S6C11 - NAT
Network Security Translation
NAT Described
• Globally unique ONLY in terms of public
internet
– Translates private addresses into publicly
usable addresses to be used on public Internet
• Saves usable IP addresses
– Effective means for hiding actual device
addressing within a private network
• Aka Network Address Translator
– defined in RFC 1631
NAT and PAT
• NAT Translation
– NAT box can be a Cisco router, a UNIX system, a Windows XP
server, or several other kinds of systems.
• router looks inside the IP header and, if appropriate, replaces
the local IP address with a globally unique IP address
• When an outside host sends a response the NAT router receives
it, checks the current table of network address translations, and
replaces the destination address with the original inside source
address
• Port Address Translation
– allows the user to conserve addresses in the global address pool by
allowing source ports in TCP connections or UDP conversations to
be translated. Different local addresses then map to the same global
address
PAT Limitations
• As long as the inside global port numbers are
unique for each inside local host, NAT overload
will work.
• NAT overload can go a long way to alleviate
address depletion, but its capabilities are limited
• A realistic number is approximately 4,000 local
addresses per global address.
• Each Nat translation consumes about 160 bytes of
router DRAM.
Static Translation
• Translates inside local addresses
• Establishes a mapping between inside local and global
addresses
– Configured statically, one entry at a time
– for every inside local address, static NAT requires an inside
global address
– typically used in conjunction with dynamic NAT, in cases where
you have overlapping networks
• RTA(config)#ip nat inside source static 10.1.1.7
• Specify an inside and outside interface
–
–
–
–
RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside
171.70.2.10
Dynamic Translation
• Translates inside local addresses
– Establishes a mapping between inside local and
global addresses
• Mappings configured dynamically by the router as
needed
– translations don't exist in the NAT translation table until
the router receives traffic that requires translation (such
traffic is defined by an administrator). Dynamic
translations are temporary, and will eventually time out.
Configuration for Dynamic
• Create a pool of IP addresses to be allocated as
needed
– Router(config)#ip nat pool name start-ip end-ip
netmask netmask | prefix-length prefix-length}
• Specify which addresses to translate
– router(config)#access-list access-list-number permit
source [source-wildcard]
• establish a dynamic translation based on source
– Router(config)#ip nat inside source list access-listnumber pool name
• Configure at least one inside interface & 1 outside
– Router(config-if)#ip nat inside
Why Dynamic?
• Although NAT is not a security firewall, it
can prevent outsiders from initiating
connections with inside hosts, unless a
permanent global address mapping exists in
the NAT table (static NAT). Because outside
hosts never see the "pre-translated" inside
addresses, NAT has the effect of hiding the
inside network structure.
Address Definitions
• Inside local – IP address assigned to a host on
inside network
• Inside global – A legitimate IP address (assigned
by NIC or service provider) that represents local
IP address to outside world
• Outside local – IP address of outside host as it
appears to inside network; allocated from inside
addressable routable space
• Outside global – IP address assigned to a host on
outside network by owners; allocated from
globally routable address space
NAT and Address Overlapping
• NAT can resolve address issues when inside
addresses overlap with addresses in outside
network
– When two companies with similar address
structures merge
– When ISPs are swapped & another client has
same address structure
Overload Configuration
• Configure NAT overload by using the keyword overload:
– Router(config)#ip nat inside source list access-list-number pool name
overload
• RTA is configured
– RTA(config)#ip nat pool mypatpool 171.70.2.1
171.70.2.30 netmask 255.255.255.0
– RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
– RTA(config)#ip nat inside source list 24 pool
mypatpool overload
– RTA(config)#interface bri 0
• RTA(config-if)#ip nat outside
– RTA(config-if)#interface ethernet 0
• RTA(config-if)#ip nat inside
Overload Alternative
• You can overload the address of an outside
