
NAT OVERLOAD

Introduction 1

NAT Overload is the most common NAT method used in networks that connect to the Internet, because of the way it functions and the limitations it overcomes; we'll explore all of these over the next two pages. Whether you use a router, a firewall appliance, Microsoft's Internet connection sharing or any 3rd-party program that lets all your home computers reach the Internet through one connection, you're using NAT Overload. This NAT mode is also known by other names, such as NAPT (Network Address Port Translation), IP Masquerading and NAT with PAT (Port Address Translation). The different names come from the way NAT Overload works, and you'll understand this by the time we're finished with the topic.

NOTE: You should be familiar with TCP and UDP communications and with how they use ports to identify the application a packet is destined for. This is important because NAT Overload relies on these ports to identify sessions between hosts.

What Exactly Does NAT Overload Do?

NAT Overload is a mix of Static and Dynamic NAT with one enhancement (PAT, Port Address Translation) that makes it work the way we need. By now you understand how Static and Dynamic NAT work, so we won't repeat the details. NAT Overload takes a static or dynamic IP address bound to the public interface of the gateway (a PC, router or firewall appliance) and allows all PCs within the private network to access the Internet. If you're wondering how this is possible with only one IP address, the answer lies in PAT. The diagram below shows how a single session is handled by a NAT Overload enabled device:

So we have a host on a private network with IP address 192.168.0.1, and it's sending a packet to the Internet, more specifically to 200.0.0.1, which we're assuming is a server. The destination port, 23, tells us it's trying to telnet to 200.0.0.1, since 23 is the default port telnet uses. As the packet passes through the router, the Source IP Address field is changed from 192.168.0.1 to 203.31.218.100, the router's public address. Notice, however, that the ports are not changed.

The reason the Source IP Address is changed is obvious: the router's public IP address must be placed in the Source IP Address field so the server we're telneting to knows where the request came from and can send its reply there. That makes sure the server's reply finds its way back to the router's public interface. From there, the router needs to know which host on the private network the reply belongs to. For this it uses the ports, and we'll look at that more closely very soon.

Some might think this example is pretty much the way a Static NAT router would behave, and if you're thinking just that, you're totally right! To see how a NAT Overload enabled router differs from Static NAT, we must add at least one more host to the private network, which we'll do right now. With two or more hosts on the private network, Static NAT would require the same number of public IP addresses, one for each private host, because Static NAT maps one public IP address to each private host. NAT Overload overcomes this limitation by using one public IP address for all private hosts and using the thousands of available ports to identify each private host's session.

Unleashing the True Power of NAT Overload

To cover the possibilities and questions that might come up, we're going to add another two private hosts to our internal network. We'll assume that:
1) The 2nd host in our private network is trying to telnet to the same server as the 1st host
2) The 3rd host in our private network is trying to telnet to a different server on the Internet
So let's see how our example network looks:

Host 1 and 2 are telneting to the same server (200.0.0.1); the only difference between the two packets as they leave the router is their Source Port numbers, and the router uses these to keep track of which packet belongs to which host.

Let's examine what happens when Host 1's reply arrives:

A packet arrives on our router's public interface and is accepted. The packet's details are examined and show that it came from IP address 200.0.0.1, port 23, with a destination of 203.31.218.100, port 3000. The router remembers that Host 1 and 2 just sent a packet to this IP address and now, to determine whom this response belongs to, it carefully examines the Destination Port. It focuses on the Destination Port because in any reply the Destination Port takes the value of the initial packet's Source Port. This means the packet is a reply to one sent previously to IP address 200.0.0.1 with Source Port 3000. The router refers to its NAT table, finds the matching entry for that initial packet, recognises that the reply is intended for Host 1 and forwards it to that host. The server to which Host 1 and 2 are telneting uses the same logic to distinguish between the two sessions. Because this can also be a bit difficult to imagine, I've included a diagram which shows the server receiving Host 1's initial packet and then sending a reply:

The example on this page is intended to show you the idea behind NAT Overload and how it works. We saw our little NAT Overload enabled router doing wonders with one single public IP address. If we wanted to use Static or Dynamic NAT in this same example, we would need 3 public IP addresses for our 3 private hosts, but thanks to NAT Overload we only need one.

NAT Overload Configuration for Cisco Router

Our Cisco Technical Knowledgebase contains detailed step-by-step instructions on how to set up NAT Overload on a Cisco router. Please refer to our NAT Overload Configuration for Cisco Routers article to read more on its configuration. The next page deals with a more detailed analysis of the packets as they traverse the router and looks at a few more interesting parts of NAT Overload.

Introduction 2

This page deals with the analysis of the packets that traverse a NAT Overload enabled device. We'll examine which fields of the packets are modified and how the NAT device, a router in our example, keeps track of them in its NAT Table. To keep things simple, we'll start with a few simple examples and then deal with more complicated ones; this should make the complex stuff easier to understand and digest. Time to grab something to drink or munch on, and prepare to download this information into your head!

How NAT Translations Take Place

When covering Dynamic and Static NAT, we saw that either the Source or the Destination IP address had to be modified by the NAT device. Whichever mode was used, the Source and Destination ports were never altered. NAT Overload, on the other hand, uses a single public IP address and changes, where necessary, the Source port of an outgoing packet and the Destination port of the matching incoming reply. In the next diagram we have two computers that have each sent a packet out to the Internet and are expecting a reply. We take a look at how the router deals with these packets individually and where the information required to identify the expected replies is stored:

You've got to agree that that's a very simple setup. To make life easy, I haven't included any additional information about the generated packets because we'll deal with them individually.

So it's time to take a look at how the router deals with this first packet which belongs to Workstation 1:

The packet Workstation 1 generated arrives at the router's private interface which has IP Address 192.168.0.1. The router accepts the packet and processes it. Once inside the router, the packet's Source IP Address, Destination IP Address, Source Port and Destination Port are examined and the router decides that this is a valid packet so it should be forwarded to the Internet. NAT is now about to take place (check NAT Table in the above diagram). The router will replace the Source IP Address (192.168.0.5) with its Public IP Address (200.0.0.1) and keep the rest of the information intact. Note that in most cases, the Source Port is not changed unless it has already been used by a previous packet from the private network but, since this is the first outgoing packet, this cannot be the case. Here's how the packet looked once it exited the router's public interface:

Time to check our second packet that will traverse the router, which is generated by Workstation 2 (the router has not yet received the reply to Workstation 1's packet). We're going to assume that Workstation 2 uses the same Source Port (2400) as Workstation 1's packet, so you can see how the router will react:

This packet is a very good example to show you how great NAT Overload is because the router will need to 'do' something to make sure it's able to successfully receive the reply. Let's look at what happens within the router as the packet arrives at its private interface:

As you can see, our second packet arrives at the router's private interface. It enters the router and, since the packet is valid (it's not corrupt and contains a valid Destination IP Address in its IP header), it's routed to the public interface, NAT is performed and a new entry is added to the router's NAT Table. Looking at the NAT entries, you will notice that the first and second packets have the same Source Port, 2400. Since the router has already used port 2400 as the Source Port for the first packet's translation and hasn't yet received a reply, it cannot use it again for the second packet. If it did, when a reply to either packet came back the router wouldn't be able to tell whose it was. For this reason, the router assigns a new Source Port to the second packet (14500), ensuring that the reply reaches the internal host for which it is intended:

Most NAT Overload enabled devices assign rewritten Source Ports from the high (ephemeral) range, roughly 1025 to 65500. Keep in mind that when one host sends a packet to another, the Source Port it used becomes the Destination Port of the reply. For example, if Host A sends a packet to Host B with a Source Port of 200, Host B's reply to Host A will carry a Destination Port of 200. This is how Host A knows it's a reply to the packet it sent. This is why the router must keep close track of Source Ports on outgoing packets and Destination Ports on incoming packets, and why a translation entry also records the outside host and port: an incoming packet that matches no entry has no inside host to go to and is dropped.
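The translation logic described over the last few paragraphs, written out as an added example (this is constructed for illustration and is not code from the page, from Cisco or from Firewall.cx). It follows the page's rule that one inside-global port identifies one inside session at a time; real devices such as Cisco IOS keep "extended" entries that also key on the outside peer, so they can reuse a public port towards different servers. The ephemeral port range, the Packet/Entry/PatGateway names and the destination addresses used in demo() are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed range from which the gateway hands out replacement source ports.
EPHEMERAL_START = 1025
EPHEMERAL_END = 65500


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    proto: str
    inside_local: Tuple[str, int]    # private host address and its original source port
    inside_global: Tuple[str, int]   # public address and the port the Internet sees
    outside: Tuple[str, int]         # the peer the session was opened to


class PatGateway:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (proto, inside-global port) -> Entry. One public port, one inside session
        # (the page's rule; Cisco's extended entries also key on the outside peer).
        self.table: Dict[Tuple[str, int], Entry] = {}
        self._next_port = EPHEMERAL_START

    def _find(self, pkt: Packet) -> Optional[Entry]:
        for entry in self.table.values():
            if (entry.proto == pkt.proto
                    and entry.inside_local == (pkt.src_ip, pkt.src_port)
                    and entry.outside == (pkt.dst_ip, pkt.dst_port)):
                return entry
        return None

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port if nothing else is using it ...
        if (proto, wanted) not in self.table:
            return wanted
        # ... otherwise hand out the next free port from the ephemeral range.
        for _ in range(EPHEMERAL_END - EPHEMERAL_START + 1):
            candidate = self._next_port
            self._next_port = candidate + 1 if candidate < EPHEMERAL_END else EPHEMERAL_START
            if (proto, candidate) not in self.table:
                return candidate
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; returns it as sent to the Internet."""
        entry = self._find(pkt)
        if entry is None:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            entry = Entry(pkt.proto, (pkt.src_ip, pkt.src_port),
                          (self.public_ip, port), (pkt.dst_ip, pkt.dst_port))
            self.table[(pkt.proto, port)] = entry
        return Packet(pkt.proto, self.public_ip, entry.inside_global[1], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the public interface; None means no entry matched (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        # The reply must come from the peer the entry was created for; anything else is
        # unsolicited (or spoofed) and has no inside host to go to.
        if entry is None or entry.outside != (pkt.src_ip, pkt.src_port):
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry.inside_local[0], entry.inside_local[1])


def demo():
    """The page's scenario: two workstations both using source port 2400 (destinations constructed)."""
    gw = PatGateway("200.0.0.1")
    ws1 = Packet("tcp", "192.168.0.5", 2400, "198.51.100.10", 80)
    ws2 = Packet("tcp", "192.168.0.6", 2400, "198.51.100.20", 80)
    out1 = gw.outbound(ws1)          # keeps port 2400
    out2 = gw.outbound(ws2)          # 2400 is taken, gets a port from the ephemeral range
    reply1 = Packet("tcp", "198.51.100.10", 80, "200.0.0.1", out1.src_port)
    reply2 = Packet("tcp", "198.51.100.20", 80, "200.0.0.1", out2.src_port)
    stray = Packet("tcp", "203.0.113.9", 80, "200.0.0.1", out1.src_port)   # wrong peer, same port
    return out1, out2, gw.inbound(reply1), gw.inbound(reply2), gw.inbound(stray)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running demo() shows Workstation 1 leaving as 200.0.0.1:2400 and Workstation 2 as 200.0.0.1:1025, each reply landing on the right inside host, and the packet from the wrong peer being discarded because no entry matches it.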

Final Notes

NAT Overload works no matter which type of IP address assignment you have. Whether it's a dynamic or static IP, via dial-up or a permanent connection, it makes no difference to the NAT device. You can now see how this particular NAT mode has helped preserve real (public) IP addresses: no matter how many internal hosts a private network has, it only requires one real IP address to allow all of them to access the Internet. You now have a good idea why NAT is such a popular topic, simply because it has made such a big difference in how networks connect to the Internet.

Configuring NAT Overload On A Cisco Router


Introduction

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams traverse the network. NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of TCP/UDP port translation.

The main purpose of NAT is to hide the (usually private) IP address of a client in order to conserve public address space. For example, a network of 100 hosts can use 100 private IP addresses and still appear to the outside world (the Internet) as a single IP address. NAT also makes internal hosts unreachable from outside unless a translation for them exists, which is often counted as a security benefit. Treat that as a side effect rather than a firewall: any inside host can still open connections outward, and inbound traffic that matches an existing translation is passed straight to the inside host, so a filtering policy is still required.

The following steps explain a basic Cisco router NAT Overload configuration. NAT Overload is the most common NAT mode in businesses around the world, as it enables the whole network to access the Internet using one single real IP address. If you would like to know more about NAT theory, be sure to read our NAT articles, which explain in depth the NAT functions and their applications in today's networks.

Example Scenario

The diagram below represents our example network, which consists of a number of internal clients and a router connected to our ISP via its serial interface. The company has been assigned the subnet 200.2.2.0/30 (255.255.255.252). This gives us one usable real IP address, 200.2.2.1, configured on our router's serial interface; IP address 200.2.2.2 is used at the other end, on the ISP's router. Our ISP has also provided the necessary default gateway IP address (configured on our router, not shown) so that all Internet-bound traffic is routed to it. Our goal in this example is to configure NAT Overload (PAT) and provide all internal workstations with Internet access using one public IP address (200.2.2.1).

Configure NAT Overload - PAT (Port Address Translation)

'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts concurrently. This is done by translating the source TCP/UDP ports in the packets and keeping track of them in the translation table held on the router (R1 in our case). This is a typical NAT configuration for almost all of today's networks.
In addition, NAT Overload (PAT) is covered in depth in the Firewall.cx NAT articles.

The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that these interfaces are defined for NAT Overload to function. Set the FastEthernet 0/0 interface as the inside interface:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

Next, set the serial interface S0/0 as the outside interface:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

We now need to create an Access Control List (ACL) that matches the local (private) hosts or network(s). This ACL is later referenced by the NAT command and so controls which hosts get translated, and therefore which hosts can reach the Internet. You can use a standard or an extended access list depending on your requirements; here we use an extended one:

R1(config)# access-list 100 remark == [Control NAT Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

The above command tells the router to translate traffic from the 192.168.0.0/24 network to any destination. Note that Cisco router standard and extended ACLs use wildcard masks (0.0.0.255), not subnet masks. Keep in mind that this ACL only selects traffic for translation; it is not a filter. A host outside 192.168.0.0/24 is simply not translated, and its packets leave with a private source address that the ISP will drop, while a matching host can reach any destination. Use interface ACLs or a firewall policy to restrict what inside hosts may reach.

All that's left is to enable NAT Overload and bind it to the outside interface selected earlier:

R1(config)# ip nat inside source list 100 interface serial 0/0 overload

From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network to access the Internet.

Verifying NAT Overload operation

Viewing the NAT translation table can reveal a lot of important information about your network's activity. Here you'll be able to identify traffic that's not supposed to be routed to the Internet or traffic that seems suspicious. As packets start traversing the router, it gradually builds up its NAT/PAT translation table, as shown below:

R1# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
udp 200.2.2.1:53427    192.168.0.6:53427   74.200.84.4:53      74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427   195.170.0.1:53      195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638   64.233.189.99:80    64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586   69.65.106.48:110    69.65.106.48:110

As shown, the first 2 translations, to 74.200.84.4 and 195.170.0.1, are DNS requests from internal host 192.168.0.6. Both keep inside global port 53427: with overload the entries are 'extended', i.e. keyed on the outside address and port as well, so the same public port can be in use towards two different outside hosts without ambiguity. The third entry is an HTTP request to a web server at 64.233.189.99. The fourth and fifth entries are POP3 requests to an external server, most likely generated by an email client. Because these entries are all dynamically created, they are temporary and are removed from the translation table after a timeout. Another point to keep in mind is that programs that open a lot of connections, e.g. uTorrent, LimeWire, etc., can cause sluggish performance as the router tries to keep up with all the translations. Thousands of connections running through the router can put serious stress on its CPU.
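The kind of review described above, as an added example that is not part of the original article: a small parser for the show ip nat translations output with three checks a security engineer would run over it, namely inside hosts that the NAT ACL should not be translating, destination ports the site does not expect, and hosts holding an unusual number of translations. The sample input embeds the five rows shown on the page plus two constructed rows that trigger the checks; the permitted range mirrors access-list 100, and the expected-port set and per-host ceiling are assumptions for an office network.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the rows printed on this page, plus two rows added here (the last two)
# to exercise the checks. They are not from the page.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local       Outside global
udp 200.2.2.1:53427    192.168.0.6:53427   74.200.84.4:53      74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427   195.170.0.1:53      195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638   64.233.189.99:80    64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586   69.65.106.48:110    69.65.106.48:110
tcp 200.2.2.1:40001    192.168.0.9:40001   198.51.100.77:6667  198.51.100.77:6667
tcp 200.2.2.1:40002    192.168.1.5:40002   198.51.100.20:80    198.51.100.20:80
"""

# Assumptions for this site: the range access-list 100 permits, the outbound destination
# ports an office network is expected to use, and a per-host ceiling for "too many sessions".
PERMITTED_INSIDE = ipaddress.ip_network("192.168.0.0/24")
EXPECTED_DST_PORTS = {53, 80, 110, 143, 443, 993, 995}
MAX_TRANSLATIONS_PER_HOST = 200


def _sock(field: str) -> Tuple[str, int]:
    """Split an 'ip:port' column into its parts."""
    ip, port = field.rsplit(":", 1)
    return ip, int(port)


def parse_translations(text: str) -> List[Dict]:
    """Parse 'show ip nat translations' rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": _sock(ig),
            "inside_local": _sock(il),
            "outside_local": _sock(ol),
            "outside_global": _sock(og),
        })
    return rows


def audit_translations(rows, permitted=PERMITTED_INSIDE, expected_ports=EXPECTED_DST_PORTS,
                       max_per_host=MAX_TRANSLATIONS_PER_HOST) -> List[str]:
    """Return one finding per translation (or host) that breaks the site's expectations."""
    findings = []
    per_host = Counter(r["inside_local"][0] for r in rows)
    for r in rows:
        host = r["inside_local"][0]
        peer_ip, peer_port = r["outside_global"]
        # A translated host outside the ACL's range means the NAT config or ACL has drifted.
        if ipaddress.ip_address(host) not in permitted:
            findings.append(f"{host}: inside host outside {permitted}; check the NAT ACL and interfaces")
        # Destination ports the site never uses are worth a look (ICMP ids are skipped).
        if r["proto"] in ("tcp", "udp") and peer_port not in expected_ports:
            findings.append(f"{host} -> {peer_ip}:{peer_port}/{r['proto']}: unexpected destination port")
    for host, n in per_host.items():
        if n > max_per_host:
            findings.append(f"{host}: {n} concurrent translations; possible P2P client or scanner")
    return findings


if __name__ == "__main__":
    for finding in audit_translations(parse_translations(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample above the five rows from the page pass cleanly, while the two constructed rows produce one finding each: a session to port 6667 that no expected-port entry covers, and a translation for 192.168.1.5, a host that access-list 100 should never have matched.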

In these cases we may need to clear the NAT table completely to free up resources. This is easily done with the following command:

R1# clear ip nat translation *

Be aware that this drops every active translation, so the established sessions of all internal hosts break and have to be re-established; do it in a maintenance window where you can. Assuming no new request has been sent right after the command was entered, the NAT translation table should be empty:

R1# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global

Lastly, you can obtain statistics on the NAT Overload service. This shows the number of translations currently tracked in the NAT table, plus a lot more:

R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 163134904  Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 100 interface serial 0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Article Summary

In this article we've covered the configuration of NAT Overload on Cisco routers. We also saw how you can control the NAT Overload service using ACLs and obtain detailed statistics on the NAT service. The configuration and commands presented here apply to Cisco IOS routers that support NAT.

