Translating Private Addresses into Public Addresses
Cisco routers can dynamically translate private addresses into public addresses, allowing hosts with private addresses to communicate with hosts on the Internet without any change to the hosts themselves. That is, the privately addressed hosts can function as if they were connected directly to the Internet. You can configure a router to maintain a pool of public addresses that is smaller than the population of privately addressed hosts. The router then manages the pool and dynamically translates private addresses into public addresses as necessary for communicating with the Internet. Hosts on the Internet have no idea they are communicating with a privately addressed host; they see only legitimate public addresses from the router's pool. Figure 1-11 shows an example of NAT in action.
Figure 1-11 Router C Performing NAT for Host A
[Figure: Host A (192.168.1.1) on the internal network; Router C at the Internet edge, holding the public address pool; a server on the Internet. Numbered arrows: (1) packet from Host A: source=192.168.1.1 (private address); (2) packet from Host A: source=171.69.10.1 (public address); (3) packet to Host A: destination=171.69.10.1 (public address); (4) packet to Host A: destination=192.168.1.1 (private address).]
In Figure 1-11, privately addressed Host A needs to communicate with a server on the Internet. The following sequence describes a round-trip NAT operation, starting with Host A's initial packet (refer to the numbered arrows in Figure 1-11):
1 From Host A (source = 192.168.1.1, private)—Host A's traffic gets routed through the internal network and arrives at the edge router that connects to the Internet, Router C. The source address of the packet is 192.168.1.1. Router C detects that Host A's packets are sourced from a private address and require address translation. The router looks in its pool of public addresses and selects an available address, 171.69.10.1, to use for translating packets to and from Host A.
2 From Host A (source = 171.69.10.1, public)—Next, the router translates the outgoing packets. For the original private source address (192.168.1.1), it substitutes the public address 171.69.10.1 and sends the modified packets to the Internet. The Internet routes Host A's modified packets to the server (Host A's intended destination).
3 To Host A (destination = 171.69.10.1, public)—The server responds to 171.69.10.1, unaware that Host A's address is really 192.168.1.1. The Internet routes the packets from the server to Router C, the keeper and originator of the address 171.69.10.1.
4 To Host A (destination = 192.168.1.1, private)—Packets from the server arrive at Router C, which translates 171.69.10.1 (now the destination address) back to 192.168.1.1 and forwards the traffic to the internal network. The internal network routes the traffic to Host A, completing the two-way communication between Host A and the server.
The NAT router (Router C) maintains an idle timer for each translation: if Host A stops sending packets to the Internet for the configured idle period, the router expires the translation and returns 171.69.10.1 to the pool to be used by other hosts. The length of the idle timer is configurable.
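The four steps and the idle timer above describe a small state machine: a translation table keyed in both directions, a pool that entries are borrowed from and returned to, and a timer that releases idle entries. The following Python model is an added example, not Cisco's implementation or code from this book: it simulates Router C for the Figure 1-11 addresses, using an explicit list of inside networks in place of the router's inside-source match and an explicit clock in place of wall time. The server address (203.0.113.10), the two-address pool and the 300-second timeout are constructed for the example. It also shows two cases the figure does not: a third inside host when the pool is exhausted, and an inbound packet for a pool address that no active translation owns.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Mapping:
    """One active translation: inside local <-> inside global."""
    inside_local: str    # the host's private address, e.g. 192.168.1.1
    inside_global: str   # the public address borrowed from the pool
    last_seen: float     # clock value of the most recent translated packet


class DynamicNat:
    def __init__(self, pool: List[str], inside_networks: List[str], idle_timeout: float):
        self.free_pool = list(pool)                       # inside global addresses not in use
        self.inside_networks = [ipaddress.ip_network(n) for n in inside_networks]
        self.idle_timeout = idle_timeout                  # seconds a mapping may sit idle
        self.by_local: Dict[str, Mapping] = {}
        self.by_global: Dict[str, Mapping] = {}

    def _needs_translation(self, src: str) -> bool:
        """Stand-in (assumed for the model) for the router's inside-source match."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.inside_networks)

    def _expire(self, now: float) -> None:
        """Idle timer: release every mapping unused for idle_timeout or longer."""
        for m in list(self.by_local.values()):
            if now - m.last_seen >= self.idle_timeout:
                del self.by_local[m.inside_local]
                del self.by_global[m.inside_global]
                self.free_pool.append(m.inside_global)

    def outbound(self, pkt: dict, now: float) -> Optional[dict]:
        """Steps 1 and 2: rewrite the source of a packet leaving the inside network.

        Returns the translated packet, or None when the pool is exhausted and no
        legitimate public source address is available for this host.
        """
        self._expire(now)
        src = pkt["src"]
        if not self._needs_translation(src):
            return dict(pkt)                              # not an inside local address
        m = self.by_local.get(src)
        if m is None:
            if not self.free_pool:
                return None                               # no inside global address left
            m = Mapping(src, self.free_pool.pop(0), now)
            self.by_local[src] = m
            self.by_global[m.inside_global] = m
        m.last_seen = now
        return {**pkt, "src": m.inside_global}

    def inbound(self, pkt: dict, now: float) -> Optional[dict]:
        """Steps 3 and 4: rewrite the destination of a reply arriving from the Internet.

        Returns None when no active translation owns the destination address, so
        traffic sent to an unused pool address reaches no inside host.
        """
        self._expire(now)
        m = self.by_global.get(pkt["dst"])
        if m is None:
            return None
        m.last_seen = now
        return {**pkt, "dst": m.inside_local}


def round_trip_demo():
    """Host A (192.168.1.1) talks to a server; the server address is constructed."""
    nat = DynamicNat(pool=["171.69.10.1", "171.69.10.2"],
                     inside_networks=["192.168.1.0/24"], idle_timeout=300)
    out = nat.outbound({"src": "192.168.1.1", "dst": "203.0.113.10"}, now=0)   # step 2 packet
    back = nat.inbound({"src": "203.0.113.10", "dst": out["src"]}, now=1)     # step 4 packet
    return out, back


if __name__ == "__main__":
    print(round_trip_demo())
```

Running `round_trip_demo()` yields the step 2 packet with source 171.69.10.1 and the step 4 packet with destination 192.168.1.1. The model keeps one mapping per inside host rather than per connection, which is what the page describes: a host holds its pool address until the idle timer expires it, so the pool size bounds how many inside hosts can be active on the Internet at the same time.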
Now for some definitions:
• Inside local address—The address of the privately addressed host. In the preceding example, 192.168.1.1 is the address of Host A, so it's the inside local address.
• Inside global address—The legitimate public address that represents the inside host on the Internet, drawn from the router's pool of public addresses. In the preceding example, 171.69.10.1 is Host A's inside global address.
• Outside global address—The address of the server on the Internet.
Familiarity with these terms is important when you're configuring and verifying NAT. This will be apparent in the next sections.