🌐 NAT (Network Address Translation)
🧠 Top 6 Key Points
- Translates Private IPs to Public IPs: NAT converts internal (private) IP addresses into one or more public IPs so that devices inside a LAN can reach the Internet.
- Conserves Public IP Addresses: NAT lets many internal hosts share one public IP, saving global address space.
- Improves Security: Internal IPs remain hidden from the outside world, reducing attack exposure (address hiding is a side effect of translation, not a replacement for a firewall policy).
- Types of NAT:
  - Static NAT: One-to-one mapping (internal ↔ public), e.g. for a server.
  - Dynamic NAT: Many-to-many mapping (pool of public IPs).
  - PAT (NAT Overload): Many-to-one mapping (most common).
- Configured on Routers: NAT runs on routers at the boundary between private and public networks, translating IPs for outbound/inbound traffic.

| NAT Type | Used Today | Common Use |
|---|---|---|
| Static NAT | ✅ Yes (limited use) | Publishing internal servers with a dedicated public IP |
| Dynamic NAT | ⚠️ Rarely | Legacy environments or when a pool of public IPs is available |
| PAT (NAT Overload) | ✅ Very common | Internet access for users |

💬 Teaching Tip
“NAT is like a receptionist — many employees (private IPs) talk to outsiders (public IPs) through one phone number (public IP), but the receptionist knows who’s who internally.”
Internet
Web Server
Public IP: 8.8.8.8
|
-------------------
|
Router (NAT)
G0/0: 192.168.1.1
G0/1: 200.1.1.1 (Public)
|
-------------------
|
PC1
192.168.1.10
Suppose:
- PC1 = 192.168.1.10 (Inside Local)
- Router Public IP = 200.1.1.1 (Inside Global)
- Google Server = 8.8.8.8 (Outside Global & Outside Local)
- INSIDE = Your network
- OUTSIDE = Internet
- LOCAL = Before NAT
- GLOBAL = After NAT

| Term | Meaning |
|---|---|
| Inside Local | Private IP of an inside host (before NAT) |
| Inside Global | Public IP representing the inside host (after NAT) |
| Outside Global | Actual public IP of the outside host |
| Outside Local | Same as Outside Global (no translation is applied to outside addresses in this example) |
192.168.0.128:54805
│ │
│ └── Source or destination port
└───────────────── IP address
- 192.168.0.128 is the device's private IP address.
- 54805 is an ephemeral (dynamic) source port chosen by the operating system for a particular connection.
How Does the Router Know Which Private Host to Send It To?
The router does not guess. It keeps a NAT translation table.
Example:
| Inside Local | Inside Global |
|---|---|
| 192.168.10.10 | 200.1.1.1 |
| 192.168.10.20 | 200.1.1.1 |
On its own, this table cannot tell the two hosts' replies apart, because both map to the same public address. With PAT, the port numbers make each session unique:
| Inside Local | Inside Global |
|---|---|
| 192.168.10.10:50000 | 200.1.1.1:30001 |
| 192.168.10.20:50001 | 200.1.1.1:30002 |
When replies arrive, the router looks up the destination port and rewrites the packet back to the inside host:
- 200.1.1.1:30001 → 192.168.10.10:50000
- 200.1.1.1:30002 → 192.168.10.20:50001
This is how many devices can share one public IP address.
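The lookup described above, written out as an added example (not code from the original post): a minimal PAT translation table that allocates a public port per outbound session and maps replies back by that port. The addresses are the post's; the public port pool starting at 30001 and the DNS destination are constructed for the example.

```python
"""Added example: a minimal PAT (NAT Overload) translation table.
Inside hosts share one public IP; replies are demultiplexed by port."""
from dataclasses import dataclass, field

PUBLIC_IP = "200.1.1.1"      # inside global address (router's public side)
FIRST_PUBLIC_PORT = 30001    # assumed start of the router's port pool


@dataclass
class PatTable:
    public_ip: str = PUBLIC_IP
    next_port: int = FIRST_PUBLIC_PORT
    # (src ip, src port, dst ip, dst port) -> public port used for that session
    outbound: dict = field(default_factory=dict)
    # public port -> (inside local ip, inside local port)
    inbound: dict = field(default_factory=dict)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return (inside global ip, port) written into the outgoing packet.
        A packet of an existing session reuses its entry; a new session
        gets the next free public port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Map a reply sent to the public IP back to (inside ip, inside port).
        A port with no entry means no inside host opened that session, so
        the router has nowhere to deliver it and drops it (None)."""
        if dst_ip != self.public_ip:
            return None
        return self.inbound.get(dst_port)


def demo():
    """Two inside hosts share 200.1.1.1; the port tells their replies apart."""
    nat = PatTable()
    host1 = nat.translate_outbound("192.168.10.10", 50000, "8.8.8.8", 53)
    host2 = nat.translate_outbound("192.168.10.20", 50001, "8.8.8.8", 53)
    return {
        "host1": host1,                                          # ('200.1.1.1', 30001)
        "host2": host2,                                          # ('200.1.1.1', 30002)
        "reply1": nat.translate_inbound("200.1.1.1", 30001),     # back to host 1
        "reply2": nat.translate_inbound("200.1.1.1", 30002),     # back to host 2
        "unsolicited": nat.translate_inbound("200.1.1.1", 30999),  # None: dropped
    }
```

The `unsolicited` case is the defensive side of PAT: an outside host cannot reach an inside host that never opened a session, because no table entry exists for it.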
⚙️ Technical Summary
| Feature | Description |
|---|---|
| OSI Layer | Network Layer (Layer 3) |
| Main Function | Translate IP addresses |
| Types | Static, Dynamic, PAT |
| Common Command | ip nat inside / ip nat outside |
| Use Case | LAN-to-Internet communication |
🧰 Packet Tracer Lab – NAT Configuration
🎯 Goal:
Use PAT / (NAT Overload) to allow multiple internal hosts to share one public IP for Internet access.
🖥️ Network Topology
IP Plan
| Device | Interface | IP Address | Description |
|---|---|---|---|
| Router (R1) | G0/0 | 192.168.10.1 | Inside (LAN) |
| Router (R1) | G0/1 | 200.0.0.1 | Outside (Public) |
| PC5 | NIC | 192.168.10.10 | Inside Host |
| PC6 | NIC | 192.168.10.20 | Inside Host |
| ISP Router | G0/0 | 200.0.0.2 | Public (Next Hop) |
🪜 Step-by-Step Configuration
🔹 1. Configure Router Interfaces
🔹 2. Create an access list that tells the router which addresses should be translated
🔹 3. Configure NAT Overload
🔹 4. Configure a default route toward the ISP so Internet-bound traffic is forwarded
🔹 5. Verify NAT Configuration
💡 Testing NAT
- On PC5 and PC6, set the IP addresses from the IP plan above, with 192.168.10.1 (R1 G0/0) as the default gateway.
- Ping from PC5 or PC6 → 200.0.0.2
  ✅ Should succeed.
- On Router (R1), run show ip nat translations.
  You'll see the private IPs mapped to 200.0.0.1 (the public IP).
🧠 Learning Summary
| Concept | Description |
|---|---|
| NAT Function | Translates private IPs to public |
| PAT | Many-to-one mapping (most used) |
| Inside Interface | Connected to LAN |
| Outside Interface | Connected to Internet |
| Verification | show ip nat translations |
Why would we not translate some private IPs?
Scenario 1: Guest Network (Most Common)
A company has two networks:
- Employees: 192.168.10.0/24
- Guest Wi-Fi: 192.168.20.0/24
Only employees should access the Internet through the corporate router.
Employees (192.168.10.x) ----+
|
R1 ---- Internet
|
Guests (192.168.20.x) -------+
NAT ACL:
access-list 1 permit 192.168.10.0 0.0.0.255
Result:
- ✅ Employees are translated.
- ❌ Guests are not translated, so they cannot access the Internet through this NAT rule.
Scenario 2: Server Network
Suppose the company has:
- 192.168.10.0/24 Users
- 192.168.20.0/24 Servers
Users need Internet access. Servers should only be accessed internally.
NAT ACL:
access-list 1 permit 192.168.10.0 0.0.0.255
The servers remain private and are not translated because they don't need outbound Internet access.
Scenario 3: VPN Traffic (Very Common)
Imagine two offices.
Branch A Branch B
192.168.10.0 10.1.1.0
\ /
\_____ VPN _____/
Traffic going through the VPN should not be NATed.
If it were translated:
192.168.10.5
↓ NAT
200.0.0.1
↓
VPN
Branch B expects traffic from 192.168.10.x, not 200.0.0.1, so the VPN communication would fail.
This is why administrators configure NAT exemption, allowing VPN traffic to bypass NAT while still translating Internet-bound traffic.
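The three scenarios above come down to one decision per packet: does the NAT ACL permit the source, and is the traffic VPN-bound? The following is an added example (not code from the original post) that implements the wildcard-mask match behind `access-list 1 permit 192.168.10.0 0.0.0.255` and applies it to the scenarios. The Branch B prefix length (/24) and the list-based VPN exemption are assumptions; on real IOS the exemption is usually expressed as a deny line for the VPN destinations in an extended ACL ahead of the permit.

```python
"""Added example: which inside addresses a NAT rule applies to.
A standard ACL entry is matched with a wildcard mask: a 0 bit must equal
the network, a 1 bit is ignored. The VPN exemption is modelled as a list
of remote subnets that bypass NAT (an assumption of this example)."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is equal in addr and network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # 1 = compare this bit, 0 = ignore it
    return (a & care) == (n & care)


# ACL 1 from the post: users/employees are translated, guests/servers are not.
ACL_1 = [("permit", "192.168.10.0", "0.0.0.255")]
# Scenario 3: Branch B network reached through the VPN (/24 assumed here).
VPN_REMOTE = [ipaddress.ip_network("10.1.1.0/24")]


def acl_permits(acl, addr: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False


def nat_decision(src: str, dst: str, acl=ACL_1, vpn=VPN_REMOTE) -> str:
    """'exempt' for VPN-bound traffic, 'translate' when the ACL permits the
    source, otherwise 'no-nat': the host keeps its private address, which
    is not routable on the Internet, so it gets no Internet access."""
    if any(ipaddress.ip_address(dst) in net for net in vpn):
        return "exempt"
    return "translate" if acl_permits(acl, src) else "no-nat"
```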
🧪 Static NAT Lab – Basic Setup
🖧 Topology
PC1 ---- SW1 ---- R1 ---- (Public Network / ISP) ---- Server/PC2
LAN Outside Network
📌 IP Addressing Plan
LAN (Inside)
- PC1 → 192.168.10.10 /24
- R1 G0/0 → 192.168.10.1
WAN (Outside)
- R1 G0/1 → 200.0.0.1 /24
- Server (Public) → 200.0.0.100 /24
🎯 Goal of Static NAT
We will map:
Inside Local (Private IP) → Inside Global (Static Public IP)
192.168.10.10 → 200.0.0.50
So external users access PC1 using 200.0.0.50.
⚙️ Configuration Steps (R1)
1. Configure Interfaces
enable
conf t
interface g0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
no shutdown
interface g0/1
ip address 200.0.0.1 255.255.255.0
ip nat outside
no shutdown
2. Configure Static NAT Mapping
ip nat inside source static 192.168.10.10 200.0.0.50
3. Verify NAT Table
show ip nat translations
Expected output:
Inside local Inside global
192.168.10.10 200.0.0.50
4. Test Connectivity
From the external PC (200.0.0.100):
ping 200.0.0.50
If the mapping is correct, R1 translates the destination 200.0.0.50 to 192.168.10.10 and the ping reaches PC1. Because a static mapping is permanent and works in both directions, PC1 is reachable from the outside on every port of 200.0.0.50 unless an ACL on the outside interface restricts it.