
A10 CGN LSN

Topic 2 : Large Scale NAT
1
Agenda

- Large Scale NAT Properties
  - Endpoint Independent Mapping (EIM)
  - Endpoint Independent Filtering (EIF)
  - Hairpin support
- Application Layer Gateways
  - FTP, TFTP, RTSP, PPTP, IPSec ESP
- LSN Configuration steps
- LAB
2
Carrier-Grade NAT (CGN / LSN)

Requirements for an ISP NAT device?

- Highly transparent, so that existing user applications continue to work
  - Minimal to no impact on customers
- Well defined NAT behavior, so that new user applications can easily be developed
  - Consistent
  - Deterministic
- Fairness in resource sharing
- User guarantees and protection
- Works for both client-server (traditional) and client-client (P2P) applications
3
Carrier-Grade NAT (CGN / LSN)

Based on the following IETF RFCs and Drafts
- BEHAVE-TCP (RFC 5382)
- BEHAVE-UDP (RFC 4787)
- BEHAVE-ICMP (RFC 5508)
- CGN (draft-nishitani-cgn-0x)

Primary Features
- Sticky Internal IP to External IP mapping
- Endpoint-independent mapping & filtering
- Hair-pinning support
- Fairness in sharing the resources – User Quotas
4
Carrier-Grade NAT (CGN / LSN)

Advantage – Helps ISPs continue growing their business by temporarily alleviating the IPv4 address shortage issue

Considerations –
- Double NAT – two layers of NAT
  - NAT in the ISP network
  - NAT in the customer premises
- Addressing issues
  - Private address conflict on NAT in the customer premises
  - Subnets on ISP and customer side need to be different
  - Limited number of RFC 1918 addresses
- Does not provide a migration path to IPv6
5
NAT Terminology

Definition       Description
Inside Local     The IP address assigned to a host on the inside network – typically from RFC 1918
Inside Global    The IP address of an inside host as it appears to the outside network
Outside Local    The IP address of an outside host as it appears to the inside network
Outside Global   The IP address assigned to a host in the outside network

Outside Local = Outside Global for Source NAT
LSN = Source NAT
6
NAT Example

Inside (before translation):   Source IP 172.16.204.35   Dest IP 186.212.8.189
Outside (after translation):   Source IP 70.132.116.89   Dest IP 186.212.8.189

Protocol   Inside Global    Inside Local     Outside Local    Outside Global
UDP        70.132.116.89    172.16.204.35    186.212.8.189    186.212.8.189
7
Port Address Translation (PAT)

Many IETF documents refer to it as PAT

LSN = PAT

PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations.

The total number could theoretically be as high as 64,512 per IP address.

Well Known Ports 0-1023 are not used for PAT.

Only ephemeral ports 1024-65535 are used for PAT.

PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number.
8
End Point Independent Mapping (EIM)

Host X -> Host Y1
  Inside:   Source IP:Port X:x        Dest IP:Port Y1:y1
  Outside:  Source IP:Port X1’:x1’    Dest IP:Port Y1:y1

Host X -> Host Y2
  Inside:   Source IP:Port X:x        Dest IP:Port Y2:y2
  Outside:  Source IP:Port X2’:x2’    Dest IP:Port Y2:y2

EIM means X1’:x1’ = X2’:x2’ for all Y:y (Y1:y1 and Y2:y2)
9
End Point Independent Mapping (EIM)

Host X -> Host Y1
  Inside:   Source IP:Port 172.16.204.23:14377   Dest IP:Port 188.143.19.76:52808
  Outside:  Source IP:Port 70.132.116.89:14377   Dest IP:Port 188.143.19.76:52808

Host X -> Host Y2
  Inside:   Source IP:Port 172.16.204.23:14377   Dest IP:Port 2.88.70.0:11408
  Outside:  Source IP:Port 70.132.116.89:14377   Dest IP:Port 2.88.70.0:11408

The same external binding 70.132.116.89:14377 is reused toward both destinations.

AX(config)#ip nat lsn endpoint-independent-mapping enable
10
Address and Port Dependent Mapping (APDM)

Host X -> Host Y1
  Inside:   Source IP:Port X:x        Dest IP:Port Y1:y1
  Outside:  Source IP:Port X1’:x1’    Dest IP:Port Y1:y1

Host X -> Host Y2
  Inside:   Source IP:Port X:x        Dest IP:Port Y2:y2
  Outside:  Source IP:Port X2’:x2’    Dest IP:Port Y2:y2

APDM means X1’:x1’ = X2’:x2’ only if Y2:y2 = Y1:y1
11
Address and Port Dependent Mapping (APDM)

Host X -> Host Y1
  Inside:   Source IP:Port 172.16.204.23:14377   Dest IP:Port 188.143.19.76:52808
  Outside:  Source IP:Port 70.132.116.89:14377   Dest IP:Port 188.143.19.76:52808

Host X -> Host Y2
  Inside:   Source IP:Port 172.16.204.23:14377   Dest IP:Port 2.88.70.0:11408
  Outside:  Source IP:Port 70.132.116.89:14378   Dest IP:Port 2.88.70.0:11408

A separate external port (14378) is allocated for the second destination.

AX(config)#ip nat lsn endpoint-independent-mapping disable
12
End Point Independent Mapping Benefits

- Best for peer-to-peer communication protocols like SIP and RTP
- Peer-to-peer applications like BitTorrent perform best with EIM
- Consumes fewer port resources compared to APDM
  - With EIM thousands of sessions can be mapped to one source port
  - With APDM thousands of sessions will need thousands of unique ports – inefficient use of port resources
- AX Default Behavior: enabled for destination ports 1024-65535
13
Hairpinning

Two clients, Host A and Host B, behind a common NAT device

Host A to Host B communication using the external binding

Host A:      Source A:1024   Dest S:8080    (Host A reaches Host S; its external binding is X:9001)
Host B:      Source B:1024   Dest S:8080    (Host B reaches Host S; its external binding is X:9002)
Host S:      Source S:8080   Dest X:9001    (reply towards Host A)
             Source S:8080   Dest X:9002    (reply towards Host B)
Host A:      Source A:1024   Dest X:9002    (to Host B via its external binding; the NAT device hairpins it back inside)
Host B:      Source B:1024   Dest X:9001    (to Host A via its external binding; the NAT device hairpins it back inside)
14
Filtering Modes

Endpoint Independent Filtering:
- If a mapping for an external address and port is not present, packets cannot be sent to that internal host
- Once a mapping has been created, any external endpoint is permitted to send packets to the internal host
- Ideal for peer-to-peer protocols and applications
- Can be viewed as a security concern
- By default enabled for destination ports 1024-65535

Address and Port Dependent Filtering:
- Only allows an external endpoint to send packets from the same external IP address and port to which the internal host has sent a packet
- Works well for client/server applications
- Not suited for peer-to-peer protocols and applications
- Provides some “firewall” like security
- By default enabled for destination ports 0-1023
15
End Point Independent Filtering

Inside:   Host A (port 1024)
Outside:  Host B (ports 8080, 8081), Host C (ports 8080, 8081)

Mapping
  Internal   A:1024 / B:8080
  External   X:9001 / B:8080
Filter
  *:* / X:9001    (any external IP:port may send to X:9001)

AX(config)#ip nat lsn endpoint-independent-filtering enable
16
Address and Port Dependent Filtering

Inside:   Host A (port 1024)
Outside:  Host B (ports 8080, 8081), Host C (ports 8080, 8081)

Mapping
  Internal   A:1024 / B:8080
  External   X:9001 / B:8080
Filter
  B:8080 / X:9001    (only B:8080 may send to X:9001)

AX(config)#ip nat lsn endpoint-independent-filtering disable
17
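The following Python model is an added example and not A10/ACOS code. It ties together the behaviours described on the preceding slides: PAT hands out only ephemeral ports and tries to preserve the client's source port, EIM reuses one external binding toward every destination while APDM allocates one per destination, EIF admits any outside sender to an existing binding while APDF admits only senders the inside host has already contacted, and a packet addressed to one of the NAT's own bindings is hairpinned back inside. The addresses are constructed (some are copied from the slide figures), and the search order after a port collision (next free port upward, wrapping within 1024-65535) is an assumption chosen to reproduce the 14377/14378 example above.

```python
"""Toy LSN/PAT translation table: port preservation, EIM vs APDM mapping,
EIF vs APDF filtering, and hairpinning. Added example, not A10 code."""
from dataclasses import dataclass, field

# Well-known ports 0-1023 are never handed out by PAT; only 1024-65535 are.
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535

Endpoint = tuple  # (ip: str, port: int)


@dataclass
class Mapping:
    internal: Endpoint                          # inside local  IP:port
    external: Endpoint                          # inside global IP:port
    remotes: set = field(default_factory=set)   # outside endpoints this binding was used toward


class LSN:
    def __init__(self, global_ip: str, eim: bool = True, eif: bool = True):
        self.global_ip = global_ip
        self.eim = eim                  # endpoint-independent mapping enabled?
        self.eif = eif                  # endpoint-independent filtering enabled?
        self.mappings: list[Mapping] = []
        self.used_ports: set[int] = set()

    def _allocate_port(self, wanted: int) -> int:
        """Port preservation: keep the client's source port if it is ephemeral and
        free. Otherwise (assumption) take the next free port upward, wrapping
        around inside the ephemeral range; a well-known source port starts at 1024."""
        start = wanted if EPHEMERAL_MIN <= wanted <= EPHEMERAL_MAX else EPHEMERAL_MIN
        span = EPHEMERAL_MAX - EPHEMERAL_MIN + 1
        for i in range(span):
            port = EPHEMERAL_MIN + (start - EPHEMERAL_MIN + i) % span
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise RuntimeError("no free ports on " + self.global_ip)

    def _find_mapping(self, internal: Endpoint, remote: Endpoint):
        for m in self.mappings:
            if m.internal != internal:
                continue
            # EIM: one binding per inside endpoint, whatever the destination.
            # APDM: a binding is reused only toward the destination it was made for.
            if self.eim or remote in m.remotes:
                return m
        return None

    def outbound(self, src: Endpoint, dst: Endpoint):
        """Translate an inside->outside packet. Returns (src', dst) as seen outside,
        the hairpinned (src', inside dst) when dst is one of our own bindings, or
        None when a hairpinned packet is rejected by the filtering mode."""
        m = self._find_mapping(src, dst)
        if m is None:
            m = Mapping(src, (self.global_ip, self._allocate_port(src[1])))
            self.mappings.append(m)
        m.remotes.add(dst)
        if dst[0] == self.global_ip:
            # Hairpin: re-inject the translated packet as if it arrived from outside.
            return self.inbound(m.external, dst)
        return m.external, dst

    def inbound(self, src: Endpoint, dst: Endpoint):
        """Filter and translate an outside->inside packet. Returns (src, inside dst),
        or None when no binding exists or the filtering mode rejects the sender."""
        for m in self.mappings:
            if m.external != dst:
                continue
            # EIF: any outside endpoint may use an existing binding.
            # APDF: only an endpoint the inside host has already sent to.
            if self.eif or src in m.remotes:
                return src, m.internal
        return None


if __name__ == "__main__":
    x = ("172.16.204.23", 14377)
    for eim in (True, False):
        nat = LSN("70.132.116.89", eim=eim, eif=eim)
        print("EIM" if eim else "APDM", nat.outbound(x, ("188.143.19.76", 52808))[0],
              nat.outbound(x, ("2.88.70.0", 11408))[0])
        print("  unsolicited inbound:", nat.inbound(("198.51.100.7", 40000), ("70.132.116.89", 14377)))
```

Toggling the two flags reproduces the operation modes: EIM with EIF is full cone, EIM without EIF is address and port restricted, and both disabled is symmetric. The hairpin path runs through the same inbound filter, so under APDF a packet from Host A to Host B's binding is dropped unless B has already sent to A's binding, which is exactly the peer-to-peer limitation the filtering slide describes.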
LSN Operation Modes

To Enable Full Cone NAT (Pure RFC standard LSN)
  AX(config)#ip nat lsn endpoint-independent-mapping enable
  AX(config)#ip nat lsn endpoint-independent-filtering enable

To Enable Symmetric NAT (Firewall NAT)
  AX(config)#ip nat lsn endpoint-independent-mapping disable
  AX(config)#ip nat lsn endpoint-independent-filtering disable

To Enable Address and Port Restricted NAT
  AX(config)#ip nat lsn endpoint-independent-mapping enable
  AX(config)#ip nat lsn endpoint-independent-filtering disable

Unsupported Configuration
  AX(config)#ip nat lsn endpoint-independent-mapping disable
  AX(config)#ip nat lsn endpoint-independent-filtering enable
18
Application Layer Gateways

What is the purpose of ALGs?

- Inspect the application layer payload of a packet and understand the application control messages.
- Some applications embed IP addresses and data ports in the payload of their packets. ALGs are required to inspect this embedded information to allow the subsequent connections.
- An enabled ALG automatically kicks in and performs application layer inspection and the dynamic opening/closing of TCP/UDP ports, as well as the associated network/port address translation.
- The dynamic TCP, UDP, or other ports that are opened by ACOS to permit these data or secondary channels are active strictly only after the control channels are established.

Supported ALGs
- RTSP (Disabled by default)
- PPTP (Disabled by default)
- FTP (Enabled by default)
- TFTP (Disabled by default)
- IPSec ESP (Disabled by default)
- SIP (Disabled by default)
19
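To make the ALG description concrete, here is an added Python sketch of the FTP case (the one ALG enabled by default above). It is not A10/ACOS code. It parses the address and port that an inside host embeds in a PORT command or a 227 Entering Passive Mode reply, rewrites them to the inside-global binding, records the pinhole the translator must open for the data connection that follows the control exchange, and tracks how much the payload length changed so the TCP sequence and acknowledgement numbers can be adjusted. The inside-global address, the sample control lines and the `allocate_port` callback are constructed.

```python
"""FTP ALG sketch for an LSN. Added example, not A10/ACOS code."""
import re
from typing import Callable

# h1,h2,h3,h4,p1,p2 as defined by RFC 959: four address octets, then port = p1*256 + p2
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$")        # inside client, active mode
PASV_RE = re.compile(r"^227 [^(]*\(" + _HP + r"\)")    # inside server, passive mode


def decode_hostport(groups) -> tuple:
    """Turn the six captured fields into (ip, port), rejecting malformed values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("h1,h2,h3,h4,p1,p2 field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not valid")
    return ".".join(str(n) for n in nums[:4]), port


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    def __init__(self, inside_global_ip: str, allocate_port: Callable[[str, int], int]):
        self.inside_global_ip = inside_global_ip
        self.allocate_port = allocate_port   # hypothetical hook: (inside local ip, port) -> global port
        self.pinholes = []                   # data-channel translations opened so far
        self.seq_delta = 0                   # payload growth the TCP seq/ack numbers must absorb

    def inspect(self, line: str, inside_local_ip: str):
        """Inspect one control-channel line sent by the inside host inside_local_ip.
        Returns (line_to_forward, pinhole_or_None). The pinhole is only recorded
        here; a real ALG activates it once the control channel is established."""
        match = PORT_RE.match(line) or PASV_RE.match(line)
        if match is None:
            return line, None                # no embedded address: forward untouched
        ip, port = decode_hostport(match.groups())
        if ip != inside_local_ip:
            # The embedded address is not the speaker's own, so there is nothing
            # for this translator to rewrite; leave the line unchanged.
            return line, None
        ext_port = self.allocate_port(inside_local_ip, port)
        pinhole = {"internal": (ip, port), "external": (self.inside_global_ip, ext_port)}
        self.pinholes.append(pinhole)
        new_field = encode_hostport(self.inside_global_ip, ext_port)
        new_line = line.replace(",".join(match.groups()), new_field, 1)
        self.seq_delta += len(new_line) - len(line)
        return new_line, pinhole


if __name__ == "__main__":
    # Constructed sample: inside host 10.1.2.3 behind inside-global 70.132.116.89;
    # the toy allocator simply preserves the data port.
    alg = FtpAlg("70.132.116.89", allocate_port=lambda ip, port: port)
    for ctl in ("USER anonymous\r\n",
                "PORT 10,1,2,3,4,1\r\n",
                "227 Entering Passive Mode (10,1,2,3,195,80)\r\n"):
        forwarded, hole = alg.inspect(ctl, "10.1.2.3")
        print(repr(forwarded), hole)
    print("cumulative seq delta:", alg.seq_delta)
```

Because the rewritten field can be longer or shorter than the original, the ALG has to carry `seq_delta` into the TCP header of every later segment on that control connection; forgetting that is a common reason an FTP ALG breaks the very sessions it is meant to help.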
LSN Logging

- Requirement for law enforcement and forensic information.
- A10 supports up to 32 syslog servers.
- The same source IP will always go to the same syslog server.
- One translation log entry can consume ~150 bytes of disk space on the syslog server.
- Every connection = two syslog messages (creation + deletion).
- 10M connections will consume 30 Gbytes of disk space.
- Full session logging can consume 4 times as much disk space.
- Avoid full session logging and only enable port mapping logging.
21
Large Scale NAT Configuration Steps

Required
- Basic Layer-2/Layer-3 (VLANs, router interfaces, static routes etc.)
- LSN source NAT Pool
- LSN Limit ID calling the above LSN source NAT pool
- Class List Policy matching source subnets along with the above LSN Limit ID
- IP nat inside source list calling the above class list name
- Define at least one ip nat inside interface (towards the private clients)
- Define at least one ip nat outside interface (towards the internet)
22
Large Scale NAT Configuration Steps

Optional
- High availability configuration for LSN
- Maximum number of users per pool IP address
- IP address selection algorithm
- TCP/UDP user quota
- Enable or disable EIF and/or EIM
- TCP/UDP translation timers
- Enable or disable port preservation
- User quota for TCP/UDP connections
- LSN Logging
- Enable or disable ALGs
- Enable or disable static port reservation
23
LSN LAB Demonstration

Topology components:
- IPv4 Internet
- Router
- VPN Server 16.0.0.236
- RTSP/PPTP Server 16.0.0.221
- Switch
- AX Active – NAT Pools: 70.132.116.89-90/29
- AX Standby – NAT Pools: 70.132.116.89-90/29
- Client 172.16.204.xx
24
Questions?
25
Related documents