NAT (Network Address Translation) is a mechanism for IP address translation used to:
- Hide private addresses when accessing the internet (static or dynamic NAT, PAT).
- Conserve public IP addresses using one external address for multiple internal devices (PAT).
- Map external and internal services through static address translation.
Types of NAT:
- Static NAT — 1:1 mapping of internal and external IP addresses.
- Dynamic NAT — dynamic mapping from internal addresses to a pool of external addresses.
- PAT (Port Address Translation) — all devices use one external address with different ports.
#NAT
#IPv4 private address ranges:
# 10.0.0.0/8 10.0.0.0 - 10.255.255.255 #Class A
# 172.16.0.0/12 172.16.0.0 - 172.31.255.255 #Class B
# 192.168.0.0/16 192.168.0.0 - 192.168.255.255 #Class C
#STATIC NAT (One to One)
#
#Inside local addresses are mapped to inside global public IP addresses
# 192.168.1.1 <-NAT One-to-One->100.0.0.1
interface g0/1
ip nat inside
exit
interface g0/0
ip nat outside
exit
ip nat inside source static 192.168.1.1 100.0.0.1
ip nat inside source static 192.168.1.2 100.0.0.2
exit
show ip nat translations
clear ip nat translations *
show ip nat statistics
#DYNAMIC NAT (uses an ACL)
#An ACL is used to identify which traffic should be translated
# If the source IP address is permitted by the ACL, the source IP address will be translated
# If the source IP address is denied by the ACL, the source IP address won't be translated. The traffic is not dropped.
#A NAT pool is used to define the available global IP addresses
#Example ACL 1
# permit 192.168.0.0/24
# deny any
#POOL1: 100.0.0.1 to 100.0.0.10
#If a packet's source IP address is permitted by ACL 1, translate the source IP address to an IP address from POOL1
#If POOL1 has no free IP addresses, new requests are dropped until a global IP address is released (by timeout).
interface <clients interface>
ip nat inside
exit
interface <outside interface>
ip nat outside
exit
access-list 1 permit <local IP network wildcard mask>
ip nat pool POOL1 <Public IP start> <Public IP end> #add netmask <mask> or prefix-length <n>, e.g. prefix-length 24
ip nat inside source list 1 pool POOL1
show ip nat translations
show ip nat statistics
#PAT or NAT Overload
# Situation 1: we have several public IP addresses
# Situation 2: we have only one public IP address
# For situation 1
interface g0/1
ip nat inside
exit
interface g0/0
ip nat outside
exit
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat pool POOL1 100.0.0.1 100.0.0.255 #or use mask prefix-length 24
ip nat inside source list 1 pool POOL1 overload
# For situation 2 (POOL1 is defined below but not referenced; the overload uses the g0/0 interface address)
interface g0/1
ip nat inside
exit
interface g0/0
ip nat outside
exit
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat pool POOL1 100.0.0.1 100.0.0.255 #or use mask prefix-length 24
ip nat inside source list 1 interface g0/0 overload
#PORT FORWARDING (just add; the static entry makes TCP/80 on 192.168.1.100 reachable from the outside)
interface g0/1
ip nat inside
ip nat inside source static tcp 192.168.1.100 80 <WAN IP Address> 80
ip nat inside source static tcp 192.168.1.100 80 interface <WAN Interface> 80 #alternative to the line above, using the outside interface's address