CCNA 2 Chapter 9 NAT for IPv4


The _________ next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.

* (asterisk)

ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses) and have several characteristics including:

Allows sites to be combined or privately interconnected, without creating any address conflicts or requiring renumbering of interfaces that use these prefixes.
Independent of any ISP and can be used for communications within a site without having any Internet connectivity.
Not routable across the Internet; not quite as straightforward as RFC 1918 addresses.

The address of the destination device.

Outside address

The address of the destination as seen from the outside network. It is a globally routable IPv4 address assigned to a host on the Internet.

Outside global address

The address of the destination as seen from the inside network.

Outside local address

Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading).

Port Address Translation (PAT)

__________, also known as NAT overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. This is what most home routers do.

Port Address Translation (PAT)

________ is the act of forwarding traffic addressed to a specific network port from one network node to another. This technique allows an external user to reach a port on a private IPv4 address (inside a LAN) from the outside, through a NAT-enabled router.

Port forwarding

PAT uses the ______ instead of a Layer 4 port number.

Query ID

One-to-one address mapping between local and global addresses.

Static address translation (static NAT)

Define an ACL to permit the traffic to be translated.

Step 1.

Define the pool of addresses that will be used for translation using the ip nat pool command. This pool of addresses is typically a group of public addresses. The addresses are defined by indicating the starting IPv4 address and the ending IPv4 address of the pool. The netmask or prefix-length keyword indicates which address bits belong to the network and which bits belong to the host for the range of addresses.

Step 1. of Dynamic NAT configuration

Create a mapping between the inside local address and the inside global addresses.

Step 1. of configuring static NAT

Configure source translation using the interface and overload keywords. The interface keyword identifies which interface IPv4 address to use when translating inside addresses. The overload keyword directs the router to track port numbers with each NAT entry.

Step 2.

After the mapping is configured, the interfaces participating in the translation are configured as inside or outside relative to NAT.

Step 2. of configuring static NAT

Configure a standard ACL to identify (permit) only those addresses that are to be translated. An ACL that is too permissive can lead to unpredictable results. Remember there is an implicit deny all statement at the end of each ACL.

Step 2. of Dynamic NAT configuration

Identify which interfaces are inside in relation to NAT. That is, any interface that connects to the inside network.

Step 3.

Bind the ACL to the pool. The ip nat inside source list access-list-number pool pool-name command is used to bind the ACL to the pool. This configuration is used by the router to identify which devices (list) receive which addresses (pool).

Step 3. of Dynamic NAT configuration

Identify which interface is outside in relation to NAT. This should be the same interface identified in the source translation statement from Step 2.

Step 4.

Identify which interfaces are inside, in relation to NAT; that is, any interface that connects to the inside network.

Step 4. of Dynamic NAT configuration

Identify which interfaces are outside, in relation to NAT; that is, any interface that connects to the outside network.

Step 5. of Dynamic NAT configuration

When a device initiates a TCP/IP session, it generates a ______ or ______ source port value, or a specially assigned query ID for ICMP, to uniquely identify the session. When the NAT router receives a packet from the client, it uses its source port number to uniquely identify the specific NAT translation.

TCP or UDP

________ for IPv6 is the process of encapsulating an IPv6 packet inside an IPv4 packet. This allows the IPv6 packet to be transmitted over an IPv4-only network.

Tunneling

The value in brackets is the IPv4 identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.

[xxxx]

This value indicates that source address a.b.c.d is translated to w.x.y.z.

a.b.c.d--->w.x.y.z

NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses. However, PAT modifies both the_______and______.

address and port number.

Static NAT requires that enough public _______ are available to satisfy the total number of simultaneous user sessions.

addresses

Translating between public and private IPv4 addresses is by far the most common use of NAT. However, NAT translations can occur between ____ pair of addresses.

any

NAT conserves addresses through ____________.

application port-level multiplexing

PAT attempts to preserve the original source port. However, if the original source port is already used, PAT ______the first available port number starting from the beginning of the appropriate port group 0-511, 512-1,023, or 1,024-65,535.

assigns

To verify that the NAT translation is working, it is best to clear statistics from any past translations using the clear ip nat statistics command before testing.

