New Member

NAT for local originated packet

Hi,

I've configured a Cisco 3725 w/ IOS 12.4(21a) to implement natting for locally originated packets going out towards a specific IP destination.

Basically I configured ip nat outside on the egress i/f (serial 0/0.100):

interface Serial0/0.100 point-to-point
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!

and ip nat inside source list TO-DST interface serial 0/0.100 in global configuration mode

ip access-list extended TO-DST
 permit ip host 10.10.10.1 host 172.16.10.3
!
ip nat inside source list TO-DST interface Serial0/0.100 overload
!

The C3725 has an entry for 172.16.10.3 in IP RIB and pinging from this router to dst is ok. Now a question arises.....

How can the router perform NAT if the ip nat inside command is not configured on any interface?

Thanks

18 REPLIES
Silver

NAT for local originated packet

Once you have NAT outside defined, all other interfaces are treated as inside for NAT translation.
Thanks.

New Member

NAT for local originated packet

But....is this a default behaviour? And why then configure ip nat inside (on the inside router interface) in an enterprise scenario to perform natting for inside hosts?

Silver

NAT for local originated packet

Not sure. But you have designated a boundary: an outside interface. And you do have an ip nat inside statement configured on the router.

Thanks.

New Member

NAT for local originated packet

.....just to better understand...In my scenario I've an outside interface (serial0/0.100 configured with ip nat outside) but I've not configured any inside interface (no interface has ip nat inside configured)

How can NAT work ? Is it a specific condition in which packets (ping) are local originated by the router itself ?

Thanks in advance

Re: NAT for local originated packet

Hi Carlo,

I think that you can solve that by tricking the router:

int lo0
 ip add 1.1.1.1 255.255.255.255
 ip nat inside
!
route-map NAT-NH-LOOP
 match
 set ip next-hop 1.1.1.1
!
ip local policy route-map NAT-NH-LOOP

Regards

Dan

New Member

NAT for local originated packet

Yes, I know this trick (the locally originated (ping) packet re-enters from loopback0 where ip nat inside is configured...)....but I do not understand why it works without ip nat inside on any interface...

NAT for local originated packet

I do not believe that NAT is performed.

First do you have any other nat configured ?

Can you post:

debug ip nat
debug ip icmp
ping 172.16.10.3
unde all

Dan

New Member

NAT for local originated packet

R1#sh run int lo101
Building configuration...

Current configuration : 86 bytes
!
interface Loopback101
 ip address 10.10.10.1 255.255.255.255
 ip ospf 1 area 0
end
!
R1#sh run int s0/0.100
Building configuration...

Current configuration : 198 bytes
!
interface Serial0/0.100 point-to-point
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip ospf 1 area 0
 snmp trap link-status
 frame-relay interface-dlci 102
end

R1#sh runn | b access-list
ip access-list extended TO-DST
 permit ip host 10.10.10.1 host 172.16.10.3
!
R1#sh run | in nat inside
ip nat inside source list TO-DST interface Serial0/0.100 overload
R1#
!
R1#
R1#debu ip nat
IP NAT debugging is on
R1#debu ip icmp
ICMP packet debugging is on
R1#
R1#sh deb
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
R1#
R1#ping 172.16.10.3 source loopback 101 r 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.10.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 108/122/136 ms
R1#
*Mar  1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar  1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar  1 00:11:09.755: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
*Mar  1 00:11:09.759: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [17]
*Mar  1 00:11:09.863: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [17]
*Mar  1 00:11:09.867: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
R1#
R1#u all
All possible debugging has been turned off
R1#

Any help is appreciated..

NAT for local originated packet

To my knowledge this is not expected !  Are you using real hardware ? What IOS/HW are you using on this one ?

Regards

Dan

New Member

NAT for local originated packet

Same behaviour (w/o any ip nat inside) on 'real' C7200

7200-RR1#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.2(33)SRE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 25-Jan-11 08:35 by prod_rel_team

ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)

7200-RR1 uptime is 7 weeks, 5 days, 11 hours, 15 minutes
System returned to ROM by power-on
System restarted at 10:10:16 MET Mon Jan 23 2012
System image file is "disk2:c7200-adventerprisek9-mz.122-33.SRE3.bin"
Last reload type: Normal Reload

this time the ping source address is 172.16.217.230 (loop0) with destination 172.16.217.15

7200-RR1#debu ip nat
IP NAT debugging is on
7200-RR1#debu ip icmp
ICMP packet debugging is on
7200-RR1#
7200-RR1#sh deb
Generic IP:
  ICMP packet debugging is on
  IP NAT debugging is on
7200-RR1#
7200-RR1#ping 172.16.217.15 source loopback 0 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.217.15, timeout is 2 seconds:
Packet sent with a source address of 172.16.217.230
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 28/28/28 ms
7200-RR1#
Mar 17 21:30:23.451 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.451 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [37]
Mar 17 21:30:23.479 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.479 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [37]
Mar 17 21:30:23.479 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
Mar 17 21:30:23.479 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.479 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [38]
Mar 17 21:30:23.507 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.507 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [38]
Mar 17 21:30:23.507 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
7200-RR1#

Any idea ? Carlo.
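The two debug captures above (the 3725 and the 7200) are easy to misread by eye. The following script is an added example, not code from the thread or from Cisco: it parses the `debug ip nat` lines posted above, pairs each outbound translation with its reply by the IP identification field shown in brackets, and checks that the reverse translation (and, where logged, the ICMP id rewrite) is the exact inverse of the forward one. The sample lines are copied from the two posts; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the debug lines copied from the two captures posted in this thread.
SAMPLE_3725 = """
*Mar  1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar  1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar  1 00:11:09.755: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
*Mar  1 00:11:09.759: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [17]
*Mar  1 00:11:09.863: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [17]
""".strip().splitlines()

SAMPLE_7200 = """
Mar 17 21:30:23.451 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.451 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [37]
Mar 17 21:30:23.479 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.479 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [37]
""".strip().splitlines()

# "NAT*" (asterisk) marks a packet translated in the fast-switched path; the [n] suffix
# is the IP identification field, which is what lets us pair a request with its reply.
ADDR_RE = re.compile(
    r"NAT(?P<fast>\*)?: s=(?P<s_from>[\d.]+)(?:->(?P<s_to>[\d.]+))?, "
    r"d=(?P<d_from>[\d.]+)(?:->(?P<d_to>[\d.]+))? \[(?P<ipid>\d+)\]"
)
ICMP_RE = re.compile(r"NAT\*?: ICMP id=(?P<id_from>\d+)->(?P<id_to>\d+)")


@dataclass
class Flow:
    ipid: int
    local: str                 # inside local address (source before translation)
    glob: str                  # inside global address (source after translation)
    dest: str                  # outside host
    reply_ok: bool = False     # reverse translation seen and consistent with the forward one
    icmp_ids: list = field(default_factory=list)  # (id before, id after) pairs, forward then reply


def parse_nat_debug(lines):
    """Reconstruct {ip_id: Flow} from debug ip nat output."""
    flows = {}
    pending_icmp = None        # the ICMP id line precedes the address line of the same packet
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            pending_icmp = (int(m["id_from"]), int(m["id_to"]))
            continue
        m = ADDR_RE.search(line)
        if m:
            ipid = int(m["ipid"])
            if m["s_to"]:      # outbound: source rewritten local -> global
                flow = Flow(ipid, m["s_from"], m["s_to"], m["d_from"])
                if pending_icmp:
                    flow.icmp_ids.append(pending_icmp)
                flows[ipid] = flow
            elif m["d_to"]:    # inbound: destination rewritten global -> local
                flow = flows.get(ipid)
                if flow and (m["s_from"], m["d_from"], m["d_to"]) == (flow.dest, flow.glob, flow.local):
                    flow.reply_ok = True
                    if pending_icmp:
                        flow.icmp_ids.append(pending_icmp)
        pending_icmp = None
    return flows


def icmp_ids_consistent(flow):
    """True when the reply's id mapping is the exact inverse of the request's (or no ids were logged)."""
    ids = flow.icmp_ids
    return not ids or (len(ids) == 2 and ids[1] == (ids[0][1], ids[0][0]))


def unanswered(flows):
    """IP ids whose outbound translation never saw a matching inbound one."""
    return sorted(i for i, f in flows.items() if not f.reply_ok)


if __name__ == "__main__":
    for name, sample in (("3725", SAMPLE_3725), ("7200", SAMPLE_7200)):
        flows = parse_nat_debug(sample)
        for f in flows.values():
            print(name, f.ipid, f"{f.local} -> {f.glob} to {f.dest}",
                  "reply ok" if f.reply_ok else "NO REPLY", f.icmp_ids)
        print(name, "unanswered:", unanswered(flows))
```

Run against a longer capture, `unanswered()` is the quick way to spot translations whose return traffic never came back through NAT, which is the usual symptom when the return path misses the outside interface.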

Re: NAT for local originated packet

Hi Carlo,

Tested and found the same behavior.

It seems that the router considers the control-plane as an inside interface.

Have a look at this link :

http://ieoc.com/forums/p/18741/161550.aspx

Regards

Dan

New Member

NAT for local originated packet

Great explanation!

Another question related to NAT....

With a router having an inside and an outside interface configured, the only NAT option supported on the outside interface is ip nat outside source ...... while on the inside i/f source/destination natting (ip nat inside source/destination) is supported.

Why these differences exist from a configuration point of view ?

Thanks

NAT for local originated packet

Hi Carlo,

ip nat inside/outside source list/route-map is for Source NAT and the flow must be initiated from the interface specified in the command - this does not apply for the static command.

ip nat inside/outside source static - is bidirectional - meaning that the packet could be initiated on any interface (inside or outside); this means that it is not only Source NAT but also Destination NAT.

ip nat inside destination is used for load balancing; the packet must be initiated from OUTSIDE.

Regards

Dan

New Member

NAT for local originated packet

Hi Dan,

just to better understand...

ip nat outside source list/route-map creates a dynamic NAT entry (when the flow is outside initiated) to translate outside-global -> outside-local

From your answer it seems to me ip nat inside destination list/route-map works the same way

If this is right, what are differences between them ?

Thanks a lot

NAT for local originated packet

Hi Carlo ,

ip nat outside source list/route-map - translates the source when the flow is entering the outside and going to inside

ip nat inside destination - translates the destination when the flow is entering the outside and going to inside

If it's simpler to remember: the command ip nat tells you where the host/network that will be translated is.

Regards

Dan

New Member

NAT for local originated packet

Thinking again about it.......

I think the "right" syntax for destination address translation of packets entering from outside and going to inside should be

ip nat outside destination instead of "ip nat inside destination"

After all here we are translating the Inside global (IG) address into Inside Local (IL) address as destination for a packet entering from outside i/f...

Does it make sense ?

NAT for local originated packet

Hi Carlo,

As far as I know "ip nat outside destination" is not available. Destination keyword is only available on ip nat inside and is used for load-balancing.

There are 2 types of nat: static and list (acl and route-map). The main difference between them is that static creates a bidirectional translation. This means that, unlike the 'list' nat, the packet can be originated on any interface (outside|inside).

In your case you need to configure a static nat. IOS will DNAT in case of a packet arriving on the outside interface with the destination of Outside Global according to your nat statement

Regards,

Dan
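To make the direction rules in Dan's replies concrete (source list only translates inside-initiated flows, static is bidirectional, inside destination is for outside-initiated load balancing) together with the thread's finding that router-originated packets are treated as inside, here is an added toy model in Python. It is not IOS code and not from the thread: the class, the `Packet` type, and the static entry and rotary pool used in `build_model()` are my assumptions; only the TO-DST ACL and the 172.16.1.1 overload address come from the configuration posted above. Overload state is keyed by outside host only (no ports), a deliberate simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "inside", "outside", or "local" (packet originated by the router itself)


class IosNatModel:
    """Toy model of the IOS NAT direction rules discussed in this thread. Not IOS code.

    Assumptions: overload state is keyed by outside host only (no ports), and every
    packet is either inside/local->outside or outside->inside.
    """

    def __init__(self, global_addr, inside_source_acl=(), static_inside=None, inside_destination=None):
        self.global_addr = global_addr                       # address of the ip nat outside interface
        self.acl = [(ip_network(s), ip_network(d)) for s, d in inside_source_acl]
        self.static = dict(static_inside or {})              # inside local -> inside global (bidirectional)
        self.static_rev = {g: l for l, g in self.static.items()}
        self.rotary = {v: list(r) for v, r in (inside_destination or {}).items()}  # virtual -> real servers
        self.rr = {v: 0 for v in self.rotary}
        self.dyn = {}           # (outside host, inside global) -> inside local, built by inside-initiated flows
        self.rotary_state = {}  # (outside host, real server) -> virtual address, built by outside-initiated flows

    def _acl_permits(self, src, dst):
        return any(ip_address(src) in s and ip_address(dst) in d for s, d in self.acl)

    def translate(self, pkt):
        # The thread's finding: packets the router generates itself are handled as if
        # they entered on an inside interface, even with no "ip nat inside" configured.
        if pkt.ingress in ("inside", "local"):
            return self._inside_to_outside(pkt)
        return self._outside_to_inside(pkt)

    def _inside_to_outside(self, pkt):
        virt = self.rotary_state.get((pkt.dst, pkt.src))
        if virt:                                  # reply from a load-balanced server: restore virtual address
            return Packet(virt, pkt.dst, pkt.ingress)
        if pkt.src in self.static:                # ip nat inside source static
            return Packet(self.static[pkt.src], pkt.dst, pkt.ingress)
        if self._acl_permits(pkt.src, pkt.dst):   # ip nat inside source list ... overload
            self.dyn[(pkt.dst, self.global_addr)] = pkt.src
            return Packet(self.global_addr, pkt.dst, pkt.ingress)
        return pkt

    def _outside_to_inside(self, pkt):
        if pkt.dst in self.rotary:                # ip nat inside destination list ... pool (rotary)
            servers = self.rotary[pkt.dst]
            real = servers[self.rr[pkt.dst] % len(servers)]
            self.rr[pkt.dst] += 1
            self.rotary_state[(pkt.src, real)] = pkt.dst
            return Packet(pkt.src, real, pkt.ingress)
        if pkt.dst in self.static_rev:            # static entry: usable without prior inside-initiated state
            return Packet(pkt.src, self.static_rev[pkt.dst], pkt.ingress)
        local = self.dyn.get((pkt.src, pkt.dst))
        if local:                                 # return traffic of an inside-initiated dynamic flow
            return Packet(pkt.src, local, pkt.ingress)
        return pkt  # no state: an outside-initiated packet to a list-only mapping is not translated


def build_model():
    """Hypothetical config modelled on the thread: TO-DST ACL and overload on 172.16.1.1 (from the
    posts), plus an assumed static entry and an assumed rotary pool to contrast the command forms."""
    return IosNatModel(
        global_addr="172.16.1.1",
        inside_source_acl=[("10.10.10.1/32", "172.16.10.3/32")],
        static_inside={"10.0.0.5": "172.16.1.5"},
        inside_destination={"172.16.1.100": ["10.0.0.11", "10.0.0.12"]},
    )


def demo():
    nat = build_model()
    out = nat.translate(Packet("10.10.10.1", "172.16.10.3", "local"))       # router-originated ping
    back = nat.translate(Packet("172.16.10.3", "172.16.1.1", "outside"))    # its echo reply
    fresh = build_model()
    unsolicited = fresh.translate(Packet("172.16.10.3", "172.16.1.1", "outside"))  # no prior state
    to_static = fresh.translate(Packet("203.0.113.9", "172.16.1.5", "outside"))
    lb1 = fresh.translate(Packet("203.0.113.9", "172.16.1.100", "outside"))
    lb2 = fresh.translate(Packet("203.0.113.9", "172.16.1.100", "outside"))
    lb_reply = fresh.translate(Packet("10.0.0.11", "203.0.113.9", "inside"))
    return {"out": out.src, "back": back.dst, "unsolicited": unsolicited.dst,
            "to_static": to_static.dst, "lb": (lb1.dst, lb2.dst), "lb_reply": lb_reply.src}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "unsolicited" case is the practical point: with only `ip nat inside source list ... overload`, an outside host sending to 172.16.1.1 before the router has initiated anything gets no translation, whereas the static entry answers from the first packet.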

New Member

NAT for local originated packet

Thanks Dan for the answer....

The spirit of the question was to clarify doubts about terminology: if I understand correctly, the configuration statement ip nat inside destination (used for load-balancing ....) performs translation of the destination address of packets entering from the outside interface (following the configured rules of course)... that address is mapped to a 'real' server address chosen from a 'rotary' server pool ....

Now, if that is right, the router is translating the inside global address into an inside local (the address of the chosen server in the pool) ... so, based on this reasoning, I was thinking about the syntax ip nat outside destination instead of 'ip nat inside destination'....

Carlo
