Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
This presentation is about an introduction to NAT, i.e. Network Address Translation. I made this for conducting training for my team. As per their feedback they found it good, hence I felt like sharing it with others.
Enjoy!!!
4. IPv4 Problem
- Whatever connects directly to the Internet must have a public (globally unique) IP address.
- There is a shortage of public IPv4 addresses.
- The solutions:
  - Long-term solution: IPv6.
  - Short-term solution: CIDR (Classless Inter-Domain Routing).
  - NAT.
By Joud Khattab 4
5. Private Network
- A private IP network is an IP network that is not directly connected to the Internet.
- IP addresses in a private network can be assigned arbitrarily.
- They are not registered and not guaranteed to be globally unique.
- Three address ranges are reserved for private use (non-routable addresses):
  - Class A: 10.0.0.0/8
  - Class B: 172.16.0.0/16 to 172.31.0.0/16
  - Class C: 192.168.0.0/24 to 192.168.255.0/24
- A private IP address is mapped to a public IP address when the machine has to access the Internet.
7. Solution with NAT
- NAT is short for Network Address Translation; it is also known as network masquerading or IP masquerading.
- NAT is a router function in which the IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network.
- NAT is a method that enables hosts on private networks to communicate with hosts on the Internet.
- NAT runs on routers that connect private networks to the public Internet, replacing the IP address/port pair of an IP packet with another IP address/port pair.
- A NAT device has an address translation table.
8. Solution with NAT
- NAT can transparently change a network-internal, private address to a public address:
  - a new mapping is dynamically created when the first packet of a connection passes the NAT;
  - return traffic can use the same mapping in the other direction;
  - normally only outbound connections are allowed;
  - TCP/UDP ports are often used for multiplexing.
- NAT always checks the translation table for an entry before access lists.
- NAT provides some shielding for the internal network.
10. Simple NAT
(Figure: a single NAT device sits between the private network, which uses private IP addresses, and the main Internet, which uses public IP addresses.)
11. Multiple NAT
(Figure: two NAT layers in series. A home network sits behind a home NAT, which in turn sits behind the ISP's NAT on the ISP network before reaching the main Internet. Addresses shown: 192.168.2.12 and 192.168.2.99 on the home network, 10.0.0.12 on the ISP network, and the public address 156.148.70.32.)
12. NAT Terminology
- Inside local: an IP address not routable on the Internet that refers to a device inside our network.
- Inside global: an IP address routable on the Internet that refers to a device inside our network.
- Outside local: an IP address not routable on the Internet that refers to a device outside our network.
- Outside global: an IP address routable on the Internet that refers to a device outside our network.
13. Translation Modes
1. Static translation: a block of external addresses is translated to a same-size block of internal addresses.
2. Dynamic translation (IP masquerading): a large number of internal users share a single external address or a pool of external addresses.
3. PAT (Port Address Translation).
14. Translation Modes
- Inside local address (10.1.1.100): the private IP address that is being translated into a public IP address.
- Inside global address (4.4.4.4): the public IP address that the private IP address is being translated to.
- Outside global address (3.3.3.3): the destination's IP address.
- Outside local address: the destination's private IP address.
15. Static Translation
- Map a range of external addresses to a same-size block of internal addresses.
- The firewall just does a simple translation of each address.
- Port forwarding: map a specific port to come through the firewall rather than all ports; useful to expose a specific service on the internal network to the public network.
16. Static Translation
- Static translations are entered directly into the configuration and are always in the translation table:
  ip nat inside source static 10.6.1.20 171.69.68.10
17. Static Translation
Source address: 10.1.1.100
Destination address: 3.3.3.3
We statically tell the router to translate a single inside local address into a single inside global address: 10.1.1.100 will be mapped to 4.4.4.2 (one of the inside global addresses provided by our ISP).
Inside Global   Inside Local
4.4.4.2         10.1.1.100
18. Dynamic Translation
- Individual hosts inside the firewall are identified based on each connection flowing through the firewall.
- Since a connection does not exist until an internal host requests one through the firewall to an external host, and most firewalls open ports only for the addressed host, only that host can route back into the internal network.
- IP source routing could route back in, but most firewalls block incoming source-routed packets.
- NAT only prevents external hosts from making connections to internal hosts.
- Some protocols will not work: those that rely on separate connections back into the local network.
19. Dynamic Translation
- Dynamic translations use access lists to identify the IP addresses that NAT should create translations for:
  ip nat inside source list 1 pool nat-pool
  access-list 1 permit 10.0.0.0 0.255.255.255
20. Dynamic Translation
A type of NAT in which an inside local address is mapped to an inside global address drawn from a pool of registered (public) IP addresses.
Typically, the router keeps a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not at that time being used by another private IP address.
Inside Local Address   Inside Global Address   Outside Global Address
10.1.1.101             4.4.4.2                 3.3.3.3
10.1.1.102             4.4.4.3                 3.3.3.3
21. Static vs. Dynamic Translations
- Static translations:
  - when you need to be able to initiate a connection from both the inside and outside interfaces (e.g. SMTP, Web);
  - or when you want a specific host to be translated to a specific IP address.
- Dynamic translations:
  - when you want to initiate a connection from only the inside or only the outside.
22. PAT Translation
What if we have multiple inside local addresses and only one inside global address? In this case we use PAT.
PAT keeps track of port numbers:
- 10.1.1.101:44252 -> 4.4.4.4:4096
- 10.1.1.102:17115 -> 4.4.4.4:4097
Source address: 10.1.1.101:44252
Destination address: 3.3.3.3:80
Inside Local Address   Inside Global Address   Outside Global Address
10.1.1.101:44252       4.4.4.4:4096            3.3.3.3:80
10.1.1.102:17115       4.4.4.4:4097            3.3.3.3:80
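The three translation modes of slides 17, 20 and 22 as one small translation-table model. This is an added Python example, not code from the presentation; the addresses are the slides' own, while the lookup order (static entry, then dynamic pool, then PAT) and the `overload_ip` name for the shared inside global address are my assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """One NAT device holding static, dynamic-pool and PAT entries.

    Lookup order is a modelling assumption: a static entry, then an existing
    dynamic binding, then a free pool address, then PAT on the overload IP.
    """

    def __init__(self, pool=(), overload_ip=None, first_port=4096):
        self.static = {}             # inside local IP -> inside global IP
        self.pool = list(pool)       # free inside global IPs (slide 20)
        self.dynamic = {}            # inside local IP -> inside global IP in use
        self.overload_ip = overload_ip
        self.next_port = first_port  # next inside global port handed out by PAT
        self.pat = {}                # (local IP, local port) -> global port
        self.pat_rev = {}            # global port -> (local IP, local port)

    def add_static(self, local_ip, global_ip):
        """Same effect as 'ip nat inside source static <local> <global>'."""
        self.static[local_ip] = global_ip

    def outbound(self, p):
        """Rewrite the source of a packet leaving the private network."""
        if p.src_ip in self.static:
            return Packet(self.static[p.src_ip], p.src_port, p.dst_ip, p.dst_port)
        if p.src_ip not in self.dynamic and self.pool:
            self.dynamic[p.src_ip] = self.pool.pop(0)      # take a free address
        if p.src_ip in self.dynamic:
            return Packet(self.dynamic[p.src_ip], p.src_port, p.dst_ip, p.dst_port)
        if self.overload_ip is None:
            raise RuntimeError("pool exhausted and no overload address")
        key = (p.src_ip, p.src_port)
        if key not in self.pat:                              # new flow: new port
            self.pat[key] = self.next_port
            self.pat_rev[self.next_port] = key
            self.next_port += 1
        return Packet(self.overload_ip, self.pat[key], p.dst_ip, p.dst_port)

    def inbound(self, p):
        """Rewrite the destination of a packet arriving from the Internet;
        None means no entry matched and the packet is dropped."""
        for table in (self.static, self.dynamic):
            for local_ip, global_ip in table.items():
                if global_ip == p.dst_ip:
                    return Packet(p.src_ip, p.src_port, local_ip, p.dst_port)
        if p.dst_ip == self.overload_ip and p.dst_port in self.pat_rev:
            local_ip, local_port = self.pat_rev[p.dst_port]
            return Packet(p.src_ip, p.src_port, local_ip, local_port)
        return None


def demo_static():
    """Slide 17: 10.1.1.100 is always 4.4.4.2, so an inbound connection to
    4.4.4.2 is translated even though no outbound flow created an entry."""
    nat = NatRouter()
    nat.add_static("10.1.1.100", "4.4.4.2")
    out = nat.outbound(Packet("10.1.1.100", 5555, "3.3.3.3", 80))
    back = nat.inbound(Packet("3.3.3.3", 9000, "4.4.4.2", 22))
    return out, back


def demo_dynamic():
    """Slide 20: two hosts draw 4.4.4.2 and 4.4.4.3 from the pool; a third
    host finds the pool exhausted."""
    nat = NatRouter(pool=["4.4.4.2", "4.4.4.3"])
    a = nat.outbound(Packet("10.1.1.101", 1000, "3.3.3.3", 80))
    b = nat.outbound(Packet("10.1.1.102", 1000, "3.3.3.3", 80))
    try:
        nat.outbound(Packet("10.1.1.103", 1000, "3.3.3.3", 80))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return a.src_ip, b.src_ip, exhausted


def demo_pat():
    """Slide 22: both hosts share 4.4.4.4; ports 4096 and 4097 tell the
    return traffic apart, and an unsolicited inbound packet is dropped."""
    nat = NatRouter(overload_ip="4.4.4.4")
    a = nat.outbound(Packet("10.1.1.101", 44252, "3.3.3.3", 80))
    b = nat.outbound(Packet("10.1.1.102", 17115, "3.3.3.3", 80))
    reply = nat.inbound(Packet("3.3.3.3", 80, "4.4.4.4", 4097))
    stray = nat.inbound(Packet("3.3.3.3", 80, "4.4.4.4", 5000))
    return a.src_port, b.src_port, reply, stray
```

The pool-exhaustion path is the practical difference between slides 20 and 22: a third host behind a two-address pool simply cannot reach the Internet, whereas PAT keeps allocating ports on the single shared address.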
23. Compare between NAT & PAT
- NAT changes the IP addresses in the IP header.
(Figure: host 10.6.1.20 on "My Network" talks to an Internet host through the NAT.
  Outbound packet before NAT: Src Addr 10.6.1.20, Dest Addr Internet Host.
  Outbound packet after NAT: Src Addr 171.69.68.10, Dest Addr Internet Host.
  Return packet before NAT: Src Addr Internet Host, Dest Addr 171.69.68.10.
  Return packet after NAT: Src Addr Internet Host, Dest Addr 10.6.1.20.)
24. Compare between NAT & PAT
- Port Address Translation (PAT) extends NAT from "one-to-one" to "many-to-one" by associating the source port with each flow.
(Figure: hosts 10.6.1.6 and 10.6.1.20 on "My Network" share the public address 171.69.68.10.
  Outbound packet from 10.6.1.6 before PAT: Src Addr 10.6.1.6, Src Port 1506, Dest Addr Host 2, Dest Port Any Port.
  After PAT: Src Addr 171.69.68.10, Src Port 1506, Dest Addr Host 2, Dest Port Any Port.
  Outbound packet from 10.6.1.20 before PAT: Src Addr 10.6.1.20, Src Port 2031, Dest Addr Host 1, Dest Port Any Port.
  After PAT: Src Addr 171.69.68.10, Src Port 2031, Dest Addr Host 1, Dest Port Any Port.)
25. Compare between NAT & PAT
(Figure: the same two outbound packets as on slide 24, plus the return packet from Host 2 before PAT: Src Addr Host 2, Src Port Any Port, Dest Addr 171.69.68.10, Dest Port 1506. The PAT uses the destination port 1506 to deliver it to 10.6.1.6.)
26. NAT Kinds
1. Full cone NAT.
2. Restricted cone NAT.
3. Port Restricted cone NAT.
4. Symmetric NAT.
27. Full cone NAT
- Full cone is a NAT where all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.
28. Full cone NAT
(Figure: Host A 192.168.2.2 sits behind a full cone NAT with inside address 192.168.2.1 and public address 1.1.1.4; Host B is 1.1.1.5 and Host C is 1.1.1.6.)
1. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
2. NAT -> B: Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
3. B -> NAT: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
4. NAT -> A: Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
5. C -> NAT: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)
6. NAT -> A: Packet(S=1.1.1.6:1234, D=192.168.2.2:4445)
29. Full cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW ALL TO 1.1.1.4:10100
30. Restricted cone NAT
- In a restricted cone NAT, like a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port.
- Unlike a full cone NAT, a remote host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
31. Restricted cone NAT
(Figure: same hosts as on slide 28, with a restricted cone NAT.)
1. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
2. NAT -> B: Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
3. B -> NAT: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
4. NAT -> A: Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
5. C -> NAT: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) (X: dropped, A has not yet sent to 1.1.1.6)
6. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
7. NAT -> C: Packet(S=1.1.1.4:10100, D=1.1.1.6:7777)
8. C -> NAT: Packet(S=1.1.1.6:4321, D=1.1.1.4:10100)
9. NAT -> A: Packet(S=1.1.1.6:4321, D=192.168.2.2:4445)
32. Restricted cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW 1.1.1.5 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6 TO 1.1.1.4:10100
33. Port restricted cone NAT
- A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
- Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
34. Port restricted cone NAT
(Figure: same hosts as on slide 28, with a port restricted cone NAT.)
1. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
2. NAT -> B: Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
3. B -> NAT: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
4. NAT -> A: Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
5. B -> NAT: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) (X: dropped, A has only sent to 1.1.1.5:7777, not to port 4321)
35. Port restricted cone NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
- Policy:
  - ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
36. STUN - Session Traversal Utilities for NAT
- STUN is a standardized set of methods and a network protocol that allow an end host to discover its public IP address if it is located behind a NAT.
- It is used to permit NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications.
- STUN is intended to be a tool used by other protocols, such as ICE.
37. Symmetric NAT
- A symmetric NAT is a NAT where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port.
- If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
39. Symmetric NAT
(Figure: same hosts as on slide 28, with a symmetric NAT.)
1. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
2. NAT -> B: Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
3. B -> NAT: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
4. NAT -> A: Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
5. A -> NAT: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
6. NAT -> C: Packet(S=1.1.1.4:10179, D=1.1.1.6:7777)
7. C -> NAT: Packet(S=1.1.1.6:7777, D=1.1.1.4:10179)
8. NAT -> A: Packet(S=1.1.1.6:7777, D=192.168.2.2:4445)
9. C -> NAT: Packet(S=1.1.1.6:7777, D=1.1.1.4:10100) (X: dropped, port 10100 is bound only to the flow with 1.1.1.5:7777)
40. Symmetric NAT
- Mapping:
  - 192.168.2.2:4445 <-> 1.1.1.4:10100
  - 192.168.2.2:4445 <-> 1.1.1.4:10179
- Policy:
  - ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
  - ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
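The four NAT kinds of slides 27 to 40, replayed on one model that also implements the binding timer of slide 41. This is an added Python example, not code from the presentation; the `NatBox` class, its sequential port allocation (so the second symmetric mapping gets port 10101 rather than the slide's 10179) and the 30-second idle timeout are my assumptions, while the hosts and packets follow the slides.

```python
import itertools

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = range(4)


class NatBox:
    """One NAT device; `kind` selects the mapping and filtering behaviour."""

    def __init__(self, kind, public_ip="1.1.1.4", first_port=10100, idle_timeout=30):
        self.kind = kind
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)  # next free public port
        self.idle_timeout = idle_timeout          # seconds without traffic
        self.bindings = {}  # key -> public port
        self.entries = {}   # public port -> [internal endpoint, contacted set, last activity]

    def _key(self, src, dst):
        # cone NATs reuse one mapping per internal endpoint; a symmetric NAT
        # creates a fresh mapping for every (internal endpoint, destination)
        return (src, dst) if self.kind == SYMMETRIC else src

    def _expire(self, now):
        # slide 41: a binding with no traffic for idle_timeout is destroyed
        for key, port in list(self.bindings.items()):
            if now - self.entries[port][2] > self.idle_timeout:
                del self.bindings[key]
                del self.entries[port]

    def outbound(self, src, dst, now):
        """Internal endpoint src=(ip, port) sends to dst=(ip, port); returns
        the public (ip, port) the packet carries on the outside."""
        self._expire(now)
        key = self._key(src, dst)
        if key not in self.bindings:
            port = next(self.ports)
            self.bindings[key] = port
            self.entries[port] = [src, set(), now]
        entry = self.entries[self.bindings[key]]
        entry[1].add(dst)       # remember who this endpoint has talked to
        entry[2] = now
        return (self.public_ip, self.bindings[key])

    def inbound(self, remote, public_port, now):
        """Packet from remote=(ip, port) to (public_ip, public_port); returns
        the internal endpoint it is forwarded to, or None when dropped."""
        self._expire(now)
        if public_port not in self.entries:
            return None
        internal, contacted, _ = self.entries[public_port]
        if self.kind == FULL_CONE:
            allowed = True                                         # anyone may send
        elif self.kind == RESTRICTED:
            allowed = any(ip == remote[0] for ip, _ in contacted)  # IP only
        else:                                                      # IP and port
            allowed = remote in contacted
        if not allowed:
            return None
        self.entries[public_port][2] = now   # traffic in either direction refreshes
        return internal


HOST_A = ("192.168.2.2", 4445)


def run_slide_sequence(kind):
    """Replay the packet sequence of slides 28, 31, 34 and 39 on one NAT kind."""
    nat = NatBox(kind)
    pub1 = nat.outbound(HOST_A, ("1.1.1.5", 7777), now=0)
    r = {
        "mapping": pub1,
        "B_same_port": nat.inbound(("1.1.1.5", 7777), pub1[1], now=1),
        "B_other_port": nat.inbound(("1.1.1.5", 4321), pub1[1], now=1),
        "C_unsolicited": nat.inbound(("1.1.1.6", 1234), pub1[1], now=1),
    }
    r["second_mapping"] = nat.outbound(HOST_A, ("1.1.1.6", 7777), now=2)
    r["C_after_contact"] = nat.inbound(("1.1.1.6", 7777), pub1[1], now=3)
    return r


def demo_timeout(keepalive):
    """Slide 41: without traffic the binding dies after idle_timeout; a
    keep-alive every 20 s keeps Host A reachable at t=50."""
    nat = NatBox(FULL_CONE, idle_timeout=30)
    _, port = nat.outbound(HOST_A, ("1.1.1.5", 7777), now=0)
    if keepalive:
        for t in (20, 40):
            nat.outbound(HOST_A, ("1.1.1.5", 7777), now=t)
    return nat.inbound(("1.1.1.5", 7777), port, now=50)
```

Comparing the `C_unsolicited` and `C_after_contact` results across the four kinds shows why only the full cone NAT needs no prior outbound packet, and why the symmetric NAT defeats a peer that learned the 10100 mapping from Host B.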
41. Binding timeout
- When a NAT device creates a binding (a public-private IP address mapping), it associates a timer with it.
- The timer is used to destroy the binding once there is no activity/traffic associated with the binding.
- Because of this, a NAT-aware application that wishes to keep the binding open must periodically send outbound packets, a mechanism known as keep-alive; otherwise it will ultimately lose the binding and be unable to receive incoming packets from the Internet.
42. NAT Scenario
1. Pooling of IP addresses.
2. Supporting migration between network service providers.
3. IP masquerading.
4. Load balancing of servers.
43. Pooling of IP addresses
- Scenario:
  - A corporate network has many hosts but only a small number of public IP addresses.
- NAT solution:
  - The corporate network is managed with a private address space.
  - A NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
  - When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host.
44. Pooling of IP addresses
(Figure: host H1, private address 10.0.1.2, on the private network; host H5, public address 213.168.112.3, on the Internet; between them a NAT device with a pool of addresses 128.143.71.0-128.143.71.30.
  Packet from H1 before the NAT device: Source = 10.0.1.2, Destination = 213.168.112.3.
  After the NAT device: Source = 128.143.71.21, Destination = 213.168.112.3.
  NAT table: Private Address 10.0.1.2 <-> Public Address 128.143.71.21.)
45. Migration between network service
providers
- Multiple Internet connections are attached to a NAT firewall, which chooses among them based on bandwidth, congestion and availability.
- This can be used to provide automatic fail-over or load balancing across providers.
- The firewall is connected to multiple ISPs, with a masquerade (public address) for each ISP, and chooses which ISP to use based on client load:
  - a kind of reverse load balancing;
  - a dead ISP is treated as a fully loaded one, so the client is routed through another ISP.
46. Migration between network service
providers
- Scenario:
  - With CIDR, the IP addresses of a corporate network are obtained from (and aggregated by) the service provider. Changing the service provider therefore requires changing all IP addresses in the network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device has static address translation entries that bind the private address of a host to a public address.
  - Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
- Note:
  - The difference from the use of NAT with IP address pooling is that the mapping between public and private IP addresses is static.
48. IP masquerading
- Also called:
  - Network address and port translation (NAPT), port address translation (PAT).
- Scenario:
  - A single public IP address is mapped to multiple hosts in a private network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device modifies the source port numbers of outgoing traffic so that replies can be mapped back to the right host.
49. IP masquerading
[Figure: IP masquerading. H1 (private address 10.0.1.2) sends with Source = 10.0.1.2, Source port = 2001; H2 (private address 10.0.1.3) sends with Source = 10.0.1.3, Source port = 3020. The NAT device's public address is 128.143.71.21 and its translation table maps private address/port to public address/port:
  10.0.1.2/2001 -> 128.143.71.21/2100
  10.0.1.3/3020 -> 128.143.71.21/4444
On the Internet side the two packets read Source = 128.143.71.21, Source port = 2100 and Source = 128.143.71.21, Source port = 4444 respectively.]
50. Load balancing of servers
- Scenario:
  - Balance the load on a set of identical servers, which are accessible from a single IP address.
- NAT solution:
  - Here, the servers are assigned private addresses.
  - The NAT device acts as a proxy for requests to the server from the public network.
  - The NAT device changes the destination IP address of arriving packets to one of the private addresses of a server.
  - A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
51. Load balancing of servers
- A single public IP address is distributed across a number of internal servers.
- A firewall dynamically maps each request to one machine in a pool of identical clones.
  - Often done for very busy web sites.
  - Either each clone reports its current load to the firewall so the firewall can choose the least loaded target, or the firewall simply uses a dispatching algorithm such as round robin.
- This works cleanly only when each connection is independent of the previous ones, as with a plain HTTP request/response. If the application keeps per-client session state on the server, the NAT device must keep sending a client to the same server (sticky mappings) or the servers must share that state.
53. Concerns about NAT
1. Performance.
2. Fragmentation.
3. End-to-end connectivity.
4. IP address in application data.
54. Performance
- Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum.
- It also requires recalculating the TCP (or UDP) checksum, because that checksum is computed over a pseudo-header that contains the source and destination IP addresses; modifying the port number changes the TCP/UDP checksum as well. In practice NAT code updates the checksums incrementally from the changed words rather than re-summing the whole packet.
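The following Python script is an added example (not code from the slides). It builds a small IPv4/TCP packet using the addresses from the masquerading figure, rewrites the source address and source port as a NAT box would, and checks which checksums break; it then applies the RFC 1624 incremental update that NAT implementations use and confirms the result matches a full recomputation. The sequence number, window, payload and the destination port 80 are constructed sample values.

```python
"""Checksums a NAT box has to fix (added example, not from the slides).

Builds a small IPv4/TCP packet, rewrites its source address and source
port the way a NAT device would, and checks which checksums break.  The
TCP checksum covers a pseudo-header that contains the IP addresses, so an
address change alone invalidates it.  The fix is the incremental update of
RFC 1624, which NAT code uses instead of re-summing the whole packet.
Sequence number, window and payload are constructed sample values.
"""
import socket
import struct

TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Sum the 16-bit words of data with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IP-layer fields that the TCP checksum also covers."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP, tcp_len)


def build_ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", checksum(pseudo_header(src, dst, len(seg)) + seg)) + seg[18:]


def ipv4_checksum_ok(hdr: bytes) -> bool:
    return ones_complement_sum(hdr[:20]) == 0xFFFF


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return ones_complement_sum(pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), generalised to several changed words."""
    total = (~old_csum) & 0xFFFF
    total += sum((~w) & 0xFFFF for w in old_words) + sum(new_words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def addr_words(ip: str) -> tuple:
    return struct.unpack("!HH", socket.inet_aton(ip))


def nat_rewrite(src_old: str, sport_old: int, src_new: str, sport_new: int,
                dst: str, dport: int, payload: bytes) -> dict:
    """Translate source IP and port; report checksum validity before and after fixing them."""
    ip_hdr = build_ipv4_header(src_old, dst, 20 + len(payload))
    seg = build_tcp_segment(src_old, dst, sport_old, dport, payload)

    # Naive rewrite: patch the address and port bytes, leave both checksums untouched.
    ip_patched = ip_hdr[:12] + socket.inet_aton(src_new) + ip_hdr[16:]
    seg_patched = struct.pack("!H", sport_new) + seg[2:]
    stale = (ipv4_checksum_ok(ip_patched), tcp_checksum_ok(src_new, dst, seg_patched))

    # What the NAT box must do: update both checksums for the words it changed.
    ip_csum = incremental_update(struct.unpack("!H", ip_hdr[10:12])[0],
                                 addr_words(src_old), addr_words(src_new))
    ip_fixed = ip_patched[:10] + struct.pack("!H", ip_csum) + ip_patched[12:]
    tcp_csum = incremental_update(struct.unpack("!H", seg[16:18])[0],
                                  addr_words(src_old) + (sport_old,),
                                  addr_words(src_new) + (sport_new,))
    seg_fixed = seg_patched[:16] + struct.pack("!H", tcp_csum) + seg_patched[18:]
    fixed = (ipv4_checksum_ok(ip_fixed), tcp_checksum_ok(src_new, dst, seg_fixed))

    # The incremental result must equal a full recomputation over the new packet.
    same_as_full = (ip_fixed == build_ipv4_header(src_new, dst, 20 + len(payload))
                    and seg_fixed == build_tcp_segment(src_new, dst, sport_new, dport, payload))
    return {"stale_ok": stale, "fixed_ok": fixed, "same_as_full_recompute": same_as_full}


if __name__ == "__main__":
    print(nat_rewrite("10.0.1.2", 2001, "128.143.71.21", 2100,
                      "213.168.112.3", 80, b"GET / HTTP/1.0\r\n\r\n"))
```

The point to take away is the first tuple: both checksums are already wrong after the address change alone, so a NAT device that only fixed the IP header when it changed an address, and the TCP checksum only when it changed a port, would emit packets the receiver discards.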
55. Fragmentation
- Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
- Only the first fragment carries the TCP/UDP header, so a port-translating NAT cannot translate later fragments on their own; it has to reassemble the datagram or remember the translation for the fragment's IP identification until all fragments have passed.
56. End-To-End Connectivity
- NAT destroys the universal end-to-end reachability of hosts on the Internet.
- A host in the public Internet often cannot initiate communication to a host in a private network, because no binding exists until the private host sends something out.
- The problem is worse when both hosts are in private networks (each behind its own NAT) and need to communicate with each other.
57. IP address in application data
- Applications that carry IP addresses in the payload of the application data generally do not work across the private/public network boundary.
- Some NAT devices inspect the payload of widely used application-layer protocols (an application-level gateway, ALG) and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table. This only works when the NAT device can parse the protocol and the payload is not encrypted.
58. Problems with NAT
- Can't be used, without extra help, with:
  - protocols that require a separate back-channel (e.g. active-mode FTP, where the server opens the data connection towards the client);
  - protocols that authenticate or encrypt the TCP/IP headers (e.g. IPsec AH, whose integrity check fails as soon as a header field is rewritten);
  - protocols that embed IP address/port information in their payload;
  - protocols that specifically rely on the original IP address for some security reason.
- The usual workaround is an application-level gateway on the NAT device, as described on the previous slide, or support for NAT traversal in the protocol itself.
59. How Much Memory?
- Needs about 42 KB of system memory to enable NAT.
- 160-200 bytes for each entry in the NAT translation table.
- 1,000 entries use approximately 205 KB of memory (including the 42 KB).
60. NAT in IPv6
- Network address translation is not commonly used in IPv6, as one of its aims is to restore true host-to-host connectivity.
- The large addressing space of IPv6 obviates the need to conserve addresses: every device can be given a unique, globally routable address, so NAT (and NAT loopback) is not commonly needed, although it is still possible.
- NAT loopback, when implemented, works as in IPv4.
- The "migration between providers" scenario above has an IPv6 counterpart: unique local addresses inside the network combined with stateless prefix translation (NPTv6, RFC 6296), which rewrites only the address prefix one-to-one and therefore keeps end-to-end reachability.
66. Configure Static NAT
- As you have seen in the configuration, there is no direct route to 10.0.0.2, so a PC on the 30.0.0.0 network will never know about it.
- It accesses 50.0.0.1 as the web server's IP. To test it, double-click on any computer and ping 50.0.0.1; you will get a reply.
Packet Tracer PC Command Line 1.0
PC>ping 50.0.0.1
Pinging 50.0.0.1 with 32 bytes of data:
Reply from 50.0.0.1: bytes=32 time=141ms TTL=126
Reply from 50.0.0.1: bytes=32 time=80ms TTL=126
Reply from 50.0.0.1: bytes=32 time=109ms TTL=126
Reply from 50.0.0.1: bytes=32 time=125ms TTL=126
Ping statistics for 50.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 141ms, Average = 113ms
67. Configure Static NAT
- Now ping 10.0.0.2 and you will get a destination host unreachable error.
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Reply from 30.0.0.1: Destination host unreachable.
Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
68. Configure Static NAT
- This demonstration shows how companies use NAT to hide their internal addressing from the outside world. Now open a web browser on any PC in the 30.0.0.0 network and browse to the 50.0.0.1 site.
- Note that hiding the address is not the same as filtering traffic: the static mapping forwards every port of 50.0.0.1 to 10.0.0.2, so an access list on the outside interface is still needed to restrict what the outside world can reach on that server.
70. Configure Dynamic NAT
- In this example our internal network is 192.168.0.0/24 and we have five public IP addresses, 50.0.0.1 to 50.0.0.5, to use.
- Configure Router0 (the slide originally showed a 255.0.0.0 mask on fastethernet 0/0; 255.255.255.0 is used here so that it matches access-list 1 and the PAT configuration later):
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
71. Configure Dynamic NAT
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.5 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#exit
73. Configure Dynamic NAT
- For testing NAT, go to R1 and enable NAT debugging from privileged mode:
R1#debug ip nat
- Now go to a PC and ping 20.0.0.2.
74. Configure Dynamic NAT
- When the ICMP ping packet reaches R1, the router examines its source address against access list 1. As this packet was generated from the 192.168.0.0 network, it passes the access list. The router then checks the NAT pool for a free address to translate this address to, which you can see in the output of the debug command on R1:
IP NAT debugging is on
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
NAT: s=192.168.0.7->50.0.0.1, d=20.0.0.2[1]
NAT*: s=20.0.0.2, d=50.0.0.1->192.168.0.7[1]
- In this output, "s=192.168.0.7->50.0.0.1" is the outbound translation of the source address and "d=50.0.0.1->192.168.0.7" is the reverse translation of the destination on the reply; the asterisk marks packets translated in the fast-switched path, and the number in brackets is the IP identification field of the packet.
75. Configure Dynamic NAT
- As you can see in the output, 192.168.0.7 is translated to 50.0.0.1 before leaving the router.
- Now check web access from any client PC.
76. Configure Dynamic PAT
- In dynamic NAT the translation is made IP to IP, so you need as many global IP addresses as you have inside local addresses active at the same time; once the pool is exhausted, further inside hosts cannot be translated until an existing binding times out. That is a problem if you have a few global IP addresses and hundreds of inside local addresses to translate. In such a situation you need to use PAT.
- For the demonstration we configure the same topology we used for dynamic NAT, but this time we use only one global IP address, 50.0.0.1.
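The following Python model is an added example rather than code from the slides. It ties together the binding timer and keep-alive mechanism of slide 41, the port rewriting of IP masquerading (slide 49), the unsolicited-inbound problem of slide 56, and the pool exhaustion that motivates PAT above. The class and method names, the pool addresses, the 60-second idle timeout and the public port range starting at 1024 are all assumptions made for the example:

```python
"""Binding table of a NAT device (added example, not from the slides).

Two modes are modelled:
  * dynamic NAT  : one public address per inside host taken from a pool,
                   ports left alone; the pool can run out;
  * PAT/overload : one public address shared by every host, source port
                   rewritten so that replies can be demultiplexed.
Each binding has an idle timer.  Any outbound packet (including an
application keep-alive) refreshes it; once it expires, inbound packets
for that binding are dropped.  Addresses, ports and times are constructed.
"""
from dataclasses import dataclass


@dataclass
class Binding:
    inside: tuple        # (local ip, local port); port is None in pool mode
    outside: tuple       # (global ip, global port); port is None in pool mode
    last_activity: float


class NatDevice:
    def __init__(self, pool, overload=False, idle_timeout=60.0, first_port=1024):
        self.pool = list(pool)
        self.overload = overload
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.by_inside = {}     # inside key  -> Binding
        self.by_outside = {}    # outside key -> Binding
        self.dropped = []       # (reason, endpoint) for packets not translated

    def _expire(self, now):
        """Tear down every binding that has been idle for idle_timeout seconds."""
        for key, b in list(self.by_inside.items()):
            if now - b.last_activity >= self.idle_timeout:
                del self.by_inside[key]
                del self.by_outside[b.outside]

    def _allocate(self, inside):
        """Pick the public endpoint for a new binding, or None if the pool is exhausted."""
        if self.overload:
            port, self.next_port = self.next_port, self.next_port + 1
            return (self.pool[0], port)
        in_use = {b.outside[0] for b in self.by_inside.values()}
        free = [ip for ip in self.pool if ip not in in_use]
        return (free[0], None) if free else None

    def outbound(self, src_ip, src_port, now):
        """Packet leaving the private network: returns the translated (ip, port) or None."""
        self._expire(now)
        key = (src_ip, src_port) if self.overload else (src_ip, None)
        b = self.by_inside.get(key)
        if b is None:
            outside = self._allocate(key)
            if outside is None:
                self.dropped.append(("pool exhausted", (src_ip, src_port)))
                return None
            b = Binding(key, outside, now)
            self.by_inside[key] = b
            self.by_outside[outside] = b
        b.last_activity = now            # any outbound traffic acts as a keep-alive
        return (b.outside[0], b.outside[1] if self.overload else src_port)

    def inbound(self, dst_ip, dst_port, now):
        """Packet arriving from the Internet: None means no binding, so it is dropped."""
        self._expire(now)
        key = (dst_ip, dst_port) if self.overload else (dst_ip, None)
        b = self.by_outside.get(key)
        if b is None:
            self.dropped.append(("no binding", (dst_ip, dst_port)))
            return None
        b.last_activity = now
        return (b.inside[0], b.inside[1] if self.overload else dst_port)


def demo():
    """Walk through the behaviours the slides describe; returns what was observed."""
    pat = NatDevice(["128.143.71.21"], overload=True, idle_timeout=60)
    h1 = pat.outbound("10.0.1.2", 2001, now=0)                 # first host, first flow
    h2 = pat.outbound("10.0.1.3", 3020, now=1)                 # second host shares the address
    reply = pat.inbound("128.143.71.21", h1[1], now=30)        # reply within the timeout
    pat.outbound("10.0.1.2", 2001, now=50)                     # H1 keep-alive refreshes its timer
    after_keepalive = pat.inbound("128.143.71.21", h1[1], now=100)
    h2_expired = pat.inbound("128.143.71.21", h2[1], now=100)  # idle since t=1: binding gone
    unsolicited = pat.inbound("128.143.71.21", 80, now=100)    # never bound: dropped

    dyn = NatDevice(["128.143.71.1", "128.143.71.2"], overload=False, idle_timeout=60)
    a = dyn.outbound("10.0.1.2", 2001, now=0)
    b = dyn.outbound("10.0.1.3", 3020, now=0)
    c = dyn.outbound("10.0.1.4", 4000, now=0)                  # third host: pool exhausted
    later = dyn.outbound("10.0.1.4", 4000, now=61)             # earlier bindings timed out
    return {"h1": h1, "h2": h2, "reply": reply, "after_keepalive": after_keepalive,
            "h2_expired": h2_expired, "unsolicited": unsolicited,
            "dyn": (a, b, c, later), "dyn_dropped": dyn.dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real devices differ in the details that matter for security: the idle timeout varies by protocol (UDP bindings are usually torn down much sooner than TCP ones), and whether an inbound packet from a different remote address is accepted on an existing binding depends on the NAT's filtering behaviour, which this model (an address-and-port-independent lookup on the public side) does not distinguish.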
78. Configure Dynamic PAT
- The IP addresses of the PCs are already configured; double-click on R1 and configure it as given here.
- Configure R1:
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 30.0.0.1 255.0.0.0
79. Configure Dynamic PAT
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)#ip nat pool test 50.0.0.1 50.0.0.1 netmask 255.0.0.0
R1(config)#ip nat inside source list 1 pool test overload
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#
- The only differences from the dynamic NAT configuration are the one-address pool and the overload keyword, which turns the pool into PAT: every inside host is mapped onto 50.0.0.1 and distinguished by its translated source port.
82. Configure Dynamic PAT
- To verify PAT, go to R1 and run show ip nat translations:
R1#show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
icmp 50.0.0.1:3        192.168.0.7:3      20.0.0.2:3         20.0.0.2:3
icmp 50.0.0.1:4        192.168.0.7:4      20.0.0.2:4         20.0.0.2:4
- As you can see, this time the translation is keyed on port numbers rather than on whole IP addresses: every inside host is mapped onto the single global address 50.0.0.1 and told apart by the port in the Inside global column (for ICMP, the query identifier takes the place of a port). Inside local is the real host address; Inside global is what the Internet sees.
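Added example (not code from the slides): a parser for the show ip nat translations text above, used the way an incident responder would, to map a public address and port that some external server logged back to the inside host. The tcp, udp and static rows in the sample, and the "observed" connection details, are constructed additions to the ICMP rows the slide prints; the static-entry row format (dashes for protocol and outside columns) follows the IOS output style.

```python
"""Parse `show ip nat translations` and map a public endpoint back to the
inside host (added example, not from the slides).

The ICMP rows are the ones printed on the slide; the tcp, udp and static
rows and the "observed" remote-server details are constructed additions.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
Pro  Inside global     Inside local       Outside local      Outside global
icmp 50.0.0.1:1        192.168.0.7:1      20.0.0.2:1         20.0.0.2:1
icmp 50.0.0.1:2        192.168.0.7:2      20.0.0.2:2         20.0.0.2:2
tcp  50.0.0.1:1024     192.168.0.7:49152  20.0.0.2:80        20.0.0.2:80
tcp  50.0.0.1:1025     192.168.0.9:49152  20.0.0.2:80        20.0.0.2:80
udp  50.0.0.1:1026     192.168.0.9:53000  20.0.0.2:53        20.0.0.2:53
---  50.0.0.2          192.168.0.5        ---                ---
"""


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]      # None for a static, address-only translation


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]     # None for a static entry, which applies to every protocol
    inside_global: Endpoint  # what the Internet sees
    inside_local: Endpoint   # the real host
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]


def parse_endpoint(token: str) -> Optional[Endpoint]:
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return Endpoint(ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header line or blank line
            continue
        proto = None if parts[0] == "---" else parts[0].lower()
        rows.append(Translation(proto, *(parse_endpoint(p) for p in parts[1:])))
    return rows


def inside_host_for(rows, proto, global_ip, global_port,
                    remote_ip=None, remote_port=None) -> Optional[Endpoint]:
    """Which inside host was behind global_ip:global_port?  If the external log also
    recorded the server's own address, pass it to disambiguate dynamic entries."""
    for t in rows:
        if t.proto is not None and t.proto != proto:
            continue
        if t.inside_global.ip != global_ip:
            continue
        if t.inside_global.port not in (None, global_port):
            continue
        if remote_ip is not None and t.outside_global is not None and (
                t.outside_global.ip != remote_ip or t.outside_global.port != remote_port):
            continue
        return t.inside_local
    return None


def hosts_behind(rows, global_ip) -> List[str]:
    """Every inside address currently sharing one public address."""
    return sorted({t.inside_local.ip for t in rows if t.inside_global.ip == global_ip})


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print(inside_host_for(table, "tcp", "50.0.0.1", 1025, "20.0.0.2", 80))
    print(hosts_behind(table, "50.0.0.1"))
```

The table is only a snapshot: dynamic entries disappear when their timer expires, so an external log entry from an hour ago can no longer be resolved this way unless the NAT device exports translation events (NAT logging) with timestamps, which is the record a responder should be collecting in advance.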