Introduction to NAT and PAT

Hi Shawn,

If you are using PAT, you don’t need to assign all those public IP’s that you are getting from your ISP to your router. As explained by Rene in the lesson, using 1 Public IP which is assigned to the outside interface can be used to PAT your source address to the internet. Even-though, you can add more than 1 public IP to the interface as a secondary IP.

I recommend you to check this lab:

How to configure PAT on Cisco IOS Router

Hi, and thank you for the reply. I was talking about dynamic NAT, or Static NAT, where you would have a pool of Public IP addresses and a pool of private addresses. In order to use one of the public IP addresses as your new source address, it has to be configured on the router, right? Or can you just have your ISP route you the subnet and they will see the source ip as it get’s NAT’d and know what to do with it.

I hope this makes more sense, I am not talking about PAT (layer 4) at all.

Thanks

Hi Shawn,

If I understand your question correctly, you have a subnet of /24 public IP from your ISP and you want to use it in a Dynamic NAT by which your private internal IP’s can go to the internet. If this is the case, you don’t need to have a pool of private IP’s as you mentioned. What you need is to configure a pool of your public IP in the Dynamic NAT by which each internal host will reserve one Public IP to go to the internet.

For example: if you have configured in your router a pool of 5 public IP’s then only 5 internal private IP’s at a time can go to the internet. In other word, every private IP will reserve an available public IP from the pool.

I can refer you to this lesson for more information:
Configure Dynamic NAT

Please explain what is a bidirectional NAT

Hi Pavan,

In most NAT/PAT examples, we only translate the source IP address.

With bi-directional NAT, you can translate both the source and destination IP address at the same time.

Rene

I have a doubt about private address and public address

i perfect understand which ip address is public and private. But in the real world i’ve seen an ISP accepting RFC 1918 ip addresses in its inbound BGP filter (yes, it’s so unprofessional)

So, in the real world, we can announce any subnet, independently if its a public or private, despite all Cisco OCG mention “RFC 1918 ip address are not reacheable or routeable into internet”

I’d like to read your toughts about it

Hello Juan

The rule is that RFC1918 IP addresses are not reachable or routable on the internet. That is a rule that ISPs are responsible for adhering to and implementing. There is no technological inability to routing these addresses, but by definition, everyone is required to adhere to it and that is why you cannot do it. But even if an ISP does accept them, when they try to hand them off to other networks, the routers on the Internet at large are configured to drop any such traffic.

Cisco’s OCGs mention this because it is expected that all Internet networks are configured to adhere to this rule.

I hope this has been helpful!

Laz

1 Like

yes, it was i suspected, that is a rule but not a technological inability.

Thanks for your reply.

1 Like

Dear sir,

  How do verify in the Router the NATed translation have working correctly ? 

Thank you

Regards,
Mani

Hello Mani

There are two fundamental ways that you can check your NATting. The first is to use the show ip nat translations command which shows you how a NAT router is translating specific addresses. An example of the output can be found here:

NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.10:4   192.168.123.1:4    192.168.23.3:4     192.168.23.3:4
--- 192.168.23.10      192.168.123.1      ---                ---
icmp 192.168.23.11:2   192.168.123.2:2    192.168.23.3:2     192.168.23.3:2
--- 192.168.23.11      192.168.123.2      ---                ---

Secondly, you can use the debug ip packet debug command that will show you the source and destination of packets that arrive and that are sent on particular interfaces. This helps in verifying that IPs have actually been translated, and you’re not just seeing regular routing taking place. An example of the output in such a situation can be seen below:

R1#
IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1

You can see both of these techniques in action in the following lessons:


I hope this has been helpful!

Laz

Dear sir,
Public web server have static PAT in our router . And Router forward the traffic after NAT to our firewall. Then firewall forward traffic to our internal server.
Suddenly the connection have dropped from public. Internal can see the page After 3 to 4 hours then connection is up. Why such behaviour is happened ? How to check the traffic during the downtime whether router NAT traffic correctly and forward to the next hop ? How to capture the logs to show the customer if it is not network issue ?

Public IP 137.132.22.163 443 Private IP 172.25.182.43 443

During the issue can see the request coming to the firewall . And response also leaving it. But the customer cant access it from internet.

Does the syslog which includes NAT translations also ? How to store the translation in the syslog ? pls advise

Please help.

Thanks
Regards,
Mani

Hello Mani

The above statement seems to indicate that traffic from the public Internet did indeed reach the web server, and the web server sent a response. This also tells us that the NAT router is working correctly since incoming requests reached the firewall. How do you prove that this took place? There are several ways in which you can use logs to show such traffic. One is syslog, about which you can learn more here for both IOS devices as well as ASA firewalls:


If you had your devices configured to collect logs locally, you may be able to show these logs using the appropriate commands as mentioned in the lessons above. In general, however, it’s a good idea to set up a syslog server that will collect and store these messages.

NAT translations can indeed be recorded using syslog. You can find out more information about how to monitor NAT translations and connections at this Cisco documentation:

You should be able to monitor all sessions as well by installing some monitoring software/system on the web server, the router, as well as the firewall, using tools such as SNMP or Netflow or Cisco Performance Monitor.

I hope this has been helpful!

Laz

Hi dear, when we use PAT for connection intertet users.if ports end other users cannot reach internet?

Hello Cemil

Yes, that is correct. If there are no more available ports, and no more IP addresses in the NAT pool for use on the outside interface, then the next device that will attempt to access the internet will not be able to.

However, this limitation will rarely happen. Remember that there are over 65000 TCP/UDP ports available for use. A NAT router will first run out of CPU and memory resources if too many translations take place before it ever runs out of available ports.

I hope this has been helpful!

