nat overload(pat)

Answered Question
Feb 22nd, 2009

Hi everybody!

h1 and h2 are connected to an L2 switch which is connected to routerA; routerA is connected to routerB via s0.

Suppose routerA is performing NAT using PAT. RouterA is using s0's IP as inside global.

Now h1 and h2 send ping packets to routerA. PAT requires a UDP or TCP port, and ping does not use TCP/UDP ports; it uses ICMP, which is a layer 3 protocol. With that in mind, how can routerA multiplex the two pings as there is no port number?

I ran the test and was shocked to find that ra indeed uses the port number. I ping from h1 (199.199.199.10) to 200.200.200.2. Below is the result on ra (the NAT router):

RouterA#show ip nat translation
Pro  Inside global        Inside local         Outside local        Outside global
icmp 200.200.200.1:512   199.199.199.10:512   200.200.200.2:512    200.200.200.2:512

-------------------------

I am just wondering about the port numbers. h1 sends the ping packet with src port 512;

ra does not change the port; it uses the same port number.

How about if two hosts h1 and h2 send ping packets to ra with the same src port, say 512? Will ra now intervene and change the port number for one of the connections?

The second thing that puzzles me is that ICMP, being a layer 3 protocol, should not use TCP or UDP ports, but in my test I find ping packets with port numbers. Any insight?

Thanks a lot!

Giuseppe Larosa Sun, 02/22/2009 - 12:21

Hello Sarah,

This is a very good question.

The ICMP header is minimal but provides space for a message type code and for a sequence number and an identifier.

Guess: it can be this identifier field.

See

http://security.maruhn.com/iptables-tutorial/x1078.html

* Identifier - This is set in the request packet, and echoed back in the reply, to be able to keep different ping requests and replies together.

* Sequence number - The sequence number for each host, generally this starts at 1 and is incremented by 1 for each packet.

This can be enough to perform a basic multiplexing of ICMP packets and to be able to send answers back to inside hosts.

The protocol is declared to be ICMP.

The meaning of 512 should be looked up in the security or IP services command reference.

Edit:

Unfortunately it is not explained:

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1013751

Guess: it can be this identifier field.

Hope to help

Giuseppe

sarahr202 Sun, 02/22/2009 - 13:05

Thanks Giuseppe!

You are right: what I thought was a UDP/TCP port number is in fact the "identifier" in the ICMP header.

The question is: if a router performing NAT using "PAT" receives a packet such as ping without any UDP or TCP ports, will it generate the UDP/TCP header and substitute the src port number with the "identifier" to keep the connection/sockets unique?

Thanks a lot!

Correct Answer
Giuseppe Larosa Sun, 02/22/2009 - 13:20

Hello Sarah,

No UDP/TCP headers are used; simply the IPv4 header is translated, changing the source IP address and the header checksum.

The ICMP header allows sending and receiving the translated packets without any ambiguity, thanks to the presence of the two fields identifier and sequence number.

This means the router needs to store the state of ICMP packets to know that the ICMP reply with id x has to be translated to inside local 10.10.10.3 instead of 10.10.10.4.

From this point of view, sh ip nat translations shows the states of the translations:

for ICMP it is enough to associate identifier x with an inside local address.

Hope to help

Giuseppe

Correct Answer
badalam_nt Sun, 02/22/2009 - 13:53

Hi Sarah,

During a set of pings (5 pings for instance) all those pings will have the same ICMP Identifier value.

Then the router will use this ICMP Identifier field from the ICMP header in place of the UDP/TCP port, and so only one translation entry will be done by the router:

Pro Inside global Inside local Outside local Outside global

icmp : : : :

A more complicated issue is when the ping is fragmented, as then the ICMP header is contained only in the first fragment. To deal with this case the router performs a deeper look inside the IP header to check the IP Identifier value, in order to see if that IP packet is a fragment for which the router already has a translation entry.

More details on ICMP fragmentation with NAT are to be found at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml
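As an added illustration (not code from this thread or from Cisco IOS), the following Python model puts the two answers together: the translation is keyed on the ICMP Identifier instead of a TCP/UDP port, a second inside host that reuses an Identifier already in the table is given a free one (the way PAT rewrites a colliding source port; RFC 5508 requires NATs to translate the Identifier of ICMP queries), echo replies are mapped back to the right inside host by that Identifier, and non-first fragments, which carry no ICMP header, are matched on the IP Identification recorded when the first fragment was translated. The addresses are the ones from the question; the IpPacket and IcmpPat names, and the "next free Identifier" collision rule, are this example's own assumptions.

```python
"""Toy model of PAT for ICMP echo (constructed example, not IOS code)."""
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP echo request/reply: type, code, checksum, identifier, sequence."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes):
    """Return (type, identifier, sequence, payload); rejects a bad checksum."""
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq, msg[8:]


@dataclass
class IpPacket:
    src: str
    dst: str
    ip_id: int        # IP Identification, shared by all fragments of one datagram
    frag_offset: int  # 0 for the first (or only) fragment
    data: bytes       # ICMP message, or a raw slice of it for later fragments


class IcmpPat:
    """One inside-global address (routerA's s0 address) shared by many inside hosts."""

    def __init__(self, inside_global: str):
        self.inside_global = inside_global
        self.out = {}    # (inside local, local identifier) -> global identifier
        self.back = {}   # global identifier -> (inside local, local identifier)
        self.frags = {}  # (inside local, IP id) -> global identifier, from first fragment

    def _global_id(self, inside_local: str, ident: int) -> int:
        key = (inside_local, ident)
        if key not in self.out:
            gid = ident                 # keep the host's own identifier when free...
            while gid in self.back:     # ...otherwise take the next free one (assumed rule)
                gid = (gid + 1) & 0xFFFF
            self.out[key] = gid
            self.back[gid] = key
        return self.out[key]

    def outbound(self, pkt: IpPacket):
        """Translate an inside->outside packet; returns the rewritten packet or None (dropped)."""
        if pkt.frag_offset == 0:
            icmp_type, ident, seq, payload = parse_echo(pkt.data)
            if icmp_type != ICMP_ECHO_REQUEST:
                return None
            gid = self._global_id(pkt.src, ident)
            self.frags[(pkt.src, pkt.ip_id)] = gid
            data = build_echo(icmp_type, gid, seq, payload)   # checksum recomputed
        else:
            # Non-first fragment: no ICMP header to inspect, so match on the IP
            # Identification recorded when the first fragment was translated.
            if (pkt.src, pkt.ip_id) not in self.frags:
                return None
            data = pkt.data
        return IpPacket(self.inside_global, pkt.dst, pkt.ip_id, pkt.frag_offset, data)

    def inbound(self, pkt: IpPacket):
        """Translate an outside->inside echo reply back to the inside host that owns the identifier."""
        icmp_type, ident, seq, payload = parse_echo(pkt.data)
        if icmp_type != ICMP_ECHO_REPLY or ident not in self.back:
            return None                 # no translation state for this reply: drop
        inside_local, local_id = self.back[ident]
        return IpPacket(pkt.src, inside_local, pkt.ip_id, 0,
                        build_echo(icmp_type, local_id, seq, payload))


if __name__ == "__main__":
    nat = IcmpPat("200.200.200.1")
    h1 = IpPacket("199.199.199.10", "200.200.200.2", 1, 0, build_echo(8, 512, 1, b"abcd"))
    h2 = IpPacket("199.199.199.11", "200.200.200.2", 7, 0, build_echo(8, 512, 1))
    for p in (h1, h2):
        t = nat.outbound(p)
        print(f"{p.src} id {parse_echo(p.data)[1]} -> {t.src} id {parse_echo(t.data)[1]}")
```

With the two hosts both using Identifier 512, h1 keeps 512 on the outside (matching the show output in the question) and h2 is rewritten to 513, so a reply carrying 513 is sent back to 199.199.199.11 with its original Identifier restored.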
