Expanding ISP and Enterprise Connectivity with Cisco IOS NAT

Transcription

1 1 Expanding ISP and Enterprise Connectivity with Cisco IOS Session 2 Presentation_ID.scr 1

2 Agenda Benefits Definition Availability Terminology s of Translations Overlapping Networks Example 3 Motivation for Market consolidation Mergers Acquisitions ISP changes IP address management RFC 1918 usage IP address conservation Network privacy 4 Presentation_ID.scr 2

3 Cisco IOS Benefits Enables a privately addressed network to access registered networks, such as the Internet, without requiring registered IP addresses on end hosts Enables connectivity between networks with overlapping addresses Eliminates the need for host renumbering when changing ISPs or addressing schemes Reduces time and costs associated with IP address management tasks PAT conserves registered IP addresses Enhances network privacy since real addresses are hidden 5 What Is? First described in RFC 1631 Technique of rewriting IP addresses in headers and application data streams according to a defined policy Based on traffic source and/or destination IP address Cisco IOS is superset of that described in RFC Presentation_ID.scr 3

4 Availability and Platform Support Introduced in Cisco IOS software release 11.2(1) Available in 11.2, 11.2P, 11.3, 11.3T, 12.0, 12.0T Supported on the following router platforms: Cisco 800 Series Cisco 1000 Series Cisco 1600 Series Cisco 1700 Series Cisco 2500 Series Cisco 2600 Series Cisco 3600 Series Cisco MC3810 Cisco 4x00 Series Cisco AS5x00 Series Cisco RSP/RSP7000 Cisco 7200 Series Cisco ubr7246 Cisco 7500 Series Cisco RSM Not supported on Cisco 7000 series (unless in RSP7000) 7 Terminology Local () The IP address assigned to a host on the inside network, this address may be globally unique, allocated out of the private address space defined in RFC 1918, or may be officially allocated to some other organization Global () The IP address of an inside host as it appears to the outside world, these addresses can also be allocated out of the private address space defined in RFC 1918, or may be officially allocated to some other organization, or allocated from a globally-unique address space, typically provided by the ISP (if the enterprise is connected to the global internet) 8 Presentation_ID.scr 4

5 Terminology (Cont.) Local () The IP address of an outside host as it appears to the inside network, these addresses can be allocated from the RFC 1918 space if desired Global () The IP address assigned to a host on the outside network 9 s of Translations Static Statically configured one-to-one mapping between inside local and global addresses Dynamic Dynamic mapping between the inside local and global addresses Translations are created when needed 10 Presentation_ID.scr 5

6 s of Translations (Cont.) Simple Network Address Translation () Maps one IP address to another One-to-one translation Works bi-directionally Port Address Translation (PAT) Maps one IP address and port pair to another Unique port numbers identify translations on single IP address One-to-N translation Conserves registered IP addresses Works uni-directionally Also called Extended Network Address Translation 11 Which Addresses Can Be Translated with? source addresses source addresses 12 Presentation_ID.scr 6

7 Source Address Translation Network Network SA SA Internet/Intranet SA = Source Address Local IP Address Table Global IP Address All internal hosts use different registered IP addresses as seen from the outside network 13 Source AddressTranslation Network Network SA SA Internet/Intranet SA = Source Address Local IP Address Table Global IP Address Enables one to use internal address which overlap with external addresses Equivalent to outside destination translation for inside to outside traffic 14 Presentation_ID.scr 7

8 Port Address Translation (PAT) Network Network SA SA Internet/Intranet SA = Source Address Local IP Address Table Global IP Address : :5002 Port-multiplexed inside source translation All internal hosts use different registered IP addresses as seen from the outside network 15 Cisco IOS Traffic Support Traffic s/applications Supported Any TCP/UDP Traffic that Does Not Carry Source and/or Addresses in the Application Data Stream HTTP TFTP Telnet Archie Finger NTP rlogin, rsh, rcp NFS Although the Following Traffic s Carry IP Addresses in the Application Data Stream, they Are Supported by Cisco IOS : ICMP SMTP FTP (Including PORT and PASV Commands) NetBIOS over TCP/IP (Datagram, Name, and Session Services) Progressive Networks RealAudio White Pines CuSeeMe "A" and "PTR" Queries Xing Technologies StreamWorks H.323/NetMeeting 12.0(1)/12.0(1)T VDive 11.3(4)/11.3(4)T Vxtreme 11.3(4)/11.3(4)T IP Multicast 12.0(1)T Source Translation Only Traffic s/applications Supported BOOTP Talk, Ntalk NetShow Routing Table Updates Zone Transfers SNMP 16 Presentation_ID.scr 8

9 Overlapping Networks Example 10/8 () 10/8 () () () bar.com Domain foo.com Domain Global Address Pool /24 () Local Address Pool /24 () Use both Source and Source Translations 17 Assumptions, a server authoritative for the bar.com domain exists on the internal network, a server authoritative for the foo.com domain exists on the outside network Both servers handle queries recursively Clients in the internal network use the server as their default server Clients in the outside network use the server as their default server 18 Presentation_ID.scr 9

10 Assumptions (Cont.) The server is a forwarder to the server* The server has root connectivity The internal network administrator wants all internal hosts accessible to both internal and outside hosts via The outside network administrator wants all outside hosts accessible to both internal and outside hosts via * Not Strictly Necessary; One could Configure to Utilize the Root Servers, Using Addresses 19 Assumptions (Cont.) The remote office or subsidiary ( inside network) is either using addresses from the RFC 1918 space, or is using addresses in use by some other organization, as a result, no inside local addresses can ever be advertised to the outside network Overlapping addresses exist among the inside and outside networks, addresses in the bar.com and foo.com domains are not unique 20 Presentation_ID.scr 10

11 Assumptions (Cont.) It is neither permissible nor desirable to advertise and cache outside global addresses within the inside network, outside global addresses may not be advertised to the inside network Seamless connectivity is required between the inside and outside networks without the use of static translations for each host on each network 21 Bi-Directional Address Translation Rules Dynamically translate all internally originated traffic with 10/8 () source addresses to /24 () pool Dynamically translate all externally originated traffic source addresses () to /24 () pool 22 Presentation_ID.scr 11

12 Configuration ip nat inside source static ! Static translation for server ip nat outside source static ! Static translation for server ip nat pool iga netmask ! Dynamic -> address xlations ip nat pool ola netmask ! Dynamic -> address xlations ip nat inside source list 1 pool iga ip nat outside source list 2 pool ola access-list 1 permit ! Translate all traffic from 10/8 internal hosts access-list 2 permit any! Translate all externally originated traffic! interface <inside> ip address <ip-address> <net-mask> ip nat inside! interface <outside> ip address <ip-address> <net-mask> ip nat outside! ip route <outside interface>! Default route from in to out 23 Initial Table Original Address (OA) Translated Address (TA) Static, Bindings 24 Presentation_ID.scr 12

13 Internal Configuration In s.boot file: primary bar.com db.bar primary 10.in-addr.arpa db.10 primary in-addr.arpa. db forwarders options forward-only ; Slave mode on In (bar.com primary server) db.bar file: IN SOA. hostmaster.. ( 2 : Serial number : Refresh every 6 hours 900 : Retry every 15 minutes : Expire every 90 days : Minimum TTL of 1 day) ; ; Name Servers bar.com. IN NS. ; ; Addresses. IN A ; Local address;. IN A ; Local address 25 Configuration In s.boot file: primary foo.com db.foo primary 10.in-addr.arpa db.10 primary in-addr-arpa db In (foo.com primary server) db.foo file: IN SOA. hostmaster.. ( 2 : Serial number : Refresh every 6 hours 900 : Retry every 15 minutes : Expire every 90 days : Minimum TTL of 1 day) ; ; Name Servers foo.com. IN NS. ; ; Addresses. IN A ; Global address ;. IN A ; Global address 26 Presentation_ID.scr 13

14 Two-Phase Connectivity Initial query to resolve hostname -to-host packet flow Occurs bi-directionally Internally initiated Externally initiated 27 Internally Originated Query for External 10/8 () 10/8 () () () Presentation_ID.scr 14

15 10/8 () 10/8 () () Query: Step 1 () /8 () 10/8 () () Query: Step 2 () Presentation_ID.scr 15

16 10/8 () 10/8 () () Query: Step 3 () /8 () 10/8 () () Query: Step 4 () Presentation_ID.scr 16

