NAT & VPN

Lecture 8

Hassan Shuja

05/02/2006


NAT

  • Network Address Translation (NAT)

    • Allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet

      • The host might be using a private (RFC 1918) address or an address assigned to another organization

    • The source IP address in the packet is changed from the private address to the public address on the way out; the destination address of the reply is changed back on the way in

    • Cisco terminology uses “inside” and “outside” to describe where a host resides relative to the NAT router

      • “local” and “global” describe how an address appears: a local address is the one seen on the inside network, a global address is the one seen from the outside (so an inside host has an inside local and an inside global address)

    • A translation table is kept with each mapping; every translated packet is matched against it

  • Static NAT

    • A one-to-one mapping is set up where the inside address is always mapped to the same outside address

      • This mapping does not change and does not expire

      • A second private address will require a second public address


  • Dynamic NAT

    • A one-to-one mapping is set up where inside IP addresses are dynamically assigned from a pool of outside addresses as they start sending traffic

      • If all addresses in the outside pool are in use, a new inside host will not be able to reach the outside until an entry times out

  • Dynamic NAT & Static NAT

    • Dynamic NAT and static NAT can work together

      • It is possible to set up a pool of addresses and also statically map some of the addresses (static entries are permanent, dynamic ones expire)

  • NAT Overload

    • Overloading allows NAT to scale to support many clients behind one IP address

      • Also referred to as PAT (Port Address Translation)

    • Instead of translating only the IP address, it also translates the source port number, so many inside hosts can share one outside address

    • The translation table therefore also records the port numbers, and a reply is matched on the (outside address, port) pair


  • NAT Configuration

    • The interfaces on the router need to be designated as the “inside” and “outside” interface (entered under each interface)

      • “ip nat inside”

      • “ip nat outside”

  • Static NAT Configuration

    • Configuration command (global configuration mode)

      • “ip nat inside source static 10.1.1.2 200.1.1.2”

        • Maps inside local 10.1.1.2 to inside global 200.1.1.2 permanently, in both directions

    • Show commands

      • “show ip nat translations”

        • Displays the translation table

      • “show ip nat statistics”

        • Displays hit and miss counts, the configured inside/outside interfaces and the active mappings


  • Dynamic NAT

    • A NAT pool must be set up for the outside addresses

      • “ip nat pool umbc 200.1.1.1 200.1.1.254 netmask 255.255.255.0”

    • The addresses to be translated need to be identified with a standard access list (the second value is a wildcard mask, not a subnet mask)

      • “access-list 1 permit 10.1.1.0 0.0.0.255”

    • The inside addresses need to be mapped to the outside pool

      • “ip nat inside source list 1 pool umbc”

    • All three commands are entered in global configuration mode


  • NAT Overload

    • With a pool, the pool can be a single outside address (IOS requires both a start and an end address, so the same address is given twice)

      • “ip nat pool umbc 200.1.1.1 200.1.1.1 netmask 255.255.255.255”

    • Two ways of mapping the inside addresses to an outside address

      • “ip nat inside source list 1 pool umbc overload”

      • “ip nat inside source list 1 interface serial0/0 overload”

        • The second form needs no pool: it maps everything permitted by access list 1 to whatever address is configured on the serial interface, which suits links with a single or DHCP-assigned public address

    • The addresses to be translated still need to be identified with the access list

      • “access-list 1 permit 10.1.1.0 0.0.0.255”

    • All of the above commands are entered in global configuration mode
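
The following Python model is added here and is not part of the lecture or Cisco code. It ties the dynamic, static and overload behaviour described earlier to the configuration steps above: the (network, wildcard) pair stands for “access-list 1 permit 10.1.1.0 0.0.0.255”, the pool list for “ip nat pool umbc ...”, the static dictionary for “ip nat inside source static ...”, and overload=True for the “overload” keyword. Addresses, port numbers and the 1024-65535 PAT port range are constructed for illustration; it shows what the slides only state, namely what the translation table is keyed on in each mode, how a reply is matched, and what happens when a dynamic pool runs out.

```python
"""Toy model of the NAT variants in the lecture: static, dynamic (one-to-one
from a pool) and overload/PAT.  Constructed example, not Cisco IOS code;
addresses and the 1024-65535 PAT port range are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PoolExhausted(Exception):
    """Dynamic NAT: every outside address in the pool is already in use."""


def acl_permits(addr, network, wildcard):
    """Match like an IOS standard ACL entry ('access-list 1 permit 10.1.1.0 0.0.0.255'):
    wildcard bits set to 1 are 'don't care', bits set to 0 must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class NatRouter:
    """Models 'ip nat inside source {static A B | list N pool P [overload]}'
    on a router with one inside and one outside interface."""

    def __init__(self, acl, pool, overload=False, static=None):
        self.acl = acl                         # (network, wildcard) of access-list N
        self.free = list(pool)                 # pool addresses not yet handed out
        self.overload = overload               # PAT: every inside host shares pool[0]
        self.pat_addr = pool[0]
        self.addr_map = dict(static or {})     # inside local -> inside global (static + dynamic)
        self.addr_rev = {g: l for l, g in self.addr_map.items()}
        self.port_map = {}                     # PAT: (local ip, port) -> (global ip, port)
        self.port_rev = {}                     # PAT: (global ip, port) -> (local ip, port)

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet, creating entries as needed."""
        if pkt.src in self.addr_map:                      # static, or dynamic entry already made
            return replace(pkt, src=self.addr_map[pkt.src])
        if not acl_permits(pkt.src, *self.acl):           # not matched by the list: untranslated
            return pkt
        if self.overload:
            key = (pkt.src, pkt.sport)
            if key not in self.port_map:
                self.port_map[key] = (self.pat_addr, self._free_port(pkt.sport))
                self.port_rev[self.port_map[key]] = key
            gaddr, gport = self.port_map[key]
            return replace(pkt, src=gaddr, sport=gport)
        if not self.free:
            raise PoolExhausted(pkt.src)                  # this host cannot reach the outside
        gaddr = self.free.pop(0)
        self.addr_map[pkt.src] = gaddr
        self.addr_rev[gaddr] = pkt.src
        return replace(pkt, src=gaddr)

    def _free_port(self, wanted):
        """PAT keeps the original source port when nobody else holds it, else picks another."""
        if (self.pat_addr, wanted) not in self.port_rev:
            return wanted
        for gport in range(1024, 65536):
            if (self.pat_addr, gport) not in self.port_rev:
                return gport
        raise PoolExhausted("no free ports on " + self.pat_addr)

    def inbound(self, pkt):
        """Rewrite the destination of an outside->inside packet from the table;
        None means there is no entry and the packet is dropped."""
        if (pkt.dst, pkt.dport) in self.port_rev:
            laddr, lport = self.port_rev[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=laddr, dport=lport)
        if pkt.dst in self.addr_rev:
            return replace(pkt, dst=self.addr_rev[pkt.dst])
        return None

    def translations(self):
        """Rough equivalent of 'show ip nat translations': (inside local, inside global) rows."""
        rows = list(self.addr_map.items())
        rows += [("%s:%d" % k, "%s:%d" % v) for k, v in self.port_map.items()]
        return rows


if __name__ == "__main__":
    # constructed sample: PAT on 200.1.1.1 plus one static mapping
    r = NatRouter(("10.1.1.0", "0.0.0.255"), ["200.1.1.1"], overload=True,
                  static={"10.1.1.2": "200.1.1.100"})
    out = r.outbound(Packet("10.1.1.10", 5000, "203.0.113.9", 80))
    back = r.inbound(Packet("203.0.113.9", 80, out.src, out.sport))
    for row in r.translations():
        print("%-20s -> %s" % row)
```

Note the asymmetry the model makes visible: a static entry answers inbound packets with no prior outbound traffic, whereas a dynamic or PAT entry exists only after an inside host has sent something, so unsolicited inbound packets to the shared address are dropped for lack of a table entry. That is a side effect of the table, not a firewall policy, and should not be relied on as one.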


VPN

  • Virtual Private Network (VPN)

    • A private data network that makes use of the public telecommunication infrastructure (Internet), maintaining privacy through the use of a tunneling protocol and security procedures

      • A VPN is very cost effective compared with dedicated leased lines

    • Traffic is encrypted as it travels across the Internet

    • An administrator must know what traffic flows through the tunnel and where the end points of the tunnel are

    • All traffic on the secure VPN must be encrypted and authenticated

      • Encryption types

        • DES, 3DES, AES (of these only AES is still considered secure; DES and 3DES are deprecated and should not be used for new tunnels)


  • Virtual Private Network (VPN)

    • The security properties (algorithms, key sizes, lifetimes) on all end points of the VPN tunnel must be the same

    • No one outside the VPN tunnel should be able to affect the security properties of the tunnel

    • Split tunneling allows traffic to be sent through the tunnel and outside the tunnel at the same time

      • Very big security concern with split tunneling: the client is attached to the untrusted network and the private network simultaneously, so a compromised client can bridge traffic from one into the other

    • IPsec is used to protect the VPN tunnel

      • Uses ISAKMP (IKE) on UDP port 500 for tunnel setup (UDP port 4500 when NAT traversal is in use)

      • Uses ESP (IP protocol 50) for encryption plus integrity/authentication, and AH (IP protocol 51) for integrity/authentication only; AH does not encrypt

        • Because AH authenticates the IP source and destination addresses, it cannot pass through NAT; ESP can, and behind PAT it must be wrapped in UDP 4500 (NAT-T) so the translator has a port to work with
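
The ESP/AH distinction matters on a page that also covers NAT. The Python below is an added example, not part of the lecture and not an IPsec implementation: it reduces each protocol's integrity check (ICV) to the fields that matter here, uses a made-up SA key and addresses, and runs one protected packet through a one-to-one NAT and through PAT to show why AH fails verification after translation, why raw ESP cannot be port-translated at all, and why NAT-T's UDP 4500 wrapper fixes the latter.

```python
"""Simplified model of why AH (IP protocol 51) cannot cross NAT while ESP
(IP protocol 50) can, and why PAT needs ESP wrapped in UDP 4500 (NAT-T).
Constructed example, not an IPsec implementation: the fields each integrity
check covers are reduced to the ones that matter here, the SA key is a stand-in
and the addresses are made up."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ESP, AH = 50, 51
SA_KEY = b"integrity-key-negotiated-by-IKE"   # assumption: one SA's HMAC key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                     # 50 (ESP) or 51 (AH)
    payload: bytes                 # ESP/AH header plus protected inner packet
    sport: Optional[int] = None    # raw ESP/AH carry no port; NAT-T adds one
    dport: Optional[int] = None
    icv: bytes = b""


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def compute_icv(pkt):
    """AH's ICV covers the immutable outer-IP fields (source and destination
    address among them) plus the payload; ESP's covers only the ESP header,
    payload and trailer.  Truncated to 128 bits like HMAC-SHA-256-128 (RFC 4868)."""
    covered = pkt.payload
    if pkt.proto == AH:
        covered = _packed(pkt.src) + _packed(pkt.dst) + covered
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:16]


def protect(pkt):
    """Sending VPN gateway: attach the ICV."""
    return replace(pkt, icv=compute_icv(pkt))


def verify(pkt):
    """Receiving VPN gateway: recompute and compare in constant time."""
    return hmac.compare_digest(compute_icv(pkt), pkt.icv)


def nat_t_wrap(pkt):
    """NAT-T: ESP is carried inside UDP with both ports 4500 so that PAT has a
    port to translate (on the wire the outer IP protocol becomes 17/UDP)."""
    return replace(pkt, sport=4500, dport=4500)


def one_to_one_nat(pkt, public_ip):
    """Static or dynamic NAT rewrites only the source address."""
    return replace(pkt, src=public_ip)


def pat(pkt, public_ip, new_port):
    """Overload/PAT rewrites source address and source port.  Raw ESP/AH has no
    port, so PAT has nothing to key on and cannot multiplex several inside peers."""
    if pkt.sport is None:
        return None
    return replace(pkt, src=public_ip, sport=new_port)


def outcome(proto, nat_t=False, overload=False):
    """Send one protected packet from an inside host through the NAT gateway and
    verify it at the remote VPN gateway: 'ok', 'icv-failed' or 'untranslatable'."""
    inner = b"\x45\x00\x00\x28" + b"constructed inner packet"   # stand-in for the tunneled IP packet
    pkt = protect(Packet("10.1.1.2", "203.0.113.9", proto, payload=inner))
    if nat_t:
        pkt = nat_t_wrap(pkt)
    translated = pat(pkt, "200.1.1.2", 61000) if overload else one_to_one_nat(pkt, "200.1.1.2")
    if translated is None:
        return "untranslatable"
    return "ok" if verify(translated) else "icv-failed"


if __name__ == "__main__":
    for args in ((ESP,), (AH,), (ESP, False, True), (ESP, True, True)):
        print(args, outcome(*args))
```

The model deliberately ignores the mutable IP fields (TTL, checksum) that AH zeroes before hashing, and ESP's encryption, because neither changes the result: any rewrite of the source address breaks AH, and nothing a translator touches is inside ESP's ICV.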


  • Types of VPN

    • A client-based VPN tunnel handles the connection for only one workstation

      • Usually created from a PC to a VPN gateway (server)

    • A LAN-2-LAN VPN tunnel is built for many clients to use

      • Usually created from one gateway to another gateway; the hosts behind each gateway need no VPN software

    • Understand the design for each type

      • Discussed in class

  • VPN Devices

    • Possible to create a VPN tunnel with any device that supports IPsec

    • Cisco devices

      • IOS router

      • PIX Firewall

      • VPN concentrator
