Scribd Logo
Upload

Welcome to Scribd!

  • 20 views

    HCSCA111 Network Address Translation

    Uploaded by

    Muhammad Noshad Gulzar
    Network address translation (NAT) translates private IP addresses to public IP addresses so that private networks can communicate over the public internet using a limited number of public IP addresses. NAT was created as a temporary solution to the shortage of available public IPv4 addresses caused by the growth of the internet. The document discusses the objectives, contents, principles, categories, and application scenarios of NAT.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd

    HCSCA111 Network Address Translation

    Uploaded by

    Muhammad Noshad Gulzar
    20 views32 pages
    Network address translation (NAT) translates private IP addresses to public IP addresses so that private networks can communicate over the public internet using a limited number of public IP addresses. NAT was created as a temporary solution to the shortage of available public IPv4 addresses caused by the growth of the internet. The document discusses the objectives, contents, principles, categories, and application scenarios of NAT.

    Original Description:

    Network Address Translation-NOSHAD GULZAR

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Network address translation (NAT) translates private IP addresses to public IP addresses so that private networks can communicate over the public internet using a limited number of public IP addresses. NAT was created as a temporary solution to the shortage of available public IPv4 addresses caused by the growth of the internet. The document discusses the objectives, contents, principles, categories, and application scenarios of NAT.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    20 views32 pages

    HCSCA111 Network Address Translation

    Uploaded by

    Muhammad Noshad Gulzar
    Network address translation (NAT) translates private IP addresses to public IP addresses so that private networks can communicate over the public internet using a limited number of public IP addresses. NAT was created as a temporary solution to the shortage of available public IPv4 addresses caused by the growth of the internet. The document discusses the objectives, contents, principles, categories, and application scenarios of NAT.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    of 32

    Network Address Translation

    Foreword

     Network address translation (NAT) translates an IP address carried in the header of an


    IPv4 packet into another IP address. Generally, NAT is used to translate private
    addresses into public addresses so that devices can communicate across private and
    public networks.
     To alleviate the public IPv4 address shortage caused by Internet expansion, NAT
    emerged as a temporary solution.

    3 Huawei Confidential
    Objectives

    Upon completion of this course, you will be able to:


     Recognize NAT application scenarios.
     Understand how NAT works.
     Configure NAT on firewalls.

    4 Huawei Confidential
    Contents

    1. NAT Principle
    2. Source NAT
    3. Server Mapping
    4. Application Scenarios

    5 Huawei Confidential
    Background
     IPv4 addresses are depleted.
     IPv6 cannot completely replace IPv4 immediately.
     Technologies to mitigate IPv4 address exhaustion (NAT, for example) continue to emerge.

    6 Huawei Confidential
    Advantages and Disadvantages
     Advantages:
     IP addresses can be reused.
     The address translation process is transparent to users.
     Privacy protection is available to internal users.
     Load balancing among internal servers is available.
     Disadvantages:
     Network monitoring is more difficult.
     Some applications are restricted.

    7 Huawei Confidential
    Basic Principle
     NAT translates the source and destination IP addresses in IP packet headers so that numerous
    private addresses can access the public network through a limited number of public addresses.

    Destination IP address:
    Destination IP address: 123.3.2.3
    Translates private source
    123.3.2.3
    Source IP address: addresses into public
    Source IP address: 123.3.2.1 addresses
    10.1.1.1

    Destination IP address:
    123.3.2.1
    Source IP address:
    123.3.2.3

    Internal user FTP server


    10.1.1.1 Destination IP address: 123.3.2.3
    10.1.1.1
    Source IP address: Translates destination
    123.3.2.3 public addresses into
    private addresses

    8 Huawei Confidential
    NAT Categories

     Address pool mode


    Source NAT  Outbound interface address mode
    (easy IP)

    Server  Static mapping (NAT server)


    mapping

    9 Huawei Confidential
    Contents

    1. NAT Principle
    2. Source NAT
    3. Server Mapping
    4. Application Scenarios

    10 Huawei Confidential
    Address Pool Mode (1)
     Address pool mode without port translation

    Source address Destination address Source address Destination address


    192.168.0.11 1.1.1.1
    Translate 9.9.9.9 1.1.1.1

    Trust Untrust

     One-to-one address translation is performed without port translation.

