Does internal routing affect NAT?

ElQueue
Level 1

I'm about to drastically change my network, breaking it up into multiple private IP subnets. Nothing I've studied on NAT has helped me confirm or deny whether routing behind NAT will stop NAT from working, so I want to know before I change everything if this will break my network.

 

What I mean is this:

 

Currently all my devices belong to the 192.168.0.x subnet, all get their addresses from the Arris cable modem that provides my Internet gateway and performs NAT. All my WAPs are in bridge mode and all devices connect to a L3 C3750-24P Cisco switch. I want to subnet the network, perform internal routing and hand out DHCP leases using the L3 switch, but I can't tell if doing so will break the NAT at the WAN link.

 

I understand that I might be completely misunderstanding how NAT works, but here's what I understand: You take the single external IP and map it to a single internal IP subnet. What I don't know is if you have the 192.168.0.x subnet between the WAN link and the L3 switch, does that mean only the L3 switch can traverse the NAT, or does internal routing still allow, say, the 192.168.1.x subnet behind the L3 switch from going out the WAN link?

 

I'm hoping someone can decipher what I'm saying. I know all the information is there, but it likely can be stated better; I just don't know how.

13 Replies

Hello,

 

NAT doesn't care how many IP addresses you map to a single public address, or to how many different subnets these internal addresses belong. So you can have 1 or 20 subnets; they will all work.

Internal routing is usually not affected by NAT, since typically you use a default route for external traffic, and your internal networks are either directly connected, or have routes that are more specific than the default route.

 

Maybe you can draw out your topology so it becomes a bit more visible what your network will look like, and what your concerns are...

Hello

 


@ElQueue wrote:

I'm about to drastically change my network, breaking it up into multiple private IP subnets. Nothing I've studied on NAT has helped me confirm or deny whether routing behind NAT will stop NAT from working, so I want to know before I change everything if this will break my network.

 

In summary, yes it will, unless you attach another rtr between the cable modem and the L3 switch, as I'm assuming this switch will not be a very high-end model and as such it won't be able to perform NAT, and you will need NAT for your newly created internal VLANs to be able to reach the internet.

 

How this will work is the addressing you already receive from the cable modem will become your WAN subnet for the new rtr WAN interface, and it will also have an interface connecting to your L3 switch (which can be part of a mgt VLAN you create on the switch).

 

From the L3 switch perspective you can then define your internal networks (VLANs) any way you desire, with a connection and a default route towards your new rtr.

 

The new rtr will then perform NAT on its internal L3-switch-facing interface and its cable modem (now WAN) interface. As such the cable modem will see its own LAN interface as being in the 192.168.0.x subnet and be none the wiser.


So your new rtr will perform NAT and then your cable modem will also.

 

example:
vlans - L3 Switch <>new rtr 192.168.0.x <> cable modem<>internet 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul, why can't my L3 switch BE that router? I.E. Vlan1 does the routing for Vlan 111, 112, 113, 114, and 115 out to the WAN link?

 

So Vlan 1 is on 192.168.0.x subnet, along with the WAN port, routing all vlans out to the WAN via default gateway

Vlan 111 is 192.168.1.x subnet

Vlan 112 is on 192.168.2.x subnet

etc

Hello


@ElQueue wrote:

Paul, why can't my L3 switch BE that router? I.E. Vlan1 does the routing for Vlan 111, 112, 113, 114, and 115 out to the WAN link?

 

So Vlan 1 is on 192.168.0.x subnet, along with the WAN port, routing all vlans out to the WAN via default gateway

Vlan 111 is 192.168.1.x subnet

Vlan 112 is on 192.168.2.x subnet

etc


 

Do you have management access to the cable modem? At present this device has two interfaces, one for your LAN and the other for WAN, hence it's providing the NAT and routing.

However, if you have management access to be able to change things, then it is very visible for your modem to do this.

 

My assumption was you don't have access to this device?



Kind Regards
Paul

I agree with Paul that you will need to introduce a router to accomplish what you want. You ask this question

why can't my L3 switch BE that router?

The reason the L3 switch can not BE that router is that your L3 Catalyst switch does not support doing address translation. 

 

Looking at the question from a slightly different perspective I would explain the issue this way: Currently your cable modem is configured to translate addresses in the 192.168.0.0 network and not for any other networks or subnets. If you subdivide your network (which probably is a good thing to do) and the L3 switch routes for those various networks and uses its default route to forward their traffic to the cable modem then the cable modem will reject any source address that is not in 192.168.0.0. Unless you get into a very high end switch the Catalyst switches do not support address translation.

 

HTH

 

Rick 

 


Okay, so in a way I think you answered my question about routing and NAT. If what I'm understanding is correct, my modem/gateway can only NAT from 192.168.0.x to my external IP address, and no other subnets. The only way to do this is to get a router that can NAT from the other subnets into 192.168.0.x address space and then the NAT would happen again at the gateway out. That doesn't seem very useful. BUT I do have a couple routers I can play with if it came to that. I have 1 1841 series and 2 2811 series collecting dust. 

 

And to answer Paul's question, I have access to the gateway's management console for a lot of functionality. But as far as I can tell I only have the power to turn on and off NAT, nothing more powerful than that.

I want to be careful about how we answer your question. Part of my point was that currently your Arris cable modem is translating for only a single network. I do not know enough about that device to be able to state whether it is capable of doing address translation for more than one network or not. If that cable modem is capable of translating for multiple networks and if your service provider is willing to do it then you would not need a router. 

 

I agree that it is a bit complex to do address translation on your router and then translate again on the cable modem and that it would be desirable to have translation only once. But many service providers want to support only a single network coming from the customer to them. In that case the double translation is a way to have multiple networks within your network and to provide Internet access for them. Either your 1841 or a 2811 should easily handle the address translation if you want to use them for this purpose. If your provider is willing to translate for multiple networks then you do not need your router.

 

HTH

 

Rick


Joseph W. Doherty
Hall of Fame
If you're currently running on a /24, you want to define other subnets for what purpose?

Reason I ask, as others have mentioned, you can NAT to the Arris cable modem; however, low end Catalyst switches generally don't support NAT. As others have also mentioned, low end Cisco routers do support NAT, but you might find their NAT support, if you need to use PAT, might not work as well as what the Arris cable modem supports. Further, low end Cisco routers generally do not have high bandwidth capacity. I.e. you might find your cable modem's throughput is limited by the router (such as a 2811).

In other words, what you might do, and perhaps what you should do, may have different answers, especially if cost is considered. (I.e. whether you need to buy more powerful equipment.)

If a low end Cisco router presents itself to the Arris cable modem as a single host, or hosts, on the existing /24 network, it should work, again though, you might find presenting all your internal hosts as a single host might break some applications. If you don't use PAT, but just use a pool of NAT addresses, that is likely to work best, but you then need to consider whether a /24 is a sufficiently large NAT pool.

Rick raises an interesting point, i.e. whether the Arris cable modem supports more than one internal side network. Likely not, but as Rick notes, if it does, that would be a solution. As far as your ISP is concerned, doubtful they concern themselves with what you do on the internal side of the cable modem, beyond your bandwidth consumption.

The biggest reason I'm creating subnets is to segregate traffic classes. A /24 address space is sufficient for all my hosts, but I'd like to keep secure data on one subnet, IP phone traffic on another, general WAP traffic on another, etc, with the ability to shape bandwidth as I need it. Something that I thought of when I was in the shower (brilliant idea-generator, that shower!) was "Does the gateway care that my network is subnetted if they are all in the same Class C space?" I could in theory subnet 192.16.0.x into a bunch of /22s and a /23. Would the gateway care or would it get routed properly by the L3 switch VLAN 1?

We need to be careful in how you describe your possible subnetting. You currently have a /24. You could subnet that into /25, /26, /27, etc however you want it. And the cable modem would still see just 192.168.0.0/24 and would translate and everything would be fine. If you attempt to subnet into /22, /23 then you would be outside of your original /24 and that is potentially a problem for the cable modem address translation.

 

HTH

 

Rick


My apologies, I was in a hurry and instead of adding bits I removed them, but that's what I meant. Thanks for this information and it will help me greatly.

 

Just one more thing I'd like to know, if I change the subnet mask on my gateway from 255.255.255.0 to 255.255.0.0 and change the internal IP addresses to something like 10.0.x.x, would that upgrade the NAT to allow 65532 addresses out instead of 253?

 

I know this is a Cisco forum, but I'd like to get people's best guess here.

Yes if you change the network from a class C like 192.168.0.0 to a class B like 172.16.0.0 or to the class A 10.0.0.0 and used a subnet mask of 255.255.0.0 then you would potentially be able to have 65532 addresses. This assumes that you have the ability to reconfigure the address translation on the cable modem or that the provider agrees to make that change for you.

 

HTH

 

Rick


"Does the gateway care that my network is subnetted if they are all in the same Class C space?"

Yes and no. For egress, your gateway should "see" all IPs within its defined address block, so it should accept them, NAT them, and route them (externally). For inbound (from ISP) traffic, your gateway router would expect all internal IPs to be directly accessible, at L2, and if you have different VLANs and smaller (/25, /26 . . .) subnets of the /24, it wouldn't know they need routing to an IP on the L3 switch. However, if inbound traffic is return traffic, the host's MAC, if in the ARP cache, should be the L3 switch's MAC, and if it is, traffic should flow alright.

If the gateway router doesn't have the internal host IP in its ARP cache, it would ARP for it, which should also work okay if the L3 switch works as a proxy.
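As an added example in Python (not code from any of the posts), here is a small planning check that applies the point Rick and Joseph make above: a VLAN subnet is translated by the gateway only if it sits inside the gateway's configured LAN block, a /22 or /23 that swallows the /24 is only partly translated, and even a /25 or /26 carved out of the /24 leaves the gateway believing those hosts are on-link. The 192.168.0.0/24 gateway block and the VLAN plan below are constructed from the numbers in the thread.

```python
from ipaddress import ip_network
from typing import Dict

# Constructed for this thread: the gateway translates only sources inside
# its own LAN block, i.e. the 192.168.0.x network the modem hands out today.
GATEWAY_LAN = "192.168.0.0/24"

def classify_subnet(vlan_cidr: str, gateway_lan: str = GATEWAY_LAN) -> str:
    """Predict how a VLAN subnet behind the L3 switch fares at the NAT gateway.

    translated-onlink   : carved out of the gateway's LAN block (/25, /26, ...).
                          It is translated, but the gateway still thinks those
                          hosts are directly connected, so return traffic relies
                          on its ARP cache pointing at the L3 switch (or proxy ARP).
    exceeds-gateway-lan : a /22 or /23 containing the /24; only the part inside
                          the gateway's block is translated, the rest is not.
    outside-nat-range   : a separate network (192.168.1.0/24, 10.0.0.0/16);
                          not translated at all without a second NAT hop on a
                          router or a wider inside range configured on the gateway.
    """
    net = ip_network(vlan_cidr)
    gw = ip_network(gateway_lan)
    if net.subnet_of(gw):
        return "translated-onlink"
    if net.overlaps(gw):
        return "exceeds-gateway-lan"
    return "outside-nat-range"

def plan(vlans: Dict[str, str], gateway_lan: str = GATEWAY_LAN) -> Dict[str, str]:
    """Classify every planned VLAN; anything not 'translated-onlink' needs design work."""
    return {name: classify_subnet(cidr, gateway_lan) for name, cidr in vlans.items()}

def usable_hosts(cidr: str) -> int:
    """Host addresses left after the network and broadcast addresses (for /30 and larger)."""
    return ip_network(cidr).num_addresses - 2

if __name__ == "__main__":
    # Constructed VLAN plan mirroring the thread (VLAN numbers from the posts).
    proposed = {
        "vlan1-transit": "192.168.0.0/25",
        "vlan111": "192.168.1.0/24",
        "vlan112": "192.168.2.0/24",
        "vlan-wide": "192.168.0.0/23",
    }
    for name, verdict in plan(proposed).items():
        print(f"{name:14} {proposed[name]:18} {verdict}")
    print("usable hosts in 10.0.0.0/16:", usable_hosts("10.0.0.0/16"))
```

Run it with the gateway's real LAN block as the second argument if the modem's inside range is ever widened, and the verdicts shift accordingly.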