© 2003 Cisco Systems, Inc. All rights reserved.

Network Address Translation

Brigham Young University-Idaho

CIT 340


Short Term Solutions: IPv4 Enhancements

• CIDR (Classless Inter-Domain Routing) – RFCs 1517, 1518, 1519, 1520

• VLSM (Variable Length Subnet Mask) – RFC 1009

• Private Addressing - RFC 1918

• NAT/PAT (Network Address Translation / Port Address Translation) – RFC 1631 & 3022


Private Address Space

• RFC 1918 sets aside three ranges of IP addresses for private networks

10.0.0.0/8

192.168.0.0/16

172.16.0.0 through 172.31.255.255

• Do not route addresses in these blocks to the Internet
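To make the slide's rule checkable, here is an added Python example (my own code, not part of the Cisco/BYU-Idaho slides) that classifies addresses against the three private blocks and applies the "do not route to the Internet" rule at a border interface to a few constructed packets. The packet addresses (documentation ranges) and the helper names are assumptions; the third block is given on the slide as a start/end range, so the code summarises it to CIDR form rather than hard-coding it.

```python
import ipaddress

# RFC 1918 private ranges as listed on the slide; the 172.16.0.0 through
# 172.31.255.255 range is summarised to its CIDR form (172.16.0.0/12).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    *ipaddress.summarize_address_range(
        ipaddress.ip_address("172.16.0.0"), ipaddress.ip_address("172.31.255.255")
    ),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def border_filter(packets):
    """Apply the slide's rule at an Internet-facing interface: a packet whose
    source or destination is an RFC 1918 address must not be forwarded to
    (or accepted from) the Internet.  Returns (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if is_rfc1918(src) or is_rfc1918(dst):
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


def classify_packets():
    # Constructed sample packets (src, dst) seen at an Internet-facing interface;
    # 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
    packets = [
        ("203.0.113.7", "198.51.100.10"),   # public -> public: forward
        ("10.1.2.25", "198.51.100.10"),     # untranslated private source: drop
        ("203.0.113.7", "172.31.255.255"),  # last address of the 172.16/12 block: drop
        ("203.0.113.7", "172.32.0.1"),      # just past the 172.16/12 block: forward
        ("192.168.1.10", "10.0.0.1"),       # both private: drop
    ]
    return border_filter(packets)
```

A private source address leaking past the border usually means a host was not covered by the NAT access list or pool, so a filter like this also serves as a check on the NAT configuration itself.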


Address Translation

• Network Address Translation

One-to-one translation of IP addresses: each inside local IP address is translated to its own inside global address.

• Port Address Translation

Many-to-one translation: multiple inside local IP addresses are translated to one inside global address.


Network Address Translation

• NAT involves a device, such as a router, that translates one set of IP addresses into another set

Can conserve IP addresses by translating a large pool of private addresses into a small pool of public addresses

• Disadvantages include increased latency and difficulties with protocols or applications that embed IP addresses in the data portion of the IP packet


Network Address Translation (NAT) Addresses

• Inside Local: the address used by a host on the private side

• Inside Global: the public, often registered, IP address into which the inside local address is translated

• Outside Global: the actual IP address of a host that resides on the outside public network

• Outside Local: the IP address used to translate an outside global IP address


NAT Inside/Outside & Local/Global Relationship

Figure: addresses carried in the IP header on each side of the NAT router (SA = source address, DA = destination address)

Packet direction inside network to outside network:
  On the inside network:  SA = Inside Local,  DA = Outside Local
  On the outside network: SA = Inside Global, DA = Outside Global

Packet direction outside network to inside network:
  On the outside network: SA = Outside Global, DA = Inside Global
  On the inside network:  SA = Outside Local,  DA = Inside Local


Advantages of NAT

• Allows you to increase or decrease the number of registered IP addresses without changing devices in the network.

• Static translations are manually configured to translate a single global IP address to a single local IP address.

• Dynamic mappings are configured on the NAT border router by using a pool of one or more registered IP addresses. Devices on the inside of the network that wish to communicate with a host on the outside network can use these addresses in the pool.


Advantages of NAT (Continued)

• NAT can be configured to allow the basic load sharing of packets among multiple servers using the TCP load distribution feature. TCP load distribution uses a single outside IP address, which is mapped to multiple addresses. Incoming connections are distributed in a round-robin fashion among IP addresses in the internal pool.

• If you switch ISPs and need to change the registered IP addresses you are using, NAT makes it so you don’t have to renumber every device in your network. The only change is the addresses that are being used in the NAT pool.


Advantages of NAT (continued)

• NAT also helps if you merge with another company and you are both using the same RFC 1918 address space. You can configure NAT on the border router between your routing domains to translate the address from one network to the other.


Disadvantages of NAT

• NAT increases latency. Every packet must be processed to see if it needs translation.

• NAT hides end-to-end IP addresses, which renders some applications unusable.

• NAT changes IP addresses, making it impossible to track an IP flow end-to-end. The upside is that this removes a hacker's ability to identify the packet's true source.


Disadvantages of NAT (continued)

• NAT makes troubleshooting or tracking malicious traffic more difficult.

• Because a host that needs to be accessed from the outside network will have two IP addresses, one inside and one outside, this creates a problem called split DNS: you need to set up two DNS servers, one for external and one for internal addresses.


Network Address Translation (NAT)

NAT: Network Address Translation

• NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header.

• In practice, NAT is used to allow hosts that are privately addressed to access the Internet.


Network Address Translation (NAT)

• NAT translations can occur dynamically or statically.

• The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address.

• This is sometimes called a many-to-one NAT.

• With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address.

• The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers.

Figure: two inside hosts, each sending with TCP source port 1026, are both translated to the single global address 2.2.2.2, one with TCP source port 1923 and the other with TCP source port 1924.


Translating Inside Local Addresses

Inside local IP   Inside global IP
10.1.2.25         200.1.1.25

Figure: host 10.1.2.25 sends through the NAT border router, which translates its inside local address to the inside global address 200.1.1.25 before forwarding the packet toward the Internet (the figure also labels the router with 206.100.29.1).


Configuring NAT

• Each interface must be designated either inside or outside. That way the router knows how to handle traffic.

Router(config)#interface e0/0

Router(config-if)#ip nat inside

Router(config-if)#interface s0/0

Router(config-if)#ip nat outside


Configuring Static NAT

• Static NAT maps one inside global address to one inside local address

Router(config)#ip nat inside source static 10.1.2.25 200.1.1.25

• This creates a permanent entry in the NAT table, so traffic sent to 200.1.1.25 will be translated to 10.1.2.25. You can also configure just a certain port to be translated:

Router(config)#ip nat inside source static tcp 10.1.2.25 80 200.1.1.25 80

Router(config)#ip nat inside source static tcp 10.1.2.24 80 200.1.1.25 81


Configuring Dynamic NAT

• Dynamic NAT is used to map inside IP addresses to outside IP addresses on the fly from a pool of available IP addresses

• First designate your inside and outside interfaces. Create an access list to allow traffic to be translated. Next configure a pool of addresses

Router(config)#int f0/0

Router(config-if)#ip nat inside

Router(config-if)#int s0/0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#access-list 12 permit 10.1.2.0 0.0.0.255

Router(config)#ip nat pool outbound 200.1.1.2 200.1.1.254 prefix-length 24

Router(config)#ip nat inside source list 12 pool outbound

Router(config)#

• The pool's mask can be given either as netmask with the subnet mask in dotted decimal, or as prefix-length with the number of bits in the subnet mask

Could also use netmask 255.255.255.0


Configuring NAT Using Overloading

• Once all the IP addresses in a pool have been allocated, any new connection attempts will fail. So if your ISP allocates 13 addresses, only the first 13 users will be able to access the Internet. Once a NAT entry has expired, its IP address is released back to the pool.

• Configuring overloading allows the router to reuse each IP address in the pool. It changes not only the IP addresses but the port number also.

• This is known as Port Address Translation (PAT) also known as Network Address and Port Translation (NAPT).

• The router will add the protocol and port information for each translation entry, which allows more inside IP addresses to access the outside network than there are IP addresses in the pool.


Configuring NAT Using Overloading (continued)

• The pool of addresses can be one IP address in size, but it can support approximately 64,000 inside users, using a single protocol by varying the outbound port numbers.


Configuring NAT Using Overloading (continued)

Router(config)#ip nat inside source list 12 pool outbound overload

Router(config)#

• This applies the pool and access list and allows the use of ports with the overload command
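The behaviour described across the dynamic NAT and overloading slides (pool exhaustion, release of an address when an entry expires, and per-port mapping under overload) can be worked through with the added Python simulation below. It is my own model, not IOS code, and the 60-second timeout, the 13-address pool and the inside host addresses are constructed values. It also reproduces the earlier figure in which two inside hosts that both use TCP source port 1026 share one global address under PAT.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    local_port: Optional[int]      # None for plain (non-overloaded) dynamic NAT
    global_port: Optional[int]
    expires_at: float = 0.0


class NatRouter:
    """Model of a border router's inside-source NAT table (not IOS code).

    overload=False: each inside host takes one pool address; when the pool is
    empty, new hosts fail until an entry times out and frees its address.
    overload=True (PAT): every inside (address, port) maps to one pool address
    plus a unique global port, so one address serves many hosts."""

    def __init__(self, pool: List[str], overload: bool = False, timeout: float = 60.0):
        self.pool = list(pool)
        self.free = list(pool)          # addresses not currently allocated
        self.overload = overload
        self.timeout = timeout          # assumed entry lifetime, in seconds
        self.table: Dict[Tuple[str, Optional[int]], Translation] = {}
        self.used_ports: Set[Tuple[str, int]] = set()
        self.next_port = 1024

    def expire(self, now: float) -> None:
        """Drop entries whose timer ran out and return their address or port."""
        for key, t in list(self.table.items()):
            if t.expires_at <= now:
                del self.table[key]
                if self.overload:
                    self.used_ports.discard((t.inside_global, t.global_port))
                elif t.inside_global not in self.free:
                    self.free.append(t.inside_global)

    def _alloc_port(self, inside_global: str) -> int:
        # 1024..65535 gives roughly 64,000 ports per address and protocol,
        # which is where the slide's "approximately 64,000 inside users" comes from.
        for _ in range(1024, 65536):
            port = self.next_port
            self.next_port = 1024 if port == 65535 else port + 1
            if (inside_global, port) not in self.used_ports:
                self.used_ports.add((inside_global, port))
                return port
        raise LookupError("port space exhausted")

    def translate(self, inside_local: str, local_port: int, now: float):
        """Return (inside_global, global_port) for an outbound packet, creating
        a table entry if needed; raise LookupError when the pool is exhausted."""
        self.expire(now)
        key = (inside_local, local_port if self.overload else None)
        entry = self.table.get(key)
        if entry is None:
            if self.overload:
                inside_global = self.pool[0]      # one address is enough under PAT
                global_port = self._alloc_port(inside_global)
            else:
                if not self.free:
                    raise LookupError("NAT pool exhausted")
                inside_global, global_port = self.free.pop(0), None
            entry = Translation(inside_local, inside_global, local_port, global_port)
            self.table[key] = entry
        entry.expires_at = now + self.timeout     # refresh the timer on use
        return entry.inside_global, entry.global_port


def simulate_pools():
    """Constructed scenario: an ISP-allocated pool of 13 addresses and 14 inside hosts."""
    pool = [f"200.1.1.{i}" for i in range(2, 15)]
    plain = NatRouter(pool, overload=False, timeout=60.0)
    succeeded = 0
    for host in range(1, 15):
        try:
            plain.translate(f"10.1.2.{host}", 1026, now=0.0)
            succeeded += 1
        except LookupError:
            pass                                   # the 14th host is refused
    # After the entries time out, an address is released back to the pool.
    after_expiry = plain.translate("10.1.2.14", 1026, now=61.0)
    # With overload a single address carries both hosts, even though both
    # use TCP source port 1026, by assigning distinct global ports.
    pat = NatRouter(["200.1.1.2"], overload=True)
    first = pat.translate("10.1.2.25", 1026, now=0.0)
    second = pat.translate("10.1.2.24", 1026, now=0.0)
    return succeeded, after_expiry, first, second
```

The model allocates all PAT translations from the first pool address, which matches the slide's point that the pool can be a single address in size; the only resource that then runs out is the per-address, per-protocol port space.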


Configuring TCP Load Distribution

• NAT has a feature unrelated to conserving public addresses.

• Load Distribution allows a host (like a web server) inside the network to distribute the load among several hosts.

• Destination addresses that match an access list are replaced with addresses from a pool that has been designated as a rotary pool by adding the type rotary keywords at the end of the ip nat pool command


Configuring TCP Load Distribution(continued)

Router(config)#ip nat pool web-hosts 10.1.1.1 10.1.19 netmask 255.255.255.0 type rotary

Router(config)#access-list 12 permit 10.1.1.254

Router(config)#ip nat inside destination list 12 pool web-hosts
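To show what the rotary pool does to incoming connections, here is an added Python model (my own, not IOS code) of inside-destination NAT: the virtual address matched by the access list is rewritten to the real servers in round-robin order, one server per new connection, and an established connection keeps the server it was given. The virtual address, server addresses and client address are constructed values.

```python
from itertools import cycle
from typing import Dict, List, Tuple


class RotaryPool:
    """Model of inside-destination NAT with a rotary pool (not IOS code):
    new connections to the virtual server address are handed to the real
    servers in round-robin order, and an established connection keeps the
    server it was given."""

    def __init__(self, virtual_ip: str, real_ips: List[str]):
        self.virtual_ip = virtual_ip              # address matched by the access list
        self.real_ips = list(real_ips)            # the rotary pool
        self._next = cycle(self.real_ips)
        self.table: Dict[Tuple[str, int], str] = {}   # (client ip, port) -> server

    def translate_destination(self, client_ip: str, client_port: int, dst_ip: str) -> str:
        """Return the destination address the packet is forwarded to."""
        if dst_ip != self.virtual_ip:
            return dst_ip                         # not in the access list: untouched
        key = (client_ip, client_port)
        if key not in self.table:                 # new connection: next server in turn
            self.table[key] = next(self._next)
        return self.table[key]


def simulate_rotary():
    """Constructed scenario: virtual address 10.1.1.254 in front of three web hosts."""
    lb = RotaryPool("10.1.1.254", ["10.1.1.1", "10.1.1.2", "10.1.1.3"])
    # Four new connections from one client, each with a fresh source port.
    chosen = [lb.translate_destination("203.0.113.5", 40000 + i, "10.1.1.254")
              for i in range(4)]
    # A later packet of the first connection must go to the same server.
    pinned = lb.translate_destination("203.0.113.5", 40000, "10.1.1.254")
    # Traffic to an address the access list does not match is left alone.
    untouched = lb.translate_destination("203.0.113.5", 40001, "10.1.1.50")
    return chosen, pinned, untouched
```

Keeping an existing connection pinned to its server is what makes the scheme usable for TCP: if the router re-rotated per packet, the segments of one connection would land on different hosts.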


Configuring NAT for Overlapping Addresses

• Overlapping addresses is similar to dynamic NAT.

• The difference is you must configure a pool inside as well as outside.

Router(config)#access-list 12 permit 10.1.1.0 0.0.0.255

Router(config)#ip nat pool insidepool 10.1.2.1 10.1.2.254 netmask 255.255.255.0

Router(config)#ip nat pool outsidepool 200.1.1.2 200.1.1.254 prefix-length 24

Router(config)#ip nat inside source list 12 pool insidepool

Router(config)#ip nat outside source list 12 pool outsidepool

Router(config)#


Verifying and Troubleshooting the NAT Configuration

Router#show ip nat translations

Router#show ip nat translations verbose

Router#show ip nat statistics

Router#debug ip nat


Commands that clear NAT Table

clear ip nat translation *
    Clears all NAT table entries

clear ip nat translation inside global-ip
    Clears all simple inside NAT translation table entries for the specified IP address

clear ip nat translation outside local-ip
    Clears all simple outside NAT translation table entries for the specified IP address

clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
    Clears the specific extended NAT table entry represented by the global and local IP addresses and ports
