Network Address Translation (NAT) Tutorial
To reach the Internet, a host needs a public IP address, and that address must be unique across the whole world. If every host in the world required its own unique public IP address, we would have run out of addresses years ago. By using Network Address Translation (NAT), however, we can save a great many IP addresses for later use. We can understand NAT like this:
“NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet”
For example, your computer is assigned the private IP address 10.0.0.9. Of course this address cannot be routed on the Internet, but you can still access the Internet. This is because your router (or modem) translates this address into a public IP address, 123.12.23.1 for example, before routing your data onto the Internet.
Of course, when your router receives a reply packet destined for 123.12.23.1, it translates the destination back to your private IP address 10.0.0.9 before sending that packet to you.
Maybe you will ask: “Hey, I don’t see how NAT saves tons of IP addresses, because you still need a public IP address for each host that accesses the Internet. It doesn’t save you anything, so why use NAT?”
OK, you are right :). In the above example we don’t see its usefulness, but you now understand the fundamentals of NAT!
Let’s take another example!
Suppose your company has 500 employees but your Internet Service Provider (ISP) gives you only 50 public IP addresses. That means only 50 hosts can access the Internet at the same time. Here NAT comes to save your life!
One thing you should notice is that in real life not all of your employees use the Internet at the same time. Say 50 of them use the Internet to read the newspaper in the morning, and 50 others use it at noon to check mail. By using NAT you can dynamically assign these 50 public IP addresses to those who actually need them at that moment. This is called dynamic NAT.
But dynamic NAT alone does not solve our problem completely, because on some days more than 50 people may be surfing the web in the morning. In that case only the first 50 people can access the Internet; the others must wait their turn.
Another problem is that, in practice, your ISP gives you far fewer IP addresses than 50, because each public IP address is very precious now.
To solve the two problems above, another feature of NAT can be used: NAT Overload, also called Port Address Translation (PAT).
PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP address, each with a different port number, which is why it is called port address translation. When using PAT, the router keeps the source port numbers on the inside global IP address unique so that it can distinguish between translations. For example, three inside hosts can all be translated to the same public IP address 123.1.1.1 but with different port numbers (1000 to 1002).
Note: Cisco uses the term inside local for the private IP addresses and inside global for the public IP addresses that the router substitutes for them.
The outside host’s IP address can also be changed with NAT. The outside global address represents the outside host with a public IP address that can be routed on the public Internet.
The last term, outside local address, is a private address of an external device as it is referred to by the devices on its own local network. You can think of the outside local address as the inside local address of the external device that sits at the other end of the Internet.
Maybe you will ask how many ports we can use for each IP address. Because the port number field is 16 bits wide, PAT can support 2^16 = 65,536 ports, that is, more than 64,000 connections using one public IP address.
Now you have learned the most useful features of NAT, but let’s summarize all of them:
There are two types of NAT translation: dynamic and static.
Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.
Dynamic NAT: Designed to map an unregistered IP address to a registered IP address taken from a pool of registered IP addresses. You don’t have to statically configure your router to map each inside address to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet at the same time. With dynamic NAT you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. The router allocates registered public IP addresses from the pool until all of them are in use; if all the public IP addresses are already allocated, the router discards the packet that needed one.
PAT (NAT Overloading): also a kind of dynamic NAT, it maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports. Static NAT and dynamic NAT both require a one-to-one mapping from the inside local to the inside global address; with PAT, thousands of users can connect to the Internet using only one real global IP address. PAT is the technology that keeps us from running out of public IP addresses on the Internet, and it is the most popular type of NAT.
Besides, NAT gives you the option to advertise only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the public world, giving you some additional security for your network. Keep in mind that this hiding is a side effect of the translation table, not a substitute for a firewall: a static translation, for instance, exposes the inside host it maps to directly.
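The dynamic NAT and PAT behaviour described above, as an added Python example that is not part of the tutorial and not Cisco IOS code: a toy model of the translation table a NAT router keeps. It reuses the tutorial's addresses (inside hosts in 10.0.0.0/8, the pool 123.12.23.1 and 123.12.23.2, the single PAT address 123.1.1.1); the outside server 203.0.113.10, the port numbers and the class and function names (`InsideSourceNat`, `Packet`, `demo`) are constructed for illustration.

```python
"""Toy model of an inside-source NAT translation table (added example, not
from the tutorial or from Cisco IOS). Two modes from the text are modelled:
dynamic NAT (one-to-one from a pool; packets are discarded once the pool is
empty) and PAT/overload (many-to-one on a single inside global address, told
apart by the translated source port). Addresses and ports are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields an inside-source NAT rewrites or keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class InsideSourceNat:
    PORT_LOW, PORT_HIGH = 1024, 65535  # translated ports handed out in PAT mode

    def __init__(self, mode: str, inside_global_pool: List[str]) -> None:
        if mode not in ("dynamic", "overload") or not inside_global_pool:
            raise ValueError("mode must be 'dynamic' or 'overload' with a non-empty pool")
        self.mode = mode
        self.free_globals = list(inside_global_pool)    # unused inside global addresses
        self.addr_map: Dict[str, str] = {}              # dynamic: inside local -> inside global
        self.port_map: Dict[Tuple[str, int], int] = {}  # PAT: (inside local, port) -> translated port
        self.reverse: Dict[int, Tuple[str, int]] = {}   # PAT: translated port -> (inside local, port)
        self.next_port = self.PORT_LOW
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside -> outside. None means the router discarded the packet."""
        if self.mode == "dynamic":
            glob = self.addr_map.get(pkt.src_ip)
            if glob is None:
                if not self.free_globals:
                    self.dropped += 1          # pool exhausted: no address left to lend
                    return None
                glob = self.free_globals.pop(0)
                self.addr_map[pkt.src_ip] = glob
            return Packet(glob, pkt.src_port, pkt.dst_ip, pkt.dst_port)

        glob = self.free_globals[0]            # PAT: every inside host shares this address
        key = (pkt.src_ip, pkt.src_port)
        tport = self.port_map.get(key)
        if tport is None:
            if len(self.reverse) >= self.PORT_HIGH - self.PORT_LOW + 1:
                self.dropped += 1              # all ~64k ports on this address are in use
                return None
            tport = self._allocate_port()
            self.port_map[key] = tport
            self.reverse[tport] = key
        return Packet(glob, tport, pkt.dst_ip, pkt.dst_port)

    def _allocate_port(self) -> int:
        """Next free translated port, wrapping around the usable range."""
        while self.next_port in self.reverse:
            self.next_port = self.next_port + 1 if self.next_port < self.PORT_HIGH else self.PORT_LOW
        port = self.next_port
        self.next_port = port + 1 if port < self.PORT_HIGH else self.PORT_LOW
        return port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply outside -> inside using existing state only.
        A packet with no matching entry (unsolicited) is dropped: None."""
        if self.mode == "dynamic":
            for local, glob in self.addr_map.items():
                if glob == pkt.dst_ip:
                    return Packet(pkt.src_ip, pkt.src_port, local, pkt.dst_port)
            return None
        if pkt.dst_ip != self.free_globals[0]:
            return None
        entry = self.reverse.get(pkt.dst_port)
        if entry is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo() -> dict:
    """The tutorial's two scenarios on constructed addresses (outside host in RFC 5737 space)."""
    web = ("203.0.113.10", 80)   # constructed outside web server
    # Dynamic NAT: two inside globals, three hosts -> the third packet is discarded.
    dyn = InsideSourceNat("dynamic", ["123.12.23.1", "123.12.23.2"])
    dynamic_out = [dyn.outbound(Packet(f"10.0.0.{i}", 40000 + i, *web)) for i in (9, 10, 11)]
    # PAT: one inside global 123.1.1.1 shared by three hosts that all use source port 50000.
    pat = InsideSourceNat("overload", ["123.1.1.1"])
    pat_out = [pat.outbound(Packet(f"10.0.0.{i}", 50000, *web)) for i in (9, 10, 11)]
    # The server replies to the translated port; the router maps it back to host 10.0.0.10.
    reply = pat.inbound(Packet(web[0], web[1], "123.1.1.1", pat_out[1].src_port))
    # A packet to a port with no translation state never reaches the inside network.
    stray = pat.inbound(Packet(web[0], web[1], "123.1.1.1", 9999))
    return {"dynamic_out": dynamic_out, "dropped": dyn.dropped,
            "pat_out": pat_out, "reply": reply, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two simplifications to keep in mind when comparing this with a real router: IOS keeps the original source port when it is still free and only picks a different one on a collision, whereas this allocator always hands out the next sequential port; and real translation entries age out after an idle timeout, while this table only grows. The `stray` case shows the "hiding" effect the tutorial mentions: with no entry in the table, an inbound packet has nowhere to go.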
NAT terms:
* Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.
To learn how to configure NAT, please read my Configure NAT GNS3 Lab tutorial.
9TUT I love you
hi,
going to give ccna exam today…
Really Great, Simple and Clear Explanation
Thank You, good Explanation!
Thanks for this. Today is my day. I will let you know the score.
outstanding, thanks, great job!
i love the tutorial
what is your score, mustafe? i think you failed.
Very useful… thanks
Hi the video link cannot be opened?
THANKS FOR THE GUIDELINES…
Thanks for this, you guys are awesome :)
WELL EXPLAINED
It is really very helpful.
Amazing Explanation!!!
The following is incorrect
“The last term, outside local address, is a private address of an external device as it is referred to by devices on its local network. You can understand outside local address as the inside local address of the external device which lies at the other end of the Internet.”
You have it correct here
Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
The Outside local address is the address of the REMOTE host as it appears inside YOUR network after any possible translation. Often this is the same as the Outside Global address, but it *does not have to be*! You can NAT going out of and coming into a network; for example, if you have two networks that you are trying to route between but they use the same IP addressing scheme (say both are on 10.0.0.0/8 or something), we need to NAT both coming and going.
Check here for further study.
http://www.tcpipguide.com/free/t_IPNATAddressTerminology-2.htm
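The situation the comment above describes (two networks that overlap, so the router translates the outside source as well as the inside source), as an added Python example that is neither the commenter's nor the tutorial's code and not Cisco IOS. It labels every address with the four Cisco NAT terms so that the difference between outside local and outside global is concrete. The class and function names (`TwiceNat`, `Packet`, `demo`) and all addresses (10.1.1.10, 10.1.1.20, 203.0.113.10, 172.16.1.20, 198.51.100.7) are constructed for illustration.

```python
"""Added example (not part of the tutorial or of the comment): a router that
does static inside-source and outside-source translation, the equivalent of
IOS 'ip nat inside source static' plus 'ip nat outside source static'. Two
sites both use 10.1.1.0/24, so the remote server's real address collides
with our own subnet. All addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


class TwiceNat:
    def __init__(self) -> None:
        self.inside: Dict[str, str] = {}    # inside local   -> inside global
        self.outside: Dict[str, str] = {}   # outside global -> outside local

    def add_inside_static(self, inside_local: str, inside_global: str) -> None:
        self.inside[inside_local] = inside_global

    def add_outside_static(self, outside_global: str, outside_local: str) -> None:
        self.outside[outside_global] = outside_local

    @staticmethod
    def _reverse(table: Dict[str, str], value: str) -> Optional[str]:
        """Look a one-to-one mapping up by its value."""
        return next((k for k, v in table.items() if v == value), None)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: source inside local becomes inside global,
        destination outside local becomes outside global. Addresses with no
        entry are forwarded unchanged, as a router would."""
        src = self.inside.get(pkt.src_ip, pkt.src_ip)
        dst = self._reverse(self.outside, pkt.dst_ip) or pkt.dst_ip
        return Packet(src, dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Outside -> inside: source outside global becomes outside local,
        destination inside global becomes inside local."""
        src = self.outside.get(pkt.src_ip, pkt.src_ip)
        dst = self._reverse(self.inside, pkt.dst_ip) or pkt.dst_ip
        return Packet(src, dst)


def demo() -> Tuple[Packet, Packet, Packet]:
    """Our host 10.1.1.10 talks to a remote server that really is 10.1.1.20."""
    nat = TwiceNat()
    nat.add_inside_static("10.1.1.10", "203.0.113.10")   # inside local   -> inside global
    nat.add_outside_static("10.1.1.20", "172.16.1.20")   # outside global -> outside local
    # Our host addresses the server by its outside *local* address, the only
    # name for it that does not collide with our own 10.1.1.0/24.
    out = nat.outbound(Packet("10.1.1.10", "172.16.1.20"))
    # The server answers our inside *global* address from its real address.
    back = nat.inbound(Packet("10.1.1.20", "203.0.113.10"))
    # A destination with no outside entry keeps its address: here the outside
    # local and outside global addresses are the same, the common case.
    plain = nat.outbound(Packet("10.1.1.10", "198.51.100.7"))
    return out, back, plain


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "no outside entry"), demo()):
        print(label, pkt)
```

The `plain` case is the everyday situation the comment mentions, where the outside local address equals the outside global address because no outside-source translation exists for that host; the `out` and `back` pair shows the case where they differ.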
thank you very much 9tut
Thanks… really helpful
Thanks for the clear explanation!!! :)
Hi All!
If you are trying to practice NAT in Packet Tracer, you can do that using two routers and two computers.
Please take note of the numbers in step 1, which tell you the interface.
Steps as below:
1) The setup will be laptop1—2router3—4router5—6laptop.
2) Give laptop (1) some 192.168.1.xxx 255.255.255.0 address, and router interface (2) also some 192.168.1.xx 255.255.255.0 address.
3) After that, at (3) use IP 67.110.56.112 255.255.0.0 and at (4) 67.110.57.115 255.255.0.0.
4) At interface (5) give some IP like 67.120.51.112 255.255.0.0, and for the laptop 67.120.52.115.
Please note, for the PCs give the default gateway as the router interface connected to them.
With the IP addresses set, we now need to set static routes on both routers so that they can ping each other's networks. You can also use RIP, EIGRP or OSPF, whichever you prefer.
Now ping from one PC to the other to verify connectivity. Once that is OK, our setup is done.
Now comes NAT! Put an access list on 4router5 to allow only a source IP of 67.110.x.x:
access-list 3 permit 67.110.0.0 0.0.255.255, and apply it inbound on interface (4) of the router with ip access-group 3 in. This will only allow traffic if the source IP is 67.110.x.x and not 192.168.x.x.
Now try to ping from the PC; it won't allow you! Try to ping from the router; it allows you, as the source address is 67.110.x.x.
Now we configure NAT on 2router3: at (2) ip nat inside and at (3) ip nat outside. We put an access list to allow anything to be NATed, so (config)# access-list 3 permit any.
And now just write the NAT command: ip nat inside source list 3 interface <interface (3)> overload.
Now you should be able to ping from one laptop to the other. Please post if you have any doubts.
thank u……
Thanks for the explanations ….
my exam is tom. wish me luck! this site rocks any way! thanks a million!!
Thanka
marvellous illustration ;)
how to delete the pool ?
@kushal just negate it, but be sure to be on the proper interface,
e.g.
R0#configure terminal
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside
to negate
R0(config-if)#no ip nat inside
@jef
thanks man!
Nice writeup, keep it up man
Thanks very much… it is very useful for me.
Thank u very much Sir…
Thank You, very good explanation
9tut.com is doing an excellent job, thank you very much.
thanks a lot, useful help
hi, i have a question: how many days should we prepare for the exam before we go for it? actually i just finished ccna boot camp training three days ago and am planning to write the lab…
nice explanation
nice explanation, thanks for all
yes i like your article, keep it up
with the IP NAT feature, how can I set up an ACL to open a port for Exchange (port 25)? I set up a simple NAT but I don’t know how to do an ACL to allow port 25 to be open for Exchange.
@kevin
If you need to open up a port and block others, you need an extended access list.
Give the acl a number from 100-199 and from there you can only allow the port 25. You can then assign this acl to the nat.
this is very useful for me, thank you very much…
Thanks 9tut.com, God bless you
thanks, this is very helpful for me
This is a very helpful tutorial
thanks to 9tut
Good Job 9tut
Thank you soo much :)
good job 9tut
good job
helpful ….
It’s really helpful, nice job…
Really helpful, simple and meaningful. Thank you very much sir