
Scaling Networks with Network Address Translation: Solutions for IPv4 Security and Scalability (ECPI College of Technology)




1 Scaling Networks with Network Address Translation: Solutions for IPv4 Security and Scalability
ECPI College of Technology, Department of Computer Information Sciences
Mtaylor v2009-3

2 Objectives
– Understand the limits of traditional addressing methods
– Describe how Network Address Translation can contribute to security
– Describe how Port Address Translation stretches a scarce supply of public IP addresses

3 NAT Presentation Lab 6.1
Optional but useful: set this lab up to follow along with the presentation.

4 Limits of Public Internet Addresses
– Limited number of networks available for private use
  – Most Class A and Class B network numbers had been claimed by 1990
– Numbers are usually controlled by providers
  – Makes it difficult to change providers
  – Makes the market less competitive

5 Solution: Private Address Ranges (RFC 1918)

Class   Network Range                      CIDR Prefix
A       10.0.0.0 – 10.255.255.255          10.0.0.0/8
B       172.16.0.0 – 172.31.255.255        172.16.0.0/12
C       192.168.0.0 – 192.168.255.255      192.168.0.0/16

Big limitation: these addresses are not routable on the public Internet. Because every site may reuse the same ranges, no Internet router can hold a meaningful route to them, and ISP border routers normally filter and drop packets that carry them as source or destination.

6 What to do?
– Translate the private IP address at the border of the network into a public IP address that the Internet can use.
– This is called Network Address Translation (NAT).

7 NAT Terminology
– Inside local address: an IP address assigned to a host inside the network. This address is likely to be an RFC 1918 private address.
– Inside global address: a legitimate IP address assigned by the NIC or service provider that represents one or more inside local addresses to the outside world.
– Outside local address: the IP address of an outside host as it is known to the hosts on the inside network.
– Outside global address: the IP address assigned to a host on the outside network. The owner of the host assigns this address.

8 Basic Process of NAT
– The inside source address is a private address, also known as the inside local address. When the packet leaves the network, this address is changed (translated) into an inside global address, a public address that belongs to the site.
– "Outside" means the public side: the inside global address is what the rest of the world sees as the source of the packet.
– The inside local / inside global pair is kept in a translation table, so that when a reply comes back the router can rewrite the destination and deliver it to the host the packet belongs to.
[Figure: original IPv4 header (version, header length, type of service, total length, ..., source address = private inside local address, destination address) beside the translated header, whose source address is now the inside global address. The other fields are unchanged, with one exception the figure does not show: the IPv4 header checksum covers the source address, so the router must recompute it. For TCP and UDP the transport checksum covers a pseudo-header containing the IP addresses, so it has to be recomputed as well.]
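The checksum point above, worked through. This is added example code, not from the presentation: it builds an IPv4 header for a packet from 172.16.1.3 (the inside local address used later in this deck) to 198.51.100.10 (a constructed outside address from the documentation range), rewrites the source to the inside global address 201.1.1.1 the way the translating router would, and shows that the header checksum changes and that the RFC 1624 incremental update, which real translators use to avoid re-summing the whole header, produces the same value as a full recomputation. The TCP/UDP checksum needs the same treatment and is left out here.

```python
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words (checksum field zeroed by the caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, total_length=100, ident=0x1234, ttl=64, proto=1):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_is_valid(header):
    """Summing a correct header including its checksum field yields zero."""
    return ipv4_checksum(header) == 0


def nat_rewrite_source(header, new_src):
    """What the router does on the way out: replace bytes 12-15 (source) and recompute the checksum."""
    hdr = header[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + header[16:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def incremental_update(old_csum, old_word, new_word):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one changed 16-bit word."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def demo_translation():
    """Return (checksum before, recomputed after, incrementally updated after, both headers valid)."""
    original = build_ipv4_header("172.16.1.3", "198.51.100.10")   # constructed packet
    translated = nat_rewrite_source(original, "201.1.1.1")          # inside global address
    old = struct.unpack("!H", original[10:12])[0]
    new = struct.unpack("!H", translated[10:12])[0]
    inc = old
    for off in (12, 14):                     # the two 16-bit words of the source address
        inc = incremental_update(inc, struct.unpack("!H", original[off:off + 2])[0],
                                 struct.unpack("!H", translated[off:off + 2])[0])
    return old, new, inc, header_is_valid(original) and header_is_valid(translated)


if __name__ == "__main__":
    old, new, inc, ok = demo_translation()
    print(f"checksum before 0x{old:04x}, after 0x{new:04x}, incremental 0x{inc:04x}, valid={ok}")
```

A router that forgot this step would emit packets that every receiving host discards as corrupt, which is why the header is only "unchanged" in the fields the figure shows.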

9 NAT Implementations
– Static NAT: one-to-one mapping of an internal IP address to a specific external address.
– Dynamic NAT: many-to-many mapping of a pool of internal addresses to a pool of external addresses.

10 Static NAT: one-to-one mapping
In this scenario only the machines named in the static translations have Internet access. Packets from any other inside host are routed untranslated, with a private source address that upstream routers filter and that no Internet host could reply to.

11 Dynamic NAT uses an address pool
– Machines 1.3, 1.4 and 1.5 currently have an outside translation.
– Additional machines are given an address when one of these finishes its session and its entry times out of the table.

12 Port Address Translation (PAT)
Multiple inside local addresses are translated into a single inside global (routable) address; the router tells the sessions apart by rewriting the source port as well.
Security side effect: with dynamic NAT or PAT an outside host cannot start a connection to an inside host, because no translation entry exists until the inside host sends first. This is the main security benefit claimed for NAT. It is a by-product of state tracking, not a filtering policy: static entries are reachable from outside at any time, and NAT does not replace an access list or a stateful firewall on the border router.

13 Configuring NAT
Whether you use static NAT, dynamic NAT or PAT, the inside and outside interfaces must be defined with ip nat inside and ip nat outside; translation happens only for packets that cross from one to the other.

14 Implementing Static NAT
On the perimeter router, in global configuration mode:
  Perimeter(config)#ip nat inside source static 172.16.1.3 201.1.1.1
On the inside port (fa0/0):
  Perimeter(config-if)#ip nat inside
On the outside port (s0/0):
  Perimeter(config-if)#ip nat outside
Repeat the first line for each inside-to-outside translation.

15 Verifying the Translation
Router-A#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 201.1.1.1          172.16.1.3         ---                ---
For a static entry the protocol and outside columns are empty; the inside global column holds the public address and the inside local column the private one.

Router-A#debug ip nat
IP: s=172.16.1.3 (Serial0), d=201.1.1.1, len 100, unroutable
    ICMP type=8, code=0
IP: s=172.16.1.3 (local), d=201.1.1.1 (Serial0), len 56, sending
    ICMP type=3, code=1
Caution: the IP: lines above are in the format of debug ip packet (with detail), not debug ip nat, whose lines begin with NAT: as in the exam question later in this deck. They also record a failure rather than a translation: a packet for 201.1.1.1 is declared unroutable and the router answers with ICMP type 3, code 1 (host unreachable). When a translation you expect does not appear, check the hit and miss counters with show ip nat statistics.

16 Implementing Dynamic NAT
Define a pool and use an access list to select which inside addresses may use it:
  (config)#ip nat pool mynetwork 201.1.1.1 201.1.1.31 netmask 255.255.255.224
  (config)#access-list 7 permit 172.16.1.0 0.0.0.31
  (config)#ip nat inside source list 7 pool mynetwork
Note that the pool holds 31 public addresses (201.1.1.1 through 201.1.1.31), roughly the size of the inside network the list permits (172.16.1.0/27, 30 usable hosts). As long as no more than 31 inside hosts need the Internet at the same time, the access list can permit as many addresses as we wish.
Another network is added to the mix with another line:
  router(config)#access-list 7 permit 172.17.3.0 0.0.0.63
With the pool still at 31 addresses, the 32nd inside host that asks for a translation at the same time gets none: the router drops its packets and counts a miss (visible with show ip nat statistics) until an existing entry times out and frees an address.

17 To set up multiple subnets
– Set up ip nat inside on both Ethernet ports
– Create the pool
– Include both networks in the access list (use wildcard masks)

18 To set up multiple subnets
  ip nat pool duhpool 201.1.1.1 201.1.1.31 netmask 255.255.255.224
  access-list 7 permit 172.16.1.0 0.0.0.255
  access-list 7 permit 172.16.3.0 0.0.0.63
  ip nat inside source list 7 pool duhpool

19 Implementing PAT using overload
  ip nat pool lotsofthem 201.1.1.1 201.1.1.1 prefix-length 24
  ip nat inside source list 7 pool lotsofthem overload
The overload keyword makes the router rewrite the source port as well as the source address, so many inside hosts share the one address in the pool; each entry in the translation table is keyed by the address and port pair, which is how replies find their way back to the right host. The same many-to-one translation is usually configured without a pool, by overloading the address of the outside interface:
  ip nat inside source list 7 interface Serial0/0 overload
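The translation rules of slides 9 through 12 and the pool-exhaustion and overload behaviour of slides 16, 18 and 19, as one worked model. This is added example code, not part of the presentation and not Cisco IOS code: a small Python class that imitates ip nat inside source static, ip nat inside source list ... pool, and the overload keyword, including the reverse lookup for returning packets and the drop of unsolicited inbound traffic. The host addresses and ports are constructed, the 0.0.0.63 wildcard is widened from the slide's 0.0.0.31 so that a 32nd permitted host exists, and port selection, entry timeouts and the order in which IOS hands out pool addresses are simplified.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco access-list test: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


class NatRouter:
    """Toy model of 'ip nat inside source' (static, dynamic pool, overload). Not IOS code."""

    def __init__(self, acl=(), pool=None, overload=False, statics=None):
        self.acl = list(acl)                 # (network, wildcard) permit entries of the list
        self.pool = []
        if pool:                             # ip nat pool NAME <first> <last>
            first, last = (int(ipaddress.IPv4Address(a)) for a in pool)
            self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.statics = dict(statics or {})   # inside local -> inside global, fixed
        self.dynamic = {}                    # inside local -> inside global, one per host
        self.pat = {}                        # (inside local, port) -> (inside global, port')
        self.reverse = {}                    # (inside global, port') -> (inside local, port)
        self.next_port = 1024                # simplification: IOS picks ports differently
        self.misses = 0                      # the 'Misses' counter of show ip nat statistics

    def outbound(self, src, sport):
        """Packet from the inside interface: the (address, port) it leaves with, None if dropped."""
        if src in self.statics:              # static entry: fixed one-to-one, port untouched
            return self.statics[src], sport
        if not any(wildcard_match(src, n, w) for n, w in self.acl):
            return src, sport                # not permitted by the list: routed untranslated
        if self.overload:                    # PAT: single global address, unique source port
            if (src, sport) not in self.pat:
                entry = (self.pool[0], self.next_port)
                self.next_port += 1
                self.pat[(src, sport)] = entry
                self.reverse[entry] = (src, sport)
            return self.pat[(src, sport)]
        if src not in self.dynamic:          # dynamic NAT: a whole pool address per inside host
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                self.misses += 1             # pool exhausted: packet dropped, miss counted
                return None
            self.dynamic[src] = free[0]
        return self.dynamic[src], sport

    def inbound(self, dst, dport):
        """Packet from the outside interface: the inside (address, port), None if no entry."""
        for local, glob in self.statics.items():
            if glob == dst:                  # static entries are reachable from outside at any time
                return local, dport
        if self.overload:
            return self.reverse.get((dst, dport))
        for local, glob in self.dynamic.items():
            if glob == dst:
                return local, dport
        return None                          # no entry: unsolicited inbound packet is dropped


def demo_static():
    """Slide 10: only the host with a static entry is reachable; others leave untranslated."""
    r = NatRouter(statics={"172.16.1.3": "201.1.1.1"})
    return r.outbound("172.16.1.3", 51000), r.inbound("201.1.1.1", 80), r.outbound("172.16.1.4", 51000)


def demo_dynamic_exhaustion():
    """Slide 16: 31-address pool, hosts .1-.31 get addresses, the 32nd host is dropped."""
    r = NatRouter(acl=[("172.16.1.0", "0.0.0.63")], pool=("201.1.1.1", "201.1.1.31"))
    results = [r.outbound(f"172.16.1.{h}", 40000 + h) for h in range(1, 33)]
    return results[0], results[30], results[31], r.misses


def demo_pat():
    """Slides 18-19: two subnets, one global address, same source port on two hosts."""
    r = NatRouter(acl=[("172.16.1.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.63")],
                  pool=("201.1.1.1", "201.1.1.1"), overload=True)
    a = r.outbound("172.16.1.3", 50000)
    b = r.outbound("172.16.3.9", 50000)       # same port as host .3, gets a different global port
    reply = r.inbound(*b)                      # the reply to host 3.9 finds its way back
    unsolicited = r.inbound("201.1.1.1", 80)   # nobody inside sent first: dropped
    return a, b, reply, unsolicited


if __name__ == "__main__":
    print(demo_static())
    print(demo_dynamic_exhaustion())
    print(demo_pat())
```

The last value of demo_pat is the whole security argument for NAT in one line: an inbound packet with no matching entry has nowhere to go. Note also what demo_static shows about the untranslated host, since "not translated" is not the same as "blocked".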

20 Sample CCNA Question
Use the _____ command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router.
– debug ip nat
– debug ip nat verbose
– show ip nat statistics
– show ip nat translations
Answer: debug ip nat. The two show commands display the translation table and the hit/miss counters, not each packet, and debug ip nat verbose is not an IOS command (the more detailed variant is debug ip nat detailed).

22 CCNA NAT/PAT question
You implement Network Address Translation (NAT) on the network. You verify the NAT configuration on the network. You issue the debug ip nat command on router-F to turn on the debugging. You then issue the show log command to view the debug output. The following is the output of the debug command:
05:32:23: NAT: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [70]
05:32:23: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [70]
05:32:25: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [71]
05:32:25: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [71]
05:32:27: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [72]
05:32:27: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [72]
05:32:29: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [73]
05:32:29: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [73]
05:32:31: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [74]
05:32:31: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [74]
What can you interpret from the above output? (Choose all that apply.)

23 Choose 2
1. The source address 172.16.11.70 is translated to 10.10.50.4.
2. The source address 10.10.50.4 is translated to 172.16.11.70.
3. The destination address 172.16.11.70 is translated back to 10.10.50.4.
4. The destination address 10.10.50.4 is translated back to 172.16.11.70.
Answer: 2 and 3. In each s=a->b or d=a->b pair the address before the arrow is what the router received and the address after it is what it sent on, so outbound packets have their source rewritten from 10.10.50.4 (inside local) to 172.16.11.70 (inside global) and the replies have their destination rewritten back. The number in brackets is the IP identification field, which pairs each request with its reply. NAT (no asterisk) marks the first, process-switched packet that created the table entry; NAT* marks packets matched in the fast-switching path.
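The debug ip nat lines from the question above, parsed the way an analyst would when reading router logs. This is added example code, not part of the presentation: it interprets s=a->b and d=a->b as the answer explains, for translations created with ip nat inside source (with ip nat outside source the roles of the addresses would differ). The sample lines are copied from the question; the record field names (inside_local, inside_global, fast_switched) are my own.

```python
import re

# Constructed sample: the first four lines of the exam question's debug ip nat output.
SAMPLE = """\
05:32:23: NAT: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [70]
05:32:23: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [70]
05:32:25: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [71]
05:32:25: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [71]
"""

# ts: NAT or NAT*: s=<addr>[-><addr>], d=<addr>[-><addr>] [<ip id>]
LINE = re.compile(
    r"^(?P<ts>\S+): NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]$"
)


def parse_debug_ip_nat(text):
    """One record per line: which field was rewritten, the inside local/global pair, IP ID."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                     # not a debug ip nat line (or a format we don't know)
        if m["s2"]:                      # source rewritten: packet going inside -> outside
            rec = dict(direction="outbound", field="source",
                       inside_local=m["s"], inside_global=m["s2"])
        elif m["d2"]:                    # destination rewritten: reply going outside -> inside
            rec = dict(direction="inbound", field="destination",
                       inside_global=m["d"], inside_local=m["d2"])
        else:
            continue
        rec.update(ts=m["ts"], ip_id=int(m["id"]), fast_switched=m["fast"] == "*")
        records.append(rec)
    return records


def summarize(records):
    """The set of (inside local, inside global) pairs seen and the number of completed round trips."""
    mappings = {(r["inside_local"], r["inside_global"]) for r in records}
    by_id = {}
    for r in records:                    # the IP identification field pairs request and reply
        by_id.setdefault(r["ip_id"], set()).add(r["direction"])
    round_trips = sum(1 for dirs in by_id.values() if dirs == {"outbound", "inbound"})
    return mappings, round_trips


if __name__ == "__main__":
    recs = parse_debug_ip_nat(SAMPLE)
    for r in recs:
        print(r["ts"], r["direction"], r["inside_local"], "<->", r["inside_global"],
              "fast" if r["fast_switched"] else "process-switched")
    print(summarize(recs))
```

Running this over a longer capture is a quick way to confirm which inside hosts are actually being translated and whether every outbound packet is getting a reply, which is what the exam question is really asking you to read off by eye.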

25 Sample CCNA Question
You have started to configure Router A as a network address translation (NAT) device. You have defined its Fast Ethernet 0/0 interface as the NAT inside interface and its Serial 0/0 interface as the NAT outside interface. Using the router simulation, use unabbreviated Cisco Internetwork Operating System (IOS) commands from the console to do the following on Router A:
* Configure access control list (ACL) 1, which permits all addresses in the 172.16.0.0/24 subnet.
* Configure a NAT pool called thepool with addresses 10.1.1.1 through 10.1.1.100, with a subnet mask of 255.255.255.0.
* Configure NAT to translate inside source addresses that match ACL 1 into addresses from the pool thepool.
Answer:
RouterA(config)#access-list 1 permit 172.16.0.0 0.0.0.255
RouterA(config)#ip nat pool thepool 10.1.1.1 10.1.1.100 netmask 255.255.255.0
RouterA(config)#ip nat inside source list 1 pool thepool

28 CCNA Sample Exam Question
You are the network administrator for your company. You are in the process of implementing Network Address Translation (NAT) on the network. You use the following command in the NAT configuration:
  ip nat inside source list 8 pool not-overload
Which correctly describes the operation of this command? (Choose all that apply.)
A. This command ensures that any packets received on the inside interface that are permitted by source-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
B. NAT overloading is used.
C. This command ensures that any packets received on the inside interface that are permitted by access-list 8 will have the source address translated to an address out of the NAT pool "not-overload."
D. NAT overloading is not used.
Answer: C and D. The list keyword refers to an access list (there is no "source-list"), and overloading would require the overload keyword at the end of the command, which is absent here.

30 CCNA Exam Sample
The exhibit displays part of your network. You have configured Router A as a network address translation (NAT) device. The following displays part of Router A's configuration:
  access-list 1 permit 192.168.3.0 0.0.0.255
  ip nat pool newpool 10.1.1.1 10.1.1.100 netmask 255.255.255.0
  ip nat inside source list 1 pool newpool
  interface fastethernet 0/0
   ip address 192.168.3.7 255.255.255.0
   ip nat inside
  interface serial 0/0
   ip address 192.168.2.7 255.255.255.0
   ip nat outside
  router rip
   network 192.168.2.0
   network 192.168.3.0
While you are testing, you discover that Host A cannot ping Host B. What should you do to resolve this issue? (Choose two statements.)
A. Change access-list 1 permit 192.168.3.0 0.0.0.255 to access-list 1 permit 10.0.0.0 0.255.255.255.
B. Change ip nat inside on interface fastethernet 0/0 to ip nat outside.
C. Change network 192.168.3.0 to network 10.0.0.0.
D. Add a loopback interface with an Internet Protocol (IP) address in the network 192.168.3.0 address space.
E. Add a loopback interface with an Internet Protocol (IP) address in the network 10.0.0.0 address space.
F. Change ip nat outside on interface serial 0/0 to ip nat inside.
Answer: C and E. Host A's packets leave Router A with a source address from the 10.1.1.0/24 pool, but RIP on Router A advertises only 192.168.2.0 and 192.168.3.0, so the routers on Host B's side have no route back to the pool addresses and the replies never return. RIP advertises a network only when the router owns an interface in it, so the fix is to add a loopback with an address in 10.0.0.0 (E) and replace the network 192.168.3.0 statement, which the outside never needs since that network is translated, with network 10.0.0.0 (C). The interface roles (B, F) and the access list (A) are already correct, and a loopback in 192.168.3.0 (D) changes nothing.

32 Lab Activity for NAT-PAT
– Note that switches A and B are not used in this lab.
– Router C is needed to make use of the debug ip nat commands.

33 Summary Questions
– What is the difference between NAT and PAT?
– What might be a situation in which you would use both NAT and PAT?
– How can NAT/PAT enhance security, and what does it not protect against?
– How might encryption that protects the IP header or the transport checksum (for example IPsec AH, or ESP without NAT traversal) cause problems for NAT?
– Which interface is the ip nat inside command applied to?

