Overview of NAT (Network Address Translation)
Back in 2012, there was an article in Forbes that asked the question, "how many things are currently connected to the Internet of Things?" and answered, "we believe the number of connected devices reached 8.7 billion". Today, at the time of preparing this training, I googled the same question, and an article in Security Today says, "in 2019, the number of active IoT devices reached 26.66 billion.
Every second, 127 new IoT devices are connected to the web. During 2020, experts estimate the installation of 31 billion IoT devices.
By 2021, 35 billion IoT devices will be installed worldwide". IoT technology is an umbrella term that refers to connected physical and digital components. IPv4 addresses, which are still in use today, are 32 bits long. This allows for a maximum of 4,294,967,296 (2^32) unique addresses, just a little above 4 billion.
So, the question to you CCNA students will be:
"How come we have more than 4 billion devices connected to the internet when we have just a little over 4 billion IPv4 addresses?"
The answer is NAT (Network Address Translation).
In the early stages of the internet, large network blocks were assigned to organizations. After a while the engineers realized that, as more and more people connected to the internet, the IP addresses would soon be exhausted, so they developed RFC 1918, which established the common network blocks that should never be seen on the internet but can be used internally by organizations; these are classified as private IP addresses. Another range of private IP addresses is 169.254.0.0 to 169.254.255.255, but that range is reserved for Automatic Private IP Addressing (APIPA) and is assigned by the systems themselves. They then had private IP addresses that could be used on local networks, but needed a way for those hosts to reach the internet, and that is where and how NAT came into the picture.
Basically, NAT enables internal IP networks to appear as publicly routed external networks. A router or firewall acting as a NAT device modifies the source or destination IP address in the packet's header as the packet is received on the inside or outside interface.
Four important terms are related to NAT, and they are:
- Inside Local - The actual private IP address assigned to a device on the inside network.
- Inside Global - The actual public IP address that represents one or more internal IP addresses.
- Outside Local - The IP address of an outside host as it appears to the inside network.
- Outside Global - The public IP address assigned to a host on the outside network.
3 Types of Network Address Translation (NAT)
(1) Static NAT
This involves the translation of a global IP address to a local IP address based on a static mapping between the two. This is the original form of network address translation: a manual one-to-one mapping of a local IP address to a public IP address.
There are two (2) types of static NAT:
(1) Inside static NAT - Involves the mapping of an inside local (private) IP address to an inside global (public) IP address.
To configure inside static NAT, there are three (3) steps:
- Configure outside interface
- Configure inside interface
- Configure inside static NAT
- R1(config)#interface f0/0
- R1(config-if)#ip nat inside
- R1(config)#interface S0/0
- R1(config-if)#ip nat outside
- R1(config-if)#exit
- R1(config)#ip nat inside source static 10.78.9.7 10.45.1.7
Scenario A (one-to-one)
Assume host A, with the local IP 192.168.1.13, decides to go to amazon.com, Techvillaonline.com and cnn.com. The router R1 translates the local IP directly to the public IP address 200.1.1.1, and no other host can use that public IP address simply because it has been mapped to host A's local IP address.
It means hosts B and C cannot go to the internet. The responses from amazon.com and the other sites browsed by host A come back to router R1 on 200.1.1.1. Once a response reaches R1, the enterprise's external-facing router, on its S0/0 interface, R1 looks into its internal table, sees 200.1.1.1 mapped to 192.168.1.13, and forwards the packet directly to host A. So, if you need 5 hosts to get to the internet, you will have to map 5 public IP addresses, one to each host. With over 26 billion devices, still growing and still counting, and the limited supply of IPv4 addresses, mapping each device to an individual public IP address is not feasible, so PAT was created. Before we go into PAT, let's see the configuration of static NAT below.
Configuration of static NAT - One-to-one (2 Ways)
- R1(config)#ip nat inside source static 192.168.1.12 200.1.1.5
Done! This is a one-to-one static mapping between an inside IP and a single public IP. This means that this one host always goes out on that public IP address, and no other host can use that public IP.
You can always clear the NAT translations in the table by using the command
- R1#clear ip nat translation * (* meaning all entries)
Scenario B (incoming traffic ONLY)
When you have a server on the inside of your organization that is expected to accept incoming connections from the public, such as your email server, gaming server or web server, you will need public IP addresses for those servers so that the public can reach them. Your organization then pays for extra public IP addresses (200.1.1.2 and 200.1.1.3) aside from the external-facing address (200.1.1.1) on the router R1, as shown in diagram 1 above.
Once the IPs are assigned to your organization:
- The ISP, at their end, sets up static routes pointing to all the public IPs assigned to your organization, so they can be reached from the internet. Thus, any traffic coming into the ISP's network and going to 200.1.1.1, 200.1.1.2 or 200.1.1.3, which they have already assigned to your organization, is forwarded from their router to your router: from their router on interface S0/1 to your router on interface S0/0, as shown in the diagram above.
- A static route (usually for incoming traffic only) is also set up on R1 pointing to the internal servers you have.
Configuration of static NAT - Incoming traffic ONLY
The email server is on 192.168.1.30 and the web server is on 192.168.1.40.
Now we translate these specific services: SMTP uses port 25 for email, and the web services use HTTP on port 80 and HTTPS on port 443.
- R1(config)#ip nat inside source static tcp 192.168.1.30 25 200.1.1.5 25
- R1(config)#ip nat inside source static tcp 192.168.1.40 80 200.1.1.5 80
- R1(config)#ip nat inside source static tcp 192.168.1.40 443 200.1.1.5 443
- First line is the email server NAT mapping
- Second line is the http NAT mapping
- Third line is the https NAT mapping
- Done!
(2) Outside static NAT - Involves the mapping of an outside global (public) IP address to an outside local IP address. (This configuration is not very common.)
To configure outside static NAT, there are three (3) steps:
- Configure outside interface
- Configure inside interface
- Configure Outside static NAT
- R1(config)#interface f0/0
- R1(config-if)#ip nat inside
- R1(config)#interface S0/0
- R1(config-if)#ip nat outside
- R1(config-if)#exit
- R1(config)#ip nat outside source static 10.123.4.2 10.123.4.222
Also remember that we can statically NAT things, but static rules do not go away until we tell them to.
(2) Dynamic NAT (using a pool of public IP addresses)
Unlike static NAT, where you had to manually define a static mapping between a private IP address and a public address, dynamic NAT maps a local address to an address from a pool of global addresses dynamically. This means that the router dynamically picks an address from the global address pool that is not currently assigned and uses it.
The dynamic entry stays in the NAT translation table as long as traffic is being exchanged. The entry times out after a period of inactivity. The unused global IP address is then returned to the pool and can be used again for new translations. Pooled NAT can operate as inside NAT or outside NAT; in this section of the training, we shall focus on inside NAT.
Configuration steps for inside pooled NAT:
- Configure the outside interface
- Configure the inside interface
- Specify which inside addresses are translated by using a standard or extended ACL, referenced by number or name (using a user-friendly name may be the simplest from the operational support perspective)
- Define the global pool of IP addresses
- Configure the inside pooled NAT
#Create the inside and outside interfaces
- R1(config)#interface f0/0
- R1(config-if)#ip nat inside
- R1(config)#interface S0/0
- R1(config-if)#ip nat outside
- R1(config-if)#exit
#Create the access list for 192.168.1.0/24
- R1(config)#ip access-list standard NAT_ADDRESSES
- R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
- R1(config-std-nacl)#exit
- R1(config)#
#Create the pool
- R1(config)#ip nat pool NAT_POOL 200.1.1.10 200.1.1.15 prefix-length 24
#Create the inside pooled NAT
- R1(config)#ip nat inside source list NAT_ADDRESSES pool NAT_POOL
Done!
DISADVANTAGE of using pooled NAT
- When the pool is exhausted, no other translation can occur until global IP addresses are returned to the pool. The default timeout period is 24 hours, and you can change it with the command #ip nat translation timeout seconds. A translation can also be cleared by issuing the command #clear ip nat translation {ip address | *}, which removes the translation for one IP address or all the translations in the table.
(3) Port Address Translation (PAT)
PAT means Port Address Translation. It allows you to OVERLOAD a single public IP address so that it can serve multiple internal private IP addresses.
How does it work?
When a program on your computer sends or receives data over the Internet, it sends that data to an IP address and a specific port on the remote computer, and it receives the replies on a randomly chosen port of its own. It is this source port that lets the NAT device tell the hosts apart.
Example
- Host A on IP 192.168.1.13 is going to amazon.com
- Host B on IP 192.168.1.12 is going to techvillaonline.com
- Host C on IP 192.168.1.14 is going to facebook.com
The source ports on the inside addresses are randomly selected by the system, and the 3 hosts share the single public IP address as shown in the diagram above. The translation from a private IP to the public IP address is done on the router R1, and the packet is sent out to the ISP. The responses from amazon, Techvilla and Facebook are sent back through the ISP to the externally facing router R1 and are translated back to the internal IP addresses based on the ports attached to them, so the response from amazon.com goes back to host A, Techvillaonline to host B and Facebook to host C respectively.
NOTE: use the "C:\>netstat" command to see the ports in use on your computer.
Overload Configuration
There are three (3) steps to configure NAT overload;
- Step1-Create an access control list to identify source IP addresses to be translated. Standard ACL is used for this
- Step2-Identify the inside and the outside interfaces
- Step3-Define NAT operations with a single command.
Step 1 - Access list of all IPs in the 192.168.1.0/24 network
- R1(config)#ip access-list standard NAT_ADDRESSES
- R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
- R1(config-std-nacl)#exit
- R1(config)#
Here, you have created an access control list named NAT_ADDRESSES that will contain all the IP addresses to be mapped.
Step 2 - Identification of the inside and outside interfaces
Inside is F0/0
- R1(config)#interface f0/0
- R1(config-if)#ip nat inside
- R1(config-if)#exit
Outside is S0/0
- R1(config)#interface S0/0
- R1(config-if)#ip nat outside
- R1(config-if)#exit
Here, you have defined both the inside and outside interfaces.
Step 3 - Defining the NAT operation with the keyword OVERLOAD
- R1(config)#ip nat inside source list NAT_ADDRESSES interface s0/0 overload
- R1(config)#exit
With this, the local IP addresses should be able to ping any public address, such as 8.8.8.8 or 4.2.2.2.
What step 3 is saying is this: you are "natting" all the IPs in the source list named NAT_ADDRESSES to the IP address defined on interface s0/0, and you will overload that IP address using the ports.
The overload keyword enables PAT. Without it, only one inside IP address at a time is translated to the interface address, on a first come, first served basis.
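To make the difference between the three modes concrete, here is an added teaching model of R1's translation table (it is not Cisco IOS code and not part of the original training). It covers the static one-to-one and port-forward mappings from the static NAT section, the pooled NAT section's pool exhaustion and idle timeout, and PAT with port rewriting when two inside hosts happen to pick the same source port. R1, 200.1.1.1 and the 192.168.1.0/24 inside network come from the text; the clock values, the starting port 49152 and the remote addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed assumptions.

```python
"""Toy model of the NAT behaviours in this training: static one-to-one NAT, static port
mappings for inbound traffic, dynamic (pooled) NAT with pool exhaustion and idle timeout,
and PAT (overload). Added teaching example, not Cisco IOS code; clocks and remote
addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Translation table of the external-facing router R1."""

    def __init__(self, inside_prefix, pool=(), overload_ip=None, timeout=24 * 3600):
        self.inside_prefix = inside_prefix  # stands in for the standard ACL NAT_ADDRESSES
        self.pool = list(pool)              # free inside global addresses (ip nat pool ...)
        self.overload_ip = overload_ip      # the interface address overloaded by PAT
        self.timeout = timeout              # ip nat translation timeout, in seconds
        self.static = {}                    # inside local -> inside global; never expires
        self.forward = {}                   # (global ip, port) -> (local ip, port), inbound only
        self.dynamic = {}                   # inside local -> [inside global, last seen]
        self.pat = {}                       # (inside global, port) -> [local ip, port, last seen]
        self._next_port = 49152             # constructed: port handed out when the host's is taken

    def add_static(self, local_ip, global_ip):      # ip nat inside source static L G
        self.static[local_ip] = global_ip

    def add_port_forward(self, local_ip, lport, global_ip, gport):  # ... static tcp L lp G gp
        self.forward[(global_ip, gport)] = (local_ip, lport)

    def expire(self, now):
        """Drop idle dynamic and PAT entries; pooled addresses go back to the pool."""
        for local, (gip, seen) in list(self.dynamic.items()):
            if now - seen > self.timeout:
                del self.dynamic[local]
                self.pool.append(gip)
        for key, entry in list(self.pat.items()):
            if now - entry[2] > self.timeout:
                del self.pat[key]

    def outbound(self, pkt, now):
        """Packet received on the inside interface: returns it with the source rewritten
        as sent to the ISP, or None when R1 has no way to translate it."""
        self.expire(now)
        if pkt.src_ip in self.static:  # a static mapping is always available
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if not pkt.src_ip.startswith(self.inside_prefix):
            return None  # source not permitted by the ACL, so not translated
        if self.overload_ip:  # PAT: everyone shares one address, told apart by port
            for (gip, gport), entry in self.pat.items():
                if entry[:2] == [pkt.src_ip, pkt.src_port]:
                    entry[2] = now
                    return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)
            gport = pkt.src_port  # keep the host's own port unless another host holds it
            if (self.overload_ip, gport) in self.pat:
                gport, self._next_port = self._next_port, self._next_port + 1
            self.pat[(self.overload_ip, gport)] = [pkt.src_ip, pkt.src_port, now]
            return Packet(self.overload_ip, gport, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip in self.dynamic:  # pooled NAT: one whole address per inside host
            entry = self.dynamic[pkt.src_ip]
            entry[1] = now
            return Packet(entry[0], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if not self.pool:
            return None  # pool exhausted: nothing new translates until an entry times out
        gip = self.pool.pop(0)
        self.dynamic[pkt.src_ip] = [gip, now]
        return Packet(gip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Packet received on the outside interface for an inside global address: returns
        it with the destination rewritten, or None when no table entry matches."""
        self.expire(now)
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self.forward:
            lip, lport = self.forward[key]
            return Packet(pkt.src_ip, pkt.src_port, lip, lport)
        for lip, gip in self.static.items():
            if gip == pkt.dst_ip:
                return Packet(pkt.src_ip, pkt.src_port, lip, pkt.dst_port)
        if key in self.pat:
            self.pat[key][2] = now
            return Packet(pkt.src_ip, pkt.src_port, self.pat[key][0], self.pat[key][1])
        for lip, entry in self.dynamic.items():
            if entry[0] == pkt.dst_ip:
                entry[1] = now
                return Packet(pkt.src_ip, pkt.src_port, lip, pkt.dst_port)
        return None  # unsolicited inbound traffic has no entry and is dropped


def demo_pat():
    """Hosts A and B from the PAT example, both using source port 49851 (constructed)."""
    r1 = NatRouter("192.168.1.", overload_ip="200.1.1.1")
    a = r1.outbound(Packet("192.168.1.13", 49851, "198.51.100.10", 443), now=0)
    b = r1.outbound(Packet("192.168.1.12", 49851, "203.0.113.7", 443), now=1)
    return a, b, r1.inbound(Packet("203.0.113.7", 443, b.src_ip, b.src_port), now=2)
```

`demo_pat()` shows why the overload keyword matters: host A keeps port 49851 on 200.1.1.1, host B collides and is given 49152, and the reply addressed to 200.1.1.1:49152 is handed back to 192.168.1.12:49851. Building a `NatRouter` with `pool=["200.1.1.10", "200.1.1.11"]` and no `overload_ip` reproduces the pooled NAT disadvantage: a third host gets `None` until one of the two entries passes the timeout, and a router with neither a pool nor overload translates only its static entries, which is also the case without the keyword in step 3.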
Verification of PAT
Once you can get to the internet with your local IP, PAT is in operation, and the way to view or verify PAT is by issuing the command
R1#sh ip nat translations
Pro  Inside global          Inside local           Outside local          Outside global
tcp  192.168.1.120:49851    192.168.2.12:49851     172.253.62.188:5228    172.253.62.188:5228
tcp  192.168.1.120:49858    192.168.2.12:49858     23.212.251.148:443     23.212.251.148:443
tcp  192.168.1.120:49862    192.168.2.12:49862     104.21.60.232:443      104.21.60.232:443
tcp  192.168.1.120:52997    192.168.2.12:52997     104.18.20.226:80       104.18.20.226:80
tcp  192.168.1.120:52998    192.168.2.12:52998     216.114.206.103:80     216.114.206.103:80
tcp  192.168.1.120:52999    192.168.2.12:52999     172.253.63.188:5228    172.253.63.188:5228
tcp  192.168.1.120:65202    192.168.2.12:65202     52.230.222.68:443      52.230.222.68:443
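Reading this table by eye works for a handful of rows, but on a busy router the translation table is also where an operator checks which inside hosts are talking to which outside services, and whether the global address is really being shared. The following parser is an added example, not IOS code or part of the training: SAMPLE is the lab output shown above plus one constructed row for a second host (192.168.2.15) and the IOS pager prompt, so that the grouping and the skipping of non-data lines are visible.

```python
"""Parse `show ip nat translations` output into records and summarise it the way an
operator verifying PAT would. Added teaching example, not IOS code; SAMPLE is the lab
output from this training plus one constructed row (192.168.2.15) and the pager prompt."""
import re
from collections import defaultdict

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.1.120:49851 192.168.2.12:49851 172.253.62.188:5228 172.253.62.188:5228
tcp 192.168.1.120:49858 192.168.2.12:49858 23.212.251.148:443 23.212.251.148:443
tcp 192.168.1.120:49862 192.168.2.12:49862 104.21.60.232:443 104.21.60.232:443
tcp 192.168.1.120:52997 192.168.2.12:52997 104.18.20.226:80 104.18.20.226:80
tcp 192.168.1.120:52998 192.168.2.12:52998 216.114.206.103:80 216.114.206.103:80
tcp 192.168.1.120:52999 192.168.2.12:52999 172.253.63.188:5228 172.253.63.188:5228
tcp 192.168.1.120:65202 192.168.2.12:65202 52.230.222.68:443 52.230.222.68:443
tcp 192.168.1.120:1024 192.168.2.15:49858 23.212.251.148:443 23.212.251.148:443
 --More--
"""

# One protocol keyword followed by four ip:port endpoints. The header line and the
# pager prompt have no ip:port pairs and therefore never match.
ROW = re.compile(
    r"^(?P<proto>\w+)\s+(?P<ig>\S+):(?P<igp>\d+)\s+(?P<il>\S+):(?P<ilp>\d+)\s+"
    r"(?P<ol>\S+):(?P<olp>\d+)\s+(?P<og>\S+):(?P<ogp>\d+)\s*$"
)


def parse_translations(text):
    """Return one dict per translation row; header and pager lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        rows.append({
            "proto": d["proto"],
            "inside_global": (d["ig"], int(d["igp"])),
            "inside_local": (d["il"], int(d["ilp"])),
            "outside_local": (d["ol"], int(d["olp"])),
            "outside_global": (d["og"], int(d["ogp"])),
        })
    return rows


def hosts_per_global(rows):
    """inside global address -> set of inside local addresses sharing it.
    More than one host behind one address is PAT (overload) in action."""
    shared = defaultdict(set)
    for r in rows:
        shared[r["inside_global"][0]].add(r["inside_local"][0])
    return dict(shared)


def destinations_per_host(rows):
    """inside local address -> sorted list of the outside global ip:port it talks to."""
    dests = defaultdict(set)
    for r in rows:
        dests[r["inside_local"][0]].add(r["outside_global"])
    return {host: sorted(v) for host, v in dests.items()}


def rewritten_ports(rows):
    """Rows where R1 had to pick a new global port because the host's port was taken."""
    return [r for r in rows if r["inside_global"][1] != r["inside_local"][1]]
```

In the lab output every row keeps the host's own source port, which is what `ip nat inside source list ... overload` does while the port is free; the constructed 192.168.2.15 row reuses 49858 and is the only one `rewritten_ports()` reports. `hosts_per_global()` returning two hosts for 192.168.1.120 is the direct evidence that the address is overloaded rather than statically mapped.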