“Design and configuration of Network Address Translation & Port Address Translation”
Introduction
1.1 Introduction
Network Address Translation (NAT) is designed for IP address simplification and conservation. It enables private IP internet works that use no registered IP addresses to connect to the Internet. NAT operates on a Cisco router that connects two networks together, and translates the private (inside local) addresses in the internal network to public addresses (outside local) before packets are forwarded to another network. As a part of this functionality, we can configure NAT to advertise only one address for the entire network to the outside world. This effectively hides the internal network from the world. Therefore, it provides additional security.
The shortage of IP addresses is only one reason to use NAT. Two other good reasons are:
??Security
??Administration
Security and Administration Implementing dynamic NAT automatically creates a firewall between internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to computer unless computer has initiated the contact. So we can browse the Internet and connect to a site, even download a file. But somebody else can’t simply latch onto IP address and use it to connect to a port on our computer. Static NAT, also called inbound mapping, allows connections initiated by external devices to computers on the stub domain to take place in specific circumstances. For instance, we may wish to map an inside global address to a specific inside local addresses that is assigned to Web server.
NAT will translate the IP addresses located in what is referred to as the header of the data packet. It will also adjust the checksum portion of the data packet to reflex this change. If the packet is encrypted, it may not include this field; if this fields in not accessible the NAT/PAT process will fail. A site may find that it will have a difficult time implementing particular portions of their stated security policy if NAT/PAT solutions are not carefully designed and tested prior to full deployment.
1.2 Objectives
The objectives of this paper are as follows.
1. To provide a description a NAT and PAT.
2. To explain, in a simplified manner, how NAT works.
3. To explain, in a simplified manner, how PAT works.
4. To design an office network.
1.3 Understanding NAT and PAT
NAT is a feature of a router that will translate IP addresses. When a packet comes in, it will be rewritten in order to forward it to a host that is not the IP destination. A router will keep track of this translation, and when the host sends a reply, it will translate.
Home users who talk about NAT are actually talking about PAT, or Port Address Translation. This is quite easy to remember: PAT translates ports, as the name implies, and likewise, NAT translates addresses. Sometimes PAT is also called Overloaded NAT. It doesn’t really matter what we call it, just be careful about blanket “NAT can’t” statements: they are likely incorrect routable” means: not routable on the Internet. We can and should mix RFC1918 ad Now that that’s out of the way, let’s clarify some terminology required for a NAT discussion. When we refer to the inside, we’re talking about the internal network interface that receives egress traffic. This internal network may or may not be using private addresses — more on those in a minute. The outside refers to the external-facing network interface, the one that receives ingress traffic. In the real world, it is not the case that NAT is simply using a single outside IP; translating traffic into internal IPs and ports. That’s what our lanky router does.
The “inside” of a NAT configuration is not synonymous with “private” or RFC1918 addresses. The often-referred-to “non-routable” addresses are not un-routable. We may configure most any router to pass traffic for these private IP subnets. If we try and pass a packet to ISP for any of these addresses, it will be dropped. This is what “non- dresses (for management interfaces) of our local internal network
NAT is not used to simply share a single IP address. But when it is, in this strange configuration that’s really called PAT, issues can arise. Say two geeks want to throw up an IPIP tunnel between their networks so they can avoid all the issues of firewall rules and state-keeping. If they both use the same IP subnet, they can’t just join two networks together: They won’t be able to broadcast for each other, so they will never communicate, It would seem that one side or the other would have to renumber their entire subnet, but there is a trick. Using a semi-complicated NAT and DNS setup, the hosts could actually communicate. This is another case of blanket “NAT is evil” statements actually having little reflection on reality. This issue does come up frequently when two companies merge and various branch offices need to communicate.
So why in the world would someone want to use one external IP and map it to one internal IP, opposed to just translating the port. Policy, it’s even likely that both sides will use real bona fide Internet IP addresses. Everyone understands that NAT (the naive definition) will keep track of state; it’s the only way to make translations happen. What they may not realize is that filtering is a powerful security mechanism.
