NAT terminology
Private addressing
12 bits in common
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0
10101100 . 00011111 . 11111111 . 11111111 – 172.31.255.255
-------------------------------------------------------------
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0/12
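The slide derives the /12 by lining up the first and last address in binary and counting the leading bits they share. The following Python is an added example, not part of the slides: it performs that same computation for any address range (all three RFC 1918 ranges are used as input, so it generalises the slide's single case), turns the result into a CIDR block, refuses ranges that are not a single block, and uses the result to test whether an address is private.

```python
# Added example (not from the slides): derive the aggregate prefix that covers
# an address range by counting the leading bits the first and last address
# share, exactly as the slide does by hand for 172.16.0.0 - 172.31.255.255.
import ipaddress

# The three RFC 1918 private ranges, written as first/last address.
RFC1918_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]

def common_prefix_len(first: str, last: str) -> int:
    """Number of leading bits shared by the first and last address of a range."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    diff = a ^ b                    # bits that differ anywhere inside the range
    return 32 - diff.bit_length()   # leading bits that never change

def range_to_cidr(first: str, last: str) -> str:
    """Return the single CIDR block covering a range, e.g. '172.16.0.0/12'."""
    plen = common_prefix_len(first, last)
    net = ipaddress.IPv4Network((first, plen), strict=False)
    # The block must cover exactly this range; a range such as 10.0.0.0-10.0.0.5
    # shares a /29 prefix but is not a whole /29, so it is rejected.
    if str(net.network_address) != first or str(net.broadcast_address) != last:
        raise ValueError(f"{first}-{last} is not a single CIDR block")
    return str(net)

def bit_string(addr: str) -> str:
    """Dotted binary form matching the slide layout ('10101100.00010000....')."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)

def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the private blocks derived above."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(range_to_cidr(f, l))
               for f, l in RFC1918_RANGES)

if __name__ == "__main__":
    for first, last in RFC1918_RANGES:
        print(bit_string(first), "-", first)
        print(bit_string(last), "-", last)
        print("->", range_to_cidr(first, last))
    print(is_rfc1918("172.20.5.1"), is_rfc1918("172.32.0.1"))
```

The XOR of the first and last address has a 1 wherever the range varies, so the number of leading zero bits is the shared prefix length; the same idea is what `ipaddress.summarize_address_range` does internally for arbitrary ranges.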
NAT terminology
• Inside addresses – Inside addresses are the set of networks that are subject
to translation.
– Inside addresses are typically RFC 1918 addresses, but they can be any
valid IP addresses.
• Outside addresses – Outside addresses are all other addresses.
– Usually these are valid addresses located on the Internet.
NAT functions
[Figure: IP packets 1–4 crossing the NAT router; the IP header fields shown are DA (destination address) and SA (source address), rewritten on each pass.]
• NAT allows you to have more hosts than your allocated number of public IP addresses by
using RFC 1918 address space with a smaller mask.
• However, because your public IP addresses must be used on the Internet, NAT still limits
the number of hosts that can access the Internet at any one time (depending upon the
number of hosts in your public network mask).
Configuring Dynamic NAT
[Figure: dynamic NAT configuration. Callouts: "Start here"; the pool gives the outside addresses to translate to; the access list is where the source IP address must match.]
Router(config)#ip nat translation timeout seconds
• On a Cisco router, dynamic NAT table entries remain in the table for 24 hours
by default.
• Once the entry times out, outside hosts will no longer be able to reach
10.1.1.6 until a new table entry is created.
• The table entry can only be created from the inside.
• A 24-hour timeout is relatively long.
• Adjust the translation timeout using the ip nat translation timeout command.
• Although NAT is not a security firewall, it can prevent outsiders from initiating
connections with inside hosts.
• The exception is when a permanent global address mapping exists in the NAT table,
that is, static NAT.
• NAT has the effect of hiding the inside network structure because outside hosts never
see the “pre-translated” inside addresses.
Static NAT
Configuring Static NAT
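The dynamic NAT slide above makes three points that are easy to verify in a model: entries are created only by inside-initiated traffic, they disappear after the translation timeout, and a static mapping is the one case in which an outside host can reach an inside host at any time. The Python below is an added example, not from the slides or from Cisco; the pool addresses, the 300-second timeout and the inside hosts are constructed, and the model is a simplified table rather than IOS behaviour in every detail.

```python
# Added example (not from the slides): a small model of a Cisco-style dynamic
# NAT table with a finite pool, an idle timeout and permanent static entries.
# All addresses and the 300 s timeout used in demo() are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_TIMEOUT = 24 * 3600   # IOS default for dynamic entries: 24 hours

@dataclass
class NatTable:
    pool: List[str]                                # inside global addresses still free
    timeout: int = DEFAULT_TIMEOUT                 # 'ip nat translation timeout <seconds>'
    static: Dict[str, str] = field(default_factory=dict)    # inside local -> inside global
    dynamic: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    expires: Dict[str, float] = field(default_factory=dict) # inside local -> expiry time

    def _expire(self, now: float) -> None:
        """Drop idle entries and hand their global address back to the pool."""
        for local, when in list(self.expires.items()):
            if when <= now:
                self.pool.append(self.dynamic.pop(local))
                del self.expires[local]

    def outbound(self, inside_local: str, now: float) -> Optional[str]:
        """Packet from an inside host: translate the source, creating an entry if needed."""
        self._expire(now)
        if inside_local in self.static:
            return self.static[inside_local]
        if inside_local not in self.dynamic:
            if not self.pool:
                return None              # pool exhausted: this host cannot be translated
            self.dynamic[inside_local] = self.pool.pop(0)
        self.expires[inside_local] = now + self.timeout   # idle timer restarts on use
        return self.dynamic[inside_local]

    def inbound(self, inside_global: str, now: float) -> Optional[str]:
        """Packet from an outside host: only an existing entry lets it reach an inside host."""
        self._expire(now)
        for local, glob in self.static.items():
            if glob == inside_global:
                return local             # static mapping: reachable at any time
        for local, glob in self.dynamic.items():
            if glob == inside_global:
                self.expires[local] = now + self.timeout
                return local
        return None                      # no mapping: the outside host cannot initiate

def demo() -> dict:
    """Replay the slide's scenario: 10.1.1.6 unreachable once its entry times out."""
    nat = NatTable(pool=["203.0.113.10", "203.0.113.11"], timeout=300,
                   static={"10.1.1.2": "203.0.113.2"})
    out = {}
    out["inside_first"] = nat.outbound("10.1.1.6", now=0)        # entry created from inside
    out["reply_ok"] = nat.inbound("203.0.113.10", now=10)        # reply reaches 10.1.1.6
    out["expired"] = nat.inbound("203.0.113.10", now=400)        # idle > 300 s: dropped
    out["static_anytime"] = nat.inbound("203.0.113.2", now=400)  # static entry never expires
    nat.outbound("10.1.1.7", now=401)
    nat.outbound("10.1.1.8", now=402)
    out["pool_exhausted"] = nat.outbound("10.1.1.9", now=403)    # third host: no address left
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The `pool_exhausted` case is the practical side of the "NAT still limits the number of hosts" bullet: with two pool addresses and a long timeout, the third host simply cannot be translated until an earlier entry ages out.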
Port Address Translation
“NAT overload”
PAT – Port Address Translation
• PAT (Port Address Translation) allows you to use a single public IP address and
assign it to up to 65,536 inside hosts (4,000 is more realistic).
• PAT modifies the TCP/UDP source port to track inside host addresses.
• It tracks and translates SA, DA and SP (which together uniquely identify each
connection) for each stream of traffic.
PAT Example
[Figure: the NAT/PAT table maintains the translation of DA, SA and SP; each packet is shown with its DA, SA, DP and SP fields on both sides of the router.]
PAT – Port Address Translation
[Figure: packets with DA, SA, DP and SP fields before and after translation.]
• In this example a single public IP address is used; PAT uses the source port to
differentiate between connection streams.
Configure PAT – Overload
[Figure: a different example, using the IP address of the outside interface instead of specifying an IP address.]
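The PAT slides say the table tracks SA, DA and SP and rewrites the source port to tell inside hosts apart behind one public address. This Python is an added example, not code from the slides or from Cisco, modelling that table: it keys each flow on (SA, SP, DA, DP), keeps the original source port when it is free for that destination and picks another on a collision, and reverses the lookup for returning packets. The public address, inside hosts and servers are constructed; the port-selection order is the model's own choice, not a claim about IOS.

```python
# Added example (not from the slides): a model of PAT / NAT overload.  Every
# inside connection (SA, SP, DA, DP) is mapped to the single inside global
# address plus a source port that is unique per (DA, DP).  Addresses used in
# demo() are constructed.
from itertools import chain
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (SA, SP, DA, DP) as seen on the inside

class PatTable:
    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global        # the single public address
        self.first_port, self.last_port = first_port, last_port
        self.out: Dict[Flow, int] = {}            # inside flow -> translated source port
        self.back: Dict[Tuple[int, str, int], Flow] = {}   # (translated SP, DA, DP) -> flow

    def _free(self, port: int, da: str, dp: int) -> bool:
        return self.first_port <= port <= self.last_port and (port, da, dp) not in self.back

    def _pick_port(self, sp: int, da: str, dp: int) -> Optional[int]:
        """Keep the original source port when possible, otherwise the next free one."""
        if self._free(sp, da, dp):
            return sp
        for p in chain(range(sp + 1, self.last_port + 1), range(self.first_port, sp)):
            if self._free(p, da, dp):
                return p
        return None                               # every port for this destination is in use

    def outbound(self, sa: str, sp: int, da: str, dp: int) -> Optional[Tuple[str, int]]:
        """Translate an outgoing packet; returns the new (source address, source port)."""
        flow = (sa, sp, da, dp)
        if flow not in self.out:
            port = self._pick_port(sp, da, dp)
            if port is None:
                return None
            self.out[flow] = port
            self.back[(port, da, dp)] = flow
        return self.inside_global, self.out[flow]

    def inbound(self, sa: str, sp: int, da: str, dp: int) -> Optional[Tuple[str, int]]:
        """Translate a returning packet; returns the real inside (DA, DP) or None to drop."""
        # The reply comes from the server (sa, sp) and is addressed to
        # (inside global, translated port), which is exactly the reverse key.
        flow = self.back.get((dp, sa, sp))
        if flow is None or da != self.inside_global:
            return None                           # unsolicited: no flow to deliver it to
        return flow[0], flow[1]

def demo() -> dict:
    pat = PatTable("203.0.113.1")
    r = {}
    r["h6"] = pat.outbound("10.1.1.6", 1025, "198.51.100.8", 80)        # keeps port 1025
    r["h7"] = pat.outbound("10.1.1.7", 1025, "198.51.100.8", 80)        # same SP, DA, DP: re-ported
    r["h7_other"] = pat.outbound("10.1.1.7", 1025, "198.51.100.9", 80)  # other DA: 1025 is free
    r["reply_h6"] = pat.inbound("198.51.100.8", 80, "203.0.113.1", 1025)
    r["reply_h7"] = pat.inbound("198.51.100.8", 80, "203.0.113.1", 1026)
    r["unsolicited"] = pat.inbound("198.51.100.8", 80, "203.0.113.1", 5000)
    r["entries"] = len(pat.out)
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Two inside hosts using the same source port towards the same server only collide on the 5-tuple, so one of them is re-ported; towards a different server the same port can be reused, which is why the practical limit per public address is far below 65,536 only when many hosts talk to the same destination.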
TCP load distribution
[Figure: TCP load distribution with NAT translation, and with no NAT translation.]
• TCP load distribution can be used even when there is no translation between
private addresses and public addresses.
• RTA is configured to map both www1, 171.70.2.3/24, and www2,
171.70.2.4/24, to the same inside global IP address, 171.70.2.10/24.
• All three of these IP addresses are public addresses on the same subnet. In
configurations like these, the address 171.70.2.10 is referred to as a virtual
host.
Configuring TCP load distribution
TCP load distribution configuration example
• RTA is configured to translate destination addresses that match 171.70.2.10, access
list 46, using the webservers pool.
• Because the webservers pool was defined using the rotary keyword, the first
translation will be to 171.70.2.3.
• However, the second translation will be to 171.70.2.4, the third back to 171.70.2.3,
and so on. In this way, the load is distributed among the Web servers.
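The rotary behaviour just described (first connection to 171.70.2.3, second to 171.70.2.4, third back to 171.70.2.3) is modelled in the Python below. It is an added example, not the slides' configuration or Cisco code: the virtual host and server addresses are the slide's, the client addresses and ports are constructed, and the rule that only the first packet of a TCP connection picks a server while later packets of that connection stick to it is the model's assumption about how a rotary pool behaves.

```python
# Added example (not from the slides): a model of 'type rotary' destination
# translation.  Traffic for the virtual host 171.70.2.10 is spread over the
# real servers 171.70.2.3 and 171.70.2.4 in round-robin order, one server per
# new TCP connection.  Client addresses and ports are constructed.
from itertools import cycle
from typing import Dict, Optional, Tuple

Conn = Tuple[str, int]   # (client address, client source port) identifies a TCP connection

class RotaryPool:
    def __init__(self, virtual_host: str, servers):
        self.virtual_host = virtual_host
        self.next_server = cycle(servers)       # round-robin over the pool
        self.table: Dict[Conn, str] = {}        # connection -> server it was assigned to

    def inbound(self, client: str, sport: int, dst: str, syn: bool) -> Optional[str]:
        """Real destination for a packet from client:sport to dst (None = drop)."""
        if dst != self.virtual_host:
            return dst                          # not for the virtual host (access list miss)
        conn = (client, sport)
        if conn not in self.table:
            if not syn:
                return None                     # mid-stream packet with no entry: drop
            self.table[conn] = next(self.next_server)   # new connection: next server
        return self.table[conn]

    def outbound(self, server: str, client: str, cport: int) -> Optional[str]:
        """Source address the server's reply must carry back to the client."""
        if self.table.get((client, cport)) == server:
            return self.virtual_host            # reply appears to come from the virtual host
        return None

def demo() -> dict:
    pool = RotaryPool("171.70.2.10", ["171.70.2.3", "171.70.2.4"])
    r = {}
    r["first"] = pool.inbound("198.51.100.20", 40001, "171.70.2.10", syn=True)
    r["second"] = pool.inbound("198.51.100.21", 40002, "171.70.2.10", syn=True)
    r["third"] = pool.inbound("198.51.100.22", 40003, "171.70.2.10", syn=True)
    r["first_again"] = pool.inbound("198.51.100.20", 40001, "171.70.2.10", syn=False)
    r["reply"] = pool.outbound("171.70.2.4", "198.51.100.21", 40002)
    r["stray"] = pool.inbound("198.51.100.30", 40009, "171.70.2.10", syn=False)
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The per-connection table is what makes this usable for TCP at all: if every packet were handed to the next server, the second segment of a connection would land on a server that never saw its SYN.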
• One way to allow HostA to communicate with HostZ is to use DNS and NAT.
• Instead of using the IP address of HostZ, HostA can use the hostname for
HostZ.
• For example, a user on HostA could issue the command ping HostZ, which would result
in a name-to-address lookup using DNS.
• A NAT translation is done for the DNS query sourced from 10.1.1.7.
• The query from 10.1.1.7 is translated by RTA so that it appears to be from the
inside global address 192.168.1.7.
• The DNS server responds to this query.
Overlapping Networks
• The DNS server responds with the actual IP address for Host Z, 10.1.1.6.
• However, RTA translates the payload of the DNS response.
• Cisco's implementation of NAT will actually alter the contents of a DNS
packet.
• RTA will create a simple table entry that maps the outside global address,
10.1.1.6, to an outside local address, 192.168.3.6.
• HostA will believe that HostZ is at 192.168.3.6, presumably a reachable IP network.
• Note: NAT does not look at the payload of the DNS reply unless translation
occurs on the IP header of the reply packet.
Overlapping Networks Configuration
• RTA uses the inGlobal address pool to translate HostA's address so that
outside hosts can reach HostA.
• RTA uses the outLocal pool to translate outside hosts in the overlapping
network so that HostA can reach those hosts.
Overlapping Networks
• Three entries appear in the output of the show ip nat translations command after
HostA has sent HostZ an IP packet.
• The first entry was created when HostA sent a DNS query.
• The second entry was created when RTA translated the payload of the DNS
reply.
• The third entry was created when the packet was exchanged between HostA
and HostZ.
• The third entry is a summary of the first two entries and is used for more
efficient translations.
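The overlapping-network slides describe a sequence that is worth seeing end to end: the DNS query from 10.1.1.7 is translated to 192.168.1.7, the A record 10.1.1.6 in the reply payload is rewritten to the outside local address 192.168.3.6, and the packet HostA then sends to 192.168.3.6 produces the third, combined table entry. The Python below is an added example, not the slides' configuration or Cisco's implementation: it models RTA with an inGlobal pool and an outLocal pool, the addresses of HostA, HostZ and the pools are the slide's, the DNS server address 172.16.10.5 is constructed, and the DNS reply is represented as a list of answer addresses rather than real DNS wire format.

```python
# Added example (not from the slides): a model of NAT for overlapping networks,
# including the DNS payload fix-up.  HostA (10.1.1.7, inside) and HostZ
# (10.1.1.6, outside) share the 10.1.1.0/24 range; the DNS server address
# 172.16.10.5 is constructed.  Pools are lists so that allocation order is visible.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dns_answers: List[str] = field(default_factory=list)  # A-record addresses in a DNS reply

@dataclass(frozen=True)
class Entry:
    """One row of 'show ip nat translations'; None is shown as --- on a router."""
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

class OverlapNat:
    def __init__(self, overlap_net: str, in_global_pool: List[str], out_local_pool: List[str]):
        self.overlap = ipaddress.IPv4Network(overlap_net)
        self.in_global_pool = list(in_global_pool)   # the slide's inGlobal pool
        self.out_local_pool = list(out_local_pool)   # the slide's outLocal pool
        self.in_map: Dict[str, str] = {}             # inside local   -> inside global
        self.out_map: Dict[str, str] = {}            # outside global -> outside local
        self.entries: List[Entry] = []

    def _add(self, e: Entry) -> None:
        if e not in self.entries:
            self.entries.append(e)

    def from_inside(self, pkt: Packet) -> Packet:
        """HostA -> outside: translate the source; translate the destination if it is an outside local."""
        if pkt.src not in self.in_map:
            self.in_map[pkt.src] = self.in_global_pool.pop(0)
        src_g = self.in_map[pkt.src]
        rev = {v: k for k, v in self.out_map.items()}       # outside local -> outside global
        if pkt.dst in rev:
            dst = rev[pkt.dst]
            self._add(Entry(src_g, pkt.src, pkt.dst, dst))  # third entry: the combined mapping
        else:
            dst = pkt.dst
            self._add(Entry(src_g, pkt.src, None, None))    # first entry: the DNS query
        return Packet(src_g, dst, pkt.dns_answers)

    def from_outside(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> HostA: translate the header; only then fix up DNS answers in the payload."""
        rev = {v: k for k, v in self.in_map.items()}        # inside global -> inside local
        if pkt.dst not in rev:
            return None                                     # no entry: outside cannot initiate
        answers = []
        for a in pkt.dns_answers:
            if ipaddress.IPv4Address(a) in self.overlap:    # answer collides with the inside net
                if a not in self.out_map:
                    self.out_map[a] = self.out_local_pool.pop(0)
                self._add(Entry(None, None, self.out_map[a], a))   # second entry
                a = self.out_map[a]
            answers.append(a)
        src = self.out_map.get(pkt.src, pkt.src)            # replies from HostZ itself get rewritten too
        return Packet(src, rev[pkt.dst], answers)

def demo() -> List[Entry]:
    """Replay the slide: DNS query, translated DNS reply, then the first packet to HostZ."""
    rta = OverlapNat("10.1.1.0/24", ["192.168.1.7"], ["192.168.3.6"])
    query = rta.from_inside(Packet("10.1.1.7", "172.16.10.5"))
    reply = rta.from_outside(Packet("172.16.10.5", query.src, dns_answers=["10.1.1.6"]))
    rta.from_inside(Packet("10.1.1.7", reply.dns_answers[0]))   # HostA pings 192.168.3.6
    return rta.entries

if __name__ == "__main__":
    for e in demo():
        print(e)
```

The payload rewrite happens only on the path where the header was translated, which matches the slide's note that NAT does not inspect the DNS reply otherwise; `from_outside` returns None for any packet whose destination has no entry, so the check on the header comes before the payload is ever touched.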
Verifying NAT translations
• The verbose keyword can be used with the show ip nat translations command to display
more information, including the time remaining for a dynamic entry.
Troubleshooting NAT translations
• The asterisk next to NAT indicates that the translation is occurring in the fast path.
• The first packet in a conversation will always go through the slow path, that is, to be
process-switched.
• The remaining packets will go through the fast path if a cache entry exists.
– s = a.b.c.d is the source address.
– a.b.c.d -> w.x.y.z is the address to which the source was translated.
– d = a.b.c.d is the destination address.
– The value in brackets is the IP identification number. This information may be
useful for debugging because it enables the comparison of data from the debug with
data from other sources, such as packet traces from sniffers.
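When a debug ip nat capture runs to hundreds of lines, the fields described above (fast-path asterisk, s=, the -> translation, d=, and the IP identification in brackets) are what you want pulled out and counted. The Python below is an added example, not from the slides or from Cisco: it parses lines in the format the slide describes, ignores other console output, and summarises how many packets took the slow path, which translations were seen in each direction, and the IP IDs available for matching against a sniffer trace. The sample debug text is constructed to that format.

```python
# Added example (not from the slides): parse 'debug ip nat' lines of the form
#   NAT*: s=a.b.c.d->w.x.y.z, d=e.f.g.h [id]
# and summarise them.  SAMPLE_DEBUG is constructed, not captured from a router.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_DEBUG = """\
NAT: s=10.1.1.6->203.0.113.10, d=198.51.100.8 [2718]
NAT*: s=10.1.1.6->203.0.113.10, d=198.51.100.8 [2719]
NAT*: s=198.51.100.8, d=203.0.113.10->10.1.1.6 [4411]
NAT*: s=10.1.1.6->203.0.113.10, d=198.51.100.8 [2720]
%SYS-5-CONFIG_I: Configured from console by console
"""

LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_x>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_x>[\d.]+))? \[(?P<ipid>\d+)\]$")

@dataclass
class NatDebugLine:
    fast_path: bool               # '*' present: handled in the fast (cached) path
    source: str
    source_translated: Optional[str]   # set on outbound packets (s=a.b.c.d->w.x.y.z)
    dest: str
    dest_translated: Optional[str]     # set on inbound packets (d=a.b.c.d->w.x.y.z)
    ip_id: int                    # IP identification field, for matching a sniffer trace

def parse_line(line: str) -> Optional[NatDebugLine]:
    """Parse one debug line; None for anything that is not a NAT debug message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return NatDebugLine(m["fast"] == "*", m["s"], m["s_x"], m["d"], m["d_x"], int(m["ipid"]))

def parse_debug(text: str) -> List[NatDebugLine]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def summarize(lines: List[NatDebugLine]) -> dict:
    """Counts and mappings a troubleshooter checks first."""
    return {
        "total": len(lines),
        "slow_path": sum(not l.fast_path for l in lines),   # first packet of a conversation
        "fast_path": sum(l.fast_path for l in lines),
        "outbound": sorted({(l.source, l.source_translated) for l in lines if l.source_translated}),
        "inbound": sorted({(l.dest, l.dest_translated) for l in lines if l.dest_translated}),
        "ip_ids": [l.ip_id for l in lines],
    }

if __name__ == "__main__":
    for key, value in summarize(parse_debug(SAMPLE_DEBUG)).items():
        print(f"{key:10} {value}")
```

A healthy conversation shows exactly one slow-path line per new flow followed by fast-path lines; repeated slow-path lines for the same addresses suggest the cache entry is not being created, and the IP IDs let you find the same packets in a capture taken on either side of the router.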
Clearing NAT translations
• Once NAT is enabled, no changes can be made to the NAT process while
dynamic translations are active.
• Use the clear ip nat translation * command to clear all
translated entries.
• There are additional forms of this command to clear specific entries.
NAT Considerations
NAT advantages
NAT disadvantages/advantage
• One significant disadvantage when implementing and using NAT is the loss of
end-to-end IP traceability.
• It becomes more difficult to trace packets that undergo numerous packet
address changes over multiple NAT hops.
• This scenario does, however, lead to more secure links.
• Hackers who want to determine the source of a packet will find it difficult, if
not impossible, to trace or obtain the original source or destination address.
Traffic types supported by Cisco
• Cisco IOS NAT supports the following traffic types:
– Any TCP/UDP traffic that does not carry source or destination IP
addresses in the application data stream
– Hypertext Transfer Protocol (HTTP)
– Trivial File Transfer Protocol (TFTP)
– Telnet
– Archie
– Finger
– Network Time Protocol (NTP)
– Network File System (NFS)
– rlogin, rsh, rcp
Traffic types supported by Cisco
• Cisco IOS NAT also supports the following traffic types although they carry IP
addresses in the application data stream:
– ICMP
– File Transfer Protocol (FTP), including PORT and PASV commands
– NetBIOS over TCP/IP for datagram, name, and session services
– Progressive Networks' RealAudio
– White Pines' CuSeeMe
– Xing Technologies' Streamworks
– DNS "A" and "PTR" queries
– H.323/NetMeeting versions 12.0(1)/12.0(1)T and later
– VDOLive versions 11.3(4)11.3(4)T and later
– Vxtreme versions 11.3(4)11.3(4)T and later
– IP multicast version 12.0(1)T for source address translation only
Traffic types not supported by Cisco
• Cisco IOS NAT does not support the following traffic types:
– Routing table updates
– DNS zone transfers
– BOOTP
– talk, ntalk
– Simple Network Management Protocol (SNMP)
– NetShow
Labs
NAT PAT Overload
NAT TCP Load Balancing
Lab No. 1