NAT translation is separate from the routing process

Private IP addressing is defined in RFC 1918, according to which the following IP address blocks can be used within an organization for private use:

• Class A network: 10.0.0.0 to 10.255.255.255
• Class B network: 172.16.0.0 to 172.31.255.255
• Class C network: 192.168.0.0 to 192.168.255.255

 

What is NAT?

NAT is used when connecting multiple devices on internal private networks to a public network such as the Internet using a limited number of public IPv4 addresses. It was originally designed to conserve IPv4 address space, because the IPv4 address space is not big enough to uniquely identify all devices that need Internet connectivity.

 

When can you use NAT?

Typically NAT is used when a private IP address needs to be routed on a public network such as the Internet, but it can also be used when address ranges overlap between intranets.

 

NAT uses the terms inside and outside; what do these mean, and what are the NAT address types?

Inside means internal to your network, and outside means external to your network. NAT includes the following four types of addresses:
• Inside local address: The IPv4 address assigned to a device on the internal network.
• Inside global address: The IPv4 address of an internal device as it appears to the external network. This is the address to which the inside local address is translated.
• Outside local address: The IPv4 address of an external device as it appears to the internal network. If outside addresses are being translated, this is the address to which the outside global address is translated.
• Outside global address: The IPv4 address assigned to a device on the external network.

 

What are the three types of NAT?

• Static NAT: Static NAT is one-to-one translation. It is particularly useful when a device must be accessible from outside the network (for example, when a server with a static IPv4 address needs to be accessible from the Internet, that server's private address can be translated to a public address).
• Dynamic NAT: Dynamic NAT is many-to-many translation, using a pool of addresses. When an inside device accesses an outside network, it is assigned an available IPv4 address from the pool on a first-come, first-served basis. When using dynamic NAT, you need to ensure that there are enough addresses in the pool to satisfy the total number of user sessions. An example of when this type of NAT could be used is when two companies that use the same private address space merge; dynamic NAT readdressing could be used as a temporary measure until the entire network is readdressed.
• Port Address Translation (PAT): PAT is many-to-one translation; for example, it maps multiple inside local IPv4 addresses to a single inside global IPv4 address by tracking port numbers. PAT is also known as NAT overloading. It is a form of dynamic NAT and is the most common type of NAT. PAT is used in business and home routers, allowing multiple devices to access the Internet even though only one public IPv4 address is available.

 

 

What is the command used to verify which addresses are currently being translated?

 

The show ip nat translations command is used to verify which addresses are currently being translated.

 

How do you configure static NAT?

 

You first define inside and outside interfaces, using the ip nat inside and ip nat outside interface configuration commands. You next specify which inside local address should be translated to which inside global address, using the ip nat inside source static local-ip global-ip global configuration command.

Router(config)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source static 172.16.1.10 209.165.201.5

 

How do you configure dynamic NAT?

 

Like static NAT, you first identify each interface as an inside or outside interface. You then define the set of inside local addresses to be translated, using an ACL. The next step is to define the pool of inside global addresses to which the inside local addresses will be translated, using the ip nat pool name start-ip end-ip global configuration command. Finally, the ACL-to-NAT-pool mapping is defined by the following global configuration command: ip nat inside source list {access-list-number | access-list-name} pool name

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# ip nat pool NAT-POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.240
Router(config)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 pool NAT-POOL

 

What is the connection tracking mechanism in NAT?

 

Incoming packets from the outside network are delivered to the destination device on the inside network by looking for a match in the NAT translations table and translating the IPv4 headers, both address and port number, accordingly.

 

 

How do you configure PAT?

 

To configure PAT, you again first identify each interface as an inside or outside interface and define the set of inside local addresses to be translated, using an ACL. You then use the following global configuration command:
ip nat inside source list {access-list-number | access-list-name} {interface type number} [overload]
This command translates all addresses permitted by the ACL to the address of the specified outside interface; the overload keyword enables PAT.

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# interface Ethernet 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# interface Ethernet 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 interface Ethernet 0/1 overload

 

 

What are the limitations of NAT?

 

• End-to-end visibility issues: Many applications depend on end-to-end functionality, with unmodified packets being forwarded from source to destination. By changing end-to-end addresses, NAT effectively blocks such applications. For example, some security applications, such as digital signatures, fail because the source IP addresses change. Applications that use physical addresses rather than a qualified domain name do not reach destinations that are translated across the NAT router. Also, because of address changes along the way, the traceability of endpoints is lost, which can make troubleshooting challenging. Another visibility problem is session initiation from the outside network; services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination.
• Tunneling becomes more complex: Using NAT can complicate tunneling protocols, such as IPsec, because NAT modifies the values in the headers and thus interferes with the integrity checks done by IPsec and other tunneling protocols.

 

What is NVI?

