NAT to support locally generated traffic

August 6, 2008 at 10:39 am | Posted in NAT

The objective of this sample configuration is to set up Telnet port forwarding so that traffic to 150.1.3.1, both from outside and from R3 itself, ends up on the inside Telnet server R1 (10.1.13.1/24). Although the configuration uses port forwarding (ip nat inside source static tcp), the scenario should also work with a one-to-one static host mapping.

References
http://blog.internetworkexpert.com/2008/02/15/the-inside-and-outside-of-nat/
http://blog.internetworkexpert.com/2008/07/15/a-curious-nat-scenario/

The topology:

R1———-R3———-R2
inside  NAT  outside

LAN: 10.1.13.3/24
WAN: 155.1.23.3/24
Loopback0 on R3: 150.1.3.3/24

R1 is the actual Telnet server behind the NAT device (R3); R2 is the external public host. If an external device telnets to 150.1.3.1, it should end up on R1 (10.1.13.1/24).

The WORKING CONFIG:
——————

R3#sh run | in interface|nat|address|ip route
ip telnet source-interface Loopback0
interface Loopback0
ip address 150.1.3.3 255.255.255.0
ip nat outside

interface Serial1/2
ip address 10.1.13.3 255.255.255.0
ip nat inside

interface Serial1/3
ip address 155.1.23.3 255.255.255.0
ip nat outside

ip route 155.1.13.33 255.255.255.255 150.1.3.254
ip nat inside source static tcp 10.1.13.1 23 150.1.3.1 23 extendable
ip nat outside source static 150.1.3.3 155.1.13.33

If we remove the outside source static and the static route (the inside static port forwarding stays in place):

no ip nat outside source static 150.1.3.3 155.1.13.33
no ip route 155.1.13.33 255.255.255.255 150.1.3.254

access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any

debug ip packet detailed 100

R3#telnet 150.1.3.1
Trying 150.1.3.1 …
*Mar  1 01:34:01.983: IP: tableid=0, s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 01:34:01.987: IP: s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), len 44, sending
*Mar  1 01:34:01.991:     TCP src=34779, dst=23, seq=144327356, ack=0, win=4128 SYN

*Mar  1 01:34:02.179: IP: tableid=0, s=10.1.13.1 (Serial1/2), d=150.1.3.3 (Loopback0), routed via RIB
*Mar  1 01:34:02.183: IP: s=10.1.13.1 (Serial1/2), d=150.1.3.3, len 44, rcvd 4
*Mar  1 01:34:02.187:     TCP src=23, dst=34779, seq=634135065, ack=144327357, win=4128 ACK SYN

*Mar  1 01:34:02.191: IP: tableid=0, s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 01:34:02.195: IP: s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), len 40, sending
*Mar  1 01:34:02.199:     TCP src=34779, dst=23, seq=144327357, ack=0, win=0 RST

% Connection timed out; remote host not responding

! R3 tries to open a TCP session with a source IP of 150.1.3.3 and a destination IP of 150.1.3.1.
! However, the TCP SYN-ACK received from R1 is sourced from 10.1.13.1. This source IP address never gets
! translated to 150.1.3.1 because on the inside interface the routing decision kicks in first and only then
! are the translation rules applied, followed by forwarding. Since 150.1.3.3 is one of R3's own addresses the
! reply is delivered locally and never leaves through a NAT outside interface, so the inside-to-outside
! translation has nothing to act on. Packets on the NAT outside are first translated and then routed.

R3 therefore sends a TCP RST because it receives a packet from an IP address that it does not expect.

If we force the source IP 10.1.13.1 to be translated to 150.1.3.1, then all is fine. Translating R3's own source 150.1.3.3 to 155.1.13.33 and pointing a static route for 155.1.13.33 out Loopback0 (a NAT outside interface) makes R1's reply cross an outside interface on its way back, so the inside-to-outside translation is applied before the packet is received locally:

ip nat outside source static 150.1.3.3 155.1.13.33
ip route 155.1.13.33 255.255.255.255 150.1.3.254

R3#telnet 150.1.3.1
Trying 150.1.3.1 … Open

R1#exit

*Mar  1 02:05:15.947: IP: tableid=0, s=155.1.13.33 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 02:05:15.951: IP: s=155.1.13.33 (local), d=10.1.13.1 (Serial1/2), len 44, sending
*Mar  1 02:05:15.955:     TCP src=52962, dst=23, seq=571196906, ack=0, win=4128 SYN

*Mar  1 02:05:16.151: IP: tableid=0, s=10.1.13.1 (Serial1/2), d=155.1.13.33 (Loopback0), routed via RIB
*Mar  1 02:05:16.151: IP: s=150.1.3.1 (Serial1/2), d=150.1.3.3 (Loopback0), g=150.1.3.254, len 44, forward
*Mar  1 02:05:16.155:     TCP src=23, dst=52962, seq=867877048, ack=571196907, win=4128 ACK SYN

*Mar  1 02:05:16.163: IP: tableid=0, s=150.1.3.1 (Loopback0), d=150.1.3.3 (Loopback0), routed via RIB
*Mar  1 02:05:16.167: IP: s=150.1.3.1 (Loopback0), d=150.1.3.3 (Loopback0), len 44, rcvd 3
*Mar  1 02:05:16.171:     TCP src=23, dst=52962, seq=867877048, ack=571196907, win=4128 ACK SYN
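The two debug traces above can be reproduced with a small model of the NAT order of operations. This is an added example, not configuration or code from the post: the addresses are the post's, but the rules (inside-to-outside routes then translates, outside-to-inside and locally generated outside-sourced traffic translate then route) are a deliberate simplification of IOS NAT with no ports and no translation-table state.

```python
import ipaddress

# Constructed model of R3 (the post's addresses; the rules are a simplification of IOS NAT: no ports, no NAT table state).
OUTSIDE_IF = {"Loopback0", "Serial1/3"}
LOCAL_ADDRS = {"10.1.13.3", "155.1.23.3", "150.1.3.3"}
CONNECTED = [("10.1.13.0/24", "Serial1/2"), ("155.1.23.0/24", "Serial1/3"), ("150.1.3.0/24", "Loopback0")]
INSIDE_STATIC = {"10.1.13.1": "150.1.3.1"}            # ip nat inside source static (inside local -> inside global)
NAT_BROKEN = {"inside": INSIDE_STATIC, "outside": {}}
NAT_FIXED = {"inside": INSIDE_STATIC, "outside": {"150.1.3.3": "155.1.13.33"}}  # ip nat outside source static
ROUTE_FIXED = [("155.1.13.33/32", "Loopback0")]       # ip route 155.1.13.33/32 via 150.1.3.254, resolved to Loopback0

def egress(dst, routes):
    """Longest-prefix lookup; 'local' when R3 owns the address, None when unroutable."""
    if dst in LOCAL_ADDRS:
        return "local"
    best = (-1, None)
    for prefix, iface in CONNECTED + routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best[0]:
            best = (net.prefixlen, iface)
    return best[1]

def out_to_in(pkt, nat):
    """Outside->inside: src outside global->local, dst inside global->local."""
    inside_rev = {g: l for l, g in nat["inside"].items()}
    return (nat["outside"].get(pkt[0], pkt[0]), inside_rev.get(pkt[1], pkt[1]))

def in_to_out(pkt, nat):
    """Inside->outside: src inside local->global, dst outside local->global."""
    outside_rev = {l: g for g, l in nat["outside"].items()}
    return (nat["inside"].get(pkt[0], pkt[0]), outside_rev.get(pkt[1], pkt[1]))

def r3_forward(pkt, ingress, nat, routes):
    """Order of operations: outside ingress (and R3's own Loopback0-sourced packets) translate then route; inside ingress routes then translates."""
    if ingress in OUTSIDE_IF or ingress == "local":
        pkt = out_to_in(pkt, nat)
        return pkt, egress(pkt[1], routes)
    iface = egress(pkt[1], routes)
    if iface in OUTSIDE_IF:              # no translation when the packet is delivered locally or stays inside
        pkt = in_to_out(pkt, nat)
    return pkt, iface

def telnet_from_r3(nat, routes):
    """R3 telnets 150.1.3.1 from Loopback0; return the source address its TCP stack sees on R1's SYN-ACK."""
    syn, iface = r3_forward(("150.1.3.3", "150.1.3.1"), "local", nat, routes)
    pkt, iface = r3_forward((syn[1], syn[0]), iface, nat, routes)   # R1 answers by swapping the addresses
    while iface == "Loopback0":            # a packet sent out Loopback0 comes straight back in on it
        pkt, iface = r3_forward(pkt, iface, nat, routes)
    return pkt[0] if iface == "local" else None
```

With NAT_BROKEN the reply reaches R3's TCP stack sourced from 10.1.13.1 (hence the RST); with NAT_FIXED and ROUTE_FIXED it arrives from 150.1.3.1 and the session opens.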
