Re: Cisco NAT
Notes regarding NAT; Network Address Translation
The goal of NAT is to obfuscate addresses: either the source or the destination address, on either inbound or outbound traffic.
In order for NAT to work, it needs to be told several things.
1. What source address(es) to use
2. What destination address(es) to use
3. What interface is considered the inside of a gateway
4. What interface is considered the outside of a gateway
5. Which of these 'sides' to obfuscate
Some of these items can be inferred, while others must be explicitly provided.
Take for instance a typical situation: one external IP address provided by the ISP, with many hosts on the inside. The most common way this is dealt with is a technology called PAT, an acronym for Port Address Translation. PAT hides the source address of a host or network on the inside of a NAT gateway behind the gateway's single outside address, supplemented with a 'port' number that distinguishes each inside host's traffic. This process is critical to the operation of the internet at this point because of the dearth of addresses available with IPv4, and at the same time it provides a measure of security to private networks, since unsolicited traffic from the outside has no translation entry to match.
While this technology can get in the way of accessing resources on the inside of a private network from the outside, there are well-understood workarounds (a static translation for a chosen port, commonly called port forwarding). As long as the router remembers the actual address on the inside and matches it with the returning traffic's port number, everything is peachy!
It is critical to understand some terminology here. The everyday terms humans tend to use, like inside and outside, can get mixed up, and inbound vs. outbound direction can be subjective, so there are fixed terms that describe certain things unambiguously.
There are 4 terms used to describe which port-address is meant when scripting NAT: Inside-Local, Inside-Global, Outside-Global, and Outside-Local.
For these terms, inside and outside refer to your gateway (inside) and the remote gateway (outside). The terms Local and Global refer to which side of a gateway is meant: the side facing the WAN (the Global internet) or the side facing the LAN (the Local network).
Inside-Local || Inside-Global .... Outside-Global || Outside-Local
(each || stands for a gateway; the dots are the internet between them)
Local and Global have very specific meanings here. The ports facing your local host or network from your gateway, as well as the ports facing the remote host or network from its gateway, are both called 'Local' ports and 'Local' addresses.
The ports that face the internet itself (the WAN) from the two gateways are considered 'Global' ports and 'Global' addresses.
The terms Inside and Outside are much simpler to deal with. They refer to the local gateway (inside) vs. the remote gateway (outside). Anything that deals with 'Inside' aspects of NAT refers to the local host, network, or gateway, while 'Outside' aspects refer to the remote host, network, or gateway.
To be succinct here, take a typical home's router as an example:
Local: Your network is Local to you, in that it is connected to the local (LAN) ports of your gateway router/switch.
On the remote end, those servers are likewise connected to the local (LAN) ports of their own infrastructure.
Global: The Global (WAN) ports of the routers are connected to the internet at large via each of their ISPs.
Inside: Your gear is Inside your home, business, enterprise, etc.
Outside: The destination you are trying to reach is Outside.
Inside-Local is the inside port/address of the source
Inside-Global is the outside port/address of the source
Outside-Global is the outside port/address of the destination
Outside-Local is the inside port/address of the destination
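To make the PAT mechanics and the four terms concrete, here is a small added example (not part of the original post, and not Cisco code): a toy gateway in Python that translates the source side only, the way a home router does. Every name in it (PatGateway, translate_outbound, translate_inbound, add_static) and every address is constructed for this illustration; the addresses come from the RFC 1918 and RFC 5737 documentation ranges. The gateway records Inside-Local, Inside-Global and Outside-Global for each flow; because only the source side is translated here, Outside-Local is the same as Outside-Global. Returning traffic is matched by the port the gateway handed out, an inbound packet with no matching entry is dropped (the security property described above), and a static entry shows the port-forwarding workaround.

```python
"""Toy PAT (Port Address Translation) gateway, constructed for illustration.

Only the source side is translated, as on a typical home router, so the
Outside-Local and Outside-Global addresses coincide. All addresses are
made-up documentation-range values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Translation:
    inside_local: Endpoint    # the real host behind the gateway (LAN side)
    inside_global: Endpoint   # the gateway's WAN address plus the port it allocated
    outside_global: Endpoint  # the remote endpoint as seen on the WAN


class PatGateway:
    """Keeps the translation table that lets many inside hosts share one address."""

    def __init__(self, inside_global_addr: str, first_port: int = 1024) -> None:
        self.inside_global_addr = inside_global_addr
        self.next_port = first_port
        # One entry per (inside_local, outside_global) flow ...
        self.by_flow: Dict[Tuple[Endpoint, Endpoint], Translation] = {}
        # ... indexed a second time by the allocated global port for return traffic.
        self.by_port: Dict[int, Translation] = {}
        # Static entries (port forwards): global port -> inside host.
        self.static: Dict[int, Endpoint] = {}

    def _allocate_port(self) -> int:
        # The port pool is finite; a real gateway recycles ports as flows time out.
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def add_static(self, global_port: int, inside_local: Endpoint) -> None:
        """Port forward: the workaround for reaching an inside host from outside."""
        self.static[global_port] = inside_local

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Inside -> outside. Returns the (src, dst) pair as it appears on the WAN.

        src is the Inside-Local endpoint; the returned source is Inside-Global.
        The same flow always reuses its existing entry, so it keeps its port.
        """
        flow = (src, dst)
        entry = self.by_flow.get(flow)
        if entry is None:
            port = self._allocate_port()
            entry = Translation(src, (self.inside_global_addr, port), dst)
            self.by_flow[flow] = entry
            self.by_port[port] = entry
        return entry.inside_global, dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Outside -> inside. Returns (src, Inside-Local) or None when the packet is dropped.

        Dynamic entries are matched on the allocated port AND the remote endpoint,
        so a stranger reusing a port number does not reach the inside host.
        """
        addr, port = dst
        if addr != self.inside_global_addr:
            return None  # not addressed to this gateway's global address
        entry = self.by_port.get(port)
        if entry is not None and entry.outside_global == src:
            return src, entry.inside_local
        if port in self.static:
            return src, self.static[port]
        return None  # unsolicited: no translation exists, so the packet is dropped


if __name__ == "__main__":
    gw = PatGateway("203.0.113.5")
    print(gw.translate_outbound(("192.168.1.10", 50000), ("198.51.100.7", 443)))
    print(gw.translate_inbound(("198.51.100.7", 443), ("203.0.113.5", 1024)))
    print(gw.translate_inbound(("198.51.100.9", 443), ("203.0.113.5", 1024)))  # dropped
```

Two inside hosts that both use source port 50000 toward the same server get distinct global ports (1024 and 1025 here), which is exactly what lets the gateway tell their return traffic apart; the dropped third case is the unsolicited inbound packet that PAT blocks by default.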
Another post will follow soon that deals with the direction of NAT application: application on inside vs. outside interfaces, and how to deal with multiple interfaces and sub-interfaces.
I am foreseeing at least two more posts on this. The following ones will have Cisco server/switch script, graphic examples of what I tried to convey above in text, and additional ancillary information. NAT is critical to understand fully as it is the predominant technology that allows the internet to continue functioning with its shortage of IPv4 addresses.