Study material: Vyatta NAT 6.5R1 v01

Document information

Vyatta Suite200 1301ShorewayRoad Belmont,CA94002 vyatta.com 6504137200 1888VYATTA1(USandCanada) VYATTA,INC. |  VyattaSystem NAT REFERENCEGUIDE NAT COPYRIGHT Copyright©2005–2012Vyatta,Inc.Allrightsreserved. Vyattareservestherighttomakechangestosoftware,hardware,anddocumentationwithoutnotice.Forthemostrecentversionof documentation,visittheVyattawebsiteatvyatta.com. PROPRIETARYNOTICES VyattaisaregisteredtrademarkofVyatta,Inc. Hyper‐VisaregisteredtrademarkofMicrosoftCorporation. VMware,VMwareESX,andVMwareserveraretrademarksofVMware,Inc. XenServer,andXenCenteraretrademarksofCitrixSystems,Inc. Allothertrademarksarethepropertyoftheirrespectiveowners. RELEASEDATE:October2012 DOCUMENTREVISION.6.5R1 v01 RELEASEDWITH:6.5R1 PARTNO.A0‐0230‐10‐0013 iii NAT 6.5R1v01 Vyatta Contents QuickListofCommands......................................................... v ListofExamples ...............................................................vi Preface. ..................................................................... vii IntendedAudience ................. ................... ..........................................viii OrganizationofThisGuide ........... ....... ................................. .....................viii DocumentConventions ............................................ ............... ................ix VyattaPublicati ons................. ................................ .. 
................. ...........ix Chapter1NATOverview........................................................ 1 WhatisNAT? .............................................. .. ................. ................... 2 BenefitsofNAT ............ ...................................................................... 3 TypesofNAT ........................... .........................................................4 SourceNAT(SNAT).......................................... ................................. .5 DestinationNAT(DNAT)............. ................................. .........................5 BidirectionalNAT ......................................... ....................................6 InteractionBetweenNAT,Routing,Firewall,andDNS ....... ............... ................... .........7 InteractionBetweenNATandRouting .. .........................................................7 InteractionBetweenNATandFirewall ....................................... ...................10 InteractionBetweenNATandDNS ........................ .. ................................. ..13 NATRules ...... ........ 
................................. .................... ................... 13 TrafficFilters ......................... . ............... ................... .................... ...14 The“outbound‐interface”Filter ................................... ...... .......................14 The“inbound‐interface”Filter....................... ..........................................14 The“protocol”Filter ..... ................................. ...................................15 The“source”Filter ................ .............. ................................ .. ...........15 The“destination”Filter ... ............... ................... ..................................16 AddressConversion:“Translatio n”Addresses............................. ...........................16 SourceAddressTranslations ...... ............... ................................. .............16 DestinationAddressTranslations .. .............................................................17 Chapter2NATConfigurationExamples........................................... 18 SourceNAT(One‐to‐One)............... .. 
........................................................19 SourceNAT(Man y‐to‐One) ................... ................................. ...................20 SourceNAT(Man y‐to‐Many).............. ............................. ...........................22 SourceNAT(One‐to‐Many) .................. ................................ .. ................. ..23  iv NAT 6.5R1v01 Vyatta Masquerade....................................................... .............................25 DestinationNAT(One‐to‐One)............. ................................. .......................27 DestinationNAT(One‐to‐Many) ....................................... ............... .............29 BidirectionalNAT..................... .................................................... .......31 MappingAddressRanges.. ..................................... ..................................32 The“exclude”Option............. .................................... ...........................34 SourceNATandVPN:Usingthe“exclude”Option............. ................. ............... ........35 TheNegationOperator ......... ................ ............... 
