Double NAT

Answered Question
Jan 8th, 2009

Can someone please help me understand the configuration below?

For instance, if R4 and R5 both have a subnet of 10.0.0.0/24, then one of the routers, e.g. R4, has to do double-NAT translation.

(10.0.0.0/24) R4 -- R5 (10.0.0.0/24)

|

R1

So I found the config below for R4:

interface Loopback0
 ip address 150.1.4.4 255.255.255.0

interface FastEthernet0/0
 ip address 10.0.0.4 255.255.255.0
 ip nat inside

interface Serial0/0.1 point-to-point
 ip address 155.1.0.4 255.255.255.0
 ip nat outside
 frame-relay interface-dlci 405

interface Serial0/1
 ip address 155.1.45.4 255.255.255.0
 ip nat outside

ip nat inside source static network 10.0.0.0 44.44.44.0 /24
ip nat outside source static network 10.0.0.0 55.55.55.0 /24

The engineer for the above config initiated a ping from R4 to 55.55.55.5 and the ping was successful.

Can someone please explain to me the flow of the packet when you initiate the ping from R1 to 55.55.55.5?

OK, since the packet would be coming in on Fa0/0 and the interface is configured as ip nat inside, the source IP would be NATted to 44.44.44.1, which I could see from the debug capture.

So now the SA: 44.44.44.1 and DA: 55.55.55.5

This packet would now be routed through the serial interface configured as ip nat outside.

This is where I do not understand how the DA is NATted to 10.0.0.5.

My understanding is that ip nat outside translates the source address.

So would there be NAT configured on R5, and in this scenario, what if a user from the R5 LAN wants to communicate with R1? Do we need the same config as above on R5?

Can someone please explain this to me?

Thanks in advance.

inetmarks Thu, 01/08/2009 - 19:10

Thanks for the link. OK, what I understand is that we would require NAT on the ISP router if they need internal access.

OK, let us say R4 and R5 are connected by Metro Ethernet, a point-to-point connection, so in this case we do not have an ISP router in between. In this case, will this config still work?

Since I am very new to Cisco, I would very much appreciate it if someone could help me by giving a packet flow.

For example, in the earlier scenario when R1 initiates the ping to 55.55.55.5, I understand the source would be NATted to 44.44.44.1 and the destination would be 55.55.55.5.

On the R5 LAN end, the device IP would be in the 10.0.0.0/24 subnet, so where/when does the destination IP get NATted? I am really missing the packet flow.

Please help me to understand this. Thanks a lot.

Correct Answer
lejoe.thomas Thu, 01/08/2009 - 20:05

Hi,

There are two styles for this configuration since R4 and R5 both have the same IP subnet.

1) Configure NATTING on both R4 and R5

2) The one configured here, configure bidirectional NAT only on one of the routers, namely R4 in this case.

So to make this happen,

We need to translate the inside address on R4 to something unique. As you correctly noted, the inside address on R4 is translated to the 44.44.44.0/24 subnet. Now, for the packets that return from R5 (with source 10.0.0.0/24), the source address must be translated on R4.

Hence the statement

ip nat outside source static network 10.0.0.0 55.55.55.0 /24

So with the above configuration, R4 sees R5's 10.0.0.0/24 subnet as 55.55.55.0/24 and R5 sees R4's 10.0.0.0/25 subnet as 44.44.44.0/24.

I hope the example of the ping to 55.55.55.5 from R1 would make things clear.

1) First, the source address (in the 10.0.0.0/24 subnet) is translated to 44.44.44.1.

2) Next, the destination address (55.55.55.5) is translated to 10.0.0.5. When packets go from inside to outside, the NAT outside statement translates the destination address; this is the case here. When packets go from outside to inside, the NAT outside statement translates the source address of the packet.

3) So the packet is forwarded to R5 with SA 44.44.44.1 and with destination address 10.0.0.5. R5 (or the host with that address) replies with SA:10.0.0.5 and DA:44.44.44.1.

4) On R4, as said before, the NAT outside statement translates the source address when packets go from outside to inside. So SA:10.0.0.5 is mapped back to 55.55.55.5 and DA:44.44.44.1 is mapped back to the translated address in the 10.0.0.0/24 subnet on R4.

The only thing you need to be aware of is which address is translated in the NAT outside statement, depending on the direction.

To sum it up

ip nat inside: translates source address from inside to outside and destination address from outside to inside.

ip nat outside: translates source address from outside to inside and destination address from inside to outside.

The inside and outside refer to the interfaces configured as ip nat inside or ip nat outside.

So would there be NAT configured on R5, and in this scenario, what if a user from the R5 LAN wants to communicate with R1? Do we need the same config as above on R5?

No, all the NATing takes place on R4. R5 would see hosts in R4's LAN as the 44.44.44.0/24 subnet.

HTH

Lejoe
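
The four steps in the answer above, traced as an added example (not part of the original post and not Cisco code): a Python model of R4's two static network mappings. It assumes R1 is 10.0.0.1 on R4's LAN, which the 44.44.44.1 translation implies, and it models only the address rewriting, not routing.

```python
import ipaddress

# R4's mappings from the thread. Names follow Cisco's NAT terminology.
IN_LOCAL = ipaddress.ip_network("10.0.0.0/24")     # R4's real LAN
IN_GLOBAL = ipaddress.ip_network("44.44.44.0/24")  # how R5 sees R4's LAN
OUT_GLOBAL = ipaddress.ip_network("10.0.0.0/24")   # R5's real LAN
OUT_LOCAL = ipaddress.ip_network("55.55.55.0/24")  # how R4's LAN sees R5's LAN


def remap(addr, from_net, to_net):
    """Swap the prefix and keep the host bits, as 'static network' NAT does."""
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        return addr  # outside the mapped range: left untouched
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def r4_translate(src, dst, direction):
    """Return (src, dst) after R4's NAT for a packet crossing in `direction`."""
    if direction == "inside->outside":
        # inside rule rewrites the source, outside rule rewrites the destination
        return remap(src, IN_LOCAL, IN_GLOBAL), remap(dst, OUT_LOCAL, OUT_GLOBAL)
    if direction == "outside->inside":
        # outside rule rewrites the source, inside rule rewrites the destination
        return remap(src, OUT_GLOBAL, OUT_LOCAL), remap(dst, IN_GLOBAL, IN_LOCAL)
    raise ValueError(f"unknown direction: {direction}")


def ping_trace(src, dst):
    """Echo request from R4's LAN and the matching reply from R5's side."""
    request_on_wire = r4_translate(src, dst, "inside->outside")
    # The replying host swaps SA and DA; R5 itself does no NAT.
    reply_on_wire = (request_on_wire[1], request_on_wire[0])
    reply_on_lan = r4_translate(*reply_on_wire, "outside->inside")
    return request_on_wire, reply_on_wire, reply_on_lan


if __name__ == "__main__":
    labels = ("request R4->R5", "reply   R5->R4", "reply on R4 LAN")
    for label, (sa, da) in zip(labels, ping_trace("10.0.0.1", "55.55.55.5")):
        print(f"{label}: SA={sa} DA={da}")
```

The same address, 10.0.0.5, is an inside local address in one direction and an outside global address in the other; only the direction of travel across R4 decides which mapping applies.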

inetmarks Thu, 01/08/2009 - 21:53

Hi Lejoe,

Thanks for the explanation. I always thought only the source address gets NATted and not the destination; now I understand the concept.

In my scenario, R4 runs a point-to-point Metro Ethernet connection to R5, and they are both on the 192.168.0.0/24 subnet. The LANs on each end have overlapping subnets.

I had tried configuring ip nat inside on both routers, R4 and R5, and it did not work; now with your explanation I understand why it did not work.

I would like to try doing NAT just on R4 and see if this helps, and I am kind of positive about this.

Will reply to you soon.

Thanks again

lejoe.thomas Thu, 01/08/2009 - 22:32

Hi Ang,

Since the links are point-to-point, the configuration should be all the easier.

Assuming R4 is the NAT router, add the following:

#R4
ip route 55.55.55.0 255.255.255.0 next-hop-R5

#R5
ip route 44.44.44.0 255.255.255.0 next-hop-R4

Now, for example, a host (192.168.0.5) on R4's LAN needs to access a host on R5's LAN (55.55.55.2).

This is how the mapping will occur:

s=192.168.0.5->44.44.44.5, d=55.55.55.2
s=44.44.44.5, d=55.55.55.2->192.168.1.2

HTH

Lejoe

inetmarks Sun, 01/11/2009 - 20:33

Hi Lejoe,

I tested Double NAT and it worked well.

Thank you.

This Discussion

Posted January 8, 2009 at 5:44 PM