NAT (Network
Address Translation) is used to translate private IP addresses into public IP addresses. NAT changes the source and destination IP addresses and ports. NAT Address
translation reduces the need for IPv4 public addresses and it also hides
private network address ranges. NAT generally operates on a router or
firewall.
Public IP addresses
are routable through the internet but Private IP addresses are intended for use
within an organization but not routable on the internet unless using NAT. Network
address translation allows the private IP address to be translated into routable on the internet.
How NAT works?
Network address translation
allows Private IP address range devices to access the Internet with a single Public IP
address, NAT makes the corresponding entries of IP address and port number in
the NAT table. Network Address Translation NAT is running out of IP
addresses means no address is left in the pool then packets will be dropped and an ICMP packet is sent.
Why do we need Network Address Translation NAT?
Network Address Translation NAT was originally developed to solve two problems:
To help us to solve and handle a shortage of ipv4 addresses.
Hide network addressing schemes.
What
are the types of NAT: -
Static NAT (SNAT)-
Dynamic NAT (DNAT)
Port address translation (PAT)
Static NAT- a single private IP address is mapped
with a public IP address. One-to-one mapping is done manually. Every private IP
address is need to be mapped with a registered IP address. Static NAT is used for
Web hosting not for organizations because there are many devices, that want to access the internet, and to provide the internet we need many registered legal IP
addresses which will be costly.
Dynamic DNAT- In DNAT Private IP address is
translated into Public IP address dynamically from the pool of registered IP addresses
(public). When the IP address in the pool is full and not free, The IP packet will
be dropped and ICMP is sent. Let’s say we have a pool with 3 IP addresses (public) then only 3 3 private IP addresses
can be translated from private to public. If we want the 4th IP (private)
need to access the internet then the packet will be dropped and ICMP sent host
is unreachable. DNAT is also very costly because here we need to buy lots of
registered IP addresses (public). Of course, mapping is done dynamically.
Port Address
Translation (PAT)- This NAT is also known as dynamic NAT overload. PAT allows thousands of
users can access to the internet using only one real global registered public
IP address. PAT maps thousands to one by using ports. PAT is the only reason or
solution we have not run out of valid IP addresses on the internet. This PAT is
cost-effective because of single public IP is used; the port number is used to
distinguish the traffic means which traffic belongs to which IP address.
There are
certain addresses in each class of IP address that is reserved for private
networks. These addresses are called private addresses.
Class a 10.0.0.0 to 10.255.255.255
Class b
172.16.0.0 to 172.31.255.255
Class c 192.168.0.0 to 192.168.255.255
How does PAT work with the Port number?
Whenever
our client sends an IP packet, the packet has a source IP address, destination IP
address, and also the source port number and destination port number. These port
numbers keep the track separate. The different communication flows are kept separate
in the router NAT translation table by considering port numbers.
when PC 1 with an IP address 20.1.1.1 sends a packet to the web server with an IP address 203.0.113.2,the client ephemeral port number 15000. The router notes that port number and translates the inside local address of 20.1.1.1 with a port number of 15000 to an inside global address of 198.50.100.1 with a port number of 13000.
If our PC 2 wants to access the same web server, its private IP address is 20.1.1.2 with a port number of 16000 is translated into and outside the local address of 198.50.100.1 with a port number of 13001.
now notice both of the PCs have the same global inside address 198.50.100.1. when our web server sends back traffic to clients those packets are destined for the same IP address which 198.50.100.1. now when the router receives the packets, our router knows which traffic belongs to which client because of the port number. understand if the packet from the web server 200.0.133.2 arrived at the router with the destination IP address 198.51.100.1 and also the destination port number 13000. router understands this packet belongs to PC1.
let's see the configuration of SNAT, DNAT, and PAT and understand it better.
Topology: -
Configure the
topology as per the diagram
Assign the
IP addresses as per the topology
Configure static
route from ISP to the router
Configure default
route toward ISP
Configure Static
NAT on router mapping with 50.0.0.0
Configure implementation
on the inside interface and outside interface
Ping from the client
and send traffic from the server back to a router
Access-List or ACL is a set
of rules which will allow or deny the specific traffic moving through the
router. ACL is defined as controlling network traffic and reducing network attacks.ACLs are used to filter traffic based on the set of rules defined for the IN to the router or OUT to the router of the network. An ACL would be your tool of choice for decision-making for example you can set them to allow certain hosts to access web resources on the internet while others are restricted.
Access-list is to filter unwanted packets when implementing security policies. ACL is a layer 3 security that controls the flow of traffic from one router to another. it is also called a packet-filtering firewall.
How access-list works.
The packet is always
compared with each line of the access list in sequential order. This means the set of rules defined are matched serial wise i.e. matching starts with the first
line of the access list, then move to 2nd line, then 3rd, and so on.
The packet is
compared with lines of the given access list only until a match is made. Once it matches the condition on the line of the access list or rules are matched then
no further comparison takes place and that rule will be performed.
There is an
implicit deny at the end of each access list because if no condition or rules
matches then the packet will be discarded.
Types of Access- List
Mainly there are two types
of access lists:
Standard access listsThese
ACLs use only the source IP address in an IP packet as the condition test. All decision
is made based on the source IP address. This means that a standard access list
basically permits or denies an entire suite of protocols. They do not distinguish between
any of the many types of IP traffic such as web, talent, UDP, HTTP, and so on.By using numbers 1-99 or
1300-1999, the router will understand it as a standard ACL and the specified
address as the source IP address.
Key: -
All decision is made based on the
source IP address.
The access list number is 1-99 or
1300-1999
Can block a network, host, and subnet
All services are blocked.
Implemented closet to the
destination.
do not distinguish between any of the many
types of IP traffic.
