1380 Views, 10 Helpful, 7 Replies

Route setup and why translate outside source in NAT.

SJ K
Level 5

Hi all,

I am diving into the confusing topic of NAT. I have set up a lab using NAT with both inside source and outside source, and it is working fine.

(it's a simple setup, but I spent 3 hours doing it ;/)

 

Router 0

! inside local 10.10.10.2 <-> inside global 171.16.68.2
ip nat inside source static 10.10.10.2 171.16.68.2
! outside global 172.16.69.2 <-> outside local 30.30.30.2
ip nat outside source static 172.16.69.2 30.30.30.2

 

Router 1

! inside local 30.30.30.2 <-> inside global 172.16.69.2
ip nat inside source static 30.30.30.2 172.16.69.2
! outside global 171.16.68.2 <-> outside local 10.10.10.2
ip nat outside source static 171.16.68.2 10.10.10.2

 

q1) On Router 0, I need to set up the static route "ip route 172.16.69.0 255.255.255.0 20.20.20.2" to route traffic to the NAT IP of Router 1, and

on Router 1, I need to set up the static route "ip route 171.16.68.0 255.255.255.0 20.20.20.1" to route traffic to the NAT IP of Router 0.

Is there any way whereby a static route does not need to be used? (I doubt so ..?) Unless the two routers are sharing the same NAT range (is it right to do so?)

 

q2) I understand the benefits of

using inside source to outside:

a) hide internal IPs from the external network by converting the internal source (inside local) to an external source (inside global)

b) allow internal IPs to communicate with the external network

using outside source to inside:

a) hide external IPs from the internal network ??? - converting the outside source (outside global) to an internal source (outside local) -- but what for?

b) to choose an outgoing route different from the incoming route on which the packet was received, by changing the source of the incoming packet, so that when replying back, it will use the changed source (outside local) as the destination and take another route ??

Sorry for my lousy creativity.

 

 

Regards,
Noob


7 Replies

Marko Rodic
Level 1

urgh...

I think you are having a problem grasping the concept of NAT...

q1) You have to have a route, regardless of NAT. It is just a question of when you are going to use the route, before or after NAT (for example, dst NAT is changing the route, so to speak, but you still need to have one).

If two routers have the same range of addresses, then you need to know which range that is and how you should address it. They might have the same range of private IP addresses, in which case you need to NAT the private addresses so the other router knows how to reach the other network (i.e. if you have the same private addresses and you do not NAT them, then the router will never be able to reach the other side...)

q2) Again, the concept of NAT.... Whether you are using outside NAT or inside NAT, it is still the same: changing an IP address. So you are not hiding anything (even though many suppliers use "hide" as an expression... I think some even use "hide" as part of their NAT syntax); you are simply changing an IP address to fit your purpose. So you might need to change an outside IP to access some device in a private range (i.e. you have a web server with a private address and you want to access it via a public IP, so you need to change your public IP to the private IP... or you have a new office and you put your server there, but public DNS is still pointing to your old IP, so you will have dst NAT that changes your public IP to the public IP of a different router...)

Second part of the question... I'm not even sure what you are asking? :s If I understood it correctly, it will not change the dst address unless you are doing source NAT, which in this example you aren't.

I think you are doing it all wrong... You are setting up a lab and then thinking about what you can get with it. You should reverse it: first think about what you want to achieve, and then try setting up the lab that will do it. This way, I think you are just confusing yourself. And the difference in NAT is source NAT (changing the source address of the packet), destination NAT (changing the dst address) and static NAT (doing full 1-to-1 NAT that is bidirectional).

Hi Mark,

Thank you for your opinion.

for q1) I know that I would need to have a route; the question is, can it not be discovered dynamically for the NAT addresses instead of configuring a static route?

for q2) My question is, under what scenario would it be good to change the source of an incoming packet? Since routing doesn't depend on the source address, except when replying back to the source.

In my example, I am doing both src and dst NAT on both the inside and outside of the router.

============

 

Regards,
Noob

 

q1) It can't, unless you are using OSPF or some other dynamic protocol. The proper route will be chosen from the routing table, but you still need to have that route statically implemented. Again, unless you are using a dynamic routing protocol such as OSPF, EIGRP, IS-IS...

q2) As I said, if you have the same IP addresses, then you have to change the source address of the incoming packet. Outside of that, source address changes are rarely used... You might want to access an "unroutable" address, maybe, or access an IP address whose default gateway is on another router; then you need to change the source.

For example: you are doing dst NAT of address 200.200.200.200 to IP address 192.168.200.20. Now, your router has IP address 192.168.200.1, but you have a second router in your network with address 192.168.200.254 (that router is used for accessing some L3 private networks, or something like that), and that router is the default gateway for address 192.168.200.20... In this case, you need to change the source address too (to something from the 192.168.200.x network), otherwise it will send the reply packet to 192.168.200.254 instead of 192.168.200.1.

Hi Marko,

"It can't, unless you are using OSPF or some other dynamic protocol. The proper route will be chosen from the routing table, but you still need to have that route statically implemented. Again, unless you are using a dynamic routing protocol such as OSPF, EIGRP, IS-IS..."

q1) Can you confirm whether a dynamic routing protocol is able to detect and set up the route for the NAT addresses? I am not talking about the point-to-point / transit IPs between the routers.

Meaning, in my example above, can dynamic routing protocols set up a route for the NAT addresses (172.16.69.0/24) and (172.16.68.0/24) respectively for Router0 and Router1?

q2) In your context against Cisco,

"dst nat" = ip nat outside source = changing the destination IP address when going to the outside network?

"src nat" = ip nat inside source = changing the source IP address when going to the outside network?

 

Regards,
Noob

 

q1) You can use a loopback interface, assign your NAT subnet to that, and then include that in the routing protocol.

Another way is to configure a static route for the NAT subnet and redistribute it into your routing protocol.

I agree with Marko on your lab. NAT can be quite complex, so I don't understand why you have set it up on both routers. You have basically tried to copy the NAT statements on each router, and there is no need for that.

I would just do it on one router and keep it simple.

Jon

Hi Jon,

 

Thanks for the reply.


To be honest, I have no idea how I came up with the lab either; I just thought that with the lab I could visualize better and start to think of why there would be a use and need to translate a destination address (outside src) to something else ..

 

Regards,
Noob

 

q1) Yes, they can. You need to be in the same OSPF area, and the routers need to advertise their NAT addresses; these routers will dynamically exchange information about their networks, which would lead to dynamically created routes... But the whole process is a bit more complex, so I would advise you to understand NAT and routes first, and then go on to OSPF.

q2) dst NAT = change of destination address. Going from your inside network to the outside, or coming from the outside network to the inside, it doesn't matter; it is a change of the destination IP.

src NAT = same as dst; you just change the source address instead of the destination.

ip nat outside and ip nat inside only define where you are going to use NAT, not how. For example, if you do this:

access-list 101 permit ip any any
ip nat inside source list 101 interface public_interface overload
ip nat inside source static tcp private_IP 80 public_IP 80

then on the outside interface put: ip nat outside

and on the inside interface put: ip nat inside

You have done both src NAT (everything going from your private network will be translated on your public interface) and dst NAT (port forwarding actually, which is one example of dst NAT... so everything that arrives on the public IP on port 80 will be translated to private_IP on port 80)... So using the ip nat inside command you have achieved both src and dst NAT.

As Jon pointed out, NAT can be a pretty complex thing, and you need to understand it first, then use it... because there is no simple answer to the question "what am I getting with ip nat inside source and what is the difference if I use ip nat outside source".
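Added example, written for this page and not taken from any post in the thread: a Python model of how IOS applies the NAT statements discussed above to a packet in each direction. It covers the inside/outside source static entries of q2, the overload plus static tcp/80 pair from the reply just above, and the q1 question of which address a route must cover. The model follows the NAT order of operations Cisco documents for IOS: for inside-to-outside traffic the route lookup happens before translation, against the destination the inside host actually sent to (the outside local address, which is why `ip nat outside source static` has an add-route keyword that installs a route for that address), while for outside-to-inside traffic translation happens first and the lookup uses the translated destination. Router 0's two entries and its 172.16.69.0/24 static route are taken from the original post. The interface labels, the `add_static` helper, the port allocation rule for overload, an access list that permits everything (as Marko's `permit ip any any` does), and every address in demo_port_forward_and_overload (RFC 5737 documentation ranges) are assumptions made for the example.

```python
# Added example, not code from the thread; see the lead-in for what is assumed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip": ports are not consulted, as for a plain static entry
    sport: int = 0
    dport: int = 0

class NatRouter:
    def __init__(self, routes, overload=None):
        self.routes = {ip_network(p): nh for p, nh in routes.items()}
        self.static = []          # entries built by add_static()
        self.overload = overload  # "interface <public_interface> overload" address
        self.dynamic = {}         # PAT table: public port -> (inside local, port)

    def add_static(self, kind, local, glob, proto="ip", lport=0, gport=0):
        # "inside" mirrors ip nat inside source static; "outside" mirrors ip nat outside source static
        self.static.append(dict(kind=kind, proto=proto, local=local,
                                local_port=lport, glob=glob, glob_port=gport))

    def route(self, dst):   # longest-prefix match; raises if nothing covers dst
        hits = [n for n in self.routes if ip_address(dst) in n]
        if not hits:
            raise LookupError(f"no route to {dst}")
        return self.routes[max(hits, key=lambda n: n.prefixlen)]

    def _lookup(self, kind, side, proto, addr, port):
        # Match addr/port on `side` ("local"/"glob") of an entry; return the other side.
        other = "glob" if side == "local" else "local"
        for e in self.static:
            if e["kind"] != kind or e[side] != addr:
                continue
            if e["proto"] != "ip" and (e["proto"], e[side + "_port"]) != (proto, port):
                continue               # a tcp/udp entry only matches its own port
            return e[other], (e[other + "_port"] if e["proto"] != "ip" else port)
        return None

    def _pat_port(self, pkt):  # assumed rule: reuse the session's port; keep sport if free
        for pport, session in self.dynamic.items():
            if session == (pkt.src, pkt.sport):
                return pport
        pport = pkt.sport if pkt.sport not in self.dynamic else max(self.dynamic) + 1
        self.dynamic[pport] = (pkt.src, pkt.sport)
        return pport

    def inside_to_outside(self, pkt):
        """IOS order for inside-to-outside: route first, then translate."""
        via = self.route(pkt.dst)          # lookup on the untranslated destination
        hit = self._lookup("inside", "local", pkt.proto, pkt.src, pkt.sport)
        if hit:                            # inside local -> inside global
            pkt = replace(pkt, src=hit[0], sport=hit[1])
        elif self.overload:                # no static entry: PAT (ACL assumed "any")
            pkt = replace(pkt, src=self.overload, sport=self._pat_port(pkt))
        hit = self._lookup("outside", "local", pkt.proto, pkt.dst, pkt.dport)
        if hit:                            # outside local -> outside global
            pkt = replace(pkt, dst=hit[0], dport=hit[1])
        return pkt, via

    def outside_to_inside(self, pkt):
        """IOS order for outside-to-inside: translate first, then route."""
        hit = self._lookup("outside", "glob", pkt.proto, pkt.src, pkt.sport)
        if hit:                            # outside global -> outside local
            pkt = replace(pkt, src=hit[0], sport=hit[1])
        hit = self._lookup("inside", "glob", pkt.proto, pkt.dst, pkt.dport)
        if hit:                            # inside global -> inside local
            pkt = replace(pkt, dst=hit[0], dport=hit[1])
        elif self.overload and pkt.dst == self.overload and pkt.dport in self.dynamic:
            local, lport = self.dynamic[pkt.dport]   # return leg of a PAT session
            pkt = replace(pkt, dst=local, dport=lport)
        return pkt, self.route(pkt.dst)    # lookup on the translated destination

def demo_lab_router0():
    """Router 0 from the thread, with the poster's static route for 172.16.69.0/24."""
    r0 = NatRouter({"10.10.10.0/24": "inside", "20.20.20.0/24": "outside", "172.16.69.0/24": "20.20.20.2"})
    r0.add_static("inside", "10.10.10.2", "171.16.68.2")
    r0.add_static("outside", "30.30.30.2", "172.16.69.2")   # global 172.16.69.2 -> local 30.30.30.2
    inbound, via_in = r0.outside_to_inside(Packet("172.16.69.2", "171.16.68.2"))
    reply = Packet(src=inbound.dst, dst=inbound.src)   # 10.10.10.2 answers 30.30.30.2
    try:
        reply_routed = bool(r0.inside_to_outside(reply))
    except LookupError:                  # nothing covers the outside local address
        reply_routed = False
    r0.routes[ip_network("30.30.30.2/32")] = "20.20.20.2"   # what add-route installs
    outbound, via_out = r0.inside_to_outside(reply)
    return inbound, via_in, reply_routed, outbound, via_out

def demo_port_forward_and_overload():
    """Marko's overload + static tcp/80 pair; all addresses here are assumed."""
    edge = NatRouter({"192.168.1.0/24": "inside", "0.0.0.0/0": "203.0.113.1"}, overload="203.0.113.5")
    edge.add_static("inside", "192.168.1.10", "203.0.113.5", "tcp", 80, 80)
    web, _ = edge.outside_to_inside(Packet("198.51.100.7", "203.0.113.5", "tcp", 40000, 80))
    ssh, _ = edge.outside_to_inside(Packet("198.51.100.7", "203.0.113.5", "tcp", 40001, 22))
    out, _ = edge.inside_to_outside(Packet("192.168.1.20", "198.51.100.7", "tcp", 51000, 443))
    back, _ = edge.outside_to_inside(Packet("198.51.100.7", out.src, "tcp", 443, out.sport))
    return web, ssh, out, back           # only :80 is forwarded; PAT maps the reply back
```

demo_lab_router0() returns the inbound packet rewritten to 30.30.30.2 -> 10.10.10.2 via the inside interface, then shows that 10.10.10.2's reply to 30.30.30.2 raises "no route" under this order of operations until something covers the outside local address, after which it leaves as 171.16.68.2 -> 172.16.69.2 via 20.20.20.2; the 172.16.69.0/24 route alone is never consulted for that reply. On a real box, `show ip nat translations` and `debug ip nat` show which addresses were translated and in which order, which is the quickest way to check whether the route you added is the one the lookup actually used. demo_port_forward_and_overload() shows the other half of Marko's point: an unsolicited packet to public_IP:80 is rewritten to the server, the same packet to :22 is left untouched because no entry matches it, and a session opened from inside is mapped out through the overload address and mapped back by its dynamic entry.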