cs 540 computer networks ii sandy wang [email protected]

CS 540Computer Networks II

Sandy [email protected]

11. NETWORK ADDRESS TRANSLATION – NAT

Topics

1. Overview2. LAN Switching3. IPv44. IPv65. Routing Protocols -- RIP, RIPng, OSPF6. Routing Protocols -- ISIS, BGP7. MPLS8. Midterm Exam9. Transport Layer -- TCP/UDP10. Congestion Control & Quality of Service (QoS)11. Access Control List (ACL)12. Application Layer Protocols13. Application Layer Protocols continue14. Others – Multicast, SDN15. Final Exam

Reference Books

• Cisco CCNA Routing and Switching ICND2 200-101 Official Cert Guide, Academic Edition by Wendel Odom -- July 10, 2013. ISBN-13: 978-1587144882

• The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference by Charles M. Kozierok – October 1, 2005. ISBN-13: 978-1593270476

• Data and Computer Communications (10th Edition) (William Stallings Books on Computer and Data Communications) by Williams Stallings – September 23, 2013. ISBN-13: 978-0133506488

http://class.svuca.edu/~sandy/class/CS540/

http://class.svuca.edu/~sandy/class/CS540/

Agenda

• Basic Concept of • Network Address Translation (NAT) • Port Address Translation (PAT)

• Definition, Benefits, Availability and Application Support

• NAT Concepts and Terminology• Port Address Translation (PAT)• NAT Technical Information

6

Private Network

• Private IP network is an IP network that is not directly connected to the Internet

• IP addresses in a private network can be assigned arbitrarily. • Not registered and not guaranteed to be globally unique

• Generally, private networks use addresses from the following experimental address ranges (non-routable addresses):

• 10.0.0.0 – 10.255.255.255• 172.16.0.0 – 172.31.255.255• 192.168.0.0 – 192.168.255.255

7

Private Addresses

H1

R1

H2

10.0.1.3

10.0.1.1

10.0.1.2

H3

R2

H4

10.0.1.310.0.1.2

Private network 1

Internet

H5

10.0.1.1Private network 1

213.168.112.3

128.195.4.119 128.143.71.21

Network Address Translation (NAT)

• RFC 1631• A short term solution to the problem of the depletion of IP

addresses• Long term solution is IPv6• CIDR (Classless InterDomain Routing ) is a possible short term

solution• NAT is another

• NAT is a way to conserve IP addresses• Can be used to hide a number of hosts behind a single IP address• Uses private addresses:

• 10.0.0.0-10.255.255.255, • 172.16.0.0-172.32.255.255 or • 192.168.0.0-192.168.255.255

8

9

Network Address Translation (NAT)

• NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network

• NAT is a method that enables hosts on private networks to communicate with hosts on the Internet

• NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.

10

Basic Operation of NAT

• NAT device has address translation table• One to one address translation

H1

private address: 10.0.1.2public address: 128.143.71.21

H5

Privatenetwork

Internet

Source = 10.0.1.2Destination = 213.168.112.3


public address: 213.168.112.3NATdevice



PrivateAddress

PublicAddress

10.0.1.2 128.143.71.21

11

Pooling of IP Addresses

• Scenario: Corporate network has many hosts but only a small number of public IP addresses

• NAT solution:• Corporate network is managed with a private address space• NAT device, located at the boundary between the corporate network and the

public Internet, manages a pool of public IP addresses • When a host from the corporate network sends an IP datagram to a host in

the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host

12

Pooling of IP Addresses

H1

private address: 10.0.1.2public address:

H5

Privatenetwork

Internet



public address: 213.168.112.3NATdevice

PrivateAddress

PublicAddress

10.0.1.2

Pool of addresses: 128.143.71.0-128.143.71.30

13

Supporting Migration between Network Service Providers

• Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.

• NAT solution:• Assign private addresses to the hosts of the corporate network• NAT device has static address translation entries which bind the

private address of a host to the public address. • Migration to a new network service provider merely requires an

update of the NAT device. The migration is not noticeable to the hosts on the network.

Note:• The difference to the use of NAT with IP address pooling is that the

mapping of public and private IP addresses is static.