 

As of Cisco IOS Software Release 12.3(14)T, Cisco introduced a new feature, NAT virtual interface (NVI), which removes the requirement to configure an interface as inside or outside. The NVI order of operations is also slightly different from that of classic NAT. Recall that classic NAT first performs routing and then translation when going from an inside interface to an outside interface, and vice versa when the traffic flow is reversed. NVI, however, performs routing, translation, and routing again; that is, NVI performs the routing operation twice, before and after translation, before forwarding the packet to an exit interface. The whole process is symmetrical, no matter which way the traffic is flowing. Because of the added routing step, packets can flow, in classic NAT terms, from an inside to an inside interface; as described in the previous section, this scenario fails if classic NAT is used.

 

NVI configuration example?

 

      R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)# ip nat pool TEST1 209.165.201.5 209.165.201.10 prefix-length 27
R1(config)# ip nat source list 10 pool TEST1
R1(config)# ip nat source static 172.16.10.10 209.165.201.2

Note: Notice that there are no inside or outside keywords used in these commands. Because NVI does not require that you define inside or outside interfaces, those keywords are also not used in the translation commands.

 

How do you verify NVI?

 

When NAT is configured, an NVI0 interface is created; it is used when translating IPv4 addresses. To verify this, issue the show ip interface brief command.
• To observe NVI translations, issue the show ip nat nvi translations command.
• To configure interfaces to use NVI and participate in the translation process, use the ip nat enable interface configuration command.

 

How do you show the NVI statistics?

 

The show ip nat nvi statistics command displays NVI statistics and indicates which interfaces are participating in NAT.
The Hits and Misses counts in this command output provide valuable information. The Hits counter increases every time a translation is found in the translations table. If no translation is found, a new translation is inserted in the table and the Misses counter is increased. If NAT is operating normally, both counters should increase over time.

 

 

What is the NAT order of operations?

 

• On the inside:
- Packets are first routed and then have their source addresses translated.
- Destination addresses are global, so this is OK.
• On the outside:
- Packets have their destination addresses untranslated first.
- Routing occurs after translation.
- This allows proper routing for returning packets with translated sources.

 

What is the newer way of enabling NAT on an interface, regardless of inside and outside?

 

ip nat enable

 

How do you debug NAT?

 

      debug ip nat [detailed]

 

How do you clear existing NAT translations?

 

      clear ip nat translation *

 

Because NAT translation is separate from the routing process, you must ensure that:

 

You have a route to the destination, and the destination has a route back to you.

 

To ensure the destination has a route back to you, you could do the following:

 

When a NAT pool is configured, the add-route option can be used for automatic route injection: a static route is then created for that subnet, and you can advertise it through an IGP or EGP. (You will not see a static route in the running-config.)

Another way is to manually install the static route and advertise it.

Another way is to create a loopback and assign an

 

Can Cisco IOS NAT be applied to subinterfaces?

 

Yes. Source and/or destination NAT translations can be applied to any interface or subinterface having an IP address (including dialer interfaces). NAT cannot be configured on a Wireless Virtual Interface, because the Wireless Virtual Interface does not exist at the time the configuration is written to NVRAM; after a reboot, the router therefore loses the NAT configuration on the Wireless Virtual Interface.

 

What is meant by the term NAT overloading; is this PAT?

 

Yes. NAT overloading is PAT, which involves using a pool with a range of one or more addresses, or using an interface IP address, in combination with the port. When you overload, you create a fully extended translation: a translation table entry containing IP address and source/destination port information. This is commonly called PAT or overloading.
PAT (or overloading) is a feature of Cisco IOS NAT that is used to translate internal (inside local) private addresses to one or more outside (inside global, usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations.

 

When a traceroute is done through a NAT router, should traceroute show the NAT-Global address or should it leak the NAT-Local address?

 

      Traceroute from outside should always return the global address.

 

NAT FAQ site

 

      http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

 

What is NAT64?

 

NAT Protocol Translation (NAT-PT) was the initial translation scheme for facilitating communication between IPv6 and IPv4. NAT-PT has been deprecated and replaced by NAT64. NAT64 is described in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers. With NAT64, one or multiple public IPv4 addresses are shared by many IPv6-only devices, using overloading. IPv6 address assignment can be any of those discussed earlier in this chapter. NAT64 performs both address and IP header translation. An example use of NAT64 is to provide IPv4 Internet connectivity to IPv6 devices during the transition to a full IPv6 Internet.

 

What is NPTv6?

 

NPTv6 is described in RFC 6296, IPv6-to-IPv6 Network Prefix Translation. (Note that at the time of this writing this RFC has an "experimental," not "standard," status.) NPTv6 is a one-to-one stateless translation; one IPv6 address in an inside network, such as an organization's LAN, is translated to one IPv6 address in an outside network, the IPv6 Internet. The idea behind NPTv6 is that an organization's internal IPv6 addressing can be independent of its ISP's address space, making it easier to change ISPs. NPTv6 provides only network layer translation; port numbers are not translated.
One use of NPTv6 is when an organization has connections to two ISPs. In this multihomed case, NPTv6 translates to either ISP's address space. RFC 6296 has been updated (as documented in draft-bonica-v6-multihome-0; see the "References" section for the link to this document) to also maintain transport layer sessions if a connection to one ISP fails, which would be useful in this case.

 
