Solved: CISCO 861 NAT questions

sebionofrei · ‎02-05-2013

Hello,

I have a CISCO 861 router, and here's the scenario I want to achieve (regarding ISP and NAT)

FastEthernet 4

Assign IP 89.45.204.117 255.255.255.248 ( ip address x.x.x.x x.x.x.x )

Assign IP 89.45.202.117 255.255.255.240 ( ip address x.x.x.x x.x.x.x secondary )

VLan1 (dhcp server) 10.11.12.0 255.255.255.0 (done)

I want to achive 2 tipes of NAT, as following:

internat-to-external translation (so I go out using different IP addresses I have)
external-to-internal translation (so I can access local private machines from outside world)

In CentOS iptables, (1) is done something like this:

iptables -t nat -A POSTROUTING -s 10.11.12.20 -o $EXTIF -j SNAT --to-source 89.45.204.118

In CentOS iptables, (2) is done something like this:

iptables -t nat -A PREROUTING -p TCP -d 89.45.204.117 --dport 80 -j DNAT --to 10.11.12.70:80

As far as I understood, on a Cisco IOS, (2) is done something like this:

ip nat inside source static tcp 10.11.12.70 80 89.45.204.117 80 extendable

I don't get how to setup the number (1) ...

P.S. The public IP address on FastEthernet 4 are setup up with ip address and ip address secodnary.

Many thanks.

Peter Paluch · ‎02-05-2013

Hello Sebastian,

Let me explain the NAT as implemented on Cisco devices from a different angle - perhaps that will clarify things.

All translations you need to configure will be configured using the ip nat inside source command, regardless of whether the connection is initiated from inside or from outside of your network.

The ip nat inside source command is used to define a multitude of different NAT behaviors:

A static 1:1 mapping between an internal and external IP address (no ports). This way, you basically expose the whole station having the particular internal IP address to the outside world using the configured external address. At any time, a connection can be initiated from the inside IP address (and it will be translated to the configured outside address), or a connection can be initiated to the outside IP address (and it will be translated to the configured inside address). The mapping is 1:1 meaning that a single internal IP address must be mapped to just one outside IP address, and an outside IP address must be mapped to just one internal IP address. In other words, you need as many outside IP addresses as many internal IP addresses you want to expose this way. The syntax of the command is ip nat inside source static I.I.I.I O.O.O.O where I.I.I.I is the inside IP address and O.O.O.O is the outside IP address.
A static 1:1 mapping between a particular internal and external IP and a transport port. The behavior is identical to the behavior described in the previous type, with the notable difference that the translation applies only to traffic sourced from the particular inside IP/port combination, or to traffic destined to the particular outside IP/port combination. This kind of translation is configured using the ip nat inside source static { tcp | udp } I.I.I.I p O.O.O.O P where I.I.I.I and O.O.O.O are inside/outside IP addresses, p is the inside port and P is the outside port. You may reuse the I.I.I.I and O.O.O.O as long as the translations remain unique, i.e. the particular combination of I.I.I.I and p, or O.O.O.O and P must never be used twice.
A dynamic 1:1 mapping between a set of internal IP addresses and an equally sized (or larger) pool of outside IP addresses. What this configuration does is assigning each inside IP address a particular outside IP address whenever a connection is initiated from the inside IP address. This mapping exists for a limited period of time and expires after the inside IP address stops communicating with the outside world. Therefore, during longer periods of time, a single inside IP address may get translated to different outside IP addresses, hence there is no fixed 1:1 mapping between inside and outside addresses. The mapping is only temporary and changes over time. Connections initiated to the outside IP address succeed only if there is currently a mapping created for this outside IP address, otherwise they fail. I am not sure if you want to configure this kind of NAT behavior so I am not including a configuration example right now. If you want your NAT to behave this way, let me know.
A dynamic M:1 mapping between a set of internal IP addresses and a smaller pool of outside IP addresses. This basically refers to the typical -j SNAT type of NAT behavior under Linux when hiding several internal IP addresses under a single outside IP address using both address and port rewriting. A special case of this configuration is NATting to the outside IP address configured on a particular interface, similar to the MASQUERADE target in Linux.

Types 1. and 2. in this description do not refer to ACLs because they are static, i.e. they perfectly specify the inside and outside address already. However, the dynamic mappings in types 3. and 4. above must use an ACL to specify what traffic is to be translated. If, therefore, using dynamic mappings, it is mandatory to create an ACL that selects the traffic to be handled by the dynamic NAT, and in addition, this ACL should explicitly exempt the traffic that is already handled by static NAT entries from also being handled by this dynamic NAT. Otherwise, this traffic could under circumstances be incorrectly translated.

From what you have indicated, I believe that you want to go with NAT configuration types 1. and 2. as described earlier in this post. Would this be what you are looking for?

Best regards,

Peter

View solution in original post

Peter Paluch · ‎02-06-2013

Hello Sebastian,

I went over the configuration, and:

Do you need to tweak the TCP MSS using the ip tcp adjust-mss 1452 command on your Vlan1 interface? If you are not running over DSL service and if you can send your IP packet of the size up to 1500 bytes (the standard) then this command forces all TCP connections to use a smaller Maximum Segment Size, resulting in larger overhead.
As you do not have any Dialer interfaces configured, you can safely remove the dialer-list 1 command

Apart from this, I see no configuration tidbits that could decrease the performance of your router.

Best regards,

Peter

View solution in original post

Peter Paluch · ‎02-06-2013

Hello Sebastian,

I am sorry... No tricks possible with the 800 series routers. See the attached datasheet... According to that, the 860 series routers have their throughput with IMIX 64-byte packets rated at roughly 12-13 Mbps. Your throughput is higher, no doubt owing to larger-size packets, but I am afraid it is at this device's limits.

Cisco's ISR series routers, especially the lower platforms, are not really built for full wireline performance. While packed with different features, their forwarding performance is not that great. These routers have traditionally been used at WAN edge towards generally low-speed WAN technologies where the performance impact was not that noticeable.

I am sorry about this but I am afraid that indeed, this router with its CPU rated on hundreds of MHz at most cannot compete with your former Linux machine.

Best regards,

Peter

View solution in original post

Peter Paluch · ‎02-05-2013

Hello Sebastian,

The first requirement should be relatively easy to configure - you first define an ACL saying what kinds of packets you want to translate, and then you configure how they should be translated. This ACL should explicitly disallow matching the same packets that would be translated by the static entry (to remove an ambiguosity when creating/using NAT entries), and allow other inside-to-outside traffic to be NATted.

ip access-list extended NAT

deny tcp host 10.11.12.70 eq 80 any

permit ip 10.11.12.0 0.0.0.255 any

!

ip nat inside source list NAT interface FastEthernet4 overload

This should hopefully do the trick.

Best regards,

Peter

sebionofrei · ‎02-05-2013

Dunno if that helps.. i don't see how.

I kind'a need this extended. For example, follow this scenario:

10.11.12.1 goes out via 89.45.x.x
10.11.12.2 goes out via 89.45.x.y
10.11.12.3 goes out via 89.45.x.z

And on the other side,

http://89.45.x.x needs to point to internal 10.11.12.222 for example
ftp://89.45.x.y needs to point to internal 10.11.12.33 for example
ssh 89.45.x.z needs to point to internal linux box with ip 10.11.12.11 for example

So ... will that access list help me ?

Peter Paluch · ‎02-05-2013

Hi Sebastian,

You did not indicate in your original post that you want to set up your mappings in this particular way.

10.11.12.1 goes out via 89.45.x.x
10.11.12.2 goes out via 89.45.x.y
10.11.12.3 goes out via 89.45.x.z

Do you want to set up these mappings statically, or do you want the router to create them for you on the fly? In particular, do you specifically need a 1:1 mappings between your inside and outside addresses?

http://89.45.x.x needs to point to internal 10.11.12.222 for example
ftp://89.45.x.y needs to point to internal 10.11.12.33 for example
ssh 89.45.x.z needs to point to internal linux box with ip 10.11.12.11 for example

This will be accomplished using the (2) style you have posted.

Best regards,

Peter

sebionofrei · ‎02-05-2013

Hi Peter,

I want to define all (1) statically

Basically I want a rule so that ALL IP addresses go out via some IP address, assume 89.45.204.222 for example.

But some specific IP addresses I need to go out via specific public IP addresses. And yes, I want total control on which internal IP to which external IP is bound.

Many thanks.

Peter Paluch · ‎02-05-2013

Hello Sebastian,

Let me explain the NAT as implemented on Cisco devices from a different angle - perhaps that will clarify things.

All translations you need to configure will be configured using the ip nat inside source command, regardless of whether the connection is initiated from inside or from outside of your network.

The ip nat inside source command is used to define a multitude of different NAT behaviors:

A static 1:1 mapping between an internal and external IP address (no ports). This way, you basically expose the whole station having the particular internal IP address to the outside world using the configured external address. At any time, a connection can be initiated from the inside IP address (and it will be translated to the configured outside address), or a connection can be initiated to the outside IP address (and it will be translated to the configured inside address). The mapping is 1:1 meaning that a single internal IP address must be mapped to just one outside IP address, and an outside IP address must be mapped to just one internal IP address. In other words, you need as many outside IP addresses as many internal IP addresses you want to expose this way. The syntax of the command is ip nat inside source static I.I.I.I O.O.O.O where I.I.I.I is the inside IP address and O.O.O.O is the outside IP address.
A static 1:1 mapping between a particular internal and external IP and a transport port. The behavior is identical to the behavior described in the previous type, with the notable difference that the translation applies only to traffic sourced from the particular inside IP/port combination, or to traffic destined to the particular outside IP/port combination. This kind of translation is configured using the ip nat inside source static { tcp | udp } I.I.I.I p O.O.O.O P where I.I.I.I and O.O.O.O are inside/outside IP addresses, p is the inside port and P is the outside port. You may reuse the I.I.I.I and O.O.O.O as long as the translations remain unique, i.e. the particular combination of I.I.I.I and p, or O.O.O.O and P must never be used twice.
A dynamic 1:1 mapping between a set of internal IP addresses and an equally sized (or larger) pool of outside IP addresses. What this configuration does is assigning each inside IP address a particular outside IP address whenever a connection is initiated from the inside IP address. This mapping exists for a limited period of time and expires after the inside IP address stops communicating with the outside world. Therefore, during longer periods of time, a single inside IP address may get translated to different outside IP addresses, hence there is no fixed 1:1 mapping between inside and outside addresses. The mapping is only temporary and changes over time. Connections initiated to the outside IP address succeed only if there is currently a mapping created for this outside IP address, otherwise they fail. I am not sure if you want to configure this kind of NAT behavior so I am not including a configuration example right now. If you want your NAT to behave this way, let me know.
A dynamic M:1 mapping between a set of internal IP addresses and a smaller pool of outside IP addresses. This basically refers to the typical -j SNAT type of NAT behavior under Linux when hiding several internal IP addresses under a single outside IP address using both address and port rewriting. A special case of this configuration is NATting to the outside IP address configured on a particular interface, similar to the MASQUERADE target in Linux.

Types 1. and 2. in this description do not refer to ACLs because they are static, i.e. they perfectly specify the inside and outside address already. However, the dynamic mappings in types 3. and 4. above must use an ACL to specify what traffic is to be translated. If, therefore, using dynamic mappings, it is mandatory to create an ACL that selects the traffic to be handled by the dynamic NAT, and in addition, this ACL should explicitly exempt the traffic that is already handled by static NAT entries from also being handled by this dynamic NAT. Otherwise, this traffic could under circumstances be incorrectly translated.

From what you have indicated, I believe that you want to go with NAT configuration types 1. and 2. as described earlier in this post. Would this be what you are looking for?

Best regards,

Peter

sebionofrei · ‎02-05-2013

Hi Peter, indeed seems right about what you say. I will try to accomplish my scenario and fill your answer as correct if the case.

