This challenge involves the configuration of dynamic NAT. The objectives of this challenge are to:
Example
> en
# config t
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside
Explanation
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
The first of these defines that the host with the inside address 160.94.210.50 will be seen from outside the network as 93.123.33.13 (the other two lines do the same for 160.94.210.53 and 160.94.210.55). Thus, for example, if the host at 160.94.210.50 is a Web server, users from outside the network will access it using the address 93.123.33.13. Servers which must be reachable from the public network are normally given a static mapping, because a static entry is permanent and does not depend on the server having first sent traffic outwards, so an inbound connection always finds a matching entry. The mappings can be checked with show ip nat translations, which lists static entries even when no traffic has passed through them.
Theory
Network address translation (NAT) is defined in RFC1631, and swaps one network address for another. This allows private networks (RFC1918 addresses) to be created, which are then translated to public addresses when they access the Internet. A router can operate at the border of a domain and translate addresses from private to public, and vice-versa. For example, a node could be given a private address of 192.168.10.12. The NAT could then translate this to a public address of 168.10.34.21. The NAT table would then hold the mapping:
Private          Public
192.168.10.12    168.10.34.21
If a host from outside the domain sends a data packet back to the domain, the NAT translates the public address back into the private address. These translations can be statically assigned, where a permanent mapping is set up, or dynamic, where the table changes as the network requires. Figure 1 gives an example, where the destination address is 11.22.33.44. The source address in this case is changed from 192.168.10.12 to 168.10.34.21 as the data packet leaves the domain, and the destination address of the reply is changed back from 168.10.34.21 to 192.168.10.12 when it comes back into the domain.
NAT routers can use port address translation (PAT), which allows many internal addresses to be mapped to the same global address. This is also known as many-to-one NAT, or address overloading. With PAT, the NAT router keeps track of the connections and of the TCP/UDP ports being used, and it changes the global address back into the correct private address based on the port. In Figure 2 there is a single external address (168.10.34.21), and the translated source ports are used to identify each connection. In the example in Figure 3 a host has four different connections to a WWW server, and each connection has been mapped to a unique source port (5555, 5556, 5557 and 5558), so that the reply to each connection can be returned to the right socket on the host.
Figure 1 Example of NAT
In summary the advantages of NAT are:
· Hides the internal addresses of the network.
· Bars direct contact with a host from outside, unless a mapping for it exists.
· Increases the range of usable addresses (many private addresses behind a few public ones).
· Allows easy creation of subnetworks.
Figure 2 Example of port address translation (PAT)
Figure 3 Example of port address translation (PAT)
The three main types of NAT are:
· Static translation. Each public IP address translates to a private one through a fixed table. It is good for security logging and traceability, but does not hide the internal network: as the mappings are statically defined, the nodes inside the network can be contacted directly from outside. Static translation also does not save public addresses, although an organisation may limit access by limiting the number of private addresses which are mapped.
· IP masquerading (dynamic translation). A single public IP address is used for the whole network. The table is thus dynamic, and uses TCP/UDP ports to identify connections. It has the advantage that a complete network requires only a single public address, but, of course, the network which is allocated private addresses is dependent upon the NAT device for its connection to external networks.
· Load balancing translation. With this, a request is made to a resource, such as a WWW server; the NAT device looks at the current loading of the systems behind it, and forwards the request to the one which is most lightly used (Figure 4).
Figure 4 Load balancing translation
Dynamic NAT is good at isolating the internal network from a public, untrusted network, as it allows the NAT device to build a table of connections which have been initiated from inside. External devices thus cannot contact hosts for which no entry exists in the NAT device. Unfortunately some applications, such as FTP (in active mode) and IRC (DCC), require the remote server to open a connection back to the host. Thus the NAT device must be able to implement backtracking of connections, as illustrated in Figure 5: it must watch the control connection to learn which inbound connection to expect, and add a matching entry before that connection arrives.
Figure 5 NAT backtracking
Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping, and external nodes can thus connect to internal devices. It also does not hide the host from the external network, so the host can be traced if the mapping table is known. Dynamic NAT is much better for security, as it hides the network. Unfortunately it has two major weaknesses:
- Backtracking allows external parties to trace back a connection: the entry opened for the expected inbound connection is reachable from outside for as long as it exists.
- If the NAT device becomes compromised, the external party can alter the translation table and redirect traffic.
These weaknesses are illustrated in Figure 5.
Figure 5 NAT weaknesses
Network address translation allows private IP addresses to be translated to public addresses. This can either be achieved statically, where the translation is fixed by a translation table, or dynamically, where the translation table is set up as required by the network. Typically, a global address pool is defined from which the public addresses are taken. The command for this has the format:
RouterA# config t
RouterA(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
where the subnet mask is given either with the netmask argument (such as 255.255.255.0) or as a length with prefix-length (24 for a 255.255.255.0 subnet mask). After this, the addresses which will be translated are defined. This is achieved with the access-list command, which has the form:
RouterA# config t
RouterA(config)#access-list access-list-number permit source [source-wildcard]
Only packets whose source matches a permit entry in this list are translated; anything else is routed unchanged, so the list should be no wider than the private range that actually needs Internet access.
A dynamic translation uses the ip nat inside source list command, such as:
RouterA(config)#ip nat inside source list access-list-number pool name
where access-list-number is the list of inside addresses to translate and name is the pool they draw from. The router must also be told which interface faces the private network; this is set on the interface itself, for example for e0:
RouterA# config t
RouterA(config)# int e0
RouterA(config-if)#ip nat inside
ip nat inside marks the interface connected to the inside (private) addresses, and ip nat outside marks the interface connected to the public network (s0 in the examples below). Data packets travelling from an inside interface to an outside interface have their source address translated, and the replies arriving on the outside interface have their destination address translated back. Until both interface roles have been set, no translation takes place.
For example, to define a pool of addresses from 180.10.11.1 to 180.10.11.254:
RouterA(config)#ip nat pool org_pool 180.10.11.1 180.10.11.254 netmask 255.255.255.0
which defines the global addresses as org_pool. Addresses from this pool will be used as the source of translated data packets sent out to the Internet. An access-list command is then used to match the inside addresses which are to be translated:
RouterA(config)#access-list 2 permit 192.168.10.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pool
which ties access-list number 2 to the NAT pool org_pool. The interface roles are then set with:
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
Thus if a host with an address of 192.168.10.10 sends a data packet out of the network, it will be given one of the addresses from the pool, such as 180.10.11.1. All the hosts outside the network will use the pool address to communicate with the node. By default, a dynamic entry remains in the table for up to 24 hours (86400 seconds) after it was last used, in order to allow return traffic to be matched. The time-out can be changed with:
RouterA(config)#ip nat translation timeout seconds
This is an important factor, especially when there is a large number of hosts which can only use a limited pool of addresses: while the pool is exhausted, a new host that tries to go out has no address to take and its packets are dropped. A lower time-out allows an address to be released sooner, so that another node can use it. The active entries can be inspected with show ip nat translations, and a stale entry can be removed by hand with clear ip nat translation if the pool needs to be freed immediately.
NAT also enhances security to a degree, as it limits the ability of external users to connect to the local network: the translations of addresses are not permanent (unless a static translation is implemented), so an outside party has nothing to connect to until an inside host has opened a translation. NAT thus hides the topology of the network. It is not an access-control mechanism, however: any host for which an entry exists, whether static or a still-alive dynamic one, is reachable through that entry, so NAT should be combined with an access list or firewall on the outside interface rather than relied on alone.
Static translation uses a fixed lookup table to translate the addresses, where each address which requires an Internet address has a corresponding public IP address. Used on its own, it therefore cannot conserve public IP addresses. Typically the two methods are combined: important nodes, such as servers, are given a static entry, as this guarantees them an address, while less important nodes are granted a dynamic translation. This also aids security, as the statically mapped devices, which are the ones reachable from outside, can run enhanced security and monitoring software, which might not be possible on lower-level devices that are typically administered day to day by non-IT personnel.
Static addresses are also useful in translating network topologies from one network address structure to another, or even when individual nodes are moved from one subnet to another.
An example of configuring a static translation of the node 192.168.10.10 to the address 180.10.11.1:
RouterA(config)#ip nat inside source static 192.168.10.10 180.10.11.1
This is then applied to the inside and outside interfaces with:
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
NAT allows organisations to quickly remap their addresses as conditions require, such as when changing Internet access provider, or to respond to a network breach.
One of the advanced features of NAT routers is their ability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called many-to-one NAT, or address overloading. With address overloading, many privately addressed nodes can access the Internet using a single global address. The NAT router keeps track of the different conversations by recording TCP and UDP port numbers in the translation table. A translation entry which maps one IP address and port pair to another is called an extended table entry (as opposed to a simple entry, which maps an address only). This table matches each internal private IP address and port to the global address and a translated port, so that a reply arriving for that port can be returned to the right host.
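The translation table described here and in the Theory section above, modelled as a small Python simulator. This is an added example, not code from the original page and not Cisco IOS code: the class, method and field names are hypothetical, the two-address pool and the 86400-second time-out are taken from the dynamic NAT section above, the starting port 5555 matches Figure 3, and the packets are constructed. It walks through the static mapping from the Example at the top, the dynamic pool filling up and being freed by the time-out, the unsolicited inbound packet that dynamic NAT drops, and the per-port extended entries that PAT uses.

```python
"""Toy NAT translation table (added example, not IOS code; all names hypothetical).
Models the text's static entries, dynamic pool and overload/PAT with the text's
own addresses. 86400 s is the IOS default timeout the text quotes; 5555 is an
assumed first translated PAT port, chosen to match Figure 3."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")   # one IP/TCP header, simplified

class NatTable:
    """Inside-source NAT: rewrites src on the way out and dst on the way back."""
    def __init__(self, pool, overload=False, timeout=86400):
        self.pool = list(pool)      # inside global addresses available to borrow
        self.overload = overload    # PAT: entries keyed by (address, port), not address
        self.timeout = timeout      # idle seconds before a dynamic entry is removed
        self.static = {}            # inside local ip -> inside global ip
        self.static_rev = {}        # inside global ip -> inside local ip
        self.dyn = {}               # key -> [global ip, global port or None, last seen]
        self.dyn_rev = {}           # (global ip, global port or None) -> key
        self.next_port = 5555       # assumed first translated port for PAT

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip
        self.static_rev[global_ip] = local_ip

    def _allocate(self, key, now):
        """Make a dynamic entry for key; None means nothing is free and the packet drops."""
        if self.overload:
            if self.next_port > 65535:
                return None                         # shared address is out of ports
            entry = [self.pool[0], self.next_port, now]
            self.next_port += 1
        else:
            in_use = {g for g, _ in self.dyn_rev}
            free = [g for g in self.pool if g not in in_use]
            if not free:
                return None                         # pool exhausted
            entry = [free[0], None, now]            # simple entry: whole address, any port
        self.dyn[key] = entry
        self.dyn_rev[(entry[0], entry[1])] = key
        return entry

    def outbound(self, pkt, now):
        """Inside -> outside: translated packet, or None if it cannot be translated."""
        if pkt.src in self.static:
            return pkt._replace(src=self.static[pkt.src])
        key = (pkt.src, pkt.sport) if self.overload else pkt.src
        entry = self.dyn.get(key) or self._allocate(key, now)
        if entry is None:
            return None
        entry[2] = now                              # traffic refreshes the idle timer
        return pkt._replace(src=entry[0], sport=pkt.sport if entry[1] is None else entry[1])

    def inbound(self, pkt, now):
        """Outside -> inside: translated packet, or None if no entry matches (dropped)."""
        if pkt.dst in self.static_rev:
            return pkt._replace(dst=self.static_rev[pkt.dst])
        key = self.dyn_rev.get((pkt.dst, pkt.dport)) or self.dyn_rev.get((pkt.dst, None))
        if key is None:
            return None
        self.dyn[key][2] = now
        if self.overload:
            return pkt._replace(dst=key[0], dport=key[1])
        return pkt._replace(dst=key)

    def expire(self, now):
        """Remove dynamic entries idle for >= timeout (what ip nat translation timeout tunes)."""
        stale = [k for k, e in self.dyn.items() if now - e[2] >= self.timeout]
        for k in stale:
            g, p, _ = self.dyn.pop(k)
            del self.dyn_rev[(g, p)]
        return len(stale)

def demo():
    """Run the text's scenarios with constructed packets and return what each produced."""
    out, www = {}, "11.22.33.44"
    nat = NatTable(pool=["180.10.11.1", "180.10.11.2"])
    nat.add_static("160.94.210.50", "93.123.33.13")     # the challenge's web server
    # A static entry is reachable from outside with no prior outbound traffic.
    out["static_inbound_dst"] = nat.inbound(Packet(www, 40000, "93.123.33.13", 80), 0).dst
    # Two hosts take the two pool addresses; a third gets nothing and is dropped.
    a = nat.outbound(Packet("192.168.10.10", 3000, www, 80), 0)
    b = nat.outbound(Packet("192.168.10.11", 3001, www, 80), 0)
    c = nat.outbound(Packet("192.168.10.12", 3002, www, 80), 0)
    out["dyn_globals"] = (a.src, b.src, c)
    out["dyn_return_dst"] = nat.inbound(Packet(www, 80, "180.10.11.1", 3000), 1).dst
    # After the 24 h idle timeout the entries go, the pool frees up, and a packet
    # to a pool address that no longer has an entry is dropped.
    out["expired"] = nat.expire(86401)
    out["after_expiry"] = nat.outbound(Packet("192.168.10.12", 3002, www, 80), 86401).src
    out["unsolicited"] = nat.inbound(Packet(www, 80, "180.10.11.2", 22), 86401)
    # PAT: four connections from one host plus a second host reusing local port
    # 1024 all share 168.10.34.21, told apart only by the translated port.
    pat = NatTable(pool=["168.10.34.21"], overload=True)
    conns = [pat.outbound(Packet("192.168.10.12", 1024 + i, www, 80), 0) for i in range(4)]
    out["pat_ports"] = [(q.src, q.sport) for q in conns]
    other = pat.outbound(Packet("192.168.10.13", 1024, www, 80), 0)
    out["pat_other"] = (other.src, other.sport)
    back = pat.inbound(Packet(www, 80, "168.10.34.21", other.sport), 1)
    out["pat_return"] = (back.dst, back.dport)
    out["pat_unsolicited"] = pat.inbound(Packet(www, 80, "168.10.34.21", 80), 1)
    return out

if __name__ == "__main__":
    print(demo())
```

Run with python3; demo() prints one result per scenario. One thing the model makes explicit that the prose glosses over: a non-overloaded dynamic entry (a simple entry) covers every port of the inside host for as long as it lives, so only PAT entries, which are keyed by port, reject unsolicited inbound packets to an address that is currently in use. For a plain dynamic pool the protection comes only from the absence or expiry of an entry, which is another reason to keep the time-out short and to put an access list on the outside interface.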
The NAT command is used to configure PAT with:
RouterA(config)#ip nat inside source list access-list-number pool name overload
For example, if a network has 20 IP global addresses from 180.10.11.1 to 180.10.11.20, then the router could be configured with:
RouterA(config)#ip nat pool org_pat_pool 180.10.11.1 180.10.11.20 netmask 255.255.255.0
RouterA(config)#access-list 2 permit 10.1.1.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pat_pool overload
RouterA(config)#interface e0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s0
RouterA(config-if)#ip nat outside
This creates an access-list with the number 2, which is applied to the pool with the overload keyword to provide PAT. With overload, each pool address is shared by many connections at once, each distinguished by its translated port, so the 20 addresses go much further than they would with plain dynamic NAT. This method is obviously important in a home network, where a user is granted a single public IP address for the router; the home network can then be set up with private addresses behind it.