10-18-2017 08:28 AM - edited 03-05-2019 09:19 AM
I've got a weird scenario where I need to do a port-forward in NAT, as well as a source address translation at the same time. Let me explain.
I have a secondary ISP coming into a data center facility and I have been asked to come up with a configuration that would allow a port forward to an arbitrary system within the network, and have all that traffic appear from and return through this router.
ISP2 --- Fa0/0 (192.0.2.2 - nat out) / Fa0/1 (192.168.225.10 nat in) --- Inside networks --- Host (10.36.100.1)
The first part is easy, as I can use a port forward:
ip nat inside source static tcp 10.36.100.1 23 interface FastEthernet0/0 2323
What Doesn't Work
The second part I have not been able to figure out using one router.
I have added a small address pool and an outside source list:
ip access-list extended ACL-OUTSIDE
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.0.0.0 0.31.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
ip nat pool POOL 192.168.225.11 192.168.225.15 prefix-length 26
ip nat outside source list ACL-OUTSIDE pool POOL
On the inside host, I've got an IP packet debug that seems to show the double-nat is working there:
*Oct 12 21:00:38.970: IP: s=192.168.225.11 (FastEthernet1/0), d=10.36.100.1, len 44, rcvd 4
*Oct 12 21:00:38.970: IP: s=192.168.225.11 (FastEthernet1/0), d=10.36.100.1, len 44, stop process pak for forus packet
*Oct 12 21:00:38.982: IP: s=10.36.100.1 (local), d=192.168.225.11 (FastEthernet1/0), len 44, sending
*Oct 12 21:00:38.990: IP: s=10.36.100.1 (local), d=192.168.225.11 (FastEthernet1/0), len 44, sending full packet
The translation seems to build:
GW1#sh ip nat trans
Pro Inside global      Inside local       Outside local         Outside global
--- ---                ---                192.168.225.11        4.2.2.1
tcp 192.0.2.14:2323    10.36.100.1:23     192.168.225.11:37521  4.2.2.1:37521
tcp 192.0.2.14:2323    10.36.100.1:23     ---                   ---
However, I don't get return traffic on the nat outside interface. All the routing is correct.
The same behavior persists, even when I specify a static outside address without using a pool.
What Does Work
I did find that I can achieve the same ends if I place two routers back to back like so:
outside -- (fa0/0 nat out) R1 (fa0/1 nat in) -- (fa0/1 nat in) R2 (fa1/0 nat out) -- inside
Then I keep the same port forward on R1:
ip nat inside source static tcp 10.36.100.1 23 interface FastEthernet0/0 2323
And then I do an overload on R2:
ip access-list extended ANY
permit ip any any
!
ip nat inside source list ANY interface FastEthernet1/0 overload
The scenario is labbed with IOS 15.2(4)M11, if it makes any difference.
10-18-2017 08:40 AM - edited 10-18-2017 08:44 AM
I don't have time to lab it up but I suspect it may be because inside to outside with NAT routing is done first.
So the destination IP is 192.168.225.11 but the router has an interface with an IP from that subnet so it never gets routed to the outside interface.
Possible solutions -
1) try using an IP pool that is not part of the same IP subnet as the interface IP. If you have a L3 switch for the inside networks then just use an unused IP subnet and add a route with next hop IP of 192.168.225.10
2) an alternative solution may be to add a static route for the pool pointing out of the fa0/0 interface of the router.
Jon
10-18-2017 01:45 PM
Jon,
I even tried to simplify this a little bit, by specifying a static inside and a static outside as a 1:1, hoping for anything. I used a separate network on the inside and made sure it was routed to the inside interface.
The telnet sessions source from a loopback interface on another virtual router which comes in on the outside.
GW1#sh ip nat trans
Pro Inside global      Inside local       Outside local         Outside global
--- ---                ---                192.168.225.128       4.2.2.1
--- 192.0.2.13         10.36.100.1        ---                   ---
GW1#sh run | i nat
ip nat outside
ip nat inside
ip nat inside source static 10.36.100.1 192.0.2.13
ip nat outside source static network 4.2.2.1 192.168.225.128 /32
GW1#
It almost looks like the packets aren't hitting NAT processing on the way back via inside. I sent one ping only to keep the chatter down:
GW1#
*Oct 18 20:21:09.519: NAT: Existing entry found in the global tree,updating it to point to the latest node passed
*Oct 18 20:21:09.519: NAT*: o: icmp (4.2.2.1, 7) -> (192.0.2.13, 7) [27]
*Oct 18 20:21:09.519: NAT*: o: icmp (4.2.2.1, 7) -> (192.0.2.13, 7) [27]
*Oct 18 20:21:09.523: NAT*: s=4.2.2.1->192.168.225.128, d=192.0.2.13 [27]
*Oct 18 20:21:09.523: NAT*: s=192.168.225.128, d=192.0.2.13->10.36.100.1 [27]
*Oct 18 20:21:09.551: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.555: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, Stateful Inspection(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.559: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, Virtual Fragment Reassembly(37), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.559: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, Access List(44), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.563: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, Virtual Fragment Reassembly After IPSec Decryption(54), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.563: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, NAT Outside(86), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.563: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128, len 100, input feature, MCI Check(101), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.563: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), len 100, output feature, Post-routing NAT Outside(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.567: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), len 100, output feature, Common Flow Table(28), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.567: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), len 100, output feature, Stateful Inspection(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.567: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), len 100, output feature, NAT ALG proxy(61), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 18 20:21:09.567: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), g=192.0.2.9, len 100, forward
*Oct 18 20:21:09.571: IP: s=10.36.100.1 (FastEthernet1/0), d=192.168.225.128 (FastEthernet0/0), len 100, sending full packet
The internal host appears to process the packet as expected:
*Oct 13 00:02:26.181: IP: s=192.168.225.128 (FastEthernet1/0), d=10.36.100.1, len 100, rcvd 4
*Oct 13 00:02:26.185: IP: s=192.168.225.128 (FastEthernet1/0), d=10.36.100.1, len 100, stop process pak for forus packet
*Oct 13 00:02:26.189: IP: s=10.36.100.1 (local), d=192.168.225.128 (FastEthernet1/0), len 100, sending
*Oct 13 00:02:26.189: IP: s=10.36.100.1 (local), d=192.168.225.128 (FastEthernet1/0), len 100, sending full packet
The translations show themselves being built:
GW1#sh ip nat trans
Pro  Inside global     Inside local       Outside local         Outside global
---  ---               ---                192.168.225.128       4.2.2.1
icmp 192.0.2.13:8      10.36.100.1:8      192.168.225.128:8     4.2.2.1:8
icmp 192.0.2.13:9      10.36.100.1:9      192.168.225.128:9     4.2.2.1:9
---  192.0.2.13        10.36.100.1        ---                   ---
GW1#
10-18-2017 01:57 PM - edited 10-18-2017 02:02 PM
I only have a phone with me so I may not be reading the whole thing properly but have you tried what I suggested, i.e. it is about the order the router is processing things.
When you enter the nat outside static command can you see if there is an "add-route" option you can add to the line.
Jon
10-19-2017 01:27 AM
Back at work now so can give a fuller answer.
You say it is almost like the NAT is not happening for the return traffic which is what I was trying to explain in my first post.
When the packet arrives back at the router the first thing the router does is a route lookup for the destination IP so no matter what that IP is the router must find a route for it pointing out of the interface configured with "ip nat outside".
So do you have this on your router ?
Jon
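The order-of-operations point Jon makes above, as an added illustration that is not part of the thread and not Cisco's NAT code: a small model in which a reply from the inside host is routed first and translated only if the route lookup lands on the "ip nat outside" interface. Interface names and addresses follow the thread; the /24 on Fa0/0 and the exact route-lookup behaviour are assumptions of the model.

```python
import ipaddress

# Constructed model of the thread's lab (not IOS internals). Fa0/0 is
# "ip nat outside", Fa0/1 is "ip nat inside"; the /24 on Fa0/0 is assumed.
OUTSIDE_IF, INSIDE_IF = "FastEthernet0/0", "FastEthernet0/1"
CONNECTED = [
    (ipaddress.ip_network("192.0.2.0/24"), OUTSIDE_IF),
    (ipaddress.ip_network("192.168.225.0/26"), INSIDE_IF),  # prefix-length 26 from the pool
]
# State built when the outside host 4.2.2.1 reached the port forward.
INSIDE_GLOBAL, INSIDE_LOCAL = "192.0.2.14", "10.36.100.1"
OUTSIDE_GLOBAL = "4.2.2.1"

def route_lookup(dst, routes):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, ifname) for net, ifname in routes if dst in net]
    return max(hits)[1] if hits else None

def inside_to_outside(src, dst, outside_local, extra_routes=()):
    """Reply from the inside host. Routing happens FIRST; the inside-to-outside
    translation is applied only when the egress is an 'ip nat outside' interface."""
    egress = route_lookup(dst, CONNECTED + list(extra_routes))
    if egress != OUTSIDE_IF:
        return {"translated": False, "egress": egress, "src": src, "dst": dst}
    new_src = INSIDE_GLOBAL if src == INSIDE_LOCAL else src   # inside local -> inside global
    new_dst = OUTSIDE_GLOBAL if dst == outside_local else dst  # outside local -> outside global
    return {"translated": True, "egress": egress, "src": new_src, "dst": new_dst}

def add_route(outside_local):
    """Model of 'add-route' on 'ip nat outside source': a host route for the
    outside-local address pointing toward the outside interface."""
    return (ipaddress.ip_network(outside_local + "/32"), OUTSIDE_IF)

# Attempt 1 from the thread: pool 192.168.225.11-.15 lies in Fa0/1's own subnet,
# so the route lookup stays on the inside interface and nothing is translated.
BROKEN = inside_to_outside(INSIDE_LOCAL, "192.168.225.11", "192.168.225.11")
# Unused subnet (192.168.225.130) but no route on the router: reply is unroutable.
NO_ROUTE = inside_to_outside(INSIDE_LOCAL, "192.168.225.130", "192.168.225.130")
# Final config from the thread: unused subnet plus add-route -> egress Fa0/0, translated.
FIXED = inside_to_outside(INSIDE_LOCAL, "192.168.225.130", "192.168.225.130",
                          extra_routes=[add_route("192.168.225.130")])

if __name__ == "__main__":
    for name, result in (("broken", BROKEN), ("no_route", NO_ROUTE), ("fixed", FIXED)):
        print(name, result)
```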
10-19-2017 07:11 AM
Jon,
The suggestion to use an address range not related to the local inside subnet was the correct answer. I routed an unused subnet on the inside network to the router.
I combed through the lab environment this morning, and noticed I fat-fingered a route on the external side of the lab, which I fixed. Rookie mistake, and easy to overlook. Of course, the traffic would have never returned.
The final relevant snips of the config look like this:
GW1#sh run | i nat
ip nat outside
ip nat inside
ip nat translation timeout 180
ip nat pool POOL 192.168.225.130 192.168.225.135 prefix-length 26
ip nat inside source static tcp 10.36.100.1 23 interface FastEthernet0/0 2323
ip nat outside source list ACL-OUTSIDE pool POOL add-route
GW1#sh access-list ACL-OUTSIDE
Extended IP access list ACL-OUTSIDE
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.0.0.0 0.31.255.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any (4 matches)
    40 permit ip any any (4 matches)
GW1#
One thing I found interesting after this was verified was that if I tried to reconnect to the source host, it still built a translation table, but it only changed the outside local/outside global, and not the inside global:
GW1#sh ip nat trans | i 4.2.2.1
--- ---                    ---                    192.168.225.130        4.2.2.1
tcp 192.0.2.14:2323        10.36.100.1:23         192.168.225.130:35200  4.2.2.1:35200
tcp 192.168.225.1:17922    192.168.225.1:17922    192.168.225.130:23     4.2.2.1:23
GW1#
But this is fine, since I don't want reverse traffic anyway.
In any case ... thank you so much for the guidance, and that made a huge difference!
10-18-2017 08:49 AM
Forgot to say, if you use an unused subnet you would still need to add a route as per the second option.
Jon
10-18-2017 09:04 AM
Is this a GNS3 lab ? Can you post the file ?
10-18-2017 11:56 PM
Hello,
post the full config of your router so we can lab this. How is your 10.x.x.x network connected to your router ?
12-22-2017 05:58 AM
Thanks for this post, it's really helped me out.
A problem I have found with it is, that it only seems to support one translation from the outside interface to the inside.
My requirement is similar to the OP's in that I'm trying to connect to a firewall through a NATing router. The firewall already has a default route and so I need to both source-PAT inbound traffic from the Internet and perform destination NAT on the NATing router (867VAE-K9 15.7(3)M1).
If I clear the translation table and straight away hit the IP, I get through ok. If I leave it a few seconds, a bot will end up filling what seems to be the sole entry in the NAT table.
Did you have the same problem?
Cheers, Dom