Network Address Translation Brigham Young University-Idaho CIT 340 © 2003 Cisco Systems, Inc. All rights reserved. 1 Short Term Solutions: IPv4 Enhancements • CIDR (Classless Inter-Domain Routing) – RFCs 1517, 1518, 1519, 1520 • VLSM (Variable Length Subnet Mask) – RFC 1009 • Private Addressing - RFC 1918 • NAT/PAT (Network Address Translation / Port Address Translation) – RFC 1631 & 3022 © 2003, Cisco Systems, Inc. All rights reserved. 2 Private Address Space • RCF 1918 sets aside three ranges of IP addresses for private networks 10.0.0.0/8 192.168.0.0/16 172.16.0.0 through 172.31.255.255 • Do not route addresses in these blocks to the Internet © 2003, Cisco Systems, Inc. All rights reserved. 3 Address Translation • Network Address Translation One to one translation of IP addresses from inside local IP address. • Port Address Translation Many-to-one translation, takes multiple inside local IP addresses and translates them to one inside global address. © 2003, Cisco Systems, Inc. All rights reserved. 4 Network Address Translation • NAT involves device such as a router that translates one set of IP addresses into another set Can conserve IP addresses by translating a large pool of private addresses into a small pool of public addresses • Disadvantages include increased latency and difficulties with protocols or applications that put IP address in data portion of IP packet © 2003, Cisco Systems, Inc. All rights reserved. 5 Network Address Translation (NAT) Addresses • Inside Local-used by host on the private side • Inside Global-public often registered IP address into which the inside local is translated • Outside Global-actual IP address of a host that resides on the outside public network • Outside Local-IP address used to translate an outside global IP address © 2003, Cisco Systems, Inc. All rights reserved. 6 NAT Inside/Outside & Local/Global Relationship Inside Network Outside Network Packet Direction SA Inside Local DA Inside Local DA Outside Local SA Outside Local © 2003, Cisco Systems, Inc. All rights reserved. SA Inside Global DA Inside Global DA Outside Global SA Outside Global 7 Advantages of NAT • Allows you to increase or decrease the number of registered IP addresses without changing devices in the network. • Static translations are manually configured to translate a single global IP address to a single local IP address. • Dynamic mappings are configured on the NAT border router by using a pool of one or more registered IP addresses. Devices on the inside of the network that wish to communicate with a host on the outside network can use these addresses in the pool. © 2003, Cisco Systems, Inc. All rights reserved. 8 Advantages of NAT (Continued) • NAT can be configured to allow the basic load sharing of packets among multiple servers using the TCP load distribution feature. TCP load distribution uses a single outside IP address, which is mapped to multiple addresses. Incoming connections are distributed in a round-robin fashion among IP addresses in the internal pool. • If you switch ISPs and need to change the registered IP addresses you are using, NAT makes it so you don’t have to renumber every device in your network. The only change is the addresses that are being used in the NAT pool. © 2003, Cisco Systems, Inc. All rights reserved. 9 Advantages of NAT (continued) • NAT also helps if you merge with another company and you are both using the same RFC 1918 address space. You can configure NAT on the border router between your routing domains to translate the address from one network to the other. © 2003, Cisco Systems, Inc. All rights reserved. 10 Disadvantages of NAT • NAT increases latency. Every packet must be processed to see if it needs translation. • NAT hides end-to-end IP addresses that render some applications unusable. • NAT changes IP addresses making it unable to track IP flow end-to-end. The good thing is this eliminates a hacker’s ability to identify the packet’s true source. © 2003, Cisco Systems, Inc. All rights reserved. 11 Disadvantages of NAT (continued) • NAT makes troubleshooting or tracking malicious traffic more difficult. • Because a host needs to be accessed from the outside network will have two IP addresses, one inside and one outside, this creates a problem called split DNS. You need to set up two DNS servers, one for external and one for internal addresses. © 2003, Cisco Systems, Inc. All rights reserved. 12 Network Address Translation (NAT) NAT: Network Address Translation • NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. • In practice, NAT is used to allow hosts that are privately addressed to access the Internet. © 2003, Cisco Systems, Inc. All rights reserved. 13 Network Address Translation (NAT) TCP Source Port 1026 2.2.2.2 TCP Source Port 1923 TCP Source Port 1026 2.2.2.2 TCP Source Port 1924 • NAT translations can occur dynamically or statically. • The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address. • This is sometimes called a many-to-one NAT. • With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address. • The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers. © 2003, Cisco Systems, Inc. All rights reserved. 