gurfin / ENCOR #12 - NAT

Created Mon, 24 Mar 2025 13:16:00 +0100 Modified Mon, 24 Mar 2025 22:04:46 +0000
786 Words

In the beginning, God created IPv4

When the internet was first created, large public IPv4 address blocks were handed out to organizations. As internet usage grew, it became apparent that the available IPv4 address space would not be enough.
One of the most widely implemented solutions to this problem is Network Address Translation (NAT), which allows Layer 3 capable devices to rewrite source and/or destination addresses. Private IP addresses (defined in RFC 1918) are used for internal network communication, and NAT translates them into public addresses whenever a device needs to communicate over the internet.

Getting in with the lingo

In order to communicate effectively about NAT, we first need to establish some useful terms. The first concept you need to be familiar with is that of inside and outside. Remember that the core purpose of NAT is to allow the private addresses in our network to communicate with other devices on the internet.
For the purposes of NAT, inside signifies the IP addresses that are in your internal network, such as an RFC 1918 address. In contrast, outside signifies the IP address that you are trying to reach on the internet.

Once you are familiar with inside and outside, we can move on to local and global. These can be thought of as different viewpoints of the network: the local viewpoint is the source and destination IP addresses as seen on your internal network, while global signifies the source and destination IP addresses as seen on the internet.

[Diagram: NAT lingo]

Types of NAT

There are a few different types of NAT. The two main categories are Source NAT (SNAT) and Destination NAT (DNAT). These refer to which part of the packet is being translated during the initial flow. The diagram above is an example of a SNAT operation being performed.

Static NAT

Once you've chosen which kind of NAT to perform, there are multiple methods available. The simplest is known as Static NAT, commonly referred to as 1:1 NAT (pronounced "one-to-one NAT"). This method simply translates one IP address to another, statically.
Here is an example of configuring this on a Cisco IOS XE device:

ip nat inside source static 10.44.0.101 8.8.8.8

Dynamic NAT

Another useful method is to draw from a dynamic pool in what is known as, you guessed it, Dynamic NAT. This allows the NAT process to select an IP address from a pool of available addresses, which effectively creates the equivalent of a Static NAT using the chosen IP address for a 24 hour period.
Usually this is set up for an entire network rather than a single inside address, which is achieved by using an ACL to select the inside addresses.
Here is the example configuration for setting this up on a Cisco IOS XE device:

ip nat pool public_ip_pool 8.8.8.8 8.8.8.9 prefix-length 28
ip access-list standard my_inside_networks
 permit 10.44.0.0 0.0.0.255
ip nat inside source list my_inside_networks pool public_ip_pool

NAT overload

If you want to connect a lot of devices to the internet, the most reasonable method for NATing their addresses is NAT Overload, commonly referred to as Port Address Translation (PAT). This allows the router to use the Layer 4 source port of each flow so that multiple inside local addresses can share a single inside global address. This is probably the most common setup for connecting branch offices via DIA circuits.
Here is an example on Cisco IOS XE:

ip nat inside source route-map NAT-ISP-PRIMARY interface GigabitEthernet0/0/0 overload
route-map NAT-ISP-PRIMARY permit 10
 match interface GigabitEthernet0/0/0
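The three methods above are easier to compare side by side than one config snippet at a time, so here is a small Python model of inside-source NAT that runs one flow through a static 1:1 entry, a two-address dynamic pool (including what happens when the pool runs out), and PAT on a single overload address, then translates a reply back. This is an added example written for this post, not Cisco code and not the router's actual algorithm: the 10.44.0.0/24 inside network plays the role of the ACL, the 203.0.113.x and 198.51.100.x addresses are constructed TEST-NET values, and the PAT port selection (keep the original source port when free, otherwise lowest unused port from 1024) is a simplification.

```python
"""Toy model of inside-source NAT in the three flavours configured above: static
1:1, dynamic pool, and PAT/overload.  Added example for this post, not Cisco code.
Addresses are constructed: 10.44.0.0/24 is the inside network (the ACL) and
203.0.113.0/28 (TEST-NET-3) stands in for the public side."""
from dataclasses import dataclass
from itertools import chain
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT looks at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatExhausted(Exception):
    """No free inside-global address (or port): the packet is dropped."""


class InsideSourceNat:
    def __init__(self, mode: str, inside_prefix: str,
                 static_map: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None,
                 overload_ip: Optional[str] = None) -> None:
        if mode not in ("static", "dynamic", "pat"):
            raise ValueError(mode)
        self.mode = mode
        self.inside = ipaddress.ip_network(inside_prefix)   # plays the role of the ACL
        self.static_map = dict(static_map or {})            # inside local -> inside global
        self.free_pool = list(pool or [])                   # unused inside-global addresses
        self.overload_ip = overload_ip
        self.dynamic: Dict[str, str] = {}                   # inside local -> inside global
        # PAT keeps "extended" entries on the whole 5-tuple, as in the show output below.
        # fwd: (proto, local, lport, dst, dport) -> global port
        # rev: (proto, global, gport, dst, dport) -> (local, lport)
        self.fwd: Dict[Tuple[str, str, int, str, int], int] = {}
        self.rev: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def _global_for(self, p: Packet) -> Tuple[str, int]:
        """Pick (inside global address, source port) for an outbound packet."""
        if self.mode == "static":
            if p.src not in self.static_map:
                raise NatExhausted(f"no static entry for {p.src}")
            return self.static_map[p.src], p.sport
        if self.mode == "dynamic":
            if p.src not in self.dynamic:
                if not self.free_pool:
                    raise NatExhausted("dynamic pool exhausted")
                self.dynamic[p.src] = self.free_pool.pop(0)   # held until the entry ages out
            return self.dynamic[p.src], p.sport
        # PAT: keep the original source port when it is free for this destination,
        # otherwise take the lowest unused port >= 1024 (a simplification of IOS).
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.fwd:
            for gport in chain((p.sport,), range(1024, 65536)):
                if (p.proto, self.overload_ip, gport, p.dst, p.dport) not in self.rev:
                    break
            else:
                raise NatExhausted("no free port on the overload address")
            self.fwd[key] = gport
            self.rev[(p.proto, self.overload_ip, gport, p.dst, p.dport)] = (p.src, p.sport)
        return self.overload_ip, self.fwd[key]

    def outbound(self, p: Packet) -> Packet:
        """In -> out.  Inside local (plus port under PAT) is rewritten to inside global.
        Outside local and outside global stay identical: nothing rewrites the destination."""
        if ipaddress.ip_address(p.src) not in self.inside:
            return p                                        # ACL does not match: routed untranslated
        g_ip, g_port = self._global_for(p)
        return Packet(p.proto, g_ip, g_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Out -> in.  Returns None when no entry matches, which is what the
        'Out-to-in drops' counter in show ip nat statistics counts."""
        if self.mode == "pat":
            hit = self.rev.get((p.proto, p.dst, p.dport, p.src, p.sport))
            return None if hit is None else Packet(p.proto, p.src, p.sport, hit[0], hit[1])
        table = self.static_map if self.mode == "static" else self.dynamic
        for local, glob in table.items():
            if glob == p.dst:
                return Packet(p.proto, p.src, p.sport, local, p.dport)
        return None


def demo() -> dict:
    """Push one flow through each mode and return what came out."""
    web = ("198.51.100.20", 443)                             # constructed outside host
    out: dict = {}
    static = InsideSourceNat("static", "10.44.0.0/24", static_map={"10.44.0.101": "203.0.113.1"})
    out["static"] = static.outbound(Packet("tcp", "10.44.0.101", 50000, *web))
    dyn = InsideSourceNat("dynamic", "10.44.0.0/24", pool=["203.0.113.2", "203.0.113.3"])
    for host in ("10.44.0.10", "10.44.0.11"):
        dyn.outbound(Packet("tcp", host, 50000, *web))
    try:                                                     # third host finds the pool empty
        dyn.outbound(Packet("tcp", "10.44.0.12", 50000, *web))
        out["dynamic_third"] = "translated"
    except NatExhausted:
        out["dynamic_third"] = "dropped"
    pat = InsideSourceNat("pat", "10.44.0.0/24", overload_ip="203.0.113.4")
    first = pat.outbound(Packet("tcp", "10.44.0.10", 10101, *web))
    second = pat.outbound(Packet("tcp", "10.44.0.11", 10101, *web))   # same port, same server
    out["pat"] = (first, second)
    out["pat_reply"] = pat.inbound(Packet("tcp", web[0], web[1], second.src, second.sport))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The dynamic case is the one to watch operationally: once the pool is empty the third host is simply dropped, and under PAT the shared address's port space is the equivalent limit. The `inbound` lookup also shows why unsolicited traffic from the internet to a dynamic or PAT address goes nowhere: with no matching entry there is no inside host to deliver it to.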

Useful show commands

Here are some useful show commands for NAT on Cisco IOS XE:

show ip nat statistics

router#show ip nat statistics
Total active translations: 2110 (0 static, 2110 dynamic; 2110 extended)
Outside interfaces:
  GigabitEthernet0/0/0, GigabitEthernet0/0/1, Cellular0/2/0
Inside interfaces:
  Vlan1, Vlan10, Vlan20, Vlan30, Vlan40, Vlan50, Vlan110, Vlan123
Hits: 8827481134  Misses: 36512524
Expired translations: 36510160
Dynamic mappings:
-- Inside Source
[Id: 1] route-map NAT-ISP-PRIMARY interface GigabitEthernet0/0/0 refcount 2105
[Id: 2] route-map NAT-ISP-SECONDARY interface Cellular0/2/0 refcount 5
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
longest chain in local hash: 0, average length 0, chains 0/2048
In-to-out drops: 5374742  Out-to-in drops: 1749635
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

show ip nat translations

router#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
tcp  x.x.x.x:11140  10.100.10.192:62614   y.y.y.y:443     y.y.y.y:443
tcp  x.x.x.x:10101  10.100.21.116:10101   169.254.136.10:60214  169.254.136.10:60214
tcp  x.x.x.x:10101  10.100.21.116:10101   169.254.136.10:33110  169.254.136.10:33110
udp  x.x.x.x:9056   10.100.10.192:51015   z.z.z.z:443       z.z.z.z:443
tcp  x.x.x.x:10101  10.100.21.116:10101   169.254.136.10:57682  169.254.136.10:57682
tcp  x.x.x.x:10101  10.100.21.116:10101   169.254.136.10:60632  169.254.136.10:60632
udp  x.x.x.x:8326   10.100.20.20:56381    a.a.a.a:9930    a.a.a.a:9930
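Both outputs are worth more than an eyeball check: the translations table tells you which inside host holds the most entries (a busy server, a scanner, or malware fanning out, and under PAT the host that will exhaust the shared ports first), and the statistics give you counters you can trend. Here is an added Python example, written for this post and not part of Cisco IOS, that parses both formats as shown above. The translations sample is constructed in the same layout with TEST-NET addresses in place of the masked x.x.x.x ones, plus a static entry in the `---` form IOS uses for entries without ports; the statistics sample reuses the counter lines from the output above.

```python
"""Parse the two show commands above into something a monitoring script can alert
on: per-host translation counts from 'show ip nat translations' and the counters
from 'show ip nat statistics'.  Added example for this post, not Cisco code.  The
samples are constructed to match the format shown above, with the masked public
addresses replaced by TEST-NET values."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Addr = Tuple[str, Optional[int]]            # (ip, port); port is None for static entries

SAMPLE_TRANSLATIONS = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  203.0.113.4:11140     10.100.10.192:62614   198.51.100.20:443     198.51.100.20:443
tcp  203.0.113.4:10101     10.100.21.116:10101   169.254.136.10:60214  169.254.136.10:60214
tcp  203.0.113.4:10101     10.100.21.116:10101   169.254.136.10:33110  169.254.136.10:33110
udp  203.0.113.4:9056      10.100.10.192:51015   198.51.100.21:443     198.51.100.21:443
tcp  203.0.113.4:10101     10.100.21.116:10101   169.254.136.10:57682  169.254.136.10:57682
tcp  203.0.113.4:10101     10.100.21.116:10101   169.254.136.10:60632  169.254.136.10:60632
udp  203.0.113.4:8326      10.100.20.20:56381    198.51.100.22:9930    198.51.100.22:9930
--- 203.0.113.1           10.44.0.101           ---                   ---
"""

SAMPLE_STATISTICS = """\
Total active translations: 2110 (0 static, 2110 dynamic; 2110 extended)
Hits: 8827481134  Misses: 36512524
Expired translations: 36510160
In-to-out drops: 5374742  Out-to-in drops: 1749635
Pool stats drop: 0  Mapping stats drop: 0
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]                     # None when IOS prints '---' (static, no port)
    inside_global: Addr
    inside_local: Addr
    outside_local: Optional[Addr]
    outside_global: Optional[Addr]


def _addr(field: str) -> Optional[Addr]:
    """'203.0.113.4:11140' -> ('203.0.113.4', 11140); '---' -> None."""
    if field == "---":
        return None
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)


def parse_translations(text: str) -> List[Translation]:
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":      # header, blank, or unexpected line
            continue
        proto = None if cols[0] == "---" else cols[0]
        ig, il, ol, og = (_addr(c) for c in cols[1:])
        entries.append(Translation(proto, ig, il, ol, og))
    return entries


def translations_per_inside_host(entries: Iterable[Translation]) -> Counter:
    return Counter(e.inside_local[0] for e in entries)


def heavy_hosts(entries: Iterable[Translation], threshold: int) -> List[Tuple[str, int]]:
    """Inside-local hosts holding at least `threshold` entries, busiest first."""
    counts = translations_per_inside_host(entries)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


_STAT_PATTERNS = {
    "active": r"Total active translations: (\d+)",
    "static": r"\((\d+) static",
    "dynamic": r"(\d+) dynamic",
    "hits": r"Hits: (\d+)",
    "misses": r"Misses: (\d+)",
    "expired": r"Expired translations: (\d+)",
    "in_to_out_drops": r"In-to-out drops: (\d+)",
    "out_to_in_drops": r"Out-to-in drops: (\d+)",
    "pool_drops": r"Pool stats drop: (\d+)",
}


def parse_statistics(text: str) -> Dict[str, int]:
    stats = {}
    for name, pattern in _STAT_PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            stats[name] = int(m.group(1))
    return stats


def miss_ratio(stats: Dict[str, int]) -> float:
    """Share of packets that needed a new entry.  The first packet of every flow is a
    miss, so trend this over time alongside the drop counters rather than alarming on it."""
    total = stats.get("hits", 0) + stats.get("misses", 0)
    return stats.get("misses", 0) / total if total else 0.0


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_TRANSLATIONS)
    print("heavy hosts:", heavy_hosts(entries, 3))
    stats = parse_statistics(SAMPLE_STATISTICS)
    print("active:", stats["active"], "miss ratio: %.4f" % miss_ratio(stats))
```

On the sample, `heavy_hosts(entries, 3)` singles out 10.100.21.116 with four entries; a real table of a few thousand entries is where a threshold relative to the median host becomes useful. A non-zero `Pool stats drop` on the dynamic pool, or `Out-to-in drops` climbing faster than usual, are the counters worth graphing from `parse_statistics`.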