NAT for local originated packet

Hi,

I've configured a Cisco 3725 w/ IOS 12.(4)21a to implement natting for locally originated packets going out towards a specific IP destination.

Basically I configured ip nat outside on the egress i/f (serial 0/0.100):

interface Serial0/0.100 point-to-point
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!

and ip nat inside source list TO-DST interface serial 0/0.100 in global configuration mode:

ip access-list extended TO-DST
 permit ip host 10.10.10.1 host 172.16.10.3
!
ip nat inside source list TO-DST interface Serial0/0.100 overload
!

The C3725 has an entry for 172.16.10.3 in the IP RIB and pinging from this router to the destination is OK. Now a question arises.....

How can the router perform NAT if the ip nat inside command is not configured on any interface?

Thanks

18 Replies

rais
Level 7

Once you have NAT outside defined, all other interfaces are treated as inside for NAT translation.
Thanks.

But.... is this the default behaviour? And why then configure ip nat inside (on the inside router interface) in an enterprise scenario to perform natting for inside hosts?

Not sure. But you have designated a boundary: an outside interface. And you do have an ip nat inside statement configured on the router.

Thanks.

..... just to better understand... In my scenario I have an outside interface (serial0/0.100 configured with ip nat outside) but I have not configured any inside interface (no interface has ip nat inside configured).

How can NAT work? Is it a specific condition in which packets (ping) are locally originated by the router itself?

Thanks in advance

Hi Carlo,

I think that you can solve that by tricking the router:

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
!
route-map NAT-NH-LOOP
 match
 set ip next-hop 1.1.1.1
!
ip local policy route-map NAT-NH-LOOP

Regards

Dan

Yes, I know this trick (the locally originated (ping) packet re-enters from loopback0 where ip nat inside is configured...)... but I do not understand why it works without ip nat inside on any interface...

I do not believe that NAT is performed.

First, do you have any other NAT configured?

Can you post:

debug ip nat
debug ip icmp
ping 172.16.10.3
undebug all

Dan

R1#sh run int lo101
Building configuration...

Current configuration : 86 bytes
!
interface Loopback101
 ip address 10.10.10.1 255.255.255.255
 ip ospf 1 area 0
end
!
R1#sh run int s0/0.100
Building configuration...

Current configuration : 198 bytes
!
interface Serial0/0.100 point-to-point
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip ospf 1 area 0
 snmp trap link-status
 frame-relay interface-dlci 102
end

R1#sh runn | b access-list
ip access-list extended TO-DST
 permit ip host 10.10.10.1 host 172.16.10.3
!
R1#sh run | in nat inside
ip nat inside source list TO-DST interface Serial0/0.100 overload
R1#
R1#debu ip nat
IP NAT debugging is on
R1#debu ip icmp
ICMP packet debugging is on
R1#
R1#sh deb
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
R1#
R1#ping 172.16.10.3 source loopback 101 r 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.10.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 108/122/136 ms
R1#
*Mar  1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar  1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar  1 00:11:09.755: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
*Mar  1 00:11:09.759: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [17]
*Mar  1 00:11:09.863: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [17]
*Mar  1 00:11:09.867: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
R1#
R1#u all
All possible debugging has been turned off
R1#

Any help is appreciated..

To my knowledge this is not expected! Are you using real hardware? What IOS/HW are you using on this one?

Regards

Dan

Same behaviour (w/o any ip nat inside) on a 'real' C7200:

7200-RR1#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.2(33)SRE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 25-Jan-11 08:35 by prod_rel_team

ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)

7200-RR1 uptime is 7 weeks, 5 days, 11 hours, 15 minutes
System returned to ROM by power-on
System restarted at 10:10:16 MET Mon Jan 23 2012
System image file is "disk2:c7200-adventerprisek9-mz.122-33.SRE3.bin"
Last reload type: Normal Reload

This time the ping source address is 172.16.217.230 (loop0) with destination 172.16.217.15:

7200-RR1#debu ip nat
IP NAT debugging is on
7200-RR1#debu ip icmp
ICMP packet debugging is on
7200-RR1#
7200-RR1#sh deb
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
7200-RR1#
7200-RR1#ping 172.16.217.15 source loopback 0 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.217.15, timeout is 2 seconds:
Packet sent with a source address of 172.16.217.230
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 28/28/28 ms
7200-RR1#
Mar 17 21:30:23.451 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.451 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [37]
Mar 17 21:30:23.479 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.479 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [37]
Mar 17 21:30:23.479 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
Mar 17 21:30:23.479 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.479 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [38]
Mar 17 21:30:23.507 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.507 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [38]
Mar 17 21:30:23.507 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
7200-RR1#

Any idea? Carlo.
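An added example (not from the thread or from Cisco) that parses both debug ip nat captures above, in their two timestamp styles, and checks that every translated echo request has a reply that was untranslated back to the original inside-local/outside pair. It assumes request and reply can be paired by the bracketed IP identification number, which is the case in both captures; the sample lines are constructed from the outputs above, with one request deliberately left without its reply.

```python
import re

# Constructed sample, copied from the two captures above (3725 and 7200 formats).
# The second 3725 request is left without its reply to show the "no reply" case.
SAMPLE_DEBUG = """\
*Mar  1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar  1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar  1 00:11:09.759: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [17]
Mar 17 21:30:23.451 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.451 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [37]
Mar 17 21:30:23.479 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.479 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [37]
"""

# One address-translation line in either timestamp style. "NAT*" marks a
# fast-switched translation; the bracketed number is the IP identification field.
NAT_LINE = re.compile(
    r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]"
)

def parse_nat_debug(text):
    """Split translation lines into outbound and inbound tables keyed by IP id."""
    outbound, inbound = {}, {}
    for line in text.splitlines():
        m = NAT_LINE.search(line)
        if not m:
            continue  # "ICMP id=..." lines and other debug output are skipped
        src, src_xlat, dst, dst_xlat, ip_id = m.groups()
        if src_xlat is not None:      # source rewritten: inside -> outside
            outbound[int(ip_id)] = (src, src_xlat, dst)
        elif dst_xlat is not None:    # destination rewritten: reply coming back
            inbound[int(ip_id)] = (src, dst, dst_xlat)
    return outbound, inbound

def check_symmetry(text):
    """Report, per translated request, whether the reply was mapped back to
    exactly the original (outside, inside-global, inside-local) triple."""
    outbound, inbound = parse_nat_debug(text)
    report = {}
    for ip_id, (inside_local, inside_global, outside) in outbound.items():
        reply = inbound.get(ip_id)
        if reply is None:
            report[ip_id] = "no reply translated"
        elif reply == (outside, inside_global, inside_local):
            report[ip_id] = "ok"
        else:
            report[ip_id] = "asymmetric"
    return report
```

Running check_symmetry over a live debug ip nat capture is a quick way to confirm that the control-plane traffic really is being translated and reverse-translated, without an ip nat inside interface.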

Hi Carlo,

Tested and found the same behavior.

It seems that the router considers the control plane as an inside interface.

Have a look at this link:

http://ieoc.com/forums/p/18741/161550.aspx

Regards

Dan

Great explanation!

Another question related to NAT....

Having a router with an inside and an outside interface configured, the only NAT option supported on the outside interface is ip nat outside source ...... while on the inside i/f source/destination natting (ip nat inside source/destination) is supported.

Why do these differences exist from a configuration point of view?

Thanks

Hi Carlo,

ip nat inside/outside source list/route-map is for Source NAT and the flow must be initiated from the interface specified in the command - this does not apply to the static command.

ip nat inside/outside source static is bidirectional, meaning that the packet could be initiated on any interface (inside or outside); this means that it is not only Source NAT but also Destination NAT.

ip nat inside destination is used for load balancing; the packet must be initiated from OUTSIDE.

Regards

Dan

Hi Dan,

just to better understand...

ip nat outside source list/route-map creates a dynamic NAT entry (when the flow is outside initiated) to translate outside-global -> outside-local.

From your answer it seems to me that ip nat inside destination list/route-map works the same way.

If this is right, what are the differences between them?

Thanks a lot