Imagine a B2B transaction that ships sensitive data across the Internet, even between continents. It’s not feasible to lay fiber for this purpose, so the Internet has to be used. We secure this transaction, or set of transactions. It can be done with IPSEC, but also utilizing NAT at the same time. Each side will have a 1:1 (real) NAT router configured to only allow specific connections from specific hosts. This guarantees that from either network, only authorized hosts will be making a connection. This also guarantees that hosts on both sides have been minimally exposed, and very unlikely compromised, since nobody else can get into that network.
Once the session starts, packets are carefully inspected in and out of each NAT router. If something nefarious happens, and someone in-between is able to inject a forged packet into the stream, at least one side will notice. One of the NAT routers will be able to detect that a sequence number anomaly has occurred, and can immediately terminate all communication. When the TCP session completes with a FIN, the state is wipe clean.
In much the same way, home users take advantage of PAT to keep their less-than-secure machines from being completely taken over on a daily basis. When a connection attempt from the outside hits the external interface of a PAT device, it cannot be forwarded unless state already exists. State setup can only be done from the inside, when an egress attempt is made
1.4 Used Technology and Components
¨ IP addressing and routing concepts
¨ Router, Wire cable
¨ Web server
NAT Overview
2.1NAT in Routed Mode
Figure 3.1.1 a typical NAT scenario in routed mode, with a private network on the inside. When the inside host at 10.1.2.27 sends a packet to a web server, the real source address, 10.1.2.27, of the packet is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the FWSM receives the packet. The FWSM then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.2.27 before sending it on to the host.
Figure 2-1.1 NAT Example: Routed Mode
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
2.2 NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. For example, a transparent firewall FWSM is useful between two VRFs so we can establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might not be supported. In this case, using NAT in transparent mode is essential.
NAT in transparent mode has the following requirements and limitations:
•When the mapped addresses are not on the same network as the transparent firewall, then on the upstream router, we need to add a static route for the mapped addresses that points to the downstream router (through the FWSM).
•If the real destination address is not directly-connected to the FWSM, then we also need to add a static route on the FWSM for the real destination address that points to the downstream router. Without NAT, traffic from the upstream router to the downstream router does not need any routes on the FWSM because it uses the MAC address table. NAT, however, causes the FWSM to use a route lookup instead of a MAC address lookup, so it needs a static route to the downstream router.
•The alias command is not supported.
•Because the transparent firewall does not have any interface IP addresses, we cannot use interface PAT.
•ARP inspection is not supported. Moreover, if for some reason a host on one side of the firewall sends an ARP request to a host on the other side of the firewall, and the initiating host real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.
Figure 12-2 shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT. When the inside host at 10.1.1.27 sends a packet to a web server, the real source address of the packet, 10.1.1.27, is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the FWSM receives the packet because the upstream router includes this mapped network in a static route directed through the FWSM. The FWSM then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27. Because the real address is directly-connected, the FWSM sends it directly to the host. For host 192.168.1.2, the same process occurs, except that the FWSM looks up the route in its route table, and sends the packet to the downstream router at 10.1.1.3 based on the static route.
Figure 2-2.1 NAT Example: Transparent Mode
See the following commands for this example:
hostname(config)#route inside 192.168.1.0 255.255.255.0 10.1.1.3 1
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)#nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)#global (outside) 1 209.165.201.1-209.165.201.15
2.3 Policy NAT
NAT and DHCP are a natural fit, we can choose a range of unregistered IP addresses for stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up network as needs grow. We don’t have to request more IP addresses from IANA. We can just increase the range of available IP addresses configured in DHCP and immediately have room for additional computers on network.
Following Figure shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host appears to be on the same network as the servers, which can help with routing.
Figure 2-3.1 Policy NAT with Different Destination Addresses
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Figure 3-3.2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130
Figure 2-3.2 Policy NAT with Different Destination Ports
See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.
Figure 3-3.3 shows a remote host connecting to a translated host. The translated host has a policy static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.
