Network Address Translation Protocol (NAT) and Its Application Examples

1. The meaning of NAT

When some hosts within a private network have been assigned local IP addresses (i.e., private addresses used only within the private network), but now want to communicate with hosts on the Internet (without encryption), the NAT (Network Address Translation) method can be used.

This method requires the installation of NAT software on the router that connects the private network to the Internet. A router with NAT software installed is called a NAT router, and it has at least one valid external global IP address. In this way, all hosts using local addresses must convert their local addresses into global IP addresses on the NAT router when communicating with the outside world before they can connect to the Internet.

Additionally, this approach will help slow the depletion of available IP address space by using a smaller number of public IP addresses to represent a larger number of private IP addresses.

[[287151]]

2. The role of NAT protocol

Hiding the identity of internal clients, concealing the design of private networks, and minimizing the cost of leasing public IP addresses can all be conveniently accomplished by using Network Address Translation (NAT), a mechanism that translates internal IP addresses in packet headers into public IP addresses for transmission over the Internet.

NAT was developed to allow private networks to use any set of IP addresses without conflicting or clashing with public Internet hosts that have the same IP addresses. In effect, NAT translates the IP addresses of internal clients into leased addresses in the external environment.

NAT provides many advantages, including:

• Ability to connect your entire network to the Internet using just one (or a few) leased public IP addresses;
• Finally, it is possible to use the private IP addresses defined in RCF1918 for private networks while communicating with the Internet;
• NAT hides the IP address scheme and network topology across the Internet;
• NAT also provides protection by limiting connections so that only connections from the internal protected network are allowed back to the network from the Internet. Therefore, most intrusion attacks are automatically repelled.

3. IP address classification

IP is divided into five categories: A, B, C, D, and E, as shown in the table. Class D subnets are used for multicast, and Class E subnets are reserved for future use. An IP address consists of four segments, each of which is one byte of eight bits.

(1) Class A: (1.0.0.0-126.0.0.0) The first byte is the network number, and the last three bytes are the host number. The first byte of this type of IP address is "0", so the network number of the address is between 1 and 126. It is generally used in large networks.

Default subnet mask: 255.0.0.0 or 0xFF000000

The private address range is: 10.0.0.0～10.255.255.255

(2) Class B: (128.0.0.0-191.255.0.0) The first two bytes are the network number, and the last two bytes are the host number. The first byte of this type of IP address is "10", so the network number of the address is between 128 and 191. It is generally used in medium-sized networks.

Default subnet mask: 255.255.0.0 or 0xFFFF0000

The private address range is: 172.16.0.0～172.31.255.255

(3) Class C: (192.0.0.0-223.255.255.0) The first three bytes are the network number, and the last byte is the host number. The first byte of this type of IP address is "110", so the network number of the address is between 192 and 223. It is generally used for small networks.

Subnet mask: 255.255.255.0 or 0xFFFFFF00

The private address range is: 192.168.0.0～192.168.255.255

(4) Class D: It is a multicast address. The first character of this type of IP address is "1110", so the network number of the address is between 224 and 239. It is generally used for multicast users.

(5) Class E: Reserved addresses. The first digit of this type of IP address is "1111", so the network number of the address is between 240 and 255.

The total number of IP addresses is 2^32=4 294 967 296, or about 4.3 billion. The proportion of each type of address is shown in Figure 1.

Figure 1. The proportion of each type of IP address

4. NAT mode

By definition, NAT maps an internal IP address to an external IP address. However, Port Address Translation (PAT) maps an internal IP address to a combination of an external IP address and port number. Therefore, PAT can theoretically support 65536 (2^16) simultaneous communications from internal clients on a single external leased IP address. If NAT is used, the number of leased public IP addresses must be the same as the number of simultaneous communications expected; if PAT is used, fewer public IP addresses can be leased, and the appropriate ratio of internal clients to external leased IP addresses is 100:1. NAT can be found in many hardware devices and software products, including firewalls, routers, gateways, and proxies. NAT can only be used in IP networks and works at the network layer (layer 3) of the OSI model.

