01-19-2011 05:50 AM
Can someone tell me how NAT is applied in this example? Since the NAT service-policy is applied to my server-side VLAN (713), and my understanding is that NAT can only be applied inbound (like coming into the SVI), when my rserver server1 tries to communicate with anything in 172.19.199.0, it will hit NAT pool 1 and be NATed to 172.19.199.254, correct? Does the NAT service-policy always have to be applied to the interface that has the NAT pool applied to it? I believe I've seen examples on the wiki where they apply the NAT service-policy to the client side and the NAT pool to the server side.
When the NAT pool is applied to an interface, does that mean that anything coming into that interface will hit that NAT pool (as long as it matches that class-map and ACL)?
access-list acl_NAT_713 line 8 extended permit ip 172.19.241.0 255.255.255.0 172.19.199.0 255.255.255.0

rserver host server1
  ip address 172.19.241.24
  inservice

class-map match-any NAT_CLASS
  2 match access-list acl_NAT_713

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 713

interface vlan 199
  description client-side
  ip address 172.19.199.6 255.255.255.0
  alias 172.19.199.4 255.255.255.0
  peer ip address 172.19.199.5 255.255.255.0
  mac-sticky enable
  access-group input allowall
  access-group output allowall
  service-policy input LB_POLICY
  no shutdown

interface vlan 713
  description server side
  ip address 10.1.1.147 255.255.255.240
  alias 10.1.1.145 255.255.255.240
  peer ip address 10.1.1.146 255.255.255.240
  mac-sticky enable
  access-group input allowall
  access-group output allowall
  nat-pool 1 172.19.199.254 172.19.199.254 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  service-policy input NAT_POLICY
  no shutdown
01-19-2011 07:18 PM
Your network topology looks like the diagram below:
--- client vlan 199 --- ACE --- server vlan 713 -- router --- server
int vlan 199 : 172.19.199.6
int vlan 713 : 10.1.1.147
Rserver 172.19.241.24
Generally speaking, there are two rules to remember when you apply NAT:
1. Apply the service-policy to the incoming interface of the ACE.
2. NAT takes place when the request leaves the ACE.
Let's go back to your example.
From your config,
interface vlan 713
description server side
ip address 10.1.1.147 255.255.255.240
alias 10.1.1.145 255.255.255.240
peer ip address 10.1.1.146 255.255.255.240
mac-sticky enable
access-group input allowall
access-group output allowall
nat-pool 1 172.19.199.254 172.19.199.254 netmask 255.255.255.255 pat <<<---
service-policy input LB_POLICY
service-policy input NAT_POLICY <<<---
no shutdown
You applied "service-policy input NAT_POLICY" to int vlan 713, so I can assume that a request comes into interface vlan 713.
If the request comes into int vlan 713, the ACE will check the class-map matching condition to see if the request is valid.
class-map match-any NAT_CLASS
2 match access-list acl_NAT_713
access-list acl_NAT_713 line 8 extended permit ip 172.19.241.0 255.255.255.0 172.19.199.0 255.255.255.0
So your request should have source IP 172.19.241.24 and destination IP anything in 172.19.199.0/24, and this should be good for the NATting.
Next the ACE will go through the multi-match policy to take action.
policy-map multi-match NAT_POLICY
class NAT_CLASS
nat dynamic 1 vlan 713 <<<----
The above command basically tells the ACE to take action when the request leaves the ACE.
So the ACE will change the source IP address of the packet to the NATed IP. Look more closely at "nat dynamic 1 vlan 713". The "1" refers to the "nat-pool 1" statement and "vlan 713" specifies the outbound interface.
What this means is that we want the ACE to replace the source IP from rserver1 (172.19.241.24) with the IP in "nat-pool 1" (172.19.199.254).
However, I do see a problem with this nat-pool IP 172.19.199.254. This address looks to be multiple hops away from the ACE. If your routers do not know this particular IP, then you will see a problem when rserver1 returns the traffic back to the ACE (i.e. the SYN/ACK).
For the nat-pool, it would make more sense to use an IP which is in vlan 713 to avoid any routing issue.
01-25-2011 06:09 PM
Thank you for the response and the good information.
I have another question.
What about this example from the troubleshooting ACE wiki? The nat-pool is applied to a different interface than the service-policy. How does that change the rules of NAT as opposed to my example, where the service-policy and nat-pool are applied to the same interface? In this example, does the packet hit vlan 100, get matched, then get NATed when it leaves out onto vlan 200?
access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http

class-map match-any NAT_CLASS
  match access-list NAT_ACCESS

policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200

interface vlan 100
  mtu 1500
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

interface vlan 200
  mtu 1500
  ip address 172.27.16.2 255.255.255.0
  nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat
  no shutdown
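The two rules in the accepted answer (the service-policy is consulted on the ingress interface; the nat-pool is taken from the egress VLAN named in "nat dynamic <pool> vlan <id>" and the source is rewritten as the packet leaves) can be checked against both configs in this thread with the following Python model. This is an added example, not ACE code and not from the thread or the wiki: it reads only the line shapes that appear in the two posted configs (a trimmed copy of each is embedded below), evaluates a packet arriving on a given VLAN, returns the NATed source and egress VLAN, and flags the routing caveat the answer raises when the pool address lies outside the egress interface's subnet. The packets and the PORTS name table are constructed for the example.

```python
"""Added model of the NAT rules in the accepted answer: the service-policy is checked on
the ingress interface and the source is rewritten from the nat-pool on the egress VLAN
named in 'nat dynamic <pool> vlan <id>'. Illustration only, not ACE code."""
import ipaddress

PORTS = {"http": 80, "https": 443}   # assumed names the ACL 'eq' keyword may use


def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Read the line shapes used in this thread (assumption: not a full ACE parser)."""
    acls, classes, policies, ifaces = {}, {}, {}, {}
    ctx = ("", None)                              # (kind, name) of the enclosing block
    for t in (ln.split() for ln in config.splitlines() if ln.strip()):
        if t[0] == "access-list":                 # ... permit PROTO SRC MASK DST MASK [eq PORT]
            port = (int(t[12]) if t[12].isdigit() else PORTS[t[12]]) if len(t) > 12 else None
            acls.setdefault(t[1], []).append((t[6], net(t[7], t[8]), net(t[9], t[10]), port))
        elif t[0] == "class-map":
            ctx, classes[t[2]] = ("class-map", t[2]), []
        elif t[0] == "policy-map":
            ctx, policies[t[2]] = ("policy-map", t[2]), []
        elif t[0] == "interface":
            ctx = ("interface", int(t[2]))
            ifaces[int(t[2])] = {"net": None, "pools": {}, "policies": []}
        elif ctx[0] == "class-map" and "access-list" in t:
            classes[ctx[1]].append(t[t.index("access-list") + 1])
        elif ctx[0] == "policy-map" and t[0] == "class":
            policies[ctx[1]].append([t[1], None])  # [class name, nat action]
        elif ctx[0] == "policy-map" and t[:2] == ["nat", "dynamic"]:
            policies[ctx[1]][-1][1] = (int(t[2]), int(t[4]))  # (pool id, egress vlan)
        elif ctx[0] == "interface":
            i = ifaces[ctx[1]]
            if t[:2] == ["ip", "address"]:
                i["net"] = net(t[2], t[3])
            elif t[0] == "nat-pool":
                i["pools"][int(t[1])] = (ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3]))
            elif t[:2] == ["service-policy", "input"]:
                i["policies"].append(t[2])
    return acls, classes, policies, ifaces


def acl_permits(entries, src, dst, proto, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in ("ip", proto) and s in snet and d in dnet and port in (None, dport)
               for p, snet, dnet, port in entries)


def apply_nat(cfg, ingress_vlan, src, dst, proto="tcp", dport=None):
    """NAT decision for a packet arriving on ingress_vlan; None means it is not NATed."""
    acls, classes, policies, ifaces = cfg
    for pname in ifaces[ingress_vlan]["policies"]:       # rule 1: ingress policies only
        for cname, action in policies.get(pname, []):    # policies not in the snippet: no nat action
            if action and any(acl_permits(acls.get(a, []), src, dst, proto, dport)
                              for a in classes.get(cname, [])):
                pool_id, egress = action                 # rule 2: the pool is on the egress VLAN
                out = ifaces[egress]
                first, last = out["pools"][pool_id]
                warning = None
                if first not in out["net"] or last not in out["net"]:
                    warning = (f"nat-pool {pool_id} ({first}-{last}) is outside vlan {egress} "
                               f"subnet {out['net']}; the next hop needs a route back to it")
                return {"src": str(first), "egress_vlan": egress, "warning": warning}
    return None


# Trimmed copies of the two configs posted in this thread (only the NAT-relevant lines).
THREAD_CONFIG = """\
access-list acl_NAT_713 line 8 extended permit ip 172.19.241.0 255.255.255.0 172.19.199.0 255.255.255.0
class-map match-any NAT_CLASS
  2 match access-list acl_NAT_713
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 713
interface vlan 199
  ip address 172.19.199.6 255.255.255.0
interface vlan 713
  ip address 10.1.1.147 255.255.255.240
  nat-pool 1 172.19.199.254 172.19.199.254 netmask 255.255.255.255 pat
  service-policy input NAT_POLICY
"""

WIKI_CONFIG = """\
access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http
class-map match-any NAT_CLASS
  match access-list NAT_ACCESS
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200
interface vlan 100
  ip address 192.168.1.100 255.255.255.0
  service-policy input NAT_POLICY
interface vlan 200
  ip address 172.27.16.2 255.255.255.0
  nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat
"""

if __name__ == "__main__":   # constructed packets: rserver1 -> client VLAN, wiki client -> server
    print(apply_nat(parse(THREAD_CONFIG), 713, "172.19.241.24", "172.19.199.10"))
    print(apply_nat(parse(WIKI_CONFIG), 100, "192.168.12.5", "172.27.16.50", "tcp", 80))
```

Running it shows the thread config NATing rserver1's traffic entering vlan 713 to 172.19.199.254 with a warning, because 172.19.199.254 is not in vlan 713's 10.1.1.144/28, while the same packet entering vlan 199 is not NATed at all since no NAT policy is attached there. For the wiki config, an HTTP request entering vlan 100 is matched there and NATed to the first pool address on vlan 200 with no warning, because 172.27.16.15-24 sits inside vlan 200's own subnet; a request to port 443 falls through the ACL and is left untouched.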