nat.ppt

NAT Network Address Translation

Upload: msuhas

Post on 20-Sep-2015


TRANSCRIPT

  • NAT: Network Address Translation

  • Private versus legal addressing
    RFC 1918 specifies the private address space:
    Class A  10.0.0.0    - 10.255.255.255  (10.0.0.0/8)
    Class B  172.16.0.0  - 172.31.255.255  (172.16.0.0/12)
    Class C  192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

  • Private addressing
    Private addresses can be used freely inside an organisation, but they cannot be used or routed on the Internet.

  • Types of address translation
    Static Source NAT
    Static Destination NAT
    Hide NAT

  • Static Source NAT
    The source IP address of the IP packets is translated.
    One private internal source IP address is mapped to one external legal source IP address.
    No TCP/UDP ports are used!

    private                legal
    IPspr1 / IPd   ->   IPsle1 / IPd
    IPspr2 / IPd   ->   IPsle2 / IPd
    IPspr3 / IPd   ->   IPsle3 / IPd

  • Static Destination NAT
    The destination IP address of the IP packets is translated.
    One legal external destination IP address is mapped to one private destination IP address.
    No TCP/UDP ports are used!

    legal                  private
    IPs / IPdle1   ->   IPs / IPdpr1

  • Hide NAT
    The source IP addresses of the IP packets are translated.
    A full range of source IP addresses is mapped to one external legal source IP address.
    TCP/UDP ports are used! The translated source port is what tells the connections sharing the legal address apart.

    private                       legal
    IPspr1 + Spx   ->   IPsle1 + Spx+1
    IPspr2 + Spy   ->   IPsle1 + Spx+2
    IPspr3 + Spz   ->   IPsle1 + Spx+3
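The three translation types above, as an added example that is not part of the original slides and not Check Point code: a small Python model of one gateway applying static source NAT, static destination NAT and hide NAT, including the reverse lookups a reply needs to get back. It goes a little beyond the slides in that it also shows what happens to an unsolicited packet aimed at the hide address. All addresses, ports and the sequential hide-port allocation are assumptions for illustration.

```python
# Added example, not code from the original slides: a toy model of the three
# translation types (static source, static destination, hide) on one gateway.
# All addresses, ports and the port-allocation scheme are constructed for
# illustration; a real firewall keeps this state in its connection table.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, hide_ip: str, first_hide_port: int = 10000):
        self.static_src: Dict[str, str] = {}   # private -> legal, 1:1, ports untouched
        self.static_dst: Dict[str, str] = {}   # legal -> private, 1:1, ports untouched
        self.hide_ip = hide_ip                 # the one legal address for everybody else
        self.next_port = first_hide_port       # assumed: sequential port allocation
        self.hide_out: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> legal port
        self.hide_in: Dict[int, Tuple[str, int]] = {}    # legal port -> (private ip, port)

    def add_static_source(self, private_ip: str, legal_ip: str) -> None:
        self.static_src[private_ip] = legal_ip

    def add_static_destination(self, legal_ip: str, private_ip: str) -> None:
        self.static_dst[legal_ip] = private_ip

    def outbound(self, p: Packet) -> Packet:
        """Private -> legal side. A static source rule wins; everything else is hidden."""
        if p.src in self.static_src:
            return replace(p, src=self.static_src[p.src])   # address only, port kept
        key = (p.src, p.sport)
        if key not in self.hide_out:              # first packet of this connection
            port = self.next_port
            self.next_port += 1
            self.hide_out[key] = port
            self.hide_in[port] = key
        return replace(p, src=self.hide_ip, sport=self.hide_out[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Legal -> private side. None means no mapping exists and the packet is dropped."""
        if p.dst in self.static_dst:               # static destination rule
            return replace(p, dst=self.static_dst[p.dst])
        for private_ip, legal_ip in self.static_src.items():   # reverse of static source
            if p.dst == legal_ip:
                return replace(p, dst=private_ip)
        if p.dst == self.hide_ip and p.dport in self.hide_in:  # reply to a hidden host
            private_ip, private_port = self.hide_in[p.dport]
            return replace(p, dst=private_ip, dport=private_port)
        return None


def demo():
    gw = NatGateway(hide_ip="203.0.113.1")
    gw.add_static_source("10.1.1.101", "203.0.113.101")
    gw.add_static_destination("203.0.113.80", "10.1.1.80")
    # static source NAT: the address changes, the port is kept
    a = gw.outbound(Packet("10.1.1.101", 3138, "198.51.100.7", 80))
    # hide NAT: two hosts using the same source port share one legal address
    h1 = gw.outbound(Packet("10.1.1.5", 40000, "198.51.100.7", 80))
    h2 = gw.outbound(Packet("10.1.1.6", 40000, "198.51.100.7", 80))
    # the reply is demultiplexed on the legal port alone
    r1 = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", h1.sport))
    # an unsolicited packet to the hide address has no port mapping: dropped
    unsolicited = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.1", 22))
    # static destination NAT: the legal address is reachable from outside
    d = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.80", 80))
    return a, h1, h2, r1, unsolicited, d


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The point the model makes explicit: with static NAT the port is irrelevant, so a 1:1 mapping is enough in both directions; with hide NAT the legal port is the only thing that identifies the private host, which is why many hosts fit behind one address and why nothing can reach them from outside unless they opened the connection.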

  • Proxy ARP
    NATting behind a virtual IP address: the virtual IP address is not bound to the TCP/IP stack of the firewall.
    The router ARPs for the MAC address belonging to the virtual IP address.
    The firewall answers an ARP request directed to the virtual IP address with the MAC address of its external interface.

  • Proxy ARP: how to activate proxy ARP in 4.1/NG
    Linux/Solaris:
      arp -s virt_ip mac_ext_fw pub
    Nokia IPxxx:
      use Voyager to configure proxy ARP
    NT/W2K:
      4.1: local.arp in the %FWDIR%\state directory, one entry per line:  a.b.c.d xx-xx-xx-xx-xx-xx
      NG:  local.arp in the %FWDIR%\conf directory, one entry per line:   a.b.c.d xx:xx:xx:xx:xx:xx
      then cpstop; cpstart
    Automatic ARP configuration:
      only NG
      only for automatic address translation rules
      fwparp.exe
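The proxy ARP behaviour described on the two slides above, as an added example that is neither Check Point code nor from the original slides: the ARP request/reply exchange modelled with struct so it runs offline, a firewall object that answers only for published virtual IPs with its external MAC, and a helper that writes local.arp entries in the 4.1 (dashes) and NG (colons) notation. The MAC addresses, virtual IPs and the router's address are constructed.

```python
# Added example, not code from the original slides or from Check Point: the ARP
# exchange behind proxy ARP, modelled with struct so it runs offline. The MAC
# addresses, the virtual IPs and the router's address are constructed.
import socket
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_FMT = "!6s6sH"            # dst MAC, src MAC, ethertype
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(text: str) -> bytes:
    """Accept both the 4.1 (xx-xx-...) and the NG (xx:xx:...) notation."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def local_arp_line(ip: str, mac_addr: str, ng: bool = True) -> str:
    """One local.arp entry: colons for NG (%FWDIR%\\conf), dashes for 4.1 (%FWDIR%\\state)."""
    sep = ":" if ng else "-"
    return f"{ip} {sep.join(f'{b:02x}' for b in mac(mac_addr))}"


def build_arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str, eth_dst: bytes) -> bytes:
    """Ethernet II frame carrying one ARP message (28 bytes of ARP payload)."""
    eth = struct.pack(ETH_FMT, eth_dst, sha, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    if len(frame) < 42:
        return None
    _, _, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    return {"oper": oper, "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}


class ProxyArpFirewall:
    """Answers ARP requests for published virtual IPs with the external interface
    MAC, as a local.arp entry makes the firewall do; the virtual IPs are never
    bound to the stack, so nothing else on the box would answer for them."""

    def __init__(self, ext_mac: str, published: set):
        self.ext_mac = mac(ext_mac)
        self.published = set(published)

    def handle(self, frame: bytes) -> Optional[bytes]:
        req = parse_arp(frame)
        if req is None or req["oper"] != ARP_REQUEST:
            return None
        if req["tpa"] not in self.published:      # not a published address: stay silent
            return None
        return build_arp(ARP_REPLY, self.ext_mac, req["tpa"],
                         req["sha"], req["spa"], eth_dst=req["sha"])


def demo():
    fw = ProxyArpFirewall("00:a0:8e:00:00:01", {"192.0.2.10", "192.0.2.11"})
    router_mac = mac("00:00:0c:07:ac:01")          # constructed router address
    who_has = build_arp(ARP_REQUEST, router_mac, "192.0.2.1", ZERO_MAC, "192.0.2.10", BROADCAST)
    answered = parse_arp(fw.handle(who_has))       # unicast reply with the external MAC
    ignored = fw.handle(build_arp(ARP_REQUEST, router_mac, "192.0.2.1",
                                  ZERO_MAC, "192.0.2.99", BROADCAST))
    return answered, ignored


if __name__ == "__main__":
    answered, ignored = demo()
    print("reply for", answered["spa"], "is-at", mac_str(answered["sha"]))
    print("unpublished address answered:", ignored is not None)
    print(local_arp_line("192.0.2.10", "00:a0:8e:00:00:01", ng=False))
```

The check worth keeping from this: the firewall answers only for the addresses it has explicitly published. A proxy ARP entry for an address that is also bound to some other host on the segment produces two answers and a flapping ARP cache on the router, which is the classic symptom of a stale local.arp line.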

  • Operation in 4.1
    Forwarding path: IN (Eth0 .. Eth3) -> forwarding -> NAT -> OUT
    Hide, static source and static destination NAT are always performed on the outbound side, after the forwarding decision!!!

  • Operation in NG only
    Forwarding path: IN (Eth0 .. Eth3) -> NAT -> forwarding -> NAT -> OUT
    Static destination NAT happens on the inbound side, before forwarding, if TRANSLATE DESTINATION ON CLIENT SIDE is enabled.
    Static destination NAT happens on the outbound side, after forwarding, if TRANSLATE DESTINATION ON CLIENT SIDE is NOT enabled (4.1 mode).
    Hide and static source NAT are always performed on the outbound side!!!

  • Impact of NAT changes
    In FW-1/VPN-1 4.1:
      A host-specific route was needed for destination NAT, because the packet was routed before its destination address was translated.
      A spoofing configuration change was needed on the internal interface, to prevent outgoing spoofing errors.
    In FW-1/VPN-1 NG:
      Due to TRANSLATE DESTINATION ON CLIENT SIDE, no route is needed.
      Destination NAT on the firewall's external IP address has become possible.
      Outgoing spoofing control is no longer enforced.

  • STATIC SOURCE NAT
    fw monitor trace. Inspection points: i = inbound before inspection, I = inbound after inspection, o = outbound before inspection, O = outbound after inspection.
    The internal host 10.1.1.101 is statically translated to 172.21.101.100. The reply from the web server is destination-translated back at El90x3:I; the outgoing packet is source-translated at El90x3:O.

    El90x3:i[1500]: 172.29.109.1 -> 172.21.101.100 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
    El90x3:I[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
    DE5281:o[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
    DE5281:O[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
    DE5281:i[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
    DE5281:I[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
    El90x3:o[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
    El90x3:O[40]: 172.21.101.100 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753

  • STATIC DEST NAT (TRANSLATE DESTINATION ON CLIENT SIDE ENABLED)
    The destination is translated at El90x3:I, inbound on the client-side interface and before forwarding; the SYN/ACK gets its source translated back at El90x3:O.

    El90x3:i[48]: 172.29.109.1 -> 172.21.101.100 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
    El90x3:I[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
    DE5281:o[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
    DE5281:O[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
    DE5281:i[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
    DE5281:I[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
    El90x3:o[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
    El90x3:O[48]: 172.21.101.100 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2

  • STATIC DEST NAT (TRANSLATE DESTINATION ON CLIENT SIDE DISABLED)
    4.1 mode: the destination is translated only at DE5281:O, outbound on the server-side interface and after forwarding (which is why a host route for 172.21.101.100 pointing at the internal interface was needed); the reply gets its source translated back at DE5281:I.

    El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
    El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
    DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
    DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
    DE5281:i[257]: 10.1.1.101 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
    DE5281:I[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
    El90x3:o[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
    El90x3:O[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
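To make the difference between the two destination NAT traces mechanical rather than read by eye, an added example that is not from the original slides: a parser for fw monitor lines that reports, per IP id, at which interface and inspection point the source or destination address changed between consecutive hops. The two captures embedded in it are the ones reproduced above; the function and variable names are my own, and it assumes the single-line fw monitor format shown here.

```python
# Added example, not part of the original slides: a small parser for fw monitor
# output that reports at which interface and inspection point the source or
# destination address of each packet was rewritten. The two traces below are
# the "client side enabled / disabled" captures reproduced from the slides.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LINE = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)

POINTS = {
    "i": "inbound, before inspection",
    "I": "inbound, after inspection",
    "o": "outbound, before inspection",
    "O": "outbound, after inspection",
}

Change = Tuple[str, str, str, str, str]   # field, interface, point, before, after


def parse(trace: str) -> Dict[str, List[dict]]:
    """Group the capture lines by IP id, keeping capture order (i, I, o, O)."""
    packets: Dict[str, List[dict]] = defaultdict(list)
    for line in trace.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            packets[m["id"]].append(m.groupdict())
    return packets


def translation_points(trace: str) -> Dict[str, List[Change]]:
    """For each packet, the hops at which src or dst differs from the previous hop."""
    result: Dict[str, List[Change]] = {}
    for pid, hops in parse(trace).items():
        changes: List[Change] = []
        for prev, cur in zip(hops, hops[1:]):
            for field in ("src", "dst"):
                if prev[field] != cur[field]:
                    changes.append((field, cur["iface"], cur["point"], prev[field], cur[field]))
        result[pid] = changes
    return result


def report(trace: str) -> List[str]:
    lines = []
    for pid, changes in translation_points(trace).items():
        for field, iface, point, before, after in changes:
            lines.append(f"id={pid}: {field} {before} -> {after} at {iface}:{point} ({POINTS[point]})")
    return lines


# Captures from the slides above (client side enabled, then disabled / 4.1 mode).
CLIENT_SIDE_ENABLED = """
El90x3:i[48]: 172.29.109.1 -> 172.21.101.100 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
El90x3:I[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:o[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:O[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:i[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
DE5281:I[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:o[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:O[48]: 172.21.101.100 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
"""

CLIENT_SIDE_DISABLED = """
El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:i[257]: 10.1.1.101 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
DE5281:I[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:o[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:O[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
"""

if __name__ == "__main__":
    for name, trace in (("client side enabled", CLIENT_SIDE_ENABLED),
                        ("client side disabled", CLIENT_SIDE_DISABLED)):
        print(name)
        for line in report(trace):
            print(" ", line)
```

Run against the two captures it shows the translation moving from the inbound side of the external interface (El90x3:I) to the outbound side of the internal interface (DE5281:O) when the client-side option is turned off, which is the whole difference the "Operation in NG" slide describes. The same routine works on any fw monitor capture of this format, so it is a quick way to confirm where a NAT rule is actually applied when a host route or anti-spoofing setting is suspected.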

  • NATted FTP connection example

    ip330[admin]# fw tab -u -t connections | grep 15
    dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function c5f7637c 0
    -> (00000006) -> (00000016) -> (00000005) -> (00000002)
    ip330[admin]#

    Entries for the FTP control connection (key fields: direction, source IP, source port, destination IP, destination port, protocol; 6 = TCP):
    0 192.168.0.150 3665 193.109.185.162 21 6  0001c001 00806080  Rule 8 TimeOut 3600 C11 49 c12 1046116859 C13 0 C14 4116303811 C15 1974 cl_int_in 0 cl_int_out 0 srv_int_in 1 srv_int_out 1
    0 193.109.185.162 21 195.207.89.244 1389 6   -> 0 192.168.0.150 3665 193.109.185.162 21 6
    0 193.109.185.162 21 192.168.0.150 3665 6    -> 0 192.168.0.150 3665 193.109.185.162 21 6
    1 192.168.0.150 3665 193.109.185.162 21 6    -> 0 192.168.0.150 3665 193.109.185.162 21 6

    The private client 192.168.0.150:3665 is hidden behind 195.207.89.244:1389 towards the FTP server 193.109.185.162:21. The linked entries keyed on the translated address and port let the reply, which arrives addressed to the hide address, be matched back to the original connection entry.