Network Address Translation

Session 109

Laura Jeanne Knapp

Network Consultant
1-919-224-2205
Laura@lauraknapp.com
www.lauraknapp.com
IBM Networking - Connecting people to information through technology 010
NATVPN_
 Evolving System

Concepts of NAT (Network

Address Translation) and
PAT (Port Address Translation)

Virtual Private Networks Considerations

Other Considerations

Summary

IBM Networking - Connecting people to information through technology 020

NATVPN_
 Network Address Translation
in a Nutshell
Private Network Internet
25c
25c

SA SA
10.21.99.23 99.99.99.4
DA
209.109.217.59 DA
209.109.217.59

NAT
Router

10.21.6.21 99.99.99.4
10.21.99.23

SA
25c 25c 209.109.217.59
209.109.217.59 SA
209.109.217.59

DA DA
10.21.99.23 99.99.99.4

IBM Networking - Connecting people to information through technology 030

NATVPN_
 Port Address Translation
(PAT) in a Nutshell
Private Network Internet
25c
25c

SA SA
10.21.15.188:2022 99.99.99.5:1080
DA
209.109.217.59:80 DA
209.109.217.59:80

NAT
Router

10.21.6.20 99.99.99.5
10.21.15.188 25c
25c

SA SA
10.21.101.90:1080 99.99.99.5:2080

DA DA 209.109.217.59
209.109.217.59:80 209.109.217.59:80

10.21.101.90
PAT will try and use the same port as the source,
but if it is already used, it will assign an
available free port number
IBM Networking - Connecting people to information through technology 040
NATVPN_
 Port Address Translation
(PAT) in a Nutshell without DNS
Private Network Internet
25c
25c

SA SA
10.21.15.188:2022 99.99.99.5:1080
DA
10.21.6.20:2324 DA
209.109.217.59:80

NAT
Router

10.21.6.20 99.99.99.5
10.21.15.188 25c
25c

SA SA
10.21.101.90:1080 99.99.99.5:2080

DA DA 209.109.217.59
10.21.6.20:2324 209.109.217.59:80

10.21.101.90
Without DNS name resolution the destination
internal address is the NAT router internal address
defined to the outside address
IBM Networking - Connecting people to information through technology 040
NATVPN_
 NAT and PAT

NAT - Network Address Translation

1 to 1 association
Changes IP address in the
header
RFC 1631
Layer 3
Maps one internal (local)
address to one external
(global) address

PAT - Port Address Translation

(overload in Cisco speak)
1 to many
Associates source port with
each flow
Layer 3 and 4
Maps multiple internal (local) addresses
to one external (global address)
Also called NAPT in IETF documents
A single IP address can address 65,536 unique ports
IBM Networking - Connecting people to information through technology 050
NATVPN_
 Terminology
Inside Zone
Intranet/private address
Typically uses private addresses
“Local address” is real IP address of host
Not routable in the Internet

Outside Zone
Internet/Public address
Registered addresses only
“Global address” is the virtual host address
Routable in the Internet

Static
Commonly used for inbound traffic
Permanent
“Local” address is always known by the same “global” address
‘ip nat inside source static 10.21.99.23 99.99.99.4’

Dynamic
Typically used for outbound traffic
Changes
“Local” address may have variable “global” address
‘ ip nat inside source list 1 pool nat-pool’
IBM Networking - Connecting people to information through technology 060
NATVPN_
 Why do we need NAT?
Private Network Internet
25c
25c

SA SA
10.21.15.188:2022 99.99.99.5:1080
DA
209.109.217.59:80 DA
209.109.217.59:80

NAT
Router

10.21.6.20 99.99.99.5
10.21.15.188 25c
25c

SA SA
10.21.101.90:1080 99.99.99.5:2080

DA DA 209.109.217.59
209.109.217.59:80 209.109.217.59:80

10.21.101.90
PAT will try and use the same port as the source,
but if it is already used, it will assign an
available free port number

Use of non-Internet-routable private address in private networks

Merging corporations with conflicting IP address space

Changing Internet Service Providers (ISPs)

Can assist in changing IP addressing schemes

Secures internal network since private addresses are hidden

IBM Networking - Connecting people to information through technology 070
NATVPN_
 Where is NAT Implemented?
Private Network Internet
25c
25c

