Some Issues Related to Using Network Address Translators
Release Date: October 01, 2004
On this page:
Introduction
NAT Operation
NAT and Security
Some Problems with Using Servers Behind NATs
Summary
For More Information
Introduction
A network address translator (NAT) allows the computers on a private network to access Internet resources without being directly connected to the Internet. NATs support the reuse of the IPv4 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) on private networks, which relieves the pressure that nodes needing Internet access would otherwise put on the IPv4 public address space. Although this is a significant advantage of using NATs, the capability does not come without cost.
The Internet was originally designed around a globally unique address space: every interface connected to the Internet has an address that is unique to the subnet to which the interface is attached. Regardless of how subnets are arranged on the networks connected to the Internet, every interface can always be reached through its globally unique address.
Using NATs and the private address space violates the principle of a globally unique address space. Every network behind a NAT reuses the private address space, which means that interfaces attached to different networks can have the same address. Although these networks are not visible from the Internet, they may be visible to each other, and combining several private networks into a single network can produce address conflicts (multiple subnets with the same address prefix, or routes that are no longer unambiguous).
For example, company A uses the 10.0.0.0/8 private address space for its internal network, and company B also uses 10.0.0.0/8. When company A and company B merge, the chance of address conflicts between them is high. The merged company must renumber part of the combined network, which is a costly process. DHCP makes this easier for most host IP nodes, but nodes with static configurations (such as servers) must be reconfigured manually, and the routing infrastructure must be redesigned.
NAT Operation
As described in Windows 2000 Network Address Translator (NAT) (the Cable Guy article from 2001), the basic operation of a NAT is as follows:
• For outgoing packets, the NAT changes the private source address to a public source address and changes the source Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number to a NAT-specific value. For incoming packets, the NAT changes the public destination address back to the original private address and changes the destination TCP or UDP port number back to its original value.
A translation table on the NAT records the mapping between public and private addresses and TCP/UDP port numbers. The NAT discards all incoming traffic that cannot be translated to an address on the private network (that is, traffic with no matching entry in the translation table).
When a computer behind a NAT (on a subnet that is isolated from the Internet) connects to a node on the Internet, the NAT automatically creates the appropriate translation entries so that the return traffic is forwarded to the computer that initiated the communication. An Internet client browsing the web is an example: the Domain Name System (DNS) and Hypertext Transfer Protocol (HTTP) traffic initiated by the client computer automatically creates translation entries, which allow the client to reach Internet resources without being directly connected to the Internet. Therefore, client computers behind a NAT can usually access server computers that are directly connected to the Internet without any problems.
To make a server computer located behind a NAT reachable from the Internet, the NAT must be configured with static translation entries. For a specific example, see the Cable Guy article for May 2003 on configuring access through a network address translator (NAT).
NAT and security
Because a NAT discards all traffic that does not match a translation entry, it is often considered a security device. However, a NAT is not a substitute for a firewall. Typically, two sets of TCP and UDP ports are open on a NAT:
• The set of ports that correspond to translated traffic (as specified by the translation table). These include the dynamic ports opened by clients behind the NAT and the static ports configured for servers behind the NAT.
• The set of ports that correspond to applications and services running on the NAT itself.
The static ports for servers behind the NAT and the ports for applications and services running on the NAT are what expose the NAT, and the hosts behind those static entries, to attack. Dynamic ports are harder to attack because an attacker cannot easily predict when they are open. If the NAT is a general-purpose computer rather than a dedicated device (such as an Internet gateway device), that computer itself is exposed.
Therefore, it is recommended that a NAT be used in conjunction with a firewall, and that clients on the private network also run host-based firewalls to limit the spread of malware within the private network.
Some Problems with Using Servers Behind NATs
As described earlier in this article, client computers behind a NAT generally have no trouble accessing server computers that are directly connected to the Internet. However, when the server is behind the NAT, problems occur in the following cases:
• Multiparty applications
• Peer-to-peer applications
• IPsec NAT-T
Multiparty applications
A multiparty application is one in which multiple computers communicate with each other through a central server for a specific purpose, for example a collaborative computing application or a multiplayer network game. When the central server and some of the clients are behind a NAT, the use of private addresses creates configuration problems.
For example, suppose a collaborative computing server and some of its clients are behind the same NAT, and other clients are on the Internet. Because the private address space is used behind the NAT and the server is behind the NAT, the following must be configured:
• A static translation entry on the NAT that maps the NAT's public address and the server application's port number to the server's private address and the server application's port number.
• To allow clients on the Internet to reach the server by its DNS name (for example, collabsrv.example.com), an entry in the Internet DNS that resolves the server name to the public address of the NAT.
• To allow clients behind the NAT to reach the server by the same name, an entry in the private network's DNS that resolves the server name to the server's private address.
If the actual public or private address of the server is used when connecting from a client computer, no DNS configuration is needed. However, connecting to the server by IPv4 address is inconvenient for end users, and you must ensure that Internet clients use the public address and that clients behind the NAT use the private address.
Even with all of this configuration, the clients behind the NAT and the clients on the Internet cannot agree on the server's IPv4 address. If the collaborative computing application relies on a single common IPv4 address for the server for configuration, synchronization, or security, communication problems will still occur.
Peer-to-peer applications
Another problem with NATs is their effect on peer-to-peer applications. In the peer-to-peer communication model, each peer can act as either a client or a server, and peers communicate directly with each other. If a peer is behind a NAT, two addresses are associated with it: a private address and a public address. Consider a simple configuration in which a NAT causes problems for a peer-to-peer application. The figure in the original article (not reproduced here) shows a private network with a NAT at its edge. With the peer-to-peer application running on all peers, Peer 1 can initiate sessions with Peer 2 (on its own subnet) and with Peer 3 (on the Internet). However, Peer 1 cannot tell Peer 3 how to reach Peer 2, because Peer 1 does not know Peer 2's public address. In addition, unless the NAT is manually configured with static translation entries, Peer 3 cannot initiate a session with Peer 1 or Peer 2, because the NAT will not translate inbound connection request packets for them. Even with static translation entries, Peer 3 cannot initiate sessions with both Peer 1 and Peer 2, because both hosts share the same public IPv4 address and the application uses the same port number on each, and a single public port can be statically mapped to only one private host.
To make matters worse, Internet peers are often behind two different NATs; for example, in the figure, Peer 3 may itself be behind a NAT. To ensure that a peer-to-peer application works across any NAT configuration, the application must be modified to be NAT-aware, which adds complexity to the application.
IPsec NAT-T
Internet Protocol security (IPsec) NAT Traversal (NAT-T) allows IPsec peers to detect the presence of a NAT, negotiate IPsec security associations (SAs), and exchange data protected by Encapsulating Security Payload (ESP), even though the addresses in the IPsec-protected IPv4 packets are changed by the NAT. For more information about how IPsec NAT-T works, see IPsec NAT Traversal Overview (the Cable Guy article for August 2002).
Microsoft Windows Server 2003 and Windows XP Service Pack 2 (SP2) support IPsec NAT-T; Windows XP Service Pack 1 and Windows 2000 also support IPsec NAT-T after a free download is installed. However, because of the way IPsec and NATs interact, Windows XP SP2 by default no longer establishes IPsec NAT-T SAs with servers located behind a NAT, in order to avoid a known security risk. The figure in the original article (not reproduced here) shows an example configuration: Server 1 and Client 2 behind a NAT, and Client 1 on the Internet.
To make Server 1 reachable for IPsec traffic, the NAT must be configured with static translation entries that map Internet Key Exchange (IKE) traffic (UDP port 500) and IPsec NAT-T traffic (UDP port 4500) to Server 1.
In this configuration, the following occurs:
1. Client 1 on the Internet establishes bidirectional SAs with Server 1 using IPsec NAT-T. Because the static translation entries were configured manually, the NAT forwards IKE and IPsec NAT-T traffic between Server 1 and Client 1.
2. Client 2 establishes bidirectional SAs with Client 1 using IPsec NAT-T. When Client 2 communicates with Client 1, the NAT creates a set of dynamic translation entries that allow IKE and IPsec NAT-T traffic between Client 2 and Client 1.
3. If the NAT removes the dynamic translation entries created for Client 2 and a situation arises in which Client 1 has to re-establish its SAs with Client 2, the following happens: Client 1 sends IKE traffic to the NAT's public IPv4 address on UDP port 500. Because this traffic matches the static translation entry for IKE traffic to Server 1, the NAT forwards it to Server 1 rather than to Client 2. Client 1, which is re-establishing its SAs, therefore performs the IPsec main mode negotiation with Server 1 rather than with Client 2.
The known security risk is that Client 1 ends up establishing bidirectional SAs with the wrong peer. Although this situation is unusual, the default behavior of a computer running Windows XP with SP2 is to refuse to establish any IPsec NAT-T based SA with a server located behind a NAT, which ensures that it can never occur.
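The following Python script is an added example, not code from the original article or from Windows. It is a toy NAT translation-table simulator that models the behavior described in the NAT Operation section (dynamic entries created by outbound traffic, static entries configured for servers, and dropping of inbound traffic with no matching entry), the peer-to-peer limitation that one public port can be statically mapped to only one private host, and the three-step IPsec NAT-T scenario above, in which Client 1's IKE packet is delivered to Server 1 once the dynamic entries for Client 2 have expired. All addresses, ports and the dynamic-port pool are constructed for the example (the public addresses are taken from the IPv4 documentation ranges); real NATs differ in how they pick ports and time out entries.

```python
"""Toy NAT translation-table simulator (added example, not from the article).
Addresses and ports below are constructed; 203.0.113.0/24 and 198.51.100.0/24
are IPv4 documentation ranges, not real hosts."""
from dataclasses import dataclass, field

NAT_PUBLIC = "203.0.113.1"   # public side of the NAT (constructed)
SERVER1 = "10.0.0.10"        # server behind the NAT (constructed)
CLIENT2 = "10.0.0.20"        # client behind the NAT (constructed)
CLIENT1 = "198.51.100.7"     # client on the Internet (constructed)
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat:
    public_addr: str
    # (proto, public port) -> (private addr, private port, is_static)
    table: dict = field(default_factory=dict)
    next_port: int = 49152   # first port of the NAT's dynamic pool (assumed)

    def add_static(self, proto, public_port, private_addr, private_port):
        """Static entry for a server behind the NAT. A public port can belong
        to one private host only, so two peers that use the same application
        port cannot both be exposed on the NAT's single public address."""
        key = (proto, public_port)
        if key in self.table:
            owner = self.table[key]
            raise ValueError(f"{proto}/{public_port} already maps to "
                             f"{owner[0]}:{owner[1]}")
        self.table[key] = (private_addr, private_port, True)

    def outbound(self, pkt):
        """Translate a packet leaving the private network, creating a dynamic
        entry unless an entry (static or dynamic) already covers the source."""
        for (proto, pub_port), (addr, port, _) in self.table.items():
            if (proto, addr, port) == (pkt.proto, pkt.src, pkt.sport):
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport, False)
        return Packet(pkt.proto, self.public_addr, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; return None (drop)
        when it is not addressed to the NAT or matches no entry."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_addr or entry is None:
            return None
        addr, port, _ = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, addr, port)

    def expire_dynamic(self):
        """Model the NAT timing out its dynamic entries; static ones remain."""
        self.table = {k: v for k, v in self.table.items() if v[2]}


def peer_conflict():
    """Two peers behind the NAT on the same application port: the second
    static mapping is rejected. Returns True when the conflict is detected."""
    nat = Nat(NAT_PUBLIC)
    nat.add_static("tcp", 6000, SERVER1, 6000)
    try:
        nat.add_static("tcp", 6000, CLIENT2, 6000)
    except ValueError:
        return True
    return False


def nat_t_scenario():
    """Replay the three numbered steps from the text. Returns, per step, the
    private host that receives Client 1's packet (None if it was dropped)."""
    nat = Nat(NAT_PUBLIC)
    nat.add_static("udp", IKE_PORT, SERVER1, IKE_PORT)      # administrator-
    nat.add_static("udp", NAT_T_PORT, SERVER1, NAT_T_PORT)  # configured entries
    # Step 1: Client 1 -> Server 1 through the static IKE entry.
    step1 = nat.inbound(Packet("udp", CLIENT1, IKE_PORT, NAT_PUBLIC, IKE_PORT))
    # Step 2: Client 2 -> Client 1; the NAT allocates a dynamic public port and
    # Client 1's replies come back to that port.
    out = nat.outbound(Packet("udp", CLIENT2, IKE_PORT, CLIENT1, IKE_PORT))
    step2 = nat.inbound(Packet("udp", CLIENT1, IKE_PORT, NAT_PUBLIC, out.sport))
    # Step 3: the dynamic entry times out. A packet to the old port is dropped,
    # and when Client 1 re-initiates IKE to the NAT's address on UDP 500 the
    # static entry delivers it to Server 1 instead of Client 2.
    nat.expire_dynamic()
    stale = nat.inbound(Packet("udp", CLIENT1, IKE_PORT, NAT_PUBLIC, out.sport))
    step3 = nat.inbound(Packet("udp", CLIENT1, IKE_PORT, NAT_PUBLIC, IKE_PORT))
    return {"step1": step1.dst, "step2": step2.dst,
            "stale": None if stale is None else stale.dst, "step3": step3.dst}


if __name__ == "__main__":
    print("peer conflict detected:", peer_conflict())
    print(nat_t_scenario())
```

Running the script shows step1 and step3 both landing on Server 1 while step2 reaches Client 2, which is exactly the misdelivery that the Windows XP SP2 default avoids by refusing NAT-T SAs to servers behind a NAT. The simulator keys entries on the public port only, as the text describes; a NAT that also matched the remote address and port would narrow the window but not remove it, because the static entry for UDP 500 still catches any fresh IKE initiation to the NAT's public address.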
To change the IPsec NAT-T behavior of a computer running Windows XP with SP2, you must create and set the AssumeUDPEncapsulationContextOnSendRule registry value. Before doing so, consult your network administrator or security staff.
To add and configure the AssumeUDPEncapsulationContextOnSendRule registry value, perform the following steps:
1. On the Windows XP desktop, click Start, click Run, type regedit.exe, and then click OK.
2. In the console tree of Registry Editor, open the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
3. On the Edit menu, add a new value with the following settings:
Value name: AssumeUDPEncapsulationContextOnSendRule
Data type: REG_DWORD
Data value: 0, 1, or 2
• 0 = Cannot establish SAs with servers located behind a NAT (the default)
• 1 = Can establish SAs with servers located behind a NAT, provided that the client has a public address
• 2 = Can establish SAs when both the client and the server are located behind a NAT (this is the behavior of Windows XP with Service Pack 1 and of the IPsec NAT-T update for Windows XP)
Note: The AssumeUDPEncapsulationContextOnSendRule name is case sensitive.
The computer running Windows XP with SP2 must be restarted for the change to take effect.
Setting AssumeUDPEncapsulationContextOnSendRule to 1 or 2 allows a computer running Windows XP with SP2 to connect to servers behind a NAT, including virtual private network (VPN) servers running Windows Server 2003.
Summary
NAT only extends the life of the IPv4 public address space; it is not a long-term solution to the address shortage. NATs work best when they provide private address space for client computers. Most server computers still need a unique public address. Peers in a peer-to-peer application can be placed behind a NAT, but in general (and whenever multiple peers sit behind a single NAT) the peer-to-peer application must be modified to support NATs. Servers can be placed behind a NAT; however, the NAT must be manually configured with static translation entries that forward connection request packets to the server's private address and port. For IPsec NAT-T, these static translation entries produce unexpected results in a particular configuration.
For More Information
For more information about NATs and Windows, consult the following resources:
• The Cable Guy article for May 2003 on configuring access through a network address translator (NAT)
• IPsec NAT Traversal Overview (the Cable Guy article for August 2002)
• IPsec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
• The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2