................... ................37 Chapter3NATCommands ..................................................... 40 clearnat<rule‐type>counters ...... ................... ........................................42 monitornat<rule‐type>background............................ ................................43 monitornat<rule‐type>rule<rule‐num> ..... ....... ................................. ...........44 monitornat<rule‐type>translations.. ..........................................................45 nat .............................. .. .......... ............... ...............................47 nat<rule‐type>rule <rule‐num> ...............................................................48 nat<rule‐type>rule<rule‐num>description<desc> ............................. ..................50 nat<rule‐type>rule<rule‐num>destination ......................... ............................52 nat<rule‐type>rule<rule‐num>disable ................ ................................. ........54 nat<rule‐type>rule<rule‐num>exclude .. ................................. 
.....................56 nat<rule‐type>rule<rule‐num>inbound‐interface<interface> ..................................... 58 nat<rule‐type>rule<rule‐num>log<state> .. ................... ................... .. ...........60 nat<rule‐type>rule<rule‐num>outbound‐interface<interface>.............................. ......62 nat<rule‐type>rule<rule‐num>protocol<protocol> ..................................... .........64 nat<rule‐type>rule<rule‐num>source.................................. ............... ........66 nat<rule‐type>rule<rule‐num>translation..................... ............... ..................68 shownat<rule‐type>rules ............. ............... ................... .....................70 shownat<rule‐type>statistics.......................................... .......................72 shownat<rule‐type>translations ...................... ................................. .......73 GlossaryofAcronyms.......................................................... 75 v NAT 6.5R1v01 Vyatta QuickListofCommands Use this list to help you quickly locate commands. clearnat<rule‐type>counters........................................ .. ................. ..........42 monitornat<rule‐type>background ....................... 
................................. .......43 monitornat<rule‐type>rule<rule‐num>.... ................................. .................... ...44 monitornat<rule‐type>translations ........................ ............... ........................45 nat<rule‐type>rule<rule‐num>description<desc>................... ................................50 nat<rule‐type>rule<rule‐num>destination .. .. ........ ................................ .. ...........52 nat<rule‐type>rule<rule‐ num>disable.............................................................54 nat<rule‐type>rule<rule‐num>exclude................................ ............................56 nat<rule‐type>rule<rule‐num>inbound‐interface<interface>............. ............................58 nat<rule‐type>rule<rule‐num>log<state> ............ .. ................................. ..........60 nat<rule‐type>rule<rule‐num>outbound ‐interface<interface>..................... ................... 62 nat<rule‐type>rule<rule‐num>protocol<protocol>.. ................................. ...............64 nat<rule ‐type>rule<rule‐num>source ........................................ .. ................. 
..66 nat<rule‐type>rule<rule‐num>translation ............................ .............................68 nat<rule‐type>rule<rule‐num>............... ............... ................... ..................48 nat............... .. ................................ ................................. ..........47 shownat<rule‐type>rules... .....................................................................70 shownat<rule‐type>statistics .......................... ............... ................... ........72 shownat<rule‐type>translations .... ............... ...............................................73 vi NAT 6.5R1v01 Vyatta ListofExamples Use this list to help you locate examples you’d like to look at or try. Example1‐1CreatingasourceNAT(SNAT)rule.......................................... ............14 Example1‐2 Settingtheoutboundinterface .................................. .......................14 Example1‐3 Settingtheinboundinterface...................... ................................. ...14 Example1‐4 Filteringpacketsbyprotocol ......... ................................. .................15 Example 1‐5 Filteringpacketsbysourceaddress....... 
..............................................15 Example1‐6 Filteringpacketsbysourcenetworkaddressandport................................ ......15 Example1‐7 Filteringpacketsbydestinationaddress...................................... ...........16 Example1‐8 SettingasourceIPaddress........................ ......... ............... ............16 Example1‐9 SettingarangeofsourceIPaddresses ............... ....................................17 Example1‐10 SettingasourceIPaddresstothatoftheoutboundinterface.. ............... ..............17 Example1‐11 SettingadestinationIPaddress............... ............... ................... ......17 Example1‐12 SettingarangeofdestinationIPaddresses .. ............................................17 Example2‐14 MultiplesourceNATrulesusing thenegationoperator:unexpec tedbehavior .................38 Example3‐3DisplayingsourceNATruleinformation ...................... ............................71 Example3‐4DisplayingsourceNATstatisticsinformation ................ ..............................72 vii NAT 6.5R1v01 Vyatta Preface This document describes the various deployment, installation, and upgrade options for Vyatta software. This preface provides information about using this guide. 
The following topics are presented: • Intended Audience • Organization of This Guide • Document Conventions • Vyatta Publications  IntendedAudience viii NAT 6.5R1v01 Vyatta IntendedAudience This guide is intended for experienced system and network administrators. Depending on the functionality to be used, readers should have specific knowledge in the following areas: • Networking and data communications • TCP/IP protocols • General router configuration • Routing protocols • Network administration • Network security • IP services OrganizationofThisGuide This guide has the following aid to help you find the information you are looking for: • Quick List of Commands Use this list to help you quickly locate commands. • List of Examples Use this list to help you locate examples you’d like to try or look at. This guide has the following chapters: Chapter Description Page Chapter 1:NATOverview Thischapterexplainshowtosetupnetwork addresstranslation(NAT)ontheVyatta System. 1 Chapter 2:NATConfiguration Examples Thischapterprovidesconfigurationexamples forusi ngnetworkaddresstranslation(NAT) ontheVyattasystem. 18 Chapter 3:NATCommands Thischapterdescribesnetworkaddress translation(NAT)commands. 40 GlossaryofAcronyms 75  DocumentConventions ix NAT 6.5R1v01 Vyatta DocumentConventions This guide uses the following advisory paragraphs, as follows. NOTENotesprovideinformationyoumightneedtoavoidproblemsorconfigurationerrors. This document uses the following typographic conventions. VyattaPublications WARNINGWarningsalertyoutosituationsthatmayposeathreattopersonalsafety. CAUTIONCautionsalertyoutosituationsthatmightcauseharmtoyoursystemordamageto equipment,orthatmayaffectservice. Monospace Examples, command-line output, and representations of configuration nodes. boldMonospace Your input: something you type at a command line. 
bold Commands, keywords, and file names, when mentioned inline. Objects in the user interface, such as tabs, buttons, screens, and panes. italics An argument or variable where you supply a value. <key> A key on your keyboard, such as <Enter>. Combinations of keys are joined by plus signs (“+”), as in <Ctrl>+c. [ key1 | key2] Enumerated options for completing a syntax. An example is [enable | disable]. num1–numN A inclusive range of numbers. An example is 1–65535, which means 1 through 65535, inclusive. arg1 argN A range of enumerated values. An example is eth0 eth3, which means eth0, eth1, eth2, or eth3. arg[ arg ] arg[,arg ] A value that can optionally represent a list of elements (a space-separated list and a comma-separated list, respectively).  VyattaPublications x NAT 6.5R1v01 Vyatta Full product documentation is provided in the Vyatta technical library. To see what documentation is available for your release, see the Guide to Vyatta Documentation. This guide is posted with every release of Vyatta software and provides a great starting point for finding the information you need. Additional information is available on www.vyatta.com and www.vyatta.org. [...]... • NAT simplifies routing NAT reduces the need to implement more complicated routing schemes within larger local networks Types of NAT There are three main types of NAT: • • Destination NAT This is also called DNAT • NAT Source NAT This is also called SNAT “Masquerade” NAT is a special type of SNAT Bidirectional NAT When both SNAT and DNAT are configured, the result is bidirectional NAT 6. 5R1 v01 Vyatta. .. without having to change any other rules 6. 
