NAT Question - Confused!!

Answered Question
Aug 16th, 2010

I have this configuration on one of my routers.


#ip nat inside source static 10.151.16.47 213.234.32.69 route-map ABC reversible


#sh route-map ABC

route-map ABC, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102
  Set clauses:
  Policy routing matches: 0 packets, 0 byte


#sh access-lists 102
Extended IP access list 102
    10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255 (140 matches)
    20 permit ip host 10.151.16.47 10.10.126.0 0.0.0.255 (4 matches)
    30 permit ip host 10.151.16.47 10.10.130.0 0.0.0.255 (11 matches)
    40 permit ip host 10.151.16.47 10.10.131.0 0.0.0.255 (3 matches)


Network topology is (10.151.16.47 subnet, IP NAT Inside) gi 0/1 --> R 3825 --->  gi 0/0 (IP NAT Outside, 10.10.125/126/130/131.0 Subnet)


This is a reverse NAT, meaning destination NAT, but I am unable to understand how it works when someone from 10.10.125.0 accesses 10.151.16.47.


Could anybody explain please? Thanks.


Correct Answer by kathpric about 6 years 9 months ago

It depends which direction the traffic is going, inside to outside, or outside to inside.  Here is a document that covers both:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


-Kathy


Jon Marshall Mon, 08/16/2010 - 14:02

munawar.zeeshan wrote:


I have this configuration on one of my routers.


#ip nat inside source static 10.151.16.47 213.234.32.69 route-map ABC reversible


#sh route-map ABC

route-map ABC, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102
  Set clauses:
  Policy routing matches: 0 packets, 0 byte


#sh access-lists 102
Extended IP access list 102
    10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255 (140 matches)
    20 permit ip host 10.151.16.47 10.10.126.0 0.0.0.255 (4 matches)
    30 permit ip host 10.151.16.47 10.10.130.0 0.0.0.255 (11 matches)
    40 permit ip host 10.151.16.47 10.10.131.0 0.0.0.255 (3 matches)


Network topology is (10.151.16.47 subnet, IP NAT Inside) gi 0/1 --> R 3825 --->  gi 0/0 (IP NAT Outside, 10.10.125/126/130/131.0 Subnet)


This is a reverse NAT, meaning destination NAT, but I am unable to understand how it works when someone from 10.10.125.0 accesses 10.151.16.47.


Could anybody explain please? Thanks.



It's only a destination NAT if the packets are originating from outside. If the packets are originating from the inside it is a source NAT, i.e. the above statement means:


1) if the host 10.151.16.47 sends a packet to any of the 4 networks in ACL 102 then the source address is changed to 213.234.32.69


and


2) if any host on the 4 networks in ACL 102 sends a packet to 213.234.32.69 the destination address is changed to 10.151.16.47


Jon

munawar.zeeshan Mon, 08/16/2010 - 14:41

Yeah, that makes sense. Two more questions:


1) Is the above configuration OK? Do you see any issue in it?


2) So as you said, in the case of destination NAT, the ACL and IP NAT INSIDE SOURCE STATIC... commands will be read in the reverse direction, right?

Correct Answer
Jon Marshall Mon, 08/16/2010 - 14:44

munawar.zeeshan wrote:


Yeah, that makes sense. Two more questions:


1) Is the above configuration OK? Do you see any issue in it?


2) So as you said, in the case of destination NAT, the ACL and IP NAT INSIDE SOURCE STATIC... commands will be read in the reverse direction, right?


1) Looks okay but then again depends on what you are trying to achieve. Difficult to say.


2) All NATs are source AND destination, it just depends on which direction the traffic is flowing. So yes, I guess you could say you can read your statement in reverse order to understand the destination side of it.


Jon

munawar.zeeshan Mon, 08/16/2010 - 15:08

Sorry, one more thing.


When a packet arrives at the router, will it first match the ACL, undergo NATing or check routing? What will be the sequence of these three activities in the same scenario/config as mentioned before in my post?


Also, how will you read this NAT statement in both directions? The ACL IPs are not in the IP NAT statement. Can you please elaborate for me? Thanks in advance.


# ip nat inside source static 208.38.23.206 10.151.0.200 route-map XYZ reversible


#sh route-map XYZ

route-map forManila, permit, sequence 10
  Match clauses:
    ip address (access-lists): 104
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

#sh access-lists 104
Extended IP access list 104
    10 permit ip 10.150.0.0 0.0.255.255 host 144.36.169.251 (425 matches)
    20 permit ip 10.150.0.0 0.0.255.255 host 144.36.168.216
    30 permit ip 10.150.0.0 0.0.255.255 host 144.36.175.18 (373144 matches)
    40 permit ip 10.150.0.0 0.0.255.255 host 144.36.55.88



munawar.zeeshan Tue, 08/17/2010 - 09:16

Thanks Price, it was helpful.


Now waiting for reply to my last query, as stated above too.



"How will you read this NAT statement in both directions? The ACL IPs are not in the IP NAT statement. Can you please elaborate for me? Thanks in advance.


# ip nat inside source static 208.38.23.206 10.151.0.200 route-map XYZ reversible


#sh route-map XYZ

route-map forXYZ, permit, sequence 10
  Match clauses:
    ip address (access-lists): 104
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

#sh access-lists 104
Extended IP access list 104
    10 permit ip 10.150.0.0 0.0.255.255 host 144.36.169.251 (425 matches)
    20 permit ip 10.150.0.0 0.0.255.255 host 144.36.168.216
    30 permit ip 10.150.0.0 0.0.255.255 host 144.36.175.18 (373144 matches)
    40 permit ip 10.150.0.0 0.0.255.255 host 144.36.55.88 "

kathpric Tue, 08/17/2010 - 15:39

That configuration shouldn't work.  From inside to outside, a packet with source 208.38.23.206 will be checked against the route map and fail since the access-list doesn't match for 208.38.23.206 as a source IP.  If you did have an ACL entry that matches the source IP of 208.38.23.206, it would also check the destination IP of the packet against the ACL in order as per usual ACL checks.


For outside to inside, a packet with destination 10.151.0.200 will be checked against the reverse of this access-list.  It will fail since it doesn't match 10.151.0.200.  If your ACL was changed to:


#sh access-lists 104
Extended IP access list 104
    10 permit ip any host 144.36.169.251
    20 permit ip any host 144.36.168.216
    30 permit ip any host 144.36.175.18
    40 permit ip any host 144.36.55.88


In this case then NAT would take place from inside to outside if the destination of the packet were any of the four 144.36.x.x hosts you have defined.  From outside to inside, NAT would be successful if the source of the packet were one of these four IPs.
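A small simulation of the two-direction reading that Jon and Kathy describe above, added here as an illustration (it is not Cisco code and not output from the poster's router): it models the second configuration (208.38.23.206 / 10.151.0.200 with access-list 104) as first-match ACL entries and applies Jon's inside-to-outside and outside-to-inside rules. The reverse check is evaluated on the packet as it arrives, with source and destination swapped, which is how Kathy's post reads it; the ACL models and the packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Static entry from the thread:
#   ip nat inside source static 208.38.23.206 10.151.0.200 route-map XYZ reversible
INSIDE_LOCAL = "208.38.23.206"
INSIDE_GLOBAL = "10.151.0.200"

# Constructed ACL models as (source prefix, destination prefix) tuples, first
# match wins, implicit deny at the end.  ORIGINAL_ACL_104 is the poster's list
# (source 10.150.0.0/16); CORRECTED_ACL_104 is Kathy's "permit ip any host ..." version.
DEST_HOSTS = ["144.36.169.251", "144.36.168.216", "144.36.175.18", "144.36.55.88"]
ORIGINAL_ACL_104 = [("10.150.0.0/16", f"{h}/32") for h in DEST_HOSTS]
CORRECTED_ACL_104 = [("0.0.0.0/0", f"{h}/32") for h in DEST_HOSTS]


def acl_permits(acl, src, dst):
    """True if the first matching entry permits (src, dst); False on implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net in acl:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return True
    return False


def translate(acl, src, dst, direction):
    """Apply the route-map-conditioned static NAT to one packet.

    Returns the (src, dst) pair after the router has processed it; an unchanged
    pair means the route map did not permit the translation in that direction.
    """
    if direction == "inside->outside":
        # Jon's case 1: the source is the inside local address and the ACL
        # permits (src, dst) as written, so the source becomes the inside global.
        if src == INSIDE_LOCAL and acl_permits(acl, src, dst):
            return (INSIDE_GLOBAL, dst)
    elif direction == "outside->inside":
        # Jon's case 2 / Kathy's reverse check: the destination is the inside
        # global address and the ACL is read with source and destination swapped.
        # Assumption (from Kathy's post): the check sees the untranslated packet.
        if dst == INSIDE_GLOBAL and acl_permits(acl, dst, src):
            return (src, INSIDE_LOCAL)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return (src, dst)
```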
