NAT Virtual Interface

October 25, 2008 at 9:20 pm | Posted in IP Services, NAT

IEWB1 Ver5 Task 13.29

Configure NAT on R5 without using any ip nat inside or ip nat outside command, so that traffic sourced from VLAN8 on SW2 is seen as coming from 155.1.188.0/24.

Configuration

R5#
int e0/0
 ip nat enable
int s0/0
 ip nat enable
int s0/1
 ip nat enable
!
! add-route installs a static route for the pool prefix 155.1.188.0/24 via the NAT
! virtual interface; redistributing it into RIP lets the rest of the network send
! return traffic for the translated addresses back to R5
router rip
 redistribute static metric 1

ip nat pool NET188 155.1.188.1 155.1.188.254 netmask 255.255.255.0 add-route
! NVI form of the source translation: no inside or outside keyword
ip nat source list VLAN8 pool NET188
!
!
ip access-list standard VLAN8
 permit 155.1.8.0 0.0.0.255

Verification

Rack1SW2#ping 155.1.45.4 source vlan8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.45.4, timeout is 2 seconds:
Packet sent with a source address of 155.1.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 42/47/51 ms

Rack1R5#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
Rack1R5#sh ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries
Rack1R5#sh ip nat nvi translation
Pro Source global      Source local       Destin  local      Destin  global
--- 155.1.188.1        155.1.8.8          ---                ---

The classic translation table is empty because NVI keeps its own table. With no inside/outside domains the columns become source and destination, local and global: SW2's 155.1.8.8 is shown translated to 155.1.188.1 from the pool.

Doc CD Navigation

  • Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
  • Part 6: NAT
  • Configuring NAT for IP Address Conservation
  • How to Configure NAT for IP Address Conservation
  • Configuring the NAT Virtual Interface

TCP Load Distribution with NAT

October 25, 2008 at 1:03 pm | Posted in IP Services, NAT

IEWB1 Vol5 Task 13.26

Configure R5 so that when SW2 telnets to 155.1.58.55, the connection is redirected to R1, R2 and R4 in an even distribution.

 

R5#

! Rotary pool of the real server addresses (R1, R2 and R4); the ranges need not be consecutive
ip nat pool SERVERS netmask 255.255.255.0 type rotary
 address 155.1.0.1 155.1.0.2
 address 155.1.0.4 155.1.0.4
! Each new TCP connection matching the list is handed to the next pool member in turn
ip nat inside destination list TELNET pool SERVERS
!
!
ip access-list extended TELNET
 permit tcp any host 155.1.58.55 eq telnet
! Not shown: the interface domains on R5. Inside destination translation is applied to
! traffic arriving on an ip nat outside interface, so SW2 must be reached through an
! outside interface and R1/R2/R4 through inside ones.

Rack1SW2#
! 155.1.58.55 is on SW2's connected subnet; without this host route SW2 would ARP for it and get no answer
ip route 155.1.58.55 255.255.255.255 155.1.58.5

Alternatively, the static route on SW2 can be replaced with an ip alias command on R5. R5 then answers ARP for 155.1.58.55 on the shared LAN, so SW2 sends the connection to R5 without needing a host route:

Rack1R5(config)#ip alias ?
  A.B.C.D  IP address to alias to a port

Rack1R5(config)#ip alias 155.1.58.55 ?
  <0-65535>  IP port number

Rack1R5(config)#ip alias 155.1.58.55 23

 

 
Verification from SW2

Rack1SW2#telnet 155.1.58.55
Trying 155.1.58.55 … Open

Rack1R1#exit

[Connection to 155.1.58.55 closed by foreign host]
Rack1SW2#telnet 155.1.58.55
Trying 155.1.58.55 … Open

Rack1R2#exit

[Connection to 155.1.58.55 closed by foreign host]
Rack1SW2#telnet 155.1.58.55
Trying 155.1.58.55 … Open

Rack1R4#exit

[Connection to 155.1.58.55 closed by foreign host]
Rack1SW2#telnet 155.1.58.55
Trying 155.1.58.55 … Open

Rack1R1#exit

NAT for overlapping networks

October 25, 2008 at 11:36 am | Posted in IP Services, NAT

IEWB1 v5 Task 13.25

R1 and R2 both have a new Loopback1 in 10.0.0.0/24. Configure R1 so that R2 can reach R1's loopback using an address in 11.0.0.0/24, while traffic from R2 appears to R1 as coming from the 22.0.0.0/24 subnet.

 

Configuration

Rack1R1#sh run | in interface|nat|ip route

interface Loopback1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip nat outside
interface Serial0/1
 ip nat outside

router rip
 network 11.0.0.0

ip route 11.0.0.0 255.255.255.0 Null0
ip route 22.0.0.0 255.255.255.0 Serial0/1

ip nat pool R2_LOOP1_POOL 22.0.0.1 22.0.0.254 prefix-length 24
ip nat inside source static network 10.0.0.0 11.0.0.0 /24
ip nat outside source list R2_LOOP1_REAL pool R2_LOOP1_POOL

The first NAT statement maps R1's whole loopback subnet 10.0.0.0/24 to 11.0.0.0/24 (inside local to inside global); the Null0 static route together with the RIP network statement gets 11.0.0.0/24 advertised to R2. The second statement translates R2's source addresses into the 22.0.0.0/24 pool (outside global to outside local), so R1 never sees its own loopback subnet as a peer. The access list R2_LOOP1_REAL is not captured by the show filter above. The static route for 22.0.0.0/24 out Serial0/1 is required because inside-to-outside traffic is routed before it is translated: R1's replies are addressed to 22.0.0.x and must already be routable toward R2 before NAT rewrites them.


Debugging

Here is a debug sample from when the pool name was mistyped in the outside source statement:
ip nat outside source list R2_LOOP1_REAL pool R2_LOO1_POOL
Rack1R1#debug ip nat detailed

*Mar  1 01:12:35.771: NAT: alloc — pool R2_LOO1_POOL not found
*Mar  1 01:12:35.775: NAT: failed to allocate address for 10.0.0.2, list/map R2_LOOP1_REAL
*Mar  1 01:12:35.775: NAT*: o: icmp (10.0.0.2, 11) -> (11.0.0.1, 11) [44]    
*Mar  1 01:12:35.775: NAT*: o: icmp (10.0.0.2, 11) -> (11.0.0.1, 11) [44]
*Mar  1 01:12:35.775: NAT*: s=10.0.0.2, d=11.0.0.1->10.0.0.1 [44]
*Mar  1 01:12:35.775: NAT: alloc — pool R2_LOO1_POOL not found
*Mar  1 01:12:35.779: NAT: failed to allocate address for 10.0.0.1, list/map R2_LOOP1_REAL
*Mar  1 01:12:35.779: NAT: translation failed (L), dropping packet s=10.0.0.1 d=10.0.0.2
no ip nat outside source list R2_LOOP1_REAL pool R2_LOO1_POOL
ip nat outside source list R2_LOOP1_REAL pool R2_LOOP1_POOL

Rack1R1#
*Mar  1 01:17:36.987: NAT*: o: icmp (10.0.0.2, 13) -> (11.0.0.1, 13) [46]    
*Mar  1 01:17:36.987: NAT*: o: icmp (10.0.0.2, 13) -> (11.0.0.1, 13) [46]
*Mar  1 01:17:36.991: NAT*: s=10.0.0.2->22.0.0.1, d=11.0.0.1 [46]
*Mar  1 01:17:36.991: NAT*: s=22.0.0.1, d=11.0.0.1->10.0.0.1 [46]
*Mar  1 01:17:36.991: NAT: i: icmp (10.0.0.1, 13) -> (22.0.0.1, 13) [46]    
*Mar  1 01:17:36.991: NAT: s=10.0.0.1->11.0.0.1, d=22.0.0.1 [46]
*Mar  1 01:17:36.991: NAT: s=11.0.0.1, d=22.0.0.1->10.0.0.2 [46]

With the correct pool name the trace shows both directions. The packet from R2 arriving on the outside interface is translated first (source 10.0.0.2 to 22.0.0.1 from the pool, destination 11.0.0.1 to 10.0.0.1) and then routed to Loopback1; the reply from Loopback1 is routed toward 22.0.0.1 via the static route and only then translated (source 10.0.0.1 to 11.0.0.1, destination 22.0.0.1 back to 10.0.0.2).

Doc CD Navigation

  • Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
  • Part 6: NAT
  • Configuring NAT for IP Address Conservation
  • Configuration Examples for Configuring NAT for IP Address Conservation
  • Allowing Overlapping Networks to Communicate Using NAT

 or

  • Translating Overlapping Address: Example

Static NAT and NAT order of operation

October 24, 2008 at 10:00 pm | Posted in IP Services, NAT

IEWB1 v5 Task 13.21

Topo:
R4 ------------ R5 ------------- SW2
  155.1.45.0/24    155.1.58.0/24

The objective is for R4 to be able to telnet to SW2 using 155.1.45.8, and for SW2 to be able to telnet to R4 using 155.1.58.4.

Rack1R5#sh run | in interface|nat|ip route
interface Ethernet0/0
 ip nat inside
interface Serial0/1
 ip nat outside
ip nat inside source static 155.1.58.8 155.1.45.8
ip nat outside source static 155.1.45.4 155.1.58.4
ip route 155.1.58.4 255.255.255.255 Serial0/1

The first NAT statement is straightforward. It lets the outside world see SW2's VLAN58 address as 155.1.45.8.

155.1.58.8 is Inside Local
155.1.45.8 is Inside Global

We are translating Inside traffic, and in the Inside-to-Outside direction these addresses are the SOURCE addresses. That is why we need "ip nat inside source static".

The second NAT statement is less usual. It serves the second half of the task, letting SW2 telnet to R4 using 155.1.58.4.

155.1.45.4 is Outside Global
155.1.58.4 is Outside Local

In the Outside-to-Inside direction these addresses are the source addresses, so the translation is "ip nat outside source static".

NAT order of operation:

Traffic arriving on an outside interface is translated before it is routed. We therefore do not need a static route for 155.1.45.8: a packet from the outside destined for 155.1.45.8 has its destination translated to 155.1.58.8, which is already routable as a connected route.

Traffic arriving on an inside interface, on the other hand, is routed before it is translated. When R5 receives a packet from the local LAN heading to 155.1.58.4, it does not know to send it toward R4 unless the host route 155.1.58.4/32 is configured; that /32 is more specific than the connected route for 155.1.58.0/24 and wins, and the packet is then translated on its way out Serial0/1.

We do not need a static route for 155.1.58.4/32 on SW2 either, because the route above is automatically advertised into RIP by R5 and SW2 installs it as a RIP route. Static routes pointing to an interface (instead of a next-hop IP address) are treated as directly connected by RIP, so they are picked up by the network statement.

Rack1R5#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                155.1.58.4         155.1.45.4
--- 155.1.45.8         155.1.58.8         ---                ---
R5#debug ip nat detailed
*Apr  7 02:55:54.571: NAT: i: icmp (155.1.58.8, 9) -> (155.1.58.4, 9) [61]    
*Apr  7 02:55:54.571: NAT: s=155.1.58.8->155.1.45.8, d=155.1.58.4 [61]
*Apr  7 02:55:54.571: NAT: s=155.1.45.8, d=155.1.58.4->155.1.45.4 [61]
*Apr  7 02:55:54.603: NAT*: o: icmp (155.1.45.4, 9) -> (155.1.45.8, 9) [61]
*Apr  7 02:55:54.603: NAT*: s=155.1.45.4->155.1.58.4, d=155.1.45.8 [61]
*Apr  7 02:55:54.603: NAT*: s=155.1.58.4, d=155.1.45.8->155.1.58.8 [61]
*Apr  7 02:55:54.607: NAT: i: icmp (155.1.58.8, 9) -> (155.1.58.4, 9) [62]    
*Apr  7 02:55:54.607: NAT: s=155.1.58.8->155.1.45.8, d=155.1.58.4 [62]
*Apr  7 02:55:54.607: NAT: s=155.1.45.8, d=155.1.58.4->155.1.45.4 [62]
*Apr  7 02:55:54.635: NAT*: o: icmp (155.1.45.4, 9) -> (155.1.45.8, 9) [62]
*Apr  7 02:55:54.635: NAT*: s=155.1.45.4->155.1.58.4, d=155.1.45.8 [62]
*Apr  7 02:55:54.635: NAT*: s=155.1.58.4, d=155.1.45.8->155.1.58.8 [62]
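The following Python model is added here as an illustration; it is not workbook material and not how IOS is implemented. It reproduces R5's two static translations and routing table and applies the order of operation described above: route then translate for packets entering an inside interface, translate then route for packets entering an outside one. The model is deliberately minimal (no access lists, no dynamic entries, no PAT); the interface names, prefixes and addresses are the ones in this post, while the packet and routing-table representation are this example's own.

```python
"""Classic Cisco NAT order of operation, modelled in Python (added example, not IOS code)."""
from ipaddress import ip_address, ip_network

# R5's interfaces from the post, with their NAT domain.
INTERFACES = {
    "Ethernet0/0": {"network": ip_network("155.1.58.0/24"), "domain": "inside"},
    "Serial0/1": {"network": ip_network("155.1.45.0/24"), "domain": "outside"},
}

# ip nat inside source static 155.1.58.8 155.1.45.8   (inside local -> inside global)
INSIDE_STATIC = {"155.1.58.8": "155.1.45.8"}
# ip nat outside source static 155.1.45.4 155.1.58.4  (outside global -> outside local)
OUTSIDE_STATIC = {"155.1.45.4": "155.1.58.4"}


def build_rib(static_routes=()):
    """One connected route per interface plus static routes given as (prefix, egress interface)."""
    rib = [(data["network"], name) for name, data in INTERFACES.items()]
    rib.extend((ip_network(prefix), egress) for prefix, egress in static_routes)
    return rib


def route(rib, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    best = None
    for prefix, egress in rib:
        if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best[1] if best else None


def translate_inside_to_outside(src, dst):
    """Source: inside local -> inside global.  Destination: outside local -> outside global."""
    outside_local_to_global = {local: glob for glob, local in OUTSIDE_STATIC.items()}
    return INSIDE_STATIC.get(src, src), outside_local_to_global.get(dst, dst)


def translate_outside_to_inside(src, dst):
    """Source: outside global -> outside local.  Destination: inside global -> inside local."""
    inside_global_to_local = {glob: local for local, glob in INSIDE_STATIC.items()}
    return OUTSIDE_STATIC.get(src, src), inside_global_to_local.get(dst, dst)


def forward(rib, ingress, src, dst):
    """Process one packet and return (src, dst, egress) as it leaves the router.

    Inside -> outside: the routing lookup uses the untranslated destination, so a
    destination that only exists as an outside-local address (155.1.58.4) needs a
    route that already points at an outside interface.  Outside -> inside: the
    destination is translated first, so the inside-global address never needs a route.
    """
    if INTERFACES[ingress]["domain"] == "inside":
        egress = route(rib, dst)
        if egress is None or INTERFACES[egress]["domain"] != "outside":
            return src, dst, egress          # never crossed the NAT boundary: no translation
        src, dst = translate_inside_to_outside(src, dst)
        return src, dst, egress
    src, dst = translate_outside_to_inside(src, dst)
    return src, dst, route(rib, dst)


if __name__ == "__main__":
    without = build_rib()
    with_host_route = build_rib([("155.1.58.4/32", "Serial0/1")])
    print("SW2 -> 155.1.58.4, no /32:  ", forward(without, "Ethernet0/0", "155.1.58.8", "155.1.58.4"))
    print("SW2 -> 155.1.58.4, with /32:", forward(with_host_route, "Ethernet0/0", "155.1.58.8", "155.1.58.4"))
    print("R4 -> 155.1.45.8:           ", forward(without, "Serial0/1", "155.1.45.4", "155.1.45.8"))
```

Without the /32 the simulated packet is handed back out the connected LAN untranslated, which is the failure on R5 before the static route exists; with it the packet leaves Serial0/1 as 155.1.45.8 to 155.1.45.4. The outside-to-inside packet from R4 works with no extra route in either case, matching the debug trace above.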

More info on Nat order of operation

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

NAT with load-balancing

August 22, 2008 at 3:27 pm | Posted in NAT

If we want telnet or http traffic from the outside to a virtual IP address (or the WAN IP) to be load-balanced across multiple physical servers, we can use inside destination NAT. Normally the physical IP range is consecutive, but load-balancing over a non-consecutive range works as well.

Configuration

SW1
|
|
|--- R1 ------- (R3) Internet
|
|
SW2

! Rotary pool of the two real telnet servers (SW1 and SW2 on the inside LAN);
! two single-address ranges, so the members need not be consecutive
ip nat pool SERVERS prefix-length 24 type rotary
 address 10.1.1.11 10.1.1.11
 address 10.1.1.22 10.1.1.22
! Each new TCP connection from the outside to 13.0.0.1:23 goes to the next pool member in turn
ip nat inside destination list TELNET pool SERVERS
!
ip access-list extended TELNET
 permit tcp any host 13.0.0.1 eq telnet
!
! WAN interface toward R3; 13.0.0.1 is the address the outside connects to
interface Serial1/1
 ip address negotiated
 ip nat outside

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

Verification

R3#telnet 13.0.0.1
Trying 13.0.0.1 … Open

SW1>exit

[Connection to 13.0.0.1 closed by foreign host]
R3#telnet 13.0.0.1
Trying 13.0.0.1 … Open

SW2>exit

[Connection to 13.0.0.1 closed by foreign host]
R3#

R1#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 13.0.0.1:23        10.1.1.11:23       13.0.0.3:37754     13.0.0.3:37754
tcp 13.0.0.1:23        10.1.1.22:23       13.0.0.3:35071     13.0.0.3:35071
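As an added illustration of the rotary pool used both here and in the TCP Load Distribution post above (example code, not IOS or workbook material), the following Python models inside destination NAT with a type rotary pool: the pool is flattened from one or more address ranges, consecutive or not; each new TCP connection to the virtual IP and port is handed to the next server in turn; and a per-connection entry keeps later packets of the same session on the same server. The rule that only a SYN opens a new entry and the (source address, source port) flow key are this example's assumptions; the addresses and ports are the ones from this post's config and translation table.

```python
"""Inside destination NAT with a 'type rotary' pool, modelled in Python (added example, not IOS code)."""
from ipaddress import ip_address


class RotaryPool:
    """ip nat pool SERVERS ... type rotary, built from one or more 'address lo hi' lines."""

    def __init__(self, *ranges):
        self.addresses = []
        for lo, hi in ranges:                         # ranges may be non-consecutive
            first, last = int(ip_address(lo)), int(ip_address(hi))
            self.addresses.extend(str(ip_address(n)) for n in range(first, last + 1))
        self._next = 0

    def allocate(self):
        """Hand out pool members in strict round-robin order, wrapping around."""
        addr = self.addresses[self._next]
        self._next = (self._next + 1) % len(self.addresses)
        return addr


class InsideDestinationNat:
    """ip nat inside destination list <acl> pool <rotary pool>, for a single ACL entry."""

    def __init__(self, vip, port, pool):
        self.vip, self.port, self.pool = vip, port, pool
        # (outside address, outside port) -> inside local server; one entry per TCP connection
        self.table = {}

    def matches(self, proto, dst, dport):
        """'permit tcp any host <vip> eq <port>'."""
        return proto == "tcp" and dst == self.vip and dport == self.port

    def translate(self, proto, src, sport, dst, dport, syn=False):
        """Return the destination an outside->inside packet is forwarded to.

        Only a new TCP connection (SYN) pulls the next server from the pool; every later
        packet of that connection reuses its entry, and a packet that does not match the
        list is left untouched.  The SYN-only rule is this example's own assumption.
        """
        if not self.matches(proto, dst, dport):
            return dst
        key = (src, sport)
        if key not in self.table:
            if not syn:
                return dst                            # mid-stream packet with no state: no entry
            self.table[key] = self.pool.allocate()
        return self.table[key]

    def show_translations(self):
        """Rows shaped like 'show ip nat translations': inside global, inside local, outside local, outside global."""
        return [
            (f"{self.vip}:{self.port}", f"{server}:{self.port}", f"{src}:{sport}", f"{src}:{sport}")
            for (src, sport), server in sorted(self.table.items())
        ]


if __name__ == "__main__":
    # Pool and ACL from this post; R3 (13.0.0.3) opens two telnet sessions to the virtual IP.
    nat = InsideDestinationNat("13.0.0.1", 23, RotaryPool(("10.1.1.11", "10.1.1.11"), ("10.1.1.22", "10.1.1.22")))
    print(nat.translate("tcp", "13.0.0.3", 37754, "13.0.0.1", 23, syn=True))   # first session -> SW1
    print(nat.translate("tcp", "13.0.0.3", 35071, "13.0.0.1", 23, syn=True))   # second session -> SW2
    for row in nat.show_translations():
        print("tcp", *row)
```

The same class reproduces the three-server pool from the earlier post by constructing RotaryPool(("155.1.0.1", "155.1.0.2"), ("155.1.0.4", "155.1.0.4")), which flattens to 155.1.0.1, 155.1.0.2 and 155.1.0.4 and wraps back to the first after the third connection, exactly the R1, R2, R4, R1 sequence seen from SW2.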

Doc CD Navigation

  • Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
  • Part 6: NAT
  • Configuring NAT for IP Address Conservation
  • Configuration Examples for Configuring NAT for IP Address Conservation
  • Avoiding Server Overload Using Load Balancing: Example

NAT to support locally generated traffic

August 6, 2008 at 10:39 am | Posted in NAT

The objective of this sample configuration is to set up telnet port forwarding so that traffic to 150.1.3.1, both from the outside and from R3 itself, ends up on the inside telnet server R1 (10.1.13.1/24). Although the configuration uses port forwarding (static TCP NAT), the scenario should also work with a one-to-one static host mapping.

References
http://blog.internetworkexpert.com/2008/02/15/the-inside-and-outside-of-nat/
http://blog.internetworkexpert.com/2008/07/15/a-curious-nat-scenario/

The topology:

R1———-R3———-R2
inside  NAT  outside

LAN:10.1.13.3/24
WAN:155.1.23.3/24
Loopback0 on R3: 150.1.3.3/24

R1 is the actual telnet server behind the NAT device (R3); R2 is the external public host. If an external device telnets to 150.1.3.1, it should end up on R1 (10.1.13.1/24).

The WORKING CONFIG:
——————

R3#sh run | in interface|nat|address|ip route
! R3's own telnet sessions are sourced from Loopback0, an outside interface
ip telnet source-interface Loopback0
interface Loopback0
 ip address 150.1.3.3 255.255.255.0
 ip nat outside

interface Serial1/2
 ip address 10.1.13.3 255.255.255.0
 ip nat inside

interface Serial1/3
 ip address 155.1.23.3 255.255.255.0
 ip nat outside

! Host route for the translated copy of R3's own address, via a next hop on the Loopback0
! subnet, so replies to it are forwarded out Loopback0 instead of being delivered locally
! (and therefore go through inside-to-outside translation first)
ip route 155.1.13.33 255.255.255.255 150.1.3.254
! Port forwarding: telnet to 150.1.3.1 reaches R1 on 10.1.13.1
ip nat inside source static tcp 10.1.13.1 23 150.1.3.1 23 extendable
! R3's own source address 150.1.3.3 is rewritten to 155.1.13.33 when it talks to the inside
ip nat outside source static 150.1.3.3 155.1.13.33

If we remove the outside source static and the static route:

no ip nat outside source static 150.1.3.3 155.1.13.33
no ip route 155.1.13.33 255.255.255.255 150.1.3.254

! Limit the packet debug to telnet traffic in both directions
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any

debug ip packet detailed 100

R3#telnet 150.1.3.1
Trying 150.1.3.1 …
*Mar  1 01:34:01.983: IP: tableid=0, s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 01:34:01.987: IP: s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), len 44, sending
*Mar  1 01:34:01.991:     TCP src=34779, dst=23, seq=144327356, ack=0, win=4128 SYN

*Mar  1 01:34:02.179: IP: tableid=0, s=10.1.13.1 (Serial1/2), d=150.1.3.3 (Loopback0), routed via RIB
*Mar  1 01:34:02.183: IP: s=10.1.13.1 (Serial1/2), d=150.1.3.3, len 44, rcvd 4
*Mar  1 01:34:02.187:     TCP src=23, dst=34779, seq=634135065, ack=144327357, win=4128 ACK SYN

*Mar  1 01:34:02.191: IP: tableid=0, s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 01:34:02.195: IP: s=150.1.3.3 (local), d=10.1.13.1 (Serial1/2), len 40, sending
*Mar  1 01:34:02.199:     TCP src=34779, dst=23, seq=144327357, ack=0, win=0 RST

% Connection timed out; remote host not responding

! R3 tries to open a TCP session with source IP 150.1.3.3 (Loopback0) and destination IP 150.1.3.1,
! which the static TCP entry rewrites to 10.1.13.1. The SYN ACK coming back from R1 is sourced
! from 10.1.13.1, and that source address never gets translated to 150.1.3.1: on the inside
! interface the routing decision comes first, the destination 150.1.3.3 is a local address, so
! the packet is handed to the router itself before the inside-to-outside translation rules are
! applied. (Packets arriving on a NAT outside interface are translated first and then routed.)

R3 therefore sends a TCP RST, because the SYN ACK arrives from an address it never sent a SYN to.

If we force the reply's source IP 10.1.13.1 to be translated to 150.1.3.1, everything works. The outside source static rewrites R3's own source 150.1.3.3 to 155.1.13.33, and the host route sends traffic for 155.1.13.33 out Loopback0 via 150.1.3.254 instead of delivering it locally. R1's SYN ACK to 155.1.13.33 therefore arrives on the inside interface, is routed out Loopback0, gets translated (source 10.1.13.1 to 150.1.3.1, destination 155.1.13.33 back to 150.1.3.3) and is then received on Loopback0 with exactly the addresses the TCP stack expects:

ip nat outside source static 150.1.3.3 155.1.13.33
ip route 155.1.13.33 255.255.255.255 150.1.3.254

R3#telnet 150.1.3.1
Trying 150.1.3.1 … Open

R1#exit

*Mar  1 02:05:15.947: IP: tableid=0, s=155.1.13.33 (local), d=10.1.13.1 (Serial1/2), routed via FIB
*Mar  1 02:05:15.951: IP: s=155.1.13.33 (local), d=10.1.13.1 (Serial1/2), len 44, sending
*Mar  1 02:05:15.955:     TCP src=52962, dst=23, seq=571196906, ack=0, win=4128 SYN

*Mar  1 02:05:16.151: IP: tableid=0, s=10.1.13.1 (Serial1/2), d=155.1.13.33 (Loopback0), routed via RIB
*Mar  1 02:05:16.151: IP: s=150.1.3.1 (Serial1/2), d=150.1.3.3 (Loopback0), g=150.1.3.254, len 44, forward
*Mar  1 02:05:16.155:     TCP src=23, dst=52962, seq=867877048, ack=571196907, win=4128 ACK SYN

*Mar  1 02:05:16.163: IP: tableid=0, s=150.1.3.1 (Loopback0), d=150.1.3.3 (Loopback0), routed via RIB
*Mar  1 02:05:16.167: IP: s=150.1.3.1 (Loopback0), d=150.1.3.3 (Loopback0), len 44, rcvd 3
*Mar  1 02:05:16.171:     TCP src=23, dst=52962, seq=867877048, ack=571196907, win=4128 ACK SYN
