dissolved asked:

two questions on NAT

1. What is the difference between the "port forwarding" feature on low end routers, and "static nat" on cisco routers?  Are they the same thing but with different names?  Does Cisco have a "port forwarding" type command?

2. Instead of static NAT, couldn't you accomplish the same thing with static routes?  Or do static routes only route you to networks, not hosts?  Whereas static NAT gets you to specific hosts?

3. Please don't answer question #3 if you don't feel like it, I'm just trying to get a grip on this stuff. What is going on in certain parts of this config (I marked the three areas I didn't understand)?
------------------------------------------------------------------
2500a#
  interface Ethernet 0
    ip address 192.168.1.40 255.255.255.0
    ip nat outside        <-------- (does this mean something like "enable NAT for packets going outbound"?)
  interface Serial 0
    ip address 192.168.0.5 255.255.255.0
    ip nat inside         <-------- (what does this mean?)
  ip nat inside source static 192.168.2.3 192.168.1.41     (what significance does this have?)
  ip route 192.168.2.0 255.255.255.0 192.168.0.6
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
--------------------------------------------------------------------
Thanks
SOLUTION
JFrederick29
Just to clarify on question 1.

On a Cisco router, to emulate a SOHO router like a Linksys/Netgear, you can use the following command:

ip nat inside source list 1 interface ethernet0 overload
                                                ^^^^^^^^

The "overload" keyword is used for one-to-many translation (like a SOHO router).

Port forwarding complements the above and is used to forward to inside hosts based on port.
Les Moore
1. Port forwarding on SOHO routers uses one and only one public IP address, and you can forward different individual ports to different inside hosts. Static NAT, on the other hand, allows you to provide a complete 1-to-1 map from 1 public IP to 1 private IP, multiple times. And yes, there is also an equivalent of port forwarding where you only NAT specified ports. In other words, you can map 200 public IPs to 400 different hosts using a variety of 1-1 and port forwarding. Additionally, on a Cisco router the inside address is not limited to only a local LAN IP; it can be any IP address anywhere on the inside of the network, behind several other routers if necessary.

2. Not at all. NAT changes the source IP address to the "outside" address as it passes from the "inside" through the "outside" defined interfaces (more about that in #3). Since it changes the source IP, it also must keep a table of who really sent that packet so that the response goes back to the appropriate host. Routing never changes the source IP address, so there must be routing all the way there and back; every router in the path must maintain the source/destination pair. Especially if you are using private IP addresses, these addresses are not routable on the Internet, so you have no choice except to NAT them to a public IP address.

3. When using NAT, you must designate which interfaces are "outside" and which ones are "inside", then you define the ip nat "inside" rules. As traffic passes from an inside interface through the outside designated interface, the NAT rules are examined. In the example above, only the one rule is defined, which says that for any traffic from host 192.168.2.3, as it passes out interface E0 the source IP will change to 192.168.1.41. Now anything beyond that router will see the incoming packet as being from 192.168.1.41. It does not have to know anything about the 192.168.2.x network, does not have to have a route to it or anything. There are many ways to define and apply rules to the NAT process.

Example of a 1-1 static NAT rule:
  ip nat inside source static 192.168.2.33 12.34.56.7
  ip nat inside source static 192.168.2.34 12.34.56.8
  ip nat inside source static 192.168.2.35 12.34.56.9

Add in some static port forwarding (single public, multiple private, specified ports):
  ip nat inside source static tcp 192.168.2.37 25 12.34.56.6 25
  ip nat inside source static tcp 192.168.2.39 80 12.34.56.6 80
  ip nat inside source static tcp 192.168.2.22 110 12.34.56.6 110
  ip nat inside source static tcp 192.168.2.222 3389 12.34.56.6 3389

Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0):
  access-list 1 permit 192.168.2.0 0.0.0.255
  ip nat inside source list 1 interface Ethernet0 overload

Add in a dynamic NAT pool to use .78 - .99 as "rotary" 1-1 NAT as needed:
  access-list 2 permit 192.168.3.0 0.0.0.255
  ip nat pool POOL1 12.34.56.78 12.34.56.99 netmask 255.255.255.0
  ip nat inside source list 2 pool POOL1
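A toy model of the NAT behaviour Les Moore describes, written as an added example for this page (it is not code from the post or from Cisco IOS). It evaluates his rule set for packets leaving the inside and for packets arriving from the outside, which makes the answer to question 1 concrete: a static 1-1 entry lets any port reach the inside host, a static tcp entry (port forwarding) only the one listed port, and an overload entry only replies to a connection that the table already knows. Ethernet0's public address and the port chosen for overload entries are assumptions.

```python
from ipaddress import ip_address, ip_network
# Les Moore's sample rule set above, as Python data (addresses are the post's own).
STATIC = {"192.168.2.33": "12.34.56.7", "192.168.2.34": "12.34.56.8"}  # ip nat inside source static A B
STATIC_TCP = {("192.168.2.37", 25): ("12.34.56.6", 25),                 # ip nat inside source static tcp ...
              ("192.168.2.39", 80): ("12.34.56.6", 80)}
ACL1, E0_ADDR = ip_network("192.168.2.0/24"), "12.34.56.1"  # list 1 -> interface Ethernet0 overload (E0 address assumed)
ACL2 = ip_network("192.168.3.0/24")                         # list 2 -> pool POOL1 (12.34.56.78 - .99)
POOL1 = [f"12.34.56.{n}" for n in range(78, 100)]

class NatRouter:
    def __init__(self):
        self.xlate = {}      # (outside ip, port) -> (inside ip, port): overload entries created on the fly
        self.pool_used = {}  # inside ip -> pool address handed out (dynamic 1-1)
        self.next_port = 1024
    def outbound(self, src, sport):
        """Inside -> outside: returns the (ip, port) the Internet sees, or None if the packet is dropped."""
        if src in STATIC:                                # static 1-1: every port rewritten the same way
            return STATIC[src], sport
        if (src, sport) in STATIC_TCP:                   # static PAT: only this one port has a rule
            return STATIC_TCP[(src, sport)]
        if ip_address(src) in ACL1:                      # overload: many hosts share E0's single address
            for out, inn in self.xlate.items():
                if inn == (src, sport):
                    return out                           # reuse the entry already in the table
            out = (E0_ADDR, self.next_port)              # assumed port choice; IOS keeps sport when free
            self.next_port += 1
            self.xlate[out] = (src, sport)
            return out
        if ip_address(src) in ACL2:                      # dynamic pool: one public address per inside host
            if src not in self.pool_used:
                free = [a for a in POOL1 if a not in self.pool_used.values()]
                if not free:
                    return None                          # pool exhausted and no overload: dropped
                self.pool_used[src] = free[0]
            return self.pool_used[src], sport
        return src, sport                                # no rule matched: forwarded untranslated

    def inbound(self, dst, dport):
        """Outside -> inside: returns the inside (ip, port), or None when nothing maps to it."""
        for inside, outside in STATIC.items():
            if outside == dst:
                return inside, dport                     # any port reaches the host: fully exposed
        for inside_pair, outside_pair in STATIC_TCP.items():
            if outside_pair == (dst, dport):
                return inside_pair                       # only the forwarded port reaches the host
        for inside, pooled in self.pool_used.items():
            if pooled == dst:
                return inside, dport                     # 1-1 for as long as the pool entry lives
        return self.xlate.get((dst, dport))              # overload: only replies to an existing entry
```

Note that 192.168.2.37 matches list 1 as well, so traffic from any port other than 25 leaves under E0's address rather than 12.34.56.6, just as it would on the router.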
Damn! JFrederick29 beat me to the submit button!
Been doing that a little bit lately, eh? lrmoore :)

Great answer though, very detailed.
SOLUTION
dissolved (ASKER):
Thanks guys. So much good info, I had to read this page 7 times (not joking lol). Let me see if I am comprehending this accurately (bear with me):

-PAT: "nats" a public IP to a private IP, with specific ports (ie: 80, 25)

-static NAT: translates one public IP, to one private IP..including all ports (unless of course a firewall is blocking certain ports)

-dynamic NAT: ???

-a NAT table is maintained in every router that NATs. NAT works by swapping L3 addresses. It maintains a table of "what it swapped."

question:
what is "dynamic NAT"? Is that when EVERY address going through a NAT router is swapped? I'm guessing the configuration in the router would be very general as far as hosts go. We would specify a range to "NAT" instead of specifying individual hosts.

Am I on the right track?

thanks again.

whoops: I now see lrmoore's example of dynamic NAT:

>> Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0)
>>  access-list 1 permit 192.168.2.0 0.0.0.255
>>  ip nat inside source list 1 interface Ethernet0 overload

I'm guessing the "overload" command must be used in conjunction with dynamic NAT?
ASKER CERTIFIED SOLUTION
whoa, just threw another term at me there ...dynamic PAT :-)
I think I understand though.

so in your example:
>> Add in a rule for dynamic NAT for inside hosts (all will use the public IP assigned to Eth0)
>>  access-list 1 permit 192.168.2.0 0.0.0.255
>>  ip nat inside source list 1 interface Ethernet0 overload

The above is dynamic PAT because all inside devices will be using E0's address to send packets to the internet.
One interface for many clients

Dynamic NAT on the other hand would pull from a predefined "pool" of addresses. Then, when the last address in the pool is used, it will PAT on the last address for any additional addresses that want to send out to the internet.


static PAT is just port forwarding (stuff you can do in low end cable routers)

static NAT is just public IP to private IP translating (at layer 3). Using static NAT exposes all of the private IP's ports to the internet (if a firewall isn't blocking it somewhere along the way).

Are my interpretations correct?

ps:
"This is just the tip of the iceberg as to what we can do with NAT/PAT...at least on Cisco routers.."
yikes!
Yes to all your questions.
Isn't this fun to learn all this new stuff?
thanks!
yes it is. I can't believe some of the stuff you, jfrederick, and Dr. IP know (and remember). It's scary. You guys must scare yourselves sometimes lol

Thanks for the help guys!

Hey everyone,

I have a NAT question as well. I am trying to configure a Cisco 2611 to do NAT. Here is a snippet of the config that I am working in. This particular config is for a point-to-point private T1. I need to NAT all traffic going out of the FastEthernet to be 192.168.35.6 / 255.255.255.0.

Please help,

Thanks
Greg

interface FastEthernet0/0
 description ethernet side to Miami
 ip address 192.168.37.78 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 duplex auto
 speed 100
!
interface Serial0/0
 bandwidth 1544
 ip address 192.168.5.2 255.255.255.0
 no ip directed-broadcast
 service-module t1 timeslots 1-24

ip default-gateway 192.168.5.1
ip nat outside source static 192.168.37.78 192.168.35.6
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.5.1
no ip http server