Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
NMS-2102 7954_05_2003_c1
Deploying and Troubleshooting Network Address Translation
Session NMS-2102
mihollow@cisco.com
Agenda
The WWW of NAT: the Why, the What, and the Where
Pitfalls and How to Avoid Them
Tools for Deployment
VPN and Network Address Translation: Can They Get Along?
Dealing with Voice Elements
Questions and Answers
Why Use Network Address Translation?
IPv4 address shortage
IPv6 is still the future
Security benefits (internal addressing is hidden from the outside; note that NAT by itself is not a substitute for a stateful firewall)
Make network administrators' lives miserable!
What Is NAT, NAPT, PAT, Masquerading?
NAT: Network Address Translation
  All IP traffic
  Layer 3 address rewrite
  1-to-1 mapping of traffic (one inside address to one outside address)
  Think: a direct telephone line
NAPT: Network Address Port Translation (also called PAT, or masquerading)
  Originally planned for TCP, UDP and ICMP traffic (ICMP has no ports, so the query identifier is translated instead)
  Layer 3 and Layer 4 address/port rewrite
  Many-to-1 mapping of traffic (multiple inside addresses to one outside address)
  Think: a phone number with an extension
RFC 1631 (since obsoleted by RFC 3022)
Why NAT or NAPT?
NAT has a better chance than NAPT of not breaking network applications, because only the Layer 3 address is rewritten.
Using one-to-one NAT for Internet access is rare these days: most ISPs hand out a single address at a time, which limits you to NAPT.
NAPT is getting better with application fixup (ALG) support, so test first and deploy second.
Basic Concept of NAT: Example
NAT changes the IP address in the IP header.
Local host 10.6.1.20 <-> NAT router (global address 14.38.50.1) <-> Remote host 172.16.1.1

Outbound packet, before NAT:  Src Addr 10.6.1.20    Dest Addr 172.16.1.1
Outbound packet, after NAT:   Src Addr 14.38.50.1   Dest Addr 172.16.1.1
Return packet, before NAT:    Src Addr 172.16.1.1   Dest Addr 14.38.50.1
Return packet, after NAT:     Src Addr 172.16.1.1   Dest Addr 10.6.1.20
Basic Concept of NAPT: Example
Port Address Translation (NAPT) extends NAT from one-to-one to many-to-one by associating the port information with each flow.
Local hosts 10.6.1.10 and 10.6.1.11 <-> NAPT router (global address 14.38.50.1) <-> Remote host 172.16.1.1

Outbound packet 1, before NAPT:  Src Addr 10.6.1.10   Src Port 1506   Dest Addr 172.16.1.1   Dest Port 23
Outbound packet 1, after NAPT:   Src Addr 14.38.50.1  Src Port 1506   Dest Addr 172.16.1.1   Dest Port 23
Outbound packet 2 (second host, same source port), before NAPT:  Src Addr 10.6.1.11   Src Port 1506   Dest Addr 172.16.1.1   Dest Port 23
Outbound packet 2, after NAPT (port rewritten to keep the flows apart):  Src Addr 14.38.50.1  Src Port 1507   Dest Addr 172.16.1.1   Dest Port 23
Inbound packet, before NAPT:     Src Addr 172.16.1.1  Src Port 23     Dest Addr 14.38.50.1   Dest Port 1506
Inbound packet, after NAPT:      Src Addr 172.16.1.1  Src Port 23     Dest Addr 10.6.1.10    Dest Port 1506
The Life of a Translated Packet: In the Beginning
Local host 10.6.1.20 sends a packet toward the remote host: Src Addr 10.6.1.20, Dest Addr Remote Host.
1. The packet arrives on the NAT inside interface and reaches the translation boundary.
2. No translation exists: the table is empty.

The Life of a Translated Packet: The Evolution
3. A translation is created and mapped: Local IP 10.6.1.20 = Global IP 14.38.50.1.
The packet crosses the translation boundary and leaves the NAT outside interface as Src Addr 14.38.50.1, Dest Addr Remote Host.
What Does the Translation Table Contain? It Depends
Cisco IOS-based device:
  NAT INSIDE traveling to NAT OUTSIDE
  Simple translation
  Extended translation
  Packet will pass, altered or not
PIX:
  Source interface and destination interface
  Extended translation
  Packet dropped if not translated
Cisco IOS Simple Translation
Uses only the source IP to make its decisions
Configuration options are limited to a standard or extended access-list
Table entry: Source IP -> Translated IP

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 14.38.50.1         10.6.1.20          ---                ---
Cisco IOS Extended Translation
Uses the source IP, destination IP, port number, and protocol to make its decisions
Will always be used if NAPT is involved (hint: overload keyword)
Will also be used if using route-maps
Table entry: Protocol, Source IP:Port, Destination IP:Port

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 14.38.50.1:11012   10.6.1.20:11012    172.17.1.1:23      172.17.1.1:23
tcp 14.36.40.1:11011   10.6.1.20:11011    172.16.1.1:23      172.16.1.1:23
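The NAPT example earlier in the deck (two inside hosts both using source port 1506) and the extended translation table above describe the same mechanism: with overload, one global address is shared, so the table has to key on the full protocol/address/port tuple, and a colliding inside port has to be rewritten. The following Python model is an added illustration written for this page, not Cisco code. The addresses follow the slides (10.6.1.10 and 10.6.1.11 inside, 14.38.50.1 global, 172.16.1.1 remote); the port-allocation rule (keep the inside port when it is free, otherwise the next free port above it) is an assumption chosen to reproduce the 1506/1507 figure, and the stray inbound packet at the end is constructed.

```python
"""Model of NAPT (PAT) with an extended translation table.

Added illustration for this deck, not Cisco code. Addresses follow the
slides; the port-allocation policy is an assumption.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Outbound key: the inside 5-tuple (proto, inside ip, inside port, outside ip, outside port)
InsideKey = Tuple[str, str, int, str, int]
# Inbound key: what a return packet carries (proto, outside ip, outside port, global port)
OutsideKey = Tuple[str, str, int, int]


class Napt:
    """Many inside hosts overloaded onto one global address."""

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip
        self.outbound: Dict[InsideKey, int] = {}               # 5-tuple -> global port
        self.inbound: Dict[OutsideKey, Tuple[str, int]] = {}   # -> (inside ip, inside port)

    def _allocate_port(self, proto: str, outside: str, oport: int, wanted: int) -> int:
        # Assumed policy: preserve the inside source port unless that
        # (proto, outside, oport, gport) tuple already belongs to another inside host.
        gport = wanted
        while (proto, outside, oport, gport) in self.inbound:
            gport += 1
            if gport > 65535:
                raise RuntimeError("no free global port")
        return gport

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source address and, on collision, the source port."""
        key: InsideKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.outbound.get(key)
        if gport is None:                                      # no entry yet: create one
            gport = self._allocate_port(pkt.proto, pkt.dst, pkt.dport, pkt.sport)
            self.outbound[key] = gport
            self.inbound[(pkt.proto, pkt.dst, pkt.dport, gport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.global_ip, sport=gport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only a packet matching an existing extended entry is
        rewritten; anything else yields None (no translation exists for it)."""
        if pkt.dst != self.global_ip:
            return None
        hit = self.inbound.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if hit is None:
            return None
        inside_ip, inside_port = hit
        return replace(pkt, dst=inside_ip, dport=inside_port)

    def show_translations(self) -> List[str]:
        """Rows in the column order of 'show ip nat translation':
        Pro, Inside global, Inside local, Outside local, Outside global."""
        return [
            f"{proto} {self.global_ip}:{gport} {lip}:{lport} {oip}:{oport} {oip}:{oport}"
            for (proto, lip, lport, oip, oport), gport in self.outbound.items()
        ]


def demo() -> dict:
    """Replays the slide: two inside hosts both pick source port 1506 for telnet."""
    nat = Napt("14.38.50.1")
    out1 = nat.translate_outbound(Packet("tcp", "10.6.1.10", 1506, "172.16.1.1", 23))
    out2 = nat.translate_outbound(Packet("tcp", "10.6.1.11", 1506, "172.16.1.1", 23))
    back1 = nat.translate_inbound(Packet("tcp", "172.16.1.1", 23, "14.38.50.1", 1506))
    back2 = nat.translate_inbound(Packet("tcp", "172.16.1.1", 23, "14.38.50.1", 1507))
    # Constructed stray packet: right global address, but no flow ever used port 1508.
    stray = nat.translate_inbound(Packet("tcp", "172.16.1.1", 23, "14.38.50.1", 1508))
    return {"out1": out1, "out2": out2, "back1": back1, "back2": back2,
            "stray": stray, "table": nat.show_translations()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The second host's flow comes out as 14.38.50.1:1507, and the reply to 1506 is handed back to 10.6.1.10, exactly the demultiplexing the port column provides. The stray packet shows the point behind "extended" entries: a return packet is only rewritten when protocol, outside address, outside port and global port all match an entry, so a simple source-IP-only table cannot support overload.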
PIX Translation
Looks at the source interface and the interface it will be routed out of to make its translation decision
No translation? No packet flow!

pixfirewall(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from inside:10.6.1.20/1026 to outside:14.38.50.1/1024 flags ri
UDP PAT from inside:10.6.1.20/1028 to outside:14.38.50.1/1024 flags ri
ICMP PAT from inside:10.6.1.20/21505 to outside:14.38.50.1/0 flags ri
Different Kinds of Translation Mappings
Static
Dynamic
Perspective: inside source or outside source
Timers
Inside Static Translation
Using:
ip nat inside source static 10.6.1.20 14.38.50.1
The packet enters the ip nat inside interface; since we have a permanent mapping, the source address 10.6.1.20 is changed to 14.38.50.1.
Note that a static inside translation is permanent in both directions: traffic arriving from the outside for 14.38.50.1 is delivered to 10.6.1.20 on any port, so protect the host with an access-list if it should not be reachable from outside.
Local host 10.6.1.20 (NAT inside) <-> router <-> Remote host 172.16.1.1 (NAT outside)

Before NAT:  Src Addr 10.6.1.20   Dest Addr 172.16.1.1
After NAT:   Src Addr 14.38.50.1  Dest Addr 172.16.1.1
Outside Static Translation
Using:
ip nat outside source static 172.16.1.1 10.1.1.1
A packet enters the ip nat outside interface; from the mapping, the source address 172.16.1.1 is changed to 10.1.1.1. Replies from the inside carry 10.1.1.1 as their destination, which the same mapping changes back to 172.16.1.1, so the router needs a route for 10.1.1.1 pointing toward the outside interface (later IOS releases offer an add-route keyword on this command for that purpose).
Remote host 172.16.1.1 (NAT outside) <-> router <-> Local host 10.6.1.20 (NAT inside)

Before NAT (arriving from outside):  Src Addr 172.16.1.1  Dest Addr 10.6.1.20
After NAT (delivered inside):        Src Addr 10.1.1.1    Dest Addr 10.6.1.20
NAT Decision Process
Cisco IOS-based device (checked in this order):
  Existing translation
  Static translation
  Dynamic translation
  Packet routed if possible
PIX Firewall (checked in this order):
  Existing translation
  NAT 0 access-list
  Static
  NAT 0
  NAT/Global
  Dropped packet
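The two orderings above differ in what happens when nothing matches: the router forwards the packet untranslated, the PIX drops it. The following Python model is an added illustration written for this page, not Cisco code; it walks both decision lists with the same rules and shows where they diverge. The inside hosts, the dynamic access-list (10.6.1.0/24), the pool (14.38.50.2-.3) and the nat 0 access-list (10.6.3.0/24) are constructed for the example. IOS has no nat 0; hosts that must not be translated are simply denied by (or absent from) the dynamic access-list, which is how the IOS branch treats them here.

```python
"""Order of lookups on the 'NAT Decision Process' slide, as a runnable model.

Added illustration for this deck, not vendor code. Addresses, pool, and
access-lists are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# (rule that decided, source address after NAT; None means the packet was dropped)
Verdict = Tuple[str, Optional[str]]


class NatBox:
    """Translation table plus configured rules, shared by both decision orders."""

    def __init__(self, dynamic_acl: str, pool: Sequence[str],
                 nat0_acl: Optional[str] = None, nat0_nets: Sequence[str] = ()) -> None:
        self.existing: Dict[str, str] = {}          # translations already in the table
        self.static: Dict[str, str] = {}            # inside local -> inside global
        self.dynamic_acl = ipaddress.ip_network(dynamic_acl)
        self.pool: List[str] = list(pool)           # free global addresses
        self.nat0_acl = ipaddress.ip_network(nat0_acl) if nat0_acl else None  # PIX only
        self.nat0_nets = [ipaddress.ip_network(n) for n in nat0_nets]         # PIX only

    @staticmethod
    def matches(net, src: str) -> bool:
        return net is not None and ipaddress.ip_address(src) in net

    def allocate(self, src: str) -> Optional[str]:
        """Dynamic translation: take the next free pool address and remember it."""
        if not self.pool:
            return None
        glob = self.pool.pop(0)
        self.existing[src] = glob
        return glob


def ios_decide(box: NatBox, src: str) -> Verdict:
    """Existing -> static -> dynamic -> route anyway."""
    if src in box.existing:
        return ("existing translation", box.existing[src])
    if src in box.static:
        return ("static translation", box.static[src])
    if box.matches(box.dynamic_acl, src):
        glob = box.allocate(src)
        if glob is not None:
            return ("dynamic translation", glob)
    # Nothing matched (or the pool is empty): IOS still routes the packet, untranslated.
    return ("routed untranslated", src)


def pix_decide(box: NatBox, src: str) -> Verdict:
    """Existing -> nat 0 access-list -> static -> nat 0 -> nat/global -> drop."""
    if src in box.existing:
        return ("existing translation", box.existing[src])
    if box.matches(box.nat0_acl, src):
        return ("nat 0 access-list", src)           # exempt: passes with its own address
    if src in box.static:
        return ("static", box.static[src])
    if any(box.matches(n, src) for n in box.nat0_nets):
        return ("nat 0", src)
    if box.matches(box.dynamic_acl, src):
        glob = box.allocate(src)
        if glob is not None:
            return ("nat/global", glob)
    # No translation of any kind: the PIX drops the packet.
    return ("dropped", None)


def run_demo() -> Dict[str, Dict[str, Verdict]]:
    """Constructed hosts: static, dynamic, uncovered, and nat-0-exempt."""
    hosts = ["10.6.1.20", "10.6.1.30", "10.6.2.5", "10.6.3.7"]
    results: Dict[str, Dict[str, Verdict]] = {}
    for name, decide in (("ios", ios_decide), ("pix", pix_decide)):
        box = NatBox("10.6.1.0/24", ["14.38.50.2", "14.38.50.3"], nat0_acl="10.6.3.0/24")
        box.static["10.6.1.20"] = "14.38.50.1"   # also inside the dynamic ACL: static wins
        results[name] = {h: decide(box, h) for h in hosts}
        results[name]["10.6.1.30 again"] = decide(box, "10.6.1.30")   # now hits the table
    return results


if __name__ == "__main__":
    for device, verdicts in run_demo().items():
        for host, verdict in verdicts.items():
            print(f"{device:3} {host:16} -> {verdict}")
```

Two things to take from the run: 10.6.1.20 is covered by the dynamic access-list as well, but the static entry wins on both platforms because it is checked first; and 10.6.2.5, which no rule covers, leaves the router with its private source address intact while the PIX discards it. The router behaviour is the "packet will pass, altered or not" case from the translation-table slide, and is why an access-list on the outside interface, not the NAT configuration, is what stops untranslated addresses from leaking.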