So we all use NAT daily, but what is it really doing? This is more of a beginners' guide than anything else.
The IPv4 address space is rapidly running out. A long time ago, if you were a company with 150 users needing internet access, you would need a /24 public IP block: essentially any device needing internet access needed a public, routable IP. Bigger companies needed much bigger blocks, and some were even given /16s, enough addresses to give 65,536 devices a public IP. This was never going to work forever. The IPv4 space is limited in size, so we could not simply give every company a /16. Not only that, but home users started needing more than a single IP address, and ISPs did not have enough addresses to give each customer 8 or 16 of them. So NAT was introduced.
Essentially NAT 'translates' one IP address into another. This allows you to use RFC 1918 addresses internally. RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which together give you 17,891,328 addresses to use, all of which can be 'translated' behind a single public IP address (or a range, it doesn't matter). Not only that, but that SAME RFC 1918 address space can be used by everyone. It doesn't matter if my home PC and your home PC are both 192.168.1.1, as these addresses are translated on the way out to the internet.
But what exactly is happening? I think we need an analogy here. Let's imagine that you and I live on the same street, and that we both live in an apartment block (or block of flats, as we call it in the U.K.). Let's also say that I live in apartment 10 in my building and you live in apartment 10 in yours. How will the postman deliver our post correctly if we both live at number 10 on the same street? That's easy in the real world: each building on the street has its own number, and all the building numbers on the street have to be unique. You can't have two number 10 Bond Streets. The building number is the public address; the apartment number only has to be unique inside the building.
A similar thing happens when you NAT traffic, but your router/firewall/NAT device does all the hard work for you. Let's walk through an example. I'm at home and want to go to Cisco.com. My PC's IP address is 192.168.1.10. Let's also say my wife wants to get to Cisco.com at the same time; her laptop's IP address is 192.168.1.20. Let's pretend that Cisco.com is 220.127.116.11 and that my public IP is 22.214.171.124.
My laptop sends an IP packet with a source address of 192.168.1.10 and a destination of 220.127.116.11. My wife's laptop sends a packet with a source of 192.168.1.20 and the same destination. When my packet hits the router, the router changes the source IP to 22.214.171.124, picks a high port number for the source port (e.g. 22.214.171.124:5000), records that mapping in its session table and sends the packet off to Cisco.com. It then takes my wife's packet and does the same, but with a different port, say 22.214.171.124:6000. Cisco.com receives both packets and, as far as it is concerned, both came from 22.214.171.124.
Cisco.com responds to both. The reply to mine has a destination of 22.214.171.124:5000; the reply to my wife's has a destination of 22.214.171.124:6000. As this is my public address, both replies arrive at my router. The router looks at the destination port. When it sees 5000 it finds the session it created earlier and knows the original source was 192.168.1.10, so it rewrites the destination IP (and the destination port, back to whatever port my laptop originally used) and sends the packet onto the LAN. The same happens for the next packet: the router converts 22.214.171.124:6000 back to 192.168.1.20 and sends it onto the LAN.
This variant, where many inside addresses share one public address and are told apart by port, is properly called PAT or NAT overload, and it is what almost every home router does. Two caveats are worth knowing. It only works because the router keeps state, so an inbound packet that matches nothing in the session table has nowhere to go and is dropped; that is a useful side effect, not a substitute for a firewall policy. And protocols with no port field, such as ICMP, are tracked by a different identifier (the ICMP ID for pings) instead.
Let's have a look at a real-world example. I've set up NAT through a Juniper SSG and these are the logs:
Here I've initiated pings from two internal machines to the same external IP address. You can see 10.1.1.50 is my first machine and 10.1.1.51 is my second. As far as 126.96.36.199 is concerned, all these pings are coming from the same 192.168.1.3 external address. The firewall keeps a session table and knows what to change the destination IP to when each reply comes back (for pings, which have no ports, it keys on the ICMP identifier instead). Unfortunately I cannot actually show this in the picture above :(
Note that NAT can actually be used more than once in the same path. If you look at the picture above, I'm actually getting to 126.96.36.199 via 192.168.1.3. How is that possible when 192.168.1.3 is a private address? I'm NAT'd once more through a ZyXEL router: the SSG translates 10.1.1.x to 192.168.1.3, and the ZyXEL translates 192.168.1.3 to the real public address. NAT can be layered many times, but it's not something I would do. Each layer is another session table that has to hold the right state, and anything that relies on inbound port forwarding has to be configured on every device in the chain.
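The translation walked through above, and the double NAT in the SSG-behind-ZyXEL setup, as an added worked example that is not code from the original post: a toy PAT device in Python with a session table, reverse translation of replies, the drop of packets that match no session, and two devices chained one behind the other. The addresses are assumptions for the example: RFC 5737 documentation ranges (203.0.113.5 for the home router's public side, 198.51.100.10 for the remote web server) stand in for real public addresses, while 192.168.1.x, 192.168.1.3 and 10.1.1.x are the inside addresses the post uses.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Addresses are assumptions for the example: RFC 5737 documentation ranges
# (203.0.113.5 = home router public side, 198.51.100.10 = remote web server)
# stand in for the public internet; the inside hosts are the ones in the post.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The remote host answers by swapping source and destination."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# inside ip, inside port, remote ip, remote port
Session = Tuple[str, int, str, int]


class Pat:
    """One NAT device doing port address translation (NAT overload).

    Every new outbound flow gets its own translated source port on the shared
    public address. The session table remembers which inside host and port the
    flow belongs to and which remote endpoint it was opened to.
    """

    def __init__(self, public_ip: str, first_port: int = 5000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._sessions: Dict[Session, int] = {}   # flow -> translated port
        self._by_port: Dict[int, Session] = {}    # translated port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite source ip/port, creating a session if new."""
        key: Session = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._sessions.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._sessions[key] = port
            self._by_port[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: restore the inside destination, or drop (None).

        A packet is only accepted from the endpoint its session was opened to;
        anything else, including unsolicited traffic to an unused port, matches
        no state and is discarded.
        """
        session = self._by_port.get(pkt.dst_port)
        if session is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = session
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def round_trip(path: List[Pat], pkt: Packet) -> Tuple[Packet, Optional[Packet]]:
    """Push pkt out through each NAT in order, let the remote host reply, and
    carry the reply back through the NATs in reverse. Returns the packet the
    remote host saw and the reply as delivered on the LAN (None if dropped)."""
    out = pkt
    for nat in path:
        out = nat.outbound(out)
    back: Optional[Packet] = out.reply()
    for nat in reversed(path):
        if back is None:
            break
        back = nat.inbound(back)
    return out, back


if __name__ == "__main__":
    home = Pat("203.0.113.5")
    # Both laptops happen to pick the same source port; the port mapping keeps them apart.
    me = Packet("192.168.1.10", 40001, "198.51.100.10", 443)
    wife = Packet("192.168.1.20", 40001, "198.51.100.10", 443)
    for p in (me, wife):
        seen, delivered = round_trip([home], p)
        print(f"remote saw {seen.src_ip}:{seen.src_port}; reply delivered to "
              f"{delivered.dst_ip}:{delivered.dst_port}")
    # Unsolicited packet to an in-use port from a different host: dropped.
    print(home.inbound(Packet("198.51.100.99", 443, "203.0.113.5", 5000)))
    # Double NAT as in the SSG-behind-ZyXEL setup: 10.1.1.x -> 192.168.1.3 -> public.
    ssg, zyxel = Pat("192.168.1.3", 1024), Pat("203.0.113.5")
    print(round_trip([ssg, zyxel], Packet("10.1.1.50", 3000, "198.51.100.10", 443)))
```

The inbound check on the remote endpoint is a design choice: it models the strict (symmetric) behaviour a stateful firewall such as the SSG gives you. Some consumer NATs are looser and will forward any packet that arrives on a mapped port, which is exactly why you should not treat the translation itself as your security boundary.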
There has been a distinct lack of updates recently. Work has been incredibly busy while we try and finish off a bunch of projects before the end of the year. This has of course also cut into my serious lack of study time.
I've currently got around 18 half-finished draft posts. Any chance I get to continue and finish them I take. So please bear with me :)
There are a number of things that I put into my standard router/switch builds, and I thought I’d share them here. If you have any to add, please do!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
no ip domain lookup
no ip ospf name-lookup
line con 0
 exec-timeout 30 0
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 logging synchronous
So what exactly does the above do? Let's break it down one command at a time.
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
This tells the router to stamp every debug and log message with the date, year and timezone, down to the millisecond. Very handy when troubleshooting, and essential when you need to line up logs from several devices; pair it with NTP so that the clocks actually agree.
service password-encryption
A no-brainer really: don't leave passwords sitting in clear text in the config. Be clear about what it does and doesn't do, though. It applies Cisco's type 7 scheme, which is a fixed-key XOR, not encryption, and anyone who can read the config can recover the cleartext in seconds. It stops someone reading a password off a show run over your shoulder, nothing more. Use enable secret (a hash) rather than enable password, and use username ... secret or SSH keys for logins, so that the only type 7 strings left in the config are ones you can afford to lose.
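An added example, not from the original post, of why that caveat matters: the type 7 scheme that service password-encryption applies, in Python, with a decoder, an encoder for producing test strings, and a scanner that pulls every type 7 string out of a config. The key is the published 40-byte constant of the scheme; the config lines are constructed for the example, and the type 5 enable secret among them is a placeholder string, not a real hash.

```python
import re
from typing import List, Tuple

# Fixed XOR key of the Cisco type 7 scheme (a public, widely documented constant).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_MAX_LEN = 25   # IOS caps passwords stored this way at 25 characters


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind a 'password 7' string.

    Format: two decimal digits giving the starting offset into the key, then
    one hex pair per character, each being cleartext XOR key[offset + i].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are a 2-digit seed plus hex pairs")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 8) -> str:
    """Produce what IOS would write to the config for `clear` (handy for tests)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    raw = clear.encode("ascii")
    if len(raw) > TYPE7_MAX_LEN:
        raise ValueError("IOS caps type 7 passwords at 25 characters")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


# Lines such as 'password 7 ...' and 'key-string 7 ...'; type 5/8/9 secrets are hashes and are skipped.
_TYPE7_LINE = re.compile(r"\b(password|key-string) 7 ([0-9A-Fa-f]{4,})")


def find_type7(config: str) -> List[Tuple[int, str]]:
    """Return (line number, cleartext) for every type 7 string in a config dump."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((n, type7_decode(m.group(2))))
    return hits


# Constructed sample config (not from the post). The enable secret is a
# placeholder string standing in for a salted MD5 hash; it is not type 7 and is
# correctly left alone by the scanner.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "enable secret 5 $1$placeholder$notAType7String",
    "username admin password 7 0822455D0A16",
    "line vty 0 4",
    f" password 7 {type7_encode('vty-l0gin', seed=3)}",
])

if __name__ == "__main__":
    for n, clear in find_type7(SAMPLE_CONFIG):
        print(f"line {n}: {clear}")
```

Run it against a real show run and every line it prints is a credential that was only ever obscured, not protected. The same logic applies to any type 7 string, including routing protocol and SNMP keys written with key-string 7.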
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
You'll need to change this to suit your timezone. It tells my devices what timezone they are in and when to change their clocks for summer time, so you'll never need to add or subtract an hour again when reading a log.
no ip domain lookup
Ever mistyped a command, only for the router to try to resolve it as a hostname for what feels like five minutes? This command disables that DNS lookup. Bear in mind that it turns off DNS resolution on the box entirely, so anything you refer to by name (ping by hostname, an NTP or syslog server given as a name) will need to be an IP address instead.
no ip ospf name-lookup
If you run OSPF and do a show ip ospf neighbor, you'll notice it sometimes takes forever. Why? IOS is trying to resolve the neighbour IDs to hostnames through reverse DNS. I always want it to be quick, and I also want to know my neighbour IDs by the ID. This command disables that lookup. It is also the default, so it only changes anything on a box where someone has turned ip ospf name-lookup on, but stating it explicitly does no harm.
line con 0
 exec-timeout 30 0
 logging synchronous
line vty 0 4
 exec-timeout 5 0
 logging synchronous
If I'm consoled onto the device, I don't want to keep logging back in because of a timeout, so I set this to 30 minutes. You could set it to 0 0, but be careful: that means the session NEVER times out (unless the device reboots or similar). You could console in, make some changes, come back three months later and plug the console cable back in, and you'd still be logged in, as would anyone else with physical access to that port. The VTY lines get the shorter 5-minute timeout because they are reachable over the network.
Logging synchronous stops log messages from being printed in the middle of the command you're typing: IOS prints the message, then redraws the prompt and whatever you had typed so far.