Figure 10-4 Port Address Translation (PAT)
PAT allows overloading or the mapping of more than on inside local address to the same inside global address. But this also means that return packets would all have the same destination address as they reach the NAT router. How would the router know which inside local address each return packet belongs to? In order to deal with this scenario, the NAT entries in the translation table are extended entries; the entries not only track the relevant IP addresses, but also the protocol types and ports. By translating both the IP address and the port number of a packet, up to 65535 inside local addresses could theoretically be mapped to a single inisde global address (based on the 16-bit port number).
But keep in mind that a single NAT entry uses approximately 160 bytes of router memory, so 65535 entries would take more than 10 MB of memory and also large amounts of CPU power. In practical PAT configurations, nowhere near this number of addresses are mapped, but it is definitely a theoretical limit.
Here is a sample configuration for NAT overloading or PAT according to Figure 10-4.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat pool MyPool 67.210.97.1 67.210.97.1 ?
netmask Specify the network mask
prefix-length Specify the prefix length
R1(config)#ip nat pool MyPool 67.210.97.1 67.210.97.1 netmask 255.255.255.0
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)#ip nat inside source list 1 pool MyPool overload
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#interface FastEthernet0/1
R1(config-if)#ip address 67.210.97.1 255.255.255.0
R1(config-if)#ip nat outside
R1(config-if)#end
R1#
The above configuration may appear very similar to the configuration for dynamic NAT, however there are important differences. First, the pool of IP addresses has been shrunk to a single IP address assigned to the outside interface of router R1.
Second, access list 1 matches the entire class C network 192.168.1.0/24 which means any inside local address from this network will be translated. If you want a specific host from this network not to be translated, you have to explicitly specify by adding a deny statement to the access list. Let’s assume we want to deny translation to a single host 192.168.1.2 while allowing all other hosts:
R1(config)#access-list 1 deny host 192.168.1.2
R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Also there is an addition of overload keyword with the ip nat inside source list 1 pool MyPool command.
Key Concept – NAT Overload is a special form of dynamic NAT that allows many-to-one mapping of local addresses to a smaller number global addresses from a pool of global addresses. The pool of global addresses may even consist of a single address. NAT Overload is also called Port Address Translation (PAT). These are a favorite type of scenario question on the CCNA exam.
Let’s start our usual verification by issuing the show ip nat translations command:
R1#show ip nat translations
R1#
There are no static mappings and hence the blank output above. Let’s generate some traffic from inside hosts to the server and issue the show ip nat translations command again:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 67.210.91.1:18 192.168.1.2:18 173.194.67.102:18 173.194.67.102:18
icmp 67.210.91.1:19 192.168.1.3:19 173.194.67.102:19 173.194.67.102:19
icmp 67.210.91.1:20 192.168.1.4:20 173.194.67.102:20 173.194.67.102:20
As you can see in the output above, all inside local addresses are translated into the same inside global address, which is the essence of NAT overload or PAT. You may have noticed that the router has preserved the source port numbers as inside local addresses were translated to inside global addresses. This is the usual behavior but when the router creates a new translation entry such that the source port number is already in use, the port number also gets translated to a different number. The occurrence of two inside hosts choosing the same source port number is not very common, but it still may happen especially when the number of connections from inside to outside is significant.
Let’s also issue the show ip nat statistics command:
R1#show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
Serial1/0
Inside interfaces:
FastEthernet0/0
Hits: 135 Misses: 15
CEF Translated packets: 150, CEF Punted packets: 0
Expired translations: 12
Dynamic mappings:
— Inside Source
[Id: 2] access-list 1 pool MyPool refcount 3
pool MyPool: netmask 255.255.255.0
start 67.210.91.1 end 67.210.91.1
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
You should keep two things in mind. First, NAT overload is useful in any situation when the number of inside hosts is larger than public addresses you have. In many situations you only have a single public IP address that is assigned to the outside interface of your Internet facing router. In this case your pool would consist of a single IP address as the configuration above shows. However, you may have more than one public IP addresses available, one of which may be assigned to the Internet facing interface of your router. In such case, your NAT pool may consist of more than one IP addresses still using NAT overload to accommodate a larger number of inside hosts wanting to connect to the Internet. In short, you may have a single overloaded public address or you may have more than one overloaded public addresses.
NAT Overload or PAT is the most prevalent NAT configuration for the obvious reason that it is the flavor of NAT that actually preserves global IP addresses, the primary reason for NAT usage.
0 comments:
Post a Comment