12-11-2018 12:43 AM
Good day to everyone!
Could someone tell me what type of NAT Cisco implements?
As far as I know there are 4 types of NAT: Symmetric, Full Cone, Address Restricted, Port Restricted.
To be more precise:
I have a Cisco 881 router with overloaded NAT and no ACL on the external interface.
Supposing that some host on the internal network has connected to an external host, and the router created a translation: the internal host address iAddr:iPort is mapped to the router's external address eAddr:ePort:
Which packets will router accept?
1) Packets from any external host destined to eAddr:ePort
2) Packets from the external host to which the internal one was previously connected, destined to eAddr:any port
3) Packets from the external host to which the internal one was previously connected, destined to eAddr: ePort
Thanks in advance!
Best regards,
12-11-2018 01:31 AM - edited 12-11-2018 01:32 AM
Hi Leshkan,
Cisco Overload NAT is a dynamic NAT, also known as Hide NAT. This means that it is functionally an outbound NAT with source port translation, so the only packets from external hosts that will get forwarded to the internal host are packets that are considered to be replies. In a relatively simple device like your 881, this will be a reply defined at layer 4. If you were to run an IOS firewall on the device, this gets extended to layer 7 replies, allowing protocols like FTP to work properly. This aligns with your option 3.
Hope this helps
Dave
12-11-2018 02:19 AM
One more clarification:
If the internal host has initiated a connection to an external host and the NAT translation still exists on the router, will that external host be able to initiate a connection to the internal host, and in what circumstances?
I mean: will the router accept new packets from that external host?
Best regards,
12-11-2018 03:11 AM
In theory no further packets should be allowed when the session ends because the dynamic NAT entry should be removed from the NAT table. In practice this may be HW & SW dependent. Some may keep the NAT entry in the table until an idle timeout occurs. Certainly if you run the IOS firewall, the entry should be marked as closed, preventing further traffic, but left in the table for a period of time in order to prevent re-use.
Hope this helps
Dave
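To make the two answers above concrete, here is a toy NAT translation table that models the four NAT types from the original question and the entry lifetime behaviour (idle timeout and a "closed but still in the table" state) from the second reply. This is an added example written for this thread, not Cisco code and not taken from IOS: the addresses (RFC 5737 documentation ranges), ports, the 300-second default timeout, the port pool starting at 1024, and the `close()` call standing in for a TCP teardown are all assumptions chosen for illustration. It runs the poster's three packets against each NAT type and shows which ones get forwarded.

```python
"""Toy NAT translation table illustrating cone/symmetric filtering and entry lifetime.
Added example for the thread above; not Cisco IOS code. All addresses, ports and
timeouts are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class NatType(Enum):
    FULL_CONE = 1           # any external host may reach eAddr:ePort
    ADDRESS_RESTRICTED = 2  # only hosts the internal side has sent to (any source port)
    PORT_RESTRICTED = 3     # only the exact remote addr:port previously contacted
    SYMMETRIC = 4           # as port restricted, plus a fresh ePort per destination


@dataclass
class Mapping:
    internal: tuple                           # (iAddr, iPort)
    external: tuple                           # (eAddr, ePort)
    peers: set = field(default_factory=set)   # remote (addr, port) seen outbound
    last_seen: float = 0.0
    closed: bool = False                      # session ended; entry parked, not reusable


class Nat:
    def __init__(self, nat_type, ext_addr, idle_timeout=300.0):  # hypothetical default timeout
        self.nat_type, self.ext_addr, self.idle_timeout = nat_type, ext_addr, idle_timeout
        self.table = {}        # key -> Mapping
        self.next_port = 1024  # hypothetical port pool start

    def _key(self, iaddr, iport, raddr, rport):
        # Symmetric NAT keys on the destination too, so each peer gets its own ePort.
        if self.nat_type is NatType.SYMMETRIC:
            return (iaddr, iport, raddr, rport)
        return (iaddr, iport)

    def outbound(self, iaddr, iport, raddr, rport, now):
        """Internal host sends to raddr:rport; create or refresh the translation, return (eAddr, ePort)."""
        key = self._key(iaddr, iport, raddr, rport)
        m = self.table.get(key)
        if m is None or m.closed:  # a closed entry is never reused for a new flow
            m = Mapping((iaddr, iport), (self.ext_addr, self.next_port))
            self.next_port += 1
            self.table[key] = m
        m.peers.add((raddr, rport))
        m.last_seen = now
        return m.external

    def inbound(self, raddr, rport, eaddr, eport, now):
        """Packet from raddr:rport arrives at eaddr:eport; return the internal endpoint, or None if dropped."""
        for key, m in list(self.table.items()):
            if m.external != (eaddr, eport):
                continue
            if now - m.last_seen > self.idle_timeout:
                del self.table[key]  # idle entry aged out of the table
                return None
            if m.closed:
                return None          # session ended; entry kept only to block reuse
            if self.nat_type is NatType.FULL_CONE:
                ok = True
            elif self.nat_type is NatType.ADDRESS_RESTRICTED:
                ok = any(peer_addr == raddr for peer_addr, _ in m.peers)
            else:                    # PORT_RESTRICTED and SYMMETRIC filter on the exact peer
                ok = (raddr, rport) in m.peers
            if ok:
                m.last_seen = now
                return m.internal
            return None
        return None                  # no translation for that external socket at all

    def close(self, iaddr, iport, raddr, rport):
        """Mark the session closed (stand-in for a firewall seeing the TCP teardown)."""
        m = self.table.get(self._key(iaddr, iport, raddr, rport))
        if m is not None:
            m.closed = True


def question_cases(nat_type):
    """The original post's three packets against a fresh table: (case1, case2, case3) accepted?"""
    nat = Nat(nat_type, "203.0.113.1")
    eaddr, eport = nat.outbound("10.0.0.5", 40000, "198.51.100.9", 80, now=0.0)
    case1 = nat.inbound("198.51.100.77", 5555, eaddr, eport, now=1.0) is not None  # any external host
    case2 = nat.inbound("198.51.100.9", 80, eaddr, eport + 1, now=1.0) is not None  # known peer, other port
    case3 = nat.inbound("198.51.100.9", 80, eaddr, eport, now=1.0) is not None      # known peer, ePort
    return case1, case2, case3


def external_ports_for(nat_type):
    """Same iAddr:iPort talking to two peers: does it get one external port or two?"""
    nat = Nat(nat_type, "203.0.113.1")
    first = nat.outbound("10.0.0.5", 40000, "198.51.100.9", 80, now=0.0)
    second = nat.outbound("10.0.0.5", 40000, "198.51.100.10", 80, now=0.0)
    return first, second


def lifetime_cases():
    """Second reply: reply accepted while live, dropped after close, entry gone after idle timeout."""
    nat = Nat(NatType.PORT_RESTRICTED, "203.0.113.1", idle_timeout=60.0)
    eaddr, eport = nat.outbound("10.0.0.5", 40000, "198.51.100.9", 80, now=0.0)
    live = nat.inbound("198.51.100.9", 80, eaddr, eport, now=30.0) is not None
    nat.close("10.0.0.5", 40000, "198.51.100.9", 80)
    after_close = nat.inbound("198.51.100.9", 80, eaddr, eport, now=31.0) is not None
    present_after_close = any(m.external == (eaddr, eport) for m in nat.table.values())
    after_timeout = nat.inbound("198.51.100.9", 80, eaddr, eport, now=200.0) is not None
    present_after_timeout = any(m.external == (eaddr, eport) for m in nat.table.values())
    return live, after_close, present_after_close, after_timeout, present_after_timeout


if __name__ == "__main__":
    for t in NatType:
        print(t.name, question_cases(t))
    print("lifetime", lifetime_cases())
```

Only the full cone model accepts packet 1 (any external host to eAddr:ePort); every model accepts packet 3, and none accepts packet 2, because there is simply no translation for a port the router never allocated. The difference between port restricted and symmetric shows up in `external_ports_for`: symmetric hands out a second ePort for the second peer. `lifetime_cases` models the second reply: a closed entry stays in the table but forwards nothing, and an idle entry is dropped once the timeout passes.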