Configuring Network Address Translation (NAT)

This document provides the following information about configuring Network Address Translation on the Enterasys Matrix® N-Series platform.

For information about...                 Refer to page...
What is Network Address Translation?     1
Why Would I Use NAT in My Network?       2
How Can I Implement NAT?                 2
NAT Overview                             3
Configuring NAT                          9
NAT Configuration Examples               12
Terms and Definitions                    17

What is Network Address Translation?
Network Address Translation (NAT) and Network Address Port Translation (NAPT) are methods of concealing a set of host addresses on a private network behind a pool of public addresses. Together they are referred to as traditional NAT. A traditional NAT configuration is made up of a private network and a public network that are connected by a router with NAT enabled on it.

Basic NAT is a method by which IP addresses are mapped from one group of addresses to another, transparent to the end user. A basic NAT translation is always between a single private IP address and a single public IP address.

NAPT is a method by which many private network addresses, along with each private address's associated TCP/UDP port, are translated into a single public network address and its associated TCP/UDP ports. Given that there is only a single public IP address associated with the translations, it is the public port the private address and its port are associated with that allows for the uniqueness of each translation.

In addition, the following features are also supported:
• Static and Dynamic NAT Pool Binding
• FTP, DNS, and ICMP (with five different error messages) software path NAT translation
• Secure Plus (force flows)

April 16, 2009

Page 1 of 19


Why Would I Use NAT in My Network?
Enterasys support for NAT provides a practical solution for organizations who wish to streamline their IP addressing schemes. NAT operates on a router connecting a private network to a public network, simplifying network design and conserving IP addresses. NAT can help organizations merge multiple networks together and enhance network security by:
• Helping to prevent malicious activity initiated by outside hosts from entering the corporate network
• Improving the reliability of local systems by stopping worms
• Augmenting privacy by keeping private intranet addresses hidden from view of the public internet, thereby inhibiting scans
• Limiting the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Authority (IANA)
• Conserving the number of global IP addresses needed by a private intranet

How Can I Implement NAT?
To implement NAT in your network:
• Enable NAT on both the inside (local) and outside (public) interfaces to be used for translation
• If you intend to use inside source address dynamic translation (see "Dynamic Inside Address Translations" on page 5 for details):
  – Define an access-list of inside addresses
  – Define a NAT address pool of outside addresses
  – Enable dynamic translation of inside addresses specifying an access-list of inside addresses and a NAT address pool of outside addresses
  – Optionally configure overload for NAPT (defaults to NAT)
  – Optionally specify the interface to which translations are applied
• If you intend to use inside source address static translation (see "Static Inside Address Translation" on page 3 for details), enable inside source address static translation in the appropriate NAT or NAPT context
• Optionally change the NAT FTP control port from its default of 21
• Optionally enable force flows to force all flows to be translated between outside and inside addresses
• Optionally modify maximum allowed entries and NAT translation timeout values


NAT Overview
This section provides an overview of NAT configuration. 
Notes:
NAT is currently supported on the Enterasys Matrix® N-Series products. This document details the configuration of NAT for the Matrix N-Series products.
NAT is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the configuration guide that comes with your Enterasys Matrix DFE or NSA product in order to enable the NAT command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
A minimum of 256 MB of memory is required on all modules in order to enable NAT. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.

NAT Configuration
A traditional NAT configuration is made up of a private network or intranet, a public network, and a router that interconnects the two networks. The private network is made up of one or more hosts and devices each assigned an inside (internal) address that is not intended to be directly connectable to a public network host or device. The public network hosts or devices have outside (external) uniquely registered public addresses. The router interconnecting the private and public networks supports traditional NAT. It is NAT's responsibility to translate the inside address to a unique outside address to facilitate communication with the public network for intranet devices.

NAT allows translations between IP addresses. NAPT allows translations between multiple inside addresses and their associated ports and a single outside IP address and its associated ports. NAT and NAPT support both static and dynamic inside address translation.

Static Inside Address Translation
Static inside address translations are one-to-one bindings between the inside and outside IP addresses. A static address binding does not expire until the command that defines the binding is negated. When configuring NAT for static inside address translation, you assign a local IP address and a global IP address to the binding. When configuring NAPT for static inside address translation, you assign a local IP address and one of its associated L4 ports and a global IP address and one of its associated L4 ports to the binding. You also specify whether the packet protocol is TCP or UDP for this binding.

NAT Static Inside Address Translation
Figure 1 on page 4 displays a basic NAT static inside address translation overview. Client1 has a source address of 10.1.1.1 (its own IP address) and a destination address of 200.1.1.50 (the Server1 IP address). The static translation is configured between the local IP address (Client1's own IP address) and the global IP address 200.1.1.1 (an available public network address).

A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1, but leaves the NAT router with a source address of 200.1.1.1. In both cases the destination is for Server1's IP address of 200.1.1.50. From Server1's point of view, Client1's IP address is 200.1.1.1. Server1 doesn't know anything about its actual IP address of 10.1.1.1.

When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1 as the destination address. Server1's response is delivered to IP address 10.1.1.1.


Figure 1 Basic NAT Static Inside Address Translation
[Figure: Client1 (10.1.1.1) on the Internal Private Network, the NAT ROUTER, and Server1 (200.1.1.50) on the External Public Network. Internal side: DA 200.1.1.50 / SA 10.1.1.1 outbound, DA 10.1.1.1 / SA 200.1.1.50 on the return. External side: DA 200.1.1.50 / SA 200.1.1.1 outbound, DA 200.1.1.1 / SA 200.1.1.50 on the return.]

NAPT Static Inside Address Translation
Figure 2 on page 5 displays a basic NAPT static inside address translation overview. Client1 has a source IP address of 10.1.1.2 and L4 port of 125 (its own IP address and port) and a destination address of 200.1.1.50 and L4 port of 80 (the Server1 IP address and port). The static translation is configured between the local IP address (Client1's own IP address and port) and the global IP address 200.1.1.1 and L4 port 1025 (an available public network address and port).

A packet arrives at the NAT router from Client1 with a source address of 10.1.1.2:125, but leaves the NAT router with a source address of 200.1.1.1:1025. In both cases the destination is for Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client1's IP address is 200.1.1.1:1025. Server1 doesn't know anything about its actual IP address of 10.1.1.2:125.

When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1:1025 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.2:125 as the destination address. Server1's response is delivered to IP address 10.1.1.2:125.


Figure 2 Basic NAPT Static Inside Address Translation
[Figure: the client (labelled Client2, 10.1.1.2) on the Internal Private Network, the NAT ROUTER, and Server1 (200.1.1.50) on the External Public Network. Internal side: DA 200.1.1.50:80 / SA 10.1.1.2:125 outbound, DA 10.1.1.2:125 / SA 200.1.1.50:80 on the return. External side: DA 200.1.1.50:80 / SA 200.1.1.1:1025 outbound, DA 200.1.1.1:1025 / SA 200.1.1.50:80 on the return.]

Dynamic Inside Address Translations
Dynamic address bindings are formed from a pre-configured access-list of local inside addresses and a pre-configured address pool of public outside addresses. Access-lists are configured using the access-list command. Address pools are configured using the ip nat pool command.

IP addresses defined for dynamic bindings are reassigned whenever they become free. Unlike a static translation, which persists until the command that defines the binding is negated, a NAT translation timeout option is configurable for dynamic translations and defaults to 240 seconds.

The dynamic inside address translation defaults to NAT. To configure a dynamic inside address translation for NAPT, specify the overload option when creating the translation list. Global ports are dynamically assigned from the range 1024 to 4999.

You can also specify the VLAN interface over which this translation will be applied. Otherwise, the translation applies to all interfaces.

NAT Dynamic Inside Address Translation
Figure 3 on page 6 displays a basic NAT dynamic inside address translation overview. The overview shows two internal network clients: Client1 and Client2. The access-list assigned to this dynamic translation must contain permits for the IP address of each local client (10.1.1.1 and 10.1.1.2). A NAT pool must be configured with at least a two address range of publicly available IP addresses and assigned to this dynamic translation. In this case the public IP address range is from 200.1.1.1 to 200.1.1.2. This is a NAT dynamic translation so we do not assign the overload option.

Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1, but leaves the NAT router with a source address from the assigned pool, in this case: 200.1.1.2. In both cases the destination is for Server1's IP address of 200.1.1.50. From Server1's point of view, Client1's IP address is 200.1.1.2. Server1 doesn't know anything about its actual IP address of 10.1.1.1.

When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.2 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1 as the destination address. Server1's response is delivered to IP address 10.1.1.1.


Figure 3 Basic NAT Dynamic Inside Address Translation
[Figure: Client1 (10.1.1.1) and Client2 (10.1.1.2) on the Internal Private Network, the NAT ROUTER, and Server1 (200.1.1.50) on the External Public Network. Internal side: DA 200.1.1.50 / SA 10.1.1.1 and DA 200.1.1.50 / SA 10.1.1.2 outbound, DA 10.1.1.1 / SA 200.1.1.50 and DA 10.1.1.2 / SA 200.1.1.50 on the return. External side: DA 200.1.1.50 / SA 200.1.1.2 (Client1) and DA 200.1.1.50 / SA 200.1.1.1 (Client2) outbound, DA 200.1.1.2 / SA 200.1.1.50 and DA 200.1.1.1 / SA 200.1.1.50 on the return.]

Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2, but leaves the NAT router with the remaining available source address from the assigned pool, in this case: 200.1.1.1. In both cases the destination is for Server1's IP address of 200.1.1.50. From Server1's point of view, Client2's IP address is 200.1.1.1. Server1 doesn't know anything about its actual IP address of 10.1.1.2.

When Server1 responds to Client2, its packet arrives at the NAT router with Client2's translated address of 200.1.1.1 as the destination address, but leaves the NAT router with Client2's actual address of 10.1.1.2 as the destination address. Server1's response is delivered to IP address 10.1.1.2.

NAPT Dynamic Inside Address Translation
Figure 4 on page 7 displays a basic NAPT dynamic inside address translation overview. The overview shows two internal network clients: Client1 and Client2. The access-list assigned to this dynamic translation must contain permits for the IP address of each local client (10.1.1.1 and 10.1.1.2). A NAT pool can be configured with a single IP address for its range of publicly available IP addresses and assigned to this dynamic translation. A single public IP address will be sufficient because NAPT will use the available L4 port range of this address when assigning addresses for dynamic translation. In this case the public IP address range is from 200.1.1.1 to 200.1.1.1. This is a NAPT dynamic translation so we must assign the overload option.

Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1:125, but leaves the NAT router with a source address of 200.1.1.1:1024. In both cases the destination is for Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client1's IP address is 200.1.1.1:1024. Server1 doesn't know anything about its actual IP address of 10.1.1.1:125.

When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1:1024 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1:125 as the destination address. Server1's response is delivered to IP address 10.1.1.1:125.

Figure 4 Basic NAPT Dynamic Inside Address Translation
[Figure: Client1 (10.1.1.1) and Client2 (10.1.1.2) on the Internal Private Network, the NAT ROUTER, and Server1 (200.1.1.50) on the External Public Network. Internal side: DA 200.1.1.50:80 / SA 10.1.1.1:125 and DA 200.1.1.50:80 / SA 10.1.1.2:125 outbound, DA 10.1.1.1:125 / SA 200.1.1.50:80 and DA 10.1.1.2:125 / SA 200.1.1.50:80 on the return. External side: DA 200.1.1.50:80 / SA 200.1.1.1:1024 (Client1) and DA 200.1.1.50:80 / SA 200.1.1.1:1025 (Client2) outbound, DA 200.1.1.1:1024 / SA 200.1.1.50:80 and DA 200.1.1.1:1025 / SA 200.1.1.50:80 on the return.]

Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2:125, but leaves the NAT router with a source address of 200.1.1.1:1025. In both cases the destination is for Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client2's IP address is 200.1.1.1:1025. Server1 doesn't know anything about its actual IP address of 10.1.1.2:125.

When Server1 responds to Client2, its packet arrives at the NAT router with Client2's translated address of 200.1.1.1:1025 as the destination address, but leaves the NAT router with Client2's actual address of 10.1.1.2:125 as the destination address. Server1's response is delivered to IP address 10.1.1.2:125.

DNS, FTP and ICMP Support
NAT works with DNS by having the DNS Application Layer Gateway (ALG) translate an address that appears in a Domain Name System response to a name or inverse lookup.

NAT works with FTP by having the FTP ALG translate the FTP control payload. Both FTP PORT CMD packets and PASV packets, containing IP address information within the data portion, are supported. The FTP control port is configurable.


The NAT implementation also supports the translation of the IP address embedded in the data portion of the following types of ICMP error message: destination unreachable (type 3), source quench (type 4), redirect (type 5), time exceeded (type 11) and parameter problem (type 12).
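What translating the embedded address in an ICMP error involves, as an added example (not code from the page or from Enterasys) using the Figure 1 addresses: Server1 returns a destination-unreachable to Client1's global address, and the router must rewrite the outer destination, the source inside the quoted header, and all three checksums. The packet bytes are constructed inline and the function names are this example's own.

```python
"""Added example (not Enterasys code): translating the IP address embedded in
the data portion of an ICMP error, as the page says the NAT ALG does for
types 3, 4, 5, 11 and 12. The packet is constructed from Figure 1's addresses."""
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def checksum(data: bytes) -> int:
    """Internet checksum (one's complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_error(server: str, client_global: str, quoted_payload: bytes) -> bytes:
    """Constructed: type 3 code 3 (port unreachable) from Server1 to the client's
    global address, quoting the client's original outbound IP header (as Server1
    saw it, i.e. already translated) plus 8 bytes of its payload."""
    inner = ipv4_header(client_global, server, 17, len(quoted_payload)) + quoted_payload
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(server, client_global, 1, len(icmp)) + icmp


def translate_icmp_error_inbound(pkt: bytes, global_ip: str, local_ip: str) -> bytes:
    """Outside -> inside: map global_ip back to local_ip in the outer destination
    AND in the quoted header's source, then recompute all three checksums."""
    outer, icmp = pkt[:20], pkt[20:]
    if outer[9] != 1 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    inner = icmp[8:]
    if socket.inet_ntoa(outer[16:20]) != global_ip or socket.inet_ntoa(inner[12:16]) != global_ip:
        raise ValueError("packet does not match the given binding")
    local = socket.inet_aton(local_ip)
    # 1. quoted (inner) IP header: new source address, recompute its checksum
    inner = inner[:10] + b"\x00\x00" + local + inner[16:]
    inner = inner[:10] + struct.pack("!H", checksum(inner[:20])) + inner[12:]
    # 2. ICMP checksum covers the ICMP header and the whole quoted data
    icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # 3. outer IP header: new destination address, recompute its checksum
    outer = outer[:10] + b"\x00\x00" + outer[12:16] + local
    outer = outer[:10] + struct.pack("!H", checksum(outer)) + outer[12:]
    return outer + icmp


def verify(pkt: bytes):
    """Return (outer src, outer dst, quoted src, quoted dst) if the outer IP,
    ICMP and quoted IP checksums all validate, else None."""
    outer, icmp = pkt[:20], pkt[20:]
    inner = icmp[8:28]
    if checksum(outer) or checksum(icmp) or checksum(inner):
        return None
    return tuple(socket.inet_ntoa(f) for f in (outer[12:16], outer[16:20],
                                                inner[12:16], inner[16:20]))
```

Skipping step 1 would leave Client1's host stack unable to match the error to its own socket, since the quoted header would still name 200.1.1.1 rather than 10.1.1.1.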

Force Flows
It is sometimes possible for a host on the outside global network that knows an inside local address to send a message directly to the inside local address without NAT translation. The force flows feature, referred to as Secure-Plus in the N-Series implementation, forces all flows between an inside NAT address and an outside NAT-enabled interface to be translated.

NAT Timeouts
The maximum timeout value in seconds per flow is configurable for the following flow types:
• Dynamic translation
• UDP and TCP
• ICMP
• DNS
• FTP

NAT Router Limits
Router parameters such as the number of bindings and cache size use valuable memory resources that are shared by other routing functions such as LSNAT and TWCB on a first-come first-served basis. By default these settings are set to maximum values. By lowering the maximum limit for affected parameters, the resource delta between the new limit and the maximum value for that parameter will be available to other routing functions such as LSNAT and TWCB. Maximum limits can be set or cleared for the following NAT related router parameters:
• NAT bindings
• Cache size
• Dynamic mapping configurations
• Static mapping configurations
• Interface configurations
• Global Address configurations
• Global port configurations
Note: The maximum number of bindings and cache available should only be modified to assure availability to functionalities that share these resources such as TWCB, NAT and LSNAT. It is recommended that you consult with Enterasys customer support before modifying these parameter values.


NAT Binding
A NAT flow has two devices associated with it that are in communication with each other: the client device belonging to the inside (private) network and the server device belonging to the outside (public) network. Each active NAT flow has a binding resource associated with it. Each flow is based upon the following criteria:

If it is a non-FTP NAT flow:
• Source IP Address - The inside client IP address
• Destination IP Address - The outside server IP address

If it is a NAPT or FTP flow:
• Source IP Address - The inside client IP address
• Destination IP Address - The outside server IP address
• Source Port - The inside client source port
• Destination Port - The outside server destination port
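The binding behaviour above, together with the pool, overload and 240-second timeout rules from "Dynamic Inside Address Translations" and the force-flows rule from "Force Flows", as an added Python model (not Enterasys code; the N-Series CLI itself cannot be run here). Two assumptions are labelled in the code: a dynamic pool hands out its lowest free address or port (the page only says an internal algorithm decides, and its Figure 3 happens to give Client1 the higher address), and a flow that matches no translation is forwarded with its inside address unchanged unless Secure-Plus is on, in which case it is dropped.

```python
"""Added model (not Enterasys code) of the NAT/NAPT binding table this page
describes: static NAT/NAPT bindings, dynamic pool binding with and without
overload, the 240-second dynamic timeout, and Secure-Plus (force flows)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

GLOBAL_PORTS = range(1024, 5000)   # page: dynamic global ports 1024..4999
DEFAULT_TIMEOUT = 240              # page: default dynamic translation timeout (s)


@dataclass
class Binding:
    local_ip: str
    local_port: Optional[int]      # None for basic NAT (port is left unchanged)
    global_ip: str
    global_port: Optional[int]
    static: bool                   # static bindings never expire
    last_used: float = 0.0


class NatRouter:
    def __init__(self, timeout: int = DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.secure_plus = False   # ip nat secure-plus
        self.acls = {}             # access-list number -> set of permitted host IPs
        self.pools = {}            # pool name -> list of global IPs
        self.dynamic = []          # (access-list, pool name, overload) in config order
        self.bindings = []

    # Configuration helpers, one per command used on this page
    def access_list_permit_host(self, number: int, ip: str) -> None:
        self.acls.setdefault(number, set()).add(ip)

    def ip_nat_pool(self, name: str, start: str, end: str) -> None:
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.pools[name] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def ip_nat_inside_source_static(self, local_ip, global_ip, lport=None, gport=None):
        # lport/gport given -> static NAPT; the TCP/UDP keyword is not modelled
        self.bindings.append(Binding(local_ip, lport, global_ip, gport, static=True))

    def ip_nat_inside_source_list_pool(self, acl: int, pool: str, overload=False):
        self.dynamic.append((acl, pool, overload))

    # Translation of an inside -> outside packet
    def _expire(self, now: float) -> None:
        self.bindings = [b for b in self.bindings
                         if b.static or now - b.last_used < self.timeout]

    def _in_use(self, gip: str, gport: Optional[int]) -> bool:
        return any(b.global_ip == gip and b.global_port == gport for b in self.bindings)

    def _allocate(self, ip: str, port: int, now: float) -> Optional[Binding]:
        """Assumption: the lowest free address (NAT) or port (NAPT) is handed out."""
        for acl, pool, overload in self.dynamic:
            if ip not in self.acls.get(acl, ()):
                continue
            for gip in self.pools[pool]:
                if not overload and not self._in_use(gip, None):
                    return Binding(ip, None, gip, None, False, now)
                if overload:
                    for gport in GLOBAL_PORTS:
                        if not self._in_use(gip, gport):
                            return Binding(ip, port, gip, gport, False, now)
        return None   # not permitted by any list, or pool exhausted

    def outbound(self, src_ip: str, src_port: int, now: float = 0.0):
        """Return the translated (ip, port); the unchanged source when no
        translation applies (assumption); or None when Secure-Plus drops it."""
        self._expire(now)
        for b in self.bindings:
            if b.local_ip == src_ip and b.local_port in (None, src_port):
                b.last_used = now
                return (b.global_ip, src_port if b.global_port is None else b.global_port)
        new = self._allocate(src_ip, src_port, now)
        if new is not None:
            self.bindings.append(new)
            return (new.global_ip, src_port if new.global_port is None else new.global_port)
        return None if self.secure_plus else (src_ip, src_port)
```

Running the dynamic NAT case with a third permitted client shows the failure mode the page's two-address pool implies: once both globals are bound, that client's flow is either forwarded with its private address (no Secure-Plus) or dropped, until a binding idles past the timeout.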

Enabling NAT
When traffic subject to translation originates from or is destined to an interface, that interface must be enabled for NAT. If the interface is part of the internal private network, it should be enabled as an inside interface. If the interface is part of the external public network, it should be enabled as an outside interface.

Configuring NAT
This section provides details for the configuration of NAT on the Matrix N-Series products. Table 1 lists NAT parameters and their default values.

Table 1 Default NAT Parameters

Inside NAT Interface Type
    Specifies that NAT should be enabled on this interface as a local private network interface.
    Default: None.
Outside NAT Interface Type
    Specifies that NAT should be enabled on this interface as an external public network interface.
    Default: None.
Pool Name
    Identifies a group of NAT IP addresses used by the dynamic address binding feature for NAT translation.
    Default: None.
Pool IP Address Range
    Specifies the start and end of a range of IP addresses for this NAT pool.
    Default: None.
Access List
    Specifies a list of IP addresses to translate when enabling dynamic translation of inside source addresses.
    Default: None.
Overload
    Specifies that NAPT translation should take place for this dynamic pool binding.
    Default: NAT translation.
Local IP Address
    The private IP address for this static NAT binding.
    Default: None.
Global IP Address
    The public IP address for this static NAT binding.
    Default: None.
Local Port
    The private L4 port associated with the local-ip for this static NAPT binding.
    Default: None.
Global Port
    The public L4 port associated with the global-ip for this static NAPT binding.
    Default: None.
Timeout
    Specifies the timeout value applied to dynamic translations.
    Default: 240 seconds.
UDP timeout
    Specifies the timeout value applied to the UDP translations.
    Default: 240 seconds.
TCP timeout
    Specifies the timeout value applied to the TCP translations.
    Default: 240 seconds.
ICMP timeout
    Specifies the timeout value applied to the ICMP translations.
    Default: 240 seconds.
DNS timeout
    Specifies the timeout value applied to the DNS translations.
    Default: 240 seconds.
FTP timeout
    Specifies the timeout value applied to the FTP translations.
    Default: 240 seconds.
NAT Bindings
    Specifies the maximum number of NAT bindings for this router.
    Default: 32000.
NAT Cache
    Specifies the maximum number of NAT cache entries for this router.
    Default: 2000.
Number of NAT Dynamic Configurations
    Specifies the maximum number of dynamic mapping configurations.
    Default: 10.
Number of NAT Static Configurations
    Specifies the maximum number of NAT static mapping configurations for this router.
    Default: 50.
Number of NAT Interface Configurations
    Specifies the maximum number of NAT interface configurations.
    Default: 103.
Number of NAT Global Addresses Configured
    Specifies the maximum number of NAT global address configurations for this router.
    Default: 1000.
Number of NAT Global Port Configurations
    Specifies the maximum number of NAT global port configurations for this router.
    Default: 32000.


Configuring Traditional NAT Static Inside Address Translation
Procedure 1 describes how to configure traditional NAT for a static configuration.

Procedure 1 Traditional NAT Static Configuration

Step 1. Enable NAT on all interfaces on which translation takes place for both the internal and external networks.
        Command: ip nat {inside | outside}
Step 2. Enable any static NAT translations of inside source addresses.
        Command: ip nat inside source static local-ip global-ip
Step 3. Enable any static NAPT translations of inside source addresses, specifying whether the L4 port is a TCP or UDP port.
        Command: ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port

Configuring Traditional NAT Dynamic Inside Address Translation
Procedure 2 describes how to configure traditional NAT for a dynamic configuration.

Procedure 2 Traditional NAT Dynamic Configuration

Step 1. Enable NAT on all interfaces on which translation takes place for both the internal and external networks.
        Command: ip nat {inside | outside}
Step 2. Define an access-list of permits for all inside addresses to be used by this dynamic translation.
        Command: access-list list-number {deny | permit} source
Step 3. Define a NAT address pool for all outside addresses to be used by this dynamic translation.
        Command: ip nat pool name start-ip-address end-ip-address {netmask netmask | prefix-length prefix-length}
Step 4. Enable dynamic translation of inside source addresses. Specify the overload option for NAPT translations. Optionally specify an outside interface VLAN.
        Command: ip nat inside source [list access-list] pool pool-name [overload | interface vlan vlan-id [overload]]

Managing a Traditional NAT Configuration
Procedure 3 describes how to manage traditional NAT configurations.

Procedure 3 Managing a Traditional NAT Configuration

Step 1. Optionally block the defined inside IP addresses from ever appearing on an outside interface by assuring that all flows between an inside NAT address and an outside enabled interface are translated.
        Command: ip nat secure-plus
Step 2. Optionally specify a non-default NAT FTP control port.
        Command: ip nat ftp-control-port port-number
Step 3. Configure the maximum number of translation entries.
        Command: ip nat translation max-entries number
Step 4. Configure NAT translation timeout values.
        Command: ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout | dns-timeout | ftp-timeout} seconds
Step 5. Clear dynamic NAT translations.
        Command: clear ip nat translation
Step 6. Clear a specific active simple NAT translation.
        Command: clear ip nat translation inside global-ip local-ip
Step 7. Clear a specific dynamic NAT translation.
        Command: clear ip nat translation {tcp | udp} inside global-ip global-port local-ip local-port
Step 8. Set NAT router limits.
        Command: set router limits {nat-bindings nat-bindings | nat-cache nat-cache | nat-dynamic-configs nat-dynamic-configs | nat-static-config nat-static-config | nat-interface-config nat-interface-config | nat-global-addr-cfg nat-global-addr-cfg | nat-global-port-cfg nat-global-port-cfg}

Displaying NAT Statistics
Procedure 4 describes how to display NAT statistics.

Procedure 4 Displaying NAT Statistics

Step 1. Display active NAT translations.
        Command: show ip nat translations [verbose]
Step 2. Display NAT translation statistics.
        Command: show ip nat statistics [verbose]
Step 3. Display NAT router limits.
        Command: show router limits [nat-bindings] [nat-cache] [nat-dynamic-config] [nat-static-config] [nat-interface-config] [nat-global-addr-cfg] [nat-global-port-cfg]

NAT Configuration Examples
This section will provide a configuration example for both the static and dynamic configurations. Each example will include both the NAT and NAPT translation methods.
Note: For purposes of our examples we will not modify the maximum number of translation entries or any NAT router limits. These parameters should only be modified to assure availability to functionalities that share these resources such as TWCB and LSNAT. It is recommended that you consult with Enterasys customer support before modifying these parameter values. We will also assume that the FTP control port will use the default value.


NAT Static Configuration Example
This example steps you through a NAT static configuration for both NAT and NAPT translation methods. See Figure 5 on page 13 for a depiction of the NAT static configuration example setup.

Our static NAT configuration example configures two clients: Client1 with NAT translation and Client2 with NAPT translation. Both clients are on the internal private network VLAN 10 interface and communicate with Server1 over the external public network VLAN 100 interface. NAT is enabled on VLAN 10 as an inside interface. NAT is enabled on VLAN 100 as an outside interface. These are the only VLANs over which translation occurs for the static portion of this configuration example.

To configure Client1 on the NAT router, we enable static NAT translation of the inside source address specifying local IP address 10.1.1.1 and global IP address 200.1.1.1. Server1 will only see Client1 as IP address 200.1.1.1.

To configure Client2 on the NAT router, we enable static NAPT translation of the inside source address specifying local IP address 10.1.1.2:125 and global IP address 200.1.1.2:1025. Server1 will only see Client2 as IP address 200.1.1.2:1025.

Figure 5 NAT Static Configuration Example
[Figure: Client1 (10.1.1.1) and Client2 (10.1.1.2:125) on the Internal Private Network behind VLAN 10 of the NAT ROUTER; Server1 (200.1.1.50, port 80 for the NAPT flow) on the External Public Network behind VLAN 100. Client1: DA 200.1.1.50 / SA 10.1.1.1 inside becomes DA 200.1.1.50 / SA 200.1.1.1 outside; return DA 200.1.1.1 / SA 200.1.1.50 becomes DA 10.1.1.1 / SA 200.1.1.50. Client2: DA 200.1.1.50:80 / SA 10.1.1.2:125 inside becomes DA 200.1.1.50:80 / SA 200.1.1.2:1025 outside; return DA 200.1.1.2:1025 / SA 200.1.1.50:80 becomes DA 10.1.1.2:125 / SA 200.1.1.50:80.]

Finally, we enable Secure-Plus on the NAT router to assure that inside addresses are not visible to the public network.


Enable NAT Inside and Outside Interfaces
Enable NAT inside interface:
Matrix(rw)->router
Matrix->router>enable
Matrix->router#configure terminal
Enter configuration commands:
Matrix->Router(config)#interface vlan 10
Matrix->Router(config-if(Vlan 10))#ip nat inside
Matrix->Router(config-if(Vlan 10))#exit
Matrix->Router(config)#

Enable NAT outside interface:
Matrix->Router(config)#interface vlan 100
Matrix->Router(config-if(Vlan 100))#ip nat outside
Matrix->Router(config-if(Vlan 100))#exit
Matrix->Router(config)#

Enable Static Translation of Inside Source Addresses
Enable the NAT static translation of the inside source address:
Matrix->Router(config)#ip nat inside source static 10.1.1.1 200.1.1.1

Enable the NAPT static translation of the inside source address:
Matrix->Router(config)#ip nat inside source static tcp 10.1.1.2:125 200.1.1.2:1025

Enable NAT Secure-Plus
Matrix->Router(config)#ip nat secure-plus

NAT Dynamic Configuration Example
This example steps you through a NAT Dynamic Configuration for both NAT and NAPT translation methods. See Figure 6 on page 15 for a depiction of the example setup.

Our dynamic NAT configuration example configures four clients: Client1 and Client2 with NAT translation and Client3 and Client4 with NAPT translation. The two NAT clients are on the internal private network VLAN 10 interface and communicate with Server1 over the external public network VLAN 100 interface. The two NAPT clients are on the internal private network VLAN 20 and communicate with Server1 over the external public network VLAN 200 interface. NAT is enabled on VLAN 10 and VLAN 20 as inside interfaces. NAT is enabled on VLAN 100 and VLAN 200 as outside interfaces. These are the only VLANs over which translation occurs for the dynamic portion of this configuration example.

To configure Client1 and Client2 for dynamic NAT translation on the NAT router, we define access-list 1 to permit the local IP addresses 10.1.1.1 and 10.1.1.2. We then configure the NAT translation NAT pool natpool with the global address range of 200.1.1.1 to 200.1.1.2. We then enable dynamic translation of inside addresses associating access-list 1 with the NAT pool natpool.


Figure 6 NAT Dynamic Configuration Example
[Figure: Client1 (10.1.1.1) and Client2 (10.1.1.2) on the Internal Private Network behind VLAN 10, Client3 (10.1.1.3) and Client4 (10.1.1.4) behind VLAN 20; the NAT ROUTER; Server1 (200.1.1.50, port 80 for the NAPT flows) on the External Public Network behind VLAN 100 and VLAN 200. NAT clients: DA 200.1.1.50 / SA 10.1.1.1 and DA 200.1.1.50 / SA 10.1.1.2 inside become DA 200.1.1.50 / SA 200.1.1.1 and DA 200.1.1.50 / SA 200.1.1.2 outside, with the returns DA 200.1.1.1 / SA 200.1.1.50 and DA 200.1.1.2 / SA 200.1.1.50 mapped back to 10.1.1.1 and 10.1.1.2. NAPT clients: DA 200.1.1.50:80 / SA 10.1.1.3:125 and DA 200.1.1.50:80 / SA 10.1.1.4:125 inside become DA 200.1.1.50:80 / SA 200.1.1.3:1024 and DA 200.1.1.50:80 / SA 200.1.1.3:1025 outside, with the returns DA 200.1.1.3:1024 / SA 200.1.1.50:80 and DA 200.1.1.3:1025 / SA 200.1.1.50:80 mapped back to 10.1.1.3:125 and 10.1.1.4:125.]


To configure Client3 and Client4 for dynamic NAPT translation on the NAT router, we define access-list 2 to permit the local IP addresses 10.1.1.3 and 10.1.1.4. We then configure NAT pool naptpool with a global range of 200.1.1.3 to 200.1.1.3. We then enable dynamic translation of inside addresses for overload associating access-list 2 with the NAT pool naptpool.

Finally, we enable Secure-Plus on the NAT router to assure that inside addresses are not visible to the public network.

Enable NAT Inside and Outside Interfaces
Enable NAT inside interface:
Matrix(rw)->router
Matrix->router>enable
Matrix->router#configure terminal
Enter configuration commands:
Matrix->Router(config)#interface vlan 10
Matrix->Router(config-if(Vlan 10))#ip nat inside
Matrix->Router(config-if(Vlan 10))#exit
Matrix->Router(config)#interface vlan 20
Matrix->Router(config-if(Vlan 20))#ip nat inside
Matrix->Router(config-if(Vlan 20))#exit
Matrix->Router(config)#

Enable NAT outside interface:
Matrix->Router(config)#interface vlan 100
Matrix->Router(config-if(Vlan 100))#ip nat outside
Matrix->Router(config-if(Vlan 100))#exit
Matrix->Router(config)#interface vlan 200
Matrix->Router(config-if(Vlan 200))#ip nat outside
Matrix->Router(config-if(Vlan 200))#exit
Matrix->Router(config)#

Define Inside Address Access-Lists
Define inside address access‐list 1 for NAT clients:
Matrix->Router(config)#access-list 1 permit host 10.1.1.1
Matrix->Router(config)#access-list 1 permit host 10.1.1.2
Matrix->Router(config)#

Define inside address access‐list 2 for NAPT clients:
Matrix->Router(config)#access-list 2 permit host 10.1.1.3
Matrix->Router(config)#access-list 2 permit host 10.1.1.4
Matrix->Router(config)#


Define the NAT Pools for Global Addresses
Define the NAT Pool for the NAT clients:
Matrix->Router(config)#ip nat pool natpool 200.1.1.1 200.1.1.2 255.255.255.0

Define the NAT Pool for the NAPT clients:
Matrix->Router(config)#ip nat pool naptpool 200.1.1.3 200.1.1.3 255.255.255.0
Matrix->Router(config)#

Enable Dynamic Translation of Inside Source Addresses
Enable the NAT dynamic translation of the inside source address:
Matrix->Router(config)#ip nat inside source list 1 pool natpool

Enable the NAPT dynamic translation of the inside source address:
Matrix->Router(config)#ip nat inside source list 2 pool naptpool overload

Enable NAT Secure-Plus
Matrix->Router(config)#ip nat secure-plus

This completes the NAT configuration example.
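To see what the commands above actually produce in the router's translation state, the following Python model walks the Figure 6 flows through the example configuration: access-lists 1 and 2 select the inside hosts, natpool hands each NAT client its own global address, naptpool's single address is shared by the NAPT clients with a per-flow port, inbound packets are only admitted when they match an existing binding, and Secure-Plus drops inside traffic that matches no rule instead of forwarding it with its private source address. This is an added, constructed example, not Enterasys code and not a description of the N-Series implementation; the port allocation (1024 upward, in arrival order), the source ports used for the two NAT clients, the unlisted host 10.1.1.99, the unbound port 5000 and the third NAT client 10.1.1.5 in the pool-exhaustion case are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's addressing, as drawn in Figure 6 (SA/DA plus ports)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def ip_range(first: str, last: str) -> List[str]:
    """Expand an 'ip nat pool NAME first last' range into its global addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class NatRouter:
    """Constructed model of the example's dynamic NAT/NAPT bindings (not Enterasys code).

    access_lists: {number: set of permitted inside host addresses}
    pools:        {name: (first global address, last global address)}
    rules:        one (access-list, pool, overload) tuple per 'ip nat inside source list N pool P [overload]'
    secure_plus:  'ip nat secure-plus': inside->outside traffic matching no rule is dropped, never forwarded untranslated
    """

    def __init__(self, access_lists, pools, rules, secure_plus=True):
        self.access_lists, self.rules, self.secure_plus = access_lists, rules, secure_plus
        self.free = {name: ip_range(lo, hi) for name, (lo, hi) in pools.items()}
        self.nat_out: Dict[str, str] = {}      # inside ip -> global ip (basic NAT)
        self.nat_in: Dict[str, str] = {}       # global ip -> inside ip
        self.napt_out: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (inside ip, port) -> (global ip, port)
        self.napt_in: Dict[Tuple[str, int], Tuple[str, int]] = {}   # reverse of napt_out
        self.next_port: Dict[str, int] = {}    # assumption: NAPT ports handed out from 1024 upward

    def _rule_for(self, inside_ip: str):
        for acl, pool, overload in self.rules:
            if inside_ip in self.access_lists[acl]:
                return pool, overload
        return None

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside. Returns the translated flow, or None if the packet is dropped."""
        match = self._rule_for(f.src_ip)
        if match is None:
            return None if self.secure_plus else f   # untranslated forwarding only without secure-plus
        pool, overload = match
        if not overload:                              # basic NAT: one global address per inside host
            if f.src_ip not in self.nat_out:
                if not self.free[pool]:
                    return None                       # pool exhausted: no binding possible, packet dropped
                g = self.free[pool].pop(0)
                self.nat_out[f.src_ip], self.nat_in[g] = g, f.src_ip
            return replace(f, src_ip=self.nat_out[f.src_ip])
        key = (f.src_ip, f.src_port)                  # NAPT: bind address and port together
        if key not in self.napt_out:
            g = self.free[pool][0]                    # overload: every host shares the pool's first address
            port = self.next_port.get(g, 1024)
            self.next_port[g] = port + 1
            self.napt_out[key], self.napt_in[(g, port)] = (g, port), key
        g, port = self.napt_out[key]
        return replace(f, src_ip=g, src_port=port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Only traffic matching an existing binding is translated and admitted."""
        if f.dst_ip in self.nat_in:
            return replace(f, dst_ip=self.nat_in[f.dst_ip])
        key = (f.dst_ip, f.dst_port)
        if key in self.napt_in:
            ip, port = self.napt_in[key]
            return replace(f, dst_ip=ip, dst_port=port)
        return None                                   # no binding: unsolicited inbound packet dropped


# The example's configuration: access-lists 1 and 2, pools natpool and naptpool, and Server1.
ACCESS_LISTS = {1: {"10.1.1.1", "10.1.1.2"}, 2: {"10.1.1.3", "10.1.1.4"}}
POOLS = {"natpool": ("200.1.1.1", "200.1.1.2"), "naptpool": ("200.1.1.3", "200.1.1.3")}
RULES = [(1, "natpool", False), (2, "naptpool", True)]
SERVER1 = "200.1.1.50"


def run_example() -> Dict[str, Optional[Flow]]:
    """Push the Figure 6 flows, plus a constructed unlisted host, through the router."""
    r = NatRouter(ACCESS_LISTS, POOLS, RULES, secure_plus=True)
    out = {
        "client1": r.outbound(Flow("10.1.1.1", 1500, SERVER1, 80)),  # source port constructed; NAT keeps it
        "client2": r.outbound(Flow("10.1.1.2", 1500, SERVER1, 80)),
        "client3": r.outbound(Flow("10.1.1.3", 125, SERVER1, 80)),
        "client4": r.outbound(Flow("10.1.1.4", 125, SERVER1, 80)),
        "stray": r.outbound(Flow("10.1.1.99", 125, SERVER1, 80)),    # constructed host on no access-list
    }
    c3 = out["client3"]
    out["reply3"] = r.inbound(Flow(SERVER1, 80, c3.src_ip, c3.src_port))  # Server1's reply to Client3
    out["probe"] = r.inbound(Flow(SERVER1, 80, "200.1.1.3", 5000))       # constructed: port never bound
    return out


def pool_exhaustion() -> Optional[Flow]:
    """Constructed variant: a third NAT client on access-list 1 finds natpool's two addresses taken."""
    acls = {1: ACCESS_LISTS[1] | {"10.1.1.5"}}
    r = NatRouter(acls, {"natpool": POOLS["natpool"]}, [(1, "natpool", False)])
    for host in ("10.1.1.1", "10.1.1.2"):
        r.outbound(Flow(host, 1500, SERVER1, 80))
    return r.outbound(Flow("10.1.1.5", 1500, SERVER1, 80))
```

Running run_example() shows Client1 and Client2 leaving as 200.1.1.1 and 200.1.1.2, Client3 and Client4 both leaving as 200.1.1.3 with distinct ports, the unlisted host dropped by Secure-Plus, Server1's reply to 200.1.1.3:1024 mapped back to 10.1.1.3:125, and a packet to an unbound port discarded. pool_exhaustion() shows the operational limit of a two-address NAT pool: the third permitted host gets no binding, which is the case the overload keyword exists to avoid.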

Terms and Definitions
Table 2 lists terms and definitions used in this NAT configuration discussion.

Table 2    NAT Configuration Terms and Definitions

Basic NAT
    Refers to Network Address Translation (NAT) only.

Dynamic Address Binding
    Provides a binding, based upon an internal algorithm, between an address from an access-list of local addresses and an address from a pool of global addresses for NAT, and a TCP/UDP port number translation for NAPT.

Force Flows (Secure-Plus)
    Forces all flows between the inside local pool and the outside global network to be translated.

Inside (private) address
    An IP address internal to the network, reachable from the external network only by translation.

NAT Address Pool
    A grouping of global addresses used by both NAT and NAPT dynamic address binding.

Network Address Port Translation (NAPT)
    Provides a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses by mapping many network addresses, along with their associated TCP/UDP ports, into a single network address and its associated TCP/UDP ports.

Network Address Translation (NAT)
    Provides a mechanism to connect an internal realm with private addresses to an external realm with globally unique registered addresses by mapping IP addresses from one group to another, transparent to the end user.

Outside (public) address
    A registered global IP address, external to the private network, that the inside address is translated to.

Secure-Plus (Force Flows)
    Assures that all flows between inside local addresses and outside NAT-enabled interfaces are translated.

Static Address Binding
    Provides a one-to-one binding between local addresses and global addresses for NAT, and a TCP/UDP port number translation for NAPT.

Traditional NAT
    Refers to both NAT and NAPT.


Revision History
Date          Description
09/24/2008    New document
02/12/2009    In ip nat inside source context made clear that VLAN option was for an outside VLAN.
04/16/2009    Input an advanced routing license notice that includes the 256 MB requirement on all modules statement.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2009 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective  companies.