14 Translating Inside Local Addresses Inside local IP Inside global IP 10.1.2.25 200.1.1.25 Internet 10.1.2.25 NAT Border Router 206.100.29.1 © 2003, Cisco Systems, Inc. All rights reserved. 15 Configuring NAT • Each interface must be designated either inside or outside. That way the router knows how to handle traffic. Router(config)#interface e0/0 Router(config-if)#ip nat inside Router(config-if)#interface s0/0 Router(config-if)#ip nat outside © 2003, Cisco Systems, Inc. All rights reserved. 16 Configuring Static NAT • Static NAT maps one inside global address to one inside local address Router(config)#ip nat inside source static 10.1.2.25 200.1.1.25 • This creates a permanent entry into the NAT table so traffic sent to 200.1.1.25 will be translated to 10.1.2.25. You can also configure just a certain port to be translated Router(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80 Router(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81 © 2003, Cisco Systems, Inc. All rights reserved. 17 Configuring Dynamic NAT • Dynamic NAT is used to map inside IP addresses to outside IP addresses on the fly from a pool of available IP addresses • First designate your inside and outside interfaces. Create an access list to allow traffic to be translated. Next configure a pool of addresses Router(config)#int f0/0 Could also use netmask Router(config-if)#ip nat inside 255.255.255.0 Router(config-if)#int s0/0 Router(config-if)#ip nat outside Router(config-if)#exit Router(config)#access-list 12 permit 10.1.2.0 0.0.0.255 Router(config)#ip nat pool outbound 200.1.1.2 200.1.1.254 prefix- length 24 Router(config)#ip nat inside source list 12 pool outbound Router(config)# • You can use the netmask with subnet in dotted decimal or prefix with length and number of bits in subnet mask © 2003, Cisco Systems, Inc. All rights reserved. 18 Configuring NAT Using Overloading • Once all the IP addresses in a pool have been allocated, any new connections attempts will fail. So if your ISP allocates 13 addresses, only the first 13 users will be able to access the Internet. Once a NAT entry has expired, the IP address is released back to the pool. • Configuring overloading allows the router to reuse each IP address in the pool. It changes not only the IP addresses but the port number also. • This is known as Port Address Translation (PAT) also known as Network Address and Port Translation (NAPT). • The router will add the protocol and port information for each translation entry, which allows more inside IP addresses to access the outside network than there are IP addresses in the pool. © 2003, Cisco Systems, Inc. All rights reserved. 19 Configuring NAT Using Overloading (continued) • The pool of addresses can be one IP address in size, but it can support approximately 64,000 inside users, using a single protocol by varying the outbound port numbers. © 2003, Cisco Systems, Inc. All rights reserved. 20 Configuring NAT Using Overloading (continued) Router(config)#ip nat inside source list 12 pool outbound overload Router(config)# • This applies the pool and access list and allows the use of ports with the overload command © 2003, Cisco Systems, Inc. All rights reserved. 21 Configuring TCP Load Distribution • NAT has a feature unrelated to conserving public addresses. • Load Distribution allow a host (like a web server) inside the network to distribute the load among several hosts. • Destination addresses that match an access list are replaced with addresses from a pool that been designated as a rotary pool by adding the type rotary keywords at the end of the ip nat pool command © 2003, Cisco Systems, Inc. All rights reserved. 22 Configuring TCP Load Distribution(continued) Routers(config)#ip nat pool web-hosts 10.1.1.1 10.1.19 netmask 255.255.255.0 type rotary Routers(config)#access-list 12 permit 10.1.1.254 Routers(config)#ip nat inside destination list 12 pool web-hosts © 2003, Cisco Systems, Inc. All rights reserved. 23 Configuring NAT for Overlapping Addresses • Overlapping addresses is similar to dynamic NAT. • The difference is you must configure a pool inside as well as outside. Router(config)#access-list 12 permit 10.1.1.0 0.0.0.255 Router(config)#ip nat insidepool 10.1.2.1 10.1.2.254 netmask 255.255.255.0 Router(config)#ip nat outsidepool 200.1.1.2 200.1.1.254 prefixlength 24 Router(config)#ip nat inside source list 12 pool insidepool Router(config)#ip nat outside source list 12 pool outsidepool Router(config)# © 2003, Cisco Systems, Inc. All rights reserved. 24 Verifying and Troubleshooting the NAT Configuration Router#show ip nat translations Router#show ip nat translations verbose Router#show ip nat statistics Router#debug ip nat © 2003, Cisco Systems, Inc. All rights reserved. 25 Commands that clear NAT Table Clear ip nat translation Clears all NAT table entries Clear ip nat translation inside global-ip Clears all simple inside NAT translation table entries for the specified IP address Clear ip nat translations outside localip Clears all simple outside NAT translation table entries for the specified IP address Clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port] Clears the specific extended NAT table entry represented by the global and local IP addresses and port. © 2003, Cisco Systems, Inc. All rights reserved. 26