Table of Contents. Cisco NAT Order of Operation

Similar documents
Using NAT in Overlapping Networks

Lab Configuring Static Routes Instructor Version 2500

Lab Troubleshooting Using traceroute Instructor Version 2500

Policy Based Routing with the Multiple Tracking Options Feature Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example

IPsec Anti-Replay Window Expanding and Disabling

Context Based Access Control (CBAC): Introduction and Configuration

IPsec Anti-Replay Window: Expanding and Disabling

Configure the ASA for Dual Internal Networks

Three interface Router without NAT Cisco IOS Firewall Configuration

Configuring Transparent and Proxy Media Redirection Using ACNS Software 4.x

Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

L2TP IPsec Support for NAT and PAT Windows Clients

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Configuring Authentication Proxy

cable modem dhcp proxy nat on Cisco Cable Modems

Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec

co Configuring PIX to Router Dynamic to Static IPSec with

Cisco IOS Firewall Authentication Proxy

Configuring Authentication Proxy

Cisco Configuring Hub and Spoke Frame Relay

Configuring Authentication Proxy

Firewall Stateful Inspection of ICMP

WCCPv2 and WCCP Enhancements

How to Configure a Cisco Router Behind a Non-Cisco Cable Modem

Troubleshooting High CPU Utilization Due to the IP Input Process

Lab b Simple DMZ Extended Access Lists Instructor Version 2500

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

Lab b Standard ACLs Instructor Version 2500

Firewall Stateful Inspection of ICMP

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

IPv6 Tunnel through an IPv4 Network

Table of Contents 1 System Maintaining and Debugging 1-1

Configuring a Terminal/Comm Server

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500

Configuring IDS TCP Reset Using VMS IDS MC

Packet Tracer - Connect a Router to a LAN (Instructor Version)

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Sample Business Ready Branch Configuration Listings

Secure ACS Database Replication Configuration Example

Lab Configuring and Verifying Standard IPv4 ACLs Topology

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

NAT Support for Multiple Pools Using Route Maps

Configuring IOS to IOS IPSec Using AES Encryption

Configuring Redundant Routing on the VPN 3000 Concentrator

Table of Contents. Cisco Configuring IP Access Lists

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Configuring Secure (Router) Mode on the Content Switching Module

Lab VTY Restriction Instructor Version 2500

Basic Router Configuration

Configuring IP Multicast over Unidirectional Links

IP MultiLayer Switching Sample Configuration

1. Which OSI layers offers reliable, connection-oriented data communication services?

Lab Configuring IGRP Instructor Version 2500

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

Table of Contents. isco Configuring 802.1q Trunking Between a Catalyst 3550 and Catalyst Switches Running Integrated Cisco IOS (Nativ

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

Configuring GRE Tunnel Over Cable

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring IOS Server Load Balancing with HTTP Probes in the Dispatched Mode

Lab Catalyst 2950T and 3550 Series Basic Setup

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab)

Cisco 1921 router performance test

1 of :22

Lab Configuring IPv6 Static and Default Routes (Solution)

Implementing Authentication Proxy

Configuring Data Export for Flexible NetFlow with Flow Exporters

Cisco - Connecting Routers Back-to-Back Through the AUX Ports using a Rollover Cable

Lab Troubleshooting Routing Issues with debug Instructor Version 2500

IPsec Management Configuration Guide Cisco IOS Release 12.4T

Lab Troubleshooting IP Address Issues Instructor Version 2500

Catalyst Switches for Microsoft Network Load Balancing Configuration Example

Using ping, tracert, and system debugging

Basic Router Configuration using SDM

Lab Troubleshooting Routing Issues with show ip route and show ip protocols Instructor Version 2500

Lab - Configuring IPv6 Addresses on Network Devices

Configuring Secure Shell

Configuring Routes on the ACE

Configuring a Cisco 827 Router to Support PPPoE Clients, Terminating on a Cisco 6400 UAC

