summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-04-02 08:09:30 +0200
committerGitHub <noreply@github.com>2020-04-02 08:09:30 +0200
commit2de1b229f9a0f056a6bb8179183b88c20762f7ea (patch)
treea3e29798486e29470d9238d1339c6232d99ebbe7 /docs
parente0345c3cd7135e434e222a60de7027678f5f7ecc (diff)
parent3ad0b3e1e7037c3a01098a86b54a6aff627e1352 (diff)
downloadvyos-documentation-2de1b229f9a0f056a6bb8179183b88c20762f7ea.tar.gz
vyos-documentation-2de1b229f9a0f056a6bb8179183b88c20762f7ea.zip
Merge pull request #232 from currite/nat-format
nat: edit format and indentation
Diffstat (limited to 'docs')
-rw-r--r--docs/nat.rst417
1 files changed, 222 insertions, 195 deletions
diff --git a/docs/nat.rst b/docs/nat.rst
index 22ed1271..17698c26 100644
--- a/docs/nat.rst
+++ b/docs/nat.rst
@@ -4,60 +4,65 @@
NAT
###
-:abbr:`NAT (Network Address Translation)` is a common method of remapping one
-IP address space into another by modifying network address information in the
-IP header of packets while they are in transit across a traffic routing device.
-The technique was originally used as a shortcut to avoid the need to readdress
-every host when a network was moved. It has become a popular and essential tool
-in conserving global address space in the face of IPv4 address exhaustion. One
-Internet-routable IP address of a NAT gateway can be used for an entire private
-network.
-
-IP masquerading is a technique that hides an entire IP address space, usually
-consisting of private IP addresses, behind a single IP address in another,
-usually public address space. The hidden addresses are changed into a single
-(public) IP address as the source address of the outgoing IP packets so they
-appear as originating not from the hidden host but from the routing device
-itself. Because of the popularity of this technique to conserve IPv4 address
-space, the term NAT has become virtually synonymous with IP masquerading.
-
-As network address translation modifies the IP address information in packets,
-NAT implementations may vary in their specific behavior in various addressing
-cases and their effect on network traffic. The specifics of NAT behavior are
-not commonly documented by vendors of equipment containing NAT implementations.
-
-The computers on an internal network can use any of the addresses set aside by
-the :abbr:`IANA (Internet Assigned Numbers Authority)` for private addressing
-(see :rfc:`1918`). These reserved IP addresses are not in use on the Internet,
-so an external machine will not directly route to them. The following addresses
-are reserved for private use:
+:abbr:`NAT (Network Address Translation)` is a common method of
+remapping one IP address space into another by modifying network address
+information in the IP header of packets while they are in transit across
+a traffic routing device. The technique was originally used as a
+shortcut to avoid the need to readdress every host when a network was
+moved. It has become a popular and essential tool in conserving global
+address space in the face of IPv4 address exhaustion. One
+Internet-routable IP address of a NAT gateway can be used for an entire
+private network.
+
+IP masquerading is a technique that hides an entire IP address space,
+usually consisting of private IP addresses, behind a single IP address
+in another, usually public address space. The hidden addresses are
+changed into a single (public) IP address as the source address of the
+outgoing IP packets so they appear as originating not from the hidden
+host but from the routing device itself. Because of the popularity of
+this technique to conserve IPv4 address space, the term NAT has become
+virtually synonymous with IP masquerading.
+
+As network address translation modifies the IP address information in
+packets, NAT implementations may vary in their specific behavior in
+various addressing cases and their effect on network traffic. The
+specifics of NAT behavior are not commonly documented by vendors of
+equipment containing NAT implementations.
+
+The computers on an internal network can use any of the addresses set
+aside by the :abbr:`IANA (Internet Assigned Numbers Authority)` for
+private addressing (see :rfc:`1918`). These reserved IP addresses are
+not in use on the Internet, so an external machine will not directly
+route to them. The following addresses are reserved for private use:
* 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
* 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
* 192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)
-If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses :rfc:`1918`
-address space to number customer gateways, the risk of address collision, and
-therefore routing failures, arises when the customer network already uses an
-:rfc:`1918` address space.
