JTO PH-II IT RIP

5 NETWORK ADDRESS TRANSLATION

5.1 OBJECTIVE

The objectives of this chapter are to understand:
- Concept of NAT
- Types of NAT
- Working of NAT
- NAT advantages and disadvantages

5.2 INTRODUCTION TO NAT

Network Address Translation (NAT) is a technology that is useful to many network administrators because it saves time and money when dealing with network IP addresses. NAT allows a single network device, such as a router or firewall, to act as an agent between the public network space and a private network space. The NAT-enabled agent makes it possible to use a single IP address to represent an entire group of networked computers. NAT also helps network administrators manage the private and public portions of their network, because with NAT the private and public address spaces are kept separate. This separation means that the addressing of devices in the private network is independent of the addresses used by hosts in the public network. Traditional NAT is defined in RFC 3022.

With NAT, an enterprise does not need to register large, expensive IP address blocks from IANA. Since address blocks are a limited resource, public address space might not even be available.

Although NAT prevents hosts in the public network from seeing any internal IP addresses, NAT is not a method of securing the private network. At best, NAT can hide, or obscure, network devices: it enforces no policy of its own, and any inbound packet that matches an existing translation (for example a static mapping, see Section 5.3) is delivered to the internal host unfiltered. For a network to be secure, you must at least have a firewall at the border of your network.

Essentially, the available IPv4 address space was on the verge of being exhausted in the mid 1990s, but organizations still needed address blocks for their private network spaces. The address blocks listed below are reserved for private address space and are not routable on the Internet backbone.
Private Address Blocks

Address Range                    CIDR Notation
10.0.0.0 - 10.255.255.255        10/8
172.16.0.0 - 172.31.255.255      172.16/12
192.168.0.0 - 192.168.255.255    192.168/16

The first address block is a 24-bit block (24 host bits), the second block is a 20-bit block, and the third is a 16-bit block. In pre-CIDR notation, the first block is a single class A network number, the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers. Any enterprise that uses IP addresses from the private address space can do so without contacting or paying IANA (Internet Assigned Numbers Authority) or an Internet service provider. Addresses within the private address space are only unique within an enterprise, or within multiple enterprises that choose to cooperate over this space to communicate with each other in their own private internet.

JTO-PH-II IT Version Page 54 of 136 For Restricted Circulation

Note: NAT is not restricted to private-to-public address translation, though that is the most common application. NAT can also perform public-to-public address translation, as well as private-to-private address translation. NAT is only a temporary solution to the address shortage problem. IPv4 will eventually be replaced with IPv6, which supports a vast address space. Both Cisco IOS devices and PIX/ASA firewalls support NAT.

5.3 TYPES OF NAT

NAT can be implemented using one of three methods:

Static NAT – Static NAT is a one-to-one mapping of a private IP address to a public IP address. It is useful when a network device inside a private network needs to be accessible from the Internet. Static NAT is a potential security risk: the mapping is permanent and does not depend on the inside host initiating traffic, so if the network security policy (the firewall rules in front of the mapping) is configured incorrectly, the private network device mapped to the public IP address is fully exposed to the public network.
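The private address table of Section 5.2 above, checked in code. This is an added example and not part of the original chapter: it derives the 24/20/16 host-bit figures and the 1/16/256 classful-network counts from the CIDR prefix lengths alone, and tests the boundary that filter rules most often get wrong, namely that 172.16/12 ends at 172.31.255.255 (172.32.0.0 is public). The edge_filter function and the probe addresses are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks from the table in Section 5.2, in CIDR form.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def describe_block(cidr: str) -> dict:
    """Derive the chapter's figures for a private block from its prefix length alone:
    host bits, number of addresses, and how many pre-CIDR classful networks it spans."""
    net = ipaddress.ip_network(cidr)
    host_bits = net.max_prefixlen - net.prefixlen          # 24, 20 and 16 for the three blocks
    # The block's first octet fixes its class: A (/8) below 128, B (/16) below 192, else C (/24).
    first_octet = int(net.network_address) >> 24
    class_prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return {
        "range": f"{net.network_address} - {net.broadcast_address}",
        "host_bits": host_bits,
        "addresses": net.num_addresses,
        "classful_networks": 2 ** (class_prefix - net.prefixlen),  # 1 class A, 16 class B, 256 class C
    }


def is_rfc1918(addr: str) -> bool:
    """True if addr is inside one of the three blocks above.  Deliberately not
    ipaddress.ip_address(addr).is_private, which also covers loopback, link-local
    and other special-use ranges that the chapter's table does not list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)


def edge_filter(src: str, dst: str) -> str:
    """Decision an Internet-facing router or border firewall should make for a packet
    (hypothetical helper): private addresses must not appear on the backbone in either direction."""
    if is_rfc1918(src):
        return f"drop: private source {src} leaked past NAT"
    if is_rfc1918(dst):
        return f"drop: private destination {dst} is not routable"
    return "forward"


if __name__ == "__main__":
    for block in PRIVATE_BLOCKS:
        print(block, describe_block(str(block)))
    # Constructed probes around the boundary most often got wrong in filter rules.
    for probe in ("172.16.0.1", "172.31.255.255", "172.32.0.1", "192.169.0.1"):
        print(probe, is_rfc1918(probe))
    print(edge_filter("10.1.1.10", "8.8.8.8"))   # a packet that escaped untranslated
```

A border rule written as 172.16.0.0/16 (a common mistake) covers only the first of the sixteen class B networks in the second block; the classful_networks figure makes that visible.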
Figure 29: Static NAT

Dynamic NAT – Dynamic NAT maps a private IP address to a public IP address drawn from a group of public IP addresses called the NAT pool. Dynamic NAT establishes a one-to-one mapping between a private IP address and a public IP address for as long as the translation entry exists; the public IP address is taken from the pool configured on the NAT router. The public-to-private mapping may vary from one session to the next, depending on which public IP address in the NAT pool is available, and no more inside hosts can communicate at the same time than there are addresses in the pool.

Figure 30: Dynamic NAT

NAT Overload or Port Address Translation (PAT) – PAT is another type of dynamic NAT which can map multiple private IP addresses to a single public IP address by also translating transport-layer port numbers. When a client in the inside network communicates with a host on the Internet, the router replaces the source address with its public address and, where needed, the source port (TCP or UDP) number with another port number. These port mappings are kept in a table. When the router receives a reply from the Internet, it looks up the destination port in the table and forwards the packet to the original sender.

Figure 31: PAT

5.4 HOW DOES NAT WORK

As the figure shows, the private network uses private addresses. The router that connects the private network to the global Internet uses one private address (on the inside interface) and one global address (on the outside interface). The private network is transparent to the rest of the Internet; the rest of the Internet sees only the NAT router with the address 200.24.5.8.

Figure 32: NAT Implementation

Address Translation

All the outgoing packets go through the NAT router, which replaces the source address in the packet with the global NAT address. All incoming packets also pass through the NAT router, which replaces the destination address in the packet (the NAT router's global address) with the appropriate private address. The figure shows an example of address translation.
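The static and dynamic one-to-one translations of Section 5.3, as an added example that is not code from the original chapter. It models a router with one statically published server (200.24.5.8, a constructed address in the style of the figures) and a three-address dynamic pool, and shows the two behaviours the text warns about: a static entry answers inbound packets before the inside host has sent anything, and a dynamic pool stops translating once it is exhausted. The OneToOneNat class and demo scenario are assumptions for illustration, not any vendor's implementation.

```python
class OneToOneNat:
    """One-to-one translation as in Section 5.3.  Static entries are configured by
    hand and never expire; dynamic entries are handed out from a pool of public
    (inside global) addresses when an inside host first sends a packet."""

    def __init__(self, pool, static=None):
        self.table = dict(static or {})                 # inside local -> inside global
        self.static = set(self.table)                   # entries that were configured, not learned
        self.free = [a for a in pool if a not in self.table.values()]

    def outbound(self, inside_local):
        """Translate the source of a packet leaving the private network.
        Returns the inside global address to stamp on it, or None if no address is free."""
        if inside_local not in self.table:
            if not self.free:
                return None                             # pool exhausted: packet cannot leave
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

    def inbound(self, inside_global):
        """Translate the destination of a packet arriving from the Internet.
        Returns the inside local address, or None (dropped) when nothing maps to it."""
        for local, glob in self.table.items():
            if glob == inside_global:
                return local
        return None

    def release(self, inside_local):
        """Dynamic entries are removed when the session ends or times out; static ones stay."""
        if inside_local in self.static:
            return False
        glob = self.table.pop(inside_local, None)
        if glob is not None:
            self.free.append(glob)
        return glob is not None


def demo():
    """Constructed scenario: one published server plus a three-address dynamic pool."""
    nat = OneToOneNat(pool=["200.24.5.9", "200.24.5.10", "200.24.5.11"],
                      static={"172.18.3.30": "200.24.5.8"})   # web server, published on purpose
    r = {}
    # Static: reachable from outside before the server has sent anything.  Whether that is
    # a feature or an exposure depends entirely on the firewall policy in front of it.
    r["static_inbound"] = nat.inbound("200.24.5.8")             # '172.18.3.30'
    # Dynamic: nothing maps to a pool address until an inside host initiates a session.
    r["dynamic_inbound_before"] = nat.inbound("200.24.5.9")     # None
    r["outbound"] = [nat.outbound(h) for h in
                     ("172.18.3.1", "172.18.3.2", "172.18.3.3", "172.18.3.4")]
    # ['200.24.5.9', '200.24.5.10', '200.24.5.11', None]: the fourth host finds the pool empty
    r["dynamic_inbound_after"] = nat.inbound("200.24.5.9")      # '172.18.3.1'
    nat.release("172.18.3.1")                                   # session ends, address returns to pool
    r["reused"] = nat.outbound("172.18.3.4")                    # '200.24.5.9'
    r["static_released"] = nat.release("172.18.3.30")           # False: static entries never age out
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dynamic entries here are only dropped on an explicit release; a real device ages them out on a timer, which is why the mapping a host receives can differ from session to session.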
Figure 33: Addresses in NAT Translation Table

Translating the source addresses for outgoing packets is straightforward. But how does the NAT router know the destination address for a packet coming from the Internet? There may be tens or hundreds of private IP addresses, each belonging to one specific host. The problem is solved if the NAT router has a translation table.

Using One IP Address

In its simplest form, a translation table has only two columns: the private address and the external address (the destination address of the packet). When the router translates the source address of the outgoing packet, it also makes a note of the destination address, that is, where the packet is going. When the response comes back from the destination, the router uses the source address of the packet (as the external address) to find the private address of the packet. Figure 19.12 shows the idea; the addresses that are changed (translated) are shown in color.

In this strategy, communication must always be initiated by the private network. NAT is used mostly by ISPs which assign one single address to a customer. The customer, however, may be a member of a private network that has many private addresses. In this case, communication with the Internet is always initiated from the customer site, using a client program such as HTTP, TELNET, or FTP to access the corresponding server program. For example, when e-mail that originates from a non-customer site is received by the ISP e-mail server, the e-mail is stored in the mailbox of the customer until retrieved. With this form of NAT, a private network cannot run a server program for clients outside its network; an inside server can only be reached through a static mapping (Section 5.3).

Using a Pool of IP Addresses

Since the NAT router has only one global address, only one private network host can access the same external host at a time.
To remove this restriction, the NAT router uses a pool of global addresses. For example, instead of using only one global address (200.24.5.8), the NAT router can use four addresses (200.24.5.8, 200.24.5.9, 200.24.5.10, and 200.24.5.11). In this case, four private network hosts can communicate with the same external host at the same time, because each pair of addresses defines a connection.

However, there are still some drawbacks. In this example, no more than four connections can be made to the same destination. Also, no private-network host can access two external server programs (e.g., HTTP and FTP) at the same time.

Using Both IP Addresses and Port Numbers

To allow a many-to-many relationship between private-network hosts and external server programs, we need more information in the translation table. For example, suppose two hosts with addresses 172.18.3.1 and 172.18.3.2 inside a private network need to access the HTTP server on external host 25.8.3.2. If the translation table has five columns instead of two, including the source and destination port numbers of the transport-layer protocol, the ambiguity is eliminated.

Figure 34: Five Column Translation Table

Note that when the response from the HTTP server comes back, the combination of source address (25.8.3.2) and destination port number (1400) identifies the private-network host to which the response should be directed. Note also that for this translation to work, the temporary port numbers (1400 and 1401) must be unique; if two inside hosts happen to choose the same source port, the router must rewrite one of them, which is exactly what PAT (Section 5.3) does.

5.5 NAT TERMINOLOGY

Specific terms are used to identify the various NAT addresses:

Inside Local – the specific IP address assigned to an inside host behind a NAT-enabled device (usually a private address).

Inside Global – the address that identifies an inside host to the outside world (usually a public address). Essentially, this is the dynamically or statically assigned public address of a private host.
Outside Global – the address assigned to an outside host (usually a public address).

Outside Local – the address that identifies an outside host to the inside network. Often, this is the same address as the Outside Global.

Let's explain these NAT terms with an example, from Host A's perspective. Host A will reach Server C and Host B over the Internet, and NAT is enabled on Router A. Host A has a private IP address, 10.1.1.10, and this is our Inside Local Address. With this address Host A cannot reach the Internet, so it uses Router A's public IP address, 55.1.1.1, and this is our Inside Global Address.

Figure 35: NAT Terms

There are a Router B and a Server C in the above figure. The interface IP addresses of these devices are Outside Global Addresses: 88.1.1.1 and 99.1.1.1. Host B has a private IP address that is used in its own local network, but Host A sees only the global IP address in front of it, and that is the Outside Local Address. So our Outside Local Address is also 99.1.1.1. As a summary, our NAT terms are:

Inside Local Address – 10.1.1.10
Inside Global Address – 55.1.1.1
Outside Global Address – 88.1.1.1, 99.1.1.1
Outside Local Address – 99.1.1.1

It is occasionally necessary to translate an outside (usually public) address to an inside (usually private) address, and then the Outside Local and Outside Global addresses differ. For simplicity's sake, it is generally acceptable to associate global addresses with public addresses, and local addresses with private addresses. However, remember that public-to-public and private-to-private translation is still possible. Inside hosts are within the local network, while outside hosts are external to the local network.

5.6 NAT ADVANTAGES AND DISADVANTAGES

Network Address Translation (NAT) technology has many advantages and disadvantages.
Main advantages and disadvantages of NAT are listed below.

Advantages of NAT

- The main advantage of NAT is that it slows the depletion of IPv4 addresses: many inside hosts share a few public addresses.
- NAT hides the original source and destination addresses of inside hosts from the outside. This is obscurity, not access control (see Section 5.2); a firewall is still required.
- NAT provides increased flexibility when connecting to the public Internet.
- NAT allows you to use your own private IPv4 addressing plan and avoids renumbering internal hosts if you change service provider.

Disadvantages of NAT

- NAT consumes processor and memory resources, since the device must translate addresses (and, for PAT, ports) in every incoming and outgoing IPv4 datagram and keep the translation table in memory.
- NAT may add delay to IPv4 communication.
- NAT causes loss of end-device to end-device IP traceability: the outside sees only the NAT router's address, so identifying the inside host behind a connection requires the translation record (address, port and time) from the NAT device.
- Some technologies and network applications will not function as expected behind NAT, for example inside servers that must accept connections initiated from outside (Section 5.4).

5.7 CONCLUSION

The rapid growth of the Internet resulted in a shortage of available IPv4 addresses. In response, a specific subset of the IPv4 address space was designated as private, to temporarily alleviate this problem. A public address can be routed on the Internet. Thus, devices that must be Internet-accessible must be configured with (or reachable by) public addresses. A private address is intended for internal use within a home or organization, and can be freely used by anyone. However, private addresses can never be routed on the Internet; Internet routers are configured to drop traffic with private addresses. It is possible to translate between private and public addresses using Network Address Translation (NAT).
NAT allows a host configured with a private address to be stamped with a public address, thus allowing that host to communicate across the Internet. It is also possible to translate multiple privately-addressed hosts to a single public address, which conserves the public address space. NAT provides an additional benefit: hiding the specific addresses and addressing structure of the internal (or private) network.
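The five-column translation table of Section 5.4, worked through in code with the terms of Section 5.5. This is an added example and not part of the original chapter: it implements PAT over the single global address 200.24.5.8 for the two hosts 172.18.3.1 and 172.18.3.2 reaching HTTP on 25.8.3.2, and goes one step past the figure by letting both hosts pick the same source port 1400, so the router has to rewrite one of them. It also shows what happens to an inbound packet that matches no entry. The Pat and Packet classes, the port allocator and the sample traffic are assumptions made for illustration, not any vendor's implementation.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Pat:
    """Port Address Translation over one inside global address.  Each entry records the
    five columns of Figure 34 (private address, private port, external address, external
    port, transport protocol) plus the port the router actually uses on the outside,
    which is what lets two inside hosts both use port 1400 towards the same server."""

    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        self.by_flow = {}   # (proto, inside local, local port, outside global, outside port) -> router port
        self.by_port = {}   # (proto, router port, outside global, outside port) -> (inside local, local port)

    def _allocate(self, pkt):
        # Keep the host's own source port when no other inside host already uses it towards
        # the same external endpoint (the table then looks like the figure); otherwise rewrite.
        for port in itertools.chain((pkt.sport,), range(self.first_port, self.last_port + 1)):
            if (pkt.proto, port, pkt.dst, pkt.dport) not in self.by_port:
                return port
        return None

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the source address, and the source port if needed."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:
            port = self._allocate(pkt)
            if port is None:
                return None                                   # every port towards that endpoint is in use
            self.by_flow[flow] = port
            self.by_port[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.inside_global, self.by_flow[flow], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> inside: the reply's source endpoint plus its destination port select
        the entry; a packet with no entry has no inside host to go to and is dropped."""
        if pkt.dst != self.inside_global:
            return None
        hit = self.by_port.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            return None
        return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.proto)


def demo():
    """Constructed traffic matching the text, except that both hosts pick source port 1400."""
    nat = Pat("200.24.5.8")
    a = nat.outbound(Packet("172.18.3.1", 1400, "25.8.3.2", 80))   # keeps port 1400
    b = nat.outbound(Packet("172.18.3.2", 1400, "25.8.3.2", 80))   # 1400 taken: rewritten to 1024
    reply_a = nat.inbound(Packet("25.8.3.2", 80, "200.24.5.8", a.sport))
    reply_b = nat.inbound(Packet("25.8.3.2", 80, "200.24.5.8", b.sport))
    unsolicited = nat.inbound(Packet("25.8.3.2", 80, "200.24.5.8", 5555))   # no entry: dropped
    scanner = nat.inbound(Packet("9.9.9.9", 80, "200.24.5.8", a.sport))     # other peer: dropped
    return a, b, reply_a, reply_b, unsolicited, scanner


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

This table keys inbound lookups on the external endpoint as well as the router port, so a mapping created for 25.8.3.2 cannot be used by 9.9.9.9. Many real devices key only on the protocol and router port (endpoint-independent mapping), in which case any outside host can send to a port once an inside host has opened it; that is the behaviour hole-punching applications rely on, and it is another reason the chapter's point stands that NAT is not a substitute for a border firewall.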