Tuesday, May 13, 2008
NAT
Takeaway: Network address translation (NAT) has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork operating system.
Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks that use private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we're going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).
Understanding NAT
Using NAT to connect to the Internet allows you to:
·Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
·Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
·Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.
The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:
·Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).
·Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
·Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
·Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).
Figure A
My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same thing. But after seeing a diagram of these terms, it started to click for me. Take a look at Figure A for a logical diagram of these terms.
Configuring NAT
To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then look at the simple steps that need to be taken if you are using a Cisco router between your local network and the Internet.
Figure B
·Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
·Define an access-list to specify what range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” The syntax is:
access-list access-list-number permit source [source-wildcard]
·Specify that you want a dynamic translation from the source IP address to the pool and that you want to overload the pool address (or addresses). The syntax is:
ip nat inside source list access-list-number pool name overload
·Specify which of the router’s interfaces will be the “inside” address. The syntax for the Ethernet 0 interface is:
int en0
ip nat inside
·Specify which of the router’s interfaces will be the “outside” address. The syntax for the Serial 0 interface is:
int s0
ip nat outside
·Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) Here’s the syntax:
ip route 0.0.0.0 0.0.0.0 serial0
Listing A shows the resulting configuration for the router. One way to examine this on your router would be to issue the command show run.
Listing A
int en0
! This is the Ethernet 0 interface on the router, attached to the local network
ip address 10.10.10.10 255.0.0.0
ip nat inside
int s0
! This is the Serial 0 interface on the router, attached to the Internet
ip address 11.11.11.254 255.255.255.128
ip nat outside
ip nat pool mypool 11.11.11.1 11.11.11.127 netmask 255.255.255.128
! Above is the pool of real Internet addresses that will be overloaded
access-list 1 permit 10.0.0.0 0.255.255.255
! Above is the access list that controls which hosts on the local network can use the NAT service
ip nat inside source list 1 pool mypool overload
! Above is the command that ties all the other configuration together: it says to DO IT
ip route 0.0.0.0 0.0.0.0 serial0
! The default route to the Internet
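To make the four address terms and the overloaded-pool behaviour of Listing A concrete, here is an added Python model of what the router does with that configuration (example code written for this post, not Cisco's implementation). It assumes a single pool address, a constructed port range starting at 1024, and the ACL 1 / pool values from Listing A; it shows the wildcard-mask match, the inside-local to inside-global (address, port) rewrite, and that an inbound packet with no existing entry is not translated.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values mirroring Listing A: ACL 1 permits 10.0.0.0 with
# wildcard 0.255.255.255; "mypool" is overloaded, so many inside-local
# hosts share one inside-global address (assumed: a single pool entry).
ACL_PERMIT = [("10.0.0.0", "0.255.255.255")]
POOL = ["11.11.11.1"]


def acl_permits(src_ip, acl=ACL_PERMIT):
    """Cisco wildcard match: a wildcard bit of 1 means 'don't care'."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        wc = int(ipaddress.IPv4Address(wildcard))
        if (ip & ~wc) == (net & ~wc):
            return True
    return False  # implicit deny at the end of every IOS access list


@dataclass
class OverloadNat:
    pool: list
    next_port: int = 1024  # assumed starting translated port
    table: dict = field(default_factory=dict)    # (inside_local, port, proto) -> (inside_global, port)
    reverse: dict = field(default_factory=dict)  # (inside_global, port, proto) -> (inside_local, port)

    def outbound(self, inside_local, src_port, proto="tcp"):
        """Packet leaving via the 'ip nat inside' interface: source becomes inside global."""
        if not acl_permits(inside_local):
            return None  # not matched by ACL 1: the router does not translate it
        key = (inside_local, src_port, proto)
        if key not in self.table:
            inside_global, gport = self.pool[0], self.next_port
            self.next_port += 1
            self.table[key] = (inside_global, gport)
            self.reverse[(inside_global, gport, proto)] = (inside_local, src_port)
        return self.table[key]

    def inbound(self, inside_global, dst_port, proto="tcp"):
        """Packet arriving on the 'ip nat outside' interface: only existing entries translate."""
        return self.reverse.get((inside_global, dst_port, proto))
```

The `inbound` lookup returning `None` for an unknown port is what hides the inside hosts behind the single public address, as described under "Understanding NAT".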