IP address depletion is a big problem
facing the public network. To maximize the use of your registered IP
addresses, Cisco IOS® Release 11.2 software and subsequent releases
offer NAT (Network Address Translation) functionality. This feature, which is described in RFC 1631 (The IP
Network Address Translator), is a solution that provides a way to
use the same IP addresses in multiple internal subnetworks, thereby
reducing the need for registered IP addresses.
The NAT functionality allows
privately addressed networks to connect to public networks such as
the Internet. The privately addressed "inside" network
sends a packet through the NAT router; the addresses are converted
to legal, registered IP addresses, enabling the packets to be passed
to the public networks, such as the Internet. These features were
formerly available only through pass-through firewall gateways. This
functionality is now found on routers as well.
NAT terminology is defined in Table and is represented in Figure.
NAT technology enables private IP internetworks that use nonregistered IP addresses to connect to the public network, as shown in Figure. A NAT router is placed on the border of a stub domain (inside network) and a public network (outside network), and translates the internal local addresses into globally unique IP addresses before sending packets to the outside network. NAT takes advantage of the fact that relatively few hosts in a stub domain communicate outside of the domain at any given time. Therefore, only a subset of the IP addresses in a stub domain must be translated into globally unique IP addresses for outside communication.
If your internal addresses must
change because you changed service providers or because two
intranets merged (two companies merged, for example), NAT can be
used to translate the appropriate addresses. NAT enables you to
change the addresses incrementally, without making changes to hosts or
routers except for those bordering stub domains, eliminating
duplicate address ranges without readdressing host computers.
The translation performed by using
NAT can be either static or dynamic. Static translation
occurs when you specifically configure addresses in a lookup table.
A specific inside local address maps to a prespecified outside
global address.
The inside and outside addresses are statically mapped one for one.
Dynamic translation occurs when you configure the
NAT border router with (1) specific inside addresses to be
translated and (2) an address pool to be used for the outside
addresses. There can be
multiple pools of outside addresses.
Multiple internal hosts can
also share a single outside IP address, thus conserving address
space. Address sharing is accomplished by port multiplexing, or
changing the source port on the outbound packet so that replies can
be directed back to the appropriate router.
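As an added illustration that is not part of the Cisco documentation, the following Python model of a NAT border router's translation table shows the three translation types described above: a static one-for-one map, dynamic allocation from an address pool, and port multiplexing of many inside hosts onto one shared outside address. All addresses and ports are constructed sample values; the model omits entry timeouts and the access list that decides which inside addresses are eligible for translation.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy NAT border router: static maps, one dynamic pool, and PAT overload.
    Addresses are constructed sample values; entries never time out here."""

    def __init__(self, static=None, pool=None, overload_addr=None):
        self.static = dict(static or {})      # inside local -> inside global
        self.pool = list(pool or [])          # free inside global addresses
        self.overload_addr = overload_addr    # one address shared by port
        self.dynamic = {}                     # inside local -> pool address
        self.pat = {}                         # (global, port) -> (local, port)
        self._ports = count(1024)             # next free translated port

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source, creating table entries."""
        if pkt.src in self.static:            # static: fixed one-for-one map
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if pkt.src not in self.dynamic and self.pool:
            self.dynamic[pkt.src] = self.pool.pop(0)   # dynamic: take a pool address
        if pkt.src in self.dynamic:
            return Packet(self.dynamic[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if self.overload_addr is None:
            raise RuntimeError("pool exhausted and no overload address")
        gport = next(self._ports)             # PAT: share one address, unique port
        self.pat[(self.overload_addr, gport)] = (pkt.src, pkt.sport)
        return Packet(self.overload_addr, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: reverse the mapping; None means no entry (dropped)."""
        if (pkt.dst, pkt.dport) in self.pat:
            local, lport = self.pat[(pkt.dst, pkt.dport)]
            return Packet(pkt.src, pkt.sport, local, lport)
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == pkt.dst:
                return Packet(pkt.src, pkt.sport, local, pkt.dport)
        return None
```

Note that an inbound packet for the shared address whose port has no table entry is dropped, which is why unsolicited connections cannot reach hosts behind port multiplexing without a static mapping.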
For load sharing, you can map outside
IP addresses to inside IP addresses by using the Transmission
Control Protocol (TCP) load-distribution feature. Load distribution
can also be accomplished by using NAT where one external address
maps to several inside addresses. In this case, new incoming
connections are distributed across the inside machines in round-robin
fashion. Because a connection may carry state information, a given
connection must remain on one server.
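The following Python model, added here and not taken from the Cisco documentation, shows the round-robin behaviour just described: one outside-visible address fronts several inside servers, each new TCP connection is sent to the next server in turn, and packets of an existing connection keep going to the server that holds its state. Addresses and ports are constructed sample values.

```python
from itertools import cycle


class TcpLoadDistributor:
    """Toy model of NAT TCP load distribution: one outside-visible address
    fronts several inside servers. Addresses are constructed sample values."""

    def __init__(self, virtual_addr, real_hosts):
        self.virtual_addr = virtual_addr
        self._rotary = cycle(real_hosts)      # round-robin over inside hosts
        self.sessions = {}                    # (client, client_port) -> server

    def translate(self, client, client_port, dst):
        """Return the inside host a packet should go to, creating a session
        for a new connection and keeping an existing one on its server."""
        if dst != self.virtual_addr:
            return dst                        # not a load-shared destination
        key = (client, client_port)
        if key not in self.sessions:          # new connection: next server in turn
            self.sessions[key] = next(self._rotary)
        return self.sessions[key]             # existing connection stays put

    def close(self, client, client_port):
        """Drop the session entry when the connection ends (FIN/RST seen)."""
        self.sessions.pop((client, client_port), None)

    def load(self):
        """Active sessions per inside server, useful for checking the spread."""
        counts = {}
        for server in self.sessions.values():
            counts[server] = counts.get(server, 0) + 1
        return counts
```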
Use NAT if the following is true:
- You need to connect to the
Internet and your hosts do not have globally unique IP
addresses.
- You change over to a new Internet
service provider (ISP) that requires you to renumber your
network.
- Two intranets with duplicate
addresses merge.
- You want to support basic load
sharing.
Before implementing NAT, you should evaluate the following considerations.
Typical NAT advantages are as follows:
- NAT conserves the legally registered addressing scheme by allowing the privatization of intranets, yet it allows legal addressing scheme pools to be set up to gain access to the Internet.
- NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network and that network is later connected to the public network (which may use the same addressing scheme), the potential for overlap exists globally without address translation.
- NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified because planners have more flexibility when creating an address plan.
- Deprivatization of a network requires the renumbering of the existing network; the costs can be associated with the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and it still supports the new assigned addressing scheme outside the private network.
Typical NAT disadvantages are as follows:
- NAT increases delay. Switching
path delays, of course, are introduced because of the
translation of each IP address within the packet headers.
Performance may be a consideration because NAT is currently
accomplished by using process switching. The CPU must look at
every packet to decide whether it has to translate it, and then
alter the IP header, and possibly the TCP header. It is not
likely that this process will be easily cacheable.
- One significant disadvantage, when
implementing and using NAT, is the loss of end-to-end IP
traceability. It becomes much more difficult to trace packets
that undergo numerous packet address changes over multiple NAT
hops. This scenario does, however, lead to more secure links
because hackers who want to determine the source of a packet
will find it difficult, if not impossible, to trace or obtain
the origination source or destination address.
- NAT also forces some applications
that use IP addressing to stop functioning because it hides
end-to-end IP addresses. Applications that use physical
addresses instead of a qualified domain name will not reach
destinations that are translated across the NAT router.
Sometimes, this problem can be avoided by implementing static
NAT mappings.