Cisco Support Community
New Member

Order Of Operations NAT

Is someone able to confirm this is the correct order of operations for NAT?

Is there anything else that can be added to this network flow to make it more complete?

[attachment: NAT Order Of Operations.jpg]

Any assistance is greatly appreciated.

6 REPLIES
Cisco Employee

Order Of Operations NAT

Hello Tom,

I have always used the following document as a reference:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Best regards,

Peter

New Member

Re: Order Of Operations NAT

Cheers for the reply Peter,

That was the article I was working with.

I don't understand how the decryption occurs in an Inside-To-Outside translation, or the encryption in an Outside-To-Inside translation?

Inside-to-Outside

  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside

  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing
Cisco Employee

Re: Order Of Operations NAT

Hello Thomas,

I would hypothesize that the decryption in the in-to-out and the encryption in the out-to-in paths are related to IPsec VPNs in which the clients are considered "inside" and they are accessing the outside internet. Think of a teleworker using an IPsec-protected access to the internet via his/her company infrastructure. After creating an IPsec tunnel terminated at an interface marked as "inside", the teleworker's IPsec-protected traffic arrives at the router, is decrypted and, after being routed out through an "outside" interface, is NATted. For the return traffic, it is NATted from "outside" to "inside", then sent to the teleworker IPsec-encrypted.

This is how I understand it.

Best regards,

Peter

New Member

Re: Order Of Operations NAT

Cheers Peter,

So is this a correct interpretation of the NAT order of operations for an encrypted packet?

[attachment: NAT Order Of Operations_NATTraversal.jpg]

New Member

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

!
inside-to-outside
!
policy routing
routing
nat translation
!
outside-to-inside
!
nat translation
policy routing
routing
!

HTH

New Member

Hello guys,

I have the same problem and as I can see here, this is not answered yet.

I looked after this topic and I found the following:

Inside-to-Outside:

  • policy routing
  • routing
  • NAT inside to outside (local to global translation)

Outside-to-Inside:

  • NAT outside to inside (global to local translation)
  • policy routing
  • routing

I understand that in the out-to-in direction NATing happens first and only then routing; this is logical, since the main point would be to route only a private IP in the internal network instead of a public one.

But in the case of the in-to-out direction, I don't see the logic of doing routing before NATing.

In order to properly route the packet with a public destination address, it first has to be NATted back from the private IP.

Did I understand something incorrectly?

Thanks in advance!
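The question raised in the last post, why inside-to-outside traffic is routed before it is translated, comes down to which address each translation rewrites. With the usual `ip nat inside source` configuration, the local-to-global translation on the inside-to-outside path rewrites the source address, so the destination the route lookup keys on is already a global address and the lookup result does not depend on NAT. The global-to-local translation on the outside-to-inside path rewrites the destination, so it has to run before the lookup or the packet would be routed on its global address. The Python model below is an added illustration, not code from this thread or from Cisco; the interface names, route table and static translation in it are constructed for the example. It applies the order from the lists above in both directions (policy routing is left out since none is configured) and also shows what goes wrong if an outside-to-inside packet is routed before it is translated.

```python
# Added illustration of the IOS NAT order of operations; not Cisco code.
# The topology, route table and NAT table below are constructed for the example.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str  # interface the packet arrived on


# Constructed topology: Gi0/0 carries the inside subnet ("ip nat inside"),
# Gi0/1 faces the Internet ("ip nat outside").
INSIDE_IF = "Gi0/0"
ROUTES = [
    ("10.1.1.0/24", "Gi0/0"),  # connected inside subnet
    ("0.0.0.0/0", "Gi0/1"),    # default route towards the outside
]

# Constructed static translation, as "ip nat inside source static" would create:
# local 10.1.1.10 <-> global 203.0.113.10
LOCAL_TO_GLOBAL = {"10.1.1.10": "203.0.113.10"}
GLOBAL_TO_LOCAL = {g: l for l, g in LOCAL_TO_GLOBAL.items()}


def route_lookup(dst: str) -> str:
    """Longest-prefix match on the destination; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    if best_if is None:
        raise LookupError(f"no route to {dst}")
    return best_if


def nat_inside_to_outside(pkt: Packet) -> Packet:
    """Local-to-global translation: only the SOURCE address changes."""
    return replace(pkt, src=LOCAL_TO_GLOBAL.get(pkt.src, pkt.src))


def nat_outside_to_inside(pkt: Packet) -> Packet:
    """Global-to-local translation: only the DESTINATION address changes."""
    return replace(pkt, dst=GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst))


def forward(pkt: Packet) -> Tuple[Packet, str]:
    """Apply the documented order.

    inside-to-outside: routing, then NAT (local to global)
    outside-to-inside: NAT (global to local), then routing
    Returns the packet as it leaves the router and the egress interface.
    """
    if pkt.in_if == INSIDE_IF:
        egress = route_lookup(pkt.dst)  # dst is already a global address
        return nat_inside_to_outside(pkt), egress
    pkt = nat_outside_to_inside(pkt)    # dst must be local BEFORE the lookup
    return pkt, route_lookup(pkt.dst)


def forward_route_first(pkt: Packet) -> Tuple[Packet, str]:
    """Counter-example: route an outside-to-inside packet before translating it.

    The lookup runs on the global address, so the default route wins and the
    packet would be sent back out of the outside interface.
    """
    egress = route_lookup(pkt.dst)
    return nat_outside_to_inside(pkt), egress


if __name__ == "__main__":
    host_to_web = Packet("10.1.1.10", "198.51.100.5", "Gi0/0")
    web_to_host = Packet("198.51.100.5", "203.0.113.10", "Gi0/1")
    print(forward(host_to_web))              # src becomes 203.0.113.10, egress Gi0/1
    print(forward(web_to_host))              # dst becomes 10.1.1.10, egress Gi0/0
    print(forward_route_first(web_to_host))  # egress Gi0/1: bounced back outside
```

Swapping the two stages on the inside-to-outside path would change nothing in this model, because `nat_inside_to_outside` never touches the field `route_lookup` reads; swapping them on the outside-to-inside path is what `forward_route_first` shows, and it sends the reply back out of the outside interface instead of into the inside subnet.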