Figure 2-3.3 Policy Static NAT with Destination Address Translation
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
2.4 NAT and Same Security Level Interfaces
NAT is not required between same security level interfaces even if we enable NAT control. We can optionally configure NAT if desired. To enable same security communication. By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets we configure more than 101 communicating interfaces. If we use different levels for each interface and do not assign any interfaces to the same security level, we can configure only one interface per level (0 to 100).To enable interfaces on the same security level to communicate with each other, enter the following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
Turning Off and Turning On Interfaces
All interfaces are enabled by default. If we disable or renewable the interface within a context, only that context interface is affected. But if we disable or renewable the interface in the system execution space, then we affect that VLAN interface for all contexts. To disable an interface or renewable it, perform the following steps:
Step 1 To enter the interface configuration mode, enter the following command:
hostname(config)# interface {vlan number mapped_name}
In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.
Step 2 To disable the interface, enter the following command:
hostname(config)# shutdown
Step 3 To re-enable the interface, enter the following command:
hostname(config)# no shutdown.
2.5Order of NAT Commands Used to Match Real Addresses
The FWSM matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—Best match. Static identity NAT is included in this category. In the case of overlapping addresses in static statements, a warning will be displayed, but they are supported. The order of the static commands does not matter; the static statement that best matches the real address is used.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, we can create a general statement to translate all addresses (0.0.0.0) on an interface. If we want to translate a subset of network (10.1.1.1) to a different address, then we can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the FWSM.
2.6Maximum Number of NAT Statements
The FWSM supports the following numbers of nat, global, and static commands divided between all contexts or in single mode:
•nat command—2 K
•global command—4 K
•static command—2 K
The FWSM also supports up to 3942 ACEs in access lists used for policy NAT for single mode, and 7272 ACEs for multiple mode.
2.7 DNS and NAT
We might need to configure the FWSM to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. We can configure DNS modification when we configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.example.com, is on the inside interface. We configure the FWSM to statically translate the ftp.example.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, we want to enable DNS reply modification on this static statement so that inside users who have access to ftp.example.com using the real address receives the real address from the DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.example.com, the DNS server replies with the mapped address (209.165.201.10). The FWSM refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If we do not enable DNS reply modification, then the insides host attempts to send traffic to 209.165.201.10 instead of accessing ftp.example.com directly.
2-7.1 DNS Reply Modification
Configuring NAT
3.1 Private Addressing
A key technical requirement of the Internet is that each device on the Internet must be addressed with a globally unique 32-bit TCP/IP address. The original 32-bit number scheme, which supported 4.29 billion unique addresses, seemed to have significant “head room” when it was invented back in the late 1960’s and early 70. The commercialization of the Internet, however, has consumed nearly all of the unique TCP/IP address space. The fact that nearly all private and public entities are moving to establish an Internet connection has created a serious IP address shortage. The current demand for global IP address space will, in fact, very shortly far exceeds the available address space. The inventors of TCP/IP could not envision the day when there would be a million hosts on the Internet, let alone four billion.
This depletion of IP address space was first observed in 1993. The Internet Assigned Number Authority (IANA), the organization responsible for resolving the problem, proposed to conserve the unique addressing space by blocking out (reserving) a large addressing space (private space) that may be replicated in multiple private local area networks (LANs). This pool of set-aside addresses would also be non-routable on the Internet. These address blocks, set up in 1993, and are:
· Class “A” 10.0.0.0 -> 10.255.255.255
· Class “B” 172.16.0.0 -> 172.31.255.255
· Class “C” 192.168.0.0 -> 192.168.255.255
The solution was called private addressing and was defined in RFC (Request For Comments) 1918.
The process was further enhanced with a solution called Network Address Translation (NAT) RFC 1631. NAT would be a process whereby these private addresses could be masked with an authorized or registered (real) assigned IP address. NAT is a “many-to-one” scheme that is based on the premise that not all users on a private LAN will need to access the Internet at the same time. A small pool of registered real IP addresses are registered and assigned to the user’s group. The registered IP addresses can then be dynamically assigned and reassigned, as appropriate, by the NAT device to users accessing the Internet.
