Lesson 52 - Network Address Translation Part 2

Posted by: Simple Learning
Category: Layer3 Security

NAT Principles in a Nutshell
Now that you realize there are not enough addresses for all devices in the global network, we can proceed with the general principles behind NAT.

The idea is quite simple when you think about it. The role of the edge router (the one that connects our private network to the ISP) is to replace the original, private source address in the IP header with one that is globally unique.

When the packet comes back, the edge router must have enough information to replace the globally unique address used (which now is the destination address) with the same one that was used by the sender originally (private).

NAT Principles - Detailed Explanation
Using our proper terminology, when the IP packet enters the router's inside interface (connected to the LAN) and is sent out the outside interface (connected to the Internet), the router removes the inside local address (private, e.g. 192.168.1.1), makes a note of what it did in the so-called NAT table, and inserts the inside global address (public) in the IP header instead.

So, for instance, the original source 192.168.1.1 becomes 86.46.1.10 when the packet is sent towards the Internet (apologies if I use somebody's real IP address here).

Then, when the destination host sends the reply back to the original sender, this 86.46.1.10 (the former source) becomes the destination address. Our edge router receives it on its 'outside interface'. Since the outbound interface is now our 'inside interface', the router needs to find the appropriate entry in the NAT table, which allows it to identify the original sender's address (our 192.168.1.1). That address is now inserted in the destination field of the IP header, so the packet is sent to the host that originated this transmission. Check the step-by-step procedure below to see this more clearly.

Step 1
The PC (Src=192.168.1.1) is sending a packet towards the Cisco web server (Dst=72.163.4.161). Since the destination is not on the same network, the packet is sent towards the default gateway (the MAC address of the router's F0/0). If you have problems with this, look back at the lessons about TCP/IP traffic flow.

Step 2
The router R1 receives the frame, checks the MAC address and realizes it is the destination for this Layer 2 frame (its MAC address shows in the destination field of the Ethernet header). The Layer 2 frame is stripped off and the IP header is read. The destination IP (72.163.4.161) is not listed in the routing table, but the router has a default route (0.0.0.0/0) which tells it to send the packet to the ISP's router (here: R2). The packet is moved to the outbound interface (S1/0).

Now comes the tricky part. Both interfaces have been assigned special roles in the NAT configuration. The interface F0/0 is configured as 'nat inside', which tells the router that packets sourced here belong to the 'inside local' group of addresses (candidates for translation). The S1/0 interface is configured as 'nat outside'. This interface cannot send packets out with their original 'inside local' addresses (private addresses defined in RFC 1918). The router must perform the translation (address replacement) as per Step 3.

Step 3
R1 removes the 192.168.1.1 address from the IP header (source) and inserts the 'inside global' address given to us by our ISP (for example: 86.46.1.10). You're probably waving your hands right now in protest, saying: but my ISP does not give me many addresses. Stick with me for now; I will address this issue in my next post. For now, let's just assume that our ISP is generous and gives us a whole bunch of public IP addresses.

After removing 192.168.1.1 and replacing it with 86.46.1.10, the packet is sent out towards its destination (72.163.4.161). R1 creates a special entry in the NAT table which will allow it to translate the address back to 192.168.1.1 when the reply comes back from www.cisco.com (72.163.4.161). Look at this action below:

Pic. 1 - Inside Local Address Replaced with Inside Global.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Step 4
The Cisco web server (72.163.4.161) is replying back to the sender. So, the IP header has the following addresses:
Src = 72.163.4.161
Dst = 86.46.1.10

The routers on the Internet send it back to our ISP (don't ask how it's done), which in turn sends it towards the S1/0 interface. At this stage, take this action for granted. The packet arrives on the 'nat outside' interface of R1 (S1/0). This is where the router looks into the NAT table, which should contain the entry created earlier, allowing it to remove 86.46.1.10 and insert the previously used address (192.168.1.1). This allows the router to send the packet out its 'nat inside' interface (F0/0) back to the host which originated this transmission and expects to receive the reply.

After translation, the header looks as follows:
Src = 72.163.4.161
Dst = 192.168.1.1

The PC receives the reply packet from 72.163.4.161 as expected.

Pic. 2 - Inside Global Replaced with Inside Local.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

If you have many public addresses (inside global) you can configure this type of translation using two methods:
  • Static Translation - one-to-one translation (one inside local address is always represented by the same inside global address). This allows 24/7 access to that computer (e.g. www, ftp, smtp, etc.) since the entry never ages out.
  • Dynamic Translation - computers use public addresses from a pool of available ones. Then, after the transmission ends and the entry ages out, this public (inside global) address is returned to the pool and another computer can use it. There is no permanent one-to-one translation with this method.
The problem is that in 99.999% of cases, the ISP gives you only one public address, which is applied on the router's interface facing the Internet ('nat outside'). How does NAT handle this problem?
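To make the NAT table behaviour from Steps 1-4 and the static/dynamic distinction concrete, here is an added Python simulation of a one-to-one NAT edge router. It is example code written for this lesson, not Cisco IOS code or anything from the original post. The class names, the pool contents and the lifetime counter are assumptions; the addresses reuse the lesson's own examples (192.168.1.1, 86.46.1.10, 72.163.4.161).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Only the two IP header fields NAT cares about in this lesson."""
    src: str
    dst: str


class NatRouter:
    """One-to-one NAT between a 'nat inside' and a 'nat outside' interface.

    The NAT table maps inside local -> [inside global, remaining lifetime].
    A lifetime of None marks a static entry, which never ages out.
    """

    def __init__(self, pool: List[str], static: Optional[Dict[str, str]] = None,
                 lifetime: int = 2):
        self.free_pool = list(pool)            # unused inside-global addresses
        self.lifetime = lifetime               # ticks before a dynamic entry ages out
        self.table: Dict[str, list] = {
            local: [glob, None] for local, glob in (static or {}).items()
        }

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Step 3: packet from 'nat inside' leaves via 'nat outside'.

        Returns the translated packet, or None if the dynamic pool is
        exhausted (the router has nothing to translate to and drops it).
        """
        entry = self.table.get(pkt.src)
        if entry is None:
            if not self.free_pool:
                return None
            entry = [self.free_pool.pop(0), self.lifetime]
            self.table[pkt.src] = entry            # record what was done
        elif entry[1] is not None:
            entry[1] = self.lifetime               # traffic refreshes a dynamic entry
        return Packet(src=entry[0], dst=pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Step 4: reply arrives on 'nat outside', destination is an inside global.

        Without a matching table entry the router cannot know which inside
        host the packet is for, so unsolicited inbound traffic is dropped.
        """
        for local, entry in self.table.items():
            if entry[0] == pkt.dst:
                if entry[1] is not None:
                    entry[1] = self.lifetime
                return Packet(src=pkt.src, dst=local)
        return None

    def tick(self) -> None:
        """Age dynamic entries; expired ones give their address back to the pool."""
        for local in list(self.table):
            glob, age = self.table[local]
            if age is None:                        # static: never ages
                continue
            if age <= 1:
                del self.table[local]
                self.free_pool.append(glob)
            else:
                self.table[local][1] = age - 1


if __name__ == "__main__":
    # Constructed scenario: two dynamic addresses in the pool plus one static
    # mapping for a server that must stay reachable around the clock.
    r1 = NatRouter(pool=["86.46.1.10", "86.46.1.11"],
                   static={"192.168.1.100": "86.46.1.20"})
    out = r1.inside_to_outside(Packet("192.168.1.1", "72.163.4.161"))
    print("outbound after NAT:", out)
    back = r1.outside_to_inside(Packet("72.163.4.161", "86.46.1.10"))
    print("reply after NAT:   ", back)
    print("unsolicited inbound:", r1.outside_to_inside(Packet("1.2.3.4", "86.46.1.11")))
    r1.tick(); r1.tick()
    print("pool after aging:", r1.free_pool, "table:", r1.table)
```

The `tick()` method stands in for the router's translation timeout; two ticks without traffic are enough here for a dynamic entry to expire and return its inside global address to the pool, while the static entry stays in place. Note the two failure modes the lesson implies but does not spell out: an inbound packet with no matching entry is dropped, and a new inside host gets no translation once the pool is empty.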

In such situations we use Port Address Translation (Cisco also calls this method NAT overload). I will leave that method for my next post.
