05_tcom5272_NAT

Download Report

Transcript 05_tcom5272_NAT 

TCOM 5272
Telecomm Lab
Dr. Mostafa Dahshan
OU-Tulsa 4W 2nd floor
660-3713
[email protected]
M. Dahshan - TCOM5272
1
Acknowledgements
 The material of this presentation are
based on:
 Cisco whitepaper “Cisco IOS Network
Address Translation Overview”
M. Dahshan - TCOM5272
2
M. Dahshan - TCOM5272
3
Network Address Translation
 Router connects two networks
 Inside: uses private addresses
 Outside: uses globally legal addresses
M. Dahshan - TCOM5272
4
Inside Addressing
 Inside Local
 Configured IP address assigned to a host on the
inside network
 Address may be globally unique, allocated out of the
private address space defined in RFC 1918, or might
be officially allocated to another organization
 Inside Global
 The IP address of an inside host as it appears to the
outside network, “Translated IP Address”
 Addresses can be allocated from a globally unique
address space, typically provided by the ISP (if the
enterprise is connected to the global Internet)
M. Dahshan - TCOM5272
5
Inside Addressing
M. Dahshan - TCOM5272
6
Outside Addressing
 Outside Local
 IP address of an outside host as it appears to the
inside network
 These addresses can be allocated from the RFC 1918
space if desired
 Outside Global
 The configured IP address assigned to a host in the
outside network
 Simple Translation Entry
 A translation entry which maps one IP address to
another
 Extended Translation Entry
 A translation entry which maps one IP address and
port pair to another
M. Dahshan - TCOM5272
7
Outside Addressing
M. Dahshan - TCOM5272
8
Translation Types

Static Address Translation



Dynamic Address Translation



One-to-one mapping between local and global addresses
Can also configure Static address translations to the port level,
and use the remainder of the IP address for other translations.
Dynamic mapping between the local and global addresses
This is done by describing the local addresses to be translated
and the pool of addresses from which to allocate global
addresses, and associating the two
Match Host


Assign the same Host portion of an IP Address and only
translate the Network prefix portion of the IP Address
Useful where you are using the host portion as a means to
identify or number users uniquely
M. Dahshan - TCOM5272
9
Port Address Translation
 Several internal addresses can be NATed to
only one or a few external addresses
 Also referred to as "overload"
 PAT uses unique source port numbers on
the Inside Global IP address to distinguish
between translations
 Because the port number is encoded in 16
bits, the total number could theoretically be
as high as 65,536 per IP address
M. Dahshan - TCOM5272
10
PAT Operation
 PAT will attempt to preserve the original source port
 If source port is already allocated PAT will attempt to
find the first available port number starting from the
beginning of the appropriate port group:
 0-5111
 512-1023
 1024-65535.
 If there is still no port available from the appropriate
group and more than one IP address is configured,
PAT will move to the next IP address and try to
allocate the original source port again
 This continues until it runs out of available ports and
IP addresses
M. Dahshan - TCOM5272
11
Basic Concept of PAT
M. Dahshan - TCOM5272
12
Unique Source Port per Trans Entry
M. Dahshan - TCOM5272
13
M. Dahshan - TCOM5272
14
Global Configuration
 Defining a pool
ip nat pool <name> <start-ip> <end-ip> {
netmask <netmask>| prefix-length <prefixlength> } [ type { rotary } ]
 Enabling translation of inside source
addresses
ip nat inside source list <acl> pool <name>
[overload] (Dynamic 1-M Translation)
ip nat inside source static <localip><global-ip> (Static 1-1 Translation)
M. Dahshan - TCOM5272
15
Global Configuration
 Define access list to match the inside
addresses
access-list <acl> permit <address>
<wildcard>
M. Dahshan - TCOM5272
16
Interface Configuration
 ip nat { inside | outside }
 Interfaces need to be marked
whether they are on the inside or the
outside
 Only packets arriving on a marked
interface will be subject to translation
M. Dahshan - TCOM5272
17
Example: TCOM Router
156.110.24.0/24
OneNet
192.168.0.1/24
192.168.0.2/24
gatewaytcom
192.35.98.1/24
10.5.5.1/24
M. Dahshan - TCOM5272
18
Example: TCOM Router
 Global Configuration
ip nat pool labnet 192.35.98.90
192.35.98.90 netmask 255.255.255.0
ip nat inside source list 9 pool
labnet overload
 Access List
access-list 9 permit 10.5.5.0
0.0.0.255
M. Dahshan - TCOM5272
19
Example: TCOM Router
 Interface Configurations
!
interface FastEthernet0/0
ip address 192.35.98.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 10.5.5.1 255.255.255.0
ip nat inside
!
interface FastEthernet1/0
ip address 192.168.0.2 255.255.255.0
ip nat outside
M. Dahshan - TCOM5272
20
Example: TCOM NAT
Pro Inside global
Inside local Outside local Outside global
tcp
192.35.98.90:1737
10.5.5.116:1737
129.15.34.24:2967
129.15.34.24:2967
tcp
192.35.98.90:1027
10.5.5.113:1037
207.46.107.25:1863
207.46.107.25:1863
tcp
192.35.98.90:4280
10.5.5.109:4280
64.233.187.165:80
64.233.187.165:80
tcp
192.35.98.90:4281
10.5.5.109:4281
64.233.187.165:80
64.233.187.165:80
tcp
192.35.98.90:3669
10.5.5.128:3669
89.101.10.196:1104
289.101.10.196:11042
tcp
192.35.98.90:2977
10.5.5.113:2977
216.52.17.134:80
216.52.17.134:80
M. Dahshan - TCOM5272
21