NAT with Reversible option

snarayanaraju
Level 4

Hi Experts,

I have a query about one fundamental concept.

In NAT, I am seeing the optional keyword "reversible". Cisco Literature says as below:

"(Optional) Enables outside-to-inside initiated sessions to use route maps for destination-based NAT."

I tried hard to understand and googled enough to know the use of this command. But I am not able to get any clues.

I tried this in a Lab environment also. The setup is as below:

R1 ---> R4-----> R5

R4 NAT CONFIG:

ip nat pool 1 150.1.4.100 150.1.4.101 prefix-length 24
ip nat pool 2 150.1.4.200 150.1.4.201 prefix-length 24
ip nat inside source route-map SAIRAM-1 pool 1
ip nat inside source route-map SAIRAM-2 pool 2

It is working fine if I initiate ICMP traffic from R1 to the R5 loopback (155.1.55.55). Once the NAT translation entry is created in R4, I am able to ping the R1 NATed IP (150.1.4.101, defined in the pool) from R5.

But after clearing NAT translation, I am not able to ping 155.1.4.101.

I expected that from R5 I would be able to ping the R1 NATed IP 150.1.4.101 even before the traffic is initiated from R1. It failed to work!!!!!

Can you give your valuable time to tell me, with an example, the purpose of this command?

Thanks in advance

sairam


7 Replies

royalblues
Level 10

The configs posted would create a dynamic NAT entry when the traffic is sourced from the inside network. Hence the ping works from outside only when there is already an established entry.

With the Reversible keyword, the entry should be created as soon as the router detects traffic flow from the opposite direction.

Else you will need static NAT entries to be able to ping from outside to inside.

ip nat inside source static 150.1.4.100 150.1.4.101

HTH

Narayan

Hi Narayan,

Thanks for your prompt reply.

In fact I tried the "reversible" keyword. It is also not working. You are very correct that dynamic NAT will work only if traffic is initiated from inside to outside.

I learned that the "reversible" keyword is the solution for this, so that traffic initiated from outside will work by creating a NAT translation entry.

But it is not working in my case. Am I making any mistake here?

Sairam

Sairam,

The "reversible" keyword is only applicable when you are using route-maps to check which inside addresses shall be translated.

Consider this configuration:

ip nat pool MyPool 192.0.2.10 192.0.2.10 netmask 255.255.255.0
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map MyRouteMap permit 10
 match ip address 1
!
ip nat inside source route-map MyRouteMap pool MyPool

Now, when I ping some outside address from 10.0.0.1, the "show ip nat translation" on this router looks as follows:

R2(config)#do show ip nat tran
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.0.2.10:4      10.0.0.1:4         192.0.2.2:4        192.0.2.2:4
R2(config)#

Note that only a particular entry for the flow of ping packets was created here. This would happen for all flows initiated from inside - the entry would be so specific on the transport protocol, addresses and ports that it would be impossible to initiate a new flow from outside and have it delivered to the inside device because it would not match any entry in the NAT translation table.

Now let's add the "reversible" keyword and see what happens:

ip nat inside source route-map MyRouteMap pool MyPool reversible

R2(config)#do show ip nat tran
icmp 192.0.2.10:5      10.0.0.1:5         192.0.2.2:5        192.0.2.2:5
---  192.0.2.10        10.0.0.1           ---                ---
R2(config)#

Note that there are now two entries. The first one is specific to the flow, however, the second entry simply puts the inside private and public address into mutual correspondence. Now, if somebody from outside initiates a connection to the address 192.0.2.10 (the inside global in this case), it will be translated back to the 10.0.0.1 thanks to this "template" entry that is not specific to any flow, just to the two corresponding addresses.

Moreover, this entry does not expire:

R2(config)#do clear ip nat tran *
R2(config)#do show ip nat tran
Pro  Inside global      Inside local       Outside local      Outside global
---  192.0.2.10        10.0.0.1           ---                ---
R2(config)#

So after a first packet went from inside to outside, the router with the "reversible" keyword created a mapping and entered this template entry into the NAT translation table so that, in the future, traffic from outside can come in and be forwarded to the inside machine.

Please ask further.

Best regards,

Peter
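The lookup behaviour Peter describes, modelled as an added example (this is not code from the thread or from Cisco; the table, the single-address pool and the prefix match standing in for the route-map are all constructed): without "reversible" only flow-specific entries exist, so an outside-initiated packet matches nothing; with it, an address-only template entry survives "clear ip nat translation *" and maps any outside host to the inside local address.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Toy model of the entries shown by 'show ip nat translation' (constructed)."""

    def __init__(self, pool_addr, inside_prefix, reversible=False):
        self.pool_addr = pool_addr          # single-address pool, e.g. 192.0.2.10
        self.inside_prefix = inside_prefix  # stands in for the route-map / ACL match
        self.reversible = reversible
        self.flows = set()    # (proto, inside_global, inside_local, outside, port)
        self.templates = {}   # inside_global -> inside_local (the "---" entries)

    def inside_to_outside(self, flow):
        """Inside-initiated packet: install a flow-specific entry and translate src."""
        if not flow.src.startswith(self.inside_prefix):
            return flow  # route-map does not match: forwarded untranslated
        self.flows.add((flow.proto, self.pool_addr, flow.src, flow.dst, flow.sport))
        if self.reversible:
            # reversible: also install the address-only template entry
            self.templates[self.pool_addr] = flow.src
        return replace(flow, src=self.pool_addr)

    def outside_to_inside(self, flow):
        """Outside packet to an inside global address; None means dropped (no entry)."""
        for proto, iglobal, ilocal, outside, port in self.flows:
            # flow entries are specific to protocol, both addresses and the port
            if (proto, iglobal, outside, port) == (flow.proto, flow.dst, flow.src, flow.dport):
                return replace(flow, dst=ilocal)
        if flow.dst in self.templates:
            # template entry: any outside host, any port, reaches the inside local
            ilocal = self.templates[flow.dst]
            self.flows.add((flow.proto, flow.dst, ilocal, flow.src, flow.dport))
            return replace(flow, dst=ilocal)
        return None

    def clear(self):
        """'clear ip nat translation *': flow entries go, the template entry stays."""
        self.flows.clear()
```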

Hi Peter,

I felt glad to see you again. Believe it, I have to record your answer as it is very detailed and to the point. Thanks for your efforts. I didn't find it on Google so far with this much detail.

I tested this again in my home lab and found this subtle difference. I also take this chance to ask for another clarification.

My observation is that "route-map" is used in two places in the NAT statement:

1st. It is for matching inside source traffic.

2nd. After the global NAT pool list (ip nat inside source list 1 pool 2 route-map xx).

My understanding is that it is used when the traffic comes from outside to inside and to match the route-map. Is that correct?

If so, I also observed that when I tried to map a certain global IP to a certain inside local IP using the below command, it didn't work unless I used the keyword no-alias after the reversible keyword. Meaning, if I remove the no-alias keyword, I am able to ping the inside host from any outside IP address. If I add the no-alias keyword, then I am able to ping the inside IP address only from the outside IP address defined in the route-map TEST.

COMMAND:

ip nat inside source static 10.1.1.1 150.1.45.5 route-map TEST reversible no-alias

Why, and what does this no-alias keyword do, and how is it significant in my scenario?

I hope you will help me, and thanks in advance.

sairam

Hello Sairam,

Believe me, it is also a pleasure for me to be back in touch with you.

Regarding the route-map used in two places in a NAT statement - I am sorry but I cannot confirm that. At least in my 12.4(12) IOS that I am doing my experiments with, the route-map is usable only instead of the "list" keyword. Have a look here:

R2(config)#ip nat inside source list 1 pool Test ?
  mapping-id  Associate a mapping id to this mapping
  oer         Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from outgoing Interface. All packets matching translation are forwarded over Interface for duration of translation.
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf

Regarding the "no-alias" keyword - I am somewhat puzzled by your description of what happened, but let me just explain "no-alias" and let's see if it somewhat correlates to your findings.

Imagine that you have a directly connected Ethernet network 192.0.2.0/24, and you are using the range of addresses 192.0.2.11 till 192.0.2.19 in your NAT pool. If a machine from inside wants to talk to somebody outside, the router will assign it some IP address from that NAT pool - say, 192.0.2.11 - and rewrite the IP address of the sender. However, when a reply comes back, that reply will be addressed to 192.0.2.11, and it will have to be encapsulated in some Ethernet frame with some destination MAC address. Obviously, it should be the MAC address of your router but how shall your neighbors know about it?

Your router solves this problem by creating artificial ARP entries for all addresses in the NAT pool to make sure that whenever its neighbor asks for the MAC address of any IP in that pool, your router will respond with its own MAC address.

Now, the keyword "no-alias" prevents this behavior. The router will not create those artificial ARP entries and will not answer on such requests. The neighboring routers will need to be specifically configured in their routing tables to deliver the packets for respective IP addresses in the NAT pool to your router.

Does it somehow explain what is happening to you? Can you post the entire configuration and the IP addresses you are using to test the NAT?

Best regards,

Peter

Hi Peter,

I tested the "no-alias" command. It is working perfectly as you mentioned. My observation is as below:

"show ip aliases" does not have an entry for the global inside IP address if the "no-alias" command is included in the NAT statement.

What is the advantage / purpose of this command? Any security reasons?

sairam

Hello Sairam,

I haven't used the "no-alias" personally but I believe that it can be attributed mostly to conserving system resources.

You can imagine that if you are using a large NAT pool that contains hundreds of addresses, maintaining all those aliases can be quite memory and CPU consuming. In that case, you can use the "no-alias" keyword and instead advertise the address range of the NAT pool in a routing protocol, for example:

ip nat pool MyPool 192.0.2.0 192.0.2.255 netmask 255.255.255.0
!
ip route 192.0.2.0 255.255.255.0 Null0
!
router XXX
 redistribute static ...
!
ip nat inside source list YYY pool MyPool no-alias

Best regards,

Peter
