
1. NAT Overview

1.1. NAT description

Address translation replaces the real address in a packet with a mapped address that is routable on the destination network. NAT consists of two steps: a process that translates the real address into the mapped address, and a process that translates it back. The PIX Firewall translates an address when a NAT rule matches the packet. If no NAT rule matches, packet processing simply continues. The exception is when NAT control is enabled: NAT control requires packets travelling from an interface with a higher security level (inside) to an interface with a lower security level (outside) to match a NAT rule, or the packets are dropped. NAT has the following benefits:

+ You can use private addresses on the inside network. These addresses are not routed on the Internet.

+ NAT hides the real address of an inside host from other networks, so an attacker cannot learn the real address of an inside host.

+ It can solve the problem of overlapping IP addresses.

1.2. NAT control

NAT control requires packets from an interface with a higher security level (inside) to an interface with a lower security level (outside) to match a NAT rule. Any host on the inside network that accesses a host on the outside network must have address translation configured.

Interfaces with the same security level do not require NAT to communicate with each other. However, if you configure dynamic NAT or PAT on interfaces with the same security level, all traffic from that interface to an interface with the same security level or to the outside interface must match a NAT rule.

Similarly, if outside dynamic NAT or PAT is enabled, all outside traffic must match a NAT rule when it accesses the inside network.

2. NAT types

2.1. Dynamic NAT

Dynamic NAT translates a group of real addresses into a range of mapped addresses that are routable on the destination network. There can be fewer mapped addresses than real addresses. When a host needs its address translated to access the destination network, the PIX assigns it an address from the mapped range. The translation is only added when the real host initiates a connection, and it is kept for the duration of that connection. A user cannot keep the same IP address once the translation times out. A user on the destination network cannot initiate a connection to a host that uses dynamic NAT, even if the access list permits the connection (a connection can only be initiated while the translation exists).

With dynamic NAT, if the mapped range holds fewer addresses than there are real addresses on the inside network, the range runs out of addresses when traffic exceeds the expected level.

2.2. PAT

PAT translates a group of real addresses into a single mapped address. Specifically, the PIX translates the real address and source port (the real socket) into the mapped address and a unique mapped port greater than 1024. Each connection requires a separate translation because the source port differs for every connection.

2.3. Static NAT

Static NAT creates a fixed translation of one (or more) real addresses to one (or more) mapped addresses. With dynamic NAT or PAT, each host uses a different address or port for every translation. Because with static NAT the mapped address stays the same for successive connections and a persistent translation exists, a user on the destination network can initiate a connection to the translated host (if the access list permits it).

2.4. Static PAT

Static PAT is similar to static NAT, except that we must also specify the protocol (TCP or UDP) and the port for both the real address and the mapped address.

3. Configuring NAT Control

NAT control requires packets travelling from an inside interface to the outside interface to match a NAT rule. To enable NAT control, use the following command:

hostname(config)# nat-control

To disable NAT control, use the no form of this command.

4. Using Dynamic NAT and PAT

4.1. Implementing Dynamic NAT and PAT

+ For dynamic NAT and PAT, first configure the nat command to identify the real addresses on the interfaces to be translated. Then configure a separate global command to specify the mapped addresses. Each nat command is paired with a global command by a number called the NAT ID, which is given in both the nat and the global command.

+ We can enter a nat command for each interface using the same NAT ID. All of them then use the same global command with that NAT ID:

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10

+ We can also enter a global command for each interface using the same NAT ID:

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23

+ If we use different NAT IDs, we can give different sets of real addresses different mapped addresses:

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11

+ We can enter multiple global commands for one interface using the same NAT ID. The PIX Firewall uses the dynamic NAT global commands first, in the order they were configured, and only then the dynamic PAT global command. We can use both a dynamic NAT global and a dynamic PAT global when a particular application needs dynamic NAT, with the dynamic PAT global acting as a fallback once the dynamic NAT global has run out of addresses:

hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
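To show how the allocation order described above plays out, here is an added Python model of the translation (xlate) table; it is example code written for this page, not PIX software. It assumes the constructed configuration from the commands above (nat (inside) 1, a two-address dynamic NAT pool and a single-address PAT global, all with NAT ID 1), and it assumes that PAT ports are handed out sequentially from 1025, which is a simplification of how the PIX picks a unique port above 1024. It also models the rule from section 2.1 that a host on the destination network can reach a dynamically translated host only while that host's translation exists.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GlobalEntry:
    """One 'global' command. A range is a dynamic NAT pool; a single address is PAT."""
    nat_id: int
    iface: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @property
    def is_pat(self) -> bool:
        return self.first == self.last


@dataclass
class Xlate:
    """One entry of the translation table."""
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # set only for PAT translations
    mapped_port: Optional[int] = None


class DynamicTranslator:
    """Models dynamic NAT with PAT fallback, as described in section 4.1."""

    def __init__(self, nat_rules: Dict[Tuple[str, int], List[ipaddress.IPv4Network]],
                 globals_: List[GlobalEntry]) -> None:
        self.nat_rules = nat_rules          # (real interface, NAT ID) -> real networks
        self.globals_ = globals_            # kept in configuration order
        self.nat_xlates: Dict[str, Xlate] = {}                 # real ip -> xlate
        self.pat_xlates: Dict[Tuple[str, int], Xlate] = {}     # (real ip, real port) -> xlate
        self.used_pool: Set[str] = set()                       # pool addresses in use
        self.next_pat_port: Dict[str, int] = {}                # mapped ip -> next free port

    def _nat_id_for(self, real_iface: str, real_ip: str) -> Optional[int]:
        addr = ipaddress.IPv4Address(real_ip)
        for (iface, nat_id), nets in self.nat_rules.items():
            if iface == real_iface and any(addr in net for net in nets):
                return nat_id
        return None

    def outbound(self, real_iface: str, real_ip: str, real_port: int,
                 mapped_iface: str) -> Optional[Xlate]:
        """Translate a connection initiated by a real host; None means no translation."""
        nat_id = self._nat_id_for(real_iface, real_ip)
        if nat_id is None:
            return None   # no nat rule matches (dropped when nat-control is on)
        if real_ip in self.nat_xlates:                 # dynamic NAT xlate is reused per host
            return self.nat_xlates[real_ip]
        if (real_ip, real_port) in self.pat_xlates:    # PAT xlate is per connection
            return self.pat_xlates[(real_ip, real_port)]
        for g in self.globals_:                        # NAT pools first, then PAT, in config order
            if g.nat_id != nat_id or g.iface != mapped_iface:
                continue
            if not g.is_pat:
                for i in range(int(g.first), int(g.last) + 1):
                    cand = str(ipaddress.IPv4Address(i))
                    if cand not in self.used_pool:
                        self.used_pool.add(cand)
                        self.nat_xlates[real_ip] = Xlate(real_ip, cand)
                        return self.nat_xlates[real_ip]
                continue                               # pool exhausted: try the next global
            mapped = str(g.first)
            # Assumption: ports are handed out sequentially from 1025 (the PIX only
            # guarantees a unique mapped port above 1024).
            port = self.next_pat_port.get(mapped, 1025)
            self.next_pat_port[mapped] = port + 1
            x = Xlate(real_ip, mapped, real_port, port)
            self.pat_xlates[(real_ip, real_port)] = x
            return x
        return None   # every global for this NAT ID is exhausted

    def inbound_allowed(self, real_ip: str) -> bool:
        """A destination-network host can reach a dynamic NAT host only while its xlate exists."""
        return real_ip in self.nat_xlates


def build_demo() -> DynamicTranslator:
    """Constructed configuration taken from the three commands above (NAT ID 1)."""
    nat_rules = {("inside", 1): [ipaddress.IPv4Network("10.1.2.0/24")]}
    pool = GlobalEntry(1, "outside", ipaddress.IPv4Address("209.165.201.3"),
                       ipaddress.IPv4Address("209.165.201.4"))
    pat = GlobalEntry(1, "outside", ipaddress.IPv4Address("209.165.201.5"),
                      ipaddress.IPv4Address("209.165.201.5"))
    return DynamicTranslator(nat_rules, [pool, pat])


def run_demo() -> List[Optional[Xlate]]:
    t = build_demo()
    return [
        t.outbound("inside", "10.1.2.10", 40000, "outside"),    # pool address .3
        t.outbound("inside", "10.1.2.11", 40001, "outside"),    # pool address .4
        t.outbound("inside", "10.1.2.12", 40002, "outside"),    # pool exhausted -> PAT .5:1025
        t.outbound("inside", "10.1.2.12", 40003, "outside"),    # second connection -> .5:1026
        t.outbound("inside", "192.168.9.9", 40004, "outside"),  # no nat rule -> None
    ]


if __name__ == "__main__":
    for x in run_demo():
        print(x)
```

The third host gets the PAT address only after both pool addresses are taken, and its second connection gets a new mapped port while the pool hosts keep a single address for every connection; that difference is what the page means by PAT needing one translation per connection.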

+ For outside NAT, use the outside keyword in the nat command:

hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40

4.2. Configuring Dynamic NAT and PAT

Dynamic NAT and PAT are configured in the same way. Dynamic NAT uses a range of mapped addresses, while dynamic PAT uses only a single address.

+ Dynamic NAT: only translated hosts can create a NAT session. Mapped addresses are assigned dynamically from the range defined by the global command.

+ Dynamic PAT: only translated hosts can create a NAT session. The mapped address defined by the global command is the same for every translation, while the ports are assigned dynamically.

hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}

5. Using the static NAT command

With static NAT, the translation is always active because the mapped addresses are assigned statically by the static command.

+ Do not use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in a static command that is also defined in a global command for the same mapped interface.

+ If you remove a static command, existing connections that use that translation are not affected, even if you use the clear xlate command. Use the clear local-host command instead.

To configure static NAT, use one of the following two commands. For policy static NAT, enter:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list with the access-list command. This access list may only contain permit ACEs. The source subnet mask used in the access list is also used for the mapped address. We can also specify the real port and the source port in the access list using the eq operator.

For regular static NAT, enter:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
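The two constraints listed above for static commands (no repeated real or mapped address between the same interface pair, and no static mapped address inside a global pool on the same mapped interface), together with the pairing rule from section 4.1 (every nat NAT ID needs a global with the same ID), can be checked before a configuration is pushed to the firewall. The following Python linter is an added example written for this page, not part of the page or of Cisco's tooling; it recognises only the nat, global and regular/policy static command forms shown on this page, and the configuration it checks is constructed to contain violations.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Range = Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]

# Only the command forms shown on this page are recognised (hypothetical parser).
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)")
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")


def parse_range(text: str) -> Range:
    """'a-b' -> (a, b); a single address -> (a, a); the 'interface' keyword -> None."""
    if text == "interface":
        return None
    if "-" in text:
        lo, hi = text.split("-", 1)
        return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    addr = ipaddress.IPv4Address(text)
    return addr, addr


def lint(config: str) -> List[str]:
    """Return one finding per violated rule from sections 4.1 and 5."""
    findings: List[str] = []
    nat_ids: Dict[int, List[str]] = {}
    globals_: List[Tuple[str, int, Range]] = []
    statics: List[Tuple[str, ...]] = []

    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())      # tolerate a pasted CLI prompt
        if (m := NAT_RE.match(line)):
            nat_ids.setdefault(int(m.group(2)), []).append(m.group(1))
        elif (m := GLOBAL_RE.match(line)):
            globals_.append((m.group(1), int(m.group(2)), parse_range(m.group(3))))
        elif (m := STATIC_RE.match(line)):
            statics.append(m.groups())

    # Rule from 4.1: each nat command is paired with a global command by NAT ID.
    global_ids = {nat_id for _, nat_id, _ in globals_}
    for nat_id, ifaces in sorted(nat_ids.items()):
        if nat_id not in global_ids:
            findings.append(f"nat id {nat_id} on {','.join(ifaces)} has no global with the same NAT ID")

    # Rules from 5: no repeated real/mapped address per interface pair, and no static
    # mapped address inside a global pool on the same mapped interface.
    seen_real: set = set()
    seen_mapped: set = set()
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_ip in ("tcp", "udp"):
            continue            # static PAT form (section 6) is not modelled here
        pair = f"{real_if},{mapped_if}"
        if mapped_ip != "interface":
            if (pair, mapped_ip) in seen_mapped:
                findings.append(f"mapped address {mapped_ip} appears in more than one static ({pair})")
            seen_mapped.add((pair, mapped_ip))
            addr = ipaddress.IPv4Address(mapped_ip)
            for g_if, g_id, rng in globals_:
                if g_if == mapped_if and rng is not None and rng[0] <= addr <= rng[1]:
                    findings.append(f"static mapped address {mapped_ip} lies inside global {g_id} on {g_if}")
        if real_ip != "access-list":   # policy static NAT carries an ACL name instead of real_ip
            if (pair, real_ip) in seen_real:
                findings.append(f"real address {real_ip} appears in more than one static ({pair})")
            seen_real.add((pair, real_ip))
    return findings


# Constructed configuration with deliberate violations (not taken from the page).
SAMPLE_CONFIG = """
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 3 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# static (inside,outside) 209.165.201.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# static (inside,outside) 209.165.201.12 10.1.2.27 netmask 255.255.255.255
hostname(config)# static (inside,outside) 209.165.201.12 10.1.2.28 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the constructed configuration the linter reports four findings: NAT ID 3 has no global, the first static's mapped address sits inside the global 1 pool on outside, 10.1.2.27 is the real address of two statics on the same interface pair, and 209.165.201.12 is the mapped address of two of them. A static PAT line is skipped rather than misread, since that form adds a protocol and port field that this parser does not model.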

6. Using Static PAT

Static PAT translates a real address into a mapped IP address and also translates the real port into a mapped port. Normally PAT translates the real port into a mapped port, but we can also choose to translate a real port into the same port (the same port number).

To configure static PAT, use one of the following two commands. For policy static PAT, enter:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list with the access-list command. This access list may only contain permit ACEs. The source subnet mask used in the access list is also used for the mapped address. We can also specify the real port and the source port in the access list using the eq operator.

For regular static PAT, enter:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
