© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Chapter 9: NAT for IPv4
Routing and Switching Essentials 6.0 Planning Guide
Cisco Networking Academy Program, Routing and Switching Essentials v6.0

Chapter 9 – Sections
• 9.1 NAT Operation
• 9.2 Configure NAT
• 9.3 Troubleshoot NAT
• 9.4 Something extra

9.1 NAT Operation

9.1.1.1 – IPv4 Private Address Space
Did you ever notice how all your labs were based on these addresses? These are the IP addresses you will see assigned to company devices.

IPv4 Private Address Space (Cont.)
§ Private IP addresses cannot be routed over the Internet.
§ NAT is used to translate private IP addresses to public addresses that can be routed over the Internet.
§ One public IPv4 address can be used for thousands of devices that have private IP addresses.

9.1.1.2 – What is NAT?
Important concept: NAT is enabled on one device (normally the border or edge router).
§ Private IP addresses cannot be routed over the Internet.
§ NAT is used to translate private IP addresses used inside a company to public addresses that can be routed over the Internet.
What is NAT? (Cont.)
§ NAT hides internal IPv4 addresses from outside networks.
• Companies use the same private IPv4 addresses, so outside devices cannot tell one company's 10.x.x.x network from another company's 10.x.x.x network.
§ A NAT-enabled router can be configured with a public IPv4 address.
§ A NAT-enabled router can be configured with multiple public IPv4 addresses to be used in a pool (NAT pool) for internal devices configured with private addresses.

9.1.1.3 – NAT Terminology
§ Four types of addresses: inside, outside, local, and global.
• Always consider the device that is having its private address translated to understand this concept.
• Inside address – address of the company network device that is being translated by NAT
• Outside address – IP address of the destination device
• Local address – any address that appears on the inside portion of the network
• Global address – any address that appears on the outside portion of the network

9.1.1.4 – NAT Terminology (Cont.)

9.1.1.5 – How NAT Works
1. The private (internal) IP address gets translated to a public IP address used to reach the external server.
How NAT Works (Cont.)
2. The translated public address is used by the server to send the requested information to the device that actually has a private IP address assigned to it.
3. The NAT-enabled router consults the routing table to see which private address requested the data.

9.1.2.1 – Static NAT
§ Static address translation (static NAT) assigns one public IP address to one private IP address.
§ Commonly used for servers that need to be accessed by external devices, or for devices that must be accessible by authorized personnel when offsite.
§ One-to-one address mapping between local and global addresses.

9.1.2.2 – Dynamic NAT
§ Dynamic NAT assigns a public IP address from a pool of addresses to each packet that originates from a device with a private IP address when that packet is destined to a network outside the company.
• Addresses are assigned on a first-come, first-served basis.
• The number of internal devices that can transmit outside the company is limited to the number of public IP addresses in the pool.
9.1.2.3 – Port Address Translation (PAT)
§ PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices.
§ Uses port numbers to track the session.

9.1.2.4 – Next Available Port
§ PAT tries to preserve the original source port number.
• If that port number is already in use, PAT assigns the first available port number from the appropriate port group:
• 0 – 511
• 512 – 1023
• 1024 – 65,535
• When there are no more port numbers available, PAT moves to the next public IP address in the pool, if there is one.

Next Available Port (Cont.)
1. Notice how traffic is from two different internal devices using the same port number.
2. Notice how PAT uses the same public address, but two different port numbers.
9.1.2.5 – Comparing NAT and PAT
§ Static NAT translates addresses on a 1:1 basis.
§ PAT uses port numbers so that one public address can be used for multiple privately addressed devices.
• PAT can still function with a protocol such as ICMP that does not use TCP or UDP.

9.1.2.6 – Packet Tracer – Investigating NAT Operation

9.1.3.1 – Advantages of NAT
§ Conserves the legally registered addressing scheme.
• Every company can use the private IP addresses.
§ Increases the flexibility of connections to the public network.
• Multiple NAT pools, backup pools, and load balancing across NAT pools.
§ Provides consistency for internal network addressing schemes.
• No need to readdress the network if a new ISP or public IP address is assigned.
§ Provides network security.
• Hides users' private IPv4 addresses.

9.1.3.2 – Disadvantages of NAT
§ Performance is degraded.
• The NAT-enabled border device must track and process each session destined for an external network.
§ End-to-end functionality is degraded.
• Translation of each IPv4 address within the packet headers takes time.
§ End-to-end IP traceability is lost.
• Some applications require end-to-end addressing and can't be used with NAT.
• Static NAT mappings can sometimes be used.
• Troubleshooting can be more challenging.
§ Tunneling becomes more complicated.
§ Initiating TCP connections can be disrupted.
9.2 Configure NAT

9.2.1.1 – Configure Static NAT
Typical mistake! Remember that any interface on the border router that is on the inside network must be configured with the ip nat inside command. This is a common mistake for those new to NAT.

9.2.1.2 – Analyzing Static NAT
1. The client opens a web browser for a connection to a web server.
2. R2 receives the packet on the outside interface and checks the NAT table.
3. R2 replaces the inside global address with the inside local address of 192.168.10.254 (the server's address).
4. The web server responds to the client.
5. (a) R2 receives the packet from the server on the inside interface. (b) R2 checks the NAT table, translates the source address to the inside global address of 209.165.201.5 and forwards the packet.
6. The client receives the packet.

9.2.1.3 – Verifying Static NAT
A best practice is to clear statistics when verifying that NAT is working. Important commands:
• show ip nat translations
• show ip nat statistics
9.2.1.4 – Packet Tracer – Configuring Static NAT

9.2.2.1 – Dynamic NAT Operation
§ Remember that dynamic NAT uses a pool of public IPv4 addresses.
§ Use the same concepts of inside and outside NAT interfaces as static NAT.

9.2.2.2 – Configuring Dynamic NAT

9.2.2.3 – Analyzing Dynamic NAT
1. PC1 and PC2 open a web browser for a connection to a web server.
2. R2 receives the packets on the inside interface and checks whether translation should be performed (via an ACL). R2 assigns a global address from the NAT pool and creates a NAT table entry for both packets.
3. R2 replaces the inside local source address on each packet with the translated inside global address from the pool.
4. The server responds to PC1 using the destination address of 209.165.200.226 (the NAT-assigned address) and to PC2 using the destination address of 209.165.200.227.
5. (a and b) R2 looks up each received packet and forwards it based on the private IP address found in the NAT table for each of the destination addresses.
9.2.2.4 – Verifying Dynamic NAT

9.2.2.5 – Packet Tracer – Configuring Dynamic NAT

9.2.2.6 – Lab – Configuring Dynamic and Static NAT

9.2.3.1 – Configuring PAT: Address Pool
The pool contains the public addresses. The ACL defines which private IP addresses get translated. The ip nat inside source list acl# pool name overload command ties Step 1 with Step 2. The overload keyword is what allows the router to track port numbers (and do PAT instead of dynamic NAT).

9.2.3.2 – Configuring PAT: Single Address
§ When a public address is assigned to the external interface on the border router, that public address can be used for PAT to translate internal private IP addresses to the public IP address.
§ An ACL is still needed to define which private IP addresses get translated.
§ Instead of associating the ACL with a pool, the ACL is associated with an interface that has a public IP address assigned.
§ The overload keyword is always needed for PAT.
9.2.3.3 – Analyzing PAT
1. PC1 and PC2 open a web browser for a connection to a web server.
2. R2 receives the packets on the inside interface and checks whether translation should be performed (via an ACL). R2 assigns the IP address of the outside interface, adds a port number, and creates a NAT table entry for both packets.
3. R2 replaces the inside local source address on each packet with the translated inside global address.
4. Each server responds to PC1 and PC2 using the destination address of the public address assigned to the external interface on the border router.
5. R2 looks up the received packet and forwards it to PC1 because that is the private IP address found in the NAT table for the destination address and port number.
6. R2 looks up the received packet and forwards it to PC2 because that is the private IP address found in the NAT table for the destination address and port number.

9.2.3.4 – Verifying PAT

9.2.3.6 – Packet Tracer – Implementing Static and Dynamic NAT

9.2.3.7 – Lab – Configuring Port Address Translation (PAT)
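The three translation types described in 9.1.2 (static, dynamic, PAT with its next-available-port rule) and traced packet by packet in 9.2.1 to 9.2.3 above, as an added Python simulation that is not part of the original deck and is not Cisco IOS code. The NatRouter class and its methods (add_static, translate_outbound, translate_inbound) are hypothetical names; the ACL, pool and host addresses are constructed from the deck's examples (server 192.168.10.254 statically mapped to 209.165.201.5, pool 209.165.200.226 and .227).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Port groups PAT draws from when the original source port is already taken
# (the three ranges listed on the "Next Available Port" slide).
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))

# (IPv4 address, port); port None marks an address-only (static/dynamic) entry.
Endpoint = Tuple[str, Optional[int]]


def port_group(port: int) -> Tuple[int, int]:
    """Return the (low, high) range that a port belongs to."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class NatRouter:
    """Border router with static mappings, a NAT pool and an ACL of inside networks.

    overload=False behaves as dynamic NAT (one pool address per inside host);
    overload=True behaves as PAT (pool address plus port per session).
    """

    def __init__(self, inside_acl: List[str], pool: List[str], overload: bool):
        self.acl = [ipaddress.ip_network(n) for n in inside_acl]
        self.pool = pool              # public addresses, used in order
        self.overload = overload
        # NAT table: (inside global, global port) -> (inside local, local port)
        self.table: Dict[Endpoint, Endpoint] = {}
        self.static: Dict[str, str] = {}   # inside local -> inside global

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """One-to-one mapping, e.g. a server that outside hosts must reach."""
        self.static[inside_local] = inside_global
        self.table[(inside_global, None)] = (inside_local, None)

    def acl_permits(self, ip: str) -> bool:
        """The ACL decides which inside local addresses get translated."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl)

    def translate_outbound(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Packet entering an 'ip nat inside' interface: returns the translated
        source (inside global, port), or None if the packet is not translated."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if not self.acl_permits(src_ip):
            return None                       # ACL does not designate this host
        local = (src_ip, src_port) if self.overload else (src_ip, None)
        for (g_ip, g_port), entry in self.table.items():   # existing session?
            if entry == local:
                return g_ip, (g_port if self.overload else src_port)
        assigned = self._allocate_pat(src_port) if self.overload else self._allocate_dynamic()
        if assigned is None:
            return None                       # pool exhausted: packet dropped
        self.table[assigned] = local
        return assigned[0], (assigned[1] if self.overload else src_port)

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Reply entering the 'ip nat outside' interface: look the destination up
        in the NAT table and return (inside local, port), or None if absent."""
        if (dst_ip, dst_port) in self.table:            # PAT entry
            return self.table[(dst_ip, dst_port)]
        if (dst_ip, None) in self.table:                # static or dynamic entry
            return self.table[(dst_ip, None)][0], dst_port
        return None

    def _allocate_dynamic(self) -> Optional[Endpoint]:
        """Dynamic NAT: first free pool address, first come first served."""
        for ip in self.pool:
            if (ip, None) not in self.table:
                return ip, None
        return None

    def _allocate_pat(self, src_port: int) -> Optional[Endpoint]:
        """PAT: keep the original port if free, otherwise the first free port in
        the same group; when that is exhausted, move to the next pool address."""
        low, high = port_group(src_port)
        for ip in self.pool:
            if (ip, src_port) not in self.table:
                return ip, src_port
            for port in range(low, high + 1):
                if (ip, port) not in self.table:
                    return ip, port
        return None


if __name__ == "__main__":
    r = NatRouter(["192.168.0.0/16"], ["209.165.200.226", "209.165.200.227"], overload=True)
    r.add_static("192.168.10.254", "209.165.201.5")
    print(r.translate_outbound("192.168.10.10", 1444))   # original port preserved
    print(r.translate_outbound("192.168.11.10", 1444))   # same public IP, next free port
    print(r.translate_inbound("209.165.201.5", 80))      # static entry: to the server
```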
9.2.4.1 – Port Forwarding
§ Port forwarding allows an external device to reach a device on a specific port number when that device is located on an internal (private) network.
• Required for some peer-to-peer file-sharing programs and operations such as web serving and outgoing FTP.
• Solves the problem of NAT only allowing translations for traffic destined for external networks at the request of internal devices.

9.2.4.2 – Wireless Router Example
§ Port forwarding can be enabled for specific applications.
• Must specify the inside local address that requests should be forwarded to.

9.2.4.3 – Configuring Port Forwarding with IOS

Configuring Port Forwarding with IOS (Cont.): Check

9.2.4.4 – Packet Tracer – Configuring Port Forwarding on a Wireless Router

9.2.5.1 – NAT for IPv6?
§ IPv6 was developed with the intention of making NAT for IPv4 unnecessary.
§ IPv6 does have its own form of NAT.
• IPv6 has its own private address space.
9.2.5.2 – IPv6 Unique Local Addresses
§ IPv6 unique local addresses (ULAs) are similar to IPv4 private addresses.
• ULAs provide IPv6 address space for communications within a local site.
• First 64 bits of a ULA:
• Prefix of FC00::/7 (FC00 to FDFF)
• Next bit is 1 if the prefix is locally assigned
• Next 40 bits define a global ID
• Next 16 bits are a subnet ID
• Last 64 bits of a ULA are the interface ID, or host portion, of the address
§ Allows sites to be combined without address conflicts.
§ Allows internal connectivity.
§ Not routable on the Internet.

9.2.5.3 – NAT for IPv6
§ Provides access between IPv6-only and IPv4-only networks (not translating private addresses to public addresses as NAT for IPv4 does).
§ Techniques available:
• Dual-stack – both devices run protocols for both IPv4 and IPv6
• Tunneling – encapsulate the IPv6 packet inside an IPv4 packet for transmission over an IPv4-only network
• NAT for IPv6 (translation) – should not be used as a long-term strategy
• The older Network Address Translation-Protocol Translation (NAT-PT)
• NAT64

9.3 Troubleshoot NAT

9.3.1.1 – The show ip nat Commands
1. Determine what NAT is supposed to achieve and compare with the configuration. This may reveal a problem with the configuration.
2. Verify translations using the show ip nat translations command.
3. Use the clear and debug commands to verify NAT.
4. Review what is happening to the packet and verify routing.
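The ULA field layout from 9.2.5.2 above (7-bit FC00::/7 prefix, L bit, 40-bit global ID, 16-bit subnet ID, 64-bit interface ID), as an added Python example that is not part of the original deck; parse_ula, make_ula and same_prefix are hypothetical helper names and the addresses are constructed.

```python
import ipaddress
from typing import Dict

ULA_PREFIX_BITS = 0b1111110      # top 7 bits of every address in FC00::/7


def parse_ula(address: str) -> Dict[str, object]:
    """Split an IPv6 ULA into the fields listed on the slide."""
    n = int(ipaddress.IPv6Address(address))
    if n >> 121 != ULA_PREFIX_BITS:
        raise ValueError(f"{address} is not in FC00::/7")
    return {
        "local": bool((n >> 120) & 1),           # L bit: 1 = locally assigned (FD00::/8)
        "global_id": (n >> 80) & ((1 << 40) - 1),  # 40-bit global ID
        "subnet_id": (n >> 64) & 0xFFFF,           # 16-bit subnet ID
        "interface_id": n & ((1 << 64) - 1),       # 64-bit interface ID (host part)
    }


def make_ula(global_id: int, subnet_id: int, interface_id: int, local: bool = True) -> str:
    """Assemble a ULA from its fields (the inverse of parse_ula)."""
    if not (0 <= global_id < 1 << 40 and 0 <= subnet_id < 1 << 16
            and 0 <= interface_id < 1 << 64):
        raise ValueError("field out of range")
    prefix_byte = 0xFC | int(local)               # 0xFC (reserved) or 0xFD (local)
    n = (prefix_byte << 120) | (global_id << 80) | (subnet_id << 64) | interface_id
    return str(ipaddress.IPv6Address(n))


def same_prefix(a: str, b: str) -> bool:
    """True if two ULAs share global ID and subnet ID, i.e. they would collide
    when the two sites are merged; distinct global IDs never collide."""
    fa, fb = parse_ula(a), parse_ula(b)
    return fa["global_id"] == fb["global_id"] and fa["subnet_id"] == fb["subnet_id"]
```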
9.3.1.2 – The debug ip nat Commands
§ Common commands:
• debug ip nat
• debug ip nat detailed
§ Output symbols and values:
• * – the translation is occurring in the fast-switched path
• s= – source IPv4 address
• a.b.c.d--->w.x.y.z – source a.b.c.d is translated to w.x.y.z
• d= – destination IPv4 address
• [xxxx] – IPv4 identification number
§ Check the ACL to ensure the correct private addresses are designated.

9.3.1.3 – NAT Troubleshooting Scenario
The translations should look like this:

NAT Troubleshooting Scenario (Cont.)
An internal PC is unable to contact an external server; the translation table looks like this: nothing.

NAT Troubleshooting Scenario (Cont.)
You may have the interfaces swapped.

NAT Troubleshooting Scenario (Cont.)
The ACL may be wrong.

9.3.1.4 – Packet Tracer – Verifying and Troubleshooting NAT Configurations
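The debug ip nat output symbols listed above, turned into an added Python parser for the troubleshooting scenario (which inside hosts are being translated, and which never appear, the empty-table case). This is not part of the original deck; the sample lines are constructed to follow the slide's symbol list rather than captured from a router, and parse_debug_line, translations and missing_translations are hypothetical names.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of 'debug ip nat' lines following the symbols on the slide:
# * = fast-switched, s= source, a.b.c.d->w.x.y.z = translation, d= destination,
# [nnnn] = IPv4 identification. Not a capture from a real router.
SAMPLE_DEBUG = """\
NAT*: s=192.168.10.10->209.165.200.226, d=209.165.201.1 [2817]
NAT*: s=209.165.201.1, d=209.165.200.226->192.168.10.10 [4101]
NAT: s=192.168.11.10->209.165.200.227, d=209.165.201.1 [2818]
NAT*: s=192.168.10.10->209.165.200.226, d=209.165.201.1 [2819]
"""

# Accepts both '->' and the slide's '--->' between original and translated address.
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:-+>(?P<src_xlat>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:-+>(?P<dst_xlat>[\d.]+))? \[(?P<ip_id>\d+)\]$"
)


def parse_debug_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of one debug line, or None if the line is not a NAT debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "fast_switched": m.group("fast") == "*",
        "src": m.group("src"), "src_xlat": m.group("src_xlat"),
        "dst": m.group("dst"), "dst_xlat": m.group("dst_xlat"),
        "ip_id": int(m.group("ip_id")),
    }


def translations(debug_output: str) -> Dict[str, str]:
    """inside local -> inside global, taken from outbound (source-translated) lines."""
    result: Dict[str, str] = {}
    for line in debug_output.splitlines():
        rec = parse_debug_line(line)
        if rec and rec["src_xlat"]:
            result[rec["src"]] = rec["src_xlat"]
    return result


def missing_translations(debug_output: str, inside_hosts: List[str]) -> Set[str]:
    """Inside hosts that never appear translated: the slide's 'nothing in the
    table' case, which points at swapped inside/outside interfaces or an ACL
    that does not designate those addresses."""
    return set(inside_hosts) - set(translations(debug_output))


def fast_switched_ratio(debug_output: str) -> float:
    """Share of translated packets that took the fast-switched path (* marker)."""
    recs = [r for r in map(parse_debug_line, debug_output.splitlines()) if r]
    return sum(r["fast_switched"] for r in recs) / len(recs) if recs else 0.0
```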
9.3.1.5 – Lab – Troubleshooting NAT Configurations

Proxy and NAT

Types of proxy
CGI (Common Gateway Interface) proxy – CGI proxies are used mainly to access a web page that is blocked by a corporate company, an educational institution, etc. CGI proxies hide our IP address and pass the web page's URL to the proxy server in order to gain access to those pages. For example, social media sites are blocked in various corporate companies and educational institutions; CGI proxies help us access those sites.
Transparent proxy – A transparent proxy identifies itself as a proxy server but does not hide the client's actual IP address. The client therefore does not know whether they are using a proxy server or not. It helps get past an IP block, but the user has no anonymity.
Anonymous proxy – An anonymous proxy server helps hide the client's IP address but identifies itself as a proxy server. It helps you obtain anonymity at the IP level and presents an incorrect IP address to the sites accessed.
High anonymity proxy – This proxy server is the most secure and provides the user with complete anonymity. It hides the client's IP address and itself appears as the end device.

What is a proxy from a security perspective?
§ A proxy server is a computer that acts as an intermediary between the Internet and the user's computer. It allows the user's computer to make indirect connections to other network services.
§ A proxy server is used mainly to hide the user's actual location and to share an Internet connection among multiple users.
§ When we use a proxy server, the client computers first connect to the proxy server and then send the request. The proxy server first checks its cache to see whether the request has already been served before.
If it has not, the new request is sent to the Internet from the proxy server.

Advantages of a proxy
§ Reduces Internet costs, because the connection can be shared among multiple clients.
§ Can be used within a VPN connection, which helps hide the actual location and show a location according to our preferences.
§ A filter can be applied, improving the security functions.

Differences: forward proxy vs. reverse proxy
(screen clippings)

Microsoft's view
(screen clipping)

Where the firewall goes
(screen clipping)

What a forward proxy can be used for
§ Content filtering
§ E-mail security
§ NAT'ing
§ Compliance reporting

What a reverse proxy can be used for
§ Application delivery, including:
§ Load balancing (TCP multiplexing)
§ SSL offload/acceleration (SSL multiplexing)
§ Caching
§ Compression
§ Content switching/redirection
§ Application firewall
§ Server obfuscation
§ Authentication
§ Single sign-on

What one US company blocks on its forward proxy
§ familypostcards2008.com (Storm Worm virus)
§ facebook.com
§ playboy.com
§ wikipedia.org

Forward proxy software (server side)
PHP-Proxy, cgi-proxy, glype; see also the Internet censorship wiki: List of Web Proxies

Reverse proxy software for HTTP (server side)
§ apache mod_proxy (can also work as a forward proxy for HTTP)
§ nginx (used on hulu.com, spam sites, etc.)
§ HAProxy
§ lighttpd
§ perlbal
§ portfusion
§ pound
§ varnish cache

Reverse proxy software for TCP (server side)
balance, delegate, pen, portfusion, python director

Difference between a proxy and NAT
§ 'Proxy' denotes an application at layer 7 of the OSI reference model. Network address translation (NAT) is similar to a proxy but works at layer 3.
§ In a layer-3 NAT client configuration, configuring the gateway is sufficient. For a layer-7 proxy client configuration, however, the destination of the packets the client generates must always be the (layer-7) proxy server; the proxy server then reads each packet and determines the real destination.
§ Because NAT works at layer 3, it is less resource-intensive than a layer-7 proxy, but also less flexible.
§ When comparing these two technologies we may encounter the term "transparent firewall". A transparent firewall means the gateway takes advantage of a layer-7 proxy without the client's knowledge. The client assumes the gateway is a layer-3 NAT and has no idea about the inside of the packet, but through this method the layer-3 packets are sent to the layer-7 proxy server for inspection.

Tor onion proxy software
§ Tor (short for The Onion Router) is a system intended to enable online anonymity. The Tor client software routes Internet traffic through a worldwide network of volunteer servers in order to conceal the user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to web sites, online posts, instant messages and other communication forms", back to the user. Its aim is to protect personal freedom, privacy and the ability to conduct confidential business activities by keeping their Internet activities from being monitored.
§ "Onion routing" refers to the layered nature of the encryption service: the original data are encrypted and re-encrypted multiple times, then sent through successive Tor relays, each of which decrypts one "layer" of encryption before passing the data on to the next relay and finally to the destination. This reduces the possibility of the original data being decrypted in transit.

The problem with NAT
There is a big problem with NAT. The question is where the proxy is located:
- inside the internal network (within the local LAN);
- within the external network, with hosts on the internal network having to register with it;
- two administrative domains are interconnected, each with its own proxy.

The external proxy is the most troublesome
§ The client's private IP address comes from a private network (e.g. 10.1.1.100) and arrives at the proxy in the INVITE request together with its SIP address (e.g. pepa@hp.cz).
§ The OK response then cannot find the recipient. A possible solution is to use the TCP transport protocol or the STUN protocol.
§ The best solution is to avoid using NAT at all wherever possible, which is also one of the arguments for moving to IPv6.

When STUN and when a firewall?
STUN – Simple Traversal of UDP through NATs

STUN (Simple/Session Traversal of UDP through NATs)
§ "Server-reflexive" address pair
§ Usually offered by the ISP as a service
§ STUN2 XORs a nonce into the address
§ The client is shielded only by a not very secure NAT and is exposed to attacks by anyone who captures the STUN traffic
§ Does not handle symmetric NAT, where for each unique sender/receiver IP address and port pair there must also be a unique pair on the NAT (for that pair only).
TURN (Traversal Using Relay NAT)
§ A bandwidth-intensive method
§ The server must be close to the NAT and available for the whole duration of the communication
§ Handles symmetric NAT

TURN is part of the migration to IPv6
(figures)

ICE (Interactive Connectivity Establishment)
§ Uses both STUN and TURN according to the configured priority
§ Conveys them to the called party via CDP
§ Once the connection is established, it stops using them
In Microsoft Office Communications Server 2007 R2 the A/V Edge Server is extended with STUN/TURN; see Mike Atkins, "Troubleshoot STUN with TURN in Office Communications Server 2007 R2", http://blogs.technet.com, December 2010.

Microsoft ICE from 2008 – Step 1: the client sends a request to the STUN/TURN server
The STUN client sends a TURN Allocation request to the A/V Edge Server. Capture: Microsoft Network Monitor 3.4.

Step 2: the STUN/TURN server responds

Step 3: computing the MI and sending it to the STUN/TURN server
Message-Integrity = MD5(username ":" realm ":" SASLPrep(password))
where SASL (Simple Authentication and Security Layer) is a general authentication method for client/server protocols; SASLprep is the representation of names and passwords for SASL, see RFC 4013.

Step 4: the STUN/TURN server replies to the remote client
§ The STUN/TURN server sends an Allocate Response packet carrying the timer value, the bandwidth, etc.
§ XORMappedAddress is computed by XORing with the MagicCookie from step 1
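The two STUN computations named in steps 3 and 4 above, as an added Python example that is not part of the original deck or of any vendor's ICE implementation: the XOR-MAPPED-ADDRESS encoding against the RFC 5389 magic cookie (0x2112A442, the fixed header value), and the MD5(username ":" realm ":" SASLprep(password)) value, which RFC 5389 uses as the key of an HMAC-SHA1 MESSAGE-INTEGRITY over the message. The function names are hypothetical, SASLprep is assumed to be a no-op for the ASCII-only passwords accepted here, and the credentials are constructed from the deck's pepa@hp.cz example.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Tuple

MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 STUN header
FAMILY_IPV4 = 0x01


def encode_xor_mapped_address(ip: str, port: int) -> bytes:
    """XOR-MAPPED-ADDRESS value for IPv4: reserved byte, family, X-Port, X-Address.
    The port is XORed with the top 16 bits of the cookie, the address with all 32,
    so a NAT rewriting literal addresses in the payload cannot corrupt it."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)


def decode_xor_mapped_address(value: bytes) -> Tuple[str, int]:
    """Recover the server-reflexive (ip, port) the client learns about itself."""
    _, family, x_port, x_addr = struct.unpack("!BBHI", value)
    if family != FAMILY_IPV4:
        raise ValueError("only the IPv4 family is handled in this example")
    port = x_port ^ (MAGIC_COOKIE >> 16)
    ip = str(ipaddress.IPv4Address(x_addr ^ MAGIC_COOKIE))
    return ip, port


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """MD5(username ":" realm ":" SASLprep(password)), the value on the slide.
    SASLprep leaves plain ASCII unchanged, which is all this example accepts
    (assumption; non-ASCII passwords would need RFC 4013 processing)."""
    if not password.isascii():
        raise ValueError("SASLprep not implemented for non-ASCII passwords")
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def message_integrity(key: bytes, stun_message: bytes) -> bytes:
    """MESSAGE-INTEGRITY: HMAC-SHA1 keyed with the long-term key over the
    message bytes that precede the attribute (RFC 5389, long-term credentials)."""
    return hmac.new(key, stun_message, hashlib.sha1).digest()


def verify_integrity(key: bytes, stun_message: bytes, received_mac: bytes) -> bool:
    """Constant-time comparison of a received MESSAGE-INTEGRITY value."""
    return hmac.compare_digest(message_integrity(key, stun_message), received_mac)
```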
9.4 Chapter Summary

9.4.1.2 – Packet Tracer – Skills Integration Challenge

9.4.1.3 – Conclusion: NAT for IPv4
§ Explain how NAT provides IPv4 address scalability in a small to medium-sized business network.
§ Configure NAT services on the edge router to provide IPv4 address scalability in a small to medium-sized business network.
§ Troubleshoot NAT issues in a small to medium-sized business network.

https://www.mall.cz/porovnani?sectionId=EB036