Static NAT and NAT order of operation

October 24, 2008 at 10:00 pm | Posted in IP Services, NAT
IEWB1 v5 Task 13.21

Topo:
R4 ------------ R5 ------------- SW2
  155.1.45.0/24    155.1.58.0/24

The objective is for R4 to be able to telnet to SW2 using 155.1.45.8, and for SW2 to be able to telnet to R4 using 155.1.58.4.

Rack1R5#sh run | in interface|nat|ip route
interface Ethernet0/0
 ip nat inside
interface Serial0/1
 ip nat outside
ip nat inside source static 155.1.58.8 155.1.45.8
ip nat outside source static 155.1.45.4 155.1.58.4
ip route 155.1.58.4 255.255.255.255 Serial0/1

The first NAT statement is straightforward. It is used so that the outside world sees SW2's VL58 interface with the IP address 155.1.45.8.

155.1.58.8 is Inside Local
155.1.45.8 is Inside Global

We need to translate inside traffic. As the direction is inside to outside, the IP addresses above are source IPs. That’s why we need “ip nat inside source static”.

The second NAT statement is less usual. It is used for the second task, so that SW2 can telnet to R4 using 155.1.58.4.

155.1.45.4 is Outside Global
155.1.58.4 is Outside Local

As the direction is from outside to inside, those IPs are source addresses. That’s why we need the “ip nat outside source” translation.

NAT order of operation:

As traffic arrives on an outside interface, it is NAT translated before being routed. Therefore, we do not need a static route for 155.1.45.8, because traffic from outside destined for 155.1.45.8 has its destination IP translated to 155.1.58.8, which is already routable.

On the other hand, traffic arriving on an inside interface is routed before it is translated.
When R5 receives traffic from the local LAN heading to 155.1.58.4, it does not know that it needs to route toward R4 unless the static host route 155.1.58.4/32 is configured, which overrides the connected route for the LAN subnet 155.1.58.0/24.

BTW, we do not need a static route for 155.1.58.4/32 on SW2, because the above route is automatically advertised into RIP by R5, and SW2 will have it installed as a RIP route. Static routes pointing to an interface (instead of a next-hop IP address) are treated as directly connected routes by RIP.

Rack1R5#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                155.1.58.4         155.1.45.4
--- 155.1.45.8         155.1.58.8         ---                ---

R5#debug ip nat detailed
*Apr  7 02:55:54.571: NAT: i: icmp (155.1.58.8, 9) -> (155.1.58.4, 9) [61]    
*Apr  7 02:55:54.571: NAT: s=155.1.58.8->155.1.45.8, d=155.1.58.4 [61]
*Apr  7 02:55:54.571: NAT: s=155.1.45.8, d=155.1.58.4->155.1.45.4 [61]
*Apr  7 02:55:54.603: NAT*: o: icmp (155.1.45.4, 9) -> (155.1.45.8, 9) [61]
*Apr  7 02:55:54.603: NAT*: s=155.1.45.4->155.1.58.4, d=155.1.45.8 [61]
*Apr  7 02:55:54.603: NAT*: s=155.1.58.4, d=155.1.45.8->155.1.58.8 [61]
*Apr  7 02:55:54.607: NAT: i: icmp (155.1.58.8, 9) -> (155.1.58.4, 9) [62]    
*Apr  7 02:55:54.607: NAT: s=155.1.58.8->155.1.45.8, d=155.1.58.4 [62]
*Apr  7 02:55:54.607: NAT: s=155.1.45.8, d=155.1.58.4->155.1.45.4 [62]
*Apr  7 02:55:54.635: NAT*: o: icmp (155.1.45.4, 9) -> (155.1.45.8, 9) [62]
*Apr  7 02:55:54.635: NAT*: s=155.1.45.4->155.1.58.4, d=155.1.45.8 [62]
*Apr  7 02:55:54.635: NAT*: s=155.1.58.4, d=155.1.45.8->155.1.58.8 [62]
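
The order of operation described above can be modelled in a few lines. This is an added example, not code from the original post or from Cisco: a simplified Python model of R5 whose function and variable names are assumptions, built from the configuration shown earlier. It shows why the inside-to-outside packet is only translated when the host route 155.1.58.4/32 steers it to the outside interface.

```python
import ipaddress

# Constructed model of R5, taken from the configuration in the post.
NAT_ROLE = {"Ethernet0/0": "inside", "Serial0/1": "outside"}
INSIDE_STATIC = {"155.1.58.8": "155.1.45.8"}    # inside local -> inside global
OUTSIDE_STATIC = {"155.1.45.4": "155.1.58.4"}   # outside global -> outside local
CONNECTED = [("155.1.58.0/24", "Ethernet0/0"), ("155.1.45.0/24", "Serial0/1")]
HOST_ROUTE = ("155.1.58.4/32", "Serial0/1")     # ip route 155.1.58.4 255.255.255.255 Serial0/1

def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def forward(src, dst, in_if, routes):
    """Return (src, dst, out_if) after the modelled R5 handles one packet."""
    inside_global_to_local = {g: l for l, g in INSIDE_STATIC.items()}
    outside_local_to_global = {l: g for g, l in OUTSIDE_STATIC.items()}
    if NAT_ROLE[in_if] == "outside":
        # Outside to inside: translate first, then route on the new destination.
        src = OUTSIDE_STATIC.get(src, src)
        dst = inside_global_to_local.get(dst, dst)
        return src, dst, lookup(routes, dst)
    # Inside to outside: route first; NAT applies only if egress is an outside interface.
    out_if = lookup(routes, dst)
    if out_if is not None and NAT_ROLE[out_if] == "outside":
        src = INSIDE_STATIC.get(src, src)
        dst = outside_local_to_global.get(dst, dst)
    return src, dst, out_if

if __name__ == "__main__":
    # SW2 -> R4 with and without the host route, then the reply from R4.
    print(forward("155.1.58.8", "155.1.58.4", "Ethernet0/0", CONNECTED + [HOST_ROUTE]))
    print(forward("155.1.58.8", "155.1.58.4", "Ethernet0/0", CONNECTED))
    print(forward("155.1.45.4", "155.1.45.8", "Serial0/1", CONNECTED))
```

With the host route present, the first and third results match the address rewrites in the debug output above; without it, the packet matches the connected LAN route and leaves untranslated.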

More info on NAT order of operation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml