Exploring Cisco Network Address Translation ( NAT) - Part -I

Even though I worked with NAT configuration it still troublesome when configuring NAT on the Cisco Router (I prefer the Mikrotik way of configuration, simple but powerful).
First in the Cisco NAT world we have to understand these 4 terms. Directly taken from Cisco [1]

• Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
• Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
• Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
Following diagram depicts the terms in the actual traffic flow.




Following as depicted host1 and host 2 in the range if 192.168.100.0/24 range and 192.168.100.1 as the virtual ip for the HSRP group 10.
Simulated Inside network doesn’t have access to outside without natting.

R2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)

First lets see what the options available for ip nat : (7200 Software (C7200-ADVENTERPRISEK9-M), 

R1(config)#ip nat ?
Stateful           Stateful NAT configuration commands 
create             Create flow entries
inside             Inside address translation
log                NAT Logging
outside            Outside address translation
piggyback-support  NAT Piggybacking Support
pool               Define pool of addresses
portmap            Define portmap of portranges
service            Special translation for application using non-standard port
sip-sbc            SIP Session Border Controller commands
source             Source address translation
translation        NAT translation entry configuration

1) stateful nat (SNAT) works with HSRP/or independently to smooth tcp transition when the active/primary router fails [2]. this feature simply sync the flow entries to other router udp it uses port 15555.

first HSRP configuration on the R1#
R1# 
interface FastEthernet1/0
ip address 192.168.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 priority 110
standby 10 name snat_hsrp

second we have to create ip nat stateful configuration . 

ip nat Stateful id 10 #id should be unique for each router
redundancy snat_hsrp // identify the hsrp group
mapping-id 100 // this id will be mapped with nat
protocol   udp // we can use either tcp or tcp

Then we have to create the NAT pool :
ip nat pool TEST2 117.117.117.1 117.117.117.1 netmask 255.255.255.0
ip nat inside source list 105 pool TEST2 mapping-id 100 overload 
// check the mapping id is matched here..

same as R8 configured 

R8#show run int fa2/0
Building configuration...

Current configuration : 192 bytes
!
interface FastEthernet2/0
ip address 192.168.100.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 name snat_hsrp
// stateful configuration. 


ip nat Stateful id 20 // id is different
redundancy snat_hsrp
mapping-id 100
protocol   udp
ip nat pool TEST2 117.117.117.1 117.117.117.1 prefix-length 24
ip nat inside source list 105 pool TEST2 mapping-id 100 overload

according to this configuration, if stateful nat is not configured only the R1 should have the natting flow entries ( HSRP priority 110). but if you check the R8 nat table same entries kept on R8. 

R8#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 117.117.117.1:55833 192.168.100.100:55833 116.116.116.5:22 116.116.116.5:22
tcp 117.117.117.1:55834 192.168.100.100:55834 116.116.116.5:22 116.116.116.5:22


[1]          “NAT: Local and Global Definitions - Cisco Systems.” [Online]. Available: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml. [Accessed: 14-Apr-2011].
[2]          “Scalability for Stateful NAT - Cisco Systems.” [Online]. Available: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html. [Accessed: 15-Apr-2011].

Comments

Post a Comment

Popular posts from this blog

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in
Read more

mikrotik queue tree - Per connection queuing.

Image
One of the cool feature on Mikrotik queuing is Per Connection Queuing . we can equally distribute the bandwidth among Number of users.[1] This setup explores the per connection queuing in the congestion situation and how to utilize the priority queuing features. [Please note Mikrotik Queue lowest priority value have highest priority eg: queue priority 7 traffic gets highest preference over queue priority 8  ] In this test setup 192.168.92.50 and 51 given 512Kbps per connection queuing(PCQ) Priority 6 . 192.168.52 and 54 placed under 256Kbps PCQ (Priority 8) and further youtube users given 384Kbps irrespective to the queue they are currently placed ( FIFO) . 1) Bridge setup - " Don't forget to enable the bridge firewall :) " /interface bridge add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1522 \ max-message-age=20s mtu=1500 name=br_traffic_shaper priority=0x8000 protocol-mode=none
Read more

Decoding BGP Notification Error

Following Log messages are normal in the IX scenario but decode the error message is quite interesting: We will see why this error message popped up : : %BGP-3-NOTIFICATION: sent to neighbor 10.10.194.236 2/7 (unsupported/disjoint capability) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0039 0104 xx0D 00B4 C06A 1102 1C02 0601 0400 0200 0102 0280 0002 0202 0002 0246 0002 0641 0400 00C4 0D its a raw hex out  of the BGP open message and starts from the marker  16byte FF so the actual output starts from 0039  2 byte length value : 00 39 - 57 1 byte Type : 01 open message 1 byte Version : 04 2 byte ASN : xx0D  [ modified to remove the relevant information ] 2 byte holdtime : 00 B4 - 180 Seconds 4 byte BGP identifier : C06A 1102 [ modified ] 1 byte Optional parameter length : 1C   - 28 bytes Refer RFC: http://tools.ietf.org/html/rfc5492 http://tools.ietf.org/html/draft-ietf-idr-ext-opt-param-02 http://www.iana.org/assignments/capability-codes/capability-c
Read more