SA SA
10.21.15.188:2022 99.99.99.5:1080
DA
209.109.217.59:80 DA
209.109.217.59:80

NAT
Router

10.21.6.20 99.99.99.5
10.21.15.188 25c
25c

SA SA
10.21.101.90:1080 99.99.99.5:2080

DA 209.109.217.59
Routers DA
209.109.217.59:80 209.109.217.59:80

Firewalls 10.21.101.90
PAT will try and use the same port as the source,
VPN devices but if it is already used, it will assign an
available free port number
Each translation = 160 - 200 bytes

10,000 translations = 1.6 megabytes

Performance/latency is negligible

Needs about 42 Kbytes of system memory

IBM Networking - Connecting people to information through technology 080
NATVPN_
 NAT Basic Information
Private Network Internet
25c
25c

SA SA
10.21.15.188:2022 99.99.99.5:1080
DA
209.109.217.59:80 DA
209.109.217.59:80

NAT
Router

10.21.6.20 99.99.99.5
10.21.15.188 25c
25c

SA SA
10.21.101.90:1080 99.99.99.5:2080

DA DA 209.109.217.59
209.109.217.59:80 209.109.217.59:80

10.21.101.90
PAT will try and use the same port as the source,
but if it is already used, it will assign an
available free port number

An interface can be defined as inside or outside

Translations occur from ‘inside to outside’ interfaces or

from ‘outside to inside’

Translations never occur from ‘inside to inside’ or ‘outside to outside’

IBM Networking - Connecting people to information through technology 090
NATVPN_
 Inside and Outside Definitions
Private Network Internet Private Network
25c

SA
10.21.15.188:2022 25c

SA
DA 10.21.15.188
10.21.6.20 DA
10.21.6.21

NAT NAT
Router Router

10.21.6.20 99.99.99.5 99.99.99.4 10.21.6.21

10.21.15.188 10.21.99.23
25c

SA
10.21.101.90:1056 209.109.217.59
DA
10.21.6.20

10.21.101.90
Inside Local: The IP address assigned to a device on the inside network

Inside Global: The IP address of an inside device as it is known to the

outside

Outside Local: The IP address of an outside device as it is known to the

inside network

Outside Global: The IP address assigned to a device on the outside

network
IBM Networking - Connecting people to information through technology 090
NATVPN_
 NAT Configuration
Private Network Internet Private Network
25c

SA
10.21.15.188:2022 25c

SA
DA 10.21.15.188
209.109.217.59:80
DA
209.109.217.59

NAT NAT
Router Router

10.21.6.20 99.99.99.5 99.99.99.4 10.21.6.21

10.21.15.188 10.21.99.23
25c

SA
10.21.101.90:1056 209.109.217.59
DA
209.109.217.59:23

10.21.101.90

Protocol Inside Inside Outside Outside

Global Local Local Global
Any 99.99.99.4 10.21.99.23

IBM Networking - Connecting people to information through technology 100

NATVPN_
 NAT Configuration Expanded
Private Network Internet Private Network
25c

SA
10.21.15.188:2022 25c

SA
DA 10.21.99.23
10.21.6.20 DA
10.21.6.21

NAT NAT
Router Router

10.21.6.20 99.99.99.5 99.99.99.4 10.21.6.21

10.21.15.188 10.21.99.23
25c

SA
10.21.101.90:1056
DA
10.21.6.20
209.109.217.59

10.21.101.90

Protocol Inside Inside Outside Outside

Global Local Local Global
Any 99.99.99.4 10.21.99.23 10.21.6.21 209.109.217.59

IBM Networking - Connecting people to information through technology 100

NATVPN_
 NAT Configuration Expanded
Private Network Internet Private Network
25c

SA
10.21.15.188:2022 25c

SA
DA 10.21.99.23
10.21.6.20 DA
10.21.6.21

NAT NAT
Router Router

10.21.6.20 99.99.99.5 99.99.99.4 10.21.6.21

10.21.15.188 10.21.99.23
25c

SA
10.21.101.90:1056
DA
10.21.6.20
209.109.217.59

10.21.101.90

Protocol Inside Inside Outside Outside

Global Local Local Global

TCP 99.99.99.5:1202 10.21.101.90:1056 209.109.217.59:23 209.109.217.59:23

TCP 99.99.99.5:2022 10.21.15.188:2022 209.109.217.59:80 209.109.217.59:80

IBM Networking - Connecting people to information through technology 100

NATVPN_
 Outside and Inside Source Addresses
25c

Inside Source
25c

Translate Translate
source address destination address
Inside adapter Outside adapter