A second NAT technique called port address translation (PAT) is a common solution for small to mid-size companies. The PAT technique is similar to NAT but only uses one registered IP address instead of a pool of addresses. PAT is a true many-to-one solution in that it manipulates a field in the public data packet which is then related back to the private address packet.
3.2 NAT types
This section describes the available NAT types. We can implement address translation as dynamic NAT, Port Address Translation, static NAT, or static PAT or as a mix of these types. We can also configure rules to bypass NAT, for example, if we enable NAT control but do not want to perform NAT. This section includes the following topics:
¨ Dynamic NAT,
¨ PAT,
¨ Static NAT,
¨ Static PAT,
¨ Bypassing NAT when NAT Control is Enabled,
They are describing below:-
¨ Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host we want to translate accesses the destination network, the FWSM assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly. See the following “Static NAT” or “Static PAT” sections for reliable access to hosts.
Figure 12-6 shows a remote host attempting to connect to the real address. The connection is denied because the FWSM only allows returning connections to the mapped address.
Dynamic NAT has these disadvantages:
•If the mapped pool has fewer addresses than the real group, we could run out of addresses if the amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
•We have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, we might encounter a shortage of usable addresses.
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.
¨ PAT
PAT translates multiple real addresses to a single mapped IP address. Specifically, the FWSM translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list). Not only can we not predict the real or mapped port number of the host, but the FWSM does not create a translation at all unless the translated host is the initiator. See the following “Static NAT” or “Static PAT” sections for reliable access to hosts.
PAT lets we use a single mapped address, thus conserving routable addresses. We can even use the FWSM interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.
¨ Static NAT
Static NAT creates a fixed translation of real addresses to mapped addresses. With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it).
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if there is an access list that allows it), while dynamic NAT does not. We also need an equal number of mapped addresses as real addresses with static NAT.
¨ Static PAT
Static PAT is the same as static NAT; except it lets we specify the protocol (TCP or UDP) and port for the real and mapped addresses.
This feature lets we identify the same mapped address across many different static statements; so long as the port is different for each statement (we cannot use the same mapped address for multiple static NAT statements).
For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the FWSM automatically translates the secondary ports.
For example, if we want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, we can specify static PAT statements for each server that uses the same mapped IP address, but different ports
Figure 3-2.1 Static PAT
See the following commands for this example:
hostname(config)#static(inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
hostname(config)#static(inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
hostname(config)#static(inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255
¨ Bypassing NAT when NAT Control is Enabled
If we enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If we do not want to perform NAT for some hosts, then we can bypass NAT for those hosts (alternatively, we can disable NAT control). We might want to bypass NAT, for example, if we are using an application that does not support NAT .We can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility with inspection engines. However, each method offers slightly different capabilities, as follows:
•Identity NAT (nat 0 command)—When we configure identity NAT (which is similar to dynamic NAT), we do not limit translation for a host on specific interfaces; we must use identity NAT for connections through all interfaces. Therefore, we cannot choose to perform normal translation on real addresses when we access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets we specify a particular interface on which to translate the addresses. Make sure that the real addresses for which we use identity NAT are routable on all networks that are available according to we access lists.
For identity NAT, even though the mapped address is the same as the real address, we cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
•Static identity NAT (static command)—Static identity NAT lets we specify the interface on which we want to allow the real addresses to appear, so we can use identity NAT when we access interface A, and use regular translation when we access interface B. Static identity NAT also lets use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate. For example, we can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B.
•NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, we do not limit translation for a host on specific interfaces; we must use NAT exemption for connections through all interfaces. However, NAT exemption does let we specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so we have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
3.3 <href=”#Setup_DHCP”>How NAT works
The network address translation (NAT) process will be active on a router, or firewall security system, that typically connects to the Internet. This process on a router, or firewall, is called an application proxy. The generic use of the term “application proxy” is when the router/firewall receives a data packet, checks its payload, manipulates it and then redirects it. In short, acts as a middleman. NAT performs a one-to-one IP address mapping from a private to a registered “real” IP address. In each data packet that is bound for the Internet, the NAT process looks at the destination and source IP addresses. The process strips off any private addressing and replaces it with one of the “real” registered IP addresses from the pool. The NAT process will keep track, through an internal mapping process, of the assigned registered IP addresses to private addresses. When the remote Internet server replies, the NAT router receives in inbound Internet packet and re-addresses the packet to the original private address
For example, when host 10.1.1.2 wishes to contact an Internet server 168.2.2.2, it will need to use the globally unique IP address. The host 10.1.1.2 sends this data packet to its local Internet router. The NAT process located in the Internet router replaces the 10.1.1.2 address with 196.20.20.2 from its source address pool. This registered source address pool is allocated to the private users/company from its contracted Internet Service Provider (ISP). The NAT router tracks the one-to-one IP address mapping translations between the private and registered addresses and waits for the reply from the destination Internet server 168.2.2.2. The address 196.20.20.2 is a legal IP address, which allows the 168.2.2.2 host to reply back through the Internet. Once the NAT router receives the reply, it strips the registered IP address 196.20.20.2 and replaces it with the original private address 10.1.1.2 before routing it on to the users LAN.
NAT operates at the Network layer (Layer 3) of the OSI Reference Model which makes sense, because this is the layer at which routers work:
Figure 3-3.1 OSI reference model
A real benefit of NAT is apparent in network administration. For example, we can move wer Web server or FTP server to another host computer without having to worry about broken links. Simply change the inbound mapping with the new inside local address at the router to reflect the new host. We can also make changes to our internal network easily since the only external IP address either belongs to the router or comes from a pool of global addresses. NAT and DHCP are a natural fit; we can choose a range of unregistered IP addresses for wer stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up our network as wer needs grow. We don’t have to request more IP addresses from IANA. We can just increase the range of available IP addresses configured in DHCP and immediately have room for additional computers on our network.
3.4 Designing NAT/PAT
The scenario is that our company is connected to an ISP that has a connection to www.google.com. We have one IP address that is visible to the outside world.
Our company will use network and port translation to supply IP translations to the hosts inside the network. Our can use a browser on the PCs to see this website via the ISP. Routing using has an EIGRP ready been setup for our but we will need to configure the DHCP server on our company’s border gateway router and also the dynamic NAT/ PAT.
Figure 3-4.1 Design NAT/PAT
Firstly build the physical layer for the network by adding two switches and 2 PCs to each of the switches. Rename the switches via the GUI to Student and Staff respectively. The Border Gateway router already has the routing information that it needs to connect to the ISP but we will need to setup the Fast Ethernet interfaces to use private addressing. Do not use the GUI for configuring the router – we must get used to the CLI.
For FastEthernet0/0, use the network 192.168.0.0 /24
For FastEthernet0/1, use the network 192.168.1.0 /24
Give the lowest available IP address to the Fast Ethernet interface on each of the two networks. Remember that the Fast Ethernet interfaces will be administratively closed down so we will need to turn them on. The IOS commands no shutdown can be used to turn them on after we have set their IP addresses. Make sure that we interfaces on the switches and the PCs and the Fast Ethernet connections on the router are green before continuing.
3.5 Setup DHCP
To make the DHCP server active to supply IP addressing information to the PCs attached to the switches, we will need to define two address pools, one for each of the two Ethernet networks.
Here, I have used the name net0 for the FastEthernet0/0 network and the details below will be supplied to all the PCs attached to that interface. Type this configuration into the border gateway router.
ip dhcp pool net0
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 172.17.0.2
Now we will need to create another pool of addresses for the FastEthernet0/1 interface. Use the same DNS server address but we will need to use a different network number and different default gateway. Write this down before we add the configuration. Add the configuration in exactly the same way as above.
