<html lang="en">

<head>

<meta charset="utf-8">

<title>Advanced Networking - Module 2 Chapter 11 - Network Address Translation for IPv4</title>

<meta name="description" content="Abilitante alle certificazioni Cisco CCENT e CCNA">

<meta name="author" content="Hacklab Cosenza">

<meta name="apple-mobile-web-app-capable" content="yes">

<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

<link rel="stylesheet" href="css/reveal.css">

<link rel="stylesheet" href="css/theme/black.css" id="theme">

<!-- Code syntax highlighting -->

<link rel="stylesheet" href="lib/css/zenburn.css">

<!-- Printing and PDF exports -->

<script>

var link = document.createElement( 'link' );

var link = document.createElement( 'link' );

link.rel = 'stylesheet';

link.type = 'text/css';

link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';

document.getElementsByTagName( 'head' )[0].appendChild( link );

</script>

<!--[if lt IE 9]>

</head>

<body>

<div class="reveal">

<!-- Any section element inside of this container is displayed as a slide -->

<div class="slides">

<section>

<h1>Advanced Networking</h1>

<h2>Routing &amp; Switching:<h2>

<h2>Routing &amp; Switching Essentials</h2>

<h3>Chapter 11: Network Address Translation for IPv4</h3>

<p>

<small><a href="http://hlcs.it">Hacklab Cosenza</a> / Centro di Ricerca su Tecnologia e Innovazione</small>

</p>

</section>

<section>

<h2>[R] IPv4 Private Address Space</h2>

<p>In <a href="https://tools.ietf.org/html/rfc1918">RFC 1918</a>, several subnets from the whole IPv4 address space has been <strong>reserved for private use</strong>. They are the:</p>

<ul>

<li>10/8 address space (10.0.0.0 - 10.255.255.255).</li>

<li>172.16/12 address space (172.16.0.0 - 172.31.255.255).</li>

<li>192.168/16 address space (192.168.0.0 - 192.168.255.255).</li>

</ul>

<p><em>Reserved for private use</em> implies that these addresses:</p>

<ul>

<li>are reserved for use in local network(s) within sites belonging to an entity or organization.</li>

<li>don't have to be assigned from an authority and thus...</li>

<li>... they don't have to be globally unique. This is possible because...</li>

<li>... these addresses <strong>are not routable on the Internet</strong>.</li>

</ul>

</section>

<section>

<h2>IPv4 Address Depletion</h2>

<!-- Maybe "map ip address to another" is better? -->

<p><strong>The entire IPv4 address space consists of 4.3 billion addresses</strong>. It seemed more than enough, but the incredible growth of the Internet proved this assumption wrong.</p>

<p>Without a solution, all the IPv4 addresses would have been exhausted way before year 2000.</p>

<p><strong>IPv6 solves this</strong> problem, but only in the long term.</p>

<p>RFC 1918 allows to conserve a huge amount of public Internet addresses, but it has to be <strong>coupled with a mechanism to provide these private networks with access to the public Internet</strong>.</p>

<p>This mechanism is the <strong><em>Network Address Translation</em></strong> (<strong>NAT</strong>).</p>

</section>

<section>

<h2>What is NAT and Why We use It</h2>

<p><strong><em>Network Address Translation</em></strong> is a technique used in a routing device that <strong>rewrites the source and/or destination IP address of a packet</strong> before forwarding it.</p>

<p>Its <strong>main use</strong> is to allow private networks to access the Internet, by replacing their RFC 1918 addresses with public IPv4 addresses. We are using NAT <u>right now</u>.</p>

<p>To do this, it will use a set of one or more public IPv4 addresses (the <em>NAT pool</em>) that are configured on the NAT-enabled router.</p>

<p>These public IPv4 addresses are assigned by the ISP, or directly assigned to an organization by an Internet Registry.</p>

