Cisco - Expanding ISP and Enterprise Connectivity with Cisco IOS NAT 1306



English, 36 pages, 1998


1306 0957_05F9_c1


© 1999, Cisco Systems, Inc.

Expanding ISP and Enterprise Connectivity with Cisco IOS® NAT Session 1306


Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr


Agenda

• Benefits
• Definition
• Availability
• Terminology
• Types of Translations
• Overlapping Networks Example


Motivation for NAT

• Market consolidation: mergers, acquisitions
• ISP changes
• IP address management
• RFC 1918 usage
• IP address conservation
• Network privacy


Cisco IOS NAT—Benefits

• Enables a privately addressed network to access registered networks, such as the Internet, without requiring registered IP addresses on end hosts
• Enables connectivity between networks with overlapping addresses
• Eliminates the need for host renumbering when changing ISPs or addressing schemes
• Reduces time and costs associated with IP address management tasks
• PAT conserves registered IP addresses
• Enhances network privacy since “real” addresses are hidden


What Is NAT?

• First described in RFC 1631
• Technique of rewriting IP addresses in headers and application data streams according to a defined policy
• Based on traffic source and/or destination IP address
• Cisco IOS NAT is a superset of that described in RFC 1631


Availability and Platform Support

• Introduced in Cisco IOS software release 11.2(1)
• Available in 11.2, 11.2P, 11.3, 11.3T, 12.0, 12.0T
• Supported on the following router platforms: Cisco 800 Series, Cisco 1000 Series, Cisco 1600 Series, Cisco 1700 Series, Cisco 2500 Series, Cisco 2600 Series, Cisco 3600 Series, Cisco MC3810, Cisco 4x00 Series, Cisco AS5x00 Series, Cisco RSP/RSP7000, Cisco 7200 Series, Cisco uBR7246, Cisco 7500 Series, Cisco RSM
• Not supported on Cisco 7000 series (unless in RSP7000)


NAT Terminology

• Inside Local (IL)—The IP address assigned to a host on the inside network; this address may be globally unique, allocated out of the private address space defined in RFC 1918, or officially allocated to some other organization
• Inside Global (IG)—The IP address of an inside host as it appears to the outside world; these addresses can also be allocated out of the private address space defined in RFC 1918, may be officially allocated to some other organization, or may be allocated from a globally unique address space, typically provided by the ISP (if the enterprise is connected to the global Internet)


NAT Terminology (Cont.)

• Outside Local (OL)—The IP address of an outside host as it appears to the inside network; these addresses can be allocated from the RFC 1918 space if desired
• Outside Global (OG)—The IP address assigned to a host on the outside network


Types of Translations

• Static: statically configured one-to-one mapping between inside local and global addresses
• Dynamic: dynamic mapping between the inside local and global addresses; translations are created when needed


Types of Translations (Cont.)

• Simple Network Address Translation (NAT): maps one IP address to another; one-to-one translation; works bi-directionally
• Port Address Translation (PAT): maps one IP address and port pair to another; unique port numbers identify translations on a single IP address; one-to-N translation; conserves registered IP addresses; works uni-directionally; also called “Extended Network Address Translation”


Which Addresses Can Be Translated with NAT?

• Inside source addresses
• Outside source addresses


“Inside Source” Address Translation

[Figure: hosts 10.0.0.2 and 10.0.0.3 on the “Inside” network send packets through the NAT router to the “Outside” network (Internet/Intranet); the packet from 10.0.0.2 leaves the host with SA 10.0.0.2 and appears outside with SA 192.69.1.1 (SA = Source Address)]

NAT Table
Inside Local IP Address   Inside Global IP Address
10.0.0.2                  192.69.1.1
10.0.0.3                  192.69.1.2

• All “internal” hosts use different registered IP addresses as seen from the “outside” network


“Outside Source” Address Translation

[Figure: the same “Inside” network (hosts 10.0.0.2 and 10.0.0.3) behind the NAT router, facing the “Outside” network (Internet/Intranet); the packet shown carries SA 10.0.0.2 on the inside and SA 192.69.1.1 on the outside (SA = Source Address)]

NAT Table
Outside Global IP Address   Outside Local IP Address
171.68.1.1                  10.0.0.20
171.68.1.2                  10.0.0.21

• Enables one to use internal addresses which “overlap” with external addresses
• Equivalent to “outside destination” translation for inside-to-outside traffic


Port Address Translation (PAT)

[Figure: hosts 10.0.0.2 and 10.0.0.3 on the “Inside” network behind the NAT router, facing the “Outside” network (Internet/Intranet); the packet from 10.0.0.2 leaves with SA 10.0.0.2 and appears outside with SA 192.69.1.1 (SA = Source Address)]

NAT Table
Inside Local IP Address   Inside Global IP Address
10.0.0.2                  192.69.1.1:5001
10.0.0.3                  192.69.1.1:5002

• Port-multiplexed “inside source” translation
• All “internal” hosts use different registered IP addresses as seen from the “outside” network


Cisco IOS NAT Traffic Support

Traffic Types/Applications Supported
• Any TCP/UDP traffic that does not carry source and/or destination IP addresses in the application data stream
• HTTP
• TFTP
• Telnet, Archie, Finger
• NTP
• rlogin, rsh, rcp
• BOOTP
• NFS
• Talk, Ntalk
• NetShow
• H.323/NetMeeting—12.0(1)/12.0(1)T
• VDOLive—11.3(4)/11.3(4)T
• Vxtreme—11.3(4)/11.3(4)T
• IP Multicast—12.0(1)T—source translation only

Although the following traffic types carry IP addresses in the application data stream, they are supported by Cisco IOS® NAT:
• Routing table updates
• ICMP
• DNS zone transfers
• SMTP
• SNMP
• FTP (including PORT and PASV commands)
• NetBIOS over TCP/IP (datagram, name, and session services)
• Progressive Networks’ RealAudio
• White Pines’ CuSeeMe
• DNS "A" and "PTR" queries
• Xing Technologies’ StreamWorks


Overlapping Networks—Example

[Figure: Inside network 10/8 (IL), bar.com domain, with DNS server ns.bar.com 10.1.1.10 (IL) and Host y.bar.com 10.1.1.1 (IL); NAT router holding the Inside Global address pool 140.16.1/24 (IG) and the Outside Local address pool 192.168.1/24 (OL); Outside network 10/8 (OG), foo.com domain, with DNS server ns.foo.com 10.1.1.10 (OG) and Host x.foo.com 10.1.1.1 (OG)]

Use both “Inside Source” and “Outside Source” translations


Assumptions

• ns.bar.com, a DNS server authoritative for the bar.com domain, exists on the internal network
• ns.foo.com, a DNS server authoritative for the foo.com domain, exists on the outside network
• Both servers handle DNS queries recursively
• Clients in the internal network use the ns.bar.com DNS server as their default DNS server
• Clients in the outside network use the ns.foo.com DNS server as their default DNS server


Assumptions (Cont.)

• The ns.bar.com DNS server is a forwarder to the ns.foo.com DNS server*
• The ns.foo.com DNS server has root connectivity
• The internal network administrator wants all internal hosts accessible to both internal and outside hosts via DNS
• The outside network administrator wants all outside hosts accessible to both internal and outside hosts via DNS

* Not strictly necessary; one could configure ns.bar.com to utilize the root DNS servers, using OL addresses


Assumptions (Cont.)

• The remote office or subsidiary (“inside” network) is either using addresses from the RFC 1918 space or is using addresses in use by some other organization; as a result, no inside local addresses can ever be advertised to the outside network
• Overlapping addresses exist among the “inside” and “outside” networks; addresses in the bar.com and foo.com domains are not unique


Assumptions (Cont.)

• It is neither permissible nor desirable to advertise and cache “outside global” addresses within the “inside” network; outside global addresses may not be advertised to the inside network
• Seamless connectivity is required between the “inside” and “outside” networks without the use of static translations for each host on each network


Bi-Directional Address Translation Rules

• Dynamically translate all internally originated traffic with 10/8 (IL) source addresses to the 140.16.1/24 (IG) pool
• Dynamically translate all externally originated traffic source addresses (OG) to the 192.168.1/24 (OL) pool


NAT Configuration

ip nat inside source static 10.1.1.10 140.16.1.254
! Static translation for ns.bar.com DNS server
ip nat outside source static 10.1.1.10 192.168.1.254
! Static translation for ns.foo.com DNS server
ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0
! Dynamic IL->IG address xlations
ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0
! Dynamic OG->OL address xlations
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola
access-list 1 permit 10.0.0.0 0.255.255.255
! Translate all traffic from 10/8 internal hosts
access-list 2 permit any
! Translate all externally originated traffic
!
! Interface names and addresses are omitted on the slide
interface
 ip address
 ip nat inside
!
interface
 ip address
 ip nat outside
!
! Next hop omitted on the slide
ip route 0.0.0.0 0.0.0.0
! Default route from in to out
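The following Python example is added here and is not Cisco code or part of the presentation: it parses the NAT statements of the configuration above into a small model and applies the consistency rules a reviewer checks by hand (every dynamic statement names a defined pool and access list, each pool range lies inside its netmask, a static translation address is not also allocatable from a dynamic pool of the same direction, and the IG and OL pools overlap neither each other nor the source space their own access list matches). The function names, the wildcard-mask handling and the deliberately broken variant are constructed for this example.

```python
import ipaddress
import re

# The NAT statements from the slide above, embedded for the check (interface
# stanzas and the default route carry no addresses on the slide and are left
# out). SLIDE_CONFIG is copied from the slide; BROKEN_CONFIG is a constructed
# defect: the iga pool is extended to .254, which the static ns.bar.com
# translation already uses.
SLIDE_CONFIG = """
ip nat inside source static 10.1.1.10 140.16.1.254
ip nat outside source static 10.1.1.10 192.168.1.254
ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0
ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit any
"""
BROKEN_CONFIG = SLIDE_CONFIG.replace("140.16.1.1 140.16.1.253", "140.16.1.1 140.16.1.254")


def parse_config(text):
    """Parse the NAT-relevant IOS lines into a small model; other lines raise."""
    cfg = {"static": [], "pools": {}, "dynamic": [], "acls": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"ip nat (inside|outside) source static (\S+) (\S+)", line):
            # (direction, original address, translated address): IL->IG or OG->OL
            cfg["static"].append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            net = ipaddress.ip_network((m[2], m[4]), strict=False)
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), net)
        elif m := re.fullmatch(r"ip nat (inside|outside) source list (\d+) pool (\S+)", line):
            cfg["dynamic"].append((m[1], m[2], m[3]))
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+)(?: (\S+))?", line):
            if m[2] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                # IOS wildcard masks are inverted netmasks: 0.255.255.255 is /8
                wildcard = int(ipaddress.ip_address(m[3] or "0.0.0.0"))
                netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
                net = ipaddress.ip_network((m[2], netmask), strict=False)
            cfg["acls"].setdefault(m[1], []).append(net)
        else:
            raise ValueError(f"unrecognised NAT line: {line}")
    return cfg


def check_config(cfg):
    """Return a list of findings; an empty list means the rules are consistent."""
    findings = []
    pools_by_dir = {}   # direction -> [(pool name, first, last, network)]
    acl_by_dir = {}     # direction -> networks matched by its access list
    for direction, acl, pool in cfg["dynamic"]:
        if pool not in cfg["pools"]:
            findings.append(f"{direction} source list {acl}: pool {pool} is not defined")
            continue
        if acl not in cfg["acls"]:
            findings.append(f"{direction} source list {acl}: access-list {acl} is not defined")
        first, last, net = cfg["pools"][pool]
        if first > last or first not in net or last not in net:
            findings.append(f"pool {pool}: range {first}-{last} is not inside {net}")
        pools_by_dir.setdefault(direction, []).append((pool, first, last, net))
        acl_by_dir.setdefault(direction, []).extend(cfg["acls"].get(acl, []))
    # A static translation hands out a fixed address; if a dynamic pool of the
    # same direction can also allocate it, two hosts may end up sharing it.
    for direction, orig, translated in cfg["static"]:
        for name, first, last, _ in pools_by_dir.get(direction, []):
            if first <= translated <= last:
                findings.append(f"static {direction} translation {orig}->{translated} collides with pool {name}")
    # Translated addresses must not look like untranslated ones: a pool may not
    # overlap the space its own access list matches (a default 'any' is skipped),
    # and the IG and OL pools must not overlap each other.
    for direction, pools in pools_by_dir.items():
        for name, _, _, net in pools:
            for acl_net in acl_by_dir.get(direction, []):
                if acl_net.prefixlen and net.overlaps(acl_net):
                    findings.append(f"pool {name} {net} overlaps matched source space {acl_net}")
    nets = [p[3] for pools in pools_by_dir.values() for p in pools]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"pools {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    print("slide config:", check_config(parse_config(SLIDE_CONFIG)) or "consistent")
    print("broken config:", check_config(parse_config(BROKEN_CONFIG)))
```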


Initial NAT Table

Original Address (OA)   Type   Translated Address (TA)   Type   Binding
10.1.1.10               IL     140.16.1.254              IG     Static, DNS
140.16.1.254            IG     10.1.1.10                 IL     Static, DNS
10.1.1.10               OG     192.168.1.254             OL     Static, DNS
192.168.1.254           OL     10.1.1.10                 OG     Static, DNS

Internal DNS Configuration

In ns.bar.com’s .boot file:

  primary     bar.com                    db.bar
  primary     10.in-addr.arpa            db.10
  primary     1.168.192.in-addr.arpa.    db.192.168.1
  forwarders  192.168.1.254
  options     forward-only               ; Slave mode on

In ns.bar.com (bar.com primary DNS server) db.bar file:

  ;
  @            IN  SOA  ns.bar.com. hostmaster.ns.bar.com. (
                        2          ; Serial number
                        21600      ; Refresh every 6 hours
                        900        ; Retry every 15 minutes
                        7776000    ; Expire every 90 days
                        86400 )    ; Minimum TTL of 1 day
  ;
  ; Name Servers
  bar.com.     IN  NS   ns.bar.com.
  ;
  ; Addresses
  ns.bar.com.  IN  A    10.1.1.10  ; Inside Local address
  y.bar.com.   IN  A    10.1.1.1   ; Inside Local address


Outside DNS Configuration

In ns.foo.com’s .boot file:

  primary     foo.com                    db.foo
  primary     10.in-addr.arpa            db.10
  primary     1.16.140.in-addr.arpa      db.140.16.1

In ns.foo.com (foo.com primary DNS server) db.foo file:

  ;
  @            IN  SOA  ns.foo.com. hostmaster.ns.foo.com. (
                        2          ; Serial number
                        21600      ; Refresh every 6 hours
                        900        ; Retry every 15 minutes
                        7776000    ; Expire every 90 days
                        86400 )    ; Minimum TTL of 1 day
  ;
  ; Name Servers
  foo.com.     IN  NS   ns.foo.com.
  ;
  ; Addresses
  ns.foo.com.  IN  A    10.1.1.10  ; Outside Global address
  x.foo.com.   IN  A    10.1.1.1   ; Outside Global address

Two-Phase Connectivity

• Initial DNS query to resolve hostname
• Host-to-host packet flow
• Occurs bi-directionally: internally initiated, externally initiated


Internally Originated DNS Query for External Host

[Figure: the overlapping-networks topology: ns.bar.com 10.1.1.10 (IL) and Host y.bar.com 10.1.1.1 (IL) on the inside 10/8 (IL) network; the NAT router with the Inside Global address pool 140.16.1/24 (IG) and the Outside Local address pool 192.168.1/24 (OL); ns.foo.com 10.1.1.10 (OG) and Host x.foo.com 10.1.1.1 (OG) on the outside 10/8 (OG) network. The query steps are numbered 1 (y.bar.com to ns.bar.com), 2 (ns.bar.com to NAT), 3 (NAT to ns.foo.com), 4 (ns.foo.com to NAT), 5 (NAT to ns.bar.com) and 6 (ns.bar.com to y.bar.com)]

DNS Query: Step 1

[Figure: topology as above; step 1: y.bar.com queries ns.bar.com]

Source IP       Type   Destination IP   Type
10.1.1.1        IL     10.1.1.10        IL


DNS Query: Step 2

[Figure: topology as above; step 2: ns.bar.com forwards the query to ns.foo.com’s OL address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.10       IL     192.168.1.254    OL

DNS Query: Step 3

[Figure: topology as above; step 3: the translated query leaves the NAT router for ns.foo.com]

Source IP       Type   Destination IP   Type
140.16.1.254    IG     10.1.1.10        OG


DNS Query: Step 4

[Figure: topology as above; step 4: ns.foo.com answers to ns.bar.com’s IG address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.10       OG     140.16.1.254     IG

DNS Response Payload Translation

• Between steps 4 and 5, the OG address 10.1.1.1 returned in the DNS “A” RR response for x.foo.com is dynamically translated to an address from the OL pool; here we assume the address 192.168.1.75


DNS Query: Step 5

[Figure: topology as above; step 5: the translated answer leaves the NAT router for ns.bar.com]

Source IP       Type   Destination IP   Type
192.168.1.254   OL     10.1.1.10        IL

DNS Query: Step 6

[Figure: topology as above; step 6: ns.bar.com answers y.bar.com]

Source IP       Type   Destination IP   Type
10.1.1.10       IL     10.1.1.1         IL


DNS Query—Summary

[Figure: topology as above with query steps 1 to 6 marked]

Step   Source Address   Type   Destination Address   Type
1      10.1.1.1         IL     10.1.1.10             IL
2      10.1.1.10        IL     192.168.1.254         OL
3      140.16.1.254     IG     10.1.1.10             OG
4      10.1.1.10        OG     140.16.1.254          IG
5*     192.168.1.254    OL     10.1.1.10             IL
6      10.1.1.10        IL     10.1.1.1              IL

* Between steps 4 and 5, the OG address 10.1.1.1 returned in the DNS “A” RR response for x.foo.com is dynamically translated to an address from the OL pool; here we assume the address 192.168.1.75

DNS Resolution Result

• y.bar.com identifies x.foo.com’s IP address as 192.168.1.75 (OL)
• Remember, x.foo.com’s “real” address is 10.1.1.1 (OG)


NAT Table After DNS Resolution

Original Address (OA)   Type   Translated Address (TA)   Type   Binding
10.1.1.10               IL     140.16.1.254              IG     Static, DNS
140.16.1.254            IG     10.1.1.10                 IL     Static, DNS
10.1.1.10               OG     192.168.1.254             OL     Static, DNS
192.168.1.254           OL     10.1.1.10                 OG     Static, DNS
10.1.1.1                OG     192.168.1.75              OL     Dynamic, x.foo.com
192.168.1.75            OL     10.1.1.1                  OG     Dynamic, x.foo.com

Packet Flow

[Figure: topology as above; the packet flow steps are numbered 1 (y.bar.com to NAT), 2 (NAT to x.foo.com), 3 (x.foo.com to NAT) and 4 (NAT to y.bar.com)]

Packet Flow: Step 1

[Figure: topology as above; step 1: y.bar.com sends to the OL address it resolved for x.foo.com]

Source IP       Type   Destination IP   Type
10.1.1.1        IL     192.168.1.75     OL

Packet Translation

• Because no entry for 10.1.1.1 (IL) exists in the NAT table for y.bar.com at step 1, a dynamic translation to an address from the IG pool is created; here we assume the address is 140.16.1.55 (IG)


Packet Flow: Step 2

[Figure: topology as above; step 2: the translated packet leaves the NAT router for x.foo.com]

Source IP       Type   Destination IP   Type
140.16.1.55     IG     10.1.1.1         OG

Packet Flow: Step 3

[Figure: topology as above; step 3: x.foo.com replies to y.bar.com’s IG address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.1        OG     140.16.1.55      IG


Packet Flow: Step 4

[Figure: topology as above; step 4: the translated reply leaves the NAT router for y.bar.com]

Source IP       Type   Destination IP   Type
192.168.1.75    OL     10.1.1.1         IL

Packet Flow—Summary

[Figure: topology as above with packet flow steps 1 to 4 marked]

Step   Source Address   Type   Destination Address   Type
1      10.1.1.1         IL     192.168.1.75          OL
2      140.16.1.55*     IG     10.1.1.1              OG
3      10.1.1.1         OG     140.16.1.55*          IG
4      192.168.1.75     OL     10.1.1.1              IL

* Because no entry for IL address 10.1.1.1 exists in the NAT table for y.bar.com at step 1, a dynamic translation to an address from the IG pool is created; here we assume the address is 140.16.1.55 (IG)

NAT Table After Packet Flow

Original Address (OA)   Type   Translated Address (TA)   Type   Binding
10.1.1.10               IL     140.16.1.254              IG     Static, DNS
140.16.1.254            IG     10.1.1.10                 IL     Static, DNS
10.1.1.10               OG     192.168.1.254             OL     Static, DNS
192.168.1.254           OL     10.1.1.10                 OG     Static, DNS
10.1.1.1                OG     192.168.1.75              OL     Dynamic, x.foo.com
192.168.1.75            OL     10.1.1.1                  OG     Dynamic, x.foo.com
10.1.1.1                IL     140.16.1.55               IG     Dynamic, y.bar.com
140.16.1.55             IG     10.1.1.1                  IL     Dynamic, y.bar.com

Internally Originated DNS PTR Query for External Host

• Similar process as for A RRs
• NAT translates IP addresses in headers and in the PTR QNAME field


Externally Originated DNS Query for Internal Host

[Figure: the same topology: ns.bar.com 10.1.1.10 (IL) and Host y.bar.com 10.1.1.1 (IL) on the inside 10/8 (IL) network; the NAT router with the Inside Global address pool 140.16.1/24 (IG) and the Outside Local address pool 192.168.1/24 (OL); ns.foo.com 10.1.1.10 (OG) and Host x.foo.com 10.1.1.1 (OG) on the outside 10/8 (OG) network. The query steps are numbered 1 (x.foo.com to ns.foo.com), 2 (ns.foo.com to NAT), 3 (NAT to ns.bar.com), 4 (ns.bar.com to NAT), 5 (NAT to ns.foo.com) and 6 (ns.foo.com to x.foo.com)]

DNS Query: Step 1

[Figure: topology as above; step 1: x.foo.com queries ns.foo.com]

Source IP       Type   Destination IP   Type
10.1.1.1        OG     10.1.1.10        OG

DNS Query: Step 2

[Figure: topology as above; step 2: ns.foo.com sends the query to ns.bar.com’s IG address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.10       OG     140.16.1.254     IG

DNS Query: Step 3

[Figure: topology as above; step 3: the translated query leaves the NAT router for ns.bar.com]

Source IP       Type   Destination IP   Type
192.168.1.254   OL     10.1.1.10        IL

DNS Query: Step 4

[Figure: topology as above; step 4: ns.bar.com answers to ns.foo.com’s OL address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.10       IL     192.168.1.254    OL

DNS Response Payload Translation

• Between steps 4 and 5, the IL address 10.1.1.1 returned in the DNS “A” RR response for y.bar.com is dynamically translated to an address from the IG pool; here we assume the IG address 140.16.1.27


DNS Query: Step 5

[Figure: topology as above; step 5: the translated answer leaves the NAT router for ns.foo.com]

Source IP       Type   Destination IP   Type
140.16.1.254    IG     10.1.1.10        OG

DNS Query: Step 6

[Figure: topology as above; step 6: ns.foo.com answers x.foo.com]

Source IP       Type   Destination IP   Type
10.1.1.10       OG     10.1.1.1         OG

DNS Query—Summary

[Figure: topology as above with query steps 1 to 6 marked]

Step   Source Address   Type   Destination Address   Type
1      10.1.1.1         OG     10.1.1.10             OG
2      10.1.1.10        OG     140.16.1.254          IG
3      192.168.1.254    OL     10.1.1.10             IL
4      10.1.1.10        IL     192.168.1.254         OL
5*     140.16.1.254     IG     10.1.1.10             OG
6      10.1.1.10        OG     10.1.1.1              OG

* Between steps 4 and 5, the IL address 10.1.1.1 returned in the DNS “A” RR response for y.bar.com is dynamically translated to an address from the IG pool; here we assume the address 140.16.1.27

DNS Resolution Result

• x.foo.com identifies y.bar.com’s IP address as 140.16.1.27 (IG)
• Remember, y.bar.com’s “real” IP address is 10.1.1.1 (IL)


NAT Table After DNS Resolution

Original Address (OA)   Type   Translated Address (TA)   Type   Binding
10.1.1.10               IL     140.16.1.254              IG     Static, DNS
140.16.1.254            IG     10.1.1.10                 IL     Static, DNS
10.1.1.10               OG     192.168.1.254             OL     Static, DNS
192.168.1.254           OL     10.1.1.10                 OG     Static, DNS
10.1.1.1                IL     140.16.1.27               IG     Dynamic, y.bar.com
140.16.1.27             IG     10.1.1.1                  IL     Dynamic, y.bar.com

Packet Flow

[Figure: topology as above; the packet flow steps are numbered 1 (x.foo.com to NAT), 2 (NAT to y.bar.com), 3 (y.bar.com to NAT) and 4 (NAT to x.foo.com)]

Packet Flow: Step 1

[Figure: topology as above; step 1: x.foo.com sends to the IG address it resolved for y.bar.com]

Source IP       Type   Destination IP   Type
10.1.1.1        OG     140.16.1.27      IG

Packet Translation

• Because no entry for OG address 10.1.1.1 exists in the NAT table for x.foo.com at step 1, a dynamic translation to an address from the OL pool is created; here we assume the address is 192.168.1.27 (OL)


Packet Flow: Step 2

[Figure: topology as above; step 2: the translated packet leaves the NAT router for y.bar.com]

Source IP       Type   Destination IP   Type
192.168.1.27    OL     10.1.1.1         IL

Packet Flow: Step 3

[Figure: topology as above; step 3: y.bar.com replies to x.foo.com’s OL address, before translation]

Source IP       Type   Destination IP   Type
10.1.1.1        IL     192.168.1.27     OL

Packet Flow: Step 4

[Figure: topology as above; step 4: the translated reply leaves the NAT router for x.foo.com]

Source IP       Type   Destination IP   Type
140.16.1.27     IG     10.1.1.1         OG

Packet Flow—Summary

[Figure: topology as above with packet flow steps 1 to 4 marked]

Step   Source Address   Type   Destination Address   Type
1      10.1.1.1         OG     140.16.1.27           IG
2      192.168.1.27*    OL     10.1.1.1              IL
3      10.1.1.1         IL     192.168.1.27*         OL
4      140.16.1.27      IG     10.1.1.1              OG

* Because no entry for OG address 10.1.1.1 exists in the NAT table for x.foo.com at step 1, a dynamic translation to an address from the OL pool is created; here we assume the address is 192.168.1.27 (OL)

NAT Table After Packet Flow

Original Address (OA)   Type   Translated Address (TA)   Type   Binding
10.1.1.10               IL     140.16.1.254              IG     Static, DNS
140.16.1.254            IG     10.1.1.10                 IL     Static, DNS
10.1.1.10               OG     192.168.1.254             OL     Static, DNS
192.168.1.254           OL     10.1.1.10                 OG     Static, DNS
10.1.1.1                IL     140.16.1.27               IG     Dynamic, y.bar.com
140.16.1.27             IG     10.1.1.1                  IL     Dynamic, y.bar.com
10.1.1.1                OG     192.168.1.27              OL     Dynamic, x.foo.com
192.168.1.27            OL     10.1.1.1                  OG     Dynamic, x.foo.com
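The following Python simulation is an added example, not code from the presentation: it replays both the internally originated and the externally originated two-phase flows above against a translation table keyed by (address, type), which is what keeps the overlapping hosts 10.1.1.1 (IL) and 10.1.1.1 (OG) apart, applying the two static DNS-server bindings from the NAT Configuration slide, allocating IG and OL addresses from the pools on first use, rewriting A-record answers as they cross the router, and dropping any packet addressed to an IG or OL address that has no binding. It assumes first-free pool allocation, so it yields 192.168.1.1 and 140.16.1.1 where the slides assume 192.168.1.75, 140.16.1.55, 140.16.1.27 and 192.168.1.27; the class and function names are constructed for this example.

```python
import ipaddress

IL, IG, OG, OL = "IL", "IG", "OG", "OL"


def address_range(first, last):
    """Every address from first to last inclusive, as strings."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class NatRouter:
    """Bi-directional translation table for the overlapping-network example.
    Each binding is stored in both directions, as in the slide tables:
    (original address, type) -> (translated address, type) and back."""

    def __init__(self, ig_pool, ol_pool):
        self.free = {IG: list(ig_pool), OL: list(ol_pool)}
        self.table = {}

    def bind(self, orig, otype, trans, ttype):
        self.table[(orig, otype)] = (trans, ttype)
        self.table[(trans, ttype)] = (orig, otype)

    def translate(self, addr, atype):
        """Return the binding for addr, allocating one for IL->IG and OG->OL.
        An IG or OL address without a binding has no host behind it, so a
        packet carrying it cannot be delivered and is dropped (LookupError)."""
        if (addr, atype) not in self.table:
            if atype == IL:    # inside source: next free Inside Global address
                self.bind(addr, IL, self.free[IG].pop(0), IG)
            elif atype == OG:  # outside source: next free Outside Local address
                self.bind(addr, OG, self.free[OL].pop(0), OL)
            else:
                raise LookupError(f"no translation for {atype} {addr}: dropped")
        return self.table[(addr, atype)]

    def inside_to_outside(self, src_il, dst_ol, answers=()):
        """Rewrite a packet leaving the inside network. The destination is
        resolved first so an undeliverable packet creates no binding; IL
        addresses in DNS A answers become IG (steps 4->5, external query)."""
        dst, _ = self.translate(dst_ol, OL)
        src, _ = self.translate(src_il, IL)
        return src, dst, tuple(self.translate(a, IL)[0] for a in answers)

    def outside_to_inside(self, src_og, dst_ig, answers=()):
        """Rewrite a packet entering from the outside; OG addresses in DNS A
        answers become OL (steps 4->5 of the internally originated query)."""
        dst, _ = self.translate(dst_ig, IG)
        src, _ = self.translate(src_og, OG)
        return src, dst, tuple(self.translate(a, OG)[0] for a in answers)


def build_router():
    """Router from the NAT Configuration slide: the two static DNS-server
    bindings plus the iga (140.16.1.1-253) and ola (192.168.1.1-253) pools."""
    r = NatRouter(address_range("140.16.1.1", "140.16.1.253"),
                  address_range("192.168.1.1", "192.168.1.253"))
    r.bind("10.1.1.10", IL, "140.16.1.254", IG)   # ns.bar.com
    r.bind("10.1.1.10", OG, "192.168.1.254", OL)  # ns.foo.com
    return r


def internally_originated(r):
    """y.bar.com resolves x.foo.com, sends it a packet and receives the reply."""
    # DNS query, steps 2->3: ns.bar.com forwards to ns.foo.com's OL address.
    q_src, q_dst, _ = r.inside_to_outside("10.1.1.10", "192.168.1.254")
    # Steps 4->5: the reply carries x.foo.com's OG address 10.1.1.1 in an A RR.
    _, _, (x_ol,) = r.outside_to_inside("10.1.1.10", "140.16.1.254", ("10.1.1.1",))
    # Packet flow, steps 1->2: y.bar.com's first packet creates its IG binding.
    p_src, p_dst, _ = r.inside_to_outside("10.1.1.1", x_ol)
    # Steps 3->4: x.foo.com replies to that IG address.
    rep_src, rep_dst, _ = r.outside_to_inside("10.1.1.1", p_src)
    return {"query": (q_src, q_dst), "x_foo_seen_as": x_ol,
            "request": (p_src, p_dst), "reply": (rep_src, rep_dst)}


def externally_originated(r):
    """x.foo.com resolves y.bar.com, sends it a packet and receives the reply."""
    q_src, q_dst, _ = r.outside_to_inside("10.1.1.10", "140.16.1.254")
    _, _, (y_ig,) = r.inside_to_outside("10.1.1.10", "192.168.1.254", ("10.1.1.1",))
    p_src, p_dst, _ = r.outside_to_inside("10.1.1.1", y_ig)
    rep_src, rep_dst, _ = r.inside_to_outside("10.1.1.1", p_src)
    return {"query": (q_src, q_dst), "y_bar_seen_as": y_ig,
            "request": (p_src, p_dst), "reply": (rep_src, rep_dst)}
```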

Externally Originated DNS PTR Query for Internal Host

• Similar process as for A RRs
• NAT translates IP addresses in headers and in the PTR QNAME field


Summary

• NAT provides transparent and bi-directional connectivity between networks having arbitrary addressing schemes
• NAT eliminates costs associated with host renumbering
• NAT conserves IP addresses
• NAT eases IP address management
• NAT enhances network privacy


Questions?


Please Complete Your Evaluation Form Session 1306