+If an ISP deploys a :abbr:`CGN (Carrier-grade NAT)`, and uses
+:rfc:`1918` address space to number customer gateways, the risk of
+address collision, and therefore routing failures, arises when the
+customer network already uses an :rfc:`1918` address space.
-This prompted some ISPs to develop a policy within the :abbr:`ARIN (American
-Registry for Internet Numbers)` to allocate new private address space for CGNs,
-but ARIN deferred to the IETF before implementing the policy indicating that
-the matter was not a typical allocation issue but a reservation of addresses
-for technical purposes (per :rfc:`2860`).
+This prompted some ISPs to develop a policy within the :abbr:`ARIN
+(American Registry for Internet Numbers)` to allocate new private
+address space for CGNs, but ARIN deferred to the IETF before
+implementing the policy indicating that the matter was not a typical
+allocation issue but a reservation of addresses for technical purposes
+(per :rfc:`2860`).
-IETF published :rfc:`6598`, detailing a shared address space for use in ISP
-CGN deployments that can handle the same network prefixes occurring both on
-inbound and outbound interfaces. ARIN returned address space to the :abbr:`IANA
-(Internet Assigned Numbers Authority)` for this allocation.
+IETF published :rfc:`6598`, detailing a shared address space for use in
+ISP CGN deployments that can handle the same network prefixes occurring
+both on inbound and outbound interfaces. ARIN returned address space to
+the :abbr:`IANA (Internet Assigned Numbers Authority)` for this
+allocation.
The allocated address block is 100.64.0.0/10.
Devices evaluating whether an IPv4 address is public must be updated to
-recognize the new address space. Allocating more private IPv4 address space for
-NAT devices might prolong the transition to IPv6.
+recognize the new address space. Allocating more private IPv4 address
+space for NAT devices might prolong the transition to IPv6.
Overview
========
@@ -70,26 +75,28 @@ Different NAT Types
SNAT
^^^^
-:abbr:`SNAT (Source Network Address Translation)` is the most common form of
-:abbr:`NAT (Network Address Translation)` and is typically referred to simply
-as NAT. To be more correct, what most people refer to as :abbr:`NAT (Network
-Address Translation)` is actually the process of :abbr:`PAT (Port Address
-Translation)`, or NAT overload. SNAT is typically used by internal users/private
-hosts to access the Internet - the source address is translated and thus kept
-private.
+:abbr:`SNAT (Source Network Address Translation)` is the most common
+form of :abbr:`NAT (Network Address Translation)` and is typically
+referred to simply as NAT. To be more correct, what most people refer
+to as :abbr:`NAT (Network Address Translation)` is actually the process
+of :abbr:`PAT (Port Address Translation)`, or NAT overload. SNAT is
+typically used by internal users/private hosts to access the Internet
+- the source address is translated and thus kept private.
.. _destination-nat:
DNAT
^^^^
-:abbr:`DNAT (Destination Network Address Translation)` changes the destination
-address of packets passing through the router, while :ref:`source-nat` changes
-the source address of packets. DNAT is typically used when an external (public)
-host needs to initiate a session with an internal (private) host. A customer
-needs to access a private service behind the routers public IP. A connection is
-established with the routers public IP address on a well known port and thus all
-traffic for this port is rewritten to address the internal (private) host.
+:abbr:`DNAT (Destination Network Address Translation)` changes the
+destination address of packets passing through the router, while
+:ref:`source-nat` changes the source address of packets. DNAT is
+typically used when an external (public) host needs to initiate a
+session with an internal (private) host. A customer needs to access a
+private service behind the routers public IP. A connection is
+established with the routers public IP address on a well known port and
+thus all traffic for this port is rewritten to address the internal
+(private) host.
