Created by John Dedios
more than 8 years ago
| Question | Answers |
|---|---|
| IPv4 Private Address Space: All public IPv4 addresses that traverse the Internet must be registered with a Regional Internet Registry (RIR). NAT provides the translation of private addresses to public addresses. This allows a device with a private IPv4 address to access resources outside of its private network, such as those found on the Internet. | |
| What is NAT? NAT has many uses, but its primary use is to conserve public IPv4 addresses. NAT has the added benefit of adding a degree of privacy and security to a network, because it hides internal IPv4 addresses from outside networks. NAT-enabled routers can be configured with one or more valid public IPv4 addresses. These public addresses are known as the NAT pool. Example: A NAT router typically operates at the border of a stub network. A "stub network" is a network that has a single connection to its neighboring network: one way in and one way out of the network. | |
| NAT Terminology: NAT includes four types of addresses: inside local address, inside global address, outside local address, and outside global address. | |
| NAT Terminology (example: inside global address): In this case, R2 changes the IPv4 source address from 192.168.10.10 to 209.165.200.226. In NAT terminology, the inside local address of 192.168.10.10 is translated to the inside global address of 209.165.200.226. * Outside global address - Most often the outside local and outside global addresses are the same. * Outside local address - The address of the destination as seen from the inside network. Note: The use of the outside local address is outside the scope of this course. | |
| How NAT Works: When the packet arrives at R2, the NAT-enabled router for the network, R2 reads the source IPv4 address of the packet to determine if the packet matches the criteria specified for translation. In this case, the source IPv4 address does match the criteria and is translated from 192.168.10.10 (inside local address) to 209.165.200.226 (inside global address). R2 adds this mapping of the local to global address to the NAT table. | R2 sends the packet with the translated source address toward the destination. The web server responds with a packet addressed to the inside global address of PC1 (209.165.200.226). R2 receives the packet with destination address 209.165.200.226. R2 checks the NAT table and finds an entry for this mapping. R2 uses this information and translates the inside global address (209.165.200.226) to the inside local address (192.168.10.10), and the packet is forwarded toward PC1. |
| 1. Static NAT (the first of three types of NAT translation): One-to-one address mapping between local and global addresses. Example: When these devices send traffic to the Internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices have public IPv4 addresses. Static NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions. | |
| There are three types of NAT translation: 1. Static address translation (static NAT) - One-to-one address mapping between local and global addresses. 2. Dynamic address translation (dynamic NAT) - Many-to-many address mapping between local and global addresses. 3. Port Address Translation (PAT) - Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading). | Static NAT is particularly useful for web servers or devices that must have a consistent address that is accessible from the Internet, such as a company web server. It is also useful for devices that must be accessible by authorized personnel when offsite, but not by the general public on the Internet. * For example, a network administrator from PC4 can SSH to Svr1's inside global address (209.165.200.226). R2 translates this inside global address to the inside local address and connects the administrator's session to Svr1. |
| 2. Dynamic NAT: Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool. * Similar to static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions. | |
| 3. Port Address Translation (PAT), also known as NAT overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. Example: PAT ensures that devices use a different TCP port number for each session with a server on the Internet. When a response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines to which device the router forwards the packets. ** The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session. | |
| PAT - Next Available Port: PAT attempts to preserve the original source port. However, if the original source port is already used, PAT assigns the first available port number starting from the beginning of the appropriate port group: 0–511, 512–1,023, or 1,024–65,535. When there are no more ports available and there is more than one external address in the address pool, PAT moves to the next address to try to allocate the original source port. This process continues until there are no more available ports or external IP addresses. | |
| Comparing NAT and PAT: With PAT, there is generally only one or a very few publicly exposed IPv4 addresses. Incoming packets from the public network are routed to their destinations on the private network by referring to a table in the NAT router. This table tracks public and private port pairs. This is called connection tracking. | |
| PAT - Packets without a Layer 4 Segment: What about IPv4 packets carrying data other than a TCP or UDP segment? These packets do not contain a Layer 4 port number. PAT translates most common protocols carried by IPv4 that do not use TCP or UDP as a transport layer protocol. The most common of these is ICMPv4. Each of these types of protocols is handled differently by PAT. | For example, ICMPv4 query messages, echo requests, and echo replies include a Query ID. ICMPv4 uses the Query ID to identify an echo request with its corresponding echo reply. The Query ID is incremented with each echo request sent. PAT uses the Query ID instead of a Layer 4 port number. Note: Other ICMPv4 messages do not use the Query ID. These messages and other protocols that do not use TCP or UDP port numbers vary and are beyond the scope of this curriculum. |
