Using IP Network Address Translation (NAT)
This document describes Network Address Translation (NAT) and provides configuration and monitoring information. It includes the following sections:
NAT Overview
How NAT Works
Sample NAT Configuration
Using Fixed IP Address Mappings
Translating Port Numbers
Displaying NAT Prompts
Configuring NAT
NAT Commands
NAT Overview
NAT lets a router represent an entire LAN to the Internet as a single, global IP address. The Internet sees all traffic from the local network as originating from the global IP address. Likewise, all traffic coming into the local network from the Internet is addressed to the global IP address. This allows your ISP to assign one IP address to your LAN, instead of allocating a block of IP addresses, one for each computer on the network.
NAT provides added security for network connections because it hides internal IP addresses from the Internet side of the NAT router. Also, like a firewall, NAT only accepts packets that are in response to internal requests or packets destined for officially published services.
This implementation of NAT is compliant with RFC 1631, The IP Network Address Translator (NAT).
IP Addressing
Since the outside world cannot see the inside network, you do not need to use registered IP addresses on the inside network. You can use any IP address range that does not exist in the outside network. The Internet Assigned Numbers Authority (IANA) has reserved the following blocks of IP addresses for private networks.
For more information, see RFC 1597, Address Allocation for Private Internets.
If you are unfamiliar with IP addressing, see IP Addresses.
Terminology
This discussion of NAT uses the following terminology.
How NAT Works
A basic NAT application consists of an inside network, such as a LAN in a small office, and an outside network, such as the Internet.
Figure 1 Basic NAT Configuration
The NAT interface uses a global registered IP address. It can use a dynamic IP address or you can assign a fixed IP address. The NAT interface cannot use an unnumbered IP address.
In this basic configuration, when a user on the
To set up this basic configuration, you simply enable NAT on an interface. NAT uses a dynamic cache to perform the address translations.
To do one of the following, you need to set up service table entries or fixed IP address mappings.
The next sections explain each of the components of the NAT software.
Dynamic Cache
When an inside user generates packets for the outside network,
- 1. The NAT interface translates the user's IP address and the source port number of the packet to the global IP address and a unique port number and forwards the packet to the outside network.
- 2. The NAT interface stores the translation information in a cache.
- 3. When response packets for the inside user arrive from the outside network, the NAT interface translates them back to the original address and protocol port using the information stored in the cache.
The NAT interface also creates a cache entry when it receives a packet that matches a Service Table entry.
Service Table
A NAT interface lets only packets that are in response to internal requests into the inside network. To let outside users access services on your inside network, you specifically allow each service, either by adding entries to the NAT service table or by setting up Fixed IP Address Mapping.
Service table entries consist of the inside IP address of the device that provides the service and the protocol over which the service runs. TCP and UDP entries must also include a port number or range of port numbers. ICMP entries can include a packet type number.
For example, you can add a service table entry that causes the NAT interface to send all FTP packets to a particular server on the inside network. Using service table entries, only one device on the inside network can provide a service on a particular port number because the NAT interface cannot tell one from the other. To offer a service on more than one device, you need to use Fixed IP Address Mapping or Port Number Translation, or you need to set up different port numbers for the service.
All NAT interfaces in the router use the service table.
Fixed IP Address Mapping
Fixed IP address mapping lets you have more than one outside IP address visible to the outside network. You can use fixed IP address mapping to offer a service on more than one inside device.
To use fixed IP address mapping, you set up a table where one outside address corresponds to one inside address. For example, each of the following outside addresses has a corresponding inside address.
Outside        Inside    Mask
128.185.22.16  10.1.5.1  255.255.255.255
128.185.22.34  10.1.5.2  255.255.255.255
128.185.22.92  10.1.5.3  255.255.255.255
When the NAT interface receives a packet from the outside destined for 128.185.22.16, it forwards the packet to inside address 10.1.5.1. Likewise, when the NAT interface receives a packet from inside address 10.1.5.1 that is destined for the outside, it changes the packet's source IP address to 128.185.22.16. Therefore, anyone on the outside who is communicating with 10.1.5.1 sees only the outside address of 128.185.22.16.
See Using Fixed IP Address Mappings for some examples.
All NAT interfaces in the router use the fixed IP address mapping table.
How NAT Handles IP Packets
The following figures show how the NAT interface handles packets it receives from
Figure 2 How the NAT Interface Handles Packets It Receives from the Outside Network Destined to the Global IP Address
Figure 3 How the NAT Interface Handles Packets It Receives from the Outside Network That Are Not Destined to the Global IP Address
Figure 4 How the NAT Interface Handles Packets It Receives From the Inside Network
Using Routing Protocols with NAT
You can enable RIP to run on the NAT router so that it learns routes in the inside network. However, the NAT interface does not forward RIP packets from the inside network to the outside network. The NAT interface also does not advertise OSPF routes from the inside network to the outside network.
Sample NAT Configuration
Figure 5 is a small office setup using NAT. In this example, the inside network has two users (clients) and an FTP server.
Figure 5 Sample NAT Configuration
To set up the NAT configuration in Figure 5,
The ISP assigns an IP address of 50.19.2.1 to the NAT interface.
The following list describes what happens when Client 1 and Client 2 in Figure 5 browse the same outside Web site, which has an IP address of 128.185.5.6.
- 1. The NAT interface receives a packet from Client 1 and creates a cache entry that associates the Client 1 inside IP address and a unique port number (1025) with the Web server IP address and the port number of the service (80). The interface then forwards the packet to the Web server.
- 2. The NAT interface receives a packet from Client 2 and creates a cache entry that associates the Client 2 inside IP address to the same Web server IP address and port number (80), but associates a different port number with the inside address (1026). The interface then forwards the packet to the Web server.
- 3. The Web server sends response packets for both clients to the same IP address (50.19.2.1), but to different port numbers (1025 and 1026). The NAT interface associates the unique port number with the inside IP address in the cache and sends the packet to the correct client.
When an outside user in Figure 5 runs FTP to the inside FTP server, the NAT interface does the following:
- 1. It compares the destination address to the outside addresses in the fixed IP address mapping table.
- 2. It compares the packet's protocol and port number to entries in the cache.
- 3. It compares the packet's protocol and port number to entries in the service table.
Using Fixed IP Address Mappings
You can set up fixed IP address translations, each from one outside IP address to one inside IP address.
This section gives some examples of situations where you might want to use fixed IP address mapping and how to set it up.
Fixed IP address mappings apply to all NAT interfaces on the router.
Allowing Multiple Servers on the Inside Network
In Figure 6, there are three servers on the inside network, each offering multiple services. Using fixed IP address mapping, you can allow
Figure 6 Multiple Servers on the Inside Network
To set up this fixed address mapping, add a mapping for each outside and each inside address. For example:
NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.142.6
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 10.1.5.1
Mapping a Subnet
Another way to use the fixed IP address mapping feature is to map all computers on an inside subnet to a range of corresponding outside addresses. This is useful if you have servers on a subnet, and you want all of the servers visible to the outside.
For example, to map all addresses on the inside subnet of 10.2.1.0 through 10.2.1.254 to a corresponding outside address in the outside subnet of 128.185.227.0 through 128.185.227.254, enter the following command.
NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.227.0
Mask [255.255.255.255]? 255.255.255.0
Private inside address [0.0.0.0]? 10.2.1.0
By specifying a subnet mask, you can set up a fixed mapping translation of an entire subnet of outside addresses to an entire subnet of inside addresses using only one command.
Allowing a Subnet to be Visible to the Outside Network
Another use for fixed IP addressing is to allow a group of users on a subnet to have their addresses visible to the outside. For example, to cause addresses in the range of 128.185.228.x to have their address visible to the outside, enter
NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.228.0
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 128.185.228.0
By setting the outside and inside addresses to the same value, you essentially cause NAT to not translate certain ranges of IP addresses. This lets you partially run NAT, where NAT translates some, but not all, of your inside network addresses.
Translating Port Numbers
Using service table entries, only one device on the inside network can provide a service on a particular outside port number. To offer a service on more than one device, you need to set up different outside port numbers for the service, use fixed IP address mapping, or set up the NAT interface to translate port numbers. Translating port numbers instead of using fixed IP address mapping allows you to have only one IP address visible to the outside.
For example, in Figure 7 there are two Web servers. Web Server 1 runs on port 80, and Web Server 2 runs on port 81. The service table entries cause the NAT interface to send all packets destined for port 80 to Web Server 1 and all packets destined for port 81 to Web Server 2. The NAT interface does not translate port numbers.
Figure 7 Publishing the Same Service Using Different Port Numbers
Alternatively, in Figure 8, there are two Web servers that both run on port 80. In this case, you need to set up the NAT interface to translate port numbers. One service table entry offers Web Server 1 on port 80 and another entry offers Web Server 2 on port 81. However, before the NAT interface sends packets to Web Server 2, it translates the port number from 81 to 80.
Figure 8 Publishing the Same Service Using Port Number Translation
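The translation decisions described in How NAT Works, Using Fixed IP Address Mappings and Translating Port Numbers, as a Python model added here (constructed; not OpenROUTE's software). It assumes the sample global address 50.19.2.1 from Figure 5, allocates unique ports starting at 1025 as in that walkthrough, and checks an incoming packet against the fixed table, then the cache, then the service table, in the order given above.

```python
# Constructed model of the NAT interface's translation rules as this document
# describes them; not OpenROUTE's software. Addresses are the document's examples.
import ipaddress
from dataclasses import dataclass, field


def _ip(s):
    return int(ipaddress.IPv4Address(s))


@dataclass
class Service:
    name: str
    proto: str            # "TCP", "UDP", "ICMP" or "ALL"
    server: str           # inside address of the host offering the service
    port_lo: int
    port_hi: int
    local_port: int = 0   # 0 = no port translation (the add service default)


@dataclass
class CacheEntry:
    proto: str
    inside_ip: str
    inside_port: int
    remote: str           # outside host the inside user is talking to


@dataclass
class NatInterface:
    global_ip: str
    fixed: list = field(default_factory=list)     # (outside, inside, mask)
    services: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)     # unique global port -> CacheEntry
    next_port: int = 1025                         # first unique port, as in Figure 5

    def add_fixed(self, outside, inside, mask="255.255.255.255"):
        self.fixed.append((outside, inside, mask))

    def _fixed(self, addr, src_col, dst_col):
        """Look addr up in one column of the fixed table, return the other column.
        Host bits outside the mask carry over, so a 255.255.255.0 entry maps a whole
        subnet, and an entry whose outside and inside addresses are equal is a no-op."""
        a = _ip(addr)
        for entry in self.fixed:
            m = _ip(entry[2])
            if a & m == _ip(entry[src_col]) & m:
                return str(ipaddress.IPv4Address((_ip(entry[dst_col]) & m) | (a & ~m)))
        return None

    def outbound(self, proto, src_ip, src_port, dst_ip):
        """Packet from the inside network: a fixed mapping wins; otherwise the source
        becomes the global IP plus a unique port recorded (or reused) in the cache."""
        mapped = self._fixed(src_ip, 1, 0)
        if mapped is not None:
            return mapped, src_port
        for gport, e in self.cache.items():
            if (e.proto, e.inside_ip, e.inside_port, e.remote) == (proto, src_ip, src_port, dst_ip):
                return self.global_ip, gport
        gport, self.next_port = self.next_port, self.next_port + 1
        self.cache[gport] = CacheEntry(proto, src_ip, src_port, dst_ip)
        return self.global_ip, gport

    def inbound(self, proto, src_ip, dst_ip, dst_port):
        """Packet from the outside network, checked in the order the document gives:
        fixed table, then cache, then service table. None means the packet is dropped."""
        mapped = self._fixed(dst_ip, 0, 1)
        if mapped is not None:
            return mapped, dst_port
        if dst_ip != self.global_ip:
            return None
        e = self.cache.get(dst_port)
        if e is not None and e.proto == proto and e.remote == src_ip:
            return e.inside_ip, e.inside_port
        for s in self.services:
            if s.proto in (proto, "ALL") and s.port_lo <= dst_port <= s.port_hi:
                return s.server, (s.local_port or dst_port)   # optional port translation
        return None
```

An unsolicited packet to the global address that matches neither a cache entry nor a service table entry returns None, which is the behaviour the overview describes as firewall-like.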
Displaying NAT Prompts
NAT commands are available at the NAT Config> prompt and the NAT> prompt.
At the NAT Config> prompt, changes that you make are saved in the router's configuration memory. These changes take effect when you restart the router.
Display the NAT Config> prompt as follows:
*config
Config>protocol ip
Internet protocol user configuration
IP config>nat
Network Address Translation Configuration
NAT Config>
At the NAT> prompt, changes that you make take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.
Display the NAT> prompt as follows:
*monitor
+protocol ip
IP>nat
Network Address Translation Console
NAT>
Configuring NAT
Follow these steps to configure NAT.
- 1. Display either the NAT Config> prompt or the NAT> prompt as described in Displaying NAT Prompts. This example uses the NAT Config> prompt.
- 2. Enable NAT on each interface over which you want to run NAT.
NAT Config>enable nat
Interface # [0]? 1
NAT enabled on interface 1
- 3. (Optional.) To offer inside services to outside users, add a service table entry for each inside service that you want to offer. See Service Table and the add service command.
NAT Config>add service
Service name([CR] to get a list of well-known-services)? ftp
Server's IP address [0.0.0.0]? 10.12.2.1
Server's local port (0 = no port translation) [0]?
- 4. (Optional.) Set up fixed IP address mappings. See Fixed IP Address Mapping and the add fixed-ip-mappings command.
- 5. If you set up NAT at the configuration prompt, restart the router for your configuration to take effect.
NAT Config>exit
IP config>exit
Config> Ctrl P
*restart
If you set up NAT at the monitoring prompt, the configuration takes effect immediately. To make the changes permanent, enter save.
NAT>save
When to Set a Global IP Address
The NAT global IP address is key to the way your NAT setup works. For an outgoing packet, NAT translates the packet's source IP address to the global IP address, unless there is a matching fixed IP translation. For an incoming packet destined for the global IP address, NAT either translates the packet using a cache entry or translates the packet using service table entries.
If you do not explicitly set the NAT global IP address, the NAT interface uses the IP address of the interface on which NAT is enabled. It does not matter whether you assigned an IP address to the interface or are using a dynamically assigned address.
You can explicitly assign another outside address as the NAT global IP address by using the set nat-interface ip-address command.
Set a global IP address in the following situations.
Notes:
NAT Commands
This section describes NAT commands.
Press Space twice after you type a command to display the available options for each command. Enter help for information about using the command line interface.
[C] means the command is available at the NAT Config> prompt.
[M] means the command is available at the NAT> prompt.
Add [C] [M]
Adds fixed IP address mappings and service table entries to your NAT configuration.
fixed-ip-mappings
Adds fixed IP address mappings. See Fixed IP Address Mapping. Fixed IP address mappings apply to all NAT interfaces in the router.
Syntax: add fixed-ip-mappings
Example: add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.2.45
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 10.34.34.2
service
Adds a service table entry to the NAT configuration. Service table entries apply to all NAT interfaces in the router.
Add an entry for each service that the inside network offers to the outside network. You must also add services that the NAT interface itself offers, such as Telnet or Web authentication. See Service Table.
You can change service table entries using the set service commands.
The following services apply to SKIP (Simple Key-Management for Internet Protocols).
If NAT is running on a router that has IP Tunnels, the NAT software automatically creates the services necessary to run SKIP: Discard, SKIP, and SKIPCDP.
Syntax: add service name server-address local-port protocol starting-port ending-port
Example: add service
Service name ([CR] to get a list of well-known-services)? http
Server's IP address [0.0.0.0]? 10.12.1.1
Server's local port (0 = no port translation) [0]?
Example: add service
Service name ([CR] to get a list of well-known-services)? admin
Server's IP address [0.0.0.0]? 10.1.2.1
Server's local port (0 = no port translation) [0]?
Enter protocol [TCP]?
Enter starting port number ([CR] for all) [-1]? 90
Enter ending port number [1]? 90
Service name
You can enter a well-known service name from the list below or you can define your own service name. If you enter a well-known service name, the software fills in the protocol and port range.
Service Name  Protocol  Port Range
DEFAULT       ANY       0-65535
DISCARD       UDP       9-9
DNS           UDP       53
DNS-ZONE      TCP       53
FTP           TCP       20-21
HTTP          TCP       80
NFS           UDP       0-65535
NNTP          TCP       119
PING          ICMP      0-65535
POP2          TCP       109
POP3          TCP       110
RLOGIN        TCP       513
SKIP          SKIP      0-65535
SKIPCDP       UDP       1639-1640
SMTP          UDP       25
SNMP          UDP       161
SNMP-TRAP     UDP       162
TELNET        TCP       23
TIME          UDP       37
Server's IP Address
The IP address of the host in the inside network that provides the service. If the NAT router provides the service, enter one of the router's own IP addresses.
Server's local port
You can set up NAT to translate the destination port number that it receives from the outside network. When the NAT interface forwards the packet to the server, it sends the packet to this port number.
The default is 0 (zero), which means the NAT interface does not translate the port number.
Protocol
The protocol associated with this service. Enter ICMP, UDP, TCP, or All.
OpenROUTE Networks recommends that you do not use All because All causes the NAT interface to send all IP packets that it receives to this server.
Starting Port number
The lowest port number associated with this service.
For protocol ICMP, this value represents the packet type. The default is 8, which is an ICMP Echo Request. You can change the default using the set service port-range command.
Ending Port number
The highest port number associated with this service. To match a single port, enter the same number for the starting port and the ending port.
For protocol ICMP, this value represents the packet type. The default is 8, which is an ICMP Echo Request. You can change the default using the set service port-range command.
Clear [C] [M]
Clears NAT configuration information. At the NAT> prompt, you can also clear the NAT cache.
Syntax: clear
- all
- cache
- fixed-ip-mappings
- nat-interfaces
- services
all
Clears all NAT configuration information including service table entries and fixed IP address mappings.
Example: clear all
cache
Clears the cache of a NAT interface. This command is available only at the NAT> prompt.
Example: clear cache
Interface number [0]? 1
fixed-ip-mappings
Clears all fixed IP address mappings.
Example: clear fixed-ip-mappings
All fixed mappings have been cleared
nat-interfaces
Clears all NAT configuration information except the service table entries. This command is available only at the NAT Config> prompt.
Example: clear nat-interfaces
services
Clears all service table entries.
Example: clear services
Delete [C] [M]
Deletes fixed IP address mappings, service table entries, or NAT interface configurations. At the NAT> prompt, also deletes cache entries.
Syntax: delete
- cache-entry
- fixed-ip-mappings
- nat-interface
- service
cache-entry interface# id#
Deletes cache entries. This command is available only at the NAT> prompt. Enter list cache at the NAT> prompt to display a list of ID numbers.
Example: delete cache-entry
Interface # [0]? 1
Id number [0]?
fixed-ip-mappings
Deletes a fixed IP mapping that you added with the add fixed-ip-mappings command.
Example: delete fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.1.1
Mask [255.255.255.255]?
nat-interface interface#
Deletes a NAT interface configuration. If you enabled NAT on more than one interface, the software prompts you for the interface configuration to delete.
Example: delete nat-interface
Interface # [0]? 1
NAT deleted from interface 1
service name
Deletes a service from the service table. Enter the name of a service entry that you created with the add service command.
Example: delete service
Service name? http
Disable NAT [C] [M]
Disables a NAT interface, but leaves the configuration information intact. If you enabled NAT on more than one interface, the software prompts you for which interface to disable.
Syntax: disable nat interface#
Example: disable nat
Interface # [0]? 1
NAT is disabled
Enable NAT [C] [M]
Enables a NAT configuration on an interface. If you previously defined a NAT interface, this command enables it. Otherwise, this command adds a default NAT configuration to the interface and enables it. You can use the set nat-interface commands to change ageout timers and cache size.
Syntax: enable nat interface#
Example: enable nat
Interface # [0]? 1
Default NAT interface created
NAT enabled on interface 1
Exit [C] [M]
Returns to the previous prompt.
Syntax: exit
Example: exit
List [C] [M]
Displays the current NAT interface configuration, fixed IP address mappings, and service table entries. At the NAT> prompt, also displays a summary of the current cache entries.
Syntax: list
- all
- cache
- fixed-ip-mappings
- nat-interface
- services
all
Lists the complete NAT configuration.
Example: list all
NAT Enabled on interface 1
Address is Auto
Maximum # entries 500
Global ageout 1800 secs
TCP ageout 9000 secs, closed 30 secs
Name       Protocol Port Range  Server Address/Port Translation
---------- -------- ----------- --------------------------
HTTP       TCP      80-80       10.1.2.1/None
FTP        TCP      20-21       10.1.2.3/None
Fixed IP Address Translation mappings:
Outside        Inside    Mask
128.185.22.0   10.1.5.1  255.255.255.255
128.185.22.2   10.1.5.2  255.255.255.255
128.185.142.6  10.1.5.3  255.255.255.255
cache interface#
Shows a summary of all cache entries for a NAT interface. If you have NAT enabled on more than one interface, the software prompts you for an interface number. You can use the NAT ID numbers to delete individual cache entries. This command is available at the NAT> prompt.
Note: Cache entries for the ICMP protocol age out after 10 seconds regardless of the ageout time you have set. Otherwise ICMP traffic, such as PING and TRACEROUTE packets, could quickly fill the cache with unnecessary entries.
Example: list cache
NAT Cache - Interface 0
ID   Proto Local Address         Remote Address
---- ----- --------------------- ---------------------
1    TCP   10.2.3.202:80         50.2.95.217:1034
8    TCP   10.2.3.202:1033       128.185.209.101:23
15   TCP   10.2.3.213:21         50.2.95.214:11071
16   TCP   10.2.3.213:20         50.2.95.214:11072
17   TCP   10.2.3.213:21         50.2.95.214:11075
18   TCP   10.2.3.213:20         50.2.95.214:11076
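A parser for the list cache output above, added here as a constructed example (not OpenROUTE's software), that summarizes per inside host how many cache entries look like outside users reaching a published service versus the host's own outbound sessions. Treating a local port of 1023 or below as a published service is an assumption made for this sample, not a rule from the document; the sample text is the listing shown above.

```python
# Constructed example: parse the router's `list cache` output and summarize it
# per inside host. Not OpenROUTE's software; the sample is the listing in the text.
from collections import defaultdict

SAMPLE = """\
NAT Cache - Interface 0
ID   Proto Local Address         Remote Address
---- ----- --------------------- ---------------------
1    TCP   10.2.3.202:80         50.2.95.217:1034
8    TCP   10.2.3.202:1033       128.185.209.101:23
15   TCP   10.2.3.213:21         50.2.95.214:11071
16   TCP   10.2.3.213:20         50.2.95.214:11072
17   TCP   10.2.3.213:21         50.2.95.214:11075
18   TCP   10.2.3.213:20         50.2.95.214:11076
"""


def parse_cache(text):
    """Return one dict per cache entry: id, protocol, local and remote address/port."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue                       # banner, column header or dash line
        local_ip, local_port = parts[2].rsplit(":", 1)
        remote_ip, remote_port = parts[3].rsplit(":", 1)
        entries.append({"id": int(parts[0]), "proto": parts[1],
                        "local_ip": local_ip, "local_port": int(local_port),
                        "remote_ip": remote_ip, "remote_port": int(remote_port)})
    return entries


def summarize(entries, service_port_max=1023):
    """Per inside host: entries whose local port is a service port (assumed to be
    outside users reaching a published service) versus the host's own outbound
    sessions, plus the distinct outside hosts involved."""
    hosts = defaultdict(lambda: {"inbound": 0, "outbound": 0, "remotes": set()})
    for e in entries:
        h = hosts[e["local_ip"]]
        h["inbound" if e["local_port"] <= service_port_max else "outbound"] += 1
        h["remotes"].add(e["remote_ip"])
    return dict(hosts)
```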
fixed-ip-mappings
Lists the IP address mappings that you set up with the add fixed-ip-mappings command.
Example: list fixed-ip-mappings
Fixed IP Address Translation mappings:
Outside        Inside      Mask
128.185.23.23  10.10.50.1  255.255.255.255
At the NAT> prompt, this command also displays a count of how many times NAT used each mapping on packets from outside to inside and from inside to outside. Clear the usage counters using the zero command.
Fixed IP Address Translation mappings:             Translation Usage Counts
Outside        Inside      Mask             Out->In  In->Out
128.185.23.23  10.10.50.1  255.255.255.255  0        0
nat-interface interface#
Lists a NAT interface configuration. If you configured more than one interface for NAT, the software prompts you for the interface configuration you want to display.
Example: list nat-interface
Interface # [0]? 1
NAT Enabled on interface 1
Address is Auto
Maximum # entries 500
Global ageout 1800 secs
TCP ageout 9000 secs, closed 30 secs
services
Lists the service table entries.
Example: list services
Name       Protocol Port Range  Server Address/Port Translation
---------- -------- ----------- --------------------------------
HTTP       TCP      80-80       10.1.2.1/ 81
TELNET     TCP      23-23       10.1.1.1/None
FTP        TCP      20-21       10.1.2.3/None
Restore [M]
Restores the saved configuration after you make changes at the NAT> prompt.
Syntax: restore
Example: restore
This will overwrite your existing runtime configuration.
Continue? (Yes or [No]): yes
Restore complete
Save [M]
Saves changes you make at the NAT> prompt to permanent memory so they are still present after you restart the router.
Syntax: save
Example: save
This will overwrite your existing saved configuration.
Continue? (Yes or [No]): yes
Save complete
Set [C] [M]
Sets ageout timers for TCP and non-TCP cache entries, global IP address, and the maximum number of entries kept in the cache for each NAT interface. It also lets you make changes to entries in the service table.
Syntax: set
- nat-interface ageout
- nat-interface ip-address
- nat-interface max-entries
- nat-interface tcp-ageout
- service address
- service local-port
- service port-range
- service protocol
nat-interface ageout interface# #-of-seconds
Sets the ageout timer for non-TCP cache entries. The timer deletes non-TCP cache entries if they are idle for this time period. Setting this value too low causes the timer to close sessions prematurely. Setting this value too high causes the cache to have too many entries and impacts router performance. The range is 10 to 36000 seconds. The default of 1800 seconds (30 minutes) is ample for most applications.
Example: set nat-interface ageout
Interface # [0]?
Ageout time (secs) [1800]?
nat-interface ip-address interface# address
Sets the global IP address and IP mask of a NAT interface. If you do not use this command to set a global IP address, NAT uses the IP address of the NAT interface, whether it's an address that you assigned to the interface or a dynamic IP address. See When to Set a Global IP Address.
This command is available at the NAT Config> prompt.
Note: You cannot use unnumbered IP on a NAT interface.
Example: set nat-interface ip-address
Interface number [1]?
NAT IP address (0.0.0.0 = use automatic default) [0.0.0.0]
nat-interface max-entries interface# value
Sets the maximum number of entries that the interface keeps in cache. The NAT cache is dynamically allocated so you can set this parameter quite high without tying up memory. However, if you set this parameter too high, it may affect router performance during times of heavy usage. The range is 20 to 1000. The default is 500.
Example: set nat-interface max-entries
Interface # [0]?
Maximum Cache Entries [500]?
nat-interface tcp-ageout interface# idle-time closed-time
Controls how long the NAT interface keeps TCP entries in its cache.
Example: set nat-interface tcp-ageout
Interface # [0]?
TCP Ageout time (secs) [9000]?
TCP Closed time (secs) [30]?
service address name address
Changes the inside IP address of a service table entry.
Example: set service address
Service name? database
Server's IP address [10.1.99.8]?
service local-port name port#
Changes the local port number of a service table entry.
Example: set service local-port
Service name? rtradmin
Server's local port [0]?
service port-range name starting-port ending-port
Changes the range of ports for a service table entry.
Example: set service port-range
Service name? http
Enter starting port number ([CR] for all) [-1]? 81
Enter ending port number [81]?
service protocol name protocol
Changes the protocol for a service table entry.
Example: set service protocol
Service name?
Enter protocol [TCP]?
Zero [M]
At the NAT> prompt, list fixed-ip-mappings displays a count of how many times NAT used each mapping on packets coming from outside to inside and from inside to outside. The zero command clears these counters.
Syntax: zero
Example: zero
docs@openroute.com
Copyright © 1998, OpenROUTE Networks, Inc. All rights reserved.