</section>

<section>

<section>

<h2>NAT: Basic Operations</h2>

<img src="http://i.imgur.com/dn8PygJ.gif">

<p>NAT builds <strong><em>mappings</em> between one address and another</strong> and use them to translate incoming and outgoing traffic.</p>

<p>It is therefore a two-way process.</p>

<p>These mappings are stored to/consulted from a <strong>NAT table</strong>.</p>

</section>

<section>

<h2>NAT: Basic Operations</h2>

<img src="http://i.imgur.com/MwCKvH8.gif">

<ul>

<li>The figure shows an <strong>example translation</strong> for outgoing traffic.</li>

<li>The process is reversed for the reply.</li>

<li>In this simple example, the NAT pool is a single address.</li>

</ul>

</section>

<section>

<h2>NAT: Basic Operations</h2>

<img src="http://i.imgur.com/xTLlucx.gif">

<ul>

<li>Because of the NAT process, an outside network (like the Internet) sees the <strong>all the hosts on the <em>masqueraded</em> network as they are a single one</strong>, source/destination of all traffic.</li>

<li><strong>NAT hides the details of the internal network</strong> from the outside perspective.</li>

</ul>

</section>

</section>

<section>

<section>

<h2>NAT Terms</h2>

<img src="http://i.imgur.com/IH0GRtg.png">

<ul>

<li><strong>Inside/Outside</strong> - These attributes for an address involved in the NAT process refer to its <em>location</em>. They are the answer to the question "<em>On which side of the NAT-enabled router this address logically exist</em>?".</li>

<li><strong>Local/Global</strong> - These attributes for an address involved in the NAT process refer to the <em>perspective</em> being used. They are the answer to the question "<em>Who is observing this address</em>?"</li>

</ul>

</section>

<section>

<h2>NAT Terms</h2>

<ul>

<li><strong><em>Inside local</em></strong>: address of inside host as seen from inside.</li>

<li><strong><em>Inside global</em></strong>: address of inside host as seen from outside.</li>

<li><strong><em>Outside local</em></strong>: address of outside host as seen from inside.</li>

<li><strong><em>Outside global</em></strong>: address of outside host as seen from outside.</li>

</ul>

<p>The definitions <strong>only depends on the NAT operations</strong>, and are therefore valid for both outgoing and incoming traffic.</p>

<p>Almost always (and in every case we'll see), <strong>outside local and outside global addresses coincide</strong>.</p>

<p>Generally, local addresses are in the private IPv4 space and global addresses are in the public IPv4 space. However, <strong>NAT is a mechanism that can work for any pair of addresses</strong>.</p>

</section>

<section>

<h2>NAT Terms</h2>

<img src="http://i.imgur.com/MwCKvH8.gif">

<ul>

<li><strong>Inside local</strong> - 192.168.0.12</li>

<li><strong>Inside global</strong> - 203.31.220.134</li>

<li><strong>Outside local</strong> - 135.250.24.10</li>

<li><strong>Outside global</strong> - 135.250.24.10</li>

</ul>

</section>

</section>

<section>

<h2>NAT Types</h2>

<p>There are several types of NAT based on how the <strong>mappings between local and global addresses</strong> in the NAT table are produced. </p>

<ul>

<li><strong>Static NAT</strong> - One-to-one mapping.</li>

<li><strong>Dynamic NAT</strong> - Many-to-many mapping.</li>

<li><strong>NAT Overloading</strong> - Many-to-one mapping. It is also known as <em>Port Address Translation (PAT)</em>.</li>

</ul>

</section>

<section>

<section>

<h2>Static NAT</h2>

<img src="http://i.imgur.com/LG9bpHl.gif" style="width: 509px; height: 231px;">

<ul>

<li>In Static NAT, <strong>each local address is statically mapped by the administrator to a single global address</strong>.</li>

<li>This means that the number of public addresses must <strong>at least match</strong> the number of inside hosts to be NATted. </li>