5R1 v01 Vyatta Chapter 1: NAT Overview  Traffic Filters 14 The Vyatta system allows you to configure source NAT ( SNAT), or destination NAT rules To implement bidirectional NAT, you define a NAT rule for SNAT and one for DNAT Example 1-1 defines an SNAT rule 10 Example 1‐1   Creating a source NAT (SNAT) rule vyatta@ vyatta# set nat source rule 10 Traffic Filters... IP address 6. 5R1 v01 Vyatta Chapter 1: NAT Overview  Types of NAT 6 Figure 1‐5   Destination NAT (DNAT) External (untrusted ) network Source-addr = 96. 97.98.99 Dest-addr = 12.34. 56. 78 Internal (trusted) network DNAT Source-addr = 96. 97.98.99 Dest-addr = 10.0.0.4 Bidirectional NAT Bidirectional NAT is just a scenario where both SNAT and DNAT are configured at the same time Bidirectional NAT is typically... interface.  This is to ensure that  the Vyatta system will reply to  ARP requests from remote  devices for one of the  translation addresses vyatta@ vyatta# set nat source rule 10 translation address  12.34. 56. 64‐12.34. 56. 79 Commit the change vyatta@ vyatta# commit NAT 6. 5R1 v01 Vyatta Chapter 2: NAT Configuration Examples  Masquerade 25 Example 2‐4   Source NAT (one‐to‐many) Show the configuration vyatta@ vyatta# show nat source rule 10... Example 1 6   Filtering packets by source network address and port vyatta@ vyatta# set nat source rule 20 source address 10.0.0.0/24 vyatta@ vyatta# set nat source rule 20 source port 80 NAT 6. 5R1 v01 Vyatta Chapter 1: NAT Overview  Address Conversion: “Translation” Addresses 16 The “destination” Filter The destination filter specifies which packets the NAT translation will be applied to, based on their destination... • Source NAT (Many-to-One) • Source NAT (Many-to-Many) • Source NAT (One-to-Many) • Masquerade • Destination NAT (One-to-One) • Destination NAT (One-to-Many) • Bidirectional NAT • Mapping Address Ranges • The “exclude” Option • NAT Source NAT (One-to-One) Source NAT and VPN: Using the “exclude” Option 6. 
5R1 v01 Vyatta Chapter 2: NAT Configuration Examples  Source NAT (One‐to‐One) 19 Source NAT (One‐to‐One)... represented as three / 16 subnets) mapped to a small range of external addresses Figure 2‐3   Source NAT (many‐to‐many) 10.1.0.0/ 16 10.43.0.0/ 16 eth0 INTERNET 10.197.0.0/ 16 Source-addr = 10.X.X.X Dest-addr = 96. 97.98.99 NAT 6. 5R1 v01 SNAT Source-addr = 12.34. 56. 64-79 Dest-addr = 96. 97.98.99 Vyatta Chapter 2: NAT Configuration Examples  Source NAT (One‐to‐Many) 23 To configure NAT in this way, perform... out) SNAT Network B Yes Firewall (name, local) Local Process Routing Vyatta system Scenario 2b: SNAT—Packets Originating From the Vyatta System In this scenario, packets are originated by a process within the Vyatta system Firewall rule sets are not involved NAT 6. 5R1 v01 Vyatta Chapter 1: NAT Overview  NAT Rules 13 Figure 1‐15   Vyatta system‐originated SNAT firewall decisions Src-addr = 12.34. 56. 78... Vyatta system replies to ARP  requests from remote devices  for the translation address vyatta@ vyatta# set nat source rule 10 translation address  12.34. 56. 78  Commit the change vyatta@ vyatta# commit NAT 6. 5R1 v01 Vyatta Chapter 2: NAT Configuration Examples  Source NAT (Many‐to‐Many) 22 Example 2‐2   Source NAT (many‐to‐one) Show the configuration vyatta@ vyatta# show nat source rule 10 outbound‐interface eth0 source {         address 10.0.0.0/24... Chapter 1: NAT Overview This chapter explains how to set up network address translation (NAT) on the Vyatta System This chapter presents the following topics: • • Benefits of NAT • Types of NAT • Interaction Between NAT, Routing, Firewall, and DNS • NAT Rules • Traffic Filters • NAT What is NAT? Address Conversion: “Translation” Addresses 6. 5R1 v01 Vyatta Chapter 1: NAT Overview  What is NAT? 2 What is NAT? . = 12.34. 56. 78 Dest-addr = 96. 97.98.99 Source-addr = 10.0.0.4 Dest-addr = 96. 97.98.99 SNAT Chapter1: NAT Overview Typesof NAT 6 NAT 6. 
5R1 v01 Vyatta Figure1‐5Destination NAT (DNAT) Bidirectional NAT Bidirectional. Packet Dest-addr = 12.34. 56. 78 IP Packet Dest-addr = 10.0.0.4 NAT Chapter1: NAT Overview Benefitsof NAT 3 NAT 6. 5R1 v01 Vyatta Benefitsof NAT NAT confers several advantages: • NAT conserves public. not listed Internet Hacker 87 .65 .43.21 Secret Workstation 10.0.0.99 ? No Route Chapter1: NAT Overview Typesof NAT 5 NAT 6. 5R1 v01 Vyatta Source NAT (SNAT) Tip:SNATis performed afterthe routing decisionis made. SNAT

Date posted: 06/07/2015, 07:34

Table of contents

  • Contents

  • Quick List of Commands

  • List of Examples

  • Preface

    • Intended Audience

    • Organization of This Guide

    • Document Conventions

    • Vyatta Publications

  • Chapter 1: NAT Overview

    • What is NAT?

    • Benefits of NAT

    • Types of NAT

      • Source NAT (SNAT)

      • Destination NAT (DNAT)

      • Bidirectional NAT

    • Interaction Between NAT, Routing, Firewall, and DNS

      • Interaction Between NAT and Routing

      • Interaction Between NAT and Firewall

      • Interaction Between NAT and DNS

    • NAT Rules

    • Traffic Filters

      • The “outbound-interface” Filter

      • The “inbound-interface” Filter

      • The “protocol” Filter

      • The “source” Filter