Using and Configuring Features Version 3.4

Using Network Address Translator

Network Address Translator (NAT) and its extension Network Address and Port Translator (NAPT) can expand the number of IP addresses available to an organization and can prevent users in the public network from becoming aware of some of the addresses in the private network. NAT works by using public IP addresses to represent private IP addresses.

Public IP addresses are the valid addresses of hosts in the IP public network and they must be unique within the public network. If the public network is the Internet, the public IP addresses must be unique Internet addresses provided by the Network Information Center (NIC).

The private addresses are known to the router, but not to the public network. The addresses within each private network must be unique; however, the same address can be duplicated in two different private networks. The private addresses are assigned to hosts within stub networks. Stub networks are networks that have access to the public network through one router only.

NAT expands the number of available IP addresses in several ways:

• It allows each public address to represent multiple private addresses by rotating the use of the public addresses.
• It allows the duplication of addresses as long as each duplicate address is used in a different private network.
• It allows the network administrator to use any IP addresses in the private networks, instead of the NIC addresses that are becoming limited resources.

Using private addresses also hides these addresses from the outside world. This feature of NAT makes it useful as a type of firewall to protect the private addresses from being known.

Important:

As stated in section 5.4 of the Internet Draft which defines NAT, "any application that carries (and uses) the IP address (and TCP/UDP port, in the case of NAPT) inside the application will not work through NAT...". It should be noted that DLSw and XTP make decisions based on the end-point IP addresses -- specifically which partner has the higher address. Since the application (such as DLSw or XTP) that is running through NAT thinks that its address is the private address, but the partner application in the other router thinks that the application's address is the public address, incorrect decisions can be made.

See Figure 44 for a drawing of a workstation in a stub network. In this example, the stub network consists of an IP subnet that has the IP address 10.33.96.0 with the subnet mask 255.255.255.0.

Figure 44. Network Running NAT

To use NAT, the network administrator assigns one or more public IP addresses to a public address pool in the 2212 and assigns a private IP address to each workstation in the stub network. The public IP addresses are assigned to a reserve pool and the private IP addresses are assigned to the translate range.

The NAT function first binds the private address of a station in the private network to one of the public addresses. Binding means that every packet with that private address will be translated to that public IP address when the packet is outbound. Inbound packets have the public IP address as their destination. NAT recognizes the public address, translates it to the private IP address, and forwards the packet. After traffic stops, the binding is maintained until a timer that you can set times out. At this time, NAT ends the binding and makes the public address available for reuse.

In this example, a packet is transmitted from sending private source address 10.33.96.5 to a destination address in the Internet, 167.71.13.4. NAT in the 2212 translates private address 10.33.96.5 to public address 198.76.29.7. This translation hides the private address 10.33.96.5 from the public network, so that no incoming packet is addressed directly to private address 10.33.96.5. Instead, incoming packets from 167.71.13.4 are addressed to public address 198.76.29.7. When the NAT router receives packets addressed to 198.76.29.7, NAT translates the destination public address to the private address 10.33.96.5 and forwards the packets.

Network Address Port Translator

NAPT can be used only for TCP and UDP traffic. In NAPT, multiple private addresses can use a single public address simultaneously. While NAT maps one public address to one private address, NAPT maps the NAPT public address and the public port number to a private address and private port number. Only one NAPT address can be configured for each public address pool.

NAPT is configured simply by specifying one public address or a Dynamic-Address interface (which is using PPP/IPCP to retrieve a public address) that will be used for NAPT traffic. The advantage of NAPT is that it can enable one address from the pool of public IP addresses to support many private IP addresses simultaneously.

Static Address Mappings

Sometimes you may want to configure a station or server in the private network that can be directly accessed from the public network. In this case, you should make a static mapping of the private address of the station to a particular public address. All messages outbound from the private address are translated to the designated public address and all messages inbound for the designated public address are automatically forwarded to the associated private address. There are two kinds of static address mappings: NAT and NAPT.

