Dynamic NAT with Overloading (PAT)
Unless an organization has a large pool of global IP
addresses, it seems the basic dynamic NAT translations could prove too limiting
and cumbersome. Furthermore, having to maintain a large pool of global addresses
somewhat defeats the address preservation aspects of private addresses.
The alternative is to have the NAT router create a unique
identifier for every session by using a single global IP address and appending a
port number, such as 1.1.1.1:1540. While over 65,000 port numbers exist, the
effective limit is about 4,000. This means an organization could use and pay for
only one real IP address and allow up to 4,000 hosts out onto the Internet. Even
if NAT has a pool of two or more IP addresses to work with, the IOS version of
NAT chooses to continue using the first IP address in the pool for subsequent
translations.
This process is referred to as dynamic overloading or as Port Address Translation (PAT). Implementing the feature requires adding only the single keyword overload to the ip nat inside source list command. An example follows:
Rtr1(config)#ip nat pool 3net-out 172.16.3.10 172.16.3.99 netmask 255.255.255.0
Rtr1(config)#ip nat inside source list 1 pool 3net-out overload
Rtr1(config)#access-list 1 permit 192.168.2.0 0.0.0.255
When the router receives the packet from an inside computer, it
saves the computer’s local IP address and port number to a NAT table. The router
replaces the local IP address with a global IP address and adds the same port
number. The translation table now has a mapping of the computer’s nonroutable IP
address and port number along with the router’s IP address. The show ip nat translation command displays the result.
Rtr1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 172.16.2.5:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
tcp 172.16.2.5:1095 192.168.0.21:1095 10.0.0.19:21 10.0.0.19:21
tcp 172.16.2.5:1094 192.168.0.21:1094 10.0.0.45:23 10.0.0.45:23
Rtr1#
The first column (Pro), which was blank in the earlier examples, now shows the protocol used.
When a packet comes from the destination computer, the router
checks the destination port on the packet. The router then looks in the address
translation table to see which computer on the stub domain the packet belongs
to. It changes the destination address and the destination port to the one saved
in the address translation table and sends it to that computer. The NAT router
continues to use that same port number for the duration of the connection. The
timer is reset each time the router accesses an entry in the table. If the entry
isn’t accessed again before the timer expires, the entry is removed from the
table.
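The outbound mapping, the reverse lookup on returning packets, and the idle timer described above, as a small added simulation (not code from the page or from Cisco IOS). It assumes a single inside global address and an injectable clock; it also goes slightly beyond the text by picking a different global port when two inside hosts happen to use the same source port, which is stated as an assumption in the code.

```python
import time


class PatTable:
    """Constructed simulation of an IOS-style PAT (overload) translation table."""

    def __init__(self, inside_global_ip, timeout=60.0, clock=time.monotonic):
        self.global_ip = inside_global_ip  # one address reused for every session
        self.timeout = timeout             # idle seconds before an entry is removed
        self.clock = clock                 # injectable clock for testing (assumption)
        self.entries = {}                  # (proto, global_port) -> mapping

    def _expire(self):
        now = self.clock()
        stale = [k for k, e in self.entries.items() if now - e["last"] > self.timeout]
        for k in stale:
            del self.entries[k]

    def outbound(self, proto, local_ip, local_port, outside_ip, outside_port):
        """Inside host sends a packet; return the (inside global IP, port) to use as source."""
        self._expire()
        session = (local_ip, local_port, outside_ip, outside_port)
        for (p, gport), e in self.entries.items():
            if p == proto and e["session"] == session:  # existing session: reuse and refresh
                e["last"] = self.clock()
                return self.global_ip, gport
        gport = local_port                 # keep the host's own port number when it is free...
        while (proto, gport) in self.entries:
            gport = gport + 1 if gport < 65535 else 1024  # ...otherwise pick another (assumption)
        self.entries[(proto, gport)] = {"session": session, "last": self.clock()}
        return self.global_ip, gport

    def inbound(self, proto, dst_port):
        """Packet from the outside arrives for global port dst_port; return (inside local IP, port)."""
        self._expire()
        e = self.entries.get((proto, dst_port))
        if e is None:
            return None                    # no translation: the router has nowhere to deliver it
        e["last"] = self.clock()           # each access resets the idle timer
        local_ip, local_port, _, _ = e["session"]
        return local_ip, local_port

    def show(self):
        """Rows in the layout of 'show ip nat translation'."""
        rows = ["Pro Inside global Inside local Outside local Outside global"]
        for (proto, gport), e in self.entries.items():
            lip, lport, oip, oport = e["session"]
            rows.append(f"{proto} {self.global_ip}:{gport} {lip}:{lport} {oip}:{oport} {oip}:{oport}")
        return rows
```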