Network Address Translation

  • CSEPracticals : Only C/C++Projects Development

Understanding NAT ( Network Address Translation )

In this Blog, we will study Network Address Translation and its concepts.

NAT is classified into 4 broad categories listed below, which we will cover in this blog.

  1. Static NAT

  2. Dynamic NAT

  3. Static PAT

  4. Dynamic PAT

  5. Twice NAT

LAB Setup

You can set up the lab on GNS3, EVE-NG, CML ( Cisco Modelling Labs ) or any public cloud - Azure/AWS/GCP etc.

GNS3/EVE-NG - Free, but high-end machines are required ( 16GB at least for moderate/basic labs ).

CML - Free, but you need to reserve the lab before use, and you can use a maximum of four hours per reservation. You can reserve again when your 4-hour slot expires. You need not install anything on your local machine; the lab is accessible remotely over an internet connection.

I will show you the Demonstration on GNS3 in this blog, but you can spin your lab on whatever tool/platform you are comfortable with.

LAB Diagram

The Diagram below shows the Lab diagram we will use to implement NAT.

The Topology is divided into three parts:

First Part - The XYZ corporation network, which is enclosed inside the blue dotted-line box. The XYZ corporation could be any big company, educational institute campus, financial institution or any entity that owns its own network of hundreds of computers and devices. The XYZ corporation consists of an FTP-Server and a Web-Server WS-1.

Second Part - The second part of the topology is a single standalone device called ASAv Firewall. This is a security appliance that most organizations prefer to install at the boundary of their private network to protect it from unregulated or unauthorised access from the open internet.

Third part - The third part of the topology represents the open, insecure internet (the grey portion). Since the real internet has millions of machines on it, we represent it with a single router named ISP. Some users are connected to the open internet; they are represented by the public hosts PUB-H1 and PUB-H2 and the external public web-server WS-2.

Devices Used in LAB

Firewall / NAT device - Cisco ASAv Firewall ( any version you can use from the internet )

The rest of the nodes in the topology are nothing but Cisco c7200 routers. I use the same c7200 device to represent the Web-Server ( WS-1, WS-2), FTP-Server or end-hosts ( H1, R2 ) etc. But in reality, these are different types of devices connected all over the intranet or internet depending on their use. For the NAT Demo and keeping the topology simple, I represent every other device in the topology using c7200 routers only.

Switches - These Switches are GNS3 inbuilt switches.

Hubs - These devices are provided by the GNS3 GUI itself and are used to model the wiring of the topology effectively. You may omit the hubs entirely, but the topology would then look untidy.

Base Configuration

Let’s discuss the base configuration to be done on all devices of this LAB. We have to do this config only once; it works for all our exercises.

Cisco ASAv Configuration

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
same-security-traffic permit inter-interface
route outside 0.0.0.0 0.0.0.0 100.0.0.2 1

ISP Configuration

The purpose of the ISP router is to route traffic between networks. For example, PUB-H1 is a public host and it should be able to ping any other public host ( PUB-H2 or WS-2 ). Since all networks shown in the LAB diagram are directly connected to ISP, the ISP router can route traffic between all directly connected subnets without any explicit route installation. All we need to do is configure IP addresses on its interfaces.

interface GigabitEthernet0/0
 ip address 100.0.0.2 255.255.255.0
interface GigabitEthernet1/0
 ip address 128.0.0.2 255.255.255.0
interface GigabitEthernet2/0
 ip address 129.0.0.2 255.255.255.0
interface GigabitEthernet3/0
 ip address 130.0.0.2 255.255.255.0

ISP#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0     100.0.0.2       YES NVRAM  up                    up
GigabitEthernet1/0     128.0.0.2       YES NVRAM  up                    up
GigabitEthernet2/0     129.0.0.2       YES NVRAM  up                    up
GigabitEthernet3/0     130.0.0.2       YES NVRAM  up                    up
GigabitEthernet4/0     unassigned      YES NVRAM  administratively down down

End-Host Machines/Servers

All end-host machines need an IP address on their interface and a default route that points to their respective gateway device, which is capable of routing.

PUB-H1 :

interface GigabitEthernet0/0
 ip address 128.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 128.0.0.2

PUB-H2 :

interface GigabitEthernet0/0
 ip address 129.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 129.0.0.2

WS-2 :

interface GigabitEthernet0/0
 ip address 130.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 130.0.0.2

FTP-Server :

interface GigabitEthernet0/0
 ip address 10.0.0.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1

WS-1 :

interface GigabitEthernet0/0
 ip address 10.0.0.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Verify the Configuration

After this point, all public hosts (H1, H2 and WS-2) must be able to ping all the other public hosts. All private hosts ( FTP-Server and WS-1 ) should be able to ping each other. Private hosts cannot ping public hosts and vice-versa. Give it a try.

So this is the base configuration LAB Setup.


Static NAT

Static NAT is used when an organisation wants to give the public access to its internal resources. For example, Google provides access to its DNS servers to the general public all over the world. Google’s DNS servers are running somewhere in Google’s private network, yet any public machine can use them for domain name resolution.

Consider the same LAB as below :

Let's say in this Example, the Internal Host WS-1 represents the WebServer that hosts the Organisation's website, to be accessible by the public.

Let's say the Organisation is XYZ Corporation for example.

The organisation assigns a private address to the web server WS-1: 10.0.0.10

XYZ announces to the rest of the world ( the DNS system ) that its web server WS-1 is reachable at the public address 100.0.0.10

So, the rest of the world ( a.k.a. H1/H2/WS-2 ) uses the address 100.0.0.10 to reach XYZ's web server WS-1

The internet will route all traffic with destination address = 100.0.0.10 to XYZ’s gateway device - the NAT device ASAv

Configuration

on NAT-device :

Step 1 : Create a network object that represents the XYZ web-server

ciscoasa# config terminal
ciscoasa(config)# object network web-server
ciscoasa(config-network-object)# host 10.0.0.10

Step 2 : Configure a NAT rule to translate the source IP address 10.0.0.10 to 100.0.0.10 for all traffic from the inside network to the outside network

ciscoasa(config-network-object)# nat (inside,outside) static 100.0.0.10

that’s it.

With the above configuration, we would accomplish the following :

  • The NAT device converts the destination address in the packet from 100.0.0.10 to 10.0.0.10 ( Untranslation )

  • All the reply traffic generated by WS-1 will have its source address translated from 10.0.0.10 --> 100.0.0.10 ( Translation )

Verification

Ping the internal host WS-1 from the external host PUB-H1. This is similar to somebody on the public internet trying to access XYZ’s private web server.

On H1, issue ping 100.0.0.10 repeat 1. It should succeed. It will send exactly 1 ICMP echo request packet. The default is 5 if we omit repeat.

Use the show xlate command to see the IP address translations performed by the device.

Packet Capture

Let us see the source and destination IP addresses in all four packets as below :

ICMP Echo Request from PUB-H1 to NAT-device

The ICMP echo packet generated by H1 has the source and destination IP addresses shown in the packet capture. The source address is set to 128.0.0.1, the public IP address of H1, and the destination address is whatever was specified in ping, i.e. 100.0.0.10

ICMP echo request (forwarded) from NAT-device to WS-1

The NAT device intercepts the echo request and changes the destination address from 100.0.0.10 to 10.0.0.10 as per the NAT rule. This is called Untranslation because the mapped address is being converted to the real address - the opposite of what our NAT rule dictates.

ICMP echo reply from WS-1 to NAT-device

Just swap the source and destination addresses of the ICMP echo request packet that was received by WS-1

ICMP echo reply (forwarded) from NAT-device to PUB-H1

The NAT device intercepts the echo reply and changes the source address from 10.0.0.10 to 100.0.0.10 as per the NAT rule. This is called translation because the real address is being converted to the mapped address - exactly what our NAT rule dictates.

So, STATIC NAT works in both directions. An administrator writes a static NAT rule with the translation of internal private addresses to public addresses in mind; that direction is called Translation. But the rule takes effect in both directions. The translation of IP addresses that occurs in the direction opposite to what the NAT rule dictates ( in this case from the outside to the inside network ) is called Untranslation.

Show commands

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static web-server 100.0.0.10
    translate_hits = 11, untranslate_hits = 140

ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:10.0.0.10 to outside:100.0.0.10
    flags s idle 0:00:04 timeout 0:00:00

Verification using Packet Tracer

Without setting up the end hosts, ISP etc., we can do all NAT labs using the ASAv firewall alone with the packet-tracer tool.

For example, run the CLI below at the ASAv prompt. This CLI builds a pseudo ICMP echo request packet and pushes it into the outside interface of the ASAv. The ASAv will process this packet the same way it would process a real ICMP echo request packet with source address 128.0.0.1 and destination address 100.0.0.10. 8 and 0 are the ICMP type and code of an echo request. That is how simple it is: you don't need to set up the entire topology to practice NAT. But then you would not have understood the real use case and benefits of NAT.

ciscoasa# packet-tracer input outside icmp 128.0.0.1 8 0 100.0.0.10 << ICMP echo request

Showing the usage of the packet tracer below :

ciscoasa# packet-tracer input outside icmp 128.0.0.1 8 0 100.0.0.10

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network web-server
 nat (inside,outside) static 100.0.0.10
Additional Information:
NAT divert to egress interface inside
Untranslate 100.0.0.10/0 to 10.0.0.10/0 << The packet is subjected to Untranslation

Thanks.


Dynamic NAT

Dynamic NAT is used in scenarios where the XYZ organisation wants to restrict the maximum number of internal users accessing the public internet at the same time. For example, the organisation does not want more than 20 employees to access the public internet simultaneously at any point in time. This scheme works well when employees access public machines using short-lived connections or, even better, connectionless traffic. Watching a YouTube video, on the other hand, requires a connection to YouTube's servers for a prolonged period of time. Hence, Dynamic NAT would restrict the maximum number of employees watching YouTube ( or similar ) at the same time to, say, 20.

LAB Setup

In this example, let us assume that WS-2 represents an external public machine present in the public network. Using dynamic NAT, we want to allow no more than 100 internal users to access public machines at the same time. The internal users in this lab will be WS-1 and FTP-Server ( don’t go by the names ).

Configuration

In Dynamic NAT, we create pools of real and mapped IP addresses. During translation, a real IP address in a packet, which could be the source, the destination or both, is mapped to one of the mapped IP addresses ( picked at random ). The packet is dropped if all IP addresses in the mapped pool are exhausted and translation is no longer feasible.

ASAv Configuration

ciscoasa(config)# object network mapped-pool
ciscoasa(config-network-object)# range 100.0.0.10 100.0.0.100
ciscoasa(config-network-object)# end

ciscoasa# conf t
ciscoasa(config)# object network real-pool
ciscoasa(config-network-object)# subnet 10.0.0.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic mapped-pool
ciscoasa(config-network-object)# end

That's it. This is all we need to implement Dynamic NAT. We created two pools - mapped-pool and real-pool.

As per the NAT rule configured above, if the source IP address of an IP packet entering the firewall on interface inside belongs to the subnet 10.0.0.0/24, then the source IP address will be translated to one of the IP addresses available in the mapped pool. The modified packet exits through interface outside. Dynamic NAT is unidirectional, meaning communication must be initiated from the inside.

Packet Capture

Let's ping the public server WS-2 from the internal user WS-1. Let us see the source and destination IP addresses in all four packets as below :

WS-1#ping 130.0.0.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 130.0.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 48/48/48 ms

ICMP Echo Request from WS-1 to NAT-device

The ICMP echo packet generated by WS-1 has the source and destination IP addresses shown in the packet capture. The source address is set to 10.0.0.10 and the destination address is 130.0.0.1, which is the IP address of WS-2.

ICMP echo request (forwarded) from NAT-device to WS-2

The NAT device intercepts the echo request and changes the source IP address from 10.0.0.10 to 100.0.0.x, where x >= 10 and x <= 100, as per the NAT rule. In this case, 100.0.0.35 is picked from the mapped pool. This is called translation because the real address is being converted to the mapped address - in the same direction as the NAT rule.

ICMP echo reply from WS-2 to NAT-device

Just swap the source and destination addresses of the ICMP echo request packet that was received by WS-2

ICMP echo reply (forwarded) from NAT-device to WS-1

The NAT device intercepts the echo reply and changes the address from 10.0.0.10 to 100.0.0.10 as per the NAT rule. This is called translation because the real address is being converted to the mapped address - exactly what our NAT rule dictates.

So to support Dynamic NAT, XYZ corp. has to purchase a set of public IP addresses from the ISP. The pool of mapped IP addresses serves as a set of tokens for internal users to access public networks. When the mapped pool is exhausted, none of the internal users can communicate with any of the public machines. When an internal user terminates its existing communication with a public machine, the mapped IP address is returned to the mapped pool and can be reused.

Show Output

ciscoasa# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:10.0.0.10 to outside:100.0.0.35 flags i idle 0:00:02 timeout 3:00:00

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic real-pool mapped-pool
    translate_hits = 2, untranslate_hits = 4
ciscoasa#

Combining STATIC + DYNAMIC NAT together

This is the case in which the internal users of XYZ corporation are made to communicate with public servers, but using private IP addresses. For example, the internal user WS-1 or FTP-Server can access the public server WS-2 using a private IP address, say 10.0.0.130. Under the hood, of course, the public IP 130.0.0.1 is required to talk to WS-2, but the internal users are fooled into thinking they are talking to WS-2 using the private address 10.0.0.130. In the diagram below, from the internal users' perspective, they think they are talking to some internal server whose IP address is 10.0.0.130 ( shown by the pink path ). But NAT converts and routes the packets destined to 10.0.0.130 in such a way that the communication actually happens with WS-2 using the public IP address 130.0.0.1 ( shown by the green path ).

To achieve the above behaviour, in addition to the Dynamic NAT configuration we added on the ASAv in the previous section, all we need is to add one more static NAT rule.

Configuration

ciscoasa# conf t
ciscoasa(config)# object network so-server
ciscoasa(config-network-object)# host 130.0.0.1
ciscoasa(config-network-object)# nat (outside,inside) static 10.0.0.130

That's it.

Verification

Let’s try to ping 10.0.0.130 from WS-1. The ping must reach WS-2. Remember that there is no actual physical machine in the XYZ network with this IP address.

ICMP echo Request and Reply on link WS-1 to ASAv :

ICMP echo Request and Reply on link ASAv to WS-2

Benefit: If tomorrow the IP address of the public server changes from 130.0.0.1 to 130.0.0.2 ( for example ), none of the internal users of the organisation would ever come to know about it. All the XYZ Corp admin has to do is update the static NAT rule on the ASAv. Internal users can continue to talk to WS-2 using the same internal IP address 10.0.0.130 happily ever after.
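The translation and untranslation behaviour described in the Static NAT, Dynamic NAT and combined sections above, as an added example that is not part of this post or of Cisco's code: a small Python model of the ASAv's NAT table. NatDevice, Packet and release() are constructed names; static rules apply in both directions, the dynamic rule allocates from mapped-pool and drops when the pool is exhausted, and the combined lab's (outside,inside) rule maps 130.0.0.1 to 10.0.0.130.

```python
import ipaddress
from collections import namedtuple
# Constructed model of this post's ASAv rules (added example, not Cisco's code); names are hypothetical.
Packet = namedtuple("Packet", "src dst")

class NatDevice:
    def __init__(self):
        self.real_to_mapped = {}   # static rules: real -> mapped
        self.mapped_to_real = {}   # the same rules read backwards (untranslation)
        self.real_subnet = None    # real-pool subnet of the dynamic rule
        self.free = []             # unused addresses of mapped-pool
        self.xlate = {}            # live dynamic entries: real -> mapped

    def static(self, real, mapped):
        """object network X / host <real> / nat (a,b) static <mapped>."""
        self.real_to_mapped[real] = mapped
        self.mapped_to_real[mapped] = real

    def dynamic(self, subnet, first, last):
        """object real-pool / subnet ... / nat (inside,outside) dynamic mapped-pool."""
        self.real_subnet = ipaddress.ip_network(subnet)
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def _translate_src(self, src):
        if src in self.real_to_mapped:            # static rule, always applies
            return self.real_to_mapped[src]
        if src in self.xlate:                     # reuse the flow's live entry
            return self.xlate[src]
        if self.real_subnet and ipaddress.ip_address(src) in self.real_subnet:
            if not self.free:                     # mapped-pool exhausted: drop
                return None
            self.xlate[src] = self.free.pop(0)    # ASA picks any free one; we take the first
            return self.xlate[src]
        return src                                # no rule matches: unchanged

    def _untranslate_dst(self, dst):
        if dst in self.mapped_to_real:            # static rule, opposite direction
            return self.mapped_to_real[dst]
        for real, mapped in self.xlate.items():   # reply to a dynamic entry
            if mapped == dst:
                return real
        return dst

    def forward(self, pkt):
        """Apply the rules to one packet in either direction; None means dropped."""
        src = self._translate_src(pkt.src)
        return None if src is None else Packet(src, self._untranslate_dst(pkt.dst))

    def release(self, real):
        """Flow ended (xlate timeout): the mapped address returns to the pool."""
        mapped = self.xlate.pop(real, None)
        if mapped:
            self.free.append(mapped)
```

The pool is shrunk to three addresses in the tests so that exhaustion and reuse are visible; the real lab uses 100.0.0.10 to 100.0.0.100.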


Dynamic PAT


Twice NAT


Conclusion