
NAT

Network Address Translation

Private versus Legal addressing

RFC1918 specifies private addressing space:
Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

Private addressing can be used freely.
Private addressing cannot be used / routed on the internet.

Types of address translation


Static Source NAT
Static Destination NAT
Hide NAT

Static Source NAT

The source IP address of the IP packets is address translated.
1 private internal source IP address is mapped to 1 external legal source IP address!
No TCP/UDP ports are used.

Diagram (private side -> legal side):
IPspr1 / IPd -> IPsle1 / IPd
IPspr2 / IPd -> IPsle2 / IPd
IPspr3 / IPd -> IPsle3 / IPd

Static Destination NAT

The destination IP address of the IP packets is address translated.
1 legal external destination IP address is mapped to 1 private destination IP address!
No TCP/UDP ports are used.

Diagram (private side <- legal side):
IPs / IPdpr1 <- IPs / IPdle1
IPs / IPdpr2 <- IPs / IPdle2
IPs / IPdpr3 <- IPs / IPdle3

Hide NAT

The source IP addresses of the IP packets are address translated.
A full range of source IP addresses is mapped to 1 external legal source IP address!
TCP/UDP ports are used.

Diagram (private side -> legal side):
IPspr1 + Spx -> IPsle1 + Spx+1
IPspr2 + Spy -> IPsle1 + Spx+2
IPspr3 + Spz -> IPsle1 + Spx+3
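The three translation types above, modelled in one small gateway, as an added example that is not code from the original slides: static source NAT and static destination NAT rewrite one address 1:1 and leave ports alone, while hide NAT maps a whole private range onto one legal address and allocates a new source port per flow so replies can be demultiplexed. All addresses, ports and the port pool (10000 upwards) are constructed sample values; the RFC 1918 ranges are the slide's.

```python
"""NAT model: added example, not code from the original slides.
Implements the three translation types the slides describe with the same
roles (private IPspr -> legal IPsle).  All addresses, ports and the hide
port pool below are constructed sample values."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges from the slide
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip is RFC 1918 space, i.e. must not appear as a source on the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Static source NAT, static destination NAT and hide NAT on one gateway."""

    def __init__(self, hide_ip: str, first_port: int = 10000, last_port: int = 65535):
        self.src_map = {}          # static source: private src -> legal src
        self.src_rev = {}          # ... and its reverse, for replies
        self.dst_map = {}          # static destination: legal dst -> private dst
        self.dst_rev = {}          # ... and its reverse, for the server's replies
        self.hide_ip = hide_ip     # one legal address hides a whole private range
        self.next_port = first_port
        self.last_port = last_port
        self.hide_map = {}         # (private src, sport) -> allocated legal port
        self.hide_rev = {}         # legal port -> (private src, sport)

    def add_static_source(self, private_ip: str, legal_ip: str) -> None:
        self.src_map[private_ip] = legal_ip
        self.src_rev[legal_ip] = private_ip

    def add_static_destination(self, legal_ip: str, private_ip: str) -> None:
        self.dst_map[legal_ip] = private_ip
        self.dst_rev[private_ip] = legal_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the private side: translate the source."""
        if pkt.src in self.src_map:                 # static source NAT, port untouched
            return Packet(self.src_map[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if pkt.src in self.dst_rev:                 # static dest NAT server answering
            return Packet(self.dst_rev[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if is_private(pkt.src):                     # hide NAT: one address, new port
            key = (pkt.src, pkt.sport)
            if key not in self.hide_map:
                if self.next_port > self.last_port:
                    raise RuntimeError("hide NAT port pool exhausted")
                self.hide_map[key] = self.next_port
                self.hide_rev[self.next_port] = key
                self.next_port += 1
            return Packet(self.hide_ip, self.hide_map[key], pkt.dst, pkt.dport)
        return pkt                                  # legal source: nothing to do

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving from the legal side: translate the destination."""
        if pkt.dst in self.dst_map:                 # static destination NAT
            return Packet(pkt.src, pkt.sport, self.dst_map[pkt.dst], pkt.dport)
        if pkt.dst in self.src_rev:                 # reply to a static source NAT host
            return Packet(pkt.src, pkt.sport, self.src_rev[pkt.dst], pkt.dport)
        if pkt.dst == self.hide_ip and pkt.dport in self.hide_rev:
            priv_ip, priv_port = self.hide_rev[pkt.dport]   # hide reply: port selects host
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        return pkt                                  # unsolicited packet to the hide address: no entry


def demo() -> dict:
    """Run one packet of each kind through the gateway (constructed addresses)."""
    nat = Nat(hide_ip="203.0.113.1")
    nat.add_static_source("10.1.1.101", "198.51.100.10")
    nat.add_static_destination("198.51.100.20", "192.168.0.150")
    out = {}
    out["static_src"] = nat.outbound(Packet("10.1.1.101", 3138, "192.0.2.1", 80))
    # two hidden hosts using the same source port are kept apart by the allocated port
    out["hide_a"] = nat.outbound(Packet("10.1.1.5", 40000, "192.0.2.1", 80))
    out["hide_b"] = nat.outbound(Packet("10.1.1.6", 40000, "192.0.2.1", 80))
    out["hide_reply"] = nat.inbound(Packet("192.0.2.1", 80, "203.0.113.1", out["hide_b"].sport))
    out["static_dst"] = nat.inbound(Packet("192.0.2.1", 2981, "198.51.100.20", 21))
    out["static_dst_reply"] = nat.outbound(Packet("192.168.0.150", 21, "192.0.2.1", 2981))
    out["unsolicited"] = nat.inbound(Packet("192.0.2.1", 80, "203.0.113.1", 50000))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:17} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The last case in `demo()` is the property that matters for the defender: a packet to the hide address with a port that no inside host opened has no table entry, so nothing behind the hide address is reachable from outside; only the static mappings expose a host.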

Proxy ARP
NAT'ting behind a virtual IP address: the virtual IP address is not bound to the TCP/IP stack.
The firewall answers ARP requests directed to the virtual IP address with its external MAC address.
Diagram: the router sends an ARP request for the MAC address mapped to the virtual IP address, and the firewall replies.

Proxy ARP
How to activate PROXY ARP in 4.1/NG

Linux/Solaris:
arp -s virt_ip mac_ext_fw pub

Nokia IPxxx:
Use Voyager to configure proxy ARP.

NT/W2K:
local.arp in the %FWDIR%\state directory (4.1):
a.b.c.d<TAB>xx-xx-xx-xx-xx-xx<CR><LF>

local.arp in the %FWDIR%\conf directory (NG):
a.b.c.d<TAB>xx:xx:xx:xx:xx:xx<CR><LF>

Then: cpstop; cpstart

Automatic ARP configuration:
Only NG
Only for automatic address translation rules

Fwparp.exe

Operation in 4.1

Diagram: packet path IN (Eth0, Eth1) -> Forwarding -> NAT -> OUT (Eth2, Eth3).
Hide, static source and destination NAT is always performed here, at the NAT stage after forwarding, on the outbound side!!!

Operation in NG only

Diagram: packet path IN (Eth0, Eth1) -> NAT -> Forwarding -> NAT -> OUT (Eth2, Eth3).
Inbound NAT stage (before forwarding): STATIC DESTINATION NAT happens here, if TRANSLATE DESTINATION ON CLIENT SIDE is enabled.
Outbound NAT stage (after forwarding): STATIC DESTINATION NAT happens here, if TRANSLATE DESTINATION ON CLIENT SIDE is NOT enabled (4.1 mode). Hide and static source NAT is always performed here!!!

Impact of NAT changes

In FW-1/VPN-1 4.1:
A host specific route was needed for destination NAT.
A spoofing configuration change was needed on the internal interface, to prevent outgoing spoofing errors.

In FW-1/VPN-1 NG:
Due to TRANSLATE DESTINATION ON CLIENT SIDE, no route is needed.
Destination NAT on the Firewall's external IP address has become possible.
Outgoing spoofing control is no longer enforced.

STATIC SOURCE NAT

fw monitor trace (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound). The source 10.1.1.101 is rewritten to 172.21.101.100 only between o and O on the external-side interface El90x3, and the reply's destination is mapped back between i and I on the same interface:

DE5281:i[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
DE5281:I[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:o[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:O[40]: 172.21.101.100 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:i[1500]: 172.29.109.1 -> 172.21.101.100 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
El90x3:I[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
DE5281:o[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
DE5281:O[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705 TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205

STATIC DEST NAT
(TRANSLATE DESTINATION ON CLIENT SIDE ENABLED)

The destination 172.21.101.100 is rewritten to 10.1.1.101 between i and I on El90x3, i.e. before forwarding, so the packet is routed on the private address and no host route for 172.21.101.100 is needed; the server's reply is translated back between o and O on El90x3:

El90x3:i[48]: 172.29.109.1 -> 172.21.101.100 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
El90x3:I[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:o[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:O[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:i[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
DE5281:I[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:o[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:O[48]: 172.21.101.100 -> 172.29.109.1 (TCP) len=48 id=63694 TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2

STATIC DEST NAT
(TRANSLATE DESTINATION ON CLIENT SIDE DISABLED)

The destination is still 172.21.101.100 at El90x3 i and I and at DE5281 o, and is only rewritten to 10.1.1.101 between o and O on the internal interface DE5281, i.e. after forwarding (4.1 behaviour, which is why a host route for 172.21.101.100 was needed); the reply's source is translated back between i and I on DE5281:

El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:i[257]: 10.1.1.101 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
DE5281:I[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:o[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:O[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467 TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
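A small checker for reading traces like the three above, as an added example that is not code from the original slides: it parses fw monitor lines, pairs the inspection points of each packet (same IP id) on the same interface, and reports where an address changed, which is exactly how one confirms at which stage each NAT type is applied. The embedded sample lines are the request packets of the three traces above, joined onto one line each; the interface names and IP ids are the slide's own, and the i/I/o/O meaning (pre/post inbound, pre/post outbound) is the standard fw monitor one.

```python
"""fw monitor inspection-point analysis: added example, not from the original
slides.  The sample lines are the request packets of the three traces on the
slides (joined onto one line each).  Inspection points: i = pre-inbound,
I = post-inbound, o = pre-outbound, O = post-outbound."""
import re
from collections import OrderedDict

# First (request-direction) packet of each trace on the slides
TRACES = {
    "static source NAT": """
DE5281:i[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
DE5281:I[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:o[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:O[40]: 172.21.101.100 -> 172.29.109.1 (TCP) len=40 id=61986 TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
""",
    "static dest NAT, client side enabled": """
El90x3:i[48]: 172.29.109.1 -> 172.21.101.100 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
El90x3:I[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:o[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:O[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722 TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
""",
    "static dest NAT, client side disabled": """
El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764 TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
""",
}

LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+\(\w+\)\s+len=\d+\s+id=(?P<id>\d+)\s+\w+:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")


def parse(trace: str) -> list:
    """One dict per fw monitor line; lines that do not match the format are skipped."""
    out = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def translation_points(records: list) -> list:
    """Where did an address change?  Compare consecutive inspection points of the
    same packet (same IP id) on the same interface: i->I (inbound), o->O (outbound)."""
    by_id = OrderedDict()
    for r in records:
        by_id.setdefault(r["id"], []).append(r)
    changes = []
    for pid, recs in by_id.items():
        for a, b in zip(recs, recs[1:]):
            if a["iface"] != b["iface"] or (a["point"], b["point"]) not in (("i", "I"), ("o", "O")):
                continue
            for field in ("src", "dst"):
                if a[field] != b[field]:
                    changes.append({"id": pid, "iface": a["iface"],
                                    "stage": a["point"] + "->" + b["point"],
                                    "field": field, "before": a[field], "after": b[field]})
    return changes


def describe(change: dict) -> str:
    """Map a change to the slides' statement about where each NAT type runs."""
    if change["field"] == "src" and change["stage"] == "o->O":
        return "source address translated after forwarding (hide / static source NAT)"
    if change["field"] == "dst" and change["stage"] == "i->I":
        return "destination translated before forwarding (translate destination on client side)"
    if change["field"] == "dst" and change["stage"] == "o->O":
        return "destination translated after forwarding (4.1 mode, host route needed)"
    return "unexpected translation point"


def analyse(trace: str) -> list:
    return [(c["iface"], c["stage"], c["field"], c["before"], c["after"], describe(c))
            for c in translation_points(parse(trace))]


if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name)
        for row in analyse(trace):
            print("  ", *row)
```

Run against a real capture, an address that changes at a stage other than the three `describe()` knows about is worth investigating: it means a NAT rule is firing somewhere the policy author did not expect.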

NATted FTP connection example


ip330[admin]# fw tab -u -t connections | grep 15
dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function
c5f7637c 0
<00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006; 0001c001, 00806080, 00000008, 00000e10, 00000031, 3e5a79fb, 00000000, f559cfc3,
000007b6, 00000000, 00000000, 00000001, 00000001, 00000000, 22000000, 00000000, 00000000, ab4c6800, 08aee000, 00000000, c5d09000, 610f2000,
00000000, 00000000, 00000000; 3518/3600>
<00000000, c16db9a2, 00000015, c3cf59f4, 00003648, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000006)
<00000000, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000016)
<00000001, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000005)
<00000001, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000002)
ip330[admin]#
Slide annotations decoding the connections table entry above (hex field -> value):

Main entry key <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006>:
0 (first field, shown as 0 on the slide), source 192.168.0.150, source port 3665, destination 193.109.185.162, destination port 21, protocol 6 (TCP)

Entry values: 0001c001 and 00806080 (shown unlabelled); 00000008 = Rule 8; 00000e10 = TimeOut 3600; 00000031 = C11 49; 3e5a79fb = C12 1046116859; 00000000 = C13 0; f559cfc3 = C14 4116303811; 000007b6 = C15 1974; 3518/3600 = the entry's timer (3600 = TimeOut).

Link entries (first field, src, sport, dst, dport, proto) -> main entry:
0, 193.109.185.162, 21, 195.207.89.244, 13896, 6 -> main entry (00000006): the server's reply addressed to the hide NAT address and port of the client
0, 193.109.185.162, 21, 192.168.0.150, 3665, 6 -> main entry (00000016)
1, 193.109.185.162, 21, 192.168.0.150, 3665, 6 -> main entry (00000005)
1, 192.168.0.150, 3665, 193.109.185.162, 21, 6 -> main entry (00000002)

Other slide labels whose position was lost in extraction: srv_int_in 1, srv_int_out 1, cl_int_in 0, cl_int_out 0.
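A decoder for the entry above, as an added example that is not code from the original slides: it turns the hex 6-tuples of the fw tab output into addresses and ports, picks out the rule number and timeout the slide labels, and finds the link entry that records the translated (hide NAT) address and port the FTP server sees. The sample text is the slide's own output joined onto single lines; treating the first tuple field as a direction flag and the third/fourth value fields as rule and timeout follows the slide's annotations, and the 3518/3600 reading as remaining/total seconds is an assumption.

```python
"""Decoder for the fw tab connections entry on the slide: added example, not
part of the original slides.  Sample text is the slide's own output joined
onto single lines.  Field meanings follow the slide's labels; the first tuple
field is treated as a direction flag and 3518/3600 as remaining/total
seconds (both assumptions)."""
import re

TUPLE_RE = re.compile(r"<([^>]*)>")
LINK_RE = re.compile(r"<([^>]*)>\s*->\s*<([^>]*)>\s*\((\w+)\)")

ENTRY = ("<00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006; 0001c001, 00806080, "
         "00000008, 00000e10, 00000031, 3e5a79fb, 00000000, f559cfc3, 000007b6, 00000000, "
         "00000000, 00000001, 00000001, 00000000, 22000000, 00000000, 00000000, ab4c6800, "
         "08aee000, 00000000, c5d09000, 610f2000, 00000000, 00000000, 00000000; 3518/3600>")

LINKS = """
<00000000, c16db9a2, 00000015, c3cf59f4, 00003648, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000006)
<00000000, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000016)
<00000001, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000005)
<00000001, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000002)
"""


def hex_ip(h: str) -> str:
    """32-bit hex word -> dotted quad (c0a80096 -> 192.168.0.150)."""
    v = int(h, 16)
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))


def decode_key(fields) -> dict:
    """6-tuple key: direction flag, src, sport, dst, dport, protocol."""
    d, s, sp, t, tp, pr = [f.strip() for f in fields]
    return {"dir": int(d, 16), "src": hex_ip(s), "sport": int(sp, 16),
            "dst": hex_ip(t), "dport": int(tp, 16), "proto": int(pr, 16)}


def parse_entry(text: str) -> dict:
    """Main entry: <key; values; remaining/total>."""
    body = TUPLE_RE.search(text).group(1)
    key, values, timer = [part.strip() for part in body.split(";")]
    vals = [int(v.strip(), 16) for v in values.split(",")]
    remaining, total = (int(x) for x in timer.split("/"))
    return {"key": decode_key(key.split(",")), "values": vals,
            "rule": vals[2],        # slide label: Rule 8
            "timeout": vals[3],     # slide label: TimeOut 3600
            "timer": (remaining, total)}


def parse_links(text: str) -> list:
    """Link entries: <lookup key> -> <main entry key> (kind)."""
    out = []
    for line in text.strip().splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            out.append({"from": decode_key(m.group(1).split(",")),
                        "to": decode_key(m.group(2).split(",")),
                        "kind": int(m.group(3), 16)})
    return out


def translated_endpoint(entry: dict, links: list):
    """The client as the outside peer addresses it: the link keyed on a reply
    whose destination is not the private client address (the hide NAT address/port)."""
    client = entry["key"]["src"]
    for link in links:
        if link["to"]["src"] == client and link["from"]["dst"] != client:
            return link["from"]["dst"], link["from"]["dport"]
    return None


if __name__ == "__main__":
    e = parse_entry(ENTRY)
    k = e["key"]
    print(f"{k['src']}:{k['sport']} -> {k['dst']}:{k['dport']} proto {k['proto']} "
          f"rule {e['rule']} timeout {e['timeout']} timer {e['timer']}")
    print("seen from outside as", translated_endpoint(e, parse_links(LINKS)))
```

Decoding entries this way is how you confirm, from the gateway's own state rather than from the rule base, which legal address and port a private host is currently exposed through, and for how long the entry will survive without traffic.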
