2212 6-28nat
2212 1232_05_2000_c2
Agenda: Terminology
- Terminology Rehash
- Requirements (Hardware/Software)
- Considerations
- Configuration / Basic to Real World Examples
- Troubleshooting
2000, Cisco Systems, Inc.
Terminology: Inside
ZONE Inside: Intranet / Private Address
- Your company's network
- Typically an RFC 1918 network
- The local address is the real IP address of the host
- Not routable on the Internet
Terminology: Outside
ZONE Outside: Internet / Public Address
- Everyone else's network
- Registered addresses only
- The global address is the virtual IP address of the inside host
- Is routable on the Internet
Terminology: Static
- Commonly used for inbound traffic
- Permanent
- The local address is always known by the same global address
Terminology: Dynamic
- Typically used for outbound (inside -> outside) traffic
- Short lived
- The local address might not always be known by the same global address
Terminology: NAT
- Network Address Translation
- Layer 3
- Maps one internal (local) address to one external (global) address
Terminology: PAT
- Port Address Translation
- Layer 3 and 4
- Similar to NAT, except it maps multiple internal (local) addresses to one external (global) address
Agenda: Requirements (Hardware/Software)
Requirements: Software
- 11.2: IP Plus only
- 11.3 PAT: General availability
- 11.3 NAT: IP Plus
- 12.x: Full NAT/PAT
Requirements: Hardware
- Most platforms
- Each translation = 160 bytes
- 10,000 translations = 1.6 megabytes
- Performance/latency impact is negligible
Agenda: Considerations
Considerations: Applications
Know Your Applications
- Application Layer: embedded IP information in the payload
- Transport/Network Layer: PAT/NAT compliant
Considerations: Embedded IP
Diagram: a packet whose payload carries an IP address (DATA: IP = 10.1.1.1). Header translation alone rewrites only the IP header; the address embedded in the data is left untouched unless NAT understands the application.
Considerations: IPSec ESP
Diagram: original packet = IP HDR | DATA. With ESP, only DATA is encrypted and authenticated; the IP header that NAT rewrites is not covered by the integrity check, so it WORKS!
Considerations: IPSec AH
Authentication Headers (AH), Transport Mode
Diagram: AH authenticates the IP header (Layer 3) together with DATA. NAT rewrites that header, so the authentication check fails. Breaks!
Considerations: Access-Lists, Inbound
Diagram (packet flow Outside -> NAT -> Inside): the inbound ACL* is evaluated and decryption is performed before the outside-to-inside translation, so an ACL on the outside interface matches on global (untranslated) addresses.
Considerations: Access-Lists, Outbound
Diagram (packet flow Inside -> NAT -> Outside): inbound ACL, policy routing, routing, and only then the inside-to-outside translation, so an ACL on the inside interface matches on inside local addresses.
FTP: Active Mode
- Server-initiated data connections
- The client tells the server on which port to send to the client
Diagram (Inside Network -- NAT -- Outside Network):
TCP Connection 1, control connection: SYN, SYN and ACK, ACK
PORT command <Address and Port>, ACK
TCP Connection 2, active mode data: SYN, SYN and ACK, ACK; data flows server to client
FTP: Passive Mode
- Client-initiated data connections
- The server tells the client on which port to send to the client
Diagram (Inside Network -- NAT -- Outside Network):
TCP Connection 1, control connection: SYN, SYN and ACK, ACK
PASV (Passive); reply: Entering PASV <Address and Port>
TCP Connection 2, passive mode data: SYN, SYN and ACK, ACK; data flows server to client
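An added example (not from the Cisco slides) of what a NAT ALG has to do with the addresses embedded in FTP control traffic, as the Embedded IP and FTP slides describe: a PORT command from an inside client carries its private address and must be rewritten to the inside-global address, while a 227 passive reply only needs to be parsed. The binding 10.1.1.20 -> 209.165.201.20 is a constructed assumption.

```python
import re
from ipaddress import ip_address

# Constructed NAT binding for the slides' topology: the inside-local client
# address and the inside-global address it is translated to (assumed values).
INSIDE_LOCAL = "10.1.1.20"
INSIDE_GLOBAL = "209.165.201.20"

_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\r?$")
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six PORT/PASV numbers h1,h2,h3,h4,p1,p2 into ("a.b.c.d", port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(addr, port):
    """Inverse of decode_hostport, using the FTP comma-separated encoding."""
    octets = ",".join(str(b) for b in ip_address(addr).packed)
    return f"{octets},{port // 256},{port % 256}"


def alg_rewrite_port(line, local, glob):
    """Active mode: the inside client announces its own (private) address and
    port in the PORT command.  A NAT ALG must rewrite that address to the
    inside-global one and pre-create the translation for the server-initiated
    data connection.  Returns (rewritten_line, (global_addr, port)) or, when
    the line is not a PORT command for this binding, (line, None)."""
    m = PORT_RE.match(line)
    if not m:
        return line, None
    addr, port = decode_hostport(m.groups())
    if addr != local:
        return line, None  # embedded address is not the one we translate
    return "PORT " + encode_hostport(glob, port), (glob, port)


def parse_pasv(line):
    """Passive mode: the server announces the endpoint the client must connect
    to.  With the server on the outside nothing is rewritten, but the NAT can
    expect an outbound client connection to exactly this endpoint."""
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None
```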
Agenda: Configurations
Topology: Outbound NAT
Diagram: inside host .20 on Ethernet 0 (10.1.1.0/24); NAT router at .10; Serial 0 toward the Internet. The same topology is used by the following slides.
Outbound NAT: Bindings
Outbound PAT
Outbound NAT/PAT
Outbound NAT: Interfaces
Inbound NAT
Topology: NAT by Destination
Diagram: Your Company (10.0.0.0/8 on Ethernet 0) behind the NAT router; Serial 0 toward the Partners network (192.168.1.0/24), Serial 1 toward the Internet.
Partners: available addresses 172.16.1.0/24
router(config)# ip nat pool partners 172.16.1.3 172.16.1.254 netmask 255.255.255.0
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
router(config)# route-map topartner permit 10
router(config-map)# match ip address 110
router(config)# route-map tointernet permit 10
router(config-map)# match ip address 100
NAT by Destination: Bindings
Internet: available addresses 209.165.201.0/27
router(config)# ip nat inside source route-map topartner pool partners
router(config)# ip nat inside source route-map tointernet pool internet
The deny entry in access-list 100 keeps partner-bound traffic out of the Internet pool; a deny in a NAT access-list means "do not translate", not "drop".
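Added example, not from the slides: the NAT-by-destination policy above modelled in Python, with IOS wildcard-mask matching and first-match access-list semantics. Access-list 110, which route-map topartner references but the slides do not show, is assumed here to permit 10.0.0.0/8 to 192.168.1.0/24.

```python
from ipaddress import IPv4Address


def wc_match(addr, base, wildcard):
    """IOS wildcard matching: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


# Entries are (action, src, src-wildcard, dst, dst-wildcard), in order.
# access-list 100 exactly as on the slides ("any" = 0.0.0.0 255.255.255.255).
ACL_100 = [
    ("deny",   "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# access-list 110 is NOT on the slides; assumed: permit 10/8 -> partners.
ACL_110 = [
    ("permit", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
]


def acl_permits(acl, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False


# route-map name, the ACL it matches, and the pool bound to it on the slides:
#   ip nat inside source route-map topartner  pool partners
#   ip nat inside source route-map tointernet pool internet
ROUTE_MAPS = [
    ("topartner", ACL_110, "partners"),
    ("tointernet", ACL_100, "internet"),
]


def select_pool(src, dst):
    """Pool an inside->outside packet is translated from, or None when no
    route-map permits it (the packet is then forwarded untranslated, with
    its private source address intact, which is usually not what you want)."""
    for _name, acl, pool in ROUTE_MAPS:
        if acl_permits(acl, src, dst):
            return pool
    return None
```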
VPNs: The Issues
Diagram: a Roaming User reaches the Internet through an ISP and builds an IPSec Tunnel to the VPN Gateway at Your Company; NAT sits in the path between the company's 10.0.0.0/8 network and the Internet.
VPNs: Mode Configuration
Diagram: the IPSec Tunnel terminates on the VPN Gateway; NAT fronts 10.0.0.0/8 at Your Company.
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
Traffic from 10.0.0.0/8 to 172.16.1.0/24 is excluded from translation; all other traffic from 10.0.0.0/8 is translated.
VPNs: Static NATs
Diagram: Roaming User -> ISP -> Internet -> NAT -> VPN Gateway (10.1.1.1/8) at Your Company, over an IPSec Tunnel; the gateway is reached through a static NAT entry.
VPNs: Policy Routing
Diagram labels: VPN Gateway 10.1.1.1/8 on Ethernet 0 of the NAT router; 172.31.1.1/24 on the Internet side; next hop 172.31.1.2.
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
router(config)# route-map bypassnat permit 10
router(config-map)# match ip address 100
router(config-map)# set ip next-hop 172.31.1.2
router(config)# interface Ethernet 0
router(config-if)# ip policy route-map bypassnat
TCP Load Distribution: Round-Robin
Diagram: inside servers 10.1.1.x (.1, .2, ...) behind NAT; the outside reaches them through the virtual address 209.165.201.5, distributed round-robin.
router(config)# ip nat pool tcpload 10.1.1.1 10.1.1.3 netmask 255.255.255.0 type rotary
router(config)# access-list 1 permit host 209.165.201.5
router(config)# ip nat inside destination list 1 pool tcpload
Overlapping Networks
Diagram: Inside 10.1.1.x (hosts .1, .2, .3) -- NAT -- Outside 10.1.1.x (hosts .1, .2, .3 and the DNS server on the Internet side); both sides use the same address range.
router-nat(config)# ip nat outside source static network 192.168.1.0 10.1.1.0 /24
router-nat(config)# ip nat inside source static network 10.1.1.0 172.16.1.0/24
Walk-through:
1. The inside host sends a DNS query for RED-3 (address still unknown: "RED-3 ???") to the outside DNS server.
2. DNS Response = 10.1.1.3. The answer passes through NAT and the inside host learns RED-3 as 192.168.1.3.
3. Inside host sends: SA:10.1.1.3 DA:192.168.1.3
4. After the inside source translation: SA:172.16.1.3 DA:192.168.1.3
5. After the outside source translation, on the outside network: SA:172.16.1.3 DA:10.1.1.3
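Added example (not from the slides) that carries the overlapping-networks walk-through above through in code: the DNS answer fix-up and the two network statics, modelled as 1:1 host mappings between the /24s so that each packet header matches the slides step by step.

```python
from ipaddress import IPv4Address, IPv4Network

# The two network statics from the slide, as the packet walk shows them:
#   inside source : 10.1.1.0/24 (inside local)   <-> 172.16.1.0/24 (inside global)
#   outside source: 10.1.1.0/24 (outside global) <-> 192.168.1.0/24 (outside local)
INSIDE_LOCAL = IPv4Network("10.1.1.0/24")
INSIDE_GLOBAL = IPv4Network("172.16.1.0/24")
OUTSIDE_GLOBAL = IPv4Network("10.1.1.0/24")
OUTSIDE_LOCAL = IPv4Network("192.168.1.0/24")


def map_net(addr, src_net, dst_net):
    """Network static translation: keep the host part, swap the network part.
    Addresses outside src_net are returned unchanged."""
    a = IPv4Address(addr)
    if a not in src_net:
        return str(a)
    host = int(a) - int(src_net.network_address)
    return str(dst_net.network_address + host)


def fixup_dns_answer(answer):
    """DNS fix-up: an A record answered by the outside DNS server carries an
    outside-global address; the inside host must learn the outside-local one."""
    return map_net(answer, OUTSIDE_GLOBAL, OUTSIDE_LOCAL)


def inside_to_outside(sa, da):
    """Walk an inside->outside packet through both translations and return
    the (SA, DA) header after each step, in the order the slides show."""
    after_inside = (map_net(sa, INSIDE_LOCAL, INSIDE_GLOBAL), da)
    after_outside = (after_inside[0], map_net(da, OUTSIDE_LOCAL, OUTSIDE_GLOBAL))
    return [(sa, da), after_inside, after_outside]


def outside_to_inside(sa, da):
    """Reverse path: outside global -> outside local for the source and
    inside global -> inside local for the destination."""
    return (map_net(sa, OUTSIDE_GLOBAL, OUTSIDE_LOCAL),
            map_net(da, INSIDE_GLOBAL, INSIDE_LOCAL))
```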
Network Statics
Diagram: inside host .20 on 10.1.1.0/24; NAT router at .10; Outside.
Alternative configuration (match-host pool):
router(config)# ip nat pool natpool 172.18.1.0 172.18.1.255 netmask 255.255.255.0 type match-host
router(config)# ip nat inside source list 1 pool natpool
router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.18.1.10        10.1.1.10          ---                ---
Subnet translation:
Inside global      Inside local       Outside local      Outside global     /prefix
172.18.1.0         10.1.1.0           ---                ---                /24
Network Statics: Debugs
Diagram: inside host .20 on 10.1.1.0/24; NAT router at .10; Outside.
router#debug ip nat detailed
IP NAT detailed debugging is on
router#
00:12:30: NAT: i: icmp (10.1.1.10, 2458) -> (10.1.2.2, 2458) [20]
00:12:30: NAT: Create inside host entry from network translation:
00:12:30:   10.1.1.10 -> 172.18.1.10 (10.1.1.0 -> 172.18.1.0)
00:12:30: NAT*: o: icmp (10.1.2.2, 2458) -> (172.18.1.10, 2458) [20]
Agenda: Troubleshooting
Show Commands: Translations
Show Commands: Statistics
ip nat translation
router(config)# ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows
Clear Commands
Summary
- NAT/PAT (overload) -> one-to-one / many-to-one address mappings
- Can solve IP address shortages and/or conflicts
- Can hide your network address space from the OUTSIDE world
- Is flexible: route-maps and access-lists determine what traffic needs to be translated
- Is only performed if the packet traverses from the INSIDE to OUTSIDE ip nat interfaces and is permitted by the access-list