Transcript lecture8
NAT & VPN
Lecture 8
Hassan Shuja
05/02/2006
Page 1
NAT
• Network Address Translation (NAT)
– Allows a host that does not have a valid registered IP address to
communicate with other hosts through the Internet
– Host might be using a private address or address assigned to another
organization
– The source IP address is changed within the packet from the private to the
public address.
– Cisco terminology uses “Inside” and “Outside” to describe where the IP
addresses reside
– “local” and “global” are also used to describe the location of the IP addresses
– A table is kept with the translation
• Static NAT
– A one to one mapping is setup where the inside address is always mapped
to the same outside address
– This mapping does not change
– A second private address will require a second public address
Page 2
NAT
• Dynamic NAT
– A one to one mapping is setup where the inside IP addresses are
dynamically assigned to a pool of outside addresses
– If all addresses in the outside pool are being used, then the host will not be able
to access the outside
• Dynamic NAT & Static NAT
– Dynamic NAT and Static NAT can work together
– It is possible to set up a pool of addresses and also statically map some of the
addresses
• NAT Overload
– Overloading allows NAT to scale to support many clients to one IP address
– Also referred to as PAT
– Instead of just translating the IP address, it also translates the port number
– The translation table also maintains the port number
Page 3
NAT
• NAT Configuration
– The interfaces on the router need to be designated as the “inside” and “outside”
interface
– “ip nat inside”
– “ip nat outside”
• Static NAT Configuration
– Configuration commands
– “ip nat inside source static 10.1.1.2 200.1.1.2”
– Show commands
– “show ip nat translations”
– Displays the translation table
– “sh ip nat statistics”
– Displays various statistics
Page 4
NAT
• Dynamic NAT
– A NAT pool must be setup for outside addresses
– “ip nat pool umbc 200.1.1.1 200.1.1.254 netmask 255.255.255.0”
– The above command is executed in configuration mode
– The addresses to be translated need to be identified
– “access-list 1 permit 10.1.1.0 0.0.0.255”
– The above command is executed in configuration mode
– The inside addresses need to be mapped to the outside pool
– “ip nat inside source list 1 pool umbc”
– The above command is executed in configuration mode
Page 5
NAT
• NAT Overload
– A NAT pool must be setup for outside addresses
– “ip nat pool umbc 200.1.1.1 netmask 255.255.255.255”
– The above command is executed in configuration mode
– Two ways of mapping the inside addresses to the outside pool
– “ip nat inside source list 1 pool umbc overload”
– “ip nat inside source list 1 interface serial0/0 overload”
– The above commands are executed in configuration mode
– The second form maps everything in access list 1 to the IP address of the serial
interface
– The addresses to be translated need to be identified
– “access-list 1 permit 10.1.1.0 0.0.0.255”
– The above command is executed in configuration mode
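As an added illustration that is not part of the lecture, the Python below simulates the translation table the slides describe: static one-to-one mappings, a dynamic pool that can be exhausted, and overload (PAT), where the source port is rewritten so one outside address serves many inside hosts. The class and method names, and the choice to hand out translated ports starting at 1024, are my own assumptions.

```python
from itertools import count


class PoolExhausted(Exception):
    """Raised when a dynamic NAT pool has no free outside (global) address."""


class Nat:
    """Minimal model of a Cisco-style NAT translation table (constructed example)."""

    def __init__(self, pool, overload=False, static=None):
        self.pool = list(pool)              # outside/global addresses ("ip nat pool")
        self.overload = overload            # PAT: translate the port as well as the IP
        self.addr_map = dict(static or {})  # inside-local IP -> inside-global IP (static + live dynamic)
        self.port_map = {}                  # (local IP, local port) -> (global IP, global port)
        self.next_port = count(1024)        # assumed starting port for overload translations

    def translate_outbound(self, local_ip, local_port):
        """Translate an inside-to-outside packet; allocates a table entry if needed."""
        key = (local_ip, local_port)
        if key in self.port_map:
            return self.port_map[key]
        if local_ip in self.addr_map:
            # Static mapping, or a dynamic address already allocated to this host.
            entry = (self.addr_map[local_ip], local_port)
        elif self.overload:
            # Overload: one pool address, unique translated port per flow.
            entry = (self.pool[0], next(self.next_port))
        else:
            # Dynamic NAT: claim a free pool address; none free means no access outside.
            free = [ip for ip in self.pool if ip not in self.addr_map.values()]
            if not free:
                raise PoolExhausted(f"no free outside address for {local_ip}")
            self.addr_map[local_ip] = free[0]
            entry = (free[0], local_port)
        self.port_map[key] = entry
        return entry

    def translate_inbound(self, global_ip, global_port):
        """Reverse-translate a returning packet; None means no entry, so it is dropped."""
        for local, glob in self.port_map.items():
            if glob == (global_ip, global_port):
                return local
        for local_ip, glob_ip in self.addr_map.items():  # static or live dynamic address
            if glob_ip == global_ip:
                return (local_ip, global_port)
        return None
```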
Page 6
VPN
• Virtual Private Network (VPN)
– A private data network that makes use of the public telecommunication
infrastructure (Internet), maintaining privacy through the use of a
tunneling protocol and security procedures
– A VPN is very cost effective
– Traffic is encrypted as it travels across the Internet
– An administrator must be aware of the traffic that flows through the
tunnel and the end points of tunnel
– All traffic on the secure VPN must be encrypted and authenticated
– Encryption types: DES, 3DES, AES
Page 7
VPN
• Virtual Private Network (VPN)
– The security properties on all end points of the VPN tunnel must be the
same
– No one outside the VPN tunnel should be able to affect the security
properties of the tunnel
– Split Tunneling allows for traffic to be sent through a tunnel and outside
the tunnel at the same time
– Very big security concern with Split Tunneling
– IPSec is used for encryption of the VPN tunnel
– Uses ISAKMP (IKE) – UDP port 500 for tunnel setup
– Uses ESP (protocol 50) and AH (protocol 51) for encryption
Page 8
VPN
• Types of VPN
– A client based VPN tunnel handles only the connection for one workstation
– Usually created from a PC to a VPN Gateway (server)
– A LAN-2-LAN VPN tunnel is built for many clients to use
– Usually created from one Gateway to another Gateway
– Understand the design for each type
– Discussed in class
• VPN Devices
– Possible to create a VPN tunnel with any device that supports IPSec
– Cisco devices
– IOS router
– PIX Firewall
– VPN concentrator
Page 9