Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address as packets traverse a network device. Outgoing packets from the device then appear to come from a different source IP address. Incoming packets returning to that source address have their IP address translated back to the original one.
NAT is configured in cOS Stream by setting the SourceTranslation property of an IP Rule object to NAT. cOS Stream allows NAT to be applied to both IPv4 and IPv6 traffic, and both address families can be NATed by a single IP Rule object. An example of this is given towards the end of this section.
NAT Benefits
NAT can have two important benefits:
The IP addresses of individual clients and hosts can be "hidden" behind the firewall's IP address. This is sometimes referred to as topology hiding.
Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses (as defined in RFC1918 for IPv4) but can still have access to the public Internet through the public IP address.
NAT Provides Many-to-one IP Address Translation
NAT provides many-to-one translation: each NAT rule in the main IP rule set translates several source IP addresses to a single source IP address. To keep the flows apart, each NAT flow is given a unique combination of source IP address and source port number. cOS Stream then translates the source port number as well as the source IP address back again for returning packets. In other words, the real source IP addresses of all the flows are translated to the same IP address, and the flows are distinguished from one another by the unique source port allocated to each.
The diagram below illustrates the NAT concept.
In the diagram above, three flows from IP addresses A, B and C are NATed through a single source IP address N. The original port numbers are also changed.
The source port allocated to a new NAT flow is a free port selected at random by cOS Stream. Ports are allocated randomly rather than sequentially so that an external attacker cannot predict which port the next flow will use.
Limitations on the Number of Flows
There is a limit of approximately 65,500 simultaneous NAT flows for each unique IP pair. An IP pair here means one IP address on a firewall interface together with the IP address of an external host to which flows are being made. If two different IP addresses on the same external host are contacted from the same NAT address on the firewall, this constitutes two unique IP pairs, each with its own limit. The 65,500 figure is therefore not a limit for the entire Clavister NetShield Firewall.

The limit exists because the flows within one IP pair can only be told apart by their source port, so it applies in full when all flows to the external host use the same destination port. For example, if a remote server demands that all flows are to a single destination port then this limit will apply to that pair.

However, since roughly 65,500 source ports and the same number of destination ports are available, it is theoretically possible to have over 4 billion simultaneous flows between two IP addresses if all port combinations are used.
The Source IP Address Used for Translation
cOS Stream can determine the source IP address used for NAT in the following ways:

Use the IP Address of the Interface
When a new flow is established, the routing table is consulted to resolve the outbound interface for the flow. The IP address of that resolved interface is then used as the new source IP address when cOS Stream performs the address translation. This is the default way that the IP address is determined.
Specify a Specific IP Address
A specific IP address can be specified as the new source IP address. The specified IP address must have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the Clavister NetShield Firewall. This technique might be used when the NAT source IP address should differ depending on the source of the traffic. For example, an ISP that is using NAT might use a different IP address for each customer.

The following example illustrates the NAT process with a client at the private IPv4 address 192.168.1.5 on the internal network accessing a web server at the public IPv4 address 203.0.113.10. The public IPv4 address of the Ethernet interface connected to the Internet is 203.0.113.5 (for simplicity, assume that this interface and the server are on the same network). NAT is applied to flows leaving through this interface by a NATing IP Rule object that allows flows from the client to the server.
The sequence of events in the NAT process is illustrated in the diagram below and in the steps that follow.

1. The sender at IP address 192.168.1.5 sends a packet from a dynamically assigned port number (assume port 1038) to the server at 203.0.113.10 on port 80.

2. Assume that the NAT Use Interface Address option is used in the IP rule. cOS Stream changes the source IP address to the address of its outbound interface (203.0.113.5) and the source port to a random unused port above port 1024. In this example, assume port 32,789 is chosen. The packet is then sent to its destination with this source IP address and source port.

3. The server processes the packet and sends its response back to the source IP address and port it saw, that is, 203.0.113.5 port 32,789.

4. cOS Stream receives the packet and looks up the destination IP address and port in its list of open flows. If it finds the flow, it restores the original source IP address and port number (192.168.1.5 port 1038) and forwards the packet to the sender. If no open flow matches, the packet is not forwarded.

5. The original sender has now received the response without needing a public IP address of its own.
Example 9.1. Adding an IPv4 NAT Rule
This example adds a NAT rule that performs IPv4 address translation for all HTTP/HTTPS traffic originating from the internal network if1_net on the interface if1 as it flows out to the public Internet on the wan interface. The IPv4 address of the wan interface is used as the NATing address for all flows.
Command-Line Interface
First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
        SourceInterface=if1
        SourceNetwork=if1_net
        DestinationInterface=wan
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceTranslation=NAT
        SetSourceAddress=InterfaceAddress
        Name=NAT_HTTP

Now, return to the default CLI context if no more rules are needed:

System:/IPRuleSet/main> cc
System:/>
DNS Traffic Needs a Separate Rule
Note that a second, similar rule will be needed to NAT DNS traffic from the internal HTTP/HTTPS clients so that web browsers can resolve hostnames. Everything is the same except that the Service property should be set to dns-all in that rule.

Specifying the NAT IP Address
In the preceding example, the IP address used for NAT is the IPv4 address of the destination interface. The alternative is to specify another IPv4 address that is to be used on the destination interface. This is done by setting the SetSourceAddress property to AllToOne and using the NewSourceIP4 property to specify the NAT address for the interface.

Example 9.2. Specifying an IPv4 NAT Address
This example is the same as the preceding example except that the NAT address used on the wan interface is explicitly specified as 10.0.0.1.
Command-Line Interface
First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
        SourceInterface=if1
        SourceNetwork=if1_net
        DestinationInterface=wan
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceTranslation=NAT
        SetSourceAddress=AllToOne
        NewSourceIP4=10.0.0.1
        Name=NAT_HTTP
The IPv4 address 10.0.0.1 must also be explicitly ARP published on the wan interface if it is not already one of the addresses assigned to that interface.
ARP Publishing the NAT IPv4 address
As mentioned in the last NAT example, if the NAT IPv4 address is not already ARP published on the Ethernet interface then this must be done explicitly. Doing this is described in Chapter 4, ARP.

ARP publishing of all the IP addresses already assigned to an Ethernet interface is done automatically, and any Ethernet interface can have multiple IP addresses associated with it.

It is possible to NAT IPv6 traffic in the same way that NAT is used for IPv4 traffic. It is also possible to combine IPv4 and IPv6 traffic in the same IP rule.

Example 9.3. Adding an IPv6 NAT Rule
This example adds a NAT rule that performs IPv6 address translation for all IPv6 HTTP/HTTPS traffic originating from the internal IPv6 network LAN_ip6_net on the interface LAN as it flows out to the public Internet on the WAN interface. The IPv6 address of the WAN interface is used as the NATing address for all flows.
Command-Line Interface
First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
        SourceInterface=LAN
        SourceNetwork=LAN_ip6_net
        DestinationInterface=WAN
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceTranslation=NAT
        SetSourceAddress=InterfaceAddress
        Name=NAT_IP6_HTTP
Example 9.4. Adding a Combined IPv4 and IPv6 NAT Rule
This example repeats the preceding example but performs NAT on both IPv4 and IPv6 traffic. The only difference is how the SourceNetwork property is specified: it lists both an IPv4 network object (LAN_net) and an IPv6 network object (LAN_ip6_net), separated by a comma.
Command-Line Interface
First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
        SourceInterface=LAN
        SourceNetwork=LAN_net,LAN_ip6_net
        DestinationInterface=WAN
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceTranslation=NAT
        SetSourceAddress=InterfaceAddress
        Name=NAT_IPv4_IP6_HTTP
Specifying the IPv6 NAT Address
Note that the property NewSourceIP6 is used to specify an IPv6 address as the NAT address for IPv6 traffic. Either or both of NewSourceIP4 and NewSourceIP6 must be specified in a rule that uses the SetSourceAddress=AllToOne option.

If the NAT rule can match both IPv4 and IPv6 traffic (for example, if the source network is all-nets) then both NewSourceIP4 and NewSourceIP6 must be specified, since the rule must be able to apply NAT to both address types.
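The rules above carry constraints that fail silently when they are wrong: an AllToOne address must be assigned to or ARP published on the destination interface (Example 9.2), a rule that can match both address families needs both NewSourceIP4 and NewSourceIP6, and HTTP/HTTPS clients need a companion dns-all rule. The following is an added Python example written for this page, not a cOS Stream tool, that audits a rule set for these conditions. It treats rules as dicts keyed by the CLI property names used in the examples; the network-object family table, the interface addresses, the ARP-published addresses and the deliberately broken extra rules are constructed inputs.

```python
"""Consistency checks for NAT IP rules of the kind shown in Examples 9.1-9.4.

Added example written for this page, not a cOS Stream tool.  Rules are plain
dicts keyed by the property names used in the CLI examples; the address-family
table for network objects and the interface/ARP data below are constructed."""
import ipaddress

# Which address families each network object covers (constructed).
NETWORK_FAMILIES = {"if1_net": {4}, "LAN_net": {4}, "LAN_ip6_net": {6}, "all-nets": {4, 6}}
# Addresses assigned to an Ethernet interface (ARP published automatically) and
# addresses explicitly ARP published on an interface (both constructed).
INTERFACE_ADDRESSES = {"wan": {"203.0.113.5", "2001:db8::5"}}
ARP_PUBLISHED = {("wan", "10.0.0.1")}


def families_of(rule):
    """Address families present in the rule's SourceNetwork (comma-separated list)."""
    fams = set()
    for name in rule["SourceNetwork"].split(","):
        fams |= NETWORK_FAMILIES.get(name.strip(), set())
    return fams


def check_nat_rule(rule):
    """Problems with one NAT rule's source address settings; [] means OK."""
    name, problems = rule["Name"], []
    if rule.get("SourceTranslation") != "NAT":
        return problems
    mode = rule.get("SetSourceAddress", "InterfaceAddress")
    if mode == "InterfaceAddress":             # default: the routed interface's own address
        return problems
    if mode != "AllToOne":
        return [f"{name}: unknown SetSourceAddress value {mode!r}"]
    new_ip = {4: rule.get("NewSourceIP4"), 6: rule.get("NewSourceIP6")}
    if not any(new_ip.values()):
        problems.append(f"{name}: AllToOne needs NewSourceIP4 and/or NewSourceIP6")
    iface = rule["DestinationInterface"]
    for fam in sorted(families_of(rule)):      # every family the rule can match needs an address
        ip = new_ip[fam]
        if ip is None:
            problems.append(f"{name}: source network carries IPv{fam} but NewSourceIP{fam} is unset")
        elif ipaddress.ip_address(ip).version != fam:
            problems.append(f"{name}: NewSourceIP{fam}={ip} is not an IPv{fam} address")
        elif ip not in INTERFACE_ADDRESSES.get(iface, set()) and (iface, ip) not in ARP_PUBLISHED:
            problems.append(f"{name}: {ip} is neither assigned to nor ARP published on {iface}; "
                            "return traffic will not reach the firewall")
    return problems


def check_dns_companions(rules):
    """Warn when an http-all NAT rule has no dns-all NAT rule for the same clients."""
    warnings = []
    nat_rules = [r for r in rules if r.get("SourceTranslation") == "NAT"]
    for r in nat_rules:
        if r.get("Service") != "http-all":
            continue
        clients = (r["SourceInterface"], r["SourceNetwork"])
        if not any(o.get("Service") == "dns-all" and (o["SourceInterface"], o["SourceNetwork"]) == clients
                   for o in nat_rules):
            warnings.append(f"{r['Name']}: no dns-all NAT rule for {clients[1]}; browsers cannot resolve names")
    return warnings


def audit(rules):
    """Map each rule name to its problems, plus a '_dns' entry for missing DNS rules."""
    report = {r["Name"]: check_nat_rule(r) for r in rules}
    report["_dns"] = check_dns_companions(rules)
    return report


# Constructed rule set: Examples 9.1 and 9.2 as written (second one renamed),
# a DNS companion rule, and two deliberately broken rules.
BASE = {"SourceInterface": "if1", "SourceNetwork": "if1_net", "DestinationInterface": "wan",
        "DestinationNetwork": "all-nets", "Service": "http-all", "Action": "Allow",
        "SourceTranslation": "NAT"}
EXAMPLE_RULES = [
    {**BASE, "SetSourceAddress": "InterfaceAddress", "Name": "NAT_HTTP"},
    {**BASE, "SetSourceAddress": "AllToOne", "NewSourceIP4": "10.0.0.1", "Name": "NAT_HTTP_10"},
    {**BASE, "Service": "dns-all", "SetSourceAddress": "InterfaceAddress", "Name": "NAT_DNS"},
    {**BASE, "SetSourceAddress": "AllToOne", "NewSourceIP4": "198.51.100.200", "Name": "NAT_UNPUBLISHED"},
    {**BASE, "SourceNetwork": "all-nets", "SetSourceAddress": "AllToOne", "NewSourceIP4": "10.0.0.1",
     "Name": "NAT_DUAL_MISSING_V6"},
]
```

audit(EXAMPLE_RULES) reports nothing for the two rules as written in the examples, flags NAT_UNPUBLISHED because 198.51.100.200 is neither an address of wan nor ARP published there, flags NAT_DUAL_MISSING_V6 because its all-nets source needs a NewSourceIP6 as well, and warns that the all-nets clients have no dns-all rule. In practice the three tables would be exported from the running configuration rather than typed in.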
Protocols Handled by NAT
Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality, since the algorithm knows which header values can be adjusted to make flows unique in these three protocols. For other IP level protocols, unique flows are identified only by their source address, destination address and protocol number.

This means that for protocols other than TCP, UDP and ICMP:
An internal machine can communicate with several external servers using the same IP protocol.
An internal machine can communicate with several external servers using different IP protocols.
Several internal machines can communicate with different external servers using the same IP protocol.
Several internal machines can communicate with the same server using different IP protocols.
Several internal machines cannot communicate with the same external server using the same IP protocol.
Note: Restrictions only apply to IP level protocols
These restrictions apply only to IP level protocols other than TCP, UDP and ICMP, such as OSPF and L2TP. They do not apply to the protocols transported by TCP, UDP and ICMP such as telnet, FTP, HTTP and SMTP. cOS Stream can alter the port number information in the TCP and UDP headers to make each flow unique, even though such flows have had their source addresses translated to the same IP address.
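To make the behaviour described in this section concrete, here is an added Python model, written for this page and not cOS Stream code, of the many-to-one translation: random source-port allocation per IP pair, the reverse lookup performed on returning packets in the five-step sequence, exhaustion of the roughly 65,500 ports for one IP pair and destination port, and the restriction just described for protocols other than TCP, UDP and ICMP. The class and method names, the port range and every address used are assumptions or constructed values for the example.

```python
"""Model of the many-to-one NAT behaviour described on this page.

Illustrative Python written for this page; it is not cOS Stream code.  The
class and method names, the 1025-65535 source-port range and every address
used here are assumptions or constructed values."""
import random

MIN_PORT, MAX_PORT = 1025, 65535   # "a random unused port ... above port 1024"

# Protocols with a header field NAT can rewrite to keep flows unique: TCP and
# UDP ports, and the ICMP echo identifier (treated as the "port" below).
PORT_PROTOCOLS = {"tcp", "udp", "icmp"}


class NatError(Exception):
    """No unique translation is possible for this flow."""


class NatTable:
    def __init__(self, nat_ip, seed=None):
        self.nat_ip = nat_ip
        self._rng = random.Random(seed)
        # Free NAT ports are tracked per (protocol, destination IP, destination
        # port), which is why the ~65,500 limit is per IP pair, not per firewall.
        self._free = {}    # (proto, dst_ip, dst_port) -> shuffled list of free ports
        self._out = {}     # (proto, src_ip, src_port, dst_ip, dst_port) -> nat_port
        self._in = {}      # (proto, nat_port, dst_ip, dst_port) -> (src_ip, src_port)
        self._plain = {}   # (proto, dst_ip) -> src_ip, for protocols without ports

    def _shuffled_ports(self):
        ports = list(range(MIN_PORT, MAX_PORT + 1))
        self._rng.shuffle(ports)       # random allocation order; ports are popped off the end
        return ports

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns (new_src_ip, new_src_port)."""
        if proto in PORT_PROTOCOLS:
            key = (proto, src_ip, src_port, dst_ip, dst_port)
            if key not in self._out:                       # first packet of a new flow
                pair = (proto, dst_ip, dst_port)
                free = self._free.get(pair)
                if free is None:
                    free = self._free[pair] = self._shuffled_ports()
                if not free:
                    raise NatError(f"source ports exhausted towards {dst_ip}:{dst_port}")
                nat_port = free.pop()
                self._out[key] = nat_port
                self._in[(proto, nat_port, dst_ip, dst_port)] = (src_ip, src_port)
            return self.nat_ip, self._out[key]
        # Other IP protocols (OSPF, L2TP, ...): only the addresses and protocol
        # number identify the flow, so one internal host per external host.
        owner = self._plain.setdefault((proto, dst_ip), src_ip)
        if owner != src_ip:
            raise NatError(f"{dst_ip} over {proto} is already in use by {owner}")
        return self.nat_ip, None

    def translate_in(self, proto, ext_ip, ext_port, nat_port):
        """Reverse-translate a packet from ext_ip:ext_port to nat_ip:nat_port.
        Returns the original (src_ip, src_port), or None when no open flow
        matches, in which case the packet is dropped rather than forwarded."""
        if proto in PORT_PROTOCOLS:
            return self._in.get((proto, nat_port, ext_ip, ext_port))
        owner = self._plain.get((proto, ext_ip))
        return (owner, None) if owner else None


def walkthrough():
    """The five-step sequence from the text, with the addresses it uses."""
    nat = NatTable("203.0.113.5", seed=1)
    nat_ip, nat_port = nat.translate_out("tcp", "192.168.1.5", 1038, "203.0.113.10", 80)
    reply = nat.translate_in("tcp", "203.0.113.10", 80, nat_port)     # the server's response
    stray = nat.translate_in("tcp", "203.0.113.10", 80, MIN_PORT - 1)  # no such flow: dropped
    return nat_ip, nat_port, reply, stray


def limits_demo():
    """Per-IP-pair port exhaustion, and the restriction for protocols without ports."""
    nat = NatTable("203.0.113.5", seed=2)
    server = "198.51.100.9"
    for i in range(MAX_PORT - MIN_PORT + 1):           # one flow per free port towards server:53
        nat.translate_out("udp", f"10.{i >> 8}.{i & 255}.1", 5000, server, 53)
    try:
        nat.translate_out("udp", "10.255.255.1", 5000, server, 53)
        exhausted = False
    except NatError:
        exhausted = True
    # Another destination port on the same server is a fresh pool of free ports.
    other_port_ok = nat.translate_out("udp", "10.255.255.1", 5000, server, 123)[1] is not None
    nat.translate_out("ospf", "10.0.0.1", None, "192.0.2.1", None)
    try:                                               # second host, same server, same protocol
        nat.translate_out("ospf", "10.0.0.2", None, "192.0.2.1", None)
        collision = False
    except NatError:
        collision = True
    second_server_ok = nat.translate_out("ospf", "10.0.0.1", None, "192.0.2.2", None) == (nat.nat_ip, None)
    return exhausted, other_port_ok, collision, second_server_ok
```

walkthrough() returns the NAT address 203.0.113.5 with a random port, recovers (192.168.1.5, 1038) for the server's reply and None for a packet to a port with no open flow; limits_demo() shows that once every port towards server:53 is in use a further flow to that pair fails while a flow to server:123 still succeeds, and that a second internal host cannot use OSPF to an external host that another internal host is already talking to, although the first host can reach a second external host.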
Some protocols, regardless of the method of transportation used, can cause problems during address translation.