NAT
1. NAT (Network Address Translation) can be broadly classified as below:
1. Static NAT: Static NAT maps an unregistered (private) IP address to a registered (globally unique) IP address on a one-to-one basis.
The command used for this purpose is: ip nat inside source static <local-ip> <global-ip>,
where <local-ip> is the local IP address assigned to a host on the inside network, and
<global-ip> is the globally unique IP address under which that inside host appears to the outside world.
2. Dynamic NAT: Maps an unregistered IP address to a registered (globally unique) IP address drawn from a pool of registered addresses. The mapping is created when the inside host first sends traffic across the NAT boundary and is released when it times out, so the pool only needs to be as large as the number of hosts active at the same time; once the pool is exhausted, further hosts cannot be translated.
3. Overloading: A special case of dynamic NAT that maps multiple unregistered IP addresses to a single registered (globally unique) IP address by giving each session a distinct source port on that address. Dynamic NAT with overloading is also known as PAT (Port Address Translation).
4. Overlapping: This occurs when the addresses used on your internal network belong to a global address range that is registered to another network. In that case the internal addresses must be hidden from the outside network to avoid the duplication. NAT overlapping resolves this by mapping the internal addresses to globally unique addresses, using static or dynamic NAT, so that the outside network never sees the overlapping range.
2. 1. NAT allows several hosts to be connected to the Internet using fewer globally unique IP addresses, which conserves scarce public IPv4 address space. The terms public and global are used here in the sense that the addresses are globally unique and officially registered.
2. NAT supports load sharing across inside machines: with a rotary pool, incoming TCP connections to one global address are distributed to the inside hosts in a round-robin fashion.
3. NAT offers a limited degree of address hiding: the outside world sees only the inside global address, not the inside local address of the host that actually initiated the connection. With dynamic NAT and PAT this also means that an unsolicited inbound packet is dropped unless a translation entry already exists for it. This is a side effect of the translation table, not a security control: a static NAT entry exposes the mapped host to any inbound connection, NAT does not inspect or restrict the traffic it translates, and it is no substitute for an access-list or a stateful firewall on the outside interface.
4. One disadvantage of NAT is that it adds delay, since every packet crossing the NAT boundary has to be matched against the translation table and rewritten, including recomputation of the IP and TCP/UDP checksums.
5. Another disadvantage is that an application which carries IP addresses inside its payload (FTP and SIP are common examples) may not work properly, because NAT rewrites the addresses in the packet headers but not the copies embedded in the payload, unless an application-level gateway for that protocol is available on the NAT device.
3. When you are configuring NAT, NAT should be enabled on at least one inside and one outside interface. The command for enabling NAT on the inside interface is:
R(config-if)#ip nat inside
The command for enabling NAT on the outside interface is:
R(config-if)#ip nat outside
Remember to enter the appropriate interface configuration mode (interface <name>) before entering these commands. Usually, the inside interface will be an Ethernet interface facing the LAN, whereas the outside interface is the serial (or other WAN) interface facing the Internet.
The command ip nat inside source static <local ip> <global ip> configures address translation for static NAT.
The command ip nat inside source list <access-list-number> pool <name>
maps the access-list to the IP NAT pool when configuring dynamic NAT.
4. The following command configures a static NAT translation by mapping an inside local address to an inside global address.
ip nat inside source static 192.168.0.100 88.248.153.137
Here, 192.168.0.100 is the inside local address, and 88.248.153.137 is the inside global address. A packet leaving the inside network with source address 192.168.0.100 has it changed to 88.248.153.137 by the NAT device, and a packet arriving from outside with destination address 88.248.153.137 has it changed back to 192.168.0.100. Because the mapping is permanent and works in both directions, outside hosts can reach 192.168.0.100 at any time through the global address; if that host should only accept certain traffic, restrict it with an access-list on the outside interface.
5. Enabling dynamic NAT involves the following steps:
1. Defining a standard IP access-list that selects the inside hosts eligible for translation:
access-list <access-list-number> {permit | deny} <local-ip-address> [<wildcard-mask>]
2. Defining an IP NAT pool of inside global addresses:
ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} [type rotary]
Note that type rotary is optional. It indicates that the addresses in the pool identify inside hosts among which inbound TCP load is distributed; such a pool is referenced with ip nat inside destination list rather than ip nat inside source list.
3. Mapping the access-list to the IP NAT pool:
ip nat inside source list <access-list-number> pool <pool-name>
4. Enabling NAT on at least one inside and one outside interface, in interface configuration mode:
ip nat {inside | outside}
6. The syntax for enabling dynamic NAT with overloading, so that many inside hosts share one inside global IP address, is:
ip nat inside source list <access-list-number> pool <pool-name> overload
where <access-list-number> is the standard access list number and <pool-name> is the pool name.
Note that the option 'overload' specifies a many-to-one relationship: each session is distinguished by the port number assigned on the global address. If the global address is simply the address of the outside interface, the pool can be omitted and the interface named directly: ip nat inside source list <access-list-number> interface <outside-interface> overload.
This configuration is typically used when many hosts with private IP addresses need to access the Internet through a single globally unique IP address.
7. The following two statements are true about dynamic NAT translations:
1. The inside IP addresses eligible for address translation are defined in a standard IP access-list; an address the list does not permit (including by the implicit deny at the end of every access-list) is forwarded with its original source address, not translated.
2. Only packets moving between the inside and outside networks are translated. This is true even for static NAT: if a packet is destined for another host but does not need to cross the NAT boundary, its source and destination addresses are left alone, because translation is only performed on packets passing from an inside interface to an outside interface, or the reverse.
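To tie the static, dynamic and overload configurations above to what the translation table actually does, here is an added example in Python; it is not part of the original page and not Cisco's code. It parses a small constructed IOS configuration fragment (the interface names and the 192.168.0.0/24, 88.248.153.128/29 and 203.0.113.10 addresses are assumptions) and pushes packets through it, modelling the rules a practitioner cares about: no translation unless the packet crosses the inside/outside boundary, eligibility decided by the access-list and its implicit deny, PAT rewriting a clashing source port, replies admitted only when a table entry exists, and a static entry admitting any unsolicited inbound packet. Its simplifications are also assumptions: every dynamic rule is treated as overloaded (plain pool allocation is not modelled), only the host and wildcard forms of a standard access-list entry are parsed, and port selection keeps the original source port when free and otherwise takes the lowest unused port from 1024.

```python
"""Toy model of Cisco IOS inside-source NAT (static and PAT overload); an added example, not the page's own."""
import ipaddress
from collections import namedtuple

# Constructed config covering the steps in the text (names and addresses are assumed); the deny
# entry is there to show that access-list order and the implicit deny decide who gets translated.
IOS_CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 88.248.153.130 255.255.255.248
 ip nat outside
access-list 1 deny host 192.168.0.50
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat pool PUBLIC 88.248.153.131 88.248.153.131 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC overload
ip nat inside source static 192.168.0.100 88.248.153.137
"""

Packet = namedtuple("Packet", "src dst sport dport")

_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> integer, for mask arithmetic


class IosNat:
    def __init__(self, config):
        self.inside_nets, self.acls, self.pools = [], {}, {}
        self.static = {}   # inside local -> inside global (permanent, bidirectional)
        self.dynamic = []  # (acl number, pool name, overload?)
        self.table = {}    # (local, lport, remote, rport) -> (global, gport)
        addr = None
        for t in (line.split() for line in config.strip().splitlines()):
            if t[0] == "interface":
                addr = None
            elif t[:2] == ["ip", "address"]:
                addr = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif t == ["ip", "nat", "inside"]:
                self.inside_nets.append(addr)
            elif t[0] == "access-list":  # 'host A' or 'A wildcard' entries only
                net, wild = (_ip(t[4]), 0) if t[3] == "host" else (_ip(t[3]), _ip(t[4]))
                self.acls.setdefault(t[1], []).append((t[2] == "permit", net, wild))
            elif t[:3] == ["ip", "nat", "pool"]:
                self.pools[t[3]] = [str(ipaddress.IPv4Address(a)) for a in range(_ip(t[4]), _ip(t[5]) + 1)]
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                self.dynamic.append((t[5], t[7], t[-1] == "overload"))
            elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
                self.static[t[5]] = t[6]

    def _inside(self, addr):
        return any(ipaddress.IPv4Address(addr) in n for n in self.inside_nets)

    def _permitted(self, acl, addr):
        a = _ip(addr)
        for permit, net, wild in self.acls.get(acl, []):
            if (a | wild) == (net | wild):  # first matching entry wins
                return permit
        return False  # implicit deny at the end of every IOS access-list

    def outbound(self, pkt):
        """Inside -> outside: the translated packet, or the packet unchanged if no rule applies."""
        if not self._inside(pkt.src) or self._inside(pkt.dst):
            return pkt  # not crossing the NAT boundary: never translated
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            for acl, pool, overload in self.dynamic:
                if self._permitted(acl, pkt.src) and overload:  # plain (non-overload) pools not modelled
                    used = {gp for _, gp in self.table.values()}  # keep the source port if it is free
                    gport = next(p for p in (pkt.sport, *range(1024, 65536)) if p not in used)
                    self.table[key] = (self.pools[pool][0], gport)
                    break
            else:
                return pkt  # access-list denies: forwarded with its private source untouched
        g, gp = self.table[key]
        return Packet(g, pkt.dst, gp, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: static entries admit anything, PAT admits only matching replies."""
        for local, glob in self.static.items():
            if pkt.dst == glob:
                return Packet(pkt.src, local, pkt.sport, pkt.dport)
        for (local, lport, remote, rport), (g, gp) in self.table.items():
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) == (g, gp, remote, rport):
                return Packet(pkt.src, local, pkt.sport, lport)
        return None  # no translation entry: dropped at the outside interface


def demo():
    nat = IosNat(IOS_CONFIG)
    web = "203.0.113.10"  # documentation-range address standing in for an Internet host
    r = {"pat_first": nat.outbound(Packet("192.168.0.10", web, 40000, 443))}
    r["pat_clash"] = nat.outbound(Packet("192.168.0.11", web, 40000, 443))  # same source port
    r["inside_only"] = nat.outbound(Packet("192.168.0.10", "192.168.0.100", 40000, 22))
    r["acl_denied"] = nat.outbound(Packet("192.168.0.50", web, 40000, 80))
    r["reply"] = nat.inbound(Packet(web, r["pat_clash"].src, 443, r["pat_clash"].sport))
    r["unsolicited_pat"] = nat.inbound(Packet(web, "88.248.153.131", 12345, 22))
    r["unsolicited_static"] = nat.inbound(Packet(web, "88.248.153.137", 12345, 22))
    return r
```

Calling demo() returns the seven scenarios keyed by name. The second host's port 40000 becomes 1024 on the shared global address, the inside-to-inside and access-list-denied packets come back untouched, the reply to the rewritten session is mapped back to 192.168.0.11:40000, the unsolicited packet to the PAT address is dropped (None), and the unsolicited packet to 88.248.153.137 is delivered to 192.168.0.100, which is exactly why a static entry needs an access-list in front of it.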