clear ip nat statistics

To clear dynamic entries before the timeout has expired, use the __________ privileged EXEC mode command. It is useful to clear the dynamic entries when testing the NAT configuration.

clear ip nat translation

Specific entries can be cleared to avoid disrupting active sessions. Use the __________ privileged EXEC command to clear all translations from the table.

clear ip nat translation *

Different applications use different ports. This makes it predictable for applications and routers to identify network services. If a different port number is required, it can be appended to the URL separated by a ________.

colon (:)

Like other types of NAT, port forwarding requires the _______ of both the inside and outside NAT interfaces. Similar to static NAT, the show ip nat translations command can be used to verify the port forwarding.

configuration

Incoming packets from the public network are routed to their destinations on the private network by referring to a table in the NAT router. This table tracks public and private port pairs. This is called ______.

connection tracking.

NAT has many uses, but its primary use is to _______ public IPv4 addresses. It does this by allowing networks to use private IPv4 addresses internally and providing translation to a public address only when needed.

conserve

NAT provides _________ internal network addressing schemes. On a network not using private IPv4 addresses and NAT, changing the public IPv4 address scheme requires the readdressing of all hosts on the existing network.

consistency for

Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain ______.

constant

This symbol refers to the destination IPv4 address.

d=

Use the __________ command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router.

debug ip nat

The _______________ command generates a description of each packet considered for translation. This command also provides information about certain errors or exception conditions, such as the failure to allocate a global address.

debug ip nat detailed

By default, port forwarding is ________ on the router. A port other than the default port ____ can be specified.

disabled , 80

Services that require the initiation of TCP connections from the outside network, or stateless protocols, such as those using UDP, can be ________.

disrupted.

Another disadvantage of using NAT is that __________ addressing is lost. __________ IPv4 traceability is also lost.

end-to-end

NAT increases the _______ of connections to the public network. Multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections.

flexibility

When a device inside the stub network wants to communicate with a device outside of its network, the packet is ________ to the border router.

forwarded

NAT _______ user IPv4 addresses. Using RFC 1918 IPv4 addresses, NAT provides the side effect of ______ users' and other devices' IPv4 addresses.

hides(s)(ing)

In NAT terminology, the ________ network is the set of networks that is subject to translation. The _______ network refers to all other networks.

inside , outside

The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the________ keyword is used to identify the outside IPv4 address. Therefore, no NAT pool is defined.

interface

By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the _____________ command in global configuration mode.

ip nat translation timeout <timeout-seconds>

If a site has been issued more than one public IPv4 address, these addresses can be part of a pool that is used by PAT. This is similar to dynamic NAT, except that there are not enough public addresses for a one-to-one mapping of inside to outside addresses. The small pool of addresses is shared among a ______number of devices.

larger

PAT (also called NAT overload) conserves addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. When this type of translation is configured, the router ________ enough information from higher-level protocols, such as TCP or UDP port numbers.

maintains

IPv6 should be run ________ wherever possible. This means IPv6 devices communicating with each other over IPv6 networks. However, to aid in the move from IPv4 to IPv6

natively

The debug ip nat detailed command generates more _______ than the debug ip nat command, but it can provide the detail that may be needed to troubleshoot the NAT problem. Always turn off debugging when finished.

overhead

The _______ keyword enables PAT.

overload

Dynamic NAT uses a _____ of public addresses and assigns them on a first-come, first-served basis.

pool

PAT ensures that devices use a different TCP _____ number for each session with a server on the Internet. When a response comes back from the server, the source ______ number, which becomes the destination ______ number on the return trip, determines to which device the router forwards the packets.

port

With PAT, multiple addresses can be mapped to one or to a few addresses, because each private address is also tracked by a _________.

port number.

