Network Address Translation
Brigham Young University-Idaho CIT 340
Short Term Solutions: IPv4 Enhancements
CIDR (Classless Inter-Domain Routing) – RFCs 1517, 1518, 1519, 1520
VLSM (Variable Length Subnet Mask) – RFC 1009
Private Addressing – RFC 1918
NAT/PAT (Network Address Translation / Port Address Translation) – RFC 1631 & 3022
Private Address Space
RFC 1918 sets aside three ranges of IP addresses for private networks: /8 /16 through
Do not route addresses in these blocks to the Internet.
Address Translation
Network Address Translation: one-to-one translation of IP addresses, mapping each inside local IP address to its own inside global address.
Port Address Translation: many-to-one translation, which takes multiple inside local IP addresses and translates them to one inside global address.
Network Address Translation
NAT involves a device, such as a router, that translates one set of IP addresses into another set.
It can conserve IP addresses by translating a large pool of private addresses into a small pool of public addresses.
Disadvantages include increased latency and difficulties with protocols or applications that carry an IP address in the data portion of the IP packet.
Network Address Translation (NAT) Addresses
Inside Local – address used by a host on the private side.
Inside Global – public, often registered, IP address into which the inside local address is translated.
Outside Global – actual IP address of a host that resides on the outside public network.
Outside Local – IP address into which an outside global IP address is translated.
NAT Inside/Outside & Local/Global Relationship
(SA = source address, DA = destination address)
Packet direction     Inside network                           Outside network
Inside to outside    SA = Inside Local, DA = Outside Local    SA = Inside Global, DA = Outside Global
Outside to inside    DA = Inside Local, SA = Outside Local    DA = Inside Global, SA = Outside Global
Advantages of NAT
NAT allows you to increase or decrease the number of registered IP addresses without changing devices in the network.
Static translations are manually configured to translate a single global IP address to a single local IP address.
Dynamic mappings are configured on the NAT border router by using a pool of one or more registered IP addresses. Devices on the inside of the network that wish to communicate with a host on the outside network can use these addresses in the pool.
Advantages of NAT (Continued)
NAT can be configured to allow the basic load sharing of packets among multiple servers using the TCP load distribution feature. TCP load distribution uses a single outside IP address, which is mapped to multiple addresses. Incoming connections are distributed in a round-robin fashion among IP addresses in the internal pool. If you switch ISPs and need to change the registered IP addresses you are using, NAT makes it so you don’t have to renumber every device in your network. The only change is the addresses that are being used in the NAT pool.
Advantages of NAT (continued)
NAT also helps if you merge with another company and you are both using the same RFC 1918 address space. You can configure NAT on the border router between your routing domains to translate the address from one network to the other.
Disadvantages of NAT
NAT increases latency: every packet must be processed to see whether it needs translation.
NAT hides end-to-end IP addresses, which renders some applications unusable.
Because NAT changes IP addresses, an IP flow can no longer be tracked end-to-end. The upside is that this also eliminates a hacker's ability to identify the packet's true source.
Disadvantages of NAT (continued)
NAT makes troubleshooting or tracking malicious traffic more difficult.
Because a host that needs to be reached from the outside network will have two IP addresses, one inside and one outside, this creates a problem called split DNS: you need to set up two DNS servers, one for external and one for internal addresses.
Network Address Translation (NAT)
NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP packet header. In practice, NAT is used to allow hosts that are privately addressed to access the Internet.
Network Address Translation (NAT)
(Figure: two inside hosts both sending from TCP source port 1026 are translated to distinct global source ports, 1923 and 1924.)
NAT translations can occur dynamically or statically. The most powerful feature of NAT routers is their capability to use port address translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called many-to-one NAT. With PAT, or address overloading, literally hundreds of privately addressed nodes can access the Internet using only one global address. The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers.
Translating Inside Local Addresses
(Figure: inside local IP addresses are translated to inside global IP addresses by the NAT border router on the way to the Internet.)
Configuring NAT
Each interface must be designated either inside or outside, so that the router knows how to handle its traffic.
Router(config)#interface e0/0
Router(config-if)#ip nat inside
Router(config-if)#interface s0/0
Router(config-if)#ip nat outside
Configuring Static NAT
Static NAT maps one inside global address to one inside local address.
Router(config)#ip nat inside source static <inside-local-ip> <inside-global-ip>
This creates a permanent entry in the NAT table, so traffic sent to the inside global address will be translated to the inside local address.
You can also configure just a certain port to be translated:
Router(config)#ip nat inside source static tcp <inside-local-ip> <local-port> <inside-global-ip> <global-port>
Configuring Dynamic NAT
Dynamic NAT is used to map inside IP addresses to outside IP addresses on the fly, from a pool of available IP addresses.
First designate your inside and outside interfaces. Create an access list to select the traffic to be translated. Next configure a pool of addresses and tie the access list to the pool.
Router(config)#int f0/0
Router(config-if)#ip nat inside
Router(config-if)#int s0/0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#access-list 12 permit <inside-network> <wildcard-mask>
Router(config)#ip nat pool outbound <first-global-ip> <last-global-ip> prefix-length 24
Router(config)#ip nat inside source list 12 pool outbound
The pool's subnet mask can be given either as netmask with the mask in dotted decimal, or as prefix-length with the number of bits in the subnet mask. The pool above could equally be defined with netmask <dotted-decimal-mask> (255.255.255.0 for a /24).
Configuring NAT Using Overloading
Once all the IP addresses in a pool have been allocated, any new connection attempts will fail. So if your ISP allocates 13 addresses, only the first 13 users will be able to access the Internet. Once a NAT entry has expired, the IP address is released back to the pool. Configuring overloading allows the router to reuse each IP address in the pool: it changes not only the IP address but the port number as well. This is known as Port Address Translation (PAT), also known as Network Address and Port Translation (NAPT). The router adds the protocol and port information to each translation entry, which allows more inside IP addresses to access the outside network than there are IP addresses in the pool.
Configuring NAT Using Overloading (continued)
The pool of addresses can be one IP address in size, but it can support approximately 64,000 inside users, using a single protocol by varying the outbound port numbers.
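The many-to-one behaviour described on the PAT slide and in the overloading discussion above can be made concrete with a small translation-table model. The following is an added example written for this page, not code from the slides or from any router vendor; the addresses (RFC 1918 inside, RFC 5737 documentation ranges outside) and the port range starting at 1923 are constructed. Without overload, each inside host occupies a whole pool address and the third host is refused once a two-address pool is full; with overload, two hosts both sending from port 1026 share one global address and are told apart by the rewritten source port, and return traffic is mapped back through the same entry. The `capacity()` method also reproduces the "approximately 64,000" figure for a one-address pool.

```python
"""NAT/PAT translation-table simulation (added example, not from the slides).

Constructed addresses: RFC 1918 space inside, RFC 5737 ranges outside.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]          # (protocol, ip, port)
Endpoint = Tuple[str, int]           # (ip, port)


class PoolExhausted(Exception):
    """No free inside global address (or port, under PAT) for a new flow."""


@dataclass
class NatRouter:
    pool: List[str]                  # inside global addresses
    overload: bool = False           # False = dynamic NAT, True = PAT/NAPT
    first_port: int = 1024           # outbound port range handed out under PAT
    last_port: int = 65535
    # outbound: (proto, inside local ip, local port) -> (inside global ip, global port)
    out_table: Dict[Flow, Endpoint] = field(default_factory=dict)
    # inbound: (proto, inside global ip, global port) -> (inside local ip, local port)
    in_table: Dict[Flow, Endpoint] = field(default_factory=dict)
    # dynamic NAT only: which pool address each inside host currently holds
    host_map: Dict[str, str] = field(default_factory=dict)

    def capacity(self) -> int:
        """Concurrent flows per protocol the pool can carry."""
        ports = self.last_port - self.first_port + 1 if self.overload else 1
        return len(self.pool) * ports

    def translate_outbound(self, proto: str, local_ip: str, local_port: int) -> Endpoint:
        """Rewrite an inside->outside packet's source, creating an entry if needed."""
        key = (proto, local_ip, local_port)
        if key in self.out_table:              # existing conversation
            return self.out_table[key]
        if self.overload:
            global_ip, global_port = self._allocate_pat(proto)
        else:
            global_ip = self._allocate_address(local_ip)
            global_port = local_port           # dynamic NAT leaves the port alone
        self.out_table[key] = (global_ip, global_port)
        self.in_table[(proto, global_ip, global_port)] = (local_ip, local_port)
        return global_ip, global_port

    def translate_inbound(self, proto: str, global_ip: str, global_port: int) -> Optional[Endpoint]:
        """Return traffic: find the inside host, or None if no entry exists."""
        return self.in_table.get((proto, global_ip, global_port))

    def expire(self, proto: str, local_ip: str, local_port: int) -> bool:
        """Entry timed out: remove it and, for dynamic NAT, release the address."""
        entry = self.out_table.pop((proto, local_ip, local_port), None)
        if entry is None:
            return False
        self.in_table.pop((proto,) + entry, None)
        still_active = any(k[1] == local_ip for k in self.out_table)
        if not self.overload and not still_active:
            self.host_map.pop(local_ip, None)
        return True

    def _allocate_pat(self, proto: str) -> Endpoint:
        # lowest free (address, port) pair; ports are tracked per protocol
        for global_ip in self.pool:
            for port in range(self.first_port, self.last_port + 1):
                if (proto, global_ip, port) not in self.in_table:
                    return global_ip, port
        raise PoolExhausted("no free %s port on any pool address" % proto)

    def _allocate_address(self, local_ip: str) -> str:
        if local_ip in self.host_map:
            return self.host_map[local_ip]
        in_use = set(self.host_map.values())
        for global_ip in self.pool:
            if global_ip not in in_use:
                self.host_map[local_ip] = global_ip
                return global_ip
        raise PoolExhausted("all %d pool addresses are allocated" % len(self.pool))


def demo_dynamic_nat_exhaustion() -> bool:
    """A two-address pool serves two hosts; the third host's connection is refused."""
    router = NatRouter(pool=["203.0.113.1", "203.0.113.2"])
    router.translate_outbound("tcp", "192.168.1.10", 1026)
    router.translate_outbound("tcp", "192.168.1.11", 1026)
    try:
        router.translate_outbound("tcp", "192.168.1.12", 1026)
    except PoolExhausted:
        return True
    return False


def demo_pat() -> Tuple[Endpoint, Endpoint, Optional[Endpoint]]:
    """Two hosts both using source port 1026 share one global address under PAT."""
    router = NatRouter(pool=["203.0.113.1"], overload=True, first_port=1923)
    a = router.translate_outbound("tcp", "192.168.1.10", 1026)   # -> 203.0.113.1:1923
    b = router.translate_outbound("tcp", "192.168.1.11", 1026)   # -> 203.0.113.1:1924
    back = router.translate_inbound("tcp", *b)                    # -> 192.168.1.11:1026
    return a, b, back


if __name__ == "__main__":
    print("dynamic NAT refused the third host:", demo_dynamic_nat_exhaustion())
    print("PAT entries and reverse lookup:", demo_pat())
    print("flows one overloaded address carries:", NatRouter(["203.0.113.1"], True).capacity())
```

The model keys PAT entries on protocol as well as port, which is why the same global address can carry a TCP and a UDP flow on the same port number; that is also why a real router's translation table lists the protocol in its first column.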
Configuring NAT Using Overloading (continued)
Router(config)#ip nat inside source list 12 pool outbound overload
This applies the pool and the access list; the overload keyword allows port numbers to be used so that the pool addresses are shared.
Configuring TCP Load Distribution
NAT has a feature unrelated to conserving public addresses. Load distribution allows one host address inside the network (such as a web server's) to spread its load among several hosts. Destination addresses that match an access list are replaced with addresses from a pool that has been designated as a rotary pool by adding the type rotary keywords at the end of the ip nat pool command.
Configuring TCP Load Distribution (continued)
Router(config)#ip nat pool web-hosts <first-server-ip> <last-server-ip> netmask <dotted-decimal-mask> type rotary
Router(config)#access-list 12 permit <virtual-host-ip>
Router(config)#ip nat inside destination list 12 pool web-hosts
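The rotary-pool behaviour configured above, as an added example that is not part of the slides: TCP connections addressed to the one virtual address the access list permits have their destination rewritten to the next real server in round-robin order, a client's established connection keeps the server it was given, and traffic to any other address passes through untouched. The virtual address 203.0.113.10 and the three server addresses are constructed (RFC 5737 and RFC 1918 space).

```python
"""Round-robin destination translation for TCP load distribution (added example)."""
from itertools import cycle
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]


class RotaryPool:
    def __init__(self, virtual_ip: str, servers: List[str]):
        self.virtual_ip = virtual_ip          # the address the access list permits
        self._rotation = cycle(servers)       # round-robin order of the real servers
        self.table: Dict[Endpoint, str] = {}  # (client ip, client port) -> server ip

    def translate(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Return the destination to forward to; only matching TCP flows are rewritten."""
        if proto != "tcp" or dst[0] != self.virtual_ip:
            return dst                        # not a load-distributed flow
        if src not in self.table:             # new connection: take the next server
            self.table[src] = next(self._rotation)
        return (self.table[src], dst[1])      # address rewritten, port left unchanged


def demo_rotary() -> Tuple[List[str], str, Endpoint]:
    pool = RotaryPool("203.0.113.10", ["192.168.1.1", "192.168.1.2", "192.168.1.3"])
    vip = ("203.0.113.10", 80)
    clients = [("198.51.100.%d" % i, 40000 + i) for i in range(1, 5)]   # constructed
    # four new connections cycle through the three servers and wrap around
    first = [pool.translate("tcp", c, vip)[0] for c in clients]
    # a later packet of client 1's connection stays on its original server
    repeat = pool.translate("tcp", clients[0], vip)[0]
    # traffic to some other inside global address is left as-is
    other = pool.translate("tcp", ("198.51.100.9", 5000), ("203.0.113.11", 80))
    return first, repeat, other


if __name__ == "__main__":
    print(demo_rotary())
```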
24
Configuring NAT for Overlapping Addresses
Configuring NAT for overlapping addresses is similar to dynamic NAT. The difference is that you must configure an outside pool as well as an inside pool.
Router(config)#access-list 12 permit <overlapping-network> <wildcard-mask>
Router(config)#ip nat pool insidepool <first-ip> <last-ip> netmask <dotted-decimal-mask>
Router(config)#ip nat pool outsidepool <first-ip> <last-ip> prefix-length 24
Router(config)#ip nat inside source list 12 pool insidepool
Router(config)#ip nat outside source list 12 pool outsidepool
Verifying and Troubleshooting the NAT Configuration
Router#show ip nat translations
Router#show ip nat translations verbose
Router#show ip nat statistics
Router#debug ip nat
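When reviewing what show ip nat translations prints, it helps to read the table programmatically rather than by eye. The following is an added example, not from the slides: the sample output is constructed in the command's column layout (protocol, inside global, inside local, outside local, outside global, with "---" where a static entry has no protocol, port or outside address) using RFC 5737 and RFC 1918 addresses. The summary functions show the check a network defender typically runs over the table: which inside hosts hold the most translations, since a single host suddenly holding a large number of entries is a common sign of a misbehaving or compromised machine, and which entries are static mappings that never expire.

```python
"""Parser and summary for 'show ip nat translations' output (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the command's column format.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1923   192.168.1.10:1026  198.51.100.20:80   198.51.100.20:80
tcp 203.0.113.5:1924   192.168.1.11:1026  198.51.100.20:80   198.51.100.20:80
udp 203.0.113.5:5353   192.168.1.10:5353  198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.5:1925   192.168.1.10:1027  198.51.100.21:443  198.51.100.21:443
--- 203.0.113.6        192.168.1.50       ---                ---
"""


def split_endpoint(column: str) -> Tuple[Optional[str], Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None); '---' -> (None, None)."""
    if column == "---":
        return None, None
    ip, _, port = column.partition(":")
    return ip, int(port) if port else None


def parse_translations(text: str) -> List[Dict]:
    """One dict per table row; the header line and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
            # no protocol and no outside address: a static one-to-one mapping
            "static": proto == "---" and ol == "---",
        })
    return entries


def translations_per_inside_host(entries: List[Dict]) -> Counter:
    """How many dynamic entries each inside local address currently holds."""
    return Counter(e["inside_local"][0] for e in entries if not e["static"])


def busiest_inside_hosts(entries: List[Dict], threshold: int) -> List[str]:
    """Inside hosts holding at least `threshold` dynamic translations, busiest first."""
    counts = translations_per_inside_host(entries)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(len(rows), "entries;", sum(r["static"] for r in rows), "static")
    print("per inside host:", dict(translations_per_inside_host(rows)))
    print("hosts with 2+ translations:", busiest_inside_hosts(rows, 2))
```

Feeding the function the real command output (pasted or captured from the console) instead of SAMPLE gives the same summary for a live router; with show ip nat translations verbose, extra indented lines follow each entry and are ignored because they do not have five columns.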
Commands that clear NAT Table
clear ip nat translation *
Clears all NAT table entries.
clear ip nat translation inside global-ip
Clears all simple inside NAT translation table entries for the specified IP address.
clear ip nat translation outside local-ip
Clears all simple outside NAT translation table entries for the specified IP address.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Clears the specific extended NAT table entry represented by the global and local IP addresses and ports.