
Network Security with NAT and PAT

ICND v2.2—4-1
Outline

• Overview
• Introducing NAT and PAT
• Translating Inside Source Addresses
• Overloading an Inside Global Address
• Verifying the NAT and PAT Configuration
• Troubleshooting the NAT and PAT Configuration
• Summary
Private and global IP addresses

IPv4 - 4 294 967 296 addresses

Private address ranges:
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Network Address Translation (NAT)

• IP address pooling
• Internet connection (ISP)
• IP masking
• Server load-balancing
Main NAT operations

[Figure: a NAT device sits between the private network and the Internet. Host H1 has private address 10.0.1.2 and public address 128.143.71.21; host H5 has public address 213.168.112.3.]

Outbound packet from H1, before the NAT device: Source = 10.0.1.2, Destination = 213.168.112.3
Outbound packet after the NAT device: Source = 128.143.71.21, Destination = 213.168.112.3
Return packet from H5, before the NAT device: Source = 213.168.112.3, Destination = 128.143.71.21
Return packet after the NAT device: Source = 213.168.112.3, Destination = 10.0.1.2

Translation table on the NAT device:
Private Address | Public Address
10.0.1.2        | 128.143.71.21
IP address pooling
NAT'ing with different ISPs

[Figure: the private network is connected to two providers through one NAT device. ISP 1 allocates address block 128.143.71.0/24 to the private network; ISP 2 allocates address block 128.195.4.0/24. Host H1 has private address 10.0.1.2 and public addresses 128.143.71.21 (ISP 1) and 128.195.4.120 (ISP 2).]

Packet from H1 inside the private network: Source = 10.0.1.2, Destination = 213.168.112.3
Sent via ISP 1: Source = 128.143.71.21, Destination = 213.168.112.3
Sent via ISP 2: Source = 128.195.4.120, Destination = 213.168.112.3

Translation table on the NAT device:
Private Address | Public Address
10.0.1.2        | 128.143.71.21
10.0.1.2        | 128.195.4.120
Network Address Translation

• An IP address is either local or global.
• Local IP addresses are seen in the inside network.
Port Address Translation
Translating Inside Source Addresses
Configuring Static Translation

Router(config)#ip nat inside source static local-ip global-ip

• Establishes static translation between an inside local address and an inside global address

Router(config-if)#ip nat inside

• Marks the interface as connected to the inside

Router(config-if)#ip nat outside

• Marks the interface as connected to the outside


Enabling Static NAT
Address Mapping Example
Configuring Dynamic Translation

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

• Defines a pool of global addresses to be allocated as needed.

Router(config)#access-list access-list-number permit source [source-wildcard]

• Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)#ip nat inside source list access-list-number pool name

• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
Dynamic Address Translation Example
Overloading an Inside Global Address
Configuring Overloading

Router(config)#access-list access-list-number permit source source-wildcard

• Defines a standard IP ACL that permits the inside local addresses that are to be translated

Router(config)#ip nat inside source list access-list-number interface interface overload

• Establishes dynamic source translation with overloading, specifying the ACL that was defined in the prior step
Overloading an Inside Global Address Example
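The three translation modes covered in this module (static one-to-one, dynamic from an address pool, and overloading/PAT on a single inside global address) as an added Python model. This is illustration written for this page, not Cisco code: it reuses the addresses from the slides' figures and examples, while the port numbers, the two-address pool and the starting PAT port 1024 are constructed. It also shows the reverse translation of return traffic and the pool-exhaustion case that dynamic NAT runs into when more hosts need translation than the pool holds.

```python
"""Model of the three NAT modes in this module: static one-to-one,
dynamic from an address pool, and overload (PAT) on one global address.
Added illustration, not Cisco code; the inside/global addresses reuse the
slides' examples, the port numbers and pool are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Translator:
    mode: str                                   # "static", "dynamic" or "overload"
    static: dict = field(default_factory=dict)  # inside local -> inside global
    pool: list = field(default_factory=list)    # free inside global addresses
    overload_ip: Optional[str] = None           # the single inside global address for PAT
    next_port: int = 1024                       # next free global port for PAT (constructed start)
    # translation table: (local ip, local port or None) -> (global ip, global port or None)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving the inside network.
        Returns the new (source ip, source port), or None if the packet is dropped."""
        # one-to-one modes key on the address only; PAT keys on address + port
        key = (src_ip, src_port) if self.mode == "overload" else (src_ip, None)
        if key not in self.table:
            if self.mode == "static":
                if src_ip not in self.static:
                    return None                 # no static entry: not translated
                self.table[key] = (self.static[src_ip], None)
            elif self.mode == "dynamic":
                if not self.pool:
                    return None                 # pool exhausted: "not enough addresses"
                self.table[key] = (self.pool.pop(0), None)
            else:
                self.table[key] = (self.overload_ip, self.next_port)
                self.next_port += 1
        global_ip, global_port = self.table[key]
        return (global_ip, src_port if global_port is None else global_port)

    def inbound(self, dst_ip, dst_port):
        """Reverse-translate a reply arriving from the outside network."""
        for (local_ip, local_port), (global_ip, global_port) in self.table.items():
            if global_ip != dst_ip:
                continue
            if global_port is None:             # one-to-one: the port passes through
                return (local_ip, dst_port)
            if global_port == dst_port:         # PAT: the port identifies the inside host
                return (local_ip, local_port)
        return None                             # no entry: the router drops the packet


def demo():
    """Run each mode on sample traffic and return the observed translations."""
    out = {}
    # static: the 10.0.1.2 <-> 128.143.71.21 mapping from the NAT figure
    s = Translator("static", static={"10.0.1.2": "128.143.71.21"})
    out["static_out"] = s.outbound("10.0.1.2", 40000)
    out["static_in"] = s.inbound("128.143.71.21", 40000)
    out["static_unmapped"] = s.outbound("10.0.1.3", 40000)
    # dynamic: a two-address pool (constructed) shared by three inside hosts
    d = Translator("dynamic", pool=["172.16.131.1", "172.16.131.2"])
    out["dynamic"] = [d.outbound(h, 5000) for h in ("10.10.10.1", "10.10.10.2", "10.10.10.3")]
    # overload: two hosts using the same source port behind 172.31.233.209
    p = Translator("overload", overload_ip="172.31.233.209")
    first = p.outbound("192.168.1.95", 5000)
    second = p.outbound("192.168.1.96", 5000)
    out["pat"] = [first, second, p.inbound("172.31.233.209", second[1])]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dynamic run shows why the troubleshooting checklist asks whether there are enough addresses in the pool: the third host gets no entry and its packets are dropped, while the overload run shows the port number doing the work that the pool address did in dynamic NAT.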
Clearing the NAT Translation Table

Router#clear ip nat translation *

• Clears all dynamic address translation entries

Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

• Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

Router#clear ip nat translation outside local-ip global-ip

• Clears a simple dynamic translation entry that contains an outside translation

Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

• Clears an extended dynamic translation entry
Displaying Information with show Commands

Router#show ip nat translations

• Displays active translations

Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 172.16.131.1 10.10.10.1 --- ---

Router#show ip nat statistics

• Displays translation statistics

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2.7
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0

Sample Problem: Cannot Ping Remote Host
Solution: New Configuration
Using the debug ip nat Command

Router#debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
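A parser for the debug ip nat output above, added here as an example and not part of the original slides or Cisco software. Each line records one packet: the `a->b` after `s=` is a source address rewritten on the way out (inside local to inside global), the `a->b` after `d=` is a destination rewritten on the way back in, the number in brackets is the IP identification field, and the asterisk in `NAT*` marks a packet handled on the fast-switched path. The sample lines are the ones from the slide, embedded so the script runs offline.

```python
"""Parser for 'debug ip nat' lines: each line records one packet and the
address that was rewritten. Added example, not Cisco code; SAMPLE_DEBUG is
the slide's own output."""
import re

SAMPLE_DEBUG = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
"""

# "a->b" after s= or d= is the address before and after translation; [n] is the IP identification
LINE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """Return a dict describing one debug line, or None if it is not a NAT line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    rec = {"ip_id": int(g["ipid"]), "fast_switched": g["fast"] == "*"}
    if g["s2"]:      # source rewritten: packet going inside -> outside
        rec.update(direction="outbound", inside_local=g["s"], inside_global=g["s2"], outside=g["d"])
    elif g["d2"]:    # destination rewritten: reply coming outside -> inside
        rec.update(direction="inbound", inside_local=g["d2"], inside_global=g["d"], outside=g["s"])
    else:
        return None  # no address rewritten: nothing to report
    return rec


def summarize(text):
    """Aggregate a debug capture: packets per direction, outside peers, and the
    inside-local -> inside-global mappings that were actually applied."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return {
        "outbound": sum(r["direction"] == "outbound" for r in recs),
        "inbound": sum(r["direction"] == "inbound" for r in recs),
        "fast_switched": sum(r["fast_switched"] for r in recs),
        "mappings": {r["inside_local"]: r["inside_global"] for r in recs},
        "outside_peers": sorted({r["outside"] for r in recs}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```

On the slide's eight lines the summary shows four packets in each direction, a single mapping 192.168.1.95 to 172.31.233.209, and two outside peers; when a host that should be translated never appears in the mappings, the checklist that follows is the place to look.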
Translation Not Installed in the Translation Table?

Verify that:
• The configuration is correct
• There are not any inbound ACLs denying the packets entry
to the NAT router
• The ACL referenced by the NAT command is permitting all
necessary networks
• There are enough addresses in the NAT pool
• The router interfaces are appropriately defined as NAT inside
or NAT outside
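The checklist above, turned into an added Python script that reads an IOS NAT configuration and reports which items fail. This is example code written for this page, not Cisco code or a Cisco tool: the configuration in SAMPLE_CONFIG is constructed (it pairs the commands from the dynamic-translation slide with a two-address pool), and the function names parse_config, acl_permits and check are my own. It covers four of the five items (inside/outside interface assignment, the referenced ACL existing, the ACL permitting every inside host, and pool size versus the number of hosts); inbound ACLs on the router's interfaces are outside what the NAT commands alone can tell you.

```python
"""Checker for the troubleshooting list above: parse an IOS NAT configuration
and report the usual reasons a translation never gets installed. Added example,
not Cisco code; SAMPLE_CONFIG is constructed and the function names are my own."""
import ipaddress

# constructed: dynamic NAT, ACL 1, a two-address pool, Ethernet1 inside, Ethernet0 outside
SAMPLE_CONFIG = """\
interface Ethernet1
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 172.16.131.254 255.255.255.0
 ip nat outside
!
ip nat pool NET-POOL 172.16.131.1 172.16.131.2 netmask 255.255.255.0
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 pool NET-POOL
"""


def parse_config(text):
    """Pull out the parts of a running-config that NAT depends on."""
    cfg = {"inside": [], "outside": [], "acl": {}, "pool": {}, "rules": []}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith(" ip nat inside") and iface:
            cfg["inside"].append(iface)
        elif line.startswith(" ip nat outside") and iface:
            cfg["outside"].append(iface)
        elif line.startswith("access-list "):
            _, num, action, net, *rest = line.split()
            if net == "host":                       # "permit host a.b.c.d" form
                net, rest = rest[0], ["0.0.0.0"]
            elif net == "any":                      # "permit any" form
                net, rest = "0.0.0.0", ["255.255.255.255"]
            cfg["acl"].setdefault(num, []).append((action, net, rest[0] if rest else "0.0.0.0"))
        elif line.startswith("ip nat pool "):
            p = line.split()
            cfg["pool"][p[3]] = (p[4], p[5])        # name -> (start-ip, end-ip)
        elif line.startswith("ip nat inside source list "):
            p = line.split()
            cfg["rules"].append({
                "acl": p[5],
                "pool": p[p.index("pool") + 1] if "pool" in p else None,
                "interface": p[p.index("interface") + 1] if "interface" in p else None,
                "overload": "overload" in p})
    return cfg


def acl_permits(entries, host):
    """Evaluate a standard ACL top-down; IOS denies anything no entry matches."""
    h = int(ipaddress.IPv4Address(host))
    for action, net, wildcard in entries:
        w = int(ipaddress.IPv4Address(wildcard))    # wildcard 1-bits are "don't care"
        if (h | w) == (int(ipaddress.IPv4Address(net)) | w):
            return action == "permit"
    return False


def check(cfg, inside_hosts):
    """Return the checklist items that fail for the given inside hosts."""
    problems = []
    if not cfg["inside"] or not cfg["outside"]:
        problems.append("need at least one 'ip nat inside' and one 'ip nat outside' interface")
    if not cfg["rules"]:
        problems.append("no 'ip nat inside source list' command configured")
    for rule in cfg["rules"]:
        entries = cfg["acl"].get(rule["acl"])
        if entries is None:
            problems.append(f"ACL {rule['acl']} referenced by the NAT rule is not defined")
            continue
        denied = [h for h in inside_hosts if not acl_permits(entries, h)]
        if denied:
            problems.append(f"ACL {rule['acl']} does not permit {', '.join(denied)}")
        if rule["pool"] is not None:
            if rule["pool"] not in cfg["pool"]:
                problems.append(f"pool {rule['pool']} is not defined")
            elif not rule["overload"]:
                start, end = (int(ipaddress.IPv4Address(a)) for a in cfg["pool"][rule["pool"]])
                if end - start + 1 < len(inside_hosts):
                    problems.append(f"pool {rule['pool']} has {end - start + 1} addresses "
                                    f"for {len(inside_hosts)} hosts")
        elif rule["interface"] is not None and rule["interface"] not in cfg["outside"]:
            problems.append(f"{rule['interface']} is used for overload but is not a NAT outside interface")
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for hosts in (["10.10.10.1", "10.10.10.2"], ["10.10.10.1", "10.10.10.2", "10.10.10.3"]):
        print(hosts, "->", check(cfg, hosts) or "OK")
```

Run against the sample, two inside hosts pass cleanly, a third host trips the pool-size check, and a host outside 10.10.10.0/24 trips the ACL check; feeding it the output of show running-config from a real router is the intended use.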
Summary

• NAT enables private IP internetworks that use non-registered IP addresses to connect to the Internet. PAT, a feature of NAT, enables several internal addresses to be translated to only one or a few external addresses.
• You can translate your own IP addresses into globally unique IP addresses when you are communicating outside of your network.
• Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports, known also as PAT.
• Once NAT is configured, the clear and show commands can be used to verify that it is operating as expected.
• The debug command can be used to troubleshoot NAT connectivity problems.
Module Summary

• Using ACLs, you can classify or filter packets on inbound and outbound routed interfaces and access ports.
• Cisco IP ACLs are used to classify packets, which can be subjected to such features as security, encryption, and policy-based routing.
• NAT and PAT translate IP addresses within private internal networks into legal IP addresses for transport over public external networks such as the Internet without requiring a registered subnet address.
Questions