Inside source translation

IP hosts addresses that should not be seen in the public Internet
Translates source IP address for packets going from inside to outside
Translates destination IP address for packets going from outside to inside

25c

Outside Source
25c

Translate Translate
destination address source address
Inside adapter Outside adapter

Outside source translation

Same IP addresses are being used on both inside and outside
networks (overlapping networks)
Translates source IP address for packets going from outside to inside
Translates destination IP address for packets going from inside to outside
IBM Networking - Connecting people to information through technology 110
NATVPN_
 NAT Order of Operation

Private Network Internet Private Network

25c

SA
10.21.15.188:2022 25c

SA
DA
10.21.15.188
10.21.6.20
To be delivered DA
10.21.6.21
to 209.109.217.59
To be delivered
NAT NAT to 209.109.217.59
Router Router

10.21.6.20 99.99.99.5 99.99.99.4 10.21.6.21

10.21.15.188 10.21.99.23
25c

SA
10.21.101.90:1056
DA
10.21.6.20
209.109.217.59
To be delivered
to 209.109.217.59
10.21.101.90

NAT always checks translation table before access lists

Check with vendors regarding full NAT order of operation

it varies even in a single vendors product line

Vendors have assigned ‘marketing’ names to PAT

IBM Networking - Connecting people to information through technology 120
NATVPN_
 Agenda

Concepts of NAT (Network

Address Translation) and
PAT (Port Address Translation)

Virtual Private Networks Considerations

Other Considerations

Summary

IBM Networking - Connecting people to information through technology 130

NATVPN_
 Application Considerations

Is there embedded IP information in the payload?

Well behaved applications Problem applications

HTTP IP Multicast
Telnet VOIP
Archie ICMP
Finger PPTP
NTP H.323
rlogin SMTP
rsh FTP
rcp NetBios over IP
NFS RealAudio
TFTP CuSeeMe
DNS “a”
DNS “ptr”
Most DVC

IBM Networking - Connecting people to information through technology 140

NATVPN_
 Embedded IP

IP Header : SA = 10.21.15.188 Data : IP = 10.21.15.188

Inside

Address
Translation

Outside

IP Header : SA = 209.109.217.59 Data : IP = 10.21.15.188

Which address will the end system use for the response?
IBM Networking - Connecting people to information through technology 150
NATVPN_
 IPSec - ESP Considerations

IP Header : SA = 10.21.15.188 Data : IP = 10.21.15.188

New IP Header IPSec Header IP Header : SA = 10.21.15.188 Data : IP = 10.21.15.188

NAT Encrypted

Authenticated

ESP Tunnel Mode

(host-gateway and gateway-gateway)

IBM Works !!!!!!!!!!

Networking - Connecting people to information through technology 160
NATVPN_
 IPSec - AH

Authenticated
HDR + Data = Checksum

IP Header : SA = 10.21.15.188 Data : IP = 10.21.15.188

BREAKS
IP Header : SA = 99.99.99.5 IPSec Header Data : IP = 10.21.15.188

NAT Checksum Encrypted

Stored
If any field in the in the original header is modified AH will fail.
Remember AH was designed to prevent source spoofing, man-in-middle
attacks, and unauthorized modifications
IBM Networking - Connecting people to information through technology 170
NATVPN_
 IPSec - Catch 22

Transport mode ESP (host to host)

NAT modifies the TCP/UDP packet
NAT must recalculate the checksum
If NAT updates the checksum,
ESP authentication will fail
Turning off checksums in transport mode ESP
Then we have a IKE issue
IKE provides security association
setup between endpoints
Most often used is pre-shared key
Pre-shared key relies on the source address
of the packet
(Use a VPN solution with X.509 digital certificates
or public key signature)
NAT before IPSec
Perform NAT on a device located behind your IPSec
security gateway
Use an IPSec device that also performs NAT
Perform outbound address translation before applying security
Perform security before address translation for inbound address
IBM Networking - Connecting people to information through technology 170
NATVPN_
 Access Lists Inbound

