TRANSCRIPT
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Deploying and Troubleshooting Network Address Translation
Session NMS-2102
Agenda—The WWW of NAT
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Tools for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Questions and Answers
Why Use Network Address Translation?
• IPv4 shortage
• IPv6 is still the future
• Security benefits (internal addressing is hidden from the outside; on its own NAT is not access control, so it still needs a firewall policy in front of or on the same device)
• Make network administrators’ lives miserable!
What Is NAT, NAPT, PAT, Masquerading…
• NAT—Network Address Translation
  • All IP traffic
  • Layer 3 address rewrite
  • 1-1 mapping of traffic (1 inside to 1 outside)
  • Think—direct telephone line
• NAPT—Network Address Port Translation (PAT)
  • Originally planned for TCP, UDP and ICMP traffic
  • Layer 3 and 4 address/port rewrite
  • Many-1 mapping of traffic (multiple inside to 1 outside)
  • Think—phone number with an extension
RFC 1631 (since obsoleted by RFC 3022)
Why NAT or NAPT?
• NAT (one-to-one) has a better chance of not breaking network applications than NAPT, because it leaves the Layer 4 ports untouched.
• Using one-to-one NAT toward the Internet is rare these days, since most ISPs hand out only one address at a time, which limits you to NAPT.
• NAPT is getting better with application fixup support, so test first and deploy second.
Basic Concept of NAT—Example
• NAT changes the IP address in the IP header

Local host 10.6.1.20 (NAT inside) talks to remote host 172.16.1.1 (NAT outside); the inside global address is 14.38.50.1.

Outbound packet, before NAT:  Src Addr 10.6.1.20   Dest Addr 172.16.1.1
Outbound packet, after NAT:   Src Addr 14.38.50.1  Dest Addr 172.16.1.1
Return packet, before NAT:    Src Addr 172.16.1.1  Dest Addr 14.38.50.1
Return packet, after NAT:     Src Addr 172.16.1.1  Dest Addr 10.6.1.20
Basic Concept of NAPT—Example
• Port Address Translation (NAPT) extends NAT from “one-to-one” to “many-to-one” by associating the port information with each flow

Two local hosts, 10.6.1.10 and 10.6.1.20, both telnet to remote host 172.16.1.1 from source port 1506; the single inside global address is 14.38.50.1 (reconstructed from the slide’s packet diagram).

Flow 1 (10.6.1.10):
Before NAPT, outbound:  Src Addr 10.6.1.10   Src Port 1506  Dest Addr 172.16.1.1  Dest Port 23
After NAPT, outbound:   Src Addr 14.38.50.1  Src Port 1506  Dest Addr 172.16.1.1  Dest Port 23
Before NAPT, inbound:   Src Addr 172.16.1.1  Src Port 23    Dest Addr 14.38.50.1  Dest Port 1506
After NAPT, inbound:    Src Addr 172.16.1.1  Src Port 23    Dest Addr 10.6.1.10   Dest Port 1506

Flow 2 (10.6.1.20):
Before NAPT, outbound:  Src Addr 10.6.1.20   Src Port 1506  Dest Addr 172.16.1.1  Dest Port 23
After NAPT, outbound:   Src Addr 14.38.50.1  Src Port 1507  Dest Addr 172.16.1.1  Dest Port 23

Both flows arrive with source port 1506, so the second one is given a different global port (1507); that is the only thing that lets the return traffic be told apart.
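As an added example (written for this page, not Cisco code), the following Python models the two example slides above: a simple one-to-one translation keyed on the source address only, and an extended NAPT translation keyed on address, port, destination and protocol, with the global-port allocation that turns the two colliding source ports into 1506 and 1507. The `strict` flag mimics the PIX rule that an inbound packet with no translation is dropped, while an IOS router passes it unaltered; the class and method names, and the simplified port allocator, are assumptions made for illustration.

```python
"""Simulated NAT / NAPT translation table (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Translator:
    def __init__(self, pool: List[str], overload: bool = False, strict: bool = False):
        self.pool = list(pool)          # inside global addresses still free
        self.overload = overload        # False: simple 1-1 NAT, True: NAPT (overload)
        self.strict = strict            # True: drop untranslated inbound packets (PIX behaviour)
        self.simple: Dict[str, str] = {}                        # local ip -> global ip
        self.extended: Dict[Tuple, Tuple[str, int]] = {}        # (lip,lport,rip,rport,proto) -> (gip,gport)
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}         # (gip,gport,rip,rport,proto) -> (lip,lport)
        self.used_ports: set = set()

    def _alloc_port(self, wanted: int) -> int:
        # Keep the inside port when it is free; otherwise walk upward (simplified allocator, an assumption).
        port = wanted
        while port in self.used_ports:
            port += 1
        self.used_ports.add(port)
        return port

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source, building a translation on first use."""
        if not self.overload:
            gip = self.simple.get(p.src_ip)
            if gip is None:
                if not self.pool:
                    return None                   # pool exhausted: IOS drops the packet and counts a miss
                gip = self.pool.pop(0)
                self.simple[p.src_ip] = gip
            return Packet(gip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        if key not in self.extended:
            gip, gport = self.pool[0], self._alloc_port(p.src_port)
            self.extended[key] = (gip, gport)
            self.reverse[(gip, gport, p.dst_ip, p.dst_port, p.proto)] = (p.src_ip, p.src_port)
        gip, gport = self.extended[key]
        return Packet(gip, gport, p.dst_ip, p.dst_port, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination from the table.  No entry means
        'pass unaltered' on IOS (strict=False) or 'no translation, no packet flow' on the PIX."""
        if not self.overload:
            for lip, gip in self.simple.items():
                if gip == p.dst_ip:
                    return Packet(p.src_ip, p.src_port, lip, p.dst_port, p.proto)
        else:
            hit = self.reverse.get((p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))
            if hit is not None:
                return Packet(p.src_ip, p.src_port, hit[0], hit[1], p.proto)
        return None if self.strict else p

    def show(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations'."""
        rows = [f"--- {gip} {lip} --- ---" for lip, gip in self.simple.items()]
        for (lip, lport, rip, rport, proto), (gip, gport) in self.extended.items():
            rows.append(f"{proto} {gip}:{gport} {lip}:{lport} {rip}:{rport} {rip}:{rport}")
        return rows


def demo():
    """The slide's scenario: two inside hosts telnet to 172.16.1.1, both from source port 1506."""
    napt = Translator(pool=["14.38.50.1"], overload=True)
    first = napt.outbound(Packet("10.6.1.10", 1506, "172.16.1.1", 23))
    second = napt.outbound(Packet("10.6.1.20", 1506, "172.16.1.1", 23))
    reply = napt.inbound(Packet("172.16.1.1", 23, "14.38.50.1", 1506))
    return first, second, reply


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

Run it and the second flow comes out as 14.38.50.1:1507 while the reply to port 1506 goes back to 10.6.1.10; construct a `Translator(pool=[...], overload=False)` to see the simple table, where the second inside host gets the next pool address and a third is dropped once the pool is empty.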
The Life of a Translated Packet—In the Beginning…
1. Local host 10.6.1.20 (NAT inside) sends a packet: Src Addr 10.6.1.20, Dest Addr Remote Host.
2. At the translation boundary (NAT inside → NAT outside) no translation exists—the table is empty.

The Life of a Translated Packet—The Evolution
3. A translation mapping is created: Local IP 10.6.1.20 = Global IP 14.38.50.1. The packet leaves the NAT outside interface as Src Addr 14.38.50.1, Dest Addr Remote Host.
What Does the Translation Table Contain?
It depends…
Cisco IOS-based device:
• NAT INSIDE traveling to NAT OUTSIDE
• Simple translation
• Extended translation
• Packet will pass, altered or not
PIX:
• Source interface and destination interface
• Extended translation
• Packet dropped if not translated
Cisco IOS Simple Translation
• Uses only the source IP to make its decisions
• Configuration options are limited to a standard or extended access-list
Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 14.38.50.1         10.6.1.20          ---                ---
(Inside local is the source IP, inside global the translated IP.)
Cisco IOS Extended Translation
• Uses the source IP, destination IP, port number, and protocol to make its decisions
• Will always be used if NAPT is involved (hint: “overload” keyword)
• Will also be used if using route-maps
Router#show ip nat translation
Pro Inside global        Inside local        Outside local      Outside global
tcp 14.38.50.1:11012     10.6.1.20:11012     172.17.1.1:23      172.17.1.1:23
tcp 14.36.40.1:11011     10.6.1.20:11011     172.16.1.1:23      172.16.1.1:23
(Protocol, port and destination IP are all part of the entry; here the same inside host is translated to a different inside global address for each destination.)
PIX Translation
• Looks at the source interface and the interface the packet will be routed out of to make its translation decision
• No translation? No packet flow!
pixfirewall(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
TCP PAT from inside:10.6.1.20/1026 to outside:14.38.50.1/1024 flags ri
UDP PAT from inside:10.6.1.20/1028 to outside:14.38.50.1/1024 flags ri
ICMP PAT from inside:10.6.1.20/21505 to outside:14.38.50.1/0 flags ri
Different Kinds of Translation Mappings
• Static
• Dynamic
Perspective:
• Inside source
• Outside source
Timers
Inside Static Translation
• Using:
ip nat inside source static 10.6.1.20 14.38.50.1
• The packet enters the “ip nat inside” interface; since we have a permanent mapping, the source address 10.6.1.20 is changed to 14.38.50.1
Local 10.6.1.20 (NAT inside) → Remote 172.16.1.1 (NAT outside)
Before NAT: Src Addr 10.6.1.20,  Dest Addr 172.16.1.1
After NAT:  Src Addr 14.38.50.1, Dest Addr 172.16.1.1
Outside Static Translation
• Using:
ip nat outside source static 172.16.1.1 10.1.1.1
• A packet enters the “ip nat outside” interface; from the mapping, the source address 172.16.1.1 is changed to 10.1.1.1
Remote 172.16.1.1 (NAT outside) → Local 10.6.1.20 (NAT inside)
Before NAT (as seen on the outside): Src Addr 172.16.1.1, Dest Addr 10.6.1.20
After NAT (as seen on the inside):   Src Addr 10.1.1.1,   Dest Addr 10.6.1.20
(The inside host sees the remote system as 10.1.1.1, so the router also needs a route for 10.1.1.1 toward the outside interface; without it the inside host’s replies never reach the translation.)
NAT Decision Process
Cisco IOS-based device (in order):
• Existing translation
• Static translation
• Dynamic translation
• Packet routed if possible
PIX Firewall (in order):
• Existing translation
• nat 0 access-list <#>
• Static
• nat 0 <network>
• nat <#>/global <#>
• Dropped packet
NAT or NAPT Selection
• If you configure NAT only, it will always NAT
• If you configure NAPT only, it will NAPT
• For mixed mode (NAT and NAPT):
Cisco IOS-based device:
• NAPT all TCP/UDP/ICMP-based traffic
• NAT all other protocols
PIX:
• Use all available NAT pools
• NAT pools exhausted: NAPT all new connections until a NAT address is freed up
Setting the Timers
NAT-vpn-2503(config)# ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows
We recommend that you do not change these values, since they affect the router on a global basis.
On the PIX
pixfirewall(config)# show xlate
1 in use, 1 most used
PAT Global 14.48.43.2(1024) Local 192.168.1.10(3729)
pixfirewall(config)# show conn
1 in use, 1 most used
TCP out 14.48.44.11:3389 in 192.168.1.10:3729 idle 0:00:00 Bytes 35788 flags UIO
pixfirewall(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
(In show xlate, “Global” is the translated source address; in show conn, the “out” endpoint is the destination address.)
Where Should Address Translation Be Used?
Between…
• Corporate network and the Internet
• Corporate network and business partner
• Corporate network and home office
• Test labs and corporate networks
Agenda—The WWW of NAT
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Tools for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Questions and Answers
Cisco IOS PITFALL—Packet Flow Outside → Inside
Packet flow from the NAT outside interface to the NAT inside interface:
1. Inbound ACL* (* only if the packet is encrypted: the ACL is checked against the still-encrypted packet)
2. Decryption
3. Inbound ACL
4. NAT (outside to inside: the global address is translated to the local address before routing)
5. Routing
6. Outbound ACL

Cisco IOS PITFALL—Packet Flow Inside → Outside
Packet flow from the NAT inside interface to the NAT outside interface:
1. Inbound ACL
2. Policy routing
3. Routing
4. NAT (inside to outside: the local address is translated to the global address after routing)
5. Outbound ACL
6. Encryption

The pitfall: anything that sits before NAT in this order (inbound ACLs, policy routing) sees the address as it arrived, and anything after it (outbound ACLs, crypto ACLs) sees the translated address. Write each ACL for the addresses it will actually see.
PIX Pitfalls
• Translations must be built in order for a packet to traverse the firewall
• Do not forget that the PIX is also a firewall, so you need to include the appropriate access rules to allow the traffic to flow
NAT Deployment—Things to Know
• Which networking device is being used
• Application layer (5-7): embedded IP information in the payload
• Transport (4) and network (3) layer compliance
(The slide shows the stack: Applications (5-7), Transport (4), Network (3), Datalink (2), Physical (1).)
Considerations—Embedded IP
Inside:   IP HDR: Src IP = 10.1.1.1   Data: IP = 10.1.1.1
          ↓ address translation
Outside:  IP HDR: Src IP = x.x.x.x    Data: IP = 10.1.1.1
The header is rewritten, but the copy of the address carried in the payload is not, unless the device understands the application.
Some Applications that Embed IP Address Information
• DNS “A” and “PTR” queries
• NetBIOS over TCP/IP (datagram, name, and session services)
• NetMeeting 2.1, 2.11 (4.3.2519) and 3.01 (4.4.3385)
• FTP PORT and PASV commands
• Voice elements: SIP, Skinny, MGCP, H.323, CTI, …
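An added example (not part of the original deck) of why an embedded address breaks NAPT and what an application fixup does, using active-mode FTP from the list above: the PORT command carries the client’s private address and listening port in the payload, so after plain NAPT the server would try to connect back to 10.6.1.20. The fixup below parses PORT, allocates a global port, rewrites the payload and remembers the pinhole for the server’s data connection. It also refuses to open a pinhole for any address other than the client’s own, the check that keeps the fixup from being used as a bounce into the inside network. The sample command, the class names and the port allocator are constructed for this example.

```python
"""Minimal active-FTP application fixup for an inside client behind NAPT (added example)."""
import re
from typing import Dict, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); None for any other line or a malformed one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command's comma-separated form."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpFixup:
    def __init__(self, local_ip: str, global_ip: str, first_port: int = 1024):
        self.local_ip, self.global_ip = local_ip, global_ip
        self.next_port = first_port                        # simplified allocator (assumption)
        self.pinholes: Dict[int, Tuple[str, int]] = {}     # global port -> (local ip, local port)

    def rewrite_command(self, line: str) -> str:
        """Rewrite an outbound control-channel line; everything but a valid PORT passes untouched."""
        parsed = parse_port(line)
        if parsed is None:
            return line
        lip, lport = parsed
        # Only open a hole for the client's own address.  A PORT naming another inside host
        # would let an outside server be steered into the private network (FTP bounce).
        if lip != self.local_ip:
            return line
        gport, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[gport] = (lip, lport)
        return format_port(self.global_ip, gport)

    def inbound_data(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """The server's data connection to the global address: inside target, or None (drop)."""
        if dst_ip != self.global_ip:
            return None
        return self.pinholes.pop(dst_port, None)         # one-shot pinhole


def demo():
    """Client 10.6.1.20 announces a listener on port 2002 (7*256+210); NAPT address is 14.38.50.1."""
    alg = FtpFixup(local_ip="10.6.1.20", global_ip="14.38.50.1")
    without_alg = "PORT 10,6,1,20,7,210\r\n"     # what the server sees with NAPT but no fixup
    with_alg = alg.rewrite_command(without_alg)
    target = alg.inbound_data("14.38.50.1", 1024)
    return without_alg, with_alg, target


if __name__ == "__main__":
    print(demo())
```

With the fixup the server receives `PORT 14,38,50,1,4,0` and its data connection to 14.38.50.1:1024 is steered to 10.6.1.20:2002; without it the payload still says 10.6.1.20 and the transfer fails, which is the failure mode the embedded-IP slide describes.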
Overlapping Addresses
• Static and global translations should not overlap with any interface address
• Static translation should not be included in a dynamic pool range
Cisco IOS—Overlapping with the Interface
If you have:
interface <interface>
 ip address 14.48.50.1 255.255.255.0
Option #1:
ip nat inside source list 1 interface <interface>
Option #2:
ip nat pool SWIM 14.48.50.1 15.48.50.1
ip nat inside source list 1 pool SWIM
Agenda—Steps of Deployment
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Steps for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Questions and Answers
NAT Based on Destination—Putting Criteria on the NAT Pools
Topology: Your Company (10.0.0.0/8) on Ethernet 0 of the NAT router; Serial 0 to the Internet (available addresses: 209.165.201.0/27); Serial 1 to the Partners (partner network 192.168.1.0/24; available addresses on the link: 172.16.1.0/24).
NAT by Destination—Goals
• You must have Internet connectivity using only ONE address of the 209.165.201.0/27 space (hint: NAPT)
• You must have partner access to the 192.168.1.0/24 network, but you cannot use your current 10.0.0.0/8 or Internet addresses
• Your partner is using 172.16.1.0/24 as the address range for the point-to-point serial link back to your corporate site
NAT by Destination—Working on One Side at a Time: the Partners, Step 1
Serial 1 link to the partners uses .1 and .2 of the available 172.16.1.0/24; the partner network is 192.168.1.0/24.
router(config)# ip nat pool partners 172.16.1.3 172.16.1.254 netmask 255.255.255.0
NAT by Destination—Working on the Internet Side, Step 1
Serial 0 link to the Internet uses .1 and .2 of the available 209.165.201.0/27.
Since our goal was to only use one IP address from the available range, we will use the IP of Serial 0 and use NAPT; therefore, no pool is required.
NAT by Destination—Partners Side Route Map Declaration, Step 2
router(config)# route-map topartners permit 10
router(config-map)# match interface serial 1
NAT by Destination—Internet Side Route Map Declaration, Step 2
router(config)# route-map tointernet permit 10
router(config-map)# match interface serial 0
(The route-map for the Internet side is tointernet, the name the next step binds to Serial 0; reusing topartners here would overwrite the partner clause.)
NAT by Destination—Both Sides, Steps 3 and 4
Step 3, bind each route-map to its translation:
router(config)# ip nat inside source route-map topartners pool partners
router(config)# ip nat inside source route-map tointernet interface serial 0 overload
(overload is what makes the Internet side NAPT on the Serial 0 address, as the goal required)
Step 4, mark the interfaces:
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
router(config-if)# interface serial 1
router(config-if)# ip nat outside
Alternative to the Cisco IOS Match Interface
Internet side:
access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map tointernet permit 10
 match ip address 100
Partner side:
access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
route-map topartners permit 10
 match ip address 110
(The deny entry in access-list 100 keeps partner-bound traffic out of the Internet NAPT rule, so the two rules never both match; the route-map names must be the ones used in the ip nat inside source statements.)
Two Pools on a Single Interface—Goal
Topology: clients 10.1.1.0/24 on Ethernet 0; Serial 0 to the Internet; remote host 1.1.1.1; pool 209.165.201.0/27.
• To pull from the NAT pool if the destination is 1.1.1.1
• Use the Serial 0 interface address (NAPT) for everything else

Two Pools on a Single Interface—Rules
router(config)# access-list 100 deny ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Two Pools on a Single Interface—Overload
router(config)# route-map napt2internet permit 10
router(config-map)# match ip address 100
router(config)# ip nat inside source route-map napt2internet interface serial 0 overload

Two Pools on a Single Interface—Pool
router(config)# ip nat pool natpool 209.165.201.10 209.165.201.30 netmask 255.255.255.224
router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 host 1.1.1.1
router(config)# route-map vpnusenat permit 10
router(config-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool
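To check a destination-based policy before it goes on a router, here is an added example (written for this page, not Cisco code) that evaluates both configurations above in plain Python: the ACL-based alternative to match interface (partners via the pool, everything else NAPT on Serial 0) and the two-pools-on-one-interface policy (host 1.1.1.1 via the pool, everything else overloaded on Serial 0). Wildcard masks follow the IOS rule that a set bit means don’t-care, ACLs are first-match with an implicit deny, and a `disjoint` helper confirms that the deny lines really keep the two rules from ever both matching. The Ace and NatRule names and the target strings are this example’s assumptions.

```python
"""Evaluate IOS wildcard ACLs and route-map NAT selection in software (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: every bit that is 0 in the wildcard must match the base."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")          # the 'any' keyword


def host(ip: str) -> Tuple[str, str]:
    """'host x.x.x.x' is shorthand for wildcard 0.0.0.0."""
    return ip, "0.0.0.0"


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; no match is the implicit deny at the end of every ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


@dataclass
class NatRule:
    route_map: str
    acl: List[Ace]
    target: str          # what 'ip nat inside source route-map ...' points at


def select_translation(rules: List[NatRule], src: str, dst: str) -> Optional[str]:
    """Translation target for a packet, or None when no rule matches
    (an IOS router then routes the packet untranslated)."""
    for rule in rules:
        if acl_permits(rule.acl, src, dst):
            return rule.target
    return None


def disjoint(rules: List[NatRule], samples: List[Tuple[str, str]]) -> bool:
    """True if no sample packet is permitted by more than one rule's ACL, i.e. the
    order of the 'ip nat inside source' statements cannot change the outcome."""
    return all(sum(acl_permits(r.acl, s, d) for r in rules) <= 1 for s, d in samples)


# Slide "Alternative to the Cisco IOS Match Interface"
ACL_100 = [Ace("deny", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
           Ace("permit", "10.0.0.0", "0.255.255.255", *ANY)]
ACL_110 = [Ace("permit", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255")]
PARTNER_RULES = [NatRule("topartners", ACL_110, "pool partners"),
                 NatRule("tointernet", ACL_100, "interface serial 0 overload")]

# Slides "Two Pools on a Single Interface"
ACL_100_TWO = [Ace("deny", "10.1.1.0", "0.0.0.255", *host("1.1.1.1")),
               Ace("permit", "10.1.1.0", "0.0.0.255", *ANY)]
ACL_110_TWO = [Ace("permit", "10.1.1.0", "0.0.0.255", *host("1.1.1.1"))]
TWO_POOL_RULES = [NatRule("napt2internet", ACL_100_TWO, "interface serial 0 overload"),
                  NatRule("vpnusenat", ACL_110_TWO, "pool natpool")]


if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "192.168.1.7"), ("10.1.1.5", "198.51.100.9")]:
        print(src, "->", dst, ":", select_translation(PARTNER_RULES, src, dst))
    for src, dst in [("10.1.1.9", "1.1.1.1"), ("10.1.1.9", "1.1.1.2")]:
        print(src, "->", dst, ":", select_translation(TWO_POOL_RULES, src, dst))
```

Feed it the source/destination pairs you care about (including ones that should fall through to plain routing, such as a non-10.0.0.0/8 source) before committing the ACLs; the `disjoint` check is the one to run whenever someone adds a permit line to one ACL without the matching deny in the other.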
How to Troubleshoot Address Translation Issues
• Always make sure your project works before adding address translation
• Verify proper routing (e.g. that asymmetric routing is not coming into play: the return packet must cross the same NAT device that holds the translation)
• Gather traces and debugs to support the test conditions
Showing the Active Translations—show ip nat translations
Simple translation—using NAT:
NAT-vpn-2503#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.10     10.6.1.10          ---                ---
--- 209.165.201.11     10.6.1.20          ---                ---
Extended translation—using NAPT:
NAT-vpn-2503#show ip nat translations
Pro Inside global          Inside local        Outside local   Outside global
icmp 209.165.201.10:6269   10.6.1.10:6269      1.1.1.1:6269    1.1.1.1:6269
tcp  209.165.201.11:11000  10.6.1.20:11000     1.1.1.1:23      1.1.1.1:23
Tip: you can use “show ip nat translations | include 10.6.1.10” to show only the translation entries for host 10.6.1.10.
Showing the Active Translations—show ip nat translations verbose
Extended translation—using NAPT:
NAT-vpn-2503#show ip nat translations verbose
Pro Inside global          Inside local        Outside local   Outside global
icmp 209.165.201.10:6269   10.6.1.10:6269      1.1.1.1:6269    1.1.1.1:6269
    create 00:00:02, use 00:00:02, left 00:00:57, flags: extended, use_count: 0
Simple translation—using NAT:
NAT-vpn-2503#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.11     10.6.1.20          ---                ---
    create 00:00:05, use 00:00:05, left 23:59:54, flags: none, use_count: 0
Shows when the translation was first created, when it was last used, and the time left before it expires (here the ICMP entry is counting down the 60-second ICMP default and the simple entry the 24-hour dynamic translation default).
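When an abuse report or a log on the far side names only a public address and port, the first troubleshooting step is to map it back to the inside host. The following is an added example (not Cisco code) that parses the two tables shown above, embedded here as a constructed sample, into records, and answers that question the way the table does: an extended entry matches on protocol, address and port, and a simple entry answers for every port because 1-1 NAT leaves Layer 4 untouched. It also reproduces the “| include” tip in software. The parser is written for the classic five-column IOS layout; record and function names are assumptions.

```python
"""Parse 'show ip nat translations' and map an inside global endpoint to its inside host (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two tables from the slides, pasted as one capture.
SAMPLE = """\
NAT-vpn-2503#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 209.165.201.10     10.6.1.10          ---                ---
--- 209.165.201.11     10.6.1.20          ---                ---
icmp 209.165.201.10:6269 10.6.1.10:6269   1.1.1.1:6269       1.1.1.1:6269
tcp 209.165.201.11:11000 10.6.1.20:11000  1.1.1.1:23         1.1.1.1:23
"""


def split_endpoint(field: str) -> Tuple[Optional[str], Optional[int]]:
    """'ip:port' -> (ip, port); 'ip' -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.partition(":")
    return ip, (int(port) if sep else None)


@dataclass(frozen=True)
class Xlate:
    proto: Optional[str]            # None for a simple (address-only) translation
    inside_global: str
    inside_global_port: Optional[int]
    inside_local: str
    inside_local_port: Optional[int]
    outside_global: Optional[str]
    outside_global_port: Optional[int]

    @property
    def extended(self) -> bool:
        return self.proto is not None


def parse_translations(text: str) -> List[Xlate]:
    rows: List[Xlate] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 5 or t[0] == "Pro":
            continue                          # prompt, header or blank line
        proto = None if t[0] == "---" else t[0]
        ig, igp = split_endpoint(t[1])
        il, ilp = split_endpoint(t[2])
        og, ogp = split_endpoint(t[4])
        rows.append(Xlate(proto, ig, igp, il, ilp, og, ogp))
    return rows


def inside_host_for(rows: List[Xlate], global_ip: str, global_port: Optional[int] = None,
                    proto: Optional[str] = None) -> Optional[str]:
    """Inside local host behind an inside global address (and port), or None if unknown."""
    for r in rows:                                          # extended entries need the port
        if (r.extended and r.inside_global == global_ip and r.inside_global_port == global_port
                and (proto is None or r.proto == proto)):
            return r.inside_local
    for r in rows:                                          # a simple entry covers every port
        if not r.extended and r.inside_global == global_ip:
            return r.inside_local
    return None


def only_host(rows: List[Xlate], host: str) -> List[Xlate]:
    """Software equivalent of 'show ip nat translations | include <host>'."""
    return [r for r in rows if host in (r.inside_local, r.inside_global, r.outside_global)]


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(inside_host_for(table, "209.165.201.11", 11000, "tcp"))
    for row in only_host(table, "10.6.1.10"):
        print(row)
```

The same lookup against the timestamped syslog records (next slides) is what you need when the translation has already expired; the `show` output only answers for what is in the table right now.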
NAT Show Commands—show ip nat statistics
NAT-vpn-2503#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 10 pool natpool refcount 1
 pool natpool: netmask 255.255.255.224
        start 209.165.201.10 end 209.165.201.30
        type generic, total addresses 21, allocated 1 (4%), misses 0

Reading the fields:
• Total active translations: number of translations active on the system; this number is incremented each time a translation is created and decremented each time a translation is cleared or times out
• Outside/Inside interfaces: interfaces that carry an ip nat {inside | outside} designation
• Hits: number of times the software does a translation table lookup and finds an existing translation (fast/CEF switched packet)
• Misses: number of times the table lookup fails and a new translation needs to be created (process switched packet)
• Expired translations: cumulative count of translations that have expired since the router was restarted
• Dynamic mappings: dynamic inside source mappings using access-list 10; the pool of addresses available is 209.165.201.10 - .30, total 21; since only 1 translation of the available 21 is in use, that equates to 4%
• Pool misses: the number of times a translation could not be created when one should have been (typically the pool was exhausted)
Levels of Debugging NAT—debug ip nat {detailed}
NAT-vpn-2503# debug ip nat
6d01h: NAT: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [15]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [15]
6d01h: NAT*: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [16]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [16]

NAT-vpn-2503# debug ip nat detailed
6d01h: NAT: installing alias for address 209.165.201.10
6d01h: NAT: i: icmp (10.6.1.10, 7584) -> (1.1.1.1, 7584) [20]
6d01h: NAT: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [20]
6d01h: NAT*: o: icmp (1.1.1.1, 7584) -> (209.165.201.10, 7584) [20]
6d01h: NAT*: s=1.1.1.1, d=209.165.201.10->10.6.1.10 [20]
6d01h: NAT*: i: icmp (10.6.1.10, 7585) -> (1.1.1.1, 7585) [21]
6d01h: NAT*: s=10.6.1.10->209.165.201.10, d=1.1.1.1 [21]
6d01h: NAT*: o: icmp (1.1.1.1, 7585) -> (209.165.201.10, 7585) [21]
* = IP fast/CEF switched packet; the number in brackets is the IP identification field of the packet, which lets you match a debug line to a trace.
Warning: debugging at any level can be fatal to a router if done incorrectly. On a busy box restrict the output with an access-list (debug ip nat <access-list>) and log to the buffer rather than the console.
Logging the Built Translations
Cisco IOS commands:
ip nat log translations syslog
logging host 10.6.1.30
logging trap debug
What the SYSLOG server sees:
03-14-2002 13:42:16 Local7.Debug 10.6.1.1 30: 00:12:13: NAT:Created tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:43:22 Local7.Debug 10.6.1.1 31: 00:13:19: NAT:Deleted tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:36:25 Local7.Debug 10.6.1.1 20: 00:06:22: NAT:Created icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
03-14-2002 13:37:25 Local7.Debug 10.6.1.1 25: 00:07:22: NAT:Deleted icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
(Each record lists inside local, inside global, outside local and outside global, in the same order as show ip nat translations; logging trap debug is needed because the records are emitted at debug severity.)
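Those records are the only durable evidence of who held a translated address once the entry has aged out, so it is worth having code that joins them. As an added example (not Cisco code), the Python below correlates Created and Deleted lines into sessions keyed on protocol, inside global and outside global, computes how long each translation lived, and answers “which inside host was behind 172.16.1.4:11010 at 13:43?”. The sample lines are the four shown above, embedded as a constructed string; the regular expression and record layout are assumptions for this syslog format, and lines that do not match (other syslog traffic) are skipped rather than failing the run.

```python
"""Correlate 'NAT:Created' / 'NAT:Deleted' syslog records into sessions (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four lines shown on the slide.
LOG = """\
03-14-2002 13:42:16 Local7.Debug 10.6.1.1 30: 00:12:13: NAT:Created tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:43:22 Local7.Debug 10.6.1.1 31: 00:13:19: NAT:Deleted tcp 10.6.1.20:11010 172.16.1.4:11010 192.168.1.1:23 192.168.1.1:23
03-14-2002 13:36:25 Local7.Debug 10.6.1.1 20: 00:06:22: NAT:Created icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
03-14-2002 13:37:25 Local7.Debug 10.6.1.1 25: 00:07:22: NAT:Deleted icmp 10.6.1.20:1000 172.16.1.3:1000 192.168.1.1:1000 192.168.1.1:1000
"""

# syslog timestamp, facility.severity, router, sequence number, router uptime, then the NAT record
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ (?P<router>\S+) \d+: \S+ "
    r"NAT:(?P<event>Created|Deleted) (?P<proto>\w+) (?P<il>\S+) (?P<ig>\S+) (?P<ol>\S+) (?P<og>\S+)$"
)


@dataclass
class Session:
    proto: str
    inside_local: str
    inside_global: str
    outside_global: str
    start: datetime
    end: Optional[datetime] = None

    def duration(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def correlate(log: str) -> List[Session]:
    """Join Created/Deleted pairs; sessions still open at the end of the log keep end=None."""
    open_: Dict[Tuple[str, str, str], Session] = {}
    done: List[Session] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a NAT record
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S")   # syslog server's receive time
        key = (m["proto"], m["ig"], m["og"])           # how the outside world saw the flow
        if m["event"] == "Created":
            open_[key] = Session(m["proto"], m["il"], m["ig"], m["og"], ts)
        else:
            s = open_.pop(key, None)
            if s is None:
                continue                              # Deleted without Created: log gap or reload
            s.end = ts
            done.append(s)
    return done + list(open_.values())


def who_had(sessions: List[Session], inside_global: str, at: datetime) -> Optional[str]:
    """Inside local endpoint that held this inside global endpoint at the given time."""
    for s in sessions:
        if s.inside_global == inside_global and s.start <= at and (s.end is None or at <= s.end):
            return s.inside_local
    return None


if __name__ == "__main__":
    for s in correlate(LOG):
        print(s.proto, s.inside_local, "->", s.inside_global, "lived", s.duration(), "s")
```

Two caveats the code makes visible: the answer depends on the syslog server’s clock, not the router’s uptime counter, so keep the server on NTP; and with NAPT the same inside global address:port is reused after the entry is deleted, which is why the lookup is by time window and not by address alone.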
Stateful NAT (SNAT)—Cisco IOS
• New feature as of 12.2(13)T code
• Platform independent
• Support for only peer-to-peer
• Works with or without an HSRP environment for true fault tolerance
Without SNAT—The Problem
Network host 10.1.1.3 sits behind two NAT routers, R1-NAT and R2-NAT.
1. The host’s traffic goes through R1, whose translation table holds the entry: IL 10.1.1.3, IG 192.168.1.3, OL 192.168.1.3, OG 172.16.1.3.
2. R2’s translation table is empty.
3. R1 fails.
4. Traffic moves to R2, which has no state for the flow, so the established sessions break.

With SNAT—The Solution
1. The translation is created on R1 (IL 10.1.1.3, IG 192.168.1.3, OL 192.168.1.3, OG 172.16.1.3).
2. SNAT copies the entry to R2, whose table now holds the same translation (marked * in the figure).
3. Traffic flows through R1.
4. R1 fails.
5. Traffic moves to R2.
6. R2 already has the translation, so the flow continues.
SNAT Options
• Primary/backup mode (non-HSRP): only peer-to-peer
• Redundancy (HSRP): single peer only
• Updates/communication between the SNAT routers is done via TCP/15555
With SNAT—Primary/Backup Mode, Primary Configuration
R1-NAT (10.1.1.1) and R2-NAT (10.1.1.2) on network 10.1.1.0/24 with host 10.1.1.3; you are on R1. The mapping-id is the local correlation between the translation rule and the SNAT peer.
R1(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R1(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R1(config)# ip nat inside source list 1 pool P1 mapping-id 11
R1(config)# ip nat stateful ID 101
R1(config-ipnat-snat)# primary 10.1.1.1
R1(config-ipnat-snat-pri)# peer 10.1.1.2
R1(config-ipnat-snat-pri)# mapping-id 11
With SNAT—Primary/Backup Mode, Backup Configuration
Same network; you are on R2 (10.1.1.2). On the backup, the backup keyword carries R2’s own address and peer names the primary, the mirror image of R1’s configuration.
R2(config)# access-list 1 permit 10.1.1.0 0.0.0.255
R2(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R2(config)# ip nat inside source list 1 pool P1 mapping-id 11
R2(config)# ip nat stateful ID 101
R2(config-ipnat-snat)# backup 10.1.1.2
R2(config-ipnat-snat-bkp)# peer 10.1.1.1
R2(config-ipnat-snat-bkp)# mapping-id 11
With SNAT—Redundant Mode
[Figure: R1-NAT (10.1.1.0/24 .1) and R2-NAT (.2, "you are on this router") share the HSRP virtual address .10 in front of network host 10.1.1.3; the HSRP group is linked to SNAT]
R2(config)# interface Ethernet 0
R2(config-if)# standby 1 ip 10.1.1.10
R2(config-if)# standby 1 name snat
R2(config)# ip nat pool P1 172.16.1.1 172.16.1.254 netmask 255.255.255.0
R2(config)# ip nat inside source list 1 pool P1 mapping-id 11
R2(config)# ip nat stateful id 101
R2(config-ipnat-snat)# redundancy snat
R2(config-ipnat-snat-red)# mapping-id 11
Stateful Failover—Cisco IOS
Stateful Failover—Cisco IOS
• Unlike Cisco IOS, PIX will swap IP and MAC addresses instead of using a virtual address
• PIX has had failover since 3.x
• PIX added stateful failover in 5.x
• Must use a dedicated interface for updates
With SNAT—Primary/Backup Mode: Backup Configuration
[Figure: PIX1-NAT (10.1.1.0/24 .1) and PIX2-NAT (.2) in front of network host 10.1.1.3, joined by a dedicated LAN failover interface on 172.16.1.x/24]
pixfirewall(config)# nameif ethernet2 failover-int security50
pixfirewall(config)# ip address failover-int 172.16.1.1 255.255.255.0
pixfirewall(config)# failover ip address failover-int 172.16.1.2
pixfirewall(config)# failover link failover-int
Agenda—VPNs and Address Translation
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Tools for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Question and Answers?
PPTP 101
Point-to-Point Tunneling Protocol (PPTP): protocol 47 (GRE) carries the data; protocol 6 (TCP) port 1723 carries the authentication (control) connection
[Figure: original packet = IP HDR | Layer 4 | Data (layers 5-7); encapsulation within GRE without MPPE = New IP HDR | Tunnel ID | IP HDR | Layer 4 | Data]
This unique number (the tunnel ID) is what gives the router the ability to determine which flow goes to which system when being NAPTed
IPSec 101—ESP
Encapsulating Security Payload (ESP): protocol 50, tunnel mode only
[Figure: original packet = IP HDR | Data; tunnel-mode ESP packet = New IP HDR | IPSec HDR | IP HDR | Data; the original IP HDR and Data (layer 3 inward) are encrypted, and the authenticated span starts at the IPSec HDR, so the new IP HDR is not covered]
NAT works!
IPSec 101—AH
Authentication Headers (AH): protocol 51
[Figure: original packet = IP HDR | Data; tunnel-mode AH packet = IP HDR | IPSec HDR | IP HDR | Data; the authenticated span covers the outer IP HDR (layer 3) plus the data, and the resulting checksum is stored in the IPSec (AH) header]
Authenticated HDR + Data = Checksum
NAT breaks!
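A reduced model of the AH and ESP slides, added here as an example rather than taken from the deck: an HMAC stands in for the real AH/ESP integrity check, and the key, SPI and inner packet bytes are constructed.

```python
# Added example, not Cisco code: why a source-address NAT breaks AH but not
# tunnel-mode ESP. HMAC-SHA256 stands in for the real AH/ESP integrity check.
import hashlib
import hmac
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"          # constructed; real SA keys come from IKE
INNER = b"\x45\x00\x00\x1c" + b"constructed inner IP packet"  # original IP HDR + Data

def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def outer_hdr(pkt: dict) -> bytes:
    return IPv4Address(pkt["src"]).packed + IPv4Address(pkt["dst"]).packed

def build_ah(src: str, dst: str, inner: bytes) -> dict:
    """Tunnel-mode AH: the ICV covers the outer IP header (layer 3) plus the data."""
    pkt = {"src": src, "dst": dst, "payload": inner}
    pkt["icv"] = icv(outer_hdr(pkt) + inner)
    return pkt

def verify_ah(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(outer_hdr(pkt) + pkt["payload"]))

def build_esp(src: str, dst: str, inner: bytes) -> dict:
    """Tunnel-mode ESP: the ICV covers the ESP header and payload, never the outer IP header."""
    esp_hdr = b"\x00\x00\x10\x01\x00\x00\x00\x01"   # constructed SPI + sequence number
    body = esp_hdr + inner   # encryption omitted; it does not change what is authenticated
    return {"src": src, "dst": dst, "payload": body, "icv": icv(body)}

def verify_esp(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(pkt["payload"]))

def nat_source(pkt: dict, new_src: str) -> dict:
    """What the NAT device does to the outer packet: rewrite the source address only."""
    return {**pkt, "src": new_src}

def demo() -> dict:
    ah = build_ah("10.1.1.3", "209.165.201.5", INNER)
    esp = build_esp("10.1.1.3", "209.165.201.5", INNER)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_source(ah, "172.16.1.3")),     # False: AH breaks
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_source(esp, "172.16.1.3")),  # True: NAT works
    }
```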
What Is Being Done?
• PPTP over NAPT
• IPSec over UDP proprietary
• IPSec over TCP proprietary
• NAT-T (IPSec over UDP) standard
• IPSec NAT transparency
Where Do We Stand Today?
Address Translation Support for VPN Traffic:
Feature | PIX | Cisco IOS
NAT-T | 6.3 | 12.2.13T
IPSec NAT Transparency (Phase 1)* | 6.3 | 12.2.13T
IPSec NAT Transparency (Phase 2) | | 12.2.15T
IPSec over TCP** | | N/A
IPSec over UDP** | | N/A
PPTP over NAPT | | 12.1.5T
[The remaining PIX cells read NO, N/A, N/A and 6.3 in the source; their row assignment was lost in extraction]
VPN Head End Problem Topology
[Figure: a roaming user at an ISP builds an IPSec tunnel across the Internet to your company's NAT/VPN gateway in front of 10.0.0.0/8; NAT by destination rules will be used]
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 ???   (not sure on the destination ISP address)
VPN Head End Solution—Mode Config
[Figure: the VPN gateway with mode configuration hands roaming users addresses from the pool 172.16.1.1-.254; IPSec tunnel from the roaming user to your company's 10.0.0.0/8 network through the NAT]
router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
router(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
VPN Head End Using Static Translation
[Figure: MAIL server 10.6.1.20 behind the NAT; the roaming user at the ISP reaches it through an IPSec tunnel to the VPN gateway across the Internet]
router(config)# ip nat inside source static 10.6.1.20 209.165.201.5 route-map nonat
Cisco IOS VPN Configuration
access-list 100 deny ip 10.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
route-map nonat permit 10
 match address 100
ip nat pool natpool 209.165.201.10 209.165.201.20 netmask 255.255.255.248
ip nat inside source route-map nonat pool natpool
ip nat inside source static 10.6.1.20 209.165.201.5 route-map nonat
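First-match evaluation of the nonat access list from the VPN head-end slides, as an added example (not Cisco code): it shows why the deny for the mode-config pool has to sit before the permit. The client address 172.16.1.17 and the Internet host 198.51.100.7 are constructed.

```python
# Added example, not Cisco code: Cisco ACL first-match semantics applied to the
# route-map driven ("NAT by destination") translation decision on the slides.
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")        # what the keyword 'any' expands to
TEN_NET = ("10.0.0.0", "0.255.255.255")      # 10.0.0.0 0.255.255.255
VPN_POOL = ("172.16.1.0", "0.0.0.255")       # mode-config pool 172.16.1.1-.254

def acl_action(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

def translated(acl: list, src: str, dst: str) -> bool:
    # ip nat inside source route-map nonat pool natpool, with
    # route-map nonat permit 10 / match address 100: a packet the list permits
    # is translated; a packet the list denies is forwarded untouched.
    return acl_action(acl, src, dst) == "permit"

# Problem slide: permit listed first, so the deny below it can never match.
ACL_PROBLEM = [("permit", TEN_NET, ANY), ("deny", TEN_NET, VPN_POOL)]
# Solution slide: deny the mode-config pool first, then permit everything else.
ACL_SOLUTION = [("deny", TEN_NET, VPN_POOL), ("permit", TEN_NET, ANY)]

def demo() -> dict:
    to_vpn_client = ("10.6.1.20", "172.16.1.17")   # constructed mode-config client
    to_internet = ("10.6.1.20", "198.51.100.7")    # constructed Internet host
    return {
        "problem_vpn": translated(ACL_PROBLEM, *to_vpn_client),    # True: tunnel traffic gets NATed
        "solution_vpn": translated(ACL_SOLUTION, *to_vpn_client),  # False: left alone for IPSec
        "problem_inet": translated(ACL_PROBLEM, *to_internet),     # True
        "solution_inet": translated(ACL_SOLUTION, *to_internet),   # True: Internet still translated
    }
```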
PIX VPN Configuration
access-list 100 permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.248
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) 209.165.201.5 10.6.1.20 netmask 255.255.255.255
nat (inside) 0 access-list 100
Agenda—Dealing with Voice Elements
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Tools for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Question and Answers?
Voice Traffic vs. Address Translation Device
Protocol | PIX | Cisco IOS
Skinny | 6.3 | 12.2.13T
Skinny NAPT | 6.3 | No
MGCP | 6.3 | Future
CTI/TAPI/JTAPI | 6.3 | No
SIP | 6.3 | 12.2.11T
H323v3v4 | 6.3 | 12.3.1T*
H323v1v2 | 4.2 | 12.1.5T
*Compatibility Support—Algorithm Support Planned for Future Release
Prior to the Voice Fix Ups—Registration
[Figure: IP Phone A on 10.1.1.0/24 and IP Phone B on 209.165.201.0/27, separated by a NAT device; host addresses .10, .2, .1, .5 and .30 are marked; both phones send their Skinny registration through the NAT]
Prior to the Voice Fix Ups—Dialing
[Figure, same topology: IP Phone A (5510) and IP Phone B (5505); "Off hook, dial digits 5510"; the called phone displays caller 5505 and starts ringing]
Prior to the Voice Fix Ups—Off Hook
[Figure, same topology: "Off hook"; "Stop ring, called party off hook"]
Prior to the Voice Fix Ups—Media Offer
[Figure, same topology with the Internet in between: Phone B media offer is IP 209.165.201.5 port 17000; Phone A media offer is IP 10.1.1.10 port 20000]
Prior to the Voice Fix Ups—Media Ports
[Figure: Phone A media IP 10.1.1.10 port 20000 and Phone B media IP 209.165.201.5 port 17000 are carried through the NAT unchanged]
Prior to the Voice Fix Ups—One Way
[Figure: Phone A>B RTP stream and Phone B>A RTP stream across the Internet; result: one-way audio]
With the Voice Fix Ups—Media Ports
[Figure: the NAT, drawing from IP pool .10–.20, rewrites Phone A media IP 10.1.1.10 port 20000 to IP 209.165.201.10 port 20000; Phone B media stays IP 209.165.201.5 port 17000]
With the Voice Fix Ups—Final Solution
[Figure: Phone A>B RTP stream and Phone B>A RTP stream across the Internet; result: two-way audio]
Voice Summary
• Address translation devices need to be audio/video aware in order to process the packets correctly
• One-way audio is the typical problem when address translation is used
Call Manager Registration/Failover Issues
• Cisco IP phones can support SIP, Skinny, and MGCP
• TFTP fixup exists today for PIX and Cisco IOS
• So what is the issue?
IP Phone Configuration File
• Contains embedded information, for example:
<authenticationURL>http://14.48.44.11/CCMCIP/authenticate.asp</authenticationURL>
<directoryURL>http://14.48.44.11/CCMCIP/xmldirectory.asp</directoryURL>
<idleURL></idleURL>
<informationURL>http://14.48.44.11/CCMCIP/GetTelecasterHelpText.asp</informationURL>
<messagesURL></messagesURL>
<proxyServerURL></proxyServerURL>
<servicesURL>http://14.48.44.11/CCMCIP/getservicesmenu.asp</servicesURL>
</device>
IP Phones and NAT
• On the Cisco CallManagers use DNS instead of IP addresses
• Static NAT entries for CallManager Servers
• Either Split DNS or DNS Fixup can be used to properly resolve DNS entries for IP Phone Services
DNS Fix Up with IP Phones
[Figure: Cisco CallManager (.10) and DNS server (.20) on 10.1.1.0/24, the NAT inside side (E0, .1); 209.165.201.0/27 is the NAT outside side (E1, .1) with a host at .5; the translation boundary runs through the NAT router]
ip nat inside source static 10.1.1.10 209.165.201.10
ip nat inside source static udp 10.1.1.20 53 interface Ethernet0 53
DNS Fix Up with IP Phones, the Query
[Figure: the outside host asks the DNS server "What IP is CallManager.cisco.com?"; the DNS query passes through the NAT to the DNS server at .20]
DNS Fix Up with IP Phones, the Query
[Figure: the DNS server answers 10.1.1.10 for CallManager.cisco.com; with the static entry below in place, the response seen on the outside reads 209.165.201.10]
ip nat inside source static 10.1.1.10 209.165.201.10
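What the DNS fixup on these slides does to the reply, as an added example that is not Cisco code: it walks the answer section of a DNS response and rewrites any A record whose address has a static inside-local to inside-global entry. The transaction ID and the second query name are constructed.

```python
# Added example, not Cisco code: a minimal DNS fixup (ALG) for static NAT entries.
import struct
from ipaddress import IPv4Address

# Mirrors: ip nat inside source static 10.1.1.10 209.165.201.10
STATIC_NAT = {"10.1.1.10": "209.165.201.10"}

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def build_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed reply: one question, one A answer whose name points at the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer

def a_record_offsets(msg: bytes):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                              # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def answers(msg: bytes) -> list:
    return [str(IPv4Address(msg[o:o + 4])) for o in a_record_offsets(msg)]

def dns_fixup(msg: bytes) -> bytes:
    out = bytearray(msg)                   # rewrite in place; the reply length never changes
    for off in a_record_offsets(msg):
        local = str(IPv4Address(msg[off:off + 4]))
        if local in STATIC_NAT:            # only addresses with a static entry are rewritten
            out[off:off + 4] = IPv4Address(STATIC_NAT[local]).packed
    return bytes(out)
```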
Agenda—Questions and Answers
• The Why, the What, and the Where
• Pitfalls and How to Avoid
• Tools for Deployment
• VPN and Network Address Translation, Can They Get Along?
• Dealing with Voice Elements
• Question and Answers?
Useful URLs
• Cisco IOS NAT Product Support Page:
http://www.cisco.com/pcgi-in/Support/browse/psp_view.pl?p=Internetworking:NAT
• Cisco IOS NAT FAQ: CCO Document ID: 26704
• Cisco IOS NAT “order of operation”:
http://www.cisco.com/warp/public/556/5.html
• Cisco IOS NAT configuration:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid1056050
Summary
• NAT/NAPT (PAT-overload) → one-to-one/many-to-one address mappings
• Know your applications and how they behave
• Cisco IOS needs to match the inside-to-outside address translation domain (and vice versa); otherwise the packet is forwarded without any address translation being performed
• PIX needs a translation otherwise packet is dropped
• Avoid asymmetrical routing!
Please Complete Your Evaluation Form
Session NMS-2102