Icnd210s07 Nat

Uploaded by Ismail Kurnaz

Scaling the Network with NAT and PAT
Address Space Management
What is NAT?

- The Internet has grown far larger than anyone imagined it could. With the explosion of the Internet and the growth of home and business networks, the number of available IPv4 addresses is simply not enough. The obvious solution is to redesign the address format to allow for more addresses. That redesign (IPv6) exists, but it takes years to deploy because it requires changes across the entire infrastructure of the Internet.
- NAT (Network Address Translation) and CIDR (Classless Inter-Domain Routing) were developed as interim measures to slow the exhaustion of IPv4 address space.
- With NAT, an internal network is set up with IP addresses that were not specifically allocated to any organisation (private addresses) by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses must be treated as non-routable on the Internet because they are not unique.
Private Addressing Space (RFC 1918)

Class   RFC 1918 internal address range     CIDR prefix
A       10.0.0.0 - 10.255.255.255           10.0.0.0/8
B       172.16.0.0 - 172.31.255.255         172.16.0.0/12
C       192.168.0.0 - 192.168.255.255       192.168.0.0/16

These addresses are for private, internal network use only.

Packets carrying these addresses are not routed over the Internet. Private IP addresses are reserved and can be used by anyone, so two networks, or two million networks, can each use the same private range. Internet routers should never forward packets with RFC 1918 source or destination addresses, and ISPs typically configure their border routers to filter privately addressed traffic.

Think about it: how does our PC reach the outside, and how does the reply get back to us, if Internet routers do not route these packets?
Translation!

Introducing NAT and PAT

- NAT (Network Address Translation) is designed to conserve IP addresses and to let networks use private IP addresses internally.
- In practice, NAT is used to allow privately addressed hosts to access the Internet. Their private addresses are translated to public addresses.
- NAT translations can be created dynamically or statically.
- NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header.
- The most powerful feature of NAT routers is their ability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called many-to-one NAT.
Introducing NAT

[Figure: hosts A (192.168.0.3) and B (192.168.0.5) on the INSIDE network behind the NAT router's E0 interface; the router's S0 interface faces the OUTSIDE public network (Internet), where the web server 212.10.1.3 sits.]

Packet from A, before and after translation:

                      SRC            DST
Inside (before NAT)   192.168.0.3    212.10.1.3
Outside (after NAT)   85.18.3.1      212.10.1.3

Usually NAT changes the source address of the IP packet from a private address to a public (routable) address.
What about the reply coming back?
NAT Table

The router has to keep some kind of table recording who was translated to whom. It needs this information because when the reply comes back, the router must forward the packet to the right host on the inside.

Router's NAT table:

Inside Local Addr.   Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
192.168.0.3          85.18.3.1             212.10.1.3            212.10.1.3
What is inside local, inside global, etc.?

NAT Terminology
Inside local address - The IP address assigned to a host on the inside network. It is usually not a legitimate address assigned by the Network Information Center (NIC) or the service provider (a private address).
Inside global address - A legitimate IP address assigned by the NIC or service provider that represents one or more inside local addresses to the outside world (a public address).
Outside local address - The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address; it is allocated from address space routable on the inside.
Outside global address - The IP address assigned to a host on the outside network by the host's owner. It is allocated from globally routable address space.
Let's look at the previous slide again.
NAT Terminology cont.
1. Static NAT
 Static NAT is designed to allow one-to-one
mapping of local and global addresses. This is
particularly useful for hosts which must have a
consistent address that is accessible from the
Internet.
2. Dynamic NAT
 Dynamic NAT is designed to map a private IP
address to a public address. Any IP address
from a pool of public IP addresses is assigned
to a network host. Overloading, or Port Address
Translation (PAT), maps multiple private IP
addresses to a single public IP address.
Multiple addresses can be mapped to a single
address because each private address is
tracked by a port number.
NAT Terminology

[Figure: the same topology; hosts A (192.168.0.3) and B (192.168.0.5) inside on E0, S0 to the public network, web server 212.10.1.3 outside.]

                 SRC                           DST
Inside packet    192.168.0.3 (inside local)    212.10.1.3 (outside local)
Outside packet   85.18.3.1 (inside global)     212.10.1.3 (outside global)
NAT Table
What does the NAT table look like if host B talks to the same outside server at the same time as A?

Should the inside global address be different? YES

     Inside Local Addr.   Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
A    192.168.0.3          85.18.3.1             212.10.1.3            212.10.1.3
B    192.168.0.5          85.18.3.2             212.10.1.3            212.10.1.3

Plain NAT still limits the number of hosts that can reach the Internet at the same time, because the mapping is one-to-one: the limit is the number of addresses in your public pool, not the size of your inside network. For example, you can use a /24 on the inside and define 254 hosts, but if you have a /28 public address pool, only 14 hosts can be translated at the same time.
Solution: PAT
NAT with PAT
PAT (Port Address Translation) lets you use a single public IP address to represent many inside hosts.
- PAT uses the TCP/UDP source port to track inside host addresses. It can also modify port numbers; why it does so is explained later.
- In theory one public address gives PAT up to 65,536 port numbers to work with (about 4,000 simultaneous translations is more realistic).
- PAT tracks SA, DA and SP (source address, destination address and source port, which together identify each connection) for every traffic stream, and rewrites SA and, when needed, SP.

Router's NAT (PAT) table:

     Inside Local Addr.    Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
A    192.168.0.3 : 1453    85.18.3.1 : 1453      212.10.1.3 : 80       212.10.1.3 : 80
B    192.168.0.5 : 1200    85.18.3.1 : 1200      212.10.1.3 : 80       212.10.1.3 : 80
Note that TCP and UDP port numbers have been added to the NAT table.
PAT (Port Address Translation)

[Figure: same topology; hosts A (192.168.0.3) and B (192.168.0.5) inside on E0, S0 to the public network, web server 212.10.1.3 outside.]

Packets before and after translation (SA:port -> DA:port):

     Inside                                  Outside (after NAT)
A    192.168.0.3:1453 -> 212.10.1.3:80       85.18.3.1:1453 -> 212.10.1.3:80
B    192.168.0.5:1200 -> 212.10.1.3:80       85.18.3.1:1200 -> 212.10.1.3:80

Router's NAT table:

     Inside Local Addr.    Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
A    192.168.0.3 : 1453    85.18.3.1 : 1453      212.10.1.3 : 80       212.10.1.3 : 80
B    192.168.0.5 : 1200    85.18.3.1 : 1200      212.10.1.3 : 80       212.10.1.3 : 80

Why is it called PAT?
Think about what happens if hosts A and B reach the same server and, by accident, also pick the same source port. If the router does not change the source port, the following situation occurs when the reply comes back from the public network:

     Inside Local Addr.    Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
A    192.168.0.3 : 1453    85.18.3.1 : 1453      212.10.1.3 : 80       212.10.1.3 : 80
B    192.168.0.5 : 1453    85.18.3.1 : 1453      212.10.1.3 : 80       212.10.1.3 : 80

Reply arriving at S0:   DA 85.18.3.1 : 1453   SA 212.10.1.3 : 80
Router: "I have to forward this packet to somebody. BUT WHO?" Both 192.168.0.3 and 192.168.0.5 match the same inside global entry.

Solution: translate (change) the source port when two hosts pick the same one, and remember the change (PAT).
Why is it called PAT?
In the previous scenario the router actually changes the source port of B's packet; the earlier table was only to illustrate the problem. The real NAT table for that example looks like this:

     Inside Local Addr.    Inside Global Addr.   Outside Local Addr.   Outside Global Addr.
A    192.168.0.3 : 1453    85.18.3.1 : 1453      212.10.1.3 : 80       212.10.1.3 : 80
B    192.168.0.5 : 1453    85.18.3.1 : 1800      212.10.1.3 : 80       212.10.1.3 : 80
                           (source port changed)

Now the router can decide "who is the destination" when the reply comes back, because the inside global port, not just the address, identifies the connection. That is how Port Address Translation (PAT) earns its name.
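The translation table behaviour described over the last few slides (the one-to-one pool limit of dynamic NAT, the shared address of PAT, the source-port rewrite on a collision, and the reverse lookup for replies) as an added, runnable model. This is example code written for this page, not Cisco IOS code or the original slides' material; the addresses mirror the slide diagrams, and the rule for picking a replacement port (start at 1024 and count up) is an assumption, since IOS chooses its own.

```python
"""Toy model of a NAT/PAT translation table: static one-to-one entries,
a dynamic pool, and overload (PAT) with source-port rewriting.
Added example for this page; not Cisco IOS code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PoolExhausted(Exception):
    """Dynamic NAT: every inside global address in the pool is in use."""


class NatRouter:
    def __init__(self, pool, overload=False, static=None):
        self.pool = list(pool)                 # inside global addresses
        self.overload = overload
        self.static = dict(static or {})       # inside local -> inside global
        # whole-host entries (static and dynamic): inside global -> inside local
        self.addr_map = {g: l for l, g in self.static.items()}
        # per-connection entries (PAT): (proto, global, gport) <-> (local, lport)
        self.forward, self.reverse = {}, {}
        self.next_port = 1024                  # assumption: where rewritten ports start

    def _allocate(self, local, proto, lport):
        """Pick the inside global address/port for a new outbound connection."""
        if local in self.static:               # 1) static entry: fixed, port untouched
            return self.static[local], lport
        if self.overload:                      # 2) PAT: every host shares pool[0]
            gaddr, gport = self.pool[0], lport
            while (proto, gaddr, gport) in self.reverse:   # collision: rewrite the port
                gport, self.next_port = self.next_port, self.next_port + 1
            return gaddr, gport
        for gaddr, l in self.addr_map.items(): # 3) dynamic: reuse this host's address
            if l == local:
                return gaddr, lport
        free = [a for a in self.pool if a not in self.addr_map]
        if not free:
            raise PoolExhausted(local)         # the 14-host limit of a /28 pool
        self.addr_map[free[0]] = local
        return free[0], lport

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and record the translation."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:
            gaddr, gport = self._allocate(pkt.src, pkt.proto, pkt.sport)
            self.forward[key] = (gaddr, gport)
            self.reverse[(pkt.proto, gaddr, gport)] = (pkt.src, pkt.sport)
        gaddr, gport = self.forward[key]
        return Packet(gaddr, gport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination; None = no entry, not forwarded."""
        hit = self.reverse.get((pkt.proto, pkt.dst, pkt.dport))   # PAT / known flow
        if hit is None and pkt.dst in self.addr_map:               # static or dynamic host
            hit = (self.addr_map[pkt.dst], pkt.dport)
        if hit is None:
            return None
        local, lport = hit
        return Packet(pkt.src, pkt.sport, local, lport, pkt.proto)


def demo():
    """Constructed traffic mirroring the slides: A and B both pick source port 1453."""
    a = Packet("192.168.0.3", 1453, "212.10.1.3", 80)
    b = Packet("192.168.0.5", 1453, "212.10.1.3", 80)
    pat = NatRouter(pool=["85.18.3.1"], overload=True)
    out_a, out_b = pat.outbound(a), pat.outbound(b)
    reply = pat.inbound(Packet("212.10.1.3", 80, out_b.src, out_b.sport))
    probe = pat.inbound(Packet("198.51.100.9", 40000, "85.18.3.1", 22))  # unsolicited

    dyn = NatRouter(pool=[f"85.18.3.{i}" for i in range(1, 15)])         # /28 pool
    for i in range(14):
        dyn.outbound(Packet(f"10.10.10.{i + 2}", 5000, "212.10.1.3", 80))
    try:
        dyn.outbound(Packet("10.10.10.100", 5000, "212.10.1.3", 80))
        fifteenth = "translated"
    except PoolExhausted:
        fifteenth = "dropped: pool exhausted"

    st = NatRouter(pool=[], static={"10.10.10.2": "85.18.3.2"})
    unsolicited = st.inbound(Packet("198.51.100.9", 40000, "85.18.3.2", 80))
    return {
        "a_global": (out_a.src, out_a.sport),                    # ('85.18.3.1', 1453)
        "b_global": (out_b.src, out_b.sport),                    # ('85.18.3.1', 1024)
        "reply_to": (reply.dst, reply.dport),                    # ('192.168.0.5', 1453)
        "probe": probe,                                          # None: no table entry
        "fifteenth_host": fifteenth,                             # pool exhausted
        "static_inbound": (unsolicited.dst, unsolicited.dport),  # ('10.10.10.2', 80)
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two results are worth noticing from a security angle: with PAT or dynamic NAT an unsolicited packet from the outside matches nothing and is not forwarded (`probe` is None), whereas a static mapping answers any port before any inside traffic has flowed, which is exactly why a statically mapped server still needs its own filtering.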
Configuring Static NAT

[Figure: HTTP server 10.10.10.2 on the inside network 10.10.10.0/24 behind E0; S0 faces the public network (Internet); the public block from the ISP is 85.18.3.0/28.]

interface s0
 ! the ISP block is 85.18.3.0/28, so the outside mask is 255.255.255.240
 ip address 85.18.3.1 255.255.255.240
 ip nat outside
!
interface e0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.10.10.2 85.18.3.2

RouterX# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 85.18.3.2          10.10.10.2         ---                ---

The static entry is in the table before any traffic flows; that is what makes the server reachable from the Internet. It also means every port of 10.10.10.2 is reachable through 85.18.3.2, so the outside interface should carry an access list that permits only the service the server is meant to offer (here TCP 80).
Configuring Dynamic NAT

[Figure: inside network 10.10.10.0/24 on E0; S0 faces the public network (Internet). The network address you have received from your ISP is 85.18.3.0/28.]

ip nat pool nathavuzu 85.18.3.1 85.18.3.14 netmask 255.255.255.240
ip nat inside source list 1 pool nathavuzu
access-list 1 permit 10.10.10.0 0.0.0.255
!
interface ethernet0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 90.20.3.1 255.255.255.252
 ip nat outside

Note: at most 14 hosts (limited by the pool) can reach the outside at the same time. ("nathavuzu" is just the pool name; it is Turkish for "NAT pool".) Because the pool 85.18.3.0/28 is not the serial link's own subnet (90.20.3.0/30), the ISP must route 85.18.3.0/28 towards this router or replies will never arrive.
Configuring Dynamic NAT with the overload keyword (PAT)

[Figure: inside network 10.10.10.0/24 on E0; S0 faces the public network (Internet).]

ip nat pool nathavuzu 85.18.3.1 85.18.3.14 netmask 255.255.255.240
ip nat inside source list 1 pool nathavuzu overload
access-list 1 permit 10.10.10.0 0.0.0.255
!
interface ethernet0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 90.20.3.1 255.255.255.252
 ip nat outside

By using the overload keyword, every host can reach the outside at the same time.
NAT to the interface's address (PAT)

[Figure: inside network 10.10.10.0/24 on E0; S0 faces the public network (Internet).]

ip nat inside source list 1 interface serial0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
!
interface ethernet0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface serial0
 ip address 90.20.3.1 255.255.255.252
 ip nat outside

This way you use the interface's own IP address for NAT. It is suitable where the interface address changes, for example on an ADSL line.

Be careful: without the overload keyword only one host at a time can reach the outside.
The interface's IP address can be statically defined or dynamically obtained from the provider.
Clearing the NAT Translation Table

RouterX# clear ip nat translation *
- Clears all dynamic address translation entries

RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
- Clears a simple dynamic translation entry that contains an inside translation, or both an inside and an outside translation

RouterX# clear ip nat translation outside local-ip global-ip
- Clears a simple dynamic translation entry that contains an outside translation

RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
- Clears an extended dynamic translation entry (PAT entry)
Issues with NAT/PAT

ADVANTAGES OF NAT
- Conserves the legally registered addressing scheme by allowing the privatisation of intranets.
- Increases the flexibility of connections to the public network. Multiple pools, backup pools, and load-balancing pools can be implemented to assure reliable public network connections.
- Consistency of the internal network addressing scheme. On a network without private IP addresses and NAT, changing public IP addresses requires renumbering every host on the existing network, which can be costly. NAT allows the existing scheme to remain while supporting a new public addressing scheme.
- NAT also adds some security, because inside hosts are not directly addressable from the public network: with dynamic NAT or PAT an unsolicited inbound packet matches no table entry and is not forwarded to any inside host. Treat this as a side effect rather than a firewall: a static mapping exposes its inside host completely, and filtering policy still belongs in an access list or a stateful firewall.
Issues with NAT/PAT

DISADVANTAGES OF NAT
NAT is not without drawbacks. Enabling address translation causes a loss of functionality, particularly with any protocol or application that carries IP address information inside the IP payload (FTP and SIP are common examples); these need additional support in the NAT device.

One significant disadvantage of NAT is the loss of end-to-end IP traceability. It becomes much harder to trace packets that undergo several address changes over multiple NAT hops; a single public address may stand for hundreds of inside hosts, so attributing traffic to a host requires the NAT device's translation records, with timestamps and ports.

NAT also breaks some applications that rely on IP addressing, because it hides end-to-end IP addresses. Applications that use an IP address instead of a fully qualified domain name will not reach destinations that are translated across the NAT router. Sometimes this problem can be avoided by implementing static NAT mappings.
Translation Not Occurring:
Translation Not Installed in the Table

Verify that:
 There are no inbound ACLs that are denying the packets entry to
the NAT router
 The ACL referenced by the NAT command is permitting all
necessary networks
 There are enough addresses in the NAT pool
 The router interfaces are appropriately defined as NAT inside or
NAT outside
Displaying Information with show and debug Commands
RouterX# debug ip nat

NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]

Reading the output: s= is the source and d= the destination address; a->b marks the field that was rewritten (the source on outbound packets, the destination on returning ones); the number in brackets is the IP identification field of the packet, handy for matching a request with its reply; and NAT* marks packets handled in the fast-switched path rather than process-switched.
RouterX# show ip nat statistics


Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0
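The debug output above is also the raw material for the traceability problem raised under the disadvantages of NAT: given a public (inside global) address seen at a remote site, which inside host was behind it? As an added example (written for this page, not Cisco's code), the following parses debug ip nat lines into structured records and answers that question. The sample lines are the slide's own output, re-typed here as a constructed input, and the regular expression assumes only the two line shapes shown on the slide.

```python
"""Parse Cisco 'debug ip nat' lines and rebuild the inside <-> global mapping.
Added example for this page; not Cisco code."""
import re
from collections import defaultdict

# Constructed sample: the debug ip nat output from the slide, re-typed.
SAMPLE_DEBUG = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
"""

# NAT or NAT* (fast-switched), s=src[->new_src], d=dst[->new_dst], [ip-id]
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """Return a record for one debug line, or None if it is not a translation line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    rec = {"fast": g["fast"] == "*", "ipid": int(g["ipid"])}
    if g["s2"]:                       # outbound: source rewritten local -> global
        rec.update(direction="out", inside_local=g["s"],
                   inside_global=g["s2"], outside=g["d"])
    elif g["d2"]:                     # inbound: destination rewritten global -> local
        rec.update(direction="in", inside_local=g["d2"],
                   inside_global=g["d"], outside=g["s"])
    else:
        return None                   # no rewrite shown: nothing to learn from it
    return rec


def parse_debug(text):
    """All translation records in a block of debug output, in order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def who_was(records, inside_global):
    """Traceability: which inside host(s) sat behind this inside global address."""
    return sorted({r["inside_local"] for r in records
                   if r["inside_global"] == inside_global})


def peers_of(records, inside_local):
    """Outside hosts a given inside host exchanged packets with, with packet counts."""
    counts = defaultdict(int)
    for r in records:
        if r["inside_local"] == inside_local:
            counts[r["outside"]] += 1
    return dict(counts)


def fast_switched_share(records):
    """Fraction of logged packets that took the fast-switched path (NAT*)."""
    return sum(r["fast"] for r in records) / len(records) if records else 0.0


if __name__ == "__main__":
    recs = parse_debug(SAMPLE_DEBUG)
    print(who_was(recs, "172.31.233.209"))   # ['192.168.1.95']
    print(peers_of(recs, "192.168.1.95"))    # {'172.31.2.132': 2, '172.31.1.161': 6}
    print(fast_switched_share(recs))         # 0.625
```

With PAT in use the same global address would map to many inside hosts, and the debug lines carry no timestamps or ports, so in practice the translation log an investigator keeps needs both; this parser shows the shape of the join, not a substitute for proper NAT logging.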

Summary

- There are three types of NAT: static, dynamic, and overloading (PAT).
- Static NAT is one-to-one address mapping. Dynamic NAT addresses are picked from a pool.
- NAT overloading (PAT) allows you to map many inside addresses to one outside address.
- Use the show ip nat translations command to display the translation table and verify that translation has occurred.
- To determine whether a current translation entry is being used, use the show ip nat statistics command to check the hits counter.
