NAT Project Report
1. INTRODUCTION
2. OPERATION
3. SYSTEM REQUIREMENTS
4. CONFIGURATION
5. SCOPE OF PROJECT
6. REFERENCES
Chapter No. 1
INTRODUCTION
Note: In this document, when the internet, or an internet device is referred to, it
means a device on any external network.
Overview
About Project
In today's Internet the two main problems related to the IP protocol are the shortage of IP addresses and scaling in routing. Long-term solutions to these problems are being developed, such as IPv6, but they will take time to be widely accepted. Meanwhile, short-term solutions are proposed and used that help to delay the problems for some time. One of these solutions is Network Address Translation (NAT), the implementation of which is the subject of our project.
The principle of NAT is IP address reuse, which can be applied in small and mid-range local networks. NAT uses the fact that in these environments a very small percentage of hosts are communicating outside their local domain at any given time. That is to say, almost all TCP/IP packets on the local network are destined to hosts in this local network, and thus these hosts can have IP addresses that are not globally unique. The NAT module placed at the border router of the domain performs IP address translation inside IP datagrams passing through it in both directions. When an IP datagram is sent from a local host to the Internet with a local IP address that is not globally unique, the NAT module substitutes it with a globally unique IP address taken from a pool, and sends the datagram out. In the reverse direction the reverse translation is needed.
Checksum in the IP header, because of changes in the header; also the TCP checksum, because it reflects changes in the IP addresses; and all places in the data portion of TCP, UDP, ICMP and other packets where source or destination IP addresses are stored.
Undoubtedly, it is impossible to do the right translation for all possible TCP/IP applications, so our implementation of NAT will support the general set of protocols and applications, such as FTP, Telnet, HTTP, ICMP and others.
Types of NAT
Static NAT
In this type, a single unregistered (private) IP address is mapped to a legally registered (public) IP address, i.e., there is a one-to-one mapping between local and global addresses. This is generally used for Web hosting. It is not used across whole organizations, because many devices need Internet access and each of them would need its own public IP address. For example, if 3000 devices need access to the Internet, the organization would have to buy 3000 public addresses, which would be very costly.
Dynamic NAT
In this type of NAT, an unregistered IP address is translated into a registered (public) IP address taken from a pool of public IP addresses. If no IP address in the pool is free, the packet is dropped, as only a fixed number of private IP addresses can be translated to public addresses at a time. For example, if there is a pool of 2 public IP addresses, then only 2 private IP addresses can be translated at a given time; if a third private IP address wants to access the Internet, its packet is dropped. Many private IP addresses are thus mapped to a pool of public IP addresses. Dynamic NAT is used when the number of users who want to access the Internet is fixed. This is also costly, as the organization has to buy many global IP addresses to make a pool.
NAT Terminology
Specific terms are used to identify the various NAT addresses:
• Inside Local – An IP address that is assigned to a host on the inside (local) network. The address is typically not one assigned by the service provider, i.e., these are private IP addresses. This is the inside host as seen from the inside network.
• Inside Global – The address that identifies an inside host to the outside world (usually a public address). Essentially, this is the dynamically or statically assigned public address given to a private host.
• Outside Global – The address assigned to an outside host (usually a public address).
• Outside Local – The address that identifies an outside host to the inside network. Often this is the same address as the Outside Global. However, it is occasionally necessary to translate an outside (usually public) address to an inside (usually private) address.
Chapter No. 2
OPERATION
Generally, the border router is configured for NAT, i.e., the router which has one interface in the local (inside) network and one interface in the global (outside) network. When a packet leaves the local (inside) network, NAT converts its local (private) IP address to a global (public) IP address. When a packet enters the local network, the global (public) IP address is converted back to a local (private) IP address.
If NAT runs out of addresses, i.e., no address is left in the configured pool, then the packets are dropped and an Internet Control Message Protocol (ICMP) host unreachable packet is sent to the destination.
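The pool behaviour described above, as an added example that is not part of the report: a small Python model of the border router's translation table, covering plain dynamic NAT (one global address per inside host; drop and signal ICMP host unreachable when the pool is empty) and overload/PAT (one shared address, unique translated port per flow). The pool addresses, timeout, port range and class name are constructed for the example.

```python
import time

class NatTable:
    """Border-router translation table: dynamic NAT from a pool, or PAT (overload)."""

    def __init__(self, pool, overload=False, idle_timeout=60.0):
        self.all_pool = list(pool)        # every global address we own (constructed sample)
        self.pool = list(pool)            # addresses currently free
        self.overload = overload          # PAT: share pool[0], distinguish flows by port
        self.idle_timeout = idle_timeout  # seconds before an idle entry is aged out
        self.entries = {}                 # (local_ip, local_port, proto) -> entry dict
        self.next_port = 1024             # next translated port handed out under overload

    def translate_out(self, local_ip, local_port, proto, now):
        """Outbound packet: return ('translated', entry) or ('drop', 'icmp-host-unreachable')."""
        self.expire(now)
        key = (local_ip, local_port, proto)
        if key in self.entries:                   # existing flow: refresh its timestamp
            self.entries[key]["timestamp"] = now
            return "translated", self.entries[key]
        if self.overload:
            global_ip, global_port = self.pool[0], self.next_port
            self.next_port += 1
        else:
            # Plain dynamic NAT maps the whole host: reuse the address it already holds.
            held = {e["local_ip"]: e["global_ip"] for e in self.entries.values()}
            if local_ip in held:
                global_ip = held[local_ip]
            elif self.pool:
                global_ip = self.pool.pop(0)
            else:                                 # pool exhausted: drop, signal ICMP
                return "drop", "icmp-host-unreachable"
            global_port = local_port
        entry = {"local_ip": local_ip, "local_port": local_port, "proto": proto,
                 "global_ip": global_ip, "global_port": global_port, "timestamp": now}
        self.entries[key] = entry
        return "translated", entry

    def translate_in(self, global_ip, global_port, proto):
        """Inbound reply: find the entry whose translated address/port it targets."""
        for e in self.entries.values():
            if (e["global_ip"], e["global_port"], e["proto"]) == (global_ip, global_port, proto):
                return e
        return None

    def expire(self, now):
        """Age out idle entries and return unused global addresses to the pool."""
        for key, e in list(self.entries.items()):
            if now - e["timestamp"] > self.idle_timeout:
                del self.entries[key]
        if not self.overload:
            in_use = {e["global_ip"] for e in self.entries.values()}
            self.pool = [ip for ip in self.all_pool if ip not in in_use]
```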
SYSTEM REQUIREMENTS
Hardware
1. Monitor
2. Keyboard
3. Mouse
Software
1. Windows 7 or more
2. Cisco Packet Tracer 7.0 or higher
S/W & H/W Requirement Specification
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Windows XP
This document is also not restricted to specific software and hardware versions.
Protocol Used
If the SYN flag is set, a TCP connection is being established, so we must trace the TCP 3-way handshake to be sure that a connection has been established, and then raise a flag in the Translation Table indicating that there is an active TCP connection in this entry. If the FIN flag is set, a TCP connection is being terminated, so we must trace the TCP connection shutdown mechanism to be sure that the connection has been closed. Then we clear the flag, and this entry can be cleared in case of a global IP address shortage.
Translation Table fields:
• Local_IP – The local IP address of the local host
• Global_IP
• Conn Protocol
• Timestamp
• TCP_State
ICMP
ICMP error messages contain the IP header plus the first 8 bytes of data of the original IP datagram that generated the problem. We need to fix the IP address in this header (inside the ICMP data field) and the ICMP checksum as well. The rest of the protocols need no changes in their headers and data.
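An added example, not from the report, showing the checksum work the translation requires: the source address of a constructed IPv4/TCP packet is rewritten the way the NAT module does on the outbound path, and both the IP header checksum and the TCP checksum (which covers a pseudo-header containing the IP addresses) are recomputed. The packet contents, addresses and function names are the example's own.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_tcp_checksum(ip_hdr: bytes, tcp: bytes) -> bytes:
    """Recompute the TCP checksum: it covers a pseudo-header with both IP addresses."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return zeroed[:16] + struct.pack("!H", checksum(pseudo + zeroed)) + zeroed[18:]

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a sample IPv4 + TCP SYN packet with correct checksums (constructed input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + fix_tcp_checksum(ip_hdr, tcp)

def translate_source(pkt: bytes, new_src: str) -> bytes:
    """NAT outbound rewrite: replace the source IP and repair the IP and TCP checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = bytearray(pkt[:ihl])
    ip_hdr[12:16] = socket.inet_aton(new_src)
    ip_hdr[10:12] = b"\x00\x00"                      # zero the field before recomputing
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + fix_tcp_checksum(bytes(ip_hdr), pkt[ihl:])

def checksums_ok(pkt: bytes) -> bool:
    """A packet with valid checksums sums to zero when the checksum fields are included."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0

def addresses(pkt: bytes):
    """(source, destination) dotted-quad addresses of an IPv4 packet."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
```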
Configuring Static NAT
Router(config)# ip nat inside source static 172.16.1.1 158.80.1.40
This command performs a static translation of the source address 172.16.1.1 (located on the inside of the network) to the outside address 158.80.1.40.
When configuring Dynamic NAT , the inside and outside interfaces must first be
identified:
communicating outside the local network:
Router(config)# ip nat pool POOLNAME 158.80.1.1 158.80.1.50 netmask 255.255.255.0
The above command specifies that the pool named POOLNAME contains a range of public addresses from 158.80.1.1 through 158.80.1.50.
Finally, a list of private addresses that are allowed to be dynamically translated must be specified:
The first command states that any inside host with a source that matches access-list 10 can be translated to any address in the pool named POOLNAME. The access-list specifies any host on the 172.16.1.0 network.
Recall that NAT Overload (or PAT) is necessary when the number of internal clients exceeds the available global addresses. Each internal host is translated to a unique port number off of a single global address.
Any inside host with a source that matches access-list 10 will be translated with overload to the IP address configured on the Serial0/0 interface.
When you configure NAT, it is sometimes difficult to know where to begin,
especially if you are new to NAT. These steps guide you to define what you want
NAT to do and how to configure it:
Each of the following NAT examples guides you through steps 1 through 3 of the
Quick Start Steps above. These examples describe some common scenarios in
which Cisco recommends you deploy NAT.
The first step in deploying NAT is to define NAT inside and outside interfaces.
You may find it easiest to define your internal network as inside, and the external
network as outside. However, the terms internal and external are subject to
arbitration as well. The figure below shows an example of this.
Example: Allowing Internal Users to Access the Internet
You may want to allow internal users to access the internet, but you may not have
enough valid addresses to accommodate everyone. If all communication with
devices in the internet will originate from the internal devices, you need a single
valid address or a pool of valid addresses.
The figure below shows a simple network diagram with the router interfaces
defined as inside and outside:
In this example, we want NAT to allow certain devices (the first 31 from each
subnet) on the inside to originate communication with devices on the outside by
translating their invalid address to a valid address or pool of addresses. The pool
has been defined as the range of addresses 172.16.10.1 through 172.16.10.63.
Now you are ready to configure NAT. In order to accomplish what is defined
above, use dynamic NAT. With dynamic NAT, the translation table in the router is
initially empty and gets populated once traffic that needs to be translated passes
through the router. (As opposed to static NAT, where a translation is statically
configured and is placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each of the inside devices to a
unique valid address, or to translate each of the inside devices to the same valid
address. This second method is known as overloading. An example of how to
configure each method is given below.
NAT Router
interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
access-list 7 permit 10.10.20.0 0.0.0.31
Note: Cisco highly recommends that you do not configure access lists referenced
by NAT commands with permit any. Using permit any can result in NAT
consuming too many router resources which can cause network problems.
Notice in the above configuration that only the first 32 addresses from subnet
10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are permitted by
access-list 7. Therefore, only these source addresses are translated. There may be
other devices with other addresses on the inside network, but these won't be
translated.
NAT Router
interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 will have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations will be overloaded which will allow multiple inside
!--- devices to be translated to the same valid IP address.
Note that in the second configuration above, the NAT pool "ovrld" only has a range of one address. The keyword overload used in the ip nat inside source list 7 pool ovrld overload command allows NAT to translate multiple inside devices to the single address in the pool.
Configuring NAT for Use During a Network Transition
NAT Router
interface ethernet 0
ip address 172.16.10.1 255.255.255.0
ip nat outside
interface ethernet 1
ip address 172.16.50.1 255.255.255.0
ip nat inside
interface serial 0
ip address 200.200.200.5 255.255.255.252
!--- States that any packet received on the inside interface with a
!--- source IP address of 172.16.50.8 will be translated to 172.16.10.8.
Note that the inside source NAT command in this example also implies that
packets received on the outside interface with a destination address of 172.16.10.8
will have the destination address translated to 172.16.50.8.
Dynamic NAT is useful when fewer addresses are available than the actual
number of hosts to be translated. It creates an entry in the NAT table when the host
initiates a connection and establishes a one-to-one mapping between the addresses.
But, the mapping can vary and it depends upon the registered address available in
the pool at the time of the communication. Dynamic NAT allows sessions to be
initiated only from inside or outside networks for which it is configured. Dynamic
NAT entries are removed from the translation table if the host does not
communicate for a specific period of time which is configurable. The address is
then returned to the pool for use by another host.
Router(config)#ip nat pool MYPOOLEXAMPLE 10.41.10.1 10.41.10.41 netmask 255.255.255.0
Create an access-list for the inside networks that have to be mapped:
Router(config)#access-list 100 permit ip 10.3.2.0 0.0.0.255 any
Associate access-list 100, which selects the internal network 10.3.2.0 0.0.0.255, with the pool MYPOOLEXAMPLE so that network is natted to the pool, and overload the addresses:
Router(config)#ip nat inside source list 100 pool MYPOOLEXAMPLE overload
Once you've configured NAT, verify that it is operating as expected. You can do
this in a number of ways: using a network analyzer, show commands, or debug
commands. For a detailed example of NAT verification, refer to Verifying NAT
Operation and Basic NAT Troubleshooting.
TESTING
Troubleshooting NAT
To view the active NAT translations, pfctl is used with the -s state option. This option lists all the current NAT sessions:
# pfctl -s state
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
Taking the TCP line:
• 192.168.1.35:2132 is the IP address of the machine on the internal network, with its source port (2132) shown after the address. This is also the address that is replaced in the IP header.
• 24.5.0.5:53136 is the IP address and port on the gateway that packets are being translated to.
• 65.42.33.245:22 is the IP address and the port that the internal machine is connecting to.
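An added example, not from the report: a parser for the pfctl -s state lines shown above that separates each session into the three endpoints described (internal host, gateway translation, outside destination) plus the state, and lets a defender list which outside endpoints a given inside host is talking to. The regular expression matches only the line layout shown on this page; the sample output is the report's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# One state line: "<proto> <local ip:port> > <gateway ip:port> > <remote ip:port> [state]"
STATE_LINE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<local>[\d.]+:\d+)\s*>\s*"
    r"(?P<gateway>[\d.]+:\d+)\s*>\s*"
    r"(?P<remote>[\d.]+:\d+)(?:\s+(?P<state>\S+))?$"
)

# Sample output as printed in the report (constructed input for this example)
SAMPLE = """\
TCP 192.168.1.35:2132 > 24.5.0.5:53136 > 65.42.33.245:22 TIME_WAIT:TIME_WAIT
UDP 192.168.1.35:2491 > 24.5.0.5:60527 > 24.2.68.33:53 MULTIPLE:SINGLE
"""

def split_endpoint(text: str) -> Tuple[str, int]:
    """'ip:port' -> ('ip', port)."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)

def parse_state_line(line: str) -> Optional[Dict]:
    """Return the session's endpoints and state, or None if the line does not match."""
    m = STATE_LINE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "local": split_endpoint(m.group("local")),      # inside host, address NAT replaces
        "gateway": split_endpoint(m.group("gateway")),  # translated address/port on the gateway
        "remote": split_endpoint(m.group("remote")),    # outside destination
        "state": m.group("state"),
    }

def parse_states(output: str) -> List[Dict]:
    """Parse a whole pfctl -s state listing, skipping lines that are not state entries."""
    return [s for s in map(parse_state_line, output.splitlines()) if s]

def sessions_for_host(output: str, local_ip: str) -> List[Tuple[str, Tuple[str, int]]]:
    """Which outside endpoints is the given inside host talking to?"""
    return [(s["proto"], s["remote"]) for s in parse_states(output) if s["local"][0] == local_ip]
```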
SNAP SHOTS
Dynamic Routing with Clock Rate in NAT
EIGRP in NAT
Inter-VLAN 1 in NAT
Inter-VLAN 2 in NAT
DHCP in NAT
FUTURE SCOPE
Telephony: Configuring Voice VLANs
The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP phone. You can configure layer 2 access ports on the switch to send CDP packets that instruct the attached Cisco IP phone to configure the IP phone access port in one of these modes:
• In trusted mode, all traffic received through the access port on the Cisco IP phone passes through the IP phone unchanged.
• In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the IP phone receives a configured layer 2 CoS value. The default layer 2 CoS value is 0. Untrusted mode is the default.
By default, the voice VLAN feature is disabled; you enable it by using the switchport voice vlan interface command. When the voice VLAN feature is enabled, all untagged traffic is sent according to the default CoS priority of the port. The CoS value is not trusted for IEEE 802.1p or IEEE 802.1Q tagged traffic.
These are the voice VLAN configuration guidelines:
• You should configure voice VLAN on switch access ports; voice VLAN is not supported on trunk ports, even though you can actually configure it. The voice VLAN should be present and active on the switch for the IP phone to communicate correctly on it. Use the show vlan privileged EXEC command to see whether the VLAN is present; if it is, it will be listed in the display.
• Before you enable the voice VLAN, it is recommended that you enable QoS on the switch by entering the mls qos global configuration command and set the port trust state to trust by entering the mls qos trust cos interface configuration command.
• You must make sure that CDP is enabled on the switch port connected to the Cisco IP phone so that the configuration can be sent. CDP is on by default, so unless you disabled it, you should not have a problem.
• The PortFast feature is automatically enabled when the voice VLAN is configured, but when you disable the voice VLAN, the PortFast feature is not automatically disabled.
To return the port to its default setting, use the no switchport voice vlan interface configuration command.
Configuring IP Phone Voice Traffic
You can configure a port connected to the Cisco IP phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN. The IP phone can also send untagged voice traffic, or use its own configuration to send voice traffic in the access VLAN. In all configurations, the voice traffic carries a layer 3 IP precedence value; again, for voice the setting is usually 5.
CONCLUSION
The examples in this document demonstrate how the quick start steps can help you configure and deploy NAT. These quick start steps include:
In each of the examples above, various forms of the ip nat inside command were used. You can also use the ip nat outside command to accomplish the same objectives, keeping in mind the NAT order of operations. For configuration examples using the ip nat outside commands, refer to Sample Configuration Using the ip nat outside source list Command and Sample Configuration Using the ip nat outside source static Command.
Command: ip nat outside source
Action: Translates the source of the IP packets that are traveling outside to inside. Translates the destination of the IP packets that are traveling inside to outside.
BIBLIOGRAPHY
1. www.cisco.com
2. Wikipedia
3. CCNA E-Book