Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
0
Helpful
0
Replies

NAT NVI; How does the packet traverse the router with NAT hairpining?

robo0003c
Level 1
Level 1

‎10-05-2013 09:41 AM - edited ‎03-04-2019 09:14 PM

If you have a topology with two internal networks on two diffrent VLANs (5 & 10) and one WAN link. VLAN 5 holds the client and VLAN 10 holds the server. The WAN inteface holds the public IP address space.

You apply "ip nat enable" on all three interfaces and let the VLAN 5 get NATed to a public IP address (193.10.10.2) if its destination is in the public IP address range. You set a static NAT to a public address (193.10.10.3) for the server on VLAN 10 for ssh.

Client VLAN 5: 192.168.5.10 -> 193.10.10.2

Server VLAN 10: 192.168.10.10 -> 193.10.10.3

Between all these interfaces you run Zone Based Firewall.

The scenario:

The client on VLAN 5 want to access ssh on the server on VLAN 10. It will do so by accessing it on its public IP address which is configured by static NAT to a public IP of 193.10.10.3.

The questions:

  • How will the packet traverse in the router and which service policys will affect the packet?

I know that with NAT NVI it will first route the packet then NAT it, and thereafter route it again.

So, the packet arrives on the VLAN 5 subinterface and gets routed to the WAN interface (due to the destination IP) and then NAT:ed to a public source IP and private destination IP (due to the NAT rules). Then its routed to the VLAN 10 subinterface and forwarded to the server.

When i tested this in my lab, the Zone Based Firewall policy that affected the packet was the one that was: VLAN5 to VLAN10 policy. Why didnt the service policy that specify: VLAN5 to WAN also affect the packet and also the policy: WAN to VLAN10? Since the packet gets routed to the WAN interface and thereafter to the VLAN10 interface.

Lastly:

  • Where does the NVI interface come in to the picture? It dosent seem to affect the packet when it traverses the router! I thought all ip nat enabled interfaces routed their traffic to the NVI interface.

Some IP debug output from the router:

*Mar  1 00:44:59.427: IP: tableid=0, s=192.168.5.10 (FastEthernet0/0.5), d=193.10.10.3 (FastEthernet0/1), routed via RIB

*Mar  1 00:44:59.427: IP: tableid=0, s=193.10.10.2 (FastEthernet0/0.5), d=192.168.10.10 (FastEthernet0/0.10), routed via RIB

*Mar  1 00:44:59.427: IP: s=193.10.10.2 (FastEthernet0/0.5), d=192.168.10.10 (FastEthernet0/0.10), g=192.168.10.10, len 92, forward

*Mar  1 00:44:59.431:     TCP src=51902, dst=22, seq=2882392150, ack=36529755, win=3712 ACK PSH

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card