Wednesday, July 23, 2008

Network Address Translation (NAT)

Introduction

Network Address Translation, defined by RFC 1631, is becoming very popular in today's networks as it's supported by almost every operating system, firewall appliance and application. NAT was born thanks to the fast depletion of public IP Addresses, in other words real IP Addresses that can only exist on the Internet.

As IP Addresses are 32 bits long, in theory we could have up to 4,294,967,296 IP Addresses (that's 2^32)! In practice though the number is a lot smaller, somewhere around 3.2 billion, because of the way the IP Addresses are separated into Classes (Class A, B, C, etc.) and the need to set aside special addresses for multicasting (also known as Class D), broadcasting and other functions.

You might have heard or read about IPv6. This new addressing scheme has been designed to make sure we don't face the same problem as IPv4, but its implementation requires the modification of the entire Internet infrastructure, so don't expect to deal with IPv6 anytime soon. Chances are it's going to co-exist with IPv4, since IPv6 isn't the best solution for small to medium sized companies or small private networks.

This exciting section will show, and explain in detail, what NAT is, its different modes and how they work. We will also see how NAT helps protect your network and minimise network security threats.

Oh, and keep in mind...

You should also be up to scratch on your IP Addressing and Subnetting topics. The following sections introduce new concepts which will require you to have a basic understanding of IP Addressing and Subnetting. Please check the relevant sections if you think you need to brush up on these before proceeding!

There's more to NAT than meets the eye !

When NAT was released, it was created to provide solutions to almost every type of network configuration. This is achieved by the various modes in which NAT can function. Depending on your network structure, your available real (public) IP Addresses and the results you need, you can enable NAT in 3 different modes! Now don't assume it's hard to understand this cool stuff, cause I'm telling you it's definitely not! Once you get the hang of the NAT Concept, the rest is easy to digest, even late at night :)

So What's Covered ?

As with most cool networking topics, it's impossible to cover NAT on one page and if you happen to find another site that covers NAT in one page, I assure you you're missing out on a lot of important information, so stick to http://new2networking.blogspot.com/:)

With all this in mind, I've split NAT into 6 sections. Each section deals with a particular NAT mode or NAT topic, giving you an in-depth look at how each NAT mode works using a few examples, and its advantages over the other available NAT modes. The information provided has been carefully selected and written to make sure it covers all ranges of user levels, meaning from intermediate to advanced.

Section 1: NAT Concepts. A good introduction to NAT followed by its basic functions, how it works and which devices in a network usually implement NAT. Simple, clear and colourful diagrams will ensure you grasp this concept without any trouble.

Section 2: NAT Table. This section will introduce the NAT Table, which is the heart of NAT. Here you will learn the purpose of the NAT table, where it's stored along with a lot of other interesting information.

Section 3: Static NAT Mode. Learn what Static NAT is and how it functions. Two pages of detailed diagrams, well-thought-out examples and their analysis, along with other rich information, ensure you will learn everything there is to know about Static NAT.

Section 4: Dynamic NAT Mode. Learn what Dynamic NAT is and how it functions. Simple diagrams are available to help you understand how Dynamic NAT works and what its advantages are over Static NAT. Dynamic NAT is analysed over two pages using examples and step-by-step analysis, capturing all the required information and answering every question you might have.

Section 5: NAT Overload Mode. Also known as IP Masquerading (in the Linux world), Port Address Translation (PAT) or Dynamic NAT with PAT. Discover the most common NAT mode for small networks. This NAT mode is used by most Internet sharing software. This section will help you understand how NAT Overload works and what its benefits are over the rest. Again, simple diagrams have been designed to make sure you grasp all this cool stuff :)

Section 6: Advanced NAT (Coming Soon). This page deals with more advanced NAT concepts and analysis. It contains more detailed and technical information about NAT, and thus requires a slightly more advanced level of networking and TCP/IP knowledge. It also outlines security concerns and using NAT through VPNs and other complex network configurations.

The type of NAT mode you choose to use depends on your network resources, the capabilities of your NAT-enabled device and, lastly, your needs. Together we will discover the power of NAT and understand why it's become so popular.

NAT is truly a masterpiece and one of my favourites! I've been eager to develop this section to show you how cool it is! So grab a cuppa and maybe something to munch on and get ready for an awesome ride! There's nothing better than knowing how your Firewall/router manipulates all them cool packets so you can 'safely' access the Internet!

Network Address Translation (NAT) Concepts

Introduction

Before we dive into the deep waters of NAT, we need to make sure we understand exactly what NAT does. So let me give you the background of NAT, why it's here today and how it works. Even though there are different modes of NAT they are all basically extensions to the original concept.

NAT has become so popular that almost all small routers, firewall software and operating systems support at least one NAT mode. This shows how important it is to understand NAT.

The NAT Concept

NOTE: NAT is not only used for networks that connect to the Internet. You can use NAT even between private networks as we will see in the pages to follow, but because most networks use it for their Internet connection, we are focusing on that.

The NAT concept is simple: it allows a single device to act as an Internet gateway for internal LAN clients by translating the clients' internal network IP Addresses into the IP Address on the NAT-enabled gateway device.

In other words, NAT runs on the device that's connected to the Internet and hides the rest of your network from the public, thus making your whole network appear as one device (or computer, if you like) to the rest of the world.

NAT is transparent to your network, meaning all internal network devices are not required to be reconfigured in order to access the Internet. All that's required is to let your network devices know that the NAT device is the default gateway to the Internet.

NAT adds a layer of security since it hides your internal addresses from the Internet (it does not replace a firewall, as we'll see later). All communications from your private network are handled by the NAT device, which will ensure all the appropriate translations are performed and provide a seamless connection between your devices and the Internet.

The diagram below illustrates this:

As you can see, we have a simple network of 4 hosts (computers) and one router that connects this network to the Internet. All hosts in our network have a private Class C IP Address, including the router's private interface (192.168.0.1), while the public interface that's connected to the Internet has a real IP Address (203.31.220.134).

If you're having trouble understanding, the following diagram shows how the Internet would see the above setup:

As you can see, the idea behind NAT is really simple. Remember that we have mentioned there are 3 different NAT modes to suit all types of network configurations. If required you can use NAT to allow the Internet to see specific machines on your internal network !

Such configurations will allow the Internet to access an internal webserver or ftp server you might have, without directly compromising your network security. Of course special actions need to be taken to ensure that your visitors are restricted to the resources you want and that's where the firewall comes into the picture. We'll discover how all this is possible in the next pages, so be patient and keep reading !

How NAT works

There are 3 different ways in which NAT works. However, the principle is the same for all 3 modes. To help understand it we need a good, simple example and the first one at the beginning of this page will do the job just fine.

The trick to understanding how NAT works is to realise that only the device (router, firewall or pc) that connects directly to the Internet performs NAT. For our example this device happens to be a router, but it could even be a simple PC; it makes no difference for us.

As you already know, all requests the workstations generate are sent to the Internet via the router. The router will then perform NAT on these packets and send them to their destination. As each packet arrives on the router's private interface, the router will remove the source IP Address from the layer 3 (network layer) header, e.g. 192.168.0.10, and put its own public IP address (203.31.220.134) in its place before sending it to the Internet.

This is how the packet then seems to have originated from the router itself. In some cases, depending on the NAT mode, the source and destination port numbers (layer 4) will be changed as well, but we'll examine that on the pages that follow. For now, we'll just look at the simple IP translation within the router.

The illustration below shows how the router modifies the packets:

In this illustration, a workstation from our network has generated a packet with a destination IP Address 135.250.24.10. Logically, this packet is first sent to the gateway, which performs NAT on this packet and then sends it to the Internet to finally make its way to the destined host.

Looking more closely at the gateway (router) during the initial NAT operation, the original packet's Source IP is changed from 192.168.0.12 to that of the router's public interface, which is 203.31.220.134. The router then stores this information in a special area of its memory (also called the NAT Table, explained next), so that when the expected reply arrives it will know which workstation within its network it needs to forward it to.

The next page will show you the heart of NAT, the NAT Table, and briefly explain the function of each NAT mode.


The Network Address Translation Table

Introduction

After that simple and informative introduction to the NAT concept, it's time to find out more about how it works and this is where the NAT table comes in.

The NAT Table

The NAT table is the heart of the whole NAT operation, which takes place within the router (or any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from the internal (private) network to the external (public-Internet) network, and vice versa, is tracked and a special table is created to help the router determine what to do with all incoming packets on all of its interfaces; in our example there are two. This table, known as the NAT table, is populated gradually as connections are created across the router and once these connections are closed the entries are deleted, making room for new entries.

The NAT table works differently depending on the NAT mode. This is explained in greater detail on each NAT mode's page. For now, we just need to get the feeling for this table to facilitate understanding of each NAT mode.

The larger the NAT table (which means the more memory it occupies), the more bi-directional connections it can track. This means that a NAT-enabled device with a big NAT table is able to serve more clients on the internal network than other similar devices with smaller NAT tables.

The illustration below shows you a typical table of a NAT-enabled device while internal clients are trying to access resources on the Internet:

Let's explain what's happening here: The above illustration shows two requests from the private LAN, hosts 192.168.0.5 and 192.168.0.21, arriving at the NAT-enabled device's (router in this example) private interface. These packets are temporarily stored in a special area in the router's memory until small changes are made to them. In this example the router will take each packet's Source IP (which is the PC the packets have come from) value and replace it with its own Public IP (203.31.220.134).

The packets are then sent out through the Public interface to their destinations, in this case 120.0.0.2 and 124.0.0.1. In addition, before the packets leave the router, an entry is made for each packet into the router's NAT table. These entries enable the router to behave appropriately when the reply for each outgoing packet hits its Public interface.

The above example covers only one specific NAT scenario. Depending on your NAT mode, the router would have dealt with the packets in a different way. This is analysed later in each NAT mode's page but, for now, you simply need to understand what the NAT table is and the purpose it serves.

So what happens when replies come back from the Internet ?

Well, strictly speaking, exactly the opposite from when they are received from the internal network and sent to the Internet:

When the reply comes back, the router will consult the NAT table, locate the correct entries and perform another change to the incoming (from the Internet) packets by changing the "destination IP" value from 203.31.220.134 to 192.168.0.5 for the first packet, and to 192.168.0.21 for the second. The new packets are then sent to their destinations, which are hosts 192.168.0.5 and 192.168.0.21, and the router can then delete their NAT table entries.
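To make the round trip above concrete (and the "How NAT works" description before it), here is a small model of the NAT table as an added example; it is not code from the original page or from any router vendor. It uses the page's addresses (router public IP 203.31.220.134, internal hosts 192.168.0.5 and 192.168.0.21, Internet hosts 120.0.0.2 and 124.0.0.1); the source ports and the stray 198.51.100.9 address are constructed. The one assumption beyond the page is how entries are keyed: since both internal hosts leave the router carrying the same public IP and ports are left untouched in this mode, the model keys each entry on the remote host, remote port and the internal host's source port so that replies can be told apart.

```python
from dataclasses import dataclass, replace

# Constructed values taken from the page's NAT table illustration.
PUBLIC_IP = "203.31.220.134"


@dataclass(frozen=True)
class Packet:
    """Only the layer 3/4 fields that NAT looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Model of the NAT table held in the router's memory."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # One entry per tracked connection. Key = (remote ip, remote port,
        # internal source port); value = the real private source IP.
        # Assumption: with ports unchanged, this is what tells replies for
        # different internal hosts apart once they share one public IP.
        self.entries = {}

    def outbound(self, pkt):
        """Packet arriving on the private interface, heading for the Internet."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        self.entries[key] = pkt.src_ip               # remember who really sent it
        return replace(pkt, src_ip=self.public_ip)    # only the source IP changes

    def inbound(self, pkt):
        """Packet arriving on the public interface. Returns None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None                               # not addressed to the router
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        private_ip = self.entries.pop(key, None)      # page: entry deleted once used
        if private_ip is None:
            return None                               # no entry: unsolicited, dropped
        return replace(pkt, dst_ip=private_ip)        # only the destination IP changes


def walk_through():
    """Replays the two requests from the illustration and their replies."""
    nat = NatTable(PUBLIC_IP)
    req1 = Packet("192.168.0.5", 1025, "120.0.0.2", 80)    # source ports constructed
    req2 = Packet("192.168.0.21", 1026, "124.0.0.1", 80)
    out1, out2 = nat.outbound(req1), nat.outbound(req2)
    entries_after_requests = len(nat.entries)

    # Replies from the Internet are addressed to the router's public IP.
    in1 = nat.inbound(Packet("120.0.0.2", 80, PUBLIC_IP, 1025))
    in2 = nat.inbound(Packet("124.0.0.1", 80, PUBLIC_IP, 1026))
    # A packet nobody inside asked for (constructed source) finds no entry.
    stray = nat.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, 4444))

    return {
        "out1": out1, "out2": out2,
        "entries_after_requests": entries_after_requests,
        "in1": in1, "in2": in2, "stray": stray,
        "entries_at_end": len(nat.entries),
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

Two things the walk-through makes visible that the prose only implies: an inbound packet with no matching entry is simply dropped, which is the "hiding" effect described earlier, and if two internal hosts happened to pick the same source port towards the same remote host the keys would collide, which is exactly why the modes that change port numbers exist (covered on the NAT Overload page).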

With most NAT devices, the NAT session limit is bound by the available memory in the device. Each NAT translation consumes about 160 bytes in the device's memory. As a result, 10,000 translations (a lot more than would normally be handled by a small router) will consume about 1.6 MB of memory. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations but in practice the story (as always) is different.

Typically on smaller Cisco routers, e.g. the 700, 800 and 1600 series, that have an IOS with NAT capabilities, the number of NAT sessions they are able to track is around 2000 without much trouble, but this also depends on the NAT mode being used. Pump that up to something like 3000 to 4000 sessions and you start having major problems as the NAT table gets too big for the router's CPU to manage. As you see, it's not only a memory issue :) This is when you start to see big delays in ping replies and eventually an exponential increase in packet loss.

I've actually seen Cisco routers having some problems while handling NAT translations (NAT Overload mode in particular). I also confirmed this with Mike Sweeney - a good friend of mine and webmaster of www.packetattack.com, so keep in mind that the Cisco IOS seems sometimes to behave a bit weird with NAT. Personally I don't like performing NAT on routers that connect directly to the Internet, but sometimes your options are limited.

To give you the right idea, having a huge NAT table on a small router is like having a Windows machine and opening 20 CPU and memory intensive applications at once.... Your PC tries to open all programs together but, because the CPU is processing so much information, they take hours to finally start and even then the PC is so slow you can't do any work. I'm sure everyone has experienced something similar !

The larger router models and dedicated gateway/firewall appliances are able to track a lot more connections simultaneously (8000 to 25000), which makes them ideal for large corporations that need such capacity.

Static Network Address Translation (Part 1)

Introduction

Static NAT (also called inbound mapping) is the first mode we're going to talk about and also happens to be the least common among smaller networks.

Static NAT was mainly created to allow hosts on your private network to be directly accessible via the Internet using real public IPs; we'll see in great detail how this works and is maintained. Static NAT is also considered a bit dangerous because a misconfiguration of your firewall or other NAT-enabled device can result in the full exposure of the machine on your private network to which the public IP Address maps; we'll see the security risks later on this page.

What exactly does Static NAT do ?

As mentioned in the introduction, Static NAT allows the mapping of public IP Addresses to hosts inside the internal network. In simple English, this means you can have a computer on your private network that exists on the Internet with its own real IP.

The diagram below has been designed to help you understand exactly how Static NAT works:

In this diagram you can see that we have our private network connected to the Internet via our router, which has been configured for Static NAT mode. In this mode each private host has a single public IP Address mapped to it, e.g. private host 192.168.0.1 has the public IP Address 203.31.218.208 mapped to it. Therefore any packets generated by 192.168.0.1 that need to be routed to the Internet will have their source IP field replaced with IP Address 203.31.218.208.

All IP translations take place within the router's memory and the whole process is totally transparent to both internal and external hosts. When hosts from the Internet try to contact the internal hosts, their packets will either be dropped or forwarded to the internal hosts depending on the router's and firewall's configuration.

But where would Static NAT be used?

Everyone's needs are different and with this in mind Static NAT could be the solution for many companies that require a host on their internal network to be visible and accessible from the Internet.

Let's take a close look at a few examples of places where Static NAT could be used.

Implementation of Static NAT - Example 1

We have a development server (192.168.0.20) that needs to be secure, but also allow certain customers to gain access to various services it offers for development purposes. At the same time, we need to give the customers access to a special database located on our main file server (192.168.0.10):

In this case, Static NAT, with a set of complex filters to make sure only authorised IP Addresses get through, would do the job just fine.

However, if you wanted a similar setup for the purpose of exposing only one service, e.g. http, then you're better off using a different NAT mode simply because it offers better security and is more restrictive.

Let me remind you that Static NAT requires one public IP Address for each mapping to a private IP Address. This means that you're not able to map a public IP Address to more than one private IP Address.

Implementation of Static NAT - Example 2

Another good example of using Static NAT is in a DMZ zone. The principle of having a DMZ zone is when you require certain machines e.g webservers, email servers, to be directly accessible to the Internet but at the same time, should these machines be compromised, all data can be restored without much trouble and they won't expose the internal private network to the Internet.

The diagram above might seem very complex, but it's actually extremely simple. Breaking it down will help you see how simple it is. If we focus on Firewall No.1 we see that it's connected to 3 networks: the first is the Internet (203.31.218.X), the second is the DMZ (192.168.100.X) and the third is the small private network between our two Firewalls (192.168.200.X).

Firewall No.1 is configured to use Static NAT for 3 different hosts - that's two from the DMZ zone and one for Firewall No.2. Each interface of the Firewall must be part of a different network in order to route traffic between them. This explains why we have so many different IP Addresses in the diagram, resulting in the complex appearance.

With this setup in mind, the Static NAT table of Firewall No.1 would look like this:

Firewall No.1 Static NAT Table

External Public IP Address    Mapped to Internal Private IP Address
203.31.218.2                  Firewall No.1 Public Interface
203.31.218.3                  192.168.100.2 - Public WebServer in DMZ
203.31.218.4                  192.168.100.3 - Public MailServer in DMZ
203.31.218.5                  192.168.200.2 - Firewall No.2 of Private Net.

As you can see, this table is a good summary of what is happening in the diagram above. Each external IP Address is mapped to an internal private IP Address and if we want to restrict access to particular hosts then we can simply put an access policy (packet filters) on Firewall No.1. This type of firewall setup is actually one of my favourites :)

Static Network Address Translation (Part 2)

Introduction

The previous page helped us understand what exactly happens with Static NAT and how it works, and we saw a few examples of how to use it in various network configurations.

This page will deal with the transformations the packets undertake as they pass through the Static NAT device, which is normally a router or firewall appliance.

So let's get started ! Now would be a good time to fill that cup of yours and reload yourself with your special edible supplies :)

How NAT translations take place

So what exactly happens to a packet that enters or exits the Static NAT-enabled device? Well, it's not that complicated once you get the hang of it. The concept is simple and we're going to see it and analyse it using an example, which is really the best possible approach.

The process of the Static NAT translation is the same for every device that supports it (assuming the manufacturer has followed the RFCs). This means that whether we use a router or a firewall appliance to perform Static NAT they'll both follow the same guidelines.

Consider our example network:

As the diagram describes, we have Workstation No.1, which sends a request to the Internet. Its gateway is the router that connects the LAN to the Internet and also performs Static NAT.

The diagram below shows us how the Workstation's packet is altered as it transits the router before it's sent to the Internet (outgoing packet):

As you can see, the only thing that changes is the Source IP, which was 192.168.0.3 and was given the value of 203.31.220.135, which is a real IP Address on the Internet. The Destination IP Address, Source Port and Destination Port are not modified.

Assuming the packet arrives at its destination, we would most likely expect to see a reply. It would be logical to assume that the reply, or incoming packet, will require some sort of modification in order to successfully arrive at the originating host located on our private network (that's Workstation 1).

Here is how the incoming packet is altered as it transits the router:

The diagram above shows the part of the incoming packet that is altered by the router. Only the destination IP Address is changed, from 203.31.220.135 to 192.168.0.3 so the packet can then be routed to the internal workstation. Source IP Address, Source Port and Destination Port remain the same.

And in case you're wondering why the ports have changed in comparison to the original outgoing packet, this is not because of NAT but because of the way IP communications work, which is well outside the scope of this topic.
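The outgoing and incoming transformations just described, together with the fixed mapping table from Part 1, as an added example that is not code from the original page or from any firewall product. It combines the Part 2 mapping (Workstation No.1, 192.168.0.3, to 203.31.220.135, talking to 135.250.24.10) with the DMZ web server mapping from the Firewall No.1 table (203.31.218.3 to 192.168.100.2). Ports are never touched, which is what distinguishes Static NAT from the other modes. The inbound access policy (which ports the Internet may reach on each mapped host) and the 198.51.100.7 Internet host are hypothetical additions, included because the page stresses that a mapping without packet filters exposes the whole host; the model treats a mapped host with no policy entry as accepting only replies to connections it started.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the layer 3/4 fields that NAT looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# One public IP per private host, fixed in configuration (from the page's examples).
STATIC_MAP = {
    "203.31.220.135": "192.168.0.3",    # Workstation No.1 (Part 2 example)
    "203.31.218.3": "192.168.100.2",    # public web server in the DMZ (Part 1 table)
}

# Hypothetical inbound filter: services the Internet may reach on each mapped host.
# A mapped host absent from this dict accepts nothing unsolicited (default deny).
ALLOWED_INBOUND = {
    "192.168.100.2": {80, 443},
}


class StaticNat:
    """One-to-one NAT plus a minimal stateful inbound filter."""

    def __init__(self, public_to_private, inbound_policy):
        self.pub2priv = dict(public_to_private)
        self.priv2pub = {priv: pub for pub, priv in public_to_private.items()}
        self.policy = inbound_policy
        # Connections started from inside, so their replies can be let back in.
        self.established = set()   # (private ip, local port, remote ip, remote port)

    def outbound(self, pkt):
        """Private -> Internet: swap the source IP for the mapped public IP."""
        public = self.priv2pub.get(pkt.src_ip)
        if public is None:
            return None   # no static mapping for this host (assumption: not handled here)
        self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=public)            # ports and destination untouched

    def inbound(self, pkt):
        """Internet -> private: swap the destination IP back, if the filter allows."""
        private = self.pub2priv.get(pkt.dst_ip)
        if private is None:
            return None                                # unmapped public IP: dropped
        is_reply = (private, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.established
        if not is_reply and pkt.dst_port not in self.policy.get(private, set()):
            return None                                # mapped, but service not permitted
        return replace(pkt, dst_ip=private)            # ports and source untouched


def walk_through():
    """Outgoing request, its reply, and three unsolicited inbound packets."""
    nat = StaticNat(STATIC_MAP, ALLOWED_INBOUND)
    ws_out = nat.outbound(Packet("192.168.0.3", 1030, "135.250.24.10", 80))  # port constructed
    ws_reply = nat.inbound(Packet("135.250.24.10", 80, "203.31.220.135", 1030))
    # Constructed Internet host 198.51.100.7 tries several things:
    web_allowed = nat.inbound(Packet("198.51.100.7", 40000, "203.31.218.3", 80))
    web_blocked = nat.inbound(Packet("198.51.100.7", 40001, "203.31.218.3", 22))
    ws_unsolicited = nat.inbound(Packet("198.51.100.7", 40002, "203.31.220.135", 22))
    unmapped = nat.inbound(Packet("198.51.100.7", 40003, "203.31.218.9", 80))
    return {
        "ws_out": ws_out, "ws_reply": ws_reply,
        "web_allowed": web_allowed, "web_blocked": web_blocked,
        "ws_unsolicited": ws_unsolicited, "unmapped": unmapped,
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

Compare `outbound` and `inbound` with the two diagrams: the outgoing packet has only its Source IP rewritten, the incoming packet only its Destination IP, and the port fields pass through unchanged. The `established` set and the policy dict are where "the firewall comes into the picture": remove them and every port on 192.168.0.3 and 192.168.100.2 becomes reachable from the Internet through the mapping, which is the misconfiguration risk the introduction to Static NAT warns about.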

Now, because I understand that even a simple diagram can be very confusing, here's one more that summarises all the above. The diagram below shows you what the outgoing and incoming packets looked like before and after transiting the router:

So there you have it, Static NAT should now make sense to you :)

As you've seen, the concept is very simple and it varies slightly depending on the NAT mode you're working with. So NAT is not that difficult to understand after all ! If there are still a few things that are unclear to you, please try reading the page again and keep in mind the forum to which you can post your questions and doubts !

Next up is Dynamic NAT! So sit tight and let's rock and roll.... :)