12 Replies Latest reply: Dec 13, 2019 7:13 AM by jh

    Big Challenge in NAT on cisco router

    Vahid

      Hi. I have a problem with NAT on Cisco routers, both IOS and IOS XE. Does anyone have a solution to this problem?

      NAT.png

      R3 is owned by a customer, an independent organization. The network range 172.16.0.0/24 is used by the clients of this customer in order to communicate with our server (X), which has the IP address 2.2.2.2.

      There are two challenges:

      1) We don't import customer source addresses into our routing network. So it's necessary to do source NAT for 172.16.0.0/24 to one IP address (such as 192.168.200.1, which is assigned to this customer); PAT is required.

      2) The customer does not route our server IP address (2.2.2.2), and we are supposed to use the connected interface IP address for that (1.1.23.2). Therefore, we have to do destination NAT at the same time and in the same place for this customer in order to change 1.1.23.2 to 2.2.2.2.

      To solve the first problem, we changed the direction of "ip nat inside" and "ip nat outside", as shown in the figure above, so toward the customer is ip nat inside. Now, since the traffic flow is from inside to outside, we can simply use ip nat inside source list. Note that the "ip nat outside" command does not support overload and PAT.

      But the second problem still exists. According to the traffic flow, we cannot do destination NAT using the interface IP address (1.1.23.2). The router does routing before outside NAT, and given that it has a local host route (L) for 1.1.23.2 in the routing table, NAT won't be done.

      How can we solve the problem?

        • 1. Re: Big Challenge in NAT on cisco router
          Francesco

          Do you want to try :

           

          R2# ip nat outside source static  1.1.23.X  2.2.2.2

          where 2.2.2.2 is Outside Global

          and 1.1.23.X is the Outside local

           

          F.

          • 2. Re: Big Challenge in NAT on cisco router
            Ing_Percy

            Hi!

             

            I have an example in GNS3 that could help you.

            nat-outside-inside.jpg

            R1(config)#int f0/0
            R1(config-if)#ip nat inside
            R1(config)#int s0/0
            R1(config-if)#ip nat outside
            R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0
            R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
            R1(config)# ip nat inside source list 1 interface Serial0/0 overload
            R1(config)# ip nat inside source static 192.168.1.10 50.50.50.1

            R2(config)#int f0/0
            R2(config-if)#ip nat inside
            R2(config)#int s0/0
            R2(config-if)#ip nat outside
            R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0
            R2(config)# access-list 1 permit 172.16.1.0 0.0.0.255
            R2(config)# ip nat inside source list 1 interface Serial0/0 overload
            R2(config)# ip nat inside source static 172.16.1.10 60.60.60.2

            R3(config)#int s0/0
            R3(config-if)#ip add 50.50.50.2 255.255.255.252
            R3(config-if)#no shut
            R3(config)#int s0/1
            R3(config-if)#ip add 60.60.60.1 255.255.255.252
            R3(config-if)#no shut

             

            Analysis

            HostA pings HostB

            Echo ping: nat-outside-inside2.jpg
            Reply ping: nat-outside-inside3.jpg
            NAT table of R1 before the ping between Host1 and Host2: nat-outside-inside4.jpg
            NAT table of R2 before the ping between Host1 and Host2: nat-outside-inside5.jpg
            NAT table of R1 after the ping: nat-outside-inside6.jpg
            NAT table of R2 after the ping: nat-outside-inside7.jpg

            Regards!

            • 3. Re: Big Challenge in NAT on cisco router
              jh

              You could use the NAT NVI to make life easy.

              • 4. Re: Big Challenge in NAT on cisco router
                Vahid

                We had this scenario on an IOS router before (Cisco 2951). Since the 2900 series only allows power redundancy through the use of an external RPS device, we had to change to newer devices (4431), and unfortunately NAT enable is removed from IOS XE!!

                • 5. Re: Big Challenge in NAT on cisco router
                  Vahid

                  Thanks Ing_Percy.

                  You've implemented NAT on two devices (R1 and R2). This is different from our scenario: "destination NAT to our router interface for the customer" + "source NAT (PAT) for the customer", both at the same time on the same device, which is our edge router.

                  • 6. Re: Big Challenge in NAT on cisco router
                    Vahid

                    Hi.

                    ip nat outside source static 1.1.23.X 2.2.2.2 is wrong.

                    ip nat outside source static 2.2.2.2 1.1.23.X is correct and ...

                    It depends on what X is. If X is 2, it would be our interface IP address and exactly what I'm looking for. But it doesn't work because NAT outside is done after routing.

                    • 7. Re: Big Challenge in NAT on cisco router
                      Ing_Percy

                      Hi!

                       

                      Here is a lab that could give you an idea, applying PBR.

                      nat-ab1.JPG

                      Information of R3:

                       

                      R3#sh ip route | b Gateway
                      Gateway of last resort is 1.1.23.2 to network 0.0.0.0

                      S*    0.0.0.0/0 [1/0] via 1.1.23.2
                            1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
                      C        1.1.23.0/24 is directly connected, FastEthernet0/0
                      L        1.1.23.3/32 is directly connected, FastEthernet0/0
                            172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
                      C        172.16.0.0/24 is directly connected, Loopback0
                      L        172.16.0.1/32 is directly connected, Loopback0

                       

                      Information of R2:

                       

                      R2#sh run
                      <output omitted>
                      interface FastEthernet0/0
                       ip address 1.1.23.2 255.255.255.0
                       ip nat inside
                       ip policy route-map EXAMPLE
                      !
                      interface FastEthernet1/0
                       ip address 1.1.12.2 255.255.255.0
                       ip nat outside
                      !
                      ip nat inside source list 1 pool DYN overload
                      !
                      ip nat pool DYN 192.168.200.1 192.168.200.1 netmask 255.255.255.252
                      !
                      ip nat outside source static 2.2.2.2 8.8.8.8
                      !
                      access-list 1 permit 172.16.0.0 0.0.0.255
                      !
                      route-map EXAMPLE permit 10
                       match ip address 100
                       set ip next-hop 1.1.12.1
                      !
                      access-list 100 permit ip any host 8.8.8.8

                       

                      R2#sh ip route | b Gateway
                      Gateway of last resort is not set

                            1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
                      C        1.1.12.0/24 is directly connected, FastEthernet1/0
                      L        1.1.12.2/32 is directly connected, FastEthernet1/0
                      C        1.1.23.0/24 is directly connected, FastEthernet0/0
                      L        1.1.23.2/32 is directly connected, FastEthernet0/0
                            2.0.0.0/32 is subnetted, 1 subnets
                      S        2.2.2.2 [1/0] via 1.1.23.3
                            172.16.0.0/24 is subnetted, 1 subnets
                      S        172.16.0.0 [1/0] via 1.1.23.3

                       

                      Information of R1:

                       

                      R1#sh ip route | b Gateway
                      Gateway of last resort is not set

                            1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
                      C        1.1.12.0/24 is directly connected, FastEthernet1/0
                      L        1.1.12.1/32 is directly connected, FastEthernet1/0
                            2.0.0.0/32 is subnetted, 1 subnets
                      C        2.2.2.2 is directly connected, Loopback0
                            192.168.200.0/30 is subnetted, 1 subnets
                      S        192.168.200.0 [1/0] via 1.1.12.2

                       

                      Testing

                       

                      Applying a ping from R3 (172.16.0.1) to R1 (8.8.8.8)

                      nat-ab2.JPG

                      Checking the NAT table on R2

                      nat-ab3.JPG

                      When the packet arrived at R2, it applied source and destination NAT:

                      172.16.0.1 was translated to 192.168.200.1 (SOURCE)
                      8.8.8.8 was translated to 2.2.2.2 (DESTINATION)

                       

                      Now, as the packet is traveling from INSIDE to OUTSIDE, we must check the "order of operations":

                      Inside-to-Outside:
                      • If IPSec then check input access list
                      • decryption - for CET (Cisco Encryption Technology) or IPSec
                      • check input access list
                      • check input rate limits
                      • input accounting
                      • redirect to web cache
                      • policy routing
                      • routing
                      • NAT inside to outside (local to global translation)
                      • crypto (check map and mark for encryption)
                      • check output access list
                      • inspect (Context-based Access Control (CBAC))
                      • TCP intercept
                      • encryption
                      • Queueing

                      Outside-to-Inside:
                      • If IPSec then check input access list
                      • decryption - for CET or IPSec
                      • check input access list
                      • check input rate limits
                      • input accounting
                      • redirect to web cache
                      • NAT outside to inside (global to local translation)
                      • policy routing
                      • routing
                      • crypto (check map and mark for encryption)
                      • check output access list
                      • inspect CBAC
                      • TCP intercept
                      • encryption
                      • Queueing

                      Without PBR, R2 would apply "routing" before NAT (inside-to-outside), but as the packet is destined to 8.8.8.8 and we don't have a route to it, the packet would be dropped.

                      For that reason, I applied policy-based routing (PBR) to send any packet destined to 8.8.8.8 to the next-hop IP address 1.1.12.1. Once this forwarding decision is made, the destination address of the packet is translated (8.8.8.8 to 2.2.2.2) and the packet is sent to this next-hop IP address.

                      In Wireshark, I captured the packet entering R1:

                      nat-ab4.JPG

                      For that reason, the packet can reach the IP address 2.2.2.2.

                       

                      Regards!

                      • 8. Re: Big Challenge in NAT on cisco router
                        jh

                        Why do you need to use PAT in the first point?

                        • 9. Re: Big Challenge in NAT on cisco router
                          jh

                          If you remove the need for overloading the external 172 network to just one IP and instead map the network 172.16.0.0/24 to a dedicated inside network, e.g. 192.168.200.0/24, you could achieve your aim easily.

                          • 10. Re: Big Challenge in NAT on cisco router
                            Kanan

                            Hi,

                             

                            What I understand: you have a customer device (in the picture, R3) and a network behind R3. You have an interconnection with the customer and no routing, only a directly connected P2P network. Customer hosts must have access to an internal server, yes? Am I correct?

                            If yes:

                            Let the customer do NAT to the interface (PAT), and you do regular static NAT (ip nat inside source static). The interface toward the customer will be ip nat outside, and the interface toward the local network will be ip nat inside.

                             

                            Regards,

                            • 11. Re: Big Challenge in NAT on cisco router
                              Francesco

                              Hi Vahid,

                               

                              X would be any number belonging to that subnet; it is a /24, right?

                              If I understand correctly, you want the internal server to be presented outside as if it were sitting on the external subnet, so that clients can access it without having a route to your server's real IP address.

                              The router will create an alias for the IP address you have selected (i.e. 10.1.23.10), and it will be like having a host with that IP address connected to the external segment.

                               

                              Did I miss something?

                              F.

                              • 12. Re: Big Challenge in NAT on cisco router
                                jh

                                There seems to be not much response from the OP. I can't offer too many more suggestions.

                                If you want to keep the inside/outside as per your diagram, all else I can suggest is to use a different IP on the inside network and hope that helps, e.g. something like...

                                int gi0/0
                                 ip nat inside
                                int gi1/0
                                 ip nat outside
                                ip nat pool POOL 192.168.200.1 192.168.200.1 prefix-length 24
                                ip nat inside source list 1 pool POOL overload
                                ip nat outside source static tcp 2.2.2.2 23 1.1.23.222 2222 no-alias
                                ip route 1.1.23.222 255.255.255.255 1.1.12.1
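The two working answers in this thread (Ing_Percy's PBR lab in reply 7 and jh's host-route variant in reply 12) both hinge on the same detail from the order of operations: for a packet entering the ip nat inside interface, IOS routes first and translates afterwards, so the destination you translate must already be routable toward the outside interface, and must not match a local /32 of the router itself. The following Python model is an added example, not code from either poster or from Cisco: it replays R2 with the thread's addresses (R2's routing table from reply 7, access-list 1, the 192.168.200.1 pool, the outside source static entry and either route-map EXAMPLE or jh's /32 static route). Class and function names are invented, the IOS fast path is not modelled, and TCP ports (jh's 23 to 2222 mapping) and PAT port allocation are left out, so there is one dynamic entry per inside local address.

```python
"""Toy model of the IOS NAT order of operations discussed in this thread.

Added example, not part of any post: replays R2 from the PBR lab (reply 7)
and the host-route variant (reply 12). Names are invented; ports and PAT
port allocation are omitted (one dynamic entry per inside local address).
"""
import ipaddress

# Result tuples: (DROP, reason) / (LOCAL, dst) / (FORWARD, next_hop, src, dst)
DROP, LOCAL, FORWARD = "drop", "local", "forward"

# R2's routing table as shown by 'R2#sh ip route' in reply 7.
LAB_ROUTES = {
    "1.1.12.0/24": "connected", "1.1.12.2/32": LOCAL,
    "1.1.23.0/24": "connected", "1.1.23.2/32": LOCAL,
    "2.2.2.2/32": "1.1.23.3", "172.16.0.0/24": "1.1.23.3",
}


class Router:
    def __init__(self, routes, outside_static, pbr=None):
        self.routes = routes
        self.inside_acl = ipaddress.ip_network("172.16.0.0/24")  # access-list 1
        self.pat_global = "192.168.200.1"                         # ip nat pool (overload)
        self.outside_static = outside_static   # outside global -> outside local
        self.pbr = pbr or {}                   # route-map: destination -> set ip next-hop
        self.nat_table = {}                    # dynamic entries: inside local -> inside global

    def lookup(self, dst):
        """Longest-prefix match; returns next hop, 'connected', LOCAL or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def inside_to_outside(self, src, dst):
        """Packet entering on the 'ip nat inside' interface:
        policy routing, then routing, then NAT (local-to-global)."""
        nh = self.pbr.get(dst) or self.lookup(dst)
        if nh is None:
            return (DROP, "no route to " + dst)
        if nh == LOCAL:
            # The /32 host route for the router's own address wins and the packet
            # is punted to the router itself; the NAT step is never reached.
            return (LOCAL, dst)
        if ipaddress.ip_address(src) in self.inside_acl:   # inside source overload
            self.nat_table[src] = self.pat_global
            src = self.pat_global
        local_to_global = {loc: glob for glob, loc in self.outside_static.items()}
        dst = local_to_global.get(dst, dst)                # outside source static
        return (FORWARD, nh, src, dst)

    def outside_to_inside(self, src, dst):
        """Packet entering on the 'ip nat outside' interface:
        NAT (global-to-local) runs before routing."""
        src = self.outside_static.get(src, src)
        global_to_local = {glob: loc for loc, glob in self.nat_table.items()}
        if dst not in global_to_local:
            return (DROP, "no translation for " + dst)
        dst = global_to_local[dst]
        nh = self.lookup(dst)
        return (FORWARD, nh, src, dst) if nh else (DROP, "no route to " + dst)


def run_pbr_lab():
    """Reply 7: 'ip nat outside source static 2.2.2.2 8.8.8.8' plus route-map EXAMPLE."""
    r2 = Router(LAB_ROUTES, {"2.2.2.2": "8.8.8.8"})
    out = {"without_pbr": r2.inside_to_outside("172.16.0.1", "8.8.8.8"),
           "to_interface": r2.inside_to_outside("172.16.0.1", "1.1.23.2")}  # the OP's case
    r2.pbr["8.8.8.8"] = "1.1.12.1"                                     # route-map applied
    out["with_pbr"] = r2.inside_to_outside("172.16.0.1", "8.8.8.8")
    out["reply"] = r2.outside_to_inside("2.2.2.2", "192.168.200.1")
    return out


def run_host_route_lab():
    """Reply 12: a spare address on the inside subnet as outside local, with a /32
    static route towards the outside so that routing succeeds before NAT."""
    routes = {**LAB_ROUTES, "1.1.23.222/32": "1.1.12.1"}
    r2 = Router(routes, {"2.2.2.2": "1.1.23.222"})
    return {"to_alias": r2.inside_to_outside("172.16.0.1", "1.1.23.222"),
            "reply": r2.outside_to_inside("2.2.2.2", "192.168.200.1")}


if __name__ == "__main__":
    print(run_pbr_lab())
    print(run_host_route_lab())
```

Running it shows the three outcomes the thread argues about: a packet for 8.8.8.8 is dropped with no route until the route-map supplies a next hop; a packet for R2's own 1.1.23.2 hits the local /32 and is never translated, which is the original problem; and with either the route-map or the /32 static route the inside-to-outside pass rewrites both source (to 192.168.200.1) and destination (to 2.2.2.2), while the reply is translated back before routing and forwarded to 1.1.23.3.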