In Network Address Translation with PAT (port address translation), a client's source address and port number are mapped to a single NAT'd source address. This is commonly called SNAT (source NAT'ing). Doing this for a handful of client machines is not critical, since each source port is only used temporarily, expires, and is forever changing.
A port that is used temporarily this way is called an "ephemeral" port. Take the machine I'm typing this blog on;
sahel01: ~ kfelix$ netstat -an | head
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 112.22.1.172.58430 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58429 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58428 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58427 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58421 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58411 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58383 74.125.139.191.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58382 74.125.139.191.80 ESTABLISHED
The numbers after the last dot of each Local Address (58430, 58429, 58428, ...) are my ephemeral ports, and they are short-lived. Every time my browser connects to a page or link, a new session is created and lives until that TCP session is torn down. The same happens if I ssh to an external host or make a DNS query. The port numbers are handed out in increasing order and wrap around round-robin once the top of the range is reached.
So if you have a few thousand machines doing this, stacked behind one single /32 NAT host address, you can run out of available ports. The port range is technically 0-65535 (65,536 values), but commonly only ports 1024 and greater are used, which leaves roughly 64K ports per global address. Every concurrent session through the PAT consumes one of them, and the netstat output above shows a single browser holding eight at once.
Port 0 is never used or seen, since it is reserved by IANA.
So how do we avoid this potential port exhaustion in big enterprise networks?
Simple: create several NAT pools and spread the SNAT across them, so that more concurrent connections are possible.
Take this simple Cisco configuration where the source network is a huge 10.100.0.0/16. That alone is over 64K potential client machines (65,534 usable addresses), each opening numerous ports for its TCP/UDP sessions, which could drain a single IP address if we were to PAT against one /32.
Here's the NAT ACLs for the source networks;
ip access-list extended mynat_group1
permit ip 10.100.0.0 0.0.63.255 any
remark range 10.100.{0-63}.0/24
ip access-list extended mynat_group2
permit ip 10.100.64.0 0.0.63.255 any
remark range 10.100.{64-127}.0/24
ip access-list extended mynat_group3
permit ip 10.100.128.0 0.0.63.255 any
remark range 10.100.{128-191}.0/24
ip access-list extended mynat_group4
permit ip 10.100.192.0 0.0.63.255 any
remark range 10.100.{192-255}.0/24
!
And now the rest of the NAT configurations;
interface GigabitEthernet0/0
description Link to Internal_CORE
backup interface GigabitEthernet0/2
ip address 10.100.0.2 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
description Link to TrackNetwork WAN Circuit ID:
ip address xxx.xxx.xxx.238 255.255.255.252
ip nat outside
!
ip nat pool ephemeral-group1 xx8.xx4.x8.201 xx8.xx4.x8.201 netmask 255.255.255.0
ip nat pool ephemeral-group2 xx8.xx4.x8.202 xx8.xx4.x8.202 netmask 255.255.255.0
ip nat pool ephemeral-group3 xx8.xx4.x8.203 xx8.xx4.x8.203 netmask 255.255.255.0
ip nat pool ephemeral-group4 xx8.xx4.x8.204 xx8.xx4.x8.204 netmask 255.255.255.0
!
ip nat inside source list mynat_group1 pool ephemeral-group1 overload
ip nat inside source list mynat_group2 pool ephemeral-group2 overload
ip nat inside source list mynat_group3 pool ephemeral-group3 overload
ip nat inside source list mynat_group4 pool ephemeral-group4 overload
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.237 name INTERNET_NEXT-HOP
ip route 10.100.0.0 255.255.0.0 10.100.0.254 name STATIC_2_CORE
So in this config you will notice we broke the sources down into ranges and put each range behind its own /32. The /16 was split into quarters (four /18s, 64 class C networks each), and any host in a quarter is NAT'd to the corresponding /32.
i.e.
10.100.0.0 - 10.100.63.255 into group 1
10.100.64.0 - 10.100.127.255 into group 2
10.100.128.0 - 10.100.191.255 into group 3
10.100.192.0 - 10.100.255.255 into group 4
So the above gives a much better ephemeral-port-to-client ratio, and hopefully we will not exhaust any source ports during a peak of NAT translations. It is worth checking the arithmetic, though: each /32 now fronts about 16,384 hosts with roughly 64K usable ports, which is only three to four concurrent translations per host at peak. If that is not enough for your traffic, add more pool addresses or give a pool a range of addresses instead of a single /32.
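As an added example (not from the original post), the Python script below ties the two halves of this post together: it parses the netstat rows shown earlier to count the ephemeral ports one client is holding, generates the split ACL / pool / overload configuration for an inside prefix with the correct wildcard masks and address ranges, and does the port-budget arithmetic for a given number of pool addresses. The global addresses 192.0.2.201-204 are hypothetical stand-ins for the masked pool addresses in the post, and the model assumes PAT only allocates from ports 1024-65535 and, conservatively, that every concurrent session consumes one unique global port.

```python
"""PAT port-budget check and split-pool NAT config generator (added example).

Assumptions (not from the post): PAT allocates only from ports 1024-65535, and
in the worst case every concurrent session consumes one unique global port.
"""
import ipaddress
import math

# Constructed sample input: the 'netstat -an' rows shown earlier in the post.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 112.22.1.172.58430 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58429 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58428 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58427 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58421 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58411 173.194.35.175.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58383 74.125.139.191.80 ESTABLISHED
tcp4 0 0 112.22.1.172.58382 74.125.139.191.80 ESTABLISHED
"""

PAT_PORTS_PER_ADDRESS = 65535 - 1024 + 1   # 64512 usable ports per /32 (assumption: 1024-65535 only)


def parse_netstat(text):
    """Parse BSD-style 'netstat -an' TCP rows into (local_ip, local_port, remote_ip, remote_port, state).
    BSD netstat joins address and port with a dot, so the port is whatever follows the last dot."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                      # skip headers and non-TCP rows
        lip, lport = parts[3].rsplit(".", 1)
        rip, rport = parts[4].rsplit(".", 1)
        rows.append((lip, int(lport), rip, int(rport), parts[5]))
    return rows


def ephemeral_ports(rows):
    """Distinct local (ephemeral) source ports currently in use, ascending."""
    return sorted({r[1] for r in rows})


def split_inside(inside, groups):
    """Split an inside prefix into `groups` equal subnets; groups must be a power of two."""
    if groups < 1 or groups & (groups - 1):
        raise ValueError("groups must be a power of two")
    net = ipaddress.ip_network(inside)
    return list(net.subnets(prefixlen_diff=groups.bit_length() - 1))


def nat_config(inside, pool_addrs, netmask="255.255.255.0"):
    """Emit IOS ACLs, single-address pools and overload statements, one group per pool address."""
    subs = split_inside(inside, len(pool_addrs))
    out = []
    for i, sub in enumerate(subs, 1):
        out += [f"ip access-list extended mynat_group{i}",
                f" remark {sub.network_address}-{sub.broadcast_address}",
                f" permit ip {sub.network_address} {sub.hostmask} any"]   # hostmask == IOS wildcard mask
    out.append("!")
    for i, addr in enumerate(pool_addrs, 1):
        out.append(f"ip nat pool ephemeral-group{i} {addr} {addr} netmask {netmask}")
    out.append("!")
    for i in range(1, len(pool_addrs) + 1):
        out.append(f"ip nat inside source list mynat_group{i} pool ephemeral-group{i} overload")
    return "\n".join(out)


def capacity(inside, groups, sessions_per_host):
    """Worst-case port budget per group: hosts in the group times concurrent sessions per host."""
    hosts = ipaddress.ip_network(inside).num_addresses - 2      # drop network and broadcast
    hosts_per_group = math.ceil(hosts / groups)
    needed = hosts_per_group * sessions_per_host
    return {
        "hosts_per_group": hosts_per_group,
        "ports_per_group": PAT_PORTS_PER_ADDRESS,
        "peak_ports_needed": needed,
        "max_sessions_per_host": PAT_PORTS_PER_ADDRESS // hosts_per_group,
        "exhausts": needed > PAT_PORTS_PER_ADDRESS,
    }


def pool_addresses_needed(inside, sessions_per_host):
    """Smallest number of /32 global addresses so that sessions_per_host on every host fits."""
    hosts = ipaddress.ip_network(inside).num_addresses - 2
    return math.ceil(hosts * sessions_per_host / PAT_PORTS_PER_ADDRESS)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("ephemeral ports in use on the sample host:", ephemeral_ports(rows))
    # Hypothetical global addresses standing in for the masked xx8.xx4.x8.201-204 in the post.
    pools = ["192.0.2.201", "192.0.2.202", "192.0.2.203", "192.0.2.204"]
    print(nat_config("10.100.0.0/16", pools))
    print(capacity("10.100.0.0/16", len(pools), len(rows)))
    print("pool addresses needed at", len(rows), "sessions/host:",
          pool_addresses_needed("10.100.0.0/16", len(rows)))
```

Run as-is, the script shows that with the /16 split four ways and the eight sessions per host seen in the netstat output, each /32 would need 131,072 ports against 64,512 available; nine single-address pools, not four, would be required for that burst. Lower the per-host figure or add pool addresses until `exhausts` comes back False for your own traffic profile.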
We can even tweak port expiration from the nat process;
i.e
ip nat translation udp-timeout 30
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 30
ip nat translation port-timeout udp 53 20
ip nat translation port-timeout tcp 23 3600
ip nat translation port-timeout tcp 22 3600
The above makes NAT translations expire sooner once a session goes idle, based on the number of idle seconds, so the ports are recovered more quickly: short timeouts for UDP, half-open (SYN) and ICMP entries and for DNS (UDP/53), and a one-hour idle timeout for telnet and ssh, which is still well below the default 24-hour TCP idle timeout. So be very careful with your ephemeral port ranges to avoid exhaustion. In the next blog post I will show how we prevent this with a Cisco ASA running 9.X code, using the same networks as above.
Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed dot com