17 Response Payload Translation Between steps 4 and 5, the address returned in the A RR response for is dynamically translated to an address from the pool, here we assume the address /8 () 10/8 () () Query: Step 5 () Presentation_ID.scr 17

18 10/8 () 10/8 () () Query: Step 6 () 6 35 Query Summary () () Step * 6 Source Address Global Address Pool /24 () Destination Address Local Address Pool /24 () *Between Steps 4 and 5, the Address Returned in the A RR Response for Is Dynamically Translated to an Address from the Pool; Here We Assume the Address Presentation_ID.scr 18

19 Resolution Result identifies s IP address as () Remember, s real address is 37 Table After Resolution Original Address (OA) Translated Address (TA) Static, Bindings Dynamic, 38 Presentation_ID.scr 19

20 10/8 () 10/8 () () Packet Flow () /8 () 10/8 () () Packet Flow: Step 1 () Presentation_ID.scr 20

21 Packet Translation Because no entry for exists in the table for at step 1, a dynamic translation to an address from the pool is created; here we assume the address is () 41 10/8 () 10/8 () () Packet Flow: Step 2 () Presentation_ID.scr 21

22 10/8 () 10/8 () () Packet Flow: Step 3 () /8 () 10/8 () () Packet Flow: Step 4 () Presentation_ID.scr 22

23 Packet Flow Summary () () Step Source Address * Destination Address * *Because no Entry for Address Exists in the Table for at Step 1, a Dynamic Translation to an Address from the Pool Is Created; Here we Assume the Address Is () 45 Table After Packet Flow Original Address (OA) Translated Address (TA) Static, Bindings Dynamic, Dynamic, 46 Presentation_ID.scr 23

24 Internally Originated PTR Query for External Similar process as for ARRs translates IP addresses in headers and in PTR QNAME field 47 Internally Originated Query for Internal 10/8 () 10/8 () () () Presentation_ID.scr 24

25 10/8 () 10/8 () () Query: Step 1 () /8 () 10/8 () () Query: Step 2 () Presentation_ID.scr 25

26 10/8 () 10/8 () () Query: Step 3 () /8 () 10/8 () () Query: Step 4 () Presentation_ID.scr 26

27 Response Payload Translation Between steps 4 and 5, the address returned in the A RR response for is dynamically translated to an address from the pool, here we assume the address /8 () 10/8 () () Query: Step 5 () Presentation_ID.scr 27

28 10/8 () 10/8 () () Query: Step 6 () 6 55 Query Summary () () Step * 6 Source Address * Global Address Pool /24 () Destination Address * Local Address Pool /24 () *Between Steps 4 and 5, the Address Returned in the A RR Response for Is Dynamically Translated to an Address from the Pool; Here We Assume the Address Presentation_ID.scr 28

29 Resolution Result identifies s IP address as () Remember, s real IP address is 57 Table After Resolution Original Address (OA) Translated Address (TA) Static, Bindings Dynamic, 58 Presentation_ID.scr 29

30 10/8 () 10/8 () () Packet Flow () /8 () 10/8 () () Packet Flow: Step 1 () Presentation_ID.scr 30

31 Packet Translation Because no entry for address exists in the table for at step 1, a dynamic translation to an address from the pool is created; here we assume the address is () 61 10/8 () 10/8 () () Packet Flow: Step 2 () Presentation_ID.scr 31

32 10/8 () 10/8 () () Packet Flow: Step 3 () /8 () 10/8 () () Packet Flow: Step 4 () Presentation_ID.scr 32

33 Packet Flow Summary () () Step Source Address * Destination Address * *Because No Entry for Address Exists in the Table for at Step 1, a Dynamic Translation to an Address from the Pool Is Created; Here We Assume the Address Is () 65 Table After Packet Flow Original Address (OA) Translated Address (TA) Static, Bindings Dynamic, Dynamic, 66 Presentation_ID.scr 33

34 Externally Originated PTR Query for Internal Similar process as for A RRs translates IP addresses in headers and in PTR QNAME field 67 Summary provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes eliminates costs associated with host renumbering conserves IP addresses eases IP address management enhances network privacy 68 Presentation_ID.scr 34

35 Questions? 69 Please Complete Your Evaluation Form Session 70 Presentation_ID.scr 35

36 71 Presentation_ID.scr 36