Thursday, September 26, 2013

Lesson 3 -- Network Address Translation

In our last lab, we set up a router to connect our company's small local area network to the Internet. However, in the first lab, we decided to use RFC-1918 addresses for our internal network. That causes a problem, unfortunately. RFC-1918 addresses are private, internal-only addresses, meaning most Internet Service Providers' routers won't route traffic to or from RFC-1918 addresses. At the ISP where I used to work, the network admins called RFC-1918 addresses "bogons" because those addresses were bogus on the Internet. So do we have to start over? Do we need to reconfigure all of our network equipment to use valid IP addresses?

Nope! There is a technology -- or more accurately, two closely related technologies that are often confused with each other -- that will allow our router to act as a "translator" between our internal network and the Internet. These technologies are often called "Network Address Translation" or "NAT," although what most people typically mean by the term is more accurately called "Port Address Translation" or "PAT." "NAT" refers to substituting a public IP address on the router for a private IP address inside the LAN -- basically, when the router receives an outbound packet, it rewrites the Source field of the IP packet with a public IP address assigned to the router's external interface. This is a one-to-one translation: if two hosts inside the LAN need to communicate with external hosts, there must be two IP addresses on the router's external interface. With "PAT," however, the router uses the combination of a (possibly rewritten) source port and the single IP address of its external interface to uniquely identify the traffic of each internal host.

Let's set up port address translation on our company router:

lab2651rtr# conf t
lab2651rtr(config)# int fa0/0
lab2651rtr(config-if)# ip nat inside
lab2651rtr(config-if)# int fa0/1
lab2651rtr(config-if)# ip nat outside
lab2651rtr(config-if)# exit
lab2651rtr(config)# access-list 1 permit 192.168.1.0 0.0.0.255
lab2651rtr(config)# ip nat inside source list 1 interface FastEthernet0/1 overload


Essentially, what we are doing is creating a filter ("access-list 1 permit 192.168.1.0 0.0.0.255" -- we'll discuss access lists in a lot more detail later on), then using that filter to allow certain traffic (anything coming from a 192.168.1.xxx address) to be dynamically mapped to the router's external interface. The "overload" keyword at the end is what makes this PAT rather than one-to-one NAT: every inside address in the list shares the single address on FastEthernet0/1, and the router tells the conversations apart by the translated source port.

If you think about it, that's pretty cool, actually. Your computers and workstations inside your local area network can now communicate with other hosts on the Internet, but only Internet hosts that have an already-established communication channel with your internal hosts can get back in through your router. Not only that, but a black hat on the Internet doesn't know the internal structure of your network when you are using NAT. Yeah, I'm familiar with the saying about security through obscurity. I'm not saying that you shouldn't take reasonable precautions to ensure network and PC security, but I would argue that hiding the details of your network design behind NAT can certainly be an effective layer of your security plan. Why give an attacker any more information than you have to?

However, there is a price to be paid for this feature (some would call it an ugly hack on IPv4 to handle the flaws inherent in the IPv4 addressing scheme, but meh...). First, since external hosts can only communicate with internal hosts that have already initiated a conversation with them, NAT will break services that you want to be initiated from outside your network. For example, if you build a public web server to advertise for your company, or an e-mail server that you want to be able to receive mail from other corporations, NAT will break these services. Furthermore, some protocols, for example SIP (which is commonly used in Voice over IP telephony), do not work well when NATed. There are workarounds for these problems, fortunately. Servers that should have an external presence as well as an internal presence can be placed in a DMZ, or you can configure additional external IP addresses on your router that map statically to the internal IP address of your servers.
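To make the mechanics concrete, here is a small Python model of what the router is doing with the configuration above: the wildcard-mask match behind "access-list 1", the "overload" translation table that rewrites inside source addresses and ports, the reverse lookup that lets replies back in while dropping unsolicited inbound traffic, and the static one-to-one mapping used for the server workaround. This is an added example written for this post, not IOS code or anything from the original lab; the public addresses (203.0.113.x, 198.51.100.x), host addresses and packets are constructed for illustration, and the class and function names are my own.

```python
"""Toy model of Cisco-style PAT ('ip nat inside source list 1 interface ... overload')
plus a static one-to-one mapping. Constructed example; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def acl_permits(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored.
    'access-list 1 permit 192.168.1.0 0.0.0.255' -> network='192.168.1.0', wildcard='0.0.0.255'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


class PatRouter:
    """Holds the translation table the router builds for 'overload' (PAT) traffic."""

    def __init__(self, outside_ip: str, acl_network: str, acl_wildcard: str):
        self.outside_ip = outside_ip
        self.acl = (acl_network, acl_wildcard)
        self.next_port = 1024  # first translated source port handed out (arbitrary choice)
        # (inside ip, inside port, dst ip, dst port, proto) -> translated source port
        self.outbound = {}
        # (translated port, remote ip, remote port, proto) -> (inside ip, inside port)
        self.inbound = {}
        # static one-to-one entries, as 'ip nat inside source static' would create
        self.static = {}  # outside ip -> inside ip

    def add_static(self, inside_ip: str, outside_ip: str) -> None:
        self.static[outside_ip] = inside_ip

    def outbound_translate(self, pkt: Packet):
        """Packet from the 'ip nat inside' interface heading out the 'ip nat outside' one.
        Returns the rewritten packet, or None when access-list 1 does not permit translation
        (on a real router that packet would be routed unchanged, source address still a bogon)."""
        for out_ip, in_ip in self.static.items():  # static mappings take precedence
            if pkt.src_ip == in_ip:
                return replace(pkt, src_ip=out_ip)
        if not acl_permits(pkt.src_ip, *self.acl):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.outbound.get(key)
        if port is None:  # new conversation: allocate a fresh outside port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound_translate(self, pkt: Packet):
        """Packet arriving from the Internet. Only a reply matching an existing translation,
        or traffic to a static mapping, is forwarded inside; anything else is dropped (None)."""
        if pkt.dst_ip in self.static:
            return replace(pkt, dst_ip=self.static[pkt.dst_ip])
        if pkt.dst_ip != self.outside_ip:
            return None
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            return None  # unsolicited: no entry in the translation table
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def demo():
    """Two inside hosts using the same source port to the same web server, a reply,
    an unsolicited inbound probe, a non-permitted source, and a static server mapping."""
    rtr = PatRouter("203.0.113.10", "192.168.1.0", "0.0.0.255")
    a = rtr.outbound_translate(Packet("192.168.1.20", 40000, "198.51.100.5", 80))
    b = rtr.outbound_translate(Packet("192.168.1.21", 40000, "198.51.100.5", 80))
    reply_a = rtr.inbound_translate(Packet("198.51.100.5", 80, "203.0.113.10", a.src_port))
    unsolicited = rtr.inbound_translate(Packet("198.51.100.5", 80, "203.0.113.10", 8080))
    not_permitted = rtr.outbound_translate(Packet("10.0.0.5", 40000, "198.51.100.5", 80))
    rtr.add_static("192.168.1.80", "203.0.113.80")  # public web server behind a static entry
    web_hit = rtr.inbound_translate(Packet("198.51.100.9", 51515, "203.0.113.80", 80))
    return a, b, reply_a, unsolicited, not_permitted, web_hit


if __name__ == "__main__":
    for label, p in zip(["a", "b", "reply_a", "unsolicited", "not_permitted", "web_hit"], demo()):
        print(f"{label:14} {p}")
```

Running it shows the two inside hosts leaving with the same public address but different source ports, the web server's reply being steered back to the right inside host, the probe to port 8080 being dropped because nothing in the table matches it, and the static entry letting traffic to 203.0.113.80 reach the inside web server even though that server never initiated anything. Real routers also age translation entries out after an idle timeout, which this model omits.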

At this point, your hosts should be talking on the Internet and to each other. That makes this a good point to stop for the night again. We'll pick up tomorrow with a tool to make it easier for you to assign IP addresses to hosts on your network.
