Outline
- Introduction
- Translation Modes
- NAT Kinds
- NAT Scenario
- Concerns about NAT
- Apply NAT in Packet Tracer
By Joud Khattab 2
Introduction
1. IPv4 Problem
2. Private Network
3. Solution with NAT

IPv4 Problem
- Whatever connects directly to the Internet must have a public (globally unique) IP address.
- There is a shortage of public IPv4 addresses.
- The solutions:
  - Long-term solution: IPv6.
  - Short-term solution: CIDR (Classless Inter-Domain Routing).
  - NAT.
Private Network
- A private IP network is an IP network that is not directly connected to the Internet.
- IP addresses in a private network can be assigned arbitrarily.
- They are not registered and not guaranteed to be globally unique.
- Three address ranges are reserved for private usage (not routable on the public Internet):
  - Class A: 10.0.0.0/8
  - Class B: 172.16.0.0/16 to 172.31.0.0/16
  - Class C: 192.168.0.0/24 to 192.168.255.0/24
- A private IP address is mapped to a public IP address when the machine has to access the Internet.

Private Network (diagram)
- Private network 1: H1 and H2 behind a Router/NAT; private network 2: H3 and H4 behind another Router/NAT.
- Both private networks reuse the same addresses: the router at 10.0.1.1 and the hosts at 10.0.1.2 and 10.0.1.3.
- The two Router/NAT devices hold the public addresses 128.143.71.21 and 128.195.4.119; H5 is a host on the Internet at 213.168.112.3.
Solution with NAT
- NAT is short for Network Address Translation; it is also known as network masquerading or IP masquerading.
- NAT is a router function where the IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network.
- NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.
- NAT runs on routers that connect private networks to the public Internet and replaces the IP address/port pair of an IP packet with another IP address/port pair.
- The NAT device keeps an address translation table.

Solution with NAT
- NAT can transparently change a network-internal, private address to a public address:
  - A new mapping is dynamically created when the first packet of a connection passes the NAT.
  - Return traffic uses the same mapping in the other direction.
  - Normally only outbound connections are allowed.
  - TCP/UDP ports are often used for multiplexing.
- NAT always checks the translation table for an entry before the access lists.
- NAT provides some shielding for the internal network.
Simple NAT (diagram)
- One NAT sits between the private IP addresses of the local network and the public IP addresses of the Internet.

Multiple NAT (diagram)
- NAT can be cascaded: a home NAT between the home network and the ISP network, and an ISP NAT between the ISP network and the Internet.
- Addresses shown in the figure: 192.168.2.12 and 192.168.2.99 in the home network, 10.0.0.12 in the ISP network, and the public address 156.148.70.32.
NAT Terminology

            Local                                    Global
  Inside    An IP address not routable on the        An IP address that is routable on the
            Internet that refers to a device         Internet that refers to a device
            inside our network                       inside our network
  Outside   An IP address not routable on the        An IP address that is routable on the
            Internet that refers to a device         Internet that refers to a device
            outside our network                      outside our network
Translation Modes
1. Static Translation: a block of external addresses is translated to a same-size block of internal addresses.
2. Dynamic Translation (IP Masquerading): a large number of internal users share a single external address or a pool of external addresses.
3. PAT (Port Address Translation).

Translation Modes (address terms)
- Inside Local Address (10.1.1.100): the private IP address that is being translated into a public IP address.
- Inside Global Address (4.4.4.4): the public IP address that the private IP address is translated to.
- Outside Global Address (3.3.3.3): the destination's IP address.
- Outside Local Address: the destination's private IP address.
Static Translation
- Map a range of external addresses to the same-size block of internal addresses.
- The firewall just does a simple translation of each address.
- Port forwarding: map a specific port through the firewall rather than all ports; useful to expose a specific service on the internal network to the public network.

Static Translation
- Static translations are entered directly into the configuration and are always in the translation table:
  ip nat inside source static 10.6.1.20 171.69.68.10

Static Translation (example)
- Source address 10.1.1.100, destination address 3.3.3.3.
- We statically tell the router to translate a single inside local address into a single inside global address.
- 10.1.1.100 will be mapped to 4.4.4.2 (one of the inside global addresses provided by our ISP).
  Inside Global   Inside Local
  4.4.4.2         10.1.1.100
Dynamic Translation
- Individual hosts inside the firewall are identified by the port of each connection flowing through the firewall.
- Since a connection does not exist until an internal host requests one through the firewall to an external host, and most firewalls open ports only for the addressed host, only that host can route back into the internal network.
- IP source routing could route back in, but most firewalls block incoming source-routed packets.
- NAT only prevents external hosts from making connections to internal hosts.
- Some protocols won't work: those that rely on separate connections back into the local network.

Dynamic Translation
- Dynamic translations use access lists to identify the IP addresses that NAT should create translations for:
  ip nat inside source list 1 pool nat-pool
  access-list 1 permit 10.0.0.0 0.255.255.255

Dynamic Translation
- A type of NAT in which an inside local address is mapped to an inside global address drawn from a pool of registered (public) IP addresses.
- Typically, the router keeps a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an address from the table that is not being used by another private IP address at that time.
  Inside Local Address   Inside Global Address   Outside Global Address
  10.1.1.101             4.4.4.2                 3.3.3.3
  10.1.1.102             4.4.4.3                 3.3.3.3
Static vs. Dynamic Translations
- Static translations:
  - When you need to be able to initiate a connection from both the inside and the outside interfaces (e.g. SMTP, Web).
  - Or when you want a specific host to be translated to a specific IP address.
- Dynamic translations:
  - When you want to initiate connections from only the inside or only the outside.

PAT Translation
- What if we have multiple inside local addresses and only one inside global address? In this case we use PAT.
- PAT keeps track of port numbers:
  - 10.1.1.101:44252 -> 4.4.4.4:4096
  - 10.1.1.102:17115 -> 4.4.4.4:4097
- Source address 10.1.1.101:44252, destination address 3.3.3.3:80.
  Inside Local Address   Inside Global Address   Outside Global Address
  10.1.1.101:44252       4.4.4.4:4096            3.3.3.3:80
  10.1.1.102:17115       4.4.4.4:4097            3.3.3.3:80
Compare between NAT & PAT
- NAT changes the IP addresses in the IP header.
  Diagram (my network host 10.6.1.20, NAT device, Internet host):
  Outbound packet before NAT:  Src Addr 10.6.1.20,      Dest Addr Internet Host
  Outbound packet after NAT:   Src Addr 171.69.68.10,   Dest Addr Internet Host
  Return packet before NAT:    Src Addr Internet Host,  Dest Addr 171.69.68.10
  Return packet after NAT:     Src Addr Internet Host,  Dest Addr 10.6.1.20
Compare between NAT & PAT
- Port Address Translation (PAT) extends NAT from "one-to-one" to "many-to-one" by associating the source port with each flow.
  Diagram (my network hosts 10.6.1.20 and 10.6.1.6, PAT device with public address 171.69.68.10, Internet hosts Host 1 and Host 2):
  Outbound packet from 10.6.1.6 before PAT:   Src Addr 10.6.1.6,      Src Port 1506,      Dest Addr Host 2,        Dest Port Any Port
  Outbound packet from 10.6.1.6 after PAT:    Src Addr 171.69.68.10,  Src Port 1506,      Dest Addr Host 2,        Dest Port Any Port
  Outbound packet from 10.6.1.20 before PAT:  Src Addr 10.6.1.20,     Src Port 2031,      Dest Addr Host 1,        Dest Port Any Port
  Outbound packet from 10.6.1.20 after PAT:   Src Addr 171.69.68.10,  Src Port 2031,      Dest Addr Host 1,        Dest Port Any Port
  Return packet from Host 2 before PAT:       Src Addr Host 2,        Src Port Any Port,  Dest Addr 171.69.68.10,  Dest Port 1506
NAT Kinds
1. Full cone NAT
2. Restricted cone NAT
3. Port restricted cone NAT
4. Symmetric NAT

Full cone NAT
- A full cone NAT is a NAT where all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Once a mapping is created, all incoming traffic to that public address and port is routed to the internal host without checking the address of the remote host.
Full cone NAT (diagram)
Host A (192.168.2.2) is behind the full cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) are outside.
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
- NAT -> B:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
- B -> NAT:  Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
- NAT -> A:  Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
- C -> NAT:  Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)   (A never sent anything to C)
- NAT -> A:  Packet(S=1.1.1.6:1234, D=192.168.2.2:4445)  (delivered anyway)

Full cone NAT
- Mapping:
  192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  ALLOW ALL TO 1.1.1.4:10100
Restricted cone NAT
- In a restricted cone NAT, like in a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Unlike a full cone NAT, a remote host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.

Restricted cone NAT (diagram)
Host A (192.168.2.2) is behind the restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) are outside.
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
- NAT -> B:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
- B -> NAT:  Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
- NAT -> A:  Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
- C -> NAT:  Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)   X dropped: A has not sent to 1.1.1.6 yet
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
- NAT -> C:  Packet(S=1.1.1.4:10100, D=1.1.1.6:7777)
- C -> NAT:  Packet(S=1.1.1.6:4321, D=1.1.1.4:10100)
- NAT -> A:  Packet(S=1.1.1.6:4321, D=192.168.2.2:4445)

Restricted cone NAT
- Mapping:
  192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  ALLOW 1.1.1.5 TO 1.1.1.4:10100
  ALLOW 1.1.1.6 TO 1.1.1.4:10100
Port restricted cone NAT
- A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
- Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.

Port restricted cone NAT (diagram)
Host A (192.168.2.2) is behind the port restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) are outside.
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
- NAT -> B:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
- B -> NAT:  Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
- NAT -> A:  Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
- B -> NAT:  Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)   X dropped: A sent to port 7777, not 4321

Port restricted cone NAT
- Mapping:
  192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
STUN - Session Traversal Utilities for NAT
- STUN is a standardized set of methods and a network protocol that allows an end host to discover its public IP address if it is located behind a NAT.
- It is used to permit NAT traversal for real-time voice, video, messaging and other interactive IP communications.
- STUN is intended to be a tool used by other protocols, such as ICE.
Symmetric NAT
- A symmetric NAT is a NAT where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port.
- If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.

Symmetric NAT (diagram)
Host A (192.168.2.2) is behind the symmetric NAT (inside 192.168.2.1, outside 1.1.1.4); Host B (1.1.1.5) and Host C (1.1.1.6) are outside.
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
- NAT -> B:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
- B -> NAT:  Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
- NAT -> A:  Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
- A -> NAT:  Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
- NAT -> C:  Packet(S=1.1.1.4:10179, D=1.1.1.6:7777)   (new destination, new mapping)
- C -> NAT:  Packet(S=1.1.1.6:7777, D=1.1.1.4:10179)
- NAT -> A:  Packet(S=1.1.1.6:7777, D=192.168.2.2:4445)
- C -> NAT:  Packet(S=1.1.1.6:7777, D=1.1.1.4:10100)   X dropped: 10100 is the mapping for B only

Symmetric NAT
- Mapping:
  192.168.2.2:4445 <-> 1.1.1.4:10100
  192.168.2.2:4445 <-> 1.1.1.4:10179
- Policy:
  ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
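The four NAT kinds above, replayed as an added example (this is not code from the slides and not any vendor's NAT implementation): a small Python simulator that keeps the mapping table and applies the filtering policy of a full cone, restricted cone, port restricted cone and symmetric NAT to the slides' own packets (Host A 192.168.2.2:4445 behind NAT 1.1.1.4, Host B 1.1.1.5 and Host C 1.1.1.6 outside). The class and function names, and the port allocator that hands out 10100 and then 10179, are this example's own assumptions.

```python
"""Added example (not from the slides): simulator for the four NAT kinds.
Names, the port allocator and the policy wording are this example's own."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatKind(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


@dataclass
class Nat:
    kind: NatKind
    public_ip: str = "1.1.1.4"        # outside address of the NAT (slide value)
    next_port: int = 10100            # first external port handed out (slide value)
    # cone NATs: one mapping per internal endpoint;
    # symmetric NAT: one mapping per (internal endpoint, destination) pair
    mappings: Dict[tuple, int] = field(default_factory=dict)
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # remote endpoints each external port has been used to send to
    peers: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint):
        return (src, dst) if self.kind is NatKind.SYMMETRIC else src

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an internal->external packet, creating the binding if needed."""
        key = self._key(src, dst)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 79       # assumed stride: yields 10100, then 10179 as in the slides
            self.mappings[key] = port
            self.reverse[(self.public_ip, port)] = src
            self.peers[port] = set()
        port = self.mappings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Apply the filtering policy to an external->internal packet.
        Returns the internal endpoint, or None when the packet is dropped."""
        if dst not in self.reverse:
            return None                # no binding for that public address:port
        peers = self.peers[dst[1]]
        if self.kind is NatKind.FULL_CONE:
            allowed = True             # anyone may use the mapping
        elif self.kind is NatKind.RESTRICTED_CONE:
            allowed = any(ip == src[0] for ip, _ in peers)   # IP must have been contacted
        else:                          # port restricted cone and symmetric: exact ip:port
            allowed = src in peers
        return self.reverse[dst] if allowed else None


def walk_through(kind: NatKind) -> dict:
    """Replay the slides' scenario and collect what each NAT kind does."""
    nat = Nat(kind)
    a = ("192.168.2.2", 4445)
    ext_b = nat.outbound(a, ("1.1.1.5", 7777))          # A talks to B first
    results = {
        "mapping_to_b": ext_b,
        "b_replies_other_port": nat.inbound(("1.1.1.5", 4321), ext_b),
        "b_replies_same_port": nat.inbound(("1.1.1.5", 7777), ext_b),
        "c_unsolicited": nat.inbound(("1.1.1.6", 1234), ext_b),
    }
    ext_c = nat.outbound(a, ("1.1.1.6", 7777))          # then A talks to C
    results["mapping_to_c"] = ext_c
    results["c_after_contact"] = nat.inbound(("1.1.1.6", 7777), ext_c)
    results["c_to_first_mapping"] = nat.inbound(("1.1.1.6", 7777), ext_b)
    return results


if __name__ == "__main__":
    for kind in NatKind:
        print(kind.value, walk_through(kind))
```

Running walk_through(NatKind.SYMMETRIC) reproduces the X in the symmetric diagram: C's packet to the first mapping 1.1.1.4:10100 is dropped, whereas the full cone NAT delivers even the unsolicited packet from C. That difference is what STUN has to discover before an application can know which inbound traffic will ever reach it.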
Binding timeout
- When a NAT device creates a binding (a public-private IP address mapping), it associates a timer with it.
- The timer is used to destroy the binding once there is no activity/traffic associated with the binding.
- Because of this, a NAT-aware application that wishes to keep the binding open must periodically send outbound packets, a mechanism known as keep-alive; otherwise it will ultimately lose the binding and be unable to receive incoming packets from the Internet.
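Added example (not from the slides) that puts the PAT table of the PAT Translation slide together with the binding timeout just described: a Python port address translator that rewrites outbound address/port pairs, reverses them for return traffic, refreshes a binding's timer on every packet and destroys idle bindings. Addresses and ports are the slides' values (10.1.1.101:44252 and 10.1.1.102:17115 to 3.3.3.3:80 via 4.4.4.4:4096 and :4097); the 300-second timeout, the simulated clock passed as `now` and all names are this example's assumptions.

```python
"""Added example (not from the slides): PAT table with idle-timeout bindings.
The timeout value, the simulated clock and all names are assumptions."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class PatTable:
    def __init__(self, global_ip: str = "4.4.4.4", first_port: int = 4096,
                 timeout: float = 300.0) -> None:
        self.global_ip = global_ip
        self.next_port = first_port
        self.timeout = timeout                     # seconds of idleness before a binding dies
        self.out: Dict[Endpoint, int] = {}         # inside local endpoint -> global port
        self.back: Dict[int, Endpoint] = {}        # global port -> inside local endpoint
        self.last_seen: Dict[int, float] = {}      # global port -> time of last traffic

    def _expire(self, now: float) -> None:
        """Destroy every binding that has been idle longer than the timeout."""
        dead = [p for p, t in self.last_seen.items() if now - t > self.timeout]
        for p in dead:
            local = self.back.pop(p)
            self.out.pop(local)
            self.last_seen.pop(p)

    def translate_out(self, src: Endpoint, dst: Endpoint,
                      now: float) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of an outbound packet. Any outbound packet,
        including a keep-alive with no payload, refreshes the binding's timer."""
        self._expire(now)
        if src not in self.out:                    # first packet of a flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out[src] = port
            self.back[port] = src
        port = self.out[src]
        self.last_seen[port] = now
        return (self.global_ip, port), dst

    def translate_in(self, src: Endpoint, dst: Endpoint,
                     now: float) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of a return packet, or return None (drop)
        when no live binding exists for the global port it was sent to."""
        self._expire(now)
        if dst[0] != self.global_ip or dst[1] not in self.back:
            return None
        self.last_seen[dst[1]] = now
        return src, self.back[dst[1]]


def demo() -> dict:
    """Two inside hosts share 4.4.4.4; only one of them sends keep-alives."""
    pat = PatTable()
    web = ("3.3.3.3", 80)
    h1 = ("10.1.1.101", 44252)
    h2 = ("10.1.1.102", 17115)
    o1 = pat.translate_out(h1, web, now=0.0)       # -> ("4.4.4.4", 4096)
    o2 = pat.translate_out(h2, web, now=1.0)       # -> ("4.4.4.4", 4097)
    reply_to_h2 = pat.translate_in(web, o2[0], now=2.0)
    pat.translate_out(h1, web, now=200.0)           # keep-alive refreshes h1's binding only
    # at t=400 h2 has been idle for 398 s (> 300) and h1 for 200 s
    h2_after_idle = pat.translate_in(web, o2[0], now=400.0)
    h1_after_idle = pat.translate_in(web, o1[0], now=400.0)
    return {"h1_global": o1[0], "h2_global": o2[0], "reply_to_h2": reply_to_h2,
            "h2_after_idle": h2_after_idle, "h1_after_idle": h1_after_idle,
            "live_bindings": len(pat.back)}


if __name__ == "__main__":
    print(demo())
```

The return packet for host 2 at t=400 is dropped because its binding expired; the same packet for host 1 still gets through because the keep-alive at t=200 reset the timer. A real device also keys the binding on the protocol and, for TCP, watches the connection state, which this simulator leaves out.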
NAT Scenario
1. Pooling of IP addresses
2. Supporting migration between network service providers
3. IP masquerading
4. Load balancing of servers

Pooling of IP addresses
- Scenario:
  - A corporate network has many hosts but only a small number of public IP addresses.
- NAT solution:
  - The corporate network is managed with a private address space.
  - A NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
  - When a host from the corporate network sends an IP datagram to a host on the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host.

Pooling of IP addresses (diagram)
- H1 (private address 10.0.1.2) in the private network sends to H5 (public address 213.168.112.3) on the Internet.
- Before the NAT device: Source = 10.0.1.2, Destination = 213.168.112.3.
- After the NAT device: Source = 128.143.71.21, Destination = 213.168.112.3.
- NAT device translation table: private address 10.0.1.2 <-> public address 128.143.71.21, taken from the pool of addresses 128.143.71.0-128.143.71.30.
Migration between network service providers
- Multiple Internet connections are attached to a NAT firewall, which chooses among them based on bandwidth, congestion and availability.
- This can be used to provide automatic fail-over of servers or load balancing.
- The firewall is connected to multiple ISPs with a masquerade for each ISP and chooses which ISP to use based on client load:
  - kind of like reverse load balancing;
  - a dead ISP is treated as a fully loaded one, and the client is routed through another ISP.

Migration between network service providers
- Scenario:
  - In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device has static address translation entries which bind the private address of a host to the public address.
  - Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
- Note:
  - The difference from the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.
IP masquerading
- Also called:
  - Network address and port translation (NAPT), port address translation (PAT).
- Scenario:
  - A single public IP address is mapped to multiple hosts in a private network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device modifies the port numbers for outgoing traffic.

IP masquerading (diagram)
- H1 (private address 10.0.1.2) sends with Source = 10.0.1.2, Source port = 2001; after the NAT device: Source = 128.143.71.21, Source port = 2100.
- H2 (private address 10.0.1.3) sends with Source = 10.0.1.3, Source port = 3020; after the NAT device: Source = 128.143.71.21, Source port = 4444.
- NAT device translation table (private address/port <-> public address/port):
  10.0.1.2/2001   128.143.71.21/2100
  10.0.1.3/3020   128.143.71.21/4444
Load balancing of servers
- Scenario:
  - Balance the load on a set of identical servers, which are accessible from a single IP address.
- NAT solution:
  - Here, the servers are assigned private addresses.
  - The NAT device acts as a proxy for requests to the server from the public network.
  - The NAT device changes the destination IP address of arriving packets to one of the private addresses of a server.
  - A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.

Load balancing of servers
- A single incoming IP address is distributed across a number of internal servers.
- A firewall dynamically maps a request to a pool of identical clone machines:
  - often done for really busy web sites;
  - each clone must have a way to notify the firewall of its current load so the firewall can choose a target machine,
  - or the firewall just uses a dispatching algorithm like round robin.
- Only works for stateless protocols (like HTTP).
Concerns about NAT
1. Performance
2. Fragmentation
3. End-to-end connectivity
4. IP address in application data

Performance
- Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum.
- Modifying the port number requires that NAT boxes recalculate the TCP checksum.
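Added example (not from the slides) of the checksum work described above, using the earlier static mapping 10.6.1.20 -> 171.69.68.10: a Python script builds a constructed 20-byte IPv4 header, recomputes the header checksum from scratch after the source address is rewritten, and also applies the incremental update of RFC 1624, which is how a NAT avoids re-summing the whole header; the two results must agree. Function names and the sample header fields are this example's own. One caveat the slide leaves implicit: the TCP and UDP checksums cover a pseudo-header that contains both IP addresses, so an address change alone already forces the transport checksum to be updated, not only a port change.

```python
"""Added example (not from the slides): IPv4 header checksum recomputation,
from scratch and incrementally (RFC 1624), after a NAT rewrites the source
address. Header field values are constructed sample data."""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of a byte string (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: complement of the sum over the header with
    the checksum field itself treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def checksum_field(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]


def verify_header(header: bytes) -> bool:
    """What a receiver does: the sum over the whole header must be 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed sample:
    id 0x1234, DF set, TTL 64)."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), in one's-complement arithmetic.
    Only the changed field is touched, not the whole header."""
    hc = (~old_csum) & 0xFFFF
    not_m = bytes(b ^ 0xFF for b in old_field)
    total = ones_complement_sum(struct.pack("!H", hc) + not_m + new_field)
    return (~total) & 0xFFFF


def demo() -> dict:
    """Rewrite the source address the way the static NAT slide does and
    compare the incremental checksum with a full recomputation."""
    old_src, new_src = "10.6.1.20", "171.69.68.10"          # values from the slides
    before = build_ipv4_header(old_src, "128.143.71.21", payload_len=40)
    new_src_bytes = ipaddress.IPv4Address(new_src).packed
    fast = incremental_update(checksum_field(before), before[12:16], new_src_bytes)
    after = before[:10] + struct.pack("!H", fast) + new_src_bytes + before[16:20]
    # a NAT that rewrote the address but kept the old checksum would emit a
    # header every receiver discards
    stale = before[:12] + new_src_bytes + before[16:20]
    return {
        "before_valid": verify_header(before),
        "after_valid": verify_header(after),
        "incremental_matches_full": fast == ip_checksum(after),
        "stale_checksum_rejected": not verify_header(stale),
        "checksum_before": checksum_field(before),
        "checksum_after": fast,
    }


if __name__ == "__main__":
    print(demo())
```

The incremental form matters on a busy NAT because a header rewrite of four bytes costs three 16-bit additions instead of ten, and the same formula applies to the port field in the transport header once the pseudo-header change is folded in.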
Fragmentation
- Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of its fragments.

End-To-End Connectivity
- NAT destroys the universal end-to-end reachability of hosts on the Internet.
- A host on the public Internet often cannot initiate communication to a host in a private network.
- The problem is worse when two hosts that are each in a private network need to communicate with each other.

IP address in application data
- Applications that carry IP addresses in the payload of the application data generally do not work across the private/public network boundary.
- Some NAT devices inspect the payload of widely used application-layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.

Problems with NAT
- Can't be used with:
  - protocols that require a separate back-channel (FTP);
  - protocols that encrypt TCP headers;
  - protocols that embed TCP address information;
  - protocols that specifically use the original IP address for some security reason.
- (the solutions)

How Much Memory?
- Needs 42 Kb of system memory to enable NAT.
- 160-200 bytes for each entry in the NAT translation table.
- 1,000 entries use approximately 205 Kb of memory (includes the 42 Kb).

NAT in IPv6
- Network address translation is not commonly used in IPv6, as one of its aims is to restore true host-to-host connectivity.
- NAT loopback is not commonly needed. Although still possible, the large addressing space of IPv6 obviates the need to conserve addresses, and every device can be given a unique globally routable address.
- NAT loopback, when implemented, works as in IPv4.
Apply NAT in Packet Tracer
1. Configure Static NAT
2. Configure Dynamic NAT
3. Configure Dynamic PAT
Configure Static NAT
- Configure R1:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1
R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#

Configure Static NAT
- Configure R0:
Router>enable
Router#configure terminal
Router(config)#hostname R0
R0(config)#interface fastethernet 0/0
R0(config-if)#ip address 30.0.0.1 255.0.0.0
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#interface serial 0/0/0
R0(config-if)#ip address 20.0.0.1 255.0.0.0
R0(config-if)#clock rate 64000
R0(config-if)#bandwidth 64
R0(config-if)#no shutdown
R0(config-if)#exit
R0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
R0(config)#

Configure Static NAT
- As you have seen in the configuration, there is no direct route to 10.0.0.2, so a PC on the 30.0.0.0 network will never know about it.
- They access 50.0.0.1 as the web server IP. To test it, double-click any computer and ping 50.0.0.1; you will get a reply.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126
Ping statistics for 50.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 141ms, Average = 113ms

Configure Static NAT
- Now ping 10.0.0.2 and you will get a destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Configure Static NAT
- This demonstration shows how companies use NAT to hide their internal network from the outside world. Now open a web browser on any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
Configure Dynamic NAT
- In this example our internal network is using the 192.168.0.0 network. We have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use.
- Configure Router0:
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit

Configure Dynamic NAT
- Configure Router1:
Router>enable
Router#configure terminal
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Router(config)#hostname R2

Configure Dynamic NAT
- To test NAT, go to R1 and enable NAT debugging from privileged mode:
R1#debug ip nat
- Now go to a PC and ping 20.0.0.2.

Configure Dynamic NAT
- When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet is generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address to, which you can see in the output of the debug command on R1:
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]

Configure Dynamic NAT
- As you can see in the output, 192.168.0.7 is translated to 50.0.0.1 before leaving the router.
- Now check for web access from any client PC.
Configure Dynamic PAT
- In dynamic NAT, translation is made IP to IP, so you need as many global IP addresses as you have inside local addresses. That's an issue if you have few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
- For the demonstration we configure the same topology we used for dynamic NAT, but this time we use only one global IP address, 50.0.0.1.

Configure Dynamic PAT
- The IP addresses of the PCs are already configured; double-click R1 and configure it as given here.
- Configure R1:
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#

Configure Dynamic PAT
- Configure R2:
Router>enable
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 30.0.0.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname R2
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

Configure Dynamic PAT
- Now go to a PC and ping 20.0.0.2.

Configure Dynamic PAT
- To verify PAT, go to R1 and run show ip nat translations:
R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
- As you can see, this time the address translation is done with port addresses instead of IP addresses.
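Added example (not from the slides): a Python parser for the show ip nat translations output above that checks what PAT is supposed to deliver, namely that every entry shares one inside global address while each gets a distinct port (for ICMP the port column carries the ICMP identifier), and lists which inside hosts are hiding behind that address. The sample text is the slide's output; the parser and the check functions are this example's own.

```python
"""Added example (not from the slides): parse `show ip nat translations`
output and verify the many-to-one property of PAT. SAMPLE is the slide's
output; the parsing and checks are this example's own."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Pro  Inside global      Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
"""

# address with an optional :port (static entries without ports use "---" columns,
# which this parser treats as absent)
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")


def parse_endpoint(token: str) -> Optional[Tuple[str, Optional[int]]]:
    if token == "---":
        return None
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError("not an address[:port] token: %r" % token)
    return m.group(1), int(m.group(2)) if m.group(2) else None


def parse_translations(text: str) -> List[Dict]:
    """One dict per translation row; the header line and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": parse_endpoint(ig),
                     "inside_local": parse_endpoint(il),
                     "outside_local": parse_endpoint(ol),
                     "outside_global": parse_endpoint(og)})
    return rows


def check_pat(rows: List[Dict]) -> Dict:
    """The properties an operator verifies after `overload` is configured:
    one inside global address, and a distinct global port per entry so that
    return traffic can be demultiplexed."""
    global_ips = {r["inside_global"][0] for r in rows if r["inside_global"]}
    global_ports = [r["inside_global"][1] for r in rows if r["inside_global"]]
    return {
        "entries": len(rows),
        "single_global_ip": len(global_ips) == 1,
        "global_ports_unique": len(set(global_ports)) == len(global_ports),
        "overloaded": len(global_ips) == 1 and len(rows) > 1,
    }


def inside_hosts(rows: List[Dict]) -> List[str]:
    """Sorted list of the inside local addresses currently behind the NAT."""
    return sorted({r["inside_local"][0] for r in rows if r["inside_local"]})


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(check_pat(table), inside_hosts(table))
```

Against the slide's output the check reports four entries, one global address 50.0.0.1, four distinct ports and a single inside host 192.168.0.7. The same parser run over the dynamic NAT case (one global address per inside host, no port column) would report single_global_ip as false, which is the quickest way to tell the two modes apart from the translation table alone.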
Thank You
Cisco discovery d homesb module 5 - v.4 in english.
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
IPv6
IPv6IPv6
IPv6
 
Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration,NAT in ASA FirewallBasic ASA Configuration,NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
Ip addressing
Ip addressingIp addressing
Ip addressing
 

Plus de Joud Khattab

Customer Engagement Management
Customer Engagement ManagementCustomer Engagement Management
Customer Engagement ManagementJoud Khattab
 
Design thinking and Role Playing
Design thinking and Role PlayingDesign thinking and Role Playing
Design thinking and Role PlayingJoud Khattab
 
Algorithms and Data Structure 2020
Algorithms and Data Structure 2020Algorithms and Data Structure 2020
Algorithms and Data Structure 2020Joud Khattab
 
Artificial Intelligence 2020
Artificial Intelligence 2020Artificial Intelligence 2020
Artificial Intelligence 2020Joud Khattab
 
Automata and Compiler 2020
Automata and Compiler 2020Automata and Compiler 2020
Automata and Compiler 2020Joud Khattab
 
Software Engineering 2020
Software Engineering 2020Software Engineering 2020
Software Engineering 2020Joud Khattab
 
Software Engineering 2018
Software Engineering 2018Software Engineering 2018
Software Engineering 2018Joud Khattab
 
Automate and Compiler 2018
Automate and Compiler 2018Automate and Compiler 2018
Automate and Compiler 2018Joud Khattab
 
Artificial Intelligence 2018
Artificial Intelligence 2018Artificial Intelligence 2018
Artificial Intelligence 2018Joud Khattab
 
Algorithms and Data Structure 2018
Algorithms and Data Structure 2018Algorithms and Data Structure 2018
Algorithms and Data Structure 2018Joud Khattab
 
Geospatial Information Management
Geospatial Information ManagementGeospatial Information Management
Geospatial Information ManagementJoud Khattab
 
Big Data for Development
Big Data for DevelopmentBig Data for Development
Big Data for DevelopmentJoud Khattab
 
Personality Detection via MBTI Test
Personality Detection via MBTI TestPersonality Detection via MBTI Test
Personality Detection via MBTI TestJoud Khattab
 
Optimization Techniques
Optimization TechniquesOptimization Techniques
Optimization TechniquesJoud Khattab
 
From Image Processing To Computer Vision
From Image Processing To Computer VisionFrom Image Processing To Computer Vision
From Image Processing To Computer VisionJoud Khattab
 

Plus de Joud Khattab (20)

Customer Engagement Management
Customer Engagement ManagementCustomer Engagement Management
Customer Engagement Management
 
Design thinking and Role Playing
Design thinking and Role PlayingDesign thinking and Role Playing
Design thinking and Role Playing
 
Algorithms and Data Structure 2020
Algorithms and Data Structure 2020Algorithms and Data Structure 2020
Algorithms and Data Structure 2020
 
Artificial Intelligence 2020
Artificial Intelligence 2020Artificial Intelligence 2020
Artificial Intelligence 2020
 
Automata and Compiler 2020
Automata and Compiler 2020Automata and Compiler 2020
Automata and Compiler 2020
 
Database 2020
Database 2020Database 2020
Database 2020
 
Software Engineering 2020
Software Engineering 2020Software Engineering 2020
Software Engineering 2020
 
Software Engineering 2018
Software Engineering 2018Software Engineering 2018
Software Engineering 2018
 
Database 2018
Database 2018Database 2018
Database 2018
 
Automate and Compiler 2018
Automate and Compiler 2018Automate and Compiler 2018
Automate and Compiler 2018
 
Artificial Intelligence 2018
Artificial Intelligence 2018Artificial Intelligence 2018
Artificial Intelligence 2018
 
Algorithms and Data Structure 2018
Algorithms and Data Structure 2018Algorithms and Data Structure 2018
Algorithms and Data Structure 2018
 
Data Storytelling
Data StorytellingData Storytelling
Data Storytelling
 
Geospatial Information Management
Geospatial Information ManagementGeospatial Information Management
Geospatial Information Management
 
Big Data for Development
Big Data for DevelopmentBig Data for Development
Big Data for Development
 
Personality Detection via MBTI Test
Personality Detection via MBTI TestPersonality Detection via MBTI Test
Personality Detection via MBTI Test
 
Fog Computing
Fog ComputingFog Computing
Fog Computing
 
Seasonal ARIMA
Seasonal ARIMASeasonal ARIMA
Seasonal ARIMA
 
Optimization Techniques
Optimization TechniquesOptimization Techniques
Optimization Techniques
 
From Image Processing To Computer Vision
From Image Processing To Computer VisionFrom Image Processing To Computer Vision
From Image Processing To Computer Vision
 

Dernier

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Dernier (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Network Address Translation (NAT)

  • 8. Solution with NAT
    - NAT can transparently change a network-internal, private address to a public address.
    - A new mapping is created dynamically when the first packet of a connection passes the NAT.
    - Return traffic uses the same mapping in the other direction.
    - Normally only outbound connections are allowed.
    - TCP/UDP ports are often used for multiplexing.
    - NAT always checks the translation table for an existing entry before consulting the access list that selects which addresses to translate.
    - NAT provides some shielding for the internal network, but it is not a firewall: unsolicited inbound connections are blocked only because no mapping exists for them.
    By Joud Khattab
  • 9. Solution with NAT (figure)
  • 10. Simple NAT (figure): a NAT device sits between the private network (private IP addresses) and the main Internet (public IP addresses).
  • 11. Multiple NAT (figure): a home NAT translates the home network (addresses 192.168.2.12 and 192.168.2.99 in the figure) into the ISP's private address space (10.0.0.12), and the ISP's own NAT translates once more to a public address (156.148.70.32) on the main Internet, so every packet crosses two translations in each direction.
  • 12. NAT Terminology
    - Inside local: an IP address that is not routable on the Internet and refers to a device inside our network.
    - Inside global: an IP address that is routable on the Internet and refers to a device inside our network.
    - Outside local: an IP address that is not routable on the Internet and refers to a device outside our network.
    - Outside global: an IP address that is routable on the Internet and refers to a device outside our network.
  • 13. Translation Modes
    1. Static translation: a block of external addresses is translated to a same-size block of internal addresses.
    2. Dynamic translation (IP masquerading): a large number of internal users share a single external address or a pool of external addresses.
    3. PAT (Port Address Translation).
  • 14. Translation Modes (the terminology applied to one flow)
    - Inside local address (10.1.1.100): the private IP address that is being translated into a public IP address.
    - Inside global address (4.4.4.4): the public IP address that the private IP address is translated to.
    - Outside global address (3.3.3.3): the destination's IP address.
    - Outside local address: the destination's address as seen from inside the private network.
  • 15. Static Translation
    - Maps a range of external addresses to a same-size block of internal addresses.
    - The firewall just does a simple translation of each address.
    - Port forwarding: map a specific port through the firewall rather than all ports; useful to expose a specific service on the internal network to the public network.
  • 16. Static Translation
    - Static translations are entered directly into the configuration and are always present in the translation table:
        ip nat inside source static 10.6.1.20 171.69.68.10
    - The translation only takes effect on interfaces marked with ip nat inside (toward the private network) and ip nat outside (toward the Internet).
  • 17. Static Translation (worked example)
    - Packet from the inside host: source address 10.1.1.100, destination address 3.3.3.3.
    - We statically tell the router to translate a single inside local address into a single inside global address: 10.1.1.100 is mapped to 4.4.4.2 (one of the inside global addresses provided by our ISP).
    - Translation table entry: inside global 4.4.4.2 <-> inside local 10.1.1.100.
  • 18. Dynamic Translation
    - Individual hosts inside the firewall are identified by the state (addresses and ports) of each connection flowing through the firewall.
    - A connection does not exist until an internal host requests one through the firewall to an external host, and most firewalls open ports only for the addressed host, so only that host can route back into the internal network.
    - IP source routing could route back in, but most firewalls block incoming source-routed packets.
    - NAT only prevents external hosts from initiating connections to internal hosts.
    - Some protocols won't work: those that rely on separate connections back into the local network (active-mode FTP is the classic case).
  • 19. Dynamic Translation
    - Dynamic translations use an access list to identify the inside addresses NAT should create translations for, and a pool of public addresses to draw from:
        ! pool definition; the range 171.69.68.10-171.69.68.20 is assumed for this example
        ip nat pool nat-pool 171.69.68.10 171.69.68.20 netmask 255.255.255.0
        ip nat inside source list 1 pool nat-pool
        access-list 1 permit 10.0.0.0 0.255.255.255
    - Adding the overload keyword to the ip nat inside source list command turns this into PAT: many inside addresses share one or a few public addresses, distinguished by port.
  • 20. Dynamic Translation
    - A type of NAT in which an inside local address is mapped to an inside global address drawn from a pool of registered (public) IP addresses.
    - Typically the router keeps a table of registered IP addresses, and when a private IP address requests access to the Internet the router chooses an address from the table that is not currently in use by another private IP address.
        Inside local   Inside global   Outside global
        10.1.1.101     4.4.4.2         3.3.3.3
        10.1.1.102     4.4.4.3         3.3.3.3
  • 21. Static vs. Dynamic Translations
    - Static translations:
      - When you need to be able to initiate a connection from both the inside and the outside interfaces (e.g. SMTP or web servers).
      - Or when you want a specific host to be translated to a specific IP address.
    - Dynamic translations:
      - When connections are initiated from only the inside or only the outside.
  • 22. PAT Translation
    - If we have multiple inside local addresses and only one inside global address, we use PAT.
    - PAT keeps track of port numbers:
        10.1.1.101:44252 -> 4.4.4.4:4096
        10.1.1.102:17115 -> 4.4.4.4:4097
    - Example packet: source address 10.1.1.101:44252, destination address 3.3.3.3:80.
        Inside local        Inside global   Outside global
        10.1.1.101:44252    4.4.4.4:4096    3.3.3.3:80
        10.1.1.102:17115    4.4.4.4:4097    3.3.3.3:80
  • 23. Compare between NAT & PAT
    - NAT changes the IP addresses in the IP header (figure: my network 10.6.1.20 <-> NAT <-> Internet host).
        Outbound packet before NAT: source 10.6.1.20, destination Internet host
        Outbound packet after NAT:  source 171.69.68.10, destination Internet host
        Return packet before NAT:   source Internet host, destination 171.69.68.10
        Return packet after NAT:    source Internet host, destination 10.6.1.20
  • 24. Compare between NAT & PAT
    - Port Address Translation (PAT) extends NAT from one-to-one to many-to-one by associating the source port with each flow (figure: hosts 10.6.1.20 and 10.6.1.6 share 171.69.68.10).
        Before PAT, outbound from 10.6.1.6:  source 10.6.1.6:1506,  destination Host 2 (any port)
        After PAT:                            source 171.69.68.10:1506, destination Host 2
        Before PAT, outbound from 10.6.1.20: source 10.6.1.20:2031, destination Host 1 (any port)
        After PAT:                            source 171.69.68.10:2031, destination Host 1
    - The source ports are left unchanged here because they do not collide; PAT only rewrites a port when it is already in use on the public address.
  • 25. Compare between NAT & PAT
    - Return traffic is demultiplexed by destination port (figure continues slide 24):
        Return packet before PAT: source Host 2 (any port), destination 171.69.68.10:1506
        Return packet after PAT:  source Host 2, destination 10.6.1.6:1506
  • 26. NAT Kinds
    1. Full cone NAT.
    2. Restricted cone NAT.
    3. Port restricted cone NAT.
    4. Symmetric NAT.
  • 27. Full cone NAT
    - A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same public IP address and port.
    - Once a mapping is created, all incoming traffic to that public address and port is routed to the internal host without checking the address of the remote host.
  • 28. Full cone NAT (figure)
    - Host A 192.168.2.2 is behind the NAT (inside 192.168.2.1, outside 1.1.1.4); Host B is 1.1.1.5 and Host C is 1.1.1.6.
    - A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) leaves the NAT as Packet(S=1.1.1.4:10100, D=1.1.1.5:7777).
    - B -> A: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:4321, D=192.168.2.2:4445).
    - C -> A: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.6:1234, D=192.168.2.2:4445), although A never sent anything to C.
  • 29. Full cone NAT
    - Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
    - Policy: ALLOW ALL TO 1.1.1.4:10100
  • 30. Restricted cone NAT
    - In a restricted cone NAT, as in a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port.
    - Unlike a full cone NAT, a remote host with IP address X can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
  • 31. Restricted cone NAT (figure)
    - Same hosts as on slide 28.
    - A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) leaves as Packet(S=1.1.1.4:10100, D=1.1.1.5:7777).
    - B -> A: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:4321, D=192.168.2.2:4445).
    - C -> A: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) is dropped (X): A has not yet sent anything to 1.1.1.6.
    - A -> C: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777) leaves as Packet(S=1.1.1.4:10100, D=1.1.1.6:7777) through the same mapping.
    - C -> A: Packet(S=1.1.1.6:4321, D=1.1.1.4:10100) is now delivered as Packet(S=1.1.1.6:4321, D=192.168.2.2:4445); only the source IP is checked, not the source port.
  • 32. Restricted cone NAT
    - Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
    - Policy:
        ALLOW 1.1.1.5 TO 1.1.1.4:10100
        ALLOW 1.1.1.6 TO 1.1.1.4:10100
  • 33. Port restricted cone NAT
    - A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
    - Specifically, an external host can send a packet with source IP address X and source port P to the internal host only if the internal host had previously sent a packet to IP address X and port P.
  • 34. Port restricted cone NAT (figure)
    - Same hosts as on slide 28.
    - A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) leaves as Packet(S=1.1.1.4:10100, D=1.1.1.5:7777).
    - B -> A from a different port: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) is dropped (X).
    - B -> A from the contacted port: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:7777, D=192.168.2.2:4445).
  • 35. Port restricted cone NAT
    - Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
    - Policy:
        ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
        ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
  • 36. STUN (Session Traversal Utilities for NAT)
    - STUN is a standardized set of methods and a network protocol that lets an end host discover its public (reflexive) IP address and port when it is located behind a NAT.
    - It is used to permit NAT traversal for real-time voice, video, messaging and other interactive IP communications.
    - STUN is intended as a tool for other protocols, such as ICE, rather than a complete traversal solution on its own.
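How the discovery on slide 36 works on the wire, as an added example that is not part of the original deck: the client sends a 20-byte STUN Binding Request and the server answers with a Binding Success Response whose XOR-MAPPED-ADDRESS attribute carries the address and port the server saw, XORed with the magic cookie (RFC 5389). Here the response is constructed locally so the code runs offline; no STUN server is contacted, the reflexive address 1.1.1.4:10100 is the slides' example, and the function names are this example's own.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value carried in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
IPV4 = 0x01


def build_binding_request(transaction_id: bytes = None) -> bytes:
    """20-byte STUN header (type, length 0, magic cookie, 96-bit transaction id), no attributes."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    if len(tid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def encode_xor_mapped_address(ip: str, port: int) -> bytes:
    """XOR-MAPPED-ADDRESS value for IPv4: reserved, family, port ^ top 16 bits of cookie, address ^ cookie."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, IPV4, x_port, x_addr)


def build_binding_response(transaction_id: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply (stands in for a real STUN server) carrying one XOR-MAPPED-ADDRESS."""
    value = encode_xor_mapped_address(ip, port)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_response(data: bytes, expected_tid: bytes):
    """Return (ip, port) as seen by the server, validating header, cookie, transaction id and lengths."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if data[8:20] != expected_tid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if len(data) < 20 + length:
        raise ValueError("truncated STUN message")
    body, off, found = data[20:20 + length], 0, {}
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) and attr_len == 8 and value[1] == IPV4:
            _, _, port, addr = struct.unpack("!BBHI", value)
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            found[attr_type] = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        off += 4 + attr_len + (-attr_len % 4)   # attribute values are padded to a 4-byte boundary
    # Prefer XOR-MAPPED-ADDRESS: a NAT with a STUN-unaware ALG can rewrite a plain MAPPED-ADDRESS in transit.
    for attr_type in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
        if attr_type in found:
            return found[attr_type]
    raise ValueError("no mapped address attribute in response")


if __name__ == "__main__":
    tid = os.urandom(12)
    request = build_binding_request(tid)
    response = build_binding_response(tid, "1.1.1.4", 10100)   # constructed, not received from a server
    print(request.hex())
    print(parse_binding_response(response, tid))
```

The transaction-id check matters: a reply that does not echo the id we sent is either stale or injected, and a client that accepts it can be steered to a wrong reflexive address. Comparing the returned (ip, port) with the socket's local address tells the host whether a NAT is in the path; what it does not tell the host is which of the four NAT kinds on the following slides it is behind.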
  • 37. Symmetric NAT
    - A symmetric NAT is one where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port.
    - If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that received a packet can send a UDP packet back to the internal host.
    - Consequently, a mapping learned through STUN from one server does not work for a different peer, which is why symmetric NATs defeat simple STUN-based traversal.
  • 38. Symmetric NAT (figure)
  • 39. Symmetric NAT (figure)
    - Same hosts as on slide 28.
    - A -> B: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777) leaves as Packet(S=1.1.1.4:10100, D=1.1.1.5:7777).
    - B -> A: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:7777, D=192.168.2.2:4445).
    - A -> C: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777) gets a new mapping and leaves as Packet(S=1.1.1.4:10179, D=1.1.1.6:7777).
    - C -> A: Packet(S=1.1.1.6:7777, D=1.1.1.4:10179) is delivered as Packet(S=1.1.1.6:7777, D=192.168.2.2:4445).
    - C -> A via B's mapping: Packet(S=1.1.1.6:7777, D=1.1.1.4:10100) is dropped (X).
  • 40. Symmetric NAT
    - Mapping:
        192.168.2.2:4445 <-> 1.1.1.4:10100
        192.168.2.2:4445 <-> 1.1.1.4:10179
    - Policy:
        ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
        ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
  • 41. Binding timeout
    - When a NAT device creates a binding (a public-to-private address mapping), it associates a timer with it.
    - The timer destroys the binding once there is no activity or traffic associated with it.
    - A NAT-aware application that wants to keep the binding open must therefore periodically send outbound packets (a keep-alive); otherwise it eventually loses the binding and can no longer receive incoming packets from the Internet.
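The four behaviours on slides 26-40, the PAT table on slide 22 and the binding timer on slide 41, modelled in one small simulator as an added example (not code from the original deck): packets are (src, dst) endpoint pairs, inside-global ports are handed out sequentially from a starting port (an assumption of the model; the slide shows 10179 for the second symmetric mapping), only outbound traffic refreshes the timer as slide 41 describes, and inbound() returns None wherever the slides draw an X.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Binding:
    inside: Endpoint                     # inside local, e.g. ("192.168.2.2", 4445)
    outside: Endpoint                    # inside global, e.g. ("1.1.1.4", 10100)
    last_seen: float                     # time of the last outbound packet; refreshes the timer
    peers: Set[Endpoint] = field(default_factory=set)  # destinations contacted through this binding


class Nat:
    MODES = ("full_cone", "restricted", "port_restricted", "symmetric")

    def __init__(self, public_ip: str, mode: str, timeout: float = 30.0, first_port: int = 10100):
        if mode not in self.MODES:
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.public_ip, self.mode, self.timeout = public_ip, mode, timeout
        self.next_port = first_port      # assumption: ports are allocated sequentially
        self.by_key: Dict[tuple, Binding] = {}         # lookup key -> binding
        self.by_outside: Dict[Endpoint, Binding] = {}  # inside-global endpoint -> binding

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        # A symmetric NAT creates one mapping per (source, destination) pair;
        # the three cone variants reuse one mapping per source endpoint.
        return (src, dst) if self.mode == "symmetric" else (src,)

    def _expire(self, now: float) -> None:
        """Binding timeout: drop mappings with no outbound traffic for `timeout` seconds."""
        for key, b in list(self.by_key.items()):
            if now - b.last_seen > self.timeout:
                del self.by_key[key]
                del self.by_outside[b.outside]

    def outbound(self, pkt: Packet, now: float = 0.0) -> Packet:
        """Translate an inside-to-outside packet, creating a binding on the first packet of a flow."""
        self._expire(now)
        key = self._key(pkt.src, pkt.dst)
        b = self.by_key.get(key)
        if b is None:
            b = Binding(pkt.src, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.by_key[key] = b
            self.by_outside[b.outside] = b
        b.last_seen = now                # a keep-alive is just another outbound packet
        b.peers.add(pkt.dst)
        return Packet(b.outside, pkt.dst)

    def inbound(self, pkt: Packet, now: float = 0.0):
        """Translate an outside-to-inside packet; return None where the NAT drops it."""
        self._expire(now)
        b = self.by_outside.get(pkt.dst)
        if b is None:
            return None                  # no mapping: unsolicited inbound traffic is dropped
        if self.mode == "full_cone":
            allowed = True               # anyone may reach the mapped port
        elif self.mode == "restricted":
            allowed = any(peer[0] == pkt.src[0] for peer in b.peers)  # source IP must have been contacted
        else:                            # port_restricted and symmetric: exact (ip, port) match required
            allowed = pkt.src in b.peers
        return Packet(pkt.src, b.inside) if allowed else None


if __name__ == "__main__":
    nat = Nat("1.1.1.4", "symmetric")
    print(nat.outbound(Packet(("192.168.2.2", 4445), ("1.1.1.5", 7777))))
    print(nat.outbound(Packet(("192.168.2.2", 4445), ("1.1.1.6", 7777))))
    print(nat.inbound(Packet(("1.1.1.6", 7777), ("1.1.1.4", 10100))))   # dropped, as on slide 39
```

Reading the model as a security control: the only thing separating a full cone NAT from a port forward is that the mapping was created by an outbound packet, so any inside host that can be induced to send one UDP packet exposes a port to the whole Internet for the lifetime of the timer.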
  • 42. NAT Scenario 1. Pooling of IP addresses. 2. Supporting migration between network service providers. 3. IP masquerading. 4. Load balancing of servers. By Joud Khattab 42
  • 43. Pooling of IP addresses 0 Scenario: 0 Corporate network has many hosts but only a small number of public IP addresses. 0 NAT solution: 0 Corporate network is managed with a private address space. 0 NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses. 0 When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host. By Joud Khattab 43
  • 44. Pooling of IP addresses H1 private address: 10.0.1.2 public address: H5 Private network Internet Source = 10.0.1.2 Destination = 213.168.112.3 Source = 128.143.71.21 Destination = 213.168.112.3 public address: 213.168.112.3 NAT device Private Address Public Address 10.0.1.2 Pool of addresses: 128.143.71.0-128.143.71.30 By Joud Khattab 44
• 45. Migration between network service providers
- Multiple Internet connections are attached to a NAT firewall, which chooses and uses one based on bandwidth, congestion and availability.
- Can be used to provide automatic fail-over of servers or load balancing.
- The firewall is connected to multiple ISPs, with a masquerade for each ISP, and chooses which ISP to use based on client load.
  - Kind of like reverse load balancing.
  - A dead ISP is treated as a fully loaded one, and the client is routed through another ISP.
• 46. Migration between network service providers
- Scenario:
  - In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - NAT device has static address translation entries which bind the private address of a host to the public address.
  - Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
- Note:
  - The difference from the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.
• 47. Migration between network service providers (figure)
• 48. IP masquerading
- Also called:
  - Network address and port translation (NAPT), port address translation (PAT).
- Scenario:
  - Single public IP address is mapped to multiple hosts in a private network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - NAT device modifies the port numbers for outgoing traffic.
• 49. IP masquerading
(Figure: two hosts in the private network share the single public address 128.143.71.21.)
- H1, private address 10.0.1.2, sends with Source = 10.0.1.2, Source port = 2001; the packet leaves the NAT device with Source = 128.143.71.21, Source port = 2100.
- H2, private address 10.0.1.3, sends with Source = 10.0.1.3, Source port = 3020; the packet leaves the NAT device with Source = 128.143.71.21, Source port = 4444.
- NAT device translation table:
  Private Address    Public Address
  10.0.1.2/2001      128.143.71.21/2100
  10.0.1.3/3020      128.143.71.21/4444
• 50. Load balancing of servers
- Scenario:
  - Balance the load on a set of identical servers, which are accessible from a single IP address.
- NAT solution:
  - Here, the servers are assigned private addresses.
  - NAT device acts as a proxy for requests to the server from the public network.
  - The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server.
  - A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
• 51. Load balancing of servers
- A single incoming IP address is distributed across a number of internal servers.
- A firewall dynamically maps a request to a pool of identical clone machines.
  - Often done for really busy web sites.
  - Each clone must have a way to notify the firewall of its current load so the firewall can choose a target machine.
  - Or the firewall just uses a dispatching algorithm like round robin.
- Only works for stateless protocols (like HTTP).
• 52. Load balancing of servers (figure)
• 53. Concerns about NAT
1. Performance.
2. Fragmentation.
3. End-to-end connectivity.
4. IP address in application data.
• 54. Performance
- Modifying the IP header by changing the IP address:
  - requires that NAT boxes recalculate the IP header checksum.
- Modifying the port number requires that NAT boxes recalculate the TCP checksum.
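The checksum work described on slide 54, as an added example that is not part of the original deck: a constructed IPv4/UDP packet using the masquerading addresses from slide 49 (10.0.1.2:2001 rewritten to 128.143.71.21:2100, destination 213.168.112.3:53 chosen for the example) has both its IP header checksum and its transport checksum patched incrementally, the RFC 1624 technique NAT boxes use to avoid re-summing the whole packet. The full recomputation is kept alongside so the two can be compared.

```python
# Added example (not from the deck): checksum cost of a NAPT rewrite. Packet fields
# are constructed; the incremental update follows RFC 1624 and is checked against
# a full recomputation of both the IPv4 header and the UDP (pseudo-header) sums.
import struct
from ipaddress import ip_address

def fold(total):
    """Reduce a sum to 16 bits with end-around carry (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data):
    """Internet checksum: complement of the one's-complement sum; 0 means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    return (~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))) & 0xFFFF

def incremental_update(old_csum, old_field, new_field):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied one 16-bit word at a time."""
    acc = (~old_csum) & 0xFFFF
    for (m,), (m2,) in zip(struct.iter_unpack("!H", old_field), struct.iter_unpack("!H", new_field)):
        acc += ((~m) & 0xFFFF) + m2
    return (~fold(acc)) & 0xFFFF

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4 header (TTL 64, no options) plus UDP, checksums filled in."""
    udp_len = 8 + len(payload)
    pseudo = ip_address(src).packed + ip_address(dst).packed + struct.pack("!BBH", 0, 17, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + udp

def nat_rewrite(pkt, new_src, new_sport):
    """NAPT source rewrite: change src IP and port, then patch only the affected sums."""
    old_ip, new_ip = pkt[12:16], ip_address(new_src).packed
    old_port, new_port = pkt[20:22], struct.pack("!H", new_sport)
    ip_csum = incremental_update(struct.unpack("!H", pkt[10:12])[0], old_ip, new_ip)
    # the UDP sum covers the pseudo-header, so the address change reaches it too
    udp_csum = incremental_update(struct.unpack("!H", pkt[26:28])[0],
                                  old_ip + old_port, new_ip + new_port)
    return (pkt[:10] + struct.pack("!H", ip_csum) + new_ip + pkt[16:20]
            + new_port + pkt[22:26] + struct.pack("!H", udp_csum) + pkt[28:])

def verify(pkt):
    """True when both the IP header checksum and the UDP checksum validate."""
    ip, udp = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return checksum(ip) == 0 and checksum(pseudo + udp) == 0
```

Rewriting the source address without touching either checksum leaves a packet that `verify` rejects, which is exactly the work the slide says the NAT box cannot skip.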
• 55. Fragmentation
- Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
• 56. End-To-End Connectivity
- NAT destroys universal end-to-end reachability of hosts on the Internet.
- A host in the public Internet often cannot initiate communication to a host in a private network.
- The problem is worse when two hosts that are in a private network need to communicate with each other.
• 57. IP address in application data
- Applications that carry IP addresses in the payload of the application data generally do not work across the private/public network boundary.
- Some NAT devices inspect the payload of widely used application-layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.
• 58. Problems with NAT
- Can't be used with:
  - protocols that require a separate back-channel (FTP).
  - protocols that encrypt TCP headers.
  - protocols that embed TCP address info.
  - protocols that specifically use the original IP for some security reason.
  - (the solutions).
• 59. How Much Memory?
- Needs 42 Kb of system memory to enable NAT.
- 160-200 bytes for each entry in the NAT translation table.
- 1,000 entries use approximately 205 Kb of memory (includes the 42 Kb).
• 60. NAT in IPv6
- Network address translation is not commonly used in IPv6, as one of its aims is to restore true host-to-host connectivity.
- NAT loopback is not commonly needed. Although still possible, the large addressing space of IPv6 obviates the need to conserve addresses, and every device can be given a unique globally routable address.
- NAT loopback, when implemented, works as in IPv4.
• 61. Apply NAT in packet tracer
1. Configure Static NAT.
2. Configure Dynamic NAT.
3. Configure Dynamic PAT.
• 62. Configure Static NAT (topology figure)
• 63. Configure Static NAT
- Configure R1:
  Router>enable
  Router#configure terminal
  Router(config)#hostname R1
  R1(config)#interface fastethernet 0/0
  R1(config-if)#ip address 10.0.0.1 255.0.0.0
  R1(config-if)#no shutdown
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip address 20.0.0.2 255.0.0.0
  R1(config-if)#no shutdown
  R1(config-if)#exit
• 64. Configure Static NAT
  R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.1
  R1(config)#ip nat inside source static 10.0.0.2 50.0.0.1
  R1(config)#interface fastEthernet 0/0
  R1(config-if)#ip nat inside
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip nat outside
  R1(config-if)#exit
  R1(config)#
• 65. Configure Static NAT
- Configure R0:
  Router>enable
  Router#configure terminal
  Router(config)#hostname R0
  R0(config)#interface fastethernet 0/0
  R0(config-if)#ip address 30.0.0.1 255.0.0.0
  R0(config-if)#no shutdown
  R0(config-if)#exit
  R0(config)#interface serial 0/0/0
  R0(config-if)#ip address 20.0.0.1 255.0.0.0
  R0(config-if)#clock rate 64000
  R0(config-if)#bandwidth 64
  R0(config-if)#no shutdown
  R0(config-if)#exit
  R0(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
  R0(config)#
• 66. Configure Static NAT
- As you have seen in the configuration, there is no direct route to 10.0.0.2, so a PC in the 30.0.0.0 network will never know about it.
- It will access 50.0.0.1 as the web server IP. To test it, double-click on any computer and ping 50.0.0.1; you will get a reply.
  Packet Tracer PC Command Line 1.0
  PC>ping 50.0.0.1
  Pinging 50.0.0.1 with 32 bytes of data:
  Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
  Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
  Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
  Reply from 50.0.0.1: bytes=32 time=125ms TTL=126
  Ping statistics for 50.0.0.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 80ms, Maximum = 141ms, Average = 113ms
• 67. Configure Static NAT
- Now ping 10.0.0.2 and you will get a destination host unreachable error.
  PC>ping 10.0.0.2
  Pinging 10.0.0.2 with 32 bytes of data:
  Reply from 30.0.0.1: Destination host unreachable.
  Reply from 30.0.0.1: Destination host unreachable.
  Reply from 30.0.0.1: Destination host unreachable.
  Reply from 30.0.0.1: Destination host unreachable.
  Ping statistics for 10.0.0.2:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
• 68. Configure Static NAT
- This demonstration shows how companies use NAT to hide their internal network from the outside world. Now open a web browser from any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
• 69. Configure Dynamic NAT (topology figure)
• 70. Configure Dynamic NAT
- In this example our internal network uses the 192.168.0.0 network. We have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use.
- Configure Router0:
  Router>enable
  Router#configure terminal
  Router(config)#hostname R1
  R1(config)#interface fastethernet 0/0
  R1(config-if)#ip address 192.168.0.1 255.0.0.0
  R1(config-if)#no shutdown
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip address 30.0.0.1 255.0.0.0
  R1(config-if)#clock rate 64000
• 71. Configure Dynamic NAT
  R1(config-if)#bandwidth 64
  R1(config-if)#no shutdown
  R1(config-if)#exit
  R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
  R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
  R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
  R1(config)#ip nat inside source list 1 pool test
  R1(config)#interface fastEthernet 0/0
  R1(config-if)#ip nat inside
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip nat outside
  R1(config-if)#exit
  R1(config)#exit
• 72. Configure Dynamic NAT
- Configure Router1:
  Router>enable
  Router#configure terminal
  Router(config)#interface fastEthernet 0/0
  Router(config-if)#ip address 20.0.0.1 255.0.0.0
  Router(config-if)#no shutdown
  Router(config-if)#exit
  Router(config)#interface serial 0/0/0
  Router(config-if)#ip address 30.0.0.2 255.0.0.0
  Router(config-if)#no shutdown
  Router(config-if)#exit
  Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
  Router(config)#hostname R2
• 73. Configure Dynamic NAT
- To test NAT, go to R1 and enable NAT debugging from privileged mode:
  R1#debug ip nat
- Now go to a PC and ping 20.0.0.2.
• 74. Configure Dynamic NAT
- When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet is generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address to, which you can see in the output of the debug command on R1:
  IP NAT debugging is on
  NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
  NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
  NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
  NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
  NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
  NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
  NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
  NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
• 75. Configure Dynamic NAT
- As you can see in the output, 192.168.0.7 is translated to 50.0.0.1 before leaving the router.
- Now check for web access from any client PC.
• 76. Configure Dynamic PAT
- In dynamic NAT, translation is made IP to IP, so you need as many global IP addresses as you have inside local addresses. That's an issue if you have few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
- For demonstration we are going to configure the same topology which we used for dynamic NAT, but this time we are using only one global IP address, 50.0.0.1.
• 77. Configure Dynamic PAT (topology figure)
• 78. Configure Dynamic PAT
- The PCs' IP addresses are already configured; double-click on R1 and configure it as given here.
- Configure R1:
  Router>enable
  Router#configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)#hostname R1
  R1(config)#interface fastEthernet 0/0
  R1(config-if)#ip address 192.168.0.1 255.255.255.0
  R1(config-if)#no shutdown
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip address 30.0.0.1 255.0.0.0
• 79. Configure Dynamic PAT
  R1(config-if)#clock rate 64000
  R1(config-if)#bandwidth 64
  R1(config-if)#no shutdown
  R1(config-if)#exit
  R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
  R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
  R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
  R1(config)#ip nat inside source list 1 pool test overload
  R1(config)#interface fastEthernet 0/0
  R1(config-if)#ip nat inside
  R1(config-if)#exit
  R1(config)#interface serial 0/0/0
  R1(config-if)#ip nat outside
  R1(config-if)#exit
  R1(config)#
• 80. Configure Dynamic PAT
- Configure R2:
  Router>enable
  Router#configure terminal
  Router(config)#interface serial 0/0/0
  Router(config-if)#ip address 30.0.0.2 255.0.0.0
  Router(config-if)#no shutdown
  Router(config-if)#exit
  Router(config)#interface fastEthernet 0/0
  Router(config-if)#ip address 20.0.0.1 255.0.0.0
  Router(config-if)#no shutdown
  Router(config-if)#exit
  Router(config)#hostname R2
  R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
• 81. Configure Dynamic PAT
- Now go to a PC and ping 20.0.0.2.
• 82. Configure Dynamic PAT
- To verify PAT, go to R1 and run show ip nat translations:
  R1#show ip nat translations
  Pro  Inside global   Inside local    Outside local   Outside global
  icmp 50.0.0.1:1      192.168.0.7:1   20.0.0.2:1      20.0.0.2:1
  icmp 50.0.0.1:2      192.168.0.7:2   20.0.0.2:2      20.0.0.2:2
  icmp 50.0.0.1:3      192.168.0.7:3   20.0.0.2:3      20.0.0.2:3
  icmp 50.0.0.1:4      192.168.0.7:4   20.0.0.2:4      20.0.0.2:4
- As you can see, this time the address translation is done with port numbers instead of IP addresses.
• 83. Thank You