When NAT is used.

Discuss the CCNA exam here.

Postby Petrucciowns » Wed Jul 28, 2010 12:34 am

So guys,

I'm posting this under CCNA because it is a CCNA topic. Is NAT only used for DSL and cable connections where the outside interface is a public IP? I mean, in the case of Frame Relay, private lines, and ATM, public IPs are usually used throughout the network, including the serial interface subinterfaces. This is because these technologies emulate point-to-point connectivity between remote sites.

I have access to many different companies' networks, and I've been checking out configurations from home via my work's VPN, and I've noticed that NAT is absent on many configs.

Also, another question. What happens when a private IP requests public information? Does the Frame Relay or ATM switch somehow perform NAT and send it towards the correct destination, or what?


Thanks
CCNA A+ CCNP BSCI (In progress-SWITCH) AA Electronics and Computer Technology
Lab:
COX cable Modem | 3640A | 3550 | Aironet 350| 2x 2600 series | 1x 2500 series | 3x 2950's Extended IOS|

Re: When NAT is used.

Postby spaldo1973 » Wed Jul 28, 2010 10:57 am

Well Petrucci you're in luck!

I deal with this on a daily basis. I'm using over 20 diff. ISPs, including Insight btw, for over 350 VPN connections. Of course, they're all different.

NAT isn't based on the IP, it's based on the device that communicates w/ the ISP. Some will have modem/routers. Even though there is a public IP addy, the router part of the device NATs all traffic to the private side. Those setups are a pain in the a$$.

Others will use a bridge or a modem that you have to bridge. This is where you have to put the public addy on the WAN interface of your router. Your router does all the NAT stuff.

HTH,

Aaron

Re: When NAT is used.

Postby Petrucciowns » Wed Jul 28, 2010 5:59 pm

Spaldo,

Thanks for the response. I had a hard time following what you were saying. So in the case of a spoke with no NAT configured on the device, and public IPs on the spoke's outside interfaces, where is NAT done? Is it done on the ISP's side or what?

Thanks,

Daniel

Re: When NAT is used.

Postby tech_airman » Thu Jul 29, 2010 4:28 am

Petrucciowns,

Petrucciowns wrote:So guys,

I'm posting this under CCNA because it is a CCNA topic. Is NAT only used for DSL and cable connections where the outside interface is a public IP? I mean, in the case of Frame Relay, private lines, and ATM, public IPs are usually used throughout the network, including the serial interface subinterfaces. This is because these technologies emulate point-to-point connectivity between remote sites.


That type of NAT would be the NAT Overload situation, where a single unknown IP address (unknown because it's assigned by the ISP to the router/switch interface through DHCP) is linked to a whole network behind it.

Petrucciowns wrote:I have access to many different companies' networks, and I've been checking out configurations from home via my work's VPN, and I've noticed that NAT is absent on many configs.

Also, another question. What happens when a private IP requests public information? Does the Frame Relay or ATM switch somehow perform NAT and send it towards the correct destination, or what?


Thanks


The way NAT works is to create NAT mappings of inside IP address and port with outside IP address and port. Let's say we've got the following network...

[PC]----[Switch]----[Router]---z----[ISP Router]

So the network to the left of the Router is considered the "NAT inside" side and the network to the right of the Router is considered the "NAT outside" side. Now, let's say you launch your favorite web browser on the PC. Let's say the PC has the IP address of 192.168.0.3. Let's say the web browser is trying to reach http://www.networkingboards.com . Let's say a DNS resolution has occurred to determine the destination IP address. So now we've got two pieces of the IP packet, which are: 1) source IP address 2) destination IP address. In this case, the source IP address is 192.168.0.3 and the destination IP address is the IP address for http://www.networkingboards.com . So that packet is sent off from the PC to the Router. Now, once the packet reaches the Router that does the NAT translation of the packet, what NAT does is to SUBSTITUTE the source IP address of 192.168.0.3 with the public IP address assigned to the Router interface on the right side by the ISP. Now, the way the NAT router keeps track of which traffic is for which internal network host is to keep a NAT mapping of the actual source IP address and TCP/UDP port and the substituted source IP address and TCP/UDP port. In this case, this is outgoing web traffic, so it will be a TCP port. So here's the packet transformed...

[PC] -> [Source IP Address: 192.168.0.3, Destination IP address: xxx.xxx.xxx.xxx] -> [Router]

[Router]
[Source IP address: 192.168.0.3, Destination IP address: xxx.xxx.xxx.xxx]
|
v
[Source IP address: [public IP address of Router], Destination IP address: xxx.xxx.xxx.xxx]

As mentioned previously, NAT uses both IP address and TCP/UDP port number pairs to keep track of the traffic flows, so let's add that factor in..

[Source IP address: [public IP address of Router]:5555, Destination IP address: xxx.xxx.xxx.xxx:80]

So when the Router receives the web reply from the remote web server, the Router will recognize that the destination address for the reply packet is [Source IP address: xxx.xxx.xxx.xxx:80, Destination IP address: [public IP address of Router]:5555] which then the NAT router substitutes the [public IP address of Router]:5555 for [Destination IP address: 192.168.0.3:80] . Then that packet is routed to the PC and the webpage starts loading in the web browser window.

Now, when do you use the three types of NAT which are: 1) Static NAT 2) Dynamic NAT 3) NAT Overload (aka PAT).

Static NAT might be used when routing from the public interface to the DMZ leading to specific web servers by some web hosting company. Let's say the web hosting company has the fictional Class C IP address block of 192.168.3.0/24. That means the web hosting company has 254 valid public IP addresses that can lead to 254 web servers inside the DMZ. So let's say the "public" IP address of 192.168.3.1 leads to the first web server with the internal IP address of 10.0.0.1/24. So you'd set up a static NAT translation from 192.168.3.1 <-> 10.0.0.1.

A dynamic NAT situation might be where you have a bunch of clients connecting into another network on the other side of the nearest networking device (e.g. a switch). Since it doesn't really matter which client requested outbound traffic first, the dynamic NAT mappings will keep track of which client requested what outbound traffic. For example, you've got like 10 client computers but only 3 are currently on.

The NAT Overload or "PAT" case is when you've only got one single public IP address to work with and a whole bunch of clients behind that Router with that single public IP address. An example would be a home network.

Does my reply help?
MCSE, MCP+I, MCP, A+, CCNA

Re: When NAT is used.

Postby darenmatthews » Thu Jul 29, 2010 4:59 am

Petru,

Here's a nice explanation from Cisco which reinforces what tech said:
http://www.cisco.com/en/US/tech/tk648/t ... 4831.shtml

Also, you mentioned point-to-point leased lines. The old "traditional" managed WAN solution. If your company has a privately addressed internal network and you rent leased lines between two locations, the ISP will most likely use one of their public address ranges on the interface to their network. If they didn't do this they might overlap with a private IP block on your network or another network on the managed WAN. In other words, they will have their managed WAN numbered with public addresses.

Now is NAT used? Not necessarily. You are routing across a managed WAN, not out to the internet. It's only where you break out to the internet, wherever that may be, that NAT is required, because private addresses are not routed out onto the internet.

The newer method of managed WANs is MPLS, where you'll connect to the CE router and set up a tunnel (MPLS VPN) to your remote office(s). In this case the connection is "transparent" to the managed WAN (now using label switching rather than routing) and so private addresses may be used. No NAT would be required.

Nat's enough for now.
- Daren

Re: When NAT is used.

Postby spaldo1973 » Thu Jul 29, 2010 12:00 pm

I love how you guys over complicate an issue. :D

This right here is the very reason it's so hard for an old guy like me to learn new technologies. I'm a simple guy. I try to boil it down to the least common denominator. I was assuming since Daniel already has his CCNA that he doesn't need a refresher as to what NAT is and does.

Maybe I underanalyzed the question at hand. I took this as a simple question of what device does the NATting on a subscriber's connection. Clearly, there has to be an intermediary device that translates private addresses into public ones.

There's a little concept, again covered in the CCNA curriculum, that's called a demarc. It is the demarcation point at which the ISP is no longer responsible for the connection. At that point, the end user is responsible for the connection and traffic.

I am going to make another assumption here. It sounds like Daniel is looking at configs of equipment at his workplace. Unless he has special permission, which I highly doubt, the only thing he's going to be able to see is obviously his company's gear and the gear that is directly communicating with said gear. Therefore, even in an ATM or Frame Relay situation, he's only going to see public addresses b/c the customer device has to communicate with the ISP. In this case, all the NATting is done on the private side, which he isn't going to be privy to.

There aren't enough public IP addresses available for there not to be NAT going on somewhere, even if it's not visible to you from the ISP side.

Re: When NAT is used.

Postby Petrucciowns » Thu Jul 29, 2010 5:28 pm

darenmatthews wrote:Petru,

Here's a nice explanation from Cisco which reinforces what tech said:
http://www.cisco.com/en/US/tech/tk648/t ... 4831.shtml

Also, you mentioned point-to-point leased lines. The old "traditional" managed WAN solution. If your company has a privately addressed internal network and you rent leased lines between two locations, the ISP will most likely use one of their public address ranges on the interface to their network. If they didn't do this they might overlap with a private IP block on your network or another network on the managed WAN. In other words, they will have their managed WAN numbered with public addresses.

- Daren


I think spaldo misunderstood my question. I completely understand how NAT works, and is implemented.

darenmatthews wrote:
Now is NAT used? Not necessarily. You are routing across a managed WAN, not out to the internet. It's only where you break out to the internet, wherever that may be, that NAT is required, because private addresses are not routed out onto the internet.

- Daren

Bingo, this is what I was looking for. What happens if a packet is destined to leave the managed WAN, but NAT is not configured on the remote router, like in the cases I mentioned initially? Where is the address translated, on the ISP's router? I've seen cases where NAT is not used on the remote end, but public addresses are still usable. How is this possible?

I haven't checked to see if this is the case, but is it possible that traffic from all the remote ends, for public destination are sent to the core, and then translated at the core so only one NAT configuration is necessary? I'll have a specific client in mind, so I'll check to see if this theory is valid.

Re: When NAT is used.

Postby Petrucciowns » Thu Jul 29, 2010 5:37 pm

spaldo1973 wrote:I love how you guys over complicate an issue. :D

This right here is the very reason it's so hard for an old guy like me to learn new technologies. I'm a simple guy. I try to boil it down to the least common denominator. I was assuming since Daniel already has his CCNA that he doesn't need a refresher as to what NAT is and does.

Maybe I underanalyzed the question at hand. I took this as a simple question of what device does the NATting on a subscriber's connection. Clearly, there has to be an intermediary device that translates private addresses into public ones.

There's a little concept, again covered in the CCNA curriculum, that's called a demarc. It is the demarcation point at which the ISP is no longer responsible for the connection. At that point, the end user is responsible for the connection and traffic.

I am going to make another assumption here. It sounds like Daniel is looking at configs of equipment at his workplace. Unless he has special permission, which I highly doubt, the only thing he's going to be able to see is obviously his company's gear and the gear that is directly communicating with said gear. Therefore, even in an ATM or Frame Relay situation, he's only going to see public addresses b/c the customer device has to communicate with the ISP. In this case, all the NATting is done on the private side, which he isn't going to be privy to.

There aren't enough public IP addresses available for there not to be NAT going on somewhere, even if it's not visible to you from the ISP side.



That's where you are wrong Spaldo,

I'm not talking about my company's network. I'm talking about our clients' networks. I have direct access to over 100 different companies' networks. All remote devices, and cores. So yes, I can see all ends of a connection. I can very easily access a company's core, enter config mode, and shut down the serial interface used for its Frame Relay PVCs to all remote sites. You did underanalyze my question, because I wasn't asking how NAT works. I was asking, in the above situations where a remote end has no public IP assigned on it anywhere, where is NAT done? With a DSL or cable connection a public IP is assigned to the interface attached to the modem, and therefore NAT is done on the remote router. What about the case of Frame Relay or other point-to-point topologies where public IPs are not needed or used on outside interfaces? Is NAT performed on the core router, where information destined for the internet is relayed to the core first before being translated?

Also, with your statement on the demarc, that is not always true. There is something called an extended demarc, where the carrier not only manages the last mile, but from the smart jack to the CPE, and at times has access to the router and its configurations.

Re: When NAT is used.

Postby tech_airman » Fri Jul 30, 2010 3:31 am

Petrucciowns,

Petrucciowns wrote:
darenmatthews wrote:
Now is NAT used? Not necessarily. You are routing across a managed WAN, not out to the internet. It's only where you break out to the internet, wherever that may be, that NAT is required, because private addresses are not routed out onto the internet.

- Daren

Bingo, this is what I was looking for. What happens if a packet is destined to leave the managed WAN, but NAT is not configured on the remote router, like in the cases I mentioned initially?


When you mention "managed WAN", what are you talking about? WAN that you manage? WAN that is managed by someone else?

Petrucciowns wrote:Where is the address translated, on the ISP's router?


The address is translated by the first NAT router the outbound packet encounters. It may be a LAN router, the LAN/WAN router, the router on the other side of the WAN, the router on the border between the Enterprise and the ISP, or anywhere in between where the router has NAT configured.

Let's take the basic home network...

[PC]---[Router]----z----[ISP router]

In this case, NAT would probably be occurring at the Router.

Let's take a two site network...

[PC]---[Router1]----z-----[Router2]---[PC]

----z---- = WAN link

For this network, the IP addressing may remain private.

Now let's take a branch, headquarters, and ISP network...

[BranchPC]----[BranchRouter]----z-----[HQCoreRouter]--[HQInternetRouter]----z-----[ISP Router]---z-----

In this case, the NAT would probably occur at the HQInternetRouter. So the whole network from the BranchPC through to the internal interface of the HQInternetRouter can use private IP addressing. The external interface of the HQInternetRouter must have at least one public IP address, so NAT might be used to translate the private IP address to the public IP address to be routed out into the Internet.

Petrucciowns wrote:I've seen cases where NAT is not used on the remote end, but public addresses are still usable. How is this possible?


This is possible because maybe that company/Enterprise owns that public IP address being used on the local and remote end of the link/network.

Petrucciowns wrote:I haven't checked to see if this is the case, but is it possible that traffic from all the remote ends, for public destination are sent to the core, and then translated at the core so only one NAT configuration is necessary? I'll have a specific client in mind, so I'll check to see if this theory is valid.


I think you're possibly getting confused between the difference of private IP addressing and public IP addressing for planning/addressing purposes and destination and source IP addressing for packets. What NAT does is substitute the source IP address from the internal private IP address with a public IP address for outbound IP packets (that is, going from NAT inside to NAT outside) and substitute the destination IP address from the public IP address to the internal private IP address for inbound IP packets (that is, going from NAT outside to NAT inside).

Does this help?

Re: When NAT is used.

Postby darenmatthews » Fri Jul 30, 2010 3:55 am

Blimey! This is getting a bit contentious.

What is a Managed WAN? http://www.google.co.uk/search?hl=en&sa ... =&gs_rfai=

But things are changing. Private MPLS VPN, Managed Services and more recently, Cloud Computing. All of these are shaping the future of the "WAN".

Seriously, NATs enough!

Re: When NAT is used.

Postby spaldo1973 » Fri Jul 30, 2010 3:03 pm

So when you say "core" are you saying the border router or an internal router beyond what is directly connected to your network?

I am well aware of ISPs helping manage border routers. My local municipality does this for their fiber customers. I am aware that you may be able to look at the router on the edge of their network. Can you go beyond that? If you have access from the CO all the way to a customer's desktop then say so.

I go back to my original point, which tech reinforced: there has to be NATting going on somewhere whether you can see it or not. As I mentioned in my second post, I know that you know what NAT is.

The only way I underanalyzed your question was in the fact that I didn't realize you had access to any of your customers' equipment.

The bottom line is that an office w/ more than a handful of devices is going to use NAT. There simply aren't enough public addresses going around for an entire office building's worth of computers to all have a public address. Simple logic would tell you this.

Re: When NAT is used.

Postby Petrucciowns » Fri Jul 30, 2010 6:19 pm

Ok, let's simplify my question. The only thing I want to know is... is it possible for all of a company's remote sites to be NATed through one HQ or core router? I know the theory of NAT, the difference between public and private addresses, how to configure NAT, etc. Hell, I configured NAT on my 3640 for my internet connection at home, but I'm only familiar with NAT that is performed on the edge router of the site itself, and not by another router at a different location such as the HQ router in a different state, country, etc.

Re: When NAT is used.

Postby jjamesge » Sat Jul 31, 2010 12:38 am

Petrucciowns wrote:Ok, let's simplify my question. The only thing I want to know is... is it possible for all of a company's remote sites to be NATed through one HQ or core router? I know the theory of NAT, the difference between public and private addresses, how to configure NAT, etc. Hell, I configured NAT on my 3640 for my internet connection at home, but I'm only familiar with NAT that is performed on the edge router of the site itself, and not by another router at a different location such as the HQ router in a different state, country, etc.



Basically you're wanting to be able to VPN into your company's network, then have a proxy server at your company hide your initial public IP address and thus use your company's IP address. Also known as an anonymous proxy.

http://en.wikipedia.org/wiki/Anonymous_proxy
A+ (IT focus), Network+, Security+
----------next stop: CCNA----------

Re: When NAT is used.

Postby Petrucciowns » Sat Jul 31, 2010 12:57 am

Actually JJ, that's not what I'm asking at all. I already have VPN access to my work's network, and other companies' networks through their VPN concentrators. My question has nothing to do with VPN. Obviously I'm not communicating my thoughts into words as well as I should be. Daren and tech are the only ones that have come close to what I'm actually asking. Tech was coming close to my question at this point:

[BranchPC]----[BranchRouter]----z-----[HQCoreRouter]--[HQInternetRouter]----z-----[ISP Router]---z-----

In this case, the NAT would probably occur at the HQInternetRouter. So the whole network from the BranchPC through to the internal interface of the HQInternetRouter can use private IP addressing. The external interface of the HQInternetRouter must have at least a public IP address so, NAT might be used to translate the private IP address to the public IP address to be routed out into the Internet.




but I'm thinking more in terms of:
[Remote sites 1-40 (NO NAT configured)]----Frame Relay Switch-----[HQCoreRouter] (40 different subinterfaces with 40 different DLCIs)


I'm asking if it's possible to have all 40 remote sites have NAT performed only on the HQ core router? So publicly destined traffic would be forwarded to the core, translated, and sent out of the core to the internet. I don't understand why my question is so hard to understand. This is what both me and Daren meant by managed WAN. All 40 sites and the Core can share private traffic between each other using private addresses.

Re: When NAT is used.

Postby tech_airman » Sat Jul 31, 2010 3:53 am

Petrucciowns,

Petrucciowns wrote:Actually JJ, that's not what I'm asking at all. I already have VPN access to my work's network, and other companies' networks through their VPN concentrators. My question has nothing to do with VPN. Obviously I'm not communicating my thoughts into words as well as I should be. Daren and tech are the only ones that have come close to what I'm actually asking. Tech was coming close to my question at this point:

[BranchPC]----[BranchRouter]----z-----[HQCoreRouter]--[HQInternetRouter]----z-----[ISP Router]---z-----

In this case, the NAT would probably occur at the HQInternetRouter. So the whole network from the BranchPC through to the internal interface of the HQInternetRouter can use private IP addressing. The external interface of the HQInternetRouter must have at least a public IP address so, NAT might be used to translate the private IP address to the public IP address to be routed out into the Internet.




but I'm thinking more in terms of:
[Remote sites 1-40 (NO NAT configured)]----Frame Relay Switch-----[HQCoreRouter] (40 different subinterfaces with 40 different DLCIs)


I'm asking if it's possible to have all 40 remote sites have NAT performed only on the HQ core router?


Does each of the 40 remote sites have unique private IP sub/network addresses relative to each other?

Petrucciowns wrote: So publicly destined traffic would be forwarded to the core, translated, and sent out of the core to the internet. I don't understand why my question is so hard to understand. This is what both me and Daren meant by managed WAN. All 40 sites and the Core can share private traffic between each other using private addresses.
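The hub-site NAT the last few posts ask about (one HQ core router translating for every branch behind its Frame Relay subinterfaces), together with the inside/outside substitution and port-pair mapping tech_airman described earlier, as an added Python model that is not code from the thread. The interface names, branch subnets and addresses are constructed; it also shows why tech_airman asked whether the 40 sites use unique subnets, since overlapping branch subnets leave the router no way to pick the return interface for a restored reply.

```python
# Hub-site PAT model (added example, not code from the thread). Interface
# names, the 10.x.0.0/24 branch subnets and the 192.0.2.x / 198.51.100.x /
# 203.0.113.x addresses (documentation ranges) are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PUBLIC_IP = "192.0.2.1"  # assumed public address on the HQ outside interface


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class HubPatRouter:
    # NAT inside interface (one Frame Relay subinterface per DLCI) -> branch subnet
    inside_routes: dict
    public_ip: str = PUBLIC_IP
    outbound: dict = field(default_factory=dict)  # (ip, port, proto) -> public port
    inbound: dict = field(default_factory=dict)   # (public port, proto) -> (ip, port, ifname)
    next_port: int = 1024

    def __post_init__(self):
        # Overlapping branch subnets break the return path: a restored reply
        # is routed by destination address, which would match two interfaces.
        nets = [ip_network(n) for n in self.inside_routes.values()]
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"overlapping inside subnets {a} and {b}")

    def inside_interface(self, ip: str) -> str:
        for ifname, net in self.inside_routes.items():
            if ip_address(ip) in ip_network(net):
                return ifname
        raise LookupError(f"no inside route for {ip}")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: substitute source ip:port with public ip:port."""
        ifname = self.inside_interface(pkt.src_ip)
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:  # new flow: allocate a translated port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port, ifname)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet):
        """Outside -> inside: restore destination; returns (packet, egress
        interface), or None when no mapping exists (unsolicited traffic)."""
        entry = None
        if pkt.dst_ip == self.public_ip:
            entry = self.inbound.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None
        inside_ip, inside_port, ifname = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto), ifname


def demo():
    """Two branches, same host number and source port, one public address."""
    hq = HubPatRouter({"Serial0/0.1": "10.1.0.0/24", "Serial0/0.2": "10.2.0.0/24"})
    out1 = hq.translate_outbound(Packet("10.1.0.3", 40000, "198.51.100.7", 80))
    out2 = hq.translate_outbound(Packet("10.2.0.3", 40000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, out2.src_port)  # web server's answer
    restored = hq.translate_inbound(reply)
    dropped = hq.translate_inbound(Packet("203.0.113.9", 4444, PUBLIC_IP, 22))
    return out1, out2, restored, dropped
```

Only the HQ router carries a translation table; the branches route internet-bound traffic to it unchanged, and a reply that matches no mapping is dropped rather than forwarded inside.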
