Chapter 11: Network Address Translation for IPv4 (Fetel Academy)


DOCUMENT INFORMATION

Basic information

Title: Network Address Translation for IPv4
School: Fetel Academy
Field: Computer Networks
Type: Lecture document
Year of publication: 2023
City: Hanoi
Pages: 87
Size: 23.73 MB


Contents

Page 1

ELECTRONICS AND TELECOMMUNICATION FACULTY

Networking - CISCO NETWORKING ACADEMY

Chapter 11: Network Address Translation for IPv4

Page 3

Objectives

Upon completion of this chapter you will be able to:

- Describe NAT characteristics
- Describe the benefits and drawbacks of NAT
- Configure static NAT using the CLI
- Configure dynamic NAT using the CLI
- Configure PAT using the CLI
- Configure port forwarding using the CLI
- Configure NAT-PT (v6 to v4)
- Use show commands to verify NAT operation

Cisco Networking Academy, Electronics and Telecommunications Faculty, University of Science, Ho Chi Minh City, Vietnam

Page 4

1 NAT Operation

1.1 NAT Characteristics

Page 5

IPv4 Private Address Space

- Private Internet Addresses:
  - These are reserved private Internet addresses drawn from three blocks
  - These addresses are for private, internal network use only
  - RFC 1918 specifies that private addresses are not to be routed over the Internet

Private Internet addresses are defined in RFC 1918 (the scan kept only the table header; the rows below are the three RFC 1918 blocks):

Class   RFC 1918 Internal Address Range     CIDR Prefix
A       10.0.0.0 - 10.255.255.255           10.0.0.0/8
B       172.16.0.0 - 172.31.255.255         172.16.0.0/12
C       192.168.0.0 - 192.168.255.255       192.168.0.0/16

Page 6

IPv4 Private Address Space

- Private Internet Addresses:
  - Two issues:
    - You cannot route private addresses over the Internet
    - There are not enough public addresses to allow organizations to provide one to every one of their hosts
  - Networks need a mechanism to translate private addresses to public addresses at the edge of their network that works in both directions

Page 7

- To outside users, all traffic coming to and going from the network has the same IP address or is from the same pool of addresses

Page 9

(figure: Corporate Stub Network with a border gateway router)

Page 10

What is NAT?

- The translation process uses an internal translation table
- The contents of the table will vary depending on the type of network translation being implemented
- We will be looking at the use of static NAT, dynamic NAT and Port Address Translation (PAT)

(figure: Corporate Stub Network with a border gateway router)

Page 11

(figure: Inside Network / Outside Network)

Page 14

NAT Terminology (cont.)

- Inside Local Address:
  - An RFC 1918 address assigned to a host on an inside network
- Inside Global Address:
  - A valid public address that the host on the inside network is assigned as it exits the router
- Outside Global Address:
  - A reachable IP address assigned to a host on the Internet
- Outside Local Address:
  - A local address assigned to a host on an outside network

Page 15

NAT Terminology (cont.)

(figure: PC1 to Web Server, with the Inside Global, Inside Local, Outside Local and Outside Global addresses marked)

Page 16

(figure: NAT table with the columns Inside Local Address, Inside Global Address, Outside Global Address)

Page 17

NAT Table

Inside Local Address   Inside Global Address   Outside Global Address
192.168.10.10          209.165.200.226         209.165.201.1

Page 18

Identify the NAT Terminology

Page 19

1 NAT Operation

1.2 Types of NAT

Page 20

Static NAT

- There are three types of NAT translation:
  - Static address translation (static NAT) - One-to-one address mapping between local and global addresses
  - Dynamic address translation (dynamic NAT) - Many-to-many address mapping between local and global addresses
  - Port Address Translation (PAT) - Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading)

Page 21

Static NAT

- When servers hosted in the inside network must be accessible from the outside network

Static NAT Table

Inside Local Address   Inside Global Address (addresses reachable via R2)
192.168.10.10          209.165.200.226
192.168.10.11          209.165.200.227
192.168.10.12          209.165.200.228

Page 22

Dynamic NAT

- Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis
- When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool
- Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions

Page 23

(figure: IPv4 NAT Pool)

Page 24

Port Address Translation

- Allows you to use a single public IP address and assign it to up to 65,536 inside hosts (4,000 is more realistic)
- Modifies the TCP/UDP source port to track inside host addresses
- Tracks and translates:
  - Source IP Address
  - Destination IP Address
  - TCP/UDP Source Port Number
- These uniquely identify each connection for each stream of traffic
- PAT is also known as NAT overload

Page 25

(figure: NAT Table with Overload, showing the Outside Global IP Address column)

Page 26

(figure not captured in the scan)

Page 27

(figure: Next Available Port)

Page 28

Comparing NAT and PAT

- NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses
- PAT modifies both the address and the port number
- NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network
- PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT
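The translation tables described in the Types of NAT, Dynamic NAT, PAT and comparison slides above, as an added Python simulation written for this page (it is not Cisco IOS code and not part of the course material). The NatDevice class, its outbound/inbound/translations methods and the mode names are this example's own assumptions; the addresses are the ones used in the chapter's tables. Beyond restating the slides, it shows what happens at the edges: a dynamic pool that runs out leaves the next inside host untranslated, PAT moves a colliding source port 1444 to the next available port 1445 exactly as the chapter's overload table does, and an outside host that was never spoken to finds no entry, which is the "TCP initiated from the outside is disrupted" drawback listed later in the chapter.

```python
from dataclasses import dataclass, field


@dataclass
class NatDevice:
    """A border router's NAT table, simulated for the three NAT types.

    mode       : "static", "dynamic" or "pat"
    static_map : inside local -> inside global (static mode only)
    pool       : inside global addresses handed out first-come first-served
                 (dynamic mode) or the single overloaded address (pat mode)
    """
    mode: str
    static_map: dict = field(default_factory=dict)
    pool: list = field(default_factory=list)
    # Learned state; static entries need none because they never expire.
    dynamic: dict = field(default_factory=dict)  # inside local -> inside global
    pat: dict = field(default_factory=dict)      # (local ip, port, outside ip, port) -> (global ip, port)

    MAX_PORT = 65535

    def _free_global_port(self, wanted):
        """PAT keeps the inside host's source port when it is free and otherwise
        takes the next available port on the shared address."""
        used = {gport for (_ip, gport) in self.pat.values()}
        port = wanted
        for _ in range(self.MAX_PORT):
            if port not in used:
                return port
            port = port + 1 if port < self.MAX_PORT else 1
        return None  # every port on the address is in use

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the source of a packet leaving the inside network.
        Returns (inside global ip, global port), or None when the router has
        nothing to translate with: no static entry, an exhausted dynamic
        pool, or no free PAT port."""
        if self.mode == "static":
            glob = self.static_map.get(src_ip)
            return (glob, src_port) if glob else None
        if self.mode == "dynamic":
            if src_ip not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                  # pool exhausted
                self.dynamic[src_ip] = free[0]   # first-come, first-served
            return (self.dynamic[src_ip], src_port)
        if self.mode == "pat":
            # Source ip, source port and destination identify the connection.
            key = (src_ip, src_port, dst_ip, dst_port)
            if key not in self.pat:
                gport = self._free_global_port(src_port)
                if gport is None:
                    return None
                self.pat[key] = (self.pool[0], gport)
            return self.pat[key]
        raise ValueError(f"unknown NAT mode {self.mode!r}")

    def inbound(self, dst_ip, dst_port, src_ip, src_port):
        """Map a packet arriving from the outside back to the inside host.
        Returns (inside local ip, local port) or None when no entry matches,
        which is why an outside host cannot open a connection through dynamic
        NAT or PAT unless the inside host sent traffic first."""
        if self.mode == "static":
            # Static entries exist regardless of traffic, so unsolicited inbound works.
            for local, glob in self.static_map.items():
                if glob == dst_ip:
                    return (local, dst_port)
            return None
        if self.mode == "dynamic":
            for local, glob in self.dynamic.items():
                if glob == dst_ip:
                    return (local, dst_port)
            return None
        for (local, lport, outside, oport), glob in self.pat.items():
            if glob == (dst_ip, dst_port) and (outside, oport) == (src_ip, src_port):
                return (local, lport)
        return None

    def translations(self):
        """Rows as 'show ip nat translations' lists them:
        (inside global, inside local, outside global); '---' where a simple
        entry has no outside column, ip:port for extended (PAT) entries."""
        if self.mode == "static":
            return sorted((g, l, "---") for l, g in self.static_map.items())
        if self.mode == "dynamic":
            return sorted((g, l, "---") for l, g in self.dynamic.items())
        return sorted((f"{g}:{gp}", f"{l}:{lp}", f"{o}:{op}")
                      for (l, lp, o, op), (g, gp) in self.pat.items())


if __name__ == "__main__":
    # Replay the two flows from the chapter's PAT table (page 64).
    pat = NatDevice("pat", pool=["209.165.200.225"])
    pat.outbound("192.168.10.10", 1444, "209.165.201.1", 80)
    pat.outbound("192.168.10.11", 1444, "209.165.202.129", 80)
    for row in pat.translations():
        print(*row)
```

The dynamic mode models only the address mapping; entry timeouts and the verbose counters shown in the configuration section are not simulated.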

Page 29

Activity

Page 30

1 NAT Operation

1.3 Benefits of NAT

Page 31

Benefits of NAT

- Conserves the legally registered addressing scheme
- Increases the flexibility of connections to the public network
- Provides consistency for internal network addressing schemes
- Provides network security

Page 32

Disadvantages of NAT

- Performance is degraded
- End-to-end functionality is degraded
- End-to-end IP traceability is lost
- Tunneling is more complicated
- Initiating TCP connections can be disrupted
  - TCP initiated from the outside or stateless protocols using UDP

Page 33

2 Configuring NAT

2.1 Configuring Static NAT

Page 34

Configuring Static NAT

- Step 1:
  - Specify static translation between an inside local and inside global address:

    ip nat inside source static local-ip global-ip

Page 36

RA(config)#interface fa0/0
(the inside interface commands were not captured in the scan)
RA(config)#interface s0/0/0
RA(config-if)#ip address 192.168.1.1 255.255.255.0
RA(config-if)#ip nat outside

Page 37

Analyzing Static NAT

- Usually static translations are used when clients on the outside network (Internet) need to reach servers on the inside (internal) network

(figure: Inside Network, Internet, Outside Network; 1 = client, 2 = Web Server)

Inside Global    Inside Local      Outside Local      Outside Global
209.165.201.5    192.168.10.254    209.165.200.254    209.165.200.254

Page 38

show ip nat translations

(figure: command output with the Inside global and Inside local columns; the rows were not captured in the scan)

Page 39

Verifying Static NAT

R2# clear ip nat statistics
R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 0

Client PC establishes a session with the web server

R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 2, occurred 00:00:14 ago
Outside interfaces:
  Serial0/1/0
Inside interfaces:
  (rest of the output not captured in the scan)

Page 40

Activity

Page 41

2 Configuring NAT

2.2 Configuring Dynamic NAT

Page 42

Dynamic NAT Operation

- Dynamic NAT allows the automatic mapping of inside local addresses to inside global addresses
- Dynamic NAT uses a group, or pool, of public IPv4 addresses for translation
- The pool must be large enough to accommodate all inside devices. A device is unable to communicate to any external networks if no addresses are available in the pool

Page 48

- Step 2:
  - [...] between the inside addresses allowed by the access list and the pool of outside addresses (start of the step lost in the scan)

Page 49

- Step 3:
  - [...] between the inside addresses allowed by the access list and the pool of outside addresses (start of the step lost in the scan)

Page 51

(figure label: 192.168.1.1)

RA(config)#ip nat pool NAT-POOL1 179.9.8.80 179.9.8.85 netmask 255.255.255.0
RA(config)#access-list 1 permit 10.1.0.0 0.0.255.255
RA(config)#ip nat inside source list 1 pool NAT-POOL1
RA(config)#interface fa0/0
RA(config-if)#ip address 10.1.1.1 255.255.255.0
RA(config-if)#ip nat inside
RA(config)#interface s0/0/0
RA(config-if)#ip address 192.168.1.1 255.255.255.0
RA(config-if)#ip nat outside

(the wildcard mask on the access-list line is unreadable in the scan; 0.0.255.255 is assumed to match the 10.1.0.0 inside network)

Page 52

Analyzing Dynamic NAT

Page 53

Analyzing Dynamic NAT

Page 54

R2# show ip nat translations
Pro Inside global      Inside local       Outside local
-   209.165.200.226    192.168.10.10      -
-   209.165.200.227    192.168.11.10      -
R2#
R2# show ip nat translations verbose
Pro Inside global      Inside local       Outside local
  create 00:17:22, use 00:01:51 timeout:86400000, left (rest of the output not captured in the scan)

Page 55

R2# clear ip nat translation *
R2# show ip nat translations

clear ip nat translation *
    Clears all dynamic address translation entries from the NAT translation table

clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
    Clears a simple dynamic translation entry containing an inside translation or both inside and outside translation

clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
    Clears an extended dynamic translation entry

Page 56

Verifying Dynamic NAT

R2# clear ip nat statistics

PC1 and PC2 establish sessions with the server

R2# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Peak translations: 6, occurred 00:27:07 ago
Outside interfaces:
  Serial0/0/1
Inside interfaces:
  Serial0/1/0
Hits: 24  Misses: 0
CEF Translated packets: 24, CEF Punted packets: 0
Expired translations: 4
R2#
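Checking the output of the two show commands above from a script, rather than by eye, as an added Python example written for this page (not course or Cisco code). The sample text is constructed to look like the chapter's Verifying Dynamic NAT and Analyzing Dynamic NAT slides, and the pool range and permitted inside networks passed to audit() are assumptions standing in for whatever the router was configured with. The audit flags an inside global address that is not in the configured pool, an inside local address that the access list should never have allowed through, and a translation count that disagrees with the table.

```python
import ipaddress
import re

# Constructed sample output, modelled on the chapter's verification slides
# (not captured verbatim from a router).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.200.226    192.168.10.10      ---                ---
--- 209.165.200.227    192.168.11.10      ---                ---
"""

SAMPLE_STATISTICS = """\
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Peak translations: 6, occurred 00:27:07 ago
Outside interfaces:
  Serial0/0/1
Inside interfaces:
  Serial0/1/0
Hits: 24  Misses: 0
CEF Translated packets: 24, CEF Punted packets: 0
Expired translations: 4
"""

NO_VALUE = "---"  # IOS prints --- for the columns a simple (non-extended) entry lacks


def parse_translations(text):
    """Turn the 'show ip nat translations' table into one dict per entry.
    Extended (PAT) entries carry ip:port in the address columns; they are
    kept as strings so the caller can split them when needed."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) != 5:
            continue  # blank line or prompt
        proto, in_glob, in_loc, out_loc, out_glob = parts
        rows.append({
            "proto": None if proto == NO_VALUE else proto,
            "inside_global": in_glob,
            "inside_local": in_loc,
            "outside_local": None if out_loc == NO_VALUE else out_loc,
            "outside_global": None if out_glob == NO_VALUE else out_glob,
        })
    return rows


def parse_statistics(text):
    """Pull the counters out of 'show ip nat statistics'."""
    total = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", text)
    hits = re.search(r"Hits: (\d+)\s+Misses: (\d+)", text)
    expired = re.search(r"Expired translations: (\d+)", text)
    if not (total and hits and expired):
        raise ValueError("unrecognised 'show ip nat statistics' output")
    return {
        "total": int(total.group(1)), "static": int(total.group(2)),
        "dynamic": int(total.group(3)), "extended": int(total.group(4)),
        "hits": int(hits.group(1)), "misses": int(hits.group(2)),
        "expired": int(expired.group(1)),
    }


def audit(rows, stats, pool_first, pool_last, inside_networks):
    """Cross-check the live table against what was configured: every inside
    global must come from the NAT pool, every inside local must sit in a
    network the access list permits, and the counters must agree with the
    table.  Returns a list of findings; an empty list means consistent."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    permitted = [ipaddress.ip_network(n) for n in inside_networks]
    findings = []
    for r in rows:
        in_glob = ipaddress.ip_address(r["inside_global"].split(":")[0])
        in_loc = ipaddress.ip_address(r["inside_local"].split(":")[0])
        if not first <= in_glob <= last:
            findings.append(f"inside global {in_glob} is not in pool {first}-{last}")
        if not any(in_loc in net for net in permitted):
            findings.append(f"inside local {in_loc} is outside the permitted inside networks")
    if stats["total"] != len(rows):
        findings.append(f"statistics report {stats['total']} translations but the table has {len(rows)}")
    return findings


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TRANSLATIONS)
    stats = parse_statistics(SAMPLE_STATISTICS)
    for finding in audit(rows, stats, "209.165.200.226", "209.165.200.240", ["192.168.0.0/16"]):
        print("FINDING:", finding)
```

In practice the two strings would be the captured output of the commands on the router; the pool bounds and inside networks come from the `ip nat pool` and `access-list` lines of the running configuration.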

Page 57

Activity

Page 58

2 Configuring NAT

2.3 Configuring Port Address Translation (PAT)

Page 59

Configuring PAT: Address Pool

- There are two possible ways to configure overloading
  - It depends on how the ISP allocates public IP addresses
    - The ISP allocates one public IP address to the organization
    - The ISP allocates more than one public IP address
    - In either case, the configuration will include the overload keyword
      - This keyword specifies to the router that Port Address Translation (PAT) is to be used

Page 60

Configuring PAT: Address Pool

- The ISP allocates one public IP address to the organization
  1. Assign the IP address received from the ISP as the IP address of the outside interface
  2. Define a standard access list permitting those addresses to be translated
  3. Establish dynamic translation specifying the access list and the actual interface instead of a pool of addresses, and include the overload keyword
  4. Identify the inside and outside interfaces

Page 61

Configuring PAT: Address Pool

- The ISP allocates more than one public IP address

(figure label: 209.165.200.225)

R2(config)#ip nat pool NAT-POOL2 209.165.200.226 20   (end of the line cut off in the scan)
R2(config)#ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)#interface s0/0/0
R2(config-if)#ip nat inside
R2(config)#interface s0/1/0
R2(config-if)#ip nat outside

Page 62

Configuring PAT: Single Address

R2(config-if)#ip address 209.165.200.225 255.255.255.224   (address and mask partly unreadable in the scan; 209.165.200.225 255.255.255.224 assumed, matching the inside global address on page 64)
R2(config-if)#ip nat outside

Page 63

(figure not captured in the scan)

Page 64

NAT Table

Inside Local Address   Inside Global Address   Outside Global Address   Outside Local Address
192.168.10.10:1444     209.165.200.225:1444    209.165.201.1:80         209.165.201.1:80
192.168.10.11:1444     209.165.200.225:1445    209.165.202.129:80       209.165.202.129:80

Posted: 18/05/2014, 09:30