Nat - 6

- Network Address Translation (NAT) allows private IP addresses to be used on an internal network by translating them to public IP addresses when communicating externally. - NAT operates on a router, translating private IP addresses on the internal network to public IP addresses when packets are forwarded to the external network. - Port Address Translation (PAT) extends NAT by allowing multiple private IP addresses to share a single public IP address by using unique source port numbers.

Uploaded by: eti
Copyright: © All Rights Reserved

Network security

Firewall 1/2
Network Address Translation (NAT)

Overview

In its simplest configuration, the Network Address Translator (NAT) operates on a router connecting two networks together; one of these networks (designated as inside) is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside).

In order to extend the life of the IPv4 address space, address registries are requiring more justification than ever before, making it harder for organizations to acquire additional address space [RFC1466].

Security Considerations
Public/official/legal address versus Private address

RFC 1918

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Private addressing

• 172.16.0.0 – 172.31.255.255: 172.16.0.0/12
  – Where does the /12 come from? The first and last address of the block have their leading 12 bits in common:
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0
10101100 . 00011111 . 11111111 . 11111111 – 172.31.255.255
-------------------------------------------------------------
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0/12
Because private addresses have no global meaning,
routing information about private networks shall
not be propagated on inter-enterprise links, and
packets with private source or destination
addresses should not be forwarded across such
links. Routers in networks not using private
address space, especially those of Internet service
providers, are expected to be configured to reject
(filter out) routing information about private
networks. If such a router receives such
information the rejection shall not be treated as a
routing protocol error.
NAT concepts
NAT Terminology "Inside Addressing"
• Inside local: Configured IP address assigned to a host on the inside network. The address may be globally unique, allocated out of the private address space defined in RFC 1918, or might be officially allocated to another organization.

• Inside global: The IP address of an inside host as it appears to the outside network, the "Translated IP Address." Addresses can be allocated from a globally unique address space, typically provided by the ISP (if the enterprise is connected to the global Internet).
NAT Example
Outbound packet (1 = on the inside network, before translation; 2 = on the outside network, after translation):
  IP Header 1: DA 128.23.2.2, SA 10.0.0.3, .... Data
  IP Header 2: DA 128.23.2.2, SA 179.9.8.80, .... Data
• The translation from Private source IP address to Public source IP address.
NAT Example
Return packet (3 = on the outside network, before translation; 4 = on the inside network, after translation):
  IP Header 3: DA 179.9.8.80, SA 128.23.2.2, .... Data
  IP Header 4: DA 10.0.0.3, SA 128.23.2.2, .... Data
• Translation back, from Public destination IP address to Private destination IP address.


NAT Terminology "Outside Addressing"
• Outside local: The IP address of an outside host as it appears to the inside network. These addresses can be allocated from the RFC 1918 space if desired.

• Outside global: The configured IP address assigned to a host in the outside network.
NAT Example

• Inside local address – The IP address assigned to a host on the inside network. This
address is likely to be an RFC 1918 private address.
• Inside global address – A legitimate (Internet routable or public) IP address assigned by the
service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address – The IP address of an outside host as it is known to the hosts on
the inside network.
• NAT is designed to conserve IP addresses and enable networks to use private IP addresses
on internal networks.
• These private, internal addresses are translated to routable, public addresses.
• NAT, as defined by RFC 1631, is the process of swapping one address for another in the IP
packet header.
• In practice, NAT is used to allow hosts that are privately addressed to access the Internet.
• NAT translations can occur dynamically or statically.
• The most powerful feature of NAT routers is their capability to use port address translation
(PAT), which allows multiple inside addresses to map to the same global address.
• This is sometimes called a many-to-one NAT.
Main Features

Static Address Translation
The user can establish a one-to-one mapping between local and global addresses.
Configuring Static NAT
Dynamic Address Translation
The user can establish dynamic mapping between the local and global addresses. This is done by describing the local addresses to be translated and the pool of addresses from which to allocate global addresses, and associating the two.

Match Host
The ability to configure NAT to assign the same host portion of an IP address and only translate the network prefix portion of the IP address. Useful where you are using the host portion as a means to identify or number users uniquely.
Configuring Dynamic NAT
(Figure: the network address space you have received from your ISP is 179.9.8.0/24; in the ISP's routing table it appears as "179.9.8.0/24 via 192.168.1.1". The figure annotates the configuration with "Start here", "Source IP address must match here" (access-list wildcard 0.0.255.255) and "Translate to these outside addresses".)
Main Features
•NAT allows you to have more than your allocated number of IP
addresses by using RFC 1918 address space with smaller mask.
•However, because you have to use your Public IP addresses for
the Internet, NAT still limits the number of hosts you can have
access the Internet at any one time (depending upon the number
of hosts in your public network mask.)

Port Address Translation (PAT)


Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT), which is also referred to as "overload," a subset of NAT functionality.
PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address.
Basic Concepts of PAT
PAT will attempt to preserve the original source port. If this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group: 0-511, 512-1023, or 1024-65535.
If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again.
This continues until it runs out of available ports and IP addresses.
PAT – Port Address Translation

• PAT (Port Address Translation) allows you to use a single Public IP address and assign it up to
65,536 inside hosts (4,000 is more realistic).
• PAT modifies the TCP/UDP source port to track inside Host addresses.
• Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream
of traffic.
PAT Example
NAT/PAT table maintains translation of: DA, SA, SP
Outbound packets (1 = inside, before translation; 2 = outside, after translation):
  IP Header / TCP/UDP Header 1: DA 128.23.2.2, SA 10.0.0.3, DP 80, SP 1331, Data
  IP Header / TCP/UDP Header 2: DA 128.23.2.2, SA 179.9.8.80, DP 80, SP 3333, Data
  IP Header / TCP/UDP Header 1: DA 128.23.2.2, SA 10.0.0.2, DP 80, SP 1555, Data
  IP Header / TCP/UDP Header 2: DA 128.23.2.2, SA 179.9.8.80, DP 80, SP 2222, Data
PAT Example
NAT/PAT table maintains translation of: SA (DA), DA (SA), DP (SP)
Return packets (3 = outside, before translation; 4 = inside, after translation):
  IP Header / TCP/UDP Header 3: DA 179.9.8.80, SA 128.23.2.2, DP 3333, SP 80, Data
  IP Header / TCP/UDP Header 4: DA 10.0.0.3, SA 128.23.2.2, DP 1331, SP 80, Data
  IP Header / TCP/UDP Header 3: DA 179.9.8.80, SA 128.23.2.2, DP 2222, SP 80, Data
  IP Header / TCP/UDP Header 4: DA 10.0.0.2, SA 128.23.2.2, DP 1555, SP 80, Data
PAT – Port Address Translation

• With PAT, multiple private IP addresses can be translated by a single public address (many-to-one translation).
• This solves the limitation of NAT, which is one-to-one translation.
PAT – Port Address Translation
(Figure: the same outbound PAT example as above, 10.0.0.3:1331 and 10.0.0.2:1555 both translated to source 179.9.8.80 with source ports 3333 and 2222, destination 128.23.2.2:80.)

• As long as the inside global port numbers are unique for each inside
local host, NAT overload will work. For example, if the host at
10.1.1.5 and 10.1.1.6 both use TCP port 1234, the NAT router can
create the extended table entries mapping 10.1.1.5:1234 to
171.70.2.2:1234 and 10.1.1.6:1234 to 171.70.2.2:1235.
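As an added illustration of the PAT port-allocation rule stated above (keep the original source port, otherwise take the first free port in the same port group, then move to the next global address) and of the 10.1.1.5/10.1.1.6 collision, the following Python simulation is not part of the original slides; the class and function names are my own.

```python
"""Simulated PAT (NAT overload) table using the port-allocation rule from the slides."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, port)

# Port groups PAT searches when the original source port is already taken.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> Tuple[int, int]:
    """Return the (low, high) port group that a source port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    """Many-to-one table: inside local (addr, port) <-> inside global (addr, port)."""
    global_addrs: Tuple[str, ...]                                # inside global address(es), in order
    inside: Dict[Socket, Socket] = field(default_factory=dict)   # local -> global
    outside: Dict[Socket, Socket] = field(default_factory=dict)  # global -> local

    def allocate(self, local: Socket) -> Socket:
        """Pick the inside global socket for a flow from `local`.

        1. An existing entry is reused (same host/port keeps its translation).
        2. Keep the original source port on the first global address if free.
        3. Else take the first free port in the same group (0-511, 512-1023, 1024-65535).
        4. Else move to the next global address and retry from step 2.
        """
        if local in self.inside:
            return self.inside[local]
        low, high = port_group(local[1])
        for gaddr in self.global_addrs:
            candidates = itertools.chain([local[1]],
                                         (p for p in range(low, high + 1) if p != local[1]))
            for gport in candidates:
                if (gaddr, gport) not in self.outside:
                    self.inside[local] = (gaddr, gport)
                    self.outside[(gaddr, gport)] = local
                    return gaddr, gport
        raise RuntimeError("PAT: out of ports and global addresses")

    def outbound(self, sa: Socket, da: Socket) -> Tuple[Socket, Socket]:
        """Inside -> outside: rewrite SA/SP, leave DA/DP untouched."""
        return self.allocate(sa), da

    def inbound(self, sa: Socket, da: Socket) -> Optional[Tuple[Socket, Socket]]:
        """Outside -> inside: DA/DP is the inside global socket; map it back to the host.

        A packet with no matching entry (unsolicited inbound traffic) is dropped,
        which is why PAT incidentally blocks inbound connection attempts.
        """
        local = self.outside.get(da)
        if local is None:
            return None
        return sa, local


def demo() -> Dict[str, object]:
    """Walk through the slides' 10.1.1.5:1234 / 10.1.1.6:1234 collision on 171.70.2.2."""
    table = PatTable(("171.70.2.2",))
    server = ("128.23.2.2", 80)
    first, _ = table.outbound(("10.1.1.5", 1234), server)   # original port preserved
    # 1234 is taken, so the rule picks the first free port of group 1024-65535 (1024);
    # the slide's example shows 1235, which is equally valid as long as it is unique.
    second, _ = table.outbound(("10.1.1.6", 1234), server)
    reply = table.inbound(server, second)                    # server answers the second translation
    return {"first": first, "second": second, "reply": reply,
            "unsolicited": table.inbound(server, ("171.70.2.2", 5555))}


if __name__ == "__main__":
    print(demo())
```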
Destination Address Rotary Translation
A dynamic form of destination translation can be
configured for some outside-to-inside traffic. Once a
mapping is set up, a destination address matching one of
those on an access list will be replaced with an address
from a rotary pool. Allocation is done in a round-robin
basis, performed only when a new connection is opened
from the outside to the inside. This feature was designed to
provide protocol translation load distribution. It is not
designed to be used as a substitute technology for Cisco's
LocalDirector product. If a Web server were to become
offline, the destination address rotary translation feature
would continue to send requests to the downed server.
Cisco Configuration Commands

Interface Configuration Commands
ip nat { inside | outside }
Interfaces need to be marked whether they are on the inside or the outside. Only packets arriving on a marked interface will be subject to translation.

Defining a pool
ip nat pool <name> <start-ip> <end-ip> netmask <netmask> [ type { rotary } ]
Defines a pool of addresses using start address, end address, and netmask. These addresses will be allocated as needed.

Enabling translation of inside source addresses
ip nat inside source { list <acl> pool <name> [overload] | static <local-ip> <global-ip> }
The first form enables dynamic translation. Packets from addresses that match those on the simple access list are translated using global addresses allocated from the named pool. The optional keyword overload enables port translation for UDP and TCP. The term overload is equivalent to Port Address Translation (PAT).
The second form of the command sets up a single static translation.

Enabling translation of inside destination addresses
ip nat inside destination { list <acl> pool <name> | static <global-ip> <local-ip> }
This command is similar to the source translation command. For dynamic destination translation to make any sense, the pool should be a rotary-type pool.

Enabling translation of outside source addresses
ip nat outside source { list <acl> pool <name> | static <global-ip> <local-ip> }
The first form (list..pool..) enables dynamic translation. Packets from addresses that match those on the simple access list are translated using local addresses allocated from the named pool.
The second form (static) of the command sets up a single static translation.
Cisco Access-list

Standard Access-list (1 – 99)
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number

Extended Access-list (100 – 199)
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard operator operand
Operator = lt, eq, neq, gt – Operand = port number

Wildcard mask notation: a 0 bit in the wildcard means the corresponding address bit must match, a 1 bit means it is ignored (so 0.0.0.255 matches a whole /24).
>199 : protocol dependent (other than IP)
ip access-group access-list-number in|out (interface subcommand)
Configuration Example 1
This sample configuration translates between inside hosts
addressed from either the 192.168.1.0 or 192.168.2.0 nets
to the globally-unique 171.69.233.208/28 network.

ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
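To make Configuration Example 1 concrete, here is an added Python simulation (not from the slides) of the standard access-list wildcard match and of dynamic allocation from pool net-20; it also reproduces the /12 derivation from the private-addressing slide. Class and function names are my own.

```python
"""Dynamic NAT from Configuration Example 1: ACL wildcard matching plus pool allocation."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, source, source-wildcard) as in `access-list 1 permit ...`


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def common_prefix_len(first: str, last: str) -> int:
    """Leading bits shared by two addresses: 172.16.0.0 and 172.31.255.255 share 12."""
    return 32 - (ip_int(first) ^ ip_int(last)).bit_length()


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(source) & care)


class DynamicNat:
    """`ip nat inside source list <acl> pool <name>` without overload: one global per host."""

    def __init__(self, acl: List[Rule], pool_start: str, pool_end: str) -> None:
        self.acl = acl
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_int(pool_start), ip_int(pool_end) + 1)]
        self.table: Dict[str, str] = {}   # inside local -> inside global

    def permitted(self, addr: str) -> bool:
        """First matching ACL entry decides; no match is an implicit deny."""
        for action, source, wildcard in self.acl:
            if wildcard_match(addr, source, wildcard):
                return action == "permit"
        return False

    def translate(self, local: str) -> Optional[str]:
        """Global address for an outbound packet; unchanged if not in the ACL; None if pool empty."""
        if not self.permitted(local):
            return local
        if local not in self.table:
            if not self.free:
                return None   # pool exhausted: the packet is dropped until an entry times out
            self.table[local] = self.free.pop(0)
        return self.table[local]


def example_config() -> DynamicNat:
    """Pool net-20 and access-list 1 exactly as in Configuration Example 1."""
    acl = [("permit", "192.168.1.0", "0.0.0.255"), ("permit", "192.168.2.0", "0.0.0.255")]
    return DynamicNat(acl, "171.69.233.208", "171.69.233.223")
```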
Configuration example 2

Exam example …
Configuration Example 3

Translating to interface's address


As a convenience for users wishing to translate all inside addresses to the address assigned to an interface on the router, the NAT code allows one to simply name the interface when configuring the dynamic translation rule:
ip nat inside source list <number> interface <interface> overload
If there is no address on the interface, or if the interface is not up, no translation will occur.
Example:
ip nat inside source list 1 interface Serial0 overload
Configure PAT – Overload
192.168.1.1 is the address your ISP has assigned you. Instead of a host, you put a router there, running PAT so you can have multiple hosts share that same 192.168.1.1 address.
(Figure: inside network 10.1.0.0 behind the PAT router.)
• In this example a single Public IP address is used, with PAT source ports differentiating between connection streams.
Configure PAT – Overload
This is a different example, using the IP address of the outside interface instead of specifying an IP address.
Showing active translations
show ip nat translations

Showing translation statistics
show ip nat statistics

Clearing dynamic translations
clear ip nat translation *
Clears all dynamic translations.
clear ip nat translation <global-ip>
Clears a simple translation.

Debugging
debug ip nat [ <list> ] [ detailed ]
NAT/PAT Clear Commands
Sometimes you receive these messages when you change the Network Address Translation (NAT) configuration:
Dynamic mapping in use, cannot remove
%Pool outpool in use, cannot destroy

Clear the active translations first (clear ip nat translation, as above) before removing the mapping or pool.


Verifying NAT/PAT
Troubleshooting NAT/PAT
NAT limitations

Application traffic is transparent to Cisco IOS NAT unless there are embedded IP addresses in the data portion.
With embedded IP addresses, Cisco IOS NAT needs to know the messages that contain embedded addresses and the offset within these messages. If the embedded addresses match the configured rules, they will be translated according to the configuration. An application that embeds IP addresses that Cisco IOS NAT does not know about will not work properly in a Cisco IOS NAT configuration.
NAT/PAT limits

Traffic Types/Applications Supported
Any TCP/UDP traffic that does not carry source and/or destination IP addresses in the application data stream:
HTTP
TFTP
telnet, …
Issues with NAT/PAT

• NAT also forces some applications that use IP addressing to stop functioning because it
hides end-to-end IP addresses.
• Applications that use physical addresses instead of a qualified domain name will not
reach destinations that are translated across the NAT router.
• Sometimes, this problem can be avoided by implementing static NAT mappings.
• Furthermore, many application protocols carry IP addresses in an application-level protocol. In such cases, an Application-Level Gateway (ALG) is needed to complete the translation. For example:
• Many Internet Control Message Protocol (ICMP) packets (for instance, "Destination Unreachable") carry embedded IP packets in the ICMP payload. These require both address translation and checksum regeneration.
• A File Transfer Protocol (FTP) ALG is needed to rewrite IP addresses
carried by FTP PORT and PASV control commands. In the IP header,
these addresses are fixed-length words. Unfortunately, in the FTP
protocol, these IP addresses are carried as human-readable, variable-
length strings; rewriting can change the length of the TCP segment. If the
segment is shortened, it can be padded. If the segment is lengthened, SEQ
and ACK numbers must be transformed for the duration of the
connection.
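The PORT rewrite and the SEQ/ACK adjustment just described, as an added Python model that is not part of the original slides: class and function names are mine, the inside global data port chosen by PAT is passed in as a callback, and the ACK mapping assumes the acknowledged range already covers the rewritten command.

```python
"""FTP ALG model: rewrite PORT commands and compensate TCP SEQ/ACK for the length change."""
import re
from typing import Callable, Dict, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port(addr: str, port: int) -> bytes:
    """Build 'PORT h1,h2,h3,h4,p1,p2\\r\\n' (port = p1*256 + p2)."""
    return f"PORT {addr.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def decode_port(cmd: bytes) -> Tuple[str, int]:
    """Parse a PORT command into (address, port); raises on anything else."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


class FtpAlg:
    """ALG state for one FTP control connection from an inside host."""

    def __init__(self, local_addr: str, global_addr: str,
                 alloc: Callable[[int], int]) -> None:
        self.local_addr = local_addr
        self.global_addr = global_addr
        self.alloc = alloc          # local data port -> inside global data port (from PAT)
        self.delta = 0              # bytes the rewritten stream is longer (+) or shorter (-)
        self.data_ports: Dict[int, int] = {}   # global data port -> local data port

    def outbound(self, seq: int, payload: bytes) -> Tuple[int, bytes]:
        """Client -> server segment. Returns (SEQ to send, payload to send).

        Segments after a rewrite are shifted by the accumulated delta; the
        rewritten segment itself keeps its own SEQ (bytes before it are unchanged).
        """
        new_seq = seq + self.delta
        if payload.startswith(b"PORT "):
            addr, port = decode_port(payload)
            if addr == self.local_addr:          # only translate our own inside address
                gport = self.alloc(port)
                self.data_ports[gport] = port
                new_payload = encode_port(self.global_addr, gport)
                self.delta += len(new_payload) - len(payload)  # variable-length strings
                return new_seq, new_payload
        return new_seq, payload

    def inbound_ack(self, ack: int) -> int:
        """Server -> client ACKs count rewritten bytes; map back to the client's numbering."""
        return ack - self.delta
```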

• Protocols like H.323 use multiple TCP connections or UDP streams to form "session bundles." H.323 presents challenges, including ephemeral ports and embedded, ASN.1-encoded IP addresses in application payload.
• Simple Network Management Protocol (SNMP) packets also
carry IP addresses that identify trap source and object
instance. Perhaps more important, dynamic NAT makes it
impossible to uniquely identify hosts by IP address; public
addresses are transient and shared. Remote management of
private hosts can thus be impeded by NAT.

• Obviously DNS, responsible for domain name/IP address mapping, is impacted by NAT. A robust DNS ALG is defined by RFC 2694.
• NAT-sensitive protocols such as Kerberos,
X-Windows, remote shell, Session Initiation
Protocol (SIP), and others are further
described in the Internet Draft "Protocol
Complications with the IP Network Address
Translation".
• Another Internet Draft, "NAT Friendly
Application Design Guidelines ", explains
how new application protocols can integrate
smoothly with NAT.
• But there are still cases where ALGs simply
cannot "fix" packets modified by NAT.
• The IPSec Authentication Header (AH) is another example. AH runs the entire IP packet, including invariant header fields such as source and destination IP address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet.
• If any field in the original IP packet is modified,
authentication will fail and the recipient will discard the
packet. AH is intended to prevent unauthorized
modification, source spoofing, and man-in-the-middle
attacks. But NAT, by definition, modifies IP packets.
Therefore, AH + NAT simply cannot work.
• The IPSec Encapsulating Security Payload (ESP) also employs a message digest algorithm for packet authentication. But, unlike AH, the hash created by ESP does not include the packet header fields. This solves one problem, but leaves others.
• IPSec supports two "modes."
• Transport mode provides end-to-end security between hosts, while tunnel mode protects encapsulated IP packets between security gateways--for example, between two firewalls or between a roaming host and a remote access server.
(Figure: IPsec tunnel mode versus transport mode.)
• Because NAT modifies the TCP packet, NAT must
also recalculate the checksum used to verify integrity.
If NAT updates the TCP checksum, ESP
authentication will fail. If NAT does not update the
checksum (for example, payload encrypted), TCP
verification will fail.
• If the transport endpoint is under your control, you might be able to turn off checksum verification. In other words, ESP can pass through NAT in tunnel mode, or in transport mode with TCP checksums disabled or ignored by the receiver.
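An added Python illustration (not from the slides) of the AH and checksum points above: the TCP checksum covers a pseudo-header containing the source address, so NAT must regenerate it; an AH-style keyed hash over the addresses fails after NAT; and an ESP-style hash over only the TCP segment fails in transport mode once the checksum is rewritten but survives in tunnel mode, where NAT touches only the outer header. HMAC-SHA256 stands in for the IPsec ICV; the key and packet are constructed.

```python
"""Constructed IPv4/TCP segment: NAT checksum fix-up versus AH and ESP integrity checks."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict

TCP_PROTO = 6
CSUM_OFF = 16  # offset of the checksum field in the 20-byte TCP header


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header with both IP addresses, so NAT invalidates it."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return ones_complement_sum(pseudo + segment)


def set_checksum(src: str, dst: str, seg: bytes) -> bytes:
    """Return `seg` with the checksum field recomputed for the given addresses."""
    zeroed = seg[:CSUM_OFF] + b"\x00\x00" + seg[CSUM_OFF + 2:]
    csum = struct.pack("!H", tcp_checksum(src, dst, zeroed))
    return zeroed[:CSUM_OFF] + csum + zeroed[CSUM_OFF + 2:]


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal TCP header (PSH/ACK, data offset 5) with a correct checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return set_checksum(src, dst, hdr + payload)


def tcp_valid(src: str, dst: str, seg: bytes) -> bool:
    """Receiver check: summing pseudo-header + segment (checksum included) must give 0."""
    return tcp_checksum(src, dst, seg) == 0


def ah_icv(key: bytes, src: str, dst: str, seg: bytes) -> bytes:
    """AH-style: keyed hash over the invariant IP fields (addresses) and the whole payload."""
    covered = IPv4Address(src).packed + IPv4Address(dst).packed + seg
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(key: bytes, seg: bytes) -> bytes:
    """ESP-style: keyed hash over the protected data only, outer IP header excluded."""
    return hmac.new(key, seg, hashlib.sha256).digest()


def nat_rewrite_source(new_src: str, dst: str, seg: bytes) -> bytes:
    """What a NAT router does: swap the source address and regenerate the TCP checksum."""
    return set_checksum(new_src, dst, seg)


def demo(key: bytes = b"constructed-example-key") -> Dict[str, bool]:
    inside, glob, outside = "10.0.0.3", "179.9.8.80", "128.23.2.2"  # addresses from the slides
    seg = build_segment(inside, outside, 1331, 80, b"GET / HTTP/1.0\r\n\r\n")
    ah, esp = ah_icv(key, inside, outside, seg), esp_icv(key, seg)
    translated = nat_rewrite_source(glob, outside, seg)
    return {
        "tcp_valid_before": tcp_valid(inside, outside, seg),
        "stale_checksum_fails": tcp_valid(glob, outside, seg),        # address changed, checksum not
        "tcp_valid_after_nat": tcp_valid(glob, outside, translated),  # NAT regenerated it
        "ah_ok_after_nat": hmac.compare_digest(ah, ah_icv(key, glob, outside, translated)),
        "esp_transport_ok_after_nat": hmac.compare_digest(esp, esp_icv(key, translated)),
        "esp_tunnel_ok_after_nat": hmac.compare_digest(esp, esp_icv(key, seg)),  # inner packet untouched
    }
```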
Cisco IOS NAT will translate the addresses that appear in DNS
responses to name lookups (A queries) and inverse lookups
(PTR queries). Therefore, if an outside host sends a name
lookup to a DNS server on the inside, and that server responds
with a local address, the NAT code will translate that local
address to a global address. The opposite is also true. This is
how Cisco supports IP addresses overlapping: an inside host
queries an outside DNS server and the response contains an
address that matches the access list specified on the outside
source command, so the code translates the outside global
address to an outside local address.
Time-to-live (TTL) values on all DNS resource records, which
receive address translations in resource records payloads, are
automatically set to zero.
Note: Cisco IOS NAT does not translate IP addresses embedded
in DNS zone transfers.
Conclusion

Although NAT can be combined with IPSec and other NAT-sensitive protocols in certain scenarios, NAT tampers with end-to-end message integrity.

Despite its origin as a short-term solution, NAT is unlikely to disappear in the very near future. Until it does, understanding the relationship between NAT and IPSec and alternatives for safe combined deployment will remain an important aspect of VPN design.
Originally introduced in Cisco IOS Software Release 11.2, NAT was only available in the "Plus" images.
With the introduction of Cisco IOS Software Release 11.3, Port Address Translation (PAT) became available in all IP images, while full NAT (1-1 and PAT) was still available only in "Plus" images.
With Cisco IOS Software Release 12.0, all IP images provide full NAT capability.
How many concurrent NAT sessions are supported in Cisco IOS NAT?
The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 312 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) would consume about 3 MB. Therefore, typical routing hardware has more than enough memory to support thousands of NAT translations.

Degradation of performance due to NAT should be negligible.


Can Cisco IOS NAT be applied to subinterfaces?
Yes. Source and/or destination NAT translations can be applied to any interface or subinterfaces having an IP address (including dialer interfaces).

Can Cisco IOS NAT be used with Hot Standby Router Protocol (HSRP) to provide redundant links to an ISP?
No. In this scenario, the standby router would not have the translation table of the active router. When the cutover occurs, connections will time out and fail.

Can a single NAT-enabled router allow some users to use NAT and other users on the same Ethernet interface to continue with their own IP addresses?
Yes. This can be accomplished through the use of an access list that describes the set of hosts or networks that require NAT.
All sessions on the same host will either be translated or will pass through the router and not be translated.
Access lists, extended access lists, and route maps can be used to define "rules" by which IP devices get translated. The network address and appropriate subnet mask should always be specified.
Network Address Translation - Protocol Translation (NAT-PT)
is an IPv6-IPv4 translation mechanism, as defined in RFC 2765
and RFC 2766, allowing IPv6-only devices to communicate
with IPv4-only devices and vice versa.

NAT-PT for Cisco IOS software was designed using RFC 2766
and RFC 2765 as a migration tool to help customers transition
their IPv4 networks to IPv6 networks. Using a protocol
translator between IPv6 and IPv4 allows direct communication
between hosts speaking a different network protocol.
Static NAT-PT Operation
Static NAT-PT uses static translation rules to map one IPv6 address
to one IPv4 address. IPv6 network nodes communicate with IPv4
network nodes using an IPv6 mapping of the IPv4 address
configured on the NAT-PT router.
The NAT-PT device is configured to map the source IPv6 address
for node A of 2001:0db8:bbbb:1::1 to the IPv4 address
192.168.99.2.
NAT-PT is also configured to map the source address of IPv4 node
C, 192.168.30.1 to 2001:0db8::a. When packets with a source IPv6
address of node A are received at the NAT-PT router they are
translated to have a destination address to match node C in the IPv4-
only network.
NAT-PT can also be configured to match a source IPv4 address and translate the packet to an IPv6 destination address to allow an IPv4-only host to communicate with an IPv6-only host.
If you have multiple IPv6-only or IPv4-only hosts that need to
communicate, you may need to configure many static NAT-PT
mappings. Static NAT-PT is useful when applications or
servers require access to a stable IPv4 address.

Accessing an external IPv4 DNS server is an example where static NAT-PT can be used.
interface Ethernet3/1
ipv6 address 2001:0db8:3002::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2
ipv6 nat v6v4 source 2001:0db8:bbbb:1::1 10.21.8.10
Port Address Translation (PAT) or Overload
Port Address Translation (PAT), also known as Overload, allows a single IPv4 address to be used among multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address.
The Port Address Translation can be accomplished through a specific interface or through a pool of addresses.
The next figure shows multiple IPv6 addresses from the IPv6 network linked to a single IPv4 interface into the IPv4 network.