<li>These mappings remain fixed as configured by the admin.</li>

<li>Ideal when <strong>inside hosts need to be accessible from the Internet</strong> using reliable public addressing.</li>

</ul>

</section>

<section>

<h2>Static NAT - Operations</h2>

<img src="http://i.imgur.com/S5o1cl8.gif">

</section>

<section>

<h2>Static NAT - Configuration</h2>

<ol>

<li>Specify a static mapping between a local and a global address.</li>

<pre><code class="no-highlight">R1(config)# ip nat inside source static {local_ip global_ip}</code></pre>

<li>Mark the <em>inside interface</em> of the NAT.</li>

<pre><code class="no-highlight">R1(config)# interface [id]

R1(config-if)# ip nat inside

R1(config-if)# exit</code></pre>

<li>Mark the <em>outside</em> interface of the NAT.</li>

<pre><code class="no-highlight">R1(config)# interface [id]

R1(config-if)# ip nat outside

R1(config-if)# exit</code></pre>

<li>Repeat for each address to be statically mapped.</li>

</ol>

</section>

<section>

<h2>Static NAT - Verification</h2>

<p>To show <strong>currently active translations</strong> (static one are always reported in the NAT table):</p>

<pre><code class="no-highlight">R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 203.31.218.208 192.168.0.1 160.97.54.39 160.97.54.39

--- 203.31.218.209 192.168.0.2 ---- -----

--- 203.31.218.210 192.168.0.3 149.3.176.11 149.3.176.11</code></pre>

<p>To verify that the NAT is working, we can check how many translation have occured:</p>

<pre><code class="no-highlight">R1# clear ip nat statistics

R1# show ip nat statistics

Total active translations: 3 (3 statics, 0 dynamic; 0 extended)

Peak translations: 2, occured 00:01:37 ago

Outside interfaces:

Serial 0/0/0

Inside interfaces:

Serial 0/1/0

Hits: 6 Misses: 0</code></pre>

</section>

</section>

<section>

<section>

<h2>Dynamic NAT</h2>

<img src="http://i.imgur.com/DN169eS.gif" style="width: 453px; height: 246px;">

<ul>

<li>Dynamic NAT works similarly to Static NAT, except that <strong>the admin doesn't configure the mapping explicitely</strong>.</li>

<li>Instead, the global addresses available (must be enough to match inside hosts) are <strong>added into a <em>NAT pool</em></strong>.</li>

<li>Available one-to-one mappings are assigned on a <em>first come, first served</em> basis, resulting in many-to-many mappings.</li>

</ul>

</section>

<section>

<h2>Dynamic NAT - Configuration</h2>

<ol>

<li>Create the NAT pool that will be used for translation:</li>

</ol>

<pre><code class="no-highlight">R1(config)# ip nat pool {name start_ip end_ip} [netmask mask | prefix-length prefix]</code></pre>

<ol start="2">

<li>Allow inside hosts to be translated in a specific ACL:</li>

</ol>

<pre><code class="no-highlight">R1(config)# access-list {acl_num} permit {src_ip} [src_wildcard]</code></pre>

<ol start="3">

<li>Bind the ACL to the pool </li>

</ol>

<pre><code class="no-highlight">R1(config)# ip nat inside source list {acl_num} pool {name}</code></pre>

<ol start="4">

<li>Mark <em>inside</em> and <em>outside</em> interfaces:</li>

</ol>

<pre><code class="no-highlight">R1(config)# interface [id]

R1(config-if)# ip nat inside

R1(config-if)# exit

R1(config)# interface [id]

R1(config-if)# ip nat outside</code></pre>

</section>

<section>

<h2>Dynamic NAT - Verification</h2>

<ul>

<li>To show active static translations and dyamic ones created when allowed host wants to reach outside networks:</li>

</ul>

<pre><code class="no-highlight">R1# show ip nat translations

R1# show ip nat translations verbose</code></pre>

<ul>

<li>By default, dynamic translations expire after 24h. To edit this timeout:</li>

