NAT NVI; How does the packet traverse the router with NAT hairpinning?
If you have a topology with two internal networks on two different VLANs (5 & 10) and one WAN link: VLAN 5 holds the client and VLAN 10 holds the server. The WAN interface holds the public IP address space.
You apply "ip nat enable" on all three interfaces and let VLAN 5 get NATed to a public IP address (18.104.22.168) if its destination is in the public IP address range. You set a static NAT to a public address (22.214.171.124) for the server on VLAN 10 for ssh.
Client VLAN 5: 192.168.5.10 -> 126.96.36.199
Server VLAN 10: 192.168.10.10 -> 188.8.131.52
Between all these interfaces you run Zone Based Firewall.
The client on VLAN 5 wants to access ssh on the server on VLAN 10. It will do so by accessing it on its public IP address, which is configured by static NAT to a public IP of 184.108.40.206.
How will the packet traverse the router and which service policies will affect the packet?
I know that with NAT NVI it will first route the packet then NAT it, and thereafter route it again.
So, the packet arrives on the VLAN 5 subinterface and gets routed to the WAN interface (due to the destination IP) and then NATed to a public source IP and private destination IP (due to the NAT rules). Then it's routed to the VLAN 10 subinterface and forwarded to the server.
When I tested this in my lab, the Zone Based Firewall policy that affected the packet was the VLAN5 to VLAN10 policy. Why didn't the service policy that specifies VLAN5 to WAN also affect the packet, and also the policy WAN to VLAN10? Since the packet gets routed to the WAN interface and thereafter to the VLAN10 interface.
Where does the NVI interface come into the picture? It doesn't seem to affect the packet when it traverses the router! I thought all ip nat enabled interfaces routed their traffic to the NVI interface.
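For anyone reproducing this lab, here is a minimal IOS configuration of the topology the question describes (an added example, not the poster's own configuration). Interface names, the 203.0.113.0/24 public addresses, the ACL, class-map and policy-map names, and the `deny` line that keeps private-destination traffic out of the translation are all assumptions.

```cisco
! Reconstructed lab config (assumed names/addresses, not the poster's config)
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat enable
 zone-member security VLAN5
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat enable
 zone-member security VLAN10
!
interface GigabitEthernet0/1
 description WAN (constructed 203.0.113.0/29 addressing)
 ip address 203.0.113.2 255.255.255.248
 ip nat enable
 zone-member security WAN
!
! NVI-style NAT: no inside/outside keywords. The deny line (assumption) keeps
! VLAN 5 -> private destinations untranslated, so only public destinations are NATed.
ip access-list extended VLAN5-TO-PUBLIC
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.5.0 0.0.0.255 any
ip nat pool PUB-POOL 203.0.113.3 203.0.113.3 netmask 255.255.255.248
ip nat source list VLAN5-TO-PUBLIC pool PUB-POOL overload
! Static NAT for ssh to the VLAN 10 server (constructed public address)
ip nat source static tcp 192.168.10.10 22 203.0.113.4 22
!
zone security VLAN5
zone security VLAN10
zone security WAN
class-map type inspect match-any ALLOW-SSH
 match protocol ssh
policy-map type inspect INSPECT-SSH
 class type inspect ALLOW-SSH
  inspect
 class class-default
  drop
! The three zone pairs the question refers to
zone-pair security V5-TO-V10 source VLAN5 destination VLAN10
 service-policy type inspect INSPECT-SSH
zone-pair security V5-TO-WAN source VLAN5 destination WAN
 service-policy type inspect INSPECT-SSH
zone-pair security WAN-TO-V10 source WAN destination VLAN10
 service-policy type inspect INSPECT-SSH
```

The client's ssh session to 203.0.113.4 is the hairpin case: its destination is public, so it matches VLAN5-TO-PUBLIC and the static entry at the same time, which is what makes the zone-pair question interesting.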