Networks for the smallest. Part Five ACL and NAT
We continue to develop our small, cozy Lift mi Up network. We have already dealt with routing and stability, and now we have finally grown up enough to connect to the Internet. Enough of being confined within our corporate environment!
But with growth, new problems arise.
First a virus paralyzed the web server, then someone caught a worm that spread through the network and ate part of the bandwidth. And some villain has got into the habit of guessing ssh passwords to the server.
Can you imagine what will begin when we connect to the Internet?!
So, today:
1) we will learn to configure various access control lists (ACLs);
2) we will try to understand the difference between restricting inbound and outbound traffic;
3) we will understand how NAT works, its pros, cons and peculiarities;
4) in practice, we will set up an Internet connection through NAT and tighten network security with access lists.
Access control list
So what is there to say about access lists? In fact, the topic is relatively simple, and anyone who wasn't lazy knows it from the CCNA course. But why should some prejudice spoil our wonderful story?
What is the purpose of access lists? The completely obvious answer would seem to be restricting access: forbidding someone something, for example. In general this is true, but it needs to be understood in a broader sense: it is not only about security. That is probably how it was from the very beginning, hence permit and deny when configuring. But in fact an ACL is a versatile and powerful filtering mechanism. With it you can decide to whom certain policies are applied and to whom not, who takes part in certain processes and who does not, whom we limit in speed to 56k and whom to 56M.
To make it a little clearer, here is a simple example. Policy-Based Routing (PBR) works on top of access lists. With it you can arrange that packets coming from network 192.168.1.0/24 are sent to next-hop 10.0.1.1, and those from network 192.168.2.0/24 to 10.0.2.1 (note that normal routing relies only on the destination address of the packet, so all such packets would automatically go to the same next-hop):

At the end of the article there is an example of setting up PBR and ACL-based rate limiting.
Types of ACL
Okay, let's leave the lyrical digression for a while.
Generally speaking, access lists come in several kinds:
- Standard
- Extended
- Dynamic
- Reflexive
- Time-based
Today we will focus on the first two; you can read more about all of them on Cisco's site.
Inbound and outbound traffic
First, let's settle one thing: what is meant by inbound and outbound traffic? We will need this later. Inbound traffic is the traffic that arrives at the interface from outside.

Outbound traffic is the traffic that is sent out of the interface.

You can apply an access list either to inbound traffic, in which case unwanted packets don't even get into the router and therefore no further into the network, or to outbound traffic, in which case the packets enter the router, are processed by it, reach the destination interface and are only dropped there.
A standard access list checks only the source address. An extended one checks the source address, the destination address and the port. It is recommended to place standard ACLs as close as possible to the destination (so as not to cut off more than necessary), and extended ones as close as possible to the source (so as to drop unwanted traffic as early as possible).
Practice
Let's get straight to practice. What do we need to restrict in our small Lift mi Up network?
a) WEB server. Allow everyone access over TCP port 80 (HTTP). For the device that management will be done from (we have an admin) we need to open telnet and ftp; in fact we will give it full access. Everything else is blocked.
b) File server. Lift mi Up employees should use it via the shared-folder ports, everyone else via FTP.
c) Mail server. SMTP and POP3 run here, that is, TCP ports 25 and 110. We also open access for administration to the administrator. Everyone else is blocked.
d) For the future DNS server, UDP port 53 needs to be opened.
e) Allow ICMP messages to the server network.
f) Since we have the Other network for all outsiders who are not in FEO, VET or Accounting, we restrict all of them and give access only to some (the admin is among them).
g) The management network: again only the admin and, of course, yourself.
h) We will not obstruct communication between employees of the departments.
a) Access to the web server
Our policy here is: everything that is not explicitly allowed is forbidden. So we now need to open something and close everything else.
Since we are protecting the server network, we hang the list on the interface that faces it, that is, on FE0/0.3. The only question is whether we need it in or out. If we don't want packets that are already in the router to reach the servers, then this is outbound traffic. That is, the destination addresses will be in the server network (from them we pick which server the traffic is going to), and the source addresses can be anything, either from our corporate network or from the Internet.
One more note: since we will also filter by destination address (one set of rules for the WEB server, another for the mail server), we need an extended access list; only it allows us to do that.
The rules in an access list are checked in order from top to bottom until the first match. As soon as one of the rules matches, regardless of whether it is a permit or a deny, checking stops and the traffic is handled according to the rule that matched.
That is, if we want to protect the WEB server, then first of all we need to grant permission, because if we put deny ip any any on the first line, it will always match and traffic will not flow at all. any is a special word that stands for network address 0.0.0.0 with wildcard mask 255.255.255.255 and means that absolutely all hosts from any network fall under the rule. Another special word is host: it stands for mask 255.255.255.255 (wildcard 0.0.0.0), that is, exactly one specified address.
So, the first rule: allow everyone access on port 80
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# remark WEB
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.2 eq 80
Allow (permit) TCP traffic from any host (any) to the host (host means exactly one address) 172.16.0.2, addressed to port 80.
We try to hang this access list on interface FE0/0.3:
msk-arbat-gw1(config)# int fa0/0.3
msk-arbat-gw1(config-subif)# ip access-group Servers-out out
We check from any of our connected computers:

As you can see, the page opens, but what about ping?

And what about from any other host?
The thing is, after all the rules in Cisco ACLs an implicit deny ip any any is added at the end. What does this mean for us? Any packet leaving the interface that does not match any rule in the ACL falls under the implicit deny and is discarded. So neither ping, nor ftp, nor anything else will work here.
Let's go further: we must give full access to the computer from which management will be performed. This will be our admin's computer with address 172.16.6.66 from the Other network.
Each new rule is automatically appended to the end of the list if the list already exists:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
msk-arbat-gw1(config-ext-nacl)# permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
That's all. We check from the right host (since the servers in Packet Tracer (PT) do not support telnet, we check FTP):

That is, the FTP packet arrived at the router and should leave through interface FE0/0.3. The router checks it, sees that the packet matches the rule we added, and passes it.
And from an outside host,

the FTP packet does not match any rule except the implicit deny ip any any and is discarded.
b) Access to the file server
Here we first need to decide who counts as a "resident" who should be given access. Of course, these are those who have an address from the network 172.16.0.0/16; only they get access.
Now the shared folders. Most modern systems already use the SMB protocol for this, which needs TCP port 445. Older versions used NetBIOS, which worked over three ports: UDP 137 and 138 and TCP 139. Having agreed with our admin, we will configure port 445 (though checking it in Packet Tracer, of course, will not work). But besides this, we will need the FTP ports, 20 and 21, and not only for internal hosts but also for connections from the Internet:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.3 range 20 21
Here we again used the range 20 21 construct, in order to specify several ports on one line. For FTP, generally speaking, port 21 alone is not enough: if you open only it, you will be able to log in, but there will be no file transfer.
0.0.255.255 is a wildcard (inverse) mask. We will talk about what it is a little later.
c) Access to the mail server
We continue practising, now with the mail server. Within the same access list we add the new entries we need.
Instead of port numbers, for widespread protocols you can specify their names:
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq pop3
msk-arbat-gw1(config-ext-nacl)# permit tcp any host 172.16.0.4 eq smtp
d) DNS server
msk-arbat-gw1(config)# ip access-list extended Servers-out
msk-arbat-gw1(config-ext-nacl)# permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53
e) ICMP
It remains to fix the situation with ping. Adding the rules to the end of the list would be fine, but it is somehow more pleasing to see them first.
We use a simple trick for this: a text editor, for example. Copy the ACL section from show run and bring it to the following form:
no ip access-list extended Servers-out
ip access-list extended Servers-out
permit icmp any any
remark WEB
permit tcp any host 172.16.0.2 eq www
permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
remark FILE
permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
permit tcp any host 172.16.0.3 range 20 21
remark MAIL
permit tcp any host 172.16.0.4 eq pop3
permit tcp any host 172.16.0.4 eq smtp
remark DNS
permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53
With the first line we delete the existing list, then we create it again and list all the rules in the order we need. With the command on the third line we allowed all ICMP packets from any hosts to any hosts.
Next, just copy everything in bulk and paste it into the console. The interface interprets each line as a separate command and executes it. Thus, we replaced the old list with the new one.
Check that ping works:

Fine.
This trick is good for initial configuration, or when you understand exactly what you are doing. On a production network, when configuring an ACL remotely, you risk being left without access to the device you are configuring.
To insert a rule at the beginning, or at any other desired place, you can resort to this technique:
ip access-list extended Servers-out
1 permit icmp any any
Each rule in the list is numbered with a certain step, and if you put a number before the word permit/deny, the rule is added not at the end but at the place you need. Unfortunately, this feature does not work in PT.
If it is suddenly necessary (all the consecutive numbers between the rules are taken), you can always renumber the rules (in this example the first rule is assigned the number 10 and the increment is 10):
ip access-list resequence Servers-out 10 10
As a result, the access list on the server network will look like this:
ip access-list extended Servers-out
permit icmp any any
remark WEB
permit tcp any host 172.16.0.2 eq www
permit tcp host 172.16.6.66 host 172.16.0.2 range 20 ftp
permit tcp host 172.16.6.66 host 172.16.0.2 eq telnet
remark FILE
permit tcp 172.16.0.0 0.0.255.255 host 172.16.0.3 eq 445
permit tcp any host 172.16.0.3 range 20 21
remark MAIL
permit tcp any host 172.16.0.4 eq pop3
permit tcp any host 172.16.0.4 eq smtp
remark DNS
permit udp 172.16.0.0 0.0.255.255 host 172.16.0.5 eq 53
Now our admin has access only to the WEB server. Give him full access to the entire network. This is the first homework.
f) Rights of users from the Other network
Until now we had to keep people out, so we looked at the destination address and hung the access list on the traffic leaving the interface.
Now we need to keep them in: no requests from computers in the Other network should get out. Except, of course, those we explicitly allow.
msk-arbat-gw1(config)# ip access-list extended Other-in
msk-arbat-gw1(config-ext-nacl)# remark IAM
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)# remark ADMIN
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 any
Here we could not first deny everyone and then allow the chosen ones, because absolutely all packets would match the deny ip any any rule and the permit would never be reached.
Apply it to the interface, this time inbound:
msk-arbat-gw1(config)# int fa0/0.104
msk-arbat-gw1(config-subif)# ip access-group Other-in in
That is, all IP packets from the host with address 172.16.6.61 or 172.16.6.66 are allowed through wherever they are headed. Why do we use an extended access list here too? After all, it seems we check only the source address. Because we gave the administrator full access, while a guest of the Lift mi Up company, for example, who ends up in the same network, has absolutely no business accessing anything other than the Internet.
g) Management network
Nothing complicated. The rules look like this:
msk-arbat-gw1(config)# ip access-list extended Management-out
msk-arbat-gw1(config-ext-nacl)# remark IAM
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.61 172.16.1.0 0.0.0.255
msk-arbat-gw1(config-ext-nacl)# remark ADMIN
msk-arbat-gw1(config-ext-nacl)# permit ip host 172.16.6.66 172.16.1.0 0.0.0.255
We apply this ACL outbound on interface FE0/0.2:
msk-arbat-gw1(config)# int fa0/0.2
msk-arbat-gw1(config-subif)# ip access-group Management-out out
h) No more restrictions
Done.
Mask and wildcard mask
Until now, without explanation, we have been giving a strange parameter of the form 0.0.255.255 that suspiciously resembles a subnet mask.
It is a little hard to grasp, but it is exactly this, the inverse (wildcard) mask, that determines which hosts fall under a rule.
To understand what a wildcard mask is, you need to know what a regular mask is.
Let's start with the simplest example.
An ordinary network with 256 addresses: 172.16.5.0/24, for example. What does this entry mean?
It means exactly the following:
| IP address, decimal | 172 | 16 | 5 | 0 |
| IP address, binary | 10101100 | 00010000 | 00000101 | 00000000 |
| Subnet mask, binary | 11111111 | 11111111 | 11111111 | 00000000 |
| Subnet mask, decimal | 255 | 255 | 255 | 0 |
An IP address is a 32-bit value divided into 4 parts, which you are used to seeing in decimal form.
The subnet mask is also 32 bits long. It is essentially a template, a stencil, that defines which part of the address identifies the subnet. Where there are ones in the mask, the value cannot change; that is, the part 172.16.5 is completely fixed and will be the same for all hosts in this subnet, while the part under the zeros varies.
So in our example 172.16.5.0/24 is the network address, and the hosts will be 172.16.5.1 to 172.16.5.254 (the last one, 255, is the broadcast), because 00000001 is 1 and 11111110 is 254 (we are talking about the last octet of the address). /24 means that the mask is 24 bits long, that is, we have 24 ones, the fixed part, and 8 zeros.
Another case: the mask is, for example, 30 bits rather than 24.
For example, 172.16.2.4/30. We write it like this:
| IP address, decimal | 172 | 16 | 2 | 4 |
| IP address, binary | 10101100 | 00010000 | 00000010 | 00000100 |
| Subnet mask, binary | 11111111 | 11111111 | 11111111 | 11111100 |
| Subnet mask, decimal | 255 | 255 | 255 | 252 |
As you can see, only the last two bits can vary in this subnet. The last octet can take the following 4 values:
00000100 - subnet address (4 in decimal)
00000101 - host address (5)
00000110 - host address (6)
00000111 - broadcast (7)
Everything outside this is another subnet.
So now it should be a little clearer that the subnet mask is a sequence of 32 bits, where first come the ones that denote the subnet address, then the zeros that denote the host address. Zeros and ones in a mask cannot alternate; that is, a mask like 11111111.11100000.11110111.00000000 is impossible.
But what is the inverse mask (wildcard)?
For the vast majority of admins and some engineers it is nothing more than the inversion of a regular mask. That is, now zeros mark the part of the address that must match exactly, and ones, on the contrary, mark the free part.
That is, in the first example we took, if you want to filter all hosts from the 172.16.5.0/24 subnet, then you will set the rule in the Access list:
.... 172.16.5.0 0.0.0.255
Because the inverse mask will look like this:
00000000.00000000.00000000.11111111
In the second example, with network 172.16.2.4/30, the wildcard mask will look like this: 30 zeros and two ones:
| Wildcard mask, binary | 00000000 | 00000000 | 00000000 | 00000011 |
| Wildcard mask, decimal | 0 | 0 | 0 | 3 |
Accordingly, the parameter in the access list will look like this:
.... 172.16.2.4 0.0.0.3
Later, once you have cut your teeth on calculating masks and wildcard masks, you will remember the most used numbers and the number of hosts for each mask, and you will notice that in the situations described the last octet of the wildcard mask is obtained by subtracting the last octet of the regular mask from 255 (255 - 252 = 3), and so on. In the meantime, you need to work hard and count.
But in fact the wildcard mask is a somewhat richer tool: with it you can combine addresses within one subnet or even combine subnets, but the most important difference is that zeros and ones may alternate. This allows you, for example, to filter a specific host (or group) across several subnets in a single line.
Example 1
Given: network 172.16.16.0/24
Required: filter the first 64 addresses (172.16.16.0-172.16.16.63)
Solution: 172.16.16.0 0.0.0.63
Example 2
Given: networks 172.16.16.0/24 and 172.16.17.0/24
Required: filter the addresses of both networks
Solution: 172.16.16.0 0.0.1.255
Example 3
Given: networks 172.16.0.0-172.16.255.0
Required: filter the host with address 4 from all subnets
Solution: 172.16.0.4 0.0.255.0
To be honest, I have never come across the last scenario in my life. Those would have to be some terribly specific tasks.
You can read more about wildcard masks here: http://habrahabr.ru/post/131712/
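To check the three examples (and the 255 - octet rule) mechanically rather than by hand, here are a few helper functions added to this article; they are not code from the original post, and the function names are my own. They expand an address/wildcard pair into the full list of addresses it matches, derive a wildcard from a prefix length, and test whether a mask is a valid contiguous subnet mask, which a wildcard need not be.

```python
"""Wildcard (inverse) mask helpers, added as an illustration; not code from the
article. Expand an address/wildcard pair into the addresses it matches, derive
the wildcard from a prefix length, and check mask contiguity."""
import ipaddress
from typing import List

def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def int_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def mask_for_prefix(prefix_len: int) -> str:
    """/24 -> 255.255.255.0: the leading prefix_len bits are ones."""
    return int_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)

def wildcard_for_mask(mask: str) -> str:
    """Invert the mask; per octet this is the 255 - octet rule from the text."""
    return int_ip(ip_int(mask) ^ 0xFFFFFFFF)

def wildcard_for_prefix(prefix_len: int) -> str:
    return wildcard_for_mask(mask_for_prefix(prefix_len))

def is_contiguous_mask(mask: str) -> bool:
    """A subnet mask must be ones followed by zeros; wildcards need not be."""
    inv = ip_int(mask) ^ 0xFFFFFFFF        # trailing zeros become a block of ones
    return inv & (inv + 1) == 0            # true only for values of the form 2**k - 1

def hosts(spec: str) -> List[str]:
    """Expand 'A.B.C.D W.X.Y.Z' into every address it matches, in numeric order."""
    base_s, wc_s = spec.split()
    base, wc = ip_int(base_s), ip_int(wc_s)
    free = [b for b in range(32) if wc >> b & 1]   # bit positions that may vary
    fixed = base & ~wc & 0xFFFFFFFF                  # bits that must match
    out = []
    for k in range(1 << len(free)):                  # every combination of free bits
        addr = fixed
        for j, bit in enumerate(free):
            if k >> j & 1:
                addr |= 1 << bit
        out.append(addr)
    return [int_ip(a) for a in sorted(out)]

def count_matches(spec: str) -> int:
    """2 ** (number of one bits in the wildcard), without expanding the list."""
    return 1 << bin(ip_int(spec.split()[1])).count("1")
```

hosts("172.16.2.4 0.0.0.3") returns exactly the four addresses of the /30 worked out above; the three examples expand to 64, 512 and 256 addresses respectively, and the third list contains only addresses ending in .4. The mask 255.224.247.0 (the "impossible" 11111111.11100000.11110111.00000000) fails is_contiguous_mask, while the same bit pattern is a perfectly usable wildcard for hosts().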
ACL in action, in pictures
A hypothetical network:

1) On router RT1, on interface FE0/1, everything is allowed in except ICMP.

2) On router RT2, on interface FE0/1, SSH and TELNET are not allowed out.

Tests (clickable):
1) Ping from PC1 to Server1 2) TELNET from PC1 to Server1 3) SSH from PC1 to Server2 4) Ping from Server2 to PC1




Additions
1) Rules applied to outbound traffic (out) do not filter traffic generated by the device itself. That is, if you need to prevent the Cisco itself from reaching somewhere, you have to filter the inbound traffic on the interface (the replies coming back from where you are blocking access).
2) You need to be careful with ACLs. A small mistake in a rule, the wrong order of configuration steps, or a generally poorly thought-out list, and you can be left without access to the device.
For example, you want to block access everywhere for the 172.16.6.0/24 network, except for your own address 172.16.6.61, and you write the rules like this:
deny ip 172.16.6.0 0.0.0.255 any
permit ip host 172.16.6.61 any
As soon as you apply the ACL to the interface, you immediately lose access to the router, because you match the first rule and the second is never checked.
The second unpleasant situation that can happen to you: traffic that should not have fallen under the ACL.
Imagine this: in our server room we have an FTP server in passive mode. To access it, you opened port 21 in the Servers-out ACL. After the initial connection is established, the FTP server tells the client the port on which it is ready to send/receive files, say 1523. The client tries to establish a TCP connection to that port, but runs into the Servers-out ACL, where there is no such permission, and that is the end of the tale of a successful transfer. In our example above, where we configured access to the file server, we opened only ports 20 and 21, because that is enough for an example. In real life you will have to tinker. A few examples of ACL configuration for common cases.
3) A very similar and interesting problem follows from point 2.
Suppose you decided to hang an ACL like this on the Internet-facing interface:
access-list in permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
access-list in permit tcp host 2.2.2.2 any eq 80
It would seem: host 1.1.1.1 is allowed access to port 80 on server 2.2.2.2 (the first rule), and connections back from server 2.2.2.2 are allowed in.
But the nuance is that computer 1.1.1.1 connects to port 80 from some other port, say 1054, so the response packet from the server is addressed to socket 1.1.1.1:1054, does not match the rule in the inbound ACL and is discarded by the implicit deny ip any any.
To avoid this situation without opening a whole bunch of ports, you can resort to this trick in the inbound ACL:
permit tcp host 2.2.2.2 any established
Details of this solution are in one of the following articles.
4) Speaking of the modern world, one cannot pass by such a tool as object groups (object-group).
Let's say we need to create an ACL that lets three specific addresses out to the Internet on three identical ports, with the prospect of the number of addresses and ports growing. Here is how it looks without knowing about object groups:
ip access-list extended TO-INTERNET
permit tcp host 172.16.6.66 any eq 80
permit tcp host 172.16.6.66 any eq 8080
permit tcp host 172.16.6.66 any eq 443
permit tcp host 172.16.6.67 any eq 80
permit tcp host 172.16.6.67 any eq 8080
permit tcp host 172.16.6.68 any eq 80
permit tcp host 172.16.6.68 any eq 8080
permit tcp host 172.16.6.68 any eq 443
As the number of parameters increases, it becomes harder and harder to maintain such an ACL; it is easy to make a mistake when configuring.
But if we turn to the object groups, then it takes the following form:
object-group service INET-PORTS
description Ports allowed for some hosts
tcp eq www
tcp eq 8080
tcp eq 443
object-group network HOSTS-TO-INET
description Hosts allowed to browse the net
host 172.16.6.66
host 172.16.6.67
host 172.16.6.68
ip access-list extended INET-OUT
permit object-group INET-PORTS object-group HOSTS-TO-INET any
At first glance it looks somewhat menacing, but once you look closely it is very convenient.
5) Very useful information for troubleshooting can be obtained from the output of the command show ip access-lists <ACL name>. Besides the actual list of rules of the specified ACL, this command shows the number of matches for each rule.
msk-arbat-gw1# sh ip access-lists nat-inet
Extended IP access list nat-inet
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
permit ip host 172.16.4.123 any
permit ip host 172.16.6.61 any
permit ip host 172.16.6.66 any (4 match(es))
permit ip host 172.16.16.222 any
permit ip host 172.16.17.222 any
permit ip host 172.16.24.222 any
And by adding log at the end of any rule, we can get a message on the console about every match (the latter does not work in PT).
NAT
Network Address Translation: a mechanism that has been absolutely indispensable since 1994. Many sessions have been broken and many packets lost because of it.
It is most often needed to connect your local network to the Internet. The thing is, in theory there are 255 * 255 * 255 * 255 = 4,228,250,625 addresses, about 4 billion. Even if every inhabitant of the planet had only one computer, there would not be enough addresses. And nowadays everything short of the iron is connected to the Internet. Smart people realized this back in the early 90s and, as a temporary solution, proposed dividing the address space into public (white) and private (grey).
The latter include three ranges:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
You can freely use them in your private network, and therefore, of course, they will be repeated. What about uniqueness? Whom should the WEB server answer when it receives a request with the return address 192.168.1.1? Rostelecom? Tatneft? Or your home D-Link? On the big Internet nobody knows anything about private networks; they are not routed.
Then NAT enters the scene. By and large, it is a hoax, a substitution. Roughly speaking, your private address is simply replaced on the device with a white address, which is what will then appear in the packet while it travels to the WEB server. White addresses are routed perfectly well, and the packet will definitely come back to the device that did the substitution.
But how does that device in turn understand what to do with it next? We will deal with that.
NAT Types
Static
In this case one internal address is translated to one external address. And at the same time, all requests arriving at the external address are translated to the internal one. It is as if this host were the owner of this white IP address.
It is configured with the following command:
Router(config)# ip nat inside source static 172.16.6.5 198.51.100.2
What is happening:
1) Host 172.16.6.5 accesses the WEB server. It sends an IP packet where the destination address is 192.0.2.2 and the source is 172.16.6.5.

2) On the corporate network the packet is delivered to the gateway 172.16.6.1, where NAT is configured.

3) According to the configured command, the router removes the current IP header and replaces it with a new one, where the white address 198.51.100.2 now appears as the source address.


4) On the Internet, the updated packet reaches server 192.0.2.2.

5) It sees that the reply must be sent to 198.51.100.2 and prepares the response IP packet. The source address is the server's real address 192.0.2.2, the destination address is 198.51.100.2.


6) The packet flies back across the Internet, and not necessarily by the same path.
7) On the NAT device it is configured that all requests to address 198.51.100.2 must be redirected to 172.16.6.5. The router again extracts the TCP segment hidden inside and puts on a new IP header (the source address does not change, the destination address becomes 172.16.6.5).


8) On the internal network the packet is returned to the initiator, which is not even aware of the miracles that happened to it at the border.
And so it goes with every packet.
Moreover, if a connection is initiated from the Internet, the packets automatically reach the internal host when passing through the NAT device.
This approach is useful when you have a server inside your network that needs full access from outside. Of course, you cannot use this option if you want to let three hundred hosts out to the Internet through one address. This NAT variant does not help you save white IP addresses, but it can be useful nonetheless.
Dynamic
You have a pool of white addresses; for example, the provider allocated you the network 198.51.100.0/28 with 16 addresses. Two of them (the first and the last) are the network and broadcast addresses, two more are assigned to the equipment to provide routing. The remaining 12 addresses you can use for NAT and let your users out through them.
The situation is similar to static NAT: one private address is translated to one external address, but now the external one is not rigidly fixed; it is chosen dynamically from the specified range.
It is configured as follows:
Router(config)# ip nat pool lol_pool 198.51.100.3 198.51.100.14 netmask 255.255.255.240
We define the pool (range) of public addresses from which an address for translation will be chosen; the netmask keyword, which IOS requires, tells it which network the pool belongs to (here the provider's /28).
Router(config)# access-list 100 permit ip 172.16.6.0 0.0.0.255 any
We define an access list that passes all packets with a source address of 172.16.6.x, where x varies from 0 to 255.
Router(config)# ip nat inside source list 100 pool lol_pool
With this command we tie the created ACL and the pool together.
This option is not universal either: you still will not be able to let your 300 users out to the Internet if you do not have 300 external addresses. Once the white addresses are exhausted, no new user will be able to reach the Internet. At the same time, the users who already managed to grab an external address will keep working. The command clear ip nat translation * will drop all current translations and free the external addresses.
Besides the dynamic allocation of external addresses, this dynamic NAT differs from static NAT in that without a separate port-forwarding configuration it is no longer possible to connect from outside to one of the pool addresses.
Many-to-one
The next type has several names: NAT Overload, Port Address Translation (PAT), IP Masquerading, Many-to-One NAT.
The last name speaks for itself: many private addresses go out into the world through one external address. This solves the problem of the shortage of external addresses and lets everyone out.
Here an explanation of how this works is needed. How two private addresses are translated into one is easy to imagine, but how does the router understand to whom it should forward a packet that came back from the Internet to this address?
It is very simple:
Suppose packets from two hosts in the internal network arrive at the NAT device, both with a request to the web server 192.0.2.2.
The data from the hosts looks like this:
| Sender address | Sender Port | Address of the recipient | Recipient Port |
| 172.16.6.5 | 23761 | 192.0.2.2 | 80 |
| 172.16.4.5 | 39800 | 192.0.2.2 | 80 |
The router unpacks the IP packet from the first host, extracts the TCP segment, opens it and finds out from which port the connection is being established. It has an external address, 198.51.100.2, which the address from the internal network will be changed to.
Then it picks a free port, for example 11874. And what does it do next? It packs all the application-level data into a new TCP segment, where the destination port is still 80 (the WEB server is waiting for connections on it) and the source port changes from 23761 to 11874. This TCP segment is encapsulated in a new IP packet, where the source IP address changes from 172.16.6.5 to 198.51.100.2.
The same happens with the packet from the second host, only the next free port is chosen, for example 11875. "Free" means not yet occupied by another such connection.
The data sent out to the Internet will now look like this:
| Sender address | Sender Port | Address of the recipient | Recipient Port |
| 198.51.100.2 | 11874 | 192.0.2.2 | 80 |
| 198.51.100.2 | 11875 | 192.0.2.2 | 80 |
In its NAT table the router records the sender and recipient data:
| Local sender address | Local port of sender | Global sender address | Global Sender Port | Address of the recipient | Recipient Port |
| 172.16.6.5 | 23761 | 198.51.100.2 | 11874 | 192.0.2.2 | 80 |
| 172.16.4.5 | 39800 | 198.51.100.2 | 11875 | 192.0.2.2 | 80 |
For the web server these are two completely different requests, which it must process individually. After that it sends responses that look like this:
| Sender address | Sender Port | Address of the recipient | Recipient Port |
| 192.0.2.2 | 80 | 198.51.100.2 | 11874 |
| 192.0.2.2 | 80 | 198.51.100.2 | 11875 |
When one of these packets reaches our router, it compares the data in the packet with the entries in its NAT table. If a match is found, the reverse procedure takes place: the packet and the TCP segment get their original parameters back, only now as the destination:
| Sender address | Sender Port | Address of the recipient | Recipient Port |
| 192.0.2.2 | 80 | 172.16.6.5 | 23761 |
| 192.0.2.2 | 80 | 172.16.4.5 | 39800 |
And now the packets are delivered over the internal network to the initiating computers, which have no idea that somewhere at the border their data was treated so roughly.
Each of your requests is a separate connection. Say you tried to open a web page; that is HTTP, which uses port 80. For this your computer must establish a TCP session with the remote server. Such a session (TCP or UDP) is defined by two sockets: local IP address:local port and remote IP address:remote port. Normally you would establish one computer-to-server connection, but with NAT there are actually two: router-to-server, while the computer thinks it has a computer-to-server session.
The configuration differs only slightly, by the added word overload:
Router(config)#access-list 101 permit 172.16.4.0 0.0.0.255
Router(config)#ip nat inside source list 101 interface fa0/1 overload
At the same time, of course, you can still configure an address pool:
Router(config)#ip nat pool lol_pool 198.51.100.2 198.51.103.14
Router(config)#access-list 100 permit 172.16.6.0 0.0.0.255
Router(config)#ip nat inside source list 100 pool lol_pool overload
Port forwarding
It is also called port forwarding or port mapping.
When we first started talking about NAT, we had one-to-one translation, and all requests coming from outside were automatically redirected to the internal host. That way a server could be published on the Internet.
But what if you cannot do that: you are short of public (white) addresses, or you do not want to expose the host with its entire set of ports?
You can specify that all requests arriving at a specific white address and a specific port on the router are redirected to the desired port of the desired internal address.
Router(config)#ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80 extendable
This command means that a TCP request that came from the Internet to address 198.51.100.2 on port 80 will be redirected to the internal address 172.16.0.2 on the same port 80. Of course, you can forward UDP as well, and redirect from one port to another. This is useful, for example, if you have two computers that need external RDP access. RDP uses port 3389. You cannot forward the same port to different hosts (when using the same external address). So you can do this:
Router(config)#ip nat inside source static tcp 172.16.6.61 3389 198.51.100.2 3389
Router(config)#ip nat inside source static tcp 172.16.6.66 3389 198.51.100.2 3398
Then, to reach computer 172.16.6.61 you start an RDP session to 198.51.100.2:3389, and for 172.16.6.66 to 198.51.100.2:3398. The router itself delivers everything where it needs to go.
By the way, this command is a special case of the very first one: ip nat inside source static 172.16.6.66 198.51.100.2. Only in that case we are talking about forwarding all traffic, and in our examples, specific TCP ports.
This is how NAT works in general. Many articles have been written about its features, pros and cons, but we cannot leave them unmentioned.
Weaknesses and Strengths of NAT
+ (pros)
- First of all, NAT lets you save public IP addresses. That is what it was created for. Through one address you can theoretically let out more than 65,000 private (gray) addresses (by the number of ports).
- Secondly, PAT and dynamic NAT are, to some extent, a firewall, preventing external connections from reaching end computers that may have no firewall or antivirus of their own. If a packet arrives at the device from outside and it is not expected or not permitted, it is simply dropped.
For a packet to be let through and processed, the following must hold:
1) the NAT table has an entry for this external address, which appears as the sender address in the packet,
AND
2) the sender port in the packet matches the port for this white address in the entry,
AND
3) the destination port in the packet matches the port in the entry;
OR
port forwarding is configured.
But do not treat NAT as a firewall: this is nothing more than a side benefit.
- Thirdly, NAT hides the internal structure of your network from prying eyes: when tracing a route from outside you will not see anything beyond the translating device.
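To make the PAT walk-through above and the acceptance conditions under the second plus concrete, here is an added Python model of the translating device (example code, not from the article or the lab files): it replays the two web requests, builds the NAT table with global ports 11874 and 11875, maps the replies back, drops a stray packet that hits the same global port from a different sender, and passes an external client through the RDP forwards from the port-forwarding section. The stray sender 192.0.2.9 and the external client 203.0.113.5 are constructed values.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "198.51.100.2"  # the router's outside address in the article


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PatRouter:
    """Minimal model of NAT overload (PAT) plus static port forwards."""
    public_ip: str = PUBLIC_IP
    next_port: int = 11874  # first "free" global port, as in the article
    # static forwards: global port -> (inside host, inside port)
    forwards: dict = field(default_factory=dict)
    # dynamic table: (local ip, local port, remote ip, remote port) -> global port
    table: dict = field(default_factory=dict)

    def free_port(self):
        """'Free' = not used by another translation and not a forwarded port."""
        port = self.next_port
        while port in self.forwards or port in self.table.values():
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, pkt):
        """Inside -> outside: rewrite source IP and port, remember the mapping."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.free_port()
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.forwards:  # port forwarding: accepted from anyone
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        # dynamic entry: remote IP AND remote port AND global port must all match
        for (lip, lport, rip, rport), gport in self.table.items():
            if (rip, rport, gport) == (pkt.src, pkt.sport, pkt.dport):
                return Packet(pkt.src, pkt.sport, lip, lport)
        return None  # unsolicited: no table entry, so it is discarded


def demo():
    """Replays the article's two web requests and the two RDP forwards."""
    r = PatRouter(forwards={3389: ("172.16.6.61", 3389), 3398: ("172.16.6.66", 3389)})
    out1 = r.outbound(Packet("172.16.6.5", 23761, "192.0.2.2", 80))
    out2 = r.outbound(Packet("172.16.4.5", 39800, "192.0.2.2", 80))
    reply1 = r.inbound(Packet("192.0.2.2", 80, PUBLIC_IP, out1.sport))
    # same global port but a different sender (constructed): no match, dropped
    stray = r.inbound(Packet("192.0.2.9", 80, PUBLIC_IP, out1.sport))
    # constructed external client connecting to the forwarded RDP port 3398
    rdp = r.inbound(Packet("203.0.113.5", 50000, PUBLIC_IP, 3398))
    return out1, out2, reply1, stray, rdp
```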
- (cons)
NAT also has drawbacks. The most tangible are probably these:
- Some protocols cannot work through NAT without workarounds, for example FTP or tunneling protocols (even though I just set up FTP in the lab, in real life it can cause a heap of problems).
- Another problem is the large number of requests from one address to one server. Many have seen this when you go to some Rapidshare and it says there is already a connection from your IP; you think it is lying, the dog, while in fact your neighbor is already downloading. For the same reason there were problems with ICQ, when the server refused registration.
- A problem that is not very relevant now: CPU and RAM load. Since the amount of work is quite large compared to plain routing (you need not just look at the IP header but strip it, strip the TCP header, look up the table and put on new headers), small offices run into this.
I came across such a situation.
One of the possible solutions is to transfer the NAT function to a separate PC or to a specialized device, for example, Cisco ASA.
For large players with routers carrying 3-4 BGP full views this is no longer a problem.
What else do you need to know?
- NAT is used mainly to give Internet access to hosts with private addresses. But there is another use: connecting two private networks with overlapping address spaces.
For example, your company buys a branch in Aktyubinsk. Your addressing is 10.0.0.0-10.1.255.255 and theirs is 10.1.1.0-10.1.10.255. The ranges obviously overlap, and you cannot set up routing at all, because the same address may exist both in Aktyubinsk and at your headquarters.
In this case NAT is configured at the junction. Since we are not short of private addresses, we can pick, for example, the range 10.2.1.0-10.2.10.255 and do one-to-one translation:
10.1.1.1-10.2.1.1
10.1.1.2-10.2.1.2
...
10.1.10.255-10.2.10.255
- On big carrier-class boxes NAT can be (and often is) implemented on a separate board, and without it NAT will not work. On office hardware, on the contrary, it is almost always present.
- With the widespread adoption of IPv6 the need for NAT will fade away. Large customers are already starting to take an interest in NAT64 functionality: this is when you reach the world over IPv4 while the internal network is already on IPv6.
- Of course, this is only a superficial look at NAT; there is still a sea of nuances, and self-education will help you not to drown in it.
NAT practice
What does reality require of us?
1) The management network has no Internet access at all
2) Hosts from the PTO network have access only to specialized sites, for example linkmeup.ru
3) The dear ladies from accounting need a window to the client-bank sites.
4) FEO gets no access anywhere, except for the financial director
5) On the Other network, our computer and the administrator's computer get full Internet access. All others can be opened upon written request.
6) Do not forget about the branches in St. Petersburg and Kemerovo. For simplicity, we will configure full access for the eniks (helpdesk staff) from these subnets.
7) Servers are a separate story. For them we will configure port forwarding. All we need:
a) The web server must be accessible on port 80
b) The mail server on ports 25 and 110
c) The file server is accessible from the world via FTP.
8) The admin's computer and ours should be accessible from the Internet via RDP. Strictly speaking this is the wrong way: for remote access you should use a VPN connection and use RDP while already on the local network, but that is the topic of a separate, completely different article.
First, we will prepare the test bench:
The Internet connection will be organized through the existing link that the provider gives us.
It goes to the provider's network. We remind you that everything in this cloud is an abstract network, which in reality may consist of dozens of routers and hundreds of switches. But we need something manageable and predictable, so we put another router here. On one side it has a link from the switch, on the other, servers on the Internet.
We will need the following servers:
1. Two client banks for the accountants (sperbank.ru, mmm-bank.ru)
2. linkmeup.ru for the PTO staff
3. Yandex (yandex.ru)

For this connection we bring up another VLAN on msk-arbat-gw1. Its number is, of course, agreed with the provider. Let it be VLAN 6.
Suppose the provider gives us the subnet 198.51.100.0/28. The first two addresses are used for the link (198.51.100.1 and 198.51.100.2), and we use the remaining addresses as the NAT pool. However, nothing stops us from using the address 198.51.100.2 in the pool as well. So let's do that: pool 198.51.100.2-198.51.100.14.
For simplicity, suppose our public servers are all in one subnet: 192.0.2.0/24.
You already know perfectly well how to configure the link and addresses.
Since we have only one router in the provider's network, and all networks are connected directly to it, there is no need to configure routing.
But our msk-arbat-gw1 should know where to send packets to the Internet, so we need a default route:
msk-arbat-gw1(config)#ip route 0.0.0.0 0.0.0.0 198.51.100.1
Now, in order.
First, configure the address pool:
msk-arbat-gw1(config)#ip nat pool main_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240
Now assemble the ACL:
msk-arbat-gw1(config)#ip access-list extended nat-inet
1) Management network
It has no Internet access at all.
Done.
2) Hosts from the PTO network
They have access only to specialized sites, for example linkmeup.ru
msk-arbat-gw1(config-ext-nacl)#permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq 80
3) Accounting
We give access to all hosts on both servers
msk-arbat-gw1(config-ext-nacl)#permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
msk-arbat-gw1(config-ext-nacl)#permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
4) FEO
We give permission only to the CFO; this is a single host.
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.4.123 any
5) Other
Our computers, with full access
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.6.61 any
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.6.66 any
6) Branches in St. Petersburg and Kemerovo
Let the eniks' addresses be the same in each branch: 172.16.x.222
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.16.222 any
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.17.222 any
msk-arbat-gw1(config-ext-nacl)#permit ip host 172.16.24.222 any
This is how the complete ACL now looks:
ip access-list extended nat-inet
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
remark FEO
permit ip host 172.16.4.123 any
remark IAM
permit ip host 172.16.6.61 any
remark ADMIN
permit ip host 172.16.6.66 any
remark SPB_VSL_ISLAND
permit ip host 172.16.16.222 any
remark SPB_OZERKI
permit ip host 172.16.17.222 any
remark KMR
permit ip host 172.16.24.222 any
Apply it:
msk-arbat-gw1(config)#ip nat inside source list nat-inet pool main_pool overload
But happiness will not be complete without configuring the interfaces:
On the external interface you need to give the command ip nat outside
On the internal ones: ip nat inside
msk-arbat-gw1(config)#int fa0/0.101
msk-arbat-gw1(config-subif)#ip nat inside
msk-arbat-gw1(config)#int fa0/0.102
msk-arbat-gw1(config-subif)#ip nat inside
msk-arbat-gw1(config)#int fa0/0.103
msk-arbat-gw1(config-subif)#ip nat inside
msk-arbat-gw1(config)#int fa0/0.104
msk-arbat-gw1(config-subif)#ip nat inside
msk-arbat-gw1(config)#int fa0/1.6
msk-arbat-gw1(config-subif)#ip nat outside
This lets the router know where to expect packets to be processed and where to send them afterwards.
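As an added example (not from the article or the lab files), here is a Python evaluator for the nat-inet ACL above: wildcard_match implements the reverse (wildcard) mask, and evaluate walks the entries in order with first match wins and the implicit deny at the end, which is exactly how the router decides which packets are handed to NAT. The sample sources 172.16.3.10, 172.16.5.7 and 172.16.4.5 and the destination 203.0.113.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (reverse) mask: a 1 bit means 'don't care', 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry of an extended ACL; dport None means any port."""
    proto: str        # "ip" matches every protocol, otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def host(ip: str):
    return ip, "0.0.0.0"          # "host X" is X with an all-zero wildcard


ANY = ("0.0.0.0", "255.255.255.255")  # "any": every bit is don't-care

# The article's nat-inet ACL, entry by entry (same order as on the router)
NAT_INET = [
    Ace("tcp", "172.16.3.0", "0.0.0.255", *host("192.0.2.2"), 80),  # PTO
    Ace("ip", "172.16.5.0", "0.0.0.255", *host("192.0.2.3")),       # ACCOUNTING
    Ace("ip", "172.16.5.0", "0.0.0.255", *host("192.0.2.4")),
    Ace("ip", *host("172.16.4.123"), *ANY),                         # FEO
    Ace("ip", *host("172.16.6.61"), *ANY),                          # IAM
    Ace("ip", *host("172.16.6.66"), *ANY),                          # ADMIN
    Ace("ip", *host("172.16.16.222"), *ANY),                        # SPB_VSL_ISLAND
    Ace("ip", *host("172.16.17.222"), *ANY),                        # SPB_OZERKI
    Ace("ip", *host("172.16.24.222"), *ANY),                        # KMR
]


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Optional[int]:
    """First matching entry wins; returns its index, or None for the implicit deny."""
    for n, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return n
    return None
```

Because the accounting entries say permit ip rather than permit tcp, an ICMP echo from 172.16.5.7 to 192.0.2.3 matches entry 1, which is why those hosts can ping the client-bank servers.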
For the servers on the Internet to be reachable by domain name, it would be nice to have a DNS server in our network:


Naturally, we need to register it on the devices from which we will check access:

Show must go on!
Everything is accessible from the administrator's computer.
From the PTO network there is access only to the linkmeup.ru website on port 80 (HTTP).
In the FEO network only 4.123 (the financial director) gets out to the world.
In accounting only the client-bank sites work. But since permission is given to the entire IP protocol, they can also be pinged.
7) Servers
Here we need to configure port forwarding so that they can be reached from the Internet:
a) Web server
msk-arbat-gw1(config)#ip nat inside source static tcp 172.16.0.2 80 198.51.100.2 80
We check right away; for example, we can do it from a test PC with the address 192.0.2.7.
Nothing will work yet, because for the server network we have not configured the interface on msk-arbat-gw1:
msk-arbat-gw1(config)#int fa0/0.3
msk-arbat-gw1(config-subif)#ip nat inside
And now:

b) File server
msk-arbat-gw1(config)#ip nat inside source static tcp 172.16.0.3 21 198.51.100.3 21
For this we also opened ports 20-21 for everyone in the Servers-out ACL.

c) Mail server
msk-arbat-gw1(config)#ip nat inside source static tcp 172.16.0.4 110 198.51.100.4 110
Checking is also not difficult. Follow the steps:
First, configure the mail server. We specify the domain and create two users.

Next, add the domain to DNS. This step is optional, you can reach the server by IP, but why not?

We configure the computer from our network:

From the external:

We are preparing a letter:

On the local host, click Receive:

8) RDP access to the admin's computer and ours
msk-arbat-gw1(config)#ip nat inside source static tcp 172.16.6.61 3389 198.51.100.10 3389
msk-arbat-gw1(config)#ip nat inside source static tcp 172.16.6.66 3389 198.51.100.10 3398
Security
Lastly, one remark. Most likely the translating device faces the Internet with its ip nat outside interface. Therefore it would not hurt to hang an ACL on that interface, denying and permitting whatever you need. We will not dwell on this question in this article.
With this, the first acquaintance with NAT technology can be considered complete.
As another homework assignment, answer the question why there is no Internet access from the eniks' computers in St. Petersburg and Kemerovo. After all, we have already added them to the access list.
Release Materials
New IP-plan, switching plans for each point and regulations.
PT file with the lab.
Device configuration.
Additional links:
General information and TCP load balancing.
Two providers + NAT.
Useful information from cisco.
Our colleague habruiser wrote several articles on the features of NAT. This article may be especially interesting.
But be that as it may, nobody writes about Cisco better than Cisco.
Reverse mask
Bonuses
PBR setup for the example from the article
In global configuration mode.
Add the default route:
ip route 0.0.0.0 0.0.0.0 10.0.1.1
In the access list, filter out traffic from the 192.168.2.0/24 network
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
Create a route map, in which we state that if a packet is from network 192.168.2.0/24, it gets next-hop 10.0.2.1 (instead of 10.0.1.1):
route-map CLIENT permit 5
match ip address 101
set ip next-hop 10.0.2.1
Apply the map to the interface:
ip policy route-map CLIENT
This is just one use of the powerful Policy-Based Routing tool, which unfortunately is not implemented in any form in PT (Packet Tracer).
Rate limiting on an interface based on an ACL
Using the same example, let's limit the speed for network 192.168.1.0/24 to 1.5 Mb/s and for 192.168.2.0/24 to 64 kb/s.
On 10.0.1.1 you can run the following commands:
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 any
Router(config)#interface fa0/0
Router(config-if)#rate-limit output access-group 100 1544000 64000 64000 conform-action transmit exceed-action drop
Router(config-if)#rate-limit output access-group 101 64000 16000 16000 conform-action transmit exceed-action drop
Pressing questions from the inattentive can be raised in LJ.
Thanks to my co-author thegluck.
Special thanks to JDima for help in preparing the article.