Monday, 22 May 2017

CISCO - NETWORK ADDRESS TRANSLATION (NAT):

INTRODUCTION:

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT consists of two steps: the process in which a real address is translated into a mapped address, and then the process that undoes the translation for returning traffic.

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops.

In that context I want to try to explain the role NAT currently has and that it might gain in the future, proving that it is more than a short-term solution and that it will stay with us for much longer, especially when we look at the current state of the IPv6 implementation. Experiments done by some people have shown that the IPv6 protocol itself does not cause many problems, so migration could be swift, but lots of applications cause problems and it is therefore likely that IPv4 will be the major Internet and intranet protocol for longer than expected.

Before we begin explaining NAT's role in today's and future networks, I want to show in what different areas NAT is being used today. The explanations will be made from a technological point of view.

CLASSIFICATION OF NAT:

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. NAT Overload, also known as PAT (Port Address Translation), is essentially NAT with the added feature of TCP/UDP port translation.

NAT

NAT is the process of modifying network address information in datagram (IP) packet headers while in transit across a traffic routing device for the purpose of remapping one IP address space into another.

Most often today, NAT is used in conjunction with network masquerading (or IP masquerading) which is a technique that hides an entire IP address space, usually consisting of private network IP addresses (RFC 1918), behind a single IP address in another, often public address space.

NAT allows a single device, such as a router, to act as an agent between the Internet or public network and a local or private network. Network Address Translation is used for many purposes, including but certainly not limited to saving IP addresses (NAT conserves IP address space on the Internet).

NAT is short for Network Address Translation, an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. NAT was developed by Cisco.

HOW NAT WORKS:

USING NAT TO CONNECT TO THE INTERNET ALLOWS YOU TO:
  • Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
  • Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
  • Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.

When a computer running NAT receives a packet from an internal client, it replaces the packet header and translates the client's port number and internal IP address to its own port number and external IP address. It then sends the packet to the destination host on the Internet, and keeps track of the mapping information in a table, so that it can route the reply to the appropriate client computer. When the computer running NAT receives a reply from the Internet host, it again replaces the packet header and sends the packet to the client. Both the client computer and the Internet host appear to be communicating directly with each other.

NAT WITH PAT:

When we talk about NAT, we are actually talking about PAT, or Port Address Translation. This is quite easy to remember: PAT translates ports, as the name implies, and likewise NAT translates addresses. Sometimes PAT is also called overloaded NAT.

THERE ARE TWO LEVELS OF NETWORK ADDRESS TRANSLATION.
  • Basic NAT. This involves IP address translation only, not port mapping.
  • PAT (Port Address Translation). Also called simply "NAT" or "Network Address Port Translation, NAPT". This involves the translation of both IP addresses and port numbers.


All Internet packets have a source IP address and a destination IP address. Both or either of the source and destination addresses may be translated.

SOME INTERNET PACKETS DO NOT HAVE PORT NUMBERS, FOR EXAMPLE ICMP packets. However, the vast bulk of Internet traffic is TCP and UDP packets, which do have port numbers. Packets which do have port numbers have both a source port number and a destination port number.

BOTH OR EITHER OF THE SOURCE AND DESTINATION PORTS MAY BE TRANSLATED:

·      NAT WHICH INVOLVES TRANSLATION OF THE SOURCE IP ADDRESS and/or source port is called SOURCE NAT OR SNAT. This re-writes the IP address and/or port number of the computer which originated the packet.

·      NAT WHICH INVOLVES TRANSLATION OF THE DESTINATION IP ADDRESS and/or destination port number is called DESTINATION NAT OR DNAT. This re-writes the IP address and/or port number corresponding to the destination computer.

SNAT and DNAT may be applied simultaneously to Internet packets.

PORT ADDRESS TRANSLATION (PAT):

Short for PORT ADDRESS TRANSLATION, a type of network address translation. During PAT, each computer on the LAN is translated to the same IP address, but with a different port number assignment.


NAT translates IP addresses only. PAT translates ports, but it is always used together with NAT, never alone. This means you can configure a router for pure NAT, or for NAT with PAT.

NAT (ONE-TO-ONE TRANSLATION) - maps inside source IP addresses one-to-one to outside Internet IP addresses. This is also called Static NAT.

NAT WITH PAT (MANY-TO-ONE TRANSLATION - OVERLOAD) - uses source IP addresses and source ports to uniquely identify user workstations by their socket. A socket is simply an IP address and a port number. This allows mapping of up to 65,536 inside "socket" addresses to 1 outside address (hence the term 'overload'). This is also called Dynamic NAT.

NAT WITH PAT IS ALSO GIVEN YET ANOTHER NAME - NAPT (Network Address Port Translation) and may be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers as well as IP addresses.

FOR EXAMPLE: Suppose local private hosts 10.0.0.1 and 10.0.0.2 both send packets from source port 2000. A NAPT device might translate these to a single public IP address 207.29.194.28 but two different source ports, say 2998 and 2999. Response traffic received for port 2998 is routed to 10.0.0.1 while port 2999 traffic is routed to 10.0.0.2.

THERE ARE THREE TYPES OF NAT, BECAUSE NAT CAN WORK IN SEVERAL DIFFERENT WAYS:

·        STATIC NAT
·        DYNAMIC NAT
·        OVERLOAD NAT (OFTEN REFERRED TO AS PORT ADDRESS TRANSLATION, OR PAT)

Dynamic NAT directs unregistered IP addresses to registered ones taken from a pool of registered IP addresses. NAT can also use overloading, whereby multiple unregistered IP addresses are directed to a single address using various ports. Each computer on the private network uses the same address but is given a different port number. Basically, the port is an extension of the IP address.

1. DYNAMIC NAT: SEVERAL MACHINES USE ONE INTERNET IP ADDRESS.
The type of NAT just described is called One-to-Many NAT. This is because one IP address is shared by many hosts.

FOR OVERLOADING - requires ONE outside Internet IP address - assign unique, unregistered local IP addresses to all users.  Must use unique ports for each user!

DYNAMIC NAT ALLOWS OVERLOADING:

Multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PCs connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT.

SOURCE COMPUTER   SOURCE COMPUTER'S IP ADDRESS   SOURCE COMPUTER'S PORT   NAT ROUTER'S IP ADDRESS
A                 10.0.0.1                       400                      215.37.32.201
B                 10.0.0.2                       50                       215.37.32.201
C                 10.0.0.3                       3750                     215.37.32.201
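The NAPT behaviour described above (the two hosts sending from source port 2000 in the earlier example, and the table of hosts sharing 215.37.32.201) can be modelled in a few dozen lines. The following is an added example, not code from the article or from Cisco: a toy NAT overload device that keeps one public address, hands each inside socket a mapped port, translates replies back, and drops inbound packets that match no recorded session. The public address 207.29.194.28 is the one the article uses; the other addresses, the RFC 1918 "access list" and the port-allocation policy are constructed assumptions.

```python
"""Toy NAT overload (NAPT) device, added to illustrate the article's examples;
it is not Cisco code. Addresses other than 207.29.194.28 (from the article)
are constructed."""
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 ranges: the default "access list" of inside hosts allowed to be translated
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"; ICMP has no ports and is not modelled here
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptDevice:
    """One public address shared by many inside sockets (many-to-one translation)."""

    def __init__(self, public_ip, permitted=RFC1918, first_port=1024):
        self.public_ip = public_ip
        self.permitted = permitted
        self.next_port = first_port
        self.socket_map = {}   # (proto, inside ip, inside port) -> mapped public port
        self.port_owner = {}   # (proto, mapped port) -> inside socket, so no port is handed out twice
        self.sessions = set()  # (proto, mapped port, outside ip, outside port) seen going out

    def _permitted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.permitted)

    def _allocate_port(self, proto, preferred):
        # Keep the original source port when it is free (the 'show ip nat translations'
        # output later in the article shows IOS doing this); otherwise take the next
        # unused port above 1023. Assumed policy, not a statement about IOS internals.
        if preferred > 1023 and (proto, preferred) not in self.port_owner:
            return preferred
        while (proto, self.next_port) in self.port_owner:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("no free ports left on the public address")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside. A source not matched by the inside access list is
        returned untranslated (processing simply continues, as the article notes)."""
        if not self._permitted(pkt.src_ip):
            return pkt
        inside = (pkt.proto, pkt.src_ip, pkt.src_port)
        mapped = self.socket_map.get(inside)
        if mapped is None:
            mapped = self._allocate_port(pkt.proto, pkt.src_port)
            self.socket_map[inside] = mapped
            self.port_owner[(pkt.proto, mapped)] = inside
        self.sessions.add((pkt.proto, mapped, pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip, src_port=mapped)

    def inbound(self, pkt):
        """Outside -> inside. Only a reply matching a recorded session is translated
        back; anything else returns None, i.e. the packet is dropped."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.sessions:
            return None
        _, inside_ip, inside_port = self.port_owner[(pkt.proto, pkt.dst_port)]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def translation_table(self):
        """Rows shaped like 'show ip nat translations': Pro, Inside global, Inside local, Outside global."""
        rows = []
        for proto, mapped, out_ip, out_port in sorted(self.sessions):
            _, in_ip, in_port = self.port_owner[(proto, mapped)]
            rows.append((proto, f"{self.public_ip}:{mapped}", f"{in_ip}:{in_port}", f"{out_ip}:{out_port}"))
        return rows


def demo():
    """Two inside hosts both using source port 2000, as in the article's NAPT example."""
    nat = NaptDevice("207.29.194.28")
    nat.outbound(Packet("tcp", "10.0.0.1", 2000, "198.51.100.10", 80))
    nat.outbound(Packet("tcp", "10.0.0.2", 2000, "198.51.100.10", 80))
    return nat


if __name__ == "__main__":
    for row in demo().translation_table():
        print("%-4s %-22s %-18s %s" % row)
```

Running it shows the first host keeping port 2000 on the public address and the second host, whose port 2000 collides, receiving the next free mapped port. A reply to the mapped socket is rewritten to the right inside host, while a packet from an unrelated outside host to a mapped port is dropped because no session recorded it; this is the "outside hosts cannot easily target inside hosts" property the article lists, and also why a static (persistent) entry is needed for a server that must be reachable from outside.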

UNREGISTERED IP RANGES:

IANA has actually set aside specific ranges of IP addresses for use as non-routable internal network addresses. These addresses are considered unregistered (for more information, see RFC 1918: Address Allocation for Private Internets, which defines these address ranges), which means that no company or agency can claim ownership of them and use them on public computers. Routers are designed not to forward unregistered addresses. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.

THERE IS A RANGE FOR EACH OF THE THREE CLASSES OF IP ADDRESSES USED FOR NETWORKING.

·      Range 1 is for Class A: 10.0.0.0 through 10.255.255.255
·      Range 2 is Class B: 172.16.0.0 through 172.31.255.255
·      Range 3 is Class C: 192.168.0.0 through 192.168.255.255

Although each range is in a different class, there is no requirement that you use any particular range for your internal network. It is good practice though because it greatly diminishes the chance of an IP address conflict.



2. STATIC NAT directs an unregistered IP address to a registered IP address. This is very useful when a computer inside the network needs to be reachable from outside the network.

STATIC NAT: MACHINE WILL HAVE ONE LOCAL IP, WHICH WILL BE MAPPED TO ONE UNIQUE INTERNET IP.

It is also possible to implement ONE-TO-ONE NAT. This is where a host with a private IP address is given a dedicated public IP address in the NAT device. One-to-One NAT is used to support some poorly designed protocols which do not work well over NAT.

Same as DYNAMIC NAT, plus it allows other Internet systems to access this system.
FOR SECURITY - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port!

STATIC NAT OFFERS ENHANCED SECURITY - The actual IP address of the user is hidden.  A router running NAT (RFC1631) allows the users to maintain anonymity, because their addresses are not sent out to the world.  Users will typically use addresses from one of three reserved address spaces, the most famous being the “10” Class A address range.

SOURCE COMPUTER   SOURCE COMPUTER'S IP ADDRESS   NAT ROUTER'S IP ADDRESS
A                 10.0.0.1                       215.37.32.201
B                 10.0.0.2                       215.37.32.202
C                 10.0.0.3                       215.37.32.203

3. NAT OVERLOAD:

NAT OVERLOAD IS A MIX OF STATIC & DYNAMIC NAT with a few enhancements thrown in (PAT- PORT ADDRESS TRANSLATION) to make it work the way we need. By now you understand how both Static & Dynamic NAT work.

NAT OVERLOAD TAKES A STATIC OR DYNAMIC IP ADDRESS that is bound to the public interface of the gateway (this could be a PC, router or firewall appliance) and allows all PCs within the private network to access the Internet.

THE MOST IMPORTANT PART OF USING NAT IN CISCO IOS IS GETTING A HANDLE ON THESE FOUR KEY TERMS:

  • INSIDE LOCAL -> This is the local IP address of the private host on your network (i.e., your PC’s IP address).
  • INSIDE GLOBAL -> This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
  • OUTSIDE LOCAL -> This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
  • OUTSIDE GLOBAL -> This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).

SO NOW WE UNDERSTAND A NAT DEVICE CAN TRANSLATE A SINGLE "REAL" OR PUBLIC IP ADDRESS INTO A VERY LARGE NUMBER OF PRIVATE ADDRESSES, SO A LARGE NUMBER OF COMPUTERS CAN SHARE THAT SINGLE PUBLIC ADDRESS. THE IMMEDIATE BENEFIT OF NAT IS THAT IT ALLOWS A SINGLE INTERNET CONNECTION WITH A SINGLE IP ADDRESS TO BE SHARED.


NAT INSIDE TO NAT OUTSIDE:

For packets going from the NAT inside to the NAT outside interface (local to global translation), when you check the Cisco order of operations guide, you will find that routing occurs before translation.  In this case, you’ll need a route for the untranslated network or address. This can be added statically if no dynamic routing protocol is configured.

NAT INCOMING PACKET NAT OUTSIDE TO INSIDE: 
For packets going from the NAT outside to the NAT inside interface (global to local translation), routing occurs only after translation.  In this case, you’ll need a route to the post-translation address. NOT the global address as you might expect.

There are other aspects of the NAT order of operation that affect the NAT configuration but by far the routing is the most important to have a functional NAT configuration.  Some other parts of the NAT process such as when the ACLs are checked are also important, and I’ll cover this in an article sometime in future.


THE USAGE OF NAT ALSO CARRIES CERTAIN DRAWBACKS:


1. NETWORK ADDRESS TRANSLATION DOES NOT ALLOW A TRUE END-TO-END CONNECTIVITY THAT IS REQUIRED BY SOME REAL TIME APPLICATIONS. A NUMBER OF REAL-TIME APPLICATIONS REQUIRE THE CREATION OF A LOGICAL TUNNEL TO EXCHANGE THE DATA PACKETS QUICKLY IN REAL-TIME.

It requires a fast and seamless connectivity devoid of any intermediaries such as a proxy server that tends to complicate and slow down the communications process.

2. NAT CREATES COMPLICATIONS IN THE FUNCTIONING OF TUNNELING PROTOCOLS. ANY COMMUNICATION THAT IS ROUTED THROUGH A PROXY SERVER TENDS TO BE COMPARATIVELY SLOW AND PRONE TO DISRUPTIONS.

Certain critical applications offer no room for such inadequacies. Examples include telemedicine and teleconferencing. Such applications find the process of network address translation as a bottleneck in the communication network creating avoidable distortions in the end-to-end connectivity.

3. NAT ACTS AS A REDUNDANT CHANNEL IN THE ONLINE COMMUNICATION OVER THE INTERNET.

The twin reasons for the widespread popularity and subsequent adoption of the network address translation process were a shortage of IPv4 address space and the security concerns. Both these issues have been fully addressed in the IPv6 protocol.

As the IPv6 slowly replaces the IPv4 protocol, the network address translation process will become redundant and useless while consuming the scarce network resources for providing services that will be no longer required over the IPv6 networks.

NOTE: MANY ORGANIZATIONS FEEL THAT THE ADVANTAGES OUTWEIGH THE DISADVANTAGES, ESPECIALLY IF THEY DO USE THE INTERNET IN PRIMARILY A CLIENT/SERVER FASHION, AS MOST DO. FOR THIS REASON NAT HAS BECOME QUITE POPULAR.

THE USAGE OF NAT ALSO CARRIES CERTAIN ADVANTAGES:
  • Reduces the need for public addresses
  • Eases the internal addressing plan
  • Transparent to some applications
  • “Security” vs obscurity
  • Clear delimitation point for ISPs
  • Extends the longevity of IPv4 by optimizing the use of the current number of IP addresses
  • Adds security by blanketing an entire network to appear as a single client

COMMAND REFERENCE FOR IP NAT:

ip nat [inside | outside | stateful | create | piggyback-support | pool | portmap | service | sip-sbc | source | log | translations | syslog | allow-static-host]

no ip nat [inside | outside | stateful | create | piggyback-support | pool | portmap | service | sip-sbc | source | log | translations | syslog | allow-static-host]

SIMPLE EXAMPLE FOR NAT CONFIGURATION:

1. ENABLE NAT INSIDE INTERFACE

Enable an interface on the router with an IP address and mark it as the NAT inside interface. This is the interface that connects to your internal private network.

ROUTER (config)# int fastethernet0/1
ROUTER (config-if)# ip address 192.168.1.1 255.255.255.0
ROUTER (config-if)# ip nat inside

2. ENABLE NAT OUTSIDE INTERFACE

ROUTER (config)# int serial0/0/0
ROUTER (config-if)# ip address 100.100.100.100 255.255.255.0
ROUTER (config-if)# ip nat outside

3. CONFIGURE NAT POOL

This will be a pool of legal public IPs that is bought by the organization. This could be anything from one to many IP addresses.

ROUTER (config)# ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0

THIS CREATES A POOL WHICH HAS JUST ONE IP ADDRESS. THE SYNTAX IS:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

4. ACCESS LIST TO ALLOW LIST OF IP ADDRESSES TO NAT TRANSLATE

ROUTER (config)# access-list 10 permit 192.168.1.0 0.0.0.255
ROUTER (config)# access-list 10 permit 192.168.2.0 0.0.0.255
ROUTER (config)# access-list 10 permit 192.168.3.0 0.0.0.255

5. BIND THE ACCESS LIST TO THE POOL

ROUTER (config)# ip nat inside source list 10 pool WANPOOL overload


IF THIS IS AN INTERNET CONFIGURATION, THEN ENSURE THAT THERE IS A DEFAULT ROUTE POINTING TO THE OUTSIDE INTERFACE OR TO THE ISP'S NEXT-HOP IP ADDRESS ON THAT LINK.

ROUTER (config)# ip route 0.0.0.0 0.0.0.0 serial0/0/0
or
ROUTER (config)# ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP-IP>

The next hop must be the ISP's address on the 100.100.100.0/24 link, not the router's own outside address 100.100.100.100; a placeholder is shown because the example does not give the ISP's address.

NOTE: The NAT setup is now complete. We have set up the router to translate LAN private IPs into the Internet public IPs.


TO CHECK THE NAT STATUS AND STATISTICS

ROUTER # show ip nat statistics

TO SEE THE CURRENT TRANSLATION TABLE

ROUTER # show ip nat translations




EXAMPLE FOR STATIC NAT CONFIGURATION:

A STATIC NAT IMPLEMENTATION IS ONE IN WHICH EACH PRIVATE INTERNAL IP ADDRESS IS MAPPED TO A UNIQUE PUBLIC EXTERNAL IP ADDRESS. STATIC NAT MAPS AN UNREGISTERED IP ADDRESS TO A REGISTERED IP ADDRESS ON A ONE-TO-ONE BASIS, WHICH IS PARTICULARLY USEFUL WHEN A DEVICE NEEDS TO BE ACCESSIBLE FROM OUTSIDE THE NETWORK.

LAB

1. NAT configuration.
2. Firewall configuration.

INTERFACES:
  • Router inside interface E0/0: IP 10.1.1.1
  • Router outside interface S0/0: IP 63.63.63.1
  • Web/mail server private IP: 10.1.1.2
  • Web/mail server public IP: 63.63.63.2
Now that we’ve covered the background info, let’s get started with configuring static NAT. For our example, let’s say we start out with this basic configuration:


interface Serial0/0
  ip address 63.63.63.1 255.255.255.0
  ip nat outside 
interface Ethernet0/0
  ip address 10.1.1.1 255.255.255.0
  ip nat inside



We need the NAT translations to translate the outside IP address of the Web/mail server from 63.63.63.2 to 10.1.1.2 (and from 10.1.1.2 to 63.63.63.2). Here’s the missing link between the outside and inside NAT configurations:


router (config)# ip nat inside source static tcp 10.1.1.2 25 63.63.63.2 25
router (config)# ip nat inside source static tcp 10.1.1.2 443 63.63.63.2 443
router (config)# ip nat inside source static tcp 10.1.1.2 80 63.63.63.2 80
router (config)# ip nat inside source static tcp 10.1.1.2 110 63.63.63.2 110



We used the above port numbers because they fit the description of what we wanted to do, but keep in mind that your port numbers may be different. I chose port 25 for SMTP (sending mail), port 443 for HTTPS (secure Web), port 80 for HTTP (Web traffic), and port 110 for POP3 (receiving mail from the mail server when out on the Internet).


This configuration assumes you have a block of IP addresses. If you don’t, you can use the outside IP address on your router (Serial 0/0 in our case), and you could configure it like this:


router (config)# ip nat inside source static tcp 10.1.1.2 25 interface serial 0/0 25
You can even use this command if you have a dynamic DHCP IP address from your ISP on the outside of your router.


We also need to register the IP address of the mail and Web server in the global Internet DNS registry. So when users enter www.mywebserver.com in their Web browser, the browser would translate it to 63.63.63.2, and the router would then translate it to 10.1.1.2. The Web server would receive that request and respond back through the router, which would translate it back to the global IP address.


In addition to configuring static NAT, you may want to use DYNAMIC NAT at the same time.


EXAMPLE FOR DYNAMIC NAT CONFIGURATION: 

Dynamic NAT enables multiple internal hosts access to the Internet by assigning each host a unique real (Public) IP address for the duration of the session.

Dynamic NAT maps an unregistered IP address to a registered IP address from a group of registered IP addresses. Dynamic NAT also establishes a one-to-one mapping between unregistered and registered IP addresses, but the mapping can vary depending on which registered address is available in the pool at the time of communication.

THE FIRST STEP IN ANY NAT CONFIGURATION IS TO DEFINE THE INSIDE AND OUTSIDE INTERFACES. IT IS IMPERATIVE THAT WE DEFINE THESE INTERFACES FOR THE DYNAMIC NAT SERVICE TO FUNCTION.

SET THE FAST ETHERNET 0/0 INTERFACE AS THE INSIDE INTERFACE:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

NEXT STEP IS TO SET THE SERIAL INTERFACE S0/0 AS THE OUTSIDE INTERFACE:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

Next step is to create our pool of Public IP addresses that will be handed out by the router to our internal hosts trying to connect to the Internet. Each time a host sends a packet destined for the Internet, the router will automatically allocate one of the Public IP addresses for the length of that session.


R1(config)# ip nat pool Public-IPS 200.2.2.2 200.2.2.5 prefix-length 29

WE NOW NEED TO CREATE AN ACCESS CONTROL LIST (ACL) THAT WILL INCLUDE LOCAL (PRIVATE) HOSTS OR NETWORK(S), DEPENDING ON HOW LARGE THE INTERNAL NETWORK IS.

You can use standard or extended access lists depending on your requirements:

R1(config)# access-list 100 remark == [Control NAT Pool Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
R1(config)# ip nat inside source list 100 pool Public-IPS

The above commands instruct the router to allow the 192.168.0.0/24 network to use the NAT pool and provide each host with a unique dynamic public IP address. Note that Cisco router standard and extended ACLs always use wildcard masks (0.0.0.255).

VERIFYING DYNAMIC NAT OPERATION

BY VIEWING THE DYNAMIC NAT TABLE YOU CAN EASILY VERIFY THAT THE INTERNAL HOSTS ARE CORRECTLY BEING ASSIGNED A DYNAMIC IP ADDRESS FROM THE CONFIGURED POOL:

R1# show ip nat translations
R1# clear ip nat translation * 
   
ASSUMING NO REQUEST HAS BEEN SENT RIGHT AFTER THE COMMAND WAS ENTERED, THE NAT TRANSLATION TABLE SHOULD BE EMPTY:


R1# show ip nat translations

Configure NAT Overload - PAT (Port Address Translation)

'Overloading' means that the single public IP assigned to your router can be used by multiple internal hosts concurrently. This is done by translating source UDP/TCP ports in the packets and keeping track of them within the translation table kept in the router (R1 in our case). This is a typical NAT configuration for almost all of today's networks.

The First Step In Any NAT Configuration Is To Define The Inside And Outside Interfaces. It Is Imperative That We Define The Interfaces For NAT Overload To Function.

SET THE FAST ETHERNET 0/0 INTERFACE AS THE INSIDE INTERFACE:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

NEXT STEP IS TO SET THE SERIAL INTERFACE S0/0 AS THE OUTSIDE INTERFACE:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

We now need to create an Access Control List (ACL) that will include local (private) hosts or network(s). This ACL will later on be applied to the NAT service command, effectively controlling the hosts that will be able to access the Internet. You can use standard or extended access lists depending on your requirements:

R1(config)# access-list 100 remark == [Control NAT Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

The above command instructs the router to allow the 192.168.0.0/24 network to reach any destination. Note that Cisco router standard and extended ACLs always use wildcards (0.0.0.255).

All that's left now is to enable NAT overload and bind it to the outside interface previously selected:

R1(config)# ip nat inside source list 100 interface serial 0/0 overload

From this point onward, the router will happily create all the necessary translations to allow the 192.168.0.0/24 network access to the Internet.

Verifying NAT Overload operation

Viewing the NAT translation table can sometimes reveal a lot of important information on your network's activity. Here you'll be able to identify traffic that's not supposed to be routed to the Internet or traffic that seems suspicious.

AS PACKETS START TRAVERSING THE ROUTER IT WILL GRADUALLY BUILD UP ITS NAT/PAT TRANSLATION TABLE AS SHOWN BELOW:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 200.2.2.1:53427    192.168.0.6:53427  74.200.84.4:53     74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427  195.170.0.1:53     195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638  64.233.189.99:80   64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586  69.65.106.48:110   69.65.106.48:110

As shown, the first 2 translations directed to 74.200.84.4 & 195.170.0.1 are DNS requests from internal host 192.168.0.6. The third entry seems to be an http request to a web server with IP address 64.233.189.99.
Looking at the fourth and fifth translation entry, you should identify them as pop3 requests to an external server, possibly generated by an email client.

Because these entries are all dynamically created, they are temporary and will be removed from the translation table after some time.
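Reading the translation table by eye works for five rows; on a router with hundreds of entries the same review is better scripted. The following added example (not from the article) parses `show ip nat translations` output into records, counts dynamic sessions per inside host and lists entries to destination ports outside an expected set, which is the "traffic that seems suspicious" check the text describes. The first five rows of the sample are the article's own; the sixth row (a session to port 6881 on the documentation address 198.51.100.7) and the seventh (a port-less static entry) are constructed to exercise the edge cases, and the expected-port set is an assumed policy.

```python
"""Parser and review helpers for 'show ip nat translations' output.
Added example, not from the article; SAMPLE_OUTPUT is constructed from the
article's rows plus two extra rows (a static entry and a session to port 6881)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 200.2.2.1:53427    192.168.0.6:53427  74.200.84.4:53     74.200.84.4:53
udp 200.2.2.1:53427    192.168.0.6:53427  195.170.0.1:53     195.170.0.1:53
tcp 200.2.2.1:53638    192.168.0.6:53638  64.233.189.99:80   64.233.189.99:80
tcp 200.2.2.1:57585    192.168.0.7:57585  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:57586    192.168.0.7:57586  69.65.106.48:110   69.65.106.48:110
tcp 200.2.2.1:49211    192.168.0.9:49211  198.51.100.7:6881  198.51.100.7:6881
--- 200.2.2.3          192.168.0.20       ---                ---
"""

# Assumed policy: destination ports the internal network is expected to use.
EXPECTED_PORTS = {53, 80, 110, 443}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]   # None for a plain static NAT entry without a port


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]            # None for '---' rows (static, port-less)
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]


def parse_endpoint(token):
    """'74.200.84.4:53' -> Endpoint; '192.168.0.20' -> port-less Endpoint; '---' -> None."""
    if token == "---":
        return None
    ip, sep, port = token.rpartition(":")
    return Endpoint(ip, int(port)) if sep else Endpoint(token, None)


def parse_translations(text):
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank or truncated line
        proto = None if fields[0] == "---" else fields[0]
        ig, il, ol, og = (parse_endpoint(f) for f in fields[1:])
        entries.append(Translation(proto, ig, il, ol, og))
    return entries


def sessions_per_host(entries):
    """Dynamic (port-level) entries per inside host; a spike here is the
    'thousands of connections' load case the article warns about."""
    return dict(Counter(t.inside_local.ip for t in entries if t.proto is not None))


def unexpected_destinations(entries, expected=EXPECTED_PORTS):
    """Dynamic entries to destination ports outside the expected set, i.e. the
    traffic the article says deserves a second look."""
    return [t for t in entries
            if t.outside_global is not None and t.outside_global.port is not None
            and t.outside_global.port not in expected]


def static_entries(entries):
    """Persistent one-to-one mappings, which remain reachable from outside."""
    return [t for t in entries if t.proto is None]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    print("sessions per host:", sessions_per_host(parsed))
    for t in unexpected_destinations(parsed):
        print("check:", t.proto, t.inside_local.ip, "->", t.outside_global.ip, t.outside_global.port)
    for t in static_entries(parsed):
        print("static:", t.inside_global.ip, "<->", t.inside_local.ip)
```

Feeding the script real output (for instance, saved from the console) gives a per-host session count to compare against normal levels, the list of flows that fall outside the expected destination ports, and the static entries that are permanently exposed and therefore worth re-checking against the access list that should be protecting them.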

Another point you might want to keep in mind is that when we use programs that create a lot of connections, e.g. uTorrent, LimeWire, etc., you might see sluggish performance from the router as it tries to keep up with all the connections. Having thousands of connections running through the router can put some serious stress on the CPU.

In these cases, we might need to clear the IP NAT table completely to free up resources.
This is easily done using the following command:

R1# clear ip nat translation *

Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
Lastly, you can obtain statistics on the overload NAT service. This will show you the amount of current translations tracked by our NAT table, plus a lot more:

R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
Serial 0/0
Inside interfaces:
FastEthernet0/0
Hits: 163134904 Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
DYNAMIC MAPPINGS:
-- Inside Source
[Id: 2] access-list 100 interface serial 0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0


ABOVE ARTICLE SUMMARY: In this article we've covered configuration of NAT Overload on Cisco routers. We also saw how you can control the NAT Overload service using ACLs and obtain detailed statistics on the NAT service. The configuration and commands presented here are compatible with all Cisco router models and IOS versions.




SUMMARY:
NETWORK ADDRESS TRANSLATION (NAT) enables devices connected to private (inside) IP networks that use reserved IP addresses (as defined by RFC 1918) to connect to the public (outside) Internet.




This effectively hides the internal network from the world.

Network Address Translation, in simple terms, translates one IP address into another. Network Address Translation comes in different types, such as:

Static NAT (One-to-One)
NAT Overloading (Many-to-One)

Policy NAT:

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses.

For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

STATIC NAT:

Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it).

The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.

PAT:

PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection.

STATIC PAT:

Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses.

This feature lets you identify the same mapped address across many different static statements, so long as the port is different for each statement (you cannot use the same mapped address for multiple static NAT statements).

For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.


TIPS: If you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server that uses the same mapped IP address, but different ports.

CONCLUSION:

I think the above examples in this document demonstrate quick start steps that can help you configure and deploy NAT. These quick start steps include:


1.       Defining NAT inside and outside interfaces.
2.       Defining what you are trying to accomplish with NAT.
3.       Configuring NAT in order to accomplish what you defined in Step 2.
4.       Verifying the NAT operation.

This article was written by: Premakumar Thevathasan, CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
