Topic 2: Large Scale NAT

Agenda
- Large Scale NAT properties
  - Endpoint Independent Mapping (EIM)
  - Endpoint Independent Filtering (EIF)
  - Hairpin support
- Application Layer Gateways: FTP, TFTP, RTSP, PPTP, IPsec ESP
- LSN configuration steps
- Lab

Carrier-Grade NAT (CGN / LSN)
Requirements for an ISP NAT device:
- Highly transparent, so that existing user applications continue to work
- Minimal to no impact on customers
- Well-defined NAT behaviour, so that new user applications can be developed against it
  - Consistent
  - Deterministic
- Fairness in resource sharing
  - User guarantees and protection (one subscriber cannot exhaust the shared address and port pool)
- Works for both client-server (traditional) and client-client (P2P) applications

Carrier-Grade NAT (CGN / LSN)
Based on the following IETF RFCs and drafts:
- BEHAVE-UDP (RFC 4787)
- BEHAVE-TCP (RFC 5382)
- BEHAVE-ICMP (RFC 5508)
- CGN (draft-nishitani-cgn-0x)
Primary features:
- Sticky internal IP to external IP mapping (paired IP pooling in RFC 4787 terms: a subscriber keeps the same external address across sessions)
- Endpoint-independent mapping and filtering
- Hairpinning support
- Fairness in sharing the resources: user quotas

Carrier-Grade NAT (CGN / LSN)
Advantage:
- Helps ISPs continue growing their business by temporarily alleviating the IPv4 address shortage
Considerations:
- Double NAT, i.e. two layers of NAT:
  - NAT in the ISP network
  - NAT in the customer premises
- Addressing issues:
  - Private address conflicts with the NAT in the customer premises: the subnets on the ISP side and on the customer side must be different
  - Limited number of RFC 1918 addresses
- Does not provide a migration path to IPv6

NAT Terminology
Term             Description
Inside Local     The IP address assigned to a host on the inside network, typically from RFC 1918 space
Inside Global    The IP address of an inside host as it appears to the outside network
Outside Local    The IP address of an outside host as it appears to the inside network
Outside Global   The IP address assigned to a host on the outside network
For source NAT, Outside Local = Outside Global. LSN is source NAT.

NAT Example
Packet on the inside (before translation):   Source IP 172.16.204.35   Dest IP 186.212.8.189
Packet on the outside (after translation):   Source IP 70.132.116.89   Dest IP 186.212.8.189
Translation table entry for that packet:
Protocol   Inside Global    Inside Local     Outside Local    Outside Global
UDP        70.132.116.89    172.16.204.35    186.212.8.189    186.212.8.189

Port Address Translation (PAT)
- IETF documents call this NAPT (RFC 3022); vendor documentation usually says PAT. LSN = PAT.
- PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations.
- The total number could theoretically be as high as 64,512 per IP address (per transport protocol, since TCP and UDP port spaces are tracked separately):
  - Well-known ports 0-1023 are not used for PAT.
  - Only ports 1024-65535 are used for PAT.
- PAT attempts to preserve the original source port; if that port is already allocated, PAT picks the first available port number.

End Point Independent Mapping (EIM)
Host X (inside) sends from the same source X:x to two different outside hosts:
- X:x -> Y1:y1 is translated to X1':x1' -> Y1:y1 (Host Y1)
- X:x -> Y2:y2 is translated to X2':x2' -> Y2:y2 (Host Y2)
EIM means X1':x1' = X2':x2' for all destinations Y:y (here Y1:y1 and Y2:y2): the external binding depends only on the internal source, not on the peer.

End Point Independent Mapping (EIM)
Worked values for Host X = 172.16.204.23:14377 behind 70.132.116.89:
- Inside 172.16.204.23:14377 -> 188.143.19.76:52808, outside 70.132.116.89:14377 -> 188.143.19.76:52808 (Host Y1)
- Inside 172.16.204.23:14377 -> 2.88.70.0:11408, outside 70.132.116.89:14377 -> 2.88.70.0:11408 (Host Y2)
Both sessions share the single external binding 70.132.116.89:14377.
AX(config)#ip nat lsn endpoint-independent-mapping enable

Address and Port Dependent Mapping (APDM)
Same two sessions from Host X:
- X:x -> Y1:y1 is translated to X1':x1' -> Y1:y1 (Host Y1)
- X:x -> Y2:y2 is translated to X2':x2' -> Y2:y2 (Host Y2)
APDM means X1':x1' = X2':x2' only if Y2:y2 = Y1:y1: every distinct destination address and port gets its own external binding.

Address and Port Dependent Mapping (APDM)
Worked values:
- Inside 172.16.204.23:14377 -> 188.143.19.76:52808, outside 70.132.116.89:14377 -> 188.143.19.76:52808 (Host Y1)
- Inside 172.16.204.23:14377 -> 2.88.70.0:11408, outside 70.132.116.89:14378 -> 2.88.70.0:11408 (Host Y2)
The second destination receives a different external port (14378).
AX(config)#ip nat lsn endpoint-independent-mapping disable

End Point Independent Mapping Benefits
- Best for peer-to-peer communication protocols like SIP and RTP
- Peer-to-peer applications like BitTorrent perform best with EIM
- Consumes fewer port resources than APDM:
  - With EIM thousands of sessions (to different peers) can share one external source port
  - With APDM thousands of sessions need thousands of unique ports, an inefficient use of the port space
- AX default behaviour: enabled for destination ports 1024-65535

Hairpinning
Two clients, Host A and Host B, sit behind a common NAT device with external address X. Host A reaches Host B through B's external binding:
- Host A sends A:1024 -> S:8080; the NAT translates it to X:9001 -> S:8080; Host S replies S:8080 -> X:9001
- Host B sends B:1024 -> S:8080; the NAT translates it to X:9002 -> S:8080; Host S replies S:8080 -> X:9002
- Host A then sends A:1024 -> X:9002 (B's external binding), and Host B sends B:1024 -> X:9001 (A's external binding)
The NAT must recognise that X:9001 and X:9002 are its own external bindings and loop the packets back to the inside, translating the source to the sender's external binding so that B sees the packet as coming from X:9001 rather than from A:1024.

Filtering Modes
Endpoint Independent Filtering (EIF):
- If no mapping exists for an external address and port, packets to it are dropped; nothing reaches an internal host without a mapping
- Once the internal host has created a mapping, any external endpoint is permitted to send packets to the internal host through it
- Ideal for peer-to-peer protocols and applications
- Can be viewed as a security concern: any host on the Internet can reach the mapped port
- By default enabled for mappings whose destination ports are 1024-65535
Address and Port Dependent Filtering (APDF):
- Only allows inbound packets from the external IP address and port to which the internal host has already sent a packet
- Works well for client/server applications
- Not suited for peer-to-peer protocols and applications
- Provides some firewall-like security
- By default enabled for mappings whose destination ports are 0-1023

End Point Independent Filtering
- Host A (inside) connects from port 1024 to Host B (outside) port 8080
- Internal: A:1024 -> B:8080; External: X:9001 -> B:8080
- Filter entry: *:* -> X:9001, i.e. any source may send to X:9001
- Host B from port 8080 or 8081, and the unrelated Host C, can all reach Host A through X:9001
AX(config)#ip nat lsn endpoint-independent-filtering enable

Address and Port Dependent Filtering
- Same session: Internal A:1024 -> B:8080; External X:9001 -> B:8080
- Filter entry: B:8080 -> X:9001 only
- Host B from port 8081 and Host C are dropped; only B:8080 can reach Host A through X:9001
AX(config)#ip nat lsn endpoint-independent-filtering disable

LSN Operation Modes
To enable Full Cone NAT (pure RFC-standard LSN):
AX(config)#ip nat lsn endpoint-independent-mapping enable
AX(config)#ip nat lsn endpoint-independent-filtering enable
To enable Address and Port Restricted NAT:
AX(config)#ip nat lsn endpoint-independent-mapping enable
AX(config)#ip nat lsn endpoint-independent-filtering disable
To enable Symmetric NAT (firewall NAT):
AX(config)#ip nat lsn endpoint-independent-mapping disable
AX(config)#ip nat lsn endpoint-independent-filtering disable
Unsupported configuration:
AX(config)#ip nat lsn endpoint-independent-mapping disable
AX(config)#ip nat lsn endpoint-independent-filtering enable

Application Layer Gateways
What is the purpose of ALGs?
- Inspect the application-layer payload of a packet and understand the application's control messages
- Some applications embed IP addresses and data ports in the payload of their packets; the ALG inspects this embedded information so that the subsequent (data) connections can be allowed and translated
- An enabled ALG kicks in automatically and performs the application-layer inspection, the dynamic opening and closing of TCP/UDP ports, and the associated network/port address translation
- The dynamic TCP, UDP, or other ports that ACOS opens for these data or secondary channels are active only after the control channel has been established
Supported ALGs:
- FTP (enabled by default)
- TFTP (disabled by default)
- RTSP (disabled by default)
- PPTP (disabled by default)
- IPsec ESP (disabled by default)
- SIP (disabled by default)

LSN Logging
- Required for law enforcement and forensic attribution: which subscriber held which external address and port at a given time
- A10 supports up to 32 syslog servers; all messages for the same inside source IP go to the same syslog server
- One translation log entry consumes about 150 bytes of disk space on the syslog server
- Every connection produces two syslog messages (creation + deletion), about 300 bytes
- 10 million connections therefore produce 20 million entries, roughly 3 GB of disk space (20,000,000 x 150 bytes)
- Full session logging consumes about 4 times as much disk space
- Avoid full session logging and enable port-mapping logging only

Large Scale NAT Configuration Steps (Required)
- Basic Layer 2 / Layer 3 (VLANs, router interfaces, static routes, etc.)
- LSN source NAT pool
- LSN limit ID referencing the LSN source NAT pool
- Class list policy matching the source subnets, with the LSN limit ID above
- "ip nat inside source list" referencing the class list name
- At least one "ip nat inside" interface (towards the private clients)
- At least one "ip nat outside" interface (towards the Internet)

Large Scale NAT Configuration Steps (Optional)
- High availability configuration for LSN
- Maximum number of users per pool IP address
- IP address selection algorithm
- TCP/UDP user quota
- Enable or disable EIF and/or EIM
- TCP/UDP translation timers
- Enable or disable port preservation
- User quota for TCP/UDP connections
- LSN logging
- Enable or disable ALGs
- Enable or disable static port reservation

LSN Lab Demonstration
Topology:
- IPv4 Internet, reached through a router
- VPN server 16.0.0.236
- RTSP/PPTP server 16.0.0.221
- Switch
- AX active, NAT pool 70.132.116.89-90 /29
- AX standby, NAT pool 70.132.116.89-90 /29 (same pool on both units for failover)
- Clients 172.16.204.xx

Questions?
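The mapping and filtering slides (EIM/APDM, EIF/APDF, hairpinning, the four operation modes and PAT port preservation) can be tried out in a small model. The block below is an added example for this page, not ACOS code or A10 material: LsnModel, its method names and the port allocation policy are assumptions chosen to reproduce the slide values (14377 then 14378 under APDM), and Host C at 203.0.113.9 is a constructed unrelated outside host.

```python
from dataclasses import dataclass, field
from itertools import chain
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)
FIRST_PAT_PORT = 1024        # well-known ports 0-1023 are never handed out


@dataclass
class LsnModel:
    """Toy model of the mapping/filtering knobs on the slides (not ACOS code).

    eim=True -> endpoint-independent mapping, False -> address+port dependent (APDM)
    eif=True -> endpoint-independent filtering, False -> address+port dependent (APDF)
    """
    external_ip: str
    eim: bool = True
    eif: bool = True
    # mapping key -> external port; the key is the inside endpoint under EIM and
    # (inside endpoint, outside endpoint) under APDM
    mappings: Dict[tuple, int] = field(default_factory=dict)
    # external port -> (inside endpoint, outside peers the inside host has sent to)
    bindings: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not self.eim and self.eif:
            raise ValueError("EIM disabled with EIF enabled is unsupported")

    def _allocate_port(self, preferred: int) -> int:
        """Port preservation: keep the inside source port when it is free and not
        well-known; otherwise the next free port counting up from it (assumed
        policy, matching the APDM slide where 14377 is followed by 14378)."""
        preferred = max(preferred, FIRST_PAT_PORT)
        for port in chain(range(preferred, 65536), range(FIRST_PAT_PORT, preferred)):
            if port not in self.bindings:
                return port
        raise RuntimeError("external port space exhausted")

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Translate an inside->outside packet; returns (translated source, delivered
        destination). A packet aimed at one of our own external bindings is
        hairpinned: it is delivered to the inside host behind that binding and the
        receiver sees the sender's external binding as source (RFC 4787 REQ-9)."""
        key = src if self.eim else (src, dst)
        port = self.mappings.get(key)
        if port is None:
            port = self._allocate_port(src[1])
            self.mappings[key] = port
            self.bindings[port] = (src, set())
        self.bindings[port][1].add(dst)            # remembered for APDF
        ext_src = (self.external_ip, port)
        if dst[0] == self.external_ip:
            inside_dst = self.inbound(ext_src, dst)
            if inside_dst is None:
                raise PermissionError(f"hairpin packet to {dst} filtered")
            return ext_src, inside_dst
        return ext_src, dst

    def inbound(self, src: Endpoint, ext_dst: Endpoint) -> Optional[Endpoint]:
        """Filter an outside->inside packet; returns the inside endpoint it is
        delivered to, or None when it is dropped."""
        if ext_dst[0] != self.external_ip or ext_dst[1] not in self.bindings:
            return None                             # no mapping: nothing gets in
        inside, peers = self.bindings[ext_dst[1]]
        if self.eif or src in peers:
            return inside
        return None                                 # APDF: unknown peer


def demo() -> dict:
    """Replay the slide examples and return what each mode does."""
    x = ("172.16.204.23", 14377)
    y1, y2 = ("188.143.19.76", 52808), ("2.88.70.0", 11408)
    host_c = ("203.0.113.9", 5555)                  # constructed unrelated host
    out = {}

    full_cone = LsnModel("70.132.116.89", eim=True, eif=True)
    e1, _ = full_cone.outbound(x, y1)
    e2, _ = full_cone.outbound(x, y2)
    out["eim_binding"] = (e1, e2)                   # same external port for both peers
    out["eif_host_c"] = full_cone.inbound(host_c, e1)

    symmetric = LsnModel("70.132.116.89", eim=False, eif=False)
    s1, _ = symmetric.outbound(x, y1)
    s2, _ = symmetric.outbound(x, y2)
    out["apdm_ports"] = (s1[1], s2[1])              # two distinct external ports
    out["apdf_host_c"] = symmetric.inbound(host_c, s1)
    out["apdf_peer"] = symmetric.inbound(y1, s1)

    nat = LsnModel("X")                             # hairpin slide: A and B behind X
    a, b, s = ("A", 1024), ("B", 1024), ("S", 8080)
    ext_a, _ = nat.outbound(a, s)
    ext_b, _ = nat.outbound(b, s)
    out["hairpin"] = nat.outbound(a, ext_b)         # (A's external binding, B)
    try:
        LsnModel("X", eim=False, eif=True)
        out["unsupported_rejected"] = False
    except ValueError:
        out["unsupported_rejected"] = True
    return out
```

Running demo() shows the full-cone model handing the same 70.132.116.89:14377 to both peers and letting Host C in, the symmetric model allocating 14377 and 14378 and dropping Host C while still accepting Y1, and the hairpinned packet arriving at B with A's external binding as source. The model keeps one port space; a device tracks TCP and UDP separately, so real capacity is 64,512 per protocol per external address.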
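The ALG slides say that some applications embed addresses and ports in their payload and that the gateway must rewrite them and open the secondary channel. The active-mode FTP PORT command is the classic case: the block below is an added example written for this page, not the ACOS FTP ALG. FtpAlg, its pinhole allocation from port 40000 and the check that a client may only open a pinhole towards itself are assumptions of this example; the addresses reuse the NAT example slide (client 172.16.204.35 behind 70.132.116.89, server 186.212.8.189).

```python
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
# "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode FTP client (RFC 959)
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes) -> Optional[Endpoint]:
    """Decode a PORT line into (ip, port); None if it is not a valid PORT command."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h = [int(g) for g in m.groups()]
    if max(h) > 255:
        return None
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]


def format_port(ep: Endpoint) -> bytes:
    """Encode (ip, port) back into PORT syntax with the CRLF terminator."""
    ip, port = ep
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)).encode()


class FtpAlg:
    """Rewrites active-mode PORT commands and opens the data-channel pinhole.

    Toy model for the ALG slide, not the ACOS implementation. It watches the
    control channel (client -> server port 21) of a source-NAT'd client."""

    def __init__(self, external_ip: str, first_data_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_data_port            # assumed allocation policy
        # external data port -> (inside endpoint, server IP allowed to connect)
        self.pinholes: Dict[int, Tuple[Endpoint, str]] = {}

    def rewrite_control(self, client: Endpoint, server: Endpoint,
                        payload: bytes) -> Tuple[bytes, int]:
        """Return (payload to forward, length delta). A non-zero delta means a real
        device must also patch TCP sequence/ack numbers on that flow."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload, 0                       # not a PORT command: pass through
        ip, port = parsed
        if ip != client[0]:
            # A client may only open a pinhole to itself. A PORT naming another
            # inside host is forwarded untouched and gets no pinhole; the server's
            # connect to the private address then simply fails.
            return payload, 0
        ext_port = self.next_port
        self.next_port += 1
        self.pinholes[ext_port] = ((ip, port), server[0])
        rewritten = format_port((self.external_ip, ext_port))
        return rewritten, len(rewritten) - len(payload)

    def inbound_data(self, src: Endpoint, ext_dst: Endpoint) -> Optional[Endpoint]:
        """Server -> external data port: delivered only from the server the control
        channel talks to (address-dependent filtering on the pinhole)."""
        entry = self.pinholes.get(ext_dst[1])
        if entry is None or ext_dst[0] != self.external_ip:
            return None
        inside, server_ip = entry
        return inside if src[0] == server_ip else None


def demo() -> dict:
    """Client 172.16.204.35 behind 70.132.116.89 opens an active-mode transfer."""
    alg = FtpAlg("70.132.116.89")
    client, server = ("172.16.204.35", 50123), ("186.212.8.189", 21)
    cmd = b"PORT 172,16,204,35,4,1\r\n"             # client listens on 4*256+1 = 1025
    rewritten, delta = alg.rewrite_control(client, server, cmd)
    spoof = b"PORT 172,16,204,36,4,1\r\n"           # names a different inside host
    spoof_out, _ = alg.rewrite_control(client, server, spoof)
    return {
        "rewritten": rewritten,
        "delta": delta,
        "from_server": alg.inbound_data((server[0], 20), ("70.132.116.89", 40000)),
        "from_other": alg.inbound_data(("203.0.113.9", 20), ("70.132.116.89", 40000)),
        "spoof_untouched": spoof_out == spoof,
        "pinholes": len(alg.pinholes),
    }
```

Without the rewrite the server would try to connect to 172.16.204.35:1025, a private address it cannot reach; with it the server connects to 70.132.116.89:40000 and the pinhole forwards only that server's data connection. The length delta (3 bytes here) is why payload-rewriting ALGs must also fix up TCP sequence numbers, and the sender check is the guard against a client using the ALG to open pinholes towards other hosts on the inside network.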
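The LSN logging slide gives the sizing rule (two entries of about 150 bytes per connection, full session logging about four times more) and the reason for the logs: attributing an external address and port at a given time to a subscriber. The block below is an added example for this page, not A10 code; the syslog line format, host name ax1 and the sample entries are constructed for the example and do not reflect the real ACOS message layout, and the second subscriber 172.16.204.77 is chosen to show the same external port being reused after release.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format for this example; the real ACOS message layout differs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LSN: (?P<proto>TCP|UDP) mapping (?P<action>created|deleted) "
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> (?P<ext_ip>[\d.]+):(?P<ext_port>\d+)$"
)
BYTES_PER_ENTRY = 150              # from the slide
ENTRIES_PER_CONNECTION = 2         # creation + deletion

# Constructed sample: two subscribers take turns holding the same external port.
SAMPLE_LOG = """\
2024-01-10T12:00:01Z ax1 LSN: TCP mapping created 172.16.204.35:51234 -> 70.132.116.89:51234
2024-01-10T12:00:09Z ax1 LSN: UDP mapping created 172.16.204.35:5060 -> 70.132.116.89:5060
2024-01-10T12:03:44Z ax1 LSN: TCP mapping deleted 172.16.204.35:51234 -> 70.132.116.89:51234
2024-01-10T12:05:00Z ax1 LSN: TCP mapping created 172.16.204.77:51234 -> 70.132.116.89:51234
""".splitlines()

Key = Tuple[str, str, int]                             # (proto, external ip, external port)
Interval = Tuple[datetime, Optional[datetime], str]    # (start, end or None, inside endpoint)


def estimate_log_bytes(connections: int, full_session: bool = False) -> int:
    """Disk needed on the syslog server; full session logging is ~4x port-mapping logs."""
    per_connection = ENTRIES_PER_CONNECTION * BYTES_PER_ENTRY
    return connections * per_connection * (4 if full_session else 1)


def parse_ts(s: str) -> datetime:
    """Timestamps are UTC with a full year; classic syslog lacks the year and the
    zone, which is exactly what makes later attribution ambiguous."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_intervals(lines: Iterable[str]) -> Dict[Key, List[Interval]]:
    """Turn created/deleted messages into holding intervals per external endpoint."""
    table: Dict[Key, List[Interval]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                    # unrelated syslog line
        ts = parse_ts(m["ts"])
        key = (m["proto"], m["ext_ip"], int(m["ext_port"]))
        inside = f"{m['in_ip']}:{m['in_port']}"
        ivs = table.setdefault(key, [])
        if m["action"] == "created":
            ivs.append((ts, None, inside))
        else:
            for i, (start, end, who) in enumerate(ivs):   # close the open interval
                if end is None and who == inside:
                    ivs[i] = (start, ts, who)
                    break
    return table


def attribute(table: Dict[Key, List[Interval]], proto: str, ext_ip: str,
              ext_port: int, at: datetime) -> Optional[str]:
    """Which inside endpoint held proto ext_ip:ext_port at time `at`? None if nobody."""
    for start, end, who in table.get((proto, ext_ip, ext_port), []):
        if start <= at and (end is None or at < end):
            return who
    return None


def demo() -> dict:
    """Answer three abuse-report style questions against the constructed log."""
    table = build_intervals(SAMPLE_LOG)
    q = lambda when: attribute(table, "TCP", "70.132.116.89", 51234, parse_ts(when))
    return {
        "during_first": q("2024-01-10T12:02:00Z"),       # first subscriber
        "gap": q("2024-01-10T12:04:30Z"),                # port released, nobody
        "reused": q("2024-01-10T12:06:00Z"),             # second subscriber
        "wrong_proto": attribute(table, "UDP", "70.132.116.89", 51234,
                                 parse_ts("2024-01-10T12:02:00Z")),
        "ten_million": estimate_log_bytes(10_000_000),   # 3 GB of port-mapping logs
    }
```

Two points follow from the lookup. An abuse report that carries only the external IP cannot be attributed under CGN because every subscriber behind the pool shares it; the report needs protocol, port and an accurate timestamp with time zone (RFC 6302 asks Internet-facing servers to log exactly that). And because ports are reused, a query a minute off can land on the wrong subscriber, so the deletion messages are not optional overhead but what bounds each interval.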