publicly routable IP addresses to which you want private hosts to connect.
The addresses that are translated by NAT between address realms are labeled as inside or outside, and as local or global. When reading the terms in the following sections, keep the following definitions in mind:
- The terms inside and outside refer to the host that the address is associated with.
- The terms local and global refer to the network on which the address appears.
Inside Local Addresses
The inside local address is a configured IP address that is assigned to a host on the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Inside Global Addresses
The inside global address is the translated IP address of an inside host as seen by an outside host and network. Addresses may be allocated from a globally unique address space (often provided by the ISP, if the inside address is connected to the global Internet).
Outside Local Addresses
The outside local address is the translated IP address of an outside host as it appears to the inside network. Addresses may be globally unique (not requiring translation), allocated from the private address space defined in RFC 1918, or officially allocated to some other organization.
Outside Global Addresses
The outside global address is the configured, publicly routable IP address assigned to a host on the outside network.
Understanding Address Translation
Inside Source Translation
Inside source translation is the most commonly used NAT configuration. When an inside host sends a packet to the outside network, the NAT router translates the source information (either the source address or the source address/port pair) and, in the inbound direction, restores the original information (this time operating on the destination address or address/port pair).
For outbound traffic, the NAT router translates the inside local address (or address/port) into the inside global address (or address/port), either through a statically defined translation or dynamically created translation. For inbound traffic, a translation must be found to revert the inside global address (or address/port) into the inside local address (or address/port), or the packet is not routed into the inside network.
NOTE: Dynamic inside source translations are established by outbound traffic.
You use inside source translation in traditional and bidirectional NAT configurations.
Outside Source Translation
Outside source translation is used in NAT configurations only when addresses of external hosts might create a conflict on the private network. This complementary translation process is performed on the opposite addressing fields in the IP packet. When an outside host sends a packet to the inside network, the NAT router translates the source information (either the source address or the source address/port pair) and, in the outbound direction, restores the original information (this time operating on the destination address or address/port pair).
For inbound traffic, the NAT router translates the outside global address (or address/port) into the outside local address (or address/port), either through a statically defined translation or dynamically created translation. For outbound traffic, a translation must be found to revert the outside local address (or address/port) into the outside global address (or address/port), or the packet is not routed into the outside network.
NOTE: Dynamic outside source translations are established by inbound traffic.
You use outside source translation along with inside source translation to configure twice NAT.
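Twice NAT, as introduced earlier for overlapping networks, combines the inside source and outside source translations just described. The following added example (not code from the document or the product) applies static translations in both directions over two networks that both use 10.0.0.0/24, and includes the configuration check a practitioner would want: that the outside local addresses chosen do not fall inside the inside network's own prefix. All addresses, the `TwiceNat` class, and the helper names are constructed for this illustration.

```python
"""Twice NAT between two networks with overlapping address space (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]  # (source address, destination address)


class TwiceNat:
    """Static inside source and outside source translations applied together."""

    def __init__(self, inside_source: Dict[str, str], outside_source: Dict[str, str]):
        # Inside source: inside local -> inside global (and the reverse map).
        self.inside_l2g = dict(inside_source)
        self.inside_g2l = {g: l for l, g in inside_source.items()}
        # Outside source: outside global -> outside local (and the reverse map).
        self.outside_g2l = dict(outside_source)
        self.outside_l2g = {l: g for g, l in outside_source.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: translate the source (inside) and the destination (outside)."""
        src, dst = pkt
        if src not in self.inside_l2g or dst not in self.outside_l2g:
            return None  # one of the two translations is missing: not routed outside
        return self.inside_l2g[src], self.outside_l2g[dst]

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translate the source (outside) and the destination (inside)."""
        src, dst = pkt
        if src not in self.outside_g2l or dst not in self.inside_g2l:
            return None  # no entry for either field: not routed inside
        return self.outside_g2l[src], self.inside_g2l[dst]


def overlapping_locals(inside_prefix: str, outside_local: List[str]) -> List[str]:
    """Return the outside local addresses that collide with the inside network's prefix.

    Such a choice defeats twice NAT: an inside host could not tell the translated
    outside host apart from one of its own neighbours.
    """
    net = ip_network(inside_prefix)
    return [a for a in outside_local if ip_address(a) in net]


def round_trip(nat: TwiceNat, inside_host: str, outside_local: str):
    """Send one request from an inside host and return (request as sent, reply as delivered)."""
    request = nat.outbound((inside_host, outside_local))
    if request is None:
        return None, None
    # The outside host answers the request it saw: swap source and destination.
    reply = nat.inbound((request[1], request[0]))
    return request, reply


if __name__ == "__main__":
    # Constructed scenario: both networks use 10.0.0.0/24. The inside host
    # 10.0.0.5 is advertised outside as 192.0.2.5; the outside host 10.0.0.9 is
    # presented to the inside network as 172.16.0.9.
    nat = TwiceNat({"10.0.0.5": "192.0.2.5"}, {"10.0.0.9": "172.16.0.9"})
    print(overlapping_locals("10.0.0.0/24", ["172.16.0.9"]))  # [] means the choice is safe
    print(round_trip(nat, "10.0.0.5", "172.16.0.9"))
```

The inside host addresses the outside host by its outside local address, never by the real 10.0.0.9, which is what makes the overlap workable; `round_trip` shows both addresses being rewritten on the way out and reverted on the way back.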
Address Assignment Methods
Static Translations
You enter static translations as direct configuration settings that remain in the translation table until you remove them. You use static translations when you must initiate connections from both the inside and outside interfaces, or when the translation is not subject to change.
Dynamic Translations
Dynamic translations use access list rules to determine whether to apply NAT to incoming traffic, and NAT address pools from which a NAT translation can obtain IP addresses. You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
Order of Operations
Inside-to-Outside Translation
Inside-to-outside translation occurs in the following order:
- Inside (privately addressed) traffic enters the router on an interface marked as inside.
- A route lookup is performed.
- If the next interface is marked as outside, the router sends the traffic to the server module.
- The server module performs the appropriate translation.
- The router forwards the packet to the appropriate egress line module.
- The line module sends the packet as outbound traffic using a globally unique source address (inside source translation), destination address (outside source translation), and ports (NAPT).
Outside-to-Inside Translation
Outside-to-inside translation occurs in the following order:
- Traffic from the outside, public domain enters the router.
- All traffic from an interface that is marked outside, whether or not it requires NAT, is sent to the server module.
- The server module searches for an associated NAT match.
- If the server module:
  - Finds a NAT match, and the destination interface is marked as inside, the server module performs the appropriate translation and sends the packet to the appropriate destination.
  - Does not find a NAT match, and the destination interface is marked as inside, the server module drops the packet.
  - Does not find a NAT match, and the destination interface is not marked as inside, the server module processes the packet normally for its destination.
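The two orders of operations above, together with the dynamic inside source NAPT described earlier, as one added example (not code from the document or the product). It models a router with interfaces marked inside or outside, a route lookup, and a NAPT table whose dynamic entries are created only by outbound traffic, so that inbound packets for the inside realm with no entry are dropped while traffic not bound for the inside realm passes untranslated. Interface names, routes, addresses, and the `InsideSourceNapt` and `NatRouter` classes are constructed for this illustration.

```python
"""Inside source NAPT and the inside/outside order of operations (added example).

Not code from the document; it models the steps listed above with constructed
interface names, routes and addresses. Assumes one inside global address and
dynamic extended translations established only by outbound traffic.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, Iterator, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, transport identifier such as a TCP/UDP port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


@dataclass
class InsideSourceNapt:
    """Dynamic inside source NAPT: many inside local hosts share one inside global address."""
    inside_global: str
    # Extended translations: (proto, inside local address, inside local port) -> global port.
    outbound_table: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # Reverse map for inbound lookups: (proto, inside global port) -> inside local endpoint.
    inbound_table: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    _ports: Iterator[int] = field(default_factory=lambda: count(1024), repr=False)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port; create the dynamic entry on first use."""
        key = (pkt.proto, pkt.src[0], pkt.src[1])
        if key not in self.outbound_table:
            gport = next(self._ports)  # allocate an unused global port
            self.outbound_table[key] = gport
            self.inbound_table[(pkt.proto, gport)] = pkt.src
        return Packet((self.inside_global, self.outbound_table[key]), pkt.dst, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Revert destination address/port to the inside local endpoint, or None if no entry."""
        if pkt.dst[0] != self.inside_global:
            return None
        local = self.inbound_table.get((pkt.proto, pkt.dst[1]))
        return None if local is None else Packet(pkt.src, local, pkt.proto)


@dataclass
class NatRouter:
    nat: InsideSourceNapt
    inside_ifaces: Set[str]
    outside_ifaces: Set[str]
    routes: Dict[str, str]  # prefix -> egress interface

    def route_lookup(self, addr: str) -> str:
        """Longest-prefix match over the configured routes."""
        matches = [ip_network(p) for p in self.routes if ip_address(addr) in ip_network(p)]
        return self.routes[str(max(matches, key=lambda n: n.prefixlen))]

    def forward(self, ingress: str, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (egress interface, packet as sent); the packet is None when dropped."""
        if ingress in self.inside_ifaces:
            # Inside-to-outside: route lookup first; translate only if the egress is outside.
            egress = self.route_lookup(pkt.dst[0])
            if egress in self.outside_ifaces:
                return egress, self.nat.translate_outbound(pkt)
            return egress, pkt
        # Outside-to-inside: everything from an outside interface is checked for a match.
        match = self.nat.translate_inbound(pkt)
        egress = self.route_lookup((match or pkt).dst[0])
        if egress in self.inside_ifaces:
            return egress, match  # no match for an inside destination: dropped (None)
        return egress, pkt  # not bound for the inside realm: processed normally


def demo() -> dict:
    """Run the four cases a practitioner would check and return what each produced."""
    nat = InsideSourceNapt(inside_global="203.0.113.1")
    router = NatRouter(nat, {"inside0"}, {"outside0", "outside1"}, {
        "10.0.0.0/24": "inside0",      # the private network
        "203.0.113.0/24": "inside0",   # the inside global address belongs to the inside realm
        "192.0.2.0/24": "outside1",    # another public network reachable through this router
        "0.0.0.0/0": "outside0",       # everything else is the public network
    })
    # An inside host opens a session; the dynamic entry is created on the way out.
    out_if, sent = router.forward("inside0", Packet(("10.0.0.5", 40000), ("198.51.100.7", 443)))
    # The reply to the translated endpoint is reverted to the inside local endpoint.
    reply = router.forward("outside0", Packet(("198.51.100.7", 443), sent.src))
    # Unsolicited inbound traffic to the inside global address has no entry: dropped.
    unsolicited = router.forward("outside0", Packet(("198.51.100.9", 5555), ("203.0.113.1", 2222)))
    # Traffic not bound for the inside realm is forwarded without translation.
    transit = router.forward("outside0", Packet(("198.51.100.9", 5555), ("192.0.2.1", 80)))
    return {"outbound": (out_if, sent), "reply": reply, "unsolicited": unsolicited, "transit": transit}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `unsolicited` case is the one to keep in mind when reasoning about exposure: with dynamic inside source translation, nothing reaches an inside host unless that host's outbound traffic created the entry first, which is a property of the translation table rather than of any packet filter.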
PPTP and GRE Tunneling Through NAT
NOTE: Neither port translation (NAPT) nor firewall traversal is supported for GRE flows.
When configured, the following types of translations are supported for GRE and PPTP tunnels:
- Inside source static simple translations (inbound and outbound)
- Outside source static simple translations (inbound and outbound)
- Inside source dynamic simple translations (inbound and outbound)
- Outside source dynamic simple translations (inbound and outbound)
- Combinations of the preceding translations (for example, twice NAT)