Network Address Translation. All you want to know about

Similar documents
Network Address Translation

Network Address Translation

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

Deploying and Troubleshooting Network Address Translation

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Configuring Network Address Translation

H3C SecPath Series High-End Firewalls

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

H3C SecPath Series High-End Firewalls

Configuring NAT for IP Address Conservation

Stateful Network Address Translation 64

Cisco Network Address Translation (NAT)

Lab10: NATing. addressing conflicts, routers must never route private IP addresses.

Network Interconnection

Multihoming with BGP and NAT

IP Router. Introduction to IP Routing. Agenda. IP Routing 1

Implementing NAT-PT for IPv6

IPsec NAT Transparency

Using NAT in Overlapping Networks

Configuring attack detection and prevention 1

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation

Configuring NAT for IP Address Conservation

HP Firewalls and UTM Devices

Finding Feature Information

Interconnecting Networks with TCP/IP

ICS 451: Today's plan

Network Protocol Configuration Commands

Internet Technology 3/23/2016

Configuring attack detection and prevention 1

Chapter 7. IP Addressing Services. IP Addressing Services. Part I

Your Name: Your student ID number:

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

14-740: Fundamentals of Computer and Telecommunication Networks

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

Fundamentals of Network Security v1.1 Scope and Sequence

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

HP Load Balancing Module

Configuring NAT for IP Address Conservation

Network Address Translation Bindings

Network Security. Security of Mobile Internet Communications. Chapter 17. Network Security (WS 2002): 17 Mobile Internet Security 1 Dr.-Ing G.

Examination 2D1392 Protocols and Principles of the Internet 2G1305 Internetworking 2G1507 Kommunikationssystem, fk SOLUTIONS

Network Address Translation (NAT)

TCP /IP Fundamentals Mr. Cantu

Network Address Translation (NAT)

Cisco CCIE Security Written.

Operation Manual Security. Table of Contents

Mohammad Hossein Manshaei 1393

Internet security and privacy

Lab Configuring NAT Overload

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Mobile Communications Mobility Support in Network Layer

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

show ipv6 nat translations, on page 71

Internet Routing Protocols, DHCP, and NAT

Fundamentals of IP Networking 2017 Webinar Series Part 4 Building a Segmented IP Network Focused On Performance & Security

Network Address Translation

Cisco IOS NAT Feature Matrix

Redesde Computadores(RCOMP)

Packet Header Formats

IPsec NAT Transparency

Vorlesung Kommunikationsnetze

Different Layers Lecture 20

Table of Contents. Cisco How NAT Works

Request for Comments: Campio Communications February Network Address Translation - Protocol Translation (NAT-PT)

Networking Potpourri: Plug-n-Play, Next Gen

Lucent Technologies Expires in six months June 1999

Expanding ISP and Enterprise Connectivity with Cisco IOS NAT

Implementing Firewall Technologies

Network layer: Overview. Network layer functions IP Routing and forwarding NAT ARP IPv6 Routing

Internetworking/Internetteknik, Examination 2G1305 Date: August 18 th 2004 at 9:00 13:00 SOLUTIONS

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

Master Course Computer Networks IN2097

Network Address Translators (NATs) and NAT Traversal

Mobile Communications Chapter 9: Network Protocols/Mobile IP

Network layer: Overview. Network Layer Functions

Layering and Addressing CS551. Bill Cheng. Layer Encapsulation. OSI Model: 7 Protocol Layers.

BIG-IP CGNAT: Implementations. Version 13.0

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

IP Addressing: NAT Configuration Guide

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Network Address Translation (NAT)

IP Addressing: NAT Configuration Guide, Cisco IOS Release 12.4T

Internet Engineering Task Force (IETF) Request for Comments: 6146 Category: Standards Track. I. van Beijnum IMDEA Networks April 2011

