11.1 NAT
11.1.1 NAT terminology
IP address depletion is a big problem facing the public network. To maximize the use of your registered IP addresses, Cisco IOS® Release 11.2 software and subsequent releases offer NAT (Network Address Translation) functionality. This feature, which is described in RFC 1631 (The IP Network Address Translator), is a solution that provides a way to use the same IP addresses in multiple internal subnetworks, thereby reducing the need for registered IP addresses.

The NAT functionality allows privately addressed networks to connect to public networks such as the Internet. The privately addressed "inside" network sends a packet through the NAT router; the addresses are converted to legal, registered IP addresses, enabling the packets to be passed to the public networks, such as the Internet. These features were formerly available only through pass-through firewall gateways. This functionality is now found on routers as well. 

NAT terminology is defined in Table and is represented in Figure .

NAT technology enables private IP internetworks that use nonregistered IP addresses to connect to the public network, as shown in Figure . A NAT router is placed on the border of a stub domain (inside network) and a public network (outside network), and translates the internal local addresses into globally unique IP addresses before sending packets to the outside network. NAT takes advantage of the fact that relatively few hosts in a stub domain communicate outside of the domain at any given time. Therefore, only a subset of the IP addresses in a stub domain must be translated into globally unique IP addresses for outside communication.

If your internal addresses must change because you changed service providers or because two intranets merged (two companies merged, for example), NAT can be used to translate the appropriate addresses. NAT enables you to change the addresses incrementally, without making changes to hosts or routers except for those bordering stub domains, eliminating duplicate address ranges without readdressing host computers.

The translation performed by using NAT can be either static or dynamic. Static translation occurs when you specifically configure addresses in a lookup table. A specific inside local address maps to a prespecified outside global address. The inside and outside addresses are statically mapped one for one. Dynamic translation occurs when you configure the NAT border router with (1) specific inside addresses to be translated and (2) an address pool to be used for the outside addresses. There can be multiple pools of outside addresses.

Multiple internal hosts can also share a single outside IP address, thus conserving address space. Address sharing is accomplished by port multiplexing, or changing the source port on the outbound packet so that replies can be directed back to the appropriate router.

For load sharing, you can map outside IP addresses to inside IP addresses by using the Transmission Control Protocol (TCP) load-distribution feature. Load distribution can also be accomplished by using NAT, where one external address maps to several inside addresses. In this case, new incoming connections are distributed round robin across the inside machines. Because a connection may carry state information, a given connection must remain on one server for its lifetime.
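The static, dynamic and port-multiplexing translations described above, together with round-robin distribution of inbound TCP connections, can be seen in a small translation-table model. This is an added illustration written for this page; it is not Cisco IOS code and not part of the original text. The `NatRouter` class, its method names, the port-allocation scheme and the addresses (RFC 1918 inside, RFC 5737 documentation ranges outside) are all constructed for the example.

```python
from itertools import cycle


class NatRouter:
    """Toy NAT translation table (added illustration, not Cisco IOS code)."""

    def __init__(self, static=None, pool=None, overload=False,
                 rotary_vip=None, rotary_servers=None):
        self.static = dict(static or {})      # inside local -> inside global, one for one
        self.pool = list(pool or [])          # inside global addresses available for dynamic use
        self.overload = overload              # True: share one pool address by rewriting source ports
        self.rotary_vip = rotary_vip          # single outside-visible address used for load sharing
        self.rotary = cycle(rotary_servers) if rotary_servers else None
        self.out_table = {}   # (inside local, port) -> (inside global, port)
        self.in_table = {}    # (inside global, port) -> (inside local, port)
        self.conn_table = {}  # (outside client, port) -> inside server chosen for that connection
        self.next_port = 1024  # constructed starting point for multiplexed source ports

    def _next_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src_ip, src_port):
        """Packet leaving the stub domain: rewrite the source address (and, with overload, the port)."""
        key = (src_ip, src_port)
        if key in self.out_table:            # translation already exists, reuse it
            return self.out_table[key]
        if src_ip in self.static:            # static: prespecified one-for-one mapping
            entry = (self.static[src_ip], src_port)
        elif self.overload:                  # port multiplexing: one global address, unique port
            if not self.pool:
                raise RuntimeError("no inside global address configured")
            entry = (self.pool[0], self._next_port())
        else:                                # dynamic: consume one address from the pool
            if not self.pool:
                raise RuntimeError("address pool exhausted")
            entry = (self.pool.pop(0), src_port)
        self.out_table[key] = entry
        self.in_table[entry] = key
        return entry

    def inbound(self, dst_ip, dst_port):
        """Reply from outside: map the global address/port back to the inside host, or None."""
        if (dst_ip, dst_port) in self.in_table:
            return self.in_table[(dst_ip, dst_port)]
        for local, glob in self.static.items():  # static entries work without a prior outbound packet
            if glob == dst_ip:
                return (local, dst_port)
        return None

    def new_connection(self, client_ip, client_port, dst_ip):
        """New inbound TCP connection to the rotary address: round robin, sticky per connection."""
        if self.rotary is None or dst_ip != self.rotary_vip:
            return None
        key = (client_ip, client_port)
        if key not in self.conn_table:       # first packet of the connection picks the server
            self.conn_table[key] = next(self.rotary)
        return self.conn_table[key]          # later packets stay on the same server


def demo():
    """Walk through all modes with constructed addresses; returns the translations made."""
    nat = NatRouter(static={"10.1.1.10": "192.0.2.10"},
                    pool=["192.0.2.20"], overload=True,
                    rotary_vip="192.0.2.30",
                    rotary_servers=["10.1.1.21", "10.1.1.22"])
    results = {
        "static": nat.outbound("10.1.1.10", 5000),
        "pat_first": nat.outbound("10.1.1.11", 5000),
        "pat_second": nat.outbound("10.1.1.12", 5000),   # same global address, new port
        "reply": nat.inbound("192.0.2.20", 1025),
        "conn_a": nat.new_connection("198.51.100.5", 40000, "192.0.2.30"),
        "conn_b": nat.new_connection("198.51.100.6", 40000, "192.0.2.30"),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two inside hosts behind the overloaded address differ only in the rewritten source port, which is exactly why a reply can be returned to the right host and why, from the outside, those hosts are indistinguishable without the translation table.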

Use NAT if the following is true:

  • You need to connect to the Internet and your hosts do not have globally unique IP addresses.
  • You change over to a new Internet service provider (ISP) that requires you to renumber your network.
  • Two intranets with duplicate addresses merge.
  • You want to support basic load sharing.

Before implementing NAT, you should evaluate the following considerations.

Typical NAT advantages are as follows:

  • NAT conserves the legally registered addressing scheme by allowing the privatization of intranets, yet it allows legal addressing scheme pools to be set up to gain access to the Internet.
  • NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network that is later connected to the public network (which may use the same addressing scheme), the potential for overlap exists globally unless the addresses are translated.
  • NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified because planners have more flexibility when creating an address plan.
  • Deprivatization of a network requires the renumbering of the existing network; the costs can be associated with the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and it still supports the new assigned addressing scheme outside the private network.

Typical NAT disadvantages are as follows:

  • NAT increases delay. Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers. Performance may be a consideration because NAT is currently accomplished by using process switching. The CPU must look at every packet to decide whether it has to translate it, and then alter the IP header, and possibly the TCP header. It is not likely that this process will be easily cacheable.
  • One significant disadvantage, when implementing and using NAT, is the loss of end-to-end IP traceability. It becomes much more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops. This scenario does, however, lead to more secure links because hackers who want to determine the source of a packet will find it difficult, if not impossible, to trace or obtain the origination source or destination address.
  • NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings.
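The loss of end-to-end traceability noted in the second disadvantage is partly recoverable on the defender's side if the NAT router records when each translation is created and removed: an observation from outside (global address, port and time) can then be mapped back to the inside host that held that translation. The following is an added example, not part of the original text and not any real device's log format; the log lines and field names are constructed. The time-bounded lookup matters because, with port multiplexing, a global port is reused by a different inside host once the earlier translation is deleted.

```python
from datetime import datetime

# Constructed translation-log lines (a made-up format, not a vendor's syslog output).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z create proto=tcp inside=10.1.1.11:5000 global=192.0.2.20:1024
2024-03-01T10:00:05Z create proto=tcp inside=10.1.1.12:5000 global=192.0.2.20:1025
2024-03-01T10:02:00Z delete proto=tcp inside=10.1.1.11:5000 global=192.0.2.20:1024
2024-03-01T10:03:00Z create proto=tcp inside=10.1.1.13:6000 global=192.0.2.20:1024
"""


def _ts(text):
    """Parse an ISO 8601 timestamp with a trailing Z on any Python 3 version."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text):
    """Yield (timestamp, event, proto, inside socket, global socket) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, *pairs = line.split()
        fields = dict(item.split("=", 1) for item in pairs)
        yield _ts(stamp), event, fields["proto"], fields["inside"], fields["global"]


def build_sessions(text):
    """Pair create/delete events into intervals: (proto, global, inside, start, end or None)."""
    open_translations = {}   # (proto, global socket) -> (inside socket, start)
    sessions = []
    for stamp, event, proto, inside, glob in parse_log(text):
        key = (proto, glob)
        if event == "create":
            open_translations[key] = (inside, stamp)
        elif event == "delete" and key in open_translations:
            inside_, start = open_translations.pop(key)
            sessions.append((proto, glob, inside_, start, stamp))
    for (proto, glob), (inside, start) in open_translations.items():
        sessions.append((proto, glob, inside, start, None))   # still active at end of log
    return sessions


def attribute(text, proto, global_socket, when):
    """Return the inside socket that owned global_socket at time `when`, or None if nobody did."""
    moment = _ts(when)
    for p, glob, inside, start, end in build_sessions(text):
        if p == proto and glob == global_socket and start <= moment and (end is None or moment < end):
            return inside
    return None


if __name__ == "__main__":
    # The same global port is owned by two different inside hosts at different times.
    print(attribute(SAMPLE_LOG, "tcp", "192.0.2.20:1024", "2024-03-01T10:01:00Z"))
    print(attribute(SAMPLE_LOG, "tcp", "192.0.2.20:1024", "2024-03-01T10:04:00Z"))
```

Without the timestamp (or with clocks that are not synchronised between the NAT router and the outside observer) the lookup of port 1024 is ambiguous between the two hosts, which is the practical form the traceability loss takes.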