Notes 06‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki

Network Address Translation

What is NAT?

We’ve run out of public IPv4 addresses to assign!

  • So lots of networks use private addresses instead
  • 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

But private addresses are not routable on the Internet!

Network Address Translation (NAT)

NAT is a method of remapping one IP address space into another.

We do this by modifying network address information in IP packet headers while they are in transit across a router.

The general rule: Clients make outbound connections, so they can share public IPs.

A NAT router will track these translations to make sure reply packets go to the right place.

NAT can also provide some security!

  • Hosts using private IPs cannot typically be directly accessed from outside the network.

What is a NAT Router actually doing?

Based on what we know about networking, what functions must the NAT Router provide?

Rewrite Layer 3 header:

  • Source IP rewrite for outbound packets, e.g. 192.168.3.100 to 216.93.145.200
  • Destination IP rewrite for inbound packets, e.g. 216.93.145.200 to 192.168.3.100

And keep track of those translations in a table, so it knows how to send inbound packets back to the right client.

  • This may also require rewriting the Layer 4 headers
  • The TCP/UDP source port is often used to track translations (more on that later)

NAT and the OSI Model

Devices performing NAT:

  • Are in-between the sender and receiver
  • Will rewrite the layer 3 (and often layer 4) headers as a packet travels between the sender and receiver

IP Masquerading

In Cyber Labs, we use IP Masquerading for our NAT setup.

In IP masquerading, the private source IP address is changed into a public address, which becomes the "new" source address of the outgoing IP packet.

  • This enables communication through the router only when the conversation originates inside the masqueraded network.

Masquerading routers keep stateful translation tables of each conversation to "remember" the original source address when packets return during this conversation.

Unless new traffic refreshes their state, translation table entries are flushed after a defined period, to prevent port exhaustion and free up state table resources.

Types of NAT

Static NAT

Allows the network administrator to configure translation table entries for permanent use.

This feature is often referred to as port forwarding and allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network.

Simple to configure

Useful to allow access to a few servers, hosts, or applications

Does not scale well – as each entry has to be manually configured

Dynamic NAT

Maps an unregistered private IP address to a registered public IP address by selecting a public IP from a pool of registered IP addresses.

Dynamic NAT is used when PAT is not supported.

  • Some hardware and protocols don’t support PAT

Dynamic NAT has limitations:

  • The public pool is smaller than the number of private IPs
  • So the pool can get used up
  • Clients have to wait for a public IP
  • Also, it can still use many public IPs

Port Address Translation (PAT)

Port Address Translation (PAT) is a common implementation of IP Masquerading NAT.

  • It permits multiple devices on a local area network (LAN) to be mapped to a single public IP Address.

PAT devices use the Source TCP port number as a way to keep track of different sessions.

  • It's usually picked randomly anyway

Our table tracks the mapping between the original IP/port and the new IP/port.
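As an added example (not part of the course notes), a minimal PAT router in Python: it allocates a public source port per outbound conversation, maps replies back to the private host, drops unsolicited inbound packets (the security property noted earlier), and flushes idle entries. The public IP and private addresses come from the notes; the destination 93.184.216.34 and the 60-second idle timeout are constructed values.

```python
import random

class PATRouter:
    """Minimal PAT: many private hosts share one public IP, tracked per source port."""
    def __init__(self, public_ip="216.93.145.200", timeout=60, seed=None):
        self.public_ip = public_ip      # the router's single public address
        self.timeout = timeout          # idle seconds before an entry is flushed (constructed)
        # outbound key (priv_ip, priv_port, dst_ip, dst_port) -> allocated public port
        self.out_table = {}
        # inbound key (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)
        self.in_table = {}
        self.last_seen = {}             # public_port -> time of last matching packet
        self.free_ports = list(range(1024, 65536))
        random.Random(seed).shuffle(self.free_ports)  # source ports are picked randomly anyway

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite the L3/L4 source of a packet leaving the private network."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.out_table.get(key)
        if pub_port is None:                 # new conversation: allocate a public port
            pub_port = self.free_ports.pop()
            self.out_table[key] = pub_port
            self.in_table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        self.last_seen[pub_port] = now
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Rewrite the destination of a packet arriving at the public IP, or drop it."""
        entry = self.in_table.get((dst_port, src_ip, src_port))
        if entry is None:
            return None                      # no translation: unsolicited traffic is dropped
        self.last_seen[dst_port] = now
        return (src_ip, src_port) + entry    # (src_ip, src_port, priv_ip, priv_port)

    def expire(self, now):
        """Flush entries idle longer than the timeout; returns the freed public ports."""
        stale = [p for p, t in self.last_seen.items() if now - t > self.timeout]
        for pub_port in stale:
            for key, p in list(self.out_table.items()):
                if p == pub_port:
                    del self.out_table[key]
                    self.in_table.pop((pub_port,) + key[2:], None)
            del self.last_seen[pub_port]
            self.free_ports.append(pub_port)
        return stale

if __name__ == "__main__":
    r = PATRouter(seed=1)
    print(r.outbound("192.168.3.100", 50000, "93.184.216.34", 80, now=0))
```

Two private hosts using the same source port 50000 get distinct public ports, which is exactly what the translation table has to disambiguate.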

Configuring NAT in Cisco

Define the “inside” and “outside” interfaces

  • Typically inside is the interface connected to the Private Addresses
  • Outside is the interface connected to the Public address
  • Ex:

    #interface serial 0/0/0
    (config-if)#ip nat outside

Set NAT Rules

  • Static mappings
  • PAT/Dynamic pool assignments

Wildcard Subnet Masks

Another way to write a subnet mask:

Basically, switch the ones and zeroes

So:

  • 255.255.255.0 (11111111.11111111.11111111.00000000) becomes 0.0.0.255 (00000000.00000000.00000000.11111111)
  • 255.255.255.252 becomes 0.0.0.3
  • 255.255.240.0 becomes 0.0.15.255