Post on 26-Dec-2015
1© 2003 Cisco Systems, Inc. All rights reserved.
Network Address Translation
Brigham Young University-Idaho
CIT 340
Short Term Solutions: IPv4 Enhancements
• CIDR (Classless Inter-Domain Routing) – RFCs 1517, 1518, 1519, 1520
• VLSM (Variable Length Subnet Mask) – RFC 1009
• Private Addressing - RFC 1918
• NAT/PAT (Network Address Translation / Port Address Translation) – RFC 1631 & 3022
Private Address Space
• RFC 1918 sets aside three ranges of IP addresses for private networks
10.0.0.0/8 (10.0.0.0 through 10.255.255.255)
172.16.0.0/12 (172.16.0.0 through 172.31.255.255)
192.168.0.0/16 (192.168.0.0 through 192.168.255.255)
• Addresses in these blocks are not routable on the Internet. A border router must not advertise them, and a packet arriving from the outside with a private source or destination address is either leaked, misrouted or spoofed and should be dropped.
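The "do not route private addresses to the Internet" rule above, turned into an ingress check on the Internet-facing interface. This is an added Python example, not code from the slides or from Cisco; the packet list is constructed for the demonstration, and 200.1.1.25 is the public address used elsewhere in this deck.

```python
import ipaddress

# The three RFC 1918 blocks; 172.16.0.0/12 is the CIDR form of
# 172.16.0.0 - 172.31.255.255.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 ranges.
    Deliberately narrower than ipaddress's is_private, which also
    covers loopback, link-local, documentation and other reserved space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def outside_ingress_verdicts(packets):
    """Apply the RFC 1918 rule to (src, dst) pairs seen arriving on the
    OUTSIDE (Internet-facing) interface. A private source there is a leak
    or a spoof; a private destination can never have been reached through
    the Internet. Both are dropped, everything else is permitted."""
    verdicts = []
    for src, dst in packets:
        if is_rfc1918(src):
            verdicts.append((src, dst, "drop: private source from outside"))
        elif is_rfc1918(dst):
            verdicts.append((src, dst, "drop: private destination from outside"))
        else:
            verdicts.append((src, dst, "permit"))
    return verdicts


# Constructed sample packets (src, dst) as they might appear on the outside interface.
SAMPLE_PACKETS = [
    ("198.51.100.7", "200.1.1.25"),   # ordinary Internet host to our public address
    ("10.1.2.25", "198.51.100.7"),    # inside host that escaped untranslated, or a spoof
    ("172.31.4.9", "200.1.1.25"),     # top end of the 172.16/12 block
    ("172.32.0.1", "200.1.1.25"),     # one past 172.16/12: public, not private
    ("203.0.113.5", "192.168.1.10"),  # private destination cannot arrive from the Internet
]

if __name__ == "__main__":
    for src, dst, verdict in outside_ingress_verdicts(SAMPLE_PACKETS):
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

The 172.32.0.1 case is the one people get wrong by hand: the second block is a /12, so 172.32.x.x is public address space and must be forwarded.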
Address Translation
• Network Address Translation
One-to-one translation: each inside local IP address is mapped to its own inside global address.
• Port Address Translation
Many-to-one translation: multiple inside local IP addresses are translated to a single inside global address, with the transport-layer port number telling the sessions apart.
Network Address Translation
• NAT is performed by a device such as a router that translates one set of IP addresses into another set
Can conserve IP addresses by translating a large pool of private addresses into a small pool of public addresses
• Disadvantages include added latency from per-packet processing, and breakage of protocols or applications that carry IP addresses in the payload of the packet (FTP and SIP are the usual examples), since the translator rewrites only the IP header
Network Address Translation (NAT) Addresses
• Inside Local - the address a host on the private (inside) network actually uses
• Inside Global - the public, usually registered, address into which the inside local address is translated; what the outside world sees
• Outside Global - the actual address of a host on the outside public network
• Outside Local - the address an outside host appears to have as seen from the inside network (the translation of an outside global address); identical to the outside global unless outside source translation is configured
NAT Inside/Outside & Local/Global Relationship
(Figure: the source address SA and destination address DA carried in the IP header on each side of the NAT router)

Packet direction     Inside network        Outside network
Inside -> Outside    SA = Inside Local     SA = Inside Global
                     DA = Outside Local    DA = Outside Global
Outside -> Inside    SA = Outside Local    SA = Outside Global
                     DA = Inside Local     DA = Inside Global
Advantages of NAT
• Allows you to increase or decrease the number of registered IP addresses without changing devices in the network.
• Static translations are manually configured to translate a single global IP address to a single local IP address.
• Dynamic mappings are configured on the NAT border router by using a pool of one or more registered IP addresses. Devices on the inside of the network that wish to communicate with a host on the outside network can use these addresses in the pool.
Advantages of NAT (Continued)
• NAT can be configured to allow the basic load sharing of packets among multiple servers using the TCP load distribution feature. TCP load distribution uses a single outside IP address, which is mapped to multiple addresses. Incoming connections are distributed in a round-robin fashion among IP addresses in the internal pool.
• If you switch ISPs and need to change the registered IP addresses you are using, NAT makes it so you don’t have to renumber every device in your network. The only change is the addresses that are being used in the NAT pool.
Advantages of NAT (continued)
• NAT also helps if you merge with another company and you are both using the same RFC 1918 address space. You can configure NAT on the border router between your routing domains to translate the address from one network to the other.
Disadvantages of NAT
• NAT increases latency. Every packet must be examined to see whether it needs translation, and translated packets need their IP and transport checksums recomputed.
• NAT hides end-to-end IP addresses, which renders some applications unusable.
• NAT changes IP addresses, so an IP flow can no longer be tracked end-to-end. This also means an outside observer cannot tell which inside host really sent a packet. That is a side effect, not a security control: the true source is still recorded in the router's NAT table and logs, and NAT on its own permits anything the translation table allows, so it is no substitute for a firewall or access lists.
Disadvantages of NAT (continued)
• NAT makes troubleshooting, and tracking malicious traffic back to a host, more difficult: the address in an outside log must first be matched against the NAT table for the time in question.
• A host that must be reachable from the outside network has two IP addresses, one inside and one outside, so DNS has to answer differently depending on who is asking. This is the split DNS problem: you set up two DNS views or servers, an internal one that returns the inside local address and an external one that returns the inside global address.
Network Address Translation (NAT)
• NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header.
• In practice, NAT is used to allow hosts that are privately addressed to access the Internet.
Network Address Translation (NAT)
• NAT translations can occur dynamically or statically.
• The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address.
• This is sometimes called a many-to-one NAT.
• With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address.
• The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers.
(Figure: two inside hosts both using TCP source port 1026 are translated to the single inside global address 2.2.2.2, one as TCP source port 1923 and the other as TCP source port 1924, so the router can tell their return traffic apart.)
Translating Inside Local Addresses
(Figure: a host with inside local address 10.1.2.25 sends through the NAT border router, whose Internet-facing interface is 206.100.29.1; on the way out its source address is rewritten to the inside global address 200.1.1.25.)

Inside local IP    Inside global IP
10.1.2.25          200.1.1.25
Configuring NAT
• Each interface must be designated either inside or outside, so the router knows which direction a packet is travelling and which translation rules apply to it. Translation only happens between an inside and an outside interface.
Router(config)#interface e0/0
Router(config-if)#ip nat inside
Router(config-if)#interface s0/0
Router(config-if)#ip nat outside
Configuring Static NAT
• Static NAT maps one inside global address to one inside local address
Router(config)#ip nat inside source static 10.1.2.25 200.1.1.25
• This creates a permanent entry in the NAT table: traffic sent to 200.1.1.25 is translated to 10.1.2.25, and traffic from 10.1.2.25 leaves with source 200.1.1.25. Because the entry is permanent, the inside host is reachable from the Internet at all times, so pair it with an access list on the outside interface that allows in only the services you intend to expose. You can also translate just a single port, which exposes only that service:
Router(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80
Router(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81
Configuring Dynamic NAT
• Dynamic NAT maps inside local addresses to inside global addresses on the fly, taking them from a pool of available addresses as hosts start sending
• First designate the inside and outside interfaces. Then create an access list that selects the traffic to be translated, configure the pool of addresses, and bind the list to the pool
Router(config)#int f0/0
Router(config-if)#ip nat inside
Router(config-if)#int s0/0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 12 permit 10.1.2.0 0.0.0.255
Router(config)#ip nat pool outbound 200.1.1.2 200.1.1.254 prefix-length 24
Router(config)#ip nat inside source list 12 pool outbound
Router(config)#
• The pool's mask can be given either as a dotted-decimal netmask or as a prefix-length (the number of bits in the subnet mask); the two forms are equivalent
Could also use netmask 255.255.255.0
Configuring NAT Using Overloading
• Once all the IP addresses in a pool have been allocated, any new connection attempts fail. So if your ISP allocates 13 addresses, only the first 13 hosts will be able to reach the Internet. Once a NAT entry has timed out, its IP address is released back to the pool.
• Configuring overloading allows the router to reuse each IP address in the pool. It changes not only the IP addresses but the port number also.
• This is known as Port Address Translation (PAT) also known as Network Address and Port Translation (NAPT).
• The router will add the protocol and port information for each translation entry, which allows more inside IP addresses to access the outside network than there are IP addresses in the pool.
Configuring NAT Using Overloading (continued)
• The pool can be a single IP address, yet it can support roughly 64,000 concurrent translations per transport protocol (TCP and UDP each have their own port space), because the router varies the outbound port number for each one. That is the practical upper bound on sessions, not hosts: one busy or scanning host can consume thousands of ports by itself.
Configuring NAT Using Overloading (continued)
Router(config)#ip nat inside source list 12 pool outbound overload
Router(config)#
• This applies the pool and access list and allows the use of ports with the overload command
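A model of what the dynamic-NAT and overload configurations above do to packets, as an added Python example; it is not Cisco code and not from the original slides. It reproduces the behaviour the slides describe: a pool that runs dry and refuses the next host until an entry times out, and overload mode in which two inside hosts using the same source port (the 1026/1026 case from the PAT figure) are given different global ports so return traffic can be demultiplexed. The port-preservation rule in _allocate_port and the inside-only key of the PAT table are this model's simplifications, not a statement about IOS internals; the access list is represented by a Python function.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def acl_12(ip):
    """Stand-in for 'access-list 12 permit 10.1.2.0 0.0.0.255'."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("10.1.2.0/24")


class NatRouter:
    """Model of 'ip nat inside source list <acl> pool <pool> [overload]'.
    Without overload each permitted inside host takes a whole pool address
    (dynamic NAT); with overload the pool addresses are shared and the
    (protocol, port) pair tells the inside hosts apart (PAT/NAPT)."""

    def __init__(self, pool, overload=False, permit=acl_12, port_range=(1024, 65535)):
        self.pool = list(pool)         # the 'ip nat pool' addresses
        self.overload = overload
        self.permit = permit           # the access list
        self.port_range = port_range   # global ports PAT may hand out
        self.free_addrs = list(pool)   # dynamic NAT: pool addresses not yet assigned
        self.addr_map = {}             # inside local -> inside global
        self.port_map = {}             # (proto, inside local, lport) -> (inside global, gport)
        self.reverse = {}              # (proto, inside global, gport) -> (inside local, lport)

    def translate_out(self, pkt):
        """Inside -> outside. Returns the translated packet, the untouched packet
        when the access list does not match, or None when no entry can be built."""
        if not self.permit(pkt.src):
            return pkt
        if not self.overload:
            g = self.addr_map.get(pkt.src)
            if g is None:
                if not self.free_addrs:
                    return None        # pool exhausted: the 14th user on a 13-address pool
                g = self.free_addrs.pop(0)
                self.addr_map[pkt.src] = g
            return Packet(pkt.proto, g, pkt.sport, pkt.dst, pkt.dport)
        # PAT entries are keyed on the inside side only (a simplification of this
        # model; IOS extended entries also record the outside addresses).
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.port_map:
            binding = self._allocate_port(pkt.proto, pkt.sport)
            if binding is None:
                return None            # every port on every pool address is in use
            self.port_map[key] = binding
            self.reverse[(pkt.proto,) + binding] = (pkt.src, pkt.sport)
        g, gport = self.port_map[key]
        return Packet(pkt.proto, g, gport, pkt.dst, pkt.dport)

    def _allocate_port(self, proto, wanted):
        """Keep the host's own source port if it is free on a pool address (an
        assumption of this model); otherwise take the lowest free port. Two
        inside hosts using the same source port therefore get different global
        ports, which is what lets return traffic be demultiplexed."""
        lo, hi = self.port_range
        for g in self.pool:
            if lo <= wanted <= hi and (proto, g, wanted) not in self.reverse:
                return (g, wanted)
        for g in self.pool:
            for p in range(lo, hi + 1):
                if (proto, g, p) not in self.reverse:
                    return (g, p)
        return None

    def translate_in(self, pkt):
        """Outside -> inside: undo the translation for return traffic. Returns
        None when no entry exists, i.e. an unsolicited packet to a pool
        address is dropped rather than delivered anywhere."""
        if self.overload:
            hit = self.reverse.get((pkt.proto, pkt.dst, pkt.dport))
            if hit is None:
                return None
            local, lport = hit
            return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)
        for local, g in self.addr_map.items():
            if g == pkt.dst:
                return Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        return None

    def expire(self, inside_local):
        """Age out every entry of one host (what the NAT timeout does), handing
        its pool address or global ports back for reuse."""
        g = self.addr_map.pop(inside_local, None)
        if g is not None:
            self.free_addrs.append(g)
        for key in [k for k in self.port_map if k[1] == inside_local]:
            g, gport = self.port_map.pop(key)
            self.reverse.pop((key[0], g, gport), None)
```

Run it with a two-address pool and a third host to see the pool refuse the third until one entry expires; run it with overload=True and a small port_range to see port exhaustion arrive just as surely, only later. The None from translate_in is the property worth noticing: with no matching entry an inbound packet to a pool address goes nowhere, which is the only "protection" NAT gives and is purely a consequence of the table, not of policy.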
Configuring TCP Load Distribution
• NAT has one feature that is unrelated to conserving public addresses.
• TCP load distribution allows the load destined for one well-known address (for example a web server) to be spread across several inside hosts.
• Destination addresses that match an access list are replaced with addresses from a pool that has been designated as a rotary pool by adding the type rotary keywords at the end of the ip nat pool command. New TCP connections are handed to the pool's addresses in turn; only TCP is distributed.
Configuring TCP Load Distribution(continued)
Router(config)#ip nat pool web-hosts 10.1.1.1 10.1.1.19 netmask 255.255.255.0 type rotary
Router(config)#access-list 12 permit 10.1.1.254
Router(config)#ip nat inside destination list 12 pool web-hosts
• Here 10.1.1.254 is the virtual address clients connect to, and 10.1.1.1 through 10.1.1.19 are the real servers. The access list matches the destination of incoming packets, not their source as in the earlier examples.
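The rotary-pool behaviour just configured, as an added Python model (not Cisco code and not from the original slides). It uses a three-server pool instead of the slide's nineteen so the round-robin is easy to follow, keeps one entry per TCP connection so later packets of a connection stay on their server, and leaves non-TCP traffic untouched. The client addresses and ports are constructed for the demonstration.

```python
from itertools import cycle


class RotaryPool:
    """Model of a NAT rotary pool:
        ip nat pool web-hosts 10.1.1.1 10.1.1.3 netmask 255.255.255.0 type rotary
        ip nat inside destination list 12 pool web-hosts
    New TCP connections to the virtual address are handed to the real servers
    round-robin; later packets of the same connection keep their server because
    the router holds one translation entry per connection. Only TCP is
    distributed; anything else passes through untouched."""

    def __init__(self, virtual, real_servers):
        self.virtual = virtual                  # the address the access list permits
        self.next_server = cycle(real_servers)  # the rotary pool, walked in order
        self.table = {}                         # (client ip, client port) -> real server

    def translate_in(self, proto, client_ip, client_port, dst):
        """Packet arriving from the outside: return the destination it is sent to."""
        if proto != "tcp" or dst != self.virtual:
            return dst
        key = (client_ip, client_port)
        if key not in self.table:               # first packet of a new connection
            self.table[key] = next(self.next_server)
        return self.table[key]

    def translate_out(self, server_ip, client_ip, client_port):
        """Reply from a real server: return the source address the client sees.
        It is rewritten to the virtual address so the client never learns the
        real server's address."""
        if self.table.get((client_ip, client_port)) == server_ip:
            return self.virtual
        return server_ip

    def close(self, client_ip, client_port):
        """Connection finished (or aged out): drop its entry. The next SYN from
        the same client port is treated as a new connection."""
        self.table.pop((client_ip, client_port), None)


# Constructed sequence of inbound TCP packets (client ip, client port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.5", 5000),
    ("198.51.100.9", 5000),
    ("203.0.113.5", 5001),
    ("203.0.113.5", 5000),   # a further packet of the first connection
    ("198.51.100.9", 6000),
]


def distribute(connections, virtual="10.1.1.254",
               servers=("10.1.1.1", "10.1.1.2", "10.1.1.3")):
    """Return the real server each packet in `connections` is delivered to."""
    lb = RotaryPool(virtual, servers)
    return [lb.translate_in("tcp", ip, port, virtual) for ip, port in connections]


if __name__ == "__main__":
    for conn, server in zip(SAMPLE_CONNECTIONS, distribute(SAMPLE_CONNECTIONS)):
        print(conn, "->", server)
```

Note what the model does not do, because the feature does not either: there is no health check, so a server that is down still receives every third new connection, and the round-robin is per new connection rather than per client, so a single client opening many connections is spread across all servers.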
Configuring NAT for Overlapping Addresses
• Translating overlapping addresses is similar to dynamic NAT.
• The difference is that you must configure two pools and translate in both directions: the inside source command rewrites inside hosts' addresses to the insidepool addresses as they leave, and the outside source command rewrites the overlapping outside hosts' addresses to the outsidepool addresses as seen from the inside. Inside hosts then address the outside hosts by their translated (outside local) addresses, which in practice means DNS replies must be translated as well.
Router(config)#access-list 12 permit 10.1.1.0 0.0.0.255
Router(config)#ip nat pool insidepool 10.1.2.1 10.1.2.254 netmask 255.255.255.0
Router(config)#ip nat pool outsidepool 200.1.1.2 200.1.1.254 prefix-length 24
Router(config)#ip nat inside source list 12 pool insidepool
Router(config)#ip nat outside source list 12 pool outsidepool
Router(config)#
Verifying and Troubleshooting the NAT Configuration
Router#show ip nat translations
Router#show ip nat translations verbose
Router#show ip nat statistics
Router#debug ip nat
• debug ip nat prints a line for every translated packet. On a busy router that can overwhelm the console and the CPU, so narrow it with an access list (debug ip nat access-list) or prefer the show commands, and turn it off with undebug all when done.
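The show commands above are also the raw material for detection: the NAT table is a per-session record of which inside host talked to which outside host. Below is an added Python example, not Cisco code and not from the original slides, that parses text in the column layout of show ip nat translations and then asks two questions a security engineer would ask of it: which inside host is fanning out to an unusual number of destinations (a scanner or worm pattern), and how many port-level entries each inside global address is carrying against the roughly 64,000 available. The sample output is constructed for the example, not a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Translation:
    proto: Optional[str]              # "tcp", "udp", ...; None for an address-only (simple) entry
    inside_global: str
    inside_global_port: Optional[int]
    inside_local: str
    inside_local_port: Optional[int]
    outside_local: Optional[str]      # None ("---") while the entry has no outside side
    outside_local_port: Optional[int]
    outside_global: Optional[str]
    outside_global_port: Optional[int]


def _endpoint(field):
    """'ip:port' -> (ip, port); 'ip' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


def parse_nat_translations(text):
    """Turn the text of 'show ip nat translations' into Translation records.
    Lines that are not five whitespace-separated columns (the header, blank
    lines, anything unexpected) are ignored rather than guessed at."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto = None if cols[0] == "---" else cols[0]
        ig, igp = _endpoint(cols[1])
        il, ilp = _endpoint(cols[2])
        ol, olp = _endpoint(cols[3])
        og, ogp = _endpoint(cols[4])
        entries.append(Translation(proto, ig, igp, il, ilp, ol, olp, og, ogp))
    return entries


def fan_out(entries):
    """Distinct outside global hosts per inside local host. A workstation with
    entries to many different destinations on one port is the NAT-table
    signature of a scanner or worm; address-only entries are skipped."""
    dests = defaultdict(set)
    for e in entries:
        if e.outside_global is not None:
            dests[e.inside_local].add(e.outside_global)
    return {host: len(d) for host, d in dests.items()}


def suspects(entries, threshold):
    """Inside hosts talking to at least `threshold` distinct outside hosts."""
    return sorted(h for h, n in fan_out(entries).items() if n >= threshold)


def entries_per_global(entries):
    """Port-level (extended) entries per inside global address. Compare with
    the roughly 64,000 ports per address and transport protocol to see how
    close PAT is to exhaustion."""
    counts = defaultdict(int)
    for e in entries:
        if e.inside_global_port is not None:
            counts[e.inside_global] += 1
    return dict(counts)


# Constructed sample in the layout of 'show ip nat translations' (not a real capture).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.2:1024     10.1.2.25:1026     198.51.100.7:80    198.51.100.7:80
tcp 200.1.1.2:1025     10.1.2.26:1026     198.51.100.7:80    198.51.100.7:80
udp 200.1.1.2:1026     10.1.2.25:1026     198.51.100.53:53   198.51.100.53:53
tcp 200.1.1.2:1027     10.1.2.30:40001    203.0.113.1:445    203.0.113.1:445
tcp 200.1.1.2:1028     10.1.2.30:40002    203.0.113.2:445    203.0.113.2:445
tcp 200.1.1.2:1029     10.1.2.30:40003    203.0.113.3:445    203.0.113.3:445
tcp 200.1.1.2:1030     10.1.2.30:40004    203.0.113.4:445    203.0.113.4:445
--- 200.1.1.25         10.1.2.25          ---                ---
"""

if __name__ == "__main__":
    found = parse_nat_translations(SAMPLE_OUTPUT)
    print("entries:", len(found))
    print("fan-out:", fan_out(found))
    print("suspects (>=3 destinations):", suspects(found, 3))
    print("extended entries per inside global:", entries_per_global(found))
```

In the sample, 10.1.2.30 is the host to look at: four entries to four consecutive addresses on port 445 is a sweep, and the NAT table is often the first place it becomes visible because the outside party only ever sees 200.1.1.2. A threshold of 3 is far too low for production; set it from a baseline of the table's normal fan-out.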
Commands that clear the NAT table
clear ip nat translation *
    Clears all dynamic NAT table entries. Static entries are part of the configuration and are not removed.
clear ip nat translation inside global-ip
    Clears all simple inside NAT translation entries for the specified inside global IP address.
clear ip nat translation outside local-ip
    Clears all simple outside NAT translation entries for the specified outside local IP address.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
    Clears the specific extended NAT table entry identified by the protocol and the global and local IP addresses and ports.
• Clearing an entry ends the session it carried; the next packet from the inside host simply creates a new one, which is useful when an entry is stale or when you want to force a compromised host's connections to drop.