NAT - Translate outside source and destination.

Darren Frowen
Level 1

Hi,

I was wondering if anyone could advise on the following issue that we are trying to overcome. We wish to be able to translate both source and destination of an outside (Internet) initiated packet. With the following configuration, we can clearly see both the source and destination being translated when it hits the outside interface. However, we never see a hit on the IP NAT inside interface to translate back the original packet. We have confirmed that the traffic has returned to the inside interface by way of debug ip packet. We cannot understand why there are no hits on the inside interface. Please note that there will never be an initiated connection from the inside; connections will only ever be initiated from outside. Any help with this issue would be greatly appreciated.

interface FastEthernet0/0
 description Uplink to Firewall_DMZ
 ip address 10.10.102.187 255.255.255.192
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Uplink to Internet_Dirty
 ip address 2.2.70.99 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat pool Outside-Local-Source 10.10.102.187 10.10.102.187 prefix-length 26
ip nat inside source static 10.10.102.148 2.2.70.99
ip nat outside source list Outside-Global-Source pool Outside-Local-Source
ip route 0.0.0.0 0.0.0.0 2.2.70.253 name default_route_to_internet
!
ip access-list standard Outside-Global-Source
 permit 82.132.0.0 0.0.255.255

Initiate connection from outside only

----------------------------------------------------
Router#sh ip nat translations
Pro Inside global      Inside local       Outside local         Outside global
--- ---                ---                10.10.102.187         82.132.234.194
tcp 2.2.70.99:80       10.10.102.148:80   10.10.102.187:34347   82.132.234.194:34347
tcp 2.2.70.99:80       10.10.102.148:80   10.10.102.187:34348   82.132.234.194:34348
--- 2.2.70.99          10.10.102.148      ---                   ---

Debug IP nat detail shows the outside-initiated packet with translated source and destination
----------------------------------------------------
004240: *Apr  3 08:02:49.065 GMT: NAT*: o: tcp (82.132.234.194, 33969) -> (2.2.70.99, 80) [41383]
004241: *Apr  3 08:02:49.065 GMT: NAT*: s=82.132.234.194->10.10.102.187, d=2.2.70.99 [41383]
004242: *Apr  3 08:02:49.065 GMT: NAT*: s=10.10.102.187, d=2.2.70.99->10.10.102.148 [41383]
004243: *Apr  3 08:02:49.501 GMT: NAT: Existing entry found in the global tree,updating it to point to the latest node passed

Debug ip packet shows the return packet coming from the DMZ but no hit on the IP NAT inside interface
----------------------------------------------------
004262: *Apr  3 08:07:27.101 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004263: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004264: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004265: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004266: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004267: *Apr  3 08:07:27.105 GMT: IP: tableid=0, s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), routed via RIB
004268: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, output feature, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004269: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004270: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, rcvd 3
004271: *Apr  3 08:07:27.105 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, stop process pak for forus packet
004272: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004273: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, sending
004274: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004275: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004276: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004277: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004278: *Apr  3 08:07:27.109 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, sending full packet
004279: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004280: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004281: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004282: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004283: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004284: *Apr  3 08:07:30.481 GMT: IP: tableid=0, s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), routed via RIB
004285: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, output feature, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004286: *Apr  3 08:07:30.481 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004287: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187 (FastEthernet0/0), len 52, rcvd 3
004288: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.148 (FastEthernet0/0), d=10.10.102.187, len 52, stop process pak for forus packet
004289: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004290: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, sending
004291: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004292: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004293: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004294: *Apr  3 08:07:30.485 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, output feature, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
004295: *Apr  3 08:07:30.489 GMT: IP: s=10.10.102.187 (local), d=10.10.102.148 (FastEthernet0/0), len 40, sending full packet

Regards

Darren


6 Replies

Neeraj Arora
Level 3

Darren,

As per me, your config is not entirely correct. I understand that you want a user sitting outside to initiate a connection to the IP address assigned to your FastEthernet0/1 interface, and when it reaches your internal private server, the packet should look like it's coming from the IP assigned to the FastEthernet0/0 interface.

There are a couple of basic points which you overlooked:

1. Never configure static NAT using the IP addresses assigned to physical interfaces; it always creates some unwanted/unforeseen issues. And in your config you are using both the inside and outside interface IPs as translated IPs.

2. The "ip nat inside" & "ip nat outside" commands are not mentioned in the config above.

3. NAT behaves differently while a packet is going in->out and out->in; check how it works at the link below:

Very Basic rule of Network Address Translation (NAT)

http://blog.instruosolutions.com/2012/01/08/very-basic-rule-of-network-address-translation-nat-routers-switches/

Now the reason why you do not see NATing happen when the return traffic is sent from the server is that your server is sending traffic to 10.10.102.187, which is the router's inside interface, and the router never puts that packet on the outside interface. The rule of NAT says that, while going out, a packet will only be translated when it hits both the inside and the outside interface.

So you need to make some modifications in your config to make it work; here is something which I would suggest:

interface FastEthernet0/0
 description Uplink to Firewall_DMZ
 ip address 10.10.102.187 255.255.255.192
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip virtual-reassembly in
 duplex auto
 speed auto
 ip nat inside
!
interface FastEthernet0/1
 description Uplink to Internet_Dirty
 ip address 2.2.70.99 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip virtual-reassembly in
 duplex auto
 speed auto
 ip nat outside
!
ip nat pool Outside-Local-Source 10.10.102.190 10.10.102.190 prefix-length 26
ip nat inside source static 10.10.102.148 2.2.70.100
ip nat outside source list Outside-Global-Source pool Outside-Local-Source
ip route 10.10.102.190 255.255.255.255 2.2.70.253 name to_send_server_response_outside
ip route 0.0.0.0 0.0.0.0 2.2.70.253 name default_route_to_internet
!
ip access-list standard Outside-Global-Source
 permit 82.132.0.0 0.0.255.255

Hope it helps

Neeraj

Dear Neeraj,

Thank you so much for your assistance and configuration recommendation. You have solved our issue perfectly. We now have the configuration as you have suggested. We have one more issue to be resolved and would be extremely grateful for any more advice on how to resolve it. It appears that we can only achieve a single connection from the outside to the inside host. Is there a way of overloading to the 10.10.102.186 address, as I do not see the option on an ip nat outside source command?

interface FastEthernet0/0
 description Uplink to Firewall_Facin_DMZ
 ip address 10.10.102.187 255.255.255.192
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Uplink to Internet_Facing_Dirty
 ip address 2.2.70.99 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat pool Outside-Local-Source 10.10.102.186 10.10.102.186 prefix-length 26
ip nat inside source static 10.10.102.148 2.2.70.100
ip nat outside source list Outside-Global-Source pool Outside-Local-Source
!
ip route 0.0.0.0 0.0.0.0 2.2.70.253 name default_to_internet
ip route 10.10.102.186 255.255.255.255 2.2.70.253 name to_send_server_response_outside
!
ip access-list extended Outside-Global-Source
 permit tcp any host 2.2.70.100 eq www
 deny   ip any any log

Kindest Regards

Darren

Darren,

You cannot overload when using the "ip nat outside source" command, but there is a workaround for what you are looking for. Use a fictitious subnet for the outside translation, like 10.10.200.0/24. This way you can have 255 simultaneous connections.

Try the following config and check:

ip nat pool Outside-Local-Source 10.10.200.1 10.10.200.255 prefix-length 24
ip nat inside source static 10.10.102.148 2.2.70.100
ip nat outside source list Outside-Global-Source pool Outside-Local-Source
ip route 10.10.200.0 255.255.255.0 2.2.70.253 name to_send_server_response_outside
ip route 0.0.0.0 0.0.0.0 2.2.70.253 name default_route_to_internet
!
ip access-list standard Outside-Global-Source
 permit 82.132.0.0 0.0.255.255
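The two points Neeraj makes in this thread, that the server's reply is never translated because it is addressed to the router's own inside interface and so is consumed locally instead of being forwarded out the "ip nat outside" interface, and that "ip nat outside source" without overload binds one pool address per outside host, can be checked against a small model of the IOS NAT order of operations. The following Python is an added example written for this thread; it is not Cisco code and not something either poster provided. Addresses come from the posted configs; the list of outside client addresses used in the capacity check is constructed. The model assumes the packet order shown in the posted "debug ip nat detail" output (outside source translated first, then inside destination) and a longest-prefix routing lookup in which the router's own addresses are "local" and never forwarded.

```python
"""Model of Cisco IOS NAT order of operations for the configs in this thread.
Added example, not Cisco code and not part of the thread. Addresses are taken
from the posted configs; the outside "clients" in the capacity check are
constructed sample values."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatConfig:
    own_ips: set          # addresses owned by the router itself (interface IPs)
    inside_static: dict   # ip nat inside source static: inside local -> inside global
    outside_pool: list    # ip nat outside source ... pool: outside local addresses
    routes: list          # (prefix, egress interface); longest prefix wins


@dataclass
class NatState:
    bindings: dict = field(default_factory=dict)  # outside local -> outside global


def lookup_route(cfg, dst):
    """Longest-prefix match. A destination that is one of the router's own
    addresses is punted to the router ("forus" in debug ip packet) and is
    never forwarded out any interface."""
    if dst in cfg.own_ips:
        return "local"
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in cfg.routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def outside_to_inside(cfg, state, src, dst):
    """Packet entering on the 'ip nat outside' interface: the outside source is
    translated to a pool address first, then the inside destination.
    Without overload, one pool address is bound per outside host."""
    local = next((l for l, g in state.bindings.items() if g == src), None)
    if local is None:
        free = [p for p in cfg.outside_pool if p not in state.bindings]
        if not free:
            return None               # pool exhausted: no translation for this host
        local = free[0]
        state.bindings[local] = src
    inside_local = {g: l for l, g in cfg.inside_static.items()}.get(dst, dst)
    return local, inside_local


def inside_to_outside(cfg, state, src, dst):
    """Reply entering on the 'ip nat inside' interface. The inside->outside
    translation runs only if routing actually sends the packet out an
    'ip nat outside' interface; a locally destined packet is left untouched."""
    egress = lookup_route(cfg, dst)
    if egress != "outside":
        return egress, (src, dst)
    return egress, (cfg.inside_static.get(src, src), state.bindings.get(dst, dst))


def round_trip(cfg, client, inside_global):
    """One request from `client` to `inside_global` and the server's reply.
    Returns (egress chosen for the reply, (reply src, reply dst) as forwarded)."""
    state = NatState()
    translated = outside_to_inside(cfg, state, client, inside_global)
    if translated is None:
        return None
    outside_local, inside_local = translated
    # The server answers the address it saw, i.e. the pool address.
    return inside_to_outside(cfg, state, inside_local, outside_local)


def concurrent_clients(cfg, clients):
    """How many distinct outside hosts obtain a binding before the pool runs out."""
    state = NatState()
    inside_global = next(iter(cfg.inside_static.values()))
    return sum(1 for c in clients if outside_to_inside(cfg, state, c, inside_global) is not None)


# Darren's original config: the pool address is the inside interface itself.
ORIGINAL = NatConfig(
    own_ips={"10.10.102.187", "2.2.70.99"},
    inside_static={"10.10.102.148": "2.2.70.99"},
    outside_pool=["10.10.102.187"],
    routes=[("0.0.0.0/0", "outside")],
)

# Neeraj's workaround: a fictitious /24 pool routed back out the outside interface.
WORKAROUND = NatConfig(
    own_ips={"10.10.102.187", "2.2.70.99"},
    inside_static={"10.10.102.148": "2.2.70.100"},
    outside_pool=[f"10.10.200.{i}" for i in range(1, 256)],   # 10.10.200.1 - 10.10.200.255
    routes=[("10.10.200.0/24", "outside"), ("0.0.0.0/0", "outside")],
)

if __name__ == "__main__":
    print(round_trip(ORIGINAL, "82.132.234.194", "2.2.70.99"))
    # -> ('local', ('10.10.102.148', '10.10.102.187')): reply punted to the router, untranslated
    print(round_trip(WORKAROUND, "82.132.234.194", "2.2.70.100"))
    # -> ('outside', ('2.2.70.100', '82.132.234.194')): reply translated on the way out
    clients = [f"82.132.234.{i}" for i in range(1, 255)] + [f"82.132.235.{i}" for i in range(1, 5)]
    print(concurrent_clients(ORIGINAL, clients), concurrent_clients(WORKAROUND, clients))  # -> 1 255
```

The model reproduces both observations from the debug output: with the original pool the reply stops at the router as a "forus" packet and the NAT inside->outside step never runs, while with a pool that is routed toward the outside interface the reply is rewritten to the inside global and the client's real address. The capacity check shows why a one-address pool without overload serves only one outside host at a time, and why the /24 pool raises that to 255.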

Dear Neeraj,

When you say fictitious subnet, this will still have to be routable via the inside network correct? As the server needs to respond to that pool of NAT addresses?

Kindest Regards

Darren

yes...correct...but I am assuming that the servers are configured with router's inside ip address as their default gateway, so the return traffic will come back to the router

Dear Neeraj,

Actually no, the gateway is our firewall that sits between the router and the host. Completely understood though; we have now assigned a new pool and everything is working as it should. May I thank you once more for your excellent support.

Kindest Regards

Darren