NAT and PAT
Network Address Translation
NAT enables a local-area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. Computers making connections from an inside interface to an outside interface get a substitute IP address from a pool of global IP addresses associated with the nat_id. Addresses assigned NAT ID 0 do not have their addresses protected from exposure on outside networks.
Use the nat and global commands to let users on the higher security interface (inside) access a lower security interface (outside).
For the opposite direction, from lower to higher, use the access-list command .
As one enters the nat and global command to let users start connections, One can use the show nat or show global command to list the existing commands. If you make a mistake, remove the old command with the no form of the command, specifying all the options of the first command. This is where a terminal with cut and paste capability is useful. After you use show global, you can cut the old command, enter no and a space on the command line, paste the old line in, and press the Enter key to remove it.
Follow these steps to let users on a higher security level interface start connections:
- Use the show nameif command to view the security level of each interface.
- Make a simple sketch of the network with each interface and its security level
- Add a nat command statement for each higher security level interface from which you want users to start connections to interfaces with lower security levels:
- Let inside users start connections on any lower security interface:
nat (inside) 1 0 0.- Let dmz4 users start connections on any lower security interface:
nat (dmz4) 1 0 0.- Let dmz3 users start connections on any lower security interface:
nat (dmz3) 1 0 0.- Let dmz2 users start connections on any lower security interface:
nat (dmz2) 1 0 0.- Let dmz1 users start connections to the outside:
nat (dmz1) 1 0 0.Instead of specifying "0 0," to let all hosts start connections, you can specify a host or a network address and mask.
For example, to let only host 192.168.2.42 start connections on the dmz2 interface, you could specify the following:
nat (dmz2) 1 192.168.2.42 255.255.255.255The "1" after the interface specifier is the NAT ID. You can use one ID for all interfaces and the firewall sorts out which nat command statement pertains to which global command statement on which interface, or you can specify a unique NAT ID to limit access to specific interface. Remember that the nat command opens access to all lower security level interfaces so that if you want users on the inside to access the perimeter interfaces as well as the outside, then use one NAT ID for all interfaces. If you only want inside users to access the dmz1 interface but not the outside interface, use unique NAT IDs for each interface.
The NAT ID in the nat command has to be the same NAT ID you use for the corresponding global command.
NAT ID 0 means to disable Network Address Translation.
- Add a global command statement for each lower security interface which you want users to have access to; for example, on the outside, dmz1, and dmz2. The global command creates a pool of addresses that translated connections pass through.
PAT
PAT maps a single global IP address to many inside addresses within a local-area network. PAT extends the range of available outside addresses at the site by dynamically assigning unique port numbers to the outside address as a connection is requested. A single IP addresses has up to 64,000 ports that are available for making connections. For PAT, the port number uniquely identifies each connection.
There should be enough global addresses to handle the number of users each interface may have trying to access the lower security interface. You can specify a single PAT entry, which permits up to 64,000 hosts to use a single IP address. PAT has some restrictions in its use such as it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as the sole global address.
For example:
global (outside) 1 209.165.201.5 netmask 255.255.255.224
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224The first global command statement specifies a single IP address, which the firewall interprets as a PAT. You can specify PAT using the IP address at the interface using the interface keyword.The PAT lets up to 65,535 hosts start connections to the outside. The firewall permits one PAT global command statement for each interface The second global command statement augments the pool of global addresses on the outside interface. The PAT creates a pool of addresses used only when the addresses in the second global command statement are in use. This minimizes the exposure of PAT in the event users need to use H.323 applications.
global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0The global command statement for dmz1 lets users on the inside,dmz2, dmz3, and dmz4 start connections on the dmz1 interface.
The global command statement for dmz2 lets users on the inside, dmz3, and dmz4 start connections on the dmz2 interface.
If you use network subnetting, specify the subnet mask with the netmask option.
You can track usage among different subnets by mapping different internal subnets to different PAT addresses.
For example:
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 2 10.1.1.1 255.255.0.0
global (outside) 1 192.168.1.1
global (outside) 2 209.165.200.225In this example, hosts on the internal network 10.1.0.0/16 are mapped to global address 192.168.1.1, and hosts on the internal network 10.1.1.1/16 are mapped to global address 209.165.200.225 in global configuration mode.
Another way to measure traffic is to back up the PAT address.
For example:
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225
global (outside) 1 192.168.1.1In this example, two port addresses are configured for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode.