IPv4 Addressing - NAT (Network Address Translation)
=======================================================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is NAT?**

    NAT (Network Address Translation) is a method used by routers to translate private IP addresses to a public IP address (and vice versa) for internet communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is NAT used?**

    NAT helps conserve public IP addresses and adds a layer of security by hiding internal network structures.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the types of NAT?**

    Common types include Static NAT, Dynamic NAT, and PAT (Port Address Translation, also called NAT Overload).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Static NAT?**

    Maps one private IP address to one public IP address. Used when a device needs to be consistently reachable from the internet.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Dynamic NAT?**

    Maps a private IP to any available public IP from a pool. The mapping changes over time.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does NAT provide security?**

    Yes, to some extent. It hides internal IP addresses from external networks, reducing the directly reachable attack surface.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is NAT used in IPv6?**

    Generally no. IPv6 has a vast address space, eliminating the need for NAT.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is NAT configured?**

    NAT is typically configured on routers or firewalls at the network edge.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is NAT Windows specific?**

    No, NAT is not Windows specific. It is supported on various platforms including routers, firewalls, and operating systems like Windows, Linux, and BSD.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is NAT Linux specific?**

    No, NAT is not Linux specific. However, Linux systems commonly implement NAT using tools like ``iptables`` or ``nftables``.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Transport Protocol is used by NAT?**

    NAT is transport protocol-agnostic. It works at the IP level and supports TCP, UDP, ICMP, and other IP-based protocols.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Port is used by NAT?**

    NAT does not use a specific port. It translates IP addresses and may modify port numbers (especially in PAT), but it does not itself operate on a particular port.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does NAT use the client-server model?**

    No, NAT is not a communication protocol and does not follow the client-server model. It is a network function that facilitates communication between clients and servers.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the difference between NAT and PAT?**

    NAT translates IP addresses, while PAT translates both IP addresses and port numbers to allow multiple devices to share a single public IP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can NAT cause problems for some applications?**

    Yes, NAT can interfere with protocols that embed IP information in the payload, such as FTP or SIP, unless NAT traversal techniques are used.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is NAT traversal?**

    Techniques that enable protocols to work through NAT devices, such as STUN, TURN, and ICE, allowing peer-to-peer connections.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is a NAT table?**

    A NAT table keeps track of active mappings between private and public IP addresses and ports.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is NAT Overload?**

    Another term for PAT, where many private IPs share a single public IP by differentiating connections with port numbers.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can NAT affect VPN connections?**

    Yes, NAT can complicate VPN setup and operation due to IP translation and may require special configuration like NAT Traversal.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does NAT change the MAC address?**

    No, NAT operates at the network layer and does not modify MAC addresses.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is NAT stateful or stateless?**

    NAT is stateful, tracking active sessions to maintain accurate IP and port mappings.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What happens if NAT runs out of available public IP addresses?**

    New outgoing connections cannot be established until existing mappings expire or more public IPs become available.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can NAT be used with IPv4 and IPv6 simultaneously?**

    Yes, NAT64 allows IPv6-only devices to communicate with IPv4 networks using translation techniques.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Hairpin NAT?**

    A NAT feature that allows internal devices to communicate with other internal devices using the public IP address.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does NAT improve network performance?**

    Not directly; NAT primarily manages IP address translation but may introduce slight latency.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can NAT be used in data centers?**

    Yes, NAT is often used to manage IP addressing and secure internal networks in data centers.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Port Forwarding in relation to NAT?**

    Port forwarding redirects incoming traffic on a specific port to an internal device’s IP and port.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does NAT support multicast traffic?**

    NAT generally does not support multicast traffic well because it is designed for unicast IP translation.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the impact of NAT on end-to-end connectivity?**

    NAT breaks true end-to-end connectivity by modifying IP addresses, which can affect peer-to-peer applications.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can NAT be bypassed?**

    Certain tunneling protocols or VPNs can bypass NAT restrictions by encapsulating traffic.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What role does NAT play in IPv4 exhaustion?**

    NAT helps mitigate IPv4 exhaustion by allowing multiple private devices to share fewer public IPs.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is a NAT gateway?**

    A NAT gateway is a network device or service that performs NAT functions for a network segment.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is NAT compatible with cloud environments?**

    Yes, cloud providers often use NAT gateways or instances to manage network address translation in virtual networks.
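The entries above describe the NAT table, PAT (overload), dynamic pools, pool exhaustion, static one-to-one mappings, statefulness and session expiry in prose. The Python simulation below is an added example and not code from this page: it models a stateful NAT table in the three modes so the behaviour of each answer can be observed directly. The class and method names, the timeout values and the sample flows in ``demo()`` are constructed assumptions, not values from any particular router.

```python
"""Stateful NAT table simulator: PAT (overload), dynamic pool NAT and static one-to-one NAT,
with per-protocol idle timeouts. Added illustration; names, timeouts and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    proto: str            # "icmp", "tcp", "udp", or "any" for a dynamic-pool address binding
    inside_local: tuple   # (private ip, port); port is None for an address-only binding
    inside_global: tuple  # (public ip, port)
    last_seen: float      # simulated clock value, used by expire()


class NatTable:
    # Idle timeouts in seconds, constructed for the demo (real defaults are vendor-specific)
    TIMEOUTS = {"icmp": 10, "udp": 60, "tcp": 86400, "any": 60}

    def __init__(self, mode, inside_net, public_ip=None, pool=()):
        assert mode in ("pat", "dynamic")
        self.mode = mode
        self.inside_net = ipaddress.ip_network(inside_net)  # plays the role of the NAT access-list
        self.public_ip = public_ip    # single overload address (PAT)
        self.free_pool = list(pool)   # unused public addresses (dynamic NAT)
        self.static = {}              # private ip -> public ip, never aged out
        self.entries = {}             # lookup key -> Entry
        self.used_ports = set()       # (proto, global port) already handed out
        self.drops = 0                # outbound packets dropped because no mapping was available

    def add_static(self, private_ip, public_ip):
        self.static[private_ip] = public_ip

    def outbound(self, proto, src_ip, src_port, now):
        """Translate the source of a packet leaving the inside interface (for ICMP the "port"
        is the echo identifier). Returns the outside (ip, port), or None if the packet is dropped."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return (src_ip, src_port)               # not matched by the ACL: left untranslated
        if src_ip in self.static:
            return (self.static[src_ip], src_port)  # static mapping: address only, port kept
        key = (proto, src_ip, src_port) if self.mode == "pat" else src_ip
        entry = self.entries.get(key)
        if entry is None and self.mode == "pat":
            gport = src_port                        # keep the original port when it is free
            if (proto, gport) in self.used_ports:
                gport = next(p for p in range(1024, 65536) if (proto, p) not in self.used_ports)
            self.used_ports.add((proto, gport))
            entry = self.entries[key] = Entry(proto, (src_ip, src_port), (self.public_ip, gport), now)
        elif entry is None:
            if not self.free_pool:                  # pool exhausted: the new host cannot go out
                self.drops += 1
                return None
            entry = self.entries[key] = Entry("any", (src_ip, None), (self.free_pool.pop(0), None), now)
        entry.last_seen = now
        gip, gport = entry.inside_global
        return (gip, src_port if gport is None else gport)

    def inbound(self, proto, dst_ip, dst_port, now):
        """Translate the destination of a packet arriving on the outside interface. Without a
        matching entry the packet is dropped, so unsolicited traffic never reaches a private host."""
        for private_ip, public_ip in self.static.items():
            if public_ip == dst_ip:
                return (private_ip, dst_port)
        for entry in self.entries.values():
            gip, gport = entry.inside_global
            if gip == dst_ip and entry.proto in ("any", proto) and gport in (None, dst_port):
                entry.last_seen = now
                lip, lport = entry.inside_local
                return (lip, dst_port if lport is None else lport)
        return None

    def expire(self, now):
        """Remove entries idle longer than their protocol's timeout and release the global port
        or pool address they held. Returns the number of entries still live."""
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen > self.TIMEOUTS[entry.proto]:
                del self.entries[key]
                gip, gport = entry.inside_global
                if gport is None:
                    self.free_pool.append(gip)
                else:
                    self.used_ports.discard((entry.proto, gport))
        return len(self.entries)


def demo():
    """Constructed flows exercising the three NAT types; returns the observed translations."""
    r = {}
    pat = NatTable("pat", "192.168.1.0/24", public_ip="10.0.0.2")
    r["pc1"] = pat.outbound("icmp", "192.168.1.10", 3193, now=0)    # keeps identifier 3193
    r["pc2"] = pat.outbound("icmp", "192.168.1.20", 3193, now=1)    # same identifier: fresh port
    r["reply_to_pc2"] = pat.inbound("icmp", "10.0.0.2", r["pc2"][1], now=2)
    r["unsolicited"] = pat.inbound("tcp", "10.0.0.2", 22, now=2)    # no entry: dropped
    r["after_timeout"] = pat.expire(now=30)                          # both ICMP entries aged out
    dyn = NatTable("dynamic", "192.168.1.0/24", pool=["192.168.122.100", "192.168.122.101"])
    r["dyn_pc1"] = dyn.outbound("icmp", "192.168.1.10", 4898, now=0)
    r["dyn_pc2"] = dyn.outbound("icmp", "192.168.1.20", 1125, now=0)
    r["dyn_pc3"] = dyn.outbound("icmp", "192.168.1.30", 7, now=0)   # pool of two is exhausted
    r["dyn_drops"] = dyn.drops
    r["dyn_reply"] = dyn.inbound("icmp", "192.168.122.100", 4898, now=1)
    st = NatTable("pat", "192.168.1.0/24", public_ip="192.168.122.85")
    st.add_static("192.168.1.10", "192.168.122.85")
    r["static_in"] = st.inbound("icmp", "192.168.122.85", 1139, now=0)  # reachable with no prior flow
    return r
```

Running ``demo()`` shows the second PAT host receiving a different global port because its echo identifier collided with the first host, an unsolicited inbound TCP packet being dropped for lack of an entry, both ICMP entries disappearing once the simulated clock passes the timeout, the third host behind a two-address dynamic pool being refused until an entry ages out, and the static mapping answering inbound traffic with no prior outbound flow.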
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section:

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`NAT Version&RFC Details `
    * :ref:`NAT Basic Setup on Ubuntu using IPv4 `
    * :ref:`NAT Usecases `
    * :ref:`NAT Basic Features `
    * :ref:`NAT Feature : IP Address Translation `
    * :ref:`NAT Feature : Port Address Translation (PAT) `
    * :ref:`NAT Feature : Conserves IPv4 Addresses `
    * :ref:`NAT Feature : Enhances Network Security `
    * :ref:`NAT Feature : Supports Multiple NAT Types `
    * :ref:`NAT Feature : Protocol-Aware Behavior `
    * :ref:`NAT Feature : Enables Internet Access for Private Networks `
    * :ref:`Reference links `

.. _NAT_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _NAT_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _NAT_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _NAT_step5:

.. tab-set::

    .. tab-item:: NAT Version&RFC Details

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Version_RFC_details.csv
            :widths: 10,10,10,30
            :header-rows: 1

.. _NAT_step16:

.. tab-set::

    .. tab-item:: Test Case 1: Basic NAT Implementation (ICMP Ping Test)

        **Verify that a private host (PC1) can reach a public host (PC2) through a NAT-enabled router (R1)**

        **Topology**

        .. code-block:: text

            [PC1 / LAN Host] --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [PC2 / Internet Simulation]

        * PC1 → 192.168.1.10/24
        * Router R1 LAN (Fa0/0) → 192.168.1.1/24 → NAT inside
        * Router R1 WAN (Fa0/1) → 10.0.0.2/24 → NAT outside
        * PC2 → 10.0.0.1/24

        .. note::

            * The router performs NAT between the inside (LAN) and outside (WAN) networks.
            * PC1 has only a private IP, but NAT enables it to communicate with PC2.
            * The default gateway for PC1 must always point to the router (192.168.1.1).

        **PC1 (VM1) — LAN Host Setup**

        * Step-1 : Assign IP address and bring up the interface

        .. code-block:: shell

            ip addr add 192.168.1.10/24 dev eth0
            ip link set eth0 up
            ip route add default via 192.168.1.1

        .. note::

            * The default route ensures that traffic destined outside 192.168.1.0/24 goes through R1.

        **PC2 (VM2) — Internet Simulation Host**

        * Step-1 : Assign IP address and bring up the interface

        .. code-block:: shell

            sudo ip addr add 10.0.0.1/24 dev enp0s8
            sudo ip link set enp0s8 up

        .. note::

            * PC2 acts as an “internet host” with a public IP (10.0.0.1).
            * No special configuration is needed on PC2; it just replies to ICMP packets.

        **Router (R1) — NAT Configuration**

        * Step-1 : Configure LAN interface as inside

        .. code-block:: shell

            R1#configure terminal
            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        .. note::

            * ``ip nat inside`` must be applied on the **private (LAN) interface**.

        * Step-2 : Configure WAN interface as outside

        .. code-block:: shell

            R1(config)#interface FastEthernet1/0
            R1(config-if)#ip address 10.0.0.2 255.255.255.0
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        .. note::

            * ``ip nat outside`` must be applied on the **public (WAN) interface**.

        * Step-3 : Configure Access Control List (ACL) for NAT

        .. code-block:: shell

            R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

        .. note::

            * This ACL specifies which private IP range should be translated.

        * Step-4 : Configure NAT Overload (PAT)

        .. code-block:: shell

            R1(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
            R1(config)#end

        .. note::

            * Overload (PAT) allows many inside hosts to share one public IP (10.0.0.2).
            * Translation is done using unique port numbers.

        * Step-5 : Verify router interface status

        .. code-block:: shell

            R1#show ip interface brief

        Expected Output:

        .. code-block:: text

            Interface              IP-Address      OK? Method Status  Protocol
            FastEthernet0/0        192.168.1.1     YES manual up      up
            FastEthernet1/0        10.0.0.2        YES manual up      up

        .. note::

            * Both interfaces must show ``up up`` for NAT to work.

        **PC1 — NAT Test**

        * Step-1 : Ping PC2 through NAT

        .. code-block:: shell

            ping 10.0.0.1

        Expected Output:

        .. code-block:: text

            64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=12 ms
            64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=15 ms

        .. note::

            * A successful ping confirms that NAT is working.
            * TTL decreases by 1 when packets pass through R1.

        * Step-2 : Verify NAT Table on Router

        .. code-block:: shell

            R1#show ip nat translations

        Example Output:

        .. code-block:: text

            Pro  Inside global      Inside local        Outside local      Outside global
            icmp 10.0.0.2:2907     192.168.1.10:2907   10.0.0.1:2907      10.0.0.1:2907

        .. note::

            * Inside local = private IP (192.168.1.10).
            * Inside global = public IP assigned by NAT (10.0.0.2).
            * This confirms that NAT translation is successful.

        **Wireshark Verification**

        * Capture on LAN side (Fa0/0):

          - Source: 192.168.1.10
          - Destination: 10.0.0.1
          - This is traffic **before NAT**.

          :download:`Download wireshark capture `

        * Capture on WAN side (Fa0/1):

          - Source: 10.0.0.2
          - Destination: 10.0.0.1
          - This is traffic **after NAT**.

          :download:`Download wireshark capture `

        .. note::

            * The Wireshark captures show how NAT rewrites the source IP when traffic leaves the router.

    .. tab-item:: Explanation — Why NAT Needs Inside and Outside

        **ip nat inside**

        * Applied on the LAN-facing interface (private network).
        * Tells the router: "Packets arriving here are private and must be translated when leaving."

        **ip nat outside**

        * Applied on the WAN-facing interface (public/ISP side).
        * Tells the router: "Packets leaving here are going to the public side."

        **Why both are needed**

        * NAT translation happens only between inside and outside interfaces.
        * Without interface labels:

          - The router would not know which traffic to translate.
          - ``ip nat inside source list ... overload`` would fail.

        .. note::

            * Always double-check that the correct interfaces are marked as ``inside`` and ``outside``.
            * A wrong configuration will cause NAT to fail even if the ACL and overload are set correctly.

    .. tab-item:: Test Case 2: NAT Overload / PAT (Port Address Translation)

        **Verify that multiple LAN hosts can share a single public IP (assigned dynamically via DHCP) using port translation**

        **Topology**

        .. code-block:: text

            [PC1 192.168.1.10] --- sw1(eth0) --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [DHCP WAN / ISP] --- [Internet Server 10.0.0.1]
            [PC2 192.168.1.20] --- sw1(eth1) --- Fa0/0 --- [R1 Router]

        .. note::

            * The WAN interface (Fa0/1) gets its IP dynamically from a DHCP server.
            * NAT overload (PAT) allows multiple LAN hosts to share that single public IP.
            * Translation is based on unique **source port numbers**.

        **Router (R1) — PAT Configuration**

        * Step-1 : Configure the outside interface (WAN) to get its IP via DHCP

        .. code-block:: shell

            R1(config)#interface FastEthernet1/0
            R1(config-if)#ip address dhcp
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-2 : Configure the inside interface (LAN)

        .. code-block:: shell

            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-3 : Configure ACL for the private subnet

        .. code-block:: shell

            R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

        * Step-4 : Enable NAT Overload (PAT)

        .. code-block:: shell

            R1(config)#ip nat inside source list 1 interface FastEthernet1/0 overload
            R1(config)#end

        * Step-5 : Verify WAN IP

        .. code-block:: shell

            R1#show ip interface brief

        **PC1 — LAN Host Setup**

        .. code-block:: shell

            ip addr add 192.168.1.10/24 dev enp0s8
            ip route add default via 192.168.1.1

        **PC2 — LAN Host Setup**

        .. code-block:: shell

            ip addr add 192.168.1.20/24 dev enp0s8
            ip route add default via 192.168.1.1

        **NAT / PAT Test**

        * Step-1 : From PC1 and PC2, ping or reach an external host (e.g., 8.8.8.8).
        * Step-2 : Verify NAT translations on the router.

        Example Output:

        .. code-block:: text

            Pro  Inside global           Inside local         Outside local     Outside global
            icmp 192.168.122.85:3193    192.168.1.10:3193    8.8.8.8:3193      8.8.8.8:3193
            icmp 192.168.122.85:1147    192.168.1.20:1147    8.8.8.8:1147      8.8.8.8:1147

        **Wireshark Verification**

        * Step-1 : Capture on **PC1**

          - Source IP: 192.168.1.10
          - Destination: 8.8.8.8
          - Shows the private IP before NAT.

          :download:`Download PC1 capture `

        * Step-2 : Capture on **PC2**

          - Source IP: 192.168.1.20
          - Destination: 8.8.8.8
          - Shows the private IP before NAT.

          :download:`Download PC2 capture `

        * Step-3 : Capture on **Router (Fa0/1 - WAN side)**

          - Source IP: Router’s DHCP WAN IP (192.168.122.85)
          - Destination: 8.8.8.8
          - PC1 and PC2 traffic is merged into the same public IP, differentiated by **ports**.

          :download:`Download Router capture `

        .. note::

            * PC1 and PC2 both use the same global IP but different ports → proves PAT.
            * The router capture confirms the NAT translation.

    .. tab-item:: Test Case 3: Static NAT (One-to-One Mapping)

        **Verify that a specific private host is permanently mapped to a public IP (static translation)**

        **Topology**

        .. code-block:: text

            [VM1 192.168.1.10] --- sw1(eth0) --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [DHCP WAN / ISP 192.168.122.85] --- sw2 --- [VM2 192.168.122.20]

        .. note::

            * Static NAT creates a **permanent one-to-one mapping** between a private and a public IP.
            * In this case → ``192.168.1.10 ↔ 192.168.122.85``.
            * Works **both inbound & outbound**.

        **Router (R1) — Static NAT Configuration**

        * Step-1 : Configure inside (LAN) interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-2 : Configure outside (WAN) interface (DHCP)

        .. code-block:: shell

            R1(config)#interface FastEthernet1/0
            R1(config-if)#ip address dhcp
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-3 : Apply Static NAT mapping

        .. code-block:: shell

            R1(config)#ip nat inside source static 192.168.1.10 192.168.122.85
            R1(config)#end

        * Step-4 : Verify NAT table

        .. code-block:: shell

            R1#show ip nat translations

        Example Output:

        .. code-block:: text

            Pro  Inside global      Inside local       Outside local      Outside global
            ---  192.168.122.85     192.168.1.10       ---                ---

        **VM1 — Inside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.1.10/24 dev enp0s8
            sudo ip link set enp0s8 up
            sudo ip route add default via 192.168.1.1

        **VM2 — Outside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.122.20/24 dev enp0s8
            sudo ip link set enp0s8 up
            sudo ip route add default via 192.168.122.1

        **Static NAT Test**

        * Step-1 : From outside VM2, ping the public IP of R1 (192.168.122.85)

        .. code-block:: shell

            ping 192.168.122.85

        * Step-2 : Verify NAT translations on the router

        Example Output:

        .. code-block:: text

            Pro  Inside global          Inside local         Outside local          Outside global
            icmp 192.168.122.85:1139   192.168.1.10:1139    192.168.122.20:1139    192.168.122.20:1139
            ---  192.168.122.85        192.168.1.10         ---                    ---

        .. note::

            * **Inside local** = private IP (192.168.1.10).
            * **Inside global** = mapped public IP (192.168.122.85).
            * The router correctly forwards inbound and outbound traffic.

        **Wireshark Verification**

        * Step-1 : Capture on **VM1 (LAN side)**

          - Destination IP: 192.168.1.10
          - Shows the **translated packet delivered** to the private host.

          :download:`Download VM1 capture `

        * Step-2 : Capture on **VM2 (outside host)**

          - Destination IP: 192.168.122.85
          - Shows the packet sent to the public IP.

          :download:`Download VM2 capture `

        * Step-3 : Capture on **Router (Fa0/1 - WAN side)**

          - Destination IP: 192.168.122.85 (public) → translated to 192.168.1.10 (private).
          - Reply source: 192.168.122.85.

          :download:`Download Router capture `

        .. note::

            * The outside host (VM2) talks to the public IP 192.168.122.85.
            * The router translates and delivers the traffic to VM1 (192.168.1.10).
            * The reply goes back via the same static mapping.
            * Confirms that **static one-to-one NAT works**.
    .. tab-item:: Test Case 4: Dynamic NAT (Pool of Public IPs)

        **Verify that multiple private hosts are dynamically mapped to a pool of public IPs**

        **Topology**

        .. code-block:: text

            [PC1 192.168.1.10] --- sw1(eth0) --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [192.168.122.0/24 WAN] --- [WAN Host 192.168.122.1]

        .. note::

            * Dynamic NAT maps **private IPs to a pool of available public IPs**.
            * Unlike PAT, **no port translation** is done.
            * Each inside host gets a unique IP from the pool.

        **Router (R1) — Dynamic NAT Configuration**

        * Step-1 : Configure inside (LAN) interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-2 : Configure outside (WAN) interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/1
            R1(config-if)#ip address 192.168.122.2 255.255.255.0
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-3 : Define access list for the inside subnet

        .. code-block:: shell

            R1(config)#access-list 10 permit 192.168.1.0 0.0.0.255

        * Step-4 : Create NAT pool with two public IPs

        .. code-block:: shell

            R1(config)#ip nat pool MYPOOL 192.168.122.100 192.168.122.101 netmask 255.255.255.0

        * Step-5 : Bind access list to pool

        .. code-block:: shell

            R1(config)#ip nat inside source list 10 pool MYPOOL
            R1(config)#end

        * Step-6 : Verify NAT pool usage

        .. code-block:: shell

            R1#show ip nat translations

        Example Output:

        .. code-block:: text

            Pro  Inside global           Inside local         Outside local         Outside global
            icmp 192.168.122.100:4898   192.168.1.10:4898    192.168.122.1:4898    192.168.122.1:4898
            ---  192.168.122.100        192.168.1.10         ---                   ---
            icmp 192.168.122.101:1125   192.168.1.20:1125    192.168.122.1:1125    192.168.122.1:1125
            ---  192.168.122.101        192.168.1.20         ---                   ---

        **PC1 — Inside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.1.10/24 dev eth0
            sudo ip link set eth0 up
            sudo ip route add default via 192.168.1.1

        **PC2 — Inside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.1.20/24 dev eth0
            sudo ip link set eth0 up
            sudo ip route add default via 192.168.1.1

        **WAN Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.122.1/24 dev eth0
            sudo ip link set eth0 up

        **Dynamic NAT Test**

        * Step-1 : From PC1, ping the WAN Host (192.168.122.1)

        .. code-block:: shell

            ping 192.168.122.1

        * Step-2 : From PC2, ping the WAN Host (192.168.122.1)

        .. code-block:: shell

            ping 192.168.122.1

        * Step-3 : Verify NAT translations on the router

        .. code-block:: text

            Pro  Inside global           Inside local         Outside local         Outside global
            icmp 192.168.122.100:4898   192.168.1.10:4898    192.168.122.1:4898    192.168.122.1:4898
            ---  192.168.122.100        192.168.1.10         ---                   ---
            icmp 192.168.122.101:1125   192.168.1.20:1125    192.168.122.1:1125    192.168.122.1:1125
            ---  192.168.122.101        192.168.1.20         ---                   ---

        .. note::

            * PC1 is mapped to **192.168.122.100**.
            * PC2 is mapped to **192.168.122.101**.
            * Pool allocation is **automatic**.

        **Wireshark Verification**

        * Step-1 : Capture on **Fa0/0 (LAN side)**

          - Source IPs: 192.168.1.10, 192.168.1.20
          - Destination: 192.168.122.1

          :download:`Download LAN capture `

          :download:`Download WAN capture `

        * Step-2 : Capture on **Fa0/1 (WAN side)**

          - Source IPs: 192.168.122.100, 192.168.122.101
          - Destination: 192.168.122.1

          :download:`Download WAN capture `

        .. note::

            * Inside captures show **private IPs** going out.
            * Outside captures show **translated public IPs** from the pool.
            * Confirms that the **Dynamic NAT pool works correctly**.

    .. tab-item:: Test Case 5: Protocol-Aware NAT (TCP & UDP)

        **Verify that NAT correctly translates TCP and UDP traffic, not just ICMP**

        **Topology**

        .. code-block:: text

            [PC1 192.168.1.10] --- sw1(eth0) --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [WAN Host 10.0.0.1]

        .. note::

            * NAT must handle **protocol-specific translations** for TCP and UDP.
            * The WAN Host runs a **web server (TCP)** and a **DNS server (UDP)** for testing.

        **WAN Host Setup**

        .. code-block:: shell

            sudo apt-get update
            sudo apt-get install -y apache2 bind9
            sudo ip addr add 10.0.0.1/24 dev eth0
            sudo ip link set eth0 up

        **PC1 — Inside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.1.10/24 dev eth0
            sudo ip link set eth0 up
            sudo ip route add default via 192.168.1.1

        **Router (R1) — PAT Configuration**

        * Step-1 : Configure inside interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-2 : Configure outside interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/1
            R1(config-if)#ip address 10.0.0.2 255.255.255.0
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-3 : Define ACL for the inside subnet

        .. code-block:: shell

            R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

        * Step-4 : Enable NAT overload (PAT)

        .. code-block:: shell

            R1(config)#ip nat inside source list 1 interface FastEthernet0/1 overload
            R1(config)#end

        **Protocol-Aware NAT Test**

        * TCP Test — Web Request

        .. code-block:: shell

            curl http://10.0.0.1

        Example NAT Translation on Router:

        .. code-block:: text

            Pro  Inside global      Inside local         Outside local      Outside global
            tcp  10.0.0.2:35036    192.168.1.10:35036   10.0.0.1:80        10.0.0.1:80

        * UDP Test — DNS Query

        .. code-block:: shell

            dig @10.0.0.1 google.com

        Example NAT Translation on Router:

        .. code-block:: text

            Pro  Inside global      Inside local         Outside local      Outside global
            tcp  10.0.0.2:35036    192.168.1.10:35036   10.0.0.1:80        10.0.0.1:80
            udp  10.0.0.2:37934    192.168.1.10:37934   10.0.0.1:53        10.0.0.1:53

        **Wireshark Verification**

        * TCP Traffic (HTTP)

          - **Inside Interface (Fa0/0)**

            - Source IP: 192.168.1.10
            - Destination IP: 10.0.0.1
            - Protocol: TCP, Destination Port 80

            :download:`Download LAN TCP capture `

          - **Outside Interface (Fa0/1)**

            - Source IP: 10.0.0.2
            - Destination IP: 10.0.0.1
            - Source Port: NAT-assigned unique port

            :download:`Download WAN TCP capture `

        * UDP Traffic (DNS)

          - **Inside Interface (Fa0/0)**

            - Source IP: 192.168.1.10
            - Destination IP: 10.0.0.1
            - Source Port: client-assigned
            - Destination Port: 53

            :download:`Download LAN UDP capture `

          - **Outside Interface (Fa0/1)**

            - Source IP: 10.0.0.2
            - Destination IP: 10.0.0.1
            - Source Port: NAT-assigned unique port

            :download:`Download WAN UDP capture `

        .. note::

            * Inside captures show the **original private IPs**.
            * Outside captures show the **translated public IPs** with unique ports.
            * Confirms that NAT handles **TCP & UDP correctly**, proving **protocol-aware translation**.

    .. tab-item:: Test Case 6: NAT Timeout / Session Expiry

        **Verify that NAT table entries expire after inactivity**

        **Topology**

        .. code-block:: text

            [PC1 192.168.1.10] --- sw1(eth0) --- Fa0/0 --- [R1 Router] --- Fa0/1 --- [WAN Host 10.0.0.1]

        .. note::

            * NAT entries have **timeouts** to prevent stale sessions.
            * Default timeouts: ICMP ~30 sec, TCP ~24 hrs, UDP ~1 min.
            * We adjust the ICMP timeout to 10 sec for testing purposes.

        **PC1 — Inside Host Setup**

        .. code-block:: shell

            sudo ip addr add 192.168.1.10/24 dev eth0
            sudo ip link set eth0 up
            sudo ip route add default via 192.168.1.1

        **Router (R1) — PAT Configuration with Timeout**

        * Step-1 : Configure inside interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/0
            R1(config-if)#ip address 192.168.1.1 255.255.255.0
            R1(config-if)#ip nat inside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-2 : Configure outside interface

        .. code-block:: shell

            R1(config)#interface FastEthernet0/1
            R1(config-if)#ip address 10.0.0.2 255.255.255.0
            R1(config-if)#ip nat outside
            R1(config-if)#no shutdown
            R1(config-if)#exit

        * Step-3 : Define ACL for the inside subnet

        .. code-block:: shell

            R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255

        * Step-4 : Enable NAT overload (PAT) and adjust timeouts

        .. code-block:: shell

            R1(config)#ip nat inside source list 1 interface FastEthernet0/1 overload
            R1(config)#ip nat translation timeout 60
            R1(config)#ip nat translation icmp-timeout 10
            R1(config)#end

        .. note::

            * ``ip nat translation timeout 60`` → sets the global timeout to 60 sec.
            * ``ip nat translation icmp-timeout 10`` → sets the ICMP timeout to 10 sec for faster testing.

        **NAT Timeout Test**

        * Step-1 : Create a NAT entry

        .. code-block:: shell

            # On R1: clear any existing translations
            R1# clear ip nat translation *
            # On PC1: generate a fresh ICMP session
            ping -c 3 10.0.0.1

        Example NAT Translation:

        .. code-block:: text

            Pro  Inside global      Inside local         Outside local      Outside global
            icmp 10.0.0.2:3196     192.168.1.10:3196    10.0.0.1:3196      10.0.0.1:3196

        .. note::

            * A NAT entry appears for the ICMP session.

        * Step-2 : Verify session expiration

        .. code-block:: shell

            # Wait 15 seconds (longer than the ICMP timeout)
            R1# show ip nat translations

        Expected Result: the NAT entry has disappeared.

        **Wireshark Verification**

        * ICMP Traffic (Ping)

          - **Inside Interface (Fa0/0)**

            - Source IP: 192.168.1.10
            - Destination IP: 10.0.0.1
            - Protocol: ICMP, Type=8 Echo Request

            :download:`Download LAN ICMP capture `

          - **Outside Interface (Fa0/1)**

            - Source IP: 10.0.0.2
            - Destination IP: 10.0.0.1
            - Protocol: ICMP, Type=8 Echo Request

            :download:`Download WAN ICMP capture `

        .. note::

            * Inside captures show **private IP traffic** before translation.
            * Outside captures show the **translated public IPs**.
            * The NAT table automatically **removes idle entries**, confirming that session expiry works.

.. _NAT_step6:

.. tab-set::

    .. tab-item:: NAT Usecases

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Use_Cases.csv
            :widths: 10,20,30
            :header-rows: 1

.. _NAT_step7:

.. tab-set::

    .. tab-item:: NAT Basic Features

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Basic_Features.csv
            :widths: 10,10,30
            :header-rows: 1

.. _NAT_step8:

.. tab-set::

    .. tab-item:: NAT Feature : IP Address Translation

        **IP Address Translation - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature1_IP_Address_Translation_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step9:

.. tab-set::

    .. tab-item:: NAT Feature : Port Address Translation (PAT)

        **Port Address Translation (PAT) - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature2_Port_Address_Translation_PAT_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step10:

.. tab-set::

    .. tab-item:: NAT Feature : Conserves IPv4 Addresses

        **Conserves IPv4 Addresses - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature3_Conserves_IPv4_Addresses_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step11:

.. tab-set::

    .. tab-item:: NAT Feature : Enhances Network Security

        **Enhances Network Security - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature4_Enhances_Network_Security_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step12:

.. tab-set::

    .. tab-item:: NAT Feature : Supports Multiple NAT Types

        **Supports Multiple NAT Types - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature5_Supports_Multiple_NAT_Types_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step13:

.. tab-set::

    .. tab-item:: NAT Feature : Protocol-Aware Behavior

        **Protocol-Aware Behavior - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature6_Protocol_Aware_Behavior_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step14:

.. tab-set::

    .. tab-item:: NAT Feature : Enables Internet Access for Private Networks

        **Enables Internet Access for Private Networks - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_NAT/NAT_Feature7_Enables_Internet_Access_for_Private_Networks_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _NAT_step15:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
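The verification steps in Test Cases 1 to 3 above are done by reading ``show ip nat translations`` output and comparing LAN-side and WAN-side captures by hand. The Python below is an added example, not code from this page or from any vendor tool: it parses a constructed table in the same column layout as those outputs and turns the checks described there into functions (which private hosts sit behind one global address, whether any global port was handed out twice, which static bindings exist, and whether any private address appears in a WAN-side capture, which is the symptom of an interface missing its ``ip nat inside`` or ``ip nat outside`` marking). The sample table and the two capture summaries are constructed for this example.

```python
"""Checks for the NAT verification steps: parse `show ip nat translations`-style output and
confirm PAT sharing, static bindings and the absence of private addresses on the WAN side.
Added illustration; the sample table and capture summaries are constructed."""
import ipaddress
from collections import Counter

# Constructed sample in the column layout of the router output shown in the test cases,
# with two overloaded ICMP flows and one static binding row.
SAMPLE_TRANSLATIONS = """\
Pro  Inside global          Inside local        Outside local     Outside global
icmp 192.168.122.85:3193   192.168.1.10:3193   8.8.8.8:3193      8.8.8.8:3193
icmp 192.168.122.85:1147   192.168.1.20:1147   8.8.8.8:1147      8.8.8.8:1147
---  192.168.122.85        192.168.1.10        ---               ---
"""


def _endpoint(token):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)


def parse_translations(text):
    """Return one dict per table row; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        rows.append({
            "proto": None if cols[0] == "---" else cols[0],   # None marks a static binding row
            "inside_global": _endpoint(cols[1]),
            "inside_local": _endpoint(cols[2]),
            "outside_local": _endpoint(cols[3]),
            "outside_global": _endpoint(cols[4]),
        })
    return rows


def pat_sharing(rows):
    """Map each inside-global address to the private hosts behind it and list every
    (proto, global ip, global port) that appears more than once. Several private hosts
    behind one global address with no collisions is what proves PAT is working."""
    behind = {}
    handed_out = Counter()
    for row in rows:
        if row["proto"] is None:
            continue                     # static binding, not a flow
        gip, gport = row["inside_global"]
        behind.setdefault(gip, set()).add(row["inside_local"][0])
        handed_out[(row["proto"], gip, gport)] += 1
    collisions = sorted(key for key, n in handed_out.items() if n > 1)
    return behind, collisions


def static_bindings(rows):
    """private ip -> public ip for every permanent one-to-one mapping in the table."""
    return {row["inside_local"][0]: row["inside_global"][0] for row in rows if row["proto"] is None}


def private_leaks(wan_source_ips, inside_net):
    """Private source addresses seen on a WAN-side capture. The expected result is an empty
    list; anything returned left the router untranslated (wrong inside/outside marking or ACL)."""
    net = ipaddress.ip_network(inside_net)
    return sorted({ip for ip in wan_source_ips if ipaddress.ip_address(ip) in net})


# Constructed source-address summaries of two WAN-side captures: one from a correctly
# configured router, one where LAN traffic reached the WAN without being translated.
WAN_CAPTURE_OK = ["192.168.122.85", "192.168.122.85", "192.168.122.85"]
WAN_CAPTURE_MISCONFIGURED = ["192.168.122.85", "192.168.1.10", "192.168.1.20"]

if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TRANSLATIONS)
    print("behind each global IP / port collisions:", pat_sharing(rows))
    print("static bindings:", static_bindings(rows))
    print("leaks (ok capture):", private_leaks(WAN_CAPTURE_OK, "192.168.1.0/24"))
    print("leaks (misconfigured):", private_leaks(WAN_CAPTURE_MISCONFIGURED, "192.168.1.0/24"))
```

For a live router the same functions can be fed the pasted ``show ip nat translations`` text and a list of source addresses exported from the WAN-side capture; an empty ``private_leaks`` result together with a single global address in ``pat_sharing`` is the pass condition the test cases describe.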