Private Network Internet

Packet Flow

Routing Inbound Inbound

ACL ACL
(if packet
Outbound NAT Decryption encrypted)
ACL
IBM Networking
Networking -- Connecting
Connecting people
people to
to information
information through
through technology
technology 180
NATVPN_
OPTIC__
 Access Lists Outbound

Private Network Internet

Packet Flow

Policy NAT Outbound

Routing ACL

Inbound Routing Encryption

ACL
IBM Networking - Connecting people to information through technology 190
NATVPN_
 Router Configuration
IPSec between Internet and Private Network

Sample configuration showing how to encrypt traffic between a

private network (10.103.1.x) and a public network (98.98.98.x)
using IPSec

10.103.1.75 95.95.95.1 99.99.99.1 98.98.98.1

95.95.95.2 99.99.99.2
Internet

Acme RTP Public Network

IBM Networking - Connecting people to information through technology 200

NATVPN_
 Router Configuration
IPSec between Internet and Private Network
Crypto isakamp policy 1
hash md5
authentication pre-share
Public Router
crypto isakamp key cisco123 address 95.95.95.2
:
crypto map rtp 1 ipsec-isakamp
set peer 95.95.95.2 10.103.1.75 95.95.95.1 99.99.99.1 98.98.98.1
match address 115
:
interface Ethernet 0/0 95.95.95.2 99.99.99.2
ip address 98.98.98.1 255.255.255.0 Internet

Acme RTP Public Network

:
interface Ethernet 0/1
ip address 99.99.99.2 255.255.255.0
:
no ip route cache
:
access list 115 permit ip 98.98.98.0 0.0.0.255 10.103.1.0 0.0.0.255
access list 115 deny ip 98.98.98.0 0.0.0.255 any

IBM Networking - Connecting people to information through technology 210

NATVPN_
 Router Configuration
IPSec between Internet and Private Network
Crypto isakamp policy 1
hash md5 Acme RTP Router
authentication pre-share
crypto isakamp key cisco123 address 99.99.99.2
:
crypto map rtp 1 ipsec-isakamp
set peer 99.99.99.2
match address 115 10.103.1.75 95.95.95.1 99.99.99.1 98.98.98.1
:
interface Ethernet 0/0
ip address 95.95.95.2 95.95.95.2 99.99.99.2
ip nat outside Internet

no route-cache Acme RTP Public Network

:
interface Ethernet 0/1
ip address 10.103.1.75 255.255.255.0
ip nat inside
:
no ip route cache
:
access list 115 permit ip 10.103.1.0 0.0.0.255 98.98.98.0 0.0.0.255
access list 115 deny ip 10.103.1.0 0.0.0.222 any
IBM Networking - Connecting people to information through technology 220
NATVPN_
 Router Configuration
IPSec Router-Router

Encrypts traffic from the network behind Acme RTP(10.103.1.x) to the

network behind Acme POK (10.50.50.x) and performs PAT. VPN client
traffic can flow into Acme RTP. Internet traffic is not encrypted.

