The command ip nat pool has two other options. First, instead of using the netmask syntax,
you can use the prefix-length keyword followed by the number of bits in the mask, which
indicates how many bits are ones; in this case, 24 indicates your netmask. You can also add
type rotary after the netmask to enable TCP load distribution. This indicates that the IP
addresses in the pool are real inside hosts that can be used for TCP load distribution. Second,
you can use the parameter match-host, which attempts to match the host portion of the IP
address to be translated to the same host number in the translated IP address. This is useful for
quickly finding which internal host a translated IP address belongs to, but you must have at
least a one-to-one relationship between local and global addresses.
Configuring Dynamic NAT, Inside Global Address
Overloading, and TCP Load Distribution
This section explains how to configure dynamic NAT using inside global address overloading
as well as TCP load distribution.
Dynamic NAT maps an illegal inside IP address to any legally registered, globally routable
IP address from an identified pool of addresses. Before trying to configure dynamic NAT, you
should enable IP routing on your router and configure the appropriate IP addresses and subnet
masks on each interface.
Again, let’s start the configuration process in global configuration mode, assuming you have
only one interface on the router connected to your inside network and one connected to your
outside network. In this example, a PC using the illegal inside IP address of 10.1.2.25 needs to
access data on the Internet. When the NAT border router receives a packet going to the outside
network from IP address 10.1.2.25, the NAT border router will choose an available globally
routable IP address from the address pool and translate the source IP address to the legally
usable address of 200.1.1.26. Do this by following these steps:
1. NAT translations from the inside local network to the inside global network take place
after routing. Therefore, any access lists or policy routing will have been applied before the
translation occurs. You will create an access list to specify the IP addresses to translate. In
this example, you have a rather large network using the 10.1.0.0/16 IP address range, so the
following command will be used to create a standard IP access list that contains a wildcard
mask for the last two octets:
BorderRouter(config)#access-list 2 permit 10.1.0.0 0.0.255.255
2. Now that you have an access list, which defines that packets coming from 10.1.2.25 will
be translated, you need to define the actual pool of addresses that are routable on the
Internet. This is the range of legal IP addresses that your ISP allocated to you for your use.
You might have been given only 254 IP addresses for your 1,000 PCs and servers in the
network, but because all your PCs aren’t on the Internet at any given time, this might be
enough. If it isn’t, you need to use another solution, such as configuring inside global
address overloading. Before you begin configuring your pool of addresses, you need to
decide on a name. In this case, you will call your address pool InternetIPPool. To
define the 254 IP addresses your ISP gave you (200.1.1.1 to 200.1.1.254 with the subnet
mask 255.255.255.0), use the following command:
BorderRouter(config)#ip nat pool InternetIPPool 200.1.1.1 200.1.1.254 netmask 255.255.255.0
To configure the router to utilize individual TCP ports, thus enabling an IP
address to be used more than once, add the parameter overload after the NAT
pool name.
3. At this point, you need to associate access list 2 (which you created in step 1) with the IP
NAT pool InternetIPPool you created in step 2. To do this, use the following command:
BorderRouter(config)#ip nat inside source list 2 pool InternetIPPool
4. To enable NAT, you must first select the interface that connects your inside network to the
router or internal route processor. To configure Ethernet 0 as a NAT inside interface, use
the following commands from global configuration mode:
BorderRouter(config)#interface ethernet0
BorderRouter(config-if)#ip nat inside
BorderRouter(config-if)#
5. Next, you need to configure serial 0 as the NAT interface connected to your outside network.
From global configuration mode, use the following commands:
BorderRouter(config)#interface serial0
BorderRouter(config-if)#ip nat outside
BorderRouter(config-if)#
There is another option when configuring dynamic NAT. You can use an
interface instead of a pool of IP addresses. This is useful when you might not
know the IP address of the outside interface, for example when using DHCP
on the outside interface. You still configure an access list that defines the traffic
to NAT and define which interfaces are inside and outside, but there is no
ip nat pool command. In addition, the command to configure the NAT is
slightly different: ip nat inside source list list-number interface
outside-interface overload. The overload parameter is not required but is
highly recommended because many inside hosts will be sharing the outside
interface's IP address for their link to the outside network.
Configuring Static NAT
Static NAT maps an illegal inside IP address to a legal global IP address so that the data can be sent
through the Internet. Before trying to configure static NAT, IP routing should be enabled on your
router, and the appropriate IP addresses and subnet masks should be configured on each interface.
Let’s start the configuration process in global configuration mode, assuming that you have
only one interface on the router connected to your inside network. In this example, the PC using
the illegal inside IP address of 10.1.2.25 needs to access data on the Internet. When the NAT
border router receives a packet going to the outside network from the IP address of 10.1.2.25,
you will configure it to translate the source address to a legally usable address of 200.1.1.25. Do
this by using the following command:
BorderRouter(config)#ip nat inside source static 10.1.2.25 200.1.1.25
To enable NAT, you must first select the interface that connects your inside network to the
router or internal route processor. There is at least one interface on the router connected to
the inside network and at least one interface connected to the outside network. You need
to identify each and enable NAT on both with different commands. In this example, the router’s
inside network interface is Ethernet 0, and the outside interface is serial 0. To configure
Ethernet 0 as a NAT inside interface, use the following steps from global configuration mode:
1. Enter the interface configuration mode, enable NAT, and identify whether you would like
NAT to translate inside or outside addresses. In this example, you will have NAT translate
inside addresses to outside addresses:
BorderRouter(config)#interface ethernet0
BorderRouter(config-if)#ip nat inside
BorderRouter(config-if)#
2. Next, you need to configure serial 0 as the interface connected to your outside network.
From global configuration mode, use the following commands:
BorderRouter(config)#interface serial0
BorderRouter(config-if)#ip nat outside
BorderRouter(config-if)#
3. You should see the following when displaying the router configuration. The IP addresses
of 10.1.2.254 and 200.1.1.1 are the IP addresses configured on the physical interfaces on
the router:
!
interface Ethernet0
ip address 10.1.2.254 255.255.0.0
ip nat inside
!
interface Serial0
ip address 200.1.1.1 255.255.0.0
ip nat outside
Overlapping Networks
Let’s say your network uses an IP addressing scheme that is valid and globally usable, but another
company is using it or you are no longer authorized to use it. Now imagine your ISP thinks it has
you locked in because it’s providing your IP address scheme, and it suddenly doubles your prices.
Rather than pay the higher prices, you shop for a new ISP with a different IP address range.
You finally find this terrific new ISP that is going to supply you with terrific Internet speeds
at a third of the cost of your other ISP. Unfortunately, it’s also going to supply you with a terrific
new IP address scheme that you must apply to your network. Even in a mid-sized network, you
would spend many hours changing your IP address scheme, and the wait would affect
your users tremendously. The solution is to implement NAT overlapping address translation.
In this section, you will learn how to translate IP addresses that are not legally usable on an
outside network such as the Internet into the new officially assigned IP addresses from your ISP.
For now, we will cover only the steps NAT uses to translate overlapping addresses. We will
cover configuring overlapping address translation later in this chapter, in the section "Configuring
NAT to Perform Overlapping Address Translation."
The following steps are used when translating overlapping addresses:
1. The host on the inside network tries to open a connection to a host on the outside network
by its fully qualified domain name (FQDN), which means requesting a name-to-address lookup
from an Internet Domain Name Server (DNS).
2. The NAT border router intercepts the Internet DNS's reply and begins the translation process
with the returned address if that address overlaps an address that is residing illegally in
the inside network.
3. To translate the returned address, the NAT border router creates a simple translation entry.
This entry maps the overlapping legal outside address to an address from an outside local
address pool of addresses legally usable on the outside network.
4. The NAT border router replaces the source address with the new inside global address,
replaces the destination address with the outside global address, and forwards the packet.
This translation is for new outgoing traffic to the newly DNS-learned IP address.
5. The host on the outside network receives the packet and continues the conversation.
6. For each packet sent from the outside to the inside host, the router will perform a NAT
table lookup, replace the inside global destination address with the inside local address, and
replace the outside global source address with the outside local address. Conversely, for
each packet sent from the inside to the outside host, the router will perform a NAT table
lookup, replace the outside local destination address with the outside global address, and
replace the inside local source address with the inside global address.
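The six steps above modelled in Python, as an added example that is not part of the original text: the DNS-reply intercept, the two kinds of table entry, and the rewrite applied in each direction. The inside network 200.1.1.0/24 (the old range that now belongs to someone else), the new ISP range 198.51.100.0/24 and the outside local address 10.0.1.1 are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class OverlapNat:
    """Border-router NAT table for overlapping networks: an inside-source
    entry (inside local -> inside global) plus an outside-source entry
    (outside global -> outside local) per translated conversation."""

    def __init__(self, inside_net, inside_global_pool, outside_local_pool):
        self.inside_net = ipaddress.ip_network(inside_net)
        self._ig = iter(inside_global_pool)   # addresses from the new ISP
        self._ol = iter(outside_local_pool)   # stand-ins for overlapping outside hosts
        self.inside = {}    # inside local  -> inside global
        self.outside = {}   # outside global -> outside local

    def intercept_dns_reply(self, answer):
        """Steps 2 and 3: when the address in the DNS reply overlaps the inside
        network, map it to an outside local address and hand that to the host."""
        if ipaddress.ip_address(answer) not in self.inside_net:
            return answer                      # no overlap: reply passes as-is
        if answer not in self.outside:
            self.outside[answer] = next(self._ol)
        return self.outside[answer]

    def outbound(self, pkt):
        """Inside -> outside (step 4, and the second half of step 6): inside local
        source -> inside global, outside local destination -> outside global."""
        if pkt.src not in self.inside:
            self.inside[pkt.src] = next(self._ig)
        og = next((g for g, l in self.outside.items() if l == pkt.dst), pkt.dst)
        return Packet(self.inside[pkt.src], og)

    def inbound(self, pkt):
        """Outside -> inside (first half of step 6): inside global destination
        -> inside local, outside global source -> outside local."""
        il = next((l for l, g in self.inside.items() if g == pkt.dst), pkt.dst)
        return Packet(self.outside.get(pkt.src, pkt.src), il)


def walkthrough():
    """Constructed scenario: inside host 200.1.1.25 resolves a name whose real
    address, 200.1.1.77, collides with the inside network."""
    nat = OverlapNat("200.1.1.0/24", ["198.51.100.1"], ["10.0.1.1"])
    told = nat.intercept_dns_reply("200.1.1.77")        # steps 1-3: host is told 10.0.1.1
    out = nat.outbound(Packet("200.1.1.25", told))      # step 4: 198.51.100.1 -> 200.1.1.77
    back = nat.inbound(Packet(out.dst, out.src))        # steps 5-6: reply, rewritten back
    return told, out, back


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```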
Using TCP Load Distribution
TCP load distribution is a dynamic form of destination IP address translation: traffic from
the outside network that is addressed to one valid inside address can be spread across
more than one inside node. After a mapping scheme is created, destination IP addresses
matching an access list are replaced with an address from a rotary pool on a round-robin basis.
Each new connection established from the outside network to the inside network is distributed
this way; all non-TCP traffic will be passed without being translated, unless another translation
type is applied to the interfaces. Figure 31.4 illustrates TCP load distribution, which is explained
in further detail next.
Let’s look at the process NAT uses to map one virtual host to several real hosts:
1. In Figure 31.4, the PC using global IP address 206.2.2.25 opens a TCP connection to a virtual
host at 200.1.1.25.
2. The NAT border router receives this new connection request and creates a new translation,
which allocates the next real host of 10.1.2.25 for the inside local IP address and adds this
information to the NAT table.
3. The NAT border router replaces the destination IP address with the selected real host IP
address and then forwards the packet.
4. The real host at IP address 10.1.2.25 receives the packet and responds.
5. The NAT border router receives the packet and performs another NAT table lookup by
using the inside local IP address and port number and the outside IP address and port number
as the key. The NAT border router then translates the source address to the virtual
host’s address and forwards the packet.
6. The next connection request to that inside global IP address causes the NAT border router
to allocate 10.1.2.26 for the inside local address.
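The rotary allocation and the reply-path lookup from the steps above, as an added Python model that is not from the original text. The addresses and ports are those of Figure 31.4; a second real host (10.1.2.26) and a UDP packet are added to show the rotation and the non-TCP pass-through.

```python
from itertools import cycle


class RotaryNat:
    """Destination NAT with a rotary pool: one virtual (inside global) address
    spread over several real (inside local) hosts, one new TCP connection at a time."""

    def __init__(self, virtual_host, real_hosts):
        self.virtual = virtual_host
        self._ring = cycle(real_hosts)          # round-robin allocator
        # (outside ip, outside port, inside global port) -> real host chosen
        self.table = {}

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside. Only TCP traffic to the virtual host is distributed;
        non-TCP traffic passes through untranslated, as the text describes."""
        if proto != "tcp" or dst != self.virtual:
            return (src, sport, dst, dport)
        key = (src, sport, dport)
        if key not in self.table:                # step 2: a new connection request
            self.table[key] = next(self._ring)   # allocate the next real host
        return (src, sport, self.table[key], dport)   # step 3: rewrite the destination

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside (step 5): look the conversation up by the inside local
        address and port plus the outside address and port, then restore the
        virtual host's address as the source."""
        key = (dst, dport, sport)
        if proto == "tcp" and self.table.get(key) == src:
            return (self.virtual, sport, dst, dport)
        return (src, sport, dst, dport)


def figure_31_4_walkthrough():
    """The connection of Figure 31.4, a second one to show the rotation, and a UDP packet."""
    nat = RotaryNat("200.1.1.25", ["10.1.2.25", "10.1.2.26"])
    first = nat.inbound("tcp", "206.2.2.25", 3058, "200.1.1.25", 80)    # -> 10.1.2.25
    reply = nat.outbound("tcp", "10.1.2.25", 80, "206.2.2.25", 3058)    # src -> 200.1.1.25
    second = nat.inbound("tcp", "206.2.2.25", 3059, "200.1.1.25", 80)   # -> 10.1.2.26
    udp = nat.inbound("udp", "206.2.2.25", 5000, "200.1.1.25", 53)      # untouched
    return first, reply, second, udp


if __name__ == "__main__":
    for pkt in figure_31_4_walkthrough():
        print(pkt)
```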
FIGURE 31.4 TCP load distribution steps. The PC at 206.2.2.25 reaches the virtual host 200.1.1.25 (network 200.1.1.0) across the Internet through the NAT border router, which forwards to the real host 10.1.2.25; steps 1 through 4 are marked on the figure. NAT table shown: inside IP 10.1.2.25:80, inside global IP 200.1.1.25:80, outside global IP 206.2.2.25:3058.
Overloading Inside Global Addresses
You can conserve addresses in the inside global address pool by enabling the router to use one
global address for many local addresses. When NAT overloading is enabled, the router maintains
higher level (layer 4) protocol information in the NAT table for TCP and UDP port numbers
to translate the global address back to the correct inside local address. When multiple local
addresses map to one global address, NAT uses the TCP or UDP port number of each inside
host to make unique, distinguishable outside network addresses.
Figure 31.3 shows the NAT operation when one inside global address represents multiple
inside local addresses. The TCP port number is the portion of the global IP network address that
differentiates between the two inside local addresses on the network.
When the router translates multiple nonroutable inside IP addresses to one globally routable
IP address, it performs the following steps to overload inside global addresses:
1. The host at the inside IP address of 10.1.2.25 opens a connection to a host at IP address
205.1.1.25 on an outside network.
FIGURE 31.3 NAT overloading inside global addresses. Hosts 10.1.2.25 and 10.1.2.26 send Internet data to 205.1.1.25 and 130.77.116.4 through the NAT border router, which sources both conversations from 200.1.2.26 (ports 1723 and 1024); the replies are shown returning to those ports. NAT table shown in the figure:
Inside local IP address & port    Inside global IP address & port    Outside global IP address & port
10.1.2.25:1723                    200.1.2.26:1723                    205.1.1.25:80
10.1.2.26:1723                    200.1.2.26:1024                    130.77.116.4:80
2. The first packet that the NAT border router receives from the host at 10.1.2.25 causes the
router to check its NAT table. Because no translation entry exists, the router determines
that address 10.1.2.25 must be translated and configures a translation to the inside global
address of 200.1.2.25. If overloading is enabled and another translation is active, the router
reuses the global IP address from that translation and saves enough information to translate
returning packets back. This type of entry is called an extended entry.
3. The router replaces the inside local source address of 10.1.2.25 with the selected globally
routable address and a unique port number and forwards the packet. In this example, the
source address is now shown as 200.1.2.26:1723 in the NAT table.
4. The host at 205.1.1.25 receives the packet and responds to the host at 10.1.2.25 by using
the inside global IP address and port in the source address field of the packet received
(200.1.2.26:1723).
5. The NAT border router receives the packet from 205.1.1.25. It then performs a NAT
table lookup, using the inside global address and port, with the outside address and outside
port number. The router then translates the address back to the destination address
of 10.1.2.25. The NAT border router then forwards the packet to the host using the IP
address of 10.1.2.25 on the inside network.
Steps 2 through 5 are continued for all subsequent communications until the connection
is closed.
Both the host at IP address 205.1.1.25 and the host at IP address 130.77.116.4 think they are
talking to a single host at IP address 200.1.2.26. They are actually talking to different hosts,
with the port number being the difference that the NAT border router uses to forward the packets
to the correct host on the local inside network. In fact, with the port addressing scheme, you
could allow approximately 4,000 hosts to share the same inside global IP address by using
the many available TCP and UDP port numbers.
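An added Python model (not the book's code and not Cisco's implementation) that ties together the dynamic NAT configuration from earlier in the chapter and the overload steps above: the wildcard-mask match of access-list 2, simple entries drawn from the InternetIPPool range with the pool-exhaustion case the configuration section warns about, and extended entries that reproduce the two rows of Figure 31.3. The model's port policy is chosen to match the figure (a host keeps its own source port when it is still free on the shared address, otherwise a port from 1024 up is handed out); the hosts and server in pool_exhaustion are constructed.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Standard-ACL test as in 'access-list 2 permit 10.1.0.0 0.0.255.255':
    address bits where the wildcard bit is 0 must equal the network's bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class DynamicNat:
    """Inside-source dynamic NAT, optionally overloading one global address."""

    def __init__(self, acl, pool, overload=False):
        self.acl = acl                  # (network, wildcard) pair
        self.free = list(pool)          # unused inside global addresses
        self.overload = overload
        self.simple = {}                # inside local -> inside global
        self.fwd = {}                   # (il, ilport, og, ogport) -> (ig, igport)
        self.rev = {}                   # (ig, igport, og, ogport) -> (il, ilport)
        self.ports_in_use = {}          # ig -> set of ports handed out

    def _allocate_port(self, ig, wanted):
        """Keep the host's own source port when it is free on the global
        address; otherwise hand out the lowest free port from 1024 (model policy)."""
        used = self.ports_in_use.setdefault(ig, set())
        port = wanted
        if port in used:
            port = 1024
            while port in used:
                port += 1
        used.add(port)
        return port

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside. Returns the rewritten 4-tuple, the original tuple
        when the ACL does not match, or None when the pool is exhausted."""
        if not wildcard_match(src, *self.acl):
            return (src, sport, dst, dport)
        if not self.overload:
            if src not in self.simple:          # step 2: no entry yet
                if not self.free:
                    return None                 # 255th host, 254 addresses: dropped
                self.simple[src] = self.free.pop(0)
            return (self.simple[src], sport, dst, dport)
        key = (src, sport, dst, dport)
        if key not in self.fwd:                 # step 2: create an extended entry
            ig = self.free[0]                   # all hosts share the first pool address
            igport = self._allocate_port(ig, sport)
            self.fwd[key] = (ig, igport)
            self.rev[(ig, igport, dst, dport)] = (src, sport)
        ig, igport = self.fwd[key]
        return (ig, igport, dst, dport)         # step 3: unique global address:port

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside reply (step 5). With overload the lookup key is the
        inside global address and port together with the outside address and port."""
        if self.overload:
            hit = self.rev.get((dst, dport, src, sport))
            return (src, sport, *hit) if hit else None
        for il, ig in self.simple.items():
            if ig == dst:
                return (src, sport, il, dport)
        return None


def figure_31_3_walkthrough():
    """The two conversations of Figure 31.3 sharing 200.1.2.26, and one reply."""
    nat = DynamicNat(("10.1.0.0", "0.0.255.255"), ["200.1.2.26"], overload=True)
    first = nat.outbound("10.1.2.25", 1723, "205.1.1.25", 80)      # -> 200.1.2.26:1723
    second = nat.outbound("10.1.2.26", 1723, "130.77.116.4", 80)   # port taken -> :1024
    reply = nat.inbound("205.1.1.25", 80, "200.1.2.26", 1723)      # -> 10.1.2.25:1723
    return first, second, reply


def pool_exhaustion():
    """254 addresses (200.1.1.1-200.1.1.254), no overload, 255 inside hosts:
    the last host gets no translation. Host and server addresses are constructed."""
    pool = [str(ipaddress.IPv4Address("200.1.1.1") + i) for i in range(254)]
    nat = DynamicNat(("10.1.0.0", "0.0.255.255"), pool)
    for h in range(1, 255):
        nat.outbound(f"10.1.2.{h}", 40000, "198.51.100.7", 443)
    return nat.outbound("10.1.3.1", 40000, "198.51.100.7", 443)   # None


if __name__ == "__main__":
    print(figure_31_3_walkthrough())
    print(pool_exhaustion())
```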