Save our router’s configuration once we have setup the DHCP server. Save the Packet Tracer file too. Test that the DHCP configuration is working by selecting a PC and visiting the Desktop, IP Configuration. Select the DHCP radio box and if the DHCP details have been entered correctly on the router, we should receive IP details similar to those shown below.
Figure 3-4.2 setups DHCP
Setup NAT/ PAT
When setting up NAT/ PAT on our router, we will need to decide which of the interfaces are inside the NAT/ PAT scheme and which addresses are outside the NAT/ PAT scheme. We can think of the NAT/ PAT as an imaginary dividing line across wer router.
Figure 3-4.3 ACL declaration
Write down which of the interfaces on gateway router are inside the NAT scheme and which interface is outside the NAT scheme. The first step we will need to carry out is to visit each interface and apply it as either
ip nat outside or ip nat inside.
Interface FastEthernet0/0 ip nat inside
We do not need to change any other interface details. Do this for each of our three interfaces according to whether they are inside or outside the NAT scheme.
We will now need to define two access lists to allow traffic that will cross the NAT/ PAT boundary to be defined. Type the following
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
the last step is to apply the addresses that we wish to cross the boundary to the serial interface.
Type.the.following:
ip nat inside source list 1 interface Serial0/0 overload
This command takes the addresses defined in the access list numbered 1 above and applies them to the serial0/0 interface with the part of the command source list 1. The word overload is a command to the router to allow more than one inside address to share the address that is applied to the serial interface itself.
If we have typed all of the configurations correctly, we should now have setup the NAT/ PAT and have finished the setup part of the lab.
Verifying NAT/ PAT:
To test whether the address translation is actually taking place, we will need to use one of the PCs to communicate with a computer outside of our network.
Go to a PC and visit the Desktop, Command Prompt and type
ping.www.google.com
If this is successful, go to the CLI of our gateway router and type the following command
border-gateway#show ip nat translations
Pro Inside global Inside local Outside
local Outside global
icmp 172.16.0.2:19 192.168.0.3:19
172.17.0.2:19 172.17.0.2:19
icmp 172.16.0.2:20 192.168.0.3:20
172.17.0.2:20 172.17.0.2:20
icmp 172.16.0.2:21 192.168.0.3:21 172.17.0.2:21 172.17.0.2:21
icmp 172.16.0.2:22 192.168.0.3:22 172.17.0.2:22 172.17.0.2:22
udp 172.16.0.2:1030 192.168.0.3:1030 172.17.0.2:53 172.17.0.2:53
The output above shows the Inside local address that has been translated and the port that was associated with the application. The Outside global address is the address that is carried across the outside network and the port that is associated with it .The protocol is shown at the start of the list. The four ICM Requests associated with the ping request are shown plus the request to the DNS server to translate the address www.google.com into an IP address.
3.6 Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule. To enable NAT control, enter the following command:
hostname (config)# nat-control
To disable NAT control, enter the no form of the command.
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, WE must configure NAT to translate the inside host address shown in following figure
Figure 3-5.1 NAT Control and Outbound Traffic
Interfaces at the same security level are not required to use NAT to communicate. However, if we configure dynamic NAT or PAT on a same security interface with NAT control enabled, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule
Figure 3-5.2 NAT Control and Same Security Traffic
Similarly, if we enable outside dynamic NAT or PAT with NAT control, then all outside traffic must match a NAT rule when it accesses an inside interface
Figure 3-5.3 NAT Control and Inbound Traffic
Static NAT with NAT control does not cause these restrictions. By default, NAT control is disabled, so we do not need to perform NAT on any networks unless we choose to perform NAT. If we upgraded from an earlier version of software, however, NAT control might be enabled on our system.
3.7 Using Dynamic NAT and PAT
This section describes how to configure dynamic NAT and PAT, and includes the following topics:
¨ Dynamic NAT and PAT Implementation,
¨ Configuring Dynamic NAT or PAT.
