
Network Address Translation (NAT) & Scenario

Configuration Notes:
Defining NAT Inside and Outside Interfaces
The first step in deploying NAT is to define the NAT inside and outside interfaces. You will usually find it easiest to treat your internal network as inside and the external network as outside. The labels themselves are arbitrary, though: what matters is that every translation rule is written relative to whichever side you designate as inside. The figure (not reproduced here) shows an example of this.

NAT Overloading
NAT overloading, also called Port Address Translation (PAT), is a form of dynamic NAT in which a single inside global IP address provides Internet access to all inside hosts, with the individual sessions kept apart by their port numbers. It is the usual choice when the number of inside local addresses is greater than the number of inside global addresses.

Clearing Static NAT Entry
The clear command only deletes dynamic entries. A static entry cannot be cleared; trying to do so produces the error message “Translation not dynamic”. If a static entry is no longer needed, or is not doing what you intended, edit or remove it in the configuration instead.


NAT Order of Operation:

  1. When a packet arrives on an interface configured with ‘ip nat inside’:
    • The packet is first checked against the NAT access-list, i.e. whether it is interesting traffic.
    • The packet is then routed according to its destination address.
    • If the destination is reachable via an interface configured with ‘ip nat outside’, the source address is translated before the packet is sent out of the egress interface.
  2. When the return packet arrives on an interface configured with ‘ip nat outside’:
    • The packet is first compared against the NAT translation table for a matching entry.
    • If a matching entry is found, the destination IP and port are rewritten as the entry specifies, and only then is the packet routed toward the inside interface.

NAT Terminology:

Inside Local – The IP address of the inside network as seen from inside (e.g. the private address of a host on your LAN)
Inside Global – The IP address of the inside network as seen by the outside world (e.g. your public IP on the WAN interface)
Outside Local – The IP address of the outside network as seen from inside (the address your inside hosts use to reach the outside host)
Outside Global – The IP address of the outside network as seen by the outside world (the outside host's real address)

IP NAT OUTSIDE SOURCE STATIC SCENARIO:

  1. Translating the outside public IP so that it can reach the LAN network.


Note: On the outside interface the router translates before routing; on the inside interface it routes first and then translates.


Configure a loopback on R3 and R2 and make sure the routes are correct on all routers.

R2#sh run int loop 30
interface Loopback30
ip address 171.68.1.1 255.255.255.255

R3#sh run int loop 30
interface Loopback30
ip address 172.16.89.32 255.255.255.255

R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 171.68.1.1 255.255.255.255 192.168.1.1

R1# ip nat outside source static 172.16.89.32 171.68.16.5  -> This translates the outside global source address 172.16.89.32 to the outside local address 171.68.16.5.

R5#sh run | sec ip route
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

Results:

R3#ping 171.68.1.1 source loop 30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.68.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.89.32
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 171.68.16.5 172.16.89.32
icmp 171.68.1.1:0 171.68.1.1:0 171.68.16.5:0 172.16.89.32:0

R1#sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
CEF Translated packets: 9, CEF Punted packets: 1
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

  2. Overlapping network



R1#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 122.1.1.2
ip route 9.9.9.0 255.255.255.0 122.1.1.2
ip route 123.12.12.0 255.255.255.0 192.168.1.1
ip route 171.68.1.1 255.255.255.255 192.168.1.1
R1#sh run | sec ip nat
ip nat outside
ip nat inside
ip nat inside source static 123.12.12.3 8.8.8.1
ip nat inside source static 192.168.1.1 8.8.8.2
ip nat outside source static 123.12.12.1 9.9.9.1
ip nat outside source static 172.16.89.32 9.9.9.2

R2#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R2#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.3 255.255.255.255

R3#sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 221.0.0.2
R3#sh run int loop 40 | beg int
interface Loopback40
ip address 123.12.12.1 255.255.255.255

R5#sh run | sec ip route
ip route 8.8.8.0 255.255.255.0 122.1.1.1
ip route 123.12.12.0 255.255.255.0 221.0.0.1
ip route 171.68.1.1 255.255.255.255 122.1.1.1
ip route 172.16.89.32 255.255.255.255 221.0.0.1

R3#ping 8.8.8.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/65/76 ms

R2#ping 9.9.9.1 source loopback 40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.1, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/68 ms

Note: When troubleshooting, make sure the routing is correct: every router on the path must have routes for both the local and the global addresses, in both directions.

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 9.9.9.1 123.12.12.1
--- --- --- 9.9.9.2 172.16.89.32
--- 8.8.8.1 123.12.12.3 --- ---
--- 8.8.8.2 192.168.1.1 --- ---
R1#sh ip nat stat
Total active translations: 4 (4 static, 0 dynamic; 0 extended)
Peak translations: 53, occurred 00:19:08 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 299 Misses: 0
CEF Translated packets: 233, CEF Punted packets: 30
Expired translations: 36
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

What is CEF Punt?

https://learningnetwork.cisco.com/thread/123503

Troubleshoot/Verify NAT Configuration

1. The command “show ip nat translations” displays the details of the NAT assignments and lets you verify that the correct translations exist in the translation table. Before testing, it is recommended to clear any dynamic NAT translation entries that might still be on the router.

2. To view additional details about each translation, use the following command:

R1#show ip nat translations verbose

This command displays additional information, including the creation time and usage of each translation.

To clear NAT translations use the command: clear ip nat translation.

Note: “show ip nat translations verbose” command doesn’t work in packet tracer.

3. Verify the operation of NAT by checking the details of every packet the router translates. To view this information, use one of:

R1#debug ip nat

or

R1#debug ip nat detailed

The latter command, debug ip nat detailed, provides a description of each packet considered for translation. It also reports some errors, such as failure to allocate a global IP address.

4. The show ip nat statistics command displays:

a) Details of all the active translation entries
b) NAT configuration parameters
c) Number of IP addresses in the pool
d) Total number of assigned IP addresses.
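Steps 1 and 4 above lend themselves to scripting. The Python below is an added example written for this page (not from the original post and not a Cisco tool): it parses the two show outputs as copied from R1 in scenario 1, cross-checks the row counts against the statistics line, and lists the rows a clear is certain to remove. The column order and the '---' placeholder are as IOS prints them; the em-dash variant is accepted too, because web copies of the output often render it that way.

```python
# Added example (not from the page): parse 'show ip nat translations' and
# 'show ip nat statistics' output and cross-check them, as a scripted version
# of troubleshooting steps 1 and 4.  The sample output is copied from the
# R1 outputs in scenario 1 of this page.
import re
from dataclasses import dataclass
from typing import Optional

TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
--- --- --- 171.68.16.5 172.16.89.32
icmp 171.68.1.1:0 171.68.1.1:0 171.68.16.5:0 172.16.89.32:0
"""

STATISTICS = """\
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Peak translations: 2, occurred 00:00:26 ago
Outside interfaces:
GigabitEthernet1/0
Inside interfaces:
GigabitEthernet2/0
Hits: 10 Misses: 0
"""

TOTAL_RE = re.compile(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)")
HITS_RE = re.compile(r"Hits: (\d+)\s+Misses: (\d+)")


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def extended(self) -> bool:
        # Extended rows carry a protocol and ports; they are always dynamic.
        return self.proto is not None


def parse_translations(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue                      # header line or not a translation row
        # IOS prints '---' for an empty column; web copies often turn it into an em dash
        rows.append(Translation(*[None if p in ("---", "—") else p for p in parts]))
    return rows


def parse_statistics(text):
    m = TOTAL_RE.search(text)
    if m is None:
        raise ValueError("no 'Total active translations' line found")
    total, static, dynamic, extended = map(int, m.groups())
    hm = HITS_RE.search(text)
    hits, misses = map(int, hm.groups()) if hm else (0, 0)
    return {"total": total, "static": static, "dynamic": dynamic,
            "extended": extended, "hits": hits, "misses": misses}


def cross_check(rows, stats):
    """Return discrepancies between the two outputs; an empty list means they agree."""
    problems = []
    if len(rows) != stats["total"]:
        problems.append(f"{len(rows)} rows listed but statistics report {stats['total']}")
    ext = sum(r.extended for r in rows)
    if ext != stats["extended"]:
        problems.append(f"{ext} extended rows but statistics report {stats['extended']}")
    if stats["static"] + stats["dynamic"] != stats["total"]:
        problems.append("static + dynamic does not add up to the total")
    return problems


def clear_candidates(rows):
    """Rows that 'clear ip nat translation *' is certain to remove (the extended ones).
    A row without a protocol may be static or plain dynamic; only the flags in
    'show ip nat translations verbose' tell those two apart."""
    return [r for r in rows if r.extended]
```

On the scenario 1 output the two views agree (2 rows, 1 of them extended), and the only row the clear will certainly remove is the icmp one; the static row would answer with “Translation not dynamic” if you tried to clear it individually.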

http://academy.delmar.edu/Courses/download/CiscoIOS/NAT_ip_nat_outside_source_static.pdf
https://cciepursuit.wordpress.com/2007/10/07/hits-and-misses-in-ip-nat-statistics/
http://brbccie.blogspot.com/2013/06/everything-nat.html

3 ways to NAT on a Cisco Router

https://learningnetwork.cisco.com/thread/96145


NAT Basics

Static NAT
ip nat inside source static 10.0.0.2 112.1.1.5

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 112.1.1.5 10.0.0.2 --- ---

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.5:5 10.0.0.2:5 112.1.1.2:5 112.1.1.2:5
icmp 112.1.1.5:6 10.0.0.2:6 112.1.1.2:6 112.1.1.2:6
icmp 112.1.1.5:7 10.0.0.2:7 112.1.1.2:7 112.1.1.2:7

Dynamic NAT with overload (PAT)
access-list 10 permit any
ip nat inside source list 10 interface g2/0 overload

R4#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 112.1.1.1:8 10.0.0.2:8 112.1.1.2:8 112.1.1.2:8
icmp 112.1.1.1:9 172.1.1.1:9 112.1.1.2:9 112.1.1.2:9
icmp 112.1.1.1:10 172.1.1.1:10 112.1.1.2:10 112.1.1.2:10
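The order of operations and the four address terms defined earlier, the outside source static scenario (scenario 1) and the R4 static/overload tables just above can all be replayed with one small model. The following Python is an added example written for this page, not IOS code and not anything from the original post. It assumes a single router with one inside and one outside side, longest-prefix routing between them, and a PAT that keeps a host's original port while that port is free; from the page's own addresses it reproduces the translation-table rows shown above.

```python
# Added example, not from the page: a toy model of the IOS NAT order of operations on one
# router with an 'ip nat inside' and an 'ip nat outside' side.  Illustration only, not IOS code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0          # for ICMP this is the echo identifier
    dport: int = 0

@dataclass
class Entry:                # one row of 'show ip nat translations'; None prints as '---'
    proto: Optional[str]    # None: static row (no ports); set: dynamic, extended row
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]
    def row(self) -> str:
        return " ".join("---" if f is None else f for f in (self.proto, self.inside_global,
                        self.inside_local, self.outside_local, self.outside_global))

class NatRouter:
    def __init__(self, routes, overload_ip=None, interesting=lambda src: False):
        self.routes = [(ipaddress.ip_network(p), side) for p, side in routes]
        self.overload_ip = overload_ip    # 'ip nat inside source list N interface X overload'
        self.interesting = interesting    # the NAT access-list N (interesting traffic)
        self.table = []
    def route(self, dst):                 # longest prefix match -> "inside" / "outside" / None
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
    def add_inside_static(self, local, glob):    # ip nat inside source static L G
        self.table.append(Entry(None, glob, local, None, None))
    def add_outside_static(self, glob, local):   # ip nat outside source static G L
        self.table.append(Entry(None, None, None, local, glob))
    def _find(self, dynamic, **match):          # first row of that kind matching every field
        return next((e for e in self.table if (e.proto is not None) == dynamic
                     and all(getattr(e, k) == v for k, v in match.items())), None)
    def inside_to_outside(self, pkt):     # 'ip nat inside': interesting? -> route -> translate
        in_static = self._find(False, inside_local=pkt.src)
        out_static = self._find(False, outside_local=pkt.dst)
        pat = self.overload_ip is not None and self.interesting(pkt.src)
        egress = self.route(pkt.dst)      # the routing decision is made before translation
        if not (in_static or out_static or pat) or egress != "outside":
            return pkt, egress            # not interesting traffic, or not leaving
        ext = self._find(True, proto=pkt.proto, inside_local=f"{pkt.src}:{pkt.sport}",
                         outside_local=f"{pkt.dst}:{pkt.dport}")
        if ext is None:                   # first packet of the flow: build the table row
            ig, sport = pkt.src, pkt.sport          # default: no source translation
            if in_static:
                ig = in_static.inside_global
            elif pat:                     # PAT keeps the original port while it is free
                ig = self.overload_ip
                while self._find(True, inside_global=f"{ig}:{sport}"):
                    sport += 1
            og = out_static.outside_global if out_static else pkt.dst
            ext = Entry(pkt.proto, f"{ig}:{sport}", f"{pkt.src}:{pkt.sport}",
                        f"{pkt.dst}:{pkt.dport}", f"{og}:{pkt.dport}")
            self.table.append(ext)
        ig, sport = ext.inside_global.rsplit(":", 1)
        og, dport = ext.outside_global.rsplit(":", 1)
        return Packet(ig, og, pkt.proto, int(sport), int(dport)), egress
    def outside_to_inside(self, pkt):     # 'ip nat outside': translate from the table, then route
        ext = self._find(True, proto=pkt.proto, inside_global=f"{pkt.dst}:{pkt.dport}",
                         outside_global=f"{pkt.src}:{pkt.sport}")
        if ext is None:
            in_static = self._find(False, inside_global=pkt.dst)
            out_static = self._find(False, outside_global=pkt.src)
            if not (in_static or out_static):
                return pkt, self.route(pkt.dst)     # no entry: nothing to translate
            il = in_static.inside_local if in_static else pkt.dst
            ol = out_static.outside_local if out_static else pkt.src
            ext = Entry(pkt.proto, f"{pkt.dst}:{pkt.dport}", f"{il}:{pkt.dport}",
                        f"{ol}:{pkt.sport}", f"{pkt.src}:{pkt.sport}")
            self.table.append(ext)
        il, dport = ext.inside_local.rsplit(":", 1)
        ol, sport = ext.outside_local.rsplit(":", 1)
        out = Packet(ol, il, pkt.proto, int(sport), int(dport))
        return out, self.route(out.dst)             # routed only after translation

def scenario_outside_source_static():  # R1, scenario 1: R3 (172.16.89.32) pings R2's 171.68.1.1
    r1 = NatRouter([("0.0.0.0/0", "outside"), ("171.68.1.1/32", "inside")])
    r1.add_outside_static("172.16.89.32", "171.68.16.5")
    fwd, egress = r1.outside_to_inside(Packet("172.16.89.32", "171.68.1.1"))
    back, _ = r1.inside_to_outside(Packet("171.68.1.1", "171.68.16.5"))
    return fwd, egress, back, [e.row() for e in r1.table]

def scenario_static_and_pat():  # R4, NAT Basics: static for 10.0.0.2, PAT on 112.1.1.1 for the rest
    r4 = NatRouter([("0.0.0.0/0", "outside"), ("10.0.0.0/8", "inside"), ("172.1.1.0/24", "inside")],
                   overload_ip="112.1.1.1", interesting=lambda src: True)  # access-list 10 permit any
    r4.add_inside_static("10.0.0.2", "112.1.1.5")
    r4.inside_to_outside(Packet("10.0.0.2", "112.1.1.2", sport=5, dport=5))
    r4.inside_to_outside(Packet("172.1.1.1", "112.1.1.2", sport=9, dport=9))
    reply, egress = r4.outside_to_inside(Packet("112.1.1.2", "112.1.1.1", sport=9, dport=9))
    return reply, egress, [e.row() for e in r4.table]
```

`scenario_outside_source_static` reproduces the two rows R1 printed in scenario 1: the echo from R3 arrives on the outside side, its source is rewritten from the outside global 172.16.89.32 to the outside local 171.68.16.5 and only then routed toward R2, while R2's reply is routed (via the default route, to the outside side) and then has its destination rewritten back. `scenario_static_and_pat` yields the static row plus the two icmp rows from the R4 tables, and shows why a reply addressed to 112.1.1.1:9 lands on 172.1.1.1 and not on 10.0.0.2: the table lookup on the outside side happens before routing and keys on the translated ports.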

https://learningnetwork.cisco.com/thread/41202

NAT Traversal

Network address translator traversal is a computer networking technique of establishing and maintaining Internet protocol connections across gateways that implement network address translation (NAT).

NAT traversal techniques are required for many network applications, such as peer-to-peer file sharing and Voice over IP.

https://en.wikipedia.org/wiki/NAT_traversal#Hosted_NAT_traversal

How Does NAT-T work with IPSec?
https://supportforums.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442