Scaling the Network with NAT and PAT
Objectives
• Explain the difference between public and private IP addresses
• Summarize three problems with IP addressing that NAT and PAT solve
• Describe the basic functionality of NAT and NAT Overloading (PAT)
• Identify the differences between Static and Dynamic Translations
• Configure Static and Dynamic NAT
• Configure NAT Overloading (PAT)
• Verify NAT and PAT Operation
IP Addressing Review

Class   Leading bits   Network ID / Node ID                 Address range
A       0              7-bit network ID, 24-bit node ID     1.0.0.0 - 127.255.255.255
B       10             14-bit network ID, 16-bit node ID    128.0.0.0 - 191.255.255.255
C       110            21-bit network ID, 8-bit node ID     192.0.0.0 - 223.255.255.255
D       1110           Multicast Group ID (28 bits)         224.0.0.0 - 239.255.255.255 (multicasts)
E       11110          Reserved for Future Use (27 bits)    240.0.0.0 - 254.255.255.255 (experimental use)
IP Addressing – Private Addresses

“Reserved/Private” addresses exist in the first three classes of IP addresses:

Class A   10.0.0.0 – 10.255.255.255       (leading bit 0; 7-bit network ID, 24-bit node ID)
Class B   172.16.0.0 – 172.31.255.255     (leading bits 10; 14-bit network ID, 16-bit node ID)
Class C   192.168.0.0 – 192.168.255.255   (leading bits 110; 21-bit network ID, 8-bit node ID)

These addresses are not globally routable through the public Internet.
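The two slides above can be checked mechanically. The following Python is an added example, not part of the original slide deck: it derives the class from the leading bits of the first octet exactly as the review table does, tests membership in the three reserved/private blocks, and, as a defender's sanity check, flags packets that arrive on the outside interface with a private source address (such packets cannot legitimately have come from the public Internet). The packet list is constructed sample data, and the function names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges, one per class, exactly as listed on the slide.
PRIVATE_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)


def address_class(addr: str) -> str:
    """Classful category from the leading bits of the first octet (0, 10, 110, 1110, 11110)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if (first_octet & 0b1000_0000) == 0:
        return "A"
    if (first_octet & 0b1100_0000) == 0b1000_0000:
        return "B"
    if (first_octet & 0b1110_0000) == 0b1100_0000:
        return "C"
    if (first_octet & 0b1111_0000) == 0b1110_0000:
        return "D"
    return "E"


def is_rfc1918(addr: str) -> bool:
    """True when the address falls inside one of the three reserved/private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify(addr: str) -> dict:
    cls = address_class(addr)
    private = is_rfc1918(addr)
    return {
        "address": addr,
        "class": cls,
        "private": private,
        # Only public unicast space (classes A-C, not private) is globally routable.
        "globally_routable": cls in ("A", "B", "C") and not private,
    }


def private_sources_on_outside(packets) -> list:
    """Source addresses of packets seen on the outside interface that carry a
    private source. Private space is not routed on the Internet, so such packets
    are spoofed or misrouted and should not be accepted on that interface."""
    return [src for iface, src in packets if iface == "outside" and is_rfc1918(src)]


# Constructed sample: (interface the packet arrived on, source address).
SAMPLE_PACKETS = [
    ("outside", "193.50.1.2"),
    ("outside", "10.1.1.2"),
    ("inside", "10.1.1.2"),
    ("outside", "172.31.0.9"),
]

if __name__ == "__main__":
    for a in ("10.1.1.2", "172.16.0.1", "172.32.0.1", "193.50.1.2", "224.0.0.5"):
        print(classify(a))
    print(private_sources_on_outside(SAMPLE_PACKETS))
```

Note that 172.32.0.1 is class B by its leading bits but lies just outside 172.16.0.0 – 172.31.255.255, so it is public; the class and the private/public distinction are independent checks.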
Not Enough IP Addresses
• Public IP address space (non-reserved/private) is limited, and obtaining a large block of registered addresses is difficult and expensive.

[Diagram: Your Home Network, ISP Rtr, Internet]
Home network: “Hey, I need some IP addresses for my network. How about something in the Class-B range so I can grow in the future?”
ISP: “Are you crazy?? All I can give you is a little subnet of a Class-C network. Be happy with that!”
I Can See You!!
• The internal network (layout/addressing/design) shouldn’t be visible to external (e.g. Internet) users.

[Diagram: Your Home Network (160.1.1.1), ISP Rtr, Internet]
Outside user: “I can see your IP address! I’ve got you now! Time to attack!!”
NAT Networks – Inside / Outside
• NAT translates the source and/or destination IP addresses of packets on the inside network to different IP addresses on the outside network.

[Diagram: Inside network, NAT Rtr, Outside network]
Configuring Static Translations

Router(config)# ip nat inside source static local-ip global-ip
• Establishes a static translation between an inside local address and an inside global address

Router(config-if)# ip nat inside
• Marks the interface as connected to the inside

Router(config-if)# ip nat outside
• Marks the interface as connected to the outside
Enabling Static NAT Address Mapping Example

    interface serial0
     ip address 193.50.1.1 255.255.255.0
     ip nat outside
    !
    interface ethernet 0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    ip nat inside source static 10.1.1.2 193.50.1.2

[Diagram: serial0 193.50.1.1 towards the outside; the packet from 10.1.1.2 is shown with SA 193.50.1.2]
Lab - Static NAT Configuration
• For each interface you need to configure INSIDE or OUTSIDE

[Diagram: hosts A 10.0.0.1, B 10.0.0.2, C 10.0.0.3 on a switch; R1 E0 10.0.0.254, S0 200.0.0.1; Internet]
Dynamic Translations – Pros and Cons
• Pros – Conserves addresses. Outside Local addresses get aged out and can be reused after the inactivity timer expires.
• Cons – No ability for outside hosts to initiate conversations.

[Diagram: inside network with hosts 10.0.0.1 – 10.0.0.6 behind a switch; NAT Rtr (80.0.0.2); outside network; pool of addresses for NAT 80.0.0.3 – 80.0.0.6]

Dynamic Translation Table
IL (inside local)   IG (inside global)
10.0.0.1            80.0.0.3
10.0.0.2            80.0.0.4
Configuring Dynamic Translations

Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
• Defines a pool of global addresses to be allocated as needed.

Router(config)# access-list access-list-number permit source [source-wildcard]
• Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)# ip nat inside source list access-list-number pool name
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
Dynamic Address Translation Example

    ip nat pool net-208 171.69.233.209 171.69.233.222 netmask 255.255.255.240
    ip nat inside source list 1 pool net-208
    !
    interface serial0
     ip address 172.69.232.182 255.255.255.240
     ip nat outside
    !
    interface ethernet 0
     ip address 192.168.1.94 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
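To make the three pieces of the dynamic configuration above concrete (the pool, the standard ACL with its wildcard mask, and the translation table with its inactivity timer from the Pros and Cons slide), here is an added Python model of how a router would use them. It is example code written for this page, not the slide deck's or Cisco's; the wildcard-mask matching is the real standard-ACL rule (0 bits must match, 1 bits are ignored), but the allocation order (lowest free pool address first), the return-value convention and the 86400-second default timeout in this model are assumptions of the example. The pool and ACL values come from the slide's configuration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def pool_range(start_ip: str, end_ip: str) -> List[str]:
    """Expand `ip nat pool name start-ip end-ip` into its inside global addresses."""
    return [str(ipaddress.IPv4Address(i)) for i in range(ip_int(start_ip), ip_int(end_ip) + 1)]


@dataclass
class AclEntry:
    """One `access-list N permit source source-wildcard` line of a standard ACL."""
    source: str
    wildcard: str = "0.0.0.0"   # wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, addr: str) -> bool:
        care = ~ip_int(self.wildcard) & 0xFFFFFFFF      # bits that must match
        return (ip_int(addr) & care) == (ip_int(self.source) & care)


@dataclass
class DynamicNat:
    acl: List[AclEntry]
    pool: List[str]
    timeout: int = 86400   # idle seconds before an entry ages out (assumed default, 24 h)
    # inside local -> (inside global, time of last packet)
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def expire(self, now: int) -> List[str]:
        """Age out idle entries so their inside global addresses return to the pool."""
        stale = [local for local, (_, seen) in self.table.items() if now - seen >= self.timeout]
        for local in stale:
            del self.table[local]
        return stale

    def translate(self, local_ip: str, now: int) -> Tuple[str, Optional[str]]:
        """Handle an outbound packet from local_ip at time `now`.
        Returns ("translated", inside_global), ("untranslated", None) when the ACL
        does not permit the source, or ("exhausted", None) when the pool is empty."""
        self.expire(now)
        if local_ip in self.table:
            global_ip, _ = self.table[local_ip]
            self.table[local_ip] = (global_ip, now)   # refresh the inactivity timer
            return "translated", global_ip
        if not any(entry.matches(local_ip) for entry in self.acl):
            return "untranslated", None
        in_use = {g for g, _ in self.table.values()}
        for global_ip in self.pool:                 # lowest free address first (assumption)
            if global_ip not in in_use:
                self.table[local_ip] = (global_ip, now)
                return "translated", global_ip
        return "exhausted", None


def build_slide_example(timeout: int = 86400) -> DynamicNat:
    """The slide's configuration: pool net-208 plus access-list 1."""
    return DynamicNat(
        acl=[AclEntry("192.168.1.0", "0.0.0.255")],
        pool=pool_range("171.69.233.209", "171.69.233.222"),
        timeout=timeout,
    )


if __name__ == "__main__":
    nat = build_slide_example(timeout=300)
    for t, host in ((0, "192.168.1.10"), (1, "192.168.1.11"), (3, "192.168.2.5"), (400, "192.168.1.12")):
        print(t, host, nat.translate(host, t))
```

The last call in the usage block shows the "Pros" point: at t=400 the two earlier entries have been idle longer than the 300-second timer, so 171.69.233.209 is handed out again to a new host. A host outside 192.168.1.0/24 gets no translation at all, which is the ACL doing its job.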
Lab - Dynamic NAT Configuration
• For each interface you need to configure INSIDE or OUTSIDE

[Diagram: hosts A 10.0.0.1, B 10.0.0.2, C 10.0.0.3; R1 E0 10.0.0.254, S0; R1 200.0.0.1/200.0.0.10; Internet]
NAT Overloading - PAT
• NAT Overloading (PAT): All inside devices get translated to the SAME inside global address on the NAT router. The source port number differentiates the traffic.
• How the NAT router chooses the source port number: the NAT router will attempt to preserve the original source port number if it is not already in use. If the source port number is already in use, another, unused source port number will be selected from the following ranges:
  • 0-511, 512-1023, 1024-65535
Configuring Overloading

Router(config)# access-list access-list-number permit source [source-wildcard]
• Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)# ip nat inside source list access-list-number interface interface overload
• The IP address configured on the interface (in the command above) will be used as the overloaded address.
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step
PAT / NAT Overload Config Example

    interface Ethernet0
     ip address 192.168.3.1 255.255.255.0
     ip nat inside
    !
    interface Ethernet1
     ip address 192.168.4.1 255.255.255.0
     ip nat inside
    !
    interface Serial0
     ip address 172.17.38.1 255.255.255.0
     ip nat outside
    !
    ip nat inside source list 1 interface Serial0 overload
    !
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 1 permit 192.168.4.0 0.0.0.255

[Diagram: switch with host 192.168.3.7 on E0 (192.168.3.1); switch with host 192.168.4.12 on E1 (192.168.4.1); S0 172.17.38.1 towards the Internet]
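The port-selection rule on the NAT Overloading slide, applied to the config example just above, can be modelled in a few lines. This is an added example for this page, not code from the slide deck or from Cisco IOS: it keeps one translation table keyed by protocol, inside local address and port, preserves the original source port when it is free, and otherwise takes a substitute from the same one of the three ranges the slide lists. Which free port within that range a real router picks is not stated on the slide, so this model's choice (the lowest free port, skipping 0) is an assumption. The addresses are the slide's (172.17.38.1 on Serial0, hosts 192.168.3.7 and 192.168.4.12); the flows are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Ranges from the slide: a substitute port is drawn from the same range as the
# original, so a well-known port is replaced by another well-known port.
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def same_range(port: int) -> Tuple[int, int]:
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


@dataclass
class PatTable:
    inside_global: str   # the single overloaded address: the outside interface's IP
    # (proto, inside local IP, inside local port) -> inside global port
    entries: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # ports already in use on the inside global address, per protocol
    used: Dict[str, Set[int]] = field(default_factory=dict)

    def translate(self, proto: str, local_ip: str, local_port: int) -> Tuple[str, int]:
        """Outbound packet: return the (inside global IP, port) it leaves with."""
        key = (proto, local_ip, local_port)
        if key in self.entries:                       # existing flow, reuse its entry
            return self.inside_global, self.entries[key]
        used = self.used.setdefault(proto, set())
        if local_port not in used:                    # preserve the original port if free
            chosen = local_port
        else:                                         # otherwise pick from the same range
            lo, hi = same_range(local_port)
            chosen = next((p for p in range(max(lo, 1), hi + 1) if p not in used), None)
            if chosen is None:
                raise RuntimeError(f"no free {proto} port in range {lo}-{hi}")
        used.add(chosen)
        self.entries[key] = chosen
        return self.inside_global, chosen

    def untranslate(self, proto: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Inbound packet to (inside global IP, port): find the inside host, if any.
        No entry means no inside host ever opened this flow, which is why outside
        hosts cannot initiate conversations through PAT."""
        for (p, local_ip, local_port), gport in self.entries.items():
            if p == proto and gport == global_port:
                return local_ip, local_port
        return None


if __name__ == "__main__":
    table = PatTable("172.17.38.1")
    print(table.translate("tcp", "192.168.3.7", 40000))   # port preserved
    print(table.translate("tcp", "192.168.4.12", 40000))  # collision: new port from 1024-65535
    print(table.untranslate("tcp", 1024))                 # maps back to 192.168.4.12:40000
    print(table.untranslate("tcp", 5000))                 # unsolicited inbound: no entry
```

The table is keyed per protocol as well, so a TCP and a UDP flow may both keep port 40000 on 172.17.38.1 without colliding; the `untranslate` miss for an unsolicited inbound port is the "Cons" point from the dynamic translation slide in code form.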
Clearing the NAT Translation Table

Router# clear ip nat translation *
• Clears all dynamic address translation entries

Router# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
• Clears a simple dynamic translation entry that contains an inside translation, or both an inside and an outside translation

Router# clear ip nat translation outside local-ip global-ip
• Clears a simple dynamic translation entry that contains an outside translation

Router# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
• Clears an extended dynamic translation entry
Displaying Information with ‘show’ Commands

Router# show ip nat translations
• Displays active translations

    Router# show ip nat translation
    Pro Inside global      Inside local       Outside local      Outside global
    --- 172.16.131.1       10.10.10.1         ---                ---

Router# show ip nat statistics
• Displays translation statistics

    Router# show ip nat statistics
    Total active translations: 1 (1 static, 0 dynamic; 0 extended)
    Outside interfaces: Ethernet0, Serial2.7
    Inside interfaces: Ethernet1
    Hits: 5  Misses: 0
    …
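Verifying NAT and PAT operation usually means reading `show ip nat translations` output by eye; the following added Python (example code for this page, not from the slide deck or Cisco) parses that table into records and runs two checks a practitioner would want: which inside global addresses are shared by several inside hosts (the signature of overloading), and whether any inside local address lies outside the prefix the NAT ACL is supposed to permit (a sign that the ACL or a static entry covers more than intended). The sample output is constructed: its first row is the slide's static entry, and the extended rows with protocol and ports are made up in the same column layout.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Optional[Tuple[str, Optional[int]]]   # (address, port) or None for "---"

# Constructed sample in the layout of `show ip nat translations`.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---
tcp 99.99.99.99:40000  192.168.1.7:40000  203.0.113.5:443    203.0.113.5:443
tcp 99.99.99.99:1024   192.168.1.8:40000  203.0.113.5:443    203.0.113.5:443
udp 99.99.99.99:5060   192.168.1.8:5060   198.51.100.9:5060  198.51.100.9:5060
"""


@dataclass
class Translation:
    proto: Optional[str]          # None for a simple entry, printed as "---"
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint

    @property
    def is_static_simple(self) -> bool:
        """Simple entry with no protocol and no outside half, like the slide's static mapping."""
        return self.proto is None and self.outside_local is None


def parse_endpoint(token: str) -> Endpoint:
    if token == "---":
        return None
    if ":" in token:                       # extended entries carry address:port
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_translations(text: str) -> List[Translation]:
    rows: List[Translation] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":   # skip header and anything malformed
            continue
        proto = None if parts[0] == "---" else parts[0]
        rows.append(Translation(proto, *(parse_endpoint(p) for p in parts[1:])))
    return rows


def overloaded_globals(rows: List[Translation]) -> Dict[str, Set[str]]:
    """Inside global addresses used by more than one inside local host (PAT in action)."""
    locals_by_global: Dict[str, Set[str]] = {}
    for r in rows:
        if r.inside_global and r.inside_local:
            locals_by_global.setdefault(r.inside_global[0], set()).add(r.inside_local[0])
    return {g: hosts for g, hosts in locals_by_global.items() if len(hosts) > 1}


def unexpected_inside_locals(rows: List[Translation], inside_prefix: str) -> List[str]:
    """Inside local addresses that are not in the prefix the NAT ACL is meant to permit."""
    net = ipaddress.ip_network(inside_prefix)
    return sorted({r.inside_local[0] for r in rows
                   if r.inside_local and ipaddress.ip_address(r.inside_local[0]) not in net})


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print(len(rows), "translations,", sum(r.is_static_simple for r in rows), "static simple")
    print("overloaded:", overloaded_globals(rows))
    print("outside 192.168.1.0/24:", unexpected_inside_locals(rows, "192.168.1.0/24"))
```

Run against real output, the second check is the one to watch after changing an access-list: a translation for an inside local address you never meant to permit shows up there before anyone notices it on the wire.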
Lab – Port Address Translation

[Diagram: host A 192.168.10.2; R1 E0 192.168.10.1, S0 200.0.0.1; R2 S0 200.0.0.2, E0 192.168.20.1; host B 192.168.20.2]
NAT – Network Address Translation

[Diagram: Internet; R1 fa0/1 99.99.99.99/24; fa0/0 .1 on 192.168.1.0/24 with hosts .7, .8 and .10]
PAT – Port Address Translation

    ip nat inside source list 1 interface FastEthernet0/1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    interface FastEthernet0/1
     ip address 99.99.99.99 255.255.255.0
     ip nat outside

[Diagram: Internet; R1 fa0/1 99.99.99.99/24; fa0/0 .1 on 192.168.1.0/24 with hosts .7 and .8]