Organizations face two related challenges. First, the depletion of
registered IP addresses means that obtaining blocks of “real” (globally routable)
addresses larger than a class C is virtually impossible. Second, trying to scale a
large organization on a hodge-podge of class C blocks reduces routing efficiency,
because each block must be advertised separately. The private address pools defined
in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) provide the only logical
solution, but these addresses are not routable on the public Internet.
Network Address Translation (NAT) is a mechanism that translates
private addresses to real addresses so the traffic can travel across the Internet.
NAT allows an organization with unregistered “private” addresses to connect to the
Internet by translating those addresses into globally registered IP addresses as
packets leave the network. Return traffic is translated back to the private address
for delivery within the inside network.
NAT can save an organization the hassle of readdressing its
network when it changes ISPs. The real addresses leased from the original ISP
can continue to be used internally, but must be translated at the perimeter to
addresses that summarize into the new ISP's address space. This can be a real
sanity saver when an ISP fails without notice to its clients.
NAT can also provide a limited level of network privacy by hiding
internal IP addresses from external networks. External hosts see only the
assigned “real” address and respond to that address; the IP header alone tells
them nothing about the inside addressing plan.
Note: Some applications, such as some e-mail programs, capture the internal
address and write it into the data portion of the IP packet. NAT rewrites only
the IP header, so under these circumstances the internal address can still be
seen by the outside world. Programs like McAfee SpamKiller display the entire
path back to the source, including the internal local addresses.
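The translation described above, and the payload leak the note warns about, as an added example (this is illustrative code written for this page, not Cisco IOS and not from the book): a one-to-one NAT model rewrites the source of outbound packets and the destination of return traffic, drops packets with no translation, and a separate check shows that an RFC 1918 address an application wrote into the payload passes through untouched. The addresses (10.1.1.5, 203.0.113.10, 198.51.100.25) and the e-mail header line are constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 private pools: not routable on the public Internet.
RFC1918_POOLS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 pools (False for unparsable text)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in pool for pool in RFC1918_POOLS)


@dataclass
class Packet:
    src: str
    dst: str
    payload: str = ""


class StaticNat:
    """Minimal one-to-one NAT model: each inside-local (private) address maps to
    one inside-global (registered) address, as a static translation on a
    perimeter router would."""

    def __init__(self, mappings: Dict[str, str]):
        for local, glob in mappings.items():
            if not is_private(local) or is_private(glob):
                raise ValueError(f"bad mapping {local} -> {glob}")
        self.local_to_global = dict(mappings)
        self.global_to_local = {g: l for l, g in mappings.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the private source to its registered address.
        A packet from an unmapped private source is dropped (None); it must not
        leave with an RFC 1918 source address."""
        glob = self.local_to_global.get(pkt.src)
        if glob is None:
            return None
        return Packet(glob, pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the registered destination back to the
        private address; a packet for an address with no translation is dropped."""
        local = self.global_to_local.get(pkt.dst)
        if local is None:
            return None
        return Packet(pkt.src, local, pkt.payload)


DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def leaked_private_addresses(payload: str) -> List[str]:
    """NAT rewrites only the IP header; report RFC 1918 addresses that an
    application wrote into the payload, since those leave untranslated."""
    return [tok for tok in DOTTED_QUAD.findall(payload) if is_private(tok)]


# Constructed sample data (hypothetical): an inside host, its translated address,
# an outside mail server, and a header line in which the mail software recorded
# the inside address.
INSIDE_LOCAL = "10.1.1.5"
INSIDE_GLOBAL = "203.0.113.10"  # documentation range, standing in for a leased address
OUTSIDE_HOST = "198.51.100.25"
SAMPLE_HEADER = "Received: from mailhost.corp.example (10.1.1.5) by smtp.corp.example"


def demo() -> dict:
    nat = StaticNat({INSIDE_LOCAL: INSIDE_GLOBAL})
    out = nat.outbound(Packet(INSIDE_LOCAL, OUTSIDE_HOST, SAMPLE_HEADER))
    reply = nat.inbound(Packet(OUTSIDE_HOST, INSIDE_GLOBAL, "250 OK"))
    stray = nat.outbound(Packet("192.168.7.7", OUTSIDE_HOST))  # no translation configured
    return {
        "outbound_src": out.src,          # header now carries 203.0.113.10
        "reply_dst": reply.dst,           # reply delivered back to 10.1.1.5
        "unmapped_dropped": stray is None,
        "leaked": leaked_private_addresses(out.payload),  # 10.1.1.5 still in the payload
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the last field is that the header was translated and the payload was not: anything that inspects application data downstream (a mail relay, a spam filter, a web application logging X-Forwarded-For) sees the inside address exactly as the note describes.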
This chapter covers Cisco IOS NAT and how to configure it,
typically on a perimeter router. You must understand NAT technology and concepts
because they are revisited in the Firewall chapters (6–8 and 17–20) and the IPSec
chapters (9–16 and 21), and NAT can appear on any of the exams. In some form, NAT is
available on personal routers (cable and DSL connections), firewall appliances such
as the Cisco PIX, and proxy servers acting as firewalls. This section covers
basic NAT operations and the following NAT implementations: