What happens if a packet doesn't match any NAT entry?

Mitrixsen
Level 1

Hello, everyone.

Here is my topology:

[image: Mitrixsen_0-1738236871948.png]

Imagine that the network on the left is some internal network with private IPs that are being translated into 9.9.9.x. If I issue the following configuration:

[image: Mitrixsen_1-1738237053971.png]

This means that anyone from the network on the right will be able to access Host1 via the IP 9.9.9.55 using Telnet. Since Static PAT is bidirectional, this also means that any replies coming from Host1 will be translated from 10.1.1.11:23 into 9.9.9.55:23.

[image: Mitrixsen_2-1738237108049.png]

Now, my question is, what exactly happens if a packet is received that doesn't match any of the Static PAT entries that I've configured? In a NAT course that I am following, the instructor created a packet with the port number set to 25 and the PAT router sent a TCP RST message in return.

[image: Mitrixsen_3-1738237207510.png]

However, in my topology, the router replies with an ICMP Destination Unreachable message which is used when there isn't a route for the destination (which R1 doesn't have).

[image: Mitrixsen_4-1738237259239.png]

So what exactly makes the router drop the packet? The lack of the NAT entry or the lack of a route? What if there isn't a NAT/PAT entry that would match the packet? Is the packet immediately dropped or is it just not translated and then dropped due to a lack of route?

Thank you.

David

9 Replies

The NAT IP makes it routable for the router.

If the IP is not NATed, then the router cannot forward it and drops it.

The first reason we use NAT is for routing: it hides private IPs behind a public IP.

MHM

Friend, now start to see what happens inside the router.

Use

debug ip nat

debug ip policy

Check the output for both cases.

MHM

Hello
It will be because of the lack of translation before any lack of routing.
If you look up the NAT order of operations, it should show you the NAT order regarding domain NAT.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

In your topology, where is the 9.9.9.0/24 network?

Hello.

It isn't a network on its own, it's just the range of "public" IP addresses that I use for the translation. xR3 has a route only for that IP address range.

Hello @Joseph W. Doherty
The assumption is that the range is routable externally towards the NAT router, hence it's being used for translation.



Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

"However, in my topology, the router replies with an ICMP Destination Unreachable message which is used when there isn't a route for the destination (which R1 doesn't have)."

(Sorry, my prior reply was a hint based on why the particular error was returned.)

Exactly - because the 9.9.9.0/24 is unknown to R1.  The static PAT statement is valid, but there's no route for the 9.9.9.5 IP.

I assume your instructor's example has a value route for both inside and outside IPs.

"So what exactly makes the router drop the packet?  The lack of the NAT entry or the lack of a route?"

It depends on whether the packet is going inside to outside or the converse, because the NAT and routing order of execution differs, and on what information is missing or invalid.

"What if there isn't a NAT/PAT entry that would match the packet? Is the packet immediately dropped or is it just not translated and then dropped due to a lack of route?"

If there's no matching NAT/PAT, then the packet is processed normally, i.e. there's nothing to translate.

Assuming the actual NAT/PAT can be executed (unsure why the CLI would allow an invalid statement), only an operation whose failure precludes execution of a subsequent translation would preclude its execution.

Possibly this will help: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Addendum:

Again, my first reply was addressing the question why the particular error response.

My follow-on reply further delved into answers for your questions, which also depend on the order of operations. My first reply had noticed that @paul driver had touched upon that in his first reply, but in my second reply I forgot his first reply, and so needlessly provided the same reference rather than just referring to his original reply.

Giuseppe Larosa
Hall of Fame

Hello @Mitrixsen ,

The type of answer is platform dependent and also depends on the config.

A firewall and all NGFWs are zone based and answer with a TCP RST when an inbound connection is attempted from the public internet. This happens on Cisco ASA, Cisco ASA-X, Cisco FTD, Juniper SRX, Fortinet FortiGate and so on.

An IOS-XE router configured with ZBFW + NAT is likely to do the same.

In your configuration, using simple static NAT, the router acts as a router and is stateless. On the other hand, sending an ICMP unreachable is more efficient in terms of resources when a DoS attack is occurring.

Hope  to help

Giuseppe
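The behaviour Joseph and Giuseppe describe, as an added Python model that is not from the thread or from Cisco IOS: for outside-to-inside traffic the static PAT lookup runs before routing, so a packet with no matching entry is left untranslated and then dropped with an ICMP unreachable because R1 has no route for 9.9.9.0/24, while the stateful-firewall variant answers an unexpected inbound TCP packet with RST. The PAT entry, the 10.1.1.0/24 route and the `stateful` flag are assumptions built from the thread's example values.

```python
"""Toy model of the outside-to-inside path on a NAT router (added example,
not IOS code). Order of operations as the replies describe it: static PAT
lookup first, routing second. A packet with no PAT match is not dropped by
NAT; it is passed on untranslated and then fails (or succeeds) in routing."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Static PAT entry from the post: (inside global ip, port) -> (inside local ip, port)
STATIC_PAT = {("9.9.9.55", 23): ("10.1.1.11", 23)}

# R1's routing table (assumed): it knows the inside LAN but, as in the
# topology, has no route for 9.9.9.0/24, which is only a translation range.
ROUTES = {ip_network("10.1.1.0/24"): "inside"}


def route_lookup(dst_ip: str):
    """Longest-prefix match over ROUTES; None when no route exists."""
    addr = ip_address(dst_ip)
    matches = [n for n in ROUTES if addr in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def outside_to_inside(pkt: Packet, stateful: bool = False) -> str:
    """Decide what the device does with an outside-to-inside packet.

    Stateless router (default): translate when a PAT entry matches, then
    route; no route for the (un)translated destination -> ICMP unreachable.
    stateful=True: zone-based firewall behaviour, an inbound TCP flow with
    no translation/policy match is refused with a TCP RST instead.
    """
    entry = STATIC_PAT.get((pkt.dst_ip, pkt.dst_port))
    if entry is None and stateful and pkt.proto == "tcp":
        return "tcp-rst"
    # No match means nothing to translate: the packet is processed normally.
    new_ip, new_port = entry if entry else (pkt.dst_ip, pkt.dst_port)
    iface = route_lookup(new_ip)
    if iface is None:
        return "icmp-unreachable"
    return f"forwarded:{new_ip}:{new_port}->{iface}"
```

Running the thread's two cases: port 23 to 9.9.9.55 is translated and forwarded, port 25 is left untranslated and draws an ICMP unreachable from the stateless router but a TCP RST from the stateful model.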