NAT

You are currently browsing articles tagged NAT.

OpenBSD as a Simple NAT Router

To setup a simple NAT router/firewall using OpenBSD, use these steps as a general guideline.  I’m assuming that you have general knowledge of OpenBSD.

First, configure the network interfaces appropriately.  Typically, this will involve editing the hostname.<NIC type> file.  In a VMware ESX Server environment, OpenBSD uses pcn0 for the first virtual NIC, pcn1 for the second virtual NIC, etc., so the appropriate configuration files would be hostname.pcn0, hostname.pcn1, and so forth.

Next, enable IP forwarding by editing /etc/sysctl.conf and making the following change (the line is present in a default installation, you just need to uncomment it):

net.inet.ip.forwarding=1

Next, we’ll need to enable the OpenBSD packet filter, pf.  This is typically done by creating/editing the file /etc/rc.conf.local and making sure the following line is present:

pf=YES

Next, we’ll configure pf for network address translation (NAT) and simple packet filtering.  If you’ve never configured pf before, I highly recommend this OpenBSD PF guide; it will introduce you to the functionality of this very powerful packet filtering engine.  (Sometimes I wish Mac OS X would switch to using pf.)  You configure pf by placing a ruleset into /etc/pf.conf.

Here’s a quick sample ruleset (keep in mind this is based on OpenBSD running as a virtual machine in a VMware environment):

# Set some variables for use later
ext_if=“pcn1”
int_if=“pcn0”
icmp_types=“echoreq”

# Skip all loopback traffic
set skip on lo

# Scrub all traffic
scrub in

# Perform NAT on external interface
nat on $ext_if from $int_if:network -> ($ext_if:0)

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
pass in inet proto icmp from $allowed_hosts icmp-type $icmp_types keep state

This is a really, really simple configuration, but it will get the job done.  (I did title this “OpenBSD as a Simple NAT Router”, after all.)

For more advanced configurations, I highly recommended reviewing the OpenBSD documentation (which, by the way, is very thorough and very extensive; kudos to the OpenBSD team for their documentation efforts.)

Tags: , , , ,

Cisco NAT Issue Resolved

A short while back I mentioned that I was having a bit of a problem with network address translation (NAT) on a Cisco router.  I’ve managed to get the issue resolved, so here’s the solution in case someone runs across this problem in the future.

In this instance, the original configuration of the router provided a means for both dynamic NAT and static NAT.  Specifically, all the workstations on the LAN would be dynamically translated using port address translation (PAT) behind the external interface of the router, while the web server itself would be statically translated.  Normally, this would not be a problem.

This feat was accomplished using an access list, like this:

access-list 1 permit 172.16.1.0 0.0.0.255

This access list was then applied to the interface using a route map.  The problem here, though, is that this dynamic NAT setup includes the IP address of the web server (let’s just say for the purposes of this example that the web server is 172.16.1.10).

So, to fix the problem, we modified the access list to specifically exclude the web server’s IP address:

access-list 1 deny 172.16.1.10
access-list 1 permit 172.16.1.0 0.0.0.255

This took care of the apparent conflict between the dynamic NAT setup and the static NAT setup (which was accomplished using an ordinary “ip nat inside source” command), and the setup has worked without any problems since then.

Now, if I could just figure out why my GRE-over-IPSec tunnels aren’t working, I’d be in really good shape…

Tags: , ,

Cisco NAT Issue

I’ve been helping a customer try to resolve a network address translation (NAT) problem on a Cisco router for the last week or so, and the solution to the problem is escaping me.  What’s worse, all the documentation I can find from Cisco says the current configuration is correct.

It’s a really simple situation.  Customer has a web server at their office that needs to be accessible from the outside.  OK, fine, no problem, I use—in accordance with the Cisco documentation—the “ip nat inside source static” command to create a static NAT entry.  I then use the appropriate “show” commands to verify that the static entry exists in the NAT table.  It does.

However, when an external host goes to connect, it can’t.  The only way external hosts can connect is during that brief period of time after the internal web server initiates some communications to the outside world and the router “reinstates” the NAT entry, just as if the NAT entry was not static.  The only workaround we’ve found is to schedule a batch file that uses a wget statement to download a very small web page from an external host every 10 minutes.  This keeps the NAT translation active and the web server is fully accessible from the outside world.

If anyone has any ideas as to why this doesn’t work, please let me know.

Tags: , , ,