Wednesday, March 11, 2015

NAT



    NAT (Network Address Translation).
    + lets hosts with private addresses communicate with hosts on the Internet.
    + rewrites one IP address into another as the packet crosses the NAT device.
    Types of NAT:
    Static: 1 <--> 1 (a fixed mapping, valid in both directions)
    Dynamic inside source: 1 pool <--> 1 pool (a free address from the global pool is allocated to each inside host)
    PAT (overload): dynamic n <--> 1, made possible by also translating the source port

    Note: NAT changes the structure of the packet. It rewrites the IP addresses and the checksum in the IP header, and for TCP and UDP it must also repair the transport checksum, because that checksum covers a pseudo-header containing the addresses.
    Consequently NAT breaks anything that protects or embeds those addresses: IPsec AH integrity checks fail, and protocols that carry IP addresses in the payload (active-mode FTP, SIP) need an application-layer gateway on the NAT device or they stop working.
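To make the note concrete, here is an added example (not from the original notes, and not Cisco code) that rewrites one constructed IPv4/UDP datagram the way `ip nat inside source` would, using the page's addresses (192.168.12.1 inside, 10.1.23.2 inside global, 10.1.23.3 outside host). It compares a naive NAT that only recomputes the IP header checksum with a correct one that also fixes the UDP checksum; the payload and the sample ports are constructed and nothing is sent on the wire.

```python
"""Why NAT must touch more than the IP addresses: a rewrite of one IPv4/UDP datagram.

Added example for these notes, not code from the original page or from Cisco.
The datagram is constructed inline with the page's addresses (192.168.12.1 inside,
10.1.23.2 inside global, 10.1.23.3 outside host); nothing is sent on the wire.
"""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def udp_pseudo_header(ip_hdr: bytes, udp_len: int) -> bytes:
    """Src/dst address, zero, protocol 17, UDP length: the part of the UDP checksum NAT invalidates."""
    return ip_hdr[12:20] + struct.pack("!BBH", 0, 17, udp_len)


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 header + UDP datagram with both checksums correctly filled in."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    udp_len = 8 + len(payload)
    ip_fields = [0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src_b, dst_b]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = checksum(ip_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp_csum = checksum(udp_pseudo_header(ip_hdr, udp_len) + udp) or 0xFFFF  # 0 means "none" in UDP
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload


def rewrite_source(pkt: bytes, inside_local: str, inside_global: str, fix_udp: bool) -> bytes:
    """Translate the source address like 'ip nat inside source' and repair checksums.

    fix_udp=False models a naive NAT that only recomputes the IP header checksum.
    """
    ip_hdr = bytearray(pkt[:20])
    udp = bytearray(pkt[20:])
    if bytes(ip_hdr[12:16]) != ipaddress.IPv4Address(inside_local).packed:
        return pkt  # no translation entry for this source: forward unchanged
    ip_hdr[12:16] = ipaddress.IPv4Address(inside_global).packed
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    if fix_udp:
        udp[6:8] = b"\x00\x00"
        udp[6:8] = struct.pack("!H", checksum(udp_pseudo_header(bytes(ip_hdr), len(udp)) + bytes(udp)) or 0xFFFF)
    return bytes(ip_hdr) + bytes(udp)


def verify(pkt: bytes) -> dict:
    """What the receiving host checks: a valid one's-complement sum over data+checksum folds to 0xFFFF."""
    ip_hdr, udp = pkt[:20], pkt[20:]
    return {
        "src": str(ipaddress.IPv4Address(ip_hdr[12:16])),
        "dst": str(ipaddress.IPv4Address(ip_hdr[16:20])),
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "udp_ok": ones_complement_sum(udp_pseudo_header(ip_hdr, len(udp)) + udp) == 0xFFFF,
    }


def demo() -> dict:
    pkt = build_ipv4_udp("192.168.12.1", "10.1.23.3", 40000, 53, b"constructed payload")
    return {
        "original": verify(pkt),
        "naive_nat": verify(rewrite_source(pkt, "192.168.12.1", "10.1.23.2", fix_udp=False)),
        "correct_nat": verify(rewrite_source(pkt, "192.168.12.1", "10.1.23.2", fix_udp=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The naive rewrite leaves the IP header valid but the UDP checksum stale, so the receiver silently discards the datagram; the correct rewrite recomputes both. Real NAT devices do the same repair incrementally (RFC 1624) rather than from scratch, but the fields they must touch are exactly these.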

    NAT configuration.


    1. Static:
     Example: the internal host 192.168.12.1 will always be seen on the outside as 10.1.23.2 (the outside host used for testing is 10.1.23.3, as the translation table and debug output below show). The mapping is permanent and bidirectional: anyone outside can reach 192.168.12.1 through 10.1.23.2 at any time.

    #ip nat inside source static 192.168.12.1 10.1.23.2 extendable

    Test: ping 10.1.23.3 from 192.168.12.1

    R2#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 10.1.23.2:6       192.168.12.1:6     10.1.23.3:6        10.1.23.3:6
    --- 10.1.23.2          192.168.12.1       ---                ---
    R2#debug ip nat
    IP NAT debugging is on
    R2#
    *Mar  1 00:05:43.967: NAT*: s=192.168.12.1->10.1.23.2, d=10.1.23.3 [37]
    *Mar  1 00:05:44.023: NAT*: s=10.1.23.3, d=10.1.23.2->192.168.12.1 [37]

    • Instead of translating whole IP addresses, NAT can also translate individual TCP/UDP ports (static PAT, also known as NAT port redirection or port forwarding).
     Example: traffic on port 25 of host 192.168.12.1 will always be seen on the outside as 10.1.23.3 port 252. The entry is bidirectional, so a connection from anywhere outside to 10.1.23.3:252 reaches the inside host's port 25; an ACL on the outside interface (matching the global address and port, since it is evaluated before NAT) is what limits who may do so.

    #ip nat inside source static tcp 192.168.12.1 25 10.1.23.3 252

    R2#show ip nat translations tcp
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 10.1.23.3:252      192.168.12.1:25    ---                ---

    2. Dynamic inside source (pool):
    Translates a pool of private addresses to a corresponding pool of public addresses: each inside host matching the ACL is allocated one free address from the pool for as long as its translation lives.
    Note: the ACL wildcard (0.0.0.15) and the pool netmask (255.255.255.240) cover the same number of addresses (16), so this pool cannot run out for this inside range; with a smaller pool, hosts arriving after it is exhausted get no translation and their packets are dropped.
    Caveat: the pool 10.1.23.0-10.1.23.15 overlaps addresses already in use on the outside segment in these tests (10.1.23.2, which the overload example below shows is R2's f0/0 address, and the outside host 10.1.23.3). The router answers ARP for every pool address it allocates (the 'deleting alias' lines below show those aliases being removed), so in a real deployment the pool must contain only addresses that nothing else on that segment uses.

    #access-list 40 permit 192.168.12.0 0.0.0.15
    #ip nat pool NAT_240 10.1.23.0 10.1.23.15 netmask 255.255.255.240
    #ip nat inside source list 40 pool NAT_240

    R2#debug ip nat
    *Mar  1 00:20:56.563: NAT*: i: icmp (192.168.12.1, 14) -> (10.1.23.3, 14) [240]
    *Mar  1 00:20:56.563: NAT*: i: icmp (192.168.12.1, 14) -> (10.1.23.3, 14) [240]
    *Mar  1 00:20:56.563: NAT*: s=192.168.12.1->10.1.23.1, d=10.1.23.3 [240]
    *Mar  1 00:20:56.639: NAT*: o: icmp (10.1.23.3, 14) -> (10.1.23.1, 14) [240]
    *Mar  1 00:20:56.639: NAT*: s=10.1.23.3, d=10.1.23.1->192.168.12.1 [240]
    R2#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 10.1.23.1:14      192.168.12.1:14    10.1.23.3:14       10.1.23.3:14
    --- 10.1.23.1          192.168.12.1       ---                ---

    R2(config)#no ip nat inside source list 40 pool NAT_240
    Dynamic mapping in use, do you want to delete all entries? [no]: yes
    *Mar  1 00:29:13.659: NAT: deleting alias for 10.1.23.1
    *Mar  1 00:29:13.663: NAT: deleting alias from redundancy list for 10.1.23.1
    *Mar  1 00:29:13.663: NAT: deleting alias for 10.1.23.2

    3. Overload (PAT):
    >> Many PRIVATE inside-local addresses are mapped to ONE inside-global (public) address; the translated source port (the ICMP identifier for pings) is what keeps the connections apart.
    >> In the debug output, 'Allocated Port for ... wanted 28 got 28' shows the router trying to keep the original port/identifier and only picking a different one when it collides with an existing translation.
    >> Config example (the global address is that of interface f0/0, 10.1.23.2 in the output below; access-list 50 permits two inside networks):
    #access-list 50 permit 192.168.12.0 0.0.0.255
    #access-list 50 permit 1.1.1.0 0.0.0.255
    #ip nat inside source list 50 interface f0/0 overload

    R2#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 10.1.23.2:26      1.1.1.1:26         10.1.23.3:26       10.1.23.3:26
    icmp 10.1.23.2:27      192.168.12.1:27    10.1.23.3:27       10.1.23.3:27
    R2#
    *Mar  1 00:37:10.375:  mapping pointer available mapping:0
    *Mar  1 00:37:10.375: NAT: [0] Allocated Port for 192.168.12.1 -> 10.1.23.2: wanted 28 got 28
    *Mar  1 00:37:10.375: NAT*: i: icmp (192.168.12.1, 28) -> (10.1.23.3, 28) [284]
    *Mar  1 00:37:10.379: NAT*: i: icmp (192.168.12.1, 28) -> (10.1.23.3, 28) [284]
    *Mar  1 00:37:10.379: NAT*: s=192.168.12.1->10.1.23.2, d=10.1.23.3 [284]
    *Mar  1 00:37:10.467: NAT*: o: icmp (10.1.23.3, 28) -> (10.1.23.2, 28) [284]
    *Mar  1 00:37:10.467: NAT*: s=10.1.23.3, d=10.1.23.2->192.168.12.1 [284]
    R2#
    *Mar  1 00:37:15.211:  mapping pointer available mapping:0
    *Mar  1 00:37:15.211: NAT: [0] Allocated Port for 1.1.1.1 -> 10.1.23.2: wanted 29 got 29
    *Mar  1 00:37:15.211: NAT*: i: icmp (1.1.1.1, 29) -> (10.1.23.3, 29) [285]
    *Mar  1 00:37:15.215: NAT*: i: icmp (1.1.1.1, 29) -> (10.1.23.3, 29) [285]
    *Mar  1 00:37:15.215: NAT*: s=1.1.1.1->10.1.23.2, d=10.1.23.3 [285]
    *Mar  1 00:37:15.315: NAT*: o: icmp (10.1.23.3, 29) -> (10.1.23.2, 29) [285]
    *Mar  1 00:37:15.315: NAT*: s=10.1.23.3, d=10.1.23.2->1.1.1.1 [285]
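The three inside-source modes above differ only in how the translation table is populated. The following added example (not from the original notes, and not Cisco code) models that table in Python with the page's addresses: 192.168.12.1 and 1.1.1.1 as inside hosts, 10.1.23.2 as the inside-global/interface address, 10.1.23.3 outside. The ACL entries, a pool shortened to two addresses so that exhaustion is reached quickly, and the flows are constructed; the 'wanted/got' debug lines imitate the IOS output shown above.

```python
"""Toy IOS-style NAT table covering the three 'inside source' modes shown above.

Added example for these notes, not code from the original page or from Cisco.
Addresses are the page's (192.168.12.1 and 1.1.1.1 inside, 10.1.23.2 as the
inside-global/interface address, 10.1.23.3 outside); the ACL entries, the
shortened pool and the flows are constructed here.
"""
from ipaddress import IPv4Address, IPv4Network
from itertools import chain


class NatTable:
    def __init__(self, mode, acl=(), pool=(), interface_ip=None, static=None):
        self.mode = mode                                   # 'static' | 'pool' | 'overload'
        self.acl = [IPv4Network(n) for n in acl]           # the 'access-list N permit' entries
        self.pool = [IPv4Address(a) for a in pool]         # free inside-global addresses
        self.interface_ip = IPv4Address(interface_ip) if interface_ip else None
        self.static = {IPv4Address(k): IPv4Address(v) for k, v in (static or {}).items()}
        self.dynamic = {}   # inside local -> inside global, allocated on first packet
        self.pat = {}       # (global ip, global port) -> (local ip, local port)
        self.debug = []     # lines in the spirit of 'debug ip nat'

    def _permitted(self, ip):
        return any(ip in net for net in self.acl)

    def outbound(self, src_ip, src_port):
        """Inside->outside: return (inside global, port) or None when nothing is allocated."""
        ip = IPv4Address(src_ip)
        if self.mode == "static":                          # 1<->1, ports untouched
            return (str(self.static[ip]), src_port) if ip in self.static else None
        if not self._permitted(ip):
            return None                                    # ACL miss: no translation
        if self.mode == "pool":                            # one global address per inside host
            if ip not in self.dynamic:
                if not self.pool:
                    self.debug.append(f"pool exhausted, no translation for {ip}")
                    return None
                self.dynamic[ip] = self.pool.pop(0)
            return str(self.dynamic[ip]), src_port
        # overload: every host shares interface_ip; the source port (ICMP id) tells flows apart
        for (_, gport), local in self.pat.items():
            if local == (str(ip), src_port):
                return str(self.interface_ip), gport
        wanted = src_port
        got = next((p for p in chain((wanted,), range(1024, 65536))
                    if (self.interface_ip, p) not in self.pat), None)
        if got is None:
            return None                                    # 64k flows on one address: PAT exhausted
        self.pat[(self.interface_ip, got)] = (str(ip), src_port)
        self.debug.append(f"Allocated Port for {ip} -> {self.interface_ip}: wanted {wanted} got {got}")
        return str(self.interface_ip), got

    def inbound(self, dst_ip, dst_port):
        """Outside->inside: return (inside local, port) or None, meaning the packet is dropped."""
        ip = IPv4Address(dst_ip)
        if self.mode == "overload":
            return self.pat.get((ip, dst_port))            # only flows the inside host started
        table = self.static if self.mode == "static" else self.dynamic
        reverse = {g: l for l, g in table.items()}
        return (str(reverse[ip]), dst_port) if ip in reverse else None


def demo():
    out = {}
    # Static ('ip nat inside source static 192.168.12.1 10.1.23.2'): permanent and bidirectional,
    # so the outside can reach 192.168.12.1 on any port at any time.
    static = NatTable("static", static={"192.168.12.1": "10.1.23.2"})
    out["static_in"] = static.inbound("10.1.23.2", 22)
    # Dynamic pool, shortened to two addresses so exhaustion is reached by the third host.
    pool = NatTable("pool", acl=["192.168.12.0/28"], pool=["10.1.23.1", "10.1.23.2"])
    out["pool"] = [pool.outbound(f"192.168.12.{h}", 14) for h in (1, 2, 3)]
    out["pool_in"] = pool.inbound("10.1.23.1", 14)
    # Overload on f0/0 (10.1.23.2) with access-list 50's two networks; both hosts pick id 28.
    pat = NatTable("overload", acl=["192.168.12.0/24", "1.1.1.0/24"], interface_ip="10.1.23.2")
    out["pat"] = [pat.outbound("192.168.12.1", 28), pat.outbound("1.1.1.1", 28),
                  pat.outbound("172.16.0.5", 28)]       # third source is outside the ACL
    out["pat_in_known"] = pat.inbound("10.1.23.2", 1024)
    out["pat_in_unsolicited"] = pat.inbound("10.1.23.2", 4444)
    out["pat_debug"] = pat.debug
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the model makes visible that the CLI output alone does not: a static entry answers for the inside host on every port whether or not the host ever spoke, while dynamic and overload entries only exist for flows the inside host started, which is why unsolicited inbound traffic to 10.1.23.2:4444 goes nowhere. That implicit drop is often mistaken for a firewall; the static and port-redirection entries earlier on the page show how quickly it disappears.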

    4.  Outside Source:
    > Conceptually just the opposite of Inside Source.
    > 'Outside source' means the source address of packets arriving from the outside is translated: the outside-global (OG) address is rewritten to the outside-local (OL) address before the packet enters the inside network.
    > The OL address must be routed from the inside back to the NAT router and must not collide with a real inside host. This example reuses 192.168.12.1, the inside host of the earlier examples, so it should not be active together with them.
    > Config example:
    >> Traffic from the outside host 10.1.23.3 will appear to local hosts as coming from source 192.168.12.1.

    #ip nat outside source static 10.1.23.3 192.168.12.1 extendable






    NAT Order of Operation                                                                                    // note: pay attention to this part
    > The order in which a packet's transformations are applied depends on whether the packet is going from the inside network to the outside network, or from the outside network to the inside network.
    > Practical consequence: an input ACL is evaluated before NAT and sees the untranslated addresses; an output ACL is evaluated after NAT and sees the translated ones; and inside-to-outside the crypto map is checked after NAT, so IPsec crypto ACLs must match the global addresses (or the NAT ACL must exempt the VPN traffic).

    1.  Inside-to-Outside order:
    >>  If IPSec then check input access list.
    >>  Decryption - for CET (Cisco Encryption Technology) or IPSec.
    >>  Check input access list.
    >>  Check input rate limits.
    >>  Input accounting.
    >>  Policy routing.
    >>  Routing.
    >>  Redirect to web cache.
    >>  NAT inside to outside (local to global translation).
    >>  Crypto (check map and mark for encryption).
    >>  Check output access list.
    >>  Inspect (Context-Based Access Control (CBAC)).
    >>  TCP intercept.
    >>  Encryption.
    >>  Queueing.
    2.  Outside-to-Inside order:
    >>  If IPSec then check input access list.
    >>  Decryption - for CET or IPSec.
    >>  Check input access list.
    >>  Check input rate limits.
    >>  Input accounting.
    >>  NAT outside to inside (global to local translation).
    >>  Policy routing.
    >>  Routing.
    >>  Redirect to web cache.
    >>  Crypto (check map and mark for encryption).
    >>  Check output access list.
    >>  Inspect CBAC.
    >>  TCP intercept.
    >>  Encryption.
    >>  Queueing.
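To show what the two orderings mean for filter rules, here is an added example (not from the original notes, and not Cisco code) that reduces each list to the steps that read or change addresses: input ACL, routing, NAT, crypto-map match, output ACL. It uses the page's static mapping 192.168.12.1 <-> 10.1.23.2 and the outside host 10.1.23.3; the route table, interface names and ACLs are constructed.

```python
"""Where an ACL sits in the pipeline above decides which addresses it sees.

Added example for these notes, not code from the original page or from Cisco. It reduces the
two orderings to the steps that read or change addresses (input ACL, routing, NAT, crypto-map
match, output ACL) and uses the page's static mapping 192.168.12.1 <-> 10.1.23.2 and outside
host 10.1.23.3; the route table, interface names and ACLs are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

STATIC = {IPv4Address("192.168.12.1"): IPv4Address("10.1.23.2")}   # inside local -> inside global
ROUTES = {IPv4Network("192.168.12.0/24"): "f0/1", IPv4Network("10.1.23.0/24"): "f0/0"}  # constructed
ANY = IPv4Network("0.0.0.0/0")


def host(ip):
    return IPv4Network(f"{ip}/32")


def acl_match(acl, src, dst):
    """acl: list of (action, src_net, dst_net); first match wins, implicit deny. None = no ACL applied."""
    if acl is None:
        return True
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def route(dst):
    return next((intf for net, intf in ROUTES.items() if dst in net), None)


def inside_to_outside(src, dst, in_acl=None, out_acl=None, crypto_acl=None):
    """Input ACL -> routing -> NAT (local->global) -> crypto map -> output ACL."""
    if not acl_match(in_acl, src, dst):
        return "dropped by input ACL"          # the inside interface's ACL sees the LOCAL source
    egress = route(dst)
    if egress is None:
        return "no route"
    src = STATIC.get(src, src)                 # NAT runs after routing
    encrypt = crypto_acl is not None and acl_match(crypto_acl, src, dst)  # crypto ACL sees GLOBAL source
    if not acl_match(out_acl, src, dst):
        return "dropped by output ACL"         # the outside interface's ACL sees the GLOBAL source
    return f"forwarded out {egress}" + (" encrypted" if encrypt else "")


def outside_to_inside(src, dst, in_acl=None, out_acl=None):
    """Input ACL -> NAT (global->local) -> routing -> output ACL."""
    if not acl_match(in_acl, src, dst):
        return "dropped by input ACL"          # the outside interface's ACL sees the GLOBAL destination
    dst = {g: l for l, g in STATIC.items()}.get(dst, dst)   # NAT runs before routing ...
    egress = route(dst)                                      # ... so routing uses the LOCAL destination
    if egress is None:
        return "no route"
    if not acl_match(out_acl, src, dst):
        return "dropped by output ACL"
    return f"forwarded out {egress}"


def demo():
    inside, glob, outside = IPv4Address("192.168.12.1"), IPv4Address("10.1.23.2"), IPv4Address("10.1.23.3")
    deny_local = [("deny", host(inside), ANY), ("permit", ANY, ANY)]
    deny_global = [("deny", host(glob), ANY), ("permit", ANY, ANY)]
    return {
        # Blocking the host by its local address with an outbound ACL on the outside interface: never matches.
        "out_acl_by_local": inside_to_outside(inside, outside, out_acl=deny_local),
        # Same intent expressed correctly: either name the global address there ...
        "out_acl_by_global": inside_to_outside(inside, outside, out_acl=deny_global),
        # ... or apply the ACL inbound on the inside interface, where the local address is still visible.
        "in_acl_by_local": inside_to_outside(inside, outside, in_acl=deny_local),
        # A crypto ACL written against local addresses never triggers encryption: NAT already ran.
        "crypto_by_local": inside_to_outside(inside, outside, crypto_acl=[("permit", host(inside), ANY)]),
        "crypto_by_global": inside_to_outside(inside, outside, crypto_acl=[("permit", host(glob), ANY)]),
        # Return traffic: the inbound ACL on the outside interface must permit the GLOBAL destination.
        "return_permit_global": outside_to_inside(outside, glob, in_acl=[("permit", ANY, host(glob))]),
        "return_permit_local": outside_to_inside(outside, glob, in_acl=[("permit", ANY, host(inside))]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The two silent failures are the ones worth remembering: a deny written against 192.168.12.1 on the outside interface's outbound ACL lets the traffic through, and a crypto ACL written against the same local address sends the VPN traffic out in the clear. Both are correct IOS syntax and produce no error; only the address family (local vs. global) at that pipeline position is wrong.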