Benefits

• Problem: Merging corporations with conflicting private IP address space need connectivity to each other and/or the Internet

• Solution: NAT provides transparent, scalable, and bi-directional connectivity between corporate headquarters and acquisitions

Corporate Acquisition

10.6.1.20 10.6.1.51

NATBefore NATOutbound Packet

Before NATOutbound Packet

Src Addr10.6.1.20Src Addr10.6.1.20

Dest AddrAcquisitionDest Addr

Acquisition

After NATOutbound Packet


Src Addr192.168.7.10

Src Addr192.168.7.10

Dest AddrAcquisitionDest Addr

Acquisition



Src Addr172.21.58.10

Src Addr172.21.58.10

Dest AddrCorporateDest AddrCorporate




Dest AddrCorporateDest AddrCorporate

X

15

Supporting Migration between network service Providers

H1

private address: 10.0.1.2public address: 128.143.71.21

128.195.4.120


NATdevice

PrivateAddress

PublicAddress

10.0.1.2128.143.71.21128.195.4.120

128.143.71.21

128.195.4.120



ISP 2allocates address block

128.195.4.0/24 to privatenetwork:

Privatenetwork

ISP 1allocates address block

128.143.71.0/24 to privatenetwork:

16

IP Masquerading

• Also called: Network address and port translation (NAPT), port address translation (PAT).

• Scenario: Single public IP address is mapped to multiple hosts in a private network.

• NAT solution:• Assign private addresses to the hosts of the corporate network• NAT device modifies the port numbers for outgoing traffic

17

IP Masquerading

H1

private address: 10.0.1.2

Private network

Source = 10.0.1.2Source port = 2001


NATdevice

PrivateAddress

PublicAddress

10.0.1.2/2001 128.143.71.21/2100

10.0.1.3/3020 128.143.71.21/4444

H2

private address: 10.0.1.3


Internet

Source = 128.143.71.21Destination = 4444

128.143.71.21

18

Load Balancing of Servers

• Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address

• NAT solution:• Here, the servers are assigned private addresses • NAT device acts as a proxy for requests to the server from the public network• The NAT device changes the destination IP address of arriving packets to one

of the private addresses for a server• A sensible strategy for balancing the load of the servers is to assign the

addresses of the servers in a round-robin fashion.

19

Load Balancing of Servers

Private network


NATdevice

PrivateAddress

PublicAddress

10.0.1.2 128.143.71.21

Inside network

10.0.1.4 128.143.71.21

Internet128.143.71.21

S1

S2

S3

10.0.1.4

10.0.1.3

10.0.1.2

PublicAddress

128.195.4.120

Outside network

213.168.12.3


20

Concerns about NAT

• Performance:• Modifying the IP header by changing the IP address requires that NAT boxes

recalculate the IP header checksum• Modifying port number requires that NAT boxes recalculate TCP checksum

• Fragmentation• Care must be taken that a datagram that is fragmented before it reaches the

NAT device, is not assigned a different IP address or different port numbers for each of the fragments.

21

Concerns about NAT

• End-to-end connectivity:• NAT destroys universal end-to-end reachability of hosts on the Internet.

• A host in the public Internet often cannot initiate communication to a host in a private network.

• The problem is worse, when two hosts that are in a private network need to communicate with each other.

22

Concerns about NAT

• IP address in application data:• Applications that carry IP addresses in the payload of the application data

generally do not work across a private-public network boundary.

• Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address

translation table.

Agenda

• Basic Concept of NAT and PAT• Definition, Benefits, Availability

and Application Support• NAT Concepts and Terminology• PAT• NAT Technical Information

NAT Concepts

• An interface on the router can be defined as inside or outside

• Translations occur only from inside to outside interfaces or vice versa—never between the same type of interface

NATInside

InterfaceInside

Interface

Inside Network Outside Network

ip nat inside ip nat outsideInside Host Outside Host

OutsideInterfaceOutsideInterface

NAT Concepts

• NAT translations are static or dynamic

• Static translation are entered directly into the configuration and are always in the translation table

• ip nat inside source static 10.6.1.20 171.69.68.10

• Dynamic translations use access lists to identify IP addresses that NAT should create translations for

• ip nat inside source list 1 pool nat-pool

• access-list 1 permit 10.0.0.0 0.255.255.255

Static vs. Dynamic Translations

• Static translations

• When you need to be able to initiate a connection from both the inside and outside interfaces (e.g. SMTP, Web)

• Or you want a specific host to be translated to a specific IP address

• Dynamic translations

• When you want to initiate a connection from only the inside or only the outside

NAT Concepts

• An IP address is either local or global• Local IP addresses are seen in the inside network• Global IP addresses are seen in the Outside network

My Network Internet

Inside Host Outside Host



Src AddrInside Local


Dest AddrOutside Host




Src AddrInside Global




After NATInbound Packet


Src AddrOutside Local


Dest AddrInside HostDest Addr

Inside Host

Before NATInbound Packet


Src AddrOutside Global


Dest AddrInside HostDest Addr

Inside Host

Inside Local/Inside Global Example

NAT Address PoolNAT Address Pool

171.69.68.11171.69.68.11

171.69.68.12171.69.68.12

171.69.68.13171.69.68.13

For Outbound Packets an AddressIs Dynamically Allocated from the NAT Address Pool