interface
– Router(config)#ip nat inside source list accesslist-number interface interface-name
overload
• Config# ip nat inside MyPool access-list-2 int s0
overload
Information Needed
• ISDN
– Switch type, Spids, directory number (local seven digit
ISDN phone number of router)
• ISP
– PPP Client Name (ISP assigns as login name
– PPP Authentication type and password
– IP address information – (includes subnet mask) used in
router’s public address pool
– ISP phone number
Atlanta Configuration
Default/Generic
•
•
•
•
•
•
•
•
•
•
IP subnet-zero
No IP domain-look
Enable secret cisco
IP NAT translation timeout 1800
Isdn switch-type basic-ni1
IP classless
IP http server
Line con 0
line vty 0 4
Password cisco
password telnet
Login
login
Atlanta Configuration
•
•
•
•
•
•
Hostname Atlanta
IP net inside source list 1 int d0 overload
Ip nat inside source statis 10.1.1.2 215.1.1.2
Int e0
Ip address 10.1.1.1 255.0.0.0
Ip nat inside
Atlanta Continued - Bri
•
•
•
•
•
•
Int bri 0
No ip address
Encap ppp
Dialer rotary-group 0
Isdn spid1 014045551111000 5551111
Isdn spid2 014045552222000 5552222
Atlanta Continued - dialer
•
•
•
•
•
•
•
•
•
•
Int d0
IP address 215.1.1.1 255.255.255.0
IP nat outside
Encap ppp
Dialer in-band
Dialer idle-timeout 200
Dialer string 1408555333 class 56K
Dialer hold queue 10
Dialer load-threshold 200 either
Dialer-group 1
Atlanta Dialer Cont’d
•
•
•
•
PPP authentication chap callin
PPP chap hostname Atlanta
PPP chap password gocisco1
PPP multilink
Atlanta Continued –
Map Class and Routes
•
•
•
•
•
•
IP route 0.0.0.0 0.0.0.0 Dialer0
IP route 20.0.0.0 255.0.0.0 10.1.1.2
Map-class dialer 56K
Access-list 1 permit 10.0.0.0 0.255.255.255
Access-list 1 permit 20.0.0.0 0.255.255.255
Dialer-list 1 protocol IP permit
Boston Configuration
•
•
•
•
•
•
•
•
•
•
Hostname Boston
Int e0
Ip address 20.1.1.1 255.0.0.0
Int e1
IP address 10.1.1.2 255.0.0.0
IP route 0.0.0.0 0.0.0.0 10.1.1.1
IP http server
Line con0
line vty 0
Password cisco password telnet
Login
login
TCP Load Distribution
• Define a pool of addresses containing the
addresses of the real hosts:
– Router(config)#ip nat pool name start-ip end-ip
{netmask netmask | prefix-length prefix-length} type
rotary
• Define an access list permitting the address of the
virtual host:
– Router(config)#access-list access-list-number permit
source [source-wildcard]
• Establish dynamic inside destination translation,
identifying the access list defined in Step 2:
– Router(config)#ip nat inside destination list access-listnumber pool name
TCP Continued
• Specify the inside interface:
– Router(config)#interface type number
• Mark the interface as connected to the inside:
– Router(config-if)#ip nat inside
• Specify the outside interface:
– Router(config-if)#interface type number
• Mark the interface as connected to the outside:
– Router(config-if)#ip nat outside
NAT Advantages
• Conserves the legally registered addressing
scheme by allowing the privatization of intranets
• reduces the instances in which addressing schemes
overlap
• Increases the flexibility of connection to the
public network.
– Multiple pools, backup pools, and load sharing/
balancing pools can be implemented to help ensure
reliable public network connections
• De-privatization of a network
– NAT allows the existing scheme to remain, and it still
supports the new assigned addressing scheme outside
NAT Disadvantages
• NAT increases delay.
– Switching path delays, of course, are introduced
because of the translation of each IP address within the
packet headers
• Loss of end-to-end IP traceability
• Forces some applications that use IP addressing to
stop functioning because it hides end-to-end IP
addresses
– Solution -- implement static NAT mappings.
Supported Traffic Types
• Any TCP/UDP traffic that does not carry source or
destination IP addresses in the application data stream
•
Hypertext Transfer Protocol (HTTP)
•
Trivial File Transfer Protocol (TFTP)
•
Telnet
•
Archie
•
Finger
•
Network Timing Protocol (NTP)
•
Network File System (NFS)
•
rlogin, rsh, rcp
More Supported Types
Even those that do carry address data in data stream
- File Transfer Protocol (FTP) (including PORT and
PASV commands)
– NetBIOS over TCP/IP (datagram, name, and session
services)
– Progressive Networks' RealAudio White Pines'
CuSeeMe
– Xing Technologies' Streamworks
– DNS "A" and "PTR" queries
– H.323/NetMeeting [12.0(1)/12.0(1)T and later]
– VDOLive [11.3(4)11.3(4)T and later]
– Vxtreme [11.3(4)11.3(4)T and later]