6112 Views, 26 Helpful, 9 Replies

NAT Pool - Route to NULL0

marcusauman (Level 1)

I've recently seen in some router configs a NAT pool created and applied accordingly. What I've also seen, and don't understand the purpose of, is a static route specifying the NAT pool and routing it to Null0. Can someone please shed some light on this? Thank you! Below is a configuration example.

interface FastEthernet0/1
 ip nat inside
!
interface Serial0/0
 ip nat outside
!
router eigrp 99
 passive-interface FastEthernet0/1
 network x.x.x.x x.x.x.x
 distribute-list EIGRP out Serial0/0
 no auto-summary
!
! Only the NAT pool range is advertised out of the WAN interface
ip access-list standard EIGRP
 permit 100.0.0.0 0.0.0.7
!
! Inside hosts that are allowed to be translated
ip access-list standard NAT
 permit x.x.x.x 0.0.0.255
!
ip nat pool NAT_POOL 100.0.0.1 100.0.0.1 netmask 255.255.255.0
ip nat inside source list NAT pool NAT_POOL overload
2 Accepted Solutions

Marwan ALshawi (VIP Alumni)

Hi there

This can be used in the case of overlapping networks, where you can avoid the overlap using NAT while you are also running routing such as EIGRP.

Example

10.1.1.0/24-----router1------192.168.1.0/30---router2----10.1.1.0/24

In the above example, if you run routing between those two routers there will be a problem, because each router will advertise 10.1.1.0/24 while it will get discarded by the other router, because each router has it as a directly connected network.

To overcome this issue you can use NAT. On router1 you can create a static route for a network, for example 172.16.1.0/24, pointing to Null0 and redistribute it into EIGRP, and also NAT this network one-to-one using the network keyword in the NAT (or a pool), so that traffic from 10.1.1.0 will be seen by router2 as if it is from 172.16.1.0. Because we have the network added to EIGRP and advertised to router2, router2 will send traffic for 172.16.1.0 to router1, and router1 will translate it back to 10.1.1.0.

But the same concept has to be applied on router2 for its 10.1.1.0, so that the two routers will not see overlapping networks.

Hope this helps

If helpful, rate
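Marwan's overlapping-network scenario written out as a two-router configuration. This is an added example, not configuration from either poster. Assumptions: Router2 presents its own 10.1.1.0/24 as 172.16.2.0/24 (Marwan only names 172.16.1.0/24 for Router1); the interface names, EIGRP AS 99 and the redistribution metric values are arbitrary; a host on Router1's LAN reaches a host behind Router2 by using that host's 172.16.2.x address.

```cisco
! ===== Router1 (added example, not the poster's configuration) =====
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat outside
!
! One-to-one mapping of the whole LAN: 10.1.1.x <-> 172.16.1.x
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
!
! Placeholder so that 172.16.1.0/24 exists in the RIB and can be redistributed
ip route 172.16.1.0 255.255.255.0 Null0
!
! Deliberately no network statement for 10.1.1.0/24: the overlapping prefix
! must never be advertised, only the translated one is.
router eigrp 99
 network 192.168.1.0 0.0.0.3
 redistribute static metric 1544 2000 255 1 1500
 no auto-summary
!
! ===== Router2 (mirror image, assumed 172.16.2.0/24) =====
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 ip nat outside
!
ip nat inside source static network 10.1.1.0 172.16.2.0 /24
ip route 172.16.2.0 255.255.255.0 Null0
!
router eigrp 99
 network 192.168.1.0 0.0.0.3
 redistribute static metric 1544 2000 255 1 1500
 no auto-summary
!
! Walk-through: host 10.1.1.50 behind Router1 sends to 172.16.2.60.
!   Router1: src 10.1.1.50 -> 172.16.1.50 (inside source), forwarded to
!            Router2 via the EIGRP external route for 172.16.2.0/24.
!   Router2: dst 172.16.2.60 -> 10.1.1.60 (static network entry), delivered
!            to its LAN. Replies follow the same mappings in reverse.
! Checks: "show ip route eigrp" on each router (expect a D EX entry for the
! other side's 172.16.x.0/24) and "show ip nat translations".
```

With a static network mapping every address in 172.16.1.0/24 already has a translation, so on these two routers the Null0 route is purely the advertisable placeholder Marwan describes; the "drop anything without a translation" behaviour matters more with a dynamic pool, where only active sessions have entries.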

Hello Marwan,

You are correct in your explanation, but you have chosen a rather complicated scenario to explain the Null0 route.

Simply put, any NATting into a pool of addresses has a consequence: the routing in the network must be set up so that when replies are sent to these pool addresses, they are routed back to our router performing the NAT. The question now is how the address range in the NAT pool should be advertised in the routing protocol, as the pool is not an interface network and hence cannot simply be added to a routing protocol process by a network command.

Two approaches are commonly used. The first, more obvious one, is to allocate a single IP address from the NAT pool and assign it to a loopback with an appropriate mask, then advertise that loopback in the routing protocol. The slight disadvantage of this approach is that you need to create a loopback interface (or a secondary address), and the router is actually the owner of the IP address and so it may actually be contactable under that address - something which may not align with company security policies.

Another approach is to define a static route to Null0 that covers the same IP address range as the NAT pool itself, and redistribute that static route into the routing protocol. From the reachability point of view, the result is the same. However, the processing of packets returning to this "network" is more optimized: if the NAT table contains an entry for the returning packet, it will be translated back accordingly and sent to the proper inside station. If, however, there is no translation entry for a packet destined to this network, no NAT will be performed, and the packet will be routed according to this static route - which means it will be dropped because of the Null0 adjacency. This is actually correct behavior: packets destined to the NAT pool addresses are either replies to connections from inside, in which case there must be a corresponding NAT entry present, or they do not belong to any current session controlled by NAT and so cannot be forwarded further either way. Note that if we used a loopback interface, under some circumstances the packet could be received by the router itself, which may not be a good idea.

So to sum it up, the static route to Null0 is added as a placeholder for the range of IP addresses in the NAT pool so that it can be advertised into a routing protocol, as the NAT pool itself is not an object that could be advertised by a routing protocol. The Null0 adjacency also prevents forged, malicious or late packets from being inappropriately forwarded - only packets with correct corresponding NAT table entries will be sent back into the inside network.

Best regards,

Peter
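The two approaches Peter describes, written out against the pool from the original post. This is an added example, not configuration from either poster. Assumptions: the pool range is 100.0.0.0/29 (the poster's EIGRP distribute-list permits exactly that, while the pool itself is declared with a /24 netmask); the EIGRP AS is 99 as in the post; the Loopback number and the metric values are arbitrary.

```cisco
! --- Approach 1: a loopback owns an address out of the pool range ---
! The router itself answers on 100.0.0.1 for anything that has no NAT entry
! (SSH, SNMP, ICMP, ...), which is the exposure Peter cautions about.
interface Loopback100
 ip address 100.0.0.1 255.255.255.248
!
router eigrp 99
 network 100.0.0.0 0.0.0.7
!
! --- Approach 2: Null0 placeholder route (remove Loopback100 first) ---
! Return traffic for 100.0.0.0/29 that matches a NAT entry is translated
! before the routing lookup and leaves through FastEthernet0/1; anything
! else matches this route and is discarded.
ip route 100.0.0.0 255.255.255.248 Null0
!
router eigrp 99
 redistribute static metric 1544 2000 255 1 1500
!
! Null0 still generates an ICMP unreachable for every packet it discards;
! switch that off so an outsider sweeping the pool range cannot make the
! router's CPU do the work of replying.
interface Null0
 no ip unreachables
!
! Checks (after a host behind FastEthernet0/1 has opened a session):
!   show ip route 100.0.0.0 255.255.255.248   <- a static route via Null0
!   show ip nat translations                   <- the session's inside/global pair
!   show ip nat statistics                     <- hits and misses as traffic returns
```

The order of operations is what makes approach 2 work: on the outside-to-inside direction IOS consults the NAT table before the routing table, so the Null0 route is only ever reached by packets that no translation claimed.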

9 Replies


Hi Peter,

I totally agree, but the reason why I put the case above is that in real life it's the most commonly used one: if you have an Internet link with different public pools, normally the ISP will already advertise them for you and point traffic for that range to your CE end (except if you have a public BGP ASN and public ranges; that is a different story, where we can use the methods above too).

Thanks,

Marwan

Hello Marwan,

Yes, you're right. In our labs I have more often been exposed to the need to advertise the NAT pool from the CE router itself, but it is true that usually it is the ISP that is going to advertise the subnet on your behalf.

Best regards,

Peter

Well, I believe it's always better to have two brains exchanging knowledge for a solution :)

Guys! Thank you both for your in-depth and prompt responses to my question. I put this in a lab environment and did some verification.

I checked and found out that if you have the static route to Null0 you have two options:

1) - Network statement

2) - Redistribute static routes into your IGP of choice

Both of these came back with the same result. I did not test the loopback approach Peter mentioned because, as he stated, that's not really a good design.

Again, thanks guys!

Hello,

You are welcome, and thank you for the generous ratings.

One addition to your findings about using the network statement with a static route pointing to Null0: this will work only for distance vector routing protocols like EIGRP or RIP (and naturally for BGP). It will not work for OSPF or IS-IS. The catch here is that distance vector protocols on Cisco routers treat a static route specified with an egress interface as a directly connected network, and therefore the network command applies to it. Link-state protocols see it only as a static route, not as a directly connected network, and the only way to advertise that route is using redistribute static.

Best regards,

Peter
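Peter's distinction written out as configuration, added here as an example (not configuration from either poster): the same Null0 placeholder route advertised first by an EIGRP network statement, then by OSPF, where a network statement cannot match it and a filtered redistribute static is needed instead. Assumptions: pool range 100.0.0.0/29 and EIGRP AS 99 from the original post; the OSPF process number, prefix-list name and route-map name are arbitrary.

```cisco
ip route 100.0.0.0 255.255.255.248 Null0
!
! EIGRP (distance vector): a static route that names an egress interface is
! treated like a connected network, so the network statement picks it up.
router eigrp 99
 network 100.0.0.0 0.0.0.7
!
! OSPF (link state): to OSPF the same route is only ever a static route.
! Redistribute it, but filter to the pool prefix so that every other static
! route on the box (default route, management routes, ...) does not leak too.
ip prefix-list NAT_POOL_ONLY seq 10 permit 100.0.0.0/29
!
route-map STATIC_TO_OSPF permit 10
 match ip address prefix-list NAT_POOL_ONLY
!
router ospf 1
 redistribute static subnets route-map STATIC_TO_OSPF
!
! Checks:
!   show ip protocols                    <- OSPF lists static as a redistribution source
!   show ip ospf database external       <- one Type-5 LSA, for 100.0.0.0/29 only
!   on a neighbour: show ip route ospf   <- expect an O E2 entry for 100.0.0.0/29
```

The route-map ends with an implicit deny, so only the one prefix-list match is redistributed; an unfiltered redistribute static is the usual way a default route or a lab management route ends up advertised to the provider by accident.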

Just to add to Peter's post:

The idea is that the other endpoint of your router's outside interface needs to know where to send traffic for the NAT pool range. You might even add a static route for that range on the other-end router, without using Null0 or advertising it on the router that is doing the NAT.

HTH

Hello Marwan,

Thanks!

Best regards,

Peter
