Introduction to Network Address Translation


Agenda

Basic Concept of Network Address Translation (NAT) and Port Address Translation (PAT)
Definition, Benefits, Availability and Application Support
NAT Concepts and Terminology
PAT
NAT Technical Information

Basic Concept of NAT

NAT changes the IP addresses in the IP header.

Outbound packet from My Network, before NAT:  Src Addr 10.6.1.20,     Dest Addr Internet Host
Outbound packet, after NAT:                   Src Addr 171.69.68.10,  Dest Addr Internet Host
Return packet from the Internet, before NAT:  Src Addr Internet Host, Dest Addr 171.69.68.10
Return packet, after NAT:                     Src Addr Internet Host, Dest Addr 10.6.1.20

The router rewrites only the address that belongs to the inside host: the source address on the way out, the destination address on the way back.

Basic Concept of PAT

Two hosts on My Network, 10.6.1.20 and 10.6.1.6, send through the same PAT router to two Internet hosts, Host 1 and Host 2:

Outbound packet from 10.6.1.20, before PAT:  Src Addr 10.6.1.20,    Src Port 2031, Dest Addr Host 1, Dest Port any
Outbound packet, after PAT:                  Src Addr 171.69.68.10, Src Port 2031, Dest Addr Host 1, Dest Port any
Outbound packet from 10.6.1.6, before PAT:   Src Addr 10.6.1.6,     Src Port 1506, Dest Addr Host 2, Dest Port any
Outbound packet, after PAT:                  Src Addr 171.69.68.10, Src Port 1506, Dest Addr Host 2, Dest Port any
Return packet from Host 2, before PAT:       Src Addr Host 2, Src Port any, Dest Addr 171.69.68.10, Dest Port 1506
Return packet, after PAT:                    Src Addr Host 2, Src Port any, Dest Addr 10.6.1.6,     Dest Port 1506

The important point here is that PAT translates the two different source IP addresses to the same IP address. It uses the destination port in the return packet to make the correct reverse translation. Because the port is what tells the flows apart, two inside hosts that happen to pick the same source port cannot both keep it: the PAT device has to assign one of them a different global port and record that in its translation entry.

Don't get confused by the term PAT. It is a Cisco term: we wanted to differentiate between using one global address for all translations (PAT) and using a new IP address for each translation (NAT). If you talk with a UNIX admin, they would think PAT is NAT. The IETF uses a different term for PAT, NAPT (Network Address Port Translation).

Port Address Translation (PAT) extends NAT from one-to-one to many-to-one by associating the source port with each flow.


NAT Defined

First described in RFC 1631 (since obsoleted by RFC 3022, which describes the same traditional NAT).
Changes source and/or destination IP addresses in the IP header and, for applications it understands, the IP addresses carried in the application data stream.
Cisco IOS® NAT is a superset of what RFC 1631 describes.

Private IP Addresses

Problem: IP address space is limited and obtaining a large block of registered addresses is difficult.
Solution: Use private IP addresses (RFC 1918) internally on your network.

The private IP address ranges you can use on your internal network are:
Class A: 10.0.0.0–10.255.255.255 (10.0.0.0/8)
Class B range: 172.16.0.0–172.31.255.255 (172.16.0.0/12)
Class C range: 192.168.0.0–192.168.255.255 (192.168.0.0/16)

You may find another address assigned to a Microsoft Windows host. Windows 2000 and Windows ME have "Automatic Private IP Addressing" (APIPA): when a host is configured for DHCP and for some reason cannot reach the DHCP server, it configures the interface with a 169.254.x.y address and then ARPs for the address it has chosen to ensure no other host on the subnet is using it. The 169.254.0.0/16 range is reserved by IANA for link-local use. See http://support.microsoft.com/support/kb/articles/Q220/8/74.ASP for more information.

Benefits: Reaching Registered Networks

NAT was developed because hosts with private IP addresses could not reach hosts on the Internet. With no translation, an outbound packet with Src Addr 10.6.1.20 gets no usable reply, because no return packet addressed to 10.6.1.20 can be routed back from the Internet.

With NAT:
Outbound packet, before NAT:  Src Addr 10.6.1.20,     Dest Addr Internet Host
Outbound packet, after NAT:   Src Addr 171.69.68.10,  Dest Addr Internet Host
Return packet, before NAT:    Src Addr Internet Host, Dest Addr 171.69.68.10
Return packet, after NAT:     Src Addr Internet Host, Dest Addr 10.6.1.20

Problem: Hosts assigned private IP addresses can't access registered networks such as the Internet.
Solution: NAT replaces the source address with a routable address and enables privately addressed hosts to access registered networks, such as the Internet, without requiring globally unique IP addresses on end hosts.

Benefits: Corporate Acquisition

A corporate host, 10.6.1.20, and an acquisition host, 10.6.1.51, sit in overlapping 10.6.1.x address space, so neither can be addressed directly from the other side:

Packet from Corporate toward Acquisition, before NAT:  Src Addr 10.6.1.20,    Dest Addr Acquisition
Same packet, after NAT:                                Src Addr 192.168.7.10, Dest Addr Acquisition
Packet from Acquisition toward Corporate, before NAT:  Src Addr 10.6.1.51,    Dest Addr Corporate
Same packet, after NAT:                                Src Addr 172.21.58.10, Dest Addr Corporate

This works because the hosts reach each other by name: the DNS answer for a host is translated from its 10.6.1.x address to the address the other side sees, so the other host believes it is communicating with the translated address. In this example the 172.21.58.x addresses must be unique in both networks.

Problem: Merging corporations with conflicting private IP address space need connectivity to each other and/or the Internet.
Solution: NAT provides transparent, scalable, and bi-directional connectivity between corporate headquarters and acquisitions.

Benefits: Changing ISPs

The old ISP network is replaced by a new one, and with it the registered address block, but the hosts on My Network keep their addresses:

Outbound packet, before NAT:  Src Addr 10.6.1.20,     Dest Addr Internet Host
Outbound packet, after NAT:   Src Addr 171.69.68.10,  Dest Addr Internet Host
Return packet, before NAT:    Src Addr Internet Host, Dest Addr 171.69.68.10
Return packet, after NAT:     Src Addr Internet Host, Dest Addr 10.6.1.20

Problem: Changing ISPs.
Solution: NAT eliminates the need for host renumbering when changing ISPs or IP addressing schemes; only the inside global addresses configured on the NAT router change.

Benefits: Network Privacy

A port-scanning packet from an Internet host with Dest Addr 171.69.68.10 has no entry in the translation table and is dropped; it never reaches 10.6.1.20.

Problem: The internal network should not be visible to external users.
Solution: NAT enhances network privacy since the assigned addresses are hidden, and it defeats port scanning of the subnet.

This is a beneficial side effect of NAT. NAT is not a security protocol, and Cisco does not recommend that NAT be thought of as a security feature; it is not a replacement for true security devices such as a PIX or IOS Firewall. Having said that, without a translation in the NAT translation table the packet will be dropped by the router. Note that a static translation is always in the table, so a host behind a static entry is exactly as scannable as the global address it maps to. The NAT-enabled router will answer a dropped packet with an ICMP unreachable message; turn ICMP unreachables off on the outside interface (interface command "no ip unreachables") so that a scanner cannot make the router generate one message per probe, which reduces the risk of a denial of service and also tells the scanner less.

Application Support

Introduced in Cisco IOS software release 11.2(1), October 1996.
Cisco IOS NAT performs "stateful inspection" on the applications it has awareness of.

NAT has been around since October 1996 and its basic functionality has not changed. When changes are made to the NAT code, they are made to support applications that carry IP addresses in the data portion of the packet (FTP, for example, sends the client's address and port inside the PORT command). So when considering NAT or PAT, you need to consider the applications running on the network: if an application embeds IP addresses, check whether NAT or PAT will translate them.


NAT Concepts: Inside and Outside

Inside Network, Inside Interface (ip nat inside), NAT router, Outside Interface (ip nat outside), Outside Network. The Inside Host is on the inside network and the Outside Host on the outside network.

An interface on the router can be defined as inside or outside.
Translations occur only between an inside and an outside interface, in either direction, never between two interfaces of the same type.

What happens when a packet goes from an inside interface to an unmarked interface? No translation occurs. From an unmarked interface to an outside interface? Again, no translation occurs. Translations only occur when going from an inside interface to an outside interface or vice versa.

A caution about the significance of inside and outside: if you use the interface roles to explain inside local and outside local addresses you will get confused. What you should walk away with here is that a translation will only occur when going from inside to outside or vice versa. The only other place where the inside and outside interface definitions are significant is which side can produce a new translation: "ip nat inside source ..." means that packets received on the inside interface can create a new translation entry. Do not use the inside and outside interfaces to explain inside local and outside local!

NAT Concepts: Static and Dynamic Translations

NAT translations are static or dynamic.

Static translations are entered directly into the configuration and are always in the translation table:
ip nat inside source static 10.6.1.20 171.69.68.10

Dynamic translations use access lists to identify the IP addresses that NAT should create translations for:
ip nat inside source list 1 pool nat-pool
access-list 1 permit 10.0.0.0 0.255.255.255

0.255.255.255 is a wildcard mask, not a subnet mask: a 0 bit means the address bit must match, a 1 bit means don't care, so this list permits all of 10.0.0.0/8.

Static vs. Dynamic Translations

Static translations: when you need to be able to initiate a connection from both the inside and the outside (for example to an SMTP or Web server), or when you want a specific host always translated to a specific IP address.
Dynamic translations: when connections are initiated from only the inside or only the outside; the entry is created by the first packet of a flow and removed again when it times out.

NAT Concepts: Local and Global Addresses

An IP address is either local or global.

Outbound packet from Inside Host, before NAT:  Src Addr Inside Local,   Dest Addr Outside Host
Outbound packet, after NAT:                    Src Addr Inside Global,  Dest Addr Outside Host
Inbound packet from Outside Host, before NAT:  Src Addr Outside Global, Dest Addr Inside Global
Inbound packet, after NAT:                     Src Addr Outside Local,  Dest Addr Inside Local

Remember: local IP addresses are the ones seen on the inside network. If you remember this fact, you will be able to read any of the documentation and understand it. Don't use the inside interface or outside interface for reference here or you will get confused.

Local IP addresses are seen in the inside network.
Global IP addresses are seen in the outside network.

Inside Local/Inside Global Example

Outbound packet, before NAT:  Src Addr 10.6.1.20,    Dest Addr Outside Host
Outbound packet, after NAT:   Src Addr 171.69.68.10, Dest Addr Outside Host

For outbound packets an address is dynamically allocated from the NAT address pool. The pool holds 171.69.68.10 through 171.69.68.13; once 171.69.68.10 has been allocated to 10.6.1.20, the pool has .11, .12 and .13 free and the translation table contains:

Pro Inside global      Inside local       Outside local      Outside global
--- 171.69.68.10       10.6.1.20          ---                ---

The translation table is exactly what you see when you type "show ip nat translations", minus the lines and colors. Keep in mind how the router works: it first looks for a translation to use in the translation table; if it can't find one, it then looks at the access lists to see if it can create one.

The same entry in the translation table is used to translate the return packet:

Return packet from Outside Host, before NAT:  Src Addr Outside Host, Dest Addr 171.69.68.10
Return packet, after NAT:                     Src Addr Outside Host, Dest Addr 10.6.1.20

NAT Terminology

Inside local: the configured IP address assigned to a host on the inside network. The address may be globally unique, allocated out of the private address space defined in RFC 1918, or even officially allocated to some other organization.
Inside global: the IP address of an inside host as it appears to the outside host and network (the "translated IP address"). These addresses can be allocated from a globally unique address space, typically provided by the ISP if the enterprise is connected to the global Internet.
Outside global: the IP address assigned to a host on the outside network by its owner.
Outside local: the IP address of an outside host as it appears to the inside network; it need not be the same as the outside global address.

NAT Concepts: Translating Both Addresses

Outbound packet from Inside Host, before NAT:  Src Addr Inside Local,  Dest Addr Outside Local
Outbound packet, after NAT:                    Src Addr Inside Global, Dest Addr Outside Global

When a packet contains both a source and a destination address that need to be translated, the router translates both IP addresses. Local IP addresses are seen on the inside network, while global IP addresses are seen on the outside network.

NAT Concepts: One to One or Many to One

Router# show ip nat translations
Pro Inside global       Inside local        Outside local        Outside global
--- 171.69.70.15        192.168.1.80        ---                  ---
tcp 171.69.68.10:1202   10.6.15.2:1202      204.71.200.67:80     204.71.200.67:80
tcp 171.69.68.10:1460   10.8.20.25:1460     204.71.200.69:80     204.71.200.69:80

A NAT translation is one to one or many to one.
One-to-one translations (NAT) assign a different IP address for each translation; the first entry above is one, with no protocol or ports recorded.
Many-to-one translations (PAT) can assign the same IP address to every translation; the two tcp entries share 171.69.68.10 and are told apart by the port.


PAT

Router# show ip nat translations
Pro Inside global       Inside local        Outside local        Outside global
tcp 171.69.68.5:1405    10.6.15.2:1405      204.71.200.69:80     204.71.200.69:80

PAT (Port Address Translation) includes ports in addition to IP addresses.
Many-to-one translation: maps multiple inside IP addresses to one or a few global IP addresses.
The unique source port number identifies each session.
Conserves registered IP addresses.
Also called NAPT in IETF documents.
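The following Python model is added here and is not Cisco IOS code or part of the original slides. It ties together several of the slides above in one runnable piece: the PAT mechanics of the Basic Concept of PAT slide (including what happens when two inside hosts choose the same source port), the static and dynamic entries and the wildcard-mask access list of the NAT Concepts slides, the table-before-access-list lookup of the Inside Local/Inside Global example, the overlapping-address case of the corporate acquisition benefit, and the dropped unsolicited packet of the privacy benefit. The addresses are the slides' own; Packet, NatRouter and acl_permits are names chosen for this example, and entries are keyed on the inside side only, which is a simplification of the extended entries IOS keeps.

```python
"""Model of the NAT/PAT translation table these slides describe.  Added example,
not Cisco IOS code: the addresses 10.6.1.20, 10.6.1.6, 171.69.68.10 and
204.71.200.69 are the slides' own; Packet, NatRouter and acl_permits are names
chosen here, and entries are keyed on the inside side only (IOS keeps extended
entries with the outside address too)."""
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, List, Optional, Tuple

Key = Tuple  # (addr,) for one-to-one NAT, (proto, addr, port) for PAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def acl_permits(addr: str, network: str, wildcard: str) -> bool:
    """Match as 'access-list 1 permit 10.0.0.0 0.255.255.255' does: a 0 bit in the
    wildcard mask must match the network, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


class NatRouter:
    """'ip nat inside source list <acl> pool <pool>' between an inside and an outside
    interface.  overload=True is PAT: all inside hosts share the first pool address
    and entries carry (proto, address, port); otherwise each host holds a pool address."""

    def __init__(self, acl: List[Tuple[str, str]], pool: List[str], overload: bool = False):
        self.acl, self.free_pool, self.overload = acl, list(pool), overload
        self.globals = set(pool)                  # addresses the router answers for
        self.static: Dict[str, str] = {}          # inside local -> inside global
        self.outside_static: Dict[str, str] = {}  # outside global -> outside local
        self.fwd: Dict[Key, Key] = {}             # dynamic entries, local key -> global key
        self.rev: Dict[Key, Key] = {}             # dynamic entries, global key -> local key

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """'ip nat inside source static <local> <global>': always in the table."""
        self.static[inside_local] = inside_global
        self.globals.add(inside_global)

    def add_outside_static(self, outside_global: str, outside_local: str) -> None:
        """Give an outside host a non-overlapping address as seen from the inside."""
        self.outside_static[outside_global] = outside_local

    def _allocate(self, pkt: Packet) -> Optional[Key]:
        if self.overload:
            g, port = self.free_pool[0], pkt.sport
            if (pkt.proto, g, port) in self.rev:      # source port already in use on g:
                port = next(p for p in range(1024, 65536) if (pkt.proto, g, p) not in self.rev)
            return (pkt.proto, g, port)
        return (self.free_pool.pop(0),) if self.free_pool else None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source (and an outside-local destination).
        Returns None when the packet is dropped."""
        to_global = {loc: glob for glob, loc in self.outside_static.items()}
        pkt = replace(pkt, dst=to_global.get(pkt.dst, pkt.dst))
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        lkey = (pkt.proto, pkt.src, pkt.sport) if self.overload else (pkt.src,)
        gkey = self.fwd.get(lkey)                    # existing entry is checked before the ACL
        if gkey is None:
            if not any(acl_permits(pkt.src, n, w) for n, w in self.acl):
                return pkt                           # not matched by the list: routed untranslated
            gkey = self._allocate(pkt)
            if gkey is None:
                return None                          # pool exhausted
            self.fwd[lkey], self.rev[gkey] = gkey, lkey
        return replace(pkt, src=gkey[1], sport=gkey[2]) if self.overload else replace(pkt, src=gkey[0])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only an entry already in the table can rewrite the destination."""
        pkt = replace(pkt, src=self.outside_static.get(pkt.src, pkt.src))
        for local, glob in self.static.items():
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        gkey = (pkt.proto, pkt.dst, pkt.dport) if self.overload else (pkt.dst,)
        lkey = self.rev.get(gkey)
        if lkey is not None:
            return replace(pkt, dst=lkey[1], dport=lkey[2]) if self.overload else replace(pkt, dst=lkey[0])
        return None if pkt.dst in self.globals else pkt  # a global address with no entry: dropped

    def show_translations(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations' (outside columns omitted)."""
        rows = [f"{'Pro':<4}{'Inside global':<22}{'Inside local':<22}"]
        rows += [f"{'---':<4}{g:<22}{l:<22}" for l, g in self.static.items()]
        for gkey, lkey in self.rev.items():
            if self.overload:
                g, l = f"{gkey[1]}:{gkey[2]}", f"{lkey[1]}:{lkey[2]}"
                rows.append(f"{gkey[0]:<4}{g:<22}{l:<22}")
            else:
                rows.append(f"{'---':<4}{gkey[0]:<22}{lkey[0]:<22}")
        return rows
```

Build a router with NatRouter(acl=[("10.0.0.0", "0.255.255.255")], pool=["171.69.68.10"], overload=True) and send outbound() packets from 10.6.1.20:2031 and 10.6.1.6:1506: both come out as 171.69.68.10 with their ports kept, which is the pair of entries on the Basic Concept of PAT slide. A third host that also picks source port 2031 is moved to the first free global port, and a return packet is matched on its destination port alone. An inbound() packet to 171.69.68.10:22 with no entry returns None, the dropped scan of the privacy slide, while a host behind add_static() is reachable from outside at any port. Without overload the same class behaves as one-to-one NAT and returns None once the pool is empty.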

Outside Address Assignment

The inside global addresses that NAT hands out can come from:
1) A pool of IP addresses.
2) The address of an interface, named in the configuration instead of a pool.

The interface's own IP address can be assigned:
1) Statically configured
2) Via PPP (IPCP)
3) Via DHCP on Ethernet interfaces [12.1(2)T]; more interface types to follow

NAT vs. PAT

NAT: when there is a sufficient number of IP addresses for one-to-one translations.
PAT: when there is an insufficient number of IP addresses available to translate all of the inside addresses.


How Much Memory?

42 KB of system memory to enable NAT.
160–200 bytes for each entry in the NAT translation table.
1,000 entries use approximately 205 KB of memory (including the 42 KB base).

NAT Order of Operation

Outbound packet (inside interface to outside interface), before NAT:  Src Addr Inside Local,   Dest Addr Outside Local
Outbound packet, after NAT:                                           Src Addr Inside Global,  Dest Addr Outside Global
Inbound packet (outside interface to inside interface), before NAT:   Src Addr Outside Global, Dest Addr Inside Global
Inbound packet, after NAT:                                            Src Addr Outside Local,  Dest Addr Inside Local

For an inside-to-outside packet the router routes first and then translates; for an outside-to-inside packet it translates first and then routes, so the routing decision is made on the inside local destination address.
NAT always checks the translation table for an entry before consulting the access lists.
For the full NAT order of operation see http://www.cisco.com/warp/public/556/5.html

Summary

NAT provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes.
NAT eliminates costs associated with host renumbering.
NAT eases IP address management.
NAT enhances network privacy.

References

RFC 1631, The IP Network Address Translator
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations
IETF NAT working group charter: http://www.ietf.org/html.charters/nat-charter.html
NAT Technical Tips: http://www.cisco.com/warp/public/556/index.shtml
NAT FAQ (includes platform support): http://www.cisco.com/warp/public/458/41.html
TAC NAT page: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:NAT

© 2001, Cisco Systems, Inc. All rights reserved.