Saturday, November 30, 2013

IOS Network Address Translation Overview

NAT: Local and Global Definitions


Term Definitions

Inside local address: The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.

Inside global address: A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

Outside local address: The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

Outside global address: The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.


Packets sourced on the inside portion of the network have an inside local address as the source
address and an outside local address as the destination address of the packet, while the packet
resides on the inside portion of the network. When that same packet gets switched to the outside
network, the source of the packet is now known as the inside global address and the destination
of the packet is known as the outside global address. 


Conversely, when a packet is sourced on the outside portion of the network, while it is on the
outside network, its source address is known as the outside global address. The destination of
the packet is known as the inside global address. When the same packet gets switched to the
inside network, the source address is known as the outside local address and the destination of
the packet is known as the inside local address.


• Static Address Translation

The user can establish a one-to-one mapping between local and global addresses. Users can also configure static address translations down to the port level and use the remainder of the IP address for other translations; this is typically done where you are performing Port Address Translation (PAT).
In this configuration, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.10, the source address is translated to 1.1.1.1. This also means that when the NAT router receives a packet on its outside interface with a destination address of 1.1.1.1, the destination address is translated to 10.10.10.10.

    ip nat inside source static 10.10.10.10 1.1.1.1
    ! Inside host is known by the outside host as 1.1.1.1
    interface s 1
     ip nat inside
    interface s 0
     ip nat outside

This is what the packets look like when they are on the inside network and outside network.
You can issue the show ip nat translations command in order to verify the NAT translations in the router. In the configuration below, when the NAT router receives a packet on its inside interface with a source address of 10.10.10.10, the source address is translated to 1.1.1.1. The address 10.10.10.10 is the inside local address, whereas 1.1.1.1 is the inside global address. When the NAT router receives a packet on its outside interface with a source address of 11.11.11.11, the source address is translated to 192.168.1.1. This also means that when the NAT router receives a packet on its outside interface with a destination address of 1.1.1.1, the destination address is translated to 10.10.10.10. Also, when the NAT router receives a packet on its inside interface with a destination address of 192.168.1.1, the destination address is translated to 11.11.11.11.

    ip nat inside source static 10.10.10.10 1.1.1.1
    ! Inside host is known to the outside host as 1.1.1.1
    ip nat outside source static 11.11.11.11 192.168.1.1
    ! Outside host is known to the inside host as 192.168.1.1
    interface s 0
     ip nat inside
    interface s 1
     ip nat outside

The local addresses are addresses that appear on the inside cloud, and the global addresses are addresses that appear on the outside cloud. Because of how NAT is configured in this case, both the inside addresses and the outside addresses are translated. Therefore, the inside local addresses are different from the inside global addresses and the outside local addresses are different from the outside global addresses. This is what the packets look like when they are on the inside network and outside network.
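As an added example (my own code, not from the original post or any Cisco tool), the following Python model applies the second static configuration above and traces the packet flows described in the two paragraphs on local and global addresses through it. The class names StaticNat and Packet and the helper build_example are assumptions for this illustration; the model rewrites addresses only and does no routing. Rows returned by translations() follow the column order IOS uses for show ip nat translations (inside global, inside local, outside local, outside global), with "---" marking a column the entry does not fill. One consequence worth noticing from a defender's point of view: a static inside mapping makes the inside host permanently reachable through its inside global address, so it needs the same exposure controls as a host sitting directly on the outside.

```python
# Added example, not code from the original post: a small Python model of the
# second static configuration above (inside 10.10.10.10 <-> 1.1.1.1, outside
# 11.11.11.11 <-> 192.168.1.1), showing which of the four address terms a
# packet's source and destination carry on each side of the NAT router.
# Class and function names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNat:
    def __init__(self):
        self.inside_static = {}   # inside local  -> inside global
        self.outside_static = {}  # outside global -> outside local

    # ip nat inside source static <inside-local> <inside-global>
    def inside_source_static(self, inside_local, inside_global):
        self.inside_static[inside_local] = inside_global

    # ip nat outside source static <outside-global> <outside-local>
    def outside_source_static(self, outside_global, outside_local):
        self.outside_static[outside_global] = outside_local

    def inside_to_outside(self, pkt):
        """Packet received on the 'ip nat inside' interface.
        On the inside it carries (inside local, outside local); once switched
        to the outside it carries (inside global, outside global)."""
        src = self.inside_static.get(pkt.src, pkt.src)
        local_to_global = {loc: glob for glob, loc in self.outside_static.items()}
        dst = local_to_global.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def outside_to_inside(self, pkt):
        """Packet received on the 'ip nat outside' interface.
        On the outside it carries (outside global, inside global); once switched
        to the inside it carries (outside local, inside local). Addresses with
        no static mapping are left untouched."""
        global_to_local = {glob: loc for loc, glob in self.inside_static.items()}
        src = self.outside_static.get(pkt.src, pkt.src)
        dst = global_to_local.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def translations(self):
        """Static entries in the column order of 'show ip nat translations':
        (inside global, inside local, outside local, outside global)."""
        rows = [(glob, loc, "---", "---") for loc, glob in self.inside_static.items()]
        rows += [("---", "---", loc, glob) for glob, loc in self.outside_static.items()]
        return rows


def build_example():
    """The two static statements from the configuration above."""
    nat = StaticNat()
    nat.inside_source_static("10.10.10.10", "1.1.1.1")
    nat.outside_source_static("11.11.11.11", "192.168.1.1")
    return nat


if __name__ == "__main__":
    nat = build_example()
    # inside local -> outside local, as seen on the inside network
    print(nat.inside_to_outside(Packet("10.10.10.10", "192.168.1.1")))
    # outside global -> inside global, as seen on the outside network
    print(nat.outside_to_inside(Packet("11.11.11.11", "1.1.1.1")))
    for row in nat.translations():
        print(row)
```

Running the script prints the translated packet for each direction and the two static rows; a destination that matches no mapping (for instance 1.1.1.2 arriving from the outside) passes through with only its source rewritten.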
In summary, the terms local and global are actually very straightforward when you think of them in terms of where they appear in the network. Local addresses appear on the inside portion of the network while global addresses appear on the outside portion of the network.

• Dynamic Address Translation

The user can establish a dynamic mapping between the local and global addresses. This is done by describing the local addresses to be translated and the pool of addresses from which to allocate global addresses, and associating the two.

Configuring translation timeouts:

    ip nat translation timeout <seconds>

Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries time out after 24 hours. This time can be adjusted with the above command or the following variations:

    ip nat translation udp-timeout <seconds>
    ip nat translation dns-timeout <seconds>
    ip nat translation tcp-timeout <seconds>
    ip nat translation finrst-timeout <seconds>

Non-DNS UDP translations time out after 5 minutes; DNS times out in 1 minute. TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case it times out in 1 minute.

• Port Address Translation (PAT)

Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT), which is also referred to as "overload", a subset of NAT functionality. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group: 0-511, 512-1023 or 1024-65535.
If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.

Enabling translation of inside source addresses:

    ip nat pool [name] [start-ip] [end-ip] {netmask [netmask] | prefix-length [prefix-length]}
    ip nat inside source { list [acl] pool [name] [overload] }

    access-list 1 permit 10.10.10.0 0.0.0.255
    ip nat pool net-1 1.1.1.1 1.1.1.1 netmask 255.255.255.255
    ip nat inside source list 1 pool net-1

In this example, source addresses in 10.10.10.0/24 on the inside interface are translated to 1.1.1.1 when accessing IP addresses on the outside interface.

Enabling translation of outside source addresses:

    ip nat pool [name] [start-ip] [end-ip] {netmask [netmask] | prefix-length [prefix-length]}
    ip nat outside source { list [acl] pool [name] }

    access-list 1 permit 0.0.0.0 255.255.255.255
    ip nat pool net-1 10.10.10.10 10.10.10.10 netmask 255.255.255.255
    ip nat outside source list 1 pool net-1

In this example, any source address ("ANY") on the outside interface is translated to 10.10.10.10 when accessing IP addresses on the inside interface. In both situations, "Enabling translation of inside source addresses" and "Enabling translation of outside source addresses", the respective interfaces must be configured with "ip nat inside" and "ip nat outside".
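The PAT port-selection rule and the dynamic-translation timeouts above are easier to reason about when written out as an algorithm. The following Python block is an added example of my own, not code from the original post or from IOS: it models the three-step port choice (keep the original source port, otherwise the first free port of the same group, otherwise the next address in the pool) and the default idle timeouts stated in the text (UDP 5 minutes, DNS 1 minute, TCP 24 hours, TCP after FIN/RST 1 minute). The names PatAllocator, TranslationTable and DEFAULT_TIMEOUTS are assumptions, DNS is recognised as UDP to port 53, and time is passed in as a plain number of seconds so the expiry logic can be exercised without waiting. It models the overload (PAT) case; with a one-address pool and no overload keyword, as in the inside-source example above, the pool gives one inside host a translation at a time, and it is this port multiplexing that lets many hosts share the address.

```python
# Added example, not code from the original post: a Python model of the PAT
# port-selection rule and the default dynamic-translation idle timeouts
# described in the text. All names here are hypothetical.

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))

# Default idle timeouts in seconds, as stated in the text; "finrst" is the
# TCP timeout applied once a FIN or RST has been seen on the stream.
DEFAULT_TIMEOUTS = {
    "udp": 5 * 60,
    "dns": 60,
    "tcp": 24 * 60 * 60,
    "finrst": 60,
}


def port_group(port):
    """Return the (low, high) bounds of the port group a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


class PatAllocator:
    """Chooses an (inside global ip, port) pair over a pool of global addresses:
    keep the original source port if free, else the first free port of the
    same group, else move to the next address and repeat."""

    def __init__(self, global_ips):
        self.global_ips = list(global_ips)
        self.in_use = {ip: set() for ip in self.global_ips}

    def allocate(self, src_port):
        lo, hi = port_group(src_port)
        for ip in self.global_ips:
            used = self.in_use[ip]
            if src_port not in used:        # 1. preserve the original source port
                used.add(src_port)
                return ip, src_port
            for port in range(lo, hi + 1):  # 2. first free port in the same group
                if port not in used:
                    used.add(port)
                    return ip, port
        return None                         # 3. no port left on any address

    def release(self, ip, port):
        self.in_use[ip].discard(port)


class TranslationTable:
    """Dynamic entries keyed by (inside local ip, port, protocol), each carrying
    the kind that selects its idle timeout and the time it was last used."""

    def __init__(self, allocator, timeouts=None):
        self.allocator = allocator
        self.timeouts = dict(timeouts or DEFAULT_TIMEOUTS)
        self.entries = {}

    def translate(self, local_ip, local_port, proto, now, dst_port=None):
        """Return the (global ip, port) for a packet, creating an entry if needed;
        'now' is the packet's arrival time in seconds."""
        key = (local_ip, local_port, proto)
        entry = self.entries.get(key)
        if entry is None:
            alloc = self.allocator.allocate(local_port)
            if alloc is None:
                return None                 # pool exhausted: no translation possible
            kind = "dns" if proto == "udp" and dst_port == 53 else proto
            entry = {"global": alloc, "kind": kind, "last": now}
            self.entries[key] = entry
        entry["last"] = now                 # any use refreshes the idle timer
        return entry["global"]

    def saw_fin_or_rst(self, key, now):
        """Switch a TCP entry to the short FIN/RST timeout."""
        entry = self.entries[key]
        entry["kind"] = "finrst"
        entry["last"] = now

    def expire(self, now):
        """Remove entries idle longer than their timeout; return the removed keys."""
        removed = []
        for key, entry in list(self.entries.items()):
            if now - entry["last"] >= self.timeouts[entry["kind"]]:
                self.allocator.release(*entry["global"])
                del self.entries[key]
                removed.append(key)
        return removed
```

A point this makes visible: the counters that matter operationally are free ports per group per address, not the 65,536 total, because a burst of flows from low source ports can exhaust the 0-511 group while the high group sits empty, and the finrst timeout is what returns TCP ports to the pool quickly after normal connection teardown.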