One of the first things you will have to configure on a new router is a service called NAT, or more precisely PAT if you have only one public IP address. This article explains what public and private addresses are, what the difference is between Network Address Translation and Port Address Translation, and how to deploy them.
Private and Public addresses
When talking about NAT and PAT, we have to be aware of the three address classes involved (especially the private address ranges) in order to assign addresses to our LAN hosts properly.
Private addresses are used on the LAN interface of the router and may be used by anyone. These addresses are called non-routable, because you will not be able to reach the outside world (the Internet) with them.
Public addresses are used on the WAN interface and are handed out by the Internet Service Provider. These addresses are fully routable, which means that you can reach every other host on the Internet with them.
NAT & PAT
To better understand these services I will be using the diagram below:
Before I go over NAT & PAT I need to explain the four kinds of addresses used in the IP NAT world; knowing them is crucial when dealing with address translation.
INSIDE LOCAL – our private IP address, which is translated to our public IP address (Outside Local)
INSIDE GLOBAL – the remote private IP address, which is translated to the remote public IP address (Outside Global)
OUTSIDE GLOBAL – the destination's remote public IP address
OUTSIDE LOCAL – our public IP address
OK, now that we are armed with the knowledge of what private and public addresses are and their nomenclature regarding NAT and PAT, let's go over the core.
Network Address Translation – NAT
Network Address Translation – a service which translates:
STATIC NAT – ONE private address to ONE public address
DYNAMIC NAT – MANY private addresses to MANY public addresses.
Static NAT ONE to ONE
command syntax:
(config)# ip nat inside source static <private-ip-address> <public-ip-address>
enables translation of the Inside Local address to the Global Local address
(config-if)#ip nat inside
LAN interface
(config-if)#ip nat outside
WAN interface
Dynamic NAT MANY to MANY
command syntax:
(config)# ip nat pool <pool-name> <start-ip-range> <end-ip-range> netmask <subnet-mask> | prefix-length <prefix-length>
defines a pool of Inside Global addresses to use for dynamic translation
(config)# access-list <access-list-number> permit <source> <wildcard-mask>
defines a standard ACL specifying which private network is allowed to be translated
(config)# ip nat inside source list <access-list-number> pool <pool-name>
enables translation of the Inside Local addresses matched by <access-list-number> into the Inside Global addresses in <pool-name>
(config-if)#ip nat inside
LAN interface
(config-if)#ip nat outside
WAN interface
The IP NAT table looks like this; as you can see, I used all three addresses given to us by the ISP in order to provide communication with the outside world. Notice that the ports are also translated 1:1.
Port Address Translation – PAT
Port Address Translation – a service which only translates dynamically, using IP address + port number (socket)
Dynamic PAT – MANY private addresses to ONE public address
Dynamic PAT – MANY private addresses to MANY public addresses (NAT + overloading)
In the case of PAT the IP NAT table looks like this; as you can see, I used only one IP address from the pool of addresses given to us by the ISP.
Dynamic PAT MANY to ONE
(config)# access-list <access-list-number> permit <source> <wildcard-mask>
defines a standard ACL specifying which private network is allowed to be translated
(config)# ip nat inside source list <access-list-number> interface <interface> overload
enables translation of the Inside Local addresses to the IP address of the specified interface – overload enables PAT
(config-if)#ip nat inside
LAN interface
(config-if)#ip nat outside
WAN interface
Dynamic PAT MANY to MANY
(config)# ip nat pool <pool-name> <start-ip-range> <end-ip-range> netmask <subnet-mask> | prefix-length <prefix-length>
defines a pool of Inside Global addresses to use for dynamic translation
(config)# access-list <access-list-number> permit <source> <wildcard-mask>
defines a standard ACL specifying which private network is allowed to be translated
(config)# ip nat inside source list <access-list-number> pool <pool-name> overload
enables translation of the Inside Local addresses to the Inside Global addresses in the IP pool – overload enables PAT
(config-if)#ip nat inside
LAN interface
(config-if)#ip nat outside
WAN interface
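As an added example (not from the original article), here is the complete MANY to ONE PAT deployment from the section above as it would sit in a full router configuration, with the interface roles, default route and ACL scoping that the command templates leave out. The interface names, the LAN subnet 192.168.10.0/24 and the ISP-assigned addresses 203.0.113.0/30 are assumed values.

```cisco
! Added example, not from the original article. Assumed addressing:
! LAN 192.168.10.0/24 on Gi0/0, ISP handoff 203.0.113.2/30 on Gi0/1, ISP gateway 203.0.113.1
hostname EDGE
!
interface GigabitEthernet0/0
 description LAN - Inside
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 description WAN - Outside (ISP handoff)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
!
! Default route toward the ISP next hop, so translated packets have somewhere to go
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Standard ACL naming only the LAN subnet as eligible for translation.
! Keep it this narrow: a "permit any" would also translate traffic with sources
! that do not belong on the inside interface.
access-list 10 permit 192.168.10.0 0.0.0.255
!
! MANY to ONE: overload multiplexes every LAN host onto the Gi0/1 address,
! distinguishing sessions by (address, port) socket instead of by address alone
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
end
```

After a host on the LAN opens a connection, `show ip nat translations` lists the Inside Local socket beside the Inside Global socket, and `show ip nat statistics` confirms which interfaces are marked inside and outside and how many translations are active.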