Deploying Network Address Translation.pdf

Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
IPS-220
2880_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Deploying Network
Address Translation
Session IPS-220
Golden Rule
“Network Address Translations will occur only if: the packet travels from an IP NAT inside to an IP NAT outside interface and the access-list permits it.”
Agenda—Terminology
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
NAT—One-to-One Mapping
• Network address translation
• Layer 3 address modification
• Maps one internal (local) address to one external (global) address, i.e.
  10.1.1.1 → 172.16.4.1
  10.1.1.2 → 172.16.4.2
[Diagram: hosts .1 and .2 on network 10.1.1.0/24 behind the NAT router; pool 172.16.4.1-.254 on the outside network]
NAPT—Many to One Mapping
• Network address port translation (a.k.a. PAT/overloading)
• Layer 3 and 4 address and port modification (mainly: tcp, udp, icmp)
• Maps multiple internal (local) addresses to one external (global) address, i.e.
  10.1.1.1:2056 → 172.16.4.1:1024
  10.1.1.2:3000 → 172.16.4.1:1025
[Diagram: hosts .1 and .2 behind the NAT router; pool 172.16.4.1 (a single address) on the outside network]
Router Translations
• Inside source translation:
will modify the source address of a packet
that was received on the IP NAT inside
interface
• Outside source translation:
will modify the source address of a packet
that was received on the IP NAT outside
interface
The Inside Interface
• Inside local address (IL)—The IP address that
is assigned to a host on the inside network;
the address is probably not a legitimate IP
address assigned by the Network Information
Center (NIC) or service provider
• Inside global address (IG)—A legitimate IP
address (assigned by the NIC or service
provider) that represents one or more inside
local IP addresses to the outside world
The Outside Interface
• Outside local address (OL)—The IP
address of an outside host as it appears to
the inside network; not necessarily a
legitimate address, it was allocated from
address space routable on the inside
• Outside global address (OG)—The IP
address assigned to a host on the outside
network by the host's owner; the address
was allocated from globally routable
address or network space
Analogy of Translation Terms
[Diagram: Inside network 10.1.1.x (hosts .1, .2, .3) on the left and Outside network 10.1.2.x (host .1) on the right; Inside Source… pool 172.16.4.1-.254, Outside Source... pool 192.168.1.1-.254]
Packet P1 from HOST 10.1.1.1 to outside host 10.1.2.1, in translation terms:
              HOST      IL        IG          OL           OG
P1 with NAT   10.1.1.1  10.1.1.1  172.16.4.1  192.168.1.1  10.1.2.1
P1 NO NAT     10.1.1.1  10.1.1.1  10.1.1.1    10.1.2.1     10.1.2.1
Reality of Translation Terms
[Diagram: the NAT router sits between inside network 10.1.1.x (hosts .1, .2, .3) and outside network 10.1.2.x (host .1); Inside Source… pool 172.16.4.1-.254, Outside Source... pool 192.168.1.1-.254]
Inside Source translation:  IL 10.1.1.1 ↔ IG 172.16.4.1
Outside Source translation: OL 192.168.1.1 ↔ OG 10.1.2.1
Resulting entry for HOST 10.1.1.1: IL 10.1.1.1, IG 172.16.4.1, OL 192.168.1.1, OG 10.1.2.1 (without a translation each local address equals its global address: 10.1.1.1 and 10.1.2.1)
Translation Rules
• If a translation exists, use the translated
address; i.e. inside global address
• If no translation exists, build one and
record the details in the translation table
• Simple translations look at the source
address only, whereas extended
translations use source, destination, and
protocol
Simple Vs. Extended Translations
Simple (Using Access-Lists without Overload)
Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.4.1         10.1.1.1           ---                ---
Extended (Using Route-Maps or Overload)
Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.4.1:11012   10.1.1.1:11012     172.17.1.1:23      172.17.1.1:23
tcp 172.16.3.1:11011   10.1.1.1:11011     172.16.1.1:23      172.16.1.1:23
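The golden rule, the one-to-one (NAT) and many-to-one (NAPT) mappings and the simple/extended distinction shown above can be put into one small model. The following Python is an added example written for this page; it is not Cisco code and does not reproduce IOS behaviour in every detail (translation timeouts, the exact port-allocation ranges and the ICMP and GRE cases are left out). The class and method names, the interface names and the pool and packet values are constructed to match the slides.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields NAT looks at."""
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class NatRouter:
    """Toy model of 'ip nat inside source' for packets that arrive on an inside
    interface and leave on an outside interface (hypothetical class, not IOS)."""

    def __init__(self, inside_ifaces, outside_ifaces, acl, pool, overload=False):
        self.inside = set(inside_ifaces)
        self.outside = set(outside_ifaces)
        self.acl = [ipaddress.ip_network(n) for n in acl]  # permitted inside-local sources
        self.pool = list(pool)                              # inside-global addresses
        self.overload = overload                            # True = NAPT/PAT
        self.next_port = 1024                               # next inside-global port to hand out
        self.simple = {}    # inside local -> inside global (source address only)
        self.extended = {}  # (proto, IL, sport, OG, dport) -> (IG, global port)

    def _permitted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.acl)

    def translate(self, pkt, in_iface, out_iface):
        """Return (translated packet or None, reason)."""
        # Golden rule: inside -> outside interface AND the access-list permits it.
        if in_iface not in self.inside or out_iface not in self.outside:
            return pkt, "no-translation"
        if not self._permitted(pkt.src):
            return pkt, "no-translation"
        return self._extended(pkt) if self.overload else self._simple(pkt)

    def _simple(self, pkt):
        # Simple translation: keyed on the source address; one pool address per host.
        ig = self.simple.get(pkt.src)
        if ig is None:
            if not self.pool:
                return None, "pool-exhausted"   # no free address: the packet is dropped
            ig = self.pool.pop(0)
            self.simple[pkt.src] = ig
        return Packet(ig, pkt.dst, pkt.proto, pkt.sport, pkt.dport), "simple"

    def _extended(self, pkt):
        # Extended translation: keyed on protocol, source, destination and ports,
        # so many hosts share one global address and are told apart by global port.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.extended:
            if not self.pool:
                return None, "pool-exhausted"
            self.extended[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        ig, gport = self.extended[key]
        return Packet(ig, pkt.dst, pkt.proto, gport, pkt.dport), "extended"

    def show_ip_nat_translation(self):
        """Rows in the layout of 'show ip nat translation' (no outside translation here)."""
        rows = [f"--- {ig:<20} {il:<20} ---  ---" for il, ig in self.simple.items()]
        for (proto, il, sp, og, dp), (ig, gp) in self.extended.items():
            rows.append(f"{proto} {ig}:{gp:<14} {il}:{sp:<14} {og}:{dp:<14} {og}:{dp}")
        return rows


if __name__ == "__main__":
    nat = NatRouter(["ethernet0"], ["serial0"], ["10.1.1.0/24"], pool=["172.16.4.1", "172.16.4.2"])
    nat.translate(Packet("10.1.1.1", "172.17.1.1", "tcp", 11012, 23), "ethernet0", "serial0")
    pat = NatRouter(["ethernet0"], ["serial0"], ["10.1.1.0/24"], pool=["172.16.4.1"], overload=True)
    pat.translate(Packet("10.1.1.1", "172.17.1.1", "tcp", 2056, 80), "ethernet0", "serial0")
    pat.translate(Packet("10.1.1.2", "172.17.1.1", "tcp", 3000, 80), "ethernet0", "serial0")
    print("\n".join(nat.show_ip_nat_translation() + pat.show_ip_nat_translation()))
```

With a two-address pool and no overload, the third inside host gets no translation at all (the "limited number of simultaneous users" con of the NAT-only scenario); with overload, every new flow costs only a port on the single global address, and a retransmitted packet of an existing flow reuses its entry instead of consuming another port.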
Agenda—Requirements
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
Requirements—Software
• 11.2—IP plus only
• 11.3—PAT: general availability
• 11.3—NAT: IP plus
• 12.x—full NAT/PAT*
Requirements—Hardware
• Most platforms*
• Each translation = 160 bytes
• 10,000 translations = 1.6 megabytes
• Performance/latency is negligible**
Agenda—Network
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
NAT Only Scenario: Topology/Config
router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 pool natpool
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
[Diagram: hosts .10 and .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Serial 0 toward the network; pool 209.165.201.0/27]
NAT Only Scenario: Pros/Cons
Pros
• Very high success-rate for almost all
IP-based applications
Cons
• Limited number of simultaneous users;
i.e. users = number of addresses in the pool
• Multiple addresses needed from
the ISP ( = $$$)
NAPT Only Scenario: Topology/Config
router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 interface serial 0 overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
[Diagram: hosts .10 and .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Serial 0 toward the network; pool 209.165.201.0/27]
NAPT Only Scenario: Pros/Cons
Pros
• Simultaneous users can be in the
neighborhood of 64K
• Only 1 address is needed from the ISP
Cons
• Only some TCP, UDP, ICMP, and PPTP*
applications can be used
NAT and NAPT Scenario: Topology/Config
router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 10 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 10 pool natpool overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
[Diagram: hosts .10 and .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Serial 0 toward the network; pool 209.165.201.0/27]
NAT and NAPT Scenario: Pros/Cons
Pros
• You get the pros of both NAT and
NAPT combined
Cons
• Dual connection traffic (i.e. Native IPSec)
will still not work since it will NAPT the
TCP, UDP, ICMP-based traffic using one
address and then NAT the other
connection with a different address
NAPT—With Easy IP
router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 1 interface dialer0 overload
router(config)# interface dialer 0
router(config-if)# ip address negotiated
router(config-if)# ip nat outside
router(config-if)# interface ethernet 0
router(config-if)# ip nat inside
----
6400(config)# ip local pool swim 172.16.4.1 172.16.4.254
6400(config)# interface virtual-template1
6400(config-if)# peer default ip address pool swim
[Diagram: network 10.1.1.0/24 behind the NAT router; the router dials into the 6400, which hands the negotiated address out of pool swim]
TCP Load Balancing Scenario
router(config)# ip nat pool tcpload 10.1.1.1 10.1.1.3 netmask 255.255.255.0 type rotary
router(config)# access-list 1 permit host 209.165.201.5
router(config)# ip nat inside destination list 1 pool tcpload
[Diagram: Internet clients connect to the virtual address 209.165.201.5; the NAT router hands the connections Round-Robin to the real servers .1, .2 and .3 on the 10.1.1.x network]
TCP Load Balance Scenario:
Pros/Cons
Pros
• Cheap investment
• Good for mail servers and simple
web clusters
Cons
• Applications that are connection-oriented
or utilize multiple connections or
redirections will not work
NAT by Destination
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 toward Partners (Available Addresses: 172.16.1.0/24, 192.168.1.0/24); Serial 1 toward the Internet (Available Addresses: 209.165.201.0/27)]
NAT by Destination—to Partners
router(config)# ip nat pool partners 172.16.1.3 172.16.1.254 netmask 255.255.255.0
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 toward Partners (Available Addresses: 172.16.1.0/24, 192.168.1.0/24)]
NAT by Destination—To Internet
router(config)# ip nat pool internet 209.165.201.10 209.165.201.30 netmask 255.255.255.224
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 1 toward the Internet (Available Addresses: 209.165.201.0/27)]
NAT by Destination—Route Map Declaration
router(config)# access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
router(config)# route-map topartners permit 10
router(config-map)# match ip address 110
router(config-map)# match interface serial 0
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 toward Partners (Available Addresses: 172.16.1.0/24, 192.168.1.0/24); Serial 1 toward the Internet (Available Addresses: 209.165.201.0/27)]
NAT by Destination—Route Map Declaration
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
router(config)# route-map tointernet permit 10
router(config-map)# match ip address 100
router(config-map)# match interface serial 1
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 toward Partners (Available Addresses: 172.16.1.0/24, 192.168.1.0/24); Serial 1 toward the Internet (Available Addresses: 209.165.201.0/27)]
NAT by Destination—Bindings
router(config)# ip nat inside source route-map topartners pool partners
router(config)# ip nat inside source route-map tointernet pool internet
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
router(config-if)# interface serial 1
router(config-if)# ip nat outside
[Diagram: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 toward Partners (Available Addresses: 172.16.1.0/24, 192.168.1.0/24); Serial 1 toward the Internet (Available Addresses: 209.165.201.0/27)]
NAT by Destination Scenario:
Pros/Cons
Pros
• Allows flexibility of having two or more NAT
pools based on destination
Cons
• Extra configurations (route-maps) if using
only NAT pools; overload/NAPT does not
have this issue
• Can run into issues with simple versus
extended translations if route-maps
are not used
Network Static
Router(config)# ip nat inside source static network 10.1.1.0 172.18.1.0 /24 no-alias
SrcAddr= 10.1.1.10 → 172.18.1.10
SrcAddr= 10.1.1.20 → 172.18.1.20
[Diagram: hosts .10 and .20 on 10.1.1.0/24 behind the NAT router toward the network]
Network Static Scenario: Pros/Cons
Pros
• Good fit for connecting two sites when
NAT is required
• Allows bi-directional traffic
Cons
• Since it allows bi-directional traffic, you
lose the security benefit (resource hiding)
that NAT provides
Network Static Pool
router(config)# ip nat pool natpool 172.18.1.0 172.18.1.255 netmask 255.255.255.0 type match-host
router(config)# ip nat inside source list 1 pool natpool
SrcAddr= 10.1.1.10 → 172.18.1.10
SrcAddr= 10.1.1.20 → 172.18.1.20
[Diagram: hosts .10 and .20 on 10.1.1.0/24 behind the NAT router toward the network]
Network Static Pool Scenario:
Pros/Cons
Pros
• Easy to track what hosts are doing
• Address hiding if no translation exists
Cons
• Requires equal number of inside hosts to
outside global addresses
i.e. /24 internal would need a /24 external
Dual NAT—Virtual View
• Typical network setup
• No overlap, simple routing
[Diagram: network 172.16.1.0 (hosts .1, .2, .3) and network 192.168.1.x (hosts .1, .2, .3, one of them the DNS server) joined through the network]
Dual NAT—Reality View
• Overlapping network address space
between blue and red networks
[Diagram: both networks are 10.1.1.x (hosts .1, .2, .3 on each side, the DNS server on one of them), joined through the network]
Dual NAT—the Solution
router-nat(config)# ip nat outside source static network 192.168.1.0 10.1.1.0 /24
router-nat(config)# ip nat inside source static network 10.1.1.0 172.16.1.0 /24
[Diagram: Inside network 10.1.1.x (hosts .1, .2, .3) and Outside network 10.1.1.x (hosts .1, .2 and the DNS server) with the NAT router between Inside and Outside]
Overlapping Networks—DNS Query
[Diagram: inside host .3 sends a DNS Query for RED-3 (address still unknown: ???) through the NAT router to the DNS server on the Outside 10.1.1.x network]
Overlapping Networks—DNS Response
DNS Response Modified via Address Translation
[Diagram: the DNS server on the Outside answers Response = 10.1.1.3 for RED-3; the NAT router rewrites the answer so that the inside host .3 learns RED-3 = 192.168.1.3]
Overlapping Networks—The Packet Is Sent
[Diagram: inside host .3 sends a packet toward RED-3 (192.168.1.3) with SA:10.1.1.3 DA:192.168.1.3; the NAT router sits between Inside and Outside]
Overlapping Networks—Source Translation
[Diagram: the NAT router translates the source; the packet toward RED-3 (192.168.1.3) now carries SA:172.16.1.3 DA:192.168.1.3]
Overlapping Networks—Destination Translation
[Diagram: the NAT router translates the destination; the packet leaves toward the Outside with SA:172.16.1.3 DA:10.1.1.3 and reaches RED-3 (192.168.1.3 as seen from inside)]
Overlapping Networks—Destination Translation
NAT Translation Table
HOST      IL        IG          OL           OG
10.1.1.3  10.1.1.3  172.16.1.3  192.168.1.3  10.1.1.3
[Diagram: Inside 10.1.1.x (host .3) and Outside 10.1.1.x (RED-3, seen inside as 192.168.1.3, plus the DNS server) with the NAT router between them]
Overlapping Networks Scenario:
Pros/Cons
Pros
• Single point of administration for the
NAT table
• Allows two overlapping network address
spaces to communicate
Cons
• Uses DNS to assist in the translation of
the remote network (not required)
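The two static network mappings of the dual-NAT solution and the DNS fix-up that rides on them (slides "Dual NAT—the Solution" through "Destination Translation") are easy to check in code. The Python below is an added example, not Cisco code; the class names are hypothetical, and the mapping directions are fixed to match the translation table on the page (IL 10.1.1.0/24 ↔ IG 172.16.1.0/24, OL 192.168.1.0/24 ↔ OG 10.1.1.0/24) rather than to any particular IOS argument order.

```python
import ipaddress


class StaticNetworkMap:
    """One static network mapping: the host bits are kept and only the network
    part is swapped (what 'ip nat ... source static network A B /24' achieves)."""

    def __init__(self, net_a, net_b, prefix_len):
        self.a = ipaddress.ip_network(f"{net_a}/{prefix_len}")
        self.b = ipaddress.ip_network(f"{net_b}/{prefix_len}")

    @staticmethod
    def _swap(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None                     # not covered by this mapping
        host_bits = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + host_bits)

    def a_to_b(self, addr):
        return self._swap(addr, self.a, self.b)

    def b_to_a(self, addr):
        return self._swap(addr, self.b, self.a)


class DualNat:
    """Inside-source and outside-source static network NAT on one router
    (hypothetical model of the overlapping-networks scenario)."""

    def __init__(self):
        # Inside local 10.1.1.0/24 appears on the outside as inside global 172.16.1.0/24.
        self.inside_src = StaticNetworkMap("10.1.1.0", "172.16.1.0", 24)
        # Outside global 10.1.1.0/24 (the overlapping remote net) appears on the
        # inside as outside local 192.168.1.0/24.
        self.outside_src = StaticNetworkMap("10.1.1.0", "192.168.1.0", 24)

    def dns_response_fixup(self, answer):
        """An A record arriving from the outside DNS server: OG -> OL.
        Answers outside the mapped range are passed through unchanged."""
        return self.outside_src.a_to_b(answer) or answer

    def inside_to_outside(self, src, dst):
        """Packet from an inside host: SA IL->IG, then DA OL->OG."""
        new_src = self.inside_src.a_to_b(src) or src
        new_dst = self.outside_src.b_to_a(dst) or dst
        return new_src, new_dst

    def outside_to_inside(self, src, dst):
        """Return packet from the outside: SA OG->OL, DA IG->IL."""
        new_src = self.outside_src.a_to_b(src) or src
        new_dst = self.inside_src.b_to_a(dst) or dst
        return new_src, new_dst

    def table_entry(self, inside_local, outside_global):
        """The five terms of the translation table for one conversation."""
        return {
            "HOST": inside_local,
            "IL": inside_local,
            "IG": self.inside_src.a_to_b(inside_local),
            "OL": self.outside_src.a_to_b(outside_global),
            "OG": outside_global,
        }


if __name__ == "__main__":
    nat = DualNat()
    print("DNS answer seen inside:", nat.dns_response_fixup("10.1.1.3"))
    print("outbound:", nat.inside_to_outside("10.1.1.3", "192.168.1.3"))
    print("return:  ", nat.outside_to_inside("10.1.1.3", "172.16.1.3"))
    print(nat.table_entry("10.1.1.3", "10.1.1.3"))
```

The DNS rewrite is what lets the inside host address RED-3 as 192.168.1.3 without any change on the remote side; as the pros/cons slide notes, it is a convenience rather than a requirement, since a host that already knows the outside-local address goes through the same source and destination translations.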
IPSec 101—ESP
Encapsulating Security Payload (ESP): Protocol 50
Tunnel Mode Only
[Diagram: Original Packet = IP HDR + Data; after encapsulation = New IP HDR + IPSec HDR + [IP HDR + Data]; the inner IP HDR and Data are Encrypted, the IPSec HDR and the encrypted part are Authenticated, and the New IP HDR (Layer 3) lies outside the authenticated portion]
NAT WORKS !
IPSec 101—AH
Authentication Headers (AH): Protocol 51
[Diagram: IP HDR + IPSec HDR + Data; HDR + Data = Checksum, and the Checksum is Stored in the AH; the Layer 3 header is part of the Authenticated portion]
NAT Breaks!
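Why the two slides above end differently can be shown with a few lines of integrity arithmetic. The Python below is an added example, not Cisco or IPsec reference code: it builds a constructed IPv4 header, computes an AH-style ICV over the header (mutable fields zeroed, addresses included) and an ESP-tunnel-style ICV over the inner packet only, and then applies the change inside-source NAT makes. The key, the SPI/sequence bytes and the stand-in "encryption" are constructed; the ICV is truncated to 96 bits as IPsec does.

```python
import hashlib
import hmac
import ipaddress
import struct


def ipv4_header(src, dst, proto, ttl=64):
    """Constructed minimal 20-byte IPv4 header (header checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv(key, ip_hdr, payload):
    """AH (protocol 51) ICV: over the IP header with mutable fields (TTL, header
    checksum) zeroed but INCLUDING the source/destination addresses, plus the payload."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0                  # TTL is mutable: every router decrements it
    hdr[10:12] = b"\x00\x00"    # header checksum is mutable: recomputed per hop
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()[:12]


def ah_verify(key, icv, ip_hdr, payload):
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, payload))


def esp_tunnel_icv(key, esp_hdr, encrypted_inner):
    """ESP tunnel mode (protocol 50) ICV: covers the ESP header and the encrypted
    inner packet only; the outer IP header is not authenticated at all."""
    return hmac.new(key, esp_hdr + encrypted_inner, hashlib.sha256).digest()[:12]


def esp_verify(key, icv, esp_hdr, encrypted_inner):
    return hmac.compare_digest(icv, esp_tunnel_icv(key, esp_hdr, encrypted_inner))


def decrement_ttl(ip_hdr):
    """What every router on the path does; AH tolerates it."""
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:]


def nat_rewrite_src(ip_hdr, new_src):
    """What inside-source NAT does to the layer-3 header (checksum update omitted)."""
    return ip_hdr[:12] + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]


def ah_survives_nat(key, src, dst, payload, inside_global):
    hdr = ipv4_header(src, dst, 51)
    icv = ah_icv(key, hdr, payload)                    # computed by the sender
    translated = nat_rewrite_src(hdr, inside_global)   # done by the NAT router
    return ah_verify(key, icv, translated, payload)    # checked by the receiver


def esp_tunnel_survives_nat(key, src, dst, inner_packet, inside_global):
    outer = ipv4_header(src, dst, 50)
    esp_hdr = b"\x00\x00\x10\x01\x00\x00\x00\x01"      # constructed SPI + sequence number
    encrypted = bytes(b ^ 0x5A for b in inner_packet)  # stand-in for real encryption
    icv = esp_tunnel_icv(key, esp_hdr, encrypted)
    translated_outer = nat_rewrite_src(outer, inside_global)  # only layer 3 changes
    return translated_outer != outer and esp_verify(key, icv, esp_hdr, encrypted)


if __name__ == "__main__":
    KEY = b"constructed-sample-key"
    inner = ipv4_header("10.1.1.10", "192.168.5.5", 6) + b"data"
    print("AH through NAT :", ah_survives_nat(KEY, "10.1.1.10", "1.1.1.1", b"data", "209.165.201.10"))
    print("ESP through NAT:", esp_tunnel_survives_nat(KEY, "10.1.1.10", "1.1.1.1", inner, "209.165.201.10"))
```

The same reasoning explains the rest of the IPSec pros/cons slide that follows: ESP tunnel mode works with one-to-one NAT only because an ESP packet carries no layer-4 port for NAPT to rewrite and multiplex on, and ESP transport mode fails because the inner TCP/UDP checksum, which covers the original addresses, is encrypted and cannot be corrected by the router.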
Native IPSec with NAT and NAPT Scenario:
router(config)# access-list 100 deny ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any
router(config)# route-map napt2internet permit 10
router(config-map)# match ip address 100
router(config)# ip nat inside source route-map napt2internet interface serial 0 overload
! Continued !
[Diagram: VPN Client on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Serial 0 toward the Internet (pool 209.165.201.0/27); VPN Gateway at 1.1.1.1]
Native IPSec with NAT and NAPT Scenario:
! Continued !
router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# route-map vpnusenat permit 10
router(config-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool
[Diagram: VPN Client .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Serial 0 toward the Internet (pool 209.165.201.0/27); VPN Gateway at 1.1.1.1]
IPSec Scenario: Pros/Cons
Pros
• ESP in tunnel mode can only use NAT
• NAT/NAPT support in the VPN3000 (UDP)
and VPN5000 (TCP:80) concentrators
Cons
• No ESP transport or AH tunnel/
transport support
• No PAT support unless the VPN device
incorporates a NAT over IPSec
functionality
Considerations—Access-Lists Inbound
Packet Flow (Outside → Inside): Inbound ACL* → Decryption → Inbound ACL → NAT → Routing → Outbound ACL
*Only If the Packet Is Encrypted
Considerations—Access-Lists Outbound
Packet Flow (Inside → Outside): Inbound ACL → Policy Routing → Routing → NAT → Outbound ACL → Encryption
VPN Remote Client—The Issues
router(config)# access-list 110 deny ip 10.1.1.0 0.0.0.255 ???
router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 any
router(config)# route-map vpnusenat permit 10
router(config-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool
??? = Not Sure on the Destination ISP Address
[Diagram: Your Company (10.0.0.0/8) behind the NAT/VPN router on the Internet; the Roaming User at an ISP builds an IPSec Tunnel to the VPN Gateway]
VPN Remote Client Issues
• Unable to predict IP address that would be
assigned to the VPN user
• Treat the VPN user as just another client
out on the Internet, same rules apply,
except they do not want to use NAT
• Solution: NAT by destination and mode
configuration (IP address pools for VPN)
VPN Remote Client—Mode Configuration
router (config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
[Diagram: Your Company (10.0.0.0/8) behind the NAT router; IPSec Tunnel to the Roaming User; the VPN Gateway with Mode Config assigns the user an address from the Pool of 172.16.1.1-.254]
VPN Client and Static NAT
router(config)# ip nat inside source static 10.1.1.1 209.165.201.5
[Diagram: VPN client 10.1.1.1/8 behind the NAT router; IPSec Tunnel across the Internet to the VPN Gateway at the ISP, where the Roaming User connects]
VPNs—Polic y Routing
router (config)# access-list 100 permit ip host 10.1.1.1 172.16.1.0 0.0.0.255
router(config)# route-map bypassnat permit 10
router(config-map)# match ip address 100
router(config-map)# set ip next-hop 172.31.1.2
router(config)# interface Ethernet 0
router(config-if)# ip policy route-map bypassnat
[Diagram: host 10.1.1.1/8 on Ethernet 0 of the NAT router; traffic matching the route-map is sent to next hop 172.31.1.2 on the 172.31.1.1/24 link toward the Internet instead of through NAT]
Agenda—Applications
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
Application Support
• Application layer:
embedded IP
information in
the payload
• Transport/network
layer: PAT/NAT
compliant
Know Your Applications
Considerations—Embedded IP
[Diagram: Inside: IP HDR: Src IP = 10.1.1.1, Data: IP = 10.1.1.1 → Address Translation → Outside: IP HDR: Src IP = x.x.x.x, Data: IP = 10.1.1.1 (the copy of the address inside the payload is left untranslated)]
Applications that Embed IP Address
Information
• DNS "A" and "PTR" queries
• NetBIOS over TCP/IP (datagram, name, and
session services)
• NetMeeting 2.1, 2.11 (4.3.2519) and 3.01
(4.4.3385)
• H.323v2 – H.225/245 message types except RAS
includes "FastConnect, Setup, Alerting, Facility,
Progress, OpenLogicalChannel,
OpenLogicalChannelAck, MCLocationIndication,
CommunicationModeCommand,
CommunicationModeResponse”
• FTP PORT and PASV commands
FTP—Active
• Server initiated data connections
• Client tells the server on which port to send to
the client
TCP Connection 1: Active Mode: LS Set (Control Connection, client → server through the NAT): SYN; SYN and ACK; ACK; Port Command; ACK
TCP Connection 2: Active Mode: Data (server → client): SYN; SYN and ACK; ACK; Data Flows Server to Client
NAT: Translate Embedded Address—Reserve Source Port, IF PAT Is to Be Used
[Diagram: “Inside” Network on the left, “Outside” Network on the right, the NAT router between them]
FTP—Passive
• Client initiates data connections
• Server tells the client on which port to send to
the client
TCP Connection 1: Control Connection (client → server through the NAT): SYN; SYN and ACK; ACK; PASV (Passive); ENT PASV (the server's Entering Passive Mode reply)
TCP Connection 2: Passive Mode: Data (client → server): SYN; SYN and ACK; ACK; Data Flows Server to Client
NAT: Translate Embedded Address
[Diagram: “Inside” Network on the left, “Outside” Network on the right, the NAT router between them]
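The two FTP slides describe the fix-up the router must perform on the control connection: rewrite the h1,h2,h3,h4,p1,p2 address embedded in a PORT command (and reserve the port when PAT is in use) so that the server's data connection can be mapped back, and rewrite the address in a PASV reply when the server itself sits behind the translation. The Python below is an added example, not Cisco code and not a complete ALG; the class and function names are hypothetical and the addresses are taken from the slides (client 10.1.1.10 behind inside global 209.165.201.10, static server 10.1.1.1 ↔ 209.165.201.5).

```python
import re

# FTP encodes an address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(host, port):
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Hypothetical FTP fix-up for an inside client behind inside-source NAT or NAPT."""

    def __init__(self, inside_global, overload):
        self.ig = inside_global
        self.overload = overload      # True = PAT: the client's port must be remapped too
        self.next_port = 1024
        self.reserved = {}            # (IG, global port) -> (IL, local port)

    def rewrite_port_command(self, line):
        """Active mode: rewrite the client's embedded IL:port to IG:port and reserve
        the global port so the server-initiated data SYN can be translated back."""
        m = PORT_RE.match(line)
        if not m:
            return line, None         # not a PORT command: pass through untouched
        il, lport = decode_hostport(m.groups())
        gport = lport                 # plain NAT: one-to-one, the port is unchanged
        if self.overload:
            gport = self.next_port    # PAT: reserve a free port on the shared address
            self.next_port += 1
        self.reserved[(self.ig, gport)] = (il, lport)
        return f"PORT {encode_hostport(self.ig, gport)}\r\n", (self.ig, gport)

    def inbound_data_connection(self, dst_ip, dst_port):
        """Server-initiated data SYN arriving on the outside interface: where does it go?"""
        return self.reserved.get((dst_ip, dst_port))


def rewrite_pasv_reply(line, inside_local, inside_global):
    """Passive mode with the FTP server inside (static NAT): the server's 227 reply
    embeds its inside-local address, which must read as the inside-global one."""
    m = PASV_RE.match(line)
    if not m:
        return line
    host, port = decode_hostport(m.groups())
    if host != inside_local:
        return line
    return line.replace(encode_hostport(host, port), encode_hostport(inside_global, port))


if __name__ == "__main__":
    alg = FtpAlg("209.165.201.10", overload=True)
    rewritten, mapping = alg.rewrite_port_command("PORT 10,1,1,10,8,1\r\n")
    print(rewritten.strip(), mapping, alg.inbound_data_connection(*mapping))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,1,1,1,19,136)\r\n",
                             "10.1.1.1", "209.165.201.5").strip())
```

Two practical consequences follow from this. The rewritten command is usually a different length than the original (here "10,1,1,10,8,1" becomes "209,165,201,10,4,0"), so a real fix-up also has to adjust the TCP sequence and acknowledgement numbers of the control connection from that point on; and the router can only do any of this on connections it knows are FTP, which is what the `ip nat service list 1 ftp tcp port 6000` command on the next slide is for when the server does not listen on port 21.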
router(config)# access-list 1 permit host 172.16.1.1
router(config)# ip nat service list 1 ftp tcp port 6000
Non-Standard FTP Ports
• Server (172.16.1.1) is listening
on port 6000
NetMeeting ILS Support
• LDAP registration will be modified to match the
global address of client A; i.e. 209.165.201.5
• Available starting in 12.1.5T IOS
router(config)# ip nat inside source static 10.1.1.1 209.165.201.5
[Diagram: Client A (10.1.1.1) behind the NAT router; the NetMeeting ILS Server and Client B are on the Internet]
PPTP over NAPT
• PPTP—RFC2637
• NAPT (PAT) capability within IOS 12.1.5T
• Works if the termination point is an IOS
router capable of terminating a PPTP
session or a Microsoft PPTP server; does
not support PIX or VPN3000 terminations
• Cannot use Microsoft Point-To-Point
Encryption (MPPE)—RFC3078
PPTP 101
Point-to-Point Tunneling Protocol (PPTP): Protocol 47: Data; Protocol 6 (TCP) Port 1723: Authentication
[Diagram: Original Packet = IP HDR + Data (Layer 5-7); Encapsulation within GRE without MPPE = New IP HDR + Tunnel ID (Layer 4) + IP HDR + Data]
This Unique Number (the Tunnel ID) Is What Gives the Router the Ability to Determine What Flow Goes to What System When Being NAPT
PPTP over NAPT—Configuration
router(config)# access-list 1 permit 10.1.1.0 0.0.0.255
router(config)# ip nat inside source list 1 interface ethernet1 overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config)# interface ethernet 1
router(config-if)# ip nat outside
[Diagram: hosts .10 and .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Ethernet 1 toward the network and the PPTP Server]
PPTP over NAPT—Translation Table
router#show ip nat translation
Pro Inside global        Inside local        Outside local        Outside global
tcp 10.32.1.20:11012     10.1.1.10:11012     10.32.80.85:1723     10.32.80.85:1723
tcp 10.32.1.20:11011     10.1.1.20:11011     10.32.80.85:1723     10.32.80.85:1723
gre 10.32.1.20:0         10.1.1.10:1         10.32.80.85:1        10.32.80.85:1
gre 10.32.1.20:16384     10.1.1.20:16384     10.32.80.85:16384    10.32.80.85:16384
gre 10.32.1.20:1         10.1.1.10:1         10.32.80.85:1        10.32.80.85:1
gre 10.32.1.20:2         10.1.1.20:2         10.32.80.85:2        10.32.80.85:2
[Diagram: hosts .10 and .20 on 10.1.1.0/24 attached to Ethernet 0 of the NAT router; Ethernet 1 toward the network and the PPTP Server]
PPTP over NAPT—Translation Table Correlation
pptpserver#show vpdn
% No active L2TP tunnels
% No active L2F tunnels
PPTP Tunnel and Session Information Total tunnels 2 sessions 2
LocID Remote Name State  Remote Address Port Sessions
7     10.32.1.20  estabd 10.32.88.85    1372 1
LocID RemID TunID Intf Username State  Last Chg
7     0     7     Vi1  cisco1   estabd 00:01:56
LocID Remote Name State  Remote Address Port Sessions
8                 estabd 10.32.88.85    1355 1
LocID RemID TunID Intf Username State  Last Chg
8     16384 8     Vi2  cisco2   estabd 00:01:26
router#show ip nat translation pptp
Pro Inside global        Inside local        Outside local        Outside global
gre 10.32.1.20:0         10.1.1.10:1         10.32.80.85:1        10.32.80.85:1
gre 10.32.1.20:16384     10.1.1.20:16384     10.32.80.85:16384    10.32.80.85:16384
gre 10.32.1.20:7         10.1.1.10:7         10.32.80.85:7        10.32.80.85:7
gre 10.32.1.20:8         10.1.1.20:8         10.32.80.85:8        10.32.80.85:8
Agenda—Future
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
Stateful NAT
• Projected to be in the 12.2.4T code
• Platform independent
• Supports many peers
• Works in a HSRP environment for true
fault tolerance
Without SNAT—the Problem
[Diagram: host 10.1.1.3 on the network behind two NAT routers, R1-NAT and R2-NAT, toward the outside host 192.168.1.3; steps 1 to 3 follow the outbound flow through R1 and the return flow through R2]
R1 NAT Translation Table
IL        IG          OL           OG
10.1.1.3  172.16.1.3  192.168.1.3  192.168.1.3
R2 NAT Translation Table
IL        IG          OL           OG
(no entry for 10.1.1.3)
With SNAT—The Solution
[Diagram: host 10.1.1.3 on the network behind R1-NAT and R2-NAT toward the outside host 192.168.1.3; steps 1 to 5, with 1* and 2* marking the translation-state exchange between the two peers]
R1 NAT Translation Table
IL        IG          OL           OG
10.1.1.3  172.16.1.3  192.168.1.3  192.168.1.3
R2 NAT Translation Table
IL        IG          OL           OG
10.1.1.3  172.16.1.3  192.168.1.3  192.168.1.3
With SNAT—the Commands
R1(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R1(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 1 pool P1 ID 11
R1(config)# ip nat distributed ID 101
R1(config-nat)# stateful 10.1.1.1
R1(config-nat)# peer 10.1.1.2
R1(config-nat)# mapping ID 11
[Diagram: host 10.1.1.3 on 10.1.1.0/24 behind R1-NAT (.1) and R2-NAT (.2) toward the network]
With SNAT—the Commands
R2(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)# ip nat pool P2 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R2(config)# ip nat inside source list 1 pool P2 ID 22
R2(config)# ip nat distributed ID 202
R2(config-nat)# stateful 10.1.1.2
R2(config-nat)# peer 10.1.1.1
R2(config-nat)# mapping ID 22
[Figure: host 10.1.1.3 on 10.1.1.0/24; R1-NAT is .1 and R2-NAT is .2 on that subnet, both facing the network.]
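As an added illustration of the "Without SNAT" and "With SNAT" slides (this is a toy Python model, not Cisco IOS code and not from the presentation), two NAT routers keep translation tables that either stay independent or are replicated to a peer. It assumes 10.1.1.3 is the inside local address, the inside global address comes from the 172.16.1.x pool, and 192.168.1.3 is the outside host; that reading of the figure's columns is an assumption.

```python
"""Toy model of the 'Without SNAT' problem and the 'With SNAT' fix.

Added example, not Cisco IOS code.  Assumed addresses (read from the slides):
inside local 10.1.1.3, inside global from the 172.16.1.x pool, outside host
192.168.1.3.  Rows use the slide's column order: IL, IG, OL, OG.
"""
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    name: str
    pool: list                 # free inside-global addresses (constructed)
    stateful: bool = False     # SNAT on/off
    peer: "NatRouter | None" = None
    table: dict = field(default_factory=dict)   # IL -> (IL, IG, OL, OG)

    def outbound(self, il, og):
        """Inside -> outside: create the translation, replicate it if SNAT."""
        if il not in self.table:
            ig = self.pool.pop(0)
            self.table[il] = (il, ig, og, og)   # no outside translation: OL == OG
            if self.stateful and self.peer is not None:
                self.peer.learn(self.table[il])   # the '1*' step on the slide
        return (self.table[il][1], og)           # packet now carries IG -> OG

    def learn(self, row):
        """Install a row replicated by the stateful peer."""
        self.table[row[0]] = row
        if row[1] in self.pool:
            self.pool.remove(row[1])   # keep both peers from reusing the IG

    def inbound(self, src, dst):
        """Outside -> inside: needs a row whose IG matches dst, else dropped."""
        for il, ig, _ol, _og in self.table.values():
            if ig == dst:
                return (src, il)
        return None


def failover(stateful):
    """10.1.1.3 goes out through R1; the reply returns through R2."""
    r1 = NatRouter("R1-NAT", ["172.16.1.3", "172.16.1.4"], stateful)
    r2 = NatRouter("R2-NAT", ["172.16.1.3", "172.16.1.4"], stateful)
    r1.peer, r2.peer = r2, r1
    ig, og = r1.outbound("10.1.1.3", "192.168.1.3")
    return r2.inbound(og, ig)   # None without SNAT, (OG, IL) with SNAT
```

`failover(False)` returns None because R2 never learned the row; `failover(True)` returns the reply translated back to 10.1.1.3.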
NAT—PT
[Figure: an IPv6 host 2001:0420:1987:0:2E0:B0FF:FE6A:412C and an IPv4 host 172.16.1.1 connected through a NAT-PT device.]
Why NAT-PT
• As in V4, NAT was a solution for the shortage of IP addresses; it will help ease the migration into V6 by allowing V4 and V6 coexistence while being transparent to the end user
• To allow communication between an IPv4-only host and an IPv6-only host
• Described in RFC 2766
How NAT-PT Works
• PREFIX is a 96-bit field that allows routing back to the NAT-PT device
• The remaining low-order 32 bits of the IPv6 address will be the IPv4 address of the sender
[Figure: IPv6 host 2001:0420:1987:0:2E0:B0FF:FE6A:412C and IPv4 host 172.16.1.1, labelled A and B, connected through a NAT-PT device.]
How NAT-PT Works—Configuration
router(config)# ipv6 access-list natpool any any
router(config)# ipv6 nat v6v4 pool natme 172.17.1.1 172.17.1.254
router(config)# ipv6 nat v6v4 list natpool pool natme
router(config)# interface serial 0
router(config-if)# ipv6 nat enable
router(config-if)# ipv6 nat prefix PREFIX
[Figure: IPv6 host 2001:0420:1987:0:2E0:B0FF:FE6A:412C and IPv4 host 172.16.1.1, labelled A and B, connected through the NAT-PT device on interface S0.]
How NAT-PT Works—Packet Flow
[Figure: IPv6 host 2001:0420:1987:0:2E0:B0FF:FE6A:412C and IPv4 host 172.16.1.1, labelled A and B, with the NAT-PT device between them.]
1. IPv6 host to NAT-PT: Src: 2001:0420:1987:0:2E0:B0FF:FE6A:412C, Dst: PREFIX::172.16.1.1
2. NAT-PT to IPv4 host: Src: 172.17.1.1, Dst: 172.16.1.1
3. IPv4 host to NAT-PT: Src: 172.16.1.1, Dst: 172.17.1.1
4. NAT-PT to IPv6 host: Src: PREFIX::172.16.1.1, Dst: 2001:0420:1987:0:2E0:B0FF:FE6A:412C
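The PREFIX embedding from "How NAT-PT Works" and the four-step packet flow above, as an added Python example (not Cisco IOS code and not from the slides). The slides never give PREFIX a value, so 2001:db8:ffff::/96 (a documentation prefix) is assumed here; the pool address 172.17.1.1 and the two hosts come from the configuration and packet-flow slides.

```python
"""NAT-PT address embedding and the four-step packet flow from the slides.

Added example, not Cisco IOS code.  PREFIX is an assumption (2001:db8:ffff::/96,
a documentation prefix); the v6v4 pool address 172.17.1.1 is from the slides.
"""
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")   # 96-bit routing prefix (assumed)
V6_HOST = ipaddress.IPv6Address("2001:0420:1987:0:2E0:B0FF:FE6A:412C")
V4_HOST = ipaddress.IPv4Address("172.16.1.1")


def embed(v4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """PREFIX::<IPv4>: high 96 bits route back to NAT-PT, low 32 bits carry v4."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) | int(v4))


def extract(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Recover the IPv4 address from the low-order 32 bits of a PREFIX address."""
    if v6 not in PREFIX:
        raise ValueError(f"{v6} is not inside the NAT-PT prefix")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


class NatPT:
    """Rewrites headers v6->v4 (steps 1->2) and v4->v6 (steps 3->4)."""

    def __init__(self, pool):
        self.pool = [ipaddress.IPv4Address(a) for a in pool]   # v6v4 pool
        self.bindings = {}   # dynamic bindings: IPv6 source -> pool address

    def v6_to_v4_packet(self, src, dst):
        """Step 1 -> 2: bind the v6 source to a pool address, unwrap the dst."""
        src6, dst6 = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if src6 not in self.bindings:
            self.bindings[src6] = self.pool.pop(0)
        return (str(self.bindings[src6]), str(extract(dst6)))

    def v4_to_v6_packet(self, src, dst):
        """Step 3 -> 4: wrap the v4 source in PREFIX, look up the bound v6 host."""
        src4, dst4 = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for v6, v4 in self.bindings.items():
            if v4 == dst4:
                return (str(embed(src4)), str(v6))
        raise LookupError(f"no NAT-PT binding for {dst4}")
```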
Useful URLs
• IOS NAT FAQ: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm
• IOS NAT “order of operation”: http://www.cisco.com/warp/public/556/5.html
• IOS NAT configuration: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid1056050
Summary
• NAT/NAPT (PAT-overload) → one-to-one/many-to-one address mappings
• Will modify “A” and “PTR” DNS records if a translation exists and matches the response
• Will modify embedded IP address information if the NAT code knows how
• Is flexible by utilizing route-maps and access-lists to determine what traffic needs to be translated
Remember the Golden Rule
“Network Address Translations will occur only if: the packet travels from an IP NAT inside to an IP NAT outside interface and the access-list permits it.”
Agenda—Q/A
• Terminology Rehash from Session IPS-120
• Requirements (Hardware/Software)
• Network Examples
• Application Examples
• Future of Network Address Translation
• Question/Answers
Please Complete Your Evaluation Form
Session IPS-220