ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT) with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT is designed for IP address simplification and conservation; it enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.


Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.


Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.


cisconoobie,

You are correct. With split tunneling, when a packet is routed directly to the internet and not over the VPN tunnel, it will use the ISP-provided address and not the internal address for the VPN.

Can you configure split tunneling so that packets destined to the datacenter are routed via the VPN and not directly over the internet? They would then leave for the datacenter from the corporate network and would be translated into one of the addresses accepted by the datacenter like the other users physically on the corporate net.

Kevin

stretchlad
Level 1

Hi Aamer and Kevin

I have built a solution based on NAT and IP SLA to provide some server redundancy.

We have a LAN 10.0.0.0/24 and 2 servers that exist out on the WAN, 172.16.0.100 and 172.17.0.50 respectively. Using NAT I have masked these servers as 192.168.2.1.

What I have achieved with IP SLA tied to HSRP is that one router, NAT_A, has NAT rules pointing clients to Server A and NAT_B has NAT rules pointing clients to Server B. IP SLA is configured on NAT_A so that if Server A is responding to telnets then NAT_A is the active router; if not, NAT_B takes over and clients get routed to Server B.

The NAT routers are plugged into the 10.0.0.0 network and are doing NAT on a stick as we don't have access to the WAN router.

I have two questions:

1) I have static NAT for clients (in the config 10.0.0.101 is a client). When I tried it with a dynamic pool it didn't seem to match up on the way back and failed. Can the clients be configured to use a dynamic pool?

2) My main question. Is it possible to tie the NAT function to IP SLA rather than HSRP, so that if the router itself fails it doesn't cause a switchover to Server B? This way we could also have two identically configured routers rather than one router NATting to Server A and one NATting to Server B.

I have included the relevant config of NAT_A in the hope it makes my explanations a little clearer.

hostname NAT_A
!
ip sla 10
 tcp-connect 172.16.0.100 23 source-port 60784 control disable
 timeout 2000
 frequency 10
ip sla schedule 10 life forever start-time now
!
track 10 rtr 10
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Vlan1
 ip address 10.0.0.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT-LOOP
 standby 0 ip 10.0.0.254
 standby 0 preempt
 standby 0 track 10
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
no ip http secure-server
ip nat inside source static 10.0.0.101 1.1.1.1
ip nat inside source static 172.16.0.100 192.168.2.1
ip nat outside source static 10.0.0.101 1.1.1.1
ip nat outside source static 172.16.0.100 192.168.2.1
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 host 192.168.2.1
access-list 102 permit ip host 172.16.0.100 1.1.1.0 0.0.0.255
access-list 102 permit ip host 192.168.1.2 1.1.1.0 0.0.0.255
!
route-map NAT-LOOP permit 10
 match ip address 102
 set ip next-hop 10.0.1.2
!
route-map NAT-LOOT permit 10
!

Thank you in advance

Nick

Nick,

This isn't a direct response to your question, but have you looked at IOS Server Load Balancing (SLB)? There is a server NAT component that allows the server(s) to live several hops away from where the Virtual IP (VIP) exists.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a0080086f2b.html#wp2731178

I didn't know about SLB so thank you for that.

Unfortunately we have no control of the WAN routers so I am looking at doing something on the LAN hence the use of NAT on a stick and SLB does not allow this.

Do you have any thoughts on my original questions?

Thank you again in advance.

Nick

joe.morrison
Level 1

I am doing NAT overlapping through a VPN, and am having some problems with dropping packets.

I have followed the instructions on " http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml " and I am still losing about 50% of the packets I send.

I am using low-cost hardware (1812 and 1841 routers) and I am wondering if processing power is the problem, or if there may be something else.

If the routers are not the issue, would it help to enable QoS on the packets being sent through the VPN?

Thanks in advance

JoeMo

Joe,

How much traffic are you sending over the tunnel?

Do you see zero traffic loss with smaller traffic amounts and the traffic loss increases as the amount of traffic increases?

What does the CPU utilization look like?

Do you see input or output queue drops?

If the CPU utilization is close to 100% and there are lots of queue drops then processor power may be the culprit. If the CPU is low and you aren't seeing interface drops then there is likely some other cause for the packet loss.

Kevin

ashish_network
Level 1

Hi Experts,

I am very glad that I am here.

OK, my questions are:

QUE - What is Gratuitous ARP?

QUE - Can I ping the unnumbered interface?

QUE - How does a device MIB work? Is it a vendor-dependent device information/configuration database?

Could you explain how IPsec over UDP works and what the difference between NAT-T and IPsec over UDP is?

Thanks a lot.

Martin,

NAT-T, or NAT Transparency, and IPsec Over UDP are two names for the same functionality. It allows IPsec encrypted packets to travel through NAT devices on the network, with some restrictions.

During key exchange the endpoints are able to determine that a NAT device exists between them. The encrypted payload is then encapsulated inside a UDP packet before being sent. Upon reaching the destination the original ESP packet is able to be pulled from the UDP packet.

You can read more about NAT-T here:

http://www/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html

Kevin
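The two mechanisms Kevin describes, NAT detection during key exchange and the UDP encapsulation of ESP, as an added worked example that is not part of the original thread. It follows the RFC 3947 NAT-D payload and the RFC 3948 UDP/4500 framing; the hash algorithm (SHA-1), cookies and addresses are assumptions constructed for the demonstration.

```python
import hashlib
import struct

NAT_T_PORT = 4500                         # UDP port used once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948: prefixes IKE messages on port 4500
KEEPALIVE = b"\xff"                       # RFC 3948 NAT-keepalive payload

def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The real hash is the one negotiated in IKE phase 1; SHA-1 is assumed here."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()

def nat_detected(cky_i, cky_r, peer_hash, observed_ip, observed_port):
    """The sender hashes the address it believes it uses; the receiver hashes the
    source address it actually saw. Any mismatch means a NAT rewrote the packet."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_hash

def encap_esp(spi, seq, ciphertext):
    """UDP-encapsulated ESP: the UDP payload is just the ESP packet (SPI, seq, body)."""
    return struct.pack("!II", spi, seq) + ciphertext

def encap_ike(ike_message):
    """IKE on port 4500 is prefixed with four zero bytes so it cannot look like ESP."""
    return NON_ESP_MARKER + ike_message

def demux(udp_payload):
    """Pull the original packet back out of a UDP/4500 datagram.
    SPI 0 is reserved, so four leading zero bytes can only be the non-ESP marker."""
    if udp_payload == KEEPALIVE:
        return ("keepalive", b"")
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    if len(udp_payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return ("esp", (spi, seq, udp_payload[8:]))

if __name__ == "__main__":
    # Constructed values: router1 at 10.1.1.2:500 sits behind a PAT device that
    # rewrites its packets to 203.0.113.5:1024 before they reach router2.
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    claimed = nat_d_hash(cky_i, cky_r, "10.1.1.2", 500)
    print("NAT in path:", nat_detected(cky_i, cky_r, claimed, "203.0.113.5", 1024))
    print(demux(encap_esp(0x1234, 7, b"<encrypted payload>")))
```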

nvelie
Level 1

Hi Aamer, I'm using a Cisco 1841 (SP Services) that is connected to 3 DSL lines and serves 100 users. When one of the users uses P2P the network is jammed and the NAT table is full. I want to add a security feature in combination to the SP Services to block P2P by headers, is it possible? Perhaps more DRAM can help the NAT issue?

Thanks in advance

Elie Khoury

Hi, expert

I made an experiment to test NAT-T with IPsec VPN.

router1---pix(PATing)---router2

The IPsec tunnel is set up between router2 and router1 and passes traffic through the PIX using PAT. When I disable the NAT-T feature in either router, the IPsec tunnel can be set up and the PC behind router1 is not able to ping the PC behind router2. Both IPsec SAs are OK.

pix---router1(PATing)---router2

The IPsec tunnel is set up between the PIX and router2 and passes traffic through router1 using PAT.

When I disable the NAT-T feature in router1 or the PIX, the IPsec tunnel can be set up and the PC behind the PIX is able to ping the PC behind router2. Both IPsec SAs are OK.

Why do the two experiments show different results? Is the NAT-T feature different between the router and the PIX?

note: router1 and router2 are 2811, version 12.4(3a); pix515 version 6.3(5)

Elie,

You might want to take a look at Network-Based Application Recognition (NBAR). It can be used to help control peer-to-peer traffic. You can read more about NBAR here:

http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml

Adding more DRAM will allow more translations in the table (I assume you are using overloading) but may not solve your problem.

Are there just a few P2P users on the network or a large number? You can use the "ip nat translation max-entries host" command to limit the number of translations which are allowed for a specific host. This method does require an entry for each address you want to limit. Also, if addresses are dynamically allocated then the limit will not apply if the host is issued a different IP.

Kevin
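The effect of a per-host translation limit on a PAT (overload) table, as an added example that is not part of the original thread or of IOS. The PatTable class is a constructed model of the behaviour Kevin describes for "ip nat translation max-entries host", and the addresses, flow counts and table size are assumptions for the demonstration.

```python
from collections import defaultdict

class PatTable:
    """Toy model of an overloaded (PAT) translation table with an optional
    per-host entry cap, in the spirit of 'ip nat translation max-entries host'.
    Assumed example behaviour, not IOS's implementation."""

    def __init__(self, global_ip, max_entries, per_host_max=None):
        self.global_ip = global_ip
        self.max_entries = max_entries          # whole-table limit (memory/DRAM)
        self.per_host_max = per_host_max or {}  # inside address -> allowed entries
        self.entries = {}                       # flow 5-tuple -> global port
        self.per_host = defaultdict(int)        # entries currently held per inside host
        self.refused = defaultdict(int)         # refused flows per inside host
        self.next_port = 1024

    def translate(self, inside_ip, inside_port, proto, dst_ip, dst_port):
        """Return (global_ip, global_port) for the flow, or None if no entry can be made."""
        flow = (inside_ip, inside_port, proto, dst_ip, dst_port)
        if flow in self.entries:
            return (self.global_ip, self.entries[flow])
        cap = self.per_host_max.get(inside_ip)
        if (cap is not None and self.per_host[inside_ip] >= cap) \
                or len(self.entries) >= self.max_entries:
            self.refused[inside_ip] += 1
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[flow] = port
        self.per_host[inside_ip] += 1
        return (self.global_ip, port)

def simulate(per_host_max=None):
    """Constructed scenario: a P2P host opens 300 flows, then an ordinary host
    opens 5 web flows. Returns (p2p_flows_translated, web_flows_translated)."""
    table = PatTable("198.51.100.1", max_entries=200, per_host_max=per_host_max)
    p2p_ok = sum(table.translate("10.0.0.50", 40000 + i, "tcp",
                                 f"192.0.2.{i % 250 + 1}", 6881) is not None
                 for i in range(300))
    web_ok = sum(table.translate("10.0.0.20", 50000 + i, "tcp",
                                 "203.0.113.10", 80) is not None
                 for i in range(5))
    return p2p_ok, web_ok

if __name__ == "__main__":
    print("no per-host cap:", simulate())                     # (200, 0)
    print("P2P host capped:", simulate({"10.0.0.50": 100}))   # (100, 5)
```

Without the cap the single P2P host fills the whole table and the ordinary host gets no translations; with the cap the ordinary host's flows still go through, which is the symptom relief Kevin's suggestion aims at.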

aksher
Level 1

Hi Akhter

When PAT is defined, what is the difference between using a netmask like 255.255.255.0 in the global statement, say global(outside) 1 10.80.11.1 netmask 255.255.255.0, and without a netmask, global(outside) 1 10.80.11.1?

Thanks

Aksher,

If the netmask is not specified then the default mask for the address class is used. In your example 10.80.11.1 is a Class A address so the mask 255.0.0.0 would be used if none was specified.

Kevin

Kevin

But for PAT there should be only one global IP, no? Say for example global (outside) 1 10.10.1.2, and in some places it's mentioned along with a subnet mask/default subnet mask, and hence there will be a range, no?

Thanks
