This text is an attempt at translating the original French text. Please excuse its imperfections, and let me know when you notice one so that I can correct it.
To create functional separations (teachers, students, administration), we had organised our three class C networks into subnets. We were approaching the limit of several of these subnets and planned to request new class C addresses.
Introducing a new class C address would have forced us to juggle with the addressing of the site for an indefinite period. To help us choose a procedure, we made a statistical study of the use of the campus addresses and tried to estimate the number of connections to come.
We therefore wrote a script which periodically tested the presence of the hosts on the network (using a simple ping). This script showed that on average only 40% of the declared hosts were in operation, so 60% of the IP addresses were unused. In addition, the rate of connection to the network observed over the previous months was approximately 13 new hosts per week. The number of rooms not yet connected to the network was significant, so we knew we would need a new class C address in roughly 4 months.
The following terminology is that presented by the working group on NAT set up jointly by the CRU [4] and the UREC [5] on the NAT mechanism in February 1998 [6]. This terminology derives directly from that used by Cisco:

| Term | Definition |
|---|---|
| NAT router | Router on which NAT is activated. |
| NAT site | Site that has set up a NAT router at the point where its network connects to the Internet. |
| Public addressing space | The address space managed by the IANA [7]. These addresses are globally unique and are routed on the Internet. |
| Private addressing space | The address space used internally by a NAT site. These addresses are generally those defined by RFC 1918 [8], but not necessarily. |

In the following terms, the words internal and external indicate the origin of an address relative to the NAT router. The words local and global indicate the side of the router on which this address is used.

| Term | Definition |
|---|---|
| Local Internal IP Address: ALI | IP address allotted in the private addressing space; it is the IP address of a host on a NAT site. |
| Global Internal IP Address: AGI | IP address allotted in the public addressing space. Seen from outside, it is the IP address of a host located inside a NAT site. |
| Global External IP Address: AGE | IP address allotted in the public addressing space. It is that of a host on the Internet, outside the NAT site. |
| Local External IP Address: ALE | The IP address of a host external to the site, as seen by the hosts inside. It is normally the same as the global external IP address of that host, except on sites that have implemented overlapping. |
The university has a Cisco 4500 site router. To implement NAT we had to upgrade its memory twice: once, two years ago, from 8 MB to 16 MB, which was necessary to run the IOS version implementing NAT, and again a few months ago to 32 MB, in order to run version 12.0(4)T.
If a static translation is defined for an ALI, a single AGI is associated with it. This is particularly useful for hosts that offer Internet services and must be reachable from outside at a fixed address. It is also useful for hosts accessing paying databases that authenticate on the IP address.
If a host is not meant to receive connections, it does not need a fixed AGI. When it wants to connect to the outside, its ALI is associated with an AGI taken from a pool: this is a dynamic translation. The router walks the pool from the bottom to the top until it finds an address free of any association. When it finds one, it adds an entry to the translation table in the form of a pair (local internal IP address, global internal IP address). A timeout is associated with this entry: the association is removed from the table if, beyond this timeout, the host to which it was allotted makes no further access to the outside. When a packet arrives on the internal interface of the router with a given source IP address, the router looks up this address in its translation table. If it finds it, the router replaces the address with the AGI associated with it; if it does not find it, it creates the association before making the replacement. It performs the reverse operation when it sees a packet arriving on an external interface bound for an AGI present in its table.
Let us suppose that the host with ALI 10.1.1.1 connects to the Web server whose IP address is 128.5.3.9. The router rewrites the packet by changing the source address. For that, it takes the first free address in the AGI pool, say address 193.49.96.64. It adds to the table of dynamic translations the pair (10.1.1.1, 193.49.96.64). The packet leaving the site now has the AGI 193.49.96.64 as source address; it reaches the Web server, which answers the request. When the router sees a packet arriving bound for host 193.49.96.64, it reads the correspondence table, finds the associated ALI, rewrites the packet and sends the modified packet to host 10.1.1.1.
In this mode, it is not only the ALI that is translated but also the source port of the connection. The translation table is enriched: it no longer holds pairs of addresses but quadruplets (local internal IP address, port 1, global internal IP address, port 2). The port number before translation is not necessarily the one used after translation.
To return to our example, if the host with ALI 10.1.1.1 opens an HTTP connection (port 80) to the Web server 128.5.3.9 from port 1503, the router associates the pair (10.1.1.1, 1503) with the pair (193.49.96.64, 1503). When the server returns a packet, the router rewrites it by replacing the destination address and destination port (193.49.96.64, 1503) with (10.1.1.1, 1503).
Once PAT is in use and excluding the reserved ports, a Cisco router can associate approximately 4000 ALIs with the same AGI taken from the pool.
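The translation table described in the preceding paragraphs (static entries, a dynamic pool walked from the bottom up, the idle timeout, and the quadruplets of PAT) can be simulated in a few dozen lines. The following is an added example written for this article, not code from the article or from Cisco IOS; it reuses the article's addresses (ALI 10.1.1.1, AGI pool 193.49.96.64 to 193.49.96.191), and the idle timeout value and the choice of the first pool address as the shared AGI under overload are assumptions.

```python
"""Simulation of the NAT translation table described in the article.

Added example; this is not code from the article or from Cisco IOS.
Addresses follow the article's examples (ALI 10.1.1.1, AGI pool
193.49.96.64-193.49.96.191); the idle timeout value is an assumption.
"""
import ipaddress

POOL_START = int(ipaddress.IPv4Address("193.49.96.64"))
POOL_END = int(ipaddress.IPv4Address("193.49.96.191"))
IDLE_TIMEOUT = 300  # seconds (assumed; the article only says "a timeout")


class NatTable:
    """Translation table with static entries, a dynamic pool and PAT (overload)."""

    def __init__(self, overload=False):
        self.overload = overload
        self.static = {}     # ALI -> AGI, defined by hand, never expires
        self.dynamic = {}    # key -> [AGI, port after translation, last use]
        #   key is the ALI (simple translation) or (ALI, port) with PAT

    def add_static(self, ali, agi):
        self.static[ali] = agi

    def _first_free_agi(self):
        # The pool is walked from the bottom up until a free address is found
        used = set(self.static.values()) | {v[0] for v in self.dynamic.values()}
        for n in range(POOL_START, POOL_END + 1):
            addr = str(ipaddress.IPv4Address(n))
            if addr not in used:
                return addr
        raise RuntimeError("AGI pool exhausted")

    def _pat_port(self, agi, wanted):
        # PAT keeps the original port when it is free on that AGI, else the next free one
        taken = {v[1] for v in self.dynamic.values() if v[0] == agi}
        port = wanted
        while port in taken:
            port = port + 1 if port < 65535 else 1024
        return port

    def expire(self, now):
        """Drop dynamic entries idle longer than IDLE_TIMEOUT; returns how many."""
        stale = [k for k, v in self.dynamic.items() if now - v[2] > IDLE_TIMEOUT]
        for k in stale:
            del self.dynamic[k]
        return len(stale)

    def outbound(self, ali, sport, now):
        """Packet seen on the inside interface: returns (AGI, port) to write as source."""
        if ali in self.static:
            return self.static[ali], sport
        key = (ali, sport) if self.overload else ali
        if key not in self.dynamic:
            if self.overload:
                # Assumption: with overload every ALI shares the first pool address
                agi = str(ipaddress.IPv4Address(POOL_START))
                self.dynamic[key] = [agi, self._pat_port(agi, sport), now]
            else:
                self.dynamic[key] = [self._first_free_agi(), sport, now]
        entry = self.dynamic[key]
        entry[2] = now                   # refresh the idle timer
        return entry[0], entry[1]

    def inbound(self, agi, dport):
        """Packet seen on the outside interface bound for an AGI:
        returns (ALI, port) or None when no association exists."""
        for ali, a in self.static.items():
            if a == agi:
                return ali, dport
        for key, (a, port, _) in self.dynamic.items():
            if a != agi:
                continue
            if not self.overload:
                return key, dport
            if port == dport:
                return key[0], key[1]     # quadruplet lookup: original ALI and port
        return None


if __name__ == "__main__":
    t = NatTable(overload=True)
    print(t.outbound("10.1.1.1", 1503, now=0))   # first host keeps its port
    print(t.outbound("10.1.1.2", 1503, now=1))   # second host: port collision, moved
    print(t.inbound("193.49.96.64", 1504))
```

Running the block with `overload=True` shows the port collision case the article alludes to: two hosts using source port 1503 share the AGI 193.49.96.64, and the second one is given port 1504 so that the return packets can be told apart. With `overload=False`, each host consumes one pool address and `expire()` returns it to the pool once the entry has been idle longer than the timeout.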
Another translation table becomes necessary, binding the local external addresses (ALE) to the global external addresses (AGE). Indeed, if a host of the site connects to a distant server whose AGE belongs to the range of addresses usurped by the site, a translation of this address is required: a host of the NAT site could not interpret it as external and would send its packets not to the site router but to the host of the site having the same address.
Let us take another example, in which we leave aside the translation of the internal addresses to focus exclusively on the external addresses. A NAT site has numbered its hosts with public IP addresses allotted by the IANA to the titi.com domain. The user of the host with ALI 128.2.1.3 wishes to connect to the Web server of the titi.com domain. He types the URL http://www.titi.com/. His browser sends a DNS resolution request to the internal DNS server of the site, which forwards the request to an external server that returns the AGE 128.2.1.5. When this answer reaches the router, the router modifies the data part of the DNS answer: it replaces the address 128.2.1.5 with the first free address of the ALE pool, say address 192.2.2.3. It sends the modified DNS answer to the internal DNS server that made the request, and that server returns the answer to the client host. The client then initiates an HTTP connection to the server www.titi.com by trying to connect to the address 192.2.2.3. When the router sees the packets of this connection arrive, it changes the ALE 192.2.2.3 into the AGE 128.2.1.5.
Of course, it also rewrites the ALI of the station, 128.2.1.3, into an AGI, say address 193.49.96.64.
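The overlapping scenario above involves two rewrites: the data part of the DNS answer (AGE to ALE) and then both addresses of every packet of the connection. The following is an added example written for this article, not code from the article or from Cisco IOS; it uses the article's titi.com addresses (site numbered in 128.2.0.0/16, ALE pool 192.2.2.3 to 192.2.2.254, AGI pool 193.49.96.64 to 193.49.96.191) and assumes simple (non-PAT) translation for the inside addresses.

```python
"""Worked example of overlapping: AGE <-> ALE translation plus ALI <-> AGI.

Added example, not from the article or from Cisco IOS. The site reuses the
public range 128.2.0.0/16 (titi.com's) internally, so an outside host in that
range has to be shown to inside hosts under a local external address (ALE).
"""
import ipaddress

OVERLAPPED = ipaddress.ip_network("128.2.0.0/16")          # AGE range usurped inside
ALE_POOL = ["192.2.2.%d" % n for n in range(3, 255)]        # 192.2.2.3 .. 192.2.2.254
AGI_POOL = ["193.49.96.%d" % n for n in range(64, 192)]     # 193.49.96.64 .. .191


class OverlapRouter:
    """NAT router keeping an inside table (ALI -> AGI) and an outside table (ALE -> AGE)."""

    def __init__(self):
        self.inside = {}    # ALI -> AGI, dynamic simple translations
        self.outside = {}   # ALE -> AGE, created when a DNS answer is rewritten

    @staticmethod
    def _first_free(pool, used):
        # Pools are walked from the bottom up, like the dynamic AGI pool
        for addr in pool:
            if addr not in used:
                return addr
        raise RuntimeError("pool exhausted")

    def _ale_for(self, age):
        for ale, a in self.outside.items():
            if a == age:
                return ale                          # mapping already in progress
        ale = self._first_free(ALE_POOL, self.outside)
        self.outside[ale] = age
        return ale

    def _agi_for(self, ali):
        if ali not in self.inside:
            self.inside[ali] = self._first_free(AGI_POOL, set(self.inside.values()))
        return self.inside[ali]

    def dns_answer_from_outside(self, name, answer_ip):
        """Rewrite the data part of a DNS A answer arriving on the outside
        interface: an AGE inside the overlapped range becomes an ALE."""
        if ipaddress.ip_address(answer_ip) in OVERLAPPED:
            return name, self._ale_for(answer_ip)
        return name, answer_ip

    def packet_from_inside(self, src, dst):
        """Inside -> outside: source ALI -> AGI, destination ALE -> AGE."""
        return self._agi_for(src), self.outside.get(dst, dst)

    def packet_from_outside(self, src, dst):
        """Outside -> inside: source AGE -> ALE, destination AGI -> ALI.
        Returns None when no inside translation exists (the packet is dropped)."""
        ale = next((ale for ale, age in self.outside.items() if age == src), src)
        ali = next((ali for ali, agi in self.inside.items() if agi == dst), None)
        if ali is None:
            return None
        return ale, ali


if __name__ == "__main__":
    r = OverlapRouter()
    print(r.dns_answer_from_outside("www.titi.com", "128.2.1.5"))   # ('www.titi.com', '192.2.2.3')
    print(r.packet_from_inside("128.2.1.3", "192.2.2.3"))           # ('193.49.96.64', '128.2.1.5')
    print(r.packet_from_outside("128.2.1.5", "193.49.96.64"))       # ('192.2.2.3', '128.2.1.3')
```

The point of the outside table is visible in `packet_from_inside`: without the ALE, the client would address 128.2.1.5 directly and the packet would stay on the LAN, since that address looks like a neighbour. An answer for a host outside the overlapped range (one from 205.188.179.42, for instance) is passed through untouched.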
    ip nat inside source static 10.1.1.1 193.49.96.1

This command defines a simple static translation between the ALI 10.1.1.1 and the AGI 193.49.96.1.

    ip nat inside source static tcp 10.1.65.1 80 193.49.96.30 3000

Defines an extended static translation (10.1.65.1, 80, 193.49.96.30, 3000).

    ip nat pool adrpub 193.49.96.64 193.49.96.191 netmask 255.255.255.0

This command defines a pool of dynamic addresses starting at address 193.49.96.64 and ending at address 193.49.96.191. By default the pool allots addresses from the bottom to the top, always choosing the smallest free address. Two other types of pool can be selected by adding to the preceding command the keyword type followed by one of the following words:

    access-list 2 deny 10.1.1.1
    access-list 2 permit 10.0.0.0 0.255.255.255

The preceding access-list selects all the addresses of the class A network 10.0.0.0/8. These ALIs will be translated into AGIs. The address 10.1.1.1 is excluded from the selection access-list because a static translation was already defined for it.

    ip nat inside source list 2 pool adrpub

This command activates address translation on the router. It binds the AGI pool adrpub to the selection access-list number 2. The translation implemented in this case is a simple translation. To implement the extended translation (PAT), it is enough to add the keyword overload:

    ip nat inside source list 2 pool adrpub overload

Definition of the internal and external interfaces of the router; it is between these interfaces that NAT operates.

    ip nat inside

Marks an interface as internal.

    ip nat outside

Marks an interface as external.

    ip nat pool adrext 192.2.2.3 192.2.2.254 netmask 255.255.255.0
    ip nat outside source list 1 pool adrext
    access-list 1 permit 128.2.0.0 0.0.255.255

The preceding commands set up the example we took earlier to illustrate overlapping. We define an ALE pool from 192.2.2.3 to 192.2.2.254. We select the AGEs 128.2.0.0/16 to transform them into their local external counterparts (ALE).
In the output of the command, we see 3 extended dynamic translations (PAT), among them an HTTP connection and an FTP connection. We also see a simple static translation associating the ALI 10.1.65.14 with the AGI 193.49.96.14, and an extended static translation associating TCP port 3000 of the AGI 193.49.96.30 with TCP port 80 of the ALI 10.1.65.1.

    # show ip nat translations
    Pro Inside global      Inside local       Outside local        Outside global
    UDP 193.49.96.64:1555  10.1.65.41:1555    205.188.179.42:4000  205.188.179.42:4000
    TCP 193.49.96.64:1431  10.65.1.30:1329    207.137.153.46:80    207.137.153.46:80
    TCP 193.49.96.14:2527  10.1.65.14:2527    147.215.1.5:21       147.215.1.5:21
    --- 193.49.96.14       10.1.65.14         ---                  ---
    TCP 193.49.96.30:3000  10.1.65.1:80       ---                  ---

This command can give more information on the translations in progress with the keyword verbose:

    # show ip nat translations verbose
    Pro Inside global      Inside local       Outside local        Outside global
    UDP 193.49.96.64:1555  10.1.65.41:1555    205.188.179.42:4000  205.188.179.42:4000
        create 00:20:16, use 00:00:05, left 00:04:54, flags: extended, use_count: 0
These statistics show that 159 translations are active on the router: 20 are static translations and 139 are dynamic translations. One of them is a simple translation, whereas the router is configured to allocate extended translations. This is due to the way the router handles certain protocols, such as H.323, which require a simple translation instead of an extended one. There are 2 external interfaces and 5 internal interfaces defined. Hits indicates the number of times the router read the translation table and found an existing association; Misses indicates the number of lookups that failed and led to the creation of a new translation. Expired translations is the number of translations destroyed since the router last started.

    # show ip nat statistics
    Total active translations: 159 (20 static, 139 dynamic; 138 extended)
    Outside interfaces:
      Ethernet3, Tunnel1
    Inside interfaces:
      Ethernet0, Ethernet1, Serial0, Serial1, Serial2
    Hits: 236911482  Misses: 1382867
    Expired translations: 1503247
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool adrpub refcount 120
     pool adrpub: netmask 255.255.255.0
            start 193.49.96.64 end 193.49.96.191
            generic type, total addresses 128, allocated 1 (0%), misses 0
    clear ip nat translation tcp inside 193.49.96.64 1431 10.65.1.30 1329 outside 207.137.153.46 80 207.137.153.46 80

This command erases the second translation displayed above by the command show ip nat translations.
If the address range used for the translations is entirely virtual, i.e. if no interface of the router carries an address from it, it will not be redistributed outside. To avoid this problem, the range should be routed to the interface Null0 and redistributed:

    network 193.49.96.0
    ip route 193.49.96.0 255.255.255.0 Null0 permanent
To give a host a static translation afterwards:
- enter the appropriate ip nat inside source static command;
- exclude its ALI from the selection access-list of the dynamic translations.
When such a translation must be removed, it is enough to do the opposite: cancel the static translation and again select the host for the dynamic translations.
To modify the rules of the dynamic translations or to reload the configuration of the router, the command clear ip nat translation * must be entered first; otherwise the router does not accept the modifications. This command removes all the translations in progress. To prevent new translations from being created immediately, the ip nat inside commands should also be removed from the internal interfaces. Obviously these commands cut the connections in progress. To spare users this nuisance, it is good practice to modify the configuration piece by piece rather than running a whole configure network to change a single access-list.
The following protocols carry IP addresses in the data part of their packets but are nevertheless supported by NAT on Cisco routers, because the router also processes the data part of those packets: ICMP, FTP, NetBIOS, RealAudio, CU-SeeMe, StreamWorks, DNS A and PTR queries, H.323, NetMeeting, VDOLive, Vxtreme.
The following protocols are not supported: routing table updates, DNS zone transfers, BOOTP, talk and ntalk, SNMP, NetShow.
IP multicast has only recently been supported. We were able to test an IOS version allowing multicast at the University of Toulon, which is why, in the output of the command show ip nat statistics, one of the external interfaces is Tunnel1, an interface towards the MBONE [9].
In fact, only the DNS has to be deeply modified by the installation of NAT. Before NAT was installed on a site, names had been given to the hosts of the site, NFS mounts and client-server applications had been configured, and so on. After the implementation, everything must keep working in the same way, so the ALIs must be managed by an internal DNS server. In addition, the names of the site's Internet servers must still be resolved and the reverse resolution of the AGIs must keep working, so an external DNS server is also needed. Cisco NAT routers, by translating DNS A and PTR requests, allow certain sites to run a single server. Indeed, if the router sees arriving on its internal interface a response to a DNS request containing an ALI for which it has a translation in progress, it replaces the ALI in the answer with the associated AGI. Conversely, if it receives on an external interface a PTR request for an AGI for which it has a translation in progress, it replaces it with the associated ALI.
In our community, we use secondary DNS servers outside our sites to avoid service interruptions. The primary and secondary servers communicate by zone transfers [10]. However, NAT does not handle this type of transfer, which prevents us from using a single server.
We must therefore run 2 DNS servers: one internal, the other with a public IP address, generally in a DMZ. The hosts inside the NAT site use only the internal DNS server; they need neither to use nor to know of the existence of the external server. The external hosts need neither to know of nor to use the internal DNS server; they use only the external DNS server.
The technology offers a real advantage, since the administrator can obtain at any given moment the list of all connections in progress. That enables him to detect attacks in progress. If the router of a given site usually allocates on average only a hundred simultaneous translations, noticing that at a given time there are more than 1000 translations can be the sign of an attack from the inside towards the outside.
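The check suggested in the preceding paragraph can be automated by parsing the output of show ip nat translations (in the column layout shown earlier) and counting the entries in total and per inside host. The following is an added example written for this article, not code from the article or from Cisco IOS: the sample output is constructed from the same rows as the article's listing, the total threshold reuses the article's figure of 1000, and the per-host threshold is an assumption.

```python
"""Watching the translation count from 'show ip nat translations' output.

Added example, not code from the article or from Cisco IOS. SAMPLE is a
constructed listing in the column layout the article shows for the command.
The total threshold is the article's figure; the per-host one is assumed.
"""
import re
from collections import Counter

SAMPLE = """\
Pro Inside global      Inside local       Outside local        Outside global
UDP 193.49.96.64:1555  10.1.65.41:1555    205.188.179.42:4000  205.188.179.42:4000
TCP 193.49.96.64:1431  10.65.1.30:1329    207.137.153.46:80    207.137.153.46:80
TCP 193.49.96.14:2527  10.1.65.14:2527    147.215.1.5:21       147.215.1.5:21
--- 193.49.96.14       10.1.65.14         ---                  ---
TCP 193.49.96.30:3000  10.1.65.1:80       ---                  ---
"""

# One translation per line: protocol plus four address fields
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(field):
    """'10.1.65.41:1555' -> ('10.1.65.41', 1555); '193.49.96.14' -> (ip, None);
    '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, _, port = field.rpartition(":")
    if not ip:                      # no colon: simple translation, address only
        return port, None
    return ip, int(port)


def parse(text):
    """Return one dict per translation row; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Pro":
            continue
        pro, ig, il, ol, og = m.groups()
        rows.append({
            "proto": None if pro == "---" else pro.lower(),
            "inside_global": split_addr(ig), "inside_local": split_addr(il),
            "outside_local": split_addr(ol), "outside_global": split_addr(og),
            "extended": ":" in ig,   # PAT rows carry a port on the inside global address
        })
    return rows


def summarize(rows, total_alarm=1000, per_host_alarm=200):
    """Count translations in total and per inside host; list alerts above thresholds."""
    per_host = Counter(r["inside_local"][0] for r in rows if r["inside_local"][0])
    alerts = []
    if len(rows) > total_alarm:
        alerts.append("total translations %d above %d" % (len(rows), total_alarm))
    for host, n in per_host.most_common():
        if n > per_host_alarm:
            alerts.append("host %s holds %d translations" % (host, n))
    return {"total": len(rows), "per_host": per_host, "alerts": alerts}


def synthetic_flood(host, count):
    """Constructed rows imitating one inside host opening many PAT connections."""
    return "".join(
        "TCP 193.49.96.64:%d  %s:%d  147.215.1.5:80  147.215.1.5:80\n" % (p, host, p)
        for p in range(1024, 1024 + count))


if __name__ == "__main__":
    for name, text in (("normal", SAMPLE),
                       ("flood", SAMPLE + synthetic_flood("10.1.65.99", 1200))):
        print(name, summarize(parse(text))["alerts"])
```

The per-host counter is what makes the listing useful for attribution: a single ALI holding most of the table is exactly the information that is lost once the packets have left the site under a shared AGI, and it is cheap to record in a log at each poll, unlike the output of debug ip nat.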
But NAT poses real security problems. It is impossible for the administrator of a NAT site to trace back to the origin of an attack coming from his site. Indeed, apart from static translations, which by definition are rare, the IP address that an external administrator will have detected as causing a problem does not make it possible to go back to the host at the origin of the problem. The only command making it possible to trace the translations carried out by the router is debug ip nat, which produces far too much output to be usable and logged: it would bring the router down.
It is therefore necessary to take measures to avoid these problems. Most of the following recommendations are already implemented on sites that do not have a NAT router.
It is necessary to forbid at the exit of the site whatever is not strictly necessary, paying particular attention to dangerous protocols such as the r-commands (rsh, rlogin, etc.).
Insulting messages that the users of a site can send by email or through a form on the Web can also cause problems, made worse by the installation of NAT. To always be able to trace such messages back to the originating host, the following precautions are necessary:
Forbid outgoing SMTP connections except from the official MX, on which a version of sendmail must be installed that writes in the logs and in the message headers the IP address of the sending host when the name it announces is fake:

    Received: from mail.univ-tln.fr (mail.univ-tln.fr [193.49.96.2])
        by mailimailo.univ-rennes1.fr (8.9.3/jtpda-5.3.1) with ESMTP id QAA22893
        for <echo@univ-rennes1.fr>; Wed, 15 Sep 1999 16:53:02 +0200 (MET DST)
    Received: from idonotexists.univ-tln.fr (pc-benza.univ-tln.fr [10.1.65.216])
        by mail.univ-tln.fr (8.9.3/Universite of Toulon and the VAr) with smtp id QAA06751
        for echo@univ-rennes1.fr; Wed, 15 Sep 1999 16:52:39 +0200 (MET DST)

The information in this header makes it possible to trace back to the genuine host that sent the message, but it is enough that one SMTP server of the site accepts messages without logging this information for it to become impossible to trace back to the sender.
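Reading such a header chain by hand is error-prone, so here is how the trace back to the inside host can be done programmatically. This is an added example written for this article, not code from the article; it parses the header block quoted above in sendmail's "from announced-name (reverse-name [ip])" layout, and the set of internal networks, taken from RFC 1918, is an assumption standing in for the site's real ALI range.

```python
"""Tracing a message back through its Received: headers to the inside host.

Added example, not code from the article. SAMPLE_HEADERS is the header
block quoted in the article; INTERNAL_NETS is an assumed ALI range.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: the site's ALI range

# Continuation lines of a folded header start with whitespace (RFC 822)
SAMPLE_HEADERS = """\
Received: from mail.univ-tln.fr (mail.univ-tln.fr [193.49.96.2])
    by mailimailo.univ-rennes1.fr (8.9.3/jtpda-5.3.1) with ESMTP id QAA22893
    for <echo@univ-rennes1.fr>; Wed, 15 Sep 1999 16:53:02 +0200 (MET DST)
Received: from idonotexists.univ-tln.fr (pc-benza.univ-tln.fr [10.1.65.216])
    by mail.univ-tln.fr (8.9.3/Universite of Toulon and the VAr) with smtp id QAA06751
    for echo@univ-rennes1.fr; Wed, 15 Sep 1999 16:52:39 +0200 (MET DST)
"""

# sendmail layout: "from <announced> (<reverse name> [<ip>]) by <relay>"
HOP = re.compile(r"^Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")


def unfold(text):
    """Join continuation lines onto the header line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_received(text):
    """Return the Received hops in header order (most recent relay first)."""
    hops = []
    for line in unfold(text):
        m = HOP.match(line)
        if m:
            announced, reverse_name, ip, relay = m.groups()
            hops.append({"announced": announced, "reverse": reverse_name,
                         "ip": ip, "by": relay,
                         # the sender lied about its name if the reverse lookup differs
                         "forged_name": announced != reverse_name})
    return hops


def origin(hops):
    """Earliest hop whose source IP lies in the site's internal range, or None
    when no relay logged an inside address (the trail is lost at the MX)."""
    for hop in reversed(hops):          # the header written first is the oldest
        if any(ipaddress.ip_address(hop["ip"]) in net for net in INTERNAL_NETS):
            return hop
    return None


if __name__ == "__main__":
    o = origin(parse_received(SAMPLE_HEADERS))
    print(o["reverse"], o["ip"], "forged name:", o["forged_name"])
```

In the quoted case the trail leads to pc-benza.univ-tln.fr (10.1.65.216), whose announced name idonotexists.univ-tln.fr is flagged as forged because it differs from the reverse lookup recorded by the MX. If the MX had not logged the bracketed IP address, `origin()` would return None: the outside relay only ever sees 193.49.96.2, the address of the MX itself.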
Install a Web proxy server that logs Web accesses, to be able to trace back to a host posting insults on forms. We had this case twice in two years at the University of Toulon and could trace the culprit once. In the second case we found the host, but it was in free access.
Add to the traditional IP masquerade rules, which filter AGIs, a filter against ALIs if your internal addressing conforms to RFC 1918; otherwise, this problem is handled by the installation of overlapping.
By breaking end-to-end connectivity, NAT prevents the deployment of protocols of the IPSec type.
Current IOS versions, in particular 12.0(5)T, correct the multicast problem [11]. With these versions, if the router detects a host with an ALI that subscribes to a multicast group, it dynamically allots it an AGI by a simple translation. That is, one address of the pool is needed for each host of the site subscribed to an MBONE group.
The following translations are supported:
By removing the limits tied to the dependence on the IPv4 addresses handed out sparingly by an ISP, NAT makes it possible for the network administrator to create a design that matches the needs of the organisation.
For a new site, it is probably preferable to adopt an IPv6 scheme immediately and to deploy a NAT-PT router [12] (still at the draft stage), for a result and an implementation effort almost identical to IPv4 NAT. Such solutions should soon be available in the catalogues of the large manufacturers. NAT-PT allows the IPv6 and IPv4 worlds to communicate by translating the v6 and v4 addresses and by adding a protocol translation. For example, the new EPRT and EPSV commands of FTP over IPv6 are translated into the corresponding PORT and PASV commands and vice versa. Similarly, IPv4 DNS A queries are translated into their IPv6 equivalents, AAAA or A6, and vice versa.
For an old site whose network has become a real headache over time, and where each introduction of a new address range forces the renumbering of part of its hosts, the implementation of NAT certainly makes it possible to increase performance by letting the administrator introduce layer 3 switching without fearing a shortage of IP addresses.
NAT will probably be implemented on many sites and for a long time yet, either in its current form or as a router implementing NAT-PT during the transition period between IPv4 and IPv6. At the beginning of this period, this mechanism will allow sites that have adopted IPv6 for their internal addressing to preserve connectivity with the IPv4 world. Later, it will allow sites that remained IPv4 to talk to an IPv6 world.
Far from being competitors, these protocols are therefore complementary, NAT allowing a careful transition towards IPv6.
2. RFC 1631: The IP Network Address Translator (NAT). Kjeld Borch Egevang, Paul Francis, May 1994. ftp://ftp.imag.fr/pub/archive/IETF/rfc/rfc1631.txt
3. Cisco IOS Software. http://www.cisco.com/public/sw-center/sw-ios.shtml
4. CRU, Comité Réseau des Universités. http://www.cru.fr/
5. UREC, Unité Réseau du CNRS. http://www.urec.fr/
6. NAT or Network Address Translation, report of the working group. Claudine Chassagne, August 1998. http://www.urec.fr/nat/
7. Internet Assigned Numbers Authority. http://www.iana.org/
8. RFC 1918: Address Allocation for Private Internets. Yakov Rekhter, Robert G. Moskowitz, Daniel Karrenberg, Geert Jan de Groot, Eliot Lear, February 1996. ftp://ftp.imag.fr/pub/archive/IETF/rfc/rfc1918.txt
9. La diffusion multipoint, le MBONE (Multicast, the MBONE). C. Claveilera, September 1999. http://www.cru.fr/multicast/
10. RFC 2182: Selection and Operation of Secondary DNS Servers. Robert Elz, Randy Bush, Scott Bradner, Michael A. Patton, July 1997. ftp://ftp.imag.fr/pub/archive/IETF/rfc/rfc2182.txt
11. Brief Overview on multicast NAT (12.0T). Cisco Systems. ftp://ftpeng.cisco.com/ipmulticast/Multicast-NAT.txt
12. Network Address Translation - Protocol Translation (NAT-PT). George Tsirtsis, Pyda Srisuresh, June 1999. ftp://ftp.imag.fr/pub/archive/IETF/internet-drafts/draft-ietf-ngtrans-natpt-06.txt. This draft became RFC 2766.