</ul>

<pre><code class="no-highlight">R1(config)# ip nat translation timeout [seconds]</code></pre>

<ul>

<li>To erase dynamic translations in the NAT table (<strong>static translations can't be deleted)</strong>:</li>

</ul>

<pre><code class="no-highlight">R1(config)# clear ip nat translation *

R1(config)# clear ip nat translation inside {glo_ip loc_ip} [outside loc_ip glo_ip]</code></pre>

</section>

</section>

<section>

<section>

<h2>PAT - Port Address Translation</h2>

<img src="http://i.imgur.com/W6THnd6.gif">

<ul>

<li>PAT (<em>NAT Overloading</em>) doesn't use static mappings or NAT pools, because multiple inside hosts are <strong>translated with a single global address</strong>.</li>

<li>By far <strong>the most common form of NAT</strong> (home routers).</li>

</ul>

</section>

<section>

<h2>PAT - Overloading with Source Ports</h2>

<ul>

<li>Using a single address, it would be <strong>impossible to distinguish</strong> NAT translations.</li>

<li>PAT solves this ambiguity by <strong>using the TCP/UDP source ports to identify specific translations</strong>. </li>

<li>The NAT table will keep track of the source port used by the inside hosts.</li>

<li>When a reply comes with <strong>that port as destination port on the single inside global address</strong>, the router will use it to match the traffic to the right translation.</li>

<li>PAT also checks that replies belong to <em>established</em> connections.</li>

</ul>

</section>

<section>

<h2>PAT - Available Ports</h2>

<ul>

<li>PAT <strong>tries no to alter the source port number</strong> during translation and merely keeps track of it in the NAT table.</li>

<li>If there's an host with an already active translation using the same port, <strong>PAT must change it to the next available port</strong>.</li>

<li>This <em><strong>connection tracking</strong></em> based on private/public source ports pair only works for TCP and UDP. For other protocols, <strong>PAT must rely on a protocol-specific identifier</strong>.</li>

<ul>

<li>For instance, ICMPv4 Echo Requests and Replies include a <em>Query ID</em> that can be used to uniquely <em>overload</em> multiple hosts to a single inside global address.</li>

</ul>

</ul>

</section>

<section>

<h2>PAT - Configuration</h2>

<ol>

<li>Allow inside hosts to be translated in a specific ACL:</li>

<pre><code class="no-highlight">R1(config)# access-list {acl_num} permit {src_ip} [src_wildcard]</code></pre>

<li>Bind the ACL to the pool </li>

<pre><code class="no-highlight">R1(config)# ip nat inside source list {acl_num} interface {id} overload</code></pre>

<li>Mark <em>inside</em> and <em>outside</em> interfaces.</li>

</ol>

<p><strong>PAT can also be used to translate using more than one address</strong>: the needed variation are the creation of the pool and the enabling of NAT overloading on the pool:</p>

<pre><code class="no-highlight">R1(config)# ip nat pool {name start_ip end_ip} [netmask mask | prefix-length prefix]

R1(config)# ip nat inside source list {acl_num} pool {name} overload</code></pre>

<p>For PAT, translation table also shows the port numbers involved.</p>

</section>

</section>

<section>

<section>

<h2>NAT Advantages</h2>

<ul>

<li>The obvious: it can <strong>conserve many addresses</strong>.</li>

<li>Increases flexibility and performance in connections to outside networks, enabling <em>load balancing</em> using multiple pools.</li>

<li>With NAT, a change in the public IPv4 address scheme is much simpler because <strong>readdressing</strong> is an operation <strong>performed on fewer hosts</strong> and on address pools: the bulk of the network keeps its private IPv4 addresses.</li>

<li>Thanks to the NAT, the network can <strong>hide addressing and topology details</strong> and it's a first stage of access control. Keep in mind that NAT are not a replacement for firewalls and proper security.</li>

