Notes6:NAT - echadbourne/NET-330 GitHub Wiki

Network Address Translation

Most networks use private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) because public IPv4 addresses have run out

  • These are not routable on the internet

NAT is a method of remapping one IP address space into another

  • We do this by modifying network address information in IP packet headers while they are in transit across a router
  • The general rule: clients make outbound connections, so many clients can share a single public IP
  • A NAT router will track these translations to make sure reply packets go to the right place

What is a NAT router actually doing?

Based on what we know about networking, what functions must the NAT router provide?

Rewrite layer 3 header

  • Source IP rewrite for outbound packets - ex 192.168.3.100 to 216.93.145.200
  • Destination IP rewrite for inbound packets - ex 216.93.145.200 to 192.168.3.100

And, keep track of those translations in a table so it knows how to send inbound packets back to the right client

  • This usually also requires rewriting layer 4 headers: the TCP/UDP source port is used to tell translations apart
  • Because the IP and TCP/UDP checksums cover the rewritten fields, the router must also recompute them

OSI Model

Devices performing NAT:

  • Are in-between the sender and receiver
  • will rewrite the layer 3 (and often layer 4) headers as a packet travels between the sender and receiver

Security

NAT can also provide some security

  • Hosts with private IPs cannot typically be accessed directly from outside the network, because no translation entry exists until the inside host initiates a conversation
  • NAT is not a firewall: it does nothing to stop an inside host from connecting outward (for example to a command-and-control server), and every static mapping exposes an inside host directly

IP Masquerading

In Cyber Labs, we use IP Masquerading for our NAT setup

  • The private source IP address is changed into a public address, which becomes the "new" source address of the outgoing IP packet
  • This enables communication through the router only when the conversation originates inside the masqueraded network

Masquerading routers keep stateful translation tables of each conversation to "remember" the original source address when packets return during this conversation

  • The translation tables are flushed after a defined idle period unless new traffic refreshes their state, which prevents port exhaustion and frees state-table resources


Types of NAT


Static NAT

Allows the network administrator to configure translation table entries for permanent use

When a single TCP or UDP port is mapped instead of a whole address, this is often referred to as port forwarding; either way it allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network

  • Simple to configure
  • Useful to allow access to a few servers, hosts, or applications
  • Does not scale well - as each entry has to be manually configured

Dynamic NAT

Maps an unregistered private IP address to a registered public IP address by selecting a public IP from a pool of registered addresses

  • Many to many mapping

Used when PAT is not supported

  • Some hardware and protocols don't support PAT (for example IPsec ESP, which carries no port numbers to translate)

Dynamic NAT has limitations

  • The public pool is smaller than the number of private IPs, so the pool can get used up
  • Clients then have to wait for a public IP to be freed
  • It also still consumes many public IPs

Port Address Translation (PAT)

A common implementation of IP Masquerading NAT

  • Permits multiple devices on a local area network (LAN) to be mapped to a single public IP address

PAT devices use the TCP/UDP source port number as a way to keep track of different sessions

  • The client's source port is an ephemeral port, usually picked randomly; the PAT device keeps it if it is free and picks a different one otherwise

The translation table tracks the mapping between the original IP/port pair and the translated IP/port pair for each conversation
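To make the masquerading and PAT sections above concrete, here is a small added model of a PAT translation table (written for these notes, not code from the NET-330 wiki or any router vendor). It shows the source-port rewrite that lets two inside clients share one public IP, the drop of inbound packets that no entry explains, and the idle-timeout flush that frees ports. The addresses, the two-port pool and the 60-second timeout are assumptions chosen so that port exhaustion is visible in a few lines.

```python
"""Toy model of an IP masquerading / PAT translation table (added example)."""
from dataclasses import dataclass

PUBLIC_IP = "216.93.145.200"   # router's outside address, taken from the notes


@dataclass
class Entry:
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    nat_port: int
    last_seen: float


class PatRouter:
    def __init__(self, public_ip=PUBLIC_IP, port_range=(1024, 65535), idle_timeout=60.0):
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.idle_timeout = idle_timeout
        self.table = {}    # (inside_ip, inside_port, remote_ip, remote_port) -> Entry
        self.by_port = {}  # nat_port -> Entry (each conversation gets its own public port)

    def _allocate_port(self, preferred):
        """Keep the client's source port if it is free (port preservation),
        otherwise take the lowest free port; None means the pool is exhausted."""
        if self.low <= preferred <= self.high and preferred not in self.by_port:
            return preferred
        for port in range(self.low, self.high + 1):
            if port not in self.by_port:
                return port
        return None

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite the L3 source IP and L4 source port of an outbound packet.
        Returns the new (src_ip, src_port); raises when no public port is left."""
        key = (src_ip, src_port, dst_ip, dst_port)
        entry = self.table.get(key)
        if entry is None:
            nat_port = self._allocate_port(src_port)
            if nat_port is None:
                raise RuntimeError("PAT port pool exhausted")
            entry = Entry(src_ip, src_port, dst_ip, dst_port, nat_port, now)
            self.table[key] = entry
            self.by_port[nat_port] = entry
        entry.last_seen = now          # any traffic refreshes the entry's timer
        return self.public_ip, entry.nat_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite the destination of an inbound packet back to the inside host.
        Returns (inside_ip, inside_port), or None when the packet must be dropped."""
        if dst_ip != self.public_ip:
            return None
        entry = self.by_port.get(dst_port)
        # No entry: the conversation did not originate inside, so drop it.
        # An entry that belongs to a different remote endpoint is also dropped
        # (endpoint filtering), so a stranger cannot reuse someone else's port.
        if entry is None or (entry.remote_ip, entry.remote_port) != (src_ip, src_port):
            return None
        entry.last_seen = now
        return entry.inside_ip, entry.inside_port

    def expire(self, now):
        """Flush entries idle longer than idle_timeout; returns how many were freed."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for key in stale:
            entry = self.table.pop(key)
            del self.by_port[entry.nat_port]
        return len(stale)


def demo():
    """Two inside clients share one public IP, then a tiny pool runs out.
    All addresses and timings below are constructed sample input."""
    nat = PatRouter(port_range=(40000, 40001))          # only two public ports
    out_a = nat.outbound("192.168.3.100", 40000, "93.184.216.34", 80, now=0.0)
    out_b = nat.outbound("192.168.3.101", 40000, "93.184.216.34", 80, now=1.0)
    # Both clients chose source port 40000, so the second one was rewritten.
    reply_a = nat.inbound("93.184.216.34", 80, PUBLIC_IP, out_a[1], now=2.0)
    unsolicited = nat.inbound("198.51.100.9", 4444, PUBLIC_IP, 40001, now=2.0)
    try:
        nat.outbound("192.168.3.102", 5555, "93.184.216.34", 80, now=3.0)
        exhausted = False
    except RuntimeError:
        exhausted = True
    freed = nat.expire(now=100.0)                       # both entries idle > 60 s
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "unsolicited": unsolicited, "exhausted": exhausted, "freed": freed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the second client's port rewritten to 40001, the reply to the first client delivered to 192.168.3.100:40000, the unsolicited packet dropped, the third client refused until `expire()` frees both entries. Real routers keep far larger pools and longer timeouts; the idle flush is what keeps a busy masquerading router from running out of ports.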

Configuring NAT in Cisco

Define the "inside" and "outside" interfaces

  • Typically inside is the interface connected to the Private Addresses
  • Outside is the interface connected to the Public address

(config)#interface serial 0/0/0
(config-if)#ip nat outside

Set NAT Rules

  • Static Mappings
  • PAT Dynamic pool assignments

Wildcard Subnet Masks

  • Yet another way to write a subnet mask, used in Cisco access lists
  • Basically switch the ones and zeroes: a 0 bit means "must match", a 1 bit means "don't care"

So:

  • 255.255.255.0 (11111111.11111111.11111111.00000000)
  • 0.0.0.255 (00000000.00000000.00000000.11111111)

255.255.255.252 becomes 0.0.0.3

255.255.240.0 becomes 0.0.15.255
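The three steps above (mark the interfaces, set the NAT rules, write the ACL with a wildcard mask) come together in the following added IOS configuration, which is an illustration written for these notes and not a configuration from the NET-330 wiki or Cyber Labs. The interface names, the 192.168.3.0/24 LAN, the 216.93.145.0/28 public block, the inside web server at 192.168.3.10 and the ACL and pool names are all assumptions.

```cisco
! Added example: complete NAT configuration for one router (assumed topology)
!
! Step 1: mark the inside (private) and outside (public) interfaces
interface GigabitEthernet0/1
 description LAN - private 192.168.3.0/24
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 description WAN - public
 ip address 216.93.145.200 255.255.255.240
 ip nat outside
!
! Step 2: which inside hosts may be translated. Wildcard 0.0.0.255 is the
! inverse of 255.255.255.0, so this matches all of 192.168.3.0/24
access-list 1 permit 192.168.3.0 0.0.0.255
!
! Step 3a: PAT (IP masquerading). "overload" lets every host in ACL 1 share
! the outside interface address, tracked by source port
ip nat inside source list 1 interface Serial0/0/0 overload
!
! Step 3b: static NAT / port forwarding. Outside traffic to the public
! address on TCP 443 is sent to the inside web server; this host is now
! reachable from the internet, so it needs its own hardening
ip nat inside source static tcp 192.168.3.10 443 interface Serial0/0/0 443
!
! Alternative to 3a: dynamic NAT from a pool, one public IP per active client,
! for equipment or protocols that cannot use PAT (leave commented if using 3a)
! ip nat pool PUBPOOL 216.93.145.201 216.93.145.203 netmask 255.255.255.240
! ip nat inside source list 1 pool PUBPOOL
```

After applying it, `show ip nat translations` lists the live table entries (inside local, inside global, outside addresses and ports) and `show ip nat statistics` shows hits, misses and the pool usage, which is where dynamic-NAT pool exhaustion first becomes visible. Only one `ip nat inside source list 1 ...` rule should be active at a time; the pool lines are shown commented out for that reason.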