.. _bidirectional-nat:
@@ -97,33 +104,35 @@ Bidirectional NAT
^^^^^^^^^^^^^^^^^
This is a common scenario where both :ref:`source-nat` and
-:ref:`destination-nat` are configured at the same time. It's commonly used then
-internal (private) hosts need to establish a connection with external resources
-and external systems need to access internal (private) resources.
+:ref:`destination-nat` are configured at the same time. It's commonly
+used then internal (private) hosts need to establish a connection with
+external resources and external systems need to access internal
+(private) resources.
NAT, Routing, Firewall Interaction
----------------------------------
-There is a very nice picture/explanation in the Vyatta documentation which
-should be rewritten here.
+There is a very nice picture/explanation in the Vyatta documentation
+which should be rewritten here.
NAT Ruleset
-----------
-:abbr:`NAT (Network Address Translation)` is configured entirely on a series
-of so called `rules`. Rules are numbered and evaluated by the underlying OS
-in numerical order! The rule numbers can be changes by utilizing the
-:cfgcmd:`rename` and :cfgcmd:`copy` commands.
+:abbr:`NAT (Network Address Translation)` is configured entirely on a
+series of so called `rules`. Rules are numbered and evaluated by the
+underlying OS in numerical order! The rule numbers can be changes by
+utilizing the :cfgcmd:`rename` and :cfgcmd:`copy` commands.
-.. note:: Changes to the NAT system only affect newly established connections.
- Already establiushed ocnnections are not affected.
+.. note:: Changes to the NAT system only affect newly established
+ connections. Already established connections are not affected.
-.. hint:: When designing your NAT ruleset leave some space between consecutive
- rules for later extension. Your ruleset could start with numbers 10, 20, 30.
- You thus can later extend the ruleset and place new rules between existing
- ones.
+.. hint:: When designing your NAT ruleset leave some space between
+ consecutive rules for later extension. Your ruleset could start with
+ numbers 10, 20, 30. You thus can later extend the ruleset and place
+ new rules between existing ones.
-Rules will be created for both :ref:`source-nat` and :ref:`destination-nat`.
+Rules will be created for both :ref:`source-nat` and
+:ref:`destination-nat`.
For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
:ref:`destination-nat` needs to be created.
@@ -133,12 +142,13 @@ For :ref:`bidirectional-nat` a rule for both :ref:`source-nat` and
Traffic Filters
---------------
-Traffic Filters are used to control which packets will have the defined NAT
-rules applied. Five different filters can be applied within a NAT rule
+Traffic Filters are used to control which packets will have the defined
+NAT rules applied. Five different filters can be applied within a NAT
+rule.
-* **outbound-interface** - applicable only to :ref:`source-nat`. It configures
- the interface which is used for the outside traffic that this translation rule
- applies to.
+* **outbound-interface** - applicable only to :ref:`source-nat`. It
+ configures the interface which is used for the outside traffic that
+ this translation rule applies to.
Example:
@@ -156,8 +166,8 @@ rules applied. Five different filters can be applied within a NAT rule
set nat destination rule 20 inbound-interface eth1
-* **protocol** - specify which types of protocols this translation rule applies
- to. Only packets matching the specified protocol are NATed. By default this
+* **protocol** - specify which types of protocols this translation rule
+ applies to. Only packets matching the specified protocol are NATed. By default this
applies to `all` protocols.
Example:
@@ -170,15 +180,16 @@ rules applied. Five different filters can be applied within a NAT rule
set nat source rule 20 protocol tcp_udp
set nat destination rule 20 protocol udp
-* **source** - specifies which packets the NAT translation rule applies to
- based on the packets source IP address and/or source port. Only matching
- packets are considered for NAT.
+* **source** - specifies which packets the NAT translation rule applies
+ to based on the packets source IP address and/or source port. Only
+ matching packets are considered for NAT.