All routers and communication control devices are configured not to forward communications from or to these private IP addresses by default. In other words, private IP addresses are not routed by default. Therefore, they cannot be used directly for communications on the Internet. However, they can be easily used in private networks that may not use routers or may have only minor changes to the router configuration. Using private IP addresses in conjunction with NAT can greatly reduce the cost of connecting to the Internet by allowing fewer public IP addresses to be leased from ISPs.

There are two NAT modes that can be used: static NAT and dynamic NAT:

• Static NAT: Static mode NAT is used when a specific internal client IP address is permanently mapped to a specific external public IP address;
• Dynamic NAT: Dynamic mode NAT allows multiple internal clients to use fewer leased public IP addresses. Therefore, even with fewer leased public IP addresses, larger internal networks can still access the Internet. This mode minimizes the abuse of public IP addresses and keeps Internet access costs to a minimum.

In a dynamic mode NAT implementation, the NAT system maintains a mapping database so that all responses from Internet services are correctly routed to the original internal requesting client. NAT is often combined with a proxy server or proxy firewall to provide additional Internet access and content caching capabilities.

Because NAT changes the packet header, and IPSec relies on the packet header to prevent security violations, NAT is not directly compatible with IPSec. However, some versions of NAT proxy are designed to support IPSec over NAT. IPSec is a standards-based mechanism that provides encryption protection for point-to-point TCP/IP communications.

5. NAT Application Examples

Below we use the simulation software Cisco Packet Tracer to demonstrate the actual network deployment. The download address of the software and the simulation project file are as follows:

Link: https://pan.baidu.com/s/1DLJVuXu5kRmpgCCr7Czfpg

Extraction code: w5og

The network topology and IP address configuration are shown in Figure 2. The internal network address is 192.168.1.*, and the external network server address is 2.2.2.2

Figure 2. Network topology and addresses

For ease of explanation, we first define the scope of four types of addresses to define internal and external addresses of an enterprise:

• Internal local address: a private address within the enterprise
• Internal global address: The public address converted from a private address
• External global address: a public address on the internet
• External local address: The public address on the Internet is converted into a private address within the enterprise.

(1) Configuring the IP address

Configure the address of router R1, the address of f0/0 is 192.168.1.200, 255.255.255.0, and the address of f0/1 is 12.1.1.1 255.255.255.0. The configuration commands are as follows:

 R1 > en
 R1#conf t
 Enter configuration commands, one perline. End with CNTL/Z.
 R1(config)#int f0/0
 R1(config-if)#ip add 192.168.1.200 255.255.255.0
 R1(config-if)#no sh
 R1(config-if)#
 R1(config-if)#int f0/1
 R1(config-if)#ip add 12.1.1.1 255.255.255.0
 R1(config-if)#no sh

Configure the addresses of router R2. The address of f0/0 is 12.1.1.2 255.255.255.0, and the address of f0/1 is 2.2.2.200 255.255.255.0.

 R2 > en
 R2#conf t
 Enter configuration commands, one perline. End with CNTL/Z.
 R2(config)#int f0/0
 R2(config-if)#ip add 12.1.1.2 255.255.255.0
 R2(config-if)#no sh
 R2(config-if)#
 R2(config-if)#int f0/1
 R2(config-if)#ip add 2.2.2.200 255.255.255.0
 R2(config-if)#no sh

The configuration result is shown in Figure 3.

Figure 3. IP configuration results

Configure router R1. The configuration content is that interface f0/0 is connected to the private address within the enterprise, and f0/1 is connected to the public address on the Internet. The configuration commands are as follows:

 R1 > en
 R1#conf t
 Enter configuration commands, one perline. End with CNTL/Z.
 R1(config)#int f0/0
 R1(config-if)#ip nat inside
 R1(config-if)#exit
 R1(config)#int f0/1
 R1(config-if)#ip nat outside
 R1(config-if)#exit