¨ Dynamic NAT and PAT Implementation:
For dynamic NAT and PAT, we first configure a nat command identifying the real addresses on a given interface that we want to translate. Then we configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each NAT command matches a global command by comparing the NAT ID, a number that we assign to each command.
multiple nat commands using the same NAT ID on one or more interfaces; they all use the same global command when traffic exits a given interface. For example, we can configure nat commands for Inside and DMZ interfaces, both on NAT ID 1. Then we configure a global command on the Outside interface that is also on ID 1. Traffic from the Inside interface and the DMZ interface share a mapped pool or a PAT address when exiting the Outside interface
Figure 3-7.2 NAT Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)#nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)#global (outside) 1 209.165.201.3-209.165.201.10
We can also enter a global command for each interface using the same NAT ID. If we enter a global command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to be translated when going to both the Outside and the DMZ interfaces. Similarly, if we also enter a nat command for the DMZ interface on ID 1, then the global command on the Outside interface is also used for DMZ traffic. Following figure shows this–
Figure 3-7.3 Global and nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If we use different NAT IDs, we can identify different sets of real addresses to have different mapped addresses. For example, on the Inside interface, we can have two NAT commands on two different NAT IDs. On the Outside interface, we configure two global commands for these two IDs. Then, when traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A addresses; while traffic from Inside network B are translated to pool B addresses see Figure below. If we use policy NAT, we can specify the same real addresses for multiple NAT commands, as long as the destination addresses and ports are unique in each access list.
Figure 3-7.4 Different NAT IDs
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)#nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)#global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)#global (outside) 2 209.165.201.11
We can enter multiple global commands for one interface using the same NAT ID; the FWSM uses the dynamic NAT global commands first, in the order they are in the configuration, and then uses the PAT global commands in order. We might want to enter both a dynamic NAT global command and a PAT global command if we need to use dynamic NAT for a particular application, but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, we might enter two PAT statements if we need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports
Figure 3-7.5 NAT and PAT Together
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
For outside NAT (from outside to inside), we need to use the outside keyword in the NAT command. If we also want to translate the same traffic when it accesses an outside interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then we must configure a separate NAT command without the outside option. In this case, we can identify the same addresses in both statements and use the same NAT ID Following Figure. Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
Figure 3-7.6 Outside NAT and Inside NAT Combined
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)#static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-1-10.1.2.40
When we specify a group of IP address in a NAT command, then we must perform NAT on that group of addresses when they access any lower or same security level interface, we must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface, because to perform NAT from outside to inside, we must create a separate NAT command using the outside keyword. If we do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
¨ Configuring Dynamic NAT or PAT:
This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic NAT and PAT are almost identical; for NAT we specify a range of mapped addresses, and for PAT we specify a single address.
Figure 12-20 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined by the global command.
Figure 3-7.7 Dynamic NAT
Following Figure shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address defined by the global command is the same for each translation, but the port is dynamically assigned.
Figure 3-6.8 Dynamic PAT
To configure dynamic NAT or PAT, perform the following steps:
Step 1
To identify the real addresses that we want to translate, enter one of the following commands:
•Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
We can identify overlapping addresses in other NAT commands. For example, we can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
–access-list acl_name—
Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command .This access list should include only permit ACEs. We can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration.
–nat_id—
An integer between 1 and 65535. The NAT ID should match a global command NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 12-19 for more information about how NAT IDs are used. 0 is reserved for NAT exemption –dns—
If our NAT command includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command.–outside—
If this interface is on a lower security level than the interface WE identify by the matching global statement, then we must enter outside to identify the NAT instance as outside NAT.
–tcp tcp_max_conns—
Sets the maximum number of simultaneous TCP connections for the entire subnet up to 65,536. The default is 0, which means the maximum connections.
–emb_limit—
Sets the maximum number of embryonic connections per host up to 65,536. The default is 0, which means the maximum connections. We must enter the TCP tcp_max_conns before we enter the emb_limit. If we want to use the default value for _max_conns, but change the emb_limit, then enter 0 for tcp_max_conns.
