Cisco Support Community

ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Aamer Akhter Network Address Translation (NAT), which is designed for IP address simplification and conservation. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Mr. Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Mr. Akhter is also the vice-chair of the Certification Work Group of the MFA Forum.

Remember to use the rating system to let Mr. Akhter know if you have received an adequate response.

Mr. Akhter might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 24, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

63 REPLIES
Bronze

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

I have a kind of weird question.

Let's say I have a router with three interfaces, where E0 is NAT outside and E1 and E2 are NAT inside.

E0 is in a VRF called ZERO, E1 is in a VRF called ONE and finally E2 is in a VRF called TWO.

Now assuming I already did the import/export rules, how would I NAT, using overload, the source addresses from VRFs ONE and TWO to the IP on interface E0?

Like this:

ip nat source list 100 interface Ethernet 0 vrf ZERO overload

Or like this:

ip nat source list 100 interface Ethernet 0 vrf ONE overload
ip nat source list 100 interface Ethernet 0 vrf TWO overload

Is this at all possible?

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

tekha,

NAT such as you've described is certainly possible. The config would be the latter:

ip nat source list 100 interface Ethernet 0 vrf ONE overload
ip nat source list 100 interface Ethernet 0 vrf TWO overload

As a second route lookup is done in the destination VRF, make sure that the router's VRF ZERO can route the packet after translation. In regular VRF hopping, only a single lookup is done (which is in the source VRF), and the destination IP does not actually have to be routable by the destination VRF on this particular.

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Our NAT pool is becoming corrupt and duplicate IPs on the public side are our main BIG problem! We just upgraded from IOS 12.2 to 12.3 to take advantage of the new rate-limiting features. My problem is that 2-3 times a day I have to perform a "clear ip nat trans *". We are an ISP with right around 1500 DSL users all doing NAT translations on the router. I have four full Class C addresses available in my NAT pool. When a DSL customer becomes infected with a virus that does some sort of probing and scanning, our NAT pool gets "chewed up" and I have to clear it to restore service to our customers. Also, daily I see two customers with private addresses somehow getting NAT'ed to a public IP that is already NAT'ed to someone else. So the customer has 50% packet loss in this case because two customers are sharing one public address. How this happens I don't know. It's almost like the previous customer who had that address never fully released it to the pool. Can you please offer some recommendations to me.

Thank You Very Much!

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

1. On the infected hosts probing/scanning and consuming the NAT pool, the NAT rate-limit feature is certainly one of the correct features. Additionally, you may want to use a combination of NetFlow and analyzer software to take protection measures.

2. For the second problem, where two customers are 'sharing' a public address: similar problems have been seen in SSG scenarios. I mention this because you have specifically called out being a DSL provider. I would highly recommend collecting the relevant information such as ‘show ip nat translation’ when the problem is occurring and contacting the TAC.

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Is it possible to create 2 NAT pools from contiguous address space while not using a middle portion of the addresses, while using a single source list?

For example we would like to use addresses 10.12.91.4-.30 but not include addresses .15-.19 in this NAT pool.

We tried creating 2 separate source lists with the same addressing and also another technique of statically NATing those unwanted addresses, but neither works.

e.g.

ip nat pool example1 10.12.91.4 10.12.91.30 netmask 255.255.255.0
ip nat inside source list 1 pool example1
ip nat inside source static 1.1.1.1 10.12.91.15
ip nat inside source static 1.1.1.2 10.12.91.16
ip nat inside source static 1.1.1.3 10.12.91.17
ip nat inside source static 1.1.1.4 10.12.91.18
ip nat inside source static 1.1.1.5 10.12.91.19
access-list 1 permit 192.168.0.0 0.0.255.255

Any help is much appreciated.

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Tony,

If you create two ranges under the pool, the .15-.19 can be excluded from the pool. E.g.:

ip nat pool testPool prefix-length 24
 address 10.12.91.4 10.12.91.14
 address 10.12.91.20 10.12.91.30
ip nat inside source list 100 pool testPool

Regards,
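Both points the expert has made so far, a per-host limit so that one scanning customer cannot chew up the whole pool, and a pool built from two address ranges with the .15-.19 gap left out, can be seen in one small model. What follows is an added example for this page, written in Python rather than IOS, and is not the thread's configuration or Cisco's code. The pool mirrors the two-range pool in the reply above; the per-host cap is an assumption about how the NAT rate-limiting feature behaves (a fixed number of translations per inside host, extra flows dropped); the 100-port range per address and the scanning traffic are constructed so that exhaustion shows up within a few thousand flows.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple as seen on the inside interface (inside local addressing)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatPool:
    """Pool assembled from one or more 'address lo hi' ranges, as in the
    two-range pool above; addresses in the gap between ranges are never used."""

    def __init__(self, *ranges):
        self.addresses = []
        for lo, hi in ranges:
            a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
            if a > b:
                raise ValueError(f"range {lo}-{hi} is reversed")
            self.addresses += [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]
        if not self.addresses:
            raise ValueError("pool has no addresses")


class PatRouter:
    """Overload (PAT) translation table with an optional per-host cap.
    The cap is the modelled equivalent of a per-host translation limit
    (assumption: this is what the rate-limiting feature does for one host)."""

    def __init__(self, pool, max_per_host=None, ports=(1024, 1123)):
        self.pool = pool
        self.max_per_host = max_per_host
        self.port_lo, self.port_hi = ports
        self.table = {}                       # Flow -> (inside global, global port)
        self.per_host = defaultdict(int)      # inside local -> translations held
        self.next_port = {a: self.port_lo for a in pool.addresses}

    def translate(self, flow):
        """Return (global address, global port), or None if the flow is dropped."""
        if flow in self.table:
            return self.table[flow]
        if self.max_per_host is not None and self.per_host[flow.src] >= self.max_per_host:
            return None                       # host over its limit: dropped, pool protected
        for addr in self.pool.addresses:      # walk the pool in order, one port per flow
            port = self.next_port[addr]
            if port <= self.port_hi:
                self.next_port[addr] = port + 1
                self.table[flow] = (addr, port)
                self.per_host[flow.src] += 1
                return self.table[flow]
        return None                           # every address/port pair is in use

    def clear_translations(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.table.clear()
        self.per_host.clear()
        self.next_port = {a: self.port_lo for a in self.pool.addresses}


def scan(router, src, n):
    """One host probing n distinct destinations; returns how many flows got translated."""
    return sum(
        router.translate(Flow(src, 40000 + i, f"203.0.113.{i % 254 + 1}", 445)) is not None
        for i in range(n)
    )


def demo(cap=None):
    """Uncapped: the scanner takes every slot and a normal user is dropped.
    Capped: the scanner is cut off and the normal user still gets a translation."""
    pool = NatPool(("10.12.91.4", "10.12.91.14"), ("10.12.91.20", "10.12.91.30"))
    router = PatRouter(pool, max_per_host=cap)      # 22 addresses x 100 ports = 2200 slots
    scanned = scan(router, "192.168.1.50", 5000)    # infected host (constructed traffic)
    user = router.translate(Flow("192.168.1.51", 50000, "198.51.100.10", 443))
    return scanned, user


if __name__ == "__main__":
    print("uncapped:", demo())
    print("capped:  ", demo(cap=300))
```

Running it prints the uncapped case first: the scanner holds all 2200 slots and the second host gets None, which is the ISP's daily clear-the-table situation in miniature; with the cap at 300 the scanner is stopped after 300 flows and the second host is translated to the first address with free ports.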

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Aakhter,

Thanks for your help, the config you provided works perfectly.

Tony

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Aamer,

Any comments about "NAT Traversal" and the many "flavors" of NAT-T?

Universal Plug and Play (UPnP) Internet Gateway Devices as manufactured by Linksys and others use a different form of NAT-T that is "controlled" by UPnP. At the present time, there seems to be no similar functionality in Cisco IOS, especially for the ISR routers (800s/1800s) that are "targeted" toward the SMB market.

With Cisco's "Trade-Up" program, there may be Linksys owners that wish to trade up to Cisco SMB products, but need the UPnP/NAT-T functionality that was available to them on the Linksys platform. On the other hand, they may have devices or applications that require UPnP/NAT-T functionality.

I know that at one time Cisco was considering implementing UPnP/NAT-T for at least their SMB product line. Has there been any update on this?

Thanks,

Tim

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Tim,

Until the wider deployment of IPv6, NAT-T solutions are a fact of life. There is an IETF working group (MIDCOM) for a standardized solution (TIST), but as far as I know there has not been great acceptance or industry consensus.

As you've already stated, there are a variety of solutions that have been developed over the years.

With regards to UPnP, what I would be personally wary of are the security considerations (or more accurately, lack of) in the SMB market. But, your point of the upgrade from Linksys to IOS is taken. I am currently unaware of any public posture on UPnP specifically for NAT-T by Cisco. I’ll find out and update this thread.

Regards,

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Aamer,

Thanks for the update!

Without UPnP some common "support tools" used by SMB's just do not function. One happens to be "Remote Assistance" which just does not like non-UPnP NAT devices on either end.

Some additional information may be “gleaned” from the following:

Step-by-Step Guide to Remote Assistance, by John Kaiser. Published July 1, 2001; updated August 15, 2001.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rmassist.mspx

Description of the Remote Assistance Connection Process. Microsoft KB article 300692, revision 6.1, last reviewed January 15, 2006.
http://support.microsoft.com/default.aspx?scid=kb;en-us;300692

Supported connection scenarios for Remote Assistance. Microsoft KB article 301529, revision 2.2, last reviewed January 25, 2006.
http://support.microsoft.com/default.aspx/kb/301529/

Offering Remote Assistance. Microsoft Corporation, June 2003.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpchealth/html/remoteassistanceapi.asp

Microsoft Helpdesk Use of Remote Assistance in Windows XP Professional. Published May 1, 2002; updated October 1, 2004.
http://www.microsoft.com/technet/itsolutions/msit/deploy/hlpratcs.mspx

"Remote Assistance" offers a "low cost", "no touch" (meaning nothing has to be installed or configured on the client side) solution for SMBs, and is in "common use". However, in most cases UPnP is required.

Thanks,

Tim

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hi,

Static Nat and Route-map.

My network has DMZ (192.168.0.0/24) and LAN (172.29.8.0/24) segments.

I want to static NAT one of the DMZ servers, 192.168.0.10, to the LAN address 172.29.8.180.

I also want to allow the DMZ server to be accessed from the Internet.

I have a VPN set up between LAN 172.29.8.0/24 and 172.29.150.0/24 (H.O.).

So after doing the static NAT of the DMZ server (192.168.0.10) to the LAN address (172.29.8.180), is it possible to access the DMZ server from H.O. through the VPN?

!
interface FastEthernet0/0
 description Interface Inside$FW_INSIDE$
 ip address 172.29.8.100 255.255.255.0
!
interface FastEthernet0/1
 description Interface Outside$FW_OUTSIDE$
 ip address A.B.C.2 255.255.255.0
!
interface Vlan1
 description Interface DMZ$FW_DMZ$
 ip address 192.168.0.1 255.255.255.0
!
ip nat pool pool-1 A.B.C.30 A.B.C.31 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload
ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable no-alias
ip nat inside source static 192.168.0.10 172.29.8.180 route-map VPN-DMZ-LAN extendable no-alias
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map VPN-DMZ-LAN permit 1
 match ip address 115
!
#show access-list 104
Extended IP access list 104
    10 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
    20 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255   <<<=== Is this statement required?
    30 permit ip 192.168.0.0 0.0.0.255 any
    40 permit ip 172.29.8.0 0.0.0.255 any
#
#show access-list 115
Extended IP access list 115
    10 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
#

HO will access the server(192.168.0.10) in DMZ with IP address 172.29.8.180, as the VPN is between 172.29.150.0/24(HO) and 172.29.8.0/24(BO).

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hello,

In general the answer to the question of whether the VPN'd users can access the DMZ server via the translated address is yes.

A couple of comments on the config:

1. You will need 'ip nat outside' on FE0/0 and FE0/1. You will need 'ip nat inside' on Vlan1.

2. For the translation attached to route-map VPN-DMZ-LAN, you will need to remove the no-alias. This is needed because the router needs to respond to ARP requests for 172.29.8.180.

3. I don't believe that acl115 is correct, as it doesn't have the DMZ range in it. Perhaps something like:

10 permit ip 192.168.0.0 0.0.255.255 172.29.8.0 0.0.0.255
20 permit ip 192.168.0.0 0.0.255.255 172.29.150.0 0.0.0.255

4. I believe that acl104 should be similar to:

10 deny ip 192.168.0.0 0.0.0.255 172.29.8.0 0.0.0.255
20 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255
30 permit ip 192.168.0.0 0.0.0.255 any

Regards,

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hi,

I have attached config file.

The VPN is between 172.29.8.0/24 (B.O.) and 172.29.150.0 (H.O.).

So why is the ACL

ip 192.168.0.0 0.0.255.255 172.29.8.0 0.0.0.255
ip 192.168.0.0 0.0.255.255 172.29.150.0 0.0.0.255

needed?

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Ah, OK, so after looking at your config, I understand now that this router IS the VPN gateway and that the VPN gateway is not another router connected via the LAN.

The ACL entries:

ip 192.168.0.0 0.0.255.255 172.29.8.0 0.0.0.255
ip 192.168.0.0 0.0.255.255 172.29.150.0 0.0.0.255

are to capture traffic from the DMZ to the LAN/VPN. It was my impression that you wanted that DMZ server to be available via a 172 address to the LAN and DMZ.

BTW, you didn't set this in the requirements, but keep in mind that this config will not allow internet access for your LAN hosts-- only for the DMZ. I believe that was your intention, but just making sure.

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Below is the modified config. Is it correct?

Will the H.O. be able to access the DMZ server (192.168.0.10) with IP address 172.29.8.180 through the VPN?

Will B.O. LAN PCs be able to access the DMZ server (192.168.0.10) with IP address 172.29.8.180 or with the same 192.168.0.10?

Will the Internet-side users be able to access the DMZ server (192.168.0.10) with IP address A.B.C.24?

From my previous attached file, are ACL 111 and ACL 110 correct for the modified static NAT statements?

mapping 192.168.0.10==>>172.29.8.180 and 192.168.0.10==>>A.B.C.24

ip nat pool pool-1 A.B.C.20 A.B.C.2 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool pool-1 overload                        <<======= NAT for LAN-side PCs to access the Internet
ip nat inside source static 192.168.0.10 A.B.C.24 route-map SDM_RMAP_1 extendable      <<======= NAT for Internet-side PCs to access the DMZ server
ip nat inside source static 192.168.0.10 172.29.8.180 route-map VPN-DMZ-LAN extendable <<======= NAT for VPN/LAN-side PCs to access the DMZ server
access-list 104 deny ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 104 deny ip 192.168.0.0 0.0.0.255 172.29.8.0 0.0.0.255
access-list 104 deny ip 192.168.0.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 172.29.8.0 0.0.0.255 any
access-list 115 permit ip 172.29.8.0 0.0.0.255 172.29.150.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.255.255 172.29.150.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.255.255 172.29.8.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map VPN-DMZ-LAN permit 1
 match ip address 115
!

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

examples20010,

can you please unicast me (aakhter@cisco.com) your email address? I will try to set this up and get a writeup done over the weekend.

Regards,
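The mechanism this exchange turns on, one inside local address given two different inside globals depending on which route-map ACL permits the original packet, can be checked outside the router. The following is an added example for this page, in Python rather than IOS, and is not the poster's configuration or the expert's; it models only the DMZ server's two static entries on the inside-to-outside path, not the interface roles or the dynamic pool. Assumptions: 192.0.2.24 stands in for the A.B.C.24 public address, the DMZ is matched with a /24 wildcard (0.0.0.255) as the question states, and the ACL 104 deny entries are the ones the expert asked for. The `claimed_by` check shows why those deny entries matter: without them both static entries claim the VPN and LAN destinations.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


class Acl:
    """Ordered extended ACL of (action, src, src_wc, dst, dst_wc) entries;
    first match wins and there is an implicit deny at the end, as in IOS."""

    def __init__(self, *entries):
        self.entries = entries

    def permits(self, src, dst):
        for action, s, swc, d, dwc in self.entries:
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action == "permit"
        return False


class StaticPolicyNat:
    """Inside-to-outside source translation for static entries that carry a
    route-map: the first entry whose inside local matches and whose route-map
    ACL permits the original (pre-translation) packet wins; a packet that no
    entry claims leaves untranslated."""

    def __init__(self, entries):
        self.entries = entries          # [(inside_local, inside_global, route_map_acl)]

    def translate_source(self, src, dst):
        for local, glob, acl in self.entries:
            if src == local and acl.permits(src, dst):
                return glob
        return src

    def claimed_by(self, src, dst):
        """Every inside global that would claim the packet; more than one is a config bug."""
        return [glob for local, glob, acl in self.entries
                if src == local and acl.permits(src, dst)]


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.29.8.0", "0.0.0.255")
DMZ = ("192.168.0.0", "0.0.0.255")       # /24 DMZ as stated in the question
HO = ("172.29.150.0", "0.0.0.255")       # head-office subnet reached over the VPN
PUBLIC_DMZ = "192.0.2.24"                # documentation-range stand-in for A.B.C.24 (assumption)

# Route-map ACLs with the deny entries the expert asked for, so that each
# destination is claimed by exactly one static entry.
ACL_104 = Acl(("deny", *DMZ, *LAN), ("deny", *DMZ, *HO), ("permit", *DMZ, *ANY))
ACL_115 = Acl(("permit", *DMZ, *HO), ("permit", *DMZ, *LAN))

SERVER = "192.168.0.10"
ROUTER = StaticPolicyNat([
    (SERVER, PUBLIC_DMZ, ACL_104),       # ... route-map SDM_RMAP_1 extendable
    (SERVER, "172.29.8.180", ACL_115),   # ... route-map VPN-DMZ-LAN extendable
])

# The same two entries with a 'permit DMZ any' ACL 104 and no deny lines: overlapping policy.
ROUTER_NO_DENY = StaticPolicyNat([
    (SERVER, PUBLIC_DMZ, Acl(("permit", *DMZ, *ANY))),
    (SERVER, "172.29.8.180", ACL_115),
])

SAMPLE_DESTINATIONS = ["172.29.150.5", "172.29.8.50", "198.51.100.7"]   # H.O., B.O. LAN, Internet


def overlapping_destinations(router, src, samples):
    """Destinations from the sample list that more than one entry claims."""
    return [d for d in samples if len(router.claimed_by(src, d)) > 1]


if __name__ == "__main__":
    for dst in SAMPLE_DESTINATIONS:
        print(dst, "->", ROUTER.translate_source(SERVER, dst))
    print("overlaps with deny lines:   ", overlapping_destinations(ROUTER, SERVER, SAMPLE_DESTINATIONS))
    print("overlaps without deny lines:", overlapping_destinations(ROUTER_NO_DENY, SERVER, SAMPLE_DESTINATIONS))
```

The `wildcard_match` helper is also the quickest way to see what a given wildcard actually covers: `0.0.0.255` on 192.168.0.0 matches only the /24, while `0.0.255.255` matches every 192.168.x.x address, which is worth confirming before an ACL like this is committed.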

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hi

I have a strange thing happening with 2600 which has static NAT rules for certain servers internally.

If there is a reboot of the server, the 2600 begins to proxy ARP for the IP address of the server concerned. The only way I can restore connectivity is to remove the static rules (internal and external) and then reapply them.

Have you seen this before ? is there any way I can stop this happening ?

Thanks

Dave

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Dave,

Are you saying that the router is responding to ARPs for the server on the 'nat inside' interface? If so, this does not sound correct and you should contact TAC. The output of the following commands may be helpful:

show tech
show ip nat translations verbose
show ip route (for server address)
show arp

If the router is responding to ARPs on the NAT outside interface for the global address, that is normal. You may disable this behavior via the 'no-alias' option.

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

I have 2 routers that I want fully redundant, connected to multiple ISPs. I NAT the private addresses to multiple outside addresses with route-maps, so I cannot use the redundancy command. How do I get the NAT to share a virtual MAC address with another router?

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hello,

Technically, NAT-wise, using different inside global addresses is not wrong. The translation from R1 will be transmitted to R2. If R2 happens to receive a return packet from its ISP using the inside global from R1, R2 will happily translate it to the inside local address.

In a diagram:

      |-R1----ISP1---|
PC----|              |---S
      |-R2----ISP2---|

So, even if R1 and R2 are by themselves translating to different addresses, they do tell each other the translation. So a transaction such as

PC->R1->ISP1->S->ISP2->R2->PC

is possible.

The problem is that ISP2 will generally not know that R2 is capable of routing the address that R1 translated the IP source field to. What might be done is that the PC user can buy an IP address range and advertise this range to both ISP1 and ISP2. Having this advertised address might seem to negate the need for having different outside addresses, but the enterprise may want to use certain ISPs for certain traffic while allowing a backup redundant path.

In the case that R2 cannot convince ISP2 that it can route the translated address, the return traffic will not be able to make it to R2, which makes the stateful NAT entries more of a problem at fail time because R2 will continue to try to translate using R1's translation.

In the latter case, it would seem that the best solution would be to enable HSRP/VRRP but not stateful NAT. This will require the sessions to be re-established under the new outside addresses, with no complications/mistranslations from the NAT side.

Regards,

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Correct, and in that scenario I cannot get the NAT to use the HSRP mac address

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hello,

With regards to route-maps and SNAT and HSRP I am able to use the HSRP address as well as SNAT sharing the xlate table between peers. The IOS revision is 12.4(4)T1.

R1
--
ip nat Stateful id 1
 redundancy test
  mapping-id 10
  protocol tcp
ip nat pool pool1 100.100.100.1 100.100.100.200 prefix-length 24
ip nat source static 6.6.6.6 5.5.5.5 route-map match5
ip nat inside source route-map nmap pool pool1 mapping-id 10
!
access-list 100 permit ip host 10.10.70.70 host 1.1.1.1
access-list 101 permit ip host 6.6.6.6 any
!
route-map nmap permit 10
 match ip address 100
!
route-map match5 permit 10
 match ip address 101

R2
--
ip nat Stateful id 1
 redundancy test
  mapping-id 10
  protocol tcp
ip nat pool pool1 200.200.200.1 200.200.200.200 prefix-length 24
ip nat inside source list 100 pool pool1 mapping-id 10
!
access-list 100 permit ip any any

Regards,

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hi,

I have the following question and hope you can help:

Is it possible to have an IPsec tunnel between two IOS routers with overlapping LANs?

My situation: LAN1 ---837 ----INTERNET----837--- LAN2

LAN1 and LAN2 both have the subnet 10.0.0.0/24.

The LANs must communicate through the IPsec tunnel (LAN1 to LAN2 and vice versa, without "NAT in overload") and the router must also perform "NAT in overload" for Internet navigation.

Best regards,

Thomas

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Thomas,

This is certainly possible. I will try to come up with the config if I find some time. But the general idea is to remember that in IOS, the order of processing is such that on an outgoing packet NAT is followed by crypto. This means that the crypto proxy ACLs must match on the post-NAT addresses.

As for the separation between Internet access and LAN1/LAN2 traffic, you must use route-maps to separate out the traffic such that the LAN1/LAN2 dual NAT pools are denied for the Internet-directed traffic.

The other thing to remember, as both sides are getting NATted, is that you will need to set up static mappings for servers.

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Thomas,

I did a writeup for this situation over the weekend. Please find the pdf attached.

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Thanks, thats it!

New Member

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

hello sir..

What is the impact of restricting a particular subnet using an access list when, at the same time, that subnet comes through inbound to the router using NAT, so that the filtering purpose goes missing?

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

NAT & asymmetric routing

Dear mr Akther,

Please take a look at the following config-exerpt, I have a theoretical question about it.

interface Tunnel-X
 description Tunnel to Remote
 ip address 192.168.7.1 255.255.255.0
 tunnel source
 tunnel destination
!
interface ATM0/0.1 point-to-point
 description Internet side
 ip address
 ip nat outside
!
interface FastEthernet0/0
 description Inside LAN
 ip address x.x.x.x 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0
ip route Tunnel-X

The issue is as follows:

The GRE tunnel source is the same IP as the Internet outside address.

NAT overload (or PAT) is applied by a standard ACL matching all traffic sourced from the x.x.x.x (inside) network.

This concept is intended to access the Internet and at the same time exchange traffic with a remote site over the GRE tunnel.

Initially it appeared to work as it should, but I observed translation entries for traffic to the remote site.

It looks as if traffic for the remote site is NATted (overload on the outside interface) BEFORE being sent to the GRE tunnel.

The problem with this would be that the return traffic is sent with a destination address matching the NAT overload IP.

This would cause the return traffic to be sent without GRE encapsulation and its associated encryption.

It would be a situation where we have asymmetric routing, using the tunnel only in one direction.

The concept of this design assumes that traffic from nat-inside to Tunnel-X will not be natted.

This is expected while the packets do not pass a nat-outside interface.

My observation is, the traffic IS being natted before being sent to the GRE process with the described asymmetric routing as a result.

My question: Is it logical to assume that nat is applied to all outgoing traffic when the tunnel-source is on the outside interface?

Cisco Employee

Re: ASK THE EXPERT – NETWORK ADDRESS TRANSLATION

Hello,

The order of operations is as shown below. Depending on where your access list is applied and the direction of NAT, the access-list policy may or may not be effective.

Inside-to-Outside
-----------------
If IPSec then check input access list
decryption - for CET (Cisco Encryption Technology) or IPSec
check input access list
check input rate limits
input accounting
policy routing
routing
redirect to web cache
NAT inside to outside (local to global translation)
crypto (check map and mark for encryption)
check output access list
inspect (Context-based Access Control (CBAC))
TCP intercept
encryption

Outside-to-Inside
-----------------
If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
redirect to web cache
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
encryption

http://www.cisco.com/warp/public/556/5.html
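The ordering above answers two questions earlier in this thread: an access list that "goes missing" because the subnet arrives through NAT, and the point in the reply to Thomas that crypto is evaluated after NAT on the way out, so crypto ACLs must be written with post-NAT addresses. The following is an added example for this page, in Python rather than IOS, and is not the expert's or Cisco's code. It keeps only the ACL, NAT and crypto steps from the two lists and drops routing, CBAC and the rest. The overlapping-LAN scenario is constructed: LAN1 is shown to the far side as 10.1.0.0/24, LAN2 is seen as 10.2.0.0/24, Internet traffic is overloaded onto 203.0.113.1, and all three ranges are assumptions rather than anything from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl, pkt):
    """acl: ordered (action, src_net, dst_net) entries; first match wins, with
    the implicit deny at the end. 'No ACL applied' is spelt PERMIT_ALL below."""
    for action, s, d in acl:
        if in_net(pkt.src, s) and in_net(pkt.dst, d):
            return action == "permit"
    return False


PERMIT_ALL = [("permit", "0.0.0.0/0", "0.0.0.0/0")]


def rehost(addr, old_net, new_net):
    """Keep the host part of addr but move it from old_net to new_net (1:1 prefix NAT)."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    return str(new.network_address + (int(ipaddress.ip_address(addr)) - int(old.network_address)))


def nat_local_to_global(pkt, rules):
    """rules: ordered (acl, kind, arg). The first rule whose ACL permits the
    pre-NAT packet applies: 'prefix' rewrites the source inside a 1:1 prefix
    pair, arg = (local_net, global_net); 'overload' sets the source to the
    outside address, arg = address. No match: the packet leaves untranslated."""
    for acl, kind, arg in rules:
        if acl_permits(acl, pkt):
            return Packet(rehost(pkt.src, *arg) if kind == "prefix" else arg, pkt.dst)
    return pkt


def nat_global_to_local(pkt, rules):
    """Reverse of the 1:1 prefix rules, applied to the destination address."""
    for _acl, kind, arg in rules:
        if kind == "prefix" and in_net(pkt.dst, arg[1]):
            return Packet(pkt.src, rehost(pkt.dst, arg[1], arg[0]))
    return pkt


def inside_to_outside(pkt, inside_in_acl, nat_rules, crypto_acl, outside_out_acl):
    """Order from the list above: input ACL -> NAT -> crypto -> output ACL."""
    if not acl_permits(inside_in_acl, pkt):
        return {"dropped_at": "input acl", "post_nat": pkt, "encrypted": False}
    post = nat_local_to_global(pkt, nat_rules)
    encrypted = acl_permits(crypto_acl, post)             # crypto map sees post-NAT addresses
    dropped = None if acl_permits(outside_out_acl, post) else "output acl"
    return {"dropped_at": dropped, "post_nat": post, "encrypted": encrypted}


def outside_to_inside(pkt, outside_in_acl, nat_rules, inside_out_acl):
    """Order from the list above: input ACL -> NAT -> output ACL."""
    if not acl_permits(outside_in_acl, pkt):              # runs on the global address
        return {"dropped_at": "input acl", "post_nat": pkt}
    post = nat_global_to_local(pkt, nat_rules)
    dropped = None if acl_permits(inside_out_acl, post) else "output acl"
    return {"dropped_at": dropped, "post_nat": post}


# Constructed overlapping-LAN scenario: both LANs are 10.0.0.0/24. Router A shows
# LAN1 to the far side as 10.1.0.0/24 and sees LAN2 as 10.2.0.0/24; Internet
# traffic is overloaded onto 203.0.113.1. All three ranges are assumptions.
LAN, LAN1_GLOBAL, LAN2_GLOBAL, OUTSIDE = "10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "203.0.113.1"
NAT_RULES_A = [
    ([("permit", LAN, LAN2_GLOBAL)], "prefix", (LAN, LAN1_GLOBAL)),                        # dual NAT toward LAN2
    ([("deny", LAN, LAN2_GLOBAL), ("permit", LAN, "0.0.0.0/0")], "overload", OUTSIDE),     # Internet, LAN2 excluded
]
CRYPTO_PRE_NAT = [("permit", LAN, LAN2_GLOBAL)]           # written with the local addresses: never matches
CRYPTO_POST_NAT = [("permit", LAN1_GLOBAL, LAN2_GLOBAL)]  # written with the translated addresses


def demo():
    to_lan2 = Packet("10.0.0.5", "10.2.0.7")
    wrong = inside_to_outside(to_lan2, PERMIT_ALL, NAT_RULES_A, CRYPTO_PRE_NAT, PERMIT_ALL)
    right = inside_to_outside(to_lan2, PERMIT_ALL, NAT_RULES_A, CRYPTO_POST_NAT, PERMIT_ALL)
    web = inside_to_outside(Packet("10.0.0.5", "198.51.100.9"), PERMIT_ALL, NAT_RULES_A, CRYPTO_POST_NAT, PERMIT_ALL)
    # Blocking LAN1 by its local prefix on the outside interface's inbound ACL never
    # matches: at that step the packet still carries the global destination ...
    block_local = [("deny", "0.0.0.0/0", LAN), ("permit", "0.0.0.0/0", "0.0.0.0/0")]
    reply = Packet("10.2.0.7", "10.1.0.5")
    missed = outside_to_inside(reply, block_local, NAT_RULES_A, PERMIT_ALL)
    # ... whereas the same entries on the inside interface's outbound ACL run after NAT.
    caught = outside_to_inside(reply, PERMIT_ALL, NAT_RULES_A, block_local)
    return wrong, right, web, missed, caught


if __name__ == "__main__":
    for name, trace in zip(("wrong", "right", "web", "missed", "caught"), demo()):
        print(name, trace)
```

The `wrong` trace is the failure mode from the reply to Thomas: the packet leaves with source 10.1.0.5, the crypto ACL written for 10.0.0.0/24 does not match it, and it goes out in the clear; `right` matches on the translated prefix and is marked for encryption, while Internet-bound traffic skips the dual-NAT rule and is overloaded. The `missed` and `caught` traces are the access-list question: the same deny entries are ineffective inbound on the outside interface and effective outbound on the inside interface, purely because of where they sit relative to the global-to-local translation.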