| Benefits of NAT: NAT provides many benefits, including: * NAT conserves the legally registered addressing scheme - by allowing the privatization of intranets. NAT conserves addresses through application port-level multiplexing. * NAT increases the flexibility of connections to the public network - multiple pools, backup pools, and load-balancing pools can be implemented to ensure reliable public network connections. | * NAT provides consistency for internal network addressing schemes - NAT allows the existing private IPv4 address scheme to remain while allowing for easy change to a new public addressing scheme. This means an organization could change ISPs and not need to change any of its inside clients. * NAT provides network security - Because private networks do not advertise their addresses or internal topology, they remain reasonably secure when used in conjunction with NAT to gain controlled external access. |
| Disadvantages of NAT: * Performance is degraded - One disadvantage of using NAT is related to network performance, particularly for real-time protocols such as VoIP. NAT increases switching delays because the translation of each IPv4 address within the packet headers takes time. The router must alter the IPv4 header, and possibly alter the TCP or UDP header. The IPv4 header checksum, along with the TCP or UDP checksum, must be recalculated each time a translation is made. Remaining packets go through the fast-switched path if a cache entry exists; otherwise, they too are delayed. | * End-to-end functionality is degraded - Some applications do not work with NAT. For example, some security applications, such as digital signatures, fail because the source IPv4 address changes before reaching the destination. Applications that use physical addresses, instead of a qualified domain name, do not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings. |
| Disadvantages of NAT: * End-to-end IPv4 traceability is also lost - It becomes much more difficult to trace packets that undergo numerous packet address changes over multiple NAT hops, making troubleshooting challenging. * NAT also complicates tunneling protocols, such as IPsec, because NAT modifies values in the headers that interfere with the integrity checks done by IPsec and other tunneling protocols. | * Initiating TCP connections can be disrupted - Services that require the initiation of TCP connections from the outside network, or stateless protocols, such as those using UDP, can be disrupted. Unless the NAT router has been configured to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts (passive mode FTP, for example), but fail when both systems are separated from the Internet by NAT. |
| Verifying Static NAT: "show ip nat translations". Example: the translation is always present in the NAT table regardless of any active communications. If the command is issued during an active session, the output also indicates the address of the outside device. | |
| Verifying Static NAT: "show ip nat statistics". Example: displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and the number of addresses that have been allocated. To verify that the NAT translation is working, it is best to clear statistics from any past translations using the "clear ip nat statistics" command before testing. | |
| Dynamic NAT Operation: * Note: Translating between public and private IPv4 addresses is by far the most common use of NAT. However, NAT translations can occur between any pair of addresses. The pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come, first-served basis. If all of the addresses in the pool have been used, a device must wait for an available address before it can access the outside network. | |
| Verifying Dynamic NAT: "show ip nat translations". The command displays all static translations that have been configured and any dynamic translations that have been created by traffic. Adding the "verbose" keyword displays additional information about each translation, including how long ago the entry was created and used. By default, translation entries time out after 24 hours, unless the timers have been reconfigured with the "ip nat translation timeout (timeout-seconds)" command in global configuration mode. | |
| Verifying Dynamic NAT: Specific entries can be cleared to avoid disrupting active sessions. Use the "clear ip nat translation *" privileged EXEC command to clear all translations from the table. Note: Only the dynamic translations are cleared from the table. Static translations cannot be cleared from the translation table. | |
| Verifying Dynamic NAT: "show ip nat statistics". Example: displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool, and how many of the addresses have been allocated. | |
| Configuring PAT for a Single Public IPv4 Address: The "interface" keyword identifies which interface IP address to use when translating inside addresses. The "overload" keyword directs the router to track port numbers with each NAT entry. The configuration is similar to dynamic NAT, except that instead of a pool of addresses, the "interface" keyword is used to identify the outside IPv4 address. Therefore, no NAT pool is defined. | |
| Verifying PAT: "show ip nat translations". Example: displays the translations from two different hosts to different web servers. Notice that two different inside hosts are allocated the same IPv4 address of 209.165.200.226 (inside global address). The source port numbers in the NAT table differentiate the two transactions. | |
| Verifying PAT: "show ip nat statistics". Example: verifies that NAT-POOL2 has allocated a single address for both translations. Included in the output is information about the number and type of active translations, NAT configuration parameters, the number of addresses in the pool, and how many have been allocated. | |
| Port Forwarding: Typically, peer-to-peer file-sharing programs and operations, such as web serving and outgoing FTP, require that router ports be forwarded or opened to allow these applications to work. Because NAT hides internal addresses, peer-to-peer only works from the inside out, where NAT can map outgoing requests against incoming replies. | The problem is that NAT does not allow requests initiated from the outside. This situation can be resolved with manual intervention. Port forwarding can be configured to identify specific ports that can be forwarded to inside hosts. When a request is sent to the IPv4 address of the WAN port via the Internet, the router forwards the request to the appropriate server on the LAN. For security reasons, broadband routers do not by default permit any external network request to be forwarded to an inside host. |
