What are NAT and PAT, and why use them?
Network Address Translation (NAT) in its simplest form is a method of translating one IP address to another. For example, a public IP address is translated to a private IP address and vice versa. Without NAT, computers on private networks would be unable to reach any Internet resources, because private IP addresses are not routable on the Internet; hence the creation of NAT. Port Address Translation (PAT), on the other hand, uses a single outside public address and maps multiple inside addresses to it using different port numbers. Both are extremely common and useful for establishing Internet connectivity and for providing access from the Internet to systems on private networks.
In the network below there is a single router, one end-user computer, and two servers. We will be performing a total of three configurations: a NAT that lets inside computers access the Internet using a single public IP address, a static one-to-one NAT translating all traffic from 1.1.1.2 to 10.1.0.2, and a PAT translating 1.1.1.1:2323 to 10.1.0.3:23. These configurations will provide Internet connectivity and make remote services accessible from the Internet. However, it is important to understand that when a static one-to-one NAT is configured without any additional access list filtering traffic or ports, the inside device is effectively directly connected to the Internet on every port.
Steps to configure NAT and PAT
Step 1: Configure all applicable router interfaces. We are also going to assign a secondary IP address on FastEthernet0/0, which will be used later in one of the NAT configurations.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.2 255.255.255.248 secondary
R1(config-if)#ip address 1.1.1.1 255.255.255.248
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.1.10.1 255.255.255.0
Step 2: Configure each interface as either an outside or inside NAT interface.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip nat outside
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip nat inside
!
R1(config)#interface FastEthernet1/0
R1(config-if)#ip nat inside
Step 3: Configure a basic NAT so that inside computers can reach the Internet. This includes specifying a router interface as an overload interface, which allows many-to-one NAT translations, i.e. many computers sharing one public IP address.
R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
Step 4: Configure an access list to specify which networks are allowed to make use of the NAT. End the access list with a deny statement to ensure any traffic that is not matched is dropped.
R1(config)#access-list 1 permit 10.1.10.0 0.0.0.255
R1(config)#access-list 1 permit 10.1.0.0 0.0.0.255
R1(config)#access-list 1 deny any
Step 5: Configure a one-to-one NAT translating 1.1.1.2 to 10.1.0.2.
R1(config)#ip nat inside source static 10.1.0.2 1.1.1.2
Caution: when a static one-to-one NAT is configured without any additional access list filtering traffic or ports, the inside device is effectively directly connected to the Internet. If the device does not have a firewall, it is unprotected and vulnerable.
Step 6: Configure a PAT translating 1.1.1.1 port 2323 to 10.1.0.3 port 23.
R1(config)#ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
Verify the configuration
Now that the configuration is finished, let's verify remote connectivity. Using the ping command you can verify that the inside addresses will no longer respond from the outside. Use the telnet command to verify connectivity to Server2 and Server3. The Server3 device will only respond to telnet requests when using the defined port we are translating from the outside to the inside device.
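To make the verification result above concrete, here is an added Python model (not the tutorial's own code, and not Cisco IOS) of the three translations from steps 3 to 6; it uses the page's addresses, ports and access list, and assumes a simplified overload port-allocation rule so that inbound and outbound lookups can be traced by hand.

```python
# Constructed model of the three translations configured on R1 above (added
# example, not the tutorial's own). The overload port-allocation rule is a
# simplifying assumption, not a statement of IOS behaviour.
STATIC_NAT = {"1.1.1.2": "10.1.0.2"}  # ip nat inside source static 10.1.0.2 1.1.1.2
# ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
STATIC_PAT = {("1.1.1.1", "tcp", 2323): ("10.1.0.3", 23)}
OVERLOAD_IP = "1.1.1.1"  # FastEthernet0/0 primary address used by the overload NAT
# access-list 1: permit 10.1.10.0 0.0.0.255, permit 10.1.0.0 0.0.0.255, deny any
ACL1 = [("10.1.10.0", "0.0.0.255"), ("10.1.0.0", "0.0.0.255")]

def ip2int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def acl_permits(src_ip):
    """Standard-ACL match using Cisco wildcard masks (1 bits are don't-care)."""
    return any(((ip2int(src_ip) ^ ip2int(net)) & ~ip2int(wild) & 0xFFFFFFFF) == 0
               for net, wild in ACL1)

class Nat:
    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, proto) -> outside port

    def outbound(self, src_ip, src_port, proto="tcp"):
        """(outside_ip, outside_port) for an inside-originated packet, or None if dropped."""
        for out_ip, in_ip in STATIC_NAT.items():  # static entries take precedence
            if in_ip == src_ip:
                return (out_ip, src_port)
        if not acl_permits(src_ip):  # not matched by list 1: no translation
            return None
        key = (src_ip, src_port, proto)
        if key not in self.table:
            used = {p for (_, _, pr), p in self.table.items() if pr == proto}
            # keep the source port when free, otherwise take the next free one
            self.table[key] = src_port if src_port not in used else next(
                p for p in range(1024, 65536) if p not in used)
        return (OVERLOAD_IP, self.table[key])

    def inbound(self, dst_ip, dst_port, proto="tcp"):
        """Inside (ip, port) an Internet packet is delivered to, or None if it is dropped."""
        if dst_ip in STATIC_NAT:  # one-to-one NAT: every port passes straight through
            return (STATIC_NAT[dst_ip], dst_port)
        if (dst_ip, proto, dst_port) in STATIC_PAT:  # only the single published port
            return STATIC_PAT[(dst_ip, proto, dst_port)]
        for (in_ip, in_port, pr), out_port in self.table.items():
            if dst_ip == OVERLOAD_IP and pr == proto and out_port == dst_port:
                return (in_ip, in_port)  # reply to a session the inside host opened
        return None
```

Running the lookups shows why the caution in step 5 matters: any port sent to 1.1.1.2 lands on 10.1.0.2, while 1.1.1.1 only delivers TCP 2323 to Server3 or replies to sessions the inside hosts opened themselves.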