    192.168.1.1 155.133.87.1
    192.168.1.2 155.133.87.2
    192.168.1.3 155.133.87.3
    192.168.1.4 Discard

    11 Huawei Confidential
    Address Pool Mode (2)
     Address pool mode with port translation
    Source address Source Destination address Translate Source address Source port Destination address
    192.168.0.11 port X 1.1.1.1 2.2.2.2 Y 1.1.1.1

    Trust Untrust

     Different private addresses are mapped to the same public address but different port numbers to
    implement many-to-one address translation.

    192.168.1.1 155.133.87.1:7111
    192.168.1.2 155.133.87.1:7112
    192.168.1.3 155.133.87.1:7113

    12 Huawei Confidential
    Easy IP
     Outbound interface address mode (easy IP)

    Source address Destination address Translate Source address Destination address


    192.168.0.11 1.1.1.1 155.133.87.1 1.1.1.1

    Trust Untrust

    192.168.1.1 155.133.87.1:7111
    192.168.1.2 155.133.87.1:7112
    192.168.1.3 155.133.87.1:7113

    13 Huawei Confidential
    NAT ALG
     The NAT application level gateway (ALG) is a translation proxy used for certain application
    protocols and can translate the address and port number carried in application layer data.

    Ethernet Application Ethernet


    IP header TCP header
    header data trailer

    ?
    Information that
    can be NATed

    14 Huawei Confidential
    NAT ALG Implementation Principle
     NAT ALG application in FTP active mode
    Private network Public network

    Host NAT ALG FTP Server


    192.168.1.2 192.168.1.2 <------> 8.8.8.11 8.8.8.1
    Set up a control connection between the host and FTP server.

    The host sends a PORT packet.


    (192.168.1.2, 1084)
    ALG The payload of the PORT packet has
    processing been translated.
    (8.8.8.11, 12487)
    The FTP server initiates a data The FTP server initiates a data connection
    connection to the host. to the host.
    (8.8.8.1, 3004 -> 192.168.1.2, 1084) (8.8.8.1, 3004 -> 8.8.8.11, 12487)

    Transmit data over the established data connection.

    15 Huawei Confidential
    Contents

    1. NAT Principle
    2. Source NAT
    3. Server Mapping
    4. Application Scenarios

    16 Huawei Confidential
    NAT Server - Internal Server
     The NAT server function uses a public address to represent the private address of an internal
    server.
    Source Destination address Source Destination address
    address 192.168.1.1 address 202.202.1.1
    Translate

    Public address

    202.202.1.1
    WWW server DMZ Untrust
    192.168.1.1 Real address External user

     On the firewall, a public address is configured to represent the server's private address. External
    users access the server through this public address.

    17 Huawei Confidential
    NAT Server and Server Map Table (1)
     After the NAT server is configured, the device automatically generates server map entries that
    map public and private addresses.

    [NGFW]nat server server1 protocol tcp global 202.202.1.1 inside 192.168.1.1

    Protocol carried Post-NAT Private


    over IP public address address

     Example: server map entry

    Type: Nat Server, ANY ->202.202.1.1:21[192.168.1.1:21], Zone:---, protocol:tcp


    Vpn: public --> public
    Type: Nat Server Reverse, 192.168.1.1[202.202.1.1] -> ANY, Zone:---, protocol:tcp Vpn: public
    --> public, counter: 1

    18 Huawei Confidential
    NAT Server and Server Map Table (2)
     After no-reverse is specified, the device generates only forward server map entries.

    [NGFW]nat server server1 protocol tcp global 202.202.1.1 inside 192.168.1.1 no-reverse

     Example: server map entry

    Type: Nat Server, ANY -> 202.202.1.1[192.168.1.1], Zone:---, protocol:tcp


    Vpn: public -> public

    19 Huawei Confidential
    Contents

    1. NAT Principle
    2. Source NAT
    3. Server Mapping
    4. Application Scenarios

    20 Huawei Confidential
    Typical NAT Scenario and Configuration Example
     Application scenarios
    Untrust zone
     Source NAT application
     NAT server application
    202.169.10.1/29

    192.168.20.1/24

    DMZ 192.168.0.1/24

    Trust zone
    21 Huawei Confidential
    Source NAT Configuration on the Firewall (Web)
     Configure a NAT address pool.

