NAT & VPN
Lecture 8
Hassan Shuja
05/02/2006
NAT
• Network Address Translation (NAT)
  • Allows a host that does not have a valid registered (publicly routable) IP address to communicate with other hosts across the Internet
  • The host might be using a private address (RFC 1918 space) or an address that is assigned to another organization
  • As a packet leaves, the source IP address is rewritten from the private (inside local) address to the public (inside global) address; the destination address of the returning packet is rewritten back
  • Cisco terminology uses "inside" and "outside" to describe where a host resides, and "local" and "global" to describe which side of the router an address is seen from: an inside local address is the host's real private address, an inside global address is the public address the host appears as on the outside
  • The router keeps a translation table of the mappings currently in use
• Static NAT
  • A one-to-one mapping is configured so that an inside address is always translated to the same outside address
  • The mapping does not change and is never aged out
  • A second private address requires a second public address
  • Because the entry is permanent, hosts on the outside can initiate connections to the inside host through its public address, so a static mapping exposes that host
NAT
• Dynamic NAT
  • A one-to-one mapping is created on demand: an inside address is given a free address from a pool of outside addresses when it first sends traffic
  • If every address in the outside pool is in use, the next host cannot reach the outside until an existing translation times out and its address is released
• Dynamic NAT & Static NAT
  • Dynamic NAT and static NAT can work together
  • It is possible to set up a pool of addresses and also statically map some addresses; keep the statically mapped public addresses out of the dynamic pool so the two configurations do not overlap
• NAT Overload
  • Overloading allows NAT to scale: many inside clients share one outside IP address
  • Also referred to as PAT (Port Address Translation)
  • The router translates the source port number as well as the source IP address, so that returning traffic for different inside hosts can be told apart
  • The translation table therefore records the port numbers too, with one entry per flow rather than one per host
NAT
• NAT Configuration
  • The router interfaces must be designated as the "inside" and the "outside" interface; these are interface configuration commands, entered under the interface
  • "ip nat inside"
  • "ip nat outside"
• Static NAT Configuration
  • Configuration command (global configuration mode)
  • "ip nat inside source static 10.1.1.2 200.1.1.2"
  • Show commands
  • "show ip nat translations"
  • Displays the translation table
  • "show ip nat statistics" (may be abbreviated "sh ip nat statistics")
  • Displays counters such as active translations, hits and misses, and which interfaces are inside and outside
NAT
• Dynamic NAT
  • A NAT pool must be set up for the outside addresses
  • "ip nat pool umbc 200.1.1.1 200.1.1.254 netmask 255.255.255.0"
  • The addresses to be translated must be identified with an access list
  • "access-list 1 permit 10.1.1.0 0.0.0.255"
  • The inside addresses are then mapped to the outside pool
  • "ip nat inside source list 1 pool umbc"
  • All three commands are executed in global configuration mode; the interfaces still need "ip nat inside" and "ip nat outside"
  • Note that 200.1.1.2 from the static example falls inside this pool; when combining static and dynamic NAT, choose a pool that excludes the statically mapped addresses
NAT
• NAT Overload
  • The addresses to be translated are identified with the same kind of access list
  • "access-list 1 permit 10.1.1.0 0.0.0.255"
  • Two ways of mapping the inside addresses to the shared outside address
  • With a pool that holds a single address (the pool command takes a start and an end address, so the one address is given twice)
  • "ip nat pool umbc 200.1.1.1 200.1.1.1 netmask 255.255.255.255"
  • "ip nat inside source list 1 pool umbc overload"
  • Or directly with the address of the outside interface, which needs no pool
  • "ip nat inside source list 1 interface serial0/0 overload"
  • This maps everything in access list 1 to the IP address of the serial interface, with individual flows distinguished by port number
  • All of these commands are executed in global configuration mode
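The translation behaviour the NAT slides describe (static entries, a dynamic pool that can run dry, overload with port translation, and the return-path lookup) as an added Python model. It is not part of the lecture and is not IOS code; it assumes a toy packet of source/destination address and port, uses the slides' addresses 10.1.1.0/24, 200.1.1.2 and 200.1.1.1, shrinks the dynamic pool to two addresses so exhaustion shows quickly, and omits the entry timeouts that a real router has. The sample traffic in `demo()` is constructed.

```python
"""Toy IOS-style NAT translation table: static, dynamic pool and overload (PAT)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PoolExhausted(Exception):
    """No free address in the outside pool: the inside host cannot reach the outside."""


class NatRouter:
    """Inside-to-outside source NAT for hosts matched by the access list."""

    def __init__(self, inside_list, static, pool, overload=False):
        self.inside_list = ipaddress.ip_network(inside_list)  # "access-list 1 permit ..."
        self.static = dict(static)       # inside local -> inside global, permanent
        self.pool = list(pool)           # "ip nat pool ..." addresses, in order
        self.overload = overload         # True = PAT: every host shares pool[0]
        self.dynamic = {}                # inside local -> inside global, allocated on first use
        self.port_owner = {}             # (inside global, global port) -> (inside local, local port)
        self.entries = {}                # (local, lport, dst, dport) -> (global, gport)
        self.reverse = {}                # (global, gport, dst, dport) -> (local, lport)

    def _global_addr(self, src):
        if src in self.static:
            return self.static[src]
        if self.overload:
            return self.pool[0]
        if src not in self.dynamic:
            # addresses held by static entries are never handed out dynamically
            in_use = set(self.dynamic.values()) | set(self.static.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                raise PoolExhausted(src)
            self.dynamic[src] = free[0]
        return self.dynamic[src]

    def _global_port(self, gaddr, src, sport):
        if not self.overload or src in self.static:
            return sport                 # one-to-one NAT leaves the port alone
        owner = self.port_owner.get((gaddr, sport))
        if owner is None or owner == (src, sport):
            self.port_owner[(gaddr, sport)] = (src, sport)   # keep the local port if it is free
            return sport
        port = 1024                      # otherwise take the next unused global port
        while (gaddr, port) in self.port_owner:
            port += 1
        self.port_owner[(gaddr, port)] = (src, sport)
        return port

    def outbound(self, pkt):
        """Translate an inside -> outside packet; returns it as it appears on the outside."""
        if pkt.src not in self.static and ipaddress.ip_address(pkt.src) not in self.inside_list:
            return pkt                   # not matched by the access list: forwarded untranslated
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            gaddr = self._global_addr(pkt.src)
            gport = self._global_port(gaddr, pkt.src, pkt.sport)
            self.entries[key] = (gaddr, gport)
            self.reverse[(gaddr, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        gaddr, gport = self.entries[key]
        return replace(pkt, src=gaddr, sport=gport)

    def inbound(self, pkt):
        """Translate an outside -> inside packet; None means no entry, so the router drops it."""
        local = self.reverse.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if local is not None:
            return replace(pkt, dst=local[0], dport=local[1])
        for inside_local, inside_global in self.static.items():
            if pkt.dst == inside_global:  # static entry is permanent: inbound connections reach the host
                return replace(pkt, dst=inside_local)
        return None


def demo():
    """Constructed sample traffic against the lecture's addresses."""
    web = ("198.51.100.10", 80)
    # Dynamic NAT with a two-address pool plus the static entry from the slides
    r = NatRouter("10.1.1.0/24", {"10.1.1.2": "200.1.1.2"}, ["200.1.1.3", "200.1.1.4"])
    dyn = [r.outbound(Packet(f"10.1.1.{h}", 40000, *web)).src for h in (2, 5, 6)]
    try:
        r.outbound(Packet("10.1.1.7", 40000, *web))
        exhausted = False
    except PoolExhausted:
        exhausted = True                 # fourth host is stuck until an entry times out
    # Overload: everyone behind the serial interface address; two hosts pick the same source port
    p = NatRouter("10.1.1.0/24", {}, ["200.1.1.1"], overload=True)
    a = p.outbound(Packet("10.1.1.5", 40000, *web))
    b = p.outbound(Packet("10.1.1.6", 40000, *web))
    reply = p.inbound(Packet(web[0], web[1], b.src, b.sport))
    stray = p.inbound(Packet(web[0], web[1], "200.1.1.1", 5555))   # no entry: dropped
    return {"dynamic": dyn, "exhausted": exhausted, "pat": [(a.src, a.sport), (b.src, b.sport)],
            "reply_to": (reply.dst, reply.dport), "stray_dropped": stray is None}


if __name__ == "__main__":
    print(demo())
```

The model makes two of the slides' points concrete: a packet to a pool address with no matching entry is dropped, which is why NAT hides inside hosts from unsolicited traffic, while a static entry answers inbound packets at any time, which is why a statically mapped host needs its own access control.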
VPN
• Virtual Private Network (VPN)
  • A private data network that makes use of the public telecommunication infrastructure (the Internet), maintaining privacy through the use of a tunneling protocol and security procedures
  • A VPN is very cost effective compared with dedicated leased lines
  • Traffic is encrypted as it travels across the Internet, provided the tunneling protocol actually encrypts (a plain GRE tunnel, for example, does not)
  • An administrator must know which traffic flows through the tunnel and where the end points of the tunnel are
  • All traffic on a secure VPN must be both encrypted and authenticated; encryption alone does not stop an attacker from altering the ciphertext undetected
  • Encryption types
  • DES, 3DES, AES
  • DES (56-bit key) is no longer considered secure and should not be used; AES is the current choice
VPN
• Virtual Private Network (VPN)
  • The security properties (algorithms, key lifetimes, authentication method) must match on all end points of the VPN tunnel
  • No one outside the VPN tunnel should be able to affect the security properties of the tunnel
  • Split tunneling allows a client to send some traffic through the tunnel and other traffic directly to the Internet at the same time
  • Split tunneling is a very big security concern: the client is reachable from the Internet and from the protected network simultaneously, so it can become a bridge between the two
  • IPsec is used to protect the VPN tunnel
  • Uses ISAKMP (IKE) on UDP port 500 for tunnel setup (key negotiation); when a NAT device is detected in the path, IKE moves to UDP port 4500 (NAT traversal, NAT-T)
  • Uses ESP (IP protocol 50) for encryption plus optional authentication, and AH (IP protocol 51) for authentication and integrity only; AH does not encrypt
  • AH authenticates the IP header itself, so it cannot pass through NAT (the rewritten source address breaks the integrity check); ESP can, encapsulated in UDP 4500 (NAT-T), which also gives PAT a port number to translate
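Why AH fails through NAT while ESP survives, as an added Python model that is not part of the lecture. The packet layout, the shared key `KEY`, the SPI value, the 96-bit truncated HMAC-SHA256 and the SHA-256 keystream standing in for AES are all constructed simplifications; real IPsec derives per-SA keys through IKE and uses AES for ESP. What the model shows is which bytes each protocol's integrity check covers, and therefore what the NAT router's rewrite of the source address does to it.

```python
"""Toy model of AH and ESP integrity checks crossing a NAT (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-sa-key-standing-in-for-the-IKE-result"   # assumption: one shared SA key
SPI = b"\x00\x00\x10\x01"
ICV_LEN = 12   # IPsec truncates the HMAC output to 96 bits


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int
    proto: int     # 50 = ESP, 51 = AH
    body: bytes    # IPsec header(s) followed by the payload


def _ah_covered(pkt, payload):
    # AH authenticates the IP header with mutable fields (TTL, checksum) zeroed,
    # but the source and destination addresses ARE part of what is hashed
    return f"{pkt.src}>{pkt.dst}|ttl=0|proto={pkt.proto}|".encode() + SPI + payload


def ah_wrap(pkt, payload):
    pkt = replace(pkt, proto=51)
    icv = hmac.new(KEY, _ah_covered(pkt, payload), hashlib.sha256).digest()[:ICV_LEN]
    return replace(pkt, body=SPI + icv + payload)   # AH carries the payload in the clear


def ah_verify(pkt):
    """Return the payload if the AH ICV matches the packet as received, else None."""
    spi, icv, payload = pkt.body[:4], pkt.body[4:4 + ICV_LEN], pkt.body[4 + ICV_LEN:]
    expected = hmac.new(KEY, _ah_covered(pkt, payload), hashlib.sha256).digest()[:ICV_LEN]
    return payload if spi == SPI and hmac.compare_digest(icv, expected) else None


def _keystream(seq, n):
    # Toy stream cipher (SHA-256 in counter mode under the SA key); real ESP uses AES
    blocks = (hashlib.sha256(KEY + SPI + seq + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def esp_wrap(pkt, payload, seq=1):
    seq_b = seq.to_bytes(4, "big")
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(seq_b, len(payload))))
    icv = hmac.new(KEY, SPI + seq_b + ct, hashlib.sha256).digest()[:ICV_LEN]   # no IP header in here
    return replace(pkt, proto=50, body=SPI + seq_b + ct + icv)


def esp_open(pkt):
    """Return the decrypted payload if the ESP ICV matches, else None; the outer IP header is ignored."""
    spi, seq_b, ct, icv = pkt.body[:4], pkt.body[4:8], pkt.body[8:-ICV_LEN], pkt.body[-ICV_LEN:]
    expected = hmac.new(KEY, spi + seq_b + ct, hashlib.sha256).digest()[:ICV_LEN]
    if spi != SPI or not hmac.compare_digest(icv, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(seq_b, len(ct))))


def through_nat(pkt, inside_global):
    """The NAT router's work on the outer header: rewrite the source address, decrement TTL."""
    return replace(pkt, src=inside_global, ttl=pkt.ttl - 1)


def demo():
    inner = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"   # constructed cleartext
    outer = IPPacket(src="10.1.1.5", dst="203.0.113.9", ttl=64, proto=0, body=b"")
    ah, esp = ah_wrap(outer, inner), esp_wrap(outer, inner)
    tampered = replace(esp, body=esp.body[:8] + bytes([esp.body[8] ^ 1]) + esp.body[9:])
    return {
        "ah_direct": ah_verify(ah) == inner,
        "ah_after_nat": ah_verify(through_nat(ah, "200.1.1.1")) is not None,
        "esp_after_nat": esp_open(through_nat(esp, "200.1.1.1")) == inner,
        "esp_tampered": esp_open(tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same property explains the UDP 4500 encapsulation: ESP itself carries no transport port, so a PAT device has nothing to translate to keep two inside hosts' ESP sessions apart, and NAT-T wraps the ESP packet in UDP to supply one.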
VPN
• Types of VPN
  • A client-based (remote access) VPN tunnel handles the connection for only one workstation
  • Usually created from a PC to a VPN gateway (server)
  • A LAN-to-LAN (site-to-site) VPN tunnel is built for many clients to use
  • Usually created from one gateway to another gateway; the hosts behind the gateways need no VPN software of their own
  • Understand the design for each type
  • Discussed in class
• VPN Devices
  • It is possible to create a VPN tunnel with any device that supports IPsec
  • Cisco devices
  • IOS router
  • PIX Firewall
  • VPN concentrator