NAT Static Address Mapping

In a NAT mapping, all IP protocols can access the host. This is an example of the configuration of a NAT mapping:

Private address	10.1.1.2
Private port	0
Public NAT address	9.67.1.1
Public port	0

NAPT Static Address Mapping

To specify a TCP or UDP application, you have the option to specify a NAPT mapping that includes a private well-known port. For NAPT static address mapping, a NAPT public address must be configured. For example, to configure a Telnet host at private address 10.1.1.1 to use the NAPT public address 9.67.1.2, the static mapping would be configured as follows:

Private address	10.1.1.1
Private port	23
Public NAPT address	9.67.1.2
Public port	23

The private and public ports are mapped to port 23, which is the well-known port for Telnet. Now, if the administrator also has an FTP server (well-known address 21) at the same private address 10.1.1.1 to map to the NAPT public address 9.67.1.2, that mapping can look like this:

Private address	10.1.1.1
Private port	21
Public NAPT address	9.67.1.2
Public port	21

The server at address 10.1.1.1 has the same NAPT public address (9.67.1.2) for both applications, but NAPT can distinguish between the two by using the different port numbers (23 and 21). However, NAPT cannot distinguish between two servers that use the same NAPT public address and have the same application and port number. For example, if the NAPT public address and well-known port are the same for 10.1.1.3 port 21 as for 10.1.1.1 port 21, NAPT cannot tell whether to send incoming FTP traffic to server 10.1.1.3 or 10.1.1.1. To configure more than one server with the same NAPT address and application, you must use a port other than the well-known port at the server (for example, start the FTP daemon on port 200).

Setting Packet Filters and Access Control Rules for NAT

In addition to identifying the range of private addresses to be translated by NAT or NAPT, the administrator must set up packet filters and access control rules for IP in the 2212. NAT configuration requires you to configure one inbound and one outbound packet filter on the interface that is connected to the public network. You need to configure one or more access control rules on the inbound packet filter and one or more access control rules on the outbound packet filter. The inbound filter access control rules pass inbound packets with the appropriate defined public addresses to NAT. The outbound filter access control rules pass outbound packets with the appropriate defined private addresses to NAT.

The access control rules that are applied for NAT have the access control rule types I and N for inclusive and NAT. Refer to the Protocol Configuration and Monitoring Reference Volume 1 for information about configuring IP access controls.

Note:

NAT can also be configured in conjunction with an IPsec tunnel. A sample of this configuration is found in Configuring Packet Filter Access Control Rules for Router A.

Example: Configuration of NAT With IP Filters and Access Control Rules

This example shows how to configure NAT for the stub router in the network pictured in Figure 45. See "Configuring and Monitoring Network Address Translator" for descriptions of the commands.

Figure 45. Network Running NAT

Follow this procedure:

1. Set up pools of public addresses for use by NAT and NAPT. To do this, use the reserve command.

   NAT config> reserve No 198.76.29.7 255.255.255.0 6 pool1 198.76.29.7
   NAT config> reserve No 198.76.29.15 255.255.255.0 3 pool1 0.0.0.0
   

   In this example, a pool called pool1 is established. The NAPT address in the pool is 198.76.29.7. The addresses 198.76.29.13 and 198.76.29.14 are not available, so the pool is set up to exclude them. The parameters entered are: public-address, mask, number-in-group, name, and napt-address. The value 0.0.0.0 for the NAPT address means that none of the addresses in this group is the NAPT address. Use 0.0.0.0 for the NAPT address in all groups if you do not configure NAPT for the pool.

2. Use the translate command to establish the ranges of private addresses to be translated by the public addresses in pool1. The parameters entered are: private-address, mask, and name.

