Good afternoon, colleagues!
Judging by the numerous questions on the forum (link at the end of the post) from students and colleagues, NAT on Cisco routers (I will leave out firewalls; Fedia has described their behaviour in some detail in his Cisco ASA series) is poorly described, so I will try to describe my experience and my understanding of this technology in most of its incarnations. I do not claim a comprehensive description or 100% accuracy, but those who are interested are welcome under the cut.
So, to structure the description, let's start with the definition of NAT.
Definition. NAT (Network Address Translation) is a technology for translating network addresses, that is, substituting the addresses in the header of an IP packet (sometimes it also changes the port in the TCP/UDP header, but more on that later).
In other words, a packet passing through a router can have its source and/or destination address changed.
Why is it needed?
1. To provide access from a LAN, where private IP addresses are most often used, to the Internet, where only global IP addresses are routed.
2. (To a lesser extent) to hide the network topology and create some protective barrier against penetration into the network (we will discuss this later with an example).
NAT comes in different kinds :) And although a lot has already been written about this, I want to have one specific place to send newbies with NAT questions to, so I will still give some classification.
1. Static NAT defines an unambiguous correspondence of one address to another. In other words, when passing through the router, the address is changed to a strictly specified address, one-to-one (for example, 10.1.1.1 is always replaced by 11.1.1.1 and vice versa, but never by 12.1.1.1). The record of such a translation is stored indefinitely, as long as the line is in the config.
2. Dynamic NAT: when passing through the router, a new address is chosen dynamically from a certain range of addresses called a pool. The translation record is kept for some time so that response packets can be delivered to the addressee. If for some time there is no traffic on this translation, it is deleted and the address is returned to the pool. If a translation needs to be created and there are no free addresses in the pool, the packet is dropped. In other words, it is desirable that the number of internal addresses is only slightly larger than the number of addresses in the pool, otherwise there is a high probability of problems with access to the outside.
3. Dynamic NAT with overload, or PAT. It works almost the same as dynamic NAT, but performs a many-to-one translation, making use of transport-layer capabilities. More on this in the example below.
Since I most often work with Cisco hardware, I will describe in this article the specifics of NAT operation and the possible NAT options on these boxes.
Let's see what we have here.
1. inside source NAT
The most common and fairly simple option. Suppose we have this topology:

In other words:
a) the subnet of internal addresses is 10.0.0.0/8
b) the subnet of external addresses is 11.0.0.0/8
and we want internal addresses to be translated to external ones somehow when traffic passes through the router.
What is needed for this?
1. We explicitly specify what we want to translate, i.e. what traffic and from which hosts.
2. We explicitly specify what we want to translate into, i.e. a pool of external addresses (or a single address for a static translation).
3. Mark the internal and external interfaces.
4. Turn on the translation.
On point 3 I will allow myself to dwell in more detail, because it is here that misunderstandings most often happen.
How does it work?
So, let's say we decided to translate the entire 10th network as a whole into the 11th. We configure them accordingly (settings later, theory first). And we marked our interfaces as inside (internal) and outside (external).
Now let's see what exactly inside source NAT does. In fact, half of the action is sewn into the name :) namely: a packet that arrived on the inside interface has its source changed :). But remember, we said that response packets must reach our internal host? Hence the second half of the action: a packet that arrived on the outside interface has its destination changed.
Consider the forward translation.
1. Traffic arriving on the interface marked as inside, if it matches what we want to translate, is marked as possible_translated. It is often assumed that the translation happens at this point, but this is not the case.
2. At the next stage the traffic is routed (PBR and normal routing). And only if this traffic is sent to an interface marked as outside is it translated. If the translation is dynamic, the router checks for its presence in the translation table: if it is not there, it creates it; if it is already there, it resets the inactivity counter. If the packet is sent to an output interface that is not marked as outside, the translation does NOT occur.
Now the reverse translation.
1. Traffic arriving on the outside interface, unlike the forward direction, is subjected to NAT first. If the translation exists (whether dynamic or static), in the case of inside source NAT its destination is changed. Only after that is the traffic routed and sent on to the destination.
Therefore, interfaces must be marked as inside or outside with this mechanism of operation in mind.
Remarks and consequences.
1. For the reverse translation, it is not necessary to have the inside label on any interface. In any case, if the forward translation exists, the reverse translation will work before routing. But when will such a translation exist, given that we discussed that traffic must go through an inside interface to create the forward translation? Hence:
2. The router's own traffic is translated if it exits via an interface marked as outside and matches the NAT rule. This is both useful and dangerous. On the one hand, we can translate the router's traffic like any other. On the other hand, many people want to describe the traffic to be translated as permit any, but then, for example, routing-protocol packets will be translated, which will lead to a failure.
3. The router's loopback interfaces are treated like any others: we can mark them as inside or outside, steer traffic through them and profit from it :)
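To make the order of operations concrete, here is a small model written for this article as an added example (it is not code from the original post and does not claim to reproduce IOS internals). A packet from an inside interface, or from the router itself, that matches the ACL is only a candidate; it is translated only if routing sends it out of an interface marked outside. A packet from an outside interface is un-translated before routing. The interface names, routes, pool addresses and packets are constructed for illustration.

```python
# Added example, not code from the original article: a model of the inside
# source NAT order of operations (candidate marking, routing, translation on
# an outside egress; reverse translation before routing on an outside ingress).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: Optional[str] = None   # None: generated by the router itself

# Constructed topology: Fa0/0 is inside (10/8), Fa0/1 is outside (11/8) and
# Fa0/2 is a second LAN whose interface carries no ip nat label at all.
ROLES = {"Fa0/0": "inside", "Fa0/1": "outside", "Fa0/2": None}
ROUTES = [(ip_network("10.0.0.0/8"), "Fa0/0"),
          (ip_network("11.0.0.0/8"), "Fa0/1"),
          (ip_network("192.168.0.0/16"), "Fa0/2")]

class InsideSourceNat:
    def __init__(self, pool, permit_any=False):
        self.free = list(pool)      # dynamic pool, handed out in order
        self.table = {}             # inside local -> inside global
        self.permit_any = permit_any

    def matches_acl(self, pkt):
        # "what to translate": access-list 100 permit ip 10.0.0.0 0.255.255.255 any,
        # or the risky "permit any" variant from the remarks above.
        return self.permit_any or ip_address(pkt.src) in ip_network("10.0.0.0/8")

    @staticmethod
    def route(dst):
        for net, iface in ROUTES:
            if ip_address(dst) in net:
                return iface
        return None

    def process(self, pkt):
        """Return (packet as it leaves, or None if dropped; egress interface; action)."""
        role = ROLES.get(pkt.in_iface) if pkt.in_iface else None
        if role == "outside":
            # Reverse direction: the destination is un-translated BEFORE routing,
            # for any outside sender, as long as the entry exists.
            local = next((l for l, g in self.table.items() if g == pkt.dst), None)
            if local is None:
                return pkt, self.route(pkt.dst), "no translation"
            pkt = replace(pkt, dst=local)
            return pkt, self.route(pkt.dst), "dst translated"
        # Forward direction: candidate marking, then routing, then (maybe) NAT.
        candidate = (role == "inside" or pkt.in_iface is None) and self.matches_acl(pkt)
        egress = self.route(pkt.dst)
        if not candidate or ROLES.get(egress) != "outside":
            return pkt, egress, "no translation"
        if pkt.src not in self.table:
            if not self.free:
                return None, egress, "dropped: pool exhausted"
            self.table[pkt.src] = self.free.pop(0)
        return replace(pkt, src=self.table[pkt.src]), egress, "src translated"

def demo():
    """Walk the cases from the text with a two-address pool; returns each result."""
    nat = InsideSourceNat(pool=["11.1.1.10", "11.1.1.11"])
    r = {}
    r["out"] = nat.process(Packet("10.0.1.1", "11.1.1.2", "Fa0/0"))      # translated
    r["lan"] = nat.process(Packet("10.0.1.1", "192.168.1.1", "Fa0/0"))   # egress not outside
    r["reply"] = nat.process(Packet("11.1.1.2", "11.1.1.10", "Fa0/1"))   # reply gets in
    r["ping"] = nat.process(Packet("11.3.3.3", "11.1.1.10", "Fa0/1"))    # so does any outside host
    r["second"] = nat.process(Packet("10.0.2.1", "11.1.1.2", "Fa0/0"))   # last pool address
    r["third"] = nat.process(Packet("10.0.3.1", "11.1.1.2", "Fa0/0"))    # pool exhausted: dropped
    return r

def router_traffic(permit_any):
    """The router's own packet (say, a routing-protocol hello from its outside
    address) leaving the outside interface: translated only if the ACL matches it."""
    nat = InsideSourceNat(pool=["11.1.1.10"], permit_any=permit_any)
    return nat.process(Packet("11.1.1.1", "11.1.1.2"))
```

Running demo() shows the three points of the section in one go: the packet towards 192.168.1.1 leaves Fa0/2 untouched even though it matched the ACL, the packet from an unrelated outside host 11.3.3.3 reaches 10.0.1.1 because the entry for 11.1.1.10 already exists, and the third inside host is dropped once the pool is empty. router_traffic(True) shows the permit any pitfall: the router's own packet gets its source rewritten, while with the narrower ACL it does not.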
Now let's look at the general configuration, and then at a few more special cases.
Inside source NAT configuration
inside source dynamic NAT
1. Specify what to translate. To do this, create an access-list listing the traffic. For example, in our case one line is enough:
(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any
Remark. The ACL may contain deny lines. Contrary to a common misconception, traffic matching such a line is not dropped; it simply does not trigger the translation. Also, the ACL can be standard or extended, numbered or named.
2. Create a pool of addresses, indicating the starting and ending address. For example:
(config)# ip nat pool NAME_OF_POOL 11.1.1.10 11.1.1.20 netmask 255.255.255.0
Remarks.
1. The start and end address in the pool may be the same; then the translation will be into a single address.
2. The netmask option, although mandatory, is in my opinion a vestige. It allows the router to exclude from the pool's address range those addresses that are the subnet or broadcast address under this mask.
3. Mark the interfaces. In our case it is enough to configure
(config)# interface fa 0/0
(config-if)# ip nat inside
and
(config)# interface fa 0/1
(config-if)# ip nat outside
4. Create the translation itself:
(config)# ip nat inside source list 100 pool NAME_OF_POOL
Voila :) If we now connect, for example, from host 10.1.1.1 to host 11.1.1.2, we get this translation:
Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 11.1.1.10:55209 10.0.1.1:55209 11.1.1.2:23 11.1.1.2:23
Interestingly, although the source port and destination port are explicitly recorded in the table, the translation is created for the address as a whole. And while it lives in the translation table, packets from outside can be sent to the external address (inside global).
For example, a ping from some address in the external network to our inside global address will succeed (for as long as the translation lives):
R4#ping 11.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.1.10, timeout is 2 seconds:
!!!!!
In other words, a translation is opened once and towards a specific host, after which it is valid for some time for any address from the outside.
inside source dynamic NAT with overload
Points 1, 2 and 3 are as in the previous section.
4. Create the translation itself:
(config)# ip nat inside source list 100 pool NAME_OF_POOL overload
We see that just one word was added: overload. But it significantly changes the translation scheme.
As mentioned, PAT is a many-to-few or even many-to-one translation. But in order to distinguish the traffic of one connection from another, the router changes not only IP addresses but also TCP/UDP ports.
Remark. The scheme of working with ports (when the source changes, when the destination changes) is the same as the scheme of working with IP addresses.
In other words, when going from inside to outside, the source IP and source port are changed and an entry about this is put into the translation table. During the reverse translation everything is changed the other way around.
Let's see what has changed:
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 11.1.1.11:21545 10.0.1.1:21545 11.1.1.2:23 11.1.1.2:23
tcp 11.1.1.11:49000 10.0.2.1:49000 11.1.1.2:23 11.1.1.2:23
We see that different internal addresses (10.0.1.1 and 10.0.2.1) were packed into one external address (11.1.1.11).
Remarks.
1. It seems that the source port was not changed as promised; what a mess :). In fact, the router tries by all available means to keep the source port. In particular, if that port on the inside global address is already taken, it will take the next address in the pool and check whether the port is free there. Only when it finds no address with that port free will it take the next free port.
2. The behaviour of such a translation differs from the behaviour of normal dynamic NAT in that access from outside to the inside global address is impossible. This is what I meant when I talked about some increase in security when using PAT: in fact, all connections are initiated from within our network, and from outside we can only receive the answers to them.
3. If we received from the provider not a whole block of addresses but a single lonely address, which was immediately assigned to the external interface of the router, there is no need to bother with a one-address pool; you can write it straight away like this:
(config)# ip nat inside source list 100 interface fa0/1 overload
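The two remarks above (port preservation and the absence of unsolicited inbound access) are easiest to see in a model. The following is an added example written for this article, not code from the original post and not a description of IOS internals: the router keeps the original source port if it is free on some pool address, trying the pool addresses in order, and only then falls back to a different port; inbound packets are accepted only when they match an existing entry. The fallback port choice (next free port above the original) is a simplification of this model and says nothing about real IOS port ranges. The pool addresses and flows are constructed.

```python
# Added example, not code from the original article: a model of PAT (overload)
# allocation and of inbound matching on existing entries only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Pat:
    def __init__(self, pool):
        self.pool = list(pool)
        self.entries = {}    # (proto, inside local, local port) -> (inside global, global port)
        self.in_use = set()  # (proto, inside global, global port)

    def _allocate(self, proto, port):
        # 1. the same port on any pool address, in pool order
        for addr in self.pool:
            if (proto, addr, port) not in self.in_use:
                return addr, port
        # 2. otherwise the next free port (simplified, see the lead-in)
        for addr in self.pool:
            for cand in range(port + 1, 65536):
                if (proto, addr, cand) not in self.in_use:
                    return addr, cand
        return None

    def outbound(self, flow):
        """Inside -> outside: rewrite source address and port, recording the entry."""
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.entries:
            alloc = self._allocate(flow.proto, flow.src_port)
            if alloc is None:
                return None   # dropped: no free (address, port) pair left
            self.entries[key] = alloc
            self.in_use.add((flow.proto,) + alloc)
        g_ip, g_port = self.entries[key]
        return Flow(flow.proto, g_ip, g_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Outside -> inside: translated only if (proto, dst, dst port) is an
        existing entry; anything else aimed at the inside global is dropped."""
        for (proto, l_ip, l_port), (g_ip, g_port) in self.entries.items():
            if (proto, g_ip, g_port) == (flow.proto, flow.dst_ip, flow.dst_port):
                return Flow(flow.proto, flow.src_ip, flow.src_port, l_ip, l_port)
        return None

def demo():
    """Replay the table from the text with a two-address pool; returns each result."""
    pat = Pat(pool=["11.1.1.11", "11.1.1.12"])
    r = {}
    # two hosts, different source ports: both keep their port on the first address
    r["h1"] = pat.outbound(Flow("tcp", "10.0.1.1", 21545, "11.1.1.2", 23))
    r["h2"] = pat.outbound(Flow("tcp", "10.0.2.1", 49000, "11.1.1.2", 23))
    # same source port as h1: the port is kept, but on the next pool address
    r["h3"] = pat.outbound(Flow("tcp", "10.0.3.1", 21545, "11.1.1.2", 23))
    # port 21545 is now busy on every pool address: a different port is chosen
    r["h4"] = pat.outbound(Flow("tcp", "10.0.4.1", 21545, "11.1.1.2", 23))
    # the server's reply to h1 matches the entry and is delivered inside
    r["reply"] = pat.inbound(Flow("tcp", "11.1.1.2", 23, "11.1.1.11", 21545))
    # an unsolicited connection to the inside global address finds no entry
    r["unsolicited"] = pat.inbound(Flow("tcp", "11.3.3.3", 40000, "11.1.1.11", 22))
    return r
```

The first two flows reproduce the table shown above (ports unchanged, one inside global address); the third shows the port being kept on the second pool address, and the fourth shows the port finally changing. The last two calls are the security point of remark 2: a reply to an existing entry gets in, an unsolicited connection to 11.1.1.11 does not, which is exactly the difference from plain dynamic NAT, where the ping to the inside global address succeeded.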
inside source static NAT and PAT
Static translations have been mentioned a lot; let's finally discuss them.
Why is this needed? We discussed that in the case of dynamic NAT the translation may not be created, and in the case of PAT external access is impossible. Even if in the case of dynamic NAT the translation is created, the inside global address may change. So it is impossible to reach our internal host at some fixed external address.
Nevertheless, there are frequent situations when there is a server inside the corporate network that must be reachable from outside at a static external address. In this case you can put it straight onto the Internet by assigning it a global address. But often this is not very convenient, for example for security reasons. And in such cases static NAT comes to the rescue.
It creates a two-way and permanent translation. So our host will always be available at the same external address, and this translation will never fall out of the translation table by timeout.
Now the configuration. Create the translation straight away:
(config)# ip nat inside source static 10.0.1.1 11.1.1.21
Mark the interfaces and voila!
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 11.1.1.21:14 10.0.1.1:14 11.1.1.2:14 11.1.1.2:14
--- 11.1.1.21 10.0.1.1 --- ---
As you can see, there are two entries: one permanent, the other (purely informative) temporary, caused by traffic from inside to outside.
Remark. The appearance of such informative records can be disabled with the command
(config)# no ip nat create flow-entries
Let's go on. It often happens that you need to expose not the whole address but only one port (for example, port 80 for a www server). No problem, you can create a static PAT translation for particular ports:
(config)# ip nat inside source static tcp 10.0.1.1 80 11.1.1.21 80
(config)# ip nat inside source static udp 10.0.1.1 5060 11.1.1.21 7877
We see that ports of the same external address can be forwarded to different ports on the inside, and the translation of the ports themselves can also be controlled.
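The difference between exposing the whole address and exposing single ports is worth seeing side by side. The following is an added example written for this article, not code from the original post: it parses the three static commands shown above into a two-way lookup table and runs a few constructed packets through it. The function names, the Packet and StaticRule types and the sample packets are all assumptions of the example.

```python
# Added example, not code from the original article: static NAT and static PAT
# entries as a two-way lookup table built from the commands shown in the text.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class StaticRule:
    local_ip: str
    global_ip: str
    proto: Optional[str] = None        # None: whole-address static NAT
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def matches_local(self, proto, port):
        return self.proto is None or (proto == self.proto and port == self.local_port)

    def matches_global(self, proto, port):
        return self.proto is None or (proto == self.proto and port == self.global_port)

def parse(cmd):
    """Parse 'ip nat inside source static ...' in the two forms used in the text."""
    t = cmd.split()
    if t[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError("not an inside source static command: " + cmd)
    if t[5] in ("tcp", "udp"):
        # ... static tcp|udp LOCAL_IP LOCAL_PORT GLOBAL_IP GLOBAL_PORT
        return StaticRule(t[6], t[8], t[5], int(t[7]), int(t[9]))
    # ... static LOCAL_IP GLOBAL_IP
    return StaticRule(t[5], t[6])

def outbound(rules, pkt):
    """Inside -> outside: rewrite the source (and the port for static PAT); None if no entry."""
    for r in rules:
        if pkt.src_ip == r.local_ip and r.matches_local(pkt.proto, pkt.src_port):
            port = pkt.src_port if r.proto is None else r.global_port
            return Packet(pkt.proto, r.global_ip, port, pkt.dst_ip, pkt.dst_port)
    return None

def inbound(rules, pkt):
    """Outside -> inside: rewrite the destination (and the port for static PAT); None if no entry."""
    for r in rules:
        if pkt.dst_ip == r.global_ip and r.matches_global(pkt.proto, pkt.dst_port):
            port = pkt.dst_port if r.proto is None else r.local_port
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, r.local_ip, port)
    return None

# The two alternatives from the text: the whole host, or two ports of it.
WHOLE_ADDRESS = [parse("ip nat inside source static 10.0.1.1 11.1.1.21")]
PORTS_ONLY = [parse("ip nat inside source static tcp 10.0.1.1 80 11.1.1.21 80"),
              parse("ip nat inside source static udp 10.0.1.1 5060 11.1.1.21 7877")]

def demo():
    """Constructed packets from an outside host 11.3.3.3 and from the inside server."""
    ssh = Packet("tcp", "11.3.3.3", 40000, "11.1.1.21", 22)
    www = Packet("tcp", "11.3.3.3", 40001, "11.1.1.21", 80)
    sip = Packet("udp", "11.3.3.3", 5060, "11.1.1.21", 7877)
    return {
        "whole_ssh": inbound(WHOLE_ADDRESS, ssh),   # every port of 10.0.1.1 is reachable
        "ports_ssh": inbound(PORTS_ONLY, ssh),      # None: port 22 is not exposed
        "ports_www": inbound(PORTS_ONLY, www),      # 10.0.1.1:80
        "ports_sip": inbound(PORTS_ONLY, sip),      # 10.0.1.1:5060, port remapped
        "sip_reply": outbound(PORTS_ONLY, Packet("udp", "10.0.1.1", 5060, "11.3.3.3", 5060)),
        "other_out": outbound(PORTS_ONLY, Packet("tcp", "10.0.1.1", 50000, "11.1.1.2", 443)),
    }
```

With the whole-address entry, a connection to port 22 of 11.1.1.21 lands on port 22 of the inside server; with the port-only entries it matches nothing, and only tcp/80 and udp/7877 (remapped to 5060) get through. The last case, other_out, returns None because only the static rules are modelled here; on a real router such traffic would simply fall through to a dynamic or overload rule if one is configured.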
In conclusion, I will add that the various NAT timeouts can be changed with the command
Router(config)#ip nat translation ?
arp-ping-timeout Specify timeout for WLAN-NAT ARP-Ping
dns-timeout Specify timeout for NAT DNS flows
finrst-timeout Specify timeout for NAT TCP flows after a FIN or RST
icmp-timeout Specify timeout for NAT ICMP flows
max-entries Specify maximum number of NAT entries
port-timeout Specify timeout for NAT TCP/UDP port specific flows
pptp-timeout Specify timeout for NAT PPTP flows
routemap-entry-timeout Specify timeout for routemap created half entry
syn-timeout Specify timeout for NAT TCP flows after a SYN and no
further data
tcp-timeout Specify timeout for NAT TCP flows
timeout Specify timeout for dynamic NAT translations
udp-timeout Specify timeout for NAT UDP flows
The article turned out rather bulky; it will have to be split into several parts. Of course, inside source NAT has been discussed and written about repeatedly, but I hope that even not-quite-newbies will be able to find something useful in it. It was necessary to start from a certain base, albeit a well-known one.
In the next article we will discuss inside destination NAT, if of course this article finds a response and support.
Respectfully,
Podkopaev Ilya
PS I am open to suggestions for improving the article and correcting inaccuracies/errors.
PPS Links:
1. anticisco.ru forum
2. Cisco NAT order of operations