NAT Order of Operation
Rules:
- Traffic entering the inside NAT interface is routed first, then NATted
- Traffic entering the outside NAT interface is NATted first, then routed
Natting Types
• NAT operates on a router and translates the private (inside local) addresses within the internal network into public (inside global) addresses before any packets are forwarded to another network. This functionality gives you the option to configure NAT so that it advertises only a single address for your entire network to the outside world.
Static Natting
• Example 1
===========
!
int <LAN>
ip nat inside
!
int <WAN>
ip nat outside
!
ip nat inside source static 172.31.17.78 57.228.104.113
!
router bgp 65000
network 57.228.104.113 mask 255.255.255.255
!
- The NATted IP must be advertised so remote sites can get back to 172.31.17.78
- If 172.31.17.78 is not part of the LAN subnet, you need to add a static route for it on the router (pointing to the next hop that reaches it)
• Example 2 (prom914)
=====================
!
int <LAN>
ip nat inside
!
int <WAN>
ip nat outside
!
ip nat inside source static 172.31.11.10 57.228.104.131 route-map Production_access_to_America_IDNet
!
router bgp 65000
network 57.228.104.131 mask 255.255.255.255
!
route-map Production_access_to_America_IDNet permit 10
match ip address Production_access_to_America_IDNet
!
ip access-list extended Production_access_to_America_IDNet
permit ip host 172.31.11.10 167.144.89.0 0.0.0.255
permit ip host 172.31.11.10 167.144.99.0 0.0.0.255
permit ip host 172.31.11.10 167.144.32.0 0.0.0.255
...
...
...
- This type of NATting is called conditional NATting: the route-map's ACL restricts the translation to traffic towards the permitted destination IPs; traffic to other destinations is not translated
• Example 3 ( paar073 )
====================
!
int <LAN>
ip nat outside
!
int <WAN>
ip nat inside
!
ip nat outside source static 10.16.0.45 57.253.153.39 vrf claesnet add-route
!
ip route vrf claesnet 57.253.153.39 255.255.255.255 10.16.240.137
!
router bgp 65000
address-family ipv4 vrf claesnet
network 57.253.153.39 mask 255.255.255.255
!
- Note the reversed roles here: the LAN is the NAT outside interface and the WAN is the NAT inside interface, so the "outside source" translation is applied to the LAN host 10.16.0.45, which the remote side reaches as 57.253.153.39
- When traffic comes in on the outside interface, it is first NATted and then routed; when traffic comes in on the inside interface, it is first routed and then NATted
- IMPORTANT ===> For outside NAT: make sure there is a route for the "outside local" address (57.253.153.39 here) pointing towards the outside NAT interface, or add the keyword "add-route" at the end of the "ip nat outside source static" command so the router installs that route itself
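The add-route caveat above follows directly from the order-of-operation rules. The following Python model is an added illustration (not part of the original slides and not Cisco code): it implements longest-prefix routing plus the two NAT orderings, loads Example 3's reversed interface roles and the 10.16.0.45 / 57.253.153.39 outside source static mapping, and shows what happens to a packet from a constructed remote host 192.0.2.10 with and without the add-route host route. The interface names Gi0/0 (WAN) and Gi0/1 (LAN), the LAN prefix 10.16.0.0/16 and the default route towards the WAN are constructed assumptions.

```python
import ipaddress


class LegacyNatRouter:
    """Toy model of legacy (domain-based) Cisco NAT order of operations:
    inside -> outside is routed first, then translated;
    outside -> inside is translated first, then routed.
    Only 'ip nat outside source static' is modelled (Example 3 style)."""

    def __init__(self):
        self.routes = {}          # ip_network -> egress interface name
        self.nat_role = {}        # interface name -> "inside" | "outside"
        self.outside_static = {}  # outside global (real) -> outside local (alias)

    def ip_nat(self, iface, role):
        self.nat_role[iface] = role

    def ip_route(self, prefix, iface):
        self.routes[ipaddress.ip_network(prefix)] = iface

    def lookup(self, dst):
        """Longest-prefix match, like the RIB lookup the router performs."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def ip_nat_outside_source_static(self, outside_global, outside_local, add_route=False):
        self.outside_static[outside_global] = outside_local
        if add_route:
            # The add-route keyword installs a host route for the outside local
            # address pointing out the NAT outside interface.
            outside_iface = [i for i, r in self.nat_role.items() if r == "outside"][0]
            self.ip_route(outside_local + "/32", outside_iface)

    def forward(self, ingress, src, dst):
        """Return (egress interface, src, dst) as the packet leaves the router."""
        role = self.nat_role.get(ingress)
        if role == "outside":
            # NAT first: the outside host's real address becomes its local alias
            src = self.outside_static.get(src, src)
            egress = self.lookup(dst)
        elif role == "inside":
            # Route first on the untranslated destination ...
            egress = self.lookup(dst)
            # ... and translate only if the packet really leaves towards the outside domain
            if egress is not None and self.nat_role.get(egress) == "outside":
                local_to_global = {l: g for g, l in self.outside_static.items()}
                dst = local_to_global.get(dst, dst)
        else:
            egress = self.lookup(dst)
        return (egress, src, dst)


def build_router(add_route):
    """Constructed topology for Example 3: Gi0/0 is the WAN (NAT inside),
    Gi0/1 is the LAN (NAT outside), default route towards the WAN."""
    r = LegacyNatRouter()
    r.ip_nat("Gi0/0", "inside")
    r.ip_nat("Gi0/1", "outside")
    r.ip_route("0.0.0.0/0", "Gi0/0")
    r.ip_route("10.16.0.0/16", "Gi0/1")   # assumed LAN prefix containing 10.16.0.45
    r.ip_nat_outside_source_static("10.16.0.45", "57.253.153.39", add_route=add_route)
    return r


def remote_to_server(add_route):
    """Constructed remote host 192.0.2.10 sends to the advertised address 57.253.153.39."""
    return build_router(add_route).forward("Gi0/0", "192.0.2.10", "57.253.153.39")


def server_to_remote():
    """The LAN host 10.16.0.45 replies; entering the outside interface it is NATted first."""
    return build_router(True).forward("Gi0/1", "10.16.0.45", "192.0.2.10")


if __name__ == "__main__":
    # Without add-route the packet follows the default route back out the WAN, untranslated
    print("without add-route:", remote_to_server(False))  # ('Gi0/0', '192.0.2.10', '57.253.153.39')
    print("with add-route:   ", remote_to_server(True))   # ('Gi0/1', '192.0.2.10', '10.16.0.45')
    print("reply:            ", server_to_remote())        # ('Gi0/0', '57.253.153.39', '192.0.2.10')
```

The first result is the failure the IMPORTANT note warns about: the destination is still 57.253.153.39 when the routing decision is made, so without a route for the outside local address the packet never reaches the outside interface where the translation would apply.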
• Example 4
===========
!
ip nat inside source static 10.0.0.1 100.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable
!
- Used when the router has two Internet connections (two public IPs). The "extendable" keyword, added at the end of the mapping statements, allows static NAT mappings of one inside local address (private address) to multiple inside global addresses (public addresses)
- This is a good option for reaching one server via two Internet connections: the traffic can come in from either Internet connection, and each public address gets translated to the same private address (the server address), so this raises no ambiguity
Dynamic Natting & Overloading
• Example 1 ( prom613 )
====================
!
! Address ranges for reference:
! 57.253.2.64 255.255.255.224 (/27) : 57.253.2.65 --> 57.253.2.94
! 57.253.2.64 255.255.255.240 (/28) : 57.253.2.65 --> 57.253.2.78
!
access-list 110 deny ip host 10.10.0.13 any
access-list 110 deny ip host 172.31.7.57 any
access-list 110 deny ip host 172.31.2.5 any
access-list 110 deny ip host 172.31.17.76 host 57.253.125.16
access-list 110 deny ip host 172.31.17.76 host 57.253.125.17
access-list 110 deny ip host 172.31.17.77 host 57.253.125.16
access-list 110 deny ip host 172.31.17.77 host 57.253.125.17
access-list 110 permit ip 172.31.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
ip nat pool DYNat 57.253.2.65 57.253.2.73 netmask 255.255.255.240
!
ip nat inside source list 110 pool DYNat vrf Alliancenet_ICN overload
!
router bgp 65000
address-family ipv4 vrf Alliancenet_ICN
network 57.253.2.64 mask 255.255.255.224
!
ip route vrf Alliancenet_ICN 57.253.2.64 255.255.255.224 GigabitEthernet0/1 10.10.0.2
!
- Any traffic matching ACL 110 will be source NATted with IPs from the range 57.253.2.65 --> 57.253.2.73. The ACL is evaluated top-down with first match, so the deny entries at the top exempt specific hosts (or specific host-to-host flows) from translation
- This type of NAT is a variation on dynamic NAT. With plain dynamic NAT there is always a one-to-one relationship between inside and outside addresses; if the address pool is exhausted, traffic from further addresses requesting translation will be dropped.
- With overloading, instead of a one-to-one relationship, each translation is also given a specific outside port number to communicate with; in this situation, many internal hosts can use the same outside address while using different port numbers.
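The route-map-conditioned static NAT of Static Natting Example 2 and the ACL-selected dynamic pool with overload of Example 1 above both hinge on the same mechanism: a Cisco ACL with wildcard (inverse) masks deciding which packets get translated. The Python below is an added example (not the page's configuration and not IOS code) that implements wildcard matching and top-down first-match ACL evaluation, applies Example 2's ACL as a conditional static translation, and runs a subset of ACL 110 against the DYNat pool with and without overload to show the pool-exhaustion drop versus port multiplexing. The inside hosts 172.31.5.1-10, the remote host 198.51.100.7 and the port numbers are constructed; the "access-list 110" prefix is stripped from the entries, and sharing only the first pool address under overload is a simplification of the real behaviour.

```python
import ipaddress
from itertools import count


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is 'host A',
    'any' or 'A WILDCARD'. Returns (action, (src, wc), (dst, wc))."""
    tok = line.split()
    action, rest = tok[0], tok[2:]          # tok[1] is the protocol, always 'ip' here
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            specs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            specs.append((rest[0], rest[1])); rest = rest[2:]
    return action, specs[0], specs[1]


def acl_permits(acl, src, dst):
    """Top-down first-match evaluation with the implicit 'deny any' at the end."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# Example 2's route-map ACL (the three entries shown on the page)
CONDITIONAL_ACL = [
    "permit ip host 172.31.11.10 167.144.89.0 0.0.0.255",
    "permit ip host 172.31.11.10 167.144.99.0 0.0.0.255",
    "permit ip host 172.31.11.10 167.144.32.0 0.0.0.255",
]


def conditional_static(src, dst, inside_local="172.31.11.10", inside_global="57.228.104.131"):
    """'ip nat inside source static ... route-map': translate the source only when
    the route-map's ACL permits this (src, dst) pair; otherwise the packet keeps src."""
    if src == inside_local and acl_permits(CONDITIONAL_ACL, src, dst):
        return inside_global
    return src


# A subset of ACL 110 from Example 1, with the 'access-list 110' prefix stripped
ACL_110 = [
    "deny ip host 10.10.0.13 any",
    "deny ip host 172.31.17.76 host 57.253.125.16",
    "permit ip 172.31.0.0 0.0.255.255 any",
    "permit ip 10.0.0.0 0.255.255.255 any",
]


class DynamicNat:
    """Pool-based dynamic NAT, with or without 'overload' (PAT).
    Simplification: under overload every flow shares the first pool address."""

    def __init__(self, acl, pool_start, pool_end, overload):
        first, last = (int(ipaddress.ip_address(x)) for x in (pool_start, pool_end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.acl, self.overload = acl, overload
        self.table = {}                  # (inside local, port) -> (inside global, port)
        self.next_port = count(1024)     # global ports handed out under overload

    def translate(self, src, sport, dst):
        """Return the (inside global, port) the packet leaves with, the untouched
        (src, sport) when the ACL does not select it, or None when it is dropped."""
        if not acl_permits(self.acl, src, dst):
            return (src, sport)
        key = (src, sport)
        if key not in self.table:
            if self.overload:
                self.table[key] = (self.free[0], next(self.next_port))
            elif self.free:
                self.table[key] = (self.free.pop(0), sport)   # one-to-one binding
            else:
                return None                                   # pool exhausted: dropped
        return self.table[key]


def exhaust_pool(overload, hosts=10):
    """Constructed: ten inside hosts 172.31.5.1-10 each open a flow through the
    DYNat pool 57.253.2.65-57.253.2.73 (nine addresses) towards 198.51.100.7."""
    nat = DynamicNat(ACL_110, "57.253.2.65", "57.253.2.73", overload)
    return [nat.translate(f"172.31.5.{i}", 40000, "198.51.100.7") for i in range(1, hosts + 1)]


if __name__ == "__main__":
    print(conditional_static("172.31.11.10", "167.144.89.200"))  # 57.228.104.131
    print(conditional_static("172.31.11.10", "198.51.100.7"))    # 172.31.11.10 (not translated)
    print(exhaust_pool(overload=False)[-1])                       # None: tenth host dropped
    print(exhaust_pool(overload=True)[-1])                        # ('57.253.2.65', 1033)
```

The deny entries of ACL 110 matter for the same reason as the conditional ACL: an ACL used by NAT is a selection list, not a security filter, so a host matched by a deny line simply leaves with its real address rather than being blocked.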
• Example 2 (prom612)
======================
!
interface Loopback1
description --- to GMSNET
ip address 57.228.104.253 255.255.255.255
!
ip access-list extended To_GMSNET
permit ip 10.10.0.0 0.0.0.255 57.6.17.64 0.0.0.63
permit ip 10.10.0.0 0.0.0.255 57.233.33.0 0.0.0.63
permit ip 10.10.0.0 0.0.0.255 57.255.0.0 0.0.0.255
...
...
...
!
router bgp 65000
network 57.228.104.253 mask 255.255.255.255
!
ip nat inside source list To_GMSNET interface Loopback1 overload
!
- Any traffic matching ACL To_GMSNET will be source NATted to the Loopback1 IP, with a unique port number per translation (PAT)
• Example 3 ( prom612 )
=======================
!
ip nat pool CFMUNet_SourceIP 57.210.120.65 57.210.120.65 netmask 255.255.255.0
ip nat inside source list Access-to-CFMUnet pool CFMUNet_SourceIP overload
!
router bgp 65000
network 57.210.120.65 mask 255.255.255.255
!
ip route 57.210.120.65 255.255.255.255 GigabitEthernet0/0
!
- Like the previous example, but here the PAT address is a single-address pool tied to a physical interface by the static route. This trick is used when you don't want a loopback interface and a static advertisement of the PAT IP, and instead want the advertisement to depend on the physical interface status: if GigabitEthernet0/0 goes down, the static route and with it the BGP network advertisement disappear. It can be used for example in MCS setups where the same NAT IP is configured on both routers
===========
Special Note
===========
• If you have a server connected behind the router and you need to configure NATting for it, always make sure you are using static NATting, because the server never initiates the request and only responds to remote requests. If a remote host tries to connect to the server and the NAT table doesn't have an entry for it (which is the case when dynamic NATting is used), the connection will fail.
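To make the failure mode in the note concrete, here is an added Python model (not from the slides and not IOS code) of a translation table with permanent static entries and dynamic entries that are created only by outbound traffic and age out after an idle timeout (the 300-second value is an assumption). It uses the server addresses from Static Natting Example 1 and shows that a remote connection to 57.228.104.113 succeeds with a static mapping, but with dynamic NAT it only works briefly after the server itself has sent traffic.

```python
class NatTable:
    """Constructed model of a router's translation table (not IOS code).
    Static entries are permanent; dynamic entries exist only after an inside
    host sends outbound traffic and are removed after an idle timeout."""

    def __init__(self, idle_timeout=300):
        self.static = {}        # inside local -> inside global
        self.dynamic = {}       # inside local -> (inside global, last-used time)
        self.idle_timeout = idle_timeout

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global

    def outbound(self, inside_local, pool_address, now):
        """An inside host sends a packet out: a static entry is used as-is,
        otherwise a dynamic entry is created (or refreshed) for it."""
        if inside_local in self.static:
            return self.static[inside_local]
        self.dynamic[inside_local] = (pool_address, now)
        return pool_address

    def inbound(self, inside_global, now):
        """A remote host sends to a public address: return the inside host it maps
        to, or None when nothing in the table matches (the packet is dropped)."""
        for local, g in self.static.items():
            if g == inside_global:
                return local
        for local, (g, last) in list(self.dynamic.items()):
            if now - last > self.idle_timeout:
                del self.dynamic[local]            # entry aged out
            elif g == inside_global:
                self.dynamic[local] = (g, now)     # refresh the idle timer
                return local
        return None


SERVER, PUBLIC = "172.31.17.78", "57.228.104.113"   # addresses from Example 1


def server_with_static_nat(now=0):
    """Static mapping: the server is reachable without ever sending first."""
    nat = NatTable()
    nat.add_static(SERVER, PUBLIC)
    return nat.inbound(PUBLIC, now)          # 172.31.17.78


def server_with_dynamic_nat():
    """Dynamic NAT only: unsolicited inbound fails; it works for a while after the
    server itself sends something, then the entry ages out and it fails again."""
    nat = NatTable(idle_timeout=300)
    before = nat.inbound(PUBLIC, now=0)
    nat.outbound(SERVER, PUBLIC, now=10)     # server happens to send a packet
    during = nat.inbound(PUBLIC, now=20)
    after = nat.inbound(PUBLIC, now=1000)    # idle longer than the timeout
    return before, during, after             # (None, '172.31.17.78', None)


if __name__ == "__main__":
    print("static: ", server_with_static_nat())
    print("dynamic:", server_with_dynamic_nat())
```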
NAT Virtual Interface Design
• Cisco has introduced a new feature called NAT Virtual Interface; NVI removes the requirement to configure an interface as either NAT inside or NAT outside. An interface is simply configured to use NAT or not to use NAT.
• You use the command 'ip nat source ...' without specifying the inside/outside tag and enable NAT on the interfaces using the command 'ip nat enable'.
• For instance, the legacy statements would be:
Router(config)#interface range fastEthernet 0/0
Router(config-if-range)#ip nat inside
Router(config)#interface range fastEthernet 0/1
Router(config-if-range)#ip nat outside
Router(config)#ip nat inside source static 172.16.0.6 10.16.0.5
• Legacy NAT is domain-based NAT: you need to define inside and outside, and the order of routing and NAT differs by direction.
Traffic from outside: NAT first, then routing.
Traffic from inside: routing first, then NAT.
• The new NAT Virtual Interface makes no distinction between outside and inside interfaces:
1. First it checks the packet to see if it needs to be NATted.
2. If it does, the packet is routed to the virtual interface and then NATted.
3. After the NAT, it is routed again.
Any questions