Transcript

Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr

© 2003, Cisco Systems, Inc. All rights reserved. NMS-2102 7954_05_2003_c1

Deploying and Troubleshooting Network Address Translation

Session NMS-2102

[email protected]


Agenda—The WWW of NAT

• The Why, the What, and the Where

• Pitfalls and How to Avoid

• Tools for Deployment

• VPN and Network Address Translation, Can They Get Along?

• Dealing with Voice Elements

• Questions and Answers

Why Use Network Address Translation?

• IPv4 shortage

• IPv6 is still the future

• Security benefits (topology hiding; NAT by itself is not a firewall and does not replace access rules)

• Make network administrators’ lives miserable!

What Is NAT, NAPT, PAT, Masquerading…

• NAT—Network Address Translation

• All IP traffic

• Layer 3 address rewrite

• 1-1 mapping of traffic (1 inside to 1 outside)

• Think—direct telephone line

• NAPT—Network Address Port Translation (PAT)

• Originally planned for TCP, UDP and ICMP traffic

• Layer 3 and 4 address/port rewrite

• Many-1 mapping of traffic (multiple inside to 1 outside)

• Think—phone number with an extension

RFC 1631 (obsoleted by RFC 3022, which also describes NAPT)

Why NAT or NAPT?

• NAT (one-to-one) is less likely than NAPT to break network applications.

• Plain NAT toward the Internet is rare these days, since most ISPs hand out one address at a time, which limits you to NAPT.

• NAPT is getting better with application fixup support, so test first and deploy second.

Basic Concept of NAT—Example

• NAT changes the IP address in the IP header

Local host 10.6.1.20, NAT router, remote host 172.16.1.1:

                         Src Addr      Dest Addr
Outbound, before NAT     10.6.1.20     172.16.1.1
Outbound, after NAT      14.38.50.1    172.16.1.1
Return, before NAT       172.16.1.1    14.38.50.1
Return, after NAT        172.16.1.1    10.6.1.20

Basic Concept of NAPT—Example

• Port Address Translation (NAPT) extends NAT from “one-to-one” to “many-to-one” by associating the port information with each flow

Local hosts 10.6.1.10 and 10.6.1.20 share the one global address 14.38.50.1; the remote host is 172.16.1.1 (telnet, port 23). Both hosts happen to pick source port 1506, so the second flow is given global port 1507 to keep the two apart:

                               Src Addr:Port       Dest Addr:Port
Flow 1 outbound, before NAPT   10.6.1.10:1506      172.16.1.1:23
Flow 1 outbound, after NAPT    14.38.50.1:1506     172.16.1.1:23
Flow 2 outbound, before NAPT   10.6.1.20:1506      172.16.1.1:23
Flow 2 outbound, after NAPT    14.38.50.1:1507     172.16.1.1:23
Flow 1 inbound, before NAPT    172.16.1.1:23       14.38.50.1:1506
Flow 1 inbound, after NAPT     172.16.1.1:23       10.6.1.10:1506

The Life of a Translated Packet—In the Beginning…

Local host 10.6.1.20 is on the NAT inside side, the remote host on the NAT outside side; the router is the translation boundary.

1. Host 10.6.1.20 sends a packet: Src Addr 10.6.1.20, Dest Addr Remote Host

2. No translation exists—the table is empty

The Life of a Translated Packet—The Evolution

3. The router creates a translation mapping, Local IP 10.6.1.20 = Global IP 14.38.50.1, and the packet crosses the translation boundary as: Src Addr 14.38.50.1, Dest Addr Remote Host

What Does the Translation Table Contain?

It depends on the device:

Cisco IOS-based device

• NAT INSIDE traveling to NAT OUTSIDE

• Simple translation

• Extended translation

• Packet will pass, altered or not

PIX

• Source interface and destination interface

• Extended translation

• Packet dropped if not translated

Cisco IOS Simple Translation

• Uses only the source IP to make its decisions

• Configuration options are limited to standard or extended access-list

Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 14.38.50.1         10.6.1.20          ---                ---

(Inside local = source IP, Inside global = translated IP)

Cisco IOS Extended Translation

• Uses the source IP, destination IP, port number, and protocol to make its decisions

• Will always be used if NAPT is involved (hint: “overload” keyword)

• Will also be used if using route-maps

Router#show ip nat translation
Pro Inside global         Inside local         Outside local      Outside global
tcp 14.38.50.1:11012      10.6.1.20:11012      172.17.1.1:23      172.17.1.1:23
tcp 14.36.40.1:11011      10.6.1.20:11011      172.16.1.1:23      172.16.1.1:23

(Pro = protocol, :n = port, Outside global = destination IP)

PIX Translation

• Looks at the source interface and the interface it will be routed out of to make its translation decision

• No translation? no packet flow!

pixfirewall(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from inside:10.6.1.20/1026 to outside:14.38.50.1/1024 flags ri
UDP PAT from inside:10.6.1.20/1028 to outside:14.38.50.1/1024 flags ri
ICMP PAT from inside:10.6.1.20/21505 to outside:14.38.50.1/0 flags ri

Different Kinds of Translation Mappings

• Static

• Dynamic (subject to the translation timers)

• Inside source

• Outside source (perspective: which interface the packet enters)

Inside Static Translation

• Using:

ip nat inside source static 10.6.1.20 14.38.50.1

• The packet enters the “ip nat inside” interface; since we have a permanent mapping, the source address 10.6.1.20 is changed to 14.38.50.1

Local host 10.6.1.20 (NAT inside) sending to remote host 172.16.1.1 (NAT outside):

             Src Addr      Dest Addr
Before NAT   10.6.1.20     172.16.1.1
After NAT    14.38.50.1    172.16.1.1

Outside Static Translation

• Using:

ip nat outside source static 172.16.1.1 10.1.1.1

• A packet enters the “ip nat outside” interface; from the mapping, the source address 172.16.1.1 is changed to 10.1.1.1

Remote host 172.16.1.1 (NAT outside) sending to local host 10.6.1.20 (NAT inside):

             Src Addr      Dest Addr
Before NAT   172.16.1.1    10.6.1.20
After NAT    10.1.1.1      10.6.1.20

Inside hosts now reach the remote host as 10.1.1.1, so the router needs a route for 10.1.1.1 pointing out the outside interface (later IOS releases can add it with the add-route keyword on this command).

NAT Decision Process

Cisco IOS-based device (checked in this order):

1. Existing translation

2. Static translation

3. Dynamic translation

4. Packet routed if possible (untranslated)

PIX Firewall (checked in this order):

1. Existing translation

2. nat 0 access-list <#>

3. Static

4. nat 0 <network>

5. nat <#>/global <#>

6. Dropped packet

NAT or NAPT Selection

• If you NAT only, it will always NAT

• If you NAPT only, it will NAPT

• For mixed mode (NAT and NAPT):

Cisco IOS-based device (pool with the “overload” keyword)

• NAPT ALL TCP/UDP/ICMP-based traffic

• NAT all other protocols

PIX

• Use all available NAT pools

• NAT pools exhausted: NAPT all new connections until a NAT is freed up
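The decision order and the mixed-mode rules from the two slides above, as a small Python model. This is an added example, not Cisco code: the lookup order (existing translation, then static, then dynamic), the IOS behaviour with “overload” (NAPT for TCP/UDP/ICMP, plain NAT for everything else, untranslated packets routed) and the PIX behaviour (pool first, PAT once the pool is exhausted, untranslated packets dropped) come from the slides; the class and field names, the use of a network prefix in place of the NAT access list, and the “keep the source port if it is free, otherwise take the next free one” allocation are this example’s own assumptions.

```python
"""Toy model of the inside-source NAT/NAPT decision process (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_BASED = {"tcp", "udp", "icmp"}   # NAPT can multiplex these (ICMP by identifier)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int      # for icmp: the echo identifier
    dst: str
    dport: int


class Translator:
    """device="ios": routes untranslated packets; with a PAT address ("overload") it NAPTs
    port-based protocols and 1:1 NATs the rest.  device="pix": drops untranslated packets
    and falls back to PAT only once the pool is exhausted."""

    def __init__(self, device: str, inside_net: str, statics: Dict[str, str],
                 pool: List[str], pat_ip: Optional[str] = None) -> None:
        assert device in ("ios", "pix")
        self.device = device
        self.inside_net = ipaddress.ip_network(inside_net)  # stands in for the NAT access list (assumption)
        self.statics = dict(statics)                         # inside local -> inside global
        self.free_pool = list(pool)                          # addresses still free for dynamic 1:1 NAT
        self.pat_ip = pat_ip                                 # "overload" address (IOS) / PAT global (PIX)
        self.simple: Dict[str, str] = {}                     # dynamic 1:1 entries: inside local -> inside global
        self.extended: Dict[Tuple, Tuple[str, int]] = {}     # 5-tuple -> (inside global, global port)
        self.used_ports: Set[Tuple[str, str, int]] = set()   # (proto, inside global, port) already handed out
        self.misses = 0                                      # pool misses, as in "show ip nat statistics"

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _alloc_port(self, proto: str, gip: str, wanted: int) -> int:
        """Keep the source port when it is free, otherwise take the next free one;
        this is what turns the second 1506 on the NAPT slide into 1507."""
        port = wanted
        while (proto, gip, port) in self.used_ports:
            port = port + 1 if port < 65535 else 1024
            if port == wanted:
                raise RuntimeError("NAPT port space exhausted")
        self.used_ports.add((proto, gip, port))
        return port

    def _napt(self, pkt: Packet, gip: str) -> Packet:
        gport = self._alloc_port(pkt.proto, gip, pkt.sport)
        self.extended[self._key(pkt)] = (gip, gport)
        return Packet(pkt.proto, gip, gport, pkt.dst, pkt.dport)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Packet as it leaves the outside interface; the unchanged packet if it is
        routed untranslated (IOS only); None if it is dropped."""
        key = self._key(pkt)
        if key in self.extended:                                     # 1. existing extended translation
            gip, gport = self.extended[key]
            return Packet(pkt.proto, gip, gport, pkt.dst, pkt.dport)
        gip = self.statics.get(pkt.src) or self.simple.get(pkt.src)  # 2. static, or an existing simple entry
        if gip is not None:
            return Packet(pkt.proto, gip, pkt.sport, pkt.dst, pkt.dport)
        if ipaddress.ip_address(pkt.src) not in self.inside_net:    # 3. no dynamic rule matches
            return pkt if self.device == "ios" else None
        if self.device == "ios" and self.pat_ip and pkt.proto in PORT_BASED:
            return self._napt(pkt, self.pat_ip)                      # IOS overload: NAPT port-based traffic
        if self.free_pool:                                           # dynamic 1:1 NAT while the pool lasts
            gip = self.free_pool.pop(0)
            self.simple[pkt.src] = gip
            return Packet(pkt.proto, gip, pkt.sport, pkt.dst, pkt.dport)
        self.misses += 1                                             # pool exhausted
        if self.device == "pix" and self.pat_ip and pkt.proto in PORT_BASED:
            return self._napt(pkt, self.pat_ip)                      # PIX: PAT new connections until a NAT frees up
        return None

    def clear_simple(self, inside_local: str) -> None:
        """Like 'clear ip nat translation' for a dynamic entry: the address goes back to the pool."""
        self.free_pool.append(self.simple.pop(inside_local))


def demo() -> Tuple:
    # Slide "Basic Concept of NAPT": two inside hosts both pick source port 1506.
    ios = Translator("ios", "10.6.1.0/24", statics={}, pool=[], pat_ip="14.38.50.1")
    a = ios.translate(Packet("tcp", "10.6.1.10", 1506, "172.16.1.1", 23))
    b = ios.translate(Packet("tcp", "10.6.1.20", 1506, "172.16.1.1", 23))
    a_again = ios.translate(Packet("tcp", "10.6.1.10", 1506, "172.16.1.1", 23))
    # Slide "NAT or NAPT Selection", PIX column: pool first, PAT once it is exhausted,
    # and a protocol without ports (GRE) that cannot be PATed once the pool is empty.
    pix = Translator("pix", "10.1.1.0/24", statics={}, pool=["209.165.201.10"], pat_ip="209.165.201.30")
    p1 = pix.translate(Packet("tcp", "10.1.1.1", 40000, "1.1.1.1", 80))
    p2 = pix.translate(Packet("tcp", "10.1.1.2", 40000, "1.1.1.1", 80))
    p3 = pix.translate(Packet("gre", "10.1.1.3", 0, "1.1.1.1", 0))
    return a, b, a_again, p1, p2, p3, pix.misses


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model keeps the IOS and PIX differences in one place on purpose: on IOS a host outside the access list is simply routed, while on the PIX the same packet is dropped, which is the single most common “it works on the router but not on the firewall” surprise when a configuration is ported between the two.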

Setting the Timers

We recommend that you do not change these values, since doing so affects the router on a global basis.

NAT-vpn-2503(config)# ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows

On the PIX

pixfirewall(config)# show xlate
1 in use, 1 most used
PAT Global 14.48.43.2(1024) Local 192.168.1.10(3729)

pixfirewall(config)# show conn
1 in use, 1 most used
TCP out 14.48.44.11:3389 in 192.168.1.10:3729 idle 0:00:00 Bytes 35788 flags UIO

pixfirewall(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

(In show xlate, “Global 14.48.43.2(1024)” is the translated source address; in show conn, “out 14.48.44.11:3389” is the destination address.)

Where Should Address Translation Be Used?

Between…

• Corporate network and the Internet

• Corporate network and business partner

• Corporate network and home office

• Test labs and corporate networks

Agenda—The WWW of NAT (section: Pitfalls and How to Avoid)

Cisco IOS PITFALL—Packet Flow Outside/Inside

Packet flow from the NAT outside interface to the NAT inside interface:

Inbound ACL* → Decryption → Inbound ACL → NAT (outside to inside) → Routing → Outbound ACL

* Only if the packet is encrypted (this first pass applies to the still-encrypted packet)

Because the inbound ACL runs before NAT, it must permit the inside-global (translated) address; routing runs after NAT, on the inside-local address.

Cisco IOS PITFALL—Packet Flow Inside/Outside

Packet flow from the NAT inside interface to the NAT outside interface:

Inbound ACL → Policy Routing → Routing → NAT (inside to outside) → Outbound ACL → Encryption

Routing is decided before translation, while the outbound ACL and the crypto map run after it, so a crypto ACL on the outside interface must match the translated (inside-global) source address.

PIX Pitfalls

• Translations must be built in order for the packet to traverse the firewall

• Do not forget that the PIX is also a firewall, so you need to include appropriate access rules to allow traffic flow

NAT Deployment—Things to Know

• Which networking device is being used

• Application-layer behavior: IP information embedded in the payload

• Whether the application is transport- and network-layer compliant

(Layers: Applications (5-7), Transport (4), Network (3), Data link (2), Physical (1))

Considerations—Embedded IP

                      IP header           Payload
Inside (before)       Src IP = 10.1.1.1   Data: IP = 10.1.1.1
Outside (after NAT)   Src IP = x.x.x.x    Data: IP = 10.1.1.1

Address translation rewrites the header; the copy of the address carried inside the data is untouched unless an application-aware fixup rewrites it too.

Some Applications that Embed IP Address Information

• DNS “A” and “PTR” queries

• NetBIOS over TCP/IP (datagram, name, and session services)

• NetMeeting 2.1, 2.11 (4.3.2519) and 3.01 (4.4.3385)

• FTP PORT and PASV commands

• Voice elements: SIP, Skinny, MGCP, H.323, CTI, …
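What an application fixup has to do for one protocol on this list, FTP active mode, as an added Python example (not Cisco’s fixup code): it parses the client’s PORT command, rewrites the embedded inside-local address and port to their inside-global values, tracks the change in payload length so that TCP sequence and acknowledgement numbers on later segments can be adjusted, and opens a one-shot pinhole for the server’s data connection. The PORT syntax is from RFC 959; the class names, the 1:1 NAT default (port unchanged), the constructed exchange in demo() and the rule that PORT is honoured only for the client’s own address are this example’s own assumptions.

```python
"""Minimal FTP active-mode fixup for a NAT (added example, not Cisco's fixup code)."""
import re
from typing import Callable, Dict, Optional, Tuple

# RFC 959: PORT h1,h2,h3,h4,p1,p2 where the data port is p1*256+p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a well-formed PORT command, None for anything else."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port(ip: str, port: int) -> bytes:
    octets = ip.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(octets).encode("ascii") + b"\r\n"


class FtpFixup:
    """State for one translated FTP control connection (client inside, server outside)."""

    def __init__(self, inside_local: str, inside_global: str,
                 alloc_port: Callable[[int], int] = lambda p: p) -> None:
        self.local, self.glob = inside_local, inside_global
        self.alloc_port = alloc_port        # identity for 1:1 NAT; a NAPT would hand out its own port
        self.delta = 0                      # payload bytes added so far, client -> server direction
        self.pinholes: Dict[int, int] = {}  # global data port -> local data port the server may connect to

    def client_to_server(self, payload: bytes) -> bytes:
        """Rewrite a PORT command carrying our inside-local address; pass everything else through."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload
        ip, lport = parsed
        if ip != self.local:
            # Only honour PORT for the client's own address. Otherwise a client could make the
            # NAT open a pinhole towards a third host (an FTP bounce through the fixup).
            return payload
        gport = self.alloc_port(lport)
        self.pinholes[gport] = lport
        rewritten = build_port(self.glob, gport)
        self.delta += len(rewritten) - len(payload)  # length/checksum are recomputed per packet anyway;
        return rewritten                             # the TCP sequence space is what needs the delta

    def seq_out(self, seq: int) -> int:
        """Sequence number the server must see on later client -> server segments."""
        return (seq + self.delta) % 2**32

    def ack_in(self, ack: int) -> int:
        """Acknowledgement number to hand the client on server -> client segments."""
        return (ack - self.delta) % 2**32

    def inbound_data_connection(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Server connecting back for the data channel: translate only through a pinhole, and use it once."""
        if dst_ip != self.glob or dst_port not in self.pinholes:
            return None
        return self.local, self.pinholes.pop(dst_port)


def demo() -> Tuple:
    # Constructed exchange: inside client 10.1.1.1 behind a static 1:1 translation to 209.165.201.10
    fixup = FtpFixup("10.1.1.1", "209.165.201.10")
    rewritten = fixup.client_to_server(b"PORT 10,1,1,1,7,209\r\n")    # client listens on 10.1.1.1:2001
    ignored = fixup.client_to_server(b"PORT 10,1,1,2,7,209\r\n")      # third-party address: left alone
    data_conn = fixup.inbound_data_connection("209.165.201.10", 2001)  # server's active-mode connect
    replay = fixup.inbound_data_connection("209.165.201.10", 2001)     # pinhole already consumed
    return rewritten, ignored, fixup.delta, fixup.seq_out(1000), fixup.ack_in(2000), data_conn, replay


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The rewrite lengthens the payload by six bytes in this exchange (10,1,1,1 becomes 209,165,201,10), which is exactly why a fixup cannot be a stateless string replacement: every later client-to-server sequence number and every server-to-client acknowledgement has to be shifted by that delta for the rest of the control connection.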

Overlapping Addresses

• Static and global translations should not overlap with any interface address

• A static translation should not be included in a dynamic pool range

Cisco IOS—Overlapping with the Interface

If you have:

interface <interface>
 ip address 14.48.50.1 255.255.255.0

Option #1:

ip nat pool SWIM 14.48.50.1 15.48.50.1
ip nat inside source list 1 pool SWIM

Option #2:

ip nat inside source list 1 interface <interface>

Option #2 is the way to translate to the interface’s own address: the pool in option #1 contains the interface address and therefore overlaps with it.

Agenda—Steps of Deployment (section: Steps for Deployment)

NAT Based on Destination—Putting Criteria on the NAT Pools

Topology: your company (10.0.0.0/8) is on Ethernet 0 of the NAT router; Serial 0 goes to the Internet, with 209.165.201.0/27 available; Serial 1 goes to the partners’ network 192.168.1.0/24, with 172.16.1.0/24 available on the partner side.

NAT by Destination—Goals

• You must have Internet connectivity using only ONE address of the 209.165.201.0/27 space (hint: NAPT)

• You must have partner access to the 192.168.1.0/24 network, but you cannot use your current 10.0.0.0/8 or Internet addresses

• Your partner is using 172.16.1.0/24 as the address range for the point-to-point serial link back to your corporate site

NAT by Destination—Working on One Side at a Time: the Partners, Step 1

Serial 1 link to the partners: your side is .1, the partner side .2 of 172.16.1.0/24; the rest of that range is available for the pool.

router(config)# ip nat pool partners 172.16.1.3 172.16.1.254 netmask 255.255.255.0

NAT by Destination—Working on the Internet Side, Step 1

Serial 0 link to the Internet: your side is .1, the provider side .2.

Since our goal was to use only one IP address from the available range, we will use the IP of Serial 0 and use NAPT; therefore, no pool is required.

NAT by Destination—Partners Side Route Map Declaration, Step 2

router(config)# route-map topartners permit 10
router(config-route-map)# match interface serial 1

NAT by Destination—Internet Side Route Map Declaration, Step 2

router(config)# route-map tointernet permit 10
router(config-route-map)# match interface serial 0

Your Company

InternetPartnersPartners

router(config)# ip nat inside source route-map topartners pool partnersrouter(config)# ip nat inside source route-map tointernet interface serial 0

NAT by Destination—Both Sided, Step 3 and 4

router(config)# interface ethernet 0router(config-if)# ip nat insiderouter(config-if)# interface serial 0router(config-if)# ip nat outsiderouter(config-if)# interface serial 1router(config-if)# ip nat outside

10.0.0.0/8

Available Addresses:209.165.201.0/27

Available Addresses:172.16.1.0/24

192.168.1.0/24

Serial 1 Serial 0

Ethernet 0

NATNAT

404040© 2003, Cisco Systems, Inc. All rights reserved.NMS-21027954_05_2003_c1

Alternative to the Cisco IOS Match Interface

Internet side:

access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map tointernet permit 10
 match ip address 100

Partner side:

access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
route-map topartners permit 10
 match ip address 110

A “deny” in a NAT access list only excludes that traffic from the mapping; it does not drop the packet.

Two Pools on a Single Interface—Goal

Topology: clients on 10.1.1.0/24 behind Ethernet 0; Serial 0 toward the Internet; remote host 1.1.1.1; pool 209.165.201.0/27.

• Pull from the NAT pool if the destination is 1.1.1.1

• Use the Serial 0 interface for everything else

Two Pools on a Single Interface—Rules

router(config)# access-list 100 deny ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Two Pools on a Single Interface—Overload

router(config)# route-map napt2internet permit 10
router(config-route-map)# match ip address 100
router(config)# ip nat inside source route-map napt2internet interface serial 0 overload

Two Pools on a Single Interface—Pool

router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# route-map vpnusenat permit 10
router(config-route-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool

How to Troubleshoot Address Translation Issues

• Always make sure your project works before adding address translation

• Verify proper routing (e.g., that asymmetric routing is not in play)

• Gather traces and debugs to support the test conditions

Showing the Active Translations—show ip nat translations

Simple translation—using NAT:

NAT-vpn-2503#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.10     10.6.1.10          ---                ---
--- 209.165.201.11     10.6.1.20          ---                ---

Extended translation—using NAPT:

NAT-vpn-2503#show ip nat translations
Pro  Inside global          Inside local        Outside local     Outside global
icmp 209.165.201.10:6269    10.6.1.10:6269      1.1.1.1:6269      1.1.1.1:6269
tcp  209.165.201.11:11000   10.6.1.20:11000     1.1.1.1:23        1.1.1.1:23

Tip: you can use “show ip nat translation | include 10.6.1.10” to show only the translation entries for host 10.6.1.10

Showing the Active Translations—show ip nat translations verbose

Extended translation—using NAPT:

NAT-vpn-2503#show ip nat translations verbose
Pro  Inside global          Inside local        Outside local     Outside global
icmp 209.165.201.10:6269    10.6.1.10:6269      1.1.1.1:6269      1.1.1.1:6269
    create 00:00:02, use 00:00:02, left 00:00:57, flags: extended, use_count: 0

Simple translation—using NAT:

NAT-vpn-2503#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.11     10.6.1.20          ---                ---
    create 00:00:05, use 00:00:05, left 23:59:54, flags: none, use_count: 0

Shows when the translation was first created, when it was last used, and the time left before it expires (here the 60-second ICMP timeout versus the 24-hour default for a simple dynamic translation).

NAT Show Commands—show ip nat statistics

NAT-vpn-2503#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 10 pool natpool refcount 1
 pool natpool: netmask 255.255.255.224
        start 209.165.201.10 end 209.165.201.30
        type generic, total addresses 21, allocated 1 (4%), misses 0

Total active translations: number of translations active on the system; this number is incremented each time a translation is created and decremented each time a translation is cleared or times out

Outside/Inside interfaces: interfaces that carry an “ip nat inside” or “ip nat outside” designation

Hits: number of times the software does a translation-table lookup and finds an existing translation (fast/CEF-switched packet)

Misses: number of times the table lookup fails and a new translation must be created (process-switched packet)

Expired translations: cumulative count of translations that have expired since the router was restarted

Dynamic mappings: dynamic inside source mappings using access-list 10; the pool of available addresses is 209.165.201.10–.30, 21 in total; since only 1 of the 21 is in use, that equates to 4%

Pool misses: the number of times a translation could not be created when one should have been

Levels of Debugging NAT—debug ip nat {detailed}

NAT-vpn-2503# debug ip nat
6d01h: NAT: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [15]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [15]
6d01h: NAT*: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [16]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [16]

NAT-vpn-2503# debug ip nat detailed
6d01h: NAT: installing alias for address 209.165.201.10
6d01h: NAT: i: icmp (10.6.1.10, 7584) -> (1.1.1.1, 7584) [20]
6d01h: NAT: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [20]
6d01h: NAT*: o: icmp (1.1.1.1, 7584) -> (209.165.201.10, 7584) [20]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [20]
6d01h: NAT*: i: icmp (10.6.1.10, 7585) -> (1.1.1.1, 7585) [21]
6d01h: NAT*: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [21]
6d01h: NAT*: o: icmp (1.1.1.1, 7585) -> (209.165.201.10, 7585) [21]

* = IP fast/CEF-switched packet; the number in brackets is the IP identification field of the packet

Warning: debugging at any level could be fatal to a router if done incorrectly; on a busy router, narrow the output with an access list (“debug ip nat <acl>”) rather than debugging all translated traffic.

Logging the Built Translations

Cisco IOS commands:

ip nat log translations syslog
logging host 10.6.1.30
logging trap debug

What the SYSLOG server sees:

03-14-2002 13:42:16 Local7.Debug 10.6.1.1 30: 00:12:13: NAT:Created tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:43:22 Local7.Debug 10.6.1.1 31: 00:13:19: NAT:Deleted tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:36:25 Local7.Debug 10.6.1.1 20: 00:06:22: NAT:Created icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
03-14-2002 13:37:25 Local7.Debug 10.6.1.1 25: 00:07:22: NAT:Deleted icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000

The fields after NAT:Created/Deleted are protocol, inside local, inside global, outside local and outside global, the same order as in show ip nat translations. Keep these records: once a translation has expired, they are the only way to tie an address and port seen on the outside back to the inside host.
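A parser for those syslog records, as an added Python example (not a Cisco tool): it pairs each NAT:Created with its NAT:Deleted, sorts events by timestamp because the receiver may log them out of time order (the slide’s own four lines do), and answers the question incident responders ask of a NAT: which inside host was behind a given inside-global address and port at a given moment. The four log lines are the ones shown above; the record fields, the stamp() helper and the who_was() query are this example’s own.

```python
"""Attribute an outside-visible address:port back to the inside host from
'ip nat log translations syslog' records (added example, not a Cisco tool)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# One syslog line: date time facility.severity router seq: uptime: NAT:<event> proto IL:p IG:p OL:p OG:p
LOG_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ (?P<router>\S+) \d+: [\d:]+: "
    r"NAT:(?P<event>Created|Deleted) (?P<proto>\w+) "
    r"(?P<il>[\d.]+):(?P<ilp>\d+) (?P<ig>[\d.]+):(?P<igp>\d+) "
    r"(?P<ol>[\d.]+):(?P<olp>\d+) (?P<og>[\d.]+):(?P<ogp>\d+)$")

# The four lines from the slide, in the order the syslog server showed them (not time order).
SAMPLE_LOG = """\
03-14-2002 13:42:16 Local7.Debug 10.6.1.1 30: 00:12:13: NAT:Created tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:43:22 Local7.Debug 10.6.1.1 31: 00:13:19: NAT:Deleted tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:36:25 Local7.Debug 10.6.1.1 20: 00:06:22: NAT:Created icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
03-14-2002 13:37:25 Local7.Debug 10.6.1.1 25: 00:07:22: NAT:Deleted icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
"""


def stamp(hour: int, minute: int, second: int = 0) -> datetime:
    """Timestamp on the day of the sample log (helper for the queries below)."""
    return datetime(2002, 3, 14, hour, minute, second)


@dataclass
class Translation:
    router: str
    proto: str
    inside_local: Tuple[str, int]
    inside_global: Tuple[str, int]
    outside_global: Tuple[str, int]
    created: datetime
    deleted: Optional[datetime] = None   # None: still open at the end of the log

    def covers(self, when: datetime) -> bool:
        return self.created <= when and (self.deleted is None or when <= self.deleted)


def parse_log(lines: Iterable[str]) -> List[Translation]:
    """Pair Created/Deleted events. Lines that do not parse are skipped; a Deleted
    without a matching Created is ignored (that translation predates the log)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H:%M:%S")
        events.append((when, m))
    events.sort(key=lambda e: e[0])          # syslog delivery order is not time order
    open_entries: Dict[Tuple, Translation] = {}
    done: List[Translation] = []
    for when, m in events:
        key = (m["router"], m["proto"], m["ig"], int(m["igp"]), m["og"], int(m["ogp"]))
        if m["event"] == "Created":
            open_entries[key] = Translation(
                m["router"], m["proto"], (m["il"], int(m["ilp"])), (m["ig"], int(m["igp"])),
                (m["og"], int(m["ogp"])), when)
        elif key in open_entries:
            entry = open_entries.pop(key)
            entry.deleted = when
            done.append(entry)
    return done + list(open_entries.values())


def who_was(translations: List[Translation], proto: str, global_ip: str,
            global_port: int, when: datetime) -> Optional[str]:
    """Inside-local address that owned proto global_ip:global_port at `when`, if the log knows."""
    for t in translations:
        if (t.proto, t.inside_global) == (proto, (global_ip, global_port)) and t.covers(when):
            return t.inside_local[0]
    return None


def demo() -> Tuple:
    table = parse_log(SAMPLE_LOG.splitlines())
    during = who_was(table, "tcp", "172.16.1.4", 11010, stamp(13, 42, 30))   # inside the tcp entry's lifetime
    before = who_was(table, "tcp", "172.16.1.4", 11010, stamp(13, 41))       # before it was created
    after = who_was(table, "tcp", "172.16.1.4", 11010, stamp(13, 50))        # after it was deleted
    ping = who_was(table, "icmp", "172.16.1.3", 1000, stamp(13, 37))         # the icmp entry
    return len(table), during, before, after, ping


if __name__ == "__main__":
    print(demo())
```

The key used to pair events deliberately excludes the inside-local fields: an attribution query starts from what the outside saw (inside global plus outside global), and the inside-local host is the answer, not part of the question. Clock skew between router and collector is the usual trap here; the router’s own uptime field on each line is kept in the regex so it can be used to cross-check the collector’s timestamps.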

Stateful NAT (SNAT)—Cisco IOS

• New feature as of Cisco IOS 12.2(13)T

• Platform independent

• Support for peer-to-peer only

• Works with or without HSRP for true fault tolerance

Without SNAT—The Problem

Two NAT routers, R1-NAT and R2-NAT, front the network; host 10.1.1.3 sits behind them.

1. Host 10.1.1.3 opens a connection through R1; R1’s translation table gets the entry
   IL 10.1.1.3 | IG 192.168.1.3 | OL 192.168.1.3 | OG 172.16.1.3

2. R2’s translation table stays empty

3. R1 fails: R2 has no entry for the flow, so the connection breaks

With SNAT—The Solution

1. Host 10.1.1.3 opens a connection through R1; R1 creates the entry
   IL 10.1.1.3 | IG 192.168.1.3 | OL 192.168.1.3 | OG 172.16.1.3

2. R1 replicates the entry to R2 (*), so both tables hold it

3. Traffic flows through R1

4. R1 fails

5.–6. R2 takes over with the replicated entry and the flow continues

SNAT Options

• Primary/backup mode (non-HSRP): peer-to-peer only

• Redundancy mode (HSRP): single peer only

• Updates/communication between the SNAT routers is done via TCP port 15555; restrict that port to the peer addresses with an access list

LocalCorrelation

LocalCorrelation

With SNAT—Primary/Backup ModePrimary Configuration

10.1.1.0/24.1

.2

You Are on This RouterYou Are on This Router

Network10.1.1.3

R1-NATR1-NAT

R2-NATR2-NAT

R1(config)# access-list 1 permit 10.1.1.0 0.0.0.255R1(config)# ip nat pool P1 172.16.1.1 172.16.1.254

netmask 255.255.255.0R1(config)# ip nat inside source list 1 pool P1 mapping-id 11R1(config)# ip nat stateful ID 101R1(config-ipnat-snat)# primary 10.1.1.1R1(config-ipnat-snat-pri)# peer 10.1.1.2R1(config-ipnat-snat-pri)# mapping-id 11

Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr

Slide 61

With SNAT—Primary/Backup Mode: Backup Configuration

[Diagram: R1-NAT (.1) and R2-NAT (.2) on network 10.1.1.0/24 with host 10.1.1.3. "You are on this router" marks R2.]

R2(config)# access-list 1 permit 10.1.1.0 0.0.0.255

R2(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0

R2(config)# ip nat inside source list 1 pool P1 mapping-id 11

R2(config)# ip nat stateful id 101

R2(config-ipnat-snat)# backup 10.1.1.2

R2(config-ipnat-snat-bkp)# peer 10.1.1.1

R2(config-ipnat-snat-bkp)# mapping-id 11

The backup address is R2's own interface address (10.1.1.2) and the peer is the primary, R1 (10.1.1.1); the mapping-id (11) and stateful id (101) must match the primary's.

Slide 62

With SNAT—Redundant Mode

[Diagram: R1-NAT (.1) and R2-NAT (.2) on network 10.1.1.0/24 share the HSRP virtual address .10; host 10.1.1.3. "You are on this router" marks R2. The HSRP group is linked to SNAT by its name.]

R2(config)# interface Ethernet 0

R2(config-if)# standby 1 ip 10.1.1.10

R2(config-if)# standby 1 name snat

R2(config-if)# exit

R2(config)# access-list 1 permit 10.1.1.0 0.0.0.255

R2(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0

R2(config)# ip nat inside source list 1 pool P1 mapping-id 11

R2(config)# ip nat stateful id 101

R2(config-ipnat-snat)# redundancy snat

R2(config-ipnat-snat-red)# mapping-id 11

Slide 63

Stateful Failover—Cisco IOS

• Unlike Cisco IOS, PIX swaps IP and MAC addresses instead of using a virtual address

• PIX has had failover since 3.x

• PIX added stateful failover in 5.x

• A dedicated interface must be used for the failover updates

Slide 64

With SNAT—Primary/Backup Mode: Backup Configuration

[Diagram: PIX1-NAT (.1) and PIX2-NAT (.2) on network 10.1.1.0/24 with host 10.1.1.3, joined by a dedicated LAN interface on 172.16.1.x/24 for failover.]

pixfirewall(config)# nameif ethernet2 failover-int 50

pixfirewall(config)# ip address failover-int 172.16.1.1 255.255.255.0

pixfirewall(config)# failover ip address failover-int 172.16.1.2

pixfirewall(config)# failover link failover-int

Slide 65

Agenda—VPNs and Address Translation

Slide 66

PPTP 101

Point-to-Point Tunneling Protocol (PPTP): protocol 47 (GRE) carries the data; protocol 6 (TCP) port 1723 carries the authentication/control channel.

Original packet: IP HDR | Layer 4 | Data (Layer 5-7)

Encapsulation within GRE (without MPPE): New IP HDR | Tunnel ID | IP HDR | Layer 4 | Data

The Tunnel ID is the unique number that gives the router the ability to determine which flow goes to which system when the traffic is being NAPTed.
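As an added example (not from the deck), here is how a NAPT device can key PPTP data flows on that unique number, which RFC 2637 calls the Call ID in the enhanced GRE header; the inside hosts, Call IDs and packet bytes are constructed, and the collision handling (rewriting a duplicate Call ID) is a simplified stand-in for what a PPTP ALG does.

```python
import struct

GRE_PPTP_PROTO = 0x880B  # enhanced GRE protocol type used for PPTP data (RFC 2637)

def parse_pptp_gre(pkt):
    """Parse the enhanced GRE header PPTP uses (RFC 2637, section 4.1). The Key
    field holds the payload length (high 16 bits) and the Call ID (low 16 bits)."""
    if len(pkt) < 8:
        raise ValueError("GRE header too short")
    flags_ver, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PPTP_PROTO or (flags_ver & 0x0007) != 1 or not flags_ver & 0x2000:
        raise ValueError("not a PPTP enhanced-GRE packet")
    # optional sequence (S bit) and acknowledgement (A bit) fields follow the key
    hdr_len = 8 + (4 if flags_ver & 0x1000 else 0) + (4 if flags_ver & 0x0080 else 0)
    return {"call_id": call_id, "payload_len": payload_len, "header_len": hdr_len,
            "payload": pkt[hdr_len:hdr_len + payload_len]}

class PptpNapt:
    """Many-to-one translation for PPTP data. GRE has no ports, so the Call ID
    is the only value that tells the NAPT which inside host a packet belongs to."""

    def __init__(self):
        self.by_outside_id = {}  # call id seen on the outside -> (inside ip, inside call id)

    def learn_client_call_id(self, inside_ip, inside_call_id):
        """Called when the TCP/1723 control channel reveals the Call ID an inside client
        chose. Returns the Call ID the peer will see; it is only rewritten on collision."""
        outside_id = inside_call_id
        while outside_id in self.by_outside_id:       # two inside clients picked the same id
            outside_id = (outside_id + 1) & 0xFFFF
        self.by_outside_id[outside_id] = (inside_ip, inside_call_id)
        return outside_id

    def inbound(self, pkt):
        """Demultiplex a GRE packet arriving from the PPTP server: look up the inside
        host by Call ID and restore the client's original Call ID if it was rewritten."""
        info = parse_pptp_gre(pkt)
        if info["call_id"] not in self.by_outside_id:
            return None, pkt                         # no session for this id: drop
        inside_ip, inside_id = self.by_outside_id[info["call_id"]]
        return inside_ip, pkt[:6] + struct.pack("!H", inside_id) + pkt[8:]

if __name__ == "__main__":
    napt = PptpNapt()
    for host, cid in (("10.1.1.3", 7), ("10.1.1.4", 7)):   # constructed inside clients
        print(host, "call id", cid, "-> outside call id", napt.learn_client_call_id(host, cid))
    sample = bytes.fromhex("2001880b00030008") + b"abc"    # constructed: K=1, ver=1, len 3, id 8
    print(napt.inbound(sample))
```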

Slide 67

IPSec 101—ESP

Encapsulating Security Payload (ESP): protocol 50, tunnel mode only

Original packet: IP HDR | Data

ESP tunnel mode: New IP HDR | IPSec HDR | IP HDR | Data. The original Layer 3 header and the data are encrypted, and the authentication covers the IPSec HDR and the encrypted payload; the new outer IP HDR is neither encrypted nor authenticated.

NAT WORKS!

Slide 68

IPSec 101—AH

Authentication Headers (AH): protocol 51

Original packet: IP HDR | Data

AH packet: IP HDR | IPSec HDR | IP HDR | Data. Authenticated HDR + Data = checksum, stored in the IPSec HDR; the Layer 3 header is part of what is authenticated, so rewriting an address invalidates the checksum.

NAT BREAKS!
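The two preceding slides in working form, as an added example that is not part of the deck: AH's integrity check covers the IP header, ESP's does not cover the outer header, so a NAT rewriting the source address breaks the first and leaves the second intact. The key, addresses and payloads are constructed, the IP checksum is left zero, and the "encrypted" inner packet is stand-in bytes.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # assumed shared integrity key, not from the slides

def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; the header checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_hdr, data):
    """AH's integrity check value covers the IP header (mutable fields TOS, TTL and
    checksum zeroed) plus the data, so source and destination addresses are included."""
    fixed = (ip_hdr[:1] + b"\x00" + ip_hdr[2:8] + b"\x00" + ip_hdr[9:10]
             + b"\x00\x00" + ip_hdr[12:])
    return hmac.new(KEY, fixed + data, hashlib.sha256).digest()[:12]

def esp_icv(esp_body):
    """ESP's integrity check value covers only the ESP header and the encrypted
    payload; the outer IP header is outside the authenticated region."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]

def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT does on the way out: replace the source address (a real NAT also
    recomputes the IP header checksum, which AH does not cover either)."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def ah_verifies(ip_hdr, data, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, data), icv)

def esp_verifies(outer_ip_hdr, esp_body, icv):
    # outer_ip_hdr is deliberately ignored: it is not part of the authenticated data
    return hmac.compare_digest(esp_icv(esp_body), icv)

def demo():
    """Send one AH and one ESP packet from 10.1.1.3 through a NAT that rewrites the
    source to 192.168.1.3; return (ah_ok, esp_ok) as seen by the receiver."""
    data = b"constructed upper-layer payload"
    # AH (protocol 51): the sender computes the ICV over its own, untranslated header
    ah_hdr = ip_header("10.1.1.3", "172.16.1.3", 51)
    icv = ah_icv(ah_hdr, data)
    ah_ok = ah_verifies(nat_rewrite_source(ah_hdr, "192.168.1.3"), data, icv)
    # ESP tunnel mode (protocol 50): new outer header, inner packet encrypted (stand-in bytes)
    esp_body = b"\x00\x00\x01\x00\x00\x00\x00\x01" + b"<encrypted inner IP HDR + data>"
    esp_tag = esp_icv(esp_body)
    outer = nat_rewrite_source(ip_header("10.1.1.3", "172.16.1.3", 50), "192.168.1.3")
    esp_ok = esp_verifies(outer, esp_body, esp_tag)
    return ah_ok, esp_ok
```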

Slide 69

What Is Being Done?

• PPTP over NAPT

• IPSec over UDP (proprietary)

• IPSec over TCP (proprietary)

• NAT-T (IPSec over UDP, standard)

• IPSec NAT transparency

Slide 70

Where Do We Stand Today?

Address Translation Support for VPN Traffic:

Feature                              Cisco IOS   PIX

PPTP over NAPT                       12.1.5T     6.3

IPSec over UDP**                     N/A         N/A

IPSec over TCP**                     N/A         N/A

NAT-T                                12.2.13T    6.3

IPSec NAT Transparency (Phase 1)*    12.2.13T    6.3

IPSec NAT Transparency (Phase 2)     12.2.15T    NO

Slide 71

VPN Head End Problem Topology

[Diagram: a roaming user at an ISP builds an IPSec tunnel across the Internet to your company's NAT/VPN gateway, which fronts the 10.0.0.0/8 network.]

NAT by destination rules will be used:

router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 ???

Not sure on the destination ISP address: the roaming user's address is not known in advance, so the deny line that would exempt the VPN traffic from translation cannot be written.

Slide 72

VPN Head End Solution—Mode Config

[Diagram: the same topology, with the VPN gateway using mode configuration to assign roaming users an address from the pool 172.16.1.1–.254; the NAT device sits between 10.0.0.0/8 and the Internet, and the IPSec tunnel terminates on the VPN gateway.]

router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255

router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

Slide 73

VPN Head End Using Static Translation

[Diagram: a mail server at 10.6.1.20 behind the NAT device, reachable from the Internet at 209.165.201.5; a roaming user at an ISP reaches it through the VPN gateway's IPSec tunnel.]

router(config)# ip nat inside source static 10.6.1.20 209.165.201.5 route-map nonat

Slide 74

Cisco IOS VPN Configuration

access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 10.0.0.0 0.255.255.255 any

!

route-map nonat permit 10

 match address 100

!

ip nat pool natpool 209.165.201.10 209.165.201.20 netmask 255.255.255.248

ip nat inside source route-map nonat pool natpool

ip nat inside source static 10.6.1.20 209.165.201.5 route-map nonat

Slide 75

PIX VPN Configuration

access-list 100 permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0

global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.248

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) 209.165.201.5 10.6.1.20 netmask 255.255.255.255

nat (inside) 0 access-list 100

Slide 76

Agenda—Dealing with Voice Elements

Slide 77

Voice Traffic vs. Address Translation Device

Feature            Cisco IOS   PIX

Skinny             12.2.13T    6.3

Skinny NAPT        No          6.3

MGCP               Future      6.3

CTI/TAPI/JTAPI     No          6.3

SIP                12.2.11T    6.3

H.323 v3/v4        12.3.1T*    6.3

H.323 v1/v2        12.1.5T     4.2

*Compatibility support—algorithm support planned for a future release

Slide 78

Prior to the Voice Fix Ups—Registration

[Diagram: IP Phone A (10.1.1.10) on the inside network 10.1.1.0/24 and IP Phone B (209.165.201.5) on the outside network 209.165.201.0/27, separated by a NAT router; the other addresses shown are .2, .1 and .30. Both phones send their Skinny registration through the NAT.]

Slide 79

Prior to the Voice Fix Ups—Dialing

[Diagram: same topology as slide 78. IP Phone B (extension 5505) goes off hook and dials the digits 5510; IP Phone A (extension 5510) displays caller 5505 and starts ringing. The signaling crosses the NAT.]

Slide 80

Prior to the Voice Fix Ups—Off Hook

[Diagram: same topology. The called party, IP Phone A (5510), goes off hook and the ringing stops.]

Slide 81

Prior to the Voice Fix Ups—Media Offer

[Diagram: same topology, with the Internet beyond the NAT's outside interface (.1). The media offers carried in the signaling contain each phone's own address: Phone A media—IP: 10.1.1.10, port: 20000; Phone B media—IP: 209.165.201.5, port: 17000.]

Slide 82

Prior to the Voice Fix Ups—Media Ports

[Diagram: same as slide 81. Each phone will send its RTP to the media address it received: Phone A media—IP: 10.1.1.10, port: 20000; Phone B media—IP: 209.165.201.5, port: 17000. Without a fixup the NAT translates only the IP header, not the 10.1.1.10 inside the signaling payload.]

Slide 83

Prior to the Voice Fix Ups—One Way

[Diagram: same topology. The Phone A>B RTP stream reaches Phone B; the Phone B>A RTP stream is sent to the untranslated address 10.1.1.10 that the signaling carried and never arrives: one-way audio.]

Slide 84

With the Voice Fix Ups—Media Ports

[Diagram: same topology; the NAT uses IP pool .10–.20 on 209.165.201.0/27. With the voice fixup, the NAT also rewrites the media address inside the signaling: Phone A media—IP: 10.1.1.10, port: 20000 is seen by Phone B as Phone A media—IP: 209.165.201.10, port: 20000. Phone B media—IP: 209.165.201.5, port: 17000 is unchanged.]

Slide 85

With the Voice Fix Ups—Final Solution

[Diagram: same topology. The Phone A>B RTP stream and the Phone B>A RTP stream both pass through the NAT: two-way audio.]

Slide 86

Voice Summary

• Address translation devices need to be audio/video aware in order to process the packets correctly

• One-way audio is the typical problem when address translation is used
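The one-way-audio sequence from the preceding slides as an added simulation (not the deck's code): a NAT that only rewrites the IP header leaves the inside-local media address in the signaling payload, while a media-aware NAT (the fixup) rewrites it too. The NAT model, the signaling messages (plain dicts) and the pool allocation are assumptions; the addresses follow the slides.

```python
class VoiceNat:
    """Dynamic NAT with a pool of inside-global addresses (one per inside host).
    media_aware=True stands in for the voice fixup: the NAT also rewrites the
    media address that the signaling payload carries."""

    def __init__(self, pool, media_aware):
        self.pool = list(pool)          # free inside-global addresses, e.g. .10-.20
        self.media_aware = media_aware
        self.addr_map = {}              # inside local -> inside global

    def outside_addr(self, inside_ip):
        """Allocate (or reuse) the inside-global address for an inside host."""
        if inside_ip not in self.addr_map:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")
            self.addr_map[inside_ip] = self.pool.pop(0)
        return self.addr_map[inside_ip]

    def forward_signaling(self, msg):
        """Inside-to-outside signaling. The Layer 3 source is always translated;
        the media address embedded in the payload only when the fixup is enabled."""
        out = dict(msg)
        out["src"] = self.outside_addr(msg["src"])
        if self.media_aware:
            out["media_ip"] = self.outside_addr(msg["media_ip"])
        return out

    def deliver_rtp(self, dst_ip, dst_port):
        """Outside-to-inside RTP. Returns the inside (ip, port) it reaches, or None
        when it was addressed to an inside-local address that the Internet cannot
        route, so the NAT never even sees it (the one-way audio case)."""
        for inside_ip, global_ip in self.addr_map.items():
            if global_ip == dst_ip:
                return (inside_ip, dst_port)
        return None

def simulate_call(media_aware):
    """Phone A (10.1.1.10, ext 5510, inside) talks to Phone B (209.165.201.5, outside)."""
    nat = VoiceNat(["209.165.201.%d" % i for i in range(10, 21)], media_aware)
    offer_a = {"src": "10.1.1.10", "media_ip": "10.1.1.10", "media_port": 20000}
    seen_by_b = nat.forward_signaling(offer_a)
    # Phone B sends its RTP to whatever media address the signaling carried
    b_to_a = nat.deliver_rtp(seen_by_b["media_ip"], seen_by_b["media_port"])
    # Phone A's RTP to B is an ordinary inside-to-outside flow and always works
    a_to_b = (nat.outside_addr("10.1.1.10"), "209.165.201.5")
    return {"a_to_b": a_to_b, "b_to_a": b_to_a}
```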

Slide 87

Call Manager Registration/Failover Issues

• Cisco IP phones can support SIP, Skinny, and MGCP

• A TFTP fixup exists today for PIX and Cisco IOS

• So what is the issue?

Slide 88

IP Phone Configuration File

• Contains embedded information, for example:

<authenticationURL>http://14.48.44.11/CCMCIP/authenticate.asp</authenticationURL>

<directoryURL>http://14.48.44.11/CCMCIP/xmldirectory.asp</directoryURL>

<idleURL></idleURL>

<informationURL>http://14.48.44.11/CCMCIP/GetTelecasterHelpText.asp</informationURL>

<messagesURL></messagesURL>

<proxyServerURL></proxyServerURL>

<servicesURL>http://14.48.44.11/CCMCIP/getservicesmenu.asp</servicesURL>

</device>

Slide 89

IP Phones and NAT

• On the Cisco CallManagers, use DNS names instead of IP addresses

• Static NAT entries for the CallManager servers

• Either split DNS or the DNS fixup can be used to properly resolve the DNS entries for IP Phone services

Slide 90

DNS Fix Up with IP Phones

[Diagram: Cisco CallManager at .10 and a DNS server at .20 on the inside network 10.1.1.0/24 (NAT inside, E0 at .1); the outside network 209.165.201.0/27 (NAT outside, E1 at .1) has an IP phone at .5. The NAT router is the translation boundary.]

ip nat inside source static 10.1.1.10 209.165.201.10

ip nat inside source static udp 10.1.1.20 53 interface Ethernet0 53

Slide 91

DNS Fix Up with IP Phones, the Query

[Diagram: same topology as slide 90. The phone on the outside sends a DNS query, "What IP is CallManager.cisco.com?", which the NAT forwards to the DNS server at .20.]

Slide 92

DNS Fix Up with IP Phones, the Query

[Diagram: same topology. The DNS server answers for CallManager.cisco.com with the inside address, response: 10.1.1.10. Because of the static translation below, the NAT's DNS fixup rewrites the A record and the phone sees response: 209.165.201.10.]

ip nat inside source static 10.1.1.10 209.165.201.10
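The rewrite the DNS fixup performs in slides 90 to 92, as an added example that is not the deck's or Cisco's code: it walks a DNS response on the wire, finds A records whose address matches the static translation, and swaps in the inside-global address without changing the message length. The response builder, the transaction ID and the TTL are constructed; only the static mapping and the name come from the slides.

```python
import socket, struct

# The static translation from the slide: inside local 10.1.1.10 -> inside global 209.165.201.10
STATIC_NAT = {"10.1.1.10": "209.165.201.10"}

def skip_name(msg, off):
    """Return the offset just past the DNS name starting at off (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def a_record_offsets(msg):
    """Yield the offset of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def answered_addresses(msg):
    return [socket.inet_ntoa(msg[o:o + 4]) for o in a_record_offsets(msg)]

def dns_fixup(msg, mapping=STATIC_NAT):
    """Inside-to-outside DNS fixup: A records that carry an inside-local address are
    rewritten to the inside-global address, so the phone outside gets a reachable one."""
    out = bytearray(msg)
    for o in a_record_offsets(msg):
        addr = socket.inet_ntoa(msg[o:o + 4])
        if addr in mapping:
            out[o:o + 4] = socket.inet_aton(mapping[addr])
    return bytes(out)

def build_response(name, addr, txid=0x1234):
    """Constructed DNS response with one A record; the answer name is a compression
    pointer back to the question (offset 12), as real resolvers send."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer
```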

Slide 93

Agenda—Questions and Answers

Slide 94

Useful URLs

• Cisco IOS NAT product support page:

http://www.cisco.com/pcgi-in/Support/browse/psp_view.pl?p=Internetworking:NAT

• Cisco IOS NAT FAQ: CCO Document ID 26704

• Cisco IOS NAT "order of operation":

http://www.cisco.com/warp/public/556/5.html

• Cisco IOS NAT configuration:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid1056050

Slide 95

Summary

• NAT/NAPT (PAT, overload) → one-to-one/many-to-one address mappings

• Know your applications and how they behave

• Cisco IOS needs the packet to cross from the inside to the outside address translation domain (or vice versa); otherwise the packet is forwarded without any address translation being performed

• PIX needs a translation; otherwise the packet is dropped

• Avoid asymmetrical routing!

Slide 96

Please Complete Your Evaluation Form

Session NMS-2102

Slide 97


Recommended