| Wireless Router Example: HTTP service requests coming into the wireless router are forwarded to the web server with the inside local address of 192.168.1.254. If the external WAN IPv4 address of the wireless router is 209.165.200.225, the external user can enter http://www.example.com and the wireless router redirects the HTTP request to the internal web server at IPv4 address 192.168.1.254, using the default port number 80. See http://www.portforward.com. | |
| Configuring Port Forwarding with IOS: Implementing port forwarding with IOS commands is similar to the commands used to configure static NAT. Port forwarding is essentially a static NAT translation with a specified TCP or UDP port number. Example: when the router receives the packet with the inside global IPv4 address of 209.165.200.225 and a TCP destination port of 8080, the router performs a NAT table lookup using the destination IPv4 address and destination port as the key. The router then translates the address to the inside local address of host 192.168.10.254 and destination port 80. | |
| NAT for IPv6? NAT has significant disadvantages, and in January of 2011, IANA allocated the last of its IPv4 addresses to RIRs. IPv6, with a 128-bit address, provides 340 undecillion (short scale; 340 sextillion in the long scale) addresses. IPv6 does implement a form of NAT. IPv6 includes both its own IPv6 private address space and NAT, which are implemented differently than they are for IPv4. | In RFC 5902, the Internet Architecture Board (IAB) included the following quote concerning IPv6 network address translation: “It is commonly perceived that a NAT box provides one level of protection because external hosts cannot directly initiate communication with hosts behind a NAT. However, one should not confuse NAT boxes with firewalls. As discussed Section 2.2 in RFC4864, the act of translation does not provide security in itself. The stateful filtering function can provide the same level of protection without requiring a translation function.” |
| IPv6 Unique Local Addresses. Example: ULAs have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF. The next bit is set to 1 if the prefix is locally assigned; a value of 0 may be defined in the future. The next 40 bits are a global ID, followed by a 16-bit Subnet ID. These first 64 bits combine to make the ULA prefix. This leaves the remaining 64 bits for the interface ID, or in IPv4 terms, the host portion of the address. Note: The original IPv6 specification allocated address space for site-local addresses, defined in RFC 3513. Site-local addresses have been deprecated by the IETF in RFC 3879 because the term “site” was somewhat ambiguous. Site-local addresses had the prefix range of FEC0::/10 and may still be found in some older IPv6 documentation. | |
| IPv6 Unique Local Addresses: Unique local addresses are defined in RFC 4193. ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses) and have several characteristics, including: 1. They allow sites to be combined or privately interconnected without creating any address conflicts or requiring renumbering of interfaces that use these prefixes. | 2. They are independent of any ISP and can be used for communications within a site without having any Internet connectivity. 3. They are not routable across the Internet; however, if accidentally leaked by routing or DNS, there is no conflict with other addresses. |
| NAT for IPv6: NAT for IPv6 is used in a much different context than NAT for IPv4. The varieties of NAT for IPv6 are used to transparently provide access between IPv6-only and IPv4-only networks. It is not used as a form of private IPv6 to global IPv6 translation. Over the years, there have been several types of NAT for IPv6, including Network Address Translation-Protocol Translation (NAT-PT). NAT-PT has been deprecated by the IETF in favor of its replacement, NAT64. NAT64 is beyond the scope of this curriculum. | |
| NAT for IPv6: Ideally, IPv6 should be run natively wherever possible. This means IPv6 devices communicating with each other over IPv6 networks. However, to aid in the move from IPv4 to IPv6, the IETF has developed several transition techniques to accommodate a variety of IPv4-to-IPv6 scenarios, including dual-stack, tunneling, and translation. | Dual-stack is when the devices are running protocols associated with both IPv4 and IPv6. Tunneling for IPv6 is the process of encapsulating an IPv6 packet inside an IPv4 packet. This allows the IPv6 packet to be transmitted over an IPv4-only network. NAT for IPv6 should not be used as a long-term strategy, but as a temporary mechanism to assist in the migration from IPv4 to IPv6. |
| Troubleshooting NAT: show commands. The first step in solving the problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected: Step 1. Based on the configuration, clearly define what NAT is supposed to achieve. This may reveal a problem with the configuration. | Step 2. Verify that correct translations exist in the translation table using the "show ip nat translations" command. Step 3. Use the "clear" and "debug" commands to verify that NAT is operating as expected. Check to see if dynamic entries are recreated after they are cleared. Step 4. Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet. |
| Troubleshooting NAT: debug command. "debug ip nat detailed" generates a description of each packet considered for translation. This command also provides information about certain errors or exception conditions, such as the failure to allocate a global address. * (asterisk) - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists. [xxxx] - The value in brackets is the IP identification number. This information may be useful for debugging in that it enables correlation with other packet traces from protocol analyzers. | |
| Case Study. Example: notice that the router interfaces are incorrectly defined as NAT inside or NAT outside. The current NAT interface configuration must be deleted from the interfaces before applying the correct configuration. | |
| Case Study: "show access-lists". Example: this command is used to determine whether the ACL that the NAT command references is permitting all of the necessary networks. Examining the output indicates that an incorrect wildcard bit mask has been used in the ACL that defines the addresses which need to be translated. The wildcard mask is only permitting the 192.168.0.0/24 subnet. The access list is first removed and then reconfigured using the correct wildcard mask. | |