Cisco Press CCNA ICND 2004 - Cisco Press.pdf

260 Chapter 8: Advanced TCP/IP Topics

Table 8-2 RFC 1918 Private Address Space

Range of IP Addresses            Class of Networks   Number of Networks
10.0.0.0 to 10.255.255.255       A                   1
172.16.0.0 to 172.31.255.255     B                   16
192.168.0.0 to 192.168.255.255   C                   256

In other words, any organization can use these network numbers. However, no organization is allowed to advertise these networks using a routing protocol on the Internet.

You might be wondering why you would bother to reserve special private network numbers when it doesn’t matter if the addresses are duplicates. Well, as it turns out, you can use private addressing in a network, and use the Internet at the same time, as long as you use Network Address Translation (NAT).

Network Address Translation

NAT, defined in RFC 1631, allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet. The hosts might be using private addresses or addresses assigned to another organization. In either case, NAT allows these addresses that are not Internet-ready to continue to be used and still allows communication with hosts across the Internet.

NAT achieves its goal by using a valid registered IP address to represent the private address to the rest of the Internet. The NAT function changes the private IP addresses to publicly registered IP addresses inside each IP packet, as shown in Figure 8-2.

Figure 8-2 NAT IP Address Swapping: Private Addressing

[Figure: a Client at 10.1.1.1 on the private network sends through a router labeled NAT to the server www.cisco.com at 170.1.1.1 on the Internet. The packet headers shown in the figure are:

Client to NAT router:     Source 10.1.1.1    Destination 170.1.1.1
NAT router to Internet:   Source 200.1.1.1   Destination 170.1.1.1
Internet to NAT router:   Source 170.1.1.1   Destination 200.1.1.1
NAT router to Client:     Source 170.1.1.1   Destination 10.1.1.1]

Scaling the IP Address Space for the Internet 261

Notice that the router, performing NAT, changes the packet’s source IP address when leaving the private organization and the destination address in each packet forwarded back into the private network. (Network 200.1.1.0 is registered in Figure 8-2.) The NAT feature, configured in the router labeled NAT, performs the translation.

Cisco IOS software supports several variations of NAT. The next few pages cover the concepts behind several of these variations. The section after that covers the configuration related to each option.

Static NAT

Static NAT works just like the example shown in Figure 8-2, but with the IP addresses statically mapped to each other. To help you understand the implications of static NAT, and to explain several key terms, Figure 8-3 shows a similar example with more information.

Figure 8-3 Static NAT Showing Inside Local and Global Addresses

[Figure: hosts 10.1.1.1 and 10.1.1.2 sit on the private side of the NAT router; a Server at 170.1.1.1 sits on the Internet side. A packet from 10.1.1.1 carries SA 10.1.1.1 before the NAT router and SA 200.1.1.1 after it. The NAT table in the figure is:

Private Address   Public Address
10.1.1.1          200.1.1.1
10.1.1.2          200.1.1.2]

First, the concepts. The company’s ISP has assigned it registered network 200.1.1.0. Therefore, the NAT router must make the private IP addresses look like they are in network 200.1.1.0. To do so, the NAT router changes the source IP addresses in the packets going left to right in the figure.

In this example, the NAT router changes the source address (“SA” in the figure) of 10.1.1.1 to 200.1.1.1. With static NAT, the NAT router simply configures a one-to-one mapping between the private address and the registered address that is used on its behalf. The NAT router has statically configured a mapping between private address 10.1.1.1 and public, registered address 200.1.1.1.


Supporting two IP hosts in the private network requires a second static one-to-one mapping using a second IP address in the public address range. For instance, to support 10.1.1.2, the router statically maps 10.1.1.2 to 200.1.1.2. Because the enterprise has a single registered Class C network, it can support at most 254 private IP addresses with NAT.
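As an added example (not code from the book), the following Python models the static NAT of Figures 8-2 and 8-3 together with the RFC 1918 check from Table 8-2: a one-to-one table of inside local to inside global addresses, source rewriting on the way out, destination rewriting on the way back, and a drop of any inside packet whose private source has no mapping, so that a private address never reaches the Internet untranslated. The `Packet` and `StaticNAT` names are my own; the addresses are the book's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# The three RFC 1918 ranges from Table 8-2.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 ranges (never routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def max_static_mappings(registered_net: str) -> int:
    """Usable inside global addresses in a registered block, excluding network and broadcast."""
    return ipaddress.ip_network(registered_net).num_addresses - 2


@dataclass
class Packet:
    src: str  # source IP address ("SA" in Figure 8-3)
    dst: str  # destination IP address ("DA" in Figure 8-4)


class StaticNAT:
    """One-to-one static NAT between inside local and inside global addresses (Figure 8-3)."""

    def __init__(self, mappings: Dict[str, str]):
        # mappings: inside local -> inside global, e.g. {"10.1.1.1": "200.1.1.1"}
        for glob in mappings.values():
            if is_private(glob):
                raise ValueError(f"inside global {glob} is RFC 1918; it cannot represent a host on the Internet")
        self.local_to_global = dict(mappings)
        self.global_to_local = {g: l for l, g in mappings.items()}
        if len(self.global_to_local) != len(self.local_to_global):
            raise ValueError("each inside global address must map to exactly one inside local")

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the enterprise: rewrite the source address.
        Returns None (drop) when the source has no mapping, so an
        untranslated private source never leaks onto the Internet."""
        glob = self.local_to_global.get(pkt.src)
        return None if glob is None else Packet(src=glob, dst=pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Reply entering from the Internet: rewrite the destination back to the inside local.
        Returns None (drop) when the destination is not a known inside global address."""
        local = self.global_to_local.get(pkt.dst)
        return None if local is None else Packet(src=pkt.src, dst=local)
```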

The terminology used with NAT, particularly with configuration, can be a little confusing. Notice in Figure 8-3 that the NAT table lists the private IP addresses as “private” and the public, registered addresses from network 200.1.1.0 as “public.” Cisco uses the term inside local for the private IP addresses in this example and inside global for the public IP addresses.

In Cisco terminology, the enterprise network that uses private addresses, and therefore that needs NAT, is the “inside” part of the network. The Internet side of the NAT function is the “outside” part of the network. A host that needs NAT (such as 10.1.1.1 in the example) has the IP address it uses inside the network, and it needs an IP address to represent it in the outside network. So, because the host essentially needs two different addresses to represent it, you need two terms. Cisco calls the private IP address used in the “inside” network the inside local address and the address used to represent the host to the rest of the Internet the inside global address. (Although Cisco doesn’t use these exact terms, sometimes substituting “private” for “local” and “public” for “global” makes a little more sense to many people. Just keep all terms in mind for the exam.)

Figure 8-4 repeats the same example, with some of the terminology shown.

Figure 8-4 Static NAT Terminology

[Figure: the same topology as Figure 8-3, with the enterprise side labeled Inside and the Internet side labeled Outside. Hosts 10.1.1.1 and 10.1.1.2 are on the inside; the Server at 170.1.1.1 is on the outside. An outbound packet carries SA 10.1.1.1 before the NAT router and SA 200.1.1.1 after it; the reply carries DA 200.1.1.1 on the outside and DA 10.1.1.1 after the NAT router. The NAT table in the figure is:

Inside Local   Inside Global
10.1.1.1       200.1.1.1
10.1.1.2       200.1.1.2]


Most typical NAT features change only the IP address of “inside” hosts. Therefore, the current NAT table shown in Figure 8-4 shows the inside local and corresponding inside global registered addresses. However, the outside host IP address can also be changed with NAT. When that occurs, the terms outside local and outside global are used to denote the IP address used to represent that host in the inside network and the outside network, respectively. An example later in this section explains more about translating outside addresses. Table 8-3 summarizes the terminology and meanings.

Table 8-3 NAT Addressing Terms

Term: Inside local
Meaning: In a typical NAT design, the term “inside” refers to an address used for a host inside an enterprise. An inside local is the actual IP address assigned to a host in the private enterprise network. A more descriptive term might be “inside private,” because when using RFC 1918 addresses in an enterprise, the inside local represents the host inside the enterprise, and it is a private RFC 1918 address.

Term: Inside global
Meaning: In a typical NAT design, the term “inside” refers to an address used for a host inside an enterprise. NAT uses an inside global address to represent the inside host as the packet is sent through the outside network, typically the Internet. A NAT router changes the source IP address of a packet sent by an inside host from an inside local address to an inside global address as the packet goes from the inside to the outside network. A more descriptive term might be “inside public,” because when using RFC 1918 addresses in an enterprise, the inside global represents the inside host with a public IP address that can be used for routing in the public Internet.

Term: Outside global
Meaning: In a typical NAT design, the term “outside” refers to an address used for a host outside an enterprise—in other words, in the Internet. An outside global is the actual IP address assigned to a host that resides in the outside network, typically the Internet. A more descriptive term might be “outside public,” because the outside global represents the outside host with a public IP address that can be used for routing in the public Internet.

Term: Outside local
Meaning: In a typical NAT design, the term “outside” refers to an address used for a host outside an enterprise—in other words, in the Internet. NAT uses an outside local address to represent the outside host as the packet is sent through the private enterprise network (inside network). A NAT router changes a packet’s destination IP address, sent from an inside host to the outside global address, as the packet goes from the inside to the outside network. A more descriptive term might be “outside private,” because when using RFC 1918 addresses in an enterprise, the outside local represents the outside host with a private IP address from RFC 1918.