CCSA-Module 6
AITA\SWBU\CCSA\08
Module 6
Network Address Translation
Introduction: Objectives
- List the reasons and methods for Network Address Translation
- Demonstrate how to set up Static NAT
- Demonstrate how to set up Dynamic (Hide) NAT
- Describe basic network configurations using NAT
Key Terms
- Network Address Translation (NAT)
- Static Source NAT
- Static Destination NAT
- Dynamic (Hide) NAT
- Automatic and Manual NAT rules
- Address Resolution Protocol (ARP)
Network Address Translation
NAT conceals internal computers from outside networks. As a component of VPN-1/Firewall-1 it is used for three things:
- to make use of private IP addresses on the internal network
- to limit external network access for security reasons
- to give ease and flexibility to network administration
NAT IP Addressing
RFC 1918 reserves three address blocks for private internets; addresses from these blocks are not routed on the public Internet, so traffic from them must be translated at the gateway:
- 10.0.0.0 to 10.255.255.255 (10/8, one class A network number)
- 172.16.0.0 to 172.31.255.255 (172.16/12, sixteen contiguous class B network numbers)
- 192.168.0.0 to 192.168.255.255 (192.168/16, 256 contiguous class C network numbers)
Network Security
An additional benefit of NAT is increased network security:
- an internal host can connect to hosts both inside and outside the intranet
- an unknown external host cannot initiate a connection to an internal host, because the private addresses are not reachable from outside
- external connections that arrive with a spoofed internal source address are recognised by the gateway's anti-spoofing check and denied
- internal public servers are made available with inbound mapping of well-known TCP ports to specific internal addresses
Network Administration
VPN-1/Firewall-1 supports two types of NAT:
- Static NAT
- Dynamic (Hide) NAT

Static NAT
translates each private address to a corresponding public address (one-to-one); it has two modes, static source and static destination
Static Source NAT
translates the private internal source IP address of a packet to a public external source IP address; used for connections initiated by internal clients that have private IP addresses, with the replies translated back in the reverse direction
Static Source NAT
Address Translation Using Static Source Mode
Static Destination NAT
translates a public (Valid) destination address to the private address of the internal host; used for connections initiated by external clients, for example to reach an internal server
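The two static modes above, as a worked example added here (it is not code from the module or from Check Point): a one-to-one table translates the source of outbound packets and the destination of inbound packets, and because the mapping is one-to-one the same two functions also translate the replies of both kinds of connection, so no per-connection state is needed. The RFC 1918 check comes from the NAT IP Addressing slide; the addresses, the Packet type and the class name are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private blocks (from the RFC). All addresses used with this code
# are constructed sample values, not taken from the module.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class StaticNAT:
    """One-to-one static NAT between private addresses and Valid (public) ones.

    Static source mode rewrites the source of packets leaving the internal
    network; static destination mode rewrites the destination of packets
    arriving from outside.  Because the mapping is one-to-one, the same two
    functions also translate the replies of either kind of connection.
    """

    def __init__(self, mapping):
        for priv, valid in mapping.items():
            if not is_rfc1918(priv):
                raise ValueError(f"{priv} is not an RFC 1918 private address")
            if is_rfc1918(valid):
                raise ValueError(f"Valid address {valid} must be public")
        if len(set(mapping.values())) != len(mapping):
            raise ValueError("static NAT needs a distinct Valid address per host")
        self.priv_to_valid = dict(mapping)
        self.valid_to_priv = {v: p for p, v in mapping.items()}

    def outbound(self, pkt):
        """Packet seen on the internal side heading out: static source NAT.

        Also translates the reply an internal server sends to an external
        client that reached it through static destination NAT.
        """
        valid = self.priv_to_valid.get(pkt.src)
        return replace(pkt, src=valid) if valid else pkt

    def inbound(self, pkt):
        """Packet arriving from outside: static destination NAT.

        Also translates the reply coming back to an internal client whose
        source was rewritten by outbound().
        """
        priv = self.valid_to_priv.get(pkt.dst)
        return replace(pkt, dst=priv) if priv else pkt
```

Hosts without an entry pass through untranslated; a real gateway would then hide them (next slides) or drop them at the security rule base, but that is outside this example.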
Address Translation Using Static Destination Mode
Address Translation Using Static Destination Mode
Dynamic (Hide) NAT
- used for connections initiated by hosts in an internal network whose IP addresses are private
- the private internal addresses are hidden behind a single public external address
- dynamically assigned source port numbers distinguish the connections of the different internal hosts
Dynamic NAT
Dynamic (Hide) NAT (Ctd.)
- in hide mode the source port number of each outgoing packet is modified
- the internal destination of a reply packet is determined by its destination port number, which the gateway looks up in its connection table
- port numbers are dynamically assigned from two pools of numbers:
  - 600 to 1023
  - 10,000 to 60,000
- hide mode cannot be used for protocols in which the port number cannot be changed, or where the internal host must be reachable from outside by its own IP address (a connection cannot be initiated from outside to a hidden host)
Hide Mode Address Translation
Hiding behind 0.0.0.0
If the administrator specifies 0.0.0.0 as the hide address, all clients are hidden behind the address of the gateway interface through which the packet leaves (the server-side interface), rather than behind one fixed public address.
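Hide mode as described on the last three slides, as an example added here (not code from the module or from Check Point): source ports are taken from the two pools the module names, replies are matched back to the hidden host by destination port, an inbound packet for which no table entry exists is dropped, a protocol without a port cannot be hidden, and a hide address of 0.0.0.0 means the address of the egress interface. The addresses, interface names, the protocol list and the class are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, replace

# Port pools the module gives for hide mode.
HIDE_PORT_POOLS = ((600, 1023), (10000, 60000))
# Protocols with no port field to rewrite (constructed list for the example).
PORTLESS = {"icmp", "esp", "ah", "gre"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class HideNAT:
    """Many-to-one hide NAT keyed on a dynamically assigned source port.

    hide_addr is the single public address, or "0.0.0.0" to hide behind the
    address of whichever gateway interface the packet leaves through.
    interfaces maps interface name -> its IP address (constructed sample).
    """

    def __init__(self, hide_addr, interfaces, pools=HIDE_PORT_POOLS):
        self.hide_addr = hide_addr
        self.interfaces = dict(interfaces)
        self._free = deque(p for lo, hi in pools for p in range(lo, hi + 1))
        self._by_port = {}   # (proto, hide port) -> original 5-tuple
        self._by_flow = {}   # original 5-tuple -> hide port

    def _hide_addresses(self):
        if self.hide_addr == "0.0.0.0":
            return set(self.interfaces.values())
        return {self.hide_addr}

    def outbound(self, pkt, egress):
        """Internal host -> outside: rewrite source address and source port."""
        if pkt.proto in PORTLESS:
            raise ValueError(f"hide NAT cannot translate {pkt.proto}: no port to rewrite")
        addr = self.interfaces[egress] if self.hide_addr == "0.0.0.0" else self.hide_addr
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.get(flow)
        if port is None:
            if not self._free:
                raise RuntimeError("hide port pools exhausted")
            port = self._free.popleft()          # lowest free port from the pools
            self._by_flow[flow] = port
            self._by_port[(pkt.proto, port)] = flow
        return replace(pkt, src=addr, sport=port)

    def inbound(self, pkt):
        """Outside -> gateway: only a reply to a known flow reaches a hidden host.

        Returns the de-translated packet, or None when the packet must be dropped.
        """
        if pkt.dst not in self._hide_addresses():
            return None
        flow = self._by_port.get((pkt.proto, pkt.dport))
        if flow is None:
            return None                          # nobody is listening behind this port
        proto, src, sport, dst, dport = flow
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                          # right port, wrong peer: not a reply
        return replace(pkt, dst=src, dport=sport)

    def release(self, pkt):
        """Connection closed: return the hide port to the pool."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.pop(flow, None)
        if port is not None:
            del self._by_port[(pkt.proto, port)]
            self._free.append(port)
```

Two internal hosts that both use source port 1025 get different hide ports, which is the whole point of the port rewrite; after release() the old port answers nothing, so a late packet for it is dropped rather than delivered to whichever host gets the port next.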
Hiding Behind 0.0.0.0
Automatic and Manual NAT Rules: NAT Rules
A NAT rule consists of two elements:
- the conditions that specify when the rule is to be applied (the Original Packet columns)
- the action to be taken when the rule is applied (the Translated Packet columns)
Each section in the NAT Rule Base Editor is divided into Source, Destination and Service.
Automatic and Manual NAT Rules: NAT Rules (Ctd.)
The action is always the same:
- translate Source under Original Packet to Source under Translated Packet
- translate Destination under Original Packet to Destination under Translated Packet
- translate Service under Original Packet to Service under Translated Packet
A column left as Original under Translated Packet is passed through unchanged.
Network Address Translation Properties
Several properties can be applied to automatically generated NAT rules. They are enabled by default in new installations but disabled by default when upgrading from previous versions, so an upgraded gateway keeps its old behaviour until the administrator enables them. These properties are configured on the Network Address Translation page of the Global Properties window.
Network Address Translation Properties (Ctd.)
Allow Bi-directional NAT
The firewall checks all of the automatic rules to see whether the source matches one rule and the destination matches another. It takes the first source rule and the first destination rule that match and applies both to the same packet; without this property only the first matching rule is applied.
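The rule base of the two NAT Rules slides and the bi-directional property above, as an example added here (not code from the module or from Check Point): each rule has Original Packet conditions and Translated Packet actions for Source, Destination and Service, the automatic rules for a static host and a hide network are generated in the shape the module describes (static rules before hide rules, an ordering assumed for the example), and translate() shows how the first-match result differs from the bi-directional one for an internal client addressing another internal server by its Valid address. Rule names, addresses and service names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"            # Original Packet column: matches everything
ORIGINAL = "Original"  # Translated Packet column: leave the field unchanged


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class NatRule:
    name: str
    # conditions: Original Packet columns
    orig_src: str
    orig_dst: str
    orig_svc: str
    # action: Translated Packet columns
    xlate_src: str
    xlate_dst: str
    xlate_svc: str


def _match(pattern, value):
    """A column matches Any, a host address, a service name or a network (CIDR)."""
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def _xlate(orig_pat, xlate, value):
    """Apply one Translated Packet column to one field of the packet."""
    if xlate == ORIGINAL:
        return value
    if "/" in xlate:  # network to network: keep the host part of the address
        orig_net = ipaddress.ip_network(orig_pat, strict=False)
        xlate_net = ipaddress.ip_network(xlate, strict=False)
        offset = int(ipaddress.ip_address(value)) - int(orig_net.network_address)
        return str(xlate_net.network_address + offset)
    return xlate


def rule_matches(rule, pkt):
    return (_match(rule.orig_src, pkt.src) and _match(rule.orig_dst, pkt.dst)
            and _match(rule.orig_svc, pkt.service))


def auto_static_rules(mapping):
    """The two rules an automatic static NAT on a host object generates."""
    rules = []
    for priv, valid in mapping.items():
        rules.append(NatRule(f"static-src {priv}", priv, ANY, ANY, valid, ORIGINAL, ORIGINAL))
        rules.append(NatRule(f"static-dst {priv}", ANY, valid, ANY, ORIGINAL, priv, ORIGINAL))
    return rules


def auto_hide_rule(network, hide_addr):
    """The rule an automatic hide NAT on a network object generates."""
    return NatRule(f"hide {network}", network, ANY, ANY, hide_addr, ORIGINAL, ORIGINAL)


def translate(pkt, rules, bidirectional=False):
    """Return (translated packet, names of the rules applied).

    Without bi-directional NAT the first matching rule wins and its three
    columns are applied.  With it, the first matching rule that translates the
    source and the first that translates the destination are applied together.
    """
    matching = [r for r in rules if rule_matches(r, pkt)]
    if not matching:
        return pkt, []
    if bidirectional:
        src_rule = next((r for r in matching if r.xlate_src != ORIGINAL), None)
        dst_rule = next((r for r in matching if r.xlate_dst != ORIGINAL), None)
        svc_rule = next((r for r in matching if r.xlate_svc != ORIGINAL), None)
    else:
        src_rule = dst_rule = svc_rule = matching[0]
    src = _xlate(src_rule.orig_src, src_rule.xlate_src, pkt.src) if src_rule else pkt.src
    dst = _xlate(dst_rule.orig_dst, dst_rule.xlate_dst, pkt.dst) if dst_rule else pkt.dst
    svc = _xlate(svc_rule.orig_svc, svc_rule.xlate_svc, pkt.service) if svc_rule else pkt.service
    applied = [r.name for r in (src_rule, dst_rule, svc_rule) if r is not None]
    return Packet(src, dst, svc), list(dict.fromkeys(applied))
```

With first-match only, a packet from 10.0.0.10 to the Valid address of 10.0.0.20 has its source translated but keeps the public destination, so it is routed out of the gateway instead of to the internal server; bi-directional NAT applies the destination rule as well. Manual rules placed above the automatic ones can translate the service too.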
Network Address Translation Properties (Ctd.)
Translate destination on client side
Prior versions of Firewall-1 performed destination NAT on the server side, which required special anti-spoofing and internal routing configuration; with this property the destination is translated on the interface the packet arrives on (the client side), before routing.
Automatic ARP configuration
The ARP tables on the gateway are configured automatically, so ARP requests for a NATed machine, network or address range are answered by the gateway; without it the administrator must add the ARP entries for each Valid address by hand so that the adjacent router can deliver packets for it to the gateway.
IP Pools
An IP Pool is a range of IP addresses routable to a gateway. An encrypted (VPN) connection opened to a host behind the gateway has its source IP address replaced by an address taken from the IP Pool, so the pool addresses must be routable back to the gateway for the return traffic.
Address Translation Example: Gateway with Two Interfaces (Routing)
- the router routes the network 199.203.73.0 to the gateway
- the gateway routes IP address 199.203.73.3 to the internal interface (10.0.0.1)
- the gateway routes IP addresses 199.203.73.64 through 199.203.73.80 to the internal interface (10.0.0.1)
Gateway with Two Interfaces
Address Translation Example: Gateway with Three Interfaces (Routing)
- ensure the router routes the network 192.45.125.0 to the gateway
- the gateway should be able to route IP address 172.45.125.209 to the internal interface (195.9.200.1)
Gateway with Three Interfaces
Address Translation Example: Two Networks Statically Translated
Two Networks Statically Translated
Address Translation and Anti-Spoofing
- anti-spoofing is performed correctly for automatically generated NAT rules, provided Translate destination on client side is enabled in the Global Properties
- if NAT takes place on the server side there is a conflict between anti-spoofing and NAT, because the translated (Valid) address then appears on an interface whose anti-spoofing definition does not include it
- to correct the problem, add the translated (i.e. the Valid) address to the valid addresses defined for the Internal Interface
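The conflict on this slide and the client-side property two slides earlier, as a simplified model added here (not code from the module or from Check Point): anti-spoofing accepts a packet on an interface only if its source belongs to the networks defined behind that interface. The model assumes, as the slide's remedy implies, that with server-side translation the internal interface already sees the server's reply carrying the Valid address, while with client-side translation it still sees the private address. Interface names, the topology and the two addresses are constructed.

```python
import ipaddress

# Constructed sample values: an internal web server and its Valid address.
PRIVATE_SERVER = "10.0.0.10"
VALID_ADDRESS = "203.0.113.10"


def antispoof_ok(topology, iface, src):
    """Anti-spoofing check for a packet entering iface with source src.

    topology maps interface name -> list of networks defined behind it.  The
    external interface is 'everything else', so it rejects only sources that
    belong behind one of the other interfaces.
    """
    addr = ipaddress.ip_address(src)
    if iface == "external":
        inside = [n for i, nets in topology.items() if i != "external" for n in nets]
        return not any(addr in ipaddress.ip_network(n, strict=False) for n in inside)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in topology[iface])


def reply_check(topology, server_side):
    """Model the server's reply to a connection that reached it through static
    destination NAT.  Returns (source seen on the internal interface, passed).

    Server side: the reverse translation happens on the server-facing
    (internal) interface, so anti-spoofing there sees the Valid address.
    Client side: the reverse translation happens on the client-facing
    (external) interface on the way out, so the internal interface sees the
    private address and the existing topology is sufficient.
    """
    src_seen = VALID_ADDRESS if server_side else PRIVATE_SERVER
    return src_seen, antispoof_ok(topology, "internal", src_seen)


def fix_server_side(topology):
    """The slide's remedy: add the Valid address to the internal interface.

    Returns a new topology; the caller's dictionary is left unchanged.
    """
    fixed = {i: list(nets) for i, nets in topology.items()}
    fixed["internal"].append(VALID_ADDRESS + "/32")
    return fixed
```

The remedy has a side effect worth knowing: once the Valid address counts as internal, a packet arriving on the external interface with that source is treated as spoofed and dropped, which is the correct outcome, since nothing outside should legitimately claim the address.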