10.6.1.20 Outside Host


Src Addr10.6.1.20



Src Addr171.69.68.10


ProPro Inside LocalInside Local Outside LocalOutside Local Outside GlobalOutside GlobalInside GlobalInside Global

------ ------ ------171.69.68.10171.69.68.10 10.6.1.2010.6.1.20

171.69.68.10171.69.68.10


- - -- - -

171.69.68.11171.69.68.11

171.69.68.12171.69.68.12

171.69.68.13171.69.68.13

My Network Internet

Inside Local/Inside Global Example

The NAT Address Translation Entryin the Translation Table Is Used toTranslate Return Packets

10.6.1.20 Outside Host

NATAfter NATReturn Packet

After NATReturn Packet




Before NATReturn PacketBefore NAT

Return Packet

Src Addr171.69.68.10

Src Addr171.69.68.10




------ ------ ------171.69.68.10

171.69.68.10

10.6.1.2010.6.1.20


------ ------ ------------ ------

My Network Internet


- - -- - -

171.69.68.11171.69.68.11

171.69.68.12171.69.68.12

171.69.68.13171.69.68.13


171.69.68.10171.69.68.10

171.69.68.11171.69.68.11

171.69.68.12171.69.68.12

171.69.68.13171.69.68.13

NAT Terminology

• Inside local• Configured IP address assigned to a host on the inside network;

address may be globally unique, allocated out of the private address space defined in RFC 1918, or may be officially allocated to some other organization

• Inside global• The IP address of an inside host as it appears to the outside

host and network, “Translated IP Address”; addresses can be allocated from a globally unique address space, typically provided by the ISP (if the enterprise is connected to the global Internet)

NAT Concepts

• Local IP addresses are seen on the inside network while global IP addresses are seen on the outside network

My Network

Inside Host Outside Host

NAT



Dest AddrOutside Global




Internet







------ ------ ------------ ------

------ ------ ------------ ------ProPro Inside LocalInside Local Outside LocalOutside Local Outside GlobalOutside GlobalInside GlobalInside Global

------ ------ ------

------ ------ ------------ ------

------ ------ ------------ ------

------ ------

------ ------ ------------ ------


------ ------ ------

------ ------ ------------ ------

------ ------ ------------ ------

171.69.70.15171.69.70.15 192.168.1.80192.168.1.80

NAT Concepts

Router# show ip nat translations

• A NAT translation is 1 to 1 or many to 1

1 to 1 translations (NAT) assign a different IP address for each translation

Many to 1 (PAT) translations can assign the same IP address for each translation

------ ------ ------------ ------


------ ------ ------171.69.70.15171.69.70.15 192.168.1.80192.168.1.80

171.69.68.10:1202171.69.68.10:1202 10.6.15.2:120210.6.15.2:1202 204.71.200.67:80204.71.200.67:80 204.71.200.67:80204.71.200.67:80

171.69.68.10:1460171.69.68.10:1460 10.8.20.25:1460

10.8.20.25:1460

204.71.200.69:80204.71.200.69:80 204.71.200.69:80204.71.200.69:80

tcptcp

tcptcp

PAT

• PAT (Port Address Translation) includes ports in addition to IP addresses

• Many-to-one translation• Maps multiple IP addresses to 1 or a few IP addresses• Unique source port number identifies each session• Conserves registered IP addresses• Also called NAPT in IETF documents

Router# show ip nat translations


171.69.68.5:1405171.69.68.5:1405 10.6.15.2:140510.6.15.2:1405 204.71.200.69:80204.71.200.69:80tcptcp 204.71.200.69:80204.71.200.69:80

NAT vs. PAT

• NAT• When there is sufficient number of IP addresses for 1 to 1

translations• PAT

• When there are an insufficient number of IP addresses available to translate all of the inside addresses

NAT Order of Operation

• NAT always checks translation table for entry before access lists

• For a full NAT order of operation see http://www.cisco.com/warp/public/556/5.html









Dst AddrOutside Local

Dst AddrOutside Local







Dest AddrInside LocalDest Addr

Inside Local





Dest AddrInside Global

Dest AddrInside Global

Inside Interface Outside Interface

RoutingRouting NATNAT

Summary

• NAT provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes

• NAT eliminates costs associated with host renumbering

• NAT eases IP address management• NAT enhances network privacy

cs 540 computer networks ii sandy wang [email protected]

Documents