February 2018 ~ Technical Agenda

Wednesday 14 February 2018

Network address translation (NAT)



Network address translation (NAT) is a function by which IP addresses within a packet are replaced with different IP addresses. This function is most commonly performed by either routers or firewalls. This sample chapter from Cisco Press focuses on NAT within routers. 



Operation of NAT

NAT is described in RFC 1631. The original intention of NAT was, like classless inter-domain routing (CIDR), to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses. Since that time, users have found NAT to be a useful tool for network migrations and mergers, server load sharing, and creating "virtual servers." This section examines all these applications, but first describes the basics of NAT functionality and terminology.
Cisco NAT devices divide their world into the inside and the outside. Typically the inside is a private enterprise or ISP, and the outside is the public Internet or an Internet-facing service provider. Additionally, a Cisco NAT device classifies addresses as either local or global. A local address is an address that is seen by devices on the inside, and a global address is an address that is seen by devices on the outside. Given these four terms, an address may be one of four types:

Inside local (IL) - Addresses assigned to inside devices. These addresses are not advertised to the outside.

Inside global (IG) - Addresses by which inside devices are known to the outside.

Outside global (OG) - Addresses assigned to outside devices. These addresses are not advertised to the inside.

Outside local (OL) - Addresses by which outside devices are known to the inside.

Types of NAT

NAT can be implemented using one of three methods:

Static NAT – performs a static one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall/router.

Dynamic NAT – utilizes a pool of global addresses to dynamically translate the outbound traffic of clients behind a NAT-enabled device.

NAT Overload or Port Address Translation (PAT) – translates the outbound traffic of clients to unique port numbers on a single global address. PAT is necessary when the number of internal clients exceeds the available global addresses.
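
The PAT behaviour described above can be modelled as a translation table. The following Python model is an added example, not taken from the original page or from Cisco; the class and method names, the sequential port allocation and the sample addresses (10.0.0.x as inside local, 203.0.113.5 as inside global) are assumptions made for illustration.

```python
# Added example: simplified PAT (NAT overload) translation table.
# Addresses are constructed; sequential port allocation is an assumption.

class PatTable:
    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global   # the single inside global (IG) address
        self._free_ports = iter(range(first_port, last_port + 1))
        self._out = {}    # (proto, IL addr, IL port) -> IG port
        self._back = {}   # (proto, IG port) -> (IL addr, IL port)

    def translate_outbound(self, proto, il_addr, il_port):
        """Rewrite an inside local source to the IG address and a unique port."""
        key = (proto, il_addr, il_port)
        if key not in self._out:
            try:
                ig_port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("PAT port range exhausted") from None
            self._out[key] = ig_port
            self._back[(proto, ig_port)] = (il_addr, il_port)
        return self.inside_global, self._out[key]

    def translate_inbound(self, proto, dst_addr, dst_port):
        """Map a packet from the outside back to its inside local endpoint.
        Returns None when no translation entry exists."""
        if dst_addr != self.inside_global:
            return None
        return self._back.get((proto, dst_port))


def demo():
    pat = PatTable("203.0.113.5")
    # Two inside hosts use the same source port; PAT keeps them apart by port.
    a = pat.translate_outbound("tcp", "10.0.0.11", 51000)
    b = pat.translate_outbound("tcp", "10.0.0.12", 51000)
    # The same flow reuses its existing entry instead of taking a new port.
    again = pat.translate_outbound("tcp", "10.0.0.11", 51000)
    # A reply to host b's translated port is mapped back to host b.
    reply = pat.translate_inbound("tcp", "203.0.113.5", b[1])
    # A packet to a port that no inside host opened has no entry.
    unsolicited = pat.translate_inbound("tcp", "203.0.113.5", 40000)
    return a, b, again, reply, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last result shows that an inbound packet to a port with no table entry has nothing to be translated to, which is why a device that must be reachable from the outside is given a static NAT entry instead.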



Routing

Saturday 10 February 2018

ACL (Access Control List)



An access control list (ACL) is a mechanism you can use to define who has access to your buckets and objects, as well as what level of access they have.
In other words, an access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Each rule or line in an access-list provides a condition, either permit or deny.
Access control lists (ACLs) can be used for two purposes on Cisco devices:
1. To filter traffic
2. To identify traffic
There are two types of ACL:
1. Standard
2. Extended



Numbered access lists are broken down into several ranges, each dedicated to a specific protocol:

 
Number ranges for both ACL types

1-99 IP standard access list
100-199 IP extended access list
1300-1999 IP standard access list (expanded range)
2000-2699 IP extended access list (expanded range)

Named access lists
Named access lists provide a bit more flexibility. Descriptive names can be used to identify your access-lists. Additionally, individual lines can be removed from a named access-list. However, like numbered lists, all new entries are still added to the bottom of the access list.
There are two common types of named access lists:
IP standard named access lists
IP extended named access lists















Routing