    22 Huawei Confidential
    Source NAT Configuration on the Firewall (Web)
     Configure a source NAT policy.

    In this example, the


    configuration enables users in
    the trust zone to access
    Internet resources in the
    untrust zone. Therefore, the
    source security zone is trust
    and the destination security
    zone is untrust.

    Select the configured address


    pool.

    23 Huawei Confidential
    NAT Server Configuration on the Firewall (Web)
     Configure the internal web and FTP servers.

    External and internal


    addresses. The public
    address is the address
    used by external users
    for access. The private
    address is the internal
    server's address on the
    LAN.

    24 Huawei Confidential
    NAT Server Configuration on the Firewall (Web)
     Configure an interzone security policy.

    25 Huawei Confidential
    Source NAT Configuration on the Firewall (CLI)
     Configure interzone access rules.
     Specify the network segment 192.168.0.0 as the source address. (Detailed configurations are not
    described here.)
     Configure an address pool.
    [NGFW] nat address-group 1
    [NGFW -nat-address-group-1] section 202.169.10.2 202.169.10.6
     Configure a source NAT policy.

    [NGFW] nat-policy
    [NGFW-policy-nat] rule name nat1
    [NGFW-policy-nat-rule-nat1] source-zone trust
    [NGFW-policy-nat-rule-nat1] destination-zone untrust
    [NGFW-policy-nat-rule-nat1] source-address 192.168.0.0 24
    [NGFW-policy-nat-rule-nat1] action nat address-group 1

    26 Huawei Confidential
    NAT Server Configuration on the Firewall (CLI)
     Configure the internal web and FTP servers.

    [USG] nat server wwwserver protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
    [USG] nat server ftpserver protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

     Configure interzone packet filtering rules.


    [USG] security-policy
    [USG -policy-security] rule name p1
    [USG -policy-security-rule-p1] source-zone untrust
    [USG -policy-security-rule-p1] destination-zone dmz
    [USG -policy-security-rule-p1] destination-address 192.168.20.2 32
    [USG -policy-security-rule-p1] service http
    [USG -policy-security-rule-p1] action permit
    [USG -policy-security] rule name p2
    [USG -policy-security-rule-p2] source-zone untrust
    [USG -policy-security-rule-p2] destination-zone dmz
    [USG -policy-security-rule-p2] destination-address 192.168.20.3 32
    [USG -policy-security-rule-p2] service ftp
    [USG -policy-security-rule-p2] action permit

    27 Huawei Confidential
    Twice NAT
     Application scenarios:
     NAT server + source NAT
     Intrazone NAT

    28 Huawei Confidential
    Interzone Twice NAT
     To simplify the configuration of the route from a server to a public network, you can configure
    source NAT based on the NAT server function.

    Private address after


    source NAT
    DMZ Untrust

    192.168.1.1 2.2.2.5

    192.168.1.5 202.20.1.5
    Internal server Internet user
    Real address Public address

    29 Huawei Confidential
    Intrazone Twice NAT
     The firewall translates the destination address of the user's request packet into the private address of the FTP server.
    In addition, it translates the source address into the public address of the user.
     The firewall translates the source address of the response packet from the FTP server into the public address. In
    addition, it translates the destination address into the private address of the user.

    Trust zone

    Server's public address User's public address


    202.202.1.1 202.202.1.5

    192.168.1.5 192.168.1.1
    Internal user Server

    30 Huawei Confidential
    Quiz

    1. Which of the following are reasons why NAT emerged?


    A. Insufficient IP address resources

    B. Protection to real IP addresses of internal servers

    C. Requirements of specific services

    D. Demand for easy device management

    31 Huawei Confidential
    Summary

     Technical principle of NAT


     NAT application scenarios
     Typical NAT configurations on firewalls

    32 Huawei Confidential
    Thank you. 把数字世界带入每个人、每个家庭、
    每个组织,构建万物互联的智能世界。
    Bring digital to every person, home, and
    organization for a fully connected,
    intelligent world.

    Copyright©2021 Huawei Technologies Co., Ltd.


    All Rights Reserved.

    The information in this document may contain predictive


    statements including, without limitation, statements regarding
    the future financial and operating results, future product
    portfolio, new technology, etc. There are a number of factors that
    could cause actual results and developments to differ materially
    from those expressed or implied in the predictive statements.
    Therefore, such information is provided for reference purpose
    only and constitutes neither an offer nor an acceptance. Huawei
    may change the information at any time without notice.

    You might also like