Example:
- * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network
- * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24 network
- with a source port of 80 and 443
+ * Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24
+ network
+ * Set SNAT rule 30 to only NAT packets arriving from the 192.0.3.0/24
+ network with a source port of 80 and 443
.. code-block:: none
@@ -187,16 +198,17 @@ rules applied. Five different filters can be applied within a NAT rule
set nat source rule 30 source port 80,443
-* **destination** - specify which packets the translation will be applied to,
- only based on the destination address and/or port number configured.
+* **destination** - specify which packets the translation will be
+ applied to, only based on the destination address and/or port number
+ configured.
.. note:: If no destination is specified the rule will match on any
destination address and port.
Example:
- * Configure SNAT rule (40) to only NAT packets with a destination address of
- 192.0.2.1.
+ * Configure SNAT rule (40) to only NAT packets with a destination
+ address of 192.0.2.1.
.. code-block:: none
@@ -206,34 +218,36 @@ rules applied. Five different filters can be applied within a NAT rule
Address Conversion
------------------
-Every NAT rule has a translation command defined. The address defined for the
-translation is the address used when the address information in a packet is
-replaced.
+Every NAT rule has a translation command defined. The address defined
+for the translation is the address used when the address information in
+a packet is replaced.
Source Address
^^^^^^^^^^^^^^
-For :ref:`source-nat` rules the packets source address will be replaced with
-the address specified in the translation command. A port translation can also
-be specified and is part of the translation address.
+For :ref:`source-nat` rules the packets source address will be replaced
+with the address specified in the translation command. A port
+translation can also be specified and is part of the translation
+address.
-.. note:: The translation address must be set to one of the available addresses
- on the configured `outbound-interface` or it must be set to `masquerade`
- which will use the primary IP address of the `outbound-interface` as its
- translation address.
+.. note:: The translation address must be set to one of the available
+ addresses on the configured `outbound-interface` or it must be set to
+ `masquerade` which will use the primary IP address of the
+ `outbound-interface` as its translation address.
-.. note:: When using NAT for a large number of host systems it recommended that
- a minimum of 1 IP address is used to NAT every 256 private host systems.
- This is due to the limit of 65,000 port numbers available for unique
- translations and a reserving an average of 200-300 sessions per host system.
+.. note:: When using NAT for a large number of host systems it
+ recommended that a minimum of 1 IP address is used to NAT every 256
+ private host systems. This is due to the limit of 65,000 port numbers
+ available for unique translations and a reserving an average of
+ 200-300 sessions per host system.
Example:
* Define a discrete source IP address of 100.64.0.1 for SNAT rule 20
* Use address `masquerade` (the interfaces primary address) on rule 30
-* For a large amount of private machines behind the NAT your address pool might
- to be bigger. Use any address in the range 100.64.0.10 - 100.64.0.20 on SNAT
- rule 40 when doing the translation
+* For a large amount of private machines behind the NAT your address
+ pool might to be bigger. Use any address in the range 100.64.0.10 -
+ 100.64.0.20 on SNAT rule 40 when doing the translation
.. code-block:: none
@@ -251,8 +265,8 @@ replaced by the specified address in the `translation address` command.
Example:
-* DNAT rule 10 replaces the destination address of an inbound packet with
- 192.0.2.10
+* DNAT rule 10 replaces the destination address of an inbound packet
+ with 192.0.2.10
.. code-block:: none
@@ -268,8 +282,8 @@ To setup SNAT, we need to know:
* The outgoing interface to perform the translation on
* The external IP address to translate to
-In the example used for the Quick Start configuration above, we demonstrate
-the following configuration:
+In the example used for the Quick Start configuration above, we
+demonstrate the following configuration:
.. code-block:: none
@@ -291,76 +305,84 @@ Which generates the following configuration:
}
}
-In this example, we use **masquerade** as the translation address instead of
-an IP address. The **masquerade** target is effectively an alias to say "use
-whatever IP address is on the outgoing interface", rather than a statically
-configured IP address. This is useful if you use DHCP for your outgoing
-interface and do not know what the external address will be.
