Title: NAT
1. NAT
- Network Address Translation
2. Private versus legal addressing
- RFC 1918 specifies the private address space; "legal" on these slides means a public address that is routable on the internet
- Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
3. Private addressing
- Private addresses can be used freely inside any organisation; no registration is needed
- They cannot be used on, or routed over, the internet, so a packet with a private source or destination must not leave the border untranslated; this is what NAT is for
4. Types of address translation
- Static Source NAT
- Static Destination NAT
- Hide NAT
5. Static source NAT
- The source IP address of the IP packets is translated
- 1 private internal source IP address is mapped to 1 external legal source IP address (one-to-one)
- No TCP/UDP ports are used: the ports stay as they are, so no per-connection port state is needed
- Diagram (private -> legal, outbound direction):
  IPs_pr1 / IPd -> IPs_le1 / IPd
  IPs_pr2 / IPd -> IPs_le2 / IPd
  IPs_pr3 / IPd -> IPs_le3 / IPd
6. Static destination NAT
- The destination IP address of the IP packets is translated
- 1 legal external destination IP address is mapped to 1 private internal destination IP address (one-to-one)
- No TCP/UDP ports are used
- Diagram (legal -> private, inbound direction):
  IPs / IPd_pr1 <- IPs / IPd_le1
  IPs / IPd_pr2 <- IPs / IPd_le2
  IPs / IPd_pr3 <- IPs / IPd_le3
7. Hide NAT
- The source IP addresses of the IP packets are translated
- A full range of source IP addresses is mapped to 1 external legal source IP address (many-to-one)
- TCP/UDP ports are used: the firewall also rewrites the source port, because the port is the only thing that tells replies to the single legal address apart and maps them back to the right internal host
- Diagram (private -> legal):
  IPs_pr1 / Sp_x -> IPs_le1 / Sp_x1
  IPs_pr2 / Sp_y -> IPs_le1 / Sp_x2
  IPs_pr3 / Sp_z -> IPs_le1 / Sp_x3
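The three translation types on slides 5 to 7, and the RFC 1918 check from slides 2 and 3, as an added worked example; this is not code from the slides or from Check Point, but a small Python model written for this page. It uses the addresses that appear later in the traces (10.1.1.101 <-> 172.21.101.100) and in the FTP table (192.168.0.150 hidden behind 195.207.89.244); the second hidden host 192.168.0.151 and the port range starting at 10000 are assumptions. Note that the "legal" lab addresses 172.21.101.100 and 172.29.109.1 are themselves inside 172.16.0.0/12, so the model only checks the source address of outbound packets against RFC 1918.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private address space (slide 2)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    """Toy model of the three translation types on the slides.

    static_src: {private -> legal}, one-to-one, ports untouched
    static_dst: {legal -> private}, one-to-one, ports untouched
    hide_addr:  one legal address shared by every other private host; the source
                port is rewritten so that replies can be demultiplexed
    """

    def __init__(self, static_src=None, static_dst=None, hide_addr=None, first_hide_port=10000):
        self.static_src = dict(static_src or {})
        self.static_dst = dict(static_dst or {})
        self.hide_addr = hide_addr
        self.next_hide_port = first_hide_port          # assumed port range start
        # (hide_addr, hide_port) -> (private_addr, private_port): the only state hide NAT needs
        self.hide_table = {}
        self.hide_rev = {}

    def outbound(self, p: Packet) -> Packet:
        """Private -> legal side: static source NAT, else hide NAT, else refuse to leak."""
        if p.src in self.static_src:
            return replace(p, src=self.static_src[p.src])      # no port state needed
        if self.hide_addr and is_private(p.src):
            legal = self.hide_rev.get((p.src, p.sport))
            if legal is None:                                   # new flow: allocate a port
                legal = (self.hide_addr, self.next_hide_port)
                self.next_hide_port += 1
                self.hide_table[legal] = (p.src, p.sport)
                self.hide_rev[(p.src, p.sport)] = legal
            return replace(p, src=legal[0], sport=legal[1])
        if is_private(p.src):
            raise ValueError(f"{p.src} is RFC 1918 and has no translation: must not reach the internet")
        return p

    def inbound(self, p: Packet) -> Packet:
        """Legal -> private side: static destination NAT, reverse static source NAT, reverse hide."""
        if p.dst in self.static_dst:
            return replace(p, dst=self.static_dst[p.dst])
        for priv, legal in self.static_src.items():
            if p.dst == legal:                                  # reply to a static-source-NATed host
                return replace(p, dst=priv)
        if (p.dst, p.dport) in self.hide_table:                 # reply to a host behind the hide address
            priv, pport = self.hide_table[(p.dst, p.dport)]
            return replace(p, dst=priv, dport=pport)
        return p


def demo():
    """Walk the addresses used on the slides through the gateway."""
    gw = NatGateway(static_src={"10.1.1.101": "172.21.101.100"},
                    static_dst={"172.21.101.100": "10.1.1.101"},
                    hide_addr="195.207.89.244")
    results = {}
    # static source NAT: only the address changes, source port 3138 survives
    results["static_out"] = gw.outbound(Packet("10.1.1.101", 3138, "172.29.109.1", 80))
    # static destination NAT: an inbound SYN to the legal address lands on the private host
    results["static_in"] = gw.inbound(Packet("172.29.109.1", 2981, "172.21.101.100", 80))
    # hide NAT: two hosts using the same source port are told apart only by the rewritten port
    results["hide_a"] = gw.outbound(Packet("192.168.0.150", 3665, "193.109.185.162", 21))
    results["hide_b"] = gw.outbound(Packet("192.168.0.151", 3665, "193.109.185.162", 21))
    b = results["hide_b"]
    results["hide_reply_b"] = gw.inbound(Packet("193.109.185.162", 21, b.src, b.sport))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The `hide_table` is exactly the port state that slide 7 says hide NAT needs and slides 5 and 6 say static NAT does not: drop it and the reply for `hide_b` can no longer be delivered, while the static mappings still work.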
8. Proxy ARP
- NATing behind a virtual IP address
- The virtual (translated) IP address is not bound to the firewall's TCP/IP stack, so the operating system itself would never answer ARP requests for it
- The firewall therefore answers ARP requests directed to the virtual IP address with the MAC address of its external interface (proxy ARP), so that the router on the external segment delivers the frames to the firewall
- [Diagram: the router sends an ARP request for the MAC address of the virtual IP address; the firewall replies with its external MAC address]
9. Proxy ARP
- How to activate proxy ARP in 4.1/NG
- Linux/Solaris
- arp -s virt_ip mac_ext_fw pub (the pub keyword publishes the entry, i.e. the host answers ARP for it)
- Nokia IPxxx
- Use Voyager to configure proxy ARP
- NT/W2K
- local.arp in the %FWDIR%\state directory (4.1)
- a.b.c.d<TAB>xx-xx-xx-xx-xx-xx<CR><LF>
- local.arp in the %FWDIR%\conf directory (NG)
- a.b.c.d<TAB>xxxxxxxxxxxx<CR><LF>
- cpstop; cpstart (the file is read at start-up)
- Automatic ARP configuration
- Only NG
- Only for automatic address translation rules
- Fwparp.exe
10. Operation in 4.1
- [Diagram: packet path through the FireWall-1 4.1 kernel. A packet enters on one interface (Eth0..Eth3), passes inbound inspection (IN), is routed (Forwarding), then passes outbound inspection (OUT) on the exit interface; the NAT stage sits on the outbound side]
- Hide NAT, static source NAT and static destination NAT are always performed on the outbound side, i.e. after the routing decision!
11. Operation in NG only
- [Diagram: the same packet path (IN on the entry interface, Forwarding, OUT on the exit interface, Eth0..Eth3), but NG has a NAT stage on both sides of the routing decision]
- Static destination NAT happens on the inbound side, before routing, if TRANSLATE DESTINATION ON CLIENT SIDE is enabled
- Static destination NAT happens on the outbound side, after routing, if TRANSLATE DESTINATION ON CLIENT SIDE is NOT enabled (4.1 mode)
- Hide NAT and static source NAT are always performed on the outbound side!
13. Impact of NAT changes
- In FW-1/VPN-1 4.1
- A host-specific route was needed for destination NAT: the packet was routed on its still-untranslated legal destination address (NAT came after the routing decision, slide 10), so a route had to point that legal address at the internal interface
- An anti-spoofing configuration change was needed on the internal interface to prevent outgoing spoofing errors: the outbound check on that interface saw the legal destination address, not the private one
- In FW-1/VPN-1 NG
- Due to TRANSLATE DESTINATION ON CLIENT SIDE no route is needed: the destination is translated on the inbound side, before the routing decision (slide 11)
- Destination NAT on the firewall's own external IP address has become possible, because the packet is translated before the firewall would deliver it to its own stack
- Outgoing spoofing control is no longer enforced
14. Static source NAT (fw monitor trace)
- Inspection points in the traces: i = inbound before inspection, I = inbound after inspection, o = outbound before inspection, O = outbound after inspection; DE5281 is the internal interface, El90x3 the external one
- Outbound packet: the source is rewritten 10.1.1.101 -> 172.21.101.100 at El90x3:O, on the outbound side of the external interface
DE5281:i[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
DE5281:I[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:o[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:O[40]: 172.21.101.100 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
- Reply: the destination is rewritten back 172.21.101.100 -> 10.1.1.101 at El90x3:I, on the inbound side, before routing
El90x3:i[1500]: 172.29.109.1 -> 172.21.101.100 (TCP) len=1500 id=9705
TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
El90x3:I[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705
TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
DE5281:o[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705
TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
DE5281:O[1500]: 172.29.109.1 -> 10.1.1.101 (TCP) len=1500 id=9705
TCP: 80 -> 3138 ....A. seq=5eff9beb ack=47147205
15. Static destination NAT (TRANSLATE DESTINATION ON CLIENT SIDE enabled)
- Inbound SYN: the destination is rewritten 172.21.101.100 -> 10.1.1.101 at El90x3:I, on the inbound side of the external interface, so the routing decision already sees the private address
El90x3:i[48]: 172.29.109.1 -> 172.21.101.100 (TCP) len=48 id=9722
TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
El90x3:I[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722
TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:o[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722
TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
DE5281:O[48]: 172.29.109.1 -> 10.1.1.101 (TCP) len=48 id=9722
TCP: 2981 -> 80 .S.... seq=641928e1 ack=00000000
- SYN/ACK reply: the source is rewritten back 10.1.1.101 -> 172.21.101.100 at El90x3:O
DE5281:i[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694
TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
DE5281:I[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694
TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:o[48]: 10.1.1.101 -> 172.29.109.1 (TCP) len=48 id=63694
TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
El90x3:O[48]: 172.21.101.100 -> 172.29.109.1 (TCP) len=48 id=63694
TCP: 80 -> 2981 .S..A. seq=4c33ba82 ack=641928e2
16. Static destination NAT (TRANSLATE DESTINATION ON CLIENT SIDE disabled)
- Inbound packet: the destination is still 172.21.101.100 at El90x3:I and through the routing decision; it is rewritten to 10.1.1.101 only at DE5281:O, on the outbound side of the internal interface (4.1 behaviour), which is why a host route for 172.21.101.100 towards the internal interface is needed in this mode
El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
- Reply: the source is rewritten 10.1.1.101 -> 172.21.101.100 at DE5281:I, on the inbound side of the internal interface
DE5281:i[257]: 10.1.1.101 -> 172.29.109.1 (TCP) len=257 id=65467
TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
DE5281:I[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467
TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:o[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467
TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
El90x3:O[257]: 172.21.101.100 -> 172.29.109.1 (TCP) len=257 id=65467
TCP: 80 -> 2985 ...PA. seq=4f47f94d ack=67144e82
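Reading the four inspection-point copies of a packet by eye, as slides 14 to 16 do, is error-prone on a real capture. The following added example (written for this page, not part of the slides and not a Check Point tool) parses fw monitor output in the format shown above, groups the copies of each packet by IP id, orders them i, I, o, O and reports every address or port that changes between two consecutive points together with the point at which it changed. The sample input is the outbound packet from slide 14 and the inbound packet from slide 16, re-typed from the slides; the output format assumed is the standard two-line fw monitor record (header line, then the TCP/UDP line).

```python
import re
from collections import defaultdict

# Re-typed from the slides' traces: the outbound packet of the static source NAT case and
# the inbound packet of the destination NAT case with client-side translation disabled.
SAMPLE = """
DE5281:i[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
DE5281:I[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:o[40]: 10.1.1.101 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:O[40]: 172.21.101.100 -> 172.29.109.1 (TCP) len=40 id=61986
TCP: 3138 -> 80 ....A. seq=47147205 ack=5eff9753
El90x3:i[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
El90x3:I[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:o[293]: 172.29.109.1 -> 172.21.101.100 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
DE5281:O[293]: 172.29.109.1 -> 10.1.1.101 (TCP) len=293 id=9764
TCP: 2985 -> 80 ...PA. seq=67144d85 ack=4f47f94d
"""

HDR = re.compile(r"^(?P<iface>[^:\s]+):(?P<pt>[iIoO])\[\d+\]:\s+(?P<src>\S+) -> (?P<dst>\S+) "
                 r"\((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)")
L4 = re.compile(r"^(?:TCP|UDP):\s+(?P<sport>\d+) -> (?P<dport>\d+)")
ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}   # the four inspection points, in traversal order


def parse(text):
    """One record per inspection-point copy of a packet; the L4 line is merged into it."""
    pkts, cur = [], None
    for line in text.strip().splitlines():
        m = HDR.match(line)
        if m:
            cur = m.groupdict() | {"sport": None, "dport": None}
            pkts.append(cur)
        elif (m := L4.match(line)) and cur:
            cur["sport"], cur["dport"] = int(m["sport"]), int(m["dport"])
    return pkts


def translations(pkts):
    """Group by IP id, order by i, I, o, O and report each field that changes between points.

    Returns (id, field, before, after, point) tuples; the point is where the NAT happened.
    Assumes the IP id is unique within the capture, as it is for the packets on the slides.
    """
    by_id = defaultdict(list)
    for p in pkts:
        by_id[p["id"]].append(p)
    found = []
    for pid, seq in by_id.items():
        seq.sort(key=lambda p: ORDER[p["pt"]])
        for a, b in zip(seq, seq[1:]):
            for field in ("src", "sport", "dst", "dport"):
                if a[field] != b[field]:
                    found.append((pid, field, a[field], b[field], f"{b['iface']}:{b['pt']}"))
    return found


if __name__ == "__main__":
    for pid, field, before, after, point in translations(parse(SAMPLE)):
        print(f"id {pid}: {field} {before} -> {after} at {point}")
```

On the sample this reports the source rewrite at El90x3:O for id 61986 and the destination rewrite at DE5281:O for id 9764; feeding it the slide 15 trace instead would move the latter to El90x3:I, which is the quickest way to confirm which mode a gateway is actually running in. A port change in the report (sport on the outbound copy) is the signature of hide NAT rather than static NAT.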
17. NATted FTP connection example
ip330[admin]# fw tab -u -t connections | grep
15 dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function c5f7637c 0
<00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006; 0001c001, 00806080, 00000008, 00000e10, 00000031, 3e5a79fb, 00000000, f559cfc3, 000007b6, 00000000, 00000000, 00000001, 00000001, 00000000, 22000000, 00000000, 00000000, ab4c6800, 08aee000, 00000000, c5d09000, 610f2000, 00000000, 00000000, 00000000; 3518/3600>
<00000000, c16db9a2, 00000015, c3cf59f4, 00003648, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000006)
<00000000, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000016)
<00000001, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000005)
<00000001, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000002)
ip330[admin]#
- Decoded: each key is <direction, source IP, source port, destination IP, destination port, protocol> in hex (c0a80096 = 192.168.0.150, 00000e51 = 3665, c16db9a2 = 193.109.185.162, 00000015 = 21, 00000006 = TCP); the link entries point back at the real connection entry
- 0 192.168.0.150 3665 193.109.185.162 21 6; 0001c001 00806080 Rule 8 TimeOut 3600 C11 49 C12 1046116859 C13 0 C14 4116303811 C15 1974 cl_int_in 0 cl_int_out 0 srv_int_in 1 srv_int_out 1
- 0 193.109.185.162 21 195.207.89.244 13896 6 -> 0 192.168.0.150 3665 193.109.185.162 21 6 (the hide NAT link: the FTP server sees the client as 195.207.89.244:13896, and replies to that address and port are mapped back to 192.168.0.150:3665)
- 0 193.109.185.162 21 192.168.0.150 3665 6 -> 0 192.168.0.150 3665 193.109.185.162 21 6
- 1 193.109.185.162 21 192.168.0.150 3665 6 -> 0 192.168.0.150 3665 193.109.185.162 21 6
- 1 192.168.0.150 3665 193.109.185.162 21 6 -> 0 192.168.0.150 3665 193.109.185.162 21 6
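The hand decoding above can be automated. The following added example (written for this page; it is not a Check Point utility and not from the slides) parses the raw `fw tab -u -t connections` records, turns each hex 6-tuple into (direction, src, sport, dst, dport, proto), labels the connection attributes in the order the slide's decoded dump uses, and derives the hide NAT address and port from the link entries. The sample is the slide's dump re-typed with one record per line; the attribute names `flags_a`, `flags_b` and the C11..C15 labels are taken over from the slide without claiming their meaning, and `rest` holds the attributes the slide leaves undecoded.

```python
import ipaddress
import re

# The slide's fw tab -u -t connections dump, re-typed from the page (one record per line).
SAMPLE = """
<00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006; 0001c001, 00806080, 00000008, 00000e10, 00000031, 3e5a79fb, 00000000, f559cfc3, 000007b6, 00000000, 00000000, 00000001, 00000001, 00000000, 22000000, 00000000, 00000000, ab4c6800, 08aee000, 00000000, c5d09000, 610f2000, 00000000, 00000000, 00000000; 3518/3600>
<00000000, c16db9a2, 00000015, c3cf59f4, 00003648, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000006)
<00000000, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000016)
<00000001, c16db9a2, 00000015, c0a80096, 00000e51, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000005)
<00000001, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> -> <00000000, c0a80096, 00000e51, c16db9a2, 00000015, 00000006> (00000002)
"""

# Either a link entry "<key> -> <target> (kind)" or a plain connection entry "<...>"
TOKEN = re.compile(r"<([^<>]*)>\s*->\s*<([^<>]*)>\s*\((\w+)\)|<([^<>]*)>")
# Attribute names in the order of the slide's decoded dump; rule and timeout are the
# operationally interesting ones, the rest are copied from the slide's labels.
ATTR_NAMES = ["flags_a", "flags_b", "rule", "timeout", "c11", "c12", "c13", "c14", "c15",
              "cl_int_in", "cl_int_out", "srv_int_in", "srv_int_out"]


def hexwords(s):
    return [w.strip() for w in s.split(",") if w.strip()]


def decode_key(words):
    """(direction, src, sport, dst, dport, proto) from the six hex words of a connection key."""
    d, src, sport, dst, dport, proto = (int(w, 16) for w in words[:6])
    return (d, str(ipaddress.IPv4Address(src)), sport, str(ipaddress.IPv4Address(dst)), dport, proto)


def parse_connections(text):
    """Return ('conn', key, attrs, (ttl, limit)) and ('link', key, target, kind) records."""
    records = []
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            records.append(("link", decode_key(hexwords(m.group(1))),
                            decode_key(hexwords(m.group(2))), int(m.group(3), 16)))
            continue
        parts = m.group(4).split(";")
        key = decode_key(hexwords(parts[0]))
        values = [int(w, 16) for w in hexwords(parts[1])] if len(parts) > 1 else []
        attrs = dict(zip(ATTR_NAMES, values))
        attrs["rest"] = values[len(ATTR_NAMES):]
        ttl = tuple(int(x) for x in parts[2].split("/")) if len(parts) > 2 else None
        records.append(("conn", key, attrs, ttl))
    return records


def hide_mappings(records):
    """A link whose key is the reply direction (server -> something other than the real client)
    and whose target is the client's entry reveals the hide NAT address:port the server sees."""
    out = {}
    for rec in records:
        if rec[0] != "link":
            continue
        _, k, t, _ = rec
        if k[1] == t[3] and k[2] == t[4] and (k[3], k[4]) != (t[1], t[2]):
            out[(t[1], t[2])] = (k[3], k[4])
    return out


if __name__ == "__main__":
    recs = parse_connections(SAMPLE)
    for rec in recs:
        print(rec[0], *rec[1:])
    print("hidden behind:", hide_mappings(recs))
```

The decoded attributes reproduce the slide's line (rule 8, timeout 3600, C12 = 1046116859, and the four interface counters), the ttl pair is 3518 of 3600 seconds, and `hide_mappings` reports that 192.168.0.150:3665 is hidden behind 195.207.89.244:13896, which is what the first link entry encodes. The same parser works on any dump of the table, so it is a practical way to check from the gateway which external address and port a given internal connection is currently using.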