Stateless NAT Guide

Introduction

This document gives an overview of Stateful NAT vs. Stateless NAT before diving into a few common use-cases, and concludes with an overview of the steps required to configure it.

Note

Stateless NAT is also commonly referred to as ‘1-1 NAT’ (one-to-one NAT) and DNAT (destination NAT).

For an example use-case, see the Stateless NAT HowTo.

Overview

All hosts on a public network have a unique IP address used to route IP packets to their intended destination. Scarcity of IPv4 addresses forced the ever-expanding Internet to adopt private IP addresses (see RFC 1918) for local networks. When connecting such a local network to the public Internet, the private addresses must be translated to one or more public addresses; this is referred to as Network Address Translation (NAT). The unit conducting the translation is typically referred to as a NAT gateway.

There are two common techniques:

  • Stateful NAT, NAPT, or IP masquerading: share one public IP address
  • Stateless NAT, 1-to-1 NAT, or DNAT: map range of public addresses

Stateful NAT

Stateful NAT is for sharing one public IP address. It is also commonly referred to as Network Address Port Translation (NAPT), or as IP masquerading.

                   .-----.
                   | WWW |    203.0.113.42
                   '--+--'
                      |
                  .--.-.
                 ( (    )__
                (_,  \ ) ,_)  Internet/Intranet
                  '-'--`--'
                   |
       ^           |.33       10.0.0.0/24
       |       .---+--.
     Public    |      | vlan2
     ------    |  GW  |
     Private   |      | vlan1
       |       '---+--'
       V           |.1
                   |          192.168.1.0/24
         ---+------+---+----------+---------
            |          |          |
            |.11       |.5        |.139
          .-+--.     .-+--.     .-+--.
          | H1 |     | H2 |     | H3 |
          '----'     '----'     '----'

Figure 1: All private hosts masqueraded as 10.0.0.33 behind GW.

The NAT gateway has only one public IP address, which is shared by all hosts on the private network. E.g., when H1 sends a packet to WWW, the gateway replaces the source IP 192.168.1.11 with 10.0.0.33 before forwarding the packet to the public side.

However, since all hosts on the private network map to the same public address, the gateway must also modify the (UDP/TCP) port numbers for each connection and keep a record of all connections to be able to track the return traffic. Stateful NAT is not covered further here.

Stateless NAT

With stateless NAT, there is exactly one public address for each private address. It is commonly used for 1-to-1 NAT, where a range of public addresses maps to a range of internal/private addresses.

In the image below, the range 10.0.2.0/24 can be used to address each of the devices H1 to H3 from the other side of the gateway. For each address, the gateway translates the 10.0.2.0/24 range to 192.168.1.0/24.

              .-----.
              | WWW |    203.0.113.42
              '--+--'
                 |
             .--.-.
            ( (    )__
           (_,  \ ) ,_)  Internet/Intranet
             '-'--`--'
              |
  ^           |.33       10.0.0.0/24
  |       .---+--.
Public    |      | vlan2
------    |  GW  |
Private   |      | vlan1
  |       '---+--'
  V           |.1        (10.0.2.0/24)
              |          192.168.1.0/24
    ---+------+---+----------+---------
       |          |          |
       |.11       |.5        |.139
     .-+--.     .-+--.     .-+--.
     | H1 |     | H2 |     | H3 |
     '----'     '----'     '----'

Figure 2: All private hosts have a corresponding public IP.

With stateless NAT, each host on the private side is known by a unique address on the public side. For example, H1 with private address 192.168.1.11 is known by address 10.0.2.11 on the public side, H2 with private address 192.168.1.5 is known by address 10.0.2.5 on the public side, etc. The address translation at the NAT gateway is a simple operation, just swapping the network part. Thus, the NAT gateway does not need to keep any state.

Configuration

Stateless NAT configuration is a sub-context to the IP configuration context in the CLI:

example:/#> configure
example:/config/#> ip
example:/config/ip/#> stateless-nat
example:/config/ip/stateless-nat#>

Syntax

dnat in IN-IFACE dst ADDR[/LEN] to-dst ADDR [passive]

The dnat setting performs stateless network address translation (NAT) on the IP destination address. It is worth mentioning that addresses are translated in both directions.

in IN-IFACE
inbound interface (typically the public interface)
dst ADDR[/LEN]
address or range to translate from, with an optional prefix length. If no /LEN is given, a single address is translated, same as /32
to-dst ADDR
address or range to translate to. Notice the lack of /LEN here
[passive]
optionally deactivate the DNAT rule without removing it from the configuration

Note

In interactive mode the CLI will ask if you wish to add a loopback route to the dst address or range. This is useful when also enabling Proxy ARP for this address range. For more information, see Multiple private networks and use of proxy ARP.

Apply the configuration changes and return to the Admin Exec context using:

example:/config/ip/stateless-nat#> leave
Applying configuration.
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
example:/#>
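The following is an added example, not part of this guide or the product's own code. It models the dnat rule syntax above and the "just swap the network part" translation described under Stateless NAT: it parses a rule line, applies the /32 default when /LEN is omitted, honours passive, and rewrites the destination of inbound packets and the source of reply packets with no connection state. The helper names (parse_dnat, translate) and the exact packet-direction model are assumptions of this example.

```python
import ipaddress

# Constructed example rule, matching Figure 2 of the guide:
#   dnat in vlan2 dst 10.0.2.0/24 to-dst 192.168.1.0
# Helper names and the direction model below are assumptions of this example.

def parse_dnat(line):
    """Parse 'dnat in IN-IFACE dst ADDR[/LEN] to-dst ADDR [passive]' into a dict.
    A missing /LEN means a single address, i.e. /32 (as the syntax note says)."""
    tok = line.split()
    if len(tok) < 7 or tok[:2] != ["dnat", "in"] or tok[3] != "dst" or tok[5] != "to-dst":
        raise ValueError("malformed dnat rule: %r" % line)
    public = ipaddress.ip_network(tok[4] if "/" in tok[4] else tok[4] + "/32", strict=False)
    # to-dst carries no /LEN: the private range takes the same prefix length
    private = ipaddress.ip_network("%s/%d" % (tok[6], public.prefixlen), strict=False)
    return {"iface": tok[2], "public": public, "private": private,
            "passive": len(tok) > 7 and tok[7] == "passive"}

def translate(rule, src, dst, in_iface):
    """Return (src, dst) after stateless translation.
    Only the network bits are swapped and the host bits kept, so no connection
    table is needed.  A packet arriving on IN-IFACE has its destination rewritten;
    a packet arriving from the private side has its source rewritten, which is how
    the translation works 'in both directions'."""
    if rule["passive"]:          # rule present but deactivated: no change
        return src, dst
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pub, priv = rule["public"], rule["private"]
    host_mask = (1 << (32 - pub.prefixlen)) - 1
    if in_iface == rule["iface"] and dst in pub:
        # inbound: 10.0.2.11 -> 192.168.1.11
        dst = ipaddress.ip_address(int(priv.network_address) | (int(dst) & host_mask))
    elif in_iface != rule["iface"] and src in priv:
        # reply direction: 192.168.1.11 -> 10.0.2.11
        src = ipaddress.ip_address(int(pub.network_address) | (int(src) & host_mask))
    return str(src), str(dst)

if __name__ == "__main__":
    rule = parse_dnat("dnat in vlan2 dst 10.0.2.0/24 to-dst 192.168.1.0")
    print(translate(rule, "203.0.113.42", "10.0.2.11", "vlan2"))
    print(translate(rule, "192.168.1.11", "203.0.113.42", "vlan1"))
```

Addresses outside the dst range (e.g. the gateway's own 10.0.0.33) pass through untouched, which is the check to run when a host is unexpectedly unreachable after adding a rule.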