95.95.95.2 99.99.99.2
10.103.1.75 10.50.50.50
Internet

Acme RTP Acme POK

IBM Networking - Connecting people to information through technology NATVPN_

230
 Router Configuration
IPSec Router-Router
Crypto isakamp policy 1
hash md5
authentication pre-share
Acme RTP Router
crypto isakamp key cisco123 address 99.99.99.2
:
crypto map rtp 1 ipsec-isakamp
set peer 99.99.99.2
95.95.95.2 99.99.99.2
match address 115 10.103.1.75 10.50.50.50
: Internet
interface Serial0
Acme RTP Acme POK
ip address 95.95.95.2 255.255.255.0
ip nat outside
crypto map rtp interface Ethernet 0/1
ip address 10.103.1.75 255.255.255.0
ip nat inside
:
ip nat inside source route-map nonat pool SER0 overload
:
no ip route cache
:
access list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access list 110 permit 10.103.1.0 0.0.0.255 any
route map nonat permit 10
match ip address 110
IBM Networking - Connecting people to information through technology NATVPN_
240
 Router Configuration
IPSec Router-Router
Crypto isakamp policy 1
hash md5
authentication pre-share
Acme POK Router
crypto isakamp key cisco123 address 95.95.95.2
:
crypto map rtp 1 ipsec-isakamp
set peer 95.95.95.2
95.95.95.2 99.99.99.2
match address 115 10.103.1.75 10.50.50.50
: Internet
interface Ethernet0
Acme RTP Acme POK
ip address 99.99.99.2 255.255.255.0
ip nat outside
crypto map rtp interface Ethernet 1
ip address 10.50.50.50 255.255.255.0
ip nat inside
:
ip nat inside source route-map nonat pool eth1 overload
:
no ip route cache
:
access list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access list 110 permit 10.50.50.0 0.0.0.255 any
access list 115 deny ip 10.50.50.0 0.0.0.255
route map nonat permit 10
match ip address 110
IBM Networking - Connecting people to information through technology NATVPN_
250
 Agenda

Concepts of NAT (Network

Address Translation) and
PAT (Port Address Translation)

Virtual Private Networks Considerations

Other Considerations

Summary

IBM Networking - Connecting people to information through technology NATVPN_

260
 NAT in Overlapping Networks

Private Network Other Network

10.1.1.1 NAT
Router 10.1.1.1
inside outside

10.1.1.2 10.1.1.2

ip nat outside source static network 192.168.1.0 10.1.1.0/24

ip nat inside source static network 10.1.1.0 172.16.1.0/24

IBM Networking - Connecting people to information through technology NATVPN_

290
 NAT in Overlapping Networks

Private Network Other Network

DNS Server

10.1.1.1 NAT
Router 10.1.1.1
inside outside

Where is
10.1.1.2 Blue??? 10.1.1.2

DNS server responds with 10.1.1.2 which is modified in the

NAT router to 192.168.1.2

IBM Networking - Connecting people to information through technology NATVPN_

300
 NAT in Overlapping Networks
Private Network Other Network
DNS Server

10.1.1.1 NAT
Router 10.1.1.1
inside outside

Where is
10.1.1.2 Blue??? 10.1.1.2

Inside Inside Outside Outside

Global Local Local Global

192.168.1.2 10.1.1.2

172.16.1.2 10.1.1.2

192.168.1.2 10.1.1.2 172.16.1.2 10.1.1.2

Inside global and local addresses came from the IP header

Outside global and local addresses came from the DNS payload
The summary was derived from the ping between the two devices
IBM Networking - Connecting people to information through technology 310
NATVPN_
 NAT in Overlapping Networks

Private Network Other Network

DNS Server

10.1.1.1 NAT
Router 10.1.1.1
inside outside

25c

SA
10.1.1.2 172.16.1.2 10.1.1.2
25c

SA DA
10.1.1.2 10.1.1.3

DA
192.168.1.2

IBM Networking - Connecting people to information through technology NATVPN_

320
 NAT Summary

NAT provides transparent connectivity

Networks can have arbitrary addressing

schemes

NAT needs to consider applications

in order to work

NAT enhances network privacy

NAT can be complex to configure,

maintain, and understand

Does NAT really solve our addressing

problems or just cover them up for a
short time?

IBM Networking - Connecting people to information through technology NATVPN_

330
 References

CISCO NAT order of operation : http://www.cisco.com/warp/public/556/5.html

RFC 1631 : The IP Network Address Translator

RFC 2663 : IP Network Address Translator Terminology and Considerations

IETF : http://www.ietf.org/html.charters/nat-charter.html

Cisco NAT technical tips : http://www.cisco.com/warp/public/556/index.shtml

NAT and VPN : http://www.isp-planet.com/technology/nat_ipsec.html

NAT and LINUX : http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html

NAT usage : http://www.nbama.com/network/docs/natrfc.htm

NAT Home Page : http://www.uq.net.au/~zzdmacka/the-nat-page/

Technical Paper : http://www.vicomsoft.com/knowledge/reference/nat.html

IBM Networking - Connecting people to information through technology 340

NATVPN_