+In this example, we use **masquerade** as the translation address
+instead of an IP address. The **masquerade** target is effectively an
+alias to say "use whatever IP address is on the outgoing interface",
+rather than a statically configured IP address. This is useful if you
+use DHCP for your outgoing interface and do not know what the external
+address will be.
When using NAT for a large number of host systems it recommended that a
-minimum of 1 IP address is used to NAT every 256 host systems. This is due to
-the limit of 65,000 port numbers available for unique translations and a
-reserving an average of 200-300 sessions per host system.
+minimum of 1 IP address is used to NAT every 256 host systems. This is
+due to the limit of 65,000 port numbers available for unique
+translations and a reserving an average of 200-300 sessions per host
+system.
-Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is
-recommended.
+Example: For an ~8,000 host network a source NAT pool of 32 IP addresses
+is recommended.
-A pool of addresses can be defined by using a **-** in the
-`set nat source rule [n] translation address` statement.
+A pool of addresses can be defined by using a hyphen between two IP
+addresses:
.. code-block:: none
set nat source rule 100 translation address '203.0.113.32-203.0.113.63'
-.. note:: Avoiding "leaky" NAT
+.. _avoidng_leaky_nat:
-Linux netfilter will not NAT traffic marked as INVALID. This often confuses
-people into thinking that Linux (or specifically VyOS) has a broken NAT
-implementation because non-NATed traffic is seen leaving an external interface.
-This is actually working as intended, and a packet capture of the "leaky"
-traffic should reveal that the traffic is either an additional TCP "RST",
-"FIN,ACK", or "RST,ACK" sent by client systems after Linux netfilter considers
-the connection closed. The most common is the additional TCP RST some host
-implementations send after terminating a connection (which is implementation-
-specific).
+Avoiding "leaky" NAT
+--------------------
-In other words, connection tracking has already observed the connection be
-closed and has transition the flow to INVALID to prevent attacks from
+Linux netfilter will not NAT traffic marked as INVALID. This often
+confuses people into thinking that Linux (or specifically VyOS) has a
+broken NAT implementation because non-NATed traffic is seen leaving an
+external interface. This is actually working as intended, and a packet
+capture of the "leaky" traffic should reveal that the traffic is either
+an additional TCP "RST", "FIN,ACK", or "RST,ACK" sent by client systems
+after Linux netfilter considers the connection closed. The most common
+is the additional TCP RST some host implementations send after
+terminating a connection (which is implementation-specific).
+
+In other words, connection tracking has already observed the connection
+be closed and has transition the flow to INVALID to prevent attacks from
attempting to reuse the connection.
You can avoid the "leaky" behavior by using a firewall policy that drops
"invalid" state packets.
-Having control over the matching of INVALID state traffic, e.g. the ability to
-selectively log, is an important troubleshooting tool for observing broken
-protocol behavior. For this reason, VyOS does not globally drop invalid state
-traffic, instead allowing the operator to make the determination on how the
-traffic is handled.
+Having control over the matching of INVALID state traffic, e.g. the
+ability to selectively log, is an important troubleshooting tool for
+observing broken protocol behavior. For this reason, VyOS does not
+globally drop invalid state traffic, instead allowing the operator to
+make the determination on how the traffic is handled.
.. _hairpin_nat_reflection:
Hairpin NAT/NAT Reflection
--------------------------
-A typical problem with using NAT and hosting public servers is the ability for
-internal systems to reach an internal server using it's external IP address.
-The solution to this is usually the use of split-DNS to correctly point host
-systems to the internal address when requests are made internally. Because
-many smaller networks lack DNS infrastructure, a work-around is commonly
-deployed to facilitate the traffic by NATing the request from internal hosts
-to the source address of the internal interface on the firewall.