NAT has an added benefit of adding a degree of _______ and _______ to a network, because it hides internal IPv4 addresses from outside networks.

privacy and security

______ addresses are used within an organization or site to allow devices to communicate locally. ______ IPv4 addresses cannot be routed over the Internet.

private

NAT increases forwarding delays because the translation of each IPv4 address within the packet headers takes time. The first packet is always _________, going through the slower path. The router must look at every packet to decide whether it needs translation.

process-switched

PAT translates most common ______ carried by IPv4 that do not use TCP or UDP as a transport layer protocol. The most common of these is ICMPv4.

protocols

The NAT-enabled router translates the internal IPv4 address of the device to a public address from the NAT pool. To outside devices, all traffic entering and exiting the network appears to have a ______ address from the provided pool of addresses.

public IPv4

NAT allows the existing private IPv4 address scheme to _____ while allowing for easy change to a new public addressing scheme. This means an organization could change ISPs and not need to change any of its inside clients.

remain

NAT does not allow _______initiated from the outside. This situation can be resolved with manual intervention. Port forwarding can be configured to identify specific ports that can be forwarded to inside hosts.

requests

This symbol refers to the source IPv4 address.

s=

The PAT process also validates that the incoming packets were requested, thus adding a degree of _____ to the session.

security

With NAT overload, internal hosts can _______ a single public IPv4 address for all external communications. In this type of configuration, very few external addresses are required to support many internal hosts.

share

____________displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and the number of addresses that have been allocated.

show ip nat statistics.

A useful command to verify NAT operation is _________. This command shows active NAT translations. Static translations, unlike dynamic translations, are always in the NAT table.

show ip nat translations

Implementing port forwarding with IOS commands is similar to the commands used to configure static NAT. Port forwarding is essentially a static NAT translation with a ____TCP or UDP port number.

specified

A stateful firewall is what provides security on the edge of the network.

stateful

A NAT router typically operates at the border of a _____network.

stub

To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be ____ to a public address.

translated

Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the ________.

translation table

Using NAT also complicates the use of _________protocols, such as IPsec, because NAT modifies values in the headers, causing integrity checks to fail.

tunneling

The intent of _____ is to provide IPv6 address space for communications within a local site; it is not meant to provide additional IPv6 address space, nor is it meant to provide a level of security.

unique local addresses (ULA)

Adding the ______ keyword displays additional information about each translation, including how long ago the entry was created and used.

verbose

Static NAT is particularly useful for ____or____ that must have a consistent address that is accessible from the Internet, such as a company web server. It is also useful for devices that must be accessible by authorized personnel when offsite, but not by the general public on the Internet.

web servers or devices

______ provides the translation of private addresses to public addresses. This allows a device with a private IPv4 address to access resources outside of its private network.

NAT

_______ is used to provide access between IPv6-only and IPv4-only networks. It is not used as a form of private IPv6 to global IPv6 translation.

NAT for IPv6

NAT-enabled routers can be configured with one or more public IPv4 addresses. These public addresses are known as the _____.

NAT pool

The address of the device that is being translated by NAT.

Inside address

The address of the source as seen from the outside network.

Inside global address

The address of the source as seen from inside the network.

Inside local address

NAT includes four types of addresses:

Inside local address
Inside global address
Outside local address
Outside global address

A local address is any address that appears on the inside portion of the network.

Local address

The total number of internal addresses that can be translated to one external address could theoretically be as high as _______ per IPv4 address. However, the number of internal addresses that can be assigned a single IPv4 address is around ______.

65,536 , 4,000

_______ is when the devices are running protocols associated with both IPv4 and IPv6.

Dual-stack

Many-to-many address mapping between local and global addresses. Translations are made on an as-available basis.

Dynamic address translation (dynamic NAT)

ULAs have the prefix _________, which results in a first hextet range of FC00 to FDFF. The next bit is set to 1 if the prefix is locally assigned; a value of 0 may be defined in the future. The next 40 bits are a global ID, followed by a 16-bit subnet ID. These first 64 bits combine to make the ULA prefix. This leaves the remaining 64 bits for the interface ID, or in IPv4 terms, the host portion of the address.

FC00::/7

A global address is any address that appears on the outside portion of the network.

Global address

_____ query messages, echo requests, and echo replies include a Query ID. _______ uses the Query ID to identify an echo request with its corresponding echo reply. The Query ID is incremented with each echo request sent.

ICMPv4

_____ includes both its own IPv6 private address space and NAT.

IPv6

Configuring PAT for a Single Public IPv4 Address
If only a single public IPv4 address is available, the overload configuration typically assigns the public address to the outside interface that connects to the _____. All inside addresses are translated to the single IPv4 address when leaving the outside interface.

ISP.