Supporting Protocols and Technologies in TCP/IP Suites

Mobile Communications Chapter 8: Network Protocols/Mobile IP

ECE 435 Network Engineering Lecture 14

CSE 4215/5431: Mobile Communications Winter Suprakash Datta

Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal. R. Naber

CMPE 80N: Introduction to Networking and the Internet

Internetworking Part 2

internet technologies and standards

Design Considerations : Computer Networking. Outline. Challenge 1: Address Formats. Challenge. How to determine split of functionality

NAT Router Performance Evaluation

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

TCP/IP and the OSI Model

Transcription:

Network Address Translation All you want to know about (C) Herbert Haas 2005/03/11

Reasons for NAT Mitigate Internet address depletion Save global addresses (and money) Conserve internal address plan TCP load sharing Hide internal topology 2

Credits: The Creators of NAT Paul Francis Kjeld Borch Egevang 3

Terms (1) 193. 99.99.1 193. 99.99.2 193. 99.99.3 inside 193.99.99.4 outside Global addresses (NAT not necessary) 4

Terms (2) 10.1.1.1 inside outside 10.1.1.2 NAT 10.1.1.3 10.1.1.4 Local addresses 5

Terms (3) This NAT Table is maintained inside the router Inside local IP address 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4 Inside global IP address 193.99.99.1 193.99.99.2 193.99.99.3 193.99.99.4 6

Terms (4) Local versus global address Reflects realm of usage (inside or outside) Inside versus outside world Reflects origin 7

Terms Summary Inside Network Outside Network Outside Local Outside Global Inside Local NAT Inside Global Inside Local Inside Global Outside Local Outside Global 8

Basic Principle (1a) Binding is maintained by static NAT Table 10.1.1.1 10.1.1.2 NAT 193.9.9.99 Inside Local IP Inside Global IP 198.5.5.55 Simple NAT Table 10.1.1.1 193.9.9.1 10.1.1.2 193.9.9.2...... 9

Basic Principle (1b) 198.5.5.55 198.5.5.55 10.1.1.1 193.9.9.1 NAT 10.1.1.1 10.1.1.2 NAT Binding is maintained by static NAT Table 193.9.9.99 198.5.5.55 Inside Local IP Inside Global IP 10.1.1.1 193.9.9.1 Simple NAT Table 10.1.1.2 193.9.9.2...... 10

Basic Principle (1c) Binding is maintained by static NAT Table 10.1.1.1 NAT 193.9.9.1 198.5.5.55 198.5.5.55 10.1.1.1 10.1.1.2 NAT 193.9.9.99 Inside Local IP Inside Global IP 198.5.5.55 Simple NAT Table 10.1.1.1 193.9.9.1 10.1.1.2 193.9.9.2...... 11

Basic Principle (2a) Binding is maintained by static NAT Table 198.5.5.1 10.1.1.1 NAT 10.1.1.1 has global address 193.9.9.1 193.9.9.99 NAT 198.5.5.55 10.1.1.1 has global address 198.5.5.1 10.1.1.1 12

Basic Principle (2b) Binding is maintained by static NAT Table 10.1.1.1 NAT NAT 10.1.1.1 193.9.9.99 198.5.5.55 198.5.5.1 10.1.1.1 193.9.9.1 193.9.9.1 NAT 198.5.5.1 NAT 10.1.1.1 13

NAT Binding Possibilities Static ( Fixed Binding ) in case of one-to-one mapping of local to global addresses Dynamic ( Binding on the fly ) in case of sharing a pool of global addresses connections initiated by private hosts are assigned a global address from the pool as long as the private host has an outgoing connection, it can be reached by incoming packets sent to this global address after the connection is terminated (or a timeout is reached), the binding expires, and the address is returned to the pool for reuse is more complex because state must be maintained, and connections must be rejected when the pool is exhausted unlike static binding, dynamic binding enables address reuse, reducing the demand for globally unique addresses. 2005/03/11 14

Scenario Dynamic Binding 10.1.1.1 Inside Outside 193.9.9.99 10.1.1.2 10.1.1.3 Local addresses 10.1.1.4 Binding is maintained by dynamic NAT Table Note: a connection state or timer must be maintained per mapping NAT Inside Local IP address 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4 Globally unique addresses Inside Global IP address 193.99.99.1 193.99.99.2 Currently not possible Currently not possible 2005/03/11 15

NAT Tasks and Behaviour modify IP addresses according to NAT table but also must modify the IP checksum and the TCP checksum note: TCP's checksum also covers a pseudo IP header which contains the source and destination address. must also look out for ICMP and modify the places where the IP address appears there may be other places, where modifications must be done (FTP, NetBIOS over TCP/IP, SNMP, DNS, Kerberos, X-Windows, SIP, H.323, IPsec, IKE ) the packet sender and receiver (should) remain unaware that NAT is taking place NAT devices were intended to be unmanaged devices that are transparent to end-to-end protocol interaction hence no specific interaction is required between the end systems and the NAT device 2005/03/11 16

Overloading (PAT) Common problem: Many hosts inside But only one or a few inside-global addresses available Solution: Many-to-one Translation Aka "Overloading Inside Global Addresses" Aka "PAT" 17

NAPT Example (1) NAPT 65.38.12.9:80 65.38.12.9:80 10.1.1.1 10.1.1.1:1034 173.3.8.1:2137 65.38.12.9:80 65.38.12.9:80 65.38.12.9 10.1.1.2 10.1.1.2:1034 173.3.8.1:2138 Prot. TCP TCP Local 10.1.1.1:1034 10.1.1.2:1034 Global 173.3.8.1:2137 173.3.8.1:2138 Extended Translation Table 2005/03/11 18

NAPT Example (2) NAPT 10.1.1.1:1034 173.3.8.1:2137 10.1.1.1 65.38.12.9:80 65.38.12.9:80 10.1.1.2:1034 173.3.8.1:2138 65.38.12.9 10.1.1.2 65.38.12.9:80 65.38.12.9:80 Prot. TCP TCP Local 10.1.1.1:1034 10.1.1.2:1034 Global 173.3.8.1:2137 173.3.8.1:2138 Extended Translation Table 2005/03/11 19

Overloading Example (1) 65.38.12.9:80 65.38.12.9:80 10.1.1.1 10.1.1.1:1034 173.3.8.1:1034 65.38.12.9:80 PAT 65.38.12.9:80 65.38.12.9 10.1.1.2 10.1.1.2:2138 173.3.8.1:2138 Prot. Inside Local Inside Global Outside Local Outside Global TCP 10.1.1.1:1034 173.3.8.1:1034 65.38.12.9:80 65.38.12.9:80 TCP 10.1.1.2:2138 173.3.8.1:2138 65.38.12.9:80 65.38.12.9:80 Extended Translation Table 20

Overloading Example (2) 10.1.1.1:1034 173.3.8.1:1034 10.1.1.1 65.38.12.9:80 PAT 10.1.1.2:2138 65.38.12.9:80 173.3.8.1:2138 65.38.12.9 10.1.1.2 65.38.12.9:80 65.38.12.9:80 Prot. Inside Local Inside Global Outside Local Outside Global TCP 10.1.1.1:1034 173.3.8.1:1034 65.38.12.9:80 65.38.12.9:80 TCP 10.1.1.2:2138 173.3.8.1:2138 65.38.12.9:80 65.38.12.9:80 Extended Translation Table 21

Virtual Server Table Problem: How to reach an inside server from the outside NAPT/NAT let IP datagram's (with UDP or TCP segments as payload) from to outside only in if a binding is found But server waits for connections from the outside hence cannot install binding in the NAPT/NAT device Solution: Virtual Server Table Creating manually a static binding in the NAPT/NAT device to forward IP datagram's to the real inside server 2005/03/11 22

Virtual Server Table Example NAPT 10.1.1.1:25 173.3.8.1:25 10.1.1.1 65.38.12.9:1039 65.38.12.9:1039 10.1.1.2:80 173.3.8.1:80 65.38.12.9 10.1.1.2 65.38.12.9:1040 65.38.12.9:1040 Prot. TCP TCP Local 10.1.1.1:25 10.1.1.2:80 Global 173.3.8.1:25 173.3.8.1:80 Extended Translation Table 2005/03/11 23

Further Information Internet Protocol Journal www.cisco.com/ipj Issue Volume 3, Number 4 (December 2000) The Trouble with NAT Issue Volume 7, Number 3 (September 2004) Anatomy (of NAT) 2005/03/11 24

Overlapping Networks = Same addresses are used locally and globally What can happen? 25

Outside Address Translation x.x.x.x 193.9.9.2 9.3.1.8 9.3.1.2 9.3.1.2 10.0.0.8 193.9.9.2 9.3.1.8 Hidden 9.0.0.0 network Packet came from "true" 9.0.0.0 network 26

DNS Problem (1) DNS request for host "Jahoo" =5.1.2.3 / =195.44.33.11 5.1.2.3 DNS server 195.44.33.11 Hidden 5.1.2.0/24 network Legal 5.1.2.0/24 network "Jahoo" 5.1.2.10 27

DNS Problem (2) DNS request for host "Jahoo" =178.12.99.3 / =195.44.33.11 5.1.2.3 DNS server 195.44.33.11 "Jahoo" 5.1.2.10 28

DNS Problem (3) DNS reply: host "Jahoo" is 5.1.2.10 =195.44.33.11 / = 178.12.99.3 5.1.2.3 DNS server 195.44.33.11!OVERLAPPING ALERT! We cannot tell our hosts that "Jahoo" has IP address 5.1.2.10... They would think that Jahoo is inside and would try a direct delivery...!!! "Jahoo" 5.1.2.10 29

DNS Problem (4) DNS reply: host "Jahoo" is 9.9.9.9 = 195.44.33.11 / =5.1.2.3 5.1.2.3 DNS server 195.44.33.11 Nowmyhostsmust ask me where 9.9.9.9 is... "Jahoo" 5.1.2.10 30

DNS Problem (5) Message for host "Jahoo" =5.1.2.3 / =9.9.9.9 5.1.2.3 DNS server 195.44.33.11 =9.9.9.9...? Must be translated "Jahoo" 5.1.2.10 31

DNS Problem (6) 5.1.2.3 DNS server 195.44.33.11 Message for host "Jahoo" =195.44.33.11 / =5.1.2.10 "Jahoo" 5.1.2.10 NAT Table Inside Local Inside Global Outside Global Outside Local 5.1.2.3 195.44.33.11 5.1.2.10 9.9.9.9 32

TCP Load Sharing (1) Multiple servers represented by a single inside-global IP address Virtual host address New TCP session requests to the Virtual Host are forwarded to one of a group of real hosts Rotary group 33

TCP Load Sharing (2) 1.0.0.1 TCP Connection Request = 1.0.0.240 : 23 = 4.4.4.4 : 3931 1.0.0.2 4.4.4.4 1.0.0.3 5.5.5.5 1.0.0.240 6.6.6.6 34

TCP Load Sharing (3) 1.0.0.1 TCP Connection Request = 1.0.0.1 : 23 = 4.4.4.4 : 3931 1.0.0.2 4.4.4.4 1.0.0.3 5.5.5.5 1.0.0.240 Prot. TCP Inside Local Inside Global Outside Global 1.0.0.1:23 1.0.0.240:23 4.4.4.4:3931 6.6.6.6 35

TCP Load Sharing (4) 1.0.0.1 TCP Flow = 4.4.4.4 : 3931 = 1.0.0.1 : 23 1.0.0.2 4.4.4.4 1.0.0.3 5.5.5.5 1.0.0.240 Prot. TCP Inside Local Inside Global Outside Global 1.0.0.1:23 1.0.0.240:23 4.4.4.4:3931 6.6.6.6 36

TCP Load Sharing (5) 1.0.0.1 TCP Flow = 4.4.4.4 : 3931 = 1.0.0.240:23 1.0.0.2 4.4.4.4 1.0.0.3 5.5.5.5 1.0.0.240 6.6.6.6 37