+A typical problem with using NAT and hosting public servers is the
+ability for internal systems to reach an internal server using it's
+external IP address. The solution to this is usually the use of
+split-DNS to correctly point host systems to the internal address when
+requests are made internally. Because many smaller networks lack DNS
+infrastructure, a work-around is commonly deployed to facilitate the
+traffic by NATing the request from internal hosts to the source address
+of the internal interface on the firewall.
This technique is commonly referred to as NAT Reflection or Hairpin NAT.
Example:
-* Redirect Microsoft RDP traffic from the outside (WAN, external) world via
- :ref:`destination-nat` in rule 100 to the internal, private host 192.0.2.40.
+* Redirect Microsoft RDP traffic from the outside (WAN, external) world
+ via :ref:`destination-nat` in rule 100 to the internal, private host
+ 192.0.2.40.
-* Redirect Microsoft RDP traffic from the internal (LAN, private) network via
- :ref:`destination-nat` in rule 110 to the internal, private host 192.0.2.40.
- We also need a :ref:`source-nat` rule 110 for the reverse path of the traffic.
- The internal network 192.0.2.0/24 is reachable via interface `eth0.10`.
+* Redirect Microsoft RDP traffic from the internal (LAN, private)
+ network via :ref:`destination-nat` in rule 110 to the internal,
+ private host 192.0.2.40. We also need a :ref:`source-nat` rule 110 for
+ the reverse path of the traffic. The internal network 192.0.2.0/24 is
+ reachable via interface `eth0.10`.
.. code-block:: none
@@ -433,12 +455,12 @@ Which results in a configuration of:
Destination NAT
---------------
-DNAT is typically referred to as a **Port Forward**. When using VyOS as a NAT
-router and firewall, a common configuration task is to redirect incoming
-traffic to a system behind the firewall.
+DNAT is typically referred to as a **Port Forward**. When using VyOS as
+a NAT router and firewall, a common configuration task is to redirect
+incoming traffic to a system behind the firewall.
-In this example, we will be using the example Quick Start configuration above
-as a starting point.
+In this example, we will be using the example Quick Start configuration
+above as a starting point.
To setup a destination NAT rule we need to gather:
@@ -446,9 +468,10 @@ To setup a destination NAT rule we need to gather:
* The protocol and port we wish to forward;
* The IP address of the internal system we wish to forward traffic to.
-In our example, we will be forwarding web server traffic to an internal web
-server on 192.168.0.100. HTTP traffic makes use of the TCP protocol on port 80.
-For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
+In our example, we will be forwarding web server traffic to an internal
+web server on 192.168.0.100. HTTP traffic makes use of the TCP protocol
+on port 80. For other common port numbers, see:
+https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Our configuration commands would be:
@@ -480,19 +503,21 @@ Which would generate the following NAT destination configuration:
}
}
-.. note:: If forwarding traffic to a different port than it is arriving on,
- you may also configure the translation port using
+.. note:: If forwarding traffic to a different port than it is arriving
+ on, you may also configure the translation port using
`set nat destination rule [n] translation port`.
-This establishes our Port Forward rule, but if we created a firewall policy it
-will likely block the traffic.
+This establishes our Port Forward rule, but if we created a firewall
+policy it will likely block the traffic.
It is important to note that when creating firewall rules that the DNAT
-translation occurs **before** traffic traverses the firewall. In other words,
-the destination address has already been translated to 192.168.0.100.
+translation occurs **before** traffic traverses the firewall. In other
+words, the destination address has already been translated to
+192.168.0.100.
-So in our firewall policy, we want to allow traffic coming in on the outside
-interface, destined for TCP port 80 and the IP address of 192.168.0.100.
+So in our firewall policy, we want to allow traffic coming in on the
+outside interface, destined for TCP port 80 and the IP address of
+192.168.0.100.
.. code-block:: none
@@ -527,19 +552,19 @@ This would generate the following configuration:
----------
Another term often used for DNAT is **1-to-1 NAT**. For a 1-to-1 NAT
-configuration, both DNAT and SNAT are used to NAT all traffic from an external
-IP address to an internal IP address and vice-versa.
