Network Address Translation (NAT) allows multiple hosts on a private internal network to access the public external network using a small pool of NAT addresses. Only addresses from this pool are visible to the external network. Between the internal and external network, a router is configured to rewrite the source or destination addresses of IP packets passing through it.
Services Routers support four types of NAT processing: source static NAT, source dynamic NAT with Network Address Port Translation (NAPT), source dynamic NAT without NAPT, and destination static NAT.
Source static NAT translates an internal source address to a NAT address from the referenced pool on a one-to-one basis. Source static NAT is easy to implement and is useful when the available pool of addresses is equal to or greater than the number of source addresses to be translated.
In the sample source static NAT scenario shown in Figure 14, the defined prefix 192.168.1.0/24 is mapped one-to-one to the defined source address pool 121.0.1.0/24. Hence the source address 192.168.1.1 always translates to 121.0.1.1, the source address 192.168.1.2 always translates to 121.0.1.2, and so on.
Figure 14: Sample Source Static NAT

Typically, source dynamic NAT implements address translation for source traffic with Network Address Port Translation (NAPT). For each outgoing packet, the source address is replaced by a NAT address from a defined address pool and a port is assigned to it either automatically by the NAT router or from a port pool that you define. A NAT address that is assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. Because all the private hosts might not simultaneously create sessions, they can share a few NAT addresses.
In the sample source dynamic NAT scenario shown in Figure 15, the source address 192.168.1.1 is translated to address 121.0.1.1 from the defined NAT pool, and is assigned port 20001 from the defined port pool. The NAT address 121.0.1.1 is reused for source address 192.168.1.2 with a different port, 20002.
A dynamic NAT pool with NAPT supports address ranges with a maximum of 32 addresses.
Figure 15: Sample Source Dynamic NAT with NAPT

Alternatively, a Services Router supports source dynamic NAT without NAPT. This technique, also known as oversubscribed NAT, allows NAT addresses from the referenced pool to be assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with the equal-sized pool required by source static NAT.
A dynamic NAT pool with no address port translation supports address ranges with a maximum of 65,535 addresses.
Destination static NAT translates the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration.
In the destination static NAT scenario shown in Figure 16, when the NAT router receives a packet with destination address 121.0.1.1, it replaces this destination address with the associated local host address 192.168.1.1. Only the address defined in the destination address pool (121.0.1.1) is visible to the external router and not the local host address (192.168.1.1).
Figure 16: Sample Destination Static NAT

With full-cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. In addition, any external host can send a packet to the internal host by sending it to the mapped external address. Full-cone NAT is useful if you want to allow external hosts from the public network to connect to internal hosts using public IP addresses. However, we recommend that you use this feature along with strict firewall rules that allow only the intended traffic from the public network to reach the customer-edge router.
When the internal host terminates its connection to the external host, new connections initiated from any external host on the public IP network to the internal host are no longer permitted. Existing connections from external to internal hosts are not affected. Full-cone NAT allows connections between external and internal hosts to take place independently of the source or destination port and is application-independent. Full-cone NAT is enabled or disabled by configuration.
The router handles the connection between the external host and the internal host like any other connection. This feature is available for both source static and source dynamic NAT.
Note: Full-cone NAT is not supported for IPv6 or NAPT. For more information, see Configuring Full-Cone NAT.
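The full-cone behavior described above, as a simplified Python model showing why the accompanying firewall rules matter (an added example, not Junos code or configuration). The class and method names, the external host addresses, and the `allowed_sources` allowlist standing in for the recommended firewall rules and evaluated before the NAT lookup are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FullConeNat:
    """Toy model of source static NAT with full-cone enabled (not Junos code)."""
    static_map: dict                       # internal IP -> NAT address
    allowed_sources: Optional[set] = None  # hypothetical firewall allowlist
    outbound: set = field(default_factory=set)  # (internal, external) sessions
    inbound: set = field(default_factory=set)   # (external, internal) sessions

    def open_outbound(self, internal, external):
        """Internal host starts a session; returns the NAT address it appears as."""
        self.outbound.add((internal, external))
        return self.static_map[internal]

    def close_outbound(self, internal, external):
        self.outbound.discard((internal, external))

    def inbound_packet(self, external, nat_addr):
        """Return the internal IP the packet reaches, or None if it is dropped."""
        internal = next((i for i, n in self.static_map.items() if n == nat_addr), None)
        if internal is None:
            return None
        # Assumed ordering: the firewall rule is checked before the NAT lookup.
        if self.allowed_sources is not None and external not in self.allowed_sources:
            return None
        if (external, internal) in self.inbound:
            return internal                  # existing connection is unaffected
        if any(i == internal for i, _ in self.outbound):
            self.inbound.add((external, internal))
            return internal                  # full cone: any external host admitted
        return None                          # no active internal session: refused

def demo(allowed_sources=None):
    """Replay one constructed scenario; only 192.168.1.1/121.0.1.1 come from the page."""
    nat = FullConeNat({"192.168.1.1": "121.0.1.1"}, allowed_sources)
    nat.open_outbound("192.168.1.1", "198.51.100.10")
    results = {"peer": nat.inbound_packet("198.51.100.10", "121.0.1.1"),
               "stranger": nat.inbound_packet("203.0.113.7", "121.0.1.1")}
    nat.close_outbound("192.168.1.1", "198.51.100.10")
    results["stranger_existing"] = nat.inbound_packet("203.0.113.7", "121.0.1.1")
    results["late_stranger"] = nat.inbound_packet("203.0.113.99", "121.0.1.1")
    return results

if __name__ == "__main__":
    print("full-cone only :", demo())
    print("with allowlist :", demo({"198.51.100.10"}))
```

Without the allowlist, an external host the internal host never contacted is admitted while the internal session is open and keeps its connection after that session closes; with the allowlist, only the intended peer gets through.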