Scaling Networks with Network Address Translation
Solutions for IPv4 Security and Scalability
ECPI College of Technology, Department of Computer Information Sciences
Mtaylor v2009-3
Objectives
Understand the limits of traditional addressing methods
Describe how Network Address Translation can contribute to security
Describe how Port Address Translation enhances usage of scarce public IP addresses
NAT Presentation Lab 6.1
Optional but useful: set this lab up to follow along with the presentation.
Limits of Public Internet Addresses
Limited number of networks available for private use
– Most Class A and Class B network numbers had already been claimed by 1990
Numbers are usually controlled by providers
– Provider-assigned space makes it difficult to change providers (renumbering)
– This lock-in makes the market less competitive
Solution: Private Address Ranges (RFC 1918)
Class   Network range                      CIDR prefix
A       10.0.0.0 – 10.255.255.255          10.0.0.0/8
B       172.16.0.0 – 172.31.255.255        172.16.0.0/12
C       192.168.0.0 – 192.168.255.255      192.168.0.0/16
Big limitation: these addresses must not be routed on the public Internet. An ISP edge router that follows RFC 1918 filters and drops packets carrying them. Note that the filtering is the ISP's policy, not a property of the addresses: a host with a private address is still reachable from any network that has a route to it, so private addressing alone is not an access control.
What to do?
Translate the private IP address at the border of the network into a public IP address that the Internet can use.
This is called Network Address Translation (NAT).
NAT Terminology
Inside Local Address
– An IP address assigned to a host inside the network. This address is usually an RFC 1918 private address.
Inside Global Address
– A legitimate public IP address, assigned by the registry or the service provider, that represents one or more inside local addresses to the outside world.
Outside Local Address
– The IP address of an outside host as it is known to the hosts on the inside network.
Outside Global Address
– The IP address assigned to a host on the outside network by that host's owner.
Basic Process of NAT
The inside source address is a private address, the inside local address. At the border router it is translated into an inside global address, a public address that is routable on the Internet.
"Outside" means the public side: the inside global address is what the rest of the world sees as the source of the packet.
The router records the pair (inside local, inside global) in a translation table. When a reply comes back addressed to the inside global address, the table is used to rewrite the destination back to the inside local address and deliver the packet to the host it belongs to.
Only the source address field of the IP header is rewritten on the way out; the destination address and the rest of the header are unchanged. Because the IP header checksum covers the address fields, the router must recompute it, and for TCP and UDP it must also recompute the transport checksum, which covers a pseudo-header containing both IP addresses.
[Figure: original IP header (source address = private inside local address) beside the translated header (source address = inside global address); version, header length, type of service, total length and destination address are unchanged.]
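The header rewrite described above, shown as an added example (this is not code from the original presentation or from Cisco). It builds a sample IPv4/UDP packet with RFC 5737 documentation addresses and an RFC 1918 inside host (sample values chosen here, not from the deck), rewrites the source address the way a NAT router does, and fixes both the IP header checksum and the UDP pseudo-header checksum. The checker shows that a naive address swap without the checksum fix-up produces a packet the far end would discard.

```python
"""NAT source-address rewrite on a raw IPv4/UDP packet with checksum fix-up.

Added example; addresses are RFC 5737 / RFC 1918 sample values, not real hosts.
"""
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit words into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header + UDP header + payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    c = checksum(pseudo + udp)
    return c or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a well-formed IPv4/UDP packet (constructed sample input)."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(s, d, udp)) + udp[8:]
    total_len = 20 + len(udp)
    # version/IHL, TOS, total length, ID, flags+frag (DF), TTL, proto, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 17, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + udp


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What the NAT router does on the inside->outside path:
    replace the source address, recompute the IP header checksum, and
    recompute the transport checksum (its pseudo-header includes the address)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = packet[16:20]
    new_s = IPv4Address(new_src).packed
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = new_s               # only the source address field changes
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    body = bytearray(packet[ihl:])
    if proto == 17 and len(body) >= 8:          # UDP
        body[6:8] = b"\x00\x00"
        body[6:8] = struct.pack("!H", udp_checksum(new_s, dst, bytes(body)))
    elif proto == 6 and len(body) >= 20:        # TCP
        body[16:18] = b"\x00\x00"
        pseudo = new_s + dst + struct.pack("!BBH", 0, 6, len(body))
        body[16:18] = struct.pack("!H", checksum(pseudo + bytes(body)))
    return bytes(hdr) + bytes(body)


def checksums_valid(packet: bytes) -> bool:
    """A receiver's view: header (and UDP) checksums must sum to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return False
    if packet[9] == 17:
        pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, len(packet) - ihl)
        return ones_complement_sum(pseudo + packet[ihl:]) == 0xFFFF
    return True


def src_of(packet: bytes) -> str:
    return str(IPv4Address(packet[12:16]))


def dst_of(packet: bytes) -> str:
    return str(IPv4Address(packet[16:20]))


if __name__ == "__main__":
    pkt = build_ipv4_udp("10.1.1.5", "198.51.100.7", 40000, 53, b"hello")
    out = nat_rewrite_source(pkt, "203.0.113.2")
    print(src_of(pkt), "->", src_of(out), "dst unchanged:", dst_of(out), "valid:", checksums_valid(out))
```

The return path is the mirror image: the router rewrites the destination address from the inside global back to the inside local address and repeats the same two checksum fix-ups.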
NAT Implementations
Static NAT
– One-to-one mapping of an internal IP address to a specific external address
Dynamic NAT
– Many-to-many mapping of a pool of internal addresses to a pool of external addresses
Static NAT: one-to-one mapping
In this scenario only the specific machines defined in the static translations have Internet access. Note that a static translation is bidirectional and permanent: the inside host is reachable from the Internet at its inside global address at all times, so static NAT is typically used for servers and must be paired with an access list or firewall on the outside interface.
Dynamic NAT uses an address pool
Machines 1.3, 1.4 and 1.5 currently have an outside translation.
Additional machines get a translation only when one of these finishes its session and its pool address is freed.
Port Address Translation
Multiple inside local addresses are translated into a single inside global (routable) address; the router keeps them apart by rewriting the TCP/UDP source port as well as the address. The security benefit of NAT and PAT is indirect: an outside host cannot reach an inside host until a table entry exists, but what traffic is permitted is decided by an access list or firewall, not by the translation itself.
Configuring NAT
Regardless of whether it is NAT (static or dynamic) or PAT, the inside and outside interfaces must be defined.
Implementing Static NAT
On the perimeter router in global configuration mode:
Perimeter(config)#ip nat inside source static
On the perimeter router fa0/0 interface:
Perimeter(config-if)#ip nat inside
On the perimeter router s0/0 interface:
Perimeter(config-if)#ip nat outside
Repeat the first line for each inside-to-outside translation.
Verifying the Translation
Router-A#show ip nat translations
Pro Inside global Inside local Outside local Outside global
Router-A#debug ip nat
The lines below are in the IP: s=…, d=… format of debug ip packet output rather than the NAT: / NAT*: lines that debug ip nat itself prints (see the CCNA question later in this deck). They show an ICMP echo request (type 8) arriving on Serial0 that the router could not forward, and the ICMP host unreachable (type 3, code 1) it sent back:
IP: s= (Serial0), d= , len 100, unroutable ICMP type=8, code=0
IP: s= (local), d= (Serial0), len 56, sending ICMP type=3, code=1
Implementing Dynamic NAT
Define a pool and use an access list to select which inside local addresses may use it:
(config)#ip nat pool mynetwork netmask
(config)#access-list 7 permit
(config)#ip nat inside source list 7 pool mynetwork
Note that in this example the number of addresses in the pool matches the number of addresses in the network exactly. The access list only selects candidates; the pool size caps how many hosts hold a translation at the same time. As long as no more than 31 hosts need Internet access at once, the source list can permit as many addresses as we wish.
To add another network to the mix, add another permit line:
router(config)#access-list 7 permit
Again, when the 32nd host attempts to get a translation there is no free address in the pool: the router drops the packet (counted as a miss in show ip nat statistics) until an existing translation is cleared (clear ip nat translation *) or times out (the idle timer set with ip nat translation timeout).
To set up multiple subnets
Set up 'ip nat inside' on both Ethernet interfaces
Create the pool
Include both networks in the access list (use a wildcard mask)
ip nat pool duhpool netmask
access-list 7 permit
access-list 7 permit
ip nat inside source list 7 pool duhpool
Implementing PAT using overload
ip nat pool lotsofthem prefix-length 24
ip nat inside source list 7 pool lotsofthem overload
The overload keyword makes the router build a many-to-one translation table: each inside local address and source port is mapped to the shared inside global address and a unique port, and replies are matched on the port to find the right inside host. A common variant overloads the outside interface's own address instead of a pool: ip nat inside source list 7 interface Serial0/0 overload. Protocols that carry no port numbers (for example GRE or IPsec ESP) cannot be multiplexed this way and need static or protocol-specific handling.
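The translation-table behaviour described on the last few slides (static one-to-one mapping, a dynamic pool that runs out, and PAT overload on a single address) as an added example in Python. This is a toy model written for this page, not Cisco IOS code; the pool, access list and host addresses are RFC 5737 / RFC 1918 sample values chosen here. It shows the three things the slides describe: the dynamic pool refusing a new host once every address is in use until a translation is released, PAT multiplexing several hosts on one address by port, and unsolicited inbound packets with no table entry being dropped.

```python
"""Toy NAT/PAT translation table: static, dynamic pool and overload (PAT).

Added example, not Cisco code. Addresses are sample RFC 5737/1918 values.
"""
from ipaddress import IPv4Address, IPv4Network


class PoolExhausted(Exception):
    """No free inside global address: IOS drops the packet and counts a miss."""


class Nat:
    def __init__(self, pool, inside_acl, static=None, overload=False):
        self.pool = [IPv4Address(a) for a in pool]        # inside global addresses
        self.acl = [IPv4Network(n) for n in inside_acl]   # 'permit' entries of the list
        self.overload = overload
        self.static = {IPv4Address(k): IPv4Address(v) for k, v in (static or {}).items()}
        self.static_rev = {g: l for l, g in self.static.items()}
        self.in_use = set(self.static.values())           # globals held by a translation
        self.dynamic = {}   # inside local -> inside global (dynamic NAT)
        self.forward = {}   # PAT: (proto, local, lport) -> (global, gport)
        self.reverse = {}   # NAT: global -> local; PAT: (proto, global, gport) -> (local, lport)

    def _permitted(self, local):
        return any(local in net for net in self.acl)

    def _global_for(self, local):
        if local in self.static:
            return self.static[local]
        if local in self.dynamic:
            return self.dynamic[local]
        if self.overload:
            return self.pool[0]               # one shared address for everybody
        free = [g for g in self.pool if g not in self.in_use]
        if not free:
            raise PoolExhausted("no free inside global address for %s" % local)
        self.dynamic[local] = free[0]
        self.in_use.add(free[0])
        return free[0]

    def _free_port(self, proto, glob):
        for p in range(1024, 65536):
            if (proto, glob, p) not in self.reverse:
                return p
        raise PoolExhausted("no free ports on %s" % glob)

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving the inside interface. Returns (new_src, new_sport)."""
        local = IPv4Address(src)
        if local not in self.static and not self._permitted(local):
            return src, sport                  # not selected by the access list: untranslated
        glob = self._global_for(local)         # may raise PoolExhausted
        if not self.overload:
            self.reverse[glob] = local
            return str(glob), sport
        key = (proto, local, sport)
        if key not in self.forward:
            # PAT keeps the original port when it is free on the shared address
            gport = sport if (proto, glob, sport) not in self.reverse else self._free_port(proto, glob)
            self.forward[key] = (glob, gport)
            self.reverse[(proto, glob, gport)] = (local, sport)
        glob, gport = self.forward[key]
        return str(glob), gport

    def inbound(self, proto, dst, dport):
        """Packet arriving on the outside interface. Returns (inside_local, port)
        or None when no table entry matches, in which case the router drops it."""
        glob = IPv4Address(dst)
        if not self.overload:
            if glob in self.static_rev:
                return str(self.static_rev[glob]), dport
            if glob in self.reverse:
                return str(self.reverse[glob]), dport
            return None
        entry = self.reverse.get((proto, glob, dport))
        return (str(entry[0]), entry[1]) if entry else None

    def release(self, local):
        """Simulate a translation timeout for one inside host."""
        local = IPv4Address(local)
        glob = self.dynamic.pop(local, None)
        if glob is not None:
            self.in_use.discard(glob)
            self.reverse.pop(glob, None)
        for key in [k for k in self.forward if k[1] == local]:
            g, gp = self.forward.pop(key)
            self.reverse.pop((key[0], g, gp), None)
```

With a two-address pool the third inside host gets PoolExhausted until release() frees an entry; with overload=True the same single address serves every host because the port, not the address, distinguishes the flows.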
Sample CCNA Question
Use the _____ command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router.
debug ip nat
debug ip nat verbose
show ip nat statistics
show ip nat translations
Answer: debug ip nat (the show commands display the table or counters, not every translated packet).
CCNA NAT/PAT question
You implement Network Address Translation (NAT) on the network. You verify the NAT configuration on the network. You issue the debug ip nat command on router-F to turn on debugging. You then issue the show log command to view the debug output. The following is the output of the debug command:
05:32:23: NAT: s= > , d= [70]
05:32:23: NAT*: s= , d= > [70]
05:32:25: NAT*: s= > , d= [71]
05:32:25: NAT*: s= , d= > [71]
05:32:27: NAT*: s= > , d= [72]
05:32:27: NAT*: s= , d= > [72]
05:32:29: NAT*: s= > , d= [73]
05:32:29: NAT*: s= , d= > [73]
05:32:31: NAT*: s= > , d= [74]
05:32:31: NAT*: s= , d= > [74]
What can you interpret from the above output? (Choose all that apply.)
How to read the lines: s=A->B means the source address A was translated to B on the way out; d=B->A on the following line means the destination of the reply was translated back. NAT: (no asterisk) marks the process-switched first packet of a flow, which creates the table entry; NAT*: marks fast-switched packets that matched an existing entry. The number in brackets is the packet's IP identification field.
Choose 2
1. The source address is translated to
2. The destination address is translated back to
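A small parser for debug ip nat output of the kind shown in the question, added here as an example (it is not part of the original presentation). The sample lines are constructed in the IOS format with RFC 5737 documentation addresses and an RFC 1918 inside host, since the real addresses are not given on the slide. It recovers the (inside local, inside global) pairs and the direction of each line, which is exactly what the question asks the reader to interpret.

```python
"""Parse IOS `debug ip nat` lines and recover the translations they show.

Added example. SAMPLE_DEBUG is constructed in the IOS output format with
documentation addresses; it is not captured from a real router.
"""
import re

SAMPLE_DEBUG = """\
05:32:23: NAT: s=10.1.1.10->203.0.113.5, d=198.51.100.20 [70]
05:32:23: NAT*: s=198.51.100.20, d=203.0.113.5->10.1.1.10 [70]
05:32:25: NAT*: s=10.1.1.10->203.0.113.5, d=198.51.100.20 [71]
05:32:25: NAT*: s=198.51.100.20, d=203.0.113.5->10.1.1.10 [71]
05:32:27: NAT*: s=10.1.1.10->203.0.113.5, d=198.51.100.20 [72]
05:32:27: NAT*: s=198.51.100.20, d=203.0.113.5->10.1.1.10 [72]
05:32:29: NAT*: s=10.1.1.10->203.0.113.5, d=198.51.100.20 [73]
05:32:29: NAT*: s=198.51.100.20, d=203.0.113.5->10.1.1.10 [73]
05:32:31: NAT*: s=10.1.1.10->203.0.113.5, d=198.51.100.20 [74]
05:32:31: NAT*: s=198.51.100.20, d=203.0.113.5->10.1.1.10 [74]
"""

# timestamp, optional fast-switch asterisk, s=A[->B], d=C[->D], [ip-id]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): NAT(?P<fast>\*?): "
    r"s=(?P<src>[\d.]+)(?:->(?P<src_t>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_t>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """Return a dict describing one debug line, or None if it is not a NAT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    ev = {"ts": g["ts"], "ipid": int(g["ipid"]), "fast": g["fast"] == "*"}
    if g["src_t"]:
        # outbound: the source was rewritten from inside local to inside global
        ev.update(direction="out", inside_local=g["src"], inside_global=g["src_t"], outside=g["dst"])
    elif g["dst_t"]:
        # inbound reply: the destination was rewritten from inside global back to inside local
        ev.update(direction="in", inside_local=g["dst_t"], inside_global=g["dst"], outside=g["src"])
    else:
        return None
    return ev


def summarize(text):
    """{(inside_local, inside_global): {"out": n, "in": n, "fast": n}} over a debug capture."""
    summary = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["inside_local"], ev["inside_global"])
        counts = summary.setdefault(key, {"out": 0, "in": 0, "fast": 0})
        counts[ev["direction"]] += 1
        counts["fast"] += int(ev["fast"])
    return summary


if __name__ == "__main__":
    for (local, glob), counts in summarize(SAMPLE_DEBUG).items():
        print("%s is translated to %s: %s" % (local, glob, counts))
```

Applied to the sample, the summary shows one inside host translated to one inside global address, five packets out and five replies translated back, with only the first packet process-switched.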
Sample CCNA Question
You have started to configure Router A as a network address translation (NAT) device. You have defined its Fast Ethernet 0/0 interface as the NAT inside interface and its Serial 0/0 interface as the NAT outside interface. Using the router simulation, use unabbreviated Cisco Internetwork Operating System (IOS) commands from the console to do the following on Router A:
* Configure access control list (ACL) 1 to permit all addresses in the /24 subnet.
* Configure a NAT pool called thepool with addresses through , with a subnet mask
* Configure NAT to translate inside source addresses that match ACL 1 into addresses from the pool thepool.
Answer:
RouterA(config)#access-list 1 permit
RouterA(config)#ip nat pool thepool netmask
RouterA(config)#ip nat inside source list 1 pool thepool
CCNA Sample Exam Question
You are the network administrator for your company. You are in the process of implementing Network Address Translation (NAT) on the network. You use the following command in the NAT configuration:
ip nat inside source list 8 pool not-overload
Which correctly describes the operation of this command? (Choose all that apply.)
A. This command ensures that any packets received on the inside interface that are permitted by source-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
B. NAT overloading is used.
C. This command ensures that any packets received on the inside interface that are permitted by access-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
D. NAT overloading is not used.
Answers: C and D. The "list 8" keyword refers to access-list 8 (there is no "source-list"), and overloading would require the overload keyword at the end of the command.
CCNA Exam Sample
The exhibit displays part of your network. You have configured Router A as a network address translation (NAT) device. The following displays part of Router A's configuration:
access-list 1 permit
ip nat pool newpool netmask
ip nat inside source list 1 pool newpool
interface fastethernet 0/0
ip address
ip nat inside
interface serial 0/0
ip address
ip nat outside
router rip
network
network
While you are testing, you discover that Host A cannot ping Host B. What should you do to resolve this issue? (Choose two statements.)
A. Change access-list 1 permit to access-list 1 permit
B. Change ip nat inside on interface fastethernet 0/0 to ip nat outside.
C. Change network to network
D. Add a loopback interface with an Internet Protocol (IP) address in the network address space.
E. Add a loopback interface with an Internet Protocol (IP) address in the network address space.
F. Change ip nat outside on interface serial 0/0 to ip nat inside.
Lab Activity for NAT-PAT
Note that switches A and B are not used in this lab.
Router C is needed to make use of the 'debug ip nat' commands.
Summary Questions
What is the difference between NAT and PAT?
What might be a situation in which you would use both NAT and PAT?
How can NAT/PAT enhance security?
How might a Layer 2 encryption cause problems for NAT?
Which interface is the 'ip nat inside' command applied to?