🌐 NAT (Network Address Translation)



🧠 Top 6 Key Points

  1. Translates Private IPs to Public IPs:
    NAT converts internal (private) IP addresses into a single or multiple public IPs so that devices inside a LAN can access the Internet.

  2. Conserves Public IP Addresses:
    NAT allows multiple internal hosts to share one public IP, saving global address space.

  3. Improves Security:
    Internal IPs remain hidden from the outside world, and unsolicited inbound packets have no translation entry to match, which reduces attack exposure (NAT is not a substitute for a firewall, though).

  4. Types of NAT:

    • Static NAT: One-to-one mapping (internal ↔ public). Typical use: a server.

    • Dynamic NAT: Many-to-many mapping (pool of public IPs).

    • PAT (NAT Overload): Many-to-one mapping (most common).

  5. Configured on Routers:
    NAT runs on routers at the boundary between private and public networks, translating IPs for outbound/inbound traffic.

  6. NAT types in use today:

     NAT Type            Used Today             Common Use
     Static NAT          ✅ Yes (limited use)    Publishing internal servers with a dedicated public IP
     Dynamic NAT         ⚠️ Rarely              Legacy environments or when a pool of public IPs is available
     PAT (NAT Overload)  ✅ Very common          Internet access for users
  7. 💬 Teaching Tip

    “NAT is like a receptionist — many employees (private IPs) talk to outsiders (public IPs) through one phone number (public IP), but the receptionist knows who’s who internally.”

                    Internet


    Web Server
    Public IP: 8.8.8.8
    |
    -------------------
    |
    Router (NAT)
    G0/0: 192.168.1.1
    G0/1: 200.1.1.1 (Public)
    |
    -------------------
    |
    PC1
    192.168.1.10

    Suppose:

    • PC1 = 192.168.1.10 (Inside Local)
    • Router Public IP = 200.1.1.1 (Inside Global)
    • Google Server = 8.8.8.8 (Outside Global & Outside Local)
    • INSIDE = your network
    • OUTSIDE = Internet
    • LOCAL = before NAT
    • GLOBAL = after NAT


    Term             Meaning
    Inside Local     Private IP of an inside host (before NAT)
    Inside Global    Public IP representing the inside host (after NAT)
    Outside Global   Actual public IP of the outside host
    Outside Local    Same as Outside Global (the outside host's address as seen from the inside network)

192.168.0.128:54805
│             │
│             └── Source or destination port
└──────────────── IP address
  • 192.168.0.128 is the device's private IP address.
  • 54805 is an ephemeral (dynamic) source port chosen by the operating system for a particular connection.


How Does the Router Know Which Private Host to Send It To?

The router does not guess.

It keeps a NAT translation table.

Example:

Inside Local     Inside Global
192.168.10.10    200.1.1.1
192.168.10.20    200.1.1.1

With PAT, the port numbers make each session unique:

Inside Local              Inside Global
192.168.10.10:50000 -> 200.1.1.1:30001
192.168.10.20:50001 -> 200.1.1.1:30002

When replies arrive:

  • 200.1.1.1:30001 → 192.168.10.10:50000
  • 200.1.1.1:30002 → 192.168.10.20:50001

This is how many devices can share one public IP address.
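As an added illustration (not part of the original notes), here is a small Python model of the PAT translation table described above: each outbound session gets its own public port, replies are reverse-translated from that port, and an inbound packet with no matching entry is dropped. The starting port 30001, the web server port 80 and the stray-packet source 203.0.113.9 are assumed values.

```python
from dataclasses import dataclass
from itertools import count

# Addresses follow the page's PAT example (two inside hosts behind 200.1.1.1).
# The first translated port (30001) and the server port (80) are assumptions.
PUBLIC_IP = "200.1.1.1"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatTable:
    """Router-side PAT (NAT overload) translation table."""
    def __init__(self, public_ip: str, first_port: int = 30001):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out = {}   # (inside local ip, port, dst ip, dst port) -> inside global port
        self.back = {}  # (inside global port, dst ip, dst port) -> (inside local ip, port)

    def outbound(self, flow: Flow) -> Flow:
        """Translate an inside->outside packet, allocating one public port per session."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.out:
            gport = next(self._ports)
            self.out[key] = gport
            self.back[(gport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, self.out[key], flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow):
        """Reverse-translate an outside->inside packet; None means no session, so it is dropped."""
        entry = self.back.get((flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Flow(flow.src_ip, flow.src_port, local_ip, local_port)

def demo():
    """Two PCs reach the same web server; one reply returns, one stray packet is dropped."""
    nat = PatTable(PUBLIC_IP)
    a = nat.outbound(Flow("192.168.10.10", 50000, "8.8.8.8", 80))   # -> 200.1.1.1:30001
    b = nat.outbound(Flow("192.168.10.20", 50001, "8.8.8.8", 80))   # -> 200.1.1.1:30002
    reply = nat.inbound(Flow("8.8.8.8", 80, PUBLIC_IP, a.src_port))  # -> 192.168.10.10:50000
    stray = nat.inbound(Flow("203.0.113.9", 4444, PUBLIC_IP, 30009))  # no entry -> None
    return a, b, reply, stray
```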


⚙️ Technical Summary

Feature          Description
OSI Layer        Network Layer (Layer 3)
Main Function    Translate IP addresses
Types            Static, Dynamic, PAT
Common Command   ip nat inside / ip nat outside
Use Case         LAN-to-Internet communication

🧰 Packet Tracer Lab – NAT Configuration


🎯 Goal:

Use PAT (NAT Overload) to allow multiple internal hosts to share one public IP for Internet access.


🖥️ Network Topology

[PC1][PC2]---[Switch]---[Router1]---[ISP Router] (Internet)






IP Plan

Device        Interface   IP Address      Description
Router (R1)   G0/0        192.168.10.1    Inside (LAN)
              G0/1        200.0.0.1       Outside (Public)
PC5           NIC         192.168.10.10   Inside Host
PC6           NIC         192.168.10.20   Inside Host
ISP Router    G0/0        200.0.0.2       Public (Next Hop)

🪜 Step-by-Step Configuration

🔹 1. Configure Router Interfaces

enable
conf t
interface g0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
no shutdown
exit
interface g0/1
ip address 200.0.0.1 255.255.255.0
ip nat outside
no shutdown
exit

🔹 2. Create an Access List that tells the router which addresses should be translated

access-list 1 permit 192.168.10.0 0.0.0.255

Part             Meaning
access-list 1    ACL number 1 (standard ACL)
permit           Allow traffic
192.168.10.0     Network address
0.0.0.255        Wildcard mask

🔹 3. Configure NAT Overload

ip nat inside source list 1 interface g0/1 overload

Part                  Explanation
ip nat inside source  NAT for inside (private) devices going out
list 1                ACL 1 defines which private IPs are translated
interface g0/1        Uses the G0/1 public IP as the NAT outside address
overload              Enables PAT (Port Address Translation) → many PCs share 1 IP

In words: translate the source IP addresses that match ACL 1 to the IP address of interface G0/1.

🔹 4. Configure a Default Route (so Internet-bound traffic reaches the ISP)

ip route 0.0.0.0 0.0.0.0 200.0.0.2

🔹 5. Verify NAT Configuration

show ip nat translations
show ip nat statistics

💡 Testing NAT

  1. On PC5 and PC6, set:

    IP Address: 192.168.10.10 / 192.168.10.20
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.10.1
  2. Ping from PC5 or PC6 → 200.0.0.2
    ✅ Should succeed.

  3. On Router (R1), run:

    show ip nat translations

    You’ll see private IPs mapped to 200.0.0.1 (public IP).


🧠 Learning Summary

Concept             Description
NAT Function        Translates private IPs to public
PAT                 Many-to-one mapping (most used)
Inside Interface    Connected to LAN
Outside Interface   Connected to Internet
Verification        show ip nat translations

Why would we not translate some private IPs?

Scenario 1: Guest Network (Most Common)

A company has two networks:

  • Employees: 192.168.10.0/24
  • Guest Wi-Fi: 192.168.20.0/24

Only employees should access the Internet through the corporate router.

Employees (192.168.10.x) ----+
                             |
                             R1 ---- Internet
                             |
Guests (192.168.20.x) -------+

NAT ACL:

access-list 1 permit 192.168.10.0 0.0.0.255

Result:

  • ✅ Employees are translated.
  • ❌ Guests are not translated, so they cannot access the Internet through this NAT rule.

Scenario 2: Server Network

Suppose the company has:

192.168.10.0/24   Users
192.168.20.0/24   Servers

Users need Internet access.

Servers should only be accessed internally.

NAT:

access-list 1 permit 192.168.10.0 0.0.0.255

The servers remain private and are not translated because they don't need outbound Internet access.


Scenario 3: VPN Traffic (Very Common)

Imagine two offices.

Branch A                    Branch B
192.168.10.0                10.1.1.0
        \                     /
         \______ VPN _______/

Traffic going through the VPN should not be NATed.

If it were translated:

192.168.10.5
    ↓ NAT
200.0.0.1
    ↓
   VPN

Branch B expects traffic from 192.168.10.x, not 200.0.0.1, so the VPN communication would fail.

This is why administrators configure NAT exemption, allowing VPN traffic to bypass NAT while still translating Internet-bound traffic. 
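An added example (not from the original notes) that works through the three scenarios above in Python: Cisco wildcard-mask matching, a first-match NAT ACL whose implicit deny leaves guests and servers untranslated, and a deny entry that exempts VPN traffic. The ACL is written in extended form (source and destination), which the page's standard `access-list 1` does not have; that form, the ordering check and the sample hosts are assumptions.

```python
import ipaddress

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    i = int(ipaddress.IPv4Address(ip))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (i & ~w) == (n & ~w)

# Constructed NAT ACL modelled on the page's scenarios, in assumed extended form:
# (action, source network, source wildcard, destination network, destination wildcard).
# Entries are checked in order; the first match wins and an unmatched packet hits the
# implicit deny at the end, i.e. it is NOT translated.
NAT_ACL = [
    # Scenario 3: Branch A -> Branch B over the VPN is exempt from NAT
    ("deny",   "192.168.10.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    # Scenarios 1 and 2: employees/users are translated to any other destination
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    # Guests and servers (192.168.20.0/24) are never listed -> implicit deny
]

def should_translate(src: str, dst: str, acl=NAT_ACL) -> bool:
    """Return True when the router would NAT this packet under the given ACL."""
    for action, src_net, src_wc, dst_net, dst_wc in acl:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action == "permit"
    return False  # implicit deny: leave the packet untranslated

def decisions():
    """Worked cases from the three scenarios (sample hosts are constructed)."""
    return {
        "employee_to_internet": should_translate("192.168.10.5", "8.8.8.8"),
        "employee_to_vpn_peer": should_translate("192.168.10.5", "10.1.1.20"),
        "guest_to_internet":    should_translate("192.168.20.7", "8.8.8.8"),
    }

def misordered():
    """Same entries with the permit first: the VPN exemption never matches, so VPN traffic is NATed."""
    return should_translate("192.168.10.5", "10.1.1.20", acl=NAT_ACL[::-1])
```

The `misordered` case is the failure mode to check for: a NAT exemption only works if its deny line sits above the broader permit.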



🧪 Static NAT Lab – Basic Setup

🖧 Topology

PC1 ---- SW1 ---- R1 ---- (Public Network / ISP) ---- Server/PC2
         LAN                 Outside Network

📌 IP Addressing Plan

LAN (Inside)

  • PC1 → 192.168.10.10 /24
  • R1 G0/0 → 192.168.10.1

WAN (Outside)

  • R1 G0/1 → 200.0.0.1 /24
  • Server (Public) → 200.0.0.100 /24

🎯 Goal of Static NAT

We will map:

Inside Local (Private IP)  →  Inside Global (Static Public IP)
192.168.10.10              →  200.0.0.50

So external users access PC1 using 200.0.0.50.


⚙️ Configuration Steps (R1)

1. Configure Interfaces

enable
conf t

interface g0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
no shutdown

interface g0/1
ip address 200.0.0.1 255.255.255.0
ip nat outside
no shutdown

2. Configure Static NAT Mapping

ip nat inside source static 192.168.10.10 200.0.0.50

3. Verify NAT Table

show ip nat translations

Expected output:

Inside local     Inside global
192.168.10.10    200.0.0.50

4. Test Connectivity

From External PC (200.0.0.100):

ping 200.0.0.50

If the mapping is correct, the ping reaches PC1 (192.168.10.10).
