ICND2 NAT


Transcript of ICND2 NAT

8/8/2019 ICND2 NAT

ICND2
NAT: Network Address Translation

Rudy Drew
rudydrew@rmit.edu.au

Slide 2

Private addressing

These addresses will not be allowed into the public internet.

Slide 3

NAT

NAT is the process of swapping one address for another in the IP packet header, e.g. 10.0.0.3 becomes 179.9.8.80, i.e. the source address of the packet is changed by RTA.

Slide 4

NAT is designed to conserve IP addresses and enable networks to use private IP addresses on internal networks. These private, internal addresses are translated to routable, public addresses.

Slide 5

NAT: Inside local address

Inside local address: the IP address assigned to a host on the inside network. This address is likely to be a private address. Local means that a local person is looking at the address. Inside means that the packet is coming from a host that is inside your network.

Slide 6

NAT Example

Inside global address: a legitimate (Internet routable or public) IP address assigned by the service provider that represents one or more inside local IP addresses to the outside world.

Slide 7

NAT Example

Inside global address: global means that a person from the public is looking at the address. Inside means that the packet is coming from a host inside your network.

Slide 8

NAT Example

Outside global address: the IP address of an outside host as it is known to the hosts on the inside network.

Slide 9

NAT Example

Outside local address: usually the same as the outside global address, but it will be different if the server also has a private address that has been translated.

Slide 10

NAT Example

Slide 11

NAT Example

Slide 12

NAT Example

Slide 13

PAT: Port Address Translation

PAT (Port Address Translation) allows you to use a single public IP address and assign it to up to about 4000 inside hosts.

Slide 14

PAT: Port Address Translation

PAT stores the TCP/UDP source port to track inside host addresses. Note that different vendors do this in different ways. Usually a Cisco router tracks the source port but doesn't change its value. With PAT, multiple private IP addresses can be translated by a single public address (many-to-one translation).

This solves the limitation of NAT, which is one-to-one translation.

Slide 15

Configuring Static NAT

If you have enough public addresses, you may statically translate some of them for servers.

Slide 16

If you have enough public addresses, you may statically translate some of them for servers. Static NAT is used when special hosts (e.g. a web server) need to always translate to the same inside global address.

Slide 17

Configuring Static NAT

ip nat inside source static 10.1.1.2 192.168.1.2

(config-if)# ip nat inside    (on fa0/0)
(config-if)# ip nat outside   (on S0/0)

Slide 18

Dynamic NAT

1. Create a pool
2. Write an access list to select the inside addresses that may use the pool
3. Connect the pool with the inside hosts and the access list
4. Turn on NAT on the interfaces

Slide 19

ip nat pool nat-pool1 179.9.8.80 179.9.8.85 netmask 255.255.255.0

Creates a dynamic pool of addresses. The name of this pool is nat-pool1. 6 addresses may be allocated, starting at 179.9.8.80.

Slide 20

access-list 1 permit 10.1.0.0 0.0.0.255

This access list defines the inside local addresses that are permitted to be translated and use the dynamic NAT pool.

Slide 21

ip nat inside source list 1 pool nat-pool1

This command points to an access list to define the addresses that are permitted to be translated and use the dynamic NAT pool.

Slide 22

ip nat inside source list 1 pool nat-pool1 overload

Adding the word overload changes NAT to PAT (Port Address Translation).

Slide 23

PAT uses port numbers to decide which local host to send the return data to.

Slide 24

Configure PAT Overload

ip nat inside source list 1 interface serial 0 overload

Each inside local address is translated to the router's S0 address.
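The following Python model is an added example, not code from the slides or from Cisco; it ties together the commands of slides 17 to 24 by simulating what the router's translation table does with them. The static entry (10.1.1.2 to 192.168.1.2), access-list 1 with its wildcard mask, the six-address pool nat-pool1 and the overload keyword are taken from the slides. Everything else is an assumption of the model: that overload shares only the first pool address, that a colliding source port is replaced by the next free port starting at 1024, and the sample hosts 10.1.0.1 to 10.1.0.7 and 10.2.0.1.

```python
import ipaddress


def acl_permits(addr, network, wildcard):
    """Cisco wildcard-mask match: a 0 bit in the mask must equal the network bit,
    a 1 bit is 'don't care' (access-list 1 permit 10.1.0.0 0.0.0.255)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class NatTable:
    """Simplified model of one router's NAT/PAT translation table."""

    def __init__(self, pool, acl, static=None, overload=False):
        self.free = list(pool)            # inside global addresses not yet handed out
        self.acl = acl                    # (network, wildcard) of 'source list 1'
        self.static = dict(static or {})  # inside local -> inside global, fixed
        self.overload = overload          # models the 'overload' keyword (PAT)
        self.dynamic = {}                 # inside local -> inside global, one-to-one
        self.pat = {}                     # (inside global, port) -> (inside local, port)
        self.next_port = 1024             # assumption: first port tried on a collision

    def translate(self, local_ip, local_port):
        """Outbound packet: the (inside global, port) written into the header,
        or None when the packet cannot be translated."""
        if local_ip in self.static:
            return self.static[local_ip], local_port
        if not acl_permits(local_ip, *self.acl):
            return None                   # not in the access list: left untranslated
        if self.overload:
            return self._pat_translate(local_ip, local_port)
        if local_ip not in self.dynamic:
            if not self.free:
                return None               # pool exhausted: one-to-one NAT has nothing left
            self.dynamic[local_ip] = self.free.pop(0)
        return self.dynamic[local_ip], local_port

    def _pat_translate(self, local_ip, local_port):
        global_ip = self.free[0]          # assumption: one shared public address
        for key, value in self.pat.items():
            if value == (local_ip, local_port):
                return key                # existing flow keeps its entry
        key = (global_ip, local_port)     # keep the source port if nobody else holds it
        if key in self.pat:               # another inside host uses it: pick a new port
            while (global_ip, self.next_port) in self.pat:
                self.next_port += 1
            key = (global_ip, self.next_port)
            self.next_port += 1
        self.pat[key] = (local_ip, local_port)
        return key

    def untranslate(self, global_ip, global_port):
        """Return packet: the inside local host the data belongs to, or None."""
        for local_ip, g in self.static.items():
            if g == global_ip:
                return local_ip, global_port
        if self.overload:                 # PAT: the port decides (slide 23)
            return self.pat.get((global_ip, global_port))
        for local_ip, g in self.dynamic.items():
            if g == global_ip:
                return local_ip, global_port
        return None


POOL = [f"179.9.8.{i}" for i in range(80, 86)]  # ip nat pool nat-pool1 179.9.8.80 179.9.8.85
ACL_1 = ("10.1.0.0", "0.0.0.255")                # access-list 1 permit 10.1.0.0 0.0.0.255
STATIC = {"10.1.1.2": "192.168.1.2"}             # ip nat inside source static 10.1.1.2 192.168.1.2


def dynamic_nat_demo():
    """'ip nat inside source list 1 pool nat-pool1': one-to-one, the 7th host gets nothing."""
    nat = NatTable(POOL, ACL_1, STATIC)
    return nat, [nat.translate(f"10.1.0.{h}", 40000) for h in range(1, 8)]


def pat_demo():
    """'... pool nat-pool1 overload': hosts share 179.9.8.80, ports keep them apart."""
    nat = NatTable(POOL, ACL_1, STATIC, overload=True)
    a = nat.translate("10.1.0.1", 5000)
    b = nat.translate("10.1.0.2", 5000)  # same source port: needs a different global port
    c = nat.translate("10.1.0.3", 6000)
    return nat, [a, b, c]


if __name__ == "__main__":
    nat, results = dynamic_nat_demo()
    for h, r in enumerate(results, 1):
        print(f"10.1.0.{h}:40000 -> {r}")
    nat, flows = pat_demo()
    for f in flows:
        print(f"return to {f} -> {nat.untranslate(*f)}")
```

Running it shows the two limits the slides describe: with plain dynamic NAT the seventh host gets no translation once the six pool addresses are used, and with overload the second host sending from source port 5000 is given a different global port so that return traffic can still be matched to the right inside host.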


Slide 26

sh ip nat translations

For a PAT translation, notice the different port numbers.

Slide 27

Verifying NAT/PAT

sh ip nat statistics
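To make the verification on slides 26 and 27 repeatable, here is an added Python parser for the output of sh ip nat translations (example code, not part of the slides). The sample output is constructed to match the column layout IOS prints for a router running the slides' configuration; the flows in it are made up, as is the 203.0.113.x far-end address. It reports which inside global addresses are shared by several inside hosts (that is, PAT is in effect) and flags any inside local address that neither access-list 1 nor the static entry should have allowed into the table.

```python
import ipaddress

# Constructed sample of 'sh ip nat translations' on a router using
# 'ip nat inside source list 1 pool nat-pool1 overload' plus the static entry.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 179.9.8.80:1024    10.1.0.3:1024      203.0.113.5:80     203.0.113.5:80
tcp 179.9.8.80:1025    10.1.0.4:1024      203.0.113.5:80     203.0.113.5:80
udp 179.9.8.80:53001   10.1.0.3:53001     203.0.113.9:53     203.0.113.9:53
--- 192.168.1.2        10.1.1.2           ---                ---
"""


def split_endpoint(field):
    """'ip:port' -> (ip, port); 'ip' -> (ip, None); '---' -> None."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    """Turn the show output into one dict per translation entry."""
    entries = []
    for line in text.splitlines()[1:]:        # first line is the column header
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,  # '---' marks a static entry
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def summarize(entries, inside_net="10.1.0.0/24", static_hosts=("10.1.1.2",)):
    """Which inside global addresses are shared (PAT), and whether any inside
    local address lies outside what access-list 1 and the static entry allow."""
    net = ipaddress.ip_network(inside_net)
    per_global = {}
    unexpected = []
    for e in entries:
        g_ip = e["inside_global"][0]
        l_ip = e["inside_local"][0]
        per_global.setdefault(g_ip, set()).add(l_ip)
        if ipaddress.ip_address(l_ip) not in net and l_ip not in static_hosts:
            unexpected.append(l_ip)
    return {
        "per_global": {g: sorted(v) for g, v in per_global.items()},
        "pat_addresses": sorted(g for g, v in per_global.items() if len(v) > 1),
        "unexpected_inside_local": unexpected,
    }


if __name__ == "__main__":
    report = summarize(parse_translations(SAMPLE_OUTPUT))
    for g, hosts in report["per_global"].items():
        print(f"{g} serves {len(hosts)} inside host(s): {', '.join(hosts)}")
    print("PAT in use on:", report["pat_addresses"] or "none")
    print("unexpected inside local addresses:", report["unexpected_inside_local"] or "none")
```

In the sample, 10.1.0.3 and 10.1.0.4 both send from source port 1024; the table shows 179.9.8.80:1024 and 179.9.8.80:1025, which is the "different port numbers" the slide points at. The static entry shows no protocol and no outside addresses, so it parses with None in those fields.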

Slide 28

clear ip nat translations *

The star means all entries.

Slide 29

Troubleshooting NAT/PAT

Slide 30

Issues with NAT/PAT

NAT also forces some applications that use IP addressing to stop functioning, because it hides end-to-end IP addresses. E.g. the SIP protocol used for VoIP writes IP and port information inside the data. Special methods (e.g. STUN, TURN) are used to try and make SIP work with NAT.
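As an added example (not from the slides), the Python below makes the SIP problem concrete: it scans a constructed INVITE from inside host 10.1.0.3 for addresses of the slides' 10.1.0.0/24 network that sit inside the SIP headers and SDP body. The router rewrites only the IP/UDP header to 179.9.8.80, so these embedded addresses reach the far end unchanged and tell it to send the call and the RTP audio to a private address it cannot reach. The INVITE text and the 203.0.113.5 far-end server are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE as inside host 10.1.0.3 emits it before NAT.
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.0.3:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@10.1.0.3>;tag=1928301774\r\n"
    "To: <sip:bob@203.0.113.5>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@10.1.0.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.0.3\r\n"
    "c=IN IP4 10.1.0.3\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

INSIDE_NET = ipaddress.ip_network("10.1.0.0/24")  # access-list 1 permit 10.1.0.0 0.0.0.255
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def embedded_inside_addresses(message, inside_net=INSIDE_NET):
    """Return (line label, address) for every inside-network address carried in
    the SIP headers or SDP body. NAT rewrites only the IP/UDP header, so these
    survive translation and point the far end at an unreachable private host."""
    found = []
    for line in message.splitlines():
        if len(line) > 1 and line[1] == "=":     # SDP line such as c= or o=
            label = line[:2]
        else:                                    # SIP header such as Via: or Contact:
            label = line.split(":", 1)[0]
        for addr in IPV4.findall(line):
            try:
                ip = ipaddress.IPv4Address(addr)
            except ValueError:
                continue                         # e.g. 999.1.1.1 is not an address
            if ip in inside_net:
                found.append((label, addr))
    return found


def after_nat(message, outer_src="179.9.8.80"):
    """What the far end sees once the router has rewritten the header: a public
    source address outside, the inside host's private address still in the data."""
    inside = embedded_inside_addresses(message)
    return {
        "header_source": outer_src,
        "payload_addresses": sorted({addr for _, addr in inside}),
        "broken_fields": [label for label, _ in inside],
    }


if __name__ == "__main__":
    view = after_nat(SAMPLE_INVITE)
    print("IP header source after NAT:", view["header_source"])
    print("addresses still inside the SIP/SDP data:", view["payload_addresses"])
    print("fields the far end will act on:", view["broken_fields"])
```

The Via and Contact headers steer SIP signalling replies, and the SDP c= line tells the peer where to send RTP media; each still names 10.1.0.3 after translation, which is why plain NAT/PAT breaks the call and why STUN or TURN is needed to learn and advertise the public address instead.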

Slide 31

Issues with NAT/PAT