Laz

  1. I have two ports 80 and 443 that when I scan my outside interface public ip, they come out as open.
    I have not nat anything at all from the outside interface ip to anywhere(all it does is just an overload NAT), but I Natted from other public valid IPs that are routed to the same interface on ports 80 443 but those ips are not the same IP as the outside interface IP.
    I checked the show udp(other than 18999 which is a cisco bug)
    and show tcp brief(other than the mgmt int which is on a different local subnet)
    nothing came up, it’s not listening to anything
    Output of show ip nat trans
    outside interface ip has no translations from 80 or 443(they are all overload nat translations)
    I can go ahead and put on an ACL for it, but I am afraid the router is doing something essential on these ports that I m not aware of(this edge router is in production)
    and aside from that I want to find out why those 2 ports are open at the first place?!
    I can telnet to those ports and they came out open on port scanner as well

  2. On ASR when I define two interfaces as INSIDE/OUTSIDE of the nat, is the nat by default also enable the ip virtual-reassembly on those interfaces?

  3. what is open by default on an ASR router/or a router in gerneral(regardless of having a firewall behind it ofc) that should be closed, as a device hardening best practice for a network edge device?

  4. I am curious, why a temporary overload translation on a random port e.g. 12234 when I try to telnet to that temp translation, the port won’t come out as open?, but there is a hole on router for that port mapped to a local ip and port

Thanks

Hello Erik

There may be several reasons for this. Ports may be open by various processes that are running on the router that may be using the internet-facing interface. Things like virtual templates, tunnels, VPN configurations, VTY lines, and NAT translation rules among other things, are capable of “opening” particular ports for an IP address that corresponds to the outside interface. You’ll have to do a bit of digging to see what else is running on the device.

You’re absolutely right that you shouldn’t try to block those ports since this is a production network. But keep in mind that conventional ACLs will only filter transient traffic, and not traffic destined to the router itself. If you want to filter such traffic, you must apply Control Plane Policing (CoPP). Now using CpPP, you can experiment during a maintenance window by temporarily blocking those ports. If you do this, first check if the ports are indeed blocked. If they are not, then it will give you a clue as to what kind of process may be keeping those ports open (as some processes take precedence as far as order of operations goes). If they are, then you may detect some other fault from the services using those ports, that may provide you with some valuable troubleshooting information. These are just thoughts that I hope will inspire you to troubleshoot and find the solution to the issue.

This command enables the Virtual fragmentation reassembly (VFR) feature. According to this Cisco documentation, when NAT is enabled on an interface, VFR is also automatically enabled. In some platforms, the ip virtual-reassembly command doesn’t actually appear in the interface configuration even if it is enabled. As stated in the same document, you do have the option of disabling it if you wish.

When we talk about closed ports, we’re talking about ports used not on transient traffic, but on traffic destined to the device itself. Ports are opened only if a feature is configured. For example, if you don’t configure SSH, port 22 will remain closed. If you don’t configure Telnet, or NAT, or SNMP, or any such features, all ports will refuse connection to the device itself. When these services are opened, then you can employ CoPP as mentioned before to be sure that you are securely providing access to them. As for hardening, you can take a look at the following documentation for best practices:

Such an overload translation will only allow return traffic from an already established traffic flow. Because such as translation was initiated from the inside, by a host requesting access to a resource on the internet, the router will only allow return traffic that matches the source and destination IP addresses and ports. Any attempt from another IP address/port combination, such as your attempt, will be rejected.

I hope this has been helpful!

Laz

Hi Rene and team,

Could you perhaps compare CGNAT to the standard NAT discussed in lesson?
What is the biggest difference?

Is CGNAT characterized by using 100.64.0.0/10 on CPE, and the actual NAT to a routable address happens on ISP router?

What does ISP do when we ask them to “turn off” CGNAT?

I do understand the purpose of CGNAT (to use as little public IPs as possible), but I was never able to understand if there are any differences in implementation.

Thank you for your time.

Best regards,
Ana

Hello Ana

Technologically, carrier-grade NAT (CGNAT) and regular NAT function the same way. The differences between CGNAT and regular NAT have to do with the way they are implemented as well as with the scale of implementation.

CGNAT is an approach to IPv4 network design that simply moves the location of NAT from the edge of the enterprise to somewhere within the ISP’s network. In this way, an ISP can provide NAT services centrally for all of its customers rather than employing NAT at each individual customer. In essence, this simply shifts the NAT function and configuration from the customer premises to the ISP network.

The implementation of CGNAT requires that the ISP design their network accordingly. CGNAT requires NAT routers that are specially designed to handle the large volume of NAT translations that would result from such a design. Also, ISPs will have to provide private IP addresses to their customers and any port forwarding or static translations would have to be managed by the ISP based on the requirements of each customer.

The implementation of CGNAT primarily affects network design principles and not technological implementation methods.

This depends on the definition that the ISP places on that statement. I would assume that if you don’t want to use the ISP’s CGNAT, they should then give you connectivity where you can perform your own NAT at the network edge, and be provided with a public IPv4 address.

I hope this has been helpful!

Laz

1 Like

What is the other option if we exhaust the all 65000 ports?
I suppose only other option is using a pool of Public IPs to PAT ?

Hello Tejas

As mentioned in my previous post, you will never run out of ports on a NAT router. This is because you will first run out of resources (CPU, memory) before you run out of the 65000 available ports.

If however you (theoretically) do run out of ports, then adding additional IP addresses to the address pool of the outside interface will give you more translation options. Remember, you have 65000 ports available for translations for each outside IP address. Another option is to transition to IPv6 which will eliminate the need for NAT completely.

I hope this has been helpful!

Laz

1 Like