
ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco experts Aamer Akhter and Kevin Eckhardt the Network Address Translation (NAT) feature, which is designed for IP address simplification and conservation. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.


Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.


Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

92 Replies

Mauricio,

Based on your previous description, I'm assuming that the router learns a route to 10.0.0.0/8 via EIGRP and the next hop for that network is via the Tunnel0 interface.

In order for a translation to occur a packet must arrive on an "inside" interface and depart on an "outside" interface or vice versa. Using the configuration posted, packets that meet the following criteria will be translated:

1. Arrive at the router via FastEthernet0/0

2. The route for the destination is via FastEthernet0/1

3. The source for the packet is on the 192.168.109.0/24 network

4. The destination for the packet is NOT on the 10.0.0.0/8 network

Packets that meet these criteria will have their source address translated to 70.2.2.2 using Port Address Translation.

As configured, hosts on the outside cannot initiate communication, but if communication initiated from the inside uses NAT, return traffic will have the destination address translated back to the inside local address.

You want to have traffic arriving on the outside interface destined for 70.1.1.1 to reach the inside host 10.1.1.10. Outside-to-inside translations are translated first and then routed. When the packet arrives, there needs to be a translation in the table. To configure this use:

ip nat inside source static 10.1.1.10 70.1.1.1

For packets going from inside to outside this will create a translation of the source address from 10.1.1.10 -> 70.1.1.1. That same translation will also translate the destination address from 70.1.1.1 -> 10.1.1.10 for packets going from outside to inside.

After the packet is translated it must be routed via an "inside" interface. The route is via the Tunnel0 interface so you need to add:

interface Tunnel0

ip nat inside

The packet will then be sent to the 10.1.1.10 host. In order for return traffic to go back to the outside host the packet must be routed back across the tunnel so that the router can translate the source address for the return packet back to 70.1.1.1.

Let me know if that works for you.

Kevin

I can trace to 70.x.x.x but i cannot ping it..

correct me if i am wrong but what i think is happening is tracert works because it is replying back from the int fa 0/1 70.x.x.x secondary? but when the table says do this it doesn't and that is why i get no ping replies...

anyone?

Yes, the NAT outside interface is responding to the traceroute. Not being able to ping does not mean that the translation is not working.

Are you able to ping the inside local address from the translating router? If not, then someone from the outside pinging the inside global address also won't get replies.

Does the inside host have a route back to the outside host? This route needs to go back through the translating router in order to have its source address translated back to the inside global address.

Also, you do not need to configure a secondary address on the outside interface in order to accept packets destined for the host's inside global address. When you configure the translation an ARP entry is created for the inside global address using the MAC address of the outside interface.

Kevin

amaiale
Level 1

Hi,

Are there any restrictions on the type of router interfaces NAT statements will work on, (IP NAT Inside or Outside). Specifically, will natting work on a loopback interface?

If I configure "IP Nat Outside" on a loopback interface, do I need to also configure a physical interface with the outside NAT statement too?

For example: (will this work?)

interface loopback0

ip address 192.168.10.11 255.255.255.0

ip nat outside

interface fastethernet 0/0

ip address 10.1.1.1 255.255.255.0

ip nat inside

interface fastethernet 0/1

ip address 10.2.2.2 255.255.255.0

interface serial 0/0

ip address 172.20.0.1 255.255.255.0

ip nat outside

ip nat inside source list 1 interface loopback0 overload

access-list 1 permit 10.1.1.0 0.0.0.255

Thanks for your help.

Tony

Tony (amaiale),

Yes, a loopback interface can be defined as either a "nat inside" or "nat outside" address.

No, if you configure a loopback as "nat outside" you do not have to configure a separate physical outside interface.

Keep in mind, though, that for NAT to work it must arrive on an "inside" address and depart on an "outside" address or vice versa. If the loopback is the only outside address then translated packets must be routed "out" the loopback and return traffic must be routed back to the loopback.

The following document describes a concept called "NAT on a Stick" where a router only has a single physical interface and a loopback is used to allow NAT to work:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

In your example, packets with a source address from the 10.1.1.0/24 network arriving on FastEthernet0/0 will have the source translated to the IP of loopback0 using PAT and be routed out either loopback0 or Serial0/0, provided that a route to the destination exists via those interfaces.

If you are wanting to use the IP of the loopback for the translation but nothing is routed via the loopback, then the "ip nat outside" statement is not needed for the loopback. Just use the "ip nat inside source list 1 interface loopback0 overload" command along with the other "outside" and "inside" declarations.

Kevin

Kevin,

Thanks for replying.

I appreciate your help.

Tony

theclam
Level 1

Hi,

Is there any way to tell a router not to use a certain port for PAT?

The problem I have is that on a remote site we are using an 837 router, which has an Internet connection and uses ezvpn to connect into the corporate VPN concentrator.

Sometimes a user on the inside of that router runs a VPN client, which "steals" UDP port 500 and breaks the 837's tunnel.

I can restore connectivity by logging into the router and clearing out the nat translation for udp 500. Ideally, I would rather prevent this happening in the first place.

I could block udp 500 on the inside interfaces, but we need to be able to VPN from this site out (there is a raw Internet DMZ for contractor use).

The only solution I can think of would be to prevent the PAT from being able to bind to udp 500 somehow. Is this possible?

Thanks,

Foeh

mac
Level 1

I'm a bit new to NAT, but I'm trying to get NAT working in such a way that the packets on the inside network are all local-net addresses.

(i.e. as per the description of "Define All Local and Global Addresses" on here:-

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml )

The reason for this is that the Cisco Router (877) I'm using is _not_ the default route for the hosts on the inside network, so in order for externally initiated connections (e.g. SMTP) to have their replies sent back to them through the 877 the packets on the inside network need to have the 877's IP address in them.

However, where we do this (using an 'ip nat inside static source' and an 'ip nat outside static source') the packets appear to be correctly addressed on the inside network, but when a (return) TCP packet from the inside host reaches the 877 it doesn't get NAT-ed back to the outside network. Instead the 877 sends an 'RST' back to the inside host and the connection fails.

We have 'tcpdump'ed to establish this.

877 setup:

ADSL (atm0, Dialer0)   81.149.25.79
FastEthernet0          212.219.216.197
inside host            212.219.216.56
outside host           80.68.93.148

So I think I want a set up that looks like:-

Inside Global   Inside local    Outside local     Outside global
81.149.25.79    212.21.216.56   212.219.216.197   80.68.93.148

What am I doing wrong?

Mac

P.S. Can you confirm that the tables on the above mentioned web page aren't quite right in the first two scenarios?

Mac,

Yes, the first two tables are incorrect. For the first example only the inside source translation is configured so both the "Outside Local" and "Outside Global" should be 171.16.68.1. Likewise, for the second example only the outside source translation is configured so both the "Inside Local" and "Inside Global" should be 10.10.10.1. The third example has both translations configured and is correct.

I believe the behavior you are seeing is due to the NAT order of operation. You can read more about that here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

On inside-to-outside translations the packet is routed first, and then translated. On outside-to-inside translations the packet is translated first, then routed.

When the packet arrives from the outside host it has its source translated to the address of FastEthernet0 and its destination translated to the address of the inside host. The packet is then routed to the inside host.

The return packet from the host is sent to the FastEthernet0 interface directly. Routing is performed before the translation so the 877 accepts the packet for itself. It did not initiate the TCP session so it sends back the RST message.

For this to work you can either configure the gateway to redirect packets destined for the outside host to use the 877 and forego the outside source translation, or you can configure the outside source translation to use an available address on the 212.219.216.x network instead of the 877's own interface address.

Kevin

Thank you Kevin.

This explains all the behaviour I have seen.

Sadly I don't have any other available 212.219.216.x addresses, and even if I did I'd have to persuade hosts on the inside network to route packets for them to the 877, instead of the normal (RIP controlled) routes. Is this so?

Sadly I don't understand the other option you mentioned, "configure the gateway to redirect packets destined for the outside host to use the 877 and forego the outside source translation". Which gateway are you referring to?

Finally, it seems to me that actual re-writing of addresses (that NAT performs) only takes place as a packet traverses an 'ip nat outside' interface. If I were to define both the interfaces on this 877 as 'outside', could I then write the relevant NAT rules to achieve the required end?

Mac

Mac,

You had said that the default route for the hosts was via a different router than the 877. This router is what I was referring to as the "gateway."

NAT packets must go from an inside interface to an outside interface or vice-versa.

When you configure "ip nat inside source static x.x.x.x y.y.y.y" this creates an entry in the translation table that will translate the source address from x.x.x.x -> y.y.y.y for packets that arrive on an inside interface and are routed out an outside interface. It will also translate the destination address from y.y.y.y -> x.x.x.x for packets which arrive on an outside interface and are routed out an inside interface.

Likewise, when you configure "ip nat outside source static x.x.x.x y.y.y.y" it will translate the source address from x.x.x.x -> y.y.y.y for packets which arrive on an outside interface and are routed out an inside interface. It will also translate the destination address from y.y.y.y -> x.x.x.x for packets which arrive on an inside interface and are routed out an outside interface.

To create the "inside global" address for the internal host you would use the "ip nat inside source static" command.

Since you don't have any available inside addresses you need to have a route to the outside host via the 877. Can you redistribute a route into RIP for the outside host?

Kevin
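An added example, not code from the thread or from Cisco, that models the rules Kevin gives above: a packet is only translated when it passes from an inside interface to an outside one or back, inside-to-outside packets are routed before translation while outside-to-inside packets are translated first, and the two static commands each install one bidirectional entry. It replays Mac's 877 with the addresses he posted to show why the inside host's reply is consumed by the router; the spare address 212.219.216.200 and the /32 route for it are assumptions made for the second run.

```python
import ipaddress

class NatRouter:
    def __init__(self, interfaces, routes):
        self.ifs = interfaces   # name -> (own address, "inside" | "outside")
        self.routes = routes    # prefix -> egress interface name
        self.inside_src = {}    # inside local  -> inside global
        self.outside_src = {}   # outside global -> outside local
    def ip_nat_inside_source_static(self, local, glob):
        self.inside_src[local] = glob
    def ip_nat_outside_source_static(self, glob, local):
        self.outside_src[glob] = local
    def lookup(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes.items()
                if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen, default=(None, None))[1]
    def forward(self, src, dst, in_if):
        """Return (outcome, src, dst) after the router has handled the packet."""
        own = {addr for addr, _ in self.ifs.values()}
        if self.ifs[in_if][1] == "outside":
            # outside->inside: translate first (global -> local), then route
            dst = {g: l for l, g in self.inside_src.items()}.get(dst, dst)
            src = self.outside_src.get(src, src)
            out_if = self.lookup(dst)
            if dst in own or out_if is None or self.ifs[out_if][1] != "inside":
                return ("punt or drop", src, dst)
            return (f"forward via {out_if}", src, dst)
        # inside->outside: route first; a packet for the router's own address is
        # consumed locally and never reaches the translation step (Mac's RST)
        if dst in own:
            return ("punt to router", src, dst)
        out_if = self.lookup(dst)
        if out_if is None or self.ifs[out_if][1] != "outside":
            return ("forwarded untranslated", src, dst)
        src = self.inside_src.get(src, src)
        dst = {l: g for g, l in self.outside_src.items()}.get(dst, dst)
        return (f"forward via {out_if}", src, dst)

def mac_877(spare_outside_local=None):
    r = NatRouter({"Dialer0": ("81.149.25.79", "outside"),
                   "FastEthernet0": ("212.219.216.197", "inside")},
                  {"0.0.0.0/0": "Dialer0", "212.219.216.0/24": "FastEthernet0"})
    r.ip_nat_inside_source_static("212.219.216.56", "81.149.25.79")
    local = spare_outside_local or "212.219.216.197"   # Mac used the 877's own address
    r.ip_nat_outside_source_static("80.68.93.148", local)
    if spare_outside_local:   # assumed: host route for the spare address via Dialer0
        r.routes[local + "/32"] = "Dialer0"
    return (r.forward("80.68.93.148", "81.149.25.79", "Dialer0"),   # inbound SMTP
            r.forward("212.219.216.56", local, "FastEthernet0"))    # inside host's reply
```

With Mac's configuration the reply is returned as "punt to router", which is where the RST comes from; with a spare outside local address it is translated and forwarded via Dialer0.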

edw
Level 1

Hi,

I have a 2800 router with seven interfaces. I have one which is outside interface. I have another which is inside to my internal network. I have one more at present which is setup on vlan for public events. i.e., I keep them separate. I can get Nat working from inside to outside. I can ping from internal network to public vlan and back.

But I can't figure out how to get NAT running for the public vlan.

!

interface FastEthernet0/0

description OUTSIDE

ip address 210.30.180.x 255.255.255.248

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

description INSIDE

ip address 192.168.1.195 255.255.255.0

ip nat inside

duplex full

speed auto

!

interface Vlan10

ip address 10.10.10.1 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 210.30.180.x permanent

!

interface FastEthernet0/0/3

switchport access vlan 10

ip nat pool IntOut 210.30.180.x 210.30.180.x netmask 255.255.255.0

ip nat pool Public 210.30.180.x 210.30.180.x netmask 255.255.255.0

ip nat inside source list 150 pool IntOut overload

ip nat inside source list 151 pool Public overload

access-list 150 permit ip 192.168.1.0 0.0.0.255 any

access-list 151 permit ip 10.10.10.0 0.0.0.255 any

Any pointers or ideas????

Thanks

Ed

aakhter
Cisco Employee

Ed,

I believe you will want to look at the NAT NVI feature.

Basically instead of inside/outside you will need to do 'ip nat enable'.

Additionally to specify which traffic to apply NAT to (and how) use the 'ip nat source list interface overload' format.

http://cio.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041d91a.html

aksher
Level 1

Hi Aamer

Could you please explain the

static(outside, inside) and nat (outside) features on PIX/ASA with practical examples.

Thanks

Aksher