TCP Load Sharing (6) 1.0.0.1 TCP Connection Request = 1.0.0.240 : 23 = 5.5.5.5 : 1297 1.0.0.2 4.4.4.4 1.0.0.3 1.0.0.240 TCP Connection Request = 1.0.0.240 : 23 = 6.6.6.6 : 8748 5.5.5.5 6.6.6.6 38

TCP Load Sharing (7) 1.0.0.1 1.0.0.2 TCP Connection Request = 1.0.0.2 : 23 = 5.5.5.5 : 1297 4.4.4.4 1.0.0.3 TCP Connection Request = 1.0.0.3 : 23 = 6.6.6.6 : 8748 5.5.5.5 1.0.0.240 Prot. TCP TCP Inside Local Inside Global Outside Global 1.0.0.1:23 1.0.0.240:23 4.4.4.4:3931 1.0.0.2:23 1.0.0.240:23 5.5.5.5:1297 6.6.6.6 TCP 1.0.0.3:23 1.0.0.240:23 6.6.6.6:8748 39

NAT and FTP FTP control session negotiates port numbers PORT and PASV parameters must be processed by NAT router when doing overloading (ASCII coded!!!) Non-standard FTP port numbers are mostly supported today Cisco: ip nat service command 40

NAT and ICMP Many ICMP payloads contain IP headers NAT must translate both addresses and checksum PING Echo request & Echo are matched by ICMPidentifier Used by NAT instead of port numbers (overloading) If fragmented, only fragment 0 contains this identifier NAT tracks IP identifier for following fragments 41

NAT and... H.323: TCP/UDP session bundles, ASN.1 encoded IP addresses in payload NetBIOS over TCP/IP (NBT): packet header information at inconsistent offsets SNMP: dynamic NAT makes it impossible to track hosts (traps) over longer periods of time 42

Security (1) Usually PAT can be detected Typical translation signatures Local topology cannot be seen outside Typically SYN-ACKS from outside are blocked 43

Security (2) Typically prevents attacks like SMURF and WinNuke NAT cannot protect all DoS attacks Security requires additional software Mailfilters etc. Encrypted L3 payload must not contain address/port information 44

Drawbacks of NAT Translation is ressource intensive (delays) Encrypted protocols cannot be translated Increased probability of mis-addressing Might not support all applications Hiding hosts might be a negative effect Problems with SNMP, DNS,... 45

Configuration Commands (1) Declare interfaces to be inside/outside ip nat { inside outside } Define a pool of addresses (global) ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> prefix-length <prefix-length> } [ type { rotary } ] 46

Configuration Commands (2) Enable translation of inside source addresses ip nat inside source { list <acl> pool <name> [overload] static <local-ip> <global-ip> } Enable translation of inside destination addresses ip nat inside destination { list <acl> pool <name> static <global-ip> <local-ip> } Enable translation of outside source addresses ip nat outside source { list <acl> pool <name> static <global-ip> <local-ip> } 47

Clearing Commands Clearall dynamic NAT table entries clear ip nat translation * Clear a simple dynamic inside or inside+outside translation entry clear ip nat translation inside <global-ip> <localip> [outside <local-ip global-ip>] Clear a simple dynamic outside translation entry clear ip nat translation outside <local-ip> <global-ip> Clear an extended dynamic translation entry clear ip nat translation <protocol> inside <globalip> <global-port> <local-ip> <local-port> [outside <local-ip> <local-port> <global-ip> <global-port>] 48

Further Information RFC 1631 (NAT) RFC 3022 (Traditional NAT) RFC 2694 (DNS ALG) RFC 2766 (IPv4 to IPv6 Translation) NAT Friendly Application Design Guidelines (Draft) 49

Summary NAT hides inside from outside Important to know terms inside/outside versus local/global NAT devices must also be able to process L4-L7 headers Some protocols might bever be supported (SNMP, NBT,...) Simple TCP load sharing possible NAT processing is resource intensive 50

TODO RFC 2766 (IPv4-IPv6 NAT-Protocol Translation) NAT with ISP multihoming and routing Special NAT situations by example, case studies DEBUG commands IPSec Tunnel and NAT IP Multicast and NAT...will be covered in future releases! 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback