CCNA CCNA Karteikarten am E2_11 NAT, erstellt von John Dedios am 21/07/2016.
|
Erstellt von John Dedios
vor mehr als 8 Jahre
|
|
Schließen
|
|
Erstellt von John Dedios
vor mehr als 8 Jahre
|
|
IPv4 Private Address Space
All public IPv4 addresses that transverse the Internet must be registered with a Regional Internet Registry (RIR)
NAT provides the translation of private addresses to public addresses. This allows a device with a private IPv4 address to access resources outside of their private network, such as those found on the Internet
What is NAT?
NAT has many uses, but its primary use is to conserve public IPv4 addresses.
NAT has an added benefit of adding a degree of privacy and security to a network, because it hides internal IPv4 addresses from outside networks.
NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are known as the NAT pool.
Ej: A NAT router typically operates at the border of a stub network. A "stub network" is a network that has a single connection to its neighboring network, one way in and one way out of the network
NAT Terminology
NAT includes four types of addresses:
Inside local address
Inside global address
Outside local address
Outside global address
NAT Terminology
Ej: Inside global address when In this case, R2 changes the IPv4 source address from 192.168.10.10 to 209.165.200.226. In NAT terminology, the inside local address of 192.168.10.10 is translated to the inside global address of 209.165.200.226.
* Outside global address - Most often the outside local and outside global addresses are the same.
* Outside local address - The address of the destination as seen from the inside network
Note: The use of the outside local address is outside the scope of this course.
How NAT Works
When the packet arrives at R2, the NAT-enabled router for the network, R2 reads the source IPv4 address of the packet to determine if the packet matches the criteria specified for translation.
In this case, the source IPv4 address does match the criteria and is translated from 192.168.10.10 (inside local address) to 209.165.200.226 (inside global address).
R2 adds this mapping of the local to global address to the NAT table.
1. Static NAT
There are three types of NAT translation:
One-to-one address mapping between local and global addresses.
Ej: When these devices send traffic to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices have public IPv4 addresses.
Static NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.
There are three types of NAT translation:
1. Static address translation (static NAT) - One-to-one address mapping between local and global addresses.
2. Dynamic address translation (dynamic NAT) - Many-to-many address mapping between local and global addresses.
3. Port Address Translation (PAT) - Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading).
2. Dynamic NAT
Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.
When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.
* Similar to static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.
Port Address Translation (PAT)
known as NAT overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses.
Ej: PAT ensures that devices use a different TCP port number for each session with a server on the Internet.
When a response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines to which device the router forwards the packets.
** The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.
PAT - Next Available Port
PAT attempts to preserve the original source port. However, if the original source port is already used, PAT assigns the first available port number starting from the beginning of the appropriate port group:
0–511, 512–1,023, or 1,024–65,535.
When there are no more ports available and there is more than one external address in the address pool, PAT moves to the next address to try to allocate the original source port. This process continues until there are no more available ports or external IP addresses.
Comparing NAT and PAT
With PAT, there is generally only one or a very few publicly exposed IPv4 addresses.
Incoming packets from the public network are routed to their destinations on the private network by referring to a table in the NAT router. This table tracks public and private port pairs.
This is called connection tracking.
PAT - Packets without a Layer 4 Segment
What about IPv4 packets carrying data other than a TCP or UDP segment? These packets do not contain a Layer 4 port number.
PAT translates most common protocols carried by IPv4 that do not use TCP or UDP as a transport layer protocol.
The most common of these is ICMPv4. Each of these types of protocols is handled differently by PAT
Benefits of NAT
NAT provides many benefits, including:
* NAT conserves the legally registered addressing scheme - by allowing the privatization of intranets. NAT conserves addresses through application port-level multiplexing
* NAT increases the flexibility of connections to the public network. -- multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections.
Disadvantages of NAT
* Performance is degraded. - One disadvantage of using NAT is related to network performance, particularly for real time protocols such as VoIP. NAT increases switching delays because the translation of each IPv4 address within the packet headers takes time.
The router must alter the IPv4 header, and possibly alter the TCP or UDP header. The IPv4 header checksum, along with the TCP or UDP checksum must be recalculated each time a translation is made. Remaining packets go through the fast-switched path if a cache entry exists; otherwise, they too are delayed.
Disadvantages of NAT
* End-to-end IPv4 traceability is also lost. - It becomes much more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops, making troubleshooting challenging.
* NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the headers that interfere with the integrity checks done by IPsec and other tunneling protocols.
Verifying Static NAT
"show ip nat translations"
Ej: the translation is always present in the NAT table regardless of any active communications. If the command is issued during an active session, the output also indicates the address of the outside device
Verifying Static NAT
" show ip nat statistics"
Ej: displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and the number of addresses that have been allocated.
To verify that the NAT translation is working, it is best to clear statistics from any past translations using the:
"clear ip nat statistics command" before testing.
Dynamic NAT Operation
* Note: Translating between public and private IPv4 addresses is by far the most common use of NAT. However, NAT translations can occur between any pair of addresses.
The pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come first-served basis
If all of the addresses in the pool have been used, a device must wait for an available address before it can access the outside network.
Verifying Dynamic NAT
"show ip nat translations"
The command displays all static translations that have been configured and any dynamic translations that have been created by traffic.
Adding the "verbose" keyword displays additional information about each translation, including how long ago the entry was created and used.
By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the "ip nat translation timeout (timeout-seconds)" command in global configuration mode.
Verifying Dynamic NAT
Specific entries can be cleared to avoid disrupting active sessions. Use the
"clear ip nat translation *"
privileged EXEC command to clear all translations from the table.
Note: Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the translation table.
Verifying Dynamic NAT
"show ip nat statistics"
Ej: displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and how many of the addresses have been allocated.
Configuring PAT for a Single Public IPv4 Address
The "interface" keyword identifies which interface IP address to use when translating inside addresses.
The "overload" keyword directs the router to track port numbers with each NAT entry.
The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the interface keyword is used to identify the outside IPv4 address. Therefore, no NAT pool is defined.
Verifying PAT
"show ip nat translations"
Ej: displays the translations from two different hosts to different web servers.
Notice that two different inside hosts are allocated the same IPv4 address of 209.165.200.226 (inside global address). The source port numbers in the NAT table differentiate the two transactions.
Verifying PAT
"show ip nat statistics"
Ej: verifies that NAT-POOL2 has allocated a single address for both translations. Included in the output is information about the number and type of active translations, NAT configuration parameters, the number of addresses in the pool, and how many have been allocated.
Port Forwarding
Typically, peer-to-peer file-sharing programs and operations, such as web serving and outgoing FTP, require that router ports be forwarded or opened to allow these applications to work.
Because NAT hides internal addresses, peer-to-peer only works from the inside out where NAT can map outgoing requests against incoming replies.
Wireless Router Example
Ej: HTTP service requests, coming into wireless router, are forwarded to the web server with the inside local address of 192.168.1.254. If the external WAN IPv4 address of the wireless router is 209.165.200.225, the external user can enter http://www.example.com and the wireless router redirects the HTTP request to the internal web server at IPv4 address 192.168.1.254, using the default port number 80.
http://www.portforward.com
Configuring Port Forwarding with IOS
Implementing port forwarding with IOS commands is similar to the commands used to configure static NAT. Port forwarding is essentially a static NAT translation with a specified TCP or UDP port number.
Ej: when the router receives the packet with the inside global IPv4 address of 209.165.200.225 and a TCP destination port 8080, the router performs a NAT table lookup using the destination IPv4 address and destination port as the key. The router then translates the address to the inside local address of host 192.168.10.254 and destination port 80
NAT for IPv6?
NAT has significant disadvantages, and in January of 2011, IANA allocated the last of its IPv4 addresses to RIRs.
IPv6, with a 128-bit address, provides (340 sextillones / 340 undecillion) addresses.
IPv6 does implement a form of NAT. IPv6 includes both its own IPv6 private address space and NAT, which are implemented differently than they are for IPv4.
IPv6 Unique Local Addresses
Ej: ULA have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF. The next 1 bit is set to 1 if the prefix is locally assigned. Set to 0 may be defined in the future. The next 40 bits is a global ID followed by a 16-bit Subnet ID. These first 64 bits combine to make the ULA prefix. This leaves the remaining 64 bits for the interface ID, or in IPv4 terms, the host portion of the address.
Note: The original IPv6 specification allocated address space for site-local addresses, defined in RFC 3513. Site-local addresses have been deprecated by the IETF in RFC 3879 because the term “site” was somewhat ambiguous. Site-local addresses had the prefix range of FEC0::/10 and may still be found in some older IPv6 documentation.
IPv6 Unique Local Addresses
Unique local addresses are defined in RFC 4193. ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses) and have several characteristics including:
1. Allows sites to be combined or privately interconnected, without creating any address conflicts or requiring renumbering of interfaces that use these prefixes.
NAT for IPv6
NAT for IPv6 is used in a much different context than NAT for IPv4. The varieties of NAT for IPv6 are used to transparently provide access between IPv6-only and IPv4-only networks. It is not used as a form of private IPv6 to global IPv6 translation.
Over the years, there have been several types of NAT for IPv6 including Network Address Translation-Protocol Translation (NAT-PT). NAT-PT has been deprecated by IETF in favor of its replacement, NAT64. NAT64 is beyond the scope of this curriculum.
NAT for IPv6
Ideally, IPv6 should be run natively wherever possible. This means IPv6 devices communicating with each other over IPv6 networks. However, to aid in the move from IPv4 to IPv6, the IETF has developed several transition techniques to accommodate a variety of IPv4-to-IPv6 scenarios, including dual-stack, tunneling, and translation
Troubleshooting NAT: show commands
The first step in solving the problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:
Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration.
Troubleshooting NAT: debug command
"debug ip nat detailed"
Generates a description of each packet considered for translation. This command also provides information about certain errors or exception conditions, such as the failure to allocate a global address.
* (asterisk) - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
[xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers.
Case Study
Ej: notice that the router interfaces are incorrectly defined as NAT inside or NAT outside.
The current NAT interface configuration must be deleted from the interfaces before applying the correct configuration.
Case Study
"show access-lists"
Ej: is used to determine whether the ACL that the NAT command references is permitting all of the necessary networks. Examining the output indicates that an incorrect wildcard bit mask has been used in the ACL that defines the addresses which need to be translated. The wildcard mask is only permitting the 192.168.0.0/24 subnet.
The access list is first removed and then reconfigured using the correct wildcard mask.
