
nat scenario

sarahr202
Level 5

Hi everybody.

I have a few questions about NAT.

Scenario 1:

Let's say we have a router, R, performing static NAT for our host, h1, connected to the router's f0 (i.e. NAT is used to protect the host from attacks from the internet). For the sake of brevity, only NAT-related commands are shown.

h1-----f0/0--R s0------internet

Router config.

Int S0

ip nat outside

Int F0

ip nat inside

ip nat inside source static 199.199.199.1 200.200.200.1

1) Let's say a host h2 across the internet wishes to initiate communication with h1. Since the command "ip nat outside" is configured on the s0 interface, router R will drop the packet coming from h2. The router will only allow those communications between h1 and other hosts across the internet which are initiated by h1. Is that correct?

2) When the router receives a packet on its f0 interface (inside interface), the router will perform the routing table lookup first and then NAT. Correct?

3) When the router receives a packet on its s0 interface (outside interface), the router will perform NAT and then the routing table lookup. Correct?

=====================================================================================================

Scenario 2:

h1------f0 R s0------network--h2

h1 199.199.199.2

s0  address  is 200.200.200.2

h2 199.199.199.4

Both h1 and h2 are on overlapping networks. h2 is assigned 199.199.199.4. The router must change the source IP address in the packet received from h2 and destined for h1 in order to enable communication between h1 and h2. Further assume that we must use the "ip nat outside source" command on R to perform NAT.

So with the above conditions in mind, we configured our router as follows:

(Again, NAT-related config is shown for brevity.)

R:

ip nat outside source static 199.199.199.4 100.100.100.100

s0

ip nat inside  (I am not sure what I should configure under s0: should it be ip nat inside or outside? The reason I configured ip nat inside is that the packet from h2 enters s0 to reach h1, so translation must be performed.)

f0

ip nat outside  (My rationale for using ip nat outside under f0 is that packets from h2 have already been translated and need to exit the router via f0.)

But then the question arises: will h1 be able to initiate communication with h2? My underlying assumption is that when ip nat outside is used under an interface, the router will reject all messages requesting to initiate communication with the host/hosts reachable via the interface configured with "ip nat inside".

Thanks and have a great weekend.

Accepted Solutions

Hi,

1) No, the static NAT is bidirectional, so if there is a packet with the destination 200.200.200.1 on the S0 interface, the router will change the destination to 199.199.199.1.

2) Yes.

3) If you stick with S0 - outside and F0 - inside, you are correct.

You might wanna have a look at:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
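
Added example (not part of the original thread, and not Cisco code): a small Python model of scenario 1 that applies the static entry in both directions and records the order of routing and NAT on each interface. The routing table, the /24 inside prefix and the h2 address 203.0.113.10 are assumptions constructed for the illustration.

```python
import ipaddress

# Static entry from the post: inside local -> inside global
STATIC_NAT = {"199.199.199.1": "200.200.200.1"}
REVERSE = {glob: local for local, glob in STATIC_NAT.items()}

# Assumed routing table: inside prefix via F0, default route via S0
ROUTES = [
    (ipaddress.ip_network("199.199.199.0/24"), "F0"),
    (ipaddress.ip_network("0.0.0.0/0"), "S0"),
]
NAT_ROLE = {"F0": "inside", "S0": "outside"}


def route(dst):
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(in_if, src, dst):
    """Model one packet through R and record the order of operations."""
    steps = []
    if NAT_ROLE[in_if] == "inside":
        # Inside -> outside: route first, then translate the source
        out_if = route(dst)
        steps.append("route")
        if NAT_ROLE[out_if] == "outside" and src in STATIC_NAT:
            src = STATIC_NAT[src]
            steps.append("nat")
    else:
        # Outside -> inside: translate the destination, then route.
        # A static entry matches with no prior outbound session.
        if dst in REVERSE:
            dst = REVERSE[dst]
            steps.append("nat")
        out_if = route(dst)
        steps.append("route")
    return {"out_if": out_if, "src": src, "dst": dst, "steps": steps}


if __name__ == "__main__":
    # h2 (constructed address) opens a connection to h1's global address
    print(forward("S0", "203.0.113.10", "200.200.200.1"))
    # h1 opens a connection to h2
    print(forward("F0", "199.199.199.1", "203.0.113.10"))
```

In this model the h2-initiated packet is translated and delivered out F0, so the static entry does not filter inbound connections; restricting them takes an access list or firewall policy on S0. Routing the untranslated destination 200.200.200.1 would select the default route back out S0, which is why translation has to come before the lookup on the outside interface.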

Thanks, Dan.