Exploring Cisco Network Address Translation ( NAT) - Part -I

Even though I worked with NAT configuration it still troublesome when configuring NAT on the Cisco Router (I prefer the Mikrotik way of configuration, simple but powerful).
First in the Cisco NAT world we have to understand these 4 terms. Directly taken from Cisco [1]

• Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
• Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
• Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
Following diagram depicts the terms in the actual traffic flow.




Following as depicted host1 and host 2 in the range if 192.168.100.0/24 range and 192.168.100.1 as the virtual ip for the HSRP group 10.
Simulated Inside network doesn’t have access to outside without natting.

R2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)

First lets see what the options available for ip nat : (7200 Software (C7200-ADVENTERPRISEK9-M), 

R1(config)#ip nat ?
Stateful           Stateful NAT configuration commands 
create             Create flow entries
inside             Inside address translation
log                NAT Logging
outside            Outside address translation
piggyback-support  NAT Piggybacking Support
pool               Define pool of addresses
portmap            Define portmap of portranges
service            Special translation for application using non-standard port
sip-sbc            SIP Session Border Controller commands
source             Source address translation
translation        NAT translation entry configuration

1) stateful nat (SNAT) works with HSRP/or independently to smooth tcp transition when the active/primary router fails [2]. this feature simply sync the flow entries to other router udp it uses port 15555.

first HSRP configuration on the R1#
R1# 
interface FastEthernet1/0
ip address 192.168.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 priority 110
standby 10 name snat_hsrp

second we have to create ip nat stateful configuration . 

ip nat Stateful id 10 #id should be unique for each router
redundancy snat_hsrp // identify the hsrp group
mapping-id 100 // this id will be mapped with nat
protocol   udp // we can use either tcp or tcp

Then we have to create the NAT pool :
ip nat pool TEST2 117.117.117.1 117.117.117.1 netmask 255.255.255.0
ip nat inside source list 105 pool TEST2 mapping-id 100 overload 
// check the mapping id is matched here..

same as R8 configured 

R8#show run int fa2/0
Building configuration...

Current configuration : 192 bytes
!
interface FastEthernet2/0
ip address 192.168.100.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 name snat_hsrp
// stateful configuration. 


ip nat Stateful id 20 // id is different
redundancy snat_hsrp
mapping-id 100
protocol   udp
ip nat pool TEST2 117.117.117.1 117.117.117.1 prefix-length 24
ip nat inside source list 105 pool TEST2 mapping-id 100 overload

according to this configuration, if stateful nat is not configured only the R1 should have the natting flow entries ( HSRP priority 110). but if you check the R8 nat table same entries kept on R8. 

R8#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 117.117.117.1:55833 192.168.100.100:55833 116.116.116.5:22 116.116.116.5:22
tcp 117.117.117.1:55834 192.168.100.100:55834 116.116.116.5:22 116.116.116.5:22


[1]          “NAT: Local and Global Definitions - Cisco Systems.” [Online]. Available: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml. [Accessed: 14-Apr-2011].
[2]          “Scalability for Stateful NAT - Cisco Systems.” [Online]. Available: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html. [Accessed: 15-Apr-2011].

Comments

Post a Comment

Popular posts from this blog

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in
Read more

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther
Read more