S6C11 - NAT Network Security Translation

S6C11 - NAT Network Security Translation. NAT Described Globally unique ONLY in terms of public internet –Translates private addresses into publicly usable


Page 1: S6C11 - NAT Network Security Translation

Page 2: NAT Described

• Addresses need to be globally unique only on the public Internet
– Translates private addresses into publicly usable addresses for use on the public Internet
• Conserves usable IP addresses
– An effective means of hiding the actual device addressing within a private network
• Aka Network Address Translator
– Defined in RFC 1631

Page 3: NAT and PAT

• NAT Translation
– The NAT box can be a Cisco router, a UNIX system, a Windows XP server, or several other kinds of systems.
– The router looks inside the IP header and, if appropriate, replaces the local IP address with a globally unique IP address.
– When an outside host sends a response, the NAT router receives it, checks the current table of network address translations, and replaces the destination address with the original inside source address.
• Port Address Translation
– Allows the user to conserve addresses in the global address pool by allowing source ports in TCP connections or UDP conversations to be translated. Different local addresses then map to the same global address.

Page 4: PAT Limitations

• As long as the inside global port numbers are unique for each inside local host, NAT overload will work.
• NAT overload can go a long way toward alleviating address depletion, but its capabilities are limited.
• A realistic number is approximately 4,000 local addresses per global address.
• Each NAT translation consumes about 160 bytes of router DRAM.

Page 5: Static Translation

• Translates inside local addresses
• Establishes a mapping between inside local and global addresses
– Configured statically, one entry at a time
– For every inside local address, static NAT requires an inside global address
– Typically used in conjunction with dynamic NAT, in cases where you have overlapping networks
• RTA(config)#ip nat inside source static 10.1.1.7 171.70.2.10
• Specify an inside and an outside interface
– RTA(config)#interface bri0
– RTA(config-if)#ip nat outside
– RTA(config-if)#interface e0
– RTA(config-if)#ip nat inside

Page 6: Dynamic Translation

• Translates inside local addresses
– Establishes a mapping between inside local and global addresses
• Mappings are configured dynamically by the router as needed
– Translations don't exist in the NAT translation table until the router receives traffic that requires translation (such traffic is defined by an administrator). Dynamic translations are temporary and will eventually time out.

Page 7: Configuration for Dynamic

• Create a pool of IP addresses to be allocated as needed
– Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
• Specify which addresses to translate
– Router(config)#access-list access-list-number permit source [source-wildcard]
• Establish a dynamic translation based on source
– Router(config)#ip nat inside source list access-list-number pool name
• Configure at least one inside interface and one outside interface
– Router(config-if)#ip nat inside
– Router(config-if)#ip nat outside

Page 8: Why Dynamic?

• Although NAT is not a security firewall, it can prevent outsiders from initiating connections with inside hosts, unless a permanent global address mapping exists in the NAT table (static NAT). Because outside hosts never see the "pre-translated" inside addresses, NAT has the effect of hiding the inside network structure.
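The translation-table behaviour described on pages 3 to 8 (one inside global port per inside local host under PAT, permanent static entries versus expiring dynamic ones, and outside-initiated traffic with no entry being dropped), as an added Python model that is not part of the original slides; the global address, inside hosts and 1800-second timeout are assumed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatRouter:
    """Toy NAT overload (PAT) table: inside global port -> (local ip, local port, created)."""
    def __init__(self, global_ip, timeout=1800):
        self.global_ip, self.timeout = global_ip, timeout   # assumed: one global address
        self.table, self.next_port = {}, 1024

    def add_static(self, local_ip, local_port, global_port):
        # Permanent entry (created=None): the only way an outside host can initiate inbound
        self.table[global_port] = (local_ip, local_port, None)

    def _expire(self, now):
        for gport, (_, _, created) in list(self.table.items()):
            if created is not None and now - created > self.timeout:
                del self.table[gport]                       # dynamic entries time out

    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source to the global address and a unique port."""
        self._expire(now)
        for gport, (lip, lport, created) in self.table.items():
            if (lip, lport) == (pkt.src_ip, pkt.src_port):  # existing mapping: reuse it
                if created is not None:
                    self.table[gport] = (lip, lport, now)   # refresh the dynamic timer
                return Packet(self.global_ip, gport, pkt.dst_ip, pkt.dst_port)
        while self.next_port in self.table:                 # global port must be unique
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("inside global port space exhausted")
        gport, self.next_port = self.next_port, self.next_port + 1
        self.table[gport] = (pkt.src_ip, pkt.src_port, now)
        return Packet(self.global_ip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Outside -> inside: forward only if a table entry exists; None means dropped."""
        self._expire(now)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        lip, lport, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, lip, lport)
```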

Page 9: Address Definitions

• Inside local – IP address assigned to a host on the inside network
• Inside global – A legitimate IP address (assigned by the NIC or a service provider) that represents the inside local address to the outside world
• Outside local – IP address of an outside host as it appears to the inside network; allocated from inside addressable routable space
• Outside global – IP address assigned to a host on the outside network by its owner; allocated from globally routable address space

Page 10: NAT and Address Overlapping

• NAT can resolve address issues when inside addresses overlap with addresses in the outside network
– When two companies with similar address structures merge
– When ISPs are swapped and another client has the same address structure

Page 11: Overload Configuration

• Configure NAT overload by using the keyword overload:
– Router(config)#ip nat inside source list access-list-number pool name overload
• RTA is configured
– RTA(config)#ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
– RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
– RTA(config)#ip nat inside source list 24 pool mypatpool overload
– RTA(config)#interface bri 0
– RTA(config-if)#ip nat outside
– RTA(config-if)#interface ethernet 0
– RTA(config-if)#ip nat inside

Page 12: Overload Alternative

• You can overload the address of an outside interface
– Router(config)#ip nat inside source list access-list-number interface interface-name overload
• Router(config)#ip nat inside source list 2 interface s0 overload
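An added consistency check for the static and overload configurations on pages 5, 11 and 12 (example code, not from the slides): it parses a constructed running-config excerpt and reports a translation rule that references an undefined access list or pool, an interface missing its ip nat inside/outside role, and a static inside global address that lies inside a dynamic pool. It assumes the netmask form of ip nat pool and compares interface names after removing spaces.

```python
import ipaddress
import re

# Constructed running-config excerpt modelled on the slides' RTA example; it deliberately
# omits access-list 24 and places the static inside global address inside the pool range.
SAMPLE_CONFIG = """
hostname Atlanta
ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
ip nat inside source list 24 pool mypatpool overload
ip nat inside source static 10.1.1.7 171.70.2.10
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface bri0
 ip nat outside
""".strip().splitlines()

def audit_nat_config(lines):
    """Return a list of findings (strings); an empty list means the excerpt is consistent."""
    pools, acls, statics, rules, roles, current_if = {}, set(), [], [], {}, None
    for raw in lines:
        line = raw.strip().lower()
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m[1])
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"ip nat inside source list (\d+) (pool|interface) (\S+)(?: (\d+))?(?: overload)?$", line):
            rules.append((m[1], m[2], m[3] + (m[4] or "")))   # "dialer 0" -> "dialer0"
        elif m := re.match(r"interface (.+)", line):
            current_if = re.sub(r"\s+", "", m[1])             # role lines below belong to it
        elif line in ("ip nat inside", "ip nat outside") and current_if:
            roles[current_if] = line.split()[-1]
    findings = []
    for acl, kind, target in rules:
        if acl not in acls:
            findings.append(f"translation rule uses access-list {acl}, which is not defined")
        if kind == "pool" and target not in pools:
            findings.append(f"translation rule uses pool {target}, which is not defined")
        if kind == "interface" and roles.get(target) != "outside":
            findings.append(f"overloaded interface {target} is not marked 'ip nat outside'")
    for side in ("inside", "outside"):
        if side not in roles.values():
            findings.append(f"no interface is marked 'ip nat {side}'")
    for local, glob in statics:   # a static global address must not sit inside a dynamic pool
        for name, (start, end) in pools.items():
            if start <= glob <= end:
                findings.append(f"static inside global {glob} for {local} lies inside pool {name}")
    return findings
```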

Page 13: Information Needed

• ISDN
– Switch type, SPIDs, directory number (the local seven-digit ISDN phone number of the router)
• ISP
– PPP client name (the ISP assigns this as the login name)
– PPP authentication type and password
– IP address information (including the subnet mask) used in the router's public address pool
– ISP phone number

Page 14: Atlanta Configuration Default/Generic

• ip subnet-zero
• no ip domain-lookup
• enable secret cisco
• ip nat translation timeout 1800
• isdn switch-type basic-ni1
• ip classless
• ip http server
• line con 0
– password cisco
– login
• line vty 0 4
– password telnet
– login

Page 15: Atlanta Configuration

• hostname Atlanta
• ip nat inside source list 1 interface dialer0 overload
• ip nat inside source static 10.1.1.2 215.1.1.2
• interface ethernet0
– ip address 10.1.1.1 255.0.0.0
– ip nat inside

Page 16: Atlanta Continued - BRI

• interface bri0
– no ip address
– encapsulation ppp
– dialer rotary-group 0
– isdn spid1 014045551111000 5551111
– isdn spid2 014045552222000 5552222

Page 17: Atlanta Continued - Dialer

• interface dialer0
– ip address 215.1.1.1 255.255.255.0
– ip nat outside
– encapsulation ppp
– dialer in-band
– dialer idle-timeout 200
– dialer string 1408555333 class 56K
– dialer hold-queue 10
– dialer load-threshold 200 either
– dialer-group 1

Page 18: Atlanta Dialer Cont'd

– ppp authentication chap callin
– ppp chap hostname Atlanta
– ppp chap password gocisco1
– ppp multilink

Page 19: Atlanta Continued - Map Class and Routes

• ip route 0.0.0.0 0.0.0.0 dialer0
• ip route 20.0.0.0 255.0.0.0 10.1.1.2
• map-class dialer 56K
• access-list 1 permit 10.0.0.0 0.255.255.255
• access-list 1 permit 20.0.0.0 0.255.255.255
• dialer-list 1 protocol ip permit

Page 20: Boston Configuration

• hostname Boston
• interface ethernet0
– ip address 20.1.1.1 255.0.0.0
• interface ethernet1
– ip address 10.1.1.2 255.0.0.0
• ip route 0.0.0.0 0.0.0.0 10.1.1.1
• ip http server
• line con 0
– password cisco
– login
• line vty 0
– password telnet
– login

Page 21: TCP Load Distribution

• Define a pool of addresses containing the addresses of the real hosts:
– Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
• Define an access list permitting the address of the virtual host:
– Router(config)#access-list access-list-number permit source [source-wildcard]
• Establish dynamic inside destination translation, identifying the access list defined in Step 2:
– Router(config)#ip nat inside destination list access-list-number pool name

Page 22: TCP Continued

• Specify the inside interface: – Router(config)#interface type number

• Mark the interface as connected to the inside: – Router(config-if)#ip nat inside

• Specify the outside interface: – Router(config-if)#interface type number

• Mark the interface as connected to the outside: – Router(config-if)#ip nat outside

Page 23: NAT Advantages

• Conserves the legally registered addressing scheme by allowing the privatization of intranets
• Reduces the instances in which addressing schemes overlap
• Increases the flexibility of connection to the public network
– Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections
• De-privatization of a network
– NAT allows the existing scheme to remain, and it still supports the newly assigned addressing scheme outside the private network.

Page 24: NAT Disadvantages

• NAT increases delay
– Switching path delays are introduced because each IP address within the packet headers must be translated
• Loss of end-to-end IP traceability
• Forces some applications that use IP addressing to stop functioning, because it hides end-to-end IP addresses
– Solution: implement static NAT mappings

Page 25: Supported Traffic Types

• Any TCP/UDP traffic that does not carry source or destination IP addresses in the application data stream
– Hypertext Transfer Protocol (HTTP)
– Trivial File Transfer Protocol (TFTP)
– Telnet
– Archie
– Finger
– Network Time Protocol (NTP)
– Network File System (NFS)
– rlogin, rsh, rcp

Page 26: More Supported Types

• Even some protocols that do carry address data in the data stream:
– File Transfer Protocol (FTP) (including PORT and PASV commands)
– NetBIOS over TCP/IP (datagram, name, and session services)
– Progressive Networks' RealAudio
– White Pines' CuSeeMe
– Xing Technologies' Streamworks
– DNS "A" and "PTR" queries
– H.323/NetMeeting [12.0(1)/12.0(1)T and later]
– VDOLive [11.3(4)/11.3(4)T and later]
– Vxtreme [11.3(4)/11.3(4)T and later]
– IP multicast [12.0(1)T] (source address translation only)