Deploying and Troubleshooting Network Address Translation

  • Published on 25-Feb-2018


  • Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr

    2003, Cisco Systems, Inc. All rights reserved. NMS-2102 7954_05_2003_c1

    Deploying and Troubleshooting Network Address Translation

    Session NMS-2102

    mihollow@cisco.com


    Agenda: The WWW of NAT

    The Why, the What, and the Where

    Pitfalls and How to Avoid Them

    Tools for Deployment

    VPN and Network Address Translation, Can They Get Along?

    Dealing with Voice Elements

    Questions and Answers

    Why Use Network Address Translation?

    IPv4 shortage

    IPv6 is still the future

    Security benefits

    Make network administrators' lives miserable!

    What Is NAT, NAPT, PAT, Masquerading?

    NAT: Network Address Translation
    All IP traffic
    Layer 3 address rewrite
    1-1 mapping of traffic (1 inside to 1 outside)
    Think: direct telephone line

    NAPT: Network Address Port Translation (PAT)
    Originally planned for TCP, UDP and ICMP traffic
    Layer 3 and 4 address/port rewrite
    Many-1 mapping of traffic (multiple inside to 1 outside)
    Think: phone number with an extension

    RFC 1631

    Why NAT or NAPT?

    NAT (one-to-one) is less likely than NAPT to break network applications.

    Using NAT for Internet access is rare these days: most ISPs hand out only one address at a time, which limits you to NAPT.

    NAPT is getting better with application fixup support, so test first and deploy second.

    Basic Concept of NAT: Example

    NAT changes the IP address in the IP header. Local host 10.6.1.20, NAT global address 14.38.50.1, remote host 172.16.1.1:

    Packet            Before NAT                           After NAT
    Outbound          Src Addr 10.6.1.20  Dest Addr 172.16.1.1   Src Addr 14.38.50.1  Dest Addr 172.16.1.1
    Return            Src Addr 172.16.1.1 Dest Addr 14.38.50.1   Src Addr 172.16.1.1  Dest Addr 10.6.1.20


    Basic Concept of NAPT: Example

    Port Address Translation (NAPT) extends NAT from one-to-one to many-to-one by associating the port information with each flow.

    Local hosts 10.6.1.10 and 10.6.1.20, NAPT global address 14.38.50.1, remote host 172.16.1.1 (destination port 23):

    Packet                              Before NAPT                         After NAPT
    Outbound (flow 1)                   10.6.1.10:1506 -> 172.16.1.1:23     14.38.50.1:1506 -> 172.16.1.1:23
    Outbound (flow 2, source port 1506) local host:1506 -> 172.16.1.1:23    14.38.50.1:1507 -> 172.16.1.1:23
    Inbound (reply to flow 1)           172.16.1.1:23 -> 14.38.50.1:1506    172.16.1.1:23 -> 10.6.1.10:1506


    The Life of a Translated Packet: In the Beginning

    Local host 10.6.1.20 (NAT Inside) sends a packet to a remote host (NAT Outside), crossing the translation boundary.

    1. Packet at NAT Inside: Src Addr 10.6.1.20, Dest Addr Remote Host
    2. No translation exists; the table is empty.

    The Life of a Translated Packet: The Evolution

    3. Translation mapping created: Local IP 10.6.1.20 = Global IP 14.38.50.1
       Packet at NAT Outside: Src Addr 14.38.50.1, Dest Addr Remote Host


    What Does the Translation Table Contain? It Depends

    Cisco IOS-Based Device:
    NAT INSIDE traveling to NAT OUTSIDE
    Simple translation or extended translation
    Packet will pass, altered or not

    PIX:
    Source interface and destination interface
    Extended translation
    Packet dropped if not translated

    Cisco IOS Simple Translation

    Uses only the source IP to make its decisions

    Configuration options are limited to standard or extended access-list

    The entry records only the source IP and its translated IP:

    Router#show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    --- 14.38.50.1         10.6.1.20          ---                ---

    Cisco IOS Extended Translation

    Uses the source IP, destination IP, port number, and protocol to make its decisions

    Will always be used if NAPT is involved (hint: overload keyword)

    Will also be used if using route-maps

    The entry records the protocol, the port, and the destination IP as well:

    Router#show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 14.38.50.1:11012   10.6.1.20:11012    172.17.1.1:23      172.17.1.1:23
    tcp 14.36.40.1:11011   10.6.1.20:11011    172.16.1.1:23      172.16.1.1:23
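    The lookups behind the NAPT example and the extended translation entry above, as an added Python model that is not from the Cisco deck: addresses and ports are the deck's sample values, the class and method names are my own, and the collision rule (keep the inside port when free, otherwise step to the next free global port) is an assumption that reproduces the 1506/1507 outcome on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


class NaptTable:
    """Extended translation table for one global ("overload") address."""

    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        # (proto, inside local, inside port, outside global, outside port) -> global port
        self.entries: dict[tuple, int] = {}
        # (proto, global port) -> the key above; used to translate return packets
        self.by_global_port: dict[tuple, tuple] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.entries:                           # no entry: table gets one
            gport = p.sport                                   # keep inside port if free
            while (p.proto, gport) in self.by_global_port:    # another inside host owns it
                gport += 1                                    # assumed: next free port
            self.entries[key] = gport
            self.by_global_port[(p.proto, gport)] = key
        return Packet(p.proto, self.global_ip, self.entries[key], p.dst, p.dport)

    def inbound(self, p: Packet):
        key = self.by_global_port.get((p.proto, p.dport))
        # Every field of the extended entry must match, including the outside host and
        # port, so an unsolicited packet to the global address finds no entry: None.
        if p.dst != self.global_ip or key is None or (p.src, p.sport) != (key[3], key[4]):
            return None
        return Packet(p.proto, p.src, p.sport, key[1], key[2])

    def show(self) -> list[str]:
        """Rows in the column order of IOS 'show ip nat translations'."""
        return [f"{proto} {self.global_ip}:{gp} {il}:{ilp} {og}:{ogp} {og}:{ogp}"
                for (proto, il, ilp, og, ogp), gp in self.entries.items()]


if __name__ == "__main__":
    t = NaptTable("14.38.50.1")
    t.outbound(Packet("tcp", "10.6.1.10", 1506, "172.16.1.1", 23))
    t.outbound(Packet("tcp", "10.6.1.20", 1506, "172.16.1.1", 23))
    print("\n".join(t.show()))
```

    The second row shows the collision case from the slide: the second inside host also uses source port 1506, so its global port becomes 1507, and a reply to 14.38.50.1:1507 is delivered to 10.6.1.20:1506 only if it comes from 172.16.1.1:23.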


    PIX Translation

    Looks at the source interface and the interface it will be routed out of to make its translation decision

    No translation? No packet flow!

    pixfirewall(config)# show xlate detail
    3 in use, 3 most used
    Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
           o - outside, r - portmap, s - static
    TCP PAT from inside:10.6.1.20/1026 to outside:14.38.50.1/1024 flags ri
    UDP PAT from inside:10.6.1.20/1028 to outside:14.38.50.1/1024 flags ri
    ICMP PAT from inside:10.6.1.20/21505 to outside:14.38.50.1/0 flags ri

    Different Kinds of Translation Mappings

    Static
    Dynamic

    Perspective:
    Inside source
    Outside source

    Timers

    Inside Static Translation

    Using:

    ip nat inside source static 10.6.1.20 14.38.50.1

    The packet enters the ip nat inside interface; because a permanent mapping exists, the source address 10.6.1.20 is changed to 14.38.50.1.

    Local host 10.6.1.20 (NAT Inside), remote host 172.16.1.1 (NAT Outside):

    Before NAT:  Src Addr 10.6.1.20   Dest Addr 172.16.1.1
    After NAT:   Src Addr 14.38.50.1  Dest Addr 172.16.1.1

    Outside Static Translation

    Using:

    ip nat outside source static 172.16.1.1 10.1.1.1

    A packet enters the ip nat outside interface; from the mapping, the source address 172.16.1.1 is changed to 10.1.1.1.

    Remote host 172.16.1.1 (NAT Outside), local host 10.6.1.20 (NAT Inside):

    Before NAT:  Src Addr 172.16.1.1  Dest Addr 10.6.1.20
    After NAT:   Src Addr 10.1.1.1    Dest Addr 10.6.1.20

    NAT Decision Process

    Cisco IOS-Based Device:
    1. Existing translation
    2. Static translation
    3. Dynamic translation
    4. Packet routed if possible

    PIX Firewall:
    1. Existing translation
    2. NAT 0 access-list
    3. Static
    4. NAT 0
    5. NAT/Global
    6. Dropped packet
