NAT
NAT stands for Network Address Translation. It is a technique used in computer networking to allow devices in a private network to access resources on a public network, such as the Internet. NAT modifies the source IP addresses of outgoing packets and the destination IP addresses of incoming packets, allowing them to be properly routed between private and public networks.
NAT works by mapping private IP addresses to public IP addresses. When a device in the private network sends a packet to a device on the public network, the NAT device replaces the source IP address of the packet with its own public IP address. When a packet is sent from a device on the public network to a device in the private network, the NAT device replaces the destination IP address with the private IP address of the destination device.
NAT can be used to allow multiple devices in a private network to share a single public IP address. This is known as NAT overload or Port Address Translation (PAT). In this scenario, the NAT device keeps track of the source ports of outgoing packets and the destination ports of incoming packets, allowing multiple devices to use the same public IP address at the same time.
NAT can also be used to provide security by hiding the private IP addresses of devices in a network from the public network. This is known as NAT hiding or NAT firewalling. In this scenario, the NAT device only allows incoming packets that are in response to outgoing packets from devices on the private network. This prevents unsolicited incoming traffic from reaching devices in the private network.
SoodarOS implements the PNAT variant, which translates both the port and the address.
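The following is an added illustration of the NAT overload (PAT) and "NAT firewalling" behaviour described above; it is not SoodarOS code. It models one public address shared by an inside network: outgoing flows get a fresh public source port, and inbound packets are only admitted when they answer a recorded session. The class, method and address values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of NAT overload (PAT): every inside host shares one public
# address and flows are told apart by the translated source port.
# Added example, not SoodarOS code.


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """Stateful port-and-address translator for a single public IP (assumed model)."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        # in2out: inside 5-tuple -> allocated public source port
        self.sessions: Dict[Tuple, int] = {}
        # out2in: (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}

    def in2out(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the inside network."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt  # not an inside host: nothing to translate
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.sessions.get(key)
        if pub_port is None:
            # First packet of a flow: allocate a public port and record both
            # directions so that replies can be mapped back to the host.
            pub_port = self.next_port
            self.next_port += 1
            self.sessions[key] = pub_port
            self.reverse[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def out2in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from outside.

        Returns None (drop) unless the packet answers an existing session: this is
        the "NAT firewalling" effect, unsolicited inbound traffic never reaches an
        inside host.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def active_sessions(self) -> int:
        return len(self.sessions)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two inside hosts with the same source port talk to the same server."""
    nat = PatTranslator("85.20.1.1", "192.168.1.0/24")
    a = nat.in2out(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    b = nat.in2out(Packet("tcp", "192.168.1.11", 40000, "203.0.113.5", 443))
    reply_to_b = nat.out2in(Packet("tcp", "203.0.113.5", 443, "85.20.1.1", b.src_port))
    unsolicited = nat.out2in(Packet("tcp", "198.51.100.9", 12345, "85.20.1.1", 2000))
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two hosts collide on source port 40000, which is exactly the case a plain address-only translation cannot disambiguate; the allocated public ports 1024 and 1025 keep their flows apart, and the packet to port 2000 is dropped because no session created it.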
NAT Static Mapping
A static NAT mapping is a one-to-one mapping of a public IP address to a private IP address, allowing an internal host to be accessible from the public network with a public IP address. With a static NAT mapping, any incoming traffic destined for the public IP address is automatically forwarded to the corresponding private IP address.
Static NAT mappings can also be configured to translate specific TCP or UDP ports, allowing multiple internal hosts to share a single public IP address.
Address only NAT
In this mode only the address is translated to the given address. Depending on the flow direction (in2out or out2in), either the source or the destination of the packet is changed.
When a packet whose source matches the local address passes through an input interface, its source is replaced with the global address. When a packet whose destination matches the global address passes through an output interface, its destination is replaced with the local address.
- ip nat inside source static A.B.C.D A.B.C.D
Add a new static map entry to the NAT static table. The first IP is a local address, and the second is a global address.
Example :
soodar(config)# ip nat inside source static 192.168.1.10 85.20.1.1
soodar(config)# interface ge0
soodar(config-if)# ip nat inside
soodar(config)# interface ge1
soodar(config-if)# ip nat outside
This defines a static map entry that translates all ingress traffic on ge0 sourced from 192.168.1.10 so that its source becomes 85.20.1.1 (also known as Source NAT). Every packet arriving on ge1 that is destined to 85.20.1.1 is translated back, so that its destination becomes 192.168.1.10.
soodar(config)# ip nat inside source static 85.20.1.1 192.168.1.10
soodar(config)# interface ge0
soodar(config-if)# ip nat outside
soodar(config)# interface ge1
soodar(config-if)# ip nat inside
This defines a static map entry that translates all ingress traffic on ge0 destined to 192.168.1.10 so that its destination becomes 85.20.1.1 (also known as Destination NAT). Every packet arriving on ge1 that is sourced from 85.20.1.1 is translated back, so that its source becomes 192.168.1.10.
Protocol NAT
Sometimes we need to be more specific about our NAT and translate a specified protocol on a defined port. In that case the entry names the protocol and the desired ports. All other aspects of this entry (including its behavior) are the same as for address-only NAT.
- ip nat inside source static <tcp|udp> A.B.C.D (1-65535) A.B.C.D (1-65535)
Add a new static map entry to the NAT static table. The first IP is a local address, and the number following is its port. The second IP is a global address, and the number following is its port.
Example :
soodar(config)# ip nat inside source static tcp 192.168.1.10 444 85.20.1.1 666
soodar(config)# interface ge0
soodar(config-if)# ip nat inside
soodar(config)# interface ge1
soodar(config-if)# ip nat outside
This defines a static map entry that translates all ingress TCP traffic on ge0 sourced from 192.168.1.10:444 so that its source becomes 85.20.1.1:666 (also known as Source NAT). Every packet arriving on ge1 that is destined to 85.20.1.1:666 is translated back, so that its destination becomes 192.168.1.10:444.
soodar(config)# ip nat inside source static tcp 85.20.1.1 666 192.168.1.10 444
soodar(config)# interface ge0
soodar(config-if)# ip nat outside
soodar(config)# interface ge1
soodar(config-if)# ip nat inside
This defines a static map entry that translates all ingress TCP traffic on ge0 destined to 192.168.1.10:444 so that its destination becomes 85.20.1.1:666 (also known as Destination NAT). Every packet arriving on ge1 that is sourced from 85.20.1.1:666 is translated back, so that its source becomes 192.168.1.10:444.
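The address-only and protocol-specific static entries above, as an added worked model (not SoodarOS code). An entry is matched on its local side when the packet enters an inside interface and on its global side when it enters an outside interface; an entry with a protocol and ports only matches that protocol and port and rewrites the port as well. Packets that match no entry are dropped, unless the translator is built with the `ip nat forwarding` behaviour described later on this page, in which case they pass untranslated. The class and method names are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed model of the NAT static table. Added example, not SoodarOS code;
# the entries mirror the "ip nat inside source static" examples on this page.


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticEntry:
    """One 'ip nat inside source static' line; proto=None is an address-only entry."""
    local_ip: str
    global_ip: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def matches_local(self, pkt: Packet) -> bool:
        # Inside ingress: the packet's source is compared with the local side.
        if pkt.src_ip != self.local_ip:
            return False
        if self.proto is None:
            return True
        return pkt.proto == self.proto and pkt.src_port == self.local_port

    def matches_global(self, pkt: Packet) -> bool:
        # Outside ingress: the packet's destination is compared with the global side.
        if pkt.dst_ip != self.global_ip:
            return False
        if self.proto is None:
            return True
        return pkt.proto == self.proto and pkt.dst_port == self.global_port


class StaticNat:
    def __init__(self, entries: List[StaticEntry], forwarding: bool = False):
        self.entries = entries
        # forwarding=True models "ip nat forwarding": unmatched packets are
        # forwarded untranslated instead of being dropped.
        self.forwarding = forwarding

    def translate(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """ingress is 'inside' or 'outside'. Returns None when the packet is dropped."""
        if ingress == "inside":
            for e in self.entries:
                if e.matches_local(pkt):
                    port = pkt.src_port if e.proto is None else e.global_port
                    return replace(pkt, src_ip=e.global_ip, src_port=port)
        elif ingress == "outside":
            for e in self.entries:
                if e.matches_global(pkt):
                    port = pkt.dst_port if e.proto is None else e.local_port
                    return replace(pkt, dst_ip=e.local_ip, dst_port=port)
        else:
            raise ValueError("ingress must be 'inside' or 'outside'")
        return pkt if self.forwarding else None


if __name__ == "__main__":
    # Address-only entry, ge0 inside: source NAT for 192.168.1.10.
    nat = StaticNat([StaticEntry("192.168.1.10", "85.20.1.1")])
    print(nat.translate(Packet("tcp", "192.168.1.10", 5000, "203.0.113.5", 80), "inside"))
    print(nat.translate(Packet("tcp", "203.0.113.5", 80, "85.20.1.1", 5000), "outside"))
    # Protocol entry: only tcp/444 is translated, and the port becomes 666.
    pnat = StaticNat([StaticEntry("192.168.1.10", "85.20.1.1", "tcp", 444, 666)])
    print(pnat.translate(Packet("tcp", "192.168.1.10", 444, "203.0.113.5", 80), "inside"))
    print(pnat.translate(Packet("tcp", "192.168.1.10", 445, "203.0.113.5", 80), "inside"))
```

A practical check this model makes visible: with a protocol entry, traffic from the same host on any other port is not silently exposed; it simply has no translation and is dropped.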
Dynamic NAT
In dynamic NAT, the source of every packet that enters through an input interface and is destined to an output interface is translated to an IP address taken from an IP pool.
A new session is created for every source translation and its state is kept, so for packets arriving on an output interface that match a session, the destination is rewritten according to the session's information.
IP pool
An IP NAT (Network Address Translation) pool is a collection of public IP addresses to which private IP addresses can be mapped. When a private IP address needs to communicate with a device outside of its local network, NAT translates the private IP address to a public IP address from the pool, allowing the communication to take place.
A NAT pool contains a range of public IP addresses that are used for NAT translations. The router selects an IP address from the pool for each translation; the address is selected at random.
IP NAT pools are commonly used in network environments that use private IP addresses internally, such as those using RFC 1918 address space. They are also used in cases where multiple devices need to share a limited number of public IP addresses, such as in a small office or home network. By using an IP NAT pool, many devices can use a single public IP address to communicate with external networks.
- ip nat pool PNAT44 A.B.C.D [ A.B.C.D ] [type <normal|lb>]
Create a pool named PNAT44 containing an IP (or a range of IPs if the second IP is provided), or add the IP or range to that pool if it already exists. There are two types of pools: normal and load-balanced. The normal type is the default and provides a simple pool of IP addresses for NAT translations. The lb (load-balanced) type creates a pool of IP addresses that can be used for load balancing between multiple servers or hosts.
Example :
soodar(config)# ip nat pool p1 1.1.1.1
soodar(config)# ip nat pool p2 2.1.1.1 2.1.1.10
The first command creates the p1 NAT pool and adds the IP 1.1.1.1 to it; the second adds the range 2.1.1.1 to 2.1.1.10 to the p2 NAT pool.
Configuring dynamic NAT
- ip nat inside source list ACL4 pool PNAT44 [<match-in-vrf|vrf VRF>]
The ip nat inside source command is used to configure NAT to translate inside source IP addresses to public IP addresses from a NAT pool.
The list ACL4 part of the command specifies the access control list (ACL) to identify the inside source traffic to translate. The ACL should be configured to match the flows that need to be translated.
The PNAT44 specifies the NAT pool to use for the translation. This pool should have been previously created using the ip nat pool command.
The match-in-vrf or vrf VRF part is an optional parameter that lets you specify the VRF instance to match for the outgoing traffic after translation. If the match-in-vrf keyword is specified, the VRF of the inside interface is used. If the vrf VRF keyword is specified, the VRF given is used.
Configuring dynamic NAT using interface
- ip nat inside source list ACL4 interface IFNAME [<match-in-vrf|vrf VRF>]
The ip nat inside source command is used to configure NAT to translate inside source IP addresses to the first IP address of the specified interface.
The list ACL4 part of the command specifies the access control list (ACL) to identify the inside source traffic to translate. The ACL should be configured to match the flows that need to be translated.
The IFNAME specifies the interface whose IP address is used for the translation.
The match-in-vrf or vrf VRF part is an optional parameter that lets you specify the VRF instance to match for the outgoing traffic after translation. If the match-in-vrf keyword is specified, the VRF of the inside interface is used. If the vrf VRF keyword is specified, the VRF given is used.
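Here is an added model of the dynamic NAT described in this and the preceding two sections (Dynamic NAT, IP pool, and `ip nat inside source list ACL4 pool PNAT44`); it is not SoodarOS code. An ordered ACL decides which inside sources are translated, a normal-type pool hands out a global address at random, and one session per flow is kept so that return traffic is mapped back. The `Acl`, `NatPool` and `DynamicNat` names, the `seed` parameter and all addresses are assumptions of this example.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed model of "ip nat inside source list ACL4 pool PNAT44".
# Added example, not SoodarOS code.


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Acl:
    """Ordered permit/deny prefix list, first match wins, implicit deny at the end."""

    def __init__(self, rules: List[Tuple[str, str]]):
        self.rules = [(action, ipaddress.ip_network(prefix)) for action, prefix in rules]

    def permits(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for action, net in self.rules:
            if addr in net:
                return action == "permit"
        return False


class NatPool:
    """'ip nat pool NAME first [last]' of type normal: random address selection."""

    def __init__(self, first: str, last: Optional[str] = None, seed: Optional[int] = None):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last or first))
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.rng = random.Random(seed)  # seeded only so that runs are reproducible

    def pick(self) -> str:
        return self.rng.choice(self.addresses)


class DynamicNat:
    def __init__(self, acl: Acl, pool: NatPool):
        self.acl = acl
        self.pool = pool
        self.sessions: Dict[Tuple, str] = {}  # inside 5-tuple -> global ip
        self.reverse: Dict[Tuple, str] = {}   # (proto, global ip, port, remote ip, remote port) -> inside ip

    def in2out(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside-to-outside packet.

        Sources the ACL does not permit get no translation and are dropped (None),
        which is the default for untranslated packets on NAT-enabled interfaces.
        """
        if not self.acl.permits(pkt.src_ip):
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        global_ip = self.sessions.get(key)
        if global_ip is None:
            # New flow: pick a pool address and create the session state.
            global_ip = self.pool.pick()
            self.sessions[key] = global_ip
            self.reverse[(pkt.proto, global_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.src_ip
        # Simplification: the source port is preserved; a PNAT device may rewrite it too.
        return replace(pkt, src_ip=global_ip)

    def out2in(self, pkt: Packet) -> Optional[Packet]:
        """Map a returning packet to the inside host of its session, or drop it."""
        inside_ip = self.reverse.get((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside_ip is None:
            return None
        return replace(pkt, dst_ip=inside_ip)


if __name__ == "__main__":
    nat = DynamicNat(Acl([("permit", "192.168.1.0/24")]), NatPool("2.1.1.1", "2.1.1.10", seed=7))
    out = nat.in2out(Packet("tcp", "192.168.1.10", 5201, "198.51.100.7", 5201))
    print(out)
    print(nat.out2in(Packet("tcp", "198.51.100.7", 5201, out.src_ip, 5201)))
    print(nat.in2out(Packet("tcp", "10.0.0.5", 5201, "198.51.100.7", 5201)))  # denied by ACL
```

The ACL is the control point worth reviewing in a real configuration: anything it permits becomes reachable from outside for the lifetime of its session, so it should match only the prefixes that are meant to leave through the NAT.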
Load balancing with NAT
NAT load balancing is a technique that is used to distribute incoming traffic across multiple servers in a network. It is achieved by configuring a router to perform NAT with load balancing.
NAT load balancing works by assigning a public IP address to a group of private IP addresses on the network. When incoming traffic arrives at the router, the router examines the destination IP address and port number. It maps it to one of the private IP addresses in the pool using a round-robin algorithm. The router then performs NAT, replacing the destination IP address in the packet header with the selected private IP address, and forwards the packet to the appropriate server.
NAT load balancing can be used for various applications, such as web servers, email servers, and other applications that require high availability and scalability. It also allows traffic from external networks to access specific devices on your network that are hidden behind a NAT router.
- ip nat inside destination <tcp|udp> A.B.C.D (1-65535) pool PNAT44
The command is used to configure load balancing and destination translation for Network Address Translation (NAT). This command allows you to specify a protocol (TCP or UDP), a public IP address, a destination port number, and a pool of private servers’ IP addresses to which traffic should be forwarded.
The tcp|udp part of the command specifies whether the incoming traffic uses the TCP or the UDP protocol. The A.B.C.D part of the command is the public IP address to which the traffic is destined; it is the public IP address of the device on your network that you want to receive the traffic. The (1-65535) part of the command is the destination port number on which the traffic will be received.
The PNAT44 part is the name of the NAT pool to use for the destination translation. This pool of private IP addresses is used to forward traffic to the servers.
Example:
Let's say we have two web servers in our private network, with IP addresses 192.168.1.10 and 192.168.1.11, and we want to load-balance incoming HTTP traffic to them using the public IP address 203.0.113.10. We can configure NAT with load balancing using the following commands:
First, we’ll create a NAT pool with the IP addresses of our web servers:
soodar(config)# ip nat pool web-servers 192.168.1.10 192.168.1.11 type lb
Then, we’ll configure NAT to translate the destination IP address of incoming HTTP traffic to the IP address of one of our web servers:
soodar(config)# ip nat inside destination tcp 203.0.113.10 80 pool web-servers
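The two-server example above, as an added model of an lb-type pool used by `ip nat inside destination` (not SoodarOS code). New client flows to the public address and port are handed to the pool's servers in round-robin order, packets of an already-seen flow stay on the server that was chosen for them, and the servers' replies get the public address back as their source. The `LbPool` and `DestinationNatLb` names and the client addresses are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed model of "ip nat pool NAME A B type lb" consumed by
# "ip nat inside destination <tcp|udp> PUBLIC PORT pool NAME".
# Added example, not SoodarOS code.


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class LbPool:
    """Load-balanced pool: servers are handed out round-robin."""

    def __init__(self, servers: List[str]):
        if not servers:
            raise ValueError("lb pool needs at least one server")
        self.servers = servers
        self.index = 0

    def next_server(self) -> str:
        server = self.servers[self.index]
        self.index = (self.index + 1) % len(self.servers)
        return server


class DestinationNatLb:
    def __init__(self):
        # (proto, public ip, port) -> pool
        self.rules: Dict[Tuple[str, str, int], LbPool] = {}
        # client flow (proto, client ip, client port, public ip, port) -> chosen server
        self.sessions: Dict[Tuple, str] = {}
        # (proto, server ip, port, client ip, client port) -> public ip, for replies
        self.reverse: Dict[Tuple, str] = {}

    def add_rule(self, proto: str, public_ip: str, port: int, pool: LbPool) -> None:
        self.rules[(proto, public_ip, port)] = pool

    def out2in(self, pkt: Packet) -> Optional[Packet]:
        """Incoming client packet: pick (or reuse) a server and rewrite the destination."""
        pool = self.rules.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if pool is None:
            return None  # no rule for this public address/port: dropped
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        server = self.sessions.get(key)
        if server is None:
            server = pool.next_server()
            self.sessions[key] = server
            self.reverse[(pkt.proto, server, pkt.dst_port, pkt.src_ip, pkt.src_port)] = pkt.dst_ip
        return replace(pkt, dst_ip=server)

    def in2out(self, pkt: Packet) -> Optional[Packet]:
        """Server reply: restore the public address so the client sees one endpoint."""
        public_ip = self.reverse.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if public_ip is None:
            return None
        return replace(pkt, src_ip=public_ip)


if __name__ == "__main__":
    lb = DestinationNatLb()
    lb.add_rule("tcp", "203.0.113.10", 80, LbPool(["192.168.1.10", "192.168.1.11"]))
    for client in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        print(lb.out2in(Packet("tcp", client, 50000, "203.0.113.10", 80)))
    print(lb.in2out(Packet("tcp", "192.168.1.11", 80, "198.51.100.2", 50000)))
```

Flow stickiness matters for TCP: if the second packet of a connection were balanced to the other server, that server would have no matching socket and would reset it.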
Put interface behind NAT
- ip nat inside
Define an interface as a NAT inside interface.
- ip nat outside
Define an interface as a NAT outside interface.
NAT Forwarding
When a packet arrives at an inside or an outside interface, the data plane looks for a translation to use or create. If none is found, the packet is dropped. The administrator can change this behavior so that such packets are forwarded like normal packets on non-NAT-enabled interfaces instead of being dropped.
- ip nat forwarding
Enable NAT forwarding feature on device.
Clearing Translations
- clear ip nat translation inside A.B.C.D [outside A.B.C.D]
This command is used to clear Network Address Translation (NAT) translations for a specific inside IP address and, optionally, a specific outside IP address.
Example:
soodar# clear ip nat translation inside 192.168.1.100
This command will clear all NAT translations for the inside IP address 192.168.1.100. If there are any active NAT translations for this address, they will be removed, allowing new translations to be established.
soodar# clear ip nat translation inside 192.168.1.100 outside 203.0.113.10
This command will clear all NAT translations for traffic originating from inside IP address 192.168.1.100 and being translated to outside IP address 203.0.113.10.
- clear ip nat translation *
This command is used to clear all Network Address Translation (NAT) translations on the router.
- clear ip nat translation tcp inside A.B.C.D [(1-65535) outside A.B.C.D (1-65535)]
The clear ip nat translation command is used to clear Network Address Translation (NAT) translations. The tcp keyword indicates that only TCP translations will be cleared.
Example:
If we want to clear TCP NAT translations for an inside IP address of 192.168.1.10 on port 80, communicating with an outside IP address of 203.0.113.10 on any port, we would use the following command:
soodar# clear ip nat translation tcp inside 192.168.1.10 80 outside 203.0.113.10
- clear ip nat translation udp inside A.B.C.D [(1-65535) outside A.B.C.D (1-65535)]
The clear ip nat translation command is used to clear Network Address Translation (NAT) translations. The udp keyword indicates that only UDP translations will be cleared.
- clear ip nat translation icmp inside A.B.C.D [(1-65535) outside A.B.C.D (1-65535)]
The clear ip nat translation command is used to clear Network Address Translation (NAT) translations. The icmp keyword indicates that only ICMP translations will be cleared.
Debugging
Debugging logs can be enabled when needed.
- debug nat44 event
Log data plane installation processes and their results.
- show ip nat statistics
Show statistics about translations and the current NAT configuration.
soodar# show ip nat statistics
Total active translations: 4 (1 static, 3 dynamic)
Outside interfaces: ge1
Inside interfaces: ge0
NAT Forwarding: Disabled
- show ip nat translations
Show the current active translations.
soodar# show ip nat translations
Pro  Inside Local      Inside Global     Outside Local     Outside Global
---------------------------------------------------------------------------
---  1.1.1.10          200.2.3.3         ---               ---
ICMP 1.1.1.10:48       200.2.3.3:48      2.1.1.10:48       2.1.1.10:48
TCP  1.1.1.10:46122    200.2.3.3:46122   2.1.1.10:5201     2.1.1.10:5201
TCP  1.1.1.10:46120    200.2.3.3:46120   2.1.1.10:5201     2.1.1.10:5201
ICMP 1.1.1.10:45       200.2.3.3:63327   2.1.1.10:45       2.1.1.10:45
Total number of translations: 4
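For monitoring, the translation table is more useful as structured records than as text. The following added parser (not SoodarOS code) reads output in the format shown above into records, distinguishes address-only static entries (shown with `---` in the Pro column) from dynamic ones, and lists the translations whose inside port was rewritten, which is how a PNAT-allocated port shows up in the table. The sample text is constructed to match the output format above; the function and field names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format of "show ip nat translations".
# Added example, not SoodarOS output or code.
SAMPLE_OUTPUT = """\
Pro  Inside Local      Inside Global     Outside Local     Outside Global
---------------------------------------------------------------------------
---  1.1.1.10          200.2.3.3         ---               ---
ICMP 1.1.1.10:48       200.2.3.3:48      2.1.1.10:48       2.1.1.10:48
TCP  1.1.1.10:46122    200.2.3.3:46122   2.1.1.10:5201     2.1.1.10:5201
TCP  1.1.1.10:46120    200.2.3.3:46120   2.1.1.10:5201     2.1.1.10:5201
ICMP 1.1.1.10:45       200.2.3.3:63327   2.1.1.10:45       2.1.1.10:45
Total number of translations: 4
"""

# An endpoint column is either "---" or "a.b.c.d" optionally followed by ":port".
ENDPOINT_RE = re.compile(r"^(---|\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?)$")

Endpoint = Tuple[Optional[str], Optional[int]]  # (ip, port); (None, None) for "---"


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]        # None when the Pro column is "---"
    inside_local: Endpoint
    inside_global: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint

    @property
    def is_static(self) -> bool:
        # Address-only static entries carry no protocol and no outside side.
        return self.proto is None

    @property
    def port_rewritten(self) -> bool:
        # True when the inside port differs between local and global view.
        return self.inside_local[1] != self.inside_global[1]


def parse_endpoint(token: str) -> Endpoint:
    if token == "---":
        return (None, None)
    ip, _, port = token.partition(":")
    return (ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    """Parse the table body; header, separator and the total line are skipped."""
    rows: List[Translation] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not all(ENDPOINT_RE.match(p) for p in parts[1:]):
            continue
        proto = None if parts[0] == "---" else parts[0]
        rows.append(Translation(proto, *(parse_endpoint(p) for p in parts[1:])))
    return rows


def port_rewrites(rows: List[Translation]) -> List[Translation]:
    """Dynamic translations whose inside port was changed by the NAT device."""
    return [r for r in rows if not r.is_static and r.port_rewritten]


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(table)} rows, {sum(r.is_static for r in table)} static")
    for r in port_rewrites(table):
        print("port rewritten:", r)
```

Running the parser periodically and comparing successive snapshots gives a simple view of which inside hosts currently hold sessions to the outside, and which static entries are permanently reachable.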
Example configuration
soodar(config)# int ge0
soodar(config-if)# ip nat outside
soodar(config)# int ge2
soodar(config-if)# ip nat inside
soodar(config)# ip nat pool nat1 200.1.2.1