Transcript NAT

Cabrillo College
Building Cisco Remote Access Network
Ch. 11 Setting IP Addresses with NAT
Rick Graziani, Instructor
March 13, 2001
Private addresses and NAT


Network Address Translation
NAT, as defined by RFC 1631, is the
process of swapping one address for
another in the IP packet header. In
practice, NAT is used to allow hosts that
are privately addressed to access the
Internet.
Network Address Translation


The privately addressed "inside"
network sends a packet through the
NAT router.
The addresses are converted to legal,
registered IP addresses, enabling the
packets to be passed to the public
networks, such as the Internet.
NAT
[Diagram: NAT example with inside network 192.168.2.0/24 *]
* This would normally be a routable address (nonprivate address space)
Cisco NAT Terminology

When configuring NAT using the Cisco
IOS, you will have to be able to
distinguish between inside and outside
addresses.
– Whether an address is “inside” or “outside”
depends on your point-of-view.
Cisco NAT Terminology


Addresses that your network is using are
inside addresses, regardless of whether they
belong to a private range or are globally
routable.
Addresses of systems beyond your network
are considered outside addresses (whether
they are private or global).
– Thus, your network could have inside local
addresses (private addresses) and inside global
addresses (globally routable addresses assigned
by your provider).
NAT
NAT: Pros and Cons
NAT

One advantage of NAT is that, since not
every inside host needs outside access
at the same time, you can get away with
using a small pool of globally unique
addresses to serve a relatively large
number of privately addressed hosts.
NAT

NAT comes as a great relief to
organizations that outgrow their address
space.
– If a school with a Class C address
suddenly finds that over 500 nodes on
campus need occasional Internet access,
NAT (used in conjunction with RFC 1918
addresses) may provide a convenient
solution.
NAT

Because outside hosts never see the
“pre-translated” inside addresses, NAT
has the effect of hiding the inside
structure of a network. Although NAT is
not a security firewall, it can prevent
outsiders from connecting directly to
inside hosts, unless a permanent global
address mapping exists in the NAT
table.
NAT

If you actually want outside users to
access an internally addressed
webserver, you can statically map a
global address (2.2.2.3) to an inside
address (10.0.0.1).
– Static mappings exist in the NAT table until
they are removed by an administrator.
– Internet hosts, and DNS, can use the
global address to access the privately
addressed webserver.
NAT

Since CIDR places the authority to assign
addresses at the ISP level, if you moved from
one ISP to another, your company may have
to completely readdress its systems with the
new ISP’s CIDR block.
– Instead of readdressing, NAT can be deployed to
temporarily translate the old addresses to new
ones, with static mappings in place to keep web
and other public services available to the outside.
Types of NAT




Static NAT
Dynamic NAT
Overloading NAT (PAT)
Overlapping

Static NAT - Mapping an unregistered
IP address to a registered IP address
on a one-to-one basis. Particularly
useful when a device needs to be
accessible from outside the network.
In static NAT, the computer with the IP address of
192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT - Maps an unregistered
IP address to a registered IP address
from a group of registered IP
addresses.
In dynamic NAT, the computer with the IP address of
192.168.32.10 will translate to the first available
address in the range from 213.18.123.100 to
213.18.123.150.

Overloading - A form of dynamic NAT that
maps multiple unregistered IP addresses to a
single registered IP address by using different
ports. Known also as PAT (Port Address
Translation), single address NAT or port-level
multiplexed NAT.
In overloading, each computer on the private network
is translated to the same IP address (213.18.123.100)
but with a different port number assignment.

Overlapping - When the IP addresses used on your
internal network are registered IP addresses in use
on another network, the router must maintain a
lookup table of these addresses so that it can
intercept them and replace them with registered
unique IP addresses.
The internal IP range (237.16.32.xx) is also a registered range used by
another network. Therefore, the router is translating the addresses to
avoid a potential conflict with another network. It will also translate
the registered global IP addresses back to the unregistered local IP
addresses when information is sent to the internal network.
NAT Functions




Translating inside local addresses
Overloading inside global addresses
TCP load distribution
Handling overlapping networks
NAT Examples



Translating Inside Local Addresses
Overloading Inside Global Addresses
TCP Load Distribution
NAT Configuration: Static
RTA(config)#ip nat inside source static local-ip global-ip
RTA(config)#interface type number
RTA(config-if)#ip nat inside
RTA(config)#interface type number
RTA(config-if)#ip nat outside
NAT Configuration: Static
[Diagram: 192.168.2.0/24 network, host 192.168.2.2, next hop 172.16.2.1]
ip route 192.168.2.0 255.255.255.0 172.16.2.1
NAT Configuration: Static
Room 2501 Example
interface FastEthernet0/0
description Cabrillo LAN (NAT outside)
ip address 172.16.29.254 255.255.224.0
ip nat outside
interface FastEthernet0/1
description Cisco Classroom 2501 (NAT inside)
ip address 172.30.1.1 255.255.255.0
ip nat inside
! Static map to Linux Server -inside source-ip translated to nnnn
ip nat inside source static 172.30.1.11 172.16.24.66
! Static map to Catalyst 1900 switch
ip nat inside source static 172.30.1.99 172.16.24.67
NAT Configuration: Dynamic
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
RTA(config)#ip nat pool MYPOOL 207.2.2.0 207.2.2.255 netmask 255.255.255.0
(MYPOOL holds the global addresses that inside hosts are translated to)
NAT Configuration: Dynamic
Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
(The access list selects the inside addresses that get translated)
RTA(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RTA(config)#ip nat inside source list 1 pool MYPOOL
NAT Configuration: Dynamic
Router(config)#interface type number
Router(config-if)#ip nat inside
Router(config-if)#interface type number
Router(config-if)#ip nat outside
RTA(config)#interface s0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside
NAT Configuration: Dynamic
interface FastEthernet0/0
description Cabrillo LAN (NAT outside)
ip address 172.16.29.254 255.255.224.0
ip nat outside
interface FastEthernet0/1
description Cisco Classroom 2501 (NAT inside)
ip address 172.30.1.1 255.255.255.0
ip nat inside
ip nat pool room2501 172.16.24.65 172.16.24.99 netmask 255.255.224.0
ip nat inside source list 1 pool room2501
access-list 1 permit 172.30.1.0 0.0.0.255
PAT: Address overloading

The most powerful feature of NAT routers is
their ability to use Port Address Translation
(PAT), which allows multiple inside
addresses to map to the same global
address.
– This is sometimes called a “many-to-one” NAT.
– Literally hundreds of privately addressed nodes can
access the Internet using only one global address.
PAT

The NAT box keeps track of the
different conversations by mapping TCP
and UDP port numbers.
– This works well for client applications like
web browsers because they grab port
numbers as needed, typically from the
unassigned range between 1024 and
65,535.
PAT

An example PAT translation table
NAT Configuration: Overload
Router(config)#ip nat inside source list 24 pool natpool overload
RTA(config)#ip nat inside source list 24 pool natpool overload
NAT Configuration: Overload
PAT Configuration: Dynamic
interface FastEthernet0/0
description Cabrillo LAN (NAT outside)
ip address 172.16.29.254 255.255.224.0
ip nat outside
interface FastEthernet0/1
description Cisco Classroom 2501 (NAT inside)
ip address 172.30.1.1 255.255.255.0
ip nat inside
ip nat pool room2501 172.16.24.65 172.16.24.65 netmask 255.255.224.0
! overload is a keyword of the translation rule, not of the pool definition
ip nat inside source list 1 pool room2501 overload
access-list 1 permit 172.30.1.0 0.0.0.255
NAT and PAT

NAT overload is often used in conjunction
with dynamic mappings to a NAT pool.
– A NAT router can then use a one-to-one dynamic
mapping until the available addresses are almost
depleted, at which time NAT can overload the
remaining address or addresses.
– On a Cisco router, NAT will overload the first
address in the pool until it’s maxed out, and then
move on to the second address, and so on.
TCP Load distribution

Cisco routers support TCP load
distribution, a powerful NAT feature
that allows you to map one global
address to multiple inside addresses for
the purpose of distributing
conversations among multiple (usually
mirrored) hosts.
TCP Load Distribution
NAT Configuration: Rotary
RTA(config)#ip nat pool webservers 10.0.0.1 10.0.0.2 netmask 255.0.0.0 type rotary
RTA(config)#access-list 46 permit host 2.2.2.3
RTA(config)#ip nat inside destination list 46 pool webservers
RTA(config)#interface e0
RTA(config-if)#ip nat inside
RTA(config-if)#interface s0
RTA(config-if)#ip nat outside
NAT Configuration: Rotary
[Diagram: connections to 10.1.1.127 NAT'd (rotary) to 10.1.1.1 - 10.1.1.3]
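To make the rotary behaviour concrete: the pool translates the destination of each new TCP connection to the global address, round-robin across the real servers, and keeps that connection pinned to the server it started on. The model below is an added example of my own, not the lecture's material and not Cisco IOS code; it reuses the lecture's addresses (2.2.2.3, 10.0.0.1, 10.0.0.2), while the class name, the client addresses and the rule that only a SYN creates an entry are my assumptions.

```python
# Added example (not from the lecture, not Cisco IOS): toy model of
# "ip nat inside destination list 46 pool webservers" with "type rotary".
class RotaryPool:
    def __init__(self, virtual_ip, real_servers):
        self.virtual_ip = virtual_ip             # 'access-list 46 permit host 2.2.2.3'
        self.real_servers = list(real_servers)   # 'ip nat pool webservers 10.0.0.1 10.0.0.2 ... type rotary'
        self._next = 0                           # rotary pointer into real_servers
        self.sessions = {}                       # (client ip, client port) -> real server

    def inbound(self, dst_ip, client, syn):
        """Packet from an outside client arriving on the outside interface.
        Returns the destination it is forwarded to. Only a new connection (SYN)
        is assigned a server; later segments follow the existing entry, a
        mid-stream segment with no entry is dropped (None), and traffic to any
        other destination is left untouched."""
        if dst_ip != self.virtual_ip:
            return dst_ip
        if client not in self.sessions:
            if not syn:
                return None
            self.sessions[client] = self.real_servers[self._next]
            self._next = (self._next + 1) % len(self.real_servers)
        return self.sessions[client]

    def outbound(self, src_ip, client):
        """Reply from a real server: its source is rewritten back to the
        virtual address so the client sees one consistent peer."""
        if self.sessions.get(client) == src_ip:
            return self.virtual_ip
        return src_ip

    def close(self, client):
        """Connection finished: free the entry (a real router also ages it out)."""
        self.sessions.pop(client, None)


if __name__ == "__main__":
    lb = RotaryPool("2.2.2.3", ["10.0.0.1", "10.0.0.2"])
    for port in (40001, 40002, 40003):           # constructed client connections
        print(port, "->", lb.inbound("2.2.2.3", ("198.51.100.7", port), syn=True))
```

Because assignment happens per connection rather than per packet, a client that opens three connections may land on different servers each time; anything the application stores server-side (a session, an upload in progress) has to be shared between the "usually mirrored" hosts the lecture mentions.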
NAT drawbacks

The tradeoff for address translation is a
loss of functionality, particularly with any
protocol or application that involves
sending IP address information outside
the IP header.
NAT drawbacks
The following traffic types are not supported
by Cisco IOS NAT:
– Routing table updates
– Domain Name System (DNS) zone transfers
– BOOTP
– talk, ntalk
– Simple Network Management Protocol (SNMP)
– NetShow
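The common thread in the unsupported protocols above, and in the previous slide, is address information carried in the payload rather than the IP header: a basic translator rewrites the header and leaves the payload byte-for-byte, so the far end is told to contact an inside local address it cannot route to. The scan below is an added example of my own, not the lecture's material and not Cisco IOS code; the text message format and the packet dictionary are constructed for illustration, and the RFC 1918 check is a simple membership test.

```python
# Added example (not from the lecture, not Cisco IOS): show what header-only
# translation does to a payload that carries an address, and find the leftovers.
import re
from ipaddress import ip_address, ip_network

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for the private ranges the lecture pairs with NAT."""
    return any(ip_address(addr) in net for net in RFC1918)


def embedded_addresses(payload):
    """IPv4 literals found in a text application payload (constructed format)."""
    found = []
    for m in IPV4_LITERAL.finditer(payload):
        try:
            found.append(str(ip_address(m.group())))
        except ValueError:
            pass                              # e.g. 999.1.1.1 is not an address
    return found


def nat_header_only(packet, local_ip, global_ip):
    """What plain NAT does for these protocols: translate the header, not the payload."""
    if packet["src"] != local_ip:
        return dict(packet)
    return {**packet, "src": global_ip}


def stale_inside_addresses(packet, local_ip, global_ip):
    """Translate, then list payload addresses that are still inside local
    (RFC 1918). A non-empty result means the conversation will break and the
    inside address has been disclosed to the outside host."""
    translated = nat_header_only(packet, local_ip, global_ip)
    stale = [a for a in embedded_addresses(translated["payload"]) if is_rfc1918(a)]
    return translated, stale


if __name__ == "__main__":
    # Constructed packet: an application telling its peer where to call back.
    pkt = {"src": "10.0.0.1", "dst": "203.0.113.5", "payload": "CALLBACK 10.0.0.1 5000"}
    print(stale_inside_addresses(pkt, "10.0.0.1", "2.2.2.3"))
```

Running the scan on outbound traffic that has already been translated is a cheap way to find both problems at once: flows that will silently fail behind NAT, and application payloads that leak the inside addressing the lecture says NAT is supposed to hide.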