Network Address Translation / Port Address Translation

Network Address Translation
Brigham Young University-Idaho
CIT 340
© 2003 Cisco Systems, Inc. All rights reserved.
Short Term Solutions: IPv4 Enhancements
• CIDR (Classless Inter-Domain Routing) – RFCs 1517, 1518, 1519, 1520
• VLSM (Variable Length Subnet Mask) – RFC 1009
• Private Addressing – RFC 1918
• NAT/PAT (Network Address Translation / Port Address Translation) – RFC 1631 & RFC 3022
Private Address Space
• RFC 1918 sets aside three ranges of IP addresses for private networks:
10.0.0.0/8 (10.0.0.0 through 10.255.255.255)
172.16.0.0/12 (172.16.0.0 through 172.31.255.255)
192.168.0.0/16 (192.168.0.0 through 192.168.255.255)
• These addresses are not routable on the public Internet. Do not advertise them to the Internet, and filter them at the border in both directions: a packet arriving from the Internet with an RFC 1918 source address is spoofed or the result of a misconfiguration.
Address Translation
• Network Address Translation
One-to-one translation of an inside local IP address to an inside global IP address.
• Port Address Translation
Many-to-one translation: takes multiple inside local IP addresses and translates them to a single inside global address, telling the conversations apart by port number.
Network Address Translation
• NAT involves a device, such as a router, that translates one set of IP addresses into another set. It can conserve IP addresses by translating a large pool of private addresses into a small pool of public addresses.
• Disadvantages include increased latency and difficulties with protocols or applications that carry IP addresses in the data portion of the packet (FTP is the classic case): the router rewrites only the IP header, so the embedded address stays untranslated unless the router has an application-layer inspection for that protocol.
Network Address Translation (NAT) Addresses
• Inside Local – the address used by a host on the private (inside) network
• Inside Global – the public, usually registered, IP address into which the inside local address is translated
• Outside Global – the actual IP address of a host that resides on the outside (public) network
• Outside Local – the address by which an outside host is known on the inside network; it is the translated form of the outside global address, and unless outside translation is configured the two are the same
NAT Inside/Outside & Local/Global Relationship

[Figure, redrawn as a table: how the source address (SA) and destination address (DA) of a packet are named on each side of the NAT router]

Packet direction     Inside network                               Outside network
-----------------    -----------------------------------------    -----------------------------------------
Inside -> Outside    SA = Inside Local,   DA = Outside Local       SA = Inside Global,   DA = Outside Global
Outside -> Inside    DA = Inside Local,   SA = Outside Local       DA = Inside Global,   SA = Outside Global
Advantages of NAT
• Allows you to increase or decrease the number of registered
IP addresses without changing devices in the network.
• Static translations are manually configured to translate a
single global IP address to a single local IP address.
• Dynamic mappings are configured on the NAT border router
by using a pool of one or more registered IP addresses.
Devices on the inside of the network that wish to
communicate with a host on the outside network can use
these addresses in the pool.
Advantages of NAT (Continued)
• NAT can be configured to allow the basic load sharing of
packets among multiple servers using the TCP load
distribution feature. TCP load distribution uses a single
outside IP address, which is mapped to multiple addresses.
Incoming connections are distributed in a round-robin
fashion among IP addresses in the internal pool.
• If you switch ISPs and need to change the registered IP
addresses you are using, NAT makes it so you don’t have to
renumber every device in your network. The only change is
the addresses that are being used in the NAT pool.
Advantages of NAT (continued)
• NAT also helps if you merge with another
company and you are both using the same
RFC 1918 address space. You can
configure NAT on the border router
between your routing domains to translate
the address from one network to the other.
Disadvantages of NAT
• NAT increases latency. Every packet must be processed to see whether it needs translation, and matching packets have their headers and checksums rewritten.
• NAT hides end-to-end IP addresses, which renders some applications unusable (those that embed addresses in their payload or that need unsolicited inbound connections).
• NAT changes IP addresses, so an IP flow cannot be tracked end-to-end by address alone. A side effect is that an outside observer cannot see the packet's original inside source address. This hides the internal addressing plan from reconnaissance, but it is not a security control in itself and does not replace a firewall or logging of the translations.
Disadvantages of NAT (continued)
• NAT makes troubleshooting or tracking malicious traffic more difficult: an address seen on the outside must be mapped back to the inside host through the router's translation table or its logs, and the entry may already have expired.
• Because a host that must be reachable from the outside network has two IP addresses, one inside and one outside, a problem called split DNS arises. You need two DNS views (in practice two DNS servers), one answering with external addresses for outside clients and one answering with internal addresses for inside clients.
Network Address Translation (NAT)
• NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header.
• In practice, NAT is used to allow hosts that are privately addressed to access the Internet.
Network Address Translation (NAT)

[Figure: two inside hosts each open a TCP connection from source port 1026; the router maps both to the single global address 2.2.2.2, rewriting the source ports to 1923 and 1924 respectively so that the return traffic can be told apart.]

• NAT translations can occur dynamically or statically.
• The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address.
• This is sometimes called many-to-one NAT.
• With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address.
• The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers (and, for ICMP, the query identifier).
Translating Inside Local Addresses

[Figure: host 10.1.2.25 (inside local IP) sends through the NAT border router, whose address in the figure is 206.100.29.1; on the Internet side the host's source address appears as 200.1.1.25 (inside global IP).]
Configuring NAT
• Each interface must be designated either inside or outside. That is how the router knows which direction a packet is travelling and therefore which address to translate (the source on the way out, the destination on the way back). An interface with neither designation takes no part in NAT.
Router(config)#interface e0/0
Router(config-if)#ip nat inside
Router(config-if)#interface s0/0
Router(config-if)#ip nat outside
Configuring Static NAT
• Static NAT maps one inside global address to one inside local address:
Router(config)#ip nat inside source static 10.1.2.25 200.1.1.25
• This creates a permanent entry in the NAT table, so traffic sent to 200.1.1.25 is translated to 10.1.2.25 and replies from 10.1.2.25 appear as 200.1.1.25. Because the mapping exists before the inside host sends anything, the host is reachable from the outside on every port; limit that exposure with an access list on the outside interface.
• You can also translate just a certain port (static PAT), which lets two inside servers share one global address on different ports:
Router(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80
Router(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81
Configuring Dynamic NAT
• Dynamic NAT maps inside IP addresses to outside IP addresses on the fly from a pool of available IP addresses.
• First designate your inside and outside interfaces. Then create an access list that selects the traffic to be translated. Finally configure a pool of addresses and tie the access list to the pool.
Router(config)#int f0/0
Router(config-if)#ip nat inside
Router(config-if)#int s0/0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 12 permit 10.1.2.0 0.0.0.255
Router(config)#ip nat pool outbound 200.1.1.2 200.1.1.254 prefix-length 24
Router(config)#ip nat inside source list 12 pool outbound
Router(config)#
• The pool's mask can be given either as prefix-length 24 or as netmask 255.255.255.0 (the subnet mask in dotted decimal); both forms describe the same pool.
• The access list decides which inside source addresses are translated. Anything it does not permit is forwarded untranslated, so keep it as narrow as the inside address space it is meant to cover.
Configuring NAT Using Overloading
• Once all the IP addresses in a pool have been allocated, any new connection attempts fail. So if your ISP allocates 13 addresses, only the first 13 inside hosts can access the Internet at a time. Once a NAT entry has expired, its IP address is released back to the pool.
• Configuring overloading allows the router to reuse each IP address in the pool. It changes not only the IP address but the port number as well.
• This is known as Port Address Translation (PAT), also known as Network Address and Port Translation (NAPT).
• The router adds the protocol and port information to each translation entry, which allows more inside IP addresses to access the outside network than there are IP addresses in the pool.
Configuring NAT Using Overloading (continued)
• The pool can be a single IP address and still support on the order of 64,000 concurrent conversations per transport protocol, because each conversation is distinguished by its translated source port (a 16-bit field). TCP and UDP have separate port spaces, so the limit applies per protocol per global address. A busy site with many short-lived connections can still exhaust it, and when it does new connections fail just as they do with an exhausted address pool.
Configuring NAT Using Overloading (continued)
Router(config)#ip nat inside source list 12 pool outbound overload
Router(config)#
• This applies the pool and the access list; the overload keyword lets the router reuse each pool address by varying the port numbers. The same keyword works with an interface instead of a pool (ip nat inside source list 12 interface s0/0 overload) when the only public address you have is the one on the outside interface.
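As an added example that is not part of the slides and not Cisco code, the following Python models what the overload keyword turns on, and illustrates the PAT figure of the earlier slide (two hosts both using source port 1026): one inside global address is shared by many inside local hosts by rewriting the source port, a translation table lets replies find their way back, unsolicited inbound packets are dropped because no entry matches them, and a new connection fails once the port range is used up. The global address 2.2.2.2, the inside hosts, the outside servers 198.51.100.7 and 198.51.100.9 and the three-port range are constructed assumptions chosen so the exhaustion case can be shown; a real router has roughly 64,000 ports per protocol to hand out.

```python
"""Added example (not from the slides or from Cisco): a toy PAT / NAT
overload table.  One inside global address is shared by many inside local
hosts by rewriting the TCP/UDP source port; the table lets replies find
their way back, drops unsolicited inbound packets, and fails new
connections when the port range is exhausted."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(Exception):
    """No free port left on the global address: the new connection fails."""


class PatTable:
    """Translation table for one inside global address (assumed 2.2.2.2 below).

    The port range is configurable so exhaustion can be shown with a few
    ports instead of the ~64,000 a real router has per protocol.
    """

    def __init__(self, global_ip, ports=range(1024, 65536)):
        self.global_ip = global_ip
        self.ports = ports
        self.ports_in_use = set()
        # outbound key: (proto, inside local ip, inside local port, outside ip, outside port)
        self.out_entries = {}
        # inbound key: (proto, translated port, outside ip, outside port) -> inside local endpoint
        self.in_entries = {}

    def _allocate_port(self):
        # Lowest free port in the range (a model choice; a real router may
        # try to keep the original source port when it is free).
        for p in self.ports:
            if p not in self.ports_in_use:
                self.ports_in_use.add(p)
                return p
        raise PortExhausted(f"no free ports on {self.global_ip}")

    def translate_outbound(self, pkt):
        """Inside -> outside: rewrite the source to global_ip:translated_port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.out_entries.get(key)
        if gport is None:                       # new conversation: create an entry
            gport = self._allocate_port()       # raises PortExhausted when the range is full
            self.out_entries[key] = gport
            self.in_entries[(pkt.proto, gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.global_ip, src_port=gport)

    def translate_inbound(self, pkt):
        """Outside -> inside: only packets matching an existing entry get through."""
        if pkt.dst_ip != self.global_ip:
            return None
        inside = self.in_entries.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None                         # unsolicited: nowhere to deliver it
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])

    def expire(self, pkt):
        """Remove the entry for an inside conversation and free its port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.out_entries.pop(key, None)
        if gport is None:
            return False
        del self.in_entries[(pkt.proto, gport, pkt.dst_ip, pkt.dst_port)]
        self.ports_in_use.discard(gport)
        return True


def demo():
    """The slide's figure: two inside hosts both using TCP source port 1026."""
    nat = PatTable("2.2.2.2", ports=range(1923, 1926))   # tiny range, an assumption
    a = Packet("tcp", "10.1.2.25", 1026, "198.51.100.7", 80)
    b = Packet("tcp", "10.1.2.24", 1026, "198.51.100.7", 80)
    ta = nat.translate_outbound(a)                       # -> 2.2.2.2:1923
    tb = nat.translate_outbound(b)                       # -> 2.2.2.2:1924
    reply_to_b = Packet("tcp", "198.51.100.7", 80, "2.2.2.2", tb.src_port)
    back = nat.translate_inbound(reply_to_b)             # -> 10.1.2.24:1026
    return ta, tb, back


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The inbound lookup is keyed on the outside host and port as well as the translated port, which is why an outside party that merely guesses a translated port gets nothing back: the router has no entry to deliver it to. That is the behaviour the slides credit with "hiding" inside hosts; note that it is a side effect of the table, not a policy, and a static mapping removes it for the mapped host.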
Configuring TCP Load Distribution
• NAT has a feature unrelated to conserving public addresses.
• Load distribution allows one host address (such as a web server's) inside the network to be served by several real hosts.
• Destination addresses that match an access list are replaced, for each new TCP connection, with the next address from a pool that has been designated as a rotary pool by adding the type rotary keywords at the end of the ip nat pool command. The distribution is plain round-robin: the router does not check whether a server is up, so a failed server keeps receiving its share of new connections.
Configuring TCP Load Distribution (continued)
Router(config)#ip nat pool web-hosts 10.1.1.1 10.1.19 netmask 255.255.255.0 type rotary
Router(config)#access-list 12 permit 10.1.1.254
Router(config)#ip nat inside destination list 12 pool web-hosts
• Here 10.1.1.254 is the virtual address clients connect to. The access list matches it as a destination, and each new TCP connection to it is handed to the next real server in the web-hosts pool.
Configuring NAT for Overlapping Addresses
• Translating overlapping addresses is similar to dynamic NAT.
• The difference is that you must configure a pool for the inside addresses as well as one for the outside addresses, and apply outside source translation so the other network's addresses are rewritten before they reach your inside hosts.
Router(config)#access-list 12 permit 10.1.1.0 0.0.0.255
Router(config)#ip nat pool insidepool 10.1.2.1 10.1.2.254 netmask 255.255.255.0
Router(config)#ip nat pool outsidepool 200.1.1.2 200.1.1.254 prefix-length 24
Router(config)#ip nat inside source list 12 pool insidepool
Router(config)#ip nat outside source list 12 pool outsidepool
Router(config)#
• The inside source command translates your own 10.1.1.0/24 hosts to addresses from insidepool; the outside source command translates the other network's 10.1.1.0/24 hosts to addresses from outsidepool, so the two copies of the same range never meet on either side of the router.
Verifying and Troubleshooting the NAT Configuration
Router#show ip nat translations
Router#show ip nat translations verbose
Router#show ip nat statistics
Router#debug ip nat
• show ip nat translations lists the current table (protocol, inside global, inside local, outside local, outside global); the verbose form adds how long each entry has existed, how long since it was last used and its remaining timeout. show ip nat statistics shows the pools, how many of their addresses are allocated and the hit/miss counts. debug ip nat prints a line for every translated packet, so use it only briefly on a busy router.
• When an outside party reports abuse from one of your public addresses, the translation table (or NAT logging exported from it) is what ties that address and port back to the inside host, and only while the entry still exists.
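An added example, not from the slides and not Cisco code: a small Python parser for the output of show ip nat translations, used the way an incident responder would when an abuse report names one of your public addresses and a port and you need the inside host behind it. The sample output is constructed to match the column layout of that command (Pro, Inside global, Inside local, Outside local, Outside global, with --- for fields a static entry does not use); the addresses in it are assumptions.

```python
"""Added example (not from the slides or from Cisco): parse the output of
`show ip nat translations` and attribute an inside-global address:port
to the inside local host behind it."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, Optional[int]]   # (ip, port); port is None for address-only entries

# Constructed sample in the layout of `show ip nat translations`: dynamic
# PAT entries carry a protocol and ports, while a static one-to-one entry
# shows "---" for the protocol and the outside columns.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.2:1923     10.1.2.26:1026     198.51.100.7:80    198.51.100.7:80
tcp 200.1.1.2:1924     10.1.2.24:1026     198.51.100.7:80    198.51.100.7:80
udp 200.1.1.2:1925     10.1.2.30:53412    198.51.100.9:53    198.51.100.9:53
--- 200.1.1.25         10.1.2.25          ---                ---
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]            # "tcp"/"udp"/"icmp", or None for an address-only entry
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]


def _endpoint(token: str) -> Optional[Endpoint]:
    """'200.1.1.2:1923' -> ('200.1.1.2', 1923); '10.1.2.25' -> ('10.1.2.25', None); '---' -> None."""
    if token == "---":
        return None
    if ":" in token:                 # IPv4 only; IPv6 would need bracket handling
        ip, port = token.rsplit(":", 1)
        return ip, int(port)
    return token, None


def parse_translations(text: str) -> List[Translation]:
    """One Translation per table row; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto = None if fields[0] == "---" else fields[0]
        entries.append(Translation(proto, _endpoint(fields[1]), _endpoint(fields[2]),
                                   _endpoint(fields[3]), _endpoint(fields[4])))
    return entries


def inside_hosts_for(entries, global_ip: str, global_port: int, proto: str) -> List[Endpoint]:
    """Which inside host(s) sat behind global_ip:global_port for this protocol?

    A static address-only entry maps every port of its address, so it
    matches any queried port and the inside port equals the queried port.
    """
    hits = []
    for e in entries:
        ip, port = e.inside_global
        if ip != global_ip:
            continue
        if port is None and e.proto is None:           # static one-to-one mapping
            hits.append((e.inside_local[0], global_port))
        elif port == global_port and e.proto == proto:  # dynamic PAT entry
            hits.append(e.inside_local)
    return hits


def ports_in_use(entries) -> Counter:
    """Dynamic (port-level) translations per inside global address, i.e. how
    much of each address's roughly 64k-port budget is currently spent."""
    return Counter(e.inside_global[0] for e in entries if e.inside_global[1] is not None)


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print("200.1.1.2:1924/tcp was", inside_hosts_for(table, "200.1.1.2", 1924, "tcp"))
    print("ports in use:", dict(ports_in_use(table)))
```

Run against a live router the table only answers for entries that have not yet timed out; for attribution after the fact you need the translations logged as they are created and torn down, with the router's clock synchronised, because the same global port is handed to a different inside host as soon as the entry expires.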
Commands that clear NAT Table
Clear ip nat translation
Clears all NAT table entries
Clear ip nat translation inside global-ip
Clears all simple inside NAT translation
table entries for the specified IP address
Clear ip nat translations outside localip
Clears all simple outside NAT
translation table entries for the specified
IP address
Clear ip nat translation protocol inside
global-ip global-port local-ip local-port
[outside local-ip local-port global-ip
global-port]
Clears the specific extended NAT table
entry represented by the global and
local IP addresses and port.