NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the Internet without obtaining registered addresses for every host. Private addresses are translated to the public address of the NAT router. NAT can be used to provide a measure of security for your private network, or to provide Internet connectivity with a limited number of registered IP addresses.
As you work with NAT, it's important to understand the following terminology.
Term | Definition |
Inside | The inside network is the private network. |
Outside | The outside network is the public network (the Internet). |
Inside local address | The inside local address is the IP address of the host on the inside network. |
Inside global address | The inside global address is the IP address of the host after it has been translated for use on the Internet. The term global refers to the registered IP address that identifies the inside host on the Internet. |
Outside global address | The outside global address is the IP address of an Internet host. For example, when you visit a Web site, your computer uses the outside global address to contact the Web server. |
Outside local address | An outside local address is an outside global address that has been translated for inside (or private) use. In other words, the NAT router translates an Internet host IP address into a private IP address. The internal computer uses the translated address rather than the Web server's own address. |
When configuring NAT, you have the following options:
Method | Description |
Static | Use static translation to translate a single outside address to a single inside address. |
Overloaded with PAT | Use overloaded NAT with Port Address Translation (PAT) to translate multiple inside addresses to a single public address. Port numbers are used to identify specific inside local hosts. The port number associated with the private host is appended to the inside global IP address. Use this option to allow multiple inside hosts to access the Internet using a single public IP address. |
Dynamic | Use dynamic translation to translate a range of outside addresses to a range of inside addresses. Use this option when you have multiple public addresses for multiple private addresses. If the number of inside addresses is greater than the number of outside addresses, use the overloaded option with dynamic NAT. |
Configuring NAT on a Cisco router may be done through the command line interface (CLI) or the Security Device Manager (SDM). When using the SDM to configure NAT, you start a wizard that helps you choose the NAT configuration parameters.
- Choose Basic NAT to identify the inside and outside interfaces. Selecting this option configures overloaded NAT with PAT. The public address assigned to the public interface is used for all private hosts.
- Choose Advanced NAT to:
  - Identify the outside interface.
  - Configure additional public addresses that can be used for dynamic translation.
  - Identify inside interfaces and additional network addresses that are not directly connected to the NAT router that will be translated. This option lets you configure a single NAT router for your entire private network, even when your network consists of multiple subnets accessible through other routers on the private network.
  - Perform static mappings that translate a public IP address to a private host address. With this option, hosts on the private network are assigned a private IP address, and the private IP address is mapped to a public IP address. Incoming communications sent to the public IP address are translated and forwarded to the private host. The wizard calls these mappings NAT rules.
Note: To start the NAT wizard, the router must have at least two enabled interfaces.
When configuring a router for NAT, be sure to use an IP address in the private IP address ranges for the inside local IP addresses. Otherwise, hosts on your network might not be able to access outside hosts with the same IP address. A Cisco router can be configured to overcome this problem, but the configuration is difficult. Private IP addresses do not need to be registered, and fall within the following ranges:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
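
The overloaded NAT (PAT) behavior and the private address ranges described above, modeled in Python as an added example that is not part of the original page or any Cisco code. The class and function names, the sequential port allocation starting at 1024, and the sample addresses are assumptions for illustration; a real router also tracks protocol and destination for each translation.

```python
import ipaddress

# The three private ranges listed above, written in CIDR form.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class PatRouter:
    """Simplified model of overloaded NAT: many inside hosts, one public address."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global   # public address shared by all hosts
        self.next_port = first_port          # assumed allocation scheme
        self.out = {}    # (inside local ip, port) -> translated port
        self.back = {}   # translated port -> (inside local ip, port)

    def outbound(self, src_ip, src_port):
        """Translate an inside local socket to an inside global socket."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private inside local address")
        key = (src_ip, src_port)
        if key not in self.out:              # reuse an existing translation
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.out[key])

    def inbound(self, dst_port):
        """Map traffic sent to the public address back to the inside host.
        Returns None when no translation exists, so nothing is forwarded."""
        return self.back.get(dst_port)


def demo():
    # Constructed sample values; 203.0.113.5 is a documentation address.
    r = PatRouter("203.0.113.5")
    a = r.outbound("192.168.1.10", 51000)
    b = r.outbound("192.168.1.11", 51000)    # same source port, different host
    return a, b, r.inbound(a[1]), r.inbound(b[1]), r.inbound(4444)
```

The last value returned by `demo()` is `None`: a packet arriving on a port with no translation entry has no inside host to go to, which is the "measure of security" overloaded NAT provides unless a static mapping is configured.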