An extended access list can evaluate many of the other fields in the layer 3 and layer 4
headers of an IP packet. These
are the ACLs that use source IP, Destination IP, source port, and Destination
port. we
can also mention which IP traffic should be allowed or denied. This
gives the extended access list the ability to make much more granular decisions when
controlling traffic. These uses range from 100-199 and 2000-2699.
key: -
The access-list number range is 100-199 and 2000-2699.
We can allow or deny a network, host, subnet, and service
Selected services can be blocked
Implemented closest to the source.
Filtering is done based on source IP, destination IP,
Protocol, and port no.
Named access list a name is assigned for the identification. Named access lists are either standard or extended and not actually a distinct type. we can delete a named access list, unlike a number.
key: -
Access-list are identified using names rather than
numbers.
Names are case-sensitive.
No limitation of numbers here.
One main advantage is the editing of ACL is possible (i,e)
removing a specific statement from the ACL is possible.
Numbered
access-list – These are the access list that cannot be deleted
specifically once created i.e if we want to remove any rule from an Access-list
then this is not permitted in the case of the numbered access list.
when we create an access list on the router. it is not going to do anything until you apply it on the interface, sure it's on the router but inactive. we have to tell the router what to do with these ACLs. To use the access list as
a packet filter, you need to apply it to an interface on the router where you
want the traffic filter. And you have got to specify which direction of traffic
you want the access list applied to. Once we create the access list, then it should be applied to the inbound or outbound of the interface.
Inbound ACLs- When
an access list is applied on inbound packets of the interface. First, those packets are processed through the ACLs before being routed to the outbound
interface. Any packet denial will not be routed or discarded.
Outbound ACLs- When
an access list is applied to outbound packets on the interface, packets are routed to the outbound interface and
then processed through the access list before being queued.
How to write an ACL statement
First understand the situation what we want to do and on
which router we are going to implement ACls, and identify the source address and
destination. Traffic direction Inbound or outbound. Make sure the router we
implementing ACLs must be the transit router.
What is a time-based ACL?
The time-based access list is a type of access list that allows network access on the basis of a given time period. It is useful when you want to place restrictions on outbound or inbound traffic on the basis of particular days and time periods.
Sometimes it may be useful if you want to block particular traffic on specific days or during business hours.
Access-list rules
ACLs work in sequential order
standard ACLs are applied close to the destination not always.
extended ACLs are applied close to the source not always.
We can assign only one ACL per interface per protocol per
direction, i.e., only one inbound and outbound ACL is permitted per interface.
All deny statements have to be given first (best practice)
you cannot remove a rule from ACLs if you are configuring
numbered ACLs. when we try to remove a rule then the whole access list will be removed unless named ACLS then we can delete it.
An implicit deny blocks all the traffic by default when there
is no match (an invisible statement).
Any time a new entry is added to the access list, it will be
placed at the bottom of the list, using a text editor for access lists is
highly suggested.
you cannot remove one line from an access list.
Standard access lists and extended access lists cannot have
the same name.
Wild card mask Tell the router which
portion of the bits to match or ignore. 0= must match and 1=ignore. The wild card mask for the network will be an inverse mask, Wild card mask for a
host will be always 0.0.0.0.
In this article, we are going to configure standard ACLs, extended ACLs, Named ACLs, Routing ACLs, and Time-based ACLs.
Topology: - Standard ACLs
Goal:
configure the topology as per the diagram.
assign the IP addresses as per the topology including PC
configure routing (EIGRP) and make sure all the computers can communicate with each other using PING.
deny the host 10.1.1.2 communicate with 20.1.1.2 but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
deny the host 10.1.1.4 communicate with 20.1.1.4 but the rest of the 10.0.0.0 network can communicate with the 20.0.0.0 network.
deny the network 40.0.0.0 communicate with 20.1.1.0 network
permit all the remaining traffic.
(Starting from configuring IP addresses as per the topology)
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
(From the above output host 40.1.1.2 can ping 10.1.1.4)
Router-ONE(config)#ip access-list extended cisco
Router-ONE(config-ext-nacl)#deny ip 30.1.1.2 0.255.255.255 host 10.1.1.4
Router-ONE(config-ext-nacl)#deny ip 40.1.1.2 0.255.255.255 host 10.1.1.4
Router-ONE(config-ext-nacl)#permit ip any any
Router-ONE(config-ext-nacl)#exit
Router-ONE(config)#interface fastEthernet 1/0
Router-ONE(config-if)#ip access-group cisco out
Router-ONE(config-if)#exit
Router-ONE#show access-lists cisco
Extended IP access list cisco
deny ip 30.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))
deny ip 40.0.0.0 0.255.255.255 host 10.1.1.4 (4 match(es))
permit ip any any (8 match(es))
(Now we try to ping from 40.1.1.2 to 10.1.1.4 and 10.1.1.2)
C:\>ipconfig
IP Address......................: 40.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 40.1.1.1
C:\>ping 30.1.1.2
Pinging 30.1.1.2 with 32 bytes of data:
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time=1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
Reply from 30.1.1.2: bytes=32 time<1ms TTL=126
C:\>ping 30.1.1.14
Pinging 30.1.1.14 with 32 bytes of data:
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Ping statistics for 30.1.1.14:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
(From the above output you can see when we try to ping the 30.1.1.2 host from the 40.1.1.2, the communication is smooth but when we try to ping the 30.1.1.4, the result is destination host unreachable because of Named ACLs)
(Now we try to ping from 30.1.1.2 to 10.1.1.4 and 10.1.1.2)
C:\>ipconfig
IP Address......................: 30.1.1.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 30.1.1.1
C:\>ping 10.1.1.4
Pinging 10.1.1.4 with 32 bytes of data:
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Reply from 1.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.4:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
