Slide 1

NETWORK SECURITY

Network Address Translation

CONTENTS

What is NAT

NAT Terminology

How NAT works

NAT translation

Dynamic, static and overloading

Advantages and disadvantages

Configuration and troubleshooting on Ciscorouters.

WHAT IS NAT?

An IETF standard that allows an organization to presentitself to the Internet with far fewer IP addresses thanthere are nodes on its internal network.

NAT translates non-routable, private, internal addressesinto routable, public addresses.

NAT uses:

To save IP addresses by allowing networks to use private IPaddresses.

Adds a degree of privacy and security to a network by hidinginternal IP addresses from outside networks.

A NAT-enabled device typically operates at the border ofa stub network. (A stub network is a network that has asingle connection to its neighbor network).

NAT TERMINOLOGY

Inside local address – “The IP address assigned to a hoston the inside network” (McQuery, 2008).

From the figure an example is: x.x.x.x

Inside global address –A legitimate public IP addressassigned to a host when it exits a NAT device.

From the figure x.x.x.x is translated to p.p.p.p

Outside global address – “The public IP address of anoutside host as it appears to the inside network” (McQuery,2008).

For example, the web server is reachable at IP address209.165.201.1.

NAT TRANSLATION

NAT TYPES

“Static NAT: This type of NAT is designed to allow one-to-one mappingbetween local and global addresses.

The static version requires you to have one real Internet IP address for every host onyour network”

“Dynamic NAT: This version gives you the ability to map an unregisteredIP address to a registered IP address from out of a pool of registered IPaddresses.

 You need enough real, IP addresses for everyone who's going to be sending packets toand receiving them from the Internet at the same time”

 “Overloading: This is the most popular type of NAT configuration. Itmaps multiple unregistered IP addresses to a single registered IP address(many-to-one) by using different source ports.

Also known as Port Address Translation (PAT).

By using PAT (NAT Overload), you get to have thousands of users connectto the Internet using only one real global IP address

(Lammle, 2011).

NAT OVERLOAD

PAT uses unique source port numbers on the inside global IPaddress to distinguish between translations. Port number isencoded in 16 bits, thus, 65,536 addresses can be translatedinto 1 address!!

NAT ADVANTAGES AND DISADVANTAGES

NAT Advantages

NAT Disadvantages

Conserves the legally registeredaddresses

Translation introduces switchingpath delays.

Remedies address overlapoccurrence.

Loss of end to end IP traceability.

Increases flexibility when connectingto Internet.

Certain applications will notfunction with well with NATenabled. (like VoIP)

Eliminates address renumbering asnetwork changes.

Provides security by hiding internalIP addresses

CONFIGURING STATIC NAT ON A CISCO ROUTER

Library(config)# ip nat inside source static<local –IP> <global-IP>

Library(config)# interface <interface name slot>

Library(config-if)# ip address <ip address><subnet mask>

Library(config-if)# ip nat inside

Library(config)# interface <interface name slot>

Library(config-if)# ip address <ip address><subnet mask>

Library(config-if)# ip nat outside

STATIC NAT CONFIGURATION EXAMPLE

Library(config)# ip nat inside sourcestatic 10.1.1.1 170.46.2.2

Library(config)# interface Ethernet0

Library(config-if)# ip address 10.1.1.10255.255.255.0

Library(config-if)# ip nat inside

Library(config)# interface Serial0

Library(config-if)# ip address 170.46.2.1255.255.255.0

Library(config-if)# ip nat outside

DYNAMIC NAT CONFIGURATION

Library(config)# ip nat pool <pool name> <start-ip><end-ip> netmask <subnet mask>

Library(config)# ip nat inside source list <access-list number> pool <pool name>

Library(config)# interface <interface name slot>

Library(config-if)# ip address <ip address> <subnetmask>

Library(config-if)# ip nat inside

Library(config)# interface <interface name slot>

Library(config-if)# ip address <ip address> <subnetmask>

Library(config-if)# ip nat outside

Library(config)# access-list <acl-no> {permit | deny}<source> <source wildcard mask>

DYNAMIC NAT CONFIGURATION EXAMPLE

Library(config)# ip nat pool todd 170.168.2.3170.168.2.254 netmask 255.255.255.0

Library(config)# ip nat inside source list 1 pooltodd

Library(config)# interface Ethernet0

Library(config-if)# ip address 10.1.1.10255.255.255.0

Library(config-if)# ip nat inside

Library(config)# interface Serial0

Library(config-if)# ip address 170.168.2.1255.255.255.0

Library(config-if)# ip nat outside

Library(config)# access-list 1 permit 10.1.1.00.0.0.255

VERIFYING NAT CONFIGURATIONS

“Check the dynamic pools. Are they composed of theright scope of addresses?

Check to see if any dynamic pools overlap.

Check to see if the addresses used for static mappingand those in the dynamic pools overlap.

Ensure that your access lists specify the correctaddresses for translation.

Make sure there aren't any addresses left out thatneed to be there, and ensure that none are includedthat shouldn't be.

Check to make sure you've got both the inside andoutside interfaces delimited properly.”(Lammle,2011)

VERIFYING NAT AND NAT OVERLOAD

Library# Show ip nat translations

Library# Debug ip Nat

Library# Show ip nat statistics