S6C11 - NAT - PowerPoint PPT Presentation

Provided by: Youngs96
Slides: 27
Learn more at: http://www.csis.ysu.edu

Transcript and Presenter's Notes

1
S6C11 - NAT
  • Network Security Translation

2
NAT Described
  • Globally unique ONLY in terms of public internet
  • Translates private addresses into publicly usable
    addresses to be used on public Internet
  • Saves usable IP addresses
  • Effective means for hiding actual device
    addressing within a private network
  • Aka Network Address Translator
  • Defined in RFC 1631

3
NAT and PAT
  • NAT Translation
  • The NAT box can be a Cisco router, a UNIX system,
    a Windows XP server, or several other kinds of
    systems.
  • The router looks inside the IP header and, if
    appropriate, replaces the local IP address with a
    globally unique IP address
  • When an outside host sends a response, the NAT
    router receives it, checks the current table of
    network address translations, and replaces the
    destination address with the original inside
    source address
  • Port Address Translation
  • Allows the user to conserve addresses in the
    global address pool by allowing source ports in
    TCP connections or UDP conversations to be
    translated. Different local addresses then map to
    the same global address

4
PAT Limitations
  • As long as the inside global port numbers are
    unique for each inside local host, NAT overload
    will work.
  • NAT overload can go a long way to alleviate
    address depletion, but its capabilities are
    limited
  • A realistic number is approximately 4,000 local
    addresses per global address.
  • Each NAT translation consumes about 160 bytes of
    router DRAM.

5
Static Translation
  • Translates inside local addresses
  • Establishes a mapping between inside local and
    global addresses
  • Configured statically, one entry at a time
  • For every inside local address, static NAT
    requires an inside global address
  • Typically used in conjunction with dynamic NAT,
    in cases where you have overlapping networks
  • RTA(config)# ip nat inside source static 10.1.1.7
    171.70.2.10
  • Specify an inside and an outside interface
  • RTA(config)# interface bri0
  • RTA(config-if)# ip nat outside
  • RTA(config-if)# interface e0
  • RTA(config-if)# ip nat inside

6
Dynamic Translation
  • Translates inside local addresses
  • Establishes a mapping between inside local and
    global addresses
  • Mappings configured dynamically by the router as
    needed
  • Translations do not exist in the NAT translation
    table until the router receives traffic that
    requires translation (such traffic is defined by
    an administrator). Dynamic translations are
    temporary and will eventually time out.

7
Configuration for Dynamic
  • Create a pool of IP addresses to be allocated as
    needed
  • Router(config)# ip nat pool name start-ip end-ip
    {netmask netmask | prefix-length prefix-length}
  • Specify which addresses to translate
  • Router(config)# access-list access-list-number
    permit source source-wildcard
  • Establish a dynamic translation based on source
  • Router(config)# ip nat inside source list
    access-list-number pool name
  • Configure at least one inside interface and one
    outside interface
  • Router(config-if)# ip nat inside
  • Router(config-if)# ip nat outside

8
Why Dynamic?
  • Although NAT is not a security firewall, it can
    prevent outsiders from initiating connections
    with inside hosts, unless a permanent global
    address mapping exists in the NAT table (static
    NAT). Because outside hosts never see the
    "pre-translated" inside addresses, NAT has the
    effect of hiding the inside network structure.
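The translation behaviour of slides 3, 4 and 8 as an added Python model (not part of the original deck and not Cisco code): one inside global address is overloaded across many inside hosts by rewriting source ports, a static mapping like the one on slide 5 stays reachable from outside at all times, and an inbound packet with no table entry is dropped. Class and field names, the default port range and the entry refresh rule are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Models a NAT router: static 1:1 mappings plus dynamic PAT (overload)."""

    def __init__(self, global_ip, static=None, timeout=1800, first_port=1024):
        self.global_ip = global_ip        # one inside global address shared by all hosts
        self.static = dict(static or {})  # inside local -> inside global, permanent
        self.fwd = {}                     # (local ip, port) -> (global ip, port)
        self.rev = {}                     # (global ip, port) -> (local ip, port, last_seen)
        self.timeout = timeout            # seconds, as in 'ip nat translation timeout'
        self.next_port = first_port       # assumed starting point for allocated ports

    def _expire(self, now):
        for key, (local, port, seen) in list(self.rev.items()):
            if now - seen >= self.timeout:
                del self.rev[key]
                del self.fwd[(local, port)]

    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source, creating a dynamic entry if needed."""
        self._expire(now)
        if pkt.src in self.static:        # static NAT swaps the address, keeps the port
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if (pkt.src, pkt.sport) not in self.fwd:
            self.fwd[(pkt.src, pkt.sport)] = (self.global_ip, self.next_port)
            self.next_port += 1
        g_ip, g_port = self.fwd[(pkt.src, pkt.sport)]
        self.rev[(g_ip, g_port)] = (pkt.src, pkt.sport, now)
        return Packet(g_ip, g_port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Outside -> inside: reverse-translate, or return None (drop) when no entry exists."""
        self._expire(now)
        for local, g_ip in self.static.items():   # permanent mappings are always reachable
            if g_ip == pkt.dst:
                return Packet(pkt.src, pkt.sport, local, pkt.dport)
        entry = self.rev.get((pkt.dst, pkt.dport))
        if entry is None:                         # unsolicited inbound: no entry, dropped
            return None
        self.rev[(pkt.dst, pkt.dport)] = (entry[0], entry[1], now)   # refresh the timer
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])
```

The inside hosts and outside addresses in any trial run are constructed values; the global address 171.70.2.1 and static pair 10.1.1.7 to 171.70.2.10 come from slides 5 and 11.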

9
Address Definitions
  • Inside local: IP address assigned to a host on the
    inside network
  • Inside global: a legitimate IP address (assigned
    by the NIC or service provider) that represents
    the local IP address to the outside world
  • Outside local: IP address of an outside host as it
    appears to the inside network, allocated from
    inside addressable routable space
  • Outside global: IP address assigned to a host on
    the outside network by its owner, allocated from
    globally routable address space

10
NAT and Address Overlapping
  • NAT can resolve address issues when inside
    addresses overlap with addresses in outside
    network
  • When two companies with similar address
    structures merge
  • When ISPs are swapped and another client has the
    same address structure

11
Overload Configuration
  • Configure NAT overload by using the keyword
    overload
  • Router(config)# ip nat inside source list
    access-list-number pool name overload
  • RTA is configured as follows
  • RTA(config)# ip nat pool mypatpool 171.70.2.1
    171.70.2.30 netmask 255.255.255.0
  • RTA(config)# access-list 24 permit 10.1.1.0
    0.0.0.255
  • RTA(config)# ip nat inside source list 24 pool
    mypatpool overload
  • RTA(config)# interface bri 0
  • RTA(config-if)# ip nat outside
  • RTA(config-if)# interface ethernet 0
  • RTA(config-if)# ip nat inside

12
Overload Alternative
  • You can overload the address of an outside
    interface instead of a pool
  • Router(config)# ip nat inside source list
    access-list-number interface interface-name
    overload
  • Example: Router(config)# ip nat inside source list
    2 interface s0 overload

13
Information Needed
  • ISDN
  • Switch type, Spids, directory number (local seven
    digit ISDN phone number of router)
  • ISP
  • PPP client name (the ISP assigns it as the login
    name)
  • PPP authentication type and password
  • IP address information (including subnet mask)
    used in the router's public address pool
  • ISP phone number

14
Atlanta Configuration Default/Generic
  • ip subnet-zero
  • no ip domain-lookup
  • enable secret cisco
  • ip nat translation timeout 1800
  • isdn switch-type basic-ni1
  • ip classless
  • ip http server
  • line con 0
  • password cisco
  • login
  • line vty 0 4
  • password telnet
  • login

15
Atlanta Configuration
  • hostname Atlanta
  • ip nat inside source list 1 interface Dialer0
    overload
  • ip nat inside source static 10.1.1.2 215.1.1.2
  • interface e0
  • ip address 10.1.1.1 255.0.0.0
  • ip nat inside

16
Atlanta Continued - Bri
  • interface bri 0
  • no ip address
  • encapsulation ppp
  • dialer rotary-group 0
  • isdn spid1 014045551111000 5551111
  • isdn spid2 014045552222000 5552222

17
Atlanta Continued - dialer
  • interface Dialer0
  • ip address 215.1.1.1 255.255.255.0
  • ip nat outside
  • encapsulation ppp
  • dialer in-band
  • dialer idle-timeout 200
  • dialer string 1408555333 class 56K
  • dialer hold-queue 10
  • dialer load-threshold 200 either
  • dialer-group 1

18
Atlanta Dialer Contd
  • ppp authentication chap callin
  • ppp chap hostname Atlanta
  • ppp chap password gocisco1
  • ppp multilink

19
Atlanta Continued Map Class and Routes
  • ip route 0.0.0.0 0.0.0.0 Dialer0
  • ip route 20.0.0.0 255.0.0.0 10.1.1.2
  • map-class dialer 56K
  • access-list 1 permit 10.0.0.0 0.255.255.255
  • access-list 1 permit 20.0.0.0 0.255.255.255
  • dialer-list 1 protocol ip permit

20
Boston Configuration
  • hostname Boston
  • interface e0
  • ip address 20.1.1.1 255.0.0.0
  • interface e1
  • ip address 10.1.1.2 255.0.0.0
  • ip route 0.0.0.0 0.0.0.0 10.1.1.1
  • ip http server
  • line con 0
  • password cisco
  • login
  • line vty 0
  • password telnet
  • login

21
TCP Load Distribution
  • Define a pool of addresses containing the
    addresses of the real hosts
  • Router(config)# ip nat pool name start-ip end-ip
    {netmask netmask | prefix-length prefix-length}
    type rotary
  • Define an access list permitting the address of
    the virtual host
  • Router(config)# access-list access-list-number
    permit source source-wildcard
  • Establish dynamic inside destination translation,
    identifying the access list defined in Step 2
  • Router(config)# ip nat inside destination list
    access-list-number pool name

22
TCP Continued
  • Specify the inside interface
  • Router(config)# interface type number
  • Mark the interface as connected to the inside
  • Router(config-if)# ip nat inside
  • Specify the outside interface
  • Router(config-if)# interface type number
  • Mark the interface as connected to the outside
  • Router(config-if)# ip nat outside

23
NAT Advantages
  • Conserves the legally registered addressing
    scheme by allowing the privatization of intranets
  • Reduces the instances in which addressing schemes
    overlap
  • Increases the flexibility of connection to the
    public network.
  • Multiple pools, backup pools, and load sharing/
    balancing pools can be implemented to help ensure
    reliable public network connections
  • De-privatization of a network
  • NAT allows the existing scheme to remain, and it
    still supports the new assigned addressing scheme
    outside the private network.

24
NAT Disadvantages
  • NAT increases delay.
  • Switching path delays, of course, are introduced
    because of the translation of each IP address
    within the packet headers
  • Loss of end-to-end IP traceability
  • Forces some applications that use IP addressing
    to stop functioning because it hides end-to-end
    IP addresses
  • Solution -- implement static NAT mappings.

25
Supported Traffic Types
  • Any TCP/UDP traffic that does not carry source or
    destination IP addresses in the application data
    stream
  • Hypertext Transfer Protocol (HTTP)
  • Trivial File Transfer Protocol (TFTP)
  • Telnet
  • Archie
  • Finger
  • Network Timing Protocol (NTP)
  • Network File System (NFS)
  • rlogin, rsh, rcp

26
More Supported Types
  • Even protocols that do carry address data in the
    data stream:
  • File Transfer Protocol (FTP) (including PORT and
    PASV commands)
  • NetBIOS over TCP/IP (datagram, name, and session
    services)
  • Progressive Networks' RealAudio
  • White Pines' CuSeeMe
  • Xing Technologies' Streamworks
  • DNS "A" and "PTR" queries
  • H.323/NetMeeting: 12.0(1)/12.0(1)T and later
  • VDOLive: 11.3(4)/11.3(4)T and later
  • Vxtreme: 11.3(4)/11.3(4)T and later
  • IP multicast: 12.0(1)T (source address
    translation only)