I just saw now there is a ip nat inside and ip nat outside ... what's the difference between these 2?

Many thanks.

Peter Paluch · ‎02-05-2013

Hello Sebastian,

The ip nat outside source command defines a mapping between so-called outside global and outside local IP addresses. Basically, it makes the internal machines see and talk to external, outside IP addresses under different IP space than the outside IP addresses really exist in. For example, you might want to make an outside IP address 192.0.2.3 appear as 10.0.2.3 to the inside machines for whatever purposes. This is where the ip nat outside source would come handy. I have not seen this command being used much, though.

Best regards,

Peter

sebionofrei · ‎02-05-2013

Hi Peter,

Thanks very much for all your detailed replies, they helped me fix it all.

As a side note, are there any special settings I have to make on a CISCO router so that it will work at full speed? Something like tips and tricks?

I'm mostly interested in upload optimizations, as download is less important in my case.

Many thanks.

Peter Paluch · ‎02-05-2013

Hello Sebastian,

Default settings of recent IOS-based routers usually do not require any tweaking for a fine performance. To be honest, I would need to see your entire configuration to see if there is any obvious opportunity for an improvement.

Best regards,

Peter

sebionofrei · ‎02-06-2013

Hi Peter,

My config is almost like in this topic: https://supportforums.cisco.com/thread/2196400

The only difference now is that I made the NAT as per your advices.

Many thanks.

Peter Paluch · ‎02-06-2013

Hello Sebastian,

I went over the configuration, and:

Do you need to tweak the TCP MSS using the ip tcp adjust-mss 1452 command on your Vlan1 interface? If you are not running over DSL service and if you can send your IP packet of the size up to 1500 bytes (the standard) then this command forces all TCP connections to use a smaller Maximum Segment Size, resulting in larger overhead.
As you do not have any Dialer interfaces configured, you can safely remove the dialer-list 1 command

Apart from this, I see no configuration tidbits that could decrease the performance of your router.

Best regards,

Peter

sebionofrei · ‎02-06-2013

Many thanks Peter, God bless you!

--sebastian.

sebionofrei · ‎02-06-2013

Hello,

I'm quite dissappointed in this router's performance.

I managed to configure it exactly as I wanted, all seems fine, but it seems its performance is not what I expected.

Question: does anyone know what CPU power does this router have?

I'm asking this because it seems with 12 NAT static translations it gets really really slow when it comes to speed.

With my linux box i get constant 80mbit download and 45-46 upload... with this router and no other computer conencted to the lan (but my test laptop) I could only get a maximum of 30mbit download and 20 upload ...

And it spends a lot of time before connecting to either a download or upload process.

Anyway... before i return it back (i hope to be able to... it costed me ~350$ here in Romania)... is there a trick to optimize at maximum its upload/download speeds?

I really really have a hunch that its CPU is too weak for NAT. And we all know that NAT & routing together eat a lot of CPU. My hunch here is that this router has a CPU not bigger than 300MHz. Does anyone know something for real?

I'm really really dissappointed by its performance.

Probably for a really small company that only needs internet access and security... it may be a good choise. But I don't get why they added NAT knowing it will slow it down.

Many thanks. I kinda hope there is a trick somewhere. I believed until today that a CISCO router will not dissapoint me. What a shame!

Peter Paluch · ‎02-06-2013

Hello Sebastian,

I am sorry... No tricks possible with the 800 series routers. See the attached datasheet... According to that, the 860 series routers have their throughput with IMIX 64-byte packets rated at roughly 12-13 Mbps. Your throughput is higher, no doubt owing to larger-size packets, but I am afraid it is at this device's limits.

Cisco's ISR series routers, especially the lower platforms, are not really built for full wireline performance. While packed with different features, their forwarding performance is not that great. These routers have traditionally been used at WAN edge towards generally low-speed WAN technologies where the performance impact was not that noticeable.

I am sorry about this but I am afraid that indeed, this router with its CPU rated on hundreds of MHz at most cannot compete with your former Linux machine.

Best regards,

Peter