Network Address Translation (NAT)

Source NAT Configuration Example
Alcatel-Lucent Security Products Configuration Example Series
Network Address Translation (NAT)
The purpose of NAT is to map the local IP addresses used in one network to different IP addresses known by another network. Generally this is private network addresses on the inside taking a public address via NAT or PAT to operate on the internet.
Types of NAT:
• Source Address Mapping
• Destination Address Mapping
• Source or Destination Port Mapping
2 | Presentation Title | Month 2006
All Rights Reserved © Alcatel-Lucent 2006, #####
Reasons to Use NAT:
• Connect unregistered (private) addresses to a public network
• Minimize the number of IP addresses required
• Tighten security
• Perform load balancing
• The most common form of NAT is Source Mapping, as mentioned earlier. This is used to translate private IPs so that they can reach the public network.
• In most cases the NAT is what is referred to as "Many to One NAT". This means that many private addresses are translated to one public address. This is accomplished by using a different source port number for each session using the one public address.
• Many to One NAT is also very commonly referred to as PAT (Port Address Translation).
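As an added illustration (not from the slides and not Brick code), here is a minimal many-to-one translation table in Python: each new inside session is given its own source port on the single public address, and an inbound packet is only reverse-translated when it matches an existing mapping, so unsolicited inbound traffic has nowhere to go. The inside range and the VBA 135.119.2.167 are taken from the deck's diagram; the server address 203.0.113.10 and the port allocation scheme are assumptions.

```python
import ipaddress
from itertools import count

# Constructed from the deck's diagram: inside hosts 192.168.1.1-30 are mapped
# to the single public VBA 135.119.2.167 (many-to-one NAT / PAT).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_VBA = "135.119.2.167"


class PatTable:
    """Minimal stateful many-to-one translator (illustration only, not Brick code)."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)   # assumption: one new public port per session
        self._out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public source port
        self._in = {}    # (public_port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns (new_src_ip, new_src_port)."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            raise ValueError(f"{src_ip} is not an inside host")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._out:              # new session: allocate a public port
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self._out[key]

    def inbound(self, dst_port, src_ip, src_port):
        """Reverse-translate a reply arriving at the VBA; None means no session, drop it."""
        return self._in.get((dst_port, src_ip, src_port))


def demo():
    pat = PatTable(PUBLIC_VBA)
    # Two private hosts talk to the same web server (203.0.113.10 is a constructed
    # address): both leave with the VBA as source but with distinct source ports.
    a = pat.outbound("192.168.1.5", 40000, "203.0.113.10", 80)
    b = pat.outbound("192.168.1.6", 40000, "203.0.113.10", 80)
    same = pat.outbound("192.168.1.5", 40000, "203.0.113.10", 80)  # existing session reused
    reply = pat.inbound(b[1], "203.0.113.10", 80)     # server reply finds host .6 again
    stray = pat.inbound(9999, "203.0.113.10", 80)     # no mapping: unsolicited, dropped
    return a, b, same, reply, stray
```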
• The Bricks will allow you to perform NAT/PAT at any rule in any rule set. This gives you a great deal of flexibility.
• First decide if you want to NAT everything from one rule or if you want to NAT specifically at each rule. The common way is to put a single "Pass All" rule on the Ethernet port that is going to the router (internet) and NAT everything through that rule.
• You could also NAT on an internal interface if you would like. This will give you much more granularity, but will also add a step at each rule.
• Next determine if there is a router between the Brick and the private hosts. If not, use the Brick's VBA (Virtual Brick Address) as the NAT/PAT address. This is important as the Brick will need to respond to ARP requests to advertise that public address.
• Let's do a simple Source NAT example on the interface that is going to the Internet.
• This example assumes that you have already created your rules and host groups. If you haven't already done so, see the configuration examples to lead you through those steps.
• Refer to the simple diagram below for our example. Fill in your own addresses and configure accordingly.
[Diagram: example topology]
  Internet <-> Router, IP 135.119.2.161/27
  Router <-> Brick Eth 1, VBA 135.119.2.167/27
  Brick Eth 2, IP 192.168.1.31/24 <-> Private Network, 192.168.1.1 to 192.168.1.30/24
  Brick Eth 0 <-> AALSMS, IP 135.119.2.165/27
• In this example I have created a Host Group called "Internal-Users-and-Servers" that contains the host addresses 192.168.1.1 to 192.168.1.30/24 as seen in the diagram.
• I have already created a rule set called "Inside-Zone", as seen below, that contains all of the rules that I need for this subnet.
• Next let's create a rule set for the outside zone that allows all traffic and NATs it to a public address.
• In the "Pass All" rule set, double click on rule number 1000 that you created to pass the traffic from your private network to the WAN.
• Click on the "Address Translation" tab.
• From the pull down menu choose Virtual Brick Address.
• Also select Pool.
• We will apply the Virtual Brick Address in the next few slides when we apply the rule set.
• When you are done with the Brick Zone Rule Editor, click OK to close it.
• Now we will apply this "Pass-All" rule set to the Brick and apply the VBA (Virtual Brick Address) to that interface.
• From the main menu double click on your Brick.
• Click on the Policy Assignment tab.
• Double click on the interface that is connected to the router. In our example that is Ethernet 1.
• Apply your "Pass-All" rule set and the VBA as shown on the next slide.
• Note: this VBA should be a public address that can be used on the internet.
• Click OK when finished.
• The Virtual Brick Address that you just assigned will respond to ARP requests from the router.
• Next we will assign a Default Route so that the internal hosts will have a path from the class C network to the router.
• Click on the Static Routes tab and assign a default route as shown below.
• The "Gateway IP Address" should be the interface on the router.
• When you are done, click File>Save and Apply.
• From one of the PCs on the private network, open a browser and see if your NAT configuration is working.
• Here are a couple of troubleshooting tips for this configuration.
• The Gateway IP set in the PCs on the private network should be set to the Brick interface that this network is connected to.
• The default route that you set up should be pointing towards the address of the router that connects you to the internet.
• The VBA on the Brick interface pointing to the router should be a public address, as this will be what you are NATing to.
• The PCs should be configured with DNS addresses in order to resolve names.
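The troubleshooting tips above as an added checklist in Python (not part of the original deck and not read from a Brick): it verifies the PC gateway, the default route, the VBA and the DNS settings against each other. The addresses are the diagram's; the PC entry and the dictionary layout are assumptions.

```python
import ipaddress

# Constructed configuration taken from the deck's diagram; the PC entry is an assumption.
EXAMPLE_CONFIG = {
    "brick_inside_if": "192.168.1.31/24",   # Eth 2, facing the private network
    "vba": "135.119.2.167/27",              # Eth 1, the NAT/PAT address
    "default_gateway": "135.119.2.161",     # router interface (static route gateway)
    "pc": {"ip": "192.168.1.5", "gateway": "192.168.1.31", "dns": ["135.119.2.165"]},
}


def check_nat_config(cfg):
    """Return a list of problems found; an empty list means every tip is satisfied."""
    problems = []
    inside_if = ipaddress.ip_interface(cfg["brick_inside_if"])
    vba = ipaddress.ip_interface(cfg["vba"])
    gw = ipaddress.ip_address(cfg["default_gateway"])
    pc = cfg["pc"]

    # Tip 1: the PC's gateway must be the Brick interface its subnet is connected to.
    if ipaddress.ip_address(pc["gateway"]) != inside_if.ip:
        problems.append(f"PC gateway {pc['gateway']} is not the Brick inside interface {inside_if.ip}")
    if ipaddress.ip_address(pc["ip"]) not in inside_if.network:
        problems.append(f"PC {pc['ip']} is not in the inside subnet {inside_if.network}")

    # Tip 2: the default route must point at the router, a host on the VBA's subnet.
    if gw not in vba.network:
        problems.append(f"default gateway {gw} is not on the VBA subnet {vba.network}")
    if gw == vba.ip:
        problems.append("default gateway must be the router, not the VBA itself")

    # Tip 3: the VBA is what traffic is NATed to, so it has to be a routable public address.
    if vba.ip.is_private or not vba.ip.is_global:
        problems.append(f"VBA {vba.ip} is not a public address")

    # Tip 4: without DNS the PCs can only reach the internet by IP address.
    if not pc["dns"]:
        problems.append("PC has no DNS servers configured")
    return problems
```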
• If you want to see the NATed sessions, there are several ways to do this from the Sessions Log. You can create custom reports based on many variables.
• From the Navigator window click on Sessions Logged, right click and select New Sessions Logged to open the window that you see at the right.
• A "Mapped" session is the same as a NATed session.
• If you click on "Mapped Session" and click Run, you will see all NATed sessions.
• See if you can show them by source host and host group.
• Now see if you can show your NATed sessions by selecting the "Zone" (rule set).
• You can actually select the Brick, the Zone, the Host Group, the source IP Address, by protocol, by source or destination port number or by service.
• There is a great deal of granularity in this report generator.
• Reports can be saved and reused as well.
• Output is in HTML format and can easily be exported to external reporting tools or to MS Excel, just by right clicking on the report output.
• Reports can be saved and archived.
• You can also gather some information on NAT/PAT sessions from the Brick command line, as you can see below.
• From the navigator double click on your Brick, select the Brick Utilities Menu, then select Open Brick Console.
• At the console type display sessions (Zone) (IP) as seen below.
• For more detailed information on configuring Source or Destination NAT/PAT, see the AALSMS Policy Guide.
• You can access the manuals by clicking Help>On Line Product Manuals>AALSMS Policy Guide.
• The manuals can also be found on your AALSMS Installation CD.