S6C11 - NAT Network Security Translation

NAT Described
• Globally unique ONLY in terms of the public Internet
  – Translates private addresses into publicly usable addresses for use on the public Internet
• Saves usable IP addresses
  – An effective means of hiding actual device addressing within a private network
• Aka Network Address Translator – defined in RFC 1631

NAT and PAT
• NAT Translation
  – The NAT box can be a Cisco router, a UNIX system, a Windows XP server, or several other kinds of systems.
  – The router looks inside the IP header and, if appropriate, replaces the local IP address with a globally unique IP address.
  – When an outside host sends a response, the NAT router receives it, checks the current table of network address translations, and replaces the destination address with the original inside source address.
• Port Address Translation
  – Allows the user to conserve addresses in the global address pool by allowing source ports in TCP connections or UDP conversations to be translated. Different local addresses then map to the same global address.

PAT Limitations
• As long as the inside global port numbers are unique for each inside local host, NAT overload will work.
• NAT overload can go a long way toward alleviating address depletion, but its capabilities are limited.
• A realistic number is approximately 4,000 local addresses per global address.
• Each NAT translation consumes about 160 bytes of router DRAM.
Static Translation
• Translates inside local addresses
• Establishes a mapping between inside local and global addresses
  – Configured statically, one entry at a time
  – For every inside local address, static NAT requires an inside global address
  – Typically used in conjunction with dynamic NAT, in cases where you have overlapping networks
• RTA(config)#ip nat inside source static 10.1.1.7 171.70.2.10
• Specify an inside and an outside interface
  – RTA(config)#interface bri0
  – RTA(config-if)#ip nat outside
  – RTA(config-if)#interface e0
  – RTA(config-if)#ip nat inside

Dynamic Translation
• Translates inside local addresses
  – Establishes a mapping between inside local and global addresses
• Mappings are configured dynamically by the router as needed
  – Translations don't exist in the NAT translation table until the router receives traffic that requires translation (such traffic is defined by an administrator). Dynamic translations are temporary, and will eventually time out.

Configuration for Dynamic
• Create a pool of IP addresses to be allocated as needed
  – Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
• Specify which addresses to translate
  – Router(config)#access-list access-list-number permit source [source-wildcard]
• Establish a dynamic translation based on source
  – Router(config)#ip nat inside source list access-list-number pool name
• Configure at least one inside interface and one outside interface
  – Router(config-if)#ip nat inside

Why Dynamic?
• Although NAT is not a security firewall, it can prevent outsiders from initiating connections with inside hosts, unless a permanent global address mapping exists in the NAT table (static NAT). Because outside hosts never see the "pre-translated" inside addresses, NAT has the effect of hiding the inside network structure.
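The behaviour described by the Static, Dynamic and Why Dynamic? slides, as an added example that is not part of the original deck: a toy model of an IOS-style NAT table combining the static mapping 10.1.1.7 to 171.70.2.10 with an overloaded (PAT) entry for the rest of 10.1.1.0/24. It assumes inside global ports are handed out sequentially from 1024 and that a one-address pool is overloaded; real IOS port allocation differs.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the slides: a toy model of an IOS NAT table that
# combines the static mapping from the Static Translation slide
# (10.1.1.7 -> 171.70.2.10) with an overloaded (PAT) pool for the rest of
# 10.1.1.0/24. Assumption: inside global ports are handed out sequentially
# from 1024; real IOS port allocation differs.

class NatOverloadRouter:
    def __init__(self, inside_acl, static, pool):
        self.inside_acl = IPv4Network(inside_acl)   # "ip nat inside source list ..."
        self.static = dict(static)                  # inside local -> inside global
        self.pool = list(pool)                      # inside global addresses
        self.next_port = 1024
        self.outbound = {}   # (inside local, local port) -> (inside global, global port)
        self.inbound = {}    # (inside global, global port) -> (inside local, local port)

    def translate_outbound(self, src, sport, dst, dport):
        """Inside -> outside: rewrite the source, adding a dynamic entry if needed."""
        if src in self.static:                      # static NAT keeps the port unchanged
            return (self.static[src], sport, dst, dport)
        if IPv4Address(src) not in self.inside_acl:
            return (src, sport, dst, dport)         # not matched by the ACL: forwarded untranslated
        key = (src, sport)
        if key not in self.outbound:
            if self.next_port > 65535:
                raise RuntimeError("inside global ports exhausted on " + self.pool[0])
            gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = (self.pool[0], gport)   # overload: many locals, one global
            self.inbound[(self.pool[0], gport)] = key
        gip, gport = self.outbound[key]
        return (gip, gport, dst, dport)

    def translate_inbound(self, src, sport, dst, dport):
        """Outside -> inside: only an existing table entry lets a packet through."""
        for local, glob in self.static.items():     # permanent mapping: reachable from outside
            if glob == dst:
                return (src, sport, local, dport)
        entry = self.inbound.get((dst, dport))
        if entry is None:
            return None                             # no translation exists: packet is dropped
        local_ip, local_port = entry
        return (src, sport, local_ip, local_port)

    def dram_estimate(self):
        """Rough router memory cost, using the slide's ~160 bytes per dynamic entry."""
        return 160 * len(self.outbound)
```

An unsolicited packet to the overloaded address returns None (dropped), while a packet to the static global address is always forwarded to 10.1.1.7, which is the security difference the Why Dynamic? slide points at.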
Address Definitions
• Inside local – IP address assigned to a host on the inside network
• Inside global – A legitimate IP address (assigned by the NIC or service provider) that represents the local IP address to the outside world
• Outside local – IP address of an outside host as it appears to the inside network; allocated from inside addressable routable space
• Outside global – IP address assigned to a host on the outside network by its owners; allocated from globally routable address space

NAT and Address Overlapping
• NAT can resolve address issues when inside addresses overlap with addresses in the outside network
  – When two companies with similar address structures merge
  – When ISPs are swapped and another client has the same address structure

Overload Configuration
• Configure NAT overload by using the keyword overload:
  – Router(config)#ip nat inside source list access-list-number pool name overload
• RTA is configured
  – RTA(config)#ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
  – RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
  – RTA(config)#ip nat inside source list 24 pool mypatpool overload
  – RTA(config)#interface bri 0
  – RTA(config-if)#ip nat outside
  – RTA(config-if)#interface ethernet 0
  – RTA(config-if)#ip nat inside

Overload Alternative
• You can overload the address of an outside interface
  – Router(config)#ip nat inside source list access-list-number interface interface-name overload
  – Router(config)#ip nat inside source list 2 interface serial0 overload

Information Needed
• ISDN – Switch type, SPIDs, directory number (the local seven-digit ISDN phone number of the router)
• ISP
  – PPP client name (the ISP assigns this as the login name)
  – PPP authentication type and password
  – IP address information (including subnet mask) used in the router's public address pool
  – ISP phone number

Atlanta Configuration Default/Generic
• ip subnet-zero
• no ip domain-lookup
• enable secret cisco
• ip nat translation timeout 1800
• isdn switch-type basic-ni1
• ip classless
• ip http server
• line con 0
  – password cisco
  – login
• line vty 0 4
  – password telnet
  – login

Atlanta Configuration
• hostname Atlanta
• ip nat inside source list 1 interface Dialer0 overload
• ip nat inside source static 10.1.1.2 215.1.1.2
• interface e0
  – ip address 10.1.1.1 255.0.0.0
  – ip nat inside

Atlanta Continued – BRI
• interface bri 0
  – no ip address
  – encapsulation ppp
  – dialer rotary-group 0
  – isdn spid1 014045551111000 5551111
  – isdn spid2 014045552222000 5552222

Atlanta Continued – Dialer
• interface Dialer0
  – ip address 215.1.1.1 255.255.255.0
  – ip nat outside
  – encapsulation ppp
  – dialer in-band
  – dialer idle-timeout 200
  – dialer string 1408555333 class 56K
  – dialer hold-queue 10
  – dialer load-threshold 200 either
  – dialer-group 1

Atlanta Dialer Cont'd
• interface Dialer0 (continued)
  – ppp authentication chap callin
  – ppp chap hostname Atlanta
  – ppp chap password gocisco1
  – ppp multilink

Atlanta Continued – Map Class and Routes
• ip route 0.0.0.0 0.0.0.0 Dialer0
• ip route 20.0.0.0 255.0.0.0 10.1.1.2
• map-class dialer 56K
• access-list 1 permit 10.0.0.0 0.255.255.255
• access-list 1 permit 20.0.0.0 0.255.255.255
• dialer-list 1 protocol ip permit

Boston Configuration
• hostname Boston
• interface e0
  – ip address 20.1.1.1 255.0.0.0
• interface e1
  – ip address 10.1.1.2 255.0.0.0
• ip route 0.0.0.0 0.0.0.0 10.1.1.1
• ip http server
• line con 0
  – password cisco
  – login
• line vty 0
  – password telnet
  – login

TCP Load Distribution
• Define a pool of addresses containing the addresses of the real hosts:
  – Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
• Define an access list permitting the address of the virtual host:
  – Router(config)#access-list access-list-number permit source [source-wildcard]
• Establish dynamic inside destination translation, identifying the access list defined in Step 2:
  – Router(config)#ip nat inside destination list access-list-number pool name

TCP Continued
• Specify the inside interface:
  – Router(config)#interface type number
• Mark the interface as connected to the inside:
  – Router(config-if)#ip nat inside
• Specify the outside interface:
  – Router(config-if)#interface type number
• Mark the interface as connected to the outside:
  – Router(config-if)#ip nat outside

NAT Advantages
• Conserves the legally registered addressing scheme by allowing the privatization of intranets
• Reduces the instances in which addressing schemes overlap
• Increases the flexibility of connection to the public network.
  – Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections
• De-privatization of a network
  – NAT allows the existing scheme to remain, and it still supports the newly assigned addressing scheme outside

NAT Disadvantages
• NAT increases delay.
  – Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers
• Loss of end-to-end IP traceability
• Forces some applications that use IP addressing to stop functioning, because it hides end-to-end IP addresses
  – Solution: implement static NAT mappings.

Supported Traffic Types
• Any TCP/UDP traffic that does not carry source or destination IP addresses in the application data stream
• Hypertext Transfer Protocol (HTTP)
• Trivial File Transfer Protocol (TFTP)
• Telnet
• Archie
• Finger
• Network Time Protocol (NTP)
• Network File System (NFS)
• rlogin, rsh, rcp

More Supported Types
• Even those that do carry address data in the data stream:
  – File Transfer Protocol (FTP) (including PORT and PASV commands)
  – NetBIOS over TCP/IP (datagram, name, and session services)
  – Progressive Networks' RealAudio
  – White Pines' CuSeeMe
  – Xing Technologies' Streamworks
  – DNS "A" and "PTR" queries
  – H.323/NetMeeting [12.0(1)/12.0(1)T and later]
  – VDOLive [11.3(4)/11.3(4)T and later]
  – Vxtreme [11.3(4)/11.3(4)T and later]
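The TCP Load Distribution procedure above (rotary pool plus inside destination translation), modelled as an added example that is not part of the original deck: new TCP connections to the virtual host address are spread over the real hosts in round-robin order, while packets of an established connection keep following their existing entry. The virtual host 171.70.2.100 and real hosts 10.1.1.21-23 are constructed for the example, and the "drop a non-SYN packet with no entry" rule is a simplifying assumption of the model.

```python
from itertools import cycle

# Added example, not from the slides: a toy model of the "type rotary" pool
# behaviour configured by the TCP Load Distribution steps. Addresses are
# constructed; dropping a non-SYN packet that has no entry is an assumption
# of this model, not a statement about IOS internals.

class RotaryNat:
    def __init__(self, virtual_host, real_hosts):
        self.virtual_host = virtual_host        # permitted by the access list (Step 2)
        self.real_hosts = list(real_hosts)      # ip nat pool ... type rotary (Step 1)
        self._next = cycle(self.real_hosts)     # round-robin over the real hosts
        self.table = {}                         # (client ip, client port) -> real host

    def translate_inbound(self, src, sport, dst, dport, syn):
        """Outside -> inside destination translation for traffic to the virtual host."""
        if dst != self.virtual_host:
            return (src, sport, dst, dport)     # not the virtual host: left untouched
        key = (src, sport)
        if key not in self.table:
            if not syn:
                return None                     # no entry and not a new connection: dropped
            self.table[key] = next(self._next)  # new TCP connection: next real host in turn
        return (src, sport, self.table[key], dport)

    def translate_outbound(self, src, sport, dst, dport):
        """Reply from a real host: restore the virtual host as the source address."""
        if self.table.get((dst, dport)) == src:
            return (self.virtual_host, sport, dst, dport)
        return (src, sport, dst, dport)
```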