cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12524
Views
0
Helpful
8
Replies

Order Of Operations NAT

cheery Tomato
Level 1
Level 1

Is someone able to confirm this is the correct order of operations for NAT.

Is there anything else that can be added to this network flow to make if more complete?

NAT Order Of Operations.jpg

Any assistance is greatly appreciated.

8 Replies 8

Peter Paluch
Cisco Employee
Cisco Employee

Hello Tom,

I have always used the following document as a reference:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Best regards,

Peter

Cheers for the reply Peter,

That was the article I was working with.

I dont understand how the Decryption occurs in an Inside-To-Outside translation

or the encryption of an Outside-To-Inside translation?

Inside-to-Outside

Outside-to-Inside

  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

Hello Thomas,

I would hypothesize that the decryption in the in-to-out and encryption in the out-to-in paths are related to IPsec VPNs in which the clients are considered "inside" and they are accessing the outside internet. Think of a teleworker using a IPsec-protected access to internet via his/her company infrastructure. After creating an IPsec tunnel terminated at an interface marked as "inside", the teleworker's IPsec-protected traffic arrives at the router, is decrypted and after routing out through an "outside" interface, it is being NATted. For the return traffic, it is NATted from "outside" to "inside", then sent to the teleworker IPsec-encrypted.

This is I how understand it.

Best regards,

Peter

Cheers Peter,

So is this a correct interpretation of the NAT order of operations for an encrypted packet?

NAT Order Of Operations_NATTraversal.jpg

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

!

inside-to-outside
!
policy routing
routing
nat translation
!
outside-to-inside
nat translation
policy-routing
routing

!

HTH

andnagy122
Level 1
Level 1

Hello guys,

I have the same problem and as I can see here, this is not answered yet.

I looked after this topic and I found the following:

Inside-to-Outside:

  • policy routing
  • routing
  • NAT inside to outside (local to global translation)

Outside-to-Inside:

  • NAT outside to inside (global to local translation)
  • policy routing
  • routing

I understand that by out-to-in direction NATing happens first and only then routing, this is logical, since the main point would be in to route only a private IP in the intern network instead of a public one.

But in case of in-to-out direction, I don't see the logic of making routing before NATing.

In order to properly route the packet with a public destination address, it first has to be NATted back from the private IP.

Did I understand something incorrectly?

Thanks in advance!

The reason it needs to check routing and policy routing first on in-to-out NAT translations is that there are likely several interfaces it could use to reach the next hop for routing and therefore the exit interface needs to be determined prior to invoking NAT because maybe you NAT it to different outside global address space depending on the interface which it leaves the router.  On the out-to-in, you likely don't control the path in which it comes in because the most common (but not the ONLY) use case is traffic coming into the device from the internet and again the most common setup is a single, predictable and consistent interface on the router.  So it's going to perform the UN-NAT first, and then use routing and policy routing to determine the inside interface it should go to in order to reach the final destination.

Old thread but came up in my searches and the question asked by @andnagy122 is what i had in mind as well . Cant really think of any reason why if the routing is correct the NAT cannot be performed before the routing. However for policy based routing that may look at source you would understand why policy-routing comes before NAT. The only reason that comes to mind is, Cisco or any vendor would want to combine the policy routing and routing together so to have all routing functions come first and not separate routing before and after NAT. So trying to avoid something like: 

Policy Routing

NAT

Routing

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: