Learn how NAT maps local IP addresses to public ones, and how it helps with security, load balancing, and conserving address space. Discover the different NAT types and how to configure NAT/PAT rules effectively.
Source NAT Configuration Example
Alcatel-Lucent Security Products Configuration Example Series
Network Address Translation (NAT)
• The purpose of NAT is to map the local IP addresses used in one network to different IP addresses known by another network. Generally this means private addresses on the inside taking a public address, via NAT or PAT, to operate on the Internet.
• Types of NAT:
  • Source Address Mapping
  • Destination Address Mapping
  • Source or Destination Port Mapping

Reasons to Use NAT:
• Connect unregistered (private) addresses to a public network
• Minimize the number of IP addresses required
• Tighten security
• Perform load balancing

• The most common form of NAT is Source Mapping, as mentioned earlier. This is used to translate private IPs so that the hosts behind them can reach the public network.
• In most cases the NAT is what is referred to as “Many to One NAT”. This means that many private addresses are translated to one public address. This is accomplished by using a different source port number for each session using the one public address.
• Many to One NAT is also very commonly referred to as PAT (Port Address Translation).
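The many-to-one mapping described above, simulated as an added example that is not part of the original deck or of the Brick software: a small PAT table in Python that gives each inside session its own source port on one public address, reverses the mapping for return traffic, drops inbound packets that match no session, and reports port exhaustion. The public address 135.119.2.167 and the 192.168.1.x hosts come from the deck's diagram; the server 203.0.113.10 and peer 198.51.100.7 are constructed documentation addresses, and the two-port range is deliberately tiny so that exhaustion and port reuse can be shown.

```python
from typing import Dict, Optional, Tuple

# Addresses: VBA 135.119.2.167 and the 192.168.1.x hosts are from the example
# diagram; 203.0.113.10 (TEST-NET-3) is a constructed stand-in for a web server.
PUBLIC_ADDR = "135.119.2.167"
WEB_SERVER = "203.0.113.10"

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class PatTable:
    """Many-to-one source NAT (PAT).

    Every inside session gets its own source port on the single public address,
    and return traffic is matched back to the inside host on that port alone.
    """

    def __init__(self, public_ip: str, port_lo: int = 1024, port_hi: int = 65535):
        self.public_ip = public_ip
        self.port_lo, self.port_hi = port_lo, port_hi
        self._next_port = port_lo
        self.outbound: Dict[Flow, int] = {}   # inside flow -> public source port
        self.inbound: Dict[int, Flow] = {}    # public source port -> inside flow

    def _allocate_port(self) -> Optional[int]:
        """Round-robin search for a free public port; None when all are in use."""
        span = self.port_hi - self.port_lo + 1
        for _ in range(span):
            port = self._next_port
            self._next_port = self.port_lo + (port - self.port_lo + 1) % span
            if port not in self.inbound:
                return port
        return None

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Rewrite the source of a packet leaving the private network.

        Returns the translated 4-tuple, or None when no public port is free
        (port exhaustion: the new session cannot be established).
        """
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        port = self.outbound.get(flow)
        if port is None:
            port = self._allocate_port()
            if port is None:
                return None
            self.outbound[flow] = port
            self.inbound[port] = flow
        return (self.public_ip, port, dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int,
                          dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Rewrite the destination of a packet arriving on the public address.

        Returns None (drop) when the packet is not for the public address, when no
        session owns the port, or when it comes from a different peer than the one
        the session was opened to; unsolicited traffic never reaches inside hosts.
        """
        if dst_ip != self.public_ip:
            return None
        flow = self.inbound.get(dst_port)
        if flow is None:
            return None
        in_ip, in_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return (src_ip, src_port, in_ip, in_port)

    def close(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        """Release a session's mapping so its public port can be reused."""
        port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port), None)
        if port is not None:
            self.inbound.pop(port, None)


def demo() -> dict:
    """Two private hosts reach the same web server through one public address."""
    pat = PatTable(PUBLIC_ADDR, port_lo=1024, port_hi=1025)  # tiny range on purpose
    a = pat.translate_outbound("192.168.1.1", 40000, WEB_SERVER, 80)
    # Same inside port as host .1, but it gets a distinct public port.
    b = pat.translate_outbound("192.168.1.2", 40000, WEB_SERVER, 80)
    again = pat.translate_outbound("192.168.1.1", 40000, WEB_SERVER, 80)  # existing session
    reply_to_a = pat.translate_inbound(WEB_SERVER, 80, PUBLIC_ADDR, a[1])
    # 198.51.100.7 is a constructed peer that owns no session on port 1024: dropped.
    unsolicited = pat.translate_inbound("198.51.100.7", 443, PUBLIC_ADDR, 1024)
    exhausted = pat.translate_outbound("192.168.1.3", 40000, WEB_SERVER, 80)
    pat.close("192.168.1.1", 40000, WEB_SERVER, 80)
    after_close = pat.translate_outbound("192.168.1.3", 40000, WEB_SERVER, 80)
    return {"a": a, "b": b, "again": again, "reply_to_a": reply_to_a,
            "unsolicited": unsolicited, "exhausted": exhausted,
            "after_close": after_close}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>12}: {value}")
```

The inbound path is the security-relevant half: a packet is only forwarded to a private host when a session already owns the public port and the packet comes from the peer that session was opened to, which is why a plain PAT rule on the outside interface does not expose the inside hosts to unsolicited connections.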
• The Bricks allow you to perform NAT/PAT at any rule in any rule set. This gives you a great deal of flexibility.
• First decide if you want to NAT everything from one rule or if you want to NAT specifically at each rule. The common way is to put a single “Pass All” rule on the Ethernet port that is going to the router (Internet) and NAT everything through that rule.
• You could also NAT on an internal interface if you would like. This gives you more granularity, but also adds a step at each rule.

• Next determine if there is a router between the Brick and the private hosts. If not, use the Brick’s VBA (Virtual Brick Address) as the NAT/PAT address. This is important, as the Brick will need to respond to ARP requests to advertise that public address.
• Let’s do a simple Source NAT example on the interface that is going to the Internet.
• This example assumes that you have already created your rules and host groups. If you haven’t already done so, see the configuration examples that lead you through those steps.
• Refer to the simple diagram below for our example. Fill in your own addresses and configure accordingly.
[Diagram: Internet, Router, Brick, Private Network]
  • Router: IP 135.119.2.161/27
  • Brick Eth 1 (to the router): VBA 135.119.2.167/27
  • Brick Eth 2: IP 192.168.1.31/24
  • Brick Eth 0
  • Private Network: 192.168.1.1 to 192.168.1.30/24
  • AALSMS: IP 135.119.2.165/27
• In this example I have created a Host Group called “Internal-Users-and-Servers” that contains the host addresses 192.168.1.1-192.168.1.30/24, as seen in the diagram.
• I have already created a rule set called “Inside-Zone”, as seen below, that contains all of the rules that I need for this subnet.

• Next let’s create a rule set for the outside zone that allows all traffic and NATs it to a public address.

• In the “Pass All” rule set, double click on rule number 1000 that you created to pass the traffic from your private network to the WAN.
• Click on the “Address Translation” tab.

• From the pull-down menu choose Virtual Brick Address.
• Also select Pool.
• We will apply the Virtual Brick Address in the next few slides when we apply the rule set.

• When you are done with the Brick Zone Rule Editor, click OK to close it.
• Now we will apply this “Pass-All” rule set to the Brick and apply the VBA (Virtual Brick Address) to that interface.
• From the main menu double click on your Brick.
• Click on the Policy Assignment tab.
• Double click on the interface that is connected to the router. In our example that is Ethernet 1.
• Apply your “Pass-All” rule set and the VBA as shown on the next slide.

• Note: this VBA should be a public address that can be used on the Internet.
• Click OK when finished.
• The Virtual Brick Address that you just assigned will respond to ARP requests from the router.
• Next we will assign a default route so that the internal hosts will have a path from the class C network to the router.

• Click on the Static Routes tab and assign a default route as shown below.
• The “Gateway IP Address” should be the interface on the router.
• When you are done, click File > Save and Apply.
• From one of the PCs on the private network, open a browser and see if your NAT configuration is working.
• Here are a couple of troubleshooting tips for this configuration:
  • The gateway IP set on the PCs in the private network should be the Brick interface that this network is connected to.
  • The default route that you set up should point towards the address of the router that connects you to the Internet.
  • The VBA on the Brick interface pointing to the router should be a public address, as this is what you are NATing to.
  • The PCs should be configured with DNS addresses in order to resolve names.
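The four troubleshooting tips above, turned into a pre-flight check as an added example that is not part of the original deck or of the AALSMS software: a Python function that takes the addresses from the diagram and reports which tip is violated. The PC address 192.168.1.10 and the resolver 203.0.113.53 are constructed, since the slides give neither; everything else (Brick inside interface, VBA, router address) is taken from the diagram.

```python
import ipaddress
from typing import Dict, List

# Diagram values from the deck. The PC address and DNS server are constructed
# for this check because the slides do not give them.
EXAMPLE: Dict[str, object] = {
    "pc_ip": "192.168.1.10/24",          # constructed host on the private network
    "pc_gateway": "192.168.1.31",        # Brick Eth 2 from the diagram
    "pc_dns": ["203.0.113.53"],          # constructed resolver address
    "brick_inside_if": "192.168.1.31/24",
    "brick_vba": "135.119.2.167/27",     # VBA on Brick Eth 1
    "default_route_gw": "135.119.2.161", # router interface facing the Brick
}

F_GW_SUBNET = "PC gateway is not on the PC's subnet"
F_GW_BRICK = "PC gateway is not the Brick interface this network is connected to"
F_ROUTE_VBA = "default route points at the Brick's own VBA instead of the router"
F_ROUTE_SUBNET = "default route gateway is not on the Brick's outside subnet"
F_VBA_PRIVATE = "VBA is not a public (globally routable) address"
F_NO_DNS = "no DNS servers configured on the PC"


def check_nat_topology(cfg: Dict[str, object]) -> List[str]:
    """Return the findings for a Source NAT setup; an empty list means all tips hold."""
    findings: List[str] = []
    pc = ipaddress.ip_interface(str(cfg["pc_ip"]))
    gw = ipaddress.ip_address(str(cfg["pc_gateway"]))
    inside = ipaddress.ip_interface(str(cfg["brick_inside_if"]))
    vba = ipaddress.ip_interface(str(cfg["brick_vba"]))
    route_gw = ipaddress.ip_address(str(cfg["default_route_gw"]))

    # Tip 1: the PC's gateway must be the Brick interface on the PC's own subnet.
    if gw not in pc.network:
        findings.append(F_GW_SUBNET)
    elif gw != inside.ip:
        findings.append(F_GW_BRICK)

    # Tip 2: the default route must point at the router on the Brick's outside subnet.
    if route_gw == vba.ip:
        findings.append(F_ROUTE_VBA)
    elif route_gw not in vba.network:
        findings.append(F_ROUTE_SUBNET)

    # Tip 3: the VBA is what traffic is NATed to, so it must be routable on the Internet.
    if not vba.ip.is_global:
        findings.append(F_VBA_PRIVATE)

    # Tip 4: without resolvers the browser test fails on name lookup, not on NAT.
    if not cfg.get("pc_dns"):
        findings.append(F_NO_DNS)
    return findings


if __name__ == "__main__":
    print("diagram config:", check_nat_topology(EXAMPLE) or "OK")
    broken = dict(EXAMPLE, brick_vba="192.168.1.31/24",
                  default_route_gw="192.168.1.31", pc_dns=[])
    print("broken config:", check_nat_topology(broken))
```

Run it against your own values before opening the browser on a private PC; a private VBA in particular is the classic mistake, because the Brick will answer ARP for it on the router side but no Internet host can route a reply back.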
If you want to see the NATed sessions, there are several ways to do this from the Sessions Log. You can create custom reports based on many variables. From the Navigator window click on Sessions Logged, right click and select New Sessions Logged to open the window that you see at the right. A “Mapped” session is the same as a NATed session. If you click on “Mapped Session” and click Run, you will see all NATed sessions. See if you can show them by source host and host group.

Now see if you can show your NATed sessions by selecting the “Zone” (rule set). You can select by Brick, Zone, Host Group, source IP address, protocol, source or destination port number, or service. There is a great deal of granularity in this report generator. Reports can be saved, archived and reused. Output is in HTML format and can easily be exported to external reporting tools or to MS Excel, just by right clicking on the report output.
• You can also gather some information on NAT/PAT sessions from the Brick command line, as you can see below.
• From the Navigator double click on your Brick, select the Brick Utilities menu, then select Open Brick Console.
• At the console type display sessions (Zone) (IP), as seen below.

• For more detailed information on configuring Source or Destination NAT/PAT, see the AALSMS Policy Guide.
• You can access the manuals by clicking Help > On Line Product Manuals > AALSMS Policy Guide.
• The manuals can also be found on your AALSMS installation CD.