Scaling IP Addresses
From Mycomputer Notes
Revision as of 02:44, 16 November 2006
Introduction to NAT | PAT
Network Address Translation (NAT) is the process of translating private internal addresses into routable public addresses (assigned by a regional registry such as ARIN). It is performed by internetwork devices running NAT software. Because only the translated address is visible from outside, NAT also hides the internal addressing scheme and so adds some privacy; it is not a firewall, though, and does not by itself restrict what inside hosts may send or what may come back over an existing translation.
A NAT-enabled device typically operates at the border of a stub network. When a host inside the stub network wants to transmit to a host outside it, it forwards the packet to the border gateway router, which performs the NAT process: it translates the internal private source address into an external routable address, records the mapping in its translation table, and uses that table to translate the destination address of the reply back to the private address.
NAT terminology:
- Inside local address: The IP address assigned to a host on the inside network. It is usually not an address assigned by the InterNIC or a service provider; it is most likely an RFC 1918 private address.
- Inside global address: A legitimate (routable) IP address assigned by the InterNIC or a service provider that represents one or more inside local addresses to the outside world.
- Outside local address: The IP address of an outside host as it is known to the hosts on the inside network.
- Outside global address: The IP address assigned to a host on the outside network. The owner of that host assigns this address.
- Stub network: A network that has a single connection to its neighbor network.
NAT & PAT Features
- Static NAT is a fixed one-to-one mapping between a local and a global address: one private address -> one public address. It is used when a host, typically a server, must be reachable from the outside at a consistent address.
- Dynamic NAT maps a private IP address to a public address taken from a pool of public addresses. Any free address in the pool is assigned to an inside host when it first needs a translation; the address returns to the pool when the translation times out, so the pool only has to cover the hosts that are active at the same time.
- Port Address Translation, PAT (also called overloading), maps multiple private IP addresses to a single public IP address. Many private addresses can share one public address because each translation is tracked by port number as well as by address: the router rewrites the source address and, where necessary, the source port, and uses the destination port of the returning packet to find the right inside host.
Ranges of port numbers used by PAT:
- 0-511
- 512-1023
- 1024-65535
PAT tries to keep the original source port. If that port is already in use on the global address, it picks a free port from the same range as the original, so a translated port below 1024 stays below 1024 and a translated ephemeral port stays above it.
Configuring NAT
Static Translations
Static translations are entered directly into the configuration and are always present in the translation table. To configure static inside source address translation, perform the tasks below:
- Establish a static translation between an inside local address and an inside global address in global configuration mode:
Router(config)#ip nat inside source static <LOCAL-IP> <GLOBAL-IP>
- Enter interface configuration mode for the inside interface and mark it as connected to the inside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat inside
- Enter interface configuration mode for the outside interface and mark it as connected to the outside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat outside
Dynamic Translations
NAT uses an access list to select the addresses for dynamic translation: only the addresses permitted by the access list are translated. Cisco advises against referencing an access list that contains permit any from a NAT command; with permit any, NAT tries to translate every source address it sees, which can consume too many router resources and cause network problems. To configure dynamic inside source address translation, perform the tasks below:
- In global configuration mode, define a pool of global addresses to be allocated as needed:
Router(config)#ip nat pool <POOL-NAME> <START-IP> <END-IP> netmask <NETMASK>
- Define a standard access list permitting the inside local addresses that are to be translated:
Router(config)#access-list <ACL-NUMBER> permit <IP-SOURCE> <WILDCARD>
- Establish dynamic source translation, referencing the access list and the pool defined in the prior steps:
Router(config)#ip nat inside source list <ACL-NUMBER> pool <POOL-NAME>
- Enter interface configuration mode for the inside interface and mark it as connected to the inside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat inside
- Enter interface configuration mode for the outside interface and mark it as connected to the outside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat outside
For example, to translate only the hosts in 10.0.0.0/16 using the pool <POOL-NAME>:
Router(config)#access-list 1 permit 10.0.0.0 0.0.255.255
Router(config)#ip nat inside source list 1 pool <POOL-NAME>
Configuring PAT
Overloading is configured when an ISP has allocated a single public IP address to an entire private network. In its simplest form it needs only two global configuration commands.
Define a standard IP access list permitting the inside local addresses that are to be translated:
Router(config)#access-list 1 permit 10.0.0.0 0.0.255.255
Establish overload translation, specifying that the address to be overloaded is the one assigned to the outside interface:
Router(config)#ip nat inside source list 1 interface serial0/0 overload
Follow the steps below to configure overloading. The first step is the same as when configuring a dynamic translation.
- Define a standard access list permitting the addresses that are to be translated:
Router(config)#access-list <ACL-NUMBER> permit <IP-SOURCE> <WILDCARD>
- Establish dynamic source translation with overloading, specifying the access list defined in the prior step and the outside interface whose address is to be shared:
Router(config)#ip nat inside source list <ACL-NUMBER> interface <TYPE> <NUMBER> overload
- Alternatively, specify the global addresses as a pool and overload the pool. This form is used when the ISP has provided a small pool of public addresses rather than a single address; each connection is still tracked by port number:
Router(config)#ip nat pool <POOL-NAME> <START-IP> <END-IP> netmask <NETMASK>
Router(config)#ip nat inside source list <ACL-NUMBER> pool <POOL-NAME> overload
- Enter interface configuration mode for the inside interface and mark it as connected to the inside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat inside
- Enter interface configuration mode for the outside interface and mark it as connected to the outside:
Router(config)#interface <TYPE> <NUMBER>
Router(config-if)#ip nat outside
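The three procedures above (static translation, dynamic translation, and overloading) are usually combined on one border router. The following configuration is an added example, not taken from the original page: it puts all three on a single router so the interaction between them is visible. Everything in it is assumed for illustration: the inside network 10.1.0.0/16, the public block 203.0.113.0/24 (the RFC 5737 documentation range, assumed to be routed to this router by the ISP), the interface names, and the pool and access-list numbers.

```cisco
! Added example, not from the original page. Addresses, interface names
! and pool names are assumptions.
!
! Static NAT: the inside web server 10.1.1.10 is always seen as
! 203.0.113.10. A static entry is permanent and takes precedence over any
! dynamic rule that also matches the host.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! Dynamic NAT: hosts in 10.1.2.0/24 each borrow a whole public address from
! a pool of ten (203.0.113.20-29) while they have active translations.
! The access list names exactly that subnet; never use "permit any" here.
ip nat pool SERVERS 203.0.113.20 203.0.113.29 netmask 255.255.255.0
access-list 2 permit 10.1.2.0 0.0.0.255
ip nat inside source list 2 pool SERVERS
!
! PAT: every other inside host shares the address of Serial0/0, tracked
! by port. 10.1.2.0/24 is denied first so that subnet is not matched by
! both the pool rule and the overload rule.
access-list 1 deny   10.1.2.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 interface Serial0/0 overload
!
! Nothing is translated until one interface is marked inside and one
! outside. Other 10.1.x.0 subnets are reached through FastEthernet0/0.
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link to ISP
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Verification, from privileged EXEC mode:
!   show ip nat translations    - static entry plus current dynamic ones
!   show ip nat statistics      - inside/outside interfaces, hits, misses
!   clear ip nat translation *  - flush dynamic entries; static ones stay
```

If show ip nat statistics lists no inside or outside interface, the ip nat inside / ip nat outside markings are missing and no packet will be translated, whatever the pool and list commands say.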
NAT Advantages
- Conserves the public address space by allowing intranets to use private addresses.
- Increases the flexibility of connections to the public network.
- Provides a consistent internal addressing scheme: the internal scheme does not need to change when a connection is established to the outside.
NAT Disadvantages
- Increased delay, because the IP header of each translated packet (and, for PAT, the transport header) has to be rewritten and its checksums recomputed.
- Decreased performance, because the CPU must examine every packet to decide whether it must be translated.
- The major disadvantage is the loss of end-to-end IP traceability. It is difficult to trace a packet from source to destination when it can be translated several times along the way: the source address seen at the destination belongs to the last NAT router, not to the originating host, so logs on the two sides can only be correlated through the NAT translation records.
- Applications that carry IP addresses inside their payload instead of using a domain name will not reach a destination whose address has been translated across the NAT router, unless NAT understands the protocol and rewrites the embedded address.
Cisco IOS NAT supports the following:
- ICMP
- FTP (PORT and PASV commands)
- NetBIOS over TCP/IP (datagram, name and session services)
Cisco IOS NAT does NOT support the following:
- Routing table updates
- DNS zone transfers
- BOOTP
- talk and ntalk protocols
- SNMP
Introduction to DHCP
DHCP Features
Three mechanisms exist to assign an IP address to a client:
- Automatic allocation: DHCP assigns a permanent IP address to a client.
- Manual allocation: The IP address for the client is chosen by the administrator, and DHCP conveys the address to the client.
- Dynamic allocation: DHCP assigns, or leases, an IP address to the client for a limited period of time.
The CCNA curriculum focuses on the dynamic allocation mechanism. Some of the configuration parameters available are listed in IETF RFC 1533 (since replaced by RFC 2132):
- Subnet mask
- Router (default gateway)
- Domain name
- Domain name server(s)
- WINS server(s)
Configuring DHCP
Configuring DHCP on a router requires an administrator to define a pool of addresses. The ip dhcp pool command defines the pool of addresses assigned to hosts. The ip dhcp excluded-address command configures the router to exclude an individual address or a range of addresses when assigning addresses to clients; it is used to reserve addresses that are statically assigned to key hosts, router interfaces, and enterprise or workgroup servers, which the server would otherwise hand out to clients and so create duplicate-address conflicts. The DHCP server is also configured to assign much more than IP addresses: other values such as the default gateway and the addresses of DNS and WINS servers. The IOS DHCP server can configure clients with virtually any TCP/IP information.
On Cisco IOS the DHCP service is enabled by default. To disable the service, use no service dhcp in global configuration mode; to turn it back on, use service dhcp.
Key commands used when configuring DHCP on Cisco IOS:
- ip dhcp pool
- ip dhcp excluded-address
- default-router
- dns-server
- netbios-name-server
- network <A.A.A.A> [mask | /prefix-length]: Specifies the subnet network number and mask of the DHCP address pool. The prefix length gives the number of bits that comprise the address prefix; instead of specifying the mask as 255.255.255.0 we can specify /24.
- default-router <A.A.A.A>: Specifies the IP address of the default gateway for a DHCP client. One address is required; up to 8 addresses can be specified on one command line.
- netbios-name-server <A.A.A.A>: Specifies the NetBIOS WINS server available to a Microsoft DHCP client. One address is required; up to 8 addresses can be specified on one command line.
- domain-name <NAME>: Specifies the domain name for the client.
- lease {days [hours [minutes]] | infinite}: Specifies the duration of the lease. The default is a one-day lease.
Router(config)#ip dhcp pool campus --> name of the pool of addresses
Router(dhcp-config)#network 172.16.12.0 255.255.255.0 --> addresses assigned to the PCs
Router(dhcp-config)#default-router 172.16.12.1 --> address of the router's interface on that subnet
Router(dhcp-config)#dns-server 172.16.1.2
Router(dhcp-config)#domain-name foo.com
Router(dhcp-config)#netbios-name-server 172.16.1.10
DHCP Relay
DHCP clients use an IP broadcast to find the DHCP server on their segment, which is not a problem as long as the DHCP server is on the same segment. What happens when the server and the clients are on different segments, separated by a router? Routers do not forward broadcasts, so the request never reaches the server.
DHCP is not the only critical service that uses broadcasts: Cisco routers and other devices may use broadcasts to locate TFTP servers, and other clients broadcast to locate a TACACS server. Since some clients cannot work without a service such as DHCP, the administrator has only two choices:
- Place a server on every subnet.
- Use the Cisco IOS helper feature, ip helper-address.
With the helper address feature, a router is configured to accept a broadcast request for a UDP service and forward it as a unicast to a specific IP address. By default the ip helper-address command forwards the following 8 UDP services:
- Time (port 37)
- TACACS (port 49)
- DNS (port 53)
- BOOTP/DHCP server (port 67)
- BOOTP/DHCP client (port 68)
- TFTP (port 69)
- NetBIOS name service (port 137)
- NetBIOS datagram service (port 138)
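The DHCP server configuration in the previous section and the relay described here are normally configured on two different routers. The following is an added example, not from the original page, that shows both ends together: a router named CORE runs the IOS DHCP server with a pool for its own LAN and a second pool for a remote LAN, and a router named BRANCH relays client broadcasts from that remote LAN to CORE with ip helper-address. The hostnames, the subnets 172.16.12.0/24 and 172.16.20.0/24, the server address 172.16.1.1 and the interface names are all assumptions made for the example.

```cisco
! Added example, not from the original page. Hostnames, addresses and
! interface names are assumptions.
!
! ---- CORE: the DHCP server (service dhcp is on by default) ----
! Reserve the router interfaces, servers and printers on each subnet so
! they are never leased to a client.
ip dhcp excluded-address 172.16.12.1 172.16.12.20
ip dhcp excluded-address 172.16.20.1 172.16.20.10
!
! Pool for the LAN attached directly to CORE. The lease is shortened to
! 8 hours (the default would be one day).
ip dhcp pool CAMPUS
 network 172.16.12.0 255.255.255.0
 default-router 172.16.12.1
 dns-server 172.16.1.2
 domain-name foo.com
 lease 0 8
!
! Pool for the LAN behind BRANCH. A relayed request carries the relay's
! own address (172.16.20.1, the giaddr field) instead of the client's,
! and the server selects the pool whose network contains that address.
ip dhcp pool BRANCH-LAN
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.1
 dns-server 172.16.1.2
 domain-name foo.com
 lease 0 8
!
! ---- BRANCH: the relay ----
! The helper forwards all eight default UDP services. Only DHCP is wanted
! on this segment, so stop relaying Time (37), TACACS (49) and TFTP (69);
! otherwise any host on the LAN can push those broadcasts at CORE too.
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 69
!
! Client broadcasts arriving on this interface are re-sent as unicasts to
! CORE; CORE's replies come back to 172.16.20.1 and are delivered locally.
interface FastEthernet0/0
 description Branch LAN
 ip address 172.16.20.1 255.255.255.0
 ip helper-address 172.16.1.1
!
! Verification on CORE, from privileged EXEC mode:
!   show ip dhcp binding   - leases in use, including the relayed ones
!   show ip dhcp pool      - utilisation of CAMPUS and BRANCH-LAN
!   show ip dhcp conflict  - addresses found already in use on the wire
```

CORE must have a route back to 172.16.20.0/24; if the relayed DISCOVER arrives but no pool matches the giaddr, or the OFFER cannot be routed back to BRANCH, the client never gets an address even though show ip dhcp pool shows free leases.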