An embryonic connection is a connection request that has not finished the necessary TCP handshake between source and destination. Limiting the number of embryonic connections protects from a DoS attack. The FWSM uses the embryonic limit to trigger TCP Intercept. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client’s SYN request. When the FWSM receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.
–udp udp_max_conns—
Sets the maximum number of simultaneous UDP connections for the entire subnet up to 65,536. The default is 0, which means the maximum connections.
–norandomseq—
Disables TCP Initial Sequence Number (ISN) randomization.TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
•Regular NAT:
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 12-19 for more information about how NAT IDs are used. 0 is reserved for identity NAT. See the “Configuring Identity NAT” section on page 12-32 for more information about identity NAT.
Step 2
To identify the mapped address to which we want to translate the real addresses when they exit a particular interface, enter the following command:
hostname(config)#global (mapped_interface) nat_id {mapped_ip[–mapped_ip]}
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that we want to translate when they exit this interface.
We can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across subnet boundaries if desired. For example, we can specify the following “supernet”:192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
To translate the lower security DMZ network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
To identify a single real address with two different destination addresses using policy NAT, enter the following commands (see Figure 12-9 on page 12-11 for a related figure):
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130
To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands (see Figure 12-10 on page 12-12 for a related figure):
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
3.8 Using Static NAT
This section describes how to configure a static translation.
Following Figure shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.
Figure 3-8.1 Static NAT
To configure static NAT, enter one of the following commands.
•For policy static NAT, enter the following command:
hostname(config)#static (real_interface,mapped_interface) mapped_ip access-list acl_name [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the “Adding an Extended Access List” section on page 10-6). The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:
hostname(config)# access-list TEST extended ip host 10.1.1.1 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST
In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224/27 network initiates a connection to 192.168.1.1, then the second address in the access list is the source address.
This access list should include only permit ACEs. We can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the “Policy NAT” section on page 12-10 for more information.
If a network for translation (for example, 10.1.1.0 255.255.255.0), then the FWSM translates the .0 and .255 addresses. If we want to prevent access to these addresses, be sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 12-25 for information about the other options.
•To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) mapped_ip real_ip [netmask mask] [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
See the “Configuring Dynamic NAT or PAT” section on page 12-25 for information about the options.
For example, the following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address (see Figure 12-9 on page 12-11 for a related figure):
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
3.9 Using Static PAT
This section describes how to configure a static port translation. Static PAT lets we translate the real IP address to a mapped IP address, as well as the real port to a mapped port. We can choose to translate the real port to the same port, which lets we translate only specific types of traffic, or we can take it further by translating to a different port.
Following Figure shows a typical static PAT scenario. The translation is always active so that both translated and remote hosts can originate connections, and the mapped address and port is statically assigned by the static command.
Figure 3-9.1Static PAT
For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the FWSM automatically translates the secondary ports.
Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the “Static PAT” To configure static PAT, enter one of the following commands.
•For policy static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} mapped_ip mapped_port access-list acl_name [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the “Adding an Extended Access List” section on page 10-6). The protocol in the access list must match the protocol we set in this command. For example, if we specify tcp in the static command, then we must specify tcp in the access list. Specify the port using the eq operator.
The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:
hostname(config)# access-list TEST extended tcp host 10.1.1.1 209.165.200.224 255.255.255.224 eq telnet
hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST
In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224/27 network initiates a Telnet connection to 192.168.1.1, then the second address in the access list is the source address.
This access list should include only permitACEs. Policy NAT does not consider the inactive or time-rangekeywords; all ACEs are considered to be active for policy NAT configuration. See the “Policy NAT” section on page 12-10 for more information.
If we specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the FWSM translates the .0 and .255 addresses. If we want to prevent access to these addresses, be sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 12-25 for information about the other options.
•To configure regular static PAT, enter the following command:
hostname(config)#static (real_interface,mapped_interface) {tcp | udp} mapped_ip mapped_port real_ip real_port [netmask mask] [dns] [[tcp<