Outline

This challenge involves the configuration of dynamic NAT. The objectives of this challenge are to:

Example

> en
# config t
(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18
(config)# int e0
(config-if)# ip nat inside
(config-if)# int s0
(config-if)# ip nat outside

Explanation

In this case the lines:

(config)# ip nat inside source static 160.94.210.50 93.123.33.13
(config)# ip nat inside source static 160.94.210.53 93.123.33.15
(config)# ip nat inside source static 160.94.210.55 93.123.33.18

define that the host with the address 160.94.210.50 will be seen from outside the network as 93.123.33.13 (and likewise 160.94.210.53 as 93.123.33.15 and 160.94.210.55 as 93.123.33.18). Thus, for example, if the host at 160.94.210.50 is a Web server, users from outside the network will access it using the address 93.123.33.13. Servers which have public access are normally given static mappings, as a static mapping guarantees them a fixed public address at which they can be reached.

 

Theory

Network address translation (NAT) is defined in RFC 1631, and swaps one network address for another. This allows private networks (RFC 1918) to be created, which are then translated to public addresses when they access the Internet. A router can operate at the border of a domain and translate addresses from private to public, and vice versa. For example, a node could be given a private address of 192.168.10.12. The NAT could then translate this to a public address of 168.10.34.31. The NAT table would then have the mapping of:

Private          Public
192.168.10.12    168.10.34.21

If a host from outside the domain sends a data packet back to the domain, the NAT will translate the public address back into the private address. These translations can be statically assigned, where a permanent mapping is set up, or dynamic, where the table changes as the network requires. Figure 1 gives an example, where the destination address is 11.22.33.44. The source address in this case is changed from 192.168.10.12 to 168.10.34.21 as the data packet leaves the domain, and is changed back when the reply comes back into the domain.

PAT (Port address translation)

NAT routers can use port address translation (PAT), which allows many internal addresses to be mapped to the same global address. This is also known as many-to-one NAT, or address overloading. With PAT, the NAT router keeps track of the connections and the TCP/UDP ports that are being used, and changes the global address back into the correct private address based on these. In Figure 2 there is a single external address (168.10.34.21), but multiple source ports are used to identify the connection. It can be seen in the example in Figure 3 that a host has four different connections with a WWW server, and each of the connections has been mapped to a unique source port (5555, 5556, 5557 and 5558).

 

Figure 1  Example of NAT

In summary the advantages of NAT are:

 

·         Hides the network addresses of the network.

·         Bars direct contact with a host.

·         Increased range of addresses.

·         Allows easy creation of subnetworks.

 

Figure 2  Example of port address translation (PAT)

Figure 3  Example of port address translation (PAT)

NAT types

The three main types of NAT are:

 

·         Static translation. Each public IP address translates to a private one through a static table. It is good for security, logging and traceability, but does not hide the internal network. As the network addresses are statically defined, the nodes inside the network can be contacted directly from outside. Static translation also does not save network addresses, although an organisation may limit access by limiting the number of private addresses which are available.

·         IP Masquerading (Dynamic Translation). A single public IP address is used for the whole network. The table is thus dynamic, and uses TCP ports to identify connections. It has the advantage that a complete network requires only a single public address, but, of course, the network which is allocated private addresses is dependent upon the NAT device for its connection to external networks.

·         Load Balancing Translation. With this, a request is made to a resource, such as to a WWW server, the NAT device then looks at the current loading of the systems, and forwards the request to the one which is most lightly used (Figure 4).

Figure 4 Load balancing translation

NAT backtracking

Dynamic NAT is good at isolating the internal network from a public untrusted network, as it allows the NAT device to create a table of connections which have been initiated from inside. External devices thus cannot contact internal hosts, as these have no mapping in the NAT device. Unfortunately some applications, such as FTP and IRC, require a server connection to be set up on the host. The NAT device must therefore be able to implement backtracking of connections, as illustrated in Figure 5.

 

Figure 5 NAT backtracking

NAT weaknesses

Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping, and external nodes can thus connect to internal devices. It also does not hide the host from the external network, so that it can be traced, if the mapping table is known. Dynamic NAT is much better for security, as it hides the network. Unfortunately it has two major weaknesses:

 

- Backtracking allows external parties to trace back a connection.

- If the NAT device becomes compromised the external party can redirect traffic.

 

These weaknesses are illustrated in Figure 5.

 

Figure 5 NAT weaknesses

Programming dynamic NAT

Network address translation allows private IP addresses to be translated to public addresses. This can either be achieved statically, where the translation is fixed by a translation table, or dynamically, where the translation table is set up as required by the network. Typically, a global address pool is used from which the public addresses are taken. The command for this has the format of:

 

RouterA# config t
RouterA(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

 

where the subnet mask is defined either by the netmask argument (such as 255.255.255.0), or by a length using prefix-length (24 for the 255.255.255.0 subnet mask). After this, the types of packets which will be translated are defined. This is achieved with the access-list command, which has the form:

 

RouterA# config t

RouterA(config)#access-list access-list-number permit source [source-wildcard]

 

A dynamic translation uses the ip nat inside source list command, such as:

 

Router(config)#ip nat inside source list access-list-number pool name

 

where the access list number is defined. This is then applied to one of the interfaces using the command (for s0):

 

RouterA# config t
RouterA(config)# int s0
RouterA(config-if)#ip nat inside

This marks s0 as an inside interface, so that data packets entering through this port are translated. The outside interface, through which the translated packets leave, is marked with the ip nat outside command.

For example, to define a pool of addresses from 180.10.11.1 to 180.10.11.254:

 

RouterA(config)#ip nat pool org_pool 180.10.11.1 180.10.11.254 netmask 255.255.255.0

 

which defines the global addresses as org_pool. These will be used as the source addresses of translated data packets sent out onto the Internet. An access-list command is then used to match the addresses to be translated:

 

RouterA(config)#access-list 2 permit 192.168.10.0 0.0.0.255

RouterA(config)#ip nat inside source list 2 pool org_pool

 

which applies the access-list number 2 to the IP NAT pool of org_pool. This can then be applied to the interfaces with:

 

RouterA(config)#interface e0

RouterA(config-if)#ip nat inside

RouterA(config-if)#interface s0

RouterA(config-if)#ip nat outside

 

Thus if a host with an address of 192.168.10.10 sends a data packet out of the network, it will be given one of the addresses from the pool, such as 180.10.11.1. All hosts outside the network will use this pool address to communicate with the node. By default, these entries remain in the table for up to 24 hours (in order to allow return communications). The time-out can be changed using the command:

 

RouterA(config)#ip nat translation timeout seconds

 

This is an important factor, especially when there is a large number of hosts which can only use a limited pool of addresses. A lower time-out will allow an address to be released, so that another node can use it.
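The following Python model is an added illustration, not router code from the page: it plays through the behaviour described above (a static entry for a server, a dynamic pool allocated from an access-list match, pool exhaustion, and release of idle entries after the translation timeout). The class and method names are inventions for the example, and the pool, access-list and timeout values are constructed to keep the scenario small.

```python
# Added illustration: a simplified model of a Cisco-style NAT translation
# table with static entries and a dynamic address pool. Not router code;
# the class and method names are inventions for this example.
import ipaddress
from dataclasses import dataclass


@dataclass
class NatEntry:
    inside_local: str    # private address of the host
    inside_global: str   # public address seen from outside
    static: bool         # static entries never time out
    last_used: float = 0.0


class DynamicNat:
    """One-to-one NAT: 'ip nat pool' + 'access-list' + 'ip nat inside source list'."""

    def __init__(self, pool_start, pool_end, inside_list, timeout=86400):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        # Free global addresses, handed out in ascending order.
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        # Network matched by the access-list; other sources pass untranslated.
        self.inside_list = ipaddress.ip_network(inside_list)
        self.timeout = timeout       # 'ip nat translation timeout', in seconds
        self.by_local = {}
        self.by_global = {}

    def add_static(self, inside_local, inside_global):
        """'ip nat inside source static <local> <global>'."""
        entry = NatEntry(inside_local, inside_global, static=True)
        self.by_local[inside_local] = entry
        self.by_global[inside_global] = entry
        if inside_global in self.free:
            self.free.remove(inside_global)

    def _expire(self, now):
        """Release dynamic entries idle for longer than the timeout."""
        for entry in list(self.by_local.values()):
            if not entry.static and now - entry.last_used >= self.timeout:
                del self.by_local[entry.inside_local]
                del self.by_global[entry.inside_global]
                self.free.append(entry.inside_global)

    def outbound(self, src, now):
        """Packet leaving via the inside interface: returns the translated
        source address, the original one if the access-list does not match,
        or None if the pool is exhausted (no translation is possible)."""
        self._expire(now)
        entry = self.by_local.get(src)
        if entry is None:
            if ipaddress.IPv4Address(src) not in self.inside_list:
                return src
            if not self.free:
                return None
            entry = NatEntry(src, self.free.pop(0), static=False)
            self.by_local[src] = entry
            self.by_global[entry.inside_global] = entry
        entry.last_used = now
        return entry.inside_global

    def inbound(self, dst, now):
        """Packet arriving on the outside interface: returns the inside
        address, or None when no translation exists (packet dropped)."""
        self._expire(now)
        entry = self.by_global.get(dst)
        if entry is None:
            return None
        entry.last_used = now
        return entry.inside_local


if __name__ == "__main__":
    # Constructed scenario: a three-address pool and a 300 s timeout.
    nat = DynamicNat("180.10.11.1", "180.10.11.3", "192.168.10.0/24", timeout=300)
    nat.add_static("192.168.10.50", "180.10.11.100")   # the Web server
    print(nat.inbound("180.10.11.100", now=0))          # reachable at once
    print(nat.inbound("180.10.11.1", now=0))            # None: no mapping yet
    for i, host in enumerate(("192.168.10.10", "192.168.10.11", "192.168.10.12", "192.168.10.13")):
        print(host, "->", nat.outbound(host, now=i))    # fourth host: None (pool exhausted)
    print(nat.outbound("192.168.10.13", now=302))       # idle entries released, address reused
```

The point the model makes is the one the text makes: the statically mapped server can be reached from outside before it has sent anything, while a dynamically mapped host only becomes reachable once it has opened a conversation, and only until its entry times out. A short timeout frees pool addresses sooner, at the cost of cutting off slow return traffic.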

NAT also enhances security, as it limits the connections that external users can make to the local network, because the address translations are not permanent (unless a static translation is implemented). NAT thus hides the topology of the network.

Static translation uses a fixed lookup table to translate the addresses, where each address which requires an Internet address has a corresponding public IP address. If it is used on its own, it thus cannot conserve IP addresses. Typically the two methods are therefore combined: important nodes, such as servers, are given a static entry, as this guarantees them an address, while other, less important nodes are granted a dynamic translation. This also aids security, as the important devices can run enhanced security and monitoring software, which might not be possible on lower-level devices, which are typically administered on a daily basis by non-IT personnel.

Static addresses are also useful in translating network topologies from one network address structure to another, or even when individual nodes are moved from one subnet to another.

An example of configuring a static translation of the node 192.168.10.10 to the address 180.10.11.1:

 

RouterA(config)#ip nat inside source static 192.168.10.10 180.10.11.1

 

This can then be applied to the inside and outside interfaces with:

 

RouterA(config)#interface e0

RouterA(config-if)#ip nat inside

RouterA(config-if)#interface s0

RouterA(config-if)#ip nat outside

 

NAT allows organisations to quickly remap their addresses, as conditions require, such as changing Internet access provider, or to respond to a network breach.

One of the advanced features of NAT routers is their ability to use Port Address Translation (PAT), which allows multiple inside addresses to map to the same global address. This is sometimes called a many-to-one NAT, or address overloading. With address overloading, many privately addressed nodes can access the Internet using a single global address. The NAT router keeps track of the different conversations by mapping TCP and UDP port numbers in the translation table. A translation entry which maps one IP address and port pair to another is called an extended table entry. This table matches internal private IP addresses and ports to the global address.

The NAT command is used to configure PAT with:

 

RouterA(config)#ip nat inside source list access-list-number pool name overload

 

For example, if a network has 20 IP global addresses from 180.10.11.1 to 180.10.11.20, then the router could be configured with:

 

RouterA(config)#ip nat pool org_pat_pool 180.10.11.1 180.10.11.20 netmask 255.255.255.0
RouterA(config)#access-list 2 permit 10.1.1.0 0.0.0.255
RouterA(config)#ip nat inside source list 2 pool org_pat_pool overload
RouterA(config)#interface e 0
RouterA(config-if)#ip nat inside
RouterA(config-if)#interface s 0
RouterA(config-if)#ip nat outside

 

This creates an access-list with a label of 2, which is applied using the overload method to provide PAT. This method is obviously important in a home network, where users are granted a single IP address for their router. The home network can then be set up with private addresses.
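To show what the overload method does with the extended table entries described above (and the port multiplexing of Figures 2 and 3 in the Theory section), here is an added Python model; it is not router code, and its class and method names are inventions for this example. Ports are handed out sequentially from 5555 purely to mirror Figure 3 (a real router's port choice differs), and the addresses are the constructed ones from the figures.

```python
# Added illustration: a simplified model of PAT ('ip nat ... overload'), in
# which many inside hosts share one inside-global address and are told apart
# by the translated source port. Not router code; names are inventions for
# this example.
from dataclasses import dataclass


@dataclass
class ExtendedEntry:
    proto: str
    inside_local: tuple     # (private ip, port) as used by the host
    inside_global: tuple    # (shared public ip, translated port)
    outside: tuple          # (remote ip, port) the conversation is with


class Pat:
    def __init__(self, global_ip, first_port=1024, last_port=65535):
        self.global_ip = global_ip
        self.first_port = first_port
        self.last_port = last_port
        self.next_port = first_port
        self.entries = []
        self.by_local = {}    # (proto, local (ip, port), outside (ip, port)) -> entry
        self.by_global = {}   # (proto, translated port) -> entry

    def _allocate_port(self, proto):
        # Simplification: hand out ports sequentially, as in Figure 3.
        for _ in range(self.last_port - self.first_port + 1):
            port = self.next_port
            self.next_port = self.first_port if port == self.last_port else port + 1
            if (proto, port) not in self.by_global:
                return port
        return None   # every port in use: the conversation cannot be translated

    def outbound(self, proto, src, dst):
        """Outgoing packet; src and dst are (ip, port) pairs. Returns the
        translated source (global ip, port), or None if no port is free."""
        key = (proto, src, dst)
        entry = self.by_local.get(key)
        if entry is None:
            port = self._allocate_port(proto)
            if port is None:
                return None
            entry = ExtendedEntry(proto, src, (self.global_ip, port), dst)
            self.entries.append(entry)
            self.by_local[key] = entry
            self.by_global[(proto, port)] = entry
        return entry.inside_global

    def inbound(self, proto, src, dst):
        """Packet arriving on the outside interface. Returns the inside
        (ip, port) to deliver to, or None when no entry matches: a packet
        that is not a reply to a conversation opened from inside is dropped."""
        entry = self.by_global.get((proto, dst[1]))
        if entry is None or dst[0] != self.global_ip or entry.outside != src:
            return None
        return entry.inside_local

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        return [(e.proto,
                 f"{e.inside_global[0]}:{e.inside_global[1]}",
                 f"{e.inside_local[0]}:{e.inside_local[1]}",
                 f"{e.outside[0]}:{e.outside[1]}") for e in self.entries]


if __name__ == "__main__":
    # Constructed scenario: two inside hosts, one shared global address,
    # all talking to the WWW server 11.22.33.44 from the figures.
    pat = Pat("168.10.34.21", first_port=5555)
    www = ("11.22.33.44", 80)
    for src in (("192.168.10.12", 40000), ("192.168.10.12", 40001), ("192.168.10.13", 40000)):
        print(src, "->", pat.outbound("tcp", src, www))
    for row in pat.show_translations():
        print(*row)
    print(pat.inbound("tcp", www, ("168.10.34.21", 5557)))   # reply delivered to .13
    print(pat.inbound("tcp", www, ("168.10.34.21", 6000)))   # None: unsolicited, dropped
```

Two hosts using the same local source port 40000 end up with different translated ports, which is what lets the router return each reply to the right host. The inbound check also requires the reply to come from the outside address recorded in the entry, which is the property the NAT weaknesses section relies on: without an entry created from inside, nothing is forwarded.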