(2) Create a NAT translation table

a. Static NAT

 R1(config)#ip nat inside source static?
 ABCD Inside local IP address
 tcpTransmissionControlProtocol
  udp User Datagram Protocol
 R1(config)#ip nat inside source static192.168.1.1?
 ABCD Inside global IP address
 R1(config)#ip nat inside source static192.168.1.1 12.1.1.11
 R1(config)#ip nat inside source static192.168.1.2 12.1.1.12
 R1(config)#end
 R1#
 %SYS-5-CONFIG_I: Configured from console byconsole 
 
 R1#show ip nat tr
 R1#show ip nat translations
 Pro Inside global Insidelocal Outside local Outside global
 --- 12.1.1.11 192.168.1.1 --- ---
 --- 12.1.1.12 192.168.1.2

Static NAT features: One-to-one correspondence, the outside world can actively access the internal address conversion

b. Dynamic NAT

Step 1: Delete the established static NAT

 R1#conf t
 Enter configuration commands, one perline. End with CNTL/Z.
 R1(config)#no ip nat inside source static192.168.1.2 12.1.1.12
 R1(config)#no ip nat inside source static192.168.1.1 12.1.1.11
 R1(config)#end
 R1#
 %SYS-5-CONFIG_I: Configured from console byconsole
 R1#show ip nat translations

Step 2: Match the data packets that need to be converted;

 R1(config)#access-list 1 permit 192.168.1.00.0.0.255

Step 3: Define the address pool to be converted;

 R1(config)#ip nat pool BB 12.1.1.1112.1.1.12 netmask 255.255.255.0

Step 4: Associate the data packet with the address pool;

 R1(config)#ip nat inside source list 1 poolBB
 R1#show ip nat translations
 Pro Inside global Insidelocal Outside local Outside global
 icmp 12.1.1.11:10 192.168.1.1:10 2.2.2.2:10 2.2.2.2:10
 icmp 12.1.1.11:11 192.168.1.1:11 2.2.2.2:11 2.2.2.2:11
 icmp 12.1.1.11:12 192.168.1.1:12 2.2.2.2:12 2.2.2.2:12
 icmp 12.1.1.11:9 192.168.1.1:9 2.2.2.2:9 2.2.2.2:9

Dynamic NAT features: one-to-one correspondence, NAT is triggered by the client, and the client cannot be actively accessed from the outside

c. PAT address reuse

 R1(config)#ip nat inside source list 1 poolBB overload
 R1#show ip nat translations
 Pro Inside global Insidelocal Outside local Outside global
 icmp 12.1.1.11:13 192.168.1.1:13 2.2.2.2:13 2.2.2.2:13
 icmp 12.1.1.11:14 192.168.1.1:14 2.2.2.2:14 2.2.2.2:14
 icmp 12.1.1.11:15 192.168.1.1:15 2.2.2.2:15 2.2.2.2:15
 icmp 12.1.1.11:16 192.168.1.1:16 2.2.2.2:16 2.2.2.2:16

Let's take static NAT as an example to verify whether PC1 can ping Server.

From the above figure, we can see that the connection between PC1 and Server is working. Let's look at the whole packet sending test process one by one:

Step 1: PC1 sends a packet, Src.IP=192.168.1.1, Dest.IP=2.2.2.2

Step 2: Switch forwarding, forwarding according to MAC address

Step 3: NAT conversion of router R1, the address changes from the original: Src.IP=192.168.1.1, Dest.IP=2.2.2.2 to Src.IP=12.1.1.11, Dest.IP=2.2.2.2. 192.168.1.1 and 12.1.1.11 are static address conversion protocols defined in the NAT table.

Step 4: Router routing forwarding Src.IP=12.1.1.11, Dest.IP=2.2.2.2

Step 5: The server receives the packet and replies to confirm that the destination address and source address are swapped. Src.IP = 2.2.2.2, Dest.IP = 12.1.1.11.

Step 6: Router R2 routes and forwards, Src.IP=2.2.2.2, Dest.IP=12.1.1.11

Step 7: Router R1 address conversion, the process is the reverse of step 3.

Step 8: Switch forwarding, based on MAC address

Step 9: PC receives confirmation, Src.IP=2.2.2.2, Dest.IP=192.168.1.1