NAT or CEF - Which takes precedence?

Unanswered Question
Feb 7th, 2010

Could any anyone confirm to me which of NAT or CEF takes precedence when both are configured on a router.

I have CEF enabled globally to load balance Internet traffic between two ISP connections on a per source/destination combination basis but also NATed (dynamically & statically) inside addresses to the 2 ISP connections using route maps. I would like to know what happens when a traffic is subject to the 2 features which is first consulted. Does the traffic get NATed first before being CEF switched or the other way? I have assumed until now that it is first CEF switched before being NATed. I however would like to be certain. I am especially concerned about static NAT where a connection was initated from outside through one of the ISP interfaces and a translation has already been created. Now since CEF sees the 2 paths as equal for the reply, does the NAT translation take precedence and therefore forward the reply back through the ISP interface the request came in from since a translation already exists even if CEF per source/destination algorithm prefers the other ISP connection?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tolugbala Sun, 02/07/2010 - 12:01

Hello Milan,

Thanks for your response. I've gone through the references but I dont think they have quite answered my question. I suppose I should explain better.

Suppose I have the following static NAT configurations on my dual internet router which map a global ip per ISP and port 25 to the same internal mail server ip address & smtp port.

ip nat inside source static tcp 25 25 extendable

ip nat inside source static tcp 25 25 extendable

Automatical two NAT translations are created thus

Inside Global         Inside Local       Outside Local   Outside Global    ---                   ---    ---                   ---

With CEF also enabled globally on the router for 2 equal preference static default routes, one through ISP1 & the other through ISP2, typing sh ip cef exact-route command gives         -> :FastEthernet0/1

This means traffic from to will be CEF switched through the second ISP interface (

My question is what happens if an SMTP connection request is initiated from through first ISP interface ( which would create a translation entry, for instance:

Inside Global          Inside Local        Outside Local           Outside  Global

to allow a response to flow back the same path?

Will the response from to that connection request disregard CEF (even though CEF switching algorithm has determined a different path for the pair's traffic) and follow the NAT translation or is it hard-bound to CEF and therefore get sent to through thus possibly breaking the establishment of a session?



milan.kulik Thu, 02/11/2010 - 07:33

Hi Bolu,

IMHO, the NAT process does not care which interface did the incoming packet take in a case of static NAT translations - it would just create two static entries in the translation table in your case.

And the outgoing packet would use one of them (the first probably) no matter which interface it would use when sent out.

So your config would not work properly.

IMHO, you need to use this feature

(see the config example) to fulfil your requests.

Edited: The example would need to be modified a little, using match interface or match ip next-hop would be necessary under the route-map in your case instead of matching IP address.



Message was edited by: milan.kulik

tolugbala Thu, 02/11/2010 - 14:16

Thanks again Milan,

I actually just went through the reference you cited a few hours before your notification of your post came in and I think it makes NAT more predictable but I'm afraid it still does not clarify my NAT/CEF interaction question. The reference clarifies for me conclusively how the traffic would follow back & forth given two abiguous static NAT translations exisiting on a router. Fine! What if CEF is enabled on the same router? Does CEF take place before NATing or does NATing take place before CEF?

Consider a router with 1 LAN interface and 2 WAN interfaces. The LAN interface has ip nat inside while the WAN interfaces have ip nat outside configuration. 2 ambiguous fully extended static NAT entries are configured as in my previous example for the same internal smtp server. Assume a connection to the smtp server is initiated from an outside global IP through WAN interface 1. Without CEF, I know that the reply would certainly follow the translation entry of the initial connection request (WAN interface 1) as NAT would always check for an existing translation entry and if one is found it would not bother consulting access-lists or even route maps. This is according to NAT order of operation. NAT would not use the second static entry since that would not match the reply's Destination Address & Port (DA & P) whereas the initial request through WAN interface 1 would have created a matching return path of DA & P. So far we are yet to introduce CEF and we know the return path. If we introduce CEF, does the return path remain the same? I mean when the LAN PC replies and the reply gets to the router's LAN interface, does CEF act on the reply first or is it NAT that acts on the reply first? Note that if CEF acts first, CEF would determine the return path by hashing the SA/DA pair. The SA would yet be the LAN IP and not the NATed IP. If however NAT acts on it first, NAT would have translated it to the entry and prevent CEF from switching.

So my question really is what is the order of operation between NAT & CEF?

From my lab tests, I have noticed that inside source dynamic NAT translations are first CEF switched before being NATed where both NAT & CEF are enabled on a router. I am however yet to be able to determine exactly the pattern for inside source static translations.



milan.kulik Fri, 02/12/2010 - 05:19

Hi Bolu,

a) I'd replace "CEF" with "routing" here, as NAT is many times not supported by CEF directly, causing punts to Process Switching.

b) I don't agree with "So far we are yet to introduce CEF and we know the return path." You always have to involve routing to get the path to forward the packet.

Look at the

and you'll see when sending packet out to the Internet, policy routing, routing are being run and then NAT inside to outside (local to global translation), while when receiving packet from the Internet, NAT outside to inside (global to local translation) is done firest and policy routing, routing then.

This makes sense if inside source routing is involved only.

IMHO, you need something more complex here.

Look at

for some ideas.

I'd try configuring outside source dynamic NAT additioanlly to your inside source static NAT.

Maybe using LAN interface IPaddress as the Outside Local address (with overload option) for all packets sent to both your Inside Global static addresses?

That way, incoming packets would create a dynamic NAT entry within the translation table when received.

Your server would reply to the same IP address all the time.

When a packet would be sent back to the Internet, you router would first look into the address translation table for the outside address translation, make the translation and based on the routing chose the outgoing interface.

Using the inside source static NAT with route maps I suggested in my previous reply, it would translate the packet source address then.

I see this VERY complicated.

Maybe it would be easier to involve two routers running a simple inside source static NAT?

You could configure a HSRP virtual address as a default GW in your LAN then. And that two routers would run iBGP to chose the correct outgoing path.

Would not that be easier?




This Discussion