Every intelligent MSP technician has an understanding of the three-letter acronyms that enable networks to function and allow traffic to flow. Network address translation, commonly referred to as “NAT”, is one of them. Without network address translation, traffic would never make it past the routing device. Here is a quick breakdown of what NAT is and why we need it, followed by an overview of NAT tools and the security issues that go along with it.
Network Address Translation Definition

Network address translation is the remapping of IP addresses, whether a single address or a whole subnet, by routing devices. As IP addresses are remapped, or translated, they are effectively hidden behind another IP address. This translation happens at layer three, the network layer, of the OSI model. The most common example of this is on a home or business network. Opening a command prompt and using the ‘ipconfig’ command returns the local IP address of the device, often something in the privately designated 192.168.1.0/24 subnet. From the same device, visiting a site such as Google and using the “What is my IP address” search query returns a public IP address; generally, this is the address assigned to the public side of the gateway router.

Types of Network Address Translation

There are three different types of NAT: static, dynamic, and port address translation. Here is a breakdown of each of them.
How NAT Helps Average Users

The most basic concept needed to understand the power of network address translation is this: there is a finite number of IPv4 addresses available for use - 4,294,967,296, to be specific. If every PC on the internet were assigned an individual, public-facing IP address, we would run out pretty quickly.
Thanks to network address translation, we don’t need to worry about this. Rather than each internet-facing device having a public IP address, NAT allows a gateway routing device to be assigned one public-facing IP address which “represents” all of the devices behind it.

How NAT Helps Network Administrators

Network administrators can use network address translation to direct traffic. Networks that host servers that need to be publicly available, such as web and FTP servers, can make these easily accessible to the outside world, thanks to NAT. This can be done either simply, via one-to-one static NAT, or with security in mind, via port address translation. With port address translation, traffic direction can be set up on non-standard ports. This adds a new layer of security, making it harder for bad actors to find the servers that are being made accessible via NAT. While network security generally should be approached at multiple levels, this is a great way to deflect intrusion attempts at the front end of the network.
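The three NAT types from the sections above, modelled in Python as an added example (not code from the original article): static one-to-one NAT, PAT behind a single public address, and a port forward that publishes an inside web server on a non-standard outside port. The addresses, ports and the sequential port allocation are assumptions; the model also shows the return-path check that makes PAT drop unsolicited inbound packets, which is the behaviour the article credits with deflecting intrusion attempts.

```python
# Added example (not from the original article): a minimal model of the three
# NAT types the article lists: static one-to-one NAT, PAT (overload) behind a
# single public address, and a port-forward that publishes an inside server on
# a non-standard outside port. Addresses are constructed (RFC 5737 ranges).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]                 # (src_ip, src_port, dst_ip, dst_port)

PUBLIC_IP = "203.0.113.10"                       # assumed public address of the gateway
STATIC = {"192.168.1.50": "203.0.113.50"}        # static NAT: inside -> outside, ports unchanged
FORWARD = {(PUBLIC_IP, 8443): ("192.168.1.20", 443)}  # outside ip:port -> inside web server

@dataclass
class Gateway:
    next_port: int = 1024
    pat_out: Dict[Flow, int] = field(default_factory=dict)   # inside flow -> public port
    pat_in: Dict[int, Flow] = field(default_factory=dict)    # public port -> inside flow

    def outbound(self, flow: Flow) -> Flow:
        """Translate a packet leaving the inside network."""
        src_ip, src_port, dst_ip, dst_port = flow
        if src_ip in STATIC:                       # static NAT: swap the address only
            return (STATIC[src_ip], src_port, dst_ip, dst_port)
        if flow not in self.pat_out:               # PAT: allocate a unique public port
            self.pat_out[flow] = self.next_port
            self.pat_in[self.next_port] = flow
            self.next_port += 1
        return (PUBLIC_IP, self.pat_out[flow], dst_ip, dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a packet arriving from the outside; None means drop."""
        src_ip, src_port, dst_ip, dst_port = flow
        if (dst_ip, dst_port) in FORWARD:          # published server (port obscured, not protected)
            in_ip, in_port = FORWARD[(dst_ip, dst_port)]
            return (src_ip, src_port, in_ip, in_port)
        for inside, outside in STATIC.items():     # static NAT host is reachable on every port
            if dst_ip == outside:
                return (src_ip, src_port, inside, dst_port)
        entry = self.pat_in.get(dst_port) if dst_ip == PUBLIC_IP else None
        if entry and entry[2:] == (src_ip, src_port):   # only the peer we contacted may reply
            return (src_ip, src_port, entry[0], entry[1])
        return None                                # no translation: unsolicited, dropped
```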
NAT Tools

The most popular way to administer network address translation is through network routing devices. The simplest way to break this down is with three different class levels.
Security Considerations

As with any other networking protocol, every managed service provider technician should have security in mind when implementing and administering network address translation. Here is a breakdown of things to consider:

Man-in-the-Middle Attacks

The name is fairly self-explanatory: an intruder accesses the configuration and redirects traffic or retranslates addresses, all with the intent of disruption or some other evil aim. Man-in-the-middle attacks are best prevented by following standard security measures. Administrative access to every network address translation device should be protected with a strong password that is changed often, and exposed only to selected source addresses and over non-standard ports.

Out of Date Configurations

MSPs should have a quality assurance team available to make sure that all routing policies, including network address translation, are kept up to date and accurate. Furthermore, whenever changes are made to a NAT server, the technician involved should review the change to be sure that it does not render other rules out of date.

Conclusion

Network address translation, when used appropriately, is a valuable resource to managed service providers. It can be used to direct traffic as needed and helps to conserve IP addresses in the public space. While there are different types of network address translation based on need, there are tools to use and security considerations to be made for each case. Now that we’ve made network address translation easier to understand, this is a great time to do a little research to see how it can be better used to help your managed service provider and its clients today.
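One way to perform the review the Out of Date Configurations section calls for, as an added example that is not from the article or from Cisco: an offline audit of IOS-style static NAT lines, in the syntax quoted in the FAQ question about the "% similar static entry" warning plus the IOS tcp/udp port-static form, which flags duplicate translations, one public address and port published to two different inside hosts, and rules whose inside address no longer belongs to the assumed inside subnet. The inside subnet and the sample rules are constructed.

```python
# Added example (not from the article or Cisco): an offline consistency check
# over IOS-style static NAT lines, the kind of review the article asks for
# after every NAT change. Accepts the form quoted in the FAQ,
#   ip nat inside source static <local> <global> [vrf NAME]
# and the IOS port-static form
#   ip nat inside source static tcp|udp <local> <lport> <global> <gport>
# The inside subnet is an assumption; the sample rules are constructed.
import ipaddress
import re
from typing import List

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed current inside subnet

STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<lport>\d+)\s+(?P<global>\S+)\s+(?P<gport>\d+)"
    r"|\s+(?P<local1>\S+)\s+(?P<global1>\S+))"
    r"(?:\s+vrf\s+(?P<vrf>\S+))?\s*$")

def audit_static_nat(lines: List[str]) -> List[str]:
    """Return one finding per problem; an empty list means the rules are consistent."""
    findings, seen_pair, seen_global = [], {}, {}
    for n, line in enumerate(lines, 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue                                     # not a static NAT line
        g = m.groupdict()
        local, glob = g["local"] or g["local1"], g["global"] or g["global1"]
        # VRF is not part of the key: the FAQ shows IOS warning when the same
        # pair is re-entered under "vrf RED"
        pair = (local, glob, g["proto"], g["lport"], g["gport"])
        gkey = (glob, g["proto"], g["gport"])
        # 1. the same translation entered twice: IOS rejects the second with
        #    "% similar static entry ... already exists"
        if pair in seen_pair:
            findings.append(f"line {n}: duplicate of line {seen_pair[pair]} ({local} -> {glob})")
        seen_pair.setdefault(pair, n)
        # 2. one public address/port published to two different inside hosts
        if gkey in seen_global and seen_global[gkey][0] != local:
            findings.append(f"line {n}: {glob} port {g['gport']} already maps to "
                            f"{seen_global[gkey][0]} (line {seen_global[gkey][1]})")
        seen_global.setdefault(gkey, (local, n))
        # 3. stale rule: inside address is no longer in the current inside subnet
        if ipaddress.ip_address(local) not in INSIDE_NET:
            findings.append(f"line {n}: inside address {local} is not in {INSIDE_NET}")
    return findings
```

Run it over the running-config text after each change; any non-empty result is a rule that should be removed or corrected before the change is signed off.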
Introduction

This document provides answers to frequently asked questions about Network Address Translation (NAT).

Generic NAT

Q. What is NAT?
Q. How does NAT work?
Q. How do I configure NAT?
Q. What are the main differences between the Cisco IOS® Software and Cisco PIX Security Appliance implementations of NAT?
Q. On which Cisco routing hardware is Cisco IOS NAT available? How can the hardware be ordered?
Q. Does NAT occur before or after routing?
Q. Can NAT be deployed in a public wireless LAN environment?
Q. Does NAT do TCP load-balancing for Servers on the internal network?
Q. Can I rate limit the number of NAT translations?
Q. How is routing learned or propagated for IP subnets or addresses that are used by NAT?
Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?
Q. What kind of routing performance can be expected when using Cisco IOS NAT?
Q. Can Cisco IOS NAT be applied to subinterfaces?
Q. Can Cisco IOS NAT be used with Hot Standby Router Protocol (HSRP) to provide redundant links to an ISP?
Q. Does Cisco IOS NAT support inbound translations on a Frame Relay interface? Does it support outbound translations on the Ethernet side?
Q. Can a single NAT-enabled router allow some users to use NAT and other users on the same Ethernet interface to continue to use their own IP addresses?
Q. When configuring for PAT (overloading), what is the maximum number of translations that can be created per inside global IP address?
Q. How does PAT work?
Q. What are NAT IP pools?
Q. What is the maximum number of configurable NAT IP pools (ip nat pool "name")?
Q. What is the advantage of using route-map vs ACL on a NAT pool?
Q. What is IP address "overlapping" within the context of NAT?
Q. What are static NAT translations?
Q. What is meant by the term NAT overloading; is this PAT?
Q. What are dynamic NAT translations?
Q. What is ALG?
Q. Is it possible to build a configuration with both static and dynamic NAT translations?
Q. When a traceroute is done through a NAT router, should traceroute show the NAT-Global address or should it leak the NAT-Local address?
Q. How does PAT allocate port?
Q. What is the difference between IP fragmentation and TCP segmentation?
Q. Does NAT support out-of-order for IP fragmentation and TCP segmentation?
Q. How do I debug IP fragmentation and TCP segmentation?
Q. Is there a supported NAT MIB?
Q. What is TCP timeout, and how does it relate to the NAT TCP timer?
Q. Can I change the amount of time it takes for a NAT translation to time out from the NAT translation table?
Q. How do I stop Lightweight Directory Access Protocol (LDAP) from attaching extra bytes to each LDAP reply packet?
Q. What is the route recommendation for the inside global/outside local IP address on the NAT box?
Q. Does Cisco IOS NAT support ACLs with a "log" keyword?
Voice-NAT

Q. Does NAT support Skinny Client Control Protocol (SCCP) v17 which is shipped with Cisco Unified Communications Manager (CUCM) V7?
Q. Which CUCM/SCCP/firmware load versions are supported by NAT?
Q. What is Service Provider PAT Port Allocation Enhancement for RTP and RTCP?
Q. What is Session Initiation Protocol (SIP) and can SIP packets be NATted?
Q. What is Hosted NAT Traversal support for Session Border Controller (SBC)?
Q. How many SIP, Skinny, and H323 calls can a router's memory and CPU handle with NAT?
Q. Does a NAT router support TCP segmentation of Skinny and H323 packets?
Q. Are there any caveats to watch out for when using a NAT overload configuration in a voice deployment?
Q. Are there any known problems caused by issuing the clear ip nat trans * command or the clear ip nat trans forced command in a voice deployment?
Q. Does NAT support voice co-located solution?
Q. Does NVI support Skinny ALG, H323 ALG, and TCP SIP ALG?
NAT with VRF/MPLS

Q. Will a NAT router ever support NATting the same address space in a VRF as is being NATted in the global address space? Currently, I receive this warning: "% similar static entry (1.1.1.1 ---> 22.2.2.2) already exists" when I attempt to configure the following:

72UUT(config)#ip nat inside source static 1.1.1.1 22.2.2.2
72UUT(config)#ip nat inside source static 1.1.1.1 22.2.2.2 vrf RED
Q. Does legacy NAT support VRF-Lite (NATting from a VRF to a different VRF)?
NAT NVI

Q. What is NAT NVI?
Q. Should NAT NVI be used when NATting between an interface in global and an interface in a VRF?
Q. Is TCP segmentation for NAT-NVI supported?
Q. Does NVI support Skinny ALG, H323 ALG, and TCP SIP ALG?
Q. Is TCP segmentation supported with SNAT?

SNAT

Q. What is Stateful NAT (SNAT)?
Q. Is TCP segmentation supported with SNAT?
Q. Does SNAT support asymmetric routing?

NAT-PT (v6 to v4)

Q. What is NAT-PT?
Q. Is NAT-PT supported in the Cisco Express Forwarding (CEF) path?
Q. What ALGs are supported in NAT-PT?
Q. Does ASR 1004 support NAT-PT?
Platform-Dependent Cisco 7300/7600/6k

Q. Is Stateful NAT (SNAT) available on Catalyst 6500 on the SX train?
Q. Is VRF-aware NAT supported in hardware on the 6k?
Q. Do the 7600 and Cat6000 support VRF-aware NAT?
Platform-Dependent Cisco 850

Q. Does the Cisco 850 support Skinny NAT ALG in release 12.4T?

NAT Deployment

Q. How do I implement NAT?
Q. How do I implement NAT with voice?
Q. How do I integrate NAT with MPLS VPNs?
Q. Does NAT static mapping support HSRP for high availability?
Q. How do I implement NAT NVI?
Q. How do I implement load balancing with NAT?
Q. How do I implement NAT in conjunction with IPSec?
Q. How do I implement NAT-PT?
Q. How do I implement multicast NAT?
Q. How do I implement stateful NAT (SNAT)?
NAT Best Practices

Q. Are there any NAT best practices?