
NAT/PAT Config & Troubleshooting


lacyn

Presentation Transcript


  1. NAT/PAT Config & Troubleshooting

  2. Agenda
  • NAT Overview
  • NAT Operations
  • NAT Config & Troubleshooting
  • NAT Redundancy
  • NAT in MPLS/VRF environment

  3. Why Use NAT?
  [Diagram: an inside host 10.1.1.1 sends a packet with SA 10.1.1.1 through the NAT border router (10.1.1.2) to the Internet; outside, the packet carries SA 200.1.1.1]
  Typical examples of NAT:
  • You need to connect to the Internet and your hosts do not have globally unique IP addresses
  • You change over to a new ISP that requires you to renumber your network
  • Two intranets with duplicate addresses merge

  4. NAT Implementation Considerations
  Advantages:
  • Conserves legally registered addresses
  • Hides the internal network
  • Increases flexibility in IP addressing design
  • Eliminates address renumbering when the ISP changes
  Disadvantages:
  • Translation introduces switching path delays
  • Certain applications will not function with NAT enabled

  5. Private IP address ranges
  • Class A - 10.0.0.0/8
  • Class B - 172.16.0.0/19
  • Class C - 192.168.0.0/16
  • These IP addresses are not advertised on the Internet.
  • Defined in RFC 1918
  N.B. Even though NAT is typically used to translate a private IP to a public IP, there are scenarios where NAT is used to translate a private IP to another private IP, a public IP to a private IP, etc.

  6. Agenda
  • NAT Overview
  • NAT Operations
  • NAT Config & Troubleshooting
  • NAT Redundancy
  • NAT in MPLS/VRF environment

  7. NAT Address Terminology
  [Diagram: host A (10.1.1.1) on the Inside sends SA 10.1.1.1 towards host B (150.1.1.1) on the Internet through the NAT router (10.1.1.2); outside, the packet carries SA 200.1.1.1; the reply arrives with DA 200.1.1.1 and is delivered inside with DA 10.1.1.1]
  NAT table:
    Inside Local IP Address   Inside Global IP Address   Outside Local IP Address   Outside Global IP Address
    10.1.1.1                  200.1.1.1                  150.1.1.1                  150.1.1.1

  8. NAT & Routing
  • Inside Local (IL) → typically learnt via the IGP
  • Inside Global (IG) → 'owned' by the NAT router, no local route, should be known Outside
  • Outside Global (OG) → typically reached through a default route
  • Outside Local (OL) → 'owned' by the NAT router, needs a local route pointing to Outside, should be advertised Inside
  [Diagram: Inside (private IP) runs the IGP; Outside (Internet) is reached via the default route]

  9. NAT Operations
  [Diagram: inside hosts 10.1.1.1 and 10.1.1.2 behind the NAT router towards the Internet]
  NAT table:
    Inside Local IP Address   Inside Global IP Address
    10.1.1.1                  200.1.1.1
    10.1.1.2                  200.1.1.2
  NAT functions:
  • Dynamic NAT
  • Dynamic NAT with overloading
  • Static NAT
  • Translation of outside global addresses

  10. Translating Inside Local Addresses - Dynamic NAT
  • A pool of public IPs is defined [200.1.1.x]
  • Needs as many public IPs as internal hosts!
  • Traffic should be initiated from Inside
  • Not used often in practice
  [Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach host B (150.1.1.1) through the NAT router; outbound, SA 10.1.1.1 becomes SA 200.1.1.1; on the return, DA 200.1.1.1 becomes DA 10.1.1.1]
  NAT table:
    Inside Local IP Address   Inside Global IP Address
    10.1.1.1                  200.1.1.1
    10.1.1.2                  200.1.1.2
    10.1.1.3                  200.1.1.3

  11. Dynamic NAT with Overloading
  Same address is used for different internal users!
  [Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach host B (150.1.1.1) and host C (150.1.2.1) through the NAT router; all leave with SA 200.1.1.1]
  NAT table:
    Protocol   Inside Local IP Address:Port   Inside Global IP Address:Port   Outside Global IP Address:Port
    TCP        10.1.1.1:1024                  200.1.1.1:1024                  150.1.1.1:23
    TCP        10.1.1.2:1723                  200.1.1.1:1723                  150.1.1.1:23
    TCP        10.1.1.3:1024                  200.1.1.1:11024                 150.1.1.1:23
    TCP        10.1.1.2:1024                  200.1.1.1:1024                  150.1.2.1:23
  The source port is kept whenever the resulting (inside global:port, outside global:port) pair is still unique: 10.1.1.3's port 1024 is rewritten to 11024 because 200.1.1.1:1024 → 150.1.1.1:23 is already taken, while 10.1.1.2 keeps port 1024 towards the other server 150.1.2.1.

  12. Translating Inside Local Addresses - Static NAT
  • Typically used to provide access from Outside to internal servers
  • Can map TCP/UDP ports to different internal servers
  [Diagram: web server 10.1.1.5 and mail server 10.1.1.1 on the Inside; NAT router with outside address 75.1.1.1; host B (150.1.1.1) on the Internet]
    10.1.1.5 -> 75.1.1.1:80
    10.1.1.1 -> 75.1.1.1:25

  13. Translating Outside Global Addresses
  Host B should appear as an inside host
  [Diagram: inside host 10.1.1.1 sends SA 10.1.1.1, DA 10.1.1.100; the packet leaves the NAT router as SA 200.1.1.1, DA 150.1.1.1; host B (150.1.1.1) replies with SA 150.1.1.1, DA 200.1.1.1, which the inside host receives as SA 10.1.1.100, DA 10.1.1.1]
  NAT table:
    Inside Local IP Address   Inside Global IP Address   Outside Local IP Address   Outside Global IP Address
    10.1.1.1                  200.1.1.1                  10.1.1.100                 150.1.1.1
  N.B. There should be a route for 10.1.1.100 pointing to Outside

  14. NAT - Order of Operations
  Outside to Inside:
  • If IPSec then check input access list
  • decryption for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  Inside to Outside:
  • If IPSec then check input access list
  • decryption for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context Based Access Control (CBAC))
  • TCP intercept
  • encryption

  15. Agenda
  • NAT Overview
  • NAT Operations
  • NAT Config & Troubleshooting
  • NAT Redundancy
  • NAT in MPLS/VRF environment

  16. Translating Inside Local Addresses
  • Static NAT
  • Dynamic NAT
  One public IP for every internal host!
  [Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach host B (150.1.1.1) through the NAT router; outbound, SA 10.1.1.1 becomes SA 200.1.1.1; on the return, DA 200.1.1.1 becomes DA 10.1.1.1]
  NAT table:
    Inside Local IP Address   Inside Global IP Address
    10.1.1.1                  200.1.1.1
    10.1.1.2                  200.1.1.2
    10.1.1.3                  200.1.1.3

  17. Static NAT Configuration Example
    ip nat inside source static 10.1.1.1 200.1.1.1
    ! OR
    ip nat inside source static network 10.1.1.0 200.1.1.0 /24
    !
    ! This interface is connected to the inside network.
    interface Ethernet0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    ! This interface is connected to the outside world.
    interface Serial0
     ip address 120.16.2.1 255.255.255.0
     ip nat outside

    NAT# sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    --- 200.1.1.1          10.1.1.1           ---                ---
    NAT#

  18. Static NAT - Example 1
  [Diagram: web server 10.1.1.5 and mail server 10.1.1.1 on the Inside; NAT router with outside address 75.1.1.1; host B (150.1.1.1) on the Internet]
    10.1.1.5 -> 75.1.1.1:80
    10.1.1.1 -> 75.1.1.1:25
    ip nat inside source static tcp 10.1.1.5 80 75.1.1.1 80
    ip nat inside source static tcp 10.1.1.1 25 75.1.1.1 25
    !
    interface Ethernet0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0
     ip address 75.1.1.1 255.255.255.0
     ip nat outside

  19. Static NAT - Example 2 - Port Rewrite
  [Diagram: web server 10.1.1.2 and TFTP server 10.1.1.8 on the Inside; NAT router with outside address 75.1.1.1; host B (150.1.1.1) on the Internet]
    10.1.1.2:8080 -> 75.1.1.1:80 [tcp]
    10.1.1.8:69   -> 75.1.1.1:69 [udp]
    ip nat inside source static tcp 10.1.1.2 8080 75.1.1.1 80
    ip nat inside source static udp 10.1.1.8 69 75.1.1.1 69
    !
    interface Ethernet0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0
     ip address 75.1.1.1 255.255.255.0
     ip nat outside

  20. Static NAT - ARP cache
    ip nat inside source static 10.1.1.5 75.1.1.2
    !
    interface Ethernet0/0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Ethernet1/0
     ip address 75.1.1.1 255.255.255.0
     ip nat outside
  [Diagram: Eth0/0 (IN) faces the inside network; Eth1/0 (OUT) sits on the Ethernet 75.1.1.0/24 towards the Internet]
  → an ARP entry is created for the inside global address
    NAT#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  10.1.1.10        -          aabb.cc00.6600  ARPA  Ethernet0/0
    Internet  10.1.1.1         122        aabb.cc00.6500  ARPA  Ethernet0/0
    Internet  75.1.1.1         -          aabb.cc00.6601  ARPA  Ethernet1/0
    Internet  75.1.1.2         -          aabb.cc00.6601  ARPA  Ethernet1/0
  N.B. For dynamic NAT, the ARP entry is created as soon as the first NAT entry is created for the inside global address

  21. Static NAT Options
    NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 ?
      extendable  Extend this translation when used
      mapping-id  Associate a mapping id to this mapping
      no-alias    Do not create an alias for the global address
      no-payload  No translation of embedded address/port in the payload
      redundancy  NAT redundancy operation
      route-map   Specify route-map
      vrf         Specify vrf
      <cr>

  22. Static NAT Options - extendable
  [Diagram: the user's network is connected to the Internet through ISP1 (200.1.1.0/24) and ISP2 (100.1.1.0/24); a server sits on the Internet]
    NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 extendable
    NAT(config)#ip nat inside source static 10.1.1.1 100.1.1.1 extendable
  • Creates extended entries for every translated flow
  • Necessary to support 2 entries for the same inside local IP
  • The first packet sent by the user creates the extended entry, so traffic back from the server can use the same ISP
  • Remark: NAT has no influence on packet forwarding, i.e. packets coming in from ISP1 will be sent back with the source IP of ISP1, but CEF might send those packets through the ISP2 link!
    NAT#sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 200.1.1.1:23       10.1.1.1:23        150.1.1.1:64493    150.1.1.1:64993
    tcp 100.1.1.1:23       10.1.1.1:23        18.1.1.1:16564     18.1.1.1:16564
    --- 200.1.1.1          10.1.1.1           ---                ---
    --- 100.1.1.1          10.1.1.1           ---                ---

  23. Extended entries
  • Extended entries are automatically created in all recent releases
  • Use the following command to disable the automatic creation of extended entries:
    NAT(config)# no ip nat create flow-entries
  • The extendable keyword can then be used to create extended entries for selected static NAT entries

  24. Static NAT Options - no-alias
  [Diagram: Eth0/0 (IN) faces the inside network; Eth1/0 (OUT) sits on the Ethernet 120.16.1.0/24 towards the Internet]
    NAT(config)#ip nat inside source static 10.1.1.1 120.16.1.5 no-alias
  → no ARP entry is created for the inside global address
    NAT#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  10.1.1.10        -          aabb.cc00.6600  ARPA  Ethernet0/0
    Internet  10.1.1.1         122        aabb.cc00.6500  ARPA  Ethernet0/0
    Internet  120.16.2.2       122        aabb.cc00.6700  ARPA  Ethernet1/0
    Internet  120.16.2.1       -          aabb.cc00.6601  ARPA  Ethernet1/0
    Internet  120.16.2.5       -          aabb.cc00.6601  ARPA  Ethernet1/0

  25. Static NAT Options - no-payload and route-map
    NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 no-payload
  • The source IP/port appears in the payload of many applications
  • The IOS NAT code supports payload modification (ALG - Application Layer Gateway) for some applications (FTP, H323, DNS, ...) BUT not all
  • The port number used by an application (if different from the default) can be specified with the "ip nat service" global configuration command
  • The no-payload option disables the ALG (payload modification) for this entry
  • N.B. There is no way to disable the ALG for dynamic NAT
    ip nat inside source static 10.1.1.1 200.1.1.1 route-map COND [reversible]
    !
    access-list 150 permit tcp any host 150.1.1.1
    !
    route-map COND permit 10
     match ip address 150
  • Adds conditions to a static NAT entry (only an acl in the route-map is supported)
  • Only traffic matching the route-map is allowed to be translated
  • Works from OUT to IN since CSCec54909 (12.4(2.11)) with the "reversible" keyword

  26. Dynamic NAT Configuration
    ip nat pool PUBLIC 200.1.1.1 200.1.1.254 netmask 255.255.255.0
    ip nat inside source list 1 pool PUBLIC
    !
    access-list 1 permit 10.1.1.0 0.0.0.255

    NAT#sh ip nat translations
    NAT#
    NAT# ! No entry as long as no traffic is received from inside
    NAT#
    NAT# ! We generate traffic ...
    NAT#
    NAT#sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 200.1.1.1:27354    10.1.1.1:27354     150.1.1.1:23       150.1.1.1:23
    --- 200.1.1.1          10.1.1.1           ---                ---
    tcp 200.1.1.2:16554    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
    --- 200.1.1.2          10.1.1.5           ---                ---
  N.B. Traffic should be initiated from inside, but once an inside local is associated with an inside global, other sessions can be initiated from outside: while the simple (non-extended) entry exists, the inside host is reachable from outside on any port through its inside global address, so restricting that is the job of the input access list on the outside interface, which the order of operations on slide 14 checks before the outside-to-inside translation.

  27. Dynamic NAT Pool Options
    NAT(config)#ip nat pool PUBLIC prefix-length 24
    NAT(config-ipnat-pool)#address 200.1.1.1 200.1.1.10
    NAT(config-ipnat-pool)#address 100.1.1.1 100.1.1.20
  • A discontinuous pool can be defined this way
    ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 type match-host
  • prefix-length defines the host part
  • Keeps the host part in the translation
  • If that is not possible, no translation occurs
  • Addresses are prepopulated (consume memory) CSCdp05523
    ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 add-route
  • Adds a static route pointing to the NVI (NAT Virtual Interface)
  • The static route subnet mask is the prefix-length defined in the pool
  • Used in a VRF environment where the NAT NVI is required

  28. Dynamic NAT Options
    NAT(config)#ip nat inside source list 1 pool PUBLIC ?
      mapping-id  Associate a mapping id to this mapping
      overload    Overload an address translation
      reversible  Allow out->in traffic
      vrf         Specify vrf

  29. Dynamic NAT Options - overload
  Same address is used for different internal users!
  [Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach host B (150.1.1.1) and host C (150.1.2.1) through the NAT router; all leave with SA 200.1.1.1]
  NAT table:
    Protocol   Inside Local IP Address:Port   Inside Global IP Address:Port   Outside Global IP Address:Port
    TCP        10.1.1.1:1024                  200.1.1.1:1024                  150.1.1.1:23
    TCP        10.1.1.2:1723                  200.1.1.1:1723                  150.1.1.1:23
    TCP        10.1.1.3:1024                  200.1.1.1:11024                 150.1.1.1:23
    TCP        10.1.1.2:1024                  200.1.1.1:1024                  150.1.2.1:23

  30. Dynamic NAT Config with Overloading
    ip nat pool ovrld-nat 200.1.1.1 200.1.1.1 netmask 255.255.255.0
    ip nat inside source list 1 pool ovrld-nat overload
    ! OR
    ip nat inside source list 1 interface Serial0/0 overload
    !
    access-list 1 permit 10.1.1.0 0.0.0.255

    NAT#sh ip nat translations
    NAT#
    NAT# ! No entry as long as no traffic is received from inside
    NAT#
    NAT# ! We generate traffic ...
    NAT#
    NAT#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    tcp  200.1.1.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
    tcp  200.1.1.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
    icmp 200.1.1.1:9        10.1.1.2:9         150.1.1.1:9        150.1.1.1:9

  31. Dynamic NAT Options
    NAT(config)#ip nat inside source ?
      list       Specify access list describing local addresses
      route-map  Specify route-map
      static     Specify static local->global mapping
  • Using list only checks the source IP -> standard access-list. An extended acl should be used via a route-map
  • Using route-map enforces conditional NAT, i.e. only packets matching the route-map are translated. It can use an extended acl, or match on interface/next-hop

  32. Dynamic NAT Options - route-map
  Example 1
  • All HTTP traffic is seen outside as coming from 200.1.1.1
  • All TELNET traffic is seen outside as coming from 200.1.1.2
  • The rest of the traffic is seen as coming from 200.1.1.3
    ip nat pool PUB_1 200.1.1.1 200.1.1.1 netmask 255.255.255.0
    ip nat pool PUB_2 200.1.1.2 200.1.1.2 netmask 255.255.255.0
    ip nat pool PUB_3 200.1.1.3 200.1.1.3 netmask 255.255.255.0
    !
    ip nat inside source route-map WWW pool PUB_1 overload
    ip nat inside source route-map TELNET pool PUB_2 overload
    ip nat inside source route-map OTHERS pool PUB_3 overload
    !
    route-map WWW permit 10
     match ip address 150
    route-map TELNET permit 10
     match ip address 151
    route-map OTHERS deny 10
     match ip address 150 151
    route-map OTHERS permit 20
    !
    access-list 150 permit tcp any any eq www
    access-list 151 permit tcp any any eq telnet

    NAT#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 200.1.1.3:7        10.1.1.1:7         150.1.1.1:7        150.1.1.1:7
    tcp  200.1.1.2:11158    10.1.1.1:11158     150.1.1.1:23       150.1.1.1:23
    tcp  200.1.1.1:37312    10.1.1.1:37312     150.1.1.1:80       150.1.1.1:80

  33. Dynamic NAT Options - route-map
  Example 2
  • A single link to reach the Internet and the Intranet remote sites
  • Translation only if the destination IP is a public IP
  [Diagram: the NAT router's Out interface carries Internet + Intranet traffic over an MPLS/VPN link towards the Internet and a remote Intranet site]
    ip nat pool PUB 200.1.1.1 200.1.1.1 netmask 255.255.255.0
    !
    ip nat inside source route-map COND pool PUB overload
    !
    route-map COND deny 10
     match ip address 150
    route-map COND permit 20
    !
    access-list 150 permit ip any 10.0.0.0 0.255.255.255
    access-list 150 permit ip any 172.16.0.0 0.0.7.255
    access-list 150 permit ip any 192.168.0.0 0.0.255.255
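To make the route-map logic of examples 1 and 2 (slides 32 and 33) checkable offline, here is an added Python model of how IOS evaluates a wildcard-mask access list inside a route-map and picks the pool; it is not the deck's code. It assumes the first mapping whose route-map permits the packet wins, and it uses the full RFC 1918 class B wildcard 0.15.255.255 (172.16.0.0/12) rather than the slide's 0.0.7.255, which only covers 172.16.0.0/21.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' in IOS acl syntax: base 0.0.0.0, wildcard all ones


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_permits(acl, proto, src, dst, dport):
    """Evaluate an extended acl; entries are (action, proto, src, src_wc, dst, dst_wc, eq_port)."""
    for action, aproto, s, swc, d, dwc, port in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"          # the first matching entry decides
    return False                            # implicit deny at the end of every acl


def route_map_permits(route_map, acls, pkt):
    """Sequences are (action, [acl numbers]). 'match ip address 150 151' matches when any
    listed acl permits the packet; a sequence without a match clause matches everything."""
    for action, acl_ids in route_map:
        if not acl_ids or any(acl_permits(acls[i], *pkt) for i in acl_ids):
            return action == "permit"
    return False                            # no sequence matched: packet not translated


def inside_global_for(mappings, acls, pkt):
    """Return the pool address a packet (proto, src, dst, dport) is translated to, or None."""
    for _name, route_map, pool_addr in mappings:   # assumption: first permitting mapping wins
        if route_map_permits(route_map, acls, pkt):
            return pool_addr
    return None


# Slide 32: one pool per application.
ACLS_32 = {150: [("permit", "tcp", *ANY, *ANY, 80)],        # access-list 150 ... eq www
           151: [("permit", "tcp", *ANY, *ANY, 23)]}        # access-list 151 ... eq telnet
MAPPINGS_32 = [
    ("WWW",    [("permit", [150])],                    "200.1.1.1"),   # pool PUB_1
    ("TELNET", [("permit", [151])],                    "200.1.1.2"),   # pool PUB_2
    ("OTHERS", [("deny", [150, 151]), ("permit", [])], "200.1.1.3"),   # pool PUB_3
]

# Slide 33: translate only towards public destinations. RFC 1918 class B is 172.16.0.0/12,
# i.e. wildcard 0.15.255.255 (the slide's 0.0.7.255 would exempt only 172.16.0.0/21).
ACLS_33 = {150: [("permit", "ip", *ANY, "10.0.0.0", "0.255.255.255", None),
                 ("permit", "ip", *ANY, "172.16.0.0", "0.15.255.255", None),
                 ("permit", "ip", *ANY, "192.168.0.0", "0.0.255.255", None)]}
MAPPINGS_33 = [("COND", [("deny", [150]), ("permit", [])], "200.1.1.1")]   # pool PUB


if __name__ == "__main__":
    for pkt in [("tcp", "10.1.1.1", "150.1.1.1", 80), ("tcp", "10.1.1.1", "150.1.1.1", 23),
                ("icmp", "10.1.1.1", "150.1.1.1", None)]:
        print("slide 32", pkt, "->", inside_global_for(MAPPINGS_32, ACLS_32, pkt))
    for pkt in [("tcp", "10.1.1.1", "150.1.1.1", 443), ("tcp", "10.1.1.1", "172.20.1.1", 443)]:
        print("slide 33", pkt, "->", inside_global_for(MAPPINGS_33, ACLS_33, pkt))
```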

  34. Translating Outside Global Addresses - Static
  Host B should appear as an inside host
  [Diagram: inside host 10.1.1.1 sends SA 10.1.1.1, DA 10.1.1.100; the packet leaves the NAT router as SA 200.1.1.1, DA 150.1.1.1; host B (150.1.1.1) replies with SA 150.1.1.1, DA 200.1.1.1, which the inside host receives as SA 10.1.1.100, DA 10.1.1.1]
  NAT table:
    Inside Local IP Address   Inside Global IP Address   Outside Local IP Address   Outside Global IP Address
    10.1.1.1                  200.1.1.1                  10.1.1.100                 150.1.1.1

  35. Configuring Example
    ip nat inside source static 10.1.1.1 200.1.1.1
    ip nat outside source static 150.1.1.1 10.1.1.100
    !
    interface Ethernet0/0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0/0
     ip address 120.16.2.1 255.255.255.0
     ip nat outside
    !
    ip route 10.1.1.100 255.255.255.255 120.16.2.2
  From inside to outside, routing occurs before NAT, so there must be a route for the destination of the original (untranslated) packet.
    NAT#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    ---  ---                ---                10.1.1.100         150.1.1.1
    icmp 200.1.1.1:2        10.1.1.1:2         10.1.1.100:2       150.1.1.1:2
    ---  200.1.1.1          10.1.1.1           ---                ---

  36. Translating Outside Global Addresses - Dynamic
  All hosts on the Internet should appear as internal hosts [10.1.1.128-159]
  Overloading not supported
  [Diagram: inside host 10.1.1.1 behind the NAT router (10.1.1.2); hosts 150.1.1.1 and 180.1.1.1 on the Internet connect to 200.1.1.1 and are seen inside as 10.1.1.128 and 10.1.1.129]
  NAT table:
    Protocol   Inside Local IP Address:Port   Inside Global IP Address:Port   Outside Local IP Address:Port   Outside Global IP Address:Port
    TCP        10.1.1.1:80                    200.1.1.1:80                    10.1.1.128:1024                 150.1.1.1:1024
    TCP        10.1.1.1:80                    200.1.1.1:80                    10.1.1.129:1024                 180.1.1.1:1024

  37. Configuring Example
    ip nat pool OUT 10.1.1.128 10.1.1.159 prefix-length 24
    ip nat inside source static 10.1.1.1 200.1.1.1
    ip nat outside source list 1 pool OUT
    !
    interface Ethernet0/0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0/0
     ip address 120.16.2.1 255.255.255.0
     ip nat outside
    !
    ip route 10.1.1.128 255.255.255.224 serial 0/0
    !
    access-list 1 permit any
  N.B. There should be a route for the pool used for the outside source translation
    NAT#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    ---  ---                ---                10.1.1.128         150.1.1.1
    ---  ---                ---                10.1.1.129         180.1.1.1
    icmp 200.1.1.1:2        10.1.1.1:2         10.1.1.128:2       150.1.1.1:2
    icmp 200.1.1.1:3        10.1.1.1:3         10.1.1.129:3       180.1.1.1:3
    ---  200.1.1.1          10.1.1.1           ---                ---

  38. NAT timeout
  • Dynamic NAT entries should be deleted when they are no longer used
  • Each NAT entry has an inactivity counter (the "left ..." field of show ip nat translations verbose)
  • There are different timeouts depending on the type of traffic
  • All these timeouts are reset when a packet uses the entry
  • The basic timeout (when nothing else matches) is by default set to 86400 sec (1 day)
  • With a huge number of NAT entries, maintaining the timeouts is very CPU intensive and can cause high CPU utilization (IP NAT Ager process)
    NAT(config)#ip nat translation ?
      dns-timeout             Specify timeout for NAT DNS flows
      finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
      icmp-timeout            Specify timeout for NAT ICMP flows
      max-entries             Specify maximum number of NAT entries
      port-timeout            Specify timeout for NAT TCP/UDP port specific flows
      pptp-timeout            Specify timeout for NAT PPTP flows
      routemap-entry-timeout  Specify timeout for routemap created half entry
      syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
      tcp-timeout             Specify timeout for NAT TCP flows
      timeout                 Specify timeout for dynamic NAT translations
      udp-timeout             Specify timeout for NAT UDP flows

  39. VFR (Virtual Fragment Reassembly)
    NAT(config-if)# ip virtual-reassembly
  • Layer 4 (TCP, UDP) information is available only in the first fragment of an IP packet
  • NAT cannot do overloading without layer 4 information
  • The idea is for the NAT router to reassemble the packet although it is not the destination of the packet
  • This command is automatically added when NAT is enabled on an interface
  • The following options can be specified:
    • max-reassemblies (default 64): max number of fragments belonging to different IP packets which can be stored at any given time
    • max-fragments (default 16): max number of fragments stored for a given IP packet
    • timeout (default 3 sec): max time to receive all fragments of an IP packet

  40. NAT Services
    NAT(config)#ip nat service ?
      H225                         H323-H225 protocol
      allow-h323-even-rtp-ports    Allow even RTP ports for H323
      allow-h323-keepalive         Allow H323 KeepAlive
      allow-sip-even-rtp-ports     Allow even RTP ports for SIP
      allow-skinny-even-rtp-ports  Allow even RTP ports for Skinny
      fullrange                    allocate all available port of 1 to 65535
      list                         Specify access list describing global addresses
      ras                          H323-RAS protocol
      sip                          SIP protocol
      skinny                       skinny protocol

  41. NAT Services
    NAT(config)# ip nat service allow-h323-keepalive
  • Introduced by CSCsa62551
  • Background: when NAT modifies the payload, the length of the TCP segment might change, so the ALG uses a sequence fixup to adapt the TCP seq# accordingly. This seq-fixup keeps track of the next expected seq# and the delta, and adapts the seq# if it is equal to or higher than the expected next seq#.
  • The problem is that an H323 KA (keepalive) uses the previous seq# - 1, so the seq-fixup does not work for H323 KA
  • This feature modifies the seq-fixup to take care of H323 KA
  • Disabled by default
  • Needs to be enabled when TCP keepalives are sent on the H323 port (1720)

  42. NAT Services
    NAT(config)# ip nat service allow-h323-even-rtp-ports
    NAT(config)# ip nat service allow-sip-even-rtp-ports
    NAT(config)# ip nat service allow-skinny-even-rtp-ports
  • Introduced by CSCsa86914
  • Background: RTP sessions classically use even UDP port numbers and the related RTCP sessions use the next available port (odd port). Some applications accept only RTP sessions using an even port and refuse RTP sessions using an odd port.
  • NAT selects the next available port+1 for the H323/SIP/SKINNY fixup in the NAT translations. NAT does NOT check for an even/odd pair for the RTP/RTCP port numbers.
  • This feature changes the H323/SIP/SKINNY fixup to use only even ports for RTP sessions
  • Needs to be enabled when the application expects RTP to use even ports only.

  43. NAT Services
    NAT(config)# ip nat service fullrange udp/tcp port [1-511]
  • Introduced by CSCed93887
  • Background: when NAT modifies a port, it uses a new port in the same range as the original port. The ranges are [1-511], [512-1023], [1024-65535].
  • Problem: when many sessions with the same source port are initiated, NAT can run out of free ports in that range. A typical example is IKE using source UDP port 500.
  • This feature allows NAT to use the full port range [1-65535] for packets coming in with the source port specified in the command
  • Example: 'ip nat service fullrange udp port 500' allows NAT to use the full port range for IKE traffic. Otherwise, only 511 IKE connections are allowed
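The port behaviour of slides 11/30 (overloading), 42 (even RTP ports) and 43 (port ranges and fullrange) can be reproduced with the following added Python model; it is not IOS code and the exact port IOS picks is not documented on the slides, so it assumes "first free port above the original, wrapping inside the range" and counts IKE clients against a constructed set of inside hosts.

```python
import itertools
from dataclasses import dataclass, field

# Port ranges inside which IOS NAT picks a replacement source port (slide 43).
PORT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


def port_range(port):
    """Return the (low, high) range the original port belongs to."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    """Overloaded translations for one inside global address (simplified model)."""
    inside_global: str
    # (proto, port) pairs configured with 'ip nat service fullrange <proto> port <port>'
    fullrange_ports: set = field(default_factory=set)
    # (proto, IG port, OG addr, OG port) -> (IL addr, IL port): what must stay unique
    entries: dict = field(default_factory=dict)
    # (proto, IL addr, IL port, OG addr, OG port) -> IG port, for flows already translated
    flows: dict = field(default_factory=dict)

    def _candidates(self, il_port, lo, hi, even_only):
        # Assumption: first free port above the original, wrapping inside the range.
        for port in itertools.chain(range(il_port + 1, hi + 1), range(lo, il_port)):
            if not even_only or port % 2 == 0:
                yield port

    def translate(self, proto, il, il_port, og, og_port, even_only=False):
        """Return the inside global port used for this flow, or None if no port is free."""
        flow = (proto, il, il_port, og, og_port)
        if flow in self.flows:                     # existing translation is reused
            return self.flows[flow]
        key = (proto, il_port, og, og_port)
        if key not in self.entries and not (even_only and il_port % 2):
            chosen = il_port                       # original port kept (slides 11 and 30)
        else:
            if (proto, il_port) in self.fullrange_ports:
                lo, hi = 1, 65535                  # 'fullrange' lifts the range restriction
            else:
                lo, hi = port_range(il_port)
            chosen = next((p for p in self._candidates(il_port, lo, hi, even_only)
                           if (proto, p, og, og_port) not in self.entries), None)
            if chosen is None:
                return None                        # range exhausted: the packet is dropped
        self.entries[(proto, chosen, og, og_port)] = (il, il_port)
        self.flows[flow] = chosen
        return chosen


def slide_11_table():
    """Rebuild the overloading table of slide 11 for inside global 200.1.1.1."""
    t = PatTable("200.1.1.1")
    return [
        t.translate("tcp", "10.1.1.1", 1024, "150.1.1.1", 23),  # 1024 kept
        t.translate("tcp", "10.1.1.2", 1723, "150.1.1.1", 23),  # 1723 kept
        t.translate("tcp", "10.1.1.3", 1024, "150.1.1.1", 23),  # 1024 busy -> rewritten
        t.translate("tcp", "10.1.1.2", 1024, "150.1.2.1", 23),  # other server: 1024 reusable
    ]


def ike_clients_supported(fullrange, max_clients=1000):
    """Count inside hosts (UDP/500 -> 150.1.1.1:500) translated before ports run out."""
    services = {("udp", 500)} if fullrange else set()
    t = PatTable("200.1.1.1", fullrange_ports=services)
    for n in range(max_clients):
        il = f"10.1.{n // 256}.{n % 256}"        # constructed inside hosts
        if t.translate("udp", il, 500, "150.1.1.1", 500) is None:
            return n
    return max_clients


def rtp_ports():
    """Second RTP stream colliding on UDP 16384: odd port without the service, even with it."""
    plain, even = PatTable("200.1.1.1"), PatTable("200.1.1.1")
    for t in (plain, even):
        t.translate("udp", "10.1.1.1", 16384, "150.1.1.1", 20000)
    return (plain.translate("udp", "10.1.1.2", 16384, "150.1.1.1", 20000),
            even.translate("udp", "10.1.1.2", 16384, "150.1.1.1", 20000, even_only=True))


if __name__ == "__main__":
    print("slide 11 inside global ports:", slide_11_table())
    print("IKE clients without fullrange:", ike_clients_supported(False))
    print("IKE clients with fullrange (capped at 1000):", ike_clients_supported(True))
    print("RTP port without / with even-rtp-ports service:", rtp_ports())
```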

  44. NAT Services - IPSEC
    NAT(config)# ip nat service list <acl> ESP spi-match
  • Introduced by CSCdw17198
  • The acl should match the outside global address of the IPSEC server/concentrator
  • Background:
    • IPSEC peers can negotiate NAT-T (NAT Traversal) to add a UDP header on top of the ESP packets, so NAT can use the UDP port for overloading
    • NAT-T is on by default on IOS devices -> '(config)#no crypto ipsec nat-transparency udp-encaps' on the IPSEC client/server disables it
    • Without NAT-T, NAT uses the SPI (part of the ESP header) for overloading
    • The difficulty comes from the fact that there is one SPI per direction, so the NAT router must 'bind' both SPIs
  • Limitations:
    • The NAT router accepts only one connection to the same outside server at a time as long as the SPI binding is not done. Once the SPI binding is done, another connection can be initiated
    • The NAT router must first see the ESP packet from IN to OUT

  45. NAT Services - IPSEC
  [Diagram: IPSEC clients .1, .2 and .3 in 10.1.1.0/24 on the IN side of the NAT router; IPSEC server 150.1.1.1 on the Internet (OUT side)]
  • Client 1 initiates a connection with SPI1; this creates the first NAT entry
  • If at that moment client 2 initiates a connection to the same server, this packet is dropped by the NAT router
  • When the server replies (with SPI2) to client 1's request, a second NAT entry is created and associated with the first one, i.e. any ESP packets from the server with SPI2 are dispatched to client 1
    NAT#sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    esp 200.1.1.1:0        10.1.1.1:SPI1      150.1.1.1:0        150.1.1.1:0
    esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:SPI2

  46. NAT Services - IPSEC
    *Apr 13 12:09:03.307: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=5940943A, IG=200.1.1.1
    *Apr 13 12:09:03.307: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0x5940943A, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
    *Apr 13 12:09:03.307: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
    *Apr 13 12:09:03.307: NAT: creating portlist proto 50 globaladdr 200.1.1.1
    *Apr 13 12:09:03.307: NAT: creating ESP portlist for IG=200.1.1.1
    *Apr 13 12:09:03.311: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [80]
    *Apr 13 12:09:03.311: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [80]
    .... [the server does not reply, for whatever reason]
    *Apr 13 12:09:13.415: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [88]
    *Apr 13 12:09:13.415: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [88]
    .... [a second client tries to establish an IPSEC connection to the same server]
    *Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
    *Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
    *Apr 13 12:09:47.059: NAT*: Can't create new inside entry - forced_punt_flags: 0
    *Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
    *Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
    *Apr 13 12:09:47.059: NAT: translation failed (A), dropping packet s=10.1.1.2 d=150.1.1.1
    *Apr 13 12:10:04.711: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [98]
    *Apr 13 12:10:04.711: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [98]
    *Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
    ... [the SPI of the first session is bound -> now the second client can establish an ESP connection]
    *Apr 13 12:10:12.587: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
    *Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
    *Apr 13 12:10:12.587: NAT: IPSec: Inside host (IL=10.1.1.2) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
    *Apr 13 12:10:12.591: NAT: i: esp (10.1.1.2, 0x1BF6BAA5) -> (150.1.1.1, 0x0) [22]
    *Apr 13 12:10:12.591: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [22]
    *Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2

    NAT#sh ip nat translations
    Pro Inside global      Inside local         Outside local      Outside global
    esp 200.1.1.1:0        10.1.1.1:0           150.1.1.1:0        150.1.1.1:7FB18572
    esp 200.1.1.1:0        10.1.1.1:5940943A    150.1.1.1:0        150.1.1.1:0
    esp 200.1.1.1:0        10.1.1.2:0           150.1.1.1:0        150.1.1.1:1093AEB7
    esp 200.1.1.1:0        10.1.1.2:1BF6BAA5    150.1.1.1:0        150.1.1.1:0
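When troubleshooting the SPI-binding limitation of slides 44 to 46, the useful facts in the debug ip nat output are which inside host holds the pending binding per server, which clients were refused, and which SPI pairs ended up bound. The following added Python parser (not part of the deck) extracts exactly that; its sample input is the set of relevant lines copied from slide 46, and the regular expressions assume the message formats shown there.

```python
import re

# Debug lines reproduced from slide 46 ('debug ip nat' output), used here as sample input.
SAMPLE_DEBUG = """\
*Apr 13 12:09:03.307: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0x5940943A, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:09:03.307: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT: translation failed (A), dropping packet s=10.1.1.2 d=150.1.1.1
*Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2
"""

# Timestamp prefix shared by the three message types we care about.
TS = r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): NAT: IPSec: "
RE_OUT = re.compile(TS + r"created In->Out ESP translation IL=(?P<il>[\d.]+) SPI=0x(?P<spi>[0-9A-Fa-f]+), "
                         r"IG=[\d.]+, OL=[\d.]+, OG=(?P<og>[\d.]+)")
RE_IN = re.compile(TS + r"new Out->In ESP transl OG=(?P<og>[\d.]+) SPI=0x(?P<spi>[0-9A-Fa-f]+), "
                        r"IG=[\d.]+, IL=(?P<il>[\d.]+)")
RE_DROP = re.compile(TS + r"another inside host \((?P<blocker>[\d.]+)\) is trying to open an ESP conn "
                          r"to (?P<og>[\d.]+), cannot process request from (?P<il>[\d.]+)")


def analyse_esp_debug(lines):
    """Track ESP SPI binding state per outside server from debug ip nat lines."""
    pending = {}   # outside server -> (inside host, outbound SPI) still waiting for the reply
    bound = {}     # (outside server, inside host) -> (outbound SPI, inbound SPI) once both are known
    drops = []     # (timestamp, refused inside host, host holding the pending binding, server)
    for line in lines:
        if m := RE_OUT.match(line):
            pending[m["og"]] = (m["il"], m["spi"].upper())
        elif m := RE_IN.match(line):
            il, out_spi = pending.get(m["og"], (None, None))
            if il == m["il"]:
                pending.pop(m["og"])
            else:
                out_spi = None          # reply for a session whose outbound entry was not seen
            bound[(m["og"], m["il"])] = (out_spi, m["spi"].upper())
        elif m := RE_DROP.match(line):
            event = (m["ts"], m["il"], m["blocker"], m["og"])
            if event not in drops:      # the refusal is logged twice for the same packet
                drops.append(event)
    return {"pending": pending, "bound": bound, "drops": drops}


def report(lines):
    """Human-readable summary: one line per bound session, refused client and unbound session."""
    r = analyse_esp_debug(lines)
    out = [f"{il} <-> {og}: outbound SPI 0x{o}, inbound SPI 0x{i}"
           for (og, il), (o, i) in r["bound"].items()]
    out += [f"{ts}: {il} refused towards {og}, {blk} still waiting for the server's first ESP packet"
            for ts, il, blk, og in r["drops"]]
    out += [f"{il} -> {og}: outbound SPI 0x{spi} still unbound"
            for og, (il, spi) in r["pending"].items()]
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_DEBUG.splitlines()):
        print(line)
```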

  47. NAT Services - SPI matching
  • If the IPSEC responder supports SPI matching (on a Cisco IOS device: (config)#crypto ipsec nat-transparency spi-matching), the SPI used by the responder is no longer randomly generated but computed from an MD5 hash of the incoming SPI
  • This allows the NAT router to calculate the SPI of the out-to-in ESP packets as soon as the first in-to-out ESP packet is received
  • This allows many inside clients to initiate ESP connections to the same outside server simultaneously
  • Disabled by default
  • If the outside server (150.1.1.1) uses SPI matching, this command enables SPI matching for this server on the NAT router:
    NAT(config)# ip nat service list 1 ESP spi-match
    NAT(config)# access-list 1 permit 150.1.1.1
  • Remark: if a server matched in the acl does NOT use SPI matching, the ESP session cannot be translated (the return packet is dropped)!

  48. NAT Services - SPI-matching
    *Apr 13 14:09:40.899: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=ED19E956, IG=200.1.1.1
    *Apr 13 14:09:40.899: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0xED19E956, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
    *Apr 13 14:09:40.899: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
    *Apr 13 14:09:40.899: NAT: creating portlist proto 50 globaladdr 200.1.1.1
    *Apr 13 14:09:40.899: NAT: creating ESP portlist for IG=200.1.1.1
    *Apr 13 14:09:40.899: NAT: i: esp (10.1.1.1, 0xED19E956) -> (150.1.1.1, 0x0) [184]
    *Apr 13 14:09:40.899: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [184]
    ... [the ESP packet from the server is received and it matches the calculated SPI]
    *Apr 13 14:09:40.903: NAT: ESP: SPIs matched
    *Apr 13 14:09:40.903: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x5FF2220B, IG=200.1.1.1, IL=10.1.1.1

    NAT#sh ip nat translations
    Pro Inside global      Inside local         Outside local      Outside global
    esp 200.1.1.1:0        10.1.1.1:0           150.1.1.1:0        150.1.1.1:5FF2220B
    esp 200.1.1.1:0        10.1.1.1:ED19E956    150.1.1.1:0        150.1.1.1:0

  49. NAT Services
    NAT(config)# ip nat service list <acl> IKE preserve-port
  • Introduced by CSCdu76854 - see ENG-114802
  • The acl should match the outside global address of the IPSEC server/concentrator
  • Source port 500 is preserved; multiplexing is done on the initiator cookie (part of the IKE header)
  • The initiator cookie is visible with 'show ip nat translations verbose'
  • Disabled by default (breaks some IPSEC implementations in Phase 1 rekeying)
    NAT(config)# ip nat service list <acl> ftp tcp port <1-65535>
  • The acl should match the outside global address of the FTP server
  • Allows the FTP server to use a non-default port (instead of 21) for the control session

  50. NAT Services - IKE Preserve-port
    *Apr 13 15:29:08.179: NAT: address not stolen for 10.1.1.1, proto 17 port 500
    *Apr 13 15:29:08.179: NAT: preserving IKE port for source addr 10.1.1.1, destination addr 150.1.1.1, initiator cookie 0x4EBDB5C
    *Apr 13 15:29:08.179: NAT: [0] Allocated Port for 10.1.1.1 -> 200.1.1.1: wanted 500 got 500
    *Apr 13 15:29:08.179: NAT: i: udp (10.1.1.1, 500) -> (150.1.1.1, 500) [258]
    *Apr 13 15:29:08.179: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [258]
    *Apr 13 15:29:08.243: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [302]
    *Apr 13 15:29:08.243: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.1 [302]
    ... [a second inside client initiates an IKE session]
    *Apr 13 15:29:25.135: NAT: preserving IKE port for source addr 10.1.1.2, destination addr 150.1.1.1, initiator cookie 0x28810D1E
    *Apr 13 15:29:25.135: NAT: [0] Allocated Port for 10.1.1.2 -> 200.1.1.1: wanted 500 got 3
    [without the IKE preserve-port command, the source UDP port would have been set to 3]
    *Apr 13 15:29:25.139: NAT: i: udp (10.1.1.2, 500) -> (150.1.1.1, 500) [72]
    *Apr 13 15:29:25.139: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [72]
    *Apr 13 15:29:25.207: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [306]
    *Apr 13 15:29:25.207: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.2 [306]
    [out-to-in packets are dispatched to the correct internal host based on the initiator cookie]

    NAT#sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    udp 200.1.1.1:500      10.1.1.1:500       150.1.1.1:500      150.1.1.1:500
    udp 200.1.1.1:500      10.1.1.2:500       150.1.1.1:500      150.1.1.1:500

    NAT#sh ip nat translations verbose
    Pro Inside global      Inside local       Outside local      Outside global
    udp 200.1.1.1:500      10.1.1.1:500       150.1.1.1:500      150.1.1.1:500
        create 00:00:29, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
        flags: extended, use_count: 0, entry-id: 40, lc_entries: 0
        initiator cookie: 0xAFD17956, Entry type : 0
    udp 200.1.1.1:500      10.1.1.2:500       150.1.1.1:500      150.1.1.1:500
        create 00:00:12, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
        flags: extended, use_count: 0, entry-id: 41, lc_entries: 0
        initiator cookie: 0x9716334C, Entry type : 0
