With the development of the Internet and the growth of network applications, the limited supply of IPv4 public addresses has become a bottleneck restricting network development. Enterprise intranets usually use private IP addresses, while the Internet uses public IP addresses. Network Address Translation (NAT) is required for computers using private addresses to access the Internet (the public network).

NAT is mainly used to let hosts on an intranet access the extranet. On the one hand, NAT alleviates the shortage of IPv4 addresses; on the other hand, NAT makes it impossible for the extranet to communicate directly with an intranet that uses private addresses, which enhances the security of the intranet.

NAT is divided into static NAT, dynamic NAT, Network Address and Port Translation (NAPT), easy IP and NAT server. When an enterprise intranet actively accesses the extranet, it usually uses static NAT, dynamic NAT, NAPT or easy IP. If an enterprise server is deployed on the enterprise intranet (private network) and computers on the Internet are to be allowed to access it, NAT server must be configured on the router connected to the Internet.

10.1 Public Addresses and Private Addresses

As the number of Internet users grows, public IP address resources become increasingly scarce. At the same time, IPv4 public addresses are distributed unevenly, which leaves some regions with a serious shortage of available public IPv4 addresses. Transition technologies are therefore essential to address the shortage of public IPv4 addresses.

The public network refers to the Internet, and public IP addresses are the globally and uniformly planned IP addresses used on the Internet. Their address blocks cannot overlap. Routers on the Internet can forward packets whose destination addresses are public addresses.

Within the IP address space, each of the three address classes A, B and C reserves a portion of its addresses as private addresses. Private addresses cannot appear on the public network and can only be used on intranets; routers on the Internet have no routes to private addresses.

The private address ranges reserved in Class A, B and C are as follows.

Class A addresses: 10.0.0.0 to 10.255.255.255.

Class B addresses: 172.16.0.0 to 172.31.255.255.

Class C addresses: 192.168.0.0 to 192.168.255.255.

The intranet of an enterprise or school can choose an appropriate private address segment according to the number of computers and the size of the network. Small enterprise or home networks can choose the reserved Class C private addresses, and medium and large enterprise networks can choose the reserved Class B or Class A private addresses. As shown in Fig. 10.1, School A chooses 10.0.0.0/8 as its intranet address range, and School B also chooses 10.0.0.0/8. Because the networks of these two schools do not need to communicate with each other now and do not intend to in the future, it does not matter that they use the same network segment or overlapping addresses. If the networks of School A and School B need to communicate with each other in the future, they cannot use overlapping addresses, so both schools would need to replan their intranet addresses.

Fig. 10.1 Private addresses

Using private addresses on the enterprise intranet reduces the consumption of public addresses. NAT is typically deployed on border routers, such as the company router that connects to the Internet. NAT has the following typical advantages.

  • With NAPT, an enterprise private network can use a single public address when accessing the Internet, which saves public IP addresses.

  • When the ISP is changed, intranet addresses do not have to change, which makes the Internet connection more flexible.

  • The private network is not directly reachable from the Internet, which improves the security of the intranet.

However, NAT also has the following disadvantages.

  • Configuring NAT or NAPT on the router requires modifying the network layer and transport layer headers of each packet, and keeping a record of the address and port translation correspondences in the router. This adds forwarding delay compared with plain routing and consumes more router resources.

  • When a private address is used to access the Internet, the source address is replaced with a public address. If a student at a school posts a message on a forum, the forum can only record the poster’s IP address as the school’s public address; there is no way to trace which intranet address it came from, so end-to-end IP tracking is not possible.

  • The public network cannot access private computers; port mapping is required if such access is needed.

  • Certain applications cannot run across NAT, for example IPSec, which does not allow packets to be modified by intermediate devices.

10.2 NAT Types

NAT can be divided into five types: static NAT, dynamic NAT, NAPT, easy IP, and NAT server.

10.2.1 Static NAT

Static NAT is configured on the router connecting the private network and the public network. Each private address has a corresponding fixed public address, that is, a one-to-one mapping from private address to public address, so this type of NAT does not save public IP addresses.

Static NAT supports two-way access. When a private address accesses the Internet, the NAT device at the egress translates it to the corresponding public address. At the same time, when the extranet accesses the intranet, the public address (destination address) carried in the packet is translated by the NAT device into the corresponding private address.

As shown in Fig. 10.2, static mappings are configured on router R1: when intranet host 192.168.1.2 accesses the Internet, the source IP address is replaced with public address 12.2.2.2, and when intranet host 192.168.1.3 accesses the Internet, the source IP address is replaced with public address 12.2.2.3. Figure 10.2 shows the source and destination addresses of the packets on the intranet when PC1 and PC2 access the Web server, and their source and destination addresses after they are sent to the Internet; it also shows the source and destination addresses on the Internet of the packets sent by the Web server to PC1 and PC2, as well as their source and destination addresses after they enter the intranet.

Fig. 10.2 Static NAT illustration

PC3 cannot access the Internet because no public address is specified on router R1 to replace IP address 192.168.1.4. With static NAT configured, computers on the Internet can access PC1 on the intranet via 12.2.2.2 and PC2 on the intranet via 12.2.2.3.

10.2.2 Dynamic NAT

Static NAT strictly enforces one-to-one address mapping, so the corresponding public address remains occupied even if the intranet host is offline or does not send data for a long time. To avoid this waste of addresses, dynamic NAT introduces the concept of an address pool, formed from all available public addresses.

When an internal host accesses the extranet, it is temporarily assigned an unused address from the address pool and that address is marked “In Use”. When the host no longer accesses the extranet, the assigned address is reclaimed and marked “Not in Use”.

Dynamic NAT is configured on the router that connects the private and public networks: a public address pool (address range) is created on the router, an ACL defines which addresses need to be translated, and no particular public address is tied to any particular private address. When an intranet computer accesses the Internet, the router randomly selects an unused public address from the pool to replace the source address. Dynamic NAT only allows the intranet to actively access the Internet; computers on the Internet are not allowed to actively access computers on the intranet through the public addresses. This is different from static NAT.

As shown in Fig. 10.3, there are four computers on the intranet and three public IP addresses in the public address pool, so only three intranet computers can access the Internet at the same time. Which computers get access depends on which come online first. PC4 in the figure has no public address available, so it cannot access the Internet.

Fig. 10.3 Dynamic NAT

10.2.3 NAPT

With dynamic NAT, one public address is still mapped to one private address at a time, which does not improve the utilization of public addresses. In contrast, when NAPT selects addresses from the address pool for translation, it translates not only IP addresses but also port numbers, realizing a one-to-many mapping from public to private addresses and thus effectively improving the utilization of public addresses.

If the number of public addresses used for NAT is smaller than the number of computers on the intranet, the intranet computers use the IP addresses in the public address pool to access the Internet, and outbound packets have both their source IP address and source port replaced. The router keeps a table recording the address and port translations, as shown in Fig. 10.4.

Fig. 10.4 Illustration of network address port translation

Source ports (the public ports in Fig. 10.4) are assigned by the router and are never duplicated. When router R1 receives a returned packet, it determines which intranet computer the packet belongs to from the destination port. This is network address port translation (NAPT), and applying NAPT saves public addresses.

NAPT only allows computers on the intranet to initiate access to the Internet; computers on the Internet cannot initiate communication with computers on the intranet, which makes the intranet invisible to the Internet.

10.2.4 Easy IP

Easy IP works on the same principle as NAPT, translating IP addresses and transport layer ports at the same time. The difference is that easy IP has no concept of an address pool: it uses the address of the outbound interface as the public address for NAT translation.

Easy IP is suitable for scenarios where fixed public addresses are not available. For example, a network egress that obtains its address through DHCP or PPPoE dial-up can directly use the dynamically obtained address for translation.

As shown in Fig. 10.5, easy IP does not need a public IP address pool, because it uses only one public address: the IP address of interface GE 0/0/1 of router R1. Easy IP also creates and maintains a dynamic address and port mapping table, and binds the public IP address in this table to the IP address of interface GE 0/0/1. If the IP address of interface GE 0/0/1 of R1 changes, the public IP address in this table changes automatically. The IP address of interface GE 0/0/1 can be configured manually or assigned dynamically.

Fig. 10.5 Easy IP

In all other respects, easy IP is the same as NAPT, so it is not repeated here.

10.3 Implementation of NAT

As shown in Fig. 10.6, the enterprise intranet uses private address segment 192.168.0.0/24, and router AR1 is connected to the Internet with a default route pointing to the address of interface GE 0/0/0 of AR2. AR2 represents the ISP’s router on the Internet and has no route to the private network. The ISP assigns three public addresses to the enterprise, 12.2.2.1, 12.2.2.2 and 12.2.2.3, of which 12.2.2.1 is assigned to AR1’s interface GE 0/0/1.

Fig. 10.6 Configure static NAT

Now static NAT is to be configured on router AR1 so that the IP address PC1 uses to access the Internet is replaced with 12.2.2.2 and the IP address PC2 uses is replaced with 12.2.2.3. Address 12.2.2.1 has already been assigned to AR1’s interface GE 0/0/1, so it can no longer be used for static mapping.

Before static NAT is configured, computers on the intranet cannot access computers on the Internet. Think about why: is it because the packets cannot reach the destination address, or because the response packets sent by the computers on the Internet cannot be returned to the intranet?

There are two ways to configure static NAT: in the interface view and in the system view.

Here is an example of configuring static NAT on AR1 in the interface view.

[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat static global 12.2.2.2 inside 192.168.0.2
[AR1-GigabitEthernet0/0/1]nat static global 12.2.2.3 inside 192.168.0.3

Here is an example of configuring static NAT mapping on AR1 in the system view.

[AR1]nat static global 12.2.2.2 inside 192.168.0.2
[AR1]nat static global 12.2.2.3 inside 192.168.0.3
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat static enable        --Enable static NAT in the interface view

View static NAT mapping in AR1.

<AR1>display nat static
  Static Nat Information:
  Interface  : GigabitEthernet0/0/1
    Global IP/Port     : 12.2.2.2/----
    Inside IP/Port     : 192.168.0.2/----
    Protocol : ----          VPN instance-name  : ----
    Acl number         : ----
    Netmask  : 255.255.255.255    Description : ----

    Global IP/Port     : 12.2.2.3/----
    Inside IP/Port     : 192.168.0.3/----
    Protocol : ----          VPN instance-name  : ----
    Acl number         : ----
    Netmask  : 255.255.255.255    Description : ----

  Total :    2

After the configuration is complete, PC1 and PC2 can ping 20.1.2.2, while PC3 cannot ping the IP addresses of computers on the Internet. PC4 on the Internet can access PC1 on the intranet through address 12.2.2.2 and PC2 on the intranet through address 12.2.2.3.

After the test is complete, delete the static NAT settings. For the static NAT configured in the interface view, enter the following commands to delete the configuration.

[AR1-GigabitEthernet0/0/1]undo nat static global 12.2.2.2 inside 192.168.0.2
[AR1-GigabitEthernet0/0/1]undo nat static global 12.2.2.3 inside 192.168.0.3

For the static NAT configured in system view, enter the following commands to delete the configuration.

[AR1]undo nat static global 12.2.2.2 inside 192.168.0.2
[AR1]undo nat static global 12.2.2.3 inside 192.168.0.3
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]undo nat static enable

10.4 Implementation of NAPT

In this section the network environment is that of Fig. 10.6. The ISP assigns public addresses 12.2.2.1, 12.2.2.2 and 12.2.2.3 to the enterprise. 12.2.2.1 is assigned to interface GE 0/0/1 of router AR1, while the other two public addresses, 12.2.2.2 and 12.2.2.3, are used by the intranet computers for NAPT.

Create a public address pool on router AR1.

[AR1]nat address-group 1 ?                    --Specify the number of the public address pool as 1
  IP_ADDR<X.X.X.X>  Start address
[AR1]nat address-group 1 12.2.2.2 12.2.2.3    --Specify the start address and end address

If there are multiple network segments on the enterprise intranet, perhaps only certain segments are permitted to access the Internet. Use an ACL to define the intranet segments that are allowed to access the Internet through NAPT. In this case, there is only one network segment on the intranet.

[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.0.255
[AR1-acl-basic-2000]rule deny
[AR1-acl-basic-2000]quit

Configure NAPT for interface GigabitEthernet 0/0/1 connected to the Internet on AR1.

[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 ?    --Specify the public address pool to use
  no-pat  Not use PAT                                             --With no-pat, it is dynamic NAT
  <cr>    Please press ENTER to execute command
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1      --Without no-pat, it is NAPT

From PC1, PC2 and PC3, ping PC4 on the Internet to test whether the network is connected.

10.5 Implementation of Easy IP

As shown in Fig. 10.7, the enterprise intranet uses private address segment 192.168.0.0/24, and the ISP assigns the enterprise only one public address, 12.2.2.1/24. Configure NAPT on AR1 so that computers on the intranet use the public address of interface GE 0/0/1 of router AR1 for address translation when accessing the Internet.

Fig. 10.7 Use an extranet interface address for NAPT

If there are multiple network segments on the enterprise intranet, perhaps only certain segments are permitted to access the Internet. Use an ACL to define the intranet segments that are allowed to access the Internet through NAPT. In this case, there is only one network segment on the intranet.

[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.0.255
[AR1-acl-basic-2000]rule deny
[AR1-acl-basic-2000]quit

Configure NAPT for interface GigabitEthernet 0/0/1 connected to the Internet on AR1.

[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000    --Specify the ACL that allows NAPT

10.6 NAT Server

10.6.1 Application Scenarios of NAT Server

When a server on the private network needs to provide service to the public network, NAT server must be configured on the router to specify a one-to-one mapping between [public address: port] and [private address: port], which publishes the intranet server on the public network. A public host accesses [public address: port] in order to reach the intranet server.

As shown in Fig. 10.8, router RA connects the intranet to the Internet, and computers on the Internet are to be allowed to access the website on the intranet Web server. To enable this, configure a NAT server on router RA, which essentially adds a static entry to the NAT mapping table that maps TCP port 80 of the public address to TCP port 80 of the intranet Web server.

Fig. 10.8 NAT server

In Fig. 10.8, a packet from PC4 on the Internet is sent to TCP port 80 of address 12.2.2.8. After receiving the packet, router RA looks up the NAT mapping table, finds the corresponding [private address: port] for the [public address: port], translates the destination address and port of the IP packet, and forwards the packet to the Web server on the intranet.

When router RA receives the packet returned by the Web server to PC4, it translates the source IP address and port according to the NAT mapping table and then sends the packet to PC4.
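To make the two tables concrete, the following is an added Python model (not code from the book or from Huawei’s VRP) of a router that keeps a NAPT table in the easy IP flavour of Sect. 10.2.4 and the static NAT-server entries described in this section. It replays the flows of Figs. 10.4 and 10.8 with constructed packets: the addresses 12.2.2.1, 12.2.2.8, 20.1.2.2 and the 192.168.0.0/24 hosts come from the chapter, while the public port range, the source ports and the outside host 10.0.0.5 are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy model of AR1: NAPT in the easy IP flavour plus static 'nat server' entries."""

    def __init__(self, interface_ip, acl_prefix, first_port=10000):
        self.interface_ip = interface_ip  # easy IP: the GE 0/0/1 address is the public address
        self.acl_prefix = acl_prefix      # stands in for the source segment ACL 2000 permits
        self.next_port = first_port       # public ports are handed out by the router, never reused
        self.out_map = {}     # (proto, inside_ip, inside_port) -> (global_ip, global_port)
        self.in_map = {}      # (proto, global_ip, global_port) -> (inside_ip, inside_port)
        self.server_map = {}  # static entries with the same key shape as in_map

    def nat_server(self, proto, global_ip, global_port, inside_ip, inside_port):
        """Like: nat server protocol tcp global <gip> <gport> inside <iip> <iport>."""
        self.server_map[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Intranet -> Internet: rewrite the source. None means the ACL did not match."""
        # A reply from a published server leaves under its static global address:port.
        for (proto, gip, gport), inside in self.server_map.items():
            if (proto,) + inside == (pkt.proto, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=gip, src_port=gport)
        if not pkt.src_ip.startswith(self.acl_prefix):
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:  # first packet of this flow: allocate a public port
            gport, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = (self.interface_ip, gport)
            self.in_map[(pkt.proto, self.interface_ip, gport)] = (pkt.src_ip, pkt.src_port)
        gip, gport = self.out_map[key]
        return replace(pkt, src_ip=gip, src_port=gport)

    def inbound(self, pkt):
        """Internet -> intranet: rewrite the destination. None means dropped (no table entry)."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        target = self.in_map.get(key) or self.server_map.get(key)
        if target is None:
            return None  # unsolicited packet: private hosts stay invisible from the Internet
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def demo():
    """Replays Figs. 10.4 and 10.8 with constructed packets and returns the translations."""
    ar1 = NatRouter(interface_ip="12.2.2.1", acl_prefix="192.168.0.")
    ar1.nat_server("tcp", "12.2.2.8", 80, "192.168.0.2", 80)      # www -> Web server
    ar1.nat_server("tcp", "12.2.2.8", 4000, "192.168.0.4", 3389)  # 4000 -> PC3 remote desktop
    # Two intranet hosts pick the same source port towards the same Internet server (20.1.2.2).
    out1 = ar1.outbound(Packet("tcp", "192.168.0.3", 50000, "20.1.2.2", 80))
    out2 = ar1.outbound(Packet("tcp", "192.168.0.4", 50000, "20.1.2.2", 80))
    return {
        "out1": out1,
        "out2": out2,
        # the server's replies are steered back by the public port alone
        "reply1": ar1.inbound(Packet("tcp", "20.1.2.2", 80, out1.src_ip, out1.src_port)),
        "reply2": ar1.inbound(Packet("tcp", "20.1.2.2", 80, out2.src_ip, out2.src_port)),
        # a host outside the ACL's segment (constructed address) gets no translation
        "denied": ar1.outbound(Packet("tcp", "10.0.0.5", 50000, "20.1.2.2", 80)),
        # an unsolicited packet to an unmapped public port, versus the published Web server
        "probe": ar1.inbound(Packet("tcp", "20.1.2.2", 40000, "12.2.2.1", 3389)),
        "web": ar1.inbound(Packet("tcp", "20.1.2.2", 40000, "12.2.2.8", 80)),
        "web_reply": ar1.outbound(Packet("tcp", "192.168.0.2", 80, "20.1.2.2", 40000)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10} {pkt}")
```

Running the block shows the two same-numbered intranet source ports receiving distinct public ports, the unsolicited packet being dropped, and only the explicitly published [public address: port] reaching an intranet host.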

10.6.2 Implementation of NAT Server

As shown in Fig. 10.9, a company’s intranet uses network segment 192.168.0.0/24 and is connected to the Internet via router AR1, whose public IP address is 12.2.2.1. The Web server on the company’s intranet needs to be accessible to computers on the Internet, and employees of the company’s IT department have to use remote desktop to connect to Server1 and PC3 on the enterprise intranet after they return home from work.

Fig. 10.9 Configure NAT server

Websites are accessed with the HTTP protocol, which uses TCP port 80 by default, so TCP port 80 of 12.2.2.8 is mapped to TCP port 80 of 192.168.0.2 on the intranet.

Remote desktop uses the RDP protocol, which uses TCP port 3389 by default, so TCP port 3389 of 12.2.2.8 is mapped to TCP port 3389 of 192.168.0.3 on the intranet.

TCP port 3389 has already been mapped to Server1 on the intranet, so port 3389 cannot be used again for the remote desktop connection to PC3; instead, TCP port 4000 of 12.2.2.8 is mapped to port 3389 of 192.168.0.4 on the intranet. By connecting to TCP port 4000 of 12.2.2.8, you reach the remote desktop (port 3389) of PC3.

Configure easy IP on interface GE 0/0/1 of router AR1, so that the source address of packets from the intranet to the Internet is replaced with the public address of this interface. This example then configures NAT server using another public address, 12.2.2.8, as the NAT server address to allow Internet access to the Web server, Server1 and PC3’s remote desktop on the intranet.

On interface GigabitEthernet 0/0/1 of AR1, map TCP port 80 of public address 12.2.2.8 to port 80 of address 192.168.0.2 on the intranet.

[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.2.2.8 ?
  <0-65535>  Global port of NAT                    --It can be followed by a port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)             --www is equivalent to port 80
[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.2.2.8 www inside 192.168.0.2 www
Warning:The port 80 is well-known port. If you continue it may cause function failure. Are you sure to continue?[Y/N]:y

On interface GigabitEthernet 0/0/1 of AR1, map TCP port 3389 of public address 12.2.2.8 to port 3389 of address 192.168.0.3 on the intranet.

[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.2.2.8 3389 inside 192.168.0.3 3389

On interface GigabitEthernet 0/0/1 of AR1, map TCP port 4000 of public address 12.2.2.8 to port 3389 of address 192.168.0.4 on the intranet.

[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.2.2.8 4000 inside 192.168.0.4 3389

View the NAT Server configuration of interface GigabitEthernet 0/0/1 on AR1.

<AR1>display nat server interface GigabitEthernet 0/0/1
  Nat Server Information:
  Interface  : GigabitEthernet0/0/1
    Global IP/Port     : 12.2.2.8/80(www)
    Inside IP/Port     : 192.168.0.2/80(www)
    Protocol : 6(tcp)        VPN instance-name  : ----
    Acl number         : ----
    Description : ----

    Global IP/Port     : 12.2.2.8/3389
    Inside IP/Port     : 192.168.0.3/3389
    Protocol : 6(tcp)        VPN instance-name  : ----
    Acl number         : ----
    Description : ----

    Global IP/Port     : 12.2.2.8/4000
    Inside IP/Port     : 192.168.0.4/3389
    Protocol : 6(tcp)        VPN instance-name  : ----
    Acl number         : ----
    Description : ----

  Total :    3

10.7 Exercises

  1. As shown in Fig. 10.10, which NAT translation mode should be configured on router R1 so that Host A can access public networks and public network users can also actively access Host A? ( )

     A. Static NAT
     B. Dynamic NAT
     C. Easy IP
     D. NAPT

  2. As shown in Fig. 10.11, RTA uses NAT technology and defines an address pool to enable many-to-many non-NAPT address translation so that private network hosts can access public networks. Suppose there are only two public IP addresses in the address pool, that they have been assigned to Host A and Host B, and that address translation has been done. If Host C also wants to access public networks, which of the following descriptions is correct? ( )

     A. RTA assigns the first public address to Host C, and Host A is kicked offline
     B. RTA assigns the last public address to Host C, and Host B is kicked offline
     C. Host C cannot be assigned a public address and cannot access the public network
     D. All hosts take turns using the public addresses and all can access the public network

  3. (Multi-selection) Which of the following descriptions of NAT are correct? ( )

     A. NAT’s full name is Network Address Translation
     B. NAT is usually used to translate between private addresses and public addresses
     C. When a host on an intranet using a private address accesses an external public network, NAT is not used
     D. NAT technology has made a great contribution to solving the problem of IP address shortage

  4. A company has 50 private IP addresses in its network, the network administrator uses NAT technology to access the public network, and the company has only one public address available. Which of the following NAT translation methods meets the requirements? ( )

     A. Static translation
     B. Dynamic translation
     C. Easy IP
     D. NAPT

  5. NAPT allows multiple private IP addresses to be mapped to the same public IP address through different port numbers. Which of the following descriptions of the port numbers used by NAPT is correct? ( )

     A. You must manually configure the correspondence between the port number and the private address
     B. Only the range of port numbers needs to be configured
     C. There is no need to do any configuration regarding the port number
     D. The port number needs to be assigned using ACLs

  6. Which of the following options is the technology necessary to enable a host whose IP address is 10.0.0.1 to access the Internet? ( )

     A. Dynamic routing
     B. NAT
     C. Import-route
     D. Static routing

  7. As shown in Fig. 10.12, the following static NAT command is run on router R1. When the PC accesses the Internet, the destination address in the packet does not change. Is this statement correct? ( )

     A. Correct
     B. Incorrect

  8. When NAT uses dynamic address pools, the addresses in the pool can be reused, i.e., the same IP is mapped to multiple intranet IPs at the same time. Is this statement correct? ( )

     A. Correct
     B. Incorrect

Fig. 10.10 Communication illustration (1)

Fig. 10.11 Communication illustration (2)

Fig. 10.12 Static NAT configuration