Lab 6.7.1: Ping and Traceroute

Configuring Data Export for Flexible NetFlow with Flow Exporters

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Lab 7 Configuring Basic Router Settings with IOS CLI

Configuring IP Multicast over Unidirectional Links

Configuring IP SLAs TCP Connect Operations

Flexible NetFlow IPv6 Unicast Flows

Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Configuring Modem Transport Support for VoIP

IPsec Virtual Tunnel Interfaces

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

CCNA 1 Chapter 6 v5.0 Exam Answers 2013

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Flexible NetFlow IPv6 Unicast Flows

Lab Configuring and Verifying Standard ACLs Topology

Lab Advanced Telnet Operations Instructor Version 2500

Internet Control Message Protocol (ICMP)

Configuring the Eight-Port FXS RJ-21 Module

How to configure MB5000 Serial Port Bridge mode

H

Configuring IP SLAs ICMP Echo Operations

Transcription:

Table of Contents NAT Order of Operation...1 Document ID: 6209...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1 Conventions...1 NAT Overview...1 NAT Configuration and Output...2 Related Information...5 i

NAT Order of Operation Document ID: 6209 Introduction Prerequisites Requirements Components Used Conventions NAT Overview NAT Configuration and Output Related Information Introduction This document illustrates that the order in which transactions are processed using Network Address Translation (NAT) is based on whether a packet is going from the inside network to the outside network, or from the outside network to the inside network. Prerequisites Requirements Readers of this document should have knowledge of the following topic: Network Address Translation (NAT). For more information on NAT, see How NAT Works. Components Used This document is not restricted to specific software and hardware versions. Note: The information in this document is based on the Software Version, Cisco IOS Software Release 12.2(27) Conventions For more information on document conventions, refer to the Cisco Technical Tips Conventions. NAT Overview In the table below, when NAT performs the global to local, or local to global, translation is different in each flow. Inside to Outside Outside to Inside If IPSec then check If IPSec then check input access list input access list

decryption for CET (Cisco Encryption Technology) or IPSec check input access list check input rate limits input accounting policy routing routing redirect to web cache NAT inside to outside (local to global translation) crypto (check map and mark for encryption) check output access list inspect (Context based Access Control (CBAC)) TCP intercept encryption Queueing decryption for CET or IPSec check input access list check input rate limits input accounting NAT outside to inside (global to local translation) policy routing routing redirect to web cache crypto (check map and mark for encryption) check output access list inspect CBAC TCP intercept encryption Queueing NAT Configuration and Output The following example demonstrates how the order of operations can effect NAT. In this case, only NAT and routing are shown. In the above example, Router A is configured to translate the inside local address 171.68.200.48 to 172.16.47.150, as shown in the configuration below. version 11.2 no service udp small servers no service tcp small servers hostname Router A enable password ww ip nat inside source static 171.68.200.48 172.16.47.150 This command creates a static NAT translation between 171.68.200.48 and 172.16.47.150 ip domain name cisco.com ip name server 171.69.2.132

interface Ethernet0 no ip address shutdown interface Serial0 ip address 172.16.47.161 255.255.255.240 ip nat inside Configures Serial0 as the NAT inside interface no ip mroute cache no ip route cache no fair queue interface Serial1 ip address 172.16.47.146 255.255.255.240 ip nat outside Configures Serial1 as the NAT outside interface no ip mroute cache no ip route cache no ip classless ip route 0.0.0.0 0.0.0.0 172.16.47.145 Configures a default route to 172.16.47.145 ip route 171.68.200.0 255.255.255.0 172.16.47.162 line con 0 exec timeout 0 0 line aux 0 line vty 0 4 password ww login end The translation table indicates that the intended translation exists. Router A#show ip nat translation Pro Inside global Inside local Outside local Outside global 172.16.47.150 171.68.200.48 The following output is taken from Router A with debug ip packet detail and debug ip nat enabled, and a ping issued from device 171.68.200.48 destined for 172.16.47.142. Note: Debug commands generate a significant amount of output. Use them only when traffic on the IP network is low, so other activity on the system is not adversely affected. Before issuing debug commands, please see Important Information on Debug Commands. IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending ICMP type=3, code=1

IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending ICMP type=3, code=1 IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending ICMP type=3, code=1 Since there are no NAT debug messages in the output above, you know that the existing static translation is not being used and that the router does not have a route for the destination address (172.16.47.142) in its routing table. The result of the non routable packet is an ICMP Unreachable message, which is sent to the inside device. However, Router A has a default route of 172.16.47.145, so why is the route considered non routable? Router A has no ip classless configured, which means if a packet destined for a "major" network address (in this case, 172.16.0.0) for which subnets exist in the routing table, the router does not rely on the default route. In other words, issuing the no ip classless command turns off the router's ability to look for the route with the longest bit match. To change this behavior, you have to configure ip classless on Router A. The ip classless command is enabled by default on Cisco routers with IOS Version 11.3 and above. Router A#configure terminal Enter configuration commands, one per line. End with CTRL/Z. Router A(config)#ip classless Router A(config)#end Router A#show ip nat translation %SYS 5 CONFIG_I: Configured from console by console nat tr Pro Inside global Inside local Outside local Outside global 172.16.47.150 171.68.200.48 Repeating the same ping test as before, we see that the packet gets translated and the ping is successful. Ping Response on device 171.68.200.48 D:\>ping 172.16.47.142 Pinging 172.16.47.142 with 32 bytes of data: Reply from 172.16.47.142: bytes=32 time=10ms TTL=255 Reply from 172.16.47.142: bytes=32 time<10ms TTL=255 Reply from 172.16.47.142: bytes=32 time<10ms TTL=255 Reply from 172.16.47.142: bytes=32 time<10ms TTL=255 Ping statistics for 172.16.47.142: Packets: Sent = 4, Received = 4, Lost = 0 (0%) Approximate round trip times in milli seconds: Minimum = 0ms, Maximum = 10ms, Average = 2ms Debug messages on Router A indicating that the packets generated by device 171.68.200.48 are getting translated by NAT. Router A# *Mar 28 03:34:28: IP: tableid=0, s=171.68.200.48 (Serial0), d=172.16.47.142 (Serial1), routed via RIB *Mar 28 03:34:28: NAT: s=171.68.200.48 >172.16.47.150, d=172.16.47.142 [160] *Mar 28 03:34:28: IP: s=172.16.47.150 (Serial0), d=172.16.47.142 (Serial1), g=172.16.47.145, len 100, forward *Mar 28 03:34:28:

*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150 >171.68.200.48 [160] *Mar 28 03:34:28: NAT*: s=171.68.200.48 >172.16.47.150, d=172.16.47.142 [161] *Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150 >171.68.200.48 [161] *Mar 28 03:34:28: NAT*: s=171.68.200.48 >172.16.47.150, d=172.16.47.142 [162] *Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150 >171.68.200.48 [162] *Mar 28 03:34:28: NAT*: s=171.68.200.48 >172.16.47.150, d=172.16.47.142 [163] *Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150 >171.68.200.48 [163] *Mar 28 03:34:28: NAT*: s=171.68.200.48 >172.16.47.150, d=172.16.47.142 [164] *Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150 >171.68.200.48 [164] Router A#undebug all All possible debugging has been turned off The above example shows that when a packet is traversing inside to outside, a NAT router checks its routing table for a route to the outside address before it continues to translate the packet. Therefore, it is important that the NAT router has a valid route for the outside network. The route to the destination network must be known through an interface that is defined as NAT outside in the router configuration. It is important to note that the return packets are translated before they are routed. Therefore, the NAT router must also have a valid route for the Inside local address in its routing table. Related Information Configuring Network Address Translation: Getting Started Verifying NAT Operation and Basic NAT Troubleshooting NAT: Local and Global Definitions How Does Multicast NAT Work on Cisco Routers? NAT Support Page Technical Support Cisco Systems All contents are Copyright 1992 2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Mar 29, 2006 Document ID: 6209

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback