Security using NAT/PAT


 

Introduction

 

Network address translation (NAT) is designed for IP address simplification and conservation. It enables private IP internetworks that use unregistered (RFC 1918) IP addresses to connect to the Internet. NAT is configured on the Okapi router that connects the two networks together, and it translates the private (inside local) addresses of the internal network to public (inside global) addresses before packets are forwarded to the other network. As a result only one address is exposed for the entire network to the outside world. This hides the internal addressing from the Internet, and because the router forwards inbound packets only when they match an existing translation, unsolicited inbound connections to internal hosts are dropped; that is the additional security NAT provides. It is not a firewall: it does not inspect or restrict what internal hosts send outward, and return traffic for any existing translation is forwarded to the internal host. NAT is one of the key components of today's corporate networks attached to the Internet, and its most popular use is to connect an internal network to the Internet.

In the case of source NAT (inside source translation) the access-list is matched against the source address as it is before translation (the inside local address), because the access-list is evaluated first and the translation happens afterwards. The access-list must therefore list the private addresses, not the public one. The following configuration demonstrates this.

 

Network Diagram

 

 

Configuration

 

The Okapi router sits between the internal network 192.168.1.0/24 and the ISP. The public IP provided by the ISP to the Okapi router is 122.160.77.22, and the next-hop address provided is 122.160.77.1.

Let's start configuring NAT/PAT on the Okapi router.

The Okapi router is connected to the internal LAN through interface fastethernet 1. Configure this interface as "ip nat inside".

Okapi(config)# interface fastethernet 1
Okapi(config-if-eth)# ip address 192.168.1.19/24
Okapi(config-if-eth)# ip nat inside

Okapi is connected to the Internet cloud through interface fastethernet 0. Configure this interface as "ip nat outside". Note that the mask 255.0.0.0 makes the router treat all of 122.0.0.0/8 as directly connected; use the mask the ISP actually assigned for the link.

Okapi(config)# interface fastethernet 0
Okapi(config-if-eth)# ip address 122.160.77.22 255.0.0.0
Okapi(config-if-eth)# ip nat outside

The default route points to the next-hop address provided by the ISP.

Okapi(config)# ip route 0.0.0.0 0.0.0.0 122.160.77.1

The access-list defines the range of addresses on which NAT is to be applied. Here that is the entire address range of the internal LAN, written with a wildcard mask. It matches inside local addresses, i.e. the source address before translation.

Okapi(config)# access-list 1 permit 192.168.1.0 0.0.0.255

And finally, we define the NAT rule, which says that any source address matching access-list 1 should be translated to the IP address of interface fastethernet 0, which is the public IP. The "overload" keyword enables PAT: all internal hosts share the one public address and are distinguished by the translated source port. Thus any packet travelling from the internal LAN to the outside world will have its source address appear as 122.160.77.22 to the external world. Traffic whose source is not permitted by access-list 1 is not translated at all, so the list must cover every internal prefix that needs Internet access.

Okapi(config)# ip nat inside source list 1 interface fastethernet 0 overload
The translations can be verified with the "show ip nat translations" command.

Okapi# show ip nat translations

Pro  Inside local       Inside global         Outside local   Outside global
UDP  192.168.1.30:63    122.160.77.22:4097    ---             ---
UDP  192.168.1.23:63    122.160.77.22:4096    ---             ---

Each row shows an inside local address and port translated to the single inside global address 122.160.77.22 with a unique port, which is what PAT (overload) does.
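The following Python model of the PAT behaviour configured above is an added example; it is not Okapi code or output. It applies access-list 1 to the untranslated (inside local) source, rewrites permitted sources to 122.160.77.22 with a fresh port, and forwards inbound packets only when they match an existing translation, which is the security property described in the introduction. The port allocator starting at 4096 is an assumption chosen to match the table above, and translation timeouts are not modelled.

```python
"""Toy model of the PAT configuration above (added example, not Okapi's code).

It shows three things the page states or implies:
  * access-list 1 is matched against the source address *before* translation
    (the inside local address), so it lists 192.168.1.0/24, not the public IP;
  * 'overload' rewrites every permitted source to the single interface address
    122.160.77.22, distinguishing flows by a new source port;
  * inbound packets from the Internet are only forwarded if they match an
    existing translation, which is the (limited) security NAT provides.
Port allocation starting at 4096 is an assumption chosen to match the
'show ip nat translations' output above; timeouts are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_NET = ip_network("192.168.1.0/24")   # access-list 1 permit 192.168.1.0 0.0.0.255
OUTSIDE_ADDR = ip_address("122.160.77.22")  # ip address on interface fastethernet 0
FIRST_PAT_PORT = 4096                       # assumed first port the overload allocator hands out


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self):
        # (proto, inside local ip, inside local port) -> inside global port
        self.outbound = {}
        # (proto, inside global port) -> (inside local ip, inside local port)
        self.inbound = {}
        self.next_port = FIRST_PAT_PORT

    def acl_permits(self, pkt):
        """access-list 1, evaluated on the untranslated (inside local) source."""
        return ip_address(pkt.src) in INSIDE_NET

    def inside_to_outside(self, pkt):
        """Packet received on the 'ip nat inside' interface, leaving via fastethernet 0."""
        if not self.acl_permits(pkt):
            return pkt  # not covered by the list: forwarded without translation
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.outbound.get(key)
        if gport is None:  # first packet of this flow: create the translation
            gport = self.next_port
            self.next_port += 1
            self.outbound[key] = gport
            self.inbound[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, str(OUTSIDE_ADDR), gport, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Packet received on the 'ip nat outside' interface; None means dropped."""
        if ip_address(pkt.dst) != OUTSIDE_ADDR:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # unsolicited inbound: no translation, so no internal host is reachable
        local_ip, local_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local_ip, local_port)

    def translations(self):
        """Rows in the layout of 'show ip nat translations' (Pro, Inside local, Inside global)."""
        return [(proto, f"{lip}:{lport}", f"{OUTSIDE_ADDR}:{gport}")
                for (proto, lip, lport), gport in self.outbound.items()]


if __name__ == "__main__":
    r = PatRouter()
    # Constructed sample traffic: the two hosts from the table above querying a DNS server.
    for host in ("192.168.1.23", "192.168.1.30"):
        r.inside_to_outside(Packet("UDP", host, 63, "198.51.100.10", 53))
    print("Pro  Inside local       Inside global")
    for row in r.translations():
        print(f"{row[0]:<4} {row[1]:<18} {row[2]}")
    reply = r.outside_to_inside(Packet("UDP", "198.51.100.10", 53, str(OUTSIDE_ADDR), 4096))
    print("reply to :4096 delivered to", reply.dst, reply.dport)
    probe = Packet("TCP", "203.0.113.9", 4444, str(OUTSIDE_ADDR), 22)
    print("unsolicited inbound to :22 ->", r.outside_to_inside(probe))
```

The model makes the ordering point concrete: `acl_permits` never sees 122.160.77.22, only the private source, so an access-list written against the public address would match nothing and no host would be translated. It also shows why the access-list must be complete: a source outside 192.168.1.0/24 leaves the router with its private address intact rather than being blocked.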