</ul>

</section>

<section>

<h2>NAT Disadvantages</h2>

<ul>

<li>Hosts on the <strong>outside network cannot initiate connection</strong> with hosts behind a NAT.</li>

<li>NAT is a very <strong>resourceful process</strong> because every packet to/from the outside network needs to be analyzed and rewritten.</li>

<li>If a protocol requires <strong>end-to-end addressing</strong>, or relies on IPv4 addresses (like IPsec does for security), it <strong>won't work behind a NAT</strong>.</li>

</ul>

</section>

</section>

<section>

<section>

<h2>Port Forwarding</h2>

<img src="http://i.imgur.com/gHHOxrc.jpg">

</section>

<section>

<h2>Port Forwarding</h2>

<p>Because NAT hides internal addresses, <strong>P2P only works from the inside out</strong> where NAT can map outgoing requests against incoming replies.</p>

<p>The problem is that NAT does not allow requests initiated from the outside. Is is possible to mitigate this problem through <strong>manual intervention</strong> with <em>port forwarding</em>.</p>

<p>Port forwarding is the act of forwarding <strong>a network port from one network node to another</strong>, allowing an external user to reach a port on a private IPv4 address (inside a LAN) from the outside, through a NAT-enabled router.</p>

</section>

<section>

<h2>Port Forwarding: Configuration</h2>

<p>Port Forwarding is very similar to static NAT, only with the a TCP or UDP port number added as a parameter.</p>

<pre><code class="no-highlight">R1(config)# ip nat inside source static {tcp | udp local_ip local_port global_ip global_port} </code></pre>

<p>As usual, <em>inside</em> and <em>outside</em> interfaces need to be marked as such.</p>

<p>Basically <strong>every home router</strong> includes a section about port forwarding.</p>

</section>

</section>

<section>

<h2>IPv6 and NAT</h2>

<p>IPv6 has an unconceivable number of addresses available, so address exhaustion is not an issue. NAT, as conceived for IPv4, <strong>is not needed in IPv6</strong>.</p>

<p>In fact, IPv6 was the long term solution that NAT wasn't, and so is designed not to need NAT.</p>

<p>Nevertheless, <strong>IPv6 has both NAT and private address space</strong>, but they are <strong>implemented for entirely different reasons</strong> and in an entirely different way.</p>

<p>NAT for IPv6 (for which there are several mechanism) is used as a <strong>temporary mechanism to aid migration from IPv4</strong>.</p>

</section>

<section>

<h2>IPv6 Unique Local Addresses</h2>

<img src="http://i.imgur.com/PR2topB.png">

<p>IPv6 ULA (RFC 4193), also known as <em>local IPv6 addresses</em> are the closest thing there is to RFC 1918 in the IPv6 protocol.</p>

<p>ULAs have a prefix of FC00::/7 (so a first hextet range from FC00 to FDFF).</p>

<ul>

<li>Meant to be used for privately interconnected site, in order to <strong>maintain addressing independence</strong> from a central authority.</li>

<li><strong>Not routable across the Internet</strong>.</li>

</ul>

</section>

<section>

<h1>End of Lesson</h1>

</section>

</div>

</div>

<script src="lib/js/head.min.js"></script>

<script src="js/reveal.js"></script>

<script>

// More info https://github.com/hakimel/reveal.js#configuration

Reveal.initialize({

controls: true,

progress: true,

history: true,

center: true,

transition: 'slide', // none/fade/slide/convex/concave/zoom

// More info https://github.com/hakimel/reveal.js#dependencies

dependencies: [

{ src: 'lib/js/classList.js', condition: function() { return !document.body.classList; } },

{ src: 'plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },

{ src: 'plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },

{ src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },

{ src: 'plugin/zoom-js/zoom.js', async: true },

{ src: 'plugin/notes/notes.js', async: true }

]

});

</script>

</body>