+configuration, both DNAT and SNAT are used to NAT all traffic from an
+external IP address to an internal IP address and vice-versa.
Typically, a 1-to-1 NAT rule omits the destination port (all ports) and
replaces the protocol with either **all** or **ip**.
-Then a corresponding SNAT rule is created to NAT outgoing traffic for the
-internal IP to a reserved external IP. This dedicates an external IP address
-to an internal IP address and is useful for protocols which don't have the
-notion of ports, such as GRE.
+Then a corresponding SNAT rule is created to NAT outgoing traffic for
+the internal IP to a reserved external IP. This dedicates an external IP
+address to an internal IP address and is useful for protocols which
+don't have the notion of ports, such as GRE.
-Here's an extract of a simple 1-to-1 NAT configuration with one internal and
-one external interface:
+Here's an extract of a simple 1-to-1 NAT configuration with one internal
+and one external interface:
.. code-block:: none
@@ -556,24 +581,24 @@ one external interface:
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'
-Firewall rules are written as normal, using the internal IP address as the
-source of outbound rules and the destination of inbound rules.
+Firewall rules are written as normal, using the internal IP address as
+the source of outbound rules and the destination of inbound rules.
NAT before VPN
--------------
-Some application service providers (ASPs) operate a VPN gateway to provide
-access to their internal resources, and require that a connecting organisation
-translate all traffic to the service provider network to a source address
-provided by the ASP.
+Some application service providers (ASPs) operate a VPN gateway to
+provide access to their internal resources, and require that a
+connecting organisation translate all traffic to the service provider
+network to a source address provided by the ASP.
Example Network
^^^^^^^^^^^^^^^
Here's one example of a network environment for an ASP.
The ASP requests that all connections from this company should come from
-172.29.41.89 - an address that is assigned by the ASP and not in use at the
-customer site.
+172.29.41.89 - an address that is assigned by the ASP and not in use at
+the customer site.
.. figure:: _static/images/nat_before_vpn_topology.png
:scale: 100 %
@@ -596,9 +621,10 @@ The required configuration can be broken down into 4 major pieces:
Dummy interface
"""""""""""""""
-The dummy interface allows us to have an equivalent of the Cisco IOS Loopback
-interface - a router-internal interface we can use for IP addresses the router
-must know about, but which are not actually assigned to a real network.
+The dummy interface allows us to have an equivalent of the Cisco IOS
+Loopback interface - a router-internal interface we can use for IP
+addresses the router must know about, but which are not actually
+assigned to a real network.
We only need a single step for this interface:
@@ -639,8 +665,8 @@ The ASP has documented their IPSec requirements:
* DH Group 14
-Additionally, we want to use VPNs only on our eth1 interface (the external
-interface in the image above)
+Additionally, we want to use VPNs only on our eth1 interface (the
+external interface in the image above)
.. code-block:: none
@@ -663,10 +689,11 @@ interface in the image above)
IPSec VPN Tunnels
"""""""""""""""""
-We'll use the IKE and ESP groups created above for this VPN. Because we need
-access to 2 different subnets on the far side, we will need two different
-tunnels. If you changed the names of the ESP group and IKE group in the previous
-step, make sure you use the correct names here too.
+We'll use the IKE and ESP groups created above for this VPN. Because we
+need access to 2 different subnets on the far side, we will need two
+different tunnels. If you changed the names of the ESP group and IKE
+group in the previous step, make sure you use the correct names here
+too.
.. code-block:: none
@@ -685,8 +712,8 @@ step, make sure you use the correct names here too.
Testing and Validation
""""""""""""""""""""""
-If you've completed all the above steps you no doubt want to see if it's all
-working.
+If you've completed all the above steps you no doubt want to see if it's
+all working.
Start by checking for IPSec SAs (Security Associations) with: