NAT technology. What is NAT in a router? Selecting a ZyXEL router redirect object

NAT is performed by the device at the network boundary: an Internet router, access server or firewall. The most common form is Source NAT (SNAT), in which the source address is replaced as the packet passes in one direction and, in the reply packet, the destination address is translated back. Along with the source and destination addresses, the source and destination port numbers can also be substituted.

In addition to SNAT, which lets users of the local network with internal addresses reach the Internet, Destination NAT is often used as well: connections from outside are forwarded by the firewall to a server on the local network that has an internal address and is therefore not directly reachable from the external network (without NAT).

The figures below show an example of the operation of the NAT mechanism.


Fig. 7.1.

A user on the corporate network sends a request to the Internet; it arrives at the internal interface of the router, access server or firewall (the NAT device).

The NAT device receives the packet and makes an entry in the connection tracking table that manages address translation.

It then replaces the source address of the packet with its own external public IP address and sends the packet to its destination on the Internet.

The destination host receives the packet and sends a response back to the NAT device.

The NAT device, in turn, receives this packet, looks up the sender of the original packet in the connection tracking table, replaces the destination IP address with the corresponding private IP address and forwards the packet to the source computer. Since the NAT device sends packets on behalf of all internal computers, it may also change the original source port, and this information is stored in the connection tracking table.

There are 3 basic concepts of address translation:

  • static (SAT, Static Network Address Translation),
  • dynamic (DAT, Dynamic Address Translation),
  • masquerade (NAPT, NAT Overload, PAT).

Static NAT maps local IP addresses to specific public addresses on a one-to-one basis. Used when the local host must be accessible from the outside using fixed addresses.

Dynamic NAT maps a set of private addresses to a set of public IP addresses. If the number of local hosts does not exceed the number of available public addresses, each local address will be guaranteed to match a public address. Otherwise, the number of hosts that can simultaneously access external networks will be limited by the number of public addresses.

Masquerade NAT (NAPT, NAT Overload, PAT, masquerading) is a form of dynamic NAT that maps multiple private addresses to a single public IP address using different ports. Also known as PAT (Port Address Translation).

There may be several mechanisms of interaction between the internal local network and the external public network; which one is used depends on the specific task of providing access to the external network and back, and is prescribed by certain rules. Four types of network address translation are defined:

  • Full Cone
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

In the first three types of NAT, the same external port is used when one local address:port communicates with different IP addresses on the external network. The fourth type, symmetric, uses a separate external port for each destination address and port.

With Full Cone NAT, the external port of the device (router, access server, firewall) is open to requests from any address. If a user on the Internet needs to send a packet to a client located behind the NAT, they only need to know the external port of the device through which the connection is established. For example, a computer behind the NAT with IP address 192.168.0.4 sends and receives packets on port 8000, which is mapped to the external IP address and port 10.1.1.1:12345. Packets from the external network arrive at the device at 10.1.1.1:12345 and are then sent to the client computer 192.168.0.4:8000.

In incoming packets, only the transport protocol is checked; destination address and port, source address and port do not matter.

With Restricted Cone NAT, the external port of the device (router, access server, firewall) is open for any packet sent from the client computer, in our example 192.168.0.4:8000. A packet arriving from the external network (for example, from computer 172.16.0.5:4000) at the device's address:port 10.1.1.1:12345 is forwarded to 192.168.0.4:8000 only if 192.168.0.4:8000 previously sent a request to the IP address of that external host (in our case, 172.16.0.5:4000). That is, the router forwards only incoming packets with a specific source address (in our case, computer 172.16.0.5), while the source port number can be anything. Otherwise, NAT blocks packets from hosts to which 192.168.0.4:8000 has not sent a request.

The Port Restricted Cone NAT mechanism is almost identical to Restricted Cone NAT. In this case, however, NAT blocks all packets from hosts (IP address and port) to which the client computer 192.168.0.4:8000 did not send a request. The router pays attention to matching the source port number and does not pay attention to the source address. In our example, the router will forward incoming packets with any source address, but the source port must be 4000. If the client sent requests to several IP addresses and ports on the external network, all of them will be able to send packets to the client at 10.1.1.1:12345.

Symmetric NAT differs significantly from the first three mechanisms in the way it maps an internal IP address:port to an external address:port. The mapping depends on the IP address:port of the computer to which the request is sent. For example, if the client computer 192.168.0.4:8000 sends a request to computer #1 (172.16.0.5:4000), it might be mapped to 10.1.1.1:12345, while if it sends from the same port (192.168.0.4:8000) to a different IP address, it is mapped differently (10.1.1.1:12346).
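The four filtering behaviours above, simulated for the article's addresses, as an added example that is not code from the original article. It follows the RFC 3489 definitions, so note one caveat against the text above: for Port Restricted Cone the standard requires both the source IP address and the source port of an incoming packet to match an earlier outbound destination; the second peer 203.0.113.9 is a constructed value.

```python
"""Simulation of the four NAT filtering behaviours: Full Cone, Restricted Cone,
Port Restricted Cone and Symmetric. Added example, not code from the article.
Addresses are the article's: client 192.168.0.4:8000, external side 10.1.1.1
starting at port 12345, peer 172.16.0.5:4000; 203.0.113.9 is constructed."""
from enum import Enum


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    def __init__(self, nat_type, external_ip="10.1.1.1", first_port=12345):
        self.nat_type = nat_type
        self.external_ip = external_ip
        self.next_port = first_port
        # mapping key -> external port. The key is the internal endpoint for
        # the three cone types and (internal endpoint, destination) for
        # symmetric NAT, which is why symmetric NAT uses a port per peer.
        self.mappings = {}
        # external port -> (internal endpoint, set of destinations contacted)
        self.table = {}

    def _key(self, internal, dst):
        if self.nat_type is NatType.SYMMETRIC:
            return (internal, dst)
        return internal

    def outbound(self, internal, dst):
        """Translate an outgoing packet; returns the external source endpoint."""
        key = self._key(internal, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.table[self.next_port] = (internal, set())
            self.next_port += 1
        port = self.mappings[key]
        self.table[port][1].add(dst)
        return (self.external_ip, port)

    def inbound(self, ext_src, ext_dst):
        """Filter an incoming packet: return the internal endpoint it is
        delivered to, or None if the NAT drops it."""
        if ext_dst[0] != self.external_ip or ext_dst[1] not in self.table:
            return None  # no mapping at all for this external port
        internal, contacted = self.table[ext_dst[1]]
        if self.nat_type is NatType.FULL_CONE:
            return internal  # any source may use an open mapping
        if self.nat_type is NatType.RESTRICTED_CONE:
            # the source IP must have been contacted before; any source port
            return internal if any(ip == ext_src[0] for ip, _ in contacted) else None
        # Port Restricted Cone (RFC 3489: source IP *and* port must match an
        # earlier destination) and Symmetric (mapping is per peer anyway)
        return internal if ext_src in contacted else None


def demo():
    """Run the article's scenario against each NAT type; returns the outcomes."""
    client = ("192.168.0.4", 8000)
    peer1 = ("172.16.0.5", 4000)
    results = {}
    for nat_type in NatType:
        nat = Nat(nat_type)
        ext = nat.outbound(client, peer1)
        results[nat_type.value] = {
            "mapped_to": ext,
            "from_peer1": nat.inbound(peer1, ext),
            "from_peer1_other_port": nat.inbound(("172.16.0.5", 5000), ext),
            "from_stranger": nat.inbound(("203.0.113.9", 4000), ext),
            # does a second destination reuse the external port or get a new one?
            "second_dst_port": nat.outbound(client, ("203.0.113.9", 4000))[1],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```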

  • NAT makes it possible to prevent or restrict external access to internal hosts while leaving access from the internal network to the external one. When a connection is initiated from inside the network, a translation is created. Reply packets arriving from outside match the created translation and are therefore passed. Packets arriving from the external network for which no translation exists (one may be created when a connection is initiated, or statically) are dropped.
  • NAT makes it possible to hide certain internal services of internal hosts/servers. In essence, the same translation as above is performed for a specific port, but the internal port of an officially registered service can be changed (for example, TCP port 80 (HTTP server) to external port 54055). Thus, from the outside, on the external IP address, knowledgeable visitors reach the site (or forum) at http://dlink.ru:54055, while on the internal server behind NAT it runs on the normal port 80.
  • However, the disadvantages of this technology should also be mentioned:

    1. Not all protocols can "traverse" NAT. Some fail to work if there is address translation on the path between the communicating hosts. Some firewalls and IP address translators remedy this deficiency by replacing IP addresses not only in IP headers but also at higher layers (for example, in FTP protocol commands).
    2. Because of the many-to-one address translation, there are additional difficulties with identifying users and a need to store full translation logs.
    3. Apparent DoS attack by the host performing NAT: if NAT is used to connect many users to the same service, this can give the impression of a DoS attack on the service (many successes and failures). For example, an excessive number of ICQ users behind one NAT leads to connection problems for some users because the allowed connection rate is exceeded.

    2^32, or 4,294,967,296, IPv4 addresses: is that too many? It seemed so. However, with the proliferation of personal computing and mobile devices and the rapid growth of the Internet, it soon became clear that 4.3 billion IPv4 addresses would not be enough. The long-term solution was IPv6, but a faster solution to the address shortage was needed. That solution was NAT (Network Address Translation).

    What is NAT

    Networks are usually designed using private IP addresses. These are the addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These private addresses are used within an organization or site to allow devices to communicate locally, and they are not routable on the Internet. To allow a device with a private IPv4 address to access devices and resources outside the local network, the private address must first be translated to a public address.

    This is exactly what NAT does: it translates private addresses into public ones. This allows a device with a private IPv4 address to access resources outside its private network. NAT combined with private IPv4 addresses proved to be a useful method of conserving public IPv4 addresses. One public IPv4 address can be used by hundreds, even thousands, of devices, each with a private IPv4 address. NAT has the added benefit of adding a degree of privacy and security to a network, because it hides internal IPv4 addresses from external networks.

    NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are called a NAT pool. When a device on the internal network sends traffic from the network to the outside, the NAT-enabled router translates the device's internal IPv4 address to the public address in the NAT pool. To external devices, all traffic entering and exiting the network appears to have a public IPv4 address.

    A NAT router usually operates at the edge of a stub network. A stub network is a network with a single connection to a neighboring network: one entry into and one exit from the network.

    When a device inside the stub network wants to communicate with a device outside its network, the packet is forwarded to the edge router, which performs the NAT process, translating the device's internal private address to a public, external, routable address.

    NAT terminology

    In NAT terminology, an internal network is a set of networks to be translated. The external network refers to all other networks.

    When using NAT, IPv4 addresses have different designations based on whether they are on a private network or on a public network (on the Internet), and whether the traffic is incoming or outgoing.

    NAT includes four types of addresses:

    • Inside local address;
    • Inside global address;
    • Outside local address;
    • Outside global address;

    When determining which type of address is being used, it is important to remember that NAT terminology is always applied from the point of view of the device with the translated address:

    • Inside address - the address of the device that is translated by NAT;
    • Outside address - the address of the destination device;
    • Local address - any address that appears in the internal part of the network;
    • Global address - any address that appears in the external part of the network.

    Let's look at this with a diagram example.


    In the figure, the PC has an inside local address 192.168.1.5 and, from its point of view, the web server has an outside address 208.141.17.4. When packets are sent from the PC to the global address of the web server, the inside local address of the PC is translated to 208.141.16.5 (inside global). The address of the external device is usually not translated, because it is a public IPv4 address.

    It is worth noting that the PC has different local and global addresses, while the web server has the same public IP address in both. From the web server's point of view, the traffic leaving the PC comes from the inside global address 208.141.16.5. The NAT router is the demarcation point between the internal and external networks and between local and global addresses.

    The terms inside and outside are combined with the terms local and global to refer to specific addresses. In the figure, the router is configured to provide NAT and has a pool of public addresses to assign to internal hosts.

    The figure shows how traffic from an internal PC to an external web server passes through a NAT-enabled router, is translated on the way out and translated back on the way in.


    Inside local address is the source address as seen from the internal network. In the figure, the address 192.168.1.5 is assigned to the PC; this is its inside local address.

    Inside global address is the source address as seen from the external network. In the figure, when traffic from the PC is sent to the web server at 208.141.17.4, the router translates the inside local address to an inside global address. In this case, the router changes the IPv4 source address from 192.168.1.5 to 208.141.16.5.

    Outside global address is the destination address as seen from the external network. This is a globally routable IPv4 address assigned to a host on the Internet. In the diagram, the web server is reachable at 208.141.17.4. Most often, the outside local and outside global addresses are the same.

    Outside local address is the destination address as seen from the internal network. In this example, the PC sends traffic to the web server at 208.141.17.4.

    Consider the entire path of the packet. The PC with address 192.168.1.5 is trying to communicate with the web server 208.141.17.4. When the packet arrives at the NAT-enabled router, the router reads the packet's source IPv4 address to determine whether the packet matches the criteria specified for translation. In this example, the source address matches the criteria and is translated from 192.168.1.5 (inside local address) to 208.141.16.5 (inside global address). The router adds this local-to-global address mapping to the NAT table and sends the packet with the translated source address to the destination. The web server responds with a packet addressed to the PC's inside global address (208.141.16.5). The router receives the packet with destination address 208.141.16.5 and checks the NAT table for an entry for this mapping. It uses this information to translate the inside global address (208.141.16.5) back to the inside local address (192.168.1.5), and the packet is forwarded to the PC.

    Types of NATs

    There are three types of NAT translation:

    • Static address translation (Static NAT) - one-to-one address mapping between local and global addresses;
    • Dynamic address translation (Dynamic NAT) - many-to-many address mapping between local and global addresses;
    • Port Address Translation (PAT) - many-to-one address mapping between local and global addresses using ports. This method is also known as NAT Overload.

    Static NAT uses a one-to-one mapping between local and global addresses. These mappings are configured by the network administrator and remain constant. When devices send traffic to the Internet, their internal local addresses are translated to the configured internal global addresses. For external networks, these devices have public IPv4 addresses. Static NAT is especially useful for web servers or devices that need to have a consistent address accessible from the Internet, such as a company's web server. Static NAT requires enough public addresses to satisfy the total number of concurrent user sessions.

    The static NAT table looks like this:


    Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an internal device requests access to an external network, dynamic NAT assigns an available public IPv4 address from the pool. Like static NAT, dynamic NAT requires enough public addresses to satisfy the total number of concurrent user sessions.

    Dynamic NAT table looks like this:


    Port Address Translation (PAT)

    PAT translates multiple private addresses to one or more public addresses. This is what most home routers do. The ISP assigns one address to the router, but multiple family members can access the Internet at the same time. This is the most common form of NAT.

    With PAT, multiple addresses can be mapped to one or more addresses, because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value to uniquely identify the session. When the NAT router receives a packet from a client, it uses the source port number to uniquely identify the specific NAT translation. PAT ensures that devices use a different TCP port number for each session. When a response comes back from the server, the source port number, which becomes the destination port number on the return path, determines the device to which the router forwards the packets.

    The figure illustrates the PAT process. PAT appends unique source port numbers to the inside global address to distinguish between translations.


    As the router processes each packet, it uses the port number (1331 and 1555, in this example) to identify the device from which the packet was sent.

    The source address is the inside local address with the port number assigned by TCP/IP appended. The destination address is the outside local address with the service port number appended; in this example, service port 80 (HTTP).

    For the source address, the router translates the inside local address to the inside global address with the port number appended. The destination address does not change, but is now referred to as the outside global IP address. When the web server responds, the path is reversed.

    In this example, the client port numbers 1331 and 1555 were not changed on the NAT router. This is not a very likely scenario, because there is a good chance these port numbers are already attached to other active sessions. PAT tries to preserve the original source port. However, if the original source port is already in use, PAT assigns the first available port number, starting at the beginning of the corresponding port group: 0-511, 512-1023 or 1024-65535. When there are no more ports available and there is more than one external address in the address pool, PAT moves to the next address and tries to allocate the original source port. This process continues until there are no more available ports or external IP addresses.

    That is, another host may choose the same source port number, 1444. This is acceptable for the internal address, because the hosts have unique private IP addresses. On the NAT router, however, the port numbers must be changed; otherwise packets from two different hosts would leave it with the same source address and port. So PAT assigns the next available port (1445) to the second host.

    Let's summarize the comparison of NAT and PAT. As the tables show, NAT translates IPv4 addresses on a 1:1 basis between private and public IPv4 addresses, whereas PAT changes both the address and the port number. NAT forwards incoming packets to their inside destination based on the source IPv4 address supplied by the host on the public network; with PAT there is usually only one, or very few, publicly exposed IPv4 addresses, and incoming packets are forwarded based on the router's NAT table.

    What about IPv4 packets carrying data other than TCP or UDP? These packets do not contain a layer 4 port number. PAT translates the most common protocols carried by IPv4 that do not use TCP or UDP as the transport layer protocol; the most common of these is ICMPv4. Each of these protocol types is handled differently by PAT. For example, ICMPv4 query messages, echo requests and echo replies include a Query ID. ICMPv4 uses the Query ID to match an echo request with the corresponding reply. The Query ID is incremented with each echo request sent. PAT uses the Query ID instead of a layer 4 port number.
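The PAT behaviour described in the last few paragraphs (source port kept when free, otherwise the first free port of the same port group, reverse translation of replies from the NAT table) together with the ICMP Query ID handling just described, as an added example that is not code from the original article. The inside global address 208.141.16.5, the web server 208.141.17.4 and the client ports 1331/1555 are the article's; the inside hosts 192.168.1.6 and 192.168.1.7, the Query ID 7 and the stray sender 198.51.100.1 are constructed values.

```python
"""PAT (NAT overload) simulation: a port collision on 1331 falls back to the
first free port of the 1024-65535 group, replies are translated back from the
NAT table, unknown inbound packets are dropped, and ICMP echo is tracked by
its Query ID. Added example, not the article's code; 192.168.1.6/7, Query ID 7
and 198.51.100.1 are constructed values."""
from dataclasses import dataclass

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src_ip: str
    src_id: int   # TCP/UDP source port; for ICMP echo, the Query ID
    dst_ip: str
    dst_id: int   # TCP/UDP destination port; for ICMP echo, the Query ID again


class Pat:
    def __init__(self, global_ips):
        self.global_ips = list(global_ips)
        # NAT table: (proto, global_ip, global_id) -> (inside_ip, inside_id)
        self.table = {}
        # reverse index: (proto, inside_ip, inside_id) -> (global_ip, global_id)
        self.reverse = {}

    def _allocate(self, proto, inside_id):
        lo, hi = next(g for g in PORT_GROUPS if g[0] <= inside_id <= g[1])
        for gip in self.global_ips:
            if (proto, gip, inside_id) not in self.table:
                return gip, inside_id  # original port / Query ID preserved
            for gid in range(lo, hi + 1):  # first free id in the same group
                if (proto, gip, gid) not in self.table:
                    return gip, gid
        raise RuntimeError("PAT: no free ports or global addresses left")

    def outbound(self, pkt):
        """Translate a packet leaving the inside network."""
        key = (pkt.proto, pkt.src_ip, pkt.src_id)
        if key not in self.reverse:
            gip, gid = self._allocate(pkt.proto, pkt.src_id)
            self.table[(pkt.proto, gip, gid)] = (pkt.src_ip, pkt.src_id)
            self.reverse[key] = (gip, gid)
        gip, gid = self.reverse[key]
        if pkt.proto == "icmp":
            # no ports: the single Query ID field is rewritten instead
            return Packet("icmp", gip, gid, pkt.dst_ip, gid)
        return Packet(pkt.proto, gip, gid, pkt.dst_ip, pkt.dst_id)

    def inbound(self, pkt):
        """Translate a reply arriving from outside; None means no table entry,
        so the packet is dropped (the 'firewall' side effect of NAT)."""
        entry = self.table.get((pkt.proto, pkt.dst_ip, pkt.dst_id))
        if entry is None:
            return None
        inside_ip, inside_id = entry
        if pkt.proto == "icmp":
            return Packet("icmp", pkt.src_ip, inside_id, inside_ip, inside_id)
        return Packet(pkt.proto, pkt.src_ip, pkt.src_id, inside_ip, inside_id)


def demo():
    """Walk the article's scenario through one inside global address."""
    pat = Pat(["208.141.16.5"])
    web = ("208.141.17.4", 80)
    a = pat.outbound(Packet("tcp", "192.168.1.5", 1331, *web))  # keeps 1331
    b = pat.outbound(Packet("tcp", "192.168.1.6", 1555, *web))  # keeps 1555
    c = pat.outbound(Packet("tcp", "192.168.1.7", 1331, *web))  # 1331 busy -> 1024
    reply = pat.inbound(Packet("tcp", *web, "208.141.16.5", c.src_id))
    ping = pat.outbound(Packet("icmp", "192.168.1.5", 7, "208.141.17.4", 7))
    ping2 = pat.outbound(Packet("icmp", "192.168.1.6", 7, "208.141.17.4", 7))  # ID 7 busy -> 0
    pong = pat.inbound(Packet("icmp", "208.141.17.4", ping.dst_id, "208.141.16.5", ping.dst_id))
    stray = pat.inbound(Packet("tcp", "198.51.100.1", 4444, "208.141.16.5", 2222))
    return {"a": a, "b": b, "c": c, "reply": reply, "ping": ping,
            "ping2": ping2, "pong": pong, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} {pkt}")
```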

    Advantages and disadvantages of NAT

    NAT provides many benefits, including:

    • NAT preserves the registered addressing scheme by allowing the privatization of intranets. With PAT, internal hosts can share a single public IPv4 address for all external communications. This type of configuration requires very few external addresses to support many internal hosts;
    • NAT increases the flexibility of connections to the public network. Multiple pools, backup pools and load-balancing pools can be implemented to provide reliable public network connections;
    • NAT provides consistency for internal network addressing schemes. On a network that does not use private IPv4 addresses and NAT, changing the general IPv4 addressing scheme requires readdressing all hosts on the existing network, and the cost of readdressing hosts can be significant. NAT allows the existing private IPv4 addressing scheme to remain while the public addressing scheme changes. This means that an organization can change providers without changing any of its internal clients;

    • NAT provides network security. Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used together with NAT to gain controlled external access. However, you need to understand that NAT does not replace a firewall.

    But NAT has some drawbacks. The fact that hosts on the Internet appear to be talking directly to a NAT-enabled device rather than to an actual host inside the private network creates a number of problems:

    • One disadvantage of NAT concerns network performance, especially for real-time protocols such as VoIP. NAT increases switching delays because translating each IPv4 address in the packet headers takes time;
    • Another disadvantage is that end-to-end addressing is lost. Many Internet protocols and applications depend on end-to-end addressing from source to destination. Some applications do not work with NAT. Applications that use physical addresses instead of a fully qualified domain name do not reach destinations that are translated across a NAT router. This can sometimes be avoided by implementing static NAT mappings;
    • End-to-end IPv4 traceability is also lost. It is more difficult to trace packets that undergo numerous address changes over multiple NAT hops, which makes troubleshooting harder;
    • NAT also complicates tunneling protocols such as IPsec, because NAT changes values in the headers that interfere with the integrity checks performed by IPsec and other tunneling protocols;
    • Services that require TCP connections to be initiated from the external network, or stateless protocols such as those using UDP, can be disrupted. If the NAT router is not configured to support such protocols, incoming packets cannot reach their destination.


    NAT (from the English Network Address Translation) is a function of TCP/IP networks by which the IP addresses of transit packets are converted. All routers have it, and it is also called port forwarding.

    The advantage of this technology is that it is not necessary to change the configuration of routers or end nodes of the internal network. It is not used where many internal nodes work with external networks.

    Types of NATs

    Static NAT

    Usually not used by individuals for their own needs, but used by companies that have many IP addresses and need some servers to keep constant addresses and be reachable from outside. To open any service (mail, website, etc.) you need to know two parameters: the IP address (DNS name) and the port. Usually the port is not entered (if it has not been changed), since programs supply it automatically, so the user does not even think about it. For other users of the global web to work with a specific computer, they need to know its IP (DNS name) and service port.

    If a person has static Network Address Translation and one computer on the network, then knowing the port is not necessary; knowing the IP is enough. To limit access, you need to install a firewall.

    To make it clearer, we can draw the following analogy: an IP address is someone's house, and a port is their apartment. To find a person, you need to know both.

    How it works. Let's say the provider issued 4 IPs for 3 servers. The router is assigned the first one, and the rest go to the servers. To reach them, it is enough to specify an external IP, for example the second one, and the router redirects to the first server. A person reaches the server and works on it, but does not know that its address is different. An entry about this is kept in the NAT table.

    There are some positives: the user's addresses are not visible, but the user himself is visible from the Internet. Cons: it will be easy for any other user to try to hack into his computer.

    Dynamic NAT

    Unlike static NAT, it has one exception: there is no way to see servers from the global web to work with them. The client receives several IPs, but here the router distributes them. When the client goes onto the Internet, the router itself selects one of the received addresses, issues it and enters it into the Network Address Translation table. But the record is not stored for long: when the user leaves the Internet, it is wiped from the table.

    The big disadvantage is that the number of simultaneous connections to the global web cannot exceed the number of IP addresses issued by the provider. Until an address frees up, new users will not be able to connect. Compared with the first type, however, there is a great advantage: other users will not be able to freely access the computer's hard disk, because the addresses are constantly changing. Also, the clients themselves do not need to distribute IP addresses; the router distributes them.

    Port Address Translation (PAT), NAT Overload and Masquerading

    This type is more relevant to an individual, since a single external address is given and the user only assigns a port to a particular server. Let's say someone needs access to a torrent client; this requires not only an internal but also an external port. The program uses the internal port only on the computer on which it is installed. Other machines connect to the external port located on the router. Very often, but not always, the two coincide.

    This method has an advantage: access is open for a particular program and everything else is closed. The disadvantage is that very often ports need to be configured manually.

    How to change NAT type

    Need . To do this, in the browser type 192.168.1.1 or 192.168.0.1 (or another combination, depending on the router). Enter the login and password. There, look at your IP and network settings.

    Then you need to contact your Internet provider, report the data you looked up in the router, and they will reconfigure everything.

    NAT terminology

    For NAT, it is important to distinguish between the internal and the external network. The internal network includes all networks that take part in translation, the external network all other networks.

    The system has 4 types of addresses:


    Inside refers to the address translated by the NAT mechanism, outside to the address of the device you want to reach. Local is understood as an address as it appears on internal networks, and global as it appears on external networks.

    How to check if a computer is behind NAT

    To do this, it is enough to determine the IP of the user's computer. If the address falls within one of the following ranges (used only for local networks):

    • 10.0.0.0 - 10.255.255.255;
    • 172.X.0.0 - 172.X.255.255 (X takes a value from 16 to 31);
    • 192.168.X.0 - 192.168.X.255 (X is most often 0 or 1, but can take values from 0 to 255).

    then this computer is on a local network and the user is behind NAT.

    NAT settings, how to make it open

    To configure NAT in the router, open the browser, type 192.168.1.1 or 192.168.0.1 (the router address), then enter the login and password (usually Admin/Admin). Then go to Configuration (settings), then Network and Routing (routes or routing). In the new window select Policy Routing (new rule). The routing conditions are set here. You can select by various properties, such as users, interfaces, source or destination IP address, destination port.

    We set the traffic conditions; there are several assignments: Auto redirects traffic to the global interface specified by default, Gateway to the address given in the settings, Trunk to multiple interfaces, Interface to the specified interface.

    On the server it is configured as follows: first open Server Manager, then in the new window click Add roles and features, then Next, select Remote Access, then add the components and continue. Then select the role services, check Routing and click Next. At the very end, click Close.

    After connecting the computer to the server, you need to configure NAT on it. In the Start menu open the administration window Routing and Remote Access. To activate it, click Enable Routing and Remote Access. Then click Next and select Network address translation (NAT). Then select the Internet interface and turn on the basic services. Continue clicking Next several times and finally Finish.

    The provider with whom the client has concluded an agreement for the supply of Internet services can help make NAT open, you just need to contact him with this question.

    NAT loopback and NAT Traversal technology

    The essence of NAT loopback is that if a packet from the internal network is sent to the router's IP address, it is treated as external and subjected to the firewall rules for external connections. After the packet successfully passes the firewall, Network Address Translation takes over, acting as an intermediary between two intranet machines. The result is the following:

    • outside the local network you can learn about the network service settings;
    • you can reach a server located on the local network by its domain name. Without the loopback (or hairpinning) function these actions would be impossible; you would have to configure the hosts file for each domain;
    • the main disadvantage is increased load on the router, which acts as a hub.

    NAT Traversal is the ability of network applications to determine that they are located behind a NAT device. In this case, Network Address Translation helps to determine the external IP address of the device and to map ports so that NAT forwards the packets used by the application from an external port to an internal one. All these processes are performed automatically. Without them the user would have to map port settings manually and make changes in various settings. But there are also disadvantages: you need to be careful with such applications, since they have the ability to control the device extensively, and therefore vulnerabilities can appear.

Network Address Translation (NAT) is a way of remapping one address space into another by modifying the address information in packet headers while the packets are in transit through a traffic-routing device. The method was originally used to redirect traffic on IP networks without renumbering every host. It has since become a popular and important tool for conserving and allocating global address space in the face of IPv4 address exhaustion.

    NAT - what is it?

The original use of network address translation was to map each address in one address space to a corresponding address in another. This is needed, for example, when an organization changes ISP but cannot announce a route to its old address space through the new provider. With the foreseeable exhaustion of the global IPv4 address space, NAT has been used since the late 1990s mostly in combination with IP masquerading, a method of hiding an entire private address range behind a single public IP address. The mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses to a single public IP address and rewrites outgoing packets on the way out, so that they appear to originate from the routing device itself. In the reverse direction, responses are mapped back to the original private IP address using the rules stored in the translation tables. Translation table entries are in turn discarded after a short period unless new traffic refreshes their state. This is the basic NAT mechanism. What does it mean in practice?

This method only allows communication through the router for connections initiated from the masqueraded network, because only those create translation-table entries. For example, a web browser inside such a network can view a site outside it, but a browser outside the network cannot open a resource hosted inside it. However, most NAT devices today allow translation-table entries to be configured permanently. This feature is often called static NAT or port forwarding, and it lets traffic originating on the "outside" network reach designated hosts on the masqueraded network.

Because of the popularity of this method for conserving IPv4 address space, the term NAT (what it actually is was described above) has become almost synonymous with IP masquerading.

Because network address translation changes the address information in IP packets, it has serious consequences for the quality of Internet connectivity and requires close attention to the details of its implementation.

    NAT implementations differ from each other in their specific behavior in various cases regarding the impact on network traffic.

    Basic NAT

The simplest type of Network Address Translation provides one-to-one translation of IP addresses; RFC 2663 calls this basic NAT. In this type only the IP addresses, the IP header checksum and any higher-level checksum that covers the IP address are changed. Basic NAT can be used to interconnect two IP networks that have incompatible addressing.

    NAT - what is it in a one-to-many connection?

Most flavors of NAT can map multiple private hosts to a single publicly designated IP address. In a typical configuration, the LAN uses one of the designated "private" IP address subnets (RFC 1918), and the router on that network has a private address in that space.

The router also connects to the Internet using a "public" address assigned by the ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private address to the public one. The router keeps track of basic information about each active connection (in particular the destination address and port). When a reply returns, it uses the connection data stored during the outbound phase to determine the private address on the internal network to which the reply should be forwarded.

    One advantage of this feature is that it serves as a practical solution to the impending IPv4 address space exhaustion. Even large networks can be connected to the Internet with a single IP address.

Every IP datagram carries two IP addresses, source and destination. Typically, packets travelling from the private network to the public network have their source address modified, while packets travelling back from the public network to the private network have their destination address modified. More complex configurations are also possible.

    Peculiarities

NAT setup has some peculiarities. Further modifications are needed to avoid ambiguity about how returning packets are translated. The vast majority of Internet traffic uses the TCP and UDP protocols, and their port numbers are changed so that the combination of IP address and port number identifies a unique inside host when the data comes back.

Protocols not based on TCP or UDP require other translation methods. Internet Control Message Protocol (ICMP) messages generally relate to an existing connection (they carry the header of the datagram they refer to), which means they must be mapped using the same IP address and port number as that connection.

    What should be taken into account?

Setting up NAT on a router does not give it end-to-end connectivity, so such routers cannot take part in some Internet protocols. Services that require TCP connections to be initiated from the external network, or that use stateless protocols such as those built on UDP, may be unavailable. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between the participating hosts ("passive mode" FTP, for example), sometimes with the help of an application-layer gateway, but the connection fails when both systems are separated from the Internet by NAT. NAT also complicates "tunnelling" protocols such as IPsec, because it changes values in headers that are covered by integrity checks: IPsec AH authenticates the IP header itself, so any rewrite invalidates it, and ESP only survives NAT with UDP encapsulation (NAT-T).

    Existing problem

End-to-end connectivity has been a core principle of the Internet since its inception, and NAT violates it. There is serious concern among experts about NAT spreading to IPv6, and the question of how to avoid it there is actively discussed.

Because translation-table entries in NAT routers are short-lived, an internal device that stops sending traffic loses its mapping, typically within a very short time, and has to send keepalive packets to remain reachable. When discussing what NAT in a router is, this circumstance must not be forgotten: it seriously reduces the running time of compact battery-powered devices.

    Scalability

In addition, NAT tracks only ports, which can be exhausted quickly by internal applications that open many simultaneous connections (for example, HTTP requests for web pages with a large number of embedded objects). The problem can be mitigated by tracking the destination IP address as well as the port, so that one local port can be shared with many remote hosts.

    Some difficulties

    Since all internal addresses are masqueraded as a single public address, it becomes impossible for external hosts to initiate a connection to a particular internal host without special configuration on the firewall (which must forward connections to a specific port). Applications such as IP telephony, video conferencing, and similar services must use NAT traversal methods to function properly.

Reverse Address and Port Translation (RAPT) allows a host whose real IP address changes from time to time to remain reachable as a server through a fixed IP address on the home network. Essentially, it lets a server keep accepting connections despite the address change. Although it is not a perfect solution, it can be another useful tool in the network administrator's arsenal when working out how to configure NAT on a router.

    Port Address Translation (PAT)

Cisco's implementation of RAPT is Port Address Translation (PAT), which maps multiple private IP addresses to a single public IP address. Multiple addresses can share one public address because each translation is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish the translations. Port numbers are 16-bit integers, so the number of internal addresses that can be translated to one external address can theoretically reach 65,536; in practice a single IP address can serve about 4,000. As a rule, PAT tries to preserve the original source port. If it is already in use, PAT assigns the first available port number from the beginning of the appropriate group: 0-511, 512-1023 or 1024-65535. When no more ports are available and more than one external IP address is configured, PAT moves to the next address and tries to allocate the source port there. The process continues until ports and addresses run out.

Mapping of Address and Port (MAP) is a Cisco proposal that combines port address translation with tunnelling of IPv4 packets over the provider's internal IPv6 network. It is essentially an alternative to Carrier-Grade NAT and DS-Lite that keeps the IPv4 address/port translation (and therefore the NAT state) on the customer's own NAT device. This avoids the problems of establishing and maintaining connection state in the provider's network and at the same time provides a transition mechanism for IPv6 deployment.

    Translation methods

There are several ways to implement network address and port translation. In some application protocols that carry IP address information, an application running behind NAT needs to determine the external NAT address (the one seen at the other end of the connection), and it is often also necessary to discover and classify the type of mapping in use. This is usually done because it is desirable to create a direct channel between two clients that are both behind separate NATs (either to avoid relaying the data through a server or to improve performance).

For this purpose, RFC 3489 was published in 2003, defining STUN, "Simple Traversal of UDP through NATs". It is now obsolete, because its classification method turned out not to describe the behaviour of many devices correctly. The replacement was standardized in October 2008 as RFC 5389; it keeps the STUN acronym, now expanded as "Session Traversal Utilities for NAT", and positions STUN as a set of utilities used by other NAT traversal methods rather than a complete solution.

    Creating a two-way link

    Each TCP and UDP packet contains the source IP address and its port number, as well as the coordinates of the destination port.

For public services such as a mail server, the port number is important: for example, port 80 connects to web server software, and port 25 to an SMTP mail server. The IP address of the public server is also significant, much like a postal address or a telephone number. Both parameters must be reliably known to every node that intends to establish a connection.

Private IP addresses are meaningful only in the local network where they are used, and the same is true of a host's ports. Ports are unique communication endpoints on a host, so NAT maintains connectivity by mapping the combination of port and IP address.

    PAT (Port Address Translation) resolves conflicts that can occur between two different hosts using the same source port number to establish unique connections at the same time.

So much for the principles of Network Address Translation; now it is time to look at configuring it on Cisco hardware.

    Configuring Static NAT (Static NAT)

Recall that static NAT is a one-to-one mapping between an inside address and an outside address. It allows external devices to initiate connections to internal ones using a statically assigned public address.

For example, an internal web server can be mapped to a specific inside global address so that it can be reached from external networks.

The diagram shows an internal network containing a web server with a private IPv4 address. The router is configured with static NAT to allow devices on the outside network to reach the web server. A client on the external network reaches the web server using its public IPv4 address, and static NAT translates that public IPv4 address to the private one.

    When configuring static NAT translations, there are two main tasks:

1. Create a mapping between the inside local address and the inside global address. In the diagram, the inside local address 192.168.1.5 and the inside global address 208.165.100.5 are configured as a static NAT translation.
2. Once the mapping is configured, the interfaces participating in the translation must be designated as inside and outside with respect to NAT. In the diagram, the router's Serial 0/0/0 interface is inside and Serial 0/1/0 is outside.

Packets arriving on the router's inside interface Serial 0/0/0 from the configured inside local IPv4 address (192.168.1.5) are translated and then forwarded to the outside network. Packets arriving on the outside interface Serial 0/1/0 destined for the configured inside global IPv4 address (208.165.100.5) are translated to the inside local address (192.168.1.5) and then forwarded into the internal network.

    The setup takes place in several steps:

1. Create the static translation between the inside local and inside global addresses with the command ip nat inside source static [local_IP global_IP]. To remove the translation, enter no ip nat inside source static [local_IP global_IP]. If the address should be translated not to a fixed address but to the address of an interface, use ip nat inside source static [local_IP] interface [interface_type interface_num].
2. Define the inside interface: enter interface configuration mode with interface [type number] and enter the command ip nat inside.
3. In the same way, define the outside interface with the command ip nat outside.

Router(config)# ip nat inside source static 192.168.1.5 208.165.100.5
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

As a result, the translation proceeds like this:

1. The client wants to open a connection to the web server. It sends a packet to the web server using the public destination IPv4 address 208.165.100.5, which is the web server's inside global address.
2. The first packet the router receives from the client on its outside NAT interface causes it to consult its NAT table. The destination IPv4 address is found in the table, so the packet is translated.
3. The router replaces the inside global destination address 208.165.100.5 with the inside local address 192.168.1.5 and forwards the packet to the web server.
4. The web server receives the packet and replies to the client using its inside local address 192.168.1.5 as the source.
5. The router receives the packet from the web server on its inside NAT interface with the source address set to the web server's inside local address, 192.168.1.5. It looks up the NAT table to translate the inside local address to the inside global address, changes the source address from 192.168.1.5 to 208.165.100.5 and sends the packet out of interface Serial 0/1/0 towards the client.
6. The client receives the packet and the exchange continues. The router performs the same steps for every packet.

    Checking Static NAT

A useful command for checking whether NAT is working is show ip nat translations, which displays the active NAT translations. Static translations, unlike dynamic ones, are always present in the NAT table.

Router# show ip nat translations
Pro  Inside global     Inside local     Outside local     Outside global
---  208.165.100.5     192.168.1.5      208.165.100.70    208.165.100.70

Another useful command is show ip nat statistics. It displays the total number of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses that have been allocated.

Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 2, occurred 00:00:21 ago
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  Serial0/0/0
Hits: 7  Misses: 0

To be sure that it is the new translation that is working, it is best to clear the statistics of any past translations with clear ip nat statistics before testing.

    Configuring Dynamic NAT (Dynamic NAT)

Whereas static NAT is a permanent mapping between an inside local address and an inside global address, dynamic NAT maps inside local addresses to inside global addresses (which are usually public IP addresses) automatically. Dynamic NAT uses a group, or pool, of public IPv4 addresses for the translation. Like static NAT, dynamic NAT requires the inside and outside interfaces involved in NAT to be configured.


Take this diagram as an example. Here we have an internal network with two subnets, 192.168.1.0/24 and 192.168.2.0/24, and a border router configured with dynamic NAT and a pool of public addresses 208.165.100.5 - 208.165.100.15.

The public address pool (inside global address pool) is available to any device on the internal network on a first-come, first-served basis. With dynamic NAT, one inside address is translated to one outside address, so the pool must contain enough addresses for all internal devices that need external access at the same time. If every address in the pool is in use, a device has to wait for one to be released before it can reach the external network (until then the router drops its packets and counts a miss).

The setup, step by step:

1. Define the pool of addresses to be used for translation with the command ip nat pool [name start_ip end_ip]. This pool is usually a group of public addresses, defined by the first and last IP address of the range. The keyword netmask or prefix-length specifies the mask.
2. Create a standard access-list (ACL) that selects only the addresses that will be translated: access-list [ACL_number] permit [source wildcard]. An ACL that permits too many addresses can lead to unpredictable results; remember that every ACL ends with an implicit deny all.
3. Bind the ACL to the pool with the command ip nat inside source list [ACL_number] pool [pool_name]. The router uses this statement to determine which devices (list) receive which addresses (pool).
4. Designate the inside interfaces with respect to NAT, that is, every interface connected to the internal network.
5. Designate the outside interfaces with respect to NAT, that is, every interface connected to the external network.

Router(config)# ip nat pool MerionNetworksPool 208.165.100.5 208.165.100.15 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 pool MerionNetworksPool
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

How it works in our diagram:

1. The computers with addresses 192.168.1.10 and 192.168.2.10 send packets towards the server at the public address 208.165.100.70.
2. The router receives the first packet from host 192.168.1.10. Because the packet arrived on an interface configured as an inside NAT interface, the router checks its NAT configuration to decide whether the packet should be translated. The ACL permits it, so the router consults its NAT table. There is no translation entry for this IP address yet, so the router determines that the source address 192.168.1.10 must be translated dynamically. It selects an available inside global address from the dynamic pool, 208.165.100.5, and creates a translation entry: the original source IPv4 address (192.168.1.10) is the inside local address and the translated address (208.165.100.5) is the inside global address. For the second host, 192.168.2.10, the router repeats the procedure, takes the next available address from the pool and creates a second entry, 208.165.100.6.
3. After replacing the inside local source address in each packet, the router forwards the packet.
4. The server receives the packet from the first PC and replies to the destination address 208.165.100.5. When it receives the packet from the second PC, it replies to 208.165.100.6.
5. When the router receives the reply with destination address 208.165.100.5, it looks up the NAT table, translates the destination address to the inside local address 192.168.1.10 and forwards the packet towards the PC. The same happens with the packet addressed to the second PC.
6. Both PCs receive the packets and the exchange continues. The same steps are performed for every subsequent packet.

Checking Dynamic NAT

The command show ip nat translations is used for checking here too; it displays all configured static translations and any dynamic translations that have been created by traffic. Adding the keyword verbose shows additional information about each translation, including how long ago the entry was created and last used. By default a dynamic entry expires after 24 hours of inactivity unless the timer has been changed with ip nat translation timeout [time_in_seconds] in global configuration mode.

To clear dynamic entries before the timeout expires, use clear ip nat translation. Clearing dynamic entries is useful when testing a NAT configuration. The command accepts keywords and arguments that control which entries are cleared, so specific entries can be removed without interrupting other active sessions. Only dynamic translations are removed from the table; static translations are not affected by this command and are removed by negating the ip nat inside source static command instead.

You can also use show ip nat statistics, which displays the total number of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses allocated from it.

Since ACLs are used here, they can be checked with show access-lists.
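To make the dynamic NAT process above (ACL match, first-come first-served pool, pool exhaustion) and the translation timeout described under Checking Dynamic NAT concrete, here is an added example written for this page. It is a model in Python, not Cisco IOS code: the ACL is a list of (network, wildcard) permit entries, timestamps are plain integers supplied by the caller, and the behaviour when the pool is empty (drop the packet) and when an entry idles past the timeout (return the address to the pool) is stated as an assumption that mirrors the text.

```python
"""Dynamic NAT (one inside local to one inside global address from a pool).

Added example for this page; a model, not Cisco IOS code. It follows the
steps of the dynamic NAT section: a standard ACL with a wildcard mask selects
which inside local addresses are translated, the pool is handed out first
come first served, a host that finds the pool empty is refused (IOS drops the
packet and counts a miss), and an entry that sees no traffic for the
translation timeout (IOS default 86400 s) is expired and its address returned
to the pool. Timestamps are integers supplied by the caller (assumption).
"""
import ipaddress


def acl_permits(ip, network, wildcard):
    """Standard ACL match: address bits that are 0 in the wildcard mask must
    equal the corresponding bits of the network; 1 bits are 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


class DynamicNat:
    def __init__(self, pool_start, pool_end, acl, timeout=86400):
        first = ipaddress.IPv4Address(pool_start)
        count = int(ipaddress.IPv4Address(pool_end)) - int(first) + 1
        self.free = [str(first + i) for i in range(count)]  # inside global pool
        self.acl = list(acl)          # permit entries: (network, wildcard)
        self.timeout = timeout
        self.table = {}               # inside local -> (inside global, last used)
        self.reverse = {}             # inside global -> inside local

    def _expire(self, now):
        """Drop entries idle for at least `timeout` and free their addresses."""
        for local, (glob, last) in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[local]
                del self.reverse[glob]
                self.free.append(glob)

    def outbound(self, src_ip, now):
        """Source address after translation of an inside->outside packet.
        Returns the address unchanged when the ACL does not match (such
        packets are routed untranslated) and None when the pool is exhausted."""
        self._expire(now)
        if not any(acl_permits(src_ip, n, w) for n, w in self.acl):
            return src_ip
        if src_ip in self.table:
            glob = self.table[src_ip][0]
        else:
            if not self.free:
                return None
            glob = self.free.pop(0)
            self.reverse[glob] = src_ip
        self.table[src_ip] = (glob, now)   # refresh the idle timer
        return glob

    def inbound(self, dst_ip, now):
        """Destination address after translation of an outside->inside
        packet, or None if there is no entry for it (packet dropped)."""
        self._expire(now)
        local = self.reverse.get(dst_ip)
        if local is None:
            return None
        self.table[local] = (self.table[local][0], now)
        return local


if __name__ == "__main__":
    # The diagram's setup: pool 208.165.100.5-15, ACL permits 192.168.0.0/16
    nat = DynamicNat("208.165.100.5", "208.165.100.15",
                     [("192.168.0.0", "0.0.255.255")])
    print(nat.outbound("192.168.1.10", 0))   # 208.165.100.5
    print(nat.outbound("192.168.2.10", 1))   # 208.165.100.6
    print(nat.inbound("208.165.100.6", 2))   # 192.168.2.10
    print(nat.outbound("10.1.1.1", 3))       # 10.1.1.1, not matched by the ACL
```

The pool comes out as 11 addresses (208.165.100.5 through .15 inclusive), which is what the router would report as total addresses. Note that an inbound packet for a pool address that currently has no entry is dropped rather than forwarded, which is the property that makes dynamic NAT unusable for servers that must be reachable from outside.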

    Configuring Port Address Translation (PAT)

PAT (also called NAT overload) conserves addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. In other words, one public IPv4 address can serve hundreds or even thousands of private IPv4 addresses. When multiple inside local addresses are mapped to a single inside global address, the TCP or UDP port numbers of each inside host are what distinguish the inside local addresses from one another.

The total number of inside addresses that can be translated to one outside address is theoretically 65,536 per IP address. In practice, however, about 4,000 inside addresses can be assigned to one IP address.

    There are two ways to set up PAT, depending on how the ISP allocates public IPv4 addresses. In the first case, the ISP allocates more than one public IPv4 address to the organization, and in the other, it allocates one public IPv4 address that the organization needs to connect to the ISP.

    Configuring PAT for a public IP address pool

If more than one public IPv4 address is available, these addresses can form the pool used by PAT. This resembles dynamic NAT, except that here there are not enough public addresses for a one-to-one mapping: a small pool of addresses is shared by a large number of devices.

The main difference from the dynamic NAT configuration is the keyword overload, which enables PAT.

    Consider setting up PAT for the address pool step by step:

1. Define the pool of global addresses to be used for PAT with the command ip nat pool [name start_ip end_ip] netmask [mask] | prefix-length [prefix_length].
2. Create a standard access-list that permits the addresses to be translated: access-list [ACL_number] permit [source wildcard].
3. Enable PAT with the keyword overload: ip nat inside source list [ACL_number] pool [pool_name] overload.
4. Designate which interfaces are inside and which are outside with respect to NAT, using ip nat inside and ip nat outside.

    An example configuration for the scheme that was used earlier, only now we will use PAT:

Router(config)# ip nat pool MerionNetworksPool2 208.165.100.5 208.165.100.15 netmask 255.255.255.0
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 pool MerionNetworksPool2 overload
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

    Configuring PAT for a Single Public IPv4 Address

The diagram shows the topology of a PAT implementation that translates to a single public IP address. In this example, all hosts on the 192.168.0.0/16 network (matched by the ACL) that send traffic through the router are translated to the IPv4 address 208.165.99.225, the address of interface S0/1/0. Individual flows are told apart by the port numbers in the NAT table.

    Customization:

1. Create an access-list that permits the addresses to be translated: access-list [ACL_number] permit [source wildcard].
2. Configure translation of the source address to the interface address with ip nat inside source list [ACL_number] interface [type number] overload.
3. Designate the inside and outside interfaces with ip nat inside and ip nat outside.

The configuration is similar to dynamic NAT, except that instead of an address pool the address of the outside interface is used, so no NAT pool is defined.

Example:

Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 interface serial0/1/0 overload
Router(config)# interface serial0/0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface serial0/1/0
Router(config-if)# ip nat outside

The PAT process is the same whether a single address or a pool of addresses is used.

    Consider the PAT process step by step:

1. In the diagram, two different PCs communicate with two different web servers. The first PC has source address 192.168.1.10 and uses TCP port 1444; the second PC has source address 192.168.2.10 and, by coincidence, uses the same TCP port 1444.
2. The packet from the first PC reaches the router first, and PAT changes its source IPv4 address to 208.165.99.225 (the inside global address). No other entry in the NAT table uses port 1444, so PAT keeps the same port number and the packet is sent towards the server at 208.165.101.20.
3. Next, the packet from the second PC enters the router, where PAT is configured to use one inside global IPv4 address, 208.165.99.225, for all translations. As with the first PC, PAT changes the second PC's source address to the inside global address 208.165.99.225. However, the second PC has the same source port number as the existing PAT entry for the first PC, so PAT increments the source port number until it is unique in the table. In this case the NAT table entry and the packet for the second PC get port 1445. Although both PCs use the same inside global address 208.165.99.225 and the same original source port 1444, the changed port number for the second PC (1445) makes each entry in the NAT table unique. This becomes important when the servers send packets back to the clients.
4. The servers reply to the PCs' requests, using the source port of the received packet as the destination port and the source address as the destination address. It may look as if they are talking to the same host, 208.165.99.225, but that is not the case: the ports differ.
5. When the packets return to the router, it finds a unique entry in its NAT table using the destination address and destination port of each packet. For the packet from the first server, the destination address 208.165.99.225 has several entries, but only one with destination port 1444. Using that entry, the router changes the packet's destination IPv4 address to 192.168.1.10 without changing the destination port, and forwards the packet to the first PC.
6. When the packet from the second server arrives at the router, it performs a similar translation. The destination IPv4 address 208.165.99.225 has multiple entries, but destination port 1445 identifies the translation entry uniquely. The destination IPv4 address is changed to 192.168.2.10, and in this case the destination port must also be changed back to the original value 1444 stored in the NAT table. The packet is then sent to the second PC.

Check Port Address Translation (PAT)
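The port-allocation rules given in the Port Address Translation (PAT) section above (keep the original source port if free, otherwise allocate within the groups 0-511, 512-1023 and 1024-65535, and move to the next inside global address when a group is exhausted) and the 1444/1445 collision walked through in the six steps just above are easier to reason about with a small model. The following is an added example written for this page in Python; it is not Cisco IOS code. Assumptions: on a collision the port is incremented within its group, wrapping once to the start of the group (the walk-through's "increment until unique", kept inside the group boundaries from the PAT section); a host's (protocol, address, port) keeps one binding for all destinations; and an inbound packet with no table entry is dropped.

```python
"""Model of PAT (NAT overload) port allocation; an added example, not IOS code.

Assumptions (constructed for illustration): a host's (protocol, ip, port) is
bound to one (inside global ip, port). The original source port is kept if it
is free on the first global address; on a collision the port is incremented
within its group (0-511, 512-1023, 1024-65535), wrapping once to the start of
the group, and when a group is exhausted on one global address the next
address in the pool is tried. Inbound packets with no table entry are
dropped, which is why an unsolicited connection cannot reach an inside host.
"""

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """Return the (low, high) bounds of the group a port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port out of range: %d" % port)


class PatTable:
    def __init__(self, global_ips):
        self.global_ips = list(global_ips)   # inside global addresses, in order
        self.forward = {}   # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.reverse = {}   # (proto, global_ip, global_port) -> (local_ip, local_port)

    def _allocate(self, proto, wanted):
        """Pick an (inside global ip, port) for a new binding."""
        lo, hi = port_group(wanted)
        for gip in self.global_ips:
            # original port first, then the next free port in the same group
            for p in list(range(wanted, hi + 1)) + list(range(lo, wanted)):
                if (proto, gip, p) not in self.reverse:
                    return gip, p
        raise RuntimeError("PAT: no free port on any inside global address")

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns the rewritten 4-tuple."""
        key = (proto, src_ip, src_port)
        if key not in self.forward:
            gip, gport = self._allocate(proto, src_port)
            self.forward[key] = (gip, gport)
            self.reverse[(proto, gip, gport)] = (src_ip, src_port)
        gip, gport = self.forward[key]
        return (gip, gport, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside->inside packet; None means no entry, drop."""
        entry = self.reverse.get((proto, dst_ip, dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return (src_ip, src_port, local_ip, local_port)


if __name__ == "__main__":
    # The walk-through: two PCs, both source port 1444, one inside global address
    pat = PatTable(["208.165.99.225"])
    print(pat.outbound("tcp", "192.168.1.10", 1444, "208.165.101.20", 80))
    print(pat.outbound("tcp", "192.168.2.10", 1444, "208.165.202.129", 80))
    print(pat.inbound("tcp", "208.165.202.129", 80, "208.165.99.225", 1445))
    print(pat.inbound("tcp", "198.51.100.9", 80, "208.165.99.225", 9999))  # None
```

The second PC's packet comes out with port 1445, and the reply to 208.165.99.225:1445 is mapped back to 192.168.2.10:1444, exactly as in steps 3 and 6. Because the reverse table is keyed by protocol, TCP and UDP bindings do not collide, and the exhaustion path shows why the real 4,000-or-so limit per address matters: once a group is full on one inside global address, new bindings spill onto the next address in the pool, and with a single address they fail.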

The same commands are used to check PAT as for ordinary NAT. The command show ip nat translations displays the IP address translations together with the ports, and show ip nat statistics shows the number and type of active translations, the NAT configuration parameters, the number of addresses in the pool and the number of addresses allocated.

Router# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 2, occurred 00:00:07 ago
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  Serial0/0/0
Hits: 4  Misses: 0
CEF Translated packets: 4, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool MerionNetworksPool2 refcount 2
 pool MerionNetworksPool2: netmask 255.255.255.0
        start 208.165.100.5 end 208.165.100.15
        type generic, total addresses 11, allocated 1 (9%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

To find problems you can also use debugging, enabled with debug ip nat, which prints information about every packet the router translates. There is also debug ip nat detailed, which prints a description of each packet and reports errors such as a failure to allocate a global address. This command is, however, more demanding on the device's resources.

Router# debug ip nat
IP NAT debugging is on
Router#
*Aug 24 16:20:33.670: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20
*Aug 24 16:20:33.682: NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10
*Aug 24 16:20:33.698: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101
*Aug 24 16:20:33.702: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20
*Aug 24 16:20:33.710: NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10

    The output uses the following symbols and values:

• * (asterisk) - an asterisk after NAT indicates that the translation took place on the fast-switched path. The first packet of a conversation is always process-switched and therefore slower; the remaining packets go through the fast-switched path.
• s= - the source IP address.
• a.b.c.d->w.x.y.z - this notation means that the address a.b.c.d is translated to w.x.y.z.
• d= - the destination IP address.
• [n] - the number in square brackets is the IP identification number of the packet, which is useful for matching a debug line against a packet capture.
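When checking a translation you usually end up reading many of these debug lines at once, so here is an added example, written for this page and not a Cisco tool, that parses debug ip nat output into records and groups the records into flows (inside local, inside global, outside host). The sample lines are constructed in the IOS format shown above, with the commas IOS prints between the s= and d= fields and with invented IP identification numbers in square brackets; the parser also accepts the page's comma-less variant.

```python
"""Parser for Cisco `debug ip nat` lines; an added example, not Cisco tooling.

SAMPLE is constructed for this example. It mirrors the format shown on this
page (the [n] suffix is the IP identification number; the values here are
invented). The third line lacks the asterisk to show a process-switched packet.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+NAT(?P<fast>\*?):\s+"
    r"s=(?P<s_before>[\d.]+)(?:\s*->\s*(?P<s_after>[\d.]+))?,?\s+"
    r"d=(?P<d_before>[\d.]+)(?:\s*->\s*(?P<d_after>[\d.]+))?"
    r"(?:\s+\[(?P<ipid>\d+)\])?\s*$"
)

SAMPLE = """\
*Aug 24 16:20:33.670: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20 [101]
*Aug 24 16:20:33.682: NAT*: s=208.165.101.20, d=208.165.99.225->192.168.1.10 [202]
*Aug 24 16:20:33.698: NAT: s=192.168.2.10->208.165.99.225, d=208.165.101.20 [103]
*Aug 24 16:20:33.702: NAT*: s=192.168.1.10->208.165.99.225, d=208.165.101.20 [104]
"""


def parse_line(line):
    """Turn one debug line into a record, or None if it is not a NAT line.

    An outbound packet has the source rewritten (s=local->global); an inbound
    packet has the destination rewritten (d=global->local). The record names
    the three addresses the same way regardless of direction.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    outbound = g["s_after"] is not None
    return {
        "ts": g["ts"],
        "fast_switched": g["fast"] == "*",
        "direction": "outbound" if outbound else "inbound",
        "inside_local": g["s_before"] if outbound else g["d_after"],
        "inside_global": g["s_after"] if outbound else g["d_before"],
        "outside": g["d_before"] if outbound else g["s_before"],
        "ipid": int(g["ipid"]) if g["ipid"] else None,
    }


def parse(text):
    """Parse a block of debug output, skipping prompts and other noise."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def flows(records):
    """Count packets per (inside local, inside global, outside) flow."""
    return Counter((r["inside_local"], r["inside_global"], r["outside"])
                   for r in records)


if __name__ == "__main__":
    for key, n in flows(parse(SAMPLE)).items():
        print("%s -> %s -> %s: %d packets" % (key[0], key[1], key[2], n))
```

Grouping by the three addresses rather than by the raw line shows at a glance which inside hosts are talking through the shared inside global address, and the fast_switched flag lets you confirm that only the first packet of a conversation was process-switched.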
