Deploying Network Address Translation
Session IPS-220 (IPS-220 2880_05_2001_c1)
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
© 2001, Cisco Systems, Inc. All rights reserved.

Golden Rule
"Network Address Translations will occur only if: the packet travels from an IP NAT inside to an IP NAT outside interface and the access-list permits it."

Agenda
• Terminology rehash from Session IPS-120
• Requirements (hardware/software)
• Network examples
• Application examples
• Future of Network Address Translation
• Questions/answers

NAT—One-to-One Mapping
• Network address translation
• Layer 3 address modification only
• Maps one internal (local) address to one external (global) address, e.g. with inside network 10.1.1.0/24 and pool 172.16.4.1-.254:
  10.1.1.1 → 172.16.4.1
  10.1.1.2 → 172.16.4.2

NAPT—Many-to-One Mapping
• Network address port translation (a.k.a. PAT or overloading)
• Layer 3 and Layer 4 modification: address and port (mainly TCP, UDP and ICMP)
• Maps multiple internal (local) addresses to one external (global) address, e.g. with a pool of the single address 172.16.4.1:
  10.1.1.1:2056 → 172.16.4.1:1024
  10.1.1.2:3000 → 172.16.4.1:1025
Router Translations
• Inside source translation: modifies the source address of a packet received on the IP NAT inside interface (and the destination address of the reply coming back in on the outside interface)
• Outside source translation: modifies the source address of a packet received on the IP NAT outside interface

The Inside Interface
• Inside local address (IL): the IP address assigned to a host on the inside network; probably not a legitimate IP address assigned by the Network Information Center (NIC) or service provider
• Inside global address (IG): a legitimate IP address (assigned by the NIC or service provider) that represents one or more inside local IP addresses to the outside world

The Outside Interface
• Outside local address (OL): the IP address of an outside host as it appears to the inside network; not necessarily a legitimate address, it is allocated from address space routable on the inside
• Outside global address (OG): the IP address assigned to a host on the outside network by the host's owner; allocated from globally routable address or network space

Analogy and Reality of Translation Terms
Inside network 10.1.1.x with inside source pool 172.16.4.1-.254; outside network 10.1.2.x with outside source pool 192.168.1.1-.254. The "analogy" slide draws the two translations as if they were two separate NAT stages; the "reality" slide shows the same mappings as the single NAT router actually keeps them, in one table with four address columns:

                  Host       IL         IG           OL            OG
Inside source     10.1.1.1   10.1.1.1   172.16.4.1   -             -
Outside source    10.1.2.1   -          -            192.168.1.1   10.1.2.1

A packet P1 from 10.1.1.1 leaves with source 10.1.1.1 if no NAT applies and with source 172.16.4.1 with NAT; the inside hosts see the outside host 10.1.2.1 as 192.168.1.1.
Translation Rules
• If a translation exists, use the translated address (e.g. the inside global address)
• If no translation exists, build one and record the details in the translation table
• Simple translations look at the source address only, whereas extended translations use source, destination, protocol and ports

Simple vs. Extended Translations
Extended (using route-maps or overload):
Router#show ip nat translation
Pro Inside global         Inside local         Outside local       Outside global
tcp 172.16.4.1:11012      10.1.1.1:11012       172.17.1.1:23       172.17.1.1:23
tcp 172.16.3.1:11011      10.1.1.1:11011       172.16.1.1:23       172.16.1.1:23

Simple (using access-lists without overload):
Router#show ip nat translation
Pro Inside global         Inside local         Outside local       Outside global
--- 172.16.4.1            10.1.1.1             ---                 ---

Requirements (Hardware/Software)

Requirements—Software
• 11.2: IP Plus feature set only
• 11.3: PAT generally available
• 11.3: NAT in IP Plus
• 12.x: full NAT/PAT*
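The difference between the two table styles above is easiest to see in code. The following Python model is an added example, not code from the Cisco deck: a simple table keyed on the inside source only, and an extended (overload) table keyed on protocol, both addresses and both ports, with a global port reallocated when two inside hosts pick the same source port. The NatTable class, the pool addresses and the "keep the port if free, else lowest free port from 1024" policy are assumptions made for the illustration; the real IOS allocator differs in detail.

```python
"""Toy model of the IOS NAT translation table: simple vs. extended entries.

Added illustration, not Cisco code.  The NatTable class, the pool ranges and the
port-allocation policy (keep the source port if free, else lowest free >= 1024)
are assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    proto: str            # '---' for simple entries, 'tcp'/'udp' for extended ones
    inside_global: str    # IG, with ':port' for extended entries
    inside_local: str     # IL, with ':port' for extended entries
    outside_local: str    # OL:port, or '---' for simple entries
    outside_global: str   # OG:port, or '---' for simple entries


class NatTable:
    def __init__(self, pool_start: str, pool_end: str, overload: bool = False) -> None:
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.overload = overload
        self.entries: list[Entry] = []                 # in creation order, like the router
        self.simple: dict[str, Entry] = {}             # IL -> entry (simple translations)
        self.extended: dict[tuple, Entry] = {}         # (proto, IL, lport, OG, gport) -> entry
        self.used_ports: dict[str, set[int]] = {}      # IG -> global ports in use

    def _free_global(self) -> Optional[str]:
        """First pool address not already bound one-to-one to an inside host."""
        taken = {e.inside_global for e in self.simple.values()}
        return next((ig for ig in self.pool if ig not in taken), None)

    def _alloc_port(self, ig: str, wanted: int) -> int:
        """Keep the host's own source port if it is free on the shared global
        address; otherwise take the lowest free port >= 1024 (assumed policy)."""
        used = self.used_ports.setdefault(ig, set())
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def translate(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Entry]:
        """Inside-to-outside packet.  Returns the entry used (creating it when
        none exists) or None when the pool is exhausted and the packet is dropped."""
        if not self.overload:
            # Simple translation: keyed on the source address only.  Destination and
            # ports are ignored, so every session from this host shares one entry.
            entry = self.simple.get(src)
            if entry is None:
                ig = self._free_global()
                if ig is None:
                    return None
                entry = Entry('---', ig, src, '---', '---')
                self.simple[src] = entry
                self.entries.append(entry)
            return entry
        # Extended translation (overload): keyed on protocol, both addresses and
        # both ports, so many inside hosts share a single global address.
        key = (proto, src, sport, dst, dport)
        entry = self.extended.get(key)
        if entry is None:
            ig = self.pool[0]
            gport = self._alloc_port(ig, sport)
            entry = Entry(proto, f'{ig}:{gport}', f'{src}:{sport}', f'{dst}:{dport}', f'{dst}:{dport}')
            self.extended[key] = entry
            self.entries.append(entry)
        return entry

    def show(self) -> str:
        """Same columns as 'show ip nat translation'."""
        rows = ['Pro Inside global         Inside local          Outside local         Outside global']
        for e in self.entries:
            rows.append(f'{e.proto:<3} {e.inside_global:<21} {e.inside_local:<21} '
                        f'{e.outside_local:<21} {e.outside_global}')
        return '\n'.join(rows)


if __name__ == '__main__':
    simple = NatTable('172.16.4.1', '172.16.4.3')
    simple.translate('tcp', '10.1.1.1', 11012, '172.17.1.1', 23)
    simple.translate('udp', '10.1.1.1', 5000, '172.17.1.9', 53)   # reuses the entry
    print(simple.show())
    pat = NatTable('172.16.4.1', '172.16.4.1', overload=True)
    pat.translate('tcp', '10.1.1.1', 2056, '172.17.1.1', 23)
    pat.translate('tcp', '10.1.1.2', 2056, '172.17.1.1', 23)       # port clash -> 1024
    print(pat.show())
```

The simple table is why "NAT by destination" later needs route-maps: once a host has a simple entry, every destination reuses it. The extended key is also the reason overload works only for protocols with a port-like field; the PPTP section shows GRE using its call ID in that position.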
Requirements—Hardware
• Most platforms*
• Each translation = 160 bytes, so 10,000 translations = 1.6 megabytes
• Performance/latency impact is negligible**

Network Examples

NAT Only Scenario: Topology/Config
Inside network 10.1.1.0/24 (hosts .10 and .20) on Ethernet 0; Serial 0 toward the outside; global pool 209.165.201.0/27.

router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 pool natpool
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside

NAT Only Scenario: Pros/Cons
Pros
• Very high success rate for almost all IP-based applications
Cons
• Limited number of simultaneous users: users = number of addresses in the pool
• Multiple addresses needed from the ISP (= $$$)

NAPT Only Scenario: Topology/Config
Same topology; no pool, the Serial 0 interface address is the single global address.

router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 interface serial 0 overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
NAPT Only Scenario: Pros/Cons
Pros
• Simultaneous users can be in the neighborhood of 64K (really 64K simultaneous sessions per global address, bounded by the 16-bit port space)
• Only one address is needed from the ISP
Cons
• Only some TCP, UDP, ICMP and PPTP* applications can be used; protocols without a port-like field cannot be overloaded

NAT and NAPT Scenario: Topology/Config
Same topology; the pool is overloaded, so port-based traffic shares pool addresses while traffic NAT cannot overload gets its own one-to-one entry from the pool.

router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 pool natpool overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside

NAT and NAPT Scenario: Pros/Cons
Pros
• You get the pros of both NAT and NAPT combined
Cons
• Dual-connection traffic (e.g. native IPSec, which is IKE over UDP plus ESP) will still not work: the TCP/UDP/ICMP part is NAPTed using one address and the other connection, which has no port to overload on, is NATed with a different pool address, so the peer sees two source addresses for one session

NAT/NAPT with Easy IP
The router's outside address is negotiated on dialer 0 and overloaded; the access server (6400) hands that address out from a local pool.

router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 1 interface dialer0 overload
router(config)# interface dialer 0
router(config-if)# ip address negotiated
router(config-if)# ip nat outside
router(config-if)# interface ethernet 0
router(config-if)# ip nat inside
----
6400(config)# ip local pool swim 172.16.4.1 172.16.4.254
6400(config)# interface virtual-template1
6400(config-if)# peer default ip address pool swim
TCP Load Balancing Scenario (Round-Robin NAT)
Virtual address 209.165.201.5 on the Internet side; real servers 10.1.1.1-.3. The rotary pool hands each new connection to the virtual address to the next real server in turn (inside destination translation).

router(config)# ip nat pool tcpload 10.1.1.1 10.1.1.3 netmask 255.255.255.0 type rotary
router(config)# access-list 1 permit host 209.165.201.5
router(config)# ip nat inside destination list 1 pool tcpload

TCP Load Balance Scenario: Pros/Cons
Pros
• Cheap investment
• Good for mail servers and simple web clusters
Cons
• Applications that keep state across connections, use multiple connections, or redirect will not work, because each new TCP connection may be handed to a different server

NAT by Destination
Your Company uses 10.0.0.0/8 on Ethernet 0. Serial 0 goes to Partners, who use 192.168.1.0/24 and have made 172.16.1.0/24 available for your hosts to appear from; Serial 1 goes to the Internet, where 209.165.201.0/27 is available. The pool used depends on the destination.

NAT by Destination—to Partners
router(config)# ip nat pool partners 172.16.1.3 172.16.1.254 netmask 255.255.255.0

NAT by Destination—to Internet
router(config)# ip nat pool internet 209.165.201.10 209.165.201.30 netmask 255.255.255.224
NAT by Destination—Route-Map Declaration (Partners)
router(config)# access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
router(config)# route-map topartners permit 10
router(config-map)# match ip address 110
router(config-map)# match interface serial 0

NAT by Destination—Route-Map Declaration (Internet)
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
router(config)# route-map tointernet permit 10
router(config-map)# match ip address 100
router(config-map)# match interface serial 1

Because access-list 100 also permits partner-bound traffic, the match interface clauses are what keep the two route-maps apart: a packet routed out Serial 0 can only match topartners.

NAT by Destination—Bindings
router(config)# ip nat inside source route-map topartners pool partners
router(config)# ip nat inside source route-map tointernet pool internet
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
router(config-if)# interface serial 1
router(config-if)# ip nat outside
NAT by Destination Scenario: Pros/Cons
Pros
• Flexibility of two or more NAT pools chosen by destination
Cons
• Extra configuration (route-maps) if using only NAT pools; overload/NAPT does not have this issue
• Can run into simple-versus-extended translation issues if route-maps are not used: a simple entry records only the source address, so whichever pool the host's first destination selected is reused for every later destination

Network Static NAT
Translates the whole 10.1.1.0/24 to 172.18.1.0/24 host-for-host with one statement:
Router(config)# ip nat inside source static network 10.1.1.0 172.18.1.0 /24 no-alias
SrcAddr 10.1.1.10 → 172.18.1.10
SrcAddr 10.1.1.20 → 172.18.1.20

Network Static Scenario: Pros/Cons
Pros
• Good fit for connecting two sites when NAT is required
• Allows bi-directional traffic (outside hosts can initiate connections to 172.18.1.x)
Cons
• Because it is bi-directional you lose the resource-hiding benefit that dynamic NAT provides

Network Static Pool
The same host-for-host mapping, but built dynamically: type match-host keeps the host part of the address, and an entry appears only when an inside host permitted by access-list 1 (definition not shown) sends traffic.
router(config)# ip nat pool natpool 172.18.1.0 172.18.1.255 netmask 255.255.255.0 type match-host
router(config)# ip nat inside source list 1 pool natpool
SrcAddr 10.1.1.10 → 172.18.1.10
SrcAddr 10.1.1.20 → 172.18.1.20

Network Static Pool Scenario: Pros/Cons
Pros
• Easy to track what hosts are doing
• Address hiding while no translation exists
Cons
• Requires as many outside global addresses as inside hosts, e.g. a /24 inside needs a /24 outside
Dual NAT—Virtual View
• Typical network setup: the red network appears as 172.16.1.0/24 and the blue network (where the DNS server sits) as 192.168.1.x
• No overlap, simple routing

Dual NAT—Reality View
• Both networks actually use 10.1.1.x: overlapping address space between the blue and red networks

Dual NAT—the Solution
Inside hosts are translated to 172.16.1.x on the way out; outside hosts are presented to the inside as 192.168.1.x:
router-nat(config)# ip nat outside source static network 192.168.1.0 10.1.1.0 /24
router-nat(config)# ip nat inside source static network 10.1.1.0 172.16.1.0 /24

Overlapping Networks—DNS Query
Step 1: the inside host 10.1.1.3 queries the DNS server on the outside for RED-3, an outside host whose real address is also 10.1.1.3.

Overlapping Networks—DNS Response
Step 2: the DNS server answers 10.1.1.3 (the outside global address). Because an outside source translation matches, NAT rewrites the A record in the response to the outside local address 192.168.1.3 before handing it to the inside host.

Overlapping Networks—The Packet Is Sent
Step 3: the inside host sends SA 10.1.1.3, DA 192.168.1.3; the destination is routable on the inside and distinct from its own subnet.

Overlapping Networks—Source Translation
Step 4: inside source translation rewrites the packet to SA 172.16.1.3, DA 192.168.1.3.
Overlapping Networks—Destination Translation
Step 5: before forwarding onto the outside, the outside local destination 192.168.1.3 is translated back to RED-3's real address: SA 172.16.1.3, DA 10.1.1.3.

Overlapping Networks—NAT Translation Table
Host       IL         IG           OL            OG
10.1.1.3   10.1.1.3   172.16.1.3   192.168.1.3   10.1.1.3
(the inside host and RED-3 both really use 10.1.1.3; the two translations keep them apart)

Overlapping Networks Scenario: Pros/Cons
Pros
• Single point of administration for the NAT table
• Allows two overlapping network address spaces to communicate
Cons
• Relies on DNS (A-record rewriting) to hand inside hosts the outside local addresses; not strictly required, since hosts can be pointed at the 192.168.1.x addresses directly

IPSec 101—ESP
Encapsulating Security Payload (ESP), IP protocol 50, tunnel mode only: the original packet (IP HDR + Data) is encrypted and authenticated as the payload behind a new IP HDR and an IPSec (ESP) header. The authentication covers the ESP header and the encrypted payload, not the new outer IP header, so a NAT router can rewrite the outer Layer 3 addresses without invalidating anything. NAT works!

IPSec 101—AH
Authentication Header (AH), IP protocol 51: the checksum stored in the AH header is computed over the IP header (its immutable fields, including both addresses) plus the data. NAT changes a Layer 3 address, the receiver computes a different checksum, and the packet is rejected. NAT breaks!
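The two IPSec 101 slides come down to which bytes the integrity check covers. The following Python is an added example, not from the deck and not a real IPsec stack: it builds a minimal IPv4 header, computes an HMAC-SHA1-96 integrity check value the way AH (RFC 2402, mutable fields zeroed) and ESP (over the ESP header and ciphertext only) scope it, then applies what a NAT router does (rewrite the outer source address) and what any router does (decrement TTL). The key, addresses and payload are constructed, and the ESP "encryption" is a stand-in XOR so the example stays short.

```python
"""Why NAT breaks AH but not ESP in tunnel mode.

Added illustration, not from the Cisco deck and not a real IPsec stack.  It
models only what matters here: which bytes the integrity check value (ICV)
covers.  The key, addresses and payload are constructed, the ICV is
HMAC-SHA1-96 (RFC 2404) computed directly, and the ESP "encryption" is a
stand-in XOR so the example stays short.
"""
import hashlib
import hmac
import socket
import struct

KEY = b'constructed-integrity-key'
IPV4_FMT = '!BBHHHBBH4s4s'          # 20-byte IPv4 header, no options


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; the header checksum is left zero (not needed here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_mutable_zeroed(hdr: bytes) -> bytes:
    """RFC 2402: AH zeroes the mutable fields (ToS, flags/fragment offset, TTL,
    header checksum) before computing the ICV.  Source and destination address
    are immutable and therefore stay covered."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]    # HMAC-SHA1-96


def ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    """IP | AH | payload.  ICV = HMAC over the mutable-zeroed IP header, the AH
    header with its ICV field zeroed, and the payload."""
    hdr = ipv4_header(src, dst, 51, 20 + 24 + len(payload))
    ah_fixed = struct.pack('!BBHII', 6, 4, 0, 0x1000, 1)   # next hdr, len, reserved, SPI, seq
    mac = icv(ah_mutable_zeroed(hdr) + ah_fixed + bytes(12) + payload)
    return hdr + ah_fixed + mac + payload


def ah_verify(pkt: bytes) -> bool:
    hdr, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(mac, icv(ah_mutable_zeroed(hdr) + ah_fixed + bytes(12) + payload))


def esp_tunnel_packet(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Outer IP | ESP hdr | encrypted inner packet | ICV.  The ICV covers the ESP
    header and the ciphertext only; the outer IP header is outside its scope."""
    esp_hdr = struct.pack('!II', 0x2000, 1)                 # SPI, sequence number
    body = bytes(b ^ 0x5A for b in inner)                   # stand-in for encryption
    mac = icv(esp_hdr + body)
    outer = ipv4_header(outer_src, outer_dst, 50, 20 + len(esp_hdr) + len(body) + 12)
    return outer + esp_hdr + body + mac


def esp_verify(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))


def nat_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT router does on the way out: rewrite the outer source address
    (a real router also fixes the IP checksum, which AH ignores anyway)."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def decrement_ttl(pkt: bytes) -> bytes:
    """What every router does: TTL is mutable, so AH still verifies afterwards."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
```

Note what the ESP result does not say: the outer header survives NAT, but there is still no port in it. A NAPT box has nothing to overload on except the SPI, which is chosen per direction by the peers, so two inside hosts behind one global address collide. That is why the deck's NAT-and-NAPT scenario hands ESP a one-to-one pool entry, and why the VPN concentrators mentioned later wrap ESP in UDP or TCP.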
Native IPSec with NAT and NAPT Scenario
Inside 10.1.1.0/24 (VPN client at .20) on Ethernet 0; Serial 0 to the Internet; pool 209.165.201.0/27; VPN gateway at 1.1.1.1. Everything except traffic to the VPN gateway is overloaded on the Serial 0 address; traffic to the VPN gateway gets a one-to-one translation from the pool so that IKE (UDP) and ESP leave from the same global address.

router(config)# access-list 100 deny ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
router(config)# route-map napt2internet permit 10
router(config-map)# match ip address 100
router(config)# ip nat inside source route-map napt2internet interface serial 0 overload
! Continued !
router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# route-map vpnusenat permit 10
router(config-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool

IPSec Scenario: Pros/Cons
Pros
• ESP in tunnel mode works through NAT (one-to-one translation only)
• NAT/NAPT traversal support in the VPN 3000 (ESP encapsulated in UDP) and VPN 5000 (TCP port 80) concentrators
Cons
• No ESP transport mode or AH tunnel/transport support
• No PAT support unless the VPN device encapsulates IPSec in UDP or TCP (NAT over IPSec functionality)

Considerations—Access-Lists, Inbound (outside to inside) Packet Flow
1. Inbound ACL on the encrypted packet (only if the packet is encrypted)
2. Decryption
3. Inbound ACL
4. NAT (outside global to inside local)
5. Routing
6. Outbound ACL
Considerations—Access-Lists, Outbound (inside to outside) Packet Flow
1. Inbound ACL
2. Policy routing
3. Routing
4. NAT (inside local to inside global)
5. Outbound ACL
6. Encryption
Routing happens before NAT on the way out, so route on the inside local address; NAT happens before the outbound ACL and before encryption, so the outbound ACL and the crypto ACL see the inside global address.

VPN Remote Client—The Issues
A roaming user dials an ISP, receives an unpredictable address and builds an IPSec tunnel to your VPN gateway. Traffic from your 10.0.0.0/8 to that user must not be translated, but the deny entry cannot be written:

router(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
router(config)# route-map vpnusenat permit 10
router(config-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool
router(config)# access-list 100 deny ip 10.1.1.0 0.0.0.255 ???   (not sure of the ISP-assigned destination address)

VPN Remote Client Issues
• Unable to predict the IP address that will be assigned to the VPN user
• Treat the VPN user as just another client out on the Internet; the same rules apply, except that their traffic must not be NATed
• Solution: NAT by destination plus mode configuration (IP address pools for VPN clients)

VPN Remote Client—Mode Configuration
The VPN gateway assigns each client an address from the mode-config pool 172.16.1.1-.254, so the destination to exempt is now predictable:
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

VPN Client and Static NAT
A VPN client at 10.1.1.1 behind the NAT router is given a fixed global address, so the VPN gateway on the Internet always sees the same peer address:
router(config)# ip nat inside source static 10.1.1.1 209.165.201.5
VPNs—Policy Routing
Alternative: steer VPN-bound traffic around the NAT path altogether. Traffic from host 10.1.1.1 to the VPN pool 172.16.1.0/24 is policy-routed on Ethernet 0 to the next hop 172.31.1.2; everything else follows the routing table and is translated.

router(config)# access-list 100 permit ip host 10.1.1.1 172.16.1.0 0.0.0.255
router(config)# route-map bypassnat permit 10
router(config-map)# match ip address 100
router(config-map)# set ip next-hop 172.31.1.2
router(config)# interface ethernet 0
router(config-if)# ip policy route-map bypassnat

Application Examples

Application Support—Know Your Applications
• Application layer: embedded IP information in the payload, which NAT can only fix if it understands the protocol
• Transport/network layer: PAT/NAT compliant, addresses and ports live only in the headers

Considerations—Embedded IP
Inside: IP HDR Src IP = 10.1.1.1, Data: IP = 10.1.1.1
After address translation, outside: IP HDR Src IP = x.x.x.x, Data: IP = 10.1.1.1 (the payload still carries the private address unless NAT rewrites it too)

Applications that Embed IP Address Information
• DNS "A" and "PTR" queries
• NetBIOS over TCP/IP (datagram, name, and session services)
• NetMeeting 2.1, 2.11 (4.3.2519) and 3.01 (4.4.3385)
• H.323v2: H.225/H.245 message types except RAS, including FastConnect, Setup, Alerting, Facility, Progress, OpenLogicalChannel, OpenLogicalChannelAck, MCLocationIndication, CommunicationModeCommand, CommunicationModeResponse
• FTP PORT and PASV commands
FTP—Active
• Server-initiated data connections
• The client tells the server (PORT <address and port>) on which address and port to connect back to the client
TCP connection 1 (control): client (inside) → server (outside): SYN, SYN-ACK, ACK, then the PORT command carrying the client's embedded address and port, ACK.
TCP connection 2 (data): server (outside) → client (inside): SYN, SYN-ACK, ACK; data flows server to client.
NAT must translate the embedded address in the PORT command and, if PAT is used, reserve the translated source port so the server's inbound data connection maps back to the right client.

FTP—Passive
• Client-initiated data connections
• The server tells the client (227 Entering Passive Mode <address and port>) on which address and port it is listening for the data connection
TCP connection 1 (control): client (inside) → server (outside): SYN, SYN-ACK, ACK, then PASV and the 227 reply carrying the server's embedded address and port.
TCP connection 2 (data): client (inside) → server (outside): SYN, SYN-ACK, ACK; data flows server to client.
NAT translates the embedded address when it belongs to a translated host (for example an inside server answering 227); for an outside server the reply passes through and the client's data connection is translated like any other outbound session.

Non-Standard FTP Ports
• Server 172.16.1.1 is listening on port 6000, so NAT must be told to apply its FTP handling to that port:
router(config)# access-list 1 permit host 172.16.1.1
router(config)# ip nat service list 1 ftp tcp port 6000

NetMeeting ILS Support
• Client A (10.1.1.1) registers with an ILS server on the Internet via LDAP; NAT modifies the LDAP registration to carry client A's global address, 209.165.201.5, so client B can reach it
• Available starting in IOS 12.1(5)T
router(config)# ip nat inside source static 10.1.1.1 209.165.201.5
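The FTP rewrites described in the active and passive slides, as an added Python example (not code from the deck or from IOS). It rewrites the address embedded in a PORT command from an inside client or a 227 reply from an inside server, reserves the global port when overloading so the server's inbound connection maps back to the right host, records the data connection NAT must expect, and tracks the TCP sequence-number shift that a longer address introduces, which a real NAT must apply to every later segment of that control connection. The FtpAlg class and its "next free port" policy are assumptions for the example.

```python
"""FTP application-layer gateway (ALG) behaviour under NAT/PAT.

Added illustration, not Cisco code.  It models what the NAT code must do with
the FTP control channel: rewrite the address embedded in a PORT command (active
mode, inside client) or in a 227 reply (passive mode, inside server), reserve
the matching global port when overloading, record the data connection to
expect, and track the TCP sequence-number shift the rewrite introduces.  The
FtpAlg class and its "next free port" policy are assumptions for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2   (client tells the server where to connect back)
PORT_RE = re.compile(rb'^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$')
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (server tells the client where it listens)
PASV_RE = re.compile(rb'^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def decode_hostport(m: re.Match) -> tuple[str, int]:
    h = [int(x) for x in m.groups()]
    return '.'.join(str(o) for o in h[:4]), h[4] * 256 + h[5]


def encode_hostport(addr: str, port: int) -> bytes:
    return ','.join(addr.split('.') + [str(port // 256), str(port % 256)]).encode()


@dataclass
class FtpAlg:
    inside_local: str
    inside_global: str
    overload: bool = False                          # True when PAT shares inside_global
    used_ports: set[int] = field(default_factory=set)
    expected: list[tuple[str, str, str]] = field(default_factory=list)  # (proto, IG:port, IL:port)
    seq_delta: int = 0      # bytes added to the stream so far; NAT must fix later seq/ack numbers

    def _reserve(self, port: int) -> int:
        """One-to-one NAT keeps the port.  With PAT the port may already be used by
        another inside host on the shared global address; step to the next free one."""
        if self.overload:
            while port in self.used_ports:
                port = port + 1 if port < 65535 else 1024
        self.used_ports.add(port)
        return port

    def inside_to_outside(self, line: bytes) -> bytes:
        """Rewrite one control-channel line leaving the inside network."""
        m = PORT_RE.match(line) or PASV_RE.match(line)
        if m is None:
            return line                               # nothing embedded: pass through
        addr, port = decode_hostport(m)
        if addr != self.inside_local:
            return line                               # not an address we translate
        gport = self._reserve(port)
        # The server will open (active) or accept (passive) a connection to IG:gport;
        # NAT pre-creates the entry so that connection maps to IL:port.
        self.expected.append(('tcp', f'{self.inside_global}:{gport}', f'{self.inside_local}:{port}'))
        new = line[:m.start(1)] + encode_hostport(self.inside_global, gport) + line[m.end(6):]
        self.seq_delta += len(new) - len(line)
        return new
```

None of this can happen if the control channel is not recognised, which is the point of the non-standard-port slide: the ALG has to be told that TCP port 6000 on 172.16.1.1 is FTP. It also cannot happen if the control channel is encrypted (FTP over TLS), in which case active mode through NAT simply fails.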
PPTP over NAPT
• PPTP: RFC 2637
• NAPT (PAT) capability within IOS 12.1(5)T
• Works if the termination point is an IOS router capable of terminating a PPTP session or a Microsoft PPTP server; does not support PIX or VPN 3000 terminations
• Cannot use Microsoft Point-to-Point Encryption (MPPE), RFC 3078

PPTP 101
Point-to-Point Tunneling Protocol: the control connection on protocol 6 (TCP) port 1723 carries authentication; the data travels in GRE, protocol 47. The original packet (IP HDR + Data, Layer 5-7) is encapsulated within GRE (without MPPE) behind a new IP HDR and a Tunnel ID (the GRE call ID, a Layer 4 field). This unique number is what gives the router the ability to determine which flow goes to which system when being NAPTed, since GRE has no port numbers.

PPTP over NAPT—Configuration
Inside 10.1.1.0/24 (hosts .10 and .20) on Ethernet 0; Ethernet 1 toward the PPTP server.
router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 1 interface ethernet1 overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config)# interface ethernet 1
router(config-if)# ip nat outside

PPTP over NAPT—Translation Table
router#show ip nat translation
Pro Inside global         Inside local          Outside local          Outside global
tcp 10.32.1.20:11012      10.1.1.10:11012       10.32.80.85:1723       10.32.80.85:1723
tcp 10.32.1.20:11011      10.1.1.20:11011       10.32.80.85:1723       10.32.80.85:1723
gre 10.32.1.20:0          10.1.1.10:1           10.32.80.85:1          10.32.80.85:1
gre 10.32.1.20:16384      10.1.1.20:16384       10.32.80.85:16384      10.32.80.85:16384
gre 10.32.1.20:1          10.1.1.10:1           10.32.80.85:1          10.32.80.85:1
gre 10.32.1.20:2          10.1.1.20:2           10.32.80.85:2          10.32.80.85:2
The two control connections share the global address 10.32.1.20 on different ports as usual; the gre entries carry the call ID where a port would otherwise be.
PPTP over NAPT—Translation Table Correlation
On the PPTP server both tunnels arrive from the same remote address (the NAT global address) and are told apart by call ID:
pptpserver#show vpdn
% No active L2TP tunnels
% No active L2F tunnels
PPTP Tunnel and Session Information Total tunnels 2 sessions 2
LocID Remote Name   State   Remote Address   Port   Sessions
7     10.32.1.20    estabd  10.32.88.85      1372   1
LocID RemID  TunID  Intf   Username   State   Last Chg
7     0      7      Vi1    cisco1     estabd  00:01:56
LocID Remote Name   State   Remote Address   Port   Sessions
8                   estabd  10.32.88.85      1355   1
LocID RemID  TunID  Intf   Username   State   Last Chg
8     16384  8      Vi2    cisco2     estabd  00:01:26

router#show ip nat translation pptp
Pro Inside global         Inside local          Outside local          Outside global
gre 10.32.1.20:0          10.1.1.10:1           10.32.80.85:1          10.32.80.85:1
gre 10.32.1.20:16384      10.1.1.20:16384       10.32.80.85:16384      10.32.80.85:16384
gre 10.32.1.20:7          10.1.1.10:7           10.32.80.85:7          10.32.80.85:7
gre 10.32.1.20:8          10.1.1.20:8           10.32.80.85:8          10.32.80.85:8
Local IDs 7 and 8 on the server match the gre call IDs 7 and 8 in the NAT table; the remote IDs 0 and 16384 match the other two gre entries.

Future of Network Address Translation

Stateful NAT
• Projected for the 12.2(4)T code
• Platform independent
• Supports many peers
• Works in an HSRP environment for true fault tolerance

Without SNAT—the Problem
R1-NAT and R2-NAT both front the 10.1.1.x network. Host 10.1.1.3's session (1) leaves through R1, which builds the entry (2):
R1 NAT translation table
IL         IG            OL            OG
10.1.1.3   192.168.1.3   192.168.1.3   172.16.1.3
R2 NAT translation table: empty
When the return traffic, or the next packet after a failover, arrives at R2 (3), R2 has no matching entry and the packet is dropped.
With SNAT—the Solution
R1 builds the entry (1, 2) and replicates it to its peer R2 (1*, 2*), so both translation tables hold the same row:
IL         IG            OL            OG
10.1.1.3   192.168.1.3   192.168.1.3   172.16.1.3
Whichever router receives the return traffic (3, 4, 5) can translate it.

With SNAT—the Commands (projected syntax for the 12.2(4)T code)
R1-NAT is 10.1.1.1 and R2-NAT is 10.1.1.2 on 10.1.1.0/24; both pools cover the same 172.16.1.0/24 range so a replicated entry is valid on either router.

R1(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R1(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 1 pool P1 ID 11
R1(config)# ip nat distributed ID 101
R1(config-nat)# stateful 10.1.1.1
R1(config-nat)# peer 10.1.1.2
R1(config-nat)# mapping ID 11

R2(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)# ip nat pool P2 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R2(config)# ip nat inside source list 1 pool P2 ID 22
R2(config)# ip nat distributed ID 202
R2(config-nat)# stateful 10.1.1.2
R2(config-nat)# peer 10.1.1.1
R2(config-nat)# mapping ID 22

NAT-PT
An IPv6-only host (2001:0420:1987:0:2E0:B0FF:FE6A:412C) and an IPv4-only host (172.16.1.1) communicate through a NAT-PT device.

Why NAT-PT
• As in IPv4, NAT was a solution for the shortage of IP addresses; NAT-PT eases the migration to IPv6 by allowing IPv4 and IPv6 to coexist transparently to the end user
• Allows communication between an IPv4-only host and an IPv6-only host
• Described in RFC 2766
How NAT-PT Works
• PREFIX is a 96-bit prefix that routes back to the NAT-PT device
• The remaining low-order 32 bits of the IPv6 address are the IPv4 address of the IPv4-side host, so host A (IPv6) reaches host B (172.16.1.1) as PREFIX::172.16.1.1

How NAT-PT Works—Configuration (Serial 0 faces the IPv6 side)
router(config)# ipv6 access-list natpool any any
router(config)# ipv6 nat v6v4 pool natme 172.17.1.1 172.17.1.254
router(config)# ipv6 nat v6v4 list natpool pool natme
router(config)# interface serial 0
router(config-if)# ipv6 nat enable
router(config-if)# ipv6 nat prefix PREFIX

How NAT-PT Works—Packet Flow
1. A → NAT-PT (IPv6): Src 2001:0420:1987:0:2E0:B0FF:FE6A:412C, Dst PREFIX::172.16.1.1
2. NAT-PT → B (IPv4): Src 172.17.1.1 (allocated from pool natme for A), Dst 172.16.1.1
3. B → NAT-PT (IPv4): Src 172.16.1.1, Dst 172.17.1.1
4. NAT-PT → A (IPv6): Src PREFIX::172.16.1.1, Dst 2001:0420:1987:0:2E0:B0FF:FE6A:412C

Useful URLs
• IOS NAT FAQ: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm
• IOS NAT "order of operation": http://www.cisco.com/warp/public/556/5.html
• IOS NAT configuration: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid1056050

Summary
• NAT/NAPT (PAT, overload) → one-to-one / many-to-one address mappings
• Modifies "A" and "PTR" DNS records if a translation exists and matches the response
• Modifies embedded IP address information if the NAT code knows the application
• Flexible: route-maps and access-lists determine what traffic needs to be translated

Remember the Golden Rule
"Network Address Translations will occur only if: the packet travels from an IP NAT inside to an IP NAT outside interface and the access-list permits it."

Questions/Answers

Please complete your evaluation form for Session IPS-220.
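The NAT-PT prefix mapping and four-step packet flow from the "How NAT-PT Works" slides, as an added Python example (not from the deck and not Cisco code). The prefix 2001:db8:aaaa:bbbb:cccc:dddd::/96 stands in for PREFIX, host A's address and the 172.17.1.1-.254 pool are the ones on the slides, and the NatPt class is an assumption made for the example.

```python
"""NAT-PT (RFC 2766) address mapping and packet flow, as an added example.

Not Cisco code.  Shows how the 96-bit PREFIX carries an IPv4 address in its
low-order 32 bits (so PREFIX::172.16.1.1 routes back to the NAT-PT device) and
how the v6v4 pool maps an IPv6 source to an IPv4 pool address for the return
direction.  The prefix value and the NatPt class are constructed for the
example; the pool range is the one from the configuration slide.
"""
from __future__ import annotations

import ipaddress
from typing import Optional

PREFIX = ipaddress.IPv6Network('2001:db8:aaaa:bbbb:cccc:dddd::/96')   # stand-in for PREFIX; must be a /96
HOST_A = '2001:420:1987:0:2e0:b0ff:fe6a:412c'                         # IPv6 host from the slides


def v4_to_v6(addr: str) -> str:
    """Embed an IPv4 address in the low-order 32 bits of PREFIX (PREFIX::a.b.c.d)."""
    return str(ipaddress.IPv6Address(int(PREFIX.network_address) | int(ipaddress.IPv4Address(addr))))


def v6_to_v4(addr: str) -> Optional[str]:
    """Recover the IPv4 address from a PREFIX::v4 address; None if addr is not under PREFIX."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class NatPt:
    def __init__(self, pool_start: str, pool_end: str) -> None:
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.v6_to_pool: dict[str, str] = {}    # IPv6 source -> allocated IPv4 pool address
        self.pool_to_v6: dict[str, str] = {}    # reverse map for the return direction

    def v6_side_to_v4_side(self, src6: str, dst6: str) -> Optional[tuple[str, str]]:
        """Steps 1 -> 2: IPv6 host sends to PREFIX::B.  Allocate (or reuse) a pool
        address for the IPv6 source and emit the IPv4 (src, dst) pair.  Returns None
        if the destination is not under PREFIX (routed normally, not translated) or
        the pool is exhausted (packet dropped)."""
        dst4 = v6_to_v4(dst6)
        if dst4 is None:
            return None
        src4 = self.v6_to_pool.get(src6)
        if src4 is None:
            if not self.free:
                return None
            src4 = self.free.pop(0)
            self.v6_to_pool[src6] = src4
            self.pool_to_v6[src4] = src6
        return src4, dst4

    def v4_side_to_v6_side(self, src4: str, dst4: str) -> Optional[tuple[str, str]]:
        """Steps 3 -> 4: IPv4 host replies to the pool address.  Restore the IPv6
        host as destination and present the IPv4 sender as PREFIX::sender.
        Returns None when no binding exists for the pool address (dropped)."""
        dst6 = self.pool_to_v6.get(dst4)
        if dst6 is None:
            return None
        return v4_to_v6(src4), dst6
```

Because the pool binding is created only by IPv6-initiated traffic, an IPv4 host cannot reach an IPv6 host until that host has spoken first, the same resource-hiding property dynamic NAT has in the IPv4-only scenarios earlier in the deck.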