With a static NAT, sessions can be initiated from hosts in the inside or the outside network. Inside addresses are bound to globally unique addresses using static translations, so connections can be established in either direction. Traffic from the inside network to the outside network is translated using the statically configured address on the NAT device. When a session must be established from an outside network to an inside network, the static translation must already have been configured manually on the router. A static translation maps an inside IP address to a fixed outside global IP address. This translation never changes and always remains in the translation table.

Figure 3.4
How NAPT functions. [Figure: inside Hosts A (192.168.1.2, source port 1576) and B (192.168.1.3, source port 1577) send to outside Host Y (207.139.221.11, port 80) and Host Z (207.139.221.12, port 21) through the NAT device (inside 192.168.1.1, outside 207.139.221.1). Both sessions leave with the single global address 207.139.221.2 from the global address pool; the translation table distinguishes them by source port.]
For example, if a resource on the inside network must be made accessible from the outside network, the global IP address of that resource can be advertised worldwide through DNS. Because the resource has been statically translated to a global IP address, that address can be published in a DNS record. If the resource is a mail server, an MX record can be created in the company's zone pointing at a hostname whose A record is the global IP address statically assigned to the mail server on the inside network. Even though the mail server is not physically located in the outside network, it can then be reached as if it were.
TIP
A configuration that allows global access to a statically translated resource has a security advantage. If the NAT device is a Cisco PIX firewall or a Cisco router running the Cisco IOS Firewall feature set, access control lists (ACLs) can be used to limit the traffic permitted to reach the resource to the ports the service actually needs. Keep in mind that the static translation itself filters nothing: without an ACL, every port on the inside host is reachable from the outside through its global address. Compare this with a server physically placed in the outside network and open to global access, where limiting the type of traffic it receives would be very difficult, if not impossible, and therefore a security risk.
Figure 3.5 illustrates a static NAT translation. A session is initiated from Host Z on the outside network to Host A's global IP address. Because the NAT device holds a static translation between Host A's inside IP address and that global IP address, it can rewrite the destination of Host Z's packet to Host A's inside address and forward it. Recall that with traditional or outbound NAT, a session can be initiated only from the inside host; that first packet causes a dynamic translation to be created on the NAT device, and only then can the outside host reply to the inside host. Once the session times out, the translation is removed and the inside host must start a new session with the outside host, causing the NAT device to create a new translation, which may allocate a different global IP address from the pool to the inside host for the duration of that session. With a static NAT, the translation is always active, and the global IP address is never allocated dynamically to another host on the inside network.
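The difference between a static binding and a dynamic one can be seen in a small model of the NAT device's translation table. The following Python is an added example, not code from this book or from any Cisco product. It uses the addresses of Figure 3.5 (Host A 192.168.1.2 statically mapped to 207.139.221.2, Host Z at 207.139.221.11) and assumes a second inside host 192.168.1.3, a second pool address 207.139.221.3, a second outside host at 207.139.221.12 and a 300-second idle timeout; all of those are assumptions, not values from the text.

```python
"""Toy model of a NAT device's translation table: static bindings versus
dynamic (traditional/outbound NAT) bindings drawn from a global address pool.
Added example; not code from the book or from any Cisco device."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    static: bool
    last_used: float      # simulated clock reading, in seconds


class NatDevice:
    def __init__(self, pool, idle_timeout=300):
        self.pool = list(pool)        # free inside global addresses
        self.idle_timeout = idle_timeout
        self.table = {}               # inside local -> Translation
        self.clock = 0.0

    def add_static(self, inside_local, inside_global):
        """Permanent binding; the global address is withdrawn from the dynamic pool."""
        if inside_global in self.pool:
            self.pool.remove(inside_global)
        self.table[inside_local] = Translation(inside_local, inside_global, True, self.clock)

    def _lookup_global(self, inside_global):
        for t in self.table.values():
            if t.inside_global == inside_global:
                return t
        return None

    def tick(self, seconds):
        """Advance the clock and expire idle dynamic translations; static ones never expire."""
        self.clock += seconds
        for local, t in list(self.table.items()):
            if not t.static and self.clock - t.last_used > self.idle_timeout:
                del self.table[local]
                self.pool.append(t.inside_global)   # address returns to the pool

    def outbound(self, pkt):
        """Inside -> outside. A dynamic translation is created on demand."""
        t = self.table.get(pkt.src)
        if t is None:
            if not self.pool:
                return None               # pool exhausted: dropped
            t = Translation(pkt.src, self.pool.pop(0), False, self.clock)
            self.table[pkt.src] = t
        t.last_used = self.clock
        return Packet(t.inside_global, pkt.dst)

    def inbound(self, pkt):
        """Outside -> inside. Only a static or still-live dynamic translation is accepted;
        anything else is dropped, so outside hosts cannot initiate to a dynamic address."""
        t = self._lookup_global(pkt.dst)
        if t is None:
            return None
        t.last_used = self.clock
        return Packet(pkt.src, t.inside_local)


def demo():
    """Walk through the scenarios in the text and return what was observed."""
    nat = NatDevice(pool=["207.139.221.2", "207.139.221.3"], idle_timeout=300)
    nat.add_static("192.168.1.2", "207.139.221.2")         # Host A (Figure 3.5)
    host_z, other_peer = "207.139.221.11", "207.139.221.12"  # outside hosts; .12 assumed
    results = {}
    # Host Z opens a session to Host A's static global address: forwarded inside
    results["static_inbound"] = nat.inbound(Packet(host_z, "207.139.221.2")).dst
    # Host B (192.168.1.3) has no translation yet, so an outside-initiated packet is dropped
    results["dyn_inbound_before"] = nat.inbound(Packet(other_peer, "207.139.221.3"))
    # Host B initiates; the device allocates 207.139.221.3 dynamically
    out = nat.outbound(Packet("192.168.1.3", other_peer))
    results["dyn_global"] = out.src
    results["dyn_reply"] = nat.inbound(Packet(other_peer, out.src)).dst
    # The session idles past the timeout: the dynamic entry goes away, the static one stays
    nat.tick(301)
    results["dyn_inbound_expired"] = nat.inbound(Packet(other_peer, "207.139.221.3"))
    results["static_after_timeout"] = nat.inbound(Packet(host_z, "207.139.221.2")).dst
    results["pool_after_expiry"] = list(nat.pool)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two behaviours side by side: the packet to the dynamic address is dropped both before Host B has spoken and again after its entry expires, while Host A's static entry answers in both cases and its global address never returns to the pool.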
Twice NAT
Twice NAT is a variation of NAT in which both the source and destination addresses are modified by the NAT device as the packet crosses address realms. Compare this with traditional NAT, where only one of the addresses (either source or destination) is translated as the packet traverses the NAT device.

Twice NAT is necessary when the inside and outside networks have overlapping address space. Although this problem does not occur often, a need for Twice NAT arises when two companies merge networks that use overlapping address space, or when a company has chosen an IP subnet that is already in use on the Internet. Figure 3.6 illustrates Twice NAT.
Figure 3.5
A Static NAT translation. [Figure: Host Z (207.139.221.11) on the outside sends a packet to 207.139.221.2; the NAT device (inside 192.168.1.1, outside 207.139.221.1) uses the translation-table entry 192.168.1.2 <-> 207.139.221.2 to rewrite the destination to Host A's inside address 192.168.1.2.]

The router performs the following process when translating overlapping addresses:
1. Host 1.1.1.1 opens a connection to Host C by DNS name. A name-to-address lookup request is sent to DNS server x.x.x.x.
2. The router intercepts the DNS reply and translates the returned address (in the data portion of the packet) if it overlaps, that is, if the legal address returned for the outside host would also be an address on the inside network. To do this, the router creates a simple translation entry mapping the overlapping address 1.1.1.3 to an address from a separately configured outside local address pool. The router examines every DNS reply it passes, checking whether the returned address falls within the inside network; if it does, the router translates it.
3. Host 1.1.1.1 opens a connection to 3.3.3.3.
4. The router sets up translations mapping inside local and inside global addresses to each other, and outside global and outside local addresses to each other.
5. The router replaces the source address with the inside global address and the destination address with the outside global address.
6. Host C receives the packet and continues the conversation.
7. For the return packet, the router does a lookup, replaces the destination address with the inside local address, and replaces the source address with the outside local address.
8. Host 1.1.1.1 receives the packet, and the conversation continues using this translation process.
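The eight steps above, modelled in Python as an added example (not the book's text or any Cisco code). The inside network is 1.1.1.0/24 and Host C's real address 1.1.1.3 collides with it, as in the text, and 3.3.3.3 is the outside local address drawn from the pool. The inside global address 2.2.2.2 and the DNS server address 9.9.9.9 are assumptions (the text writes x.x.x.x for the DNS server), and the DNS reply is modelled as a packet carrying its A-record answer rather than a parsed DNS message.

```python
"""Toy model of Twice NAT for overlapping address space, following the
router process described in the text. Added example; not the book's or
Cisco's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dns_answer: Optional[str] = None   # A-record answer carried by a DNS reply, else None


class TwiceNatRouter:
    def __init__(self, inside_net, inside_global_pool, outside_local_pool):
        self.inside_net = ip_network(inside_net)
        self.ig_pool = list(inside_global_pool)   # free inside global addresses
        self.ol_pool = list(outside_local_pool)   # free outside local addresses
        self.inside = {}     # inside local  -> inside global
        self.outside = {}    # outside global -> outside local

    def _outside_local_for(self, outside_global):
        """Map an outside address into the outside local pool if it overlaps the inside net."""
        if ip_address(outside_global) not in self.inside_net:
            return outside_global            # no overlap: address left alone
        if outside_global not in self.outside:
            self.outside[outside_global] = self.ol_pool.pop(0)
        return self.outside[outside_global]

    def _outside_global_for(self, outside_local):
        for og, ol in self.outside.items():
            if ol == outside_local:
                return og
        return outside_local                 # not a translated address

    def inside_to_outside(self, pkt):
        """Steps 4-5: source becomes inside global, destination becomes outside global."""
        if pkt.src not in self.inside:
            self.inside[pkt.src] = self.ig_pool.pop(0)
        return Packet(self.inside[pkt.src], self._outside_global_for(pkt.dst), pkt.dns_answer)

    def outside_to_inside(self, pkt):
        """Steps 2 and 7: destination back to inside local, source to outside local, and a
        DNS answer that overlaps the inside network rewritten in the data portion."""
        inside_local = next((il for il, ig in self.inside.items() if ig == pkt.dst), None)
        if inside_local is None:
            return None                      # no translation for this destination: dropped
        answer = pkt.dns_answer
        if answer is not None:
            answer = self._outside_local_for(answer)
        return Packet(self._outside_local_for(pkt.src), inside_local, answer)


def demo():
    """Run the eight-step exchange and return the addresses seen at each point."""
    dns_server = "9.9.9.9"    # assumed; the text writes x.x.x.x
    host_c = "1.1.1.3"        # Host C's real address, colliding with inside 1.1.1.0/24
    r = TwiceNatRouter("1.1.1.0/24", inside_global_pool=["2.2.2.2"], outside_local_pool=["3.3.3.3"])
    # 1. Host 1.1.1.1 resolves Host C; the query is source-translated on the way out
    query = r.inside_to_outside(Packet("1.1.1.1", dns_server))
    # 2. The reply's A record (1.1.1.3) overlaps the inside network, so it is rewritten
    reply = r.outside_to_inside(Packet(dns_server, query.src, dns_answer=host_c))
    # 3-5. Host 1.1.1.1 connects to the address it was given; both header fields change
    out = r.inside_to_outside(Packet("1.1.1.1", reply.dns_answer))
    # 6-8. Host C answers to the inside global address; the router reverses both fields
    back = r.outside_to_inside(Packet(host_c, out.src))
    return {
        "query_src": query.src,
        "answer_seen_by_host": reply.dns_answer,
        "out": (out.src, out.dst),
        "back": (back.src, back.dst),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The inside host only ever sees 3.3.3.3 for Host C, and Host C only ever sees 2.2.2.2 for the inside host; neither side is aware that the other's real address is 1.1.1.x. Note that the scheme depends on the router seeing the DNS reply in the clear, since the rewrite happens in the packet's data portion.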