   NAT config> translate 10.33.96.0 255.255.255.0 pool1
    
   

3. Set up static mappings for stations inside the private network that are to be permanently mapped to one of the public addresses. The following commands identify one machine (10.33.96.5) that will receive any type of traffic from the public network. A second machine (10.33.96.4) is both a Telnet and an HTTP server. The parameters are private-address, private-port-number, public-address, and public-port-number. Note that the NAPT address for pool1 is used as the public address for the host that is configured with two port numbers.

   NAT config> map 10.33.96.5 0 198.76.29.8 0
   NAT config> map 10.33.96.4 23 198.76.29.7 23
   NAT config> map 10.33.96.4 80 198.76.29.7 80
   

4. Enable NAT.

   NAT config> enable NAT
    
   

5. Create two IP packet filters so that IP will pass packets to NAT. These are inbound and outbound packet filters for interface 0, which is the interface connected to the public network.

   IP Config> add packet-filter outbound out-0 0
   IP Config> add packet-filter inbound in-0 0
   

6. Use the update command to bring up the packet-filter 'filter-name' Config> prompt. Add an access control rule for NAT to the inbound filter. Packets received over the public interface (net 0) that are destined for an address in NAT's reserved public address pool should be passed to NAT. NAT will replace the public address (and the public port if the packet is destined for the NAPT address) with the correct private address (and the private port if the packet is destined for the NAPT address). The 0.0.0.0 address and mask for the Internet source indicate that any source addresses from the public network will be passed to NAT.

   IP Config>update packet-filter
   Packet-filter name [ ]? in-0
   Packet-filter 'in-0' Config> add access
   Enter type [E]? IN
   Internet source [0.0.0.0]?
   Source mask [255.255.255.255]? 0.0.0.0
   Internet destination [0.0.0.0]? 198.76.29.0
   Destination mask [255.255.255.255]?255.255.255.0
   Enter starting protocol number ([0] for all protocols) [0]?
   Enable logging? (Yes or [No]):
   Packet-filter 'in-0' Config>
    
   

   The range of addresses in the access control rule is greater than the range of addresses defined in pool1. If the address of the packet passed to NAT is in the range defined in the access control rule but is not one of the ones in the public address pool, NAT passes the packet back to IP unchanged.

7. If you wish the router to pass the packets that do not match the access control rule, rather than drop them, you can create a wildcard access control rule. The following example shows such an access control rule:

   Packet-filter 'in-0' Config> add access
   Enter type [E]? I
   Internet source [0.0.0.0]? 0.0.0.0
   Source mask [255.255.255.255]? 0.0.0.0
   Internet destination [0.0.0.0]? 0.0.0.0
   Destination mask [255.255.255.255]?0.0.0.0
   Enter starting protocol number ([0] for all protocols) [0]?
   Enable logging? (Yes or [No]):
   Packet-filter 'in-0' Config>
   

8. Add an access control rule for NAT to the outbound packet filter. Packets to be forwarded from the net 0 interface that have a source address on the private network are identified so that IP can pass them to NAT. NAT replaces the private address with one of the public addresses in pool1.

   Packet-filter 'out-0' Config> add access
   Enter type [E]? IN
   Internet source [0.0.0.0]? 10.33.96.0
   Source mask [255.255.255.255]? 255.255.255.0
   Internet destination [0.0.0.0]?
   Destination mask [255.255.255.255]?0.0.0.0
   Enter starting protocol number ([0] for all protocols) [0]?
   Enable logging? (Yes or [No]):
   Packet-filter 'out-0' Config>
    
   

   With this packet filter as with filter in-0, you can add a wildcard inclusive access control rule as the last access control rule if you plan to forward packets that do not match the access control rule.

9. You can use the list packet-filter filter-name command from the IP Config> prompt to check the accuracy and sequence of the access control rules in each packet filter.
10. Enable the access controls for IP.

    IP Config> set access-control on
    

11. Reset IP and NAT using talk 5. Until now, you have created changes in the router configuration, but these changes have not affected the router. The reset commands for IP and NAT cause the router to read in the new configuration and run with the rules defined in the configuration.

    NAT> reset NAT
    IP> reset IP