NAT/PAT Config & Troubleshooting
N.T.C
7/11/2015
© 2007 Cisco Systems, Inc. All rights reserved. NAT-Config/Troubleshooting
Agenda
• NAT Overview (this section)
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
• NAT in MPLS/VRF environment
Why Use NAT?
• Typical examples of NAT:
– You need to connect to the Internet and your hosts do not have globally unique IP addresses
– You change over to a new ISP that requires you to renumber your network
– Two intranets with duplicate addresses merge
[Figure: inside hosts 10.1.1.1 and 10.1.1.2 behind a NAT border router connected to the Internet; a packet leaving the inside with SA 10.1.1.1 appears on the outside with SA 200.1.1.1]
NAT Implementation Considerations
Advantages:
• Conserves legally registered addresses
• Hides the internal network addressing (NAT hides addresses; it does not by itself filter traffic)
• Increases flexibility in IP addressing design
• Eliminates address renumbering when the ISP changes
Disadvantages:
• Translation introduces switching path delays
• Certain applications will not function with NAT enabled (embedded addresses/ports in the payload, see ALG later)
Private IP address ranges
• Class A: 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
• Class B: 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
• Class C: 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
• These IP addresses are not advertised (routed) on the Internet.
• Defined in RFC 1918
N.B. Even though NAT is typically used to translate a private IP to a public IP, there are scenarios where NAT is used to translate a private IP to another private IP, a public IP to a private IP, etc.
Agenda
• NAT Overview
• NAT Operations (this section)
• NAT Config & Troubleshooting
• NAT Redundancy
• NAT in MPLS/VRF environment
NAT Address Terminology
• Inside local: the address of an inside host as seen on the inside network (10.1.1.1)
• Inside global: the address of that inside host as seen from the outside (200.1.1.1)
• Outside global: the address of an outside host as seen on the outside network (150.1.1.1)
• Outside local: the address of that outside host as seen from the inside (150.1.1.1 here, since the outside address is not translated in this example)
[Figure: inside hosts 10.1.1.1 and 10.1.1.2, the NAT router, and host B 150.1.1.1 on the Internet. Packet A leaves the inside with SA 10.1.1.1; B is forwarded to the outside with SA 200.1.1.1; the reply C returns with DA 200.1.1.1 and is delivered inside with DA 10.1.1.1]
NAT table:
Inside Local IP Address | Inside Global IP Address | Outside Local IP Address | Outside Global IP Address
10.1.1.1 | 200.1.1.1 | 150.1.1.1 | 150.1.1.1
NAT & Routing
[Figure: Inside (private IP, host B) – NAT router – Outside (Internet); IGP on the inside, default route towards the outside]
• Inside Local (IL) → typically learnt via the IGP
• Inside Global (IG) → 'owned' by the NAT router, no local route needed, must be known (routed) on the Outside
• Outside Global (OG) → typically reached via a default route
• Outside Local (OL) → 'owned' by the NAT router, needs a local route pointing to the Outside interface and must be advertised on the Inside
NAT Operations
• NAT functions:
– Dynamic NAT
– Dynamic NAT with overloading (PAT)
– Static NAT
– Translating outside global addresses
NAT table (inside hosts 10.1.1.1 and 10.1.1.2 behind the NAT router, Internet on the outside):
Inside Local IP Address | Inside Global IP Address
10.1.1.1 | 200.1.1.1
10.1.1.2 | 200.1.1.2
Translating Inside Local Addresses – Dynamic NAT
[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach host B 150.1.1.1 through the NAT router. (1) 10.1.1.1 sends a packet with SA 10.1.1.1; (2) a translation is allocated from the pool; (3) the packet is forwarded with SA 200.1.1.1; (4) the reply arrives with DA 200.1.1.1; (5) it is delivered with DA 10.1.1.1]
NAT table:
Inside Local IP Address | Inside Global IP Address
10.1.1.1 | 200.1.1.1
10.1.1.2 | 200.1.1.2
10.1.1.3 | 200.1.1.3
• A pool of public IPs is defined [200.1.1.x]
• Needs as many public IPs as simultaneously active internal hosts!
• Traffic must be initiated from the Inside
• Not often used in practice
Dynamic NAT with Overloading
[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 open telnet sessions to host B 150.1.1.1 and host C 150.1.2.1; all packets leave the NAT router with SA 200.1.1.1 and the replies (DA 200.1.1.1) are demultiplexed on the destination port]
NAT table:
Protocol | Inside Local IP Address:Port | Inside Global IP Address:Port | Outside Global IP Address:Port
TCP | 10.1.1.1:1024 | 200.1.1.1:1024 | 150.1.1.1:23
TCP | 10.1.1.2:1723 | 200.1.1.1:1723 | 150.1.1.1:23
TCP | 10.1.1.3:1024 | 200.1.1.1:11024 | 150.1.1.1:23
TCP | 10.1.1.2:1024 | 200.1.1.1:1024 | 150.1.2.1:23
• The same address is used for different internal users!
• 10.1.1.3 also uses source port 1024, which is already taken on 200.1.1.1 towards 150.1.1.1, so NAT rewrites the port; 10.1.1.2:1024 can keep 200.1.1.1:1024 because the outside destination (150.1.2.1) differs.
Translating Inside Local Addresses – Static NAT
[Figure: web server 10.1.1.5 and mail server 10.1.1.1 on the inside; NAT router with outside address 75.1.1.1; host B 150.1.1.1 on the Internet]
• Typically used to provide access from the Outside to internal servers
• Can map TCP/UDP ports to different internal servers
10.1.1.5 → 75.1.1.1:80
10.1.1.1 → 75.1.1.1:25
Translating Outside Global Addresses
[Figure: inside hosts 10.1.1.1, 10.1.1.2, 10.1.1.3 and host B 150.1.1.1 on the Internet. (1) 10.1.1.1 sends SA 10.1.1.1 / DA 10.1.1.100; (2) both addresses are translated and the packet is forwarded as SA 200.1.1.1 / DA 150.1.1.1; (3) host B replies with SA 150.1.1.1 / DA 200.1.1.1; (4) the reply is translated back; (5) it is delivered as SA 10.1.1.100 / DA 10.1.1.1]
Host B should appear as an inside host
NAT table:
Inside Local IP Address | Inside Global IP Address | Outside Local IP Address | Outside Global IP Address
10.1.1.1 | 200.1.1.1 | 10.1.1.100 | 150.1.1.1
N.B. there must be a route for 10.1.1.100 pointing to the Outside
NAT – Order of Operations
Inside to Outside
• If IPSec then check input access list
• decryption for CET (Cisco Encryption
Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• policy routing
• Routing
• redirect to web cache
• NAT inside to outside (local to global
translation)
• crypto (check map and mark for
encryption)
• check output access list
• inspect (Context based Access Control
(CBAC))
• TCP intercept
• encryption
Outside to Inside
• If IPSec then check input access list
• decryption for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• NAT outside to inside (global to local
translation)
• policy routing
• routing
• redirect to web cache
• crypto (check map and mark for
encryption)
• check output access list
• inspect CBAC
• TCP intercept
• encryption
Agenda
• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting (this section)
• NAT Redundancy
• NAT in MPLS/VRF environment
Translating Inside Local Addresses
[Figure: same flow as on the Dynamic NAT slide: inside hosts 10.1.1.1–10.1.1.3 talk to host B 150.1.1.1; SA 10.1.1.1 becomes SA 200.1.1.1 on the way out, DA 200.1.1.1 becomes DA 10.1.1.1 on the way back]
NAT table:
Inside Local IP Address | Inside Global IP Address
10.1.1.1 | 200.1.1.1
10.1.1.2 | 200.1.1.2
10.1.1.3 | 200.1.1.3
- Static NAT
- Dynamic NAT
One public IP for every internal host!
Static NAT Configuration Example
ip nat inside source static 10.1.1.1 200.1.1.1
! OR
ip nat inside source static network 10.1.1.0 200.1.1.0 /24
!
interface Ethernet0
 ! This interface is connected to the inside network
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ! This interface is connected to the outside world
 ip address 120.16.2.1 255.255.255.0
 ip nat outside
NAT# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
NAT#
Static NAT – Example 1
[Figure: web server 10.1.1.5 and mail server 10.1.1.1 on the inside; NAT router with outside address 75.1.1.1; host B 150.1.1.1 on the Internet]
10.1.1.5 → 75.1.1.1:80
10.1.1.1 → 75.1.1.1:25
ip nat inside source static tcp 10.1.1.5 80 75.1.1.1 80
ip nat inside source static tcp 10.1.1.1 25 75.1.1.1 25
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside
N.B. The inside global address here is the address of the outside interface itself; only the listed TCP ports are mapped to the internal servers.
Static NAT – Example 2 – Port Rewrite
[Figure: web server 10.1.1.2 (listening on 8080) and TFTP server 10.1.1.8 on the inside; NAT router with outside address 75.1.1.1; host B 150.1.1.1 on the Internet]
10.1.1.2:8080 → 75.1.1.1:80 [tcp]
10.1.1.8:69 → 75.1.1.1:69 [udp]
ip nat inside source static tcp 10.1.1.2 8080 75.1.1.1 80
ip nat inside source static udp 10.1.1.8 69 75.1.1.1 69
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside
Static NAT – ARP cache
ip nat inside source static 10.1.1.5 75.1.1.2
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside
[Figure: Eth0/0 (IN) – NAT router – Eth1/0 (OUT) on the Ethernet segment 75.1.1.0/24 towards the Internet]
NAT#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  75.1.1.1                -   aabb.cc00.6601  ARPA   Ethernet1/0
Internet  75.1.1.2                -   aabb.cc00.6601  ARPA   Ethernet1/0
→ An ARP (alias) entry is created for the inside global 75.1.1.2 with the MAC address of Ethernet1/0, so the router answers ARP requests for it on the outside segment
N.B. For dynamic NAT, the ARP entry is created as soon as the first NAT entry is created for the inside global
Static NAT Options
NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>
Static NAT Options – extendable
NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 extendable
NAT(config)#ip nat inside source static 10.1.1.1 100.1.1.1 extendable
• Creates extended (per-flow) entries for every translated flow
• Necessary to support two entries for the same inside local IP
• The first packet of a flow creates the extended entry, so traffic back to the server is sent with the inside global address of the ISP it came in through
Rem: NAT has no influence on packet forwarding, i.e. packets coming in from ISP1 will be sent back with the source IP of ISP1, but CEF might send them out through the ISP2 link!!!
[Figure: server on the Internet; NAT router dual-homed to ISP1 (200.1.1.0/24) and ISP2 (100.1.1.0/24); users on the inside]
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:23       10.1.1.1:23        150.1.1.1:64493    150.1.1.1:64493
tcp 100.1.1.1:23       10.1.1.1:23        18.1.1.1:16564     18.1.1.1:16564
--- 200.1.1.1          10.1.1.1           ---                ---
--- 100.1.1.1          10.1.1.1           ---                ---
Extended entries
NAT(config)# no ip nat create flow-entries
• Extended entries are automatically created in all recent releases
• Use the command above to disable the automatic creation of extended entries
• The extendable keyword can then be used to create extended entries for selected static NAT entries only
Static NAT Options – no-alias
NAT(config)#ip nat inside source static 10.1.1.1 120.16.1.5 no-alias
[Figure: Eth0/0 (IN) – NAT router – Eth1/0 (OUT) on the Ethernet segment 120.16.1.0/24 towards the Internet]
NAT#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  120.16.2.2            122   aabb.cc00.6700  ARPA   Ethernet1/0
Internet  120.16.2.1              -   aabb.cc00.6601  ARPA   Ethernet1/0
Internet  120.16.2.5              -   aabb.cc00.6601  ARPA   Ethernet1/0
→ no ARP entry is created for the inside global 120.16.1.5
N.B. no-alias is meant for an inside global address that is not on the subnet of the outside interface: it is reached through routing, so the router must not answer ARP for it.
Static NAT Options – no-payload
NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 no-payload
• The source IP/port appears in the payload of many applications
• The IOS NAT code supports payload modification (ALG – Application Layer Gateway) for some applications (FTP, H323, DNS, …) BUT not all
• The port number used by an application (if different from the default) can be specified with the "ip nat service" global configuration command
• The no-payload option disables the ALG (payload modification) for this entry
N.B. There is no way to disable the ALG for dynamic NAT
Static NAT Options – route-map
ip nat inside source static 10.1.1.1 200.1.1.1 route-map COND [reversible]
!
access-list 150 permit tcp any host 150.1.1.1
!
route-map COND permit 10
 match ip address 150
• Adds conditions to a static NAT entry (only an ACL match is supported in the route-map)
• Only traffic matching the route-map is translated
• Works from OUT to IN since CSCec54909 (12.4(2.11)) with the "reversible" keyword
Dynamic NAT Configuration
ip nat pool PUBLIC 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool PUBLIC
!
access-list 1 permit 10.1.1.0 0.0.0.255
N.B. Traffic must be initiated from the inside, but once an inside local is associated with an inside global (the '---' entry below), other sessions can be initiated from the outside towards that inside global for as long as the entry lives. The inside host is then reachable on any port; use an inbound access-list on the outside interface if that is not intended.
NAT#sh ip nat translations
NAT#
NAT# ! No entry as long as no traffic is received from inside
NAT#
NAT# ! We generate traffic …
NAT#
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:27354    10.1.1.1:27354     150.1.1.1:23       150.1.1.1:23
--- 200.1.1.1          10.1.1.1           ---                ---
tcp 200.1.1.2:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
--- 200.1.1.2          10.1.1.5           ---                ---
Dynamic NAT Pool Options
NAT(config)#ip nat pool PUBLIC prefix-length 24
NAT(config-ipnat-pool)#address 200.1.1.1 200.1.1.10
NAT(config-ipnat-pool)#address 100.1.1.1 100.1.1.20
• A discontiguous pool can be defined this way
ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 type match-host
• prefix-length defines the host part
• Keeps the host part in the translation
• If that is not possible, no translation occurs
• Addresses are prepopulated (consume memory) CSCdp05523
ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 add-route
• Adds a static route pointing to the NVI (NAT Virtual Interface)
• The static route subnet mask is the prefix-length defined in the pool
• Used in a VRF environment where the NAT NVI is required
Dynamic NAT Options
NAT(config)#ip nat inside source list 1 pool PUBLIC ?
  mapping-id  Associate a mapping id to this mapping
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf
Dynamic NAT Options – overload
[Figure: as on the "Dynamic NAT with Overloading" slide: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 telnet to host B 150.1.1.1 and host C 150.1.2.1; everything leaves with SA 200.1.1.1 and replies with DA 200.1.1.1 are demultiplexed on the port]
NAT table:
Protocol | Inside Local IP Address:Port | Inside Global IP Address:Port | Outside Global IP Address:Port
TCP | 10.1.1.1:1024 | 200.1.1.1:1024 | 150.1.1.1:23
TCP | 10.1.1.2:1723 | 200.1.1.1:1723 | 150.1.1.1:23
TCP | 10.1.1.3:1024 | 200.1.1.1:11024 | 150.1.1.1:23
TCP | 10.1.1.2:1024 | 200.1.1.1:1024 | 150.1.2.1:23
• The same address is used for different internal users!
Dynamic NAT Config with Overloading
ip nat pool ovrld-nat 200.1.1.1 200.1.1.1 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
! OR
ip nat inside source list 1 interface Serial0/0 overload
!
access-list 1 permit 10.1.1.0 0.0.0.255
NAT#sh ip nat translations
NAT#
NAT# ! No entry as long as no traffic is received from inside
NAT#
NAT# ! We generate traffic …
NAT#
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
tcp 200.1.1.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
icmp 200.1.1.1:9       10.1.1.2:9         150.1.1.1:9        150.1.1.1:9
N.B. With overload only extended (per-flow) entries exist, there is no '---' entry for the inside host, so the outside cannot initiate new sessions towards it.
Dynamic NAT Options
NAT(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
• Using list only checks the source IP (standard access-list). An extended ACL must be applied through a route-map
• Using route-map enforces conditional NAT, i.e. only packets matching the route-map are translated. It can use an extended ACL, or match on interface/next-hop
Dynamic NAT Options – route-map
• Example 1
– All HTTP traffic is seen outside as coming from 200.1.1.1
– All TELNET traffic is seen outside as coming from 200.1.1.2
– The rest of the traffic is seen as coming from 200.1.1.3
ip nat pool PUB_1 200.1.1.1 200.1.1.1 netmask 255.255.255.0
ip nat pool PUB_2 200.1.1.2 200.1.1.2 netmask 255.255.255.0
ip nat pool PUB_3 200.1.1.3 200.1.1.3 netmask 255.255.255.0
!
ip nat inside source route-map WWW pool PUB_1 overload
ip nat inside source route-map TELNET pool PUB_2 overload
ip nat inside source route-map OTHERS pool PUB_3 overload
!
route-map WWW permit 10
 match ip address 150
route-map TELNET permit 10
 match ip address 151
route-map OTHERS deny 10
 match ip address 150 151
route-map OTHERS permit 20
!
access-list 150 permit tcp any any eq www
access-list 151 permit tcp any any eq telnet
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.1.1.3:7       10.1.1.1:7         150.1.1.1:7        150.1.1.1:7
tcp 200.1.1.2:11158    10.1.1.1:11158     150.1.1.1:23       150.1.1.1:23
tcp 200.1.1.1:37312    10.1.1.1:37312     150.1.1.1:80       150.1.1.1:80
Dynamic NAT Options – route-map
• Example 2
– A single link carries both Internet traffic and Intranet traffic to remote sites (reached through an MPLS/VPN Intranet) out of the same Out interface
– Translation only if the destination IP is a public IP
ip nat pool PUB 200.1.1.1 200.1.1.1 netmask 255.255.255.0
!
ip nat inside source route-map COND pool PUB overload
!
route-map COND deny 10
 match ip address 150
route-map COND permit 20
!
access-list 150 permit ip any 10.0.0.0 0.255.255.255
access-list 150 permit ip any 172.16.0.0 0.15.255.255
access-list 150 permit ip any 192.168.0.0 0.0.255.255
N.B. The wildcard for 172.16.0.0/12 is 0.15.255.255. A wildcard of 0.0.7.255 would only cover 172.16.0.0/21, so traffic to e.g. 172.24.x.x would be translated and sent towards the Internet instead of the Intranet.
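The two route-map slides above decide, per packet, whether and with which inside global address a flow is translated. The following added example (not Cisco code, not part of the original deck) models that decision in Python: Cisco wildcard masks (1 bits are "don't care"), extended ACL entries with a destination port, and the route-map walk where the first sequence whose match clause matches decides (permit translates, deny leaves the packet untranslated, no match means untranslated). It covers both the per-application pools (WWW / TELNET / OTHERS with ACLs 150 and 151) and the COND map that translates only towards non-RFC 1918 destinations. The flows and the 172.20.1.1 test destination are constructed for the example.

```python
"""Conditional NAT: route-maps with ACL wildcard masks (model, not IOS code)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")   # one packet (source port omitted)
Ace = namedtuple("Ace", "proto src dst dport")     # 'permit <proto> <src> <dst> [eq <dport>]'
ANY = ("0.0.0.0", "255.255.255.255")              # the 'any' keyword as base/wildcard


def wildcard_match(addr, base_wildcard):
    """IOS semantics: bits set to 1 in the wildcard are ignored, 0 bits must match."""
    base, wildcard = base_wildcard
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, flow):
    """First matching entry wins; implicit deny at the end (all entries here are permits)."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not (wildcard_match(flow.src, ace.src) and wildcard_match(flow.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return True
    return False


def route_map_permits(route_map, acls, flow):
    """route_map: ordered (action, [acl names]). 'match ip address 150 151' matches when
    any listed ACL permits; an empty list (no match clause) matches everything."""
    for action, names in route_map:
        if not names or any(acl_permits(acls[n], flow) for n in names):
            return action == "permit"
    return False          # fell off the end of the route-map: not translated


# Example 1: one inside global address per application
ACLS_APP = {"150": [Ace("tcp", ANY, ANY, 80)],    # access-list 150 permit tcp any any eq www
            "151": [Ace("tcp", ANY, ANY, 23)]}    # access-list 151 permit tcp any any eq telnet
ROUTE_MAPS_APP = {"WWW":    [("permit", ["150"])],
                  "TELNET": [("permit", ["151"])],
                  "OTHERS": [("deny", ["150", "151"]), ("permit", [])]}
POOLS = {"WWW": "200.1.1.1", "TELNET": "200.1.1.2", "OTHERS": "200.1.1.3"}


def inside_global_for(flow):
    """OTHERS carries an explicit deny for 150/151, so the three maps never overlap and
    the order in which the mappings are checked does not matter."""
    for name, route_map in ROUTE_MAPS_APP.items():
        if route_map_permits(route_map, ACLS_APP, flow):
            return POOLS[name]
    return None


# Example 2: translate only when the destination is not an RFC 1918 address
RFC1918 = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"), ("192.168.0.0", "0.0.255.255")]
ACLS_COND = {"150": [Ace("ip", ANY, net, None) for net in RFC1918]}
ROUTE_MAP_COND = [("deny", ["150"]), ("permit", [])]


def translate_to_internet(flow, acls=ACLS_COND):
    return route_map_permits(ROUTE_MAP_COND, acls, flow)


def wildcard_prefix(base, wildcard):
    """Contiguous wildcard -> CIDR; a quick sanity check on ACL entries (0.0.7.255 is a /21)."""
    return str(ipaddress.IPv4Network(f"{base}/{wildcard}"))


if __name__ == "__main__":
    print(inside_global_for(Flow("tcp", "10.1.1.1", "150.1.1.1", 80)))
    print(translate_to_internet(Flow("tcp", "10.1.1.1", "172.20.1.1", 80)))
    print(wildcard_prefix("172.16.0.0", "0.15.255.255"), wildcard_prefix("172.16.0.0", "0.0.7.255"))
```

Feeding `translate_to_internet` a destination such as 172.20.1.1 together with an ACL that uses the wildcard 0.0.7.255 returns True, i.e. the Intranet packet would be translated and sent towards the Internet; with 0.15.255.255 it returns False as intended.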
Translating Outside Global Addresses – Static
[Figure: as on the "Translating Outside Global Addresses" slide: inside hosts 10.1.1.1–10.1.1.3 and host B 150.1.1.1 on the Internet. (1) SA 10.1.1.1 / DA 10.1.1.100 leaves the inside; (2) it is forwarded as SA 200.1.1.1 / DA 150.1.1.1; (3) host B replies with SA 150.1.1.1 / DA 200.1.1.1; (4) the reply is translated back; (5) it is delivered as SA 10.1.1.100 / DA 10.1.1.1]
Host B should appear as an inside host
NAT table:
Inside Local IP Address | Inside Global IP Address | Outside Local IP Address | Outside Global IP Address
10.1.1.1 | 200.1.1.1 | 10.1.1.100 | 150.1.1.1
Configuring Example
ip nat inside source static 10.1.1.1 200.1.1.1
ip nat outside source static 150.1.1.1 10.1.1.100
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 120.16.2.1 255.255.255.0
 ip nat outside
!
ip route 10.1.1.100 255.255.255.255 120.16.2.2
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.100         150.1.1.1
icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.100:2       150.1.1.1:2
--- 200.1.1.1          10.1.1.1           ---                ---
From inside to outside, routing occurs before NAT, so there must be a route for the destination of the original (untranslated) packet: without the host route for 10.1.1.100, the packet would be routed onto the connected 10.1.1.0/24 segment and would never reach the outside interface where the translation is applied.
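The order-of-operations point above is easy to get wrong, so here is an added example (not Cisco code, not part of the original deck) that models the two pipelines from the "NAT – Order of Operations" slide on the topology of this configuration: inside-to-outside packets are routed on their original destination and only then translated, outside-to-inside packets are translated first and then routed. Routes are modelled as (prefix, egress interface) pairs, the host route standing for `ip route 10.1.1.100 255.255.255.255 120.16.2.2` resolving via Serial0/0; interface names and addresses are those of the slide.

```python
"""Routing-before-NAT model for the outside-source static example (not IOS code)."""
import ipaddress


class NatRouter:
    def __init__(self, routes, inside_if, outside_if):
        # routes: iterable of (prefix, egress interface); longest prefix wins
        self.routes = [(ipaddress.IPv4Network(p), i) for p, i in routes]
        self.inside_if = inside_if
        self.outside_if = outside_if
        self.inside_static = {}    # inside local   -> inside global
        self.outside_static = {}   # outside global -> outside local

    def add_inside_static(self, inside_local, inside_global):
        # ip nat inside source static <inside_local> <inside_global>
        self.inside_static[inside_local] = inside_global

    def add_outside_static(self, outside_global, outside_local):
        # ip nat outside source static <outside_global> <outside_local>
        self.outside_static[outside_global] = outside_local

    def route(self, dst):
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, egress in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress)
        return best[1] if best else None

    def forward(self, ingress, src, dst):
        """Return (verdict, egress interface, src on the wire, dst on the wire)."""
        if ingress == self.inside_if:
            egress = self.route(dst)              # inside->outside: routing BEFORE NAT
            if egress != self.outside_if:
                # the NAT step is never reached: the original destination does not
                # point to an 'ip nat outside' interface
                return ("not translated", egress, src, dst)
            src = self.inside_static.get(src, src)                      # IL -> IG
            ol_to_og = {ol: og for og, ol in self.outside_static.items()}
            dst = ol_to_og.get(dst, dst)                                # OL -> OG
            return ("translated", egress, src, dst)
        # outside->inside: NAT BEFORE routing, so the lookup uses the translated dst
        ig_to_il = {ig: il for il, ig in self.inside_static.items()}
        dst = ig_to_il.get(dst, dst)                                    # IG -> IL
        src = self.outside_static.get(src, src)                         # OG -> OL
        return ("translated", self.route(dst), src, dst)


def build_router(with_host_route):
    """Topology of the configuration example; the host route is the one the N.B. asks for."""
    routes = [("10.1.1.0/24", "Ethernet0/0"),    # connected, ip nat inside
              ("120.16.2.0/24", "Serial0/0"),    # connected, ip nat outside
              ("0.0.0.0/0", "Serial0/0")]        # default route towards the Internet
    if with_host_route:
        routes.append(("10.1.1.100/32", "Serial0/0"))   # outside local must point Outside
    router = NatRouter(routes, inside_if="Ethernet0/0", outside_if="Serial0/0")
    router.add_inside_static("10.1.1.1", "200.1.1.1")
    router.add_outside_static("150.1.1.1", "10.1.1.100")
    return router


if __name__ == "__main__":
    for flag in (False, True):
        print("host route" if flag else "no host route",
              build_router(flag).forward("Ethernet0/0", "10.1.1.1", "10.1.1.100"))
    print("return", build_router(True).forward("Serial0/0", "150.1.1.1", "200.1.1.1"))
```

Without the /32 route the packet for 10.1.1.100 matches the connected 10.1.1.0/24 and is switched back onto the inside LAN untranslated; with it, the packet leaves Serial0/0 as 200.1.1.1 → 150.1.1.1 and the reply is translated to 10.1.1.100 → 10.1.1.1 before its own routing lookup.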
Translating Outside Global Addresses – Dynamic
[Figure: inside host 10.1.1.1 (statically translated to 200.1.1.1) is reached by hosts 150.1.1.1 and 180.1.1.1 on the Internet. (1) a packet arrives with SA 150.1.1.1 / DA 200.1.1.1; (2) an outside local address is all located from the pool; (3) the packet is delivered inside as SA 10.1.1.128 / DA 10.1.1.1; (4) the reply leaves the host as SA 10.1.1.1 / DA 10.1.1.128; (5) it is forwarded as SA 200.1.1.1 / DA 150.1.1.1]
All hosts on the Internet should appear as internal hosts [10.1.1.128-159]
NAT table:
Protocol | Inside Local IP Address:Port | Inside Global IP Address:Port | Outside Local IP Address:Port | Outside Global IP Address:Port
TCP | 10.1.1.1:80 | 200.1.1.1:80 | 10.1.1.128:1024 | 150.1.1.1:1024
TCP | 10.1.1.1:80 | 200.1.1.1:80 | 10.1.1.129:1024 | 180.1.1.1:1024
Overloading is not supported for outside source translation: each outside host consumes one address of the pool
Configuring Example
ip nat pool OUT 10.1.1.128 10.1.1.159 prefix-length 24
ip nat inside source static 10.1.1.1 200.1.1.1
ip nat outside source list 1 pool OUT
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 120.16.2.1 255.255.255.0
 ip nat outside
!
ip route 10.1.1.128 255.255.255.224 serial 0/0
!
access-list 1 permit any
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.128         150.1.1.1
--- ---                ---                10.1.1.129         180.1.1.1
icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.128:2       150.1.1.1:2
icmp 200.1.1.1:3       10.1.1.1:3         10.1.1.129:3       180.1.1.1:3
--- 200.1.1.1          10.1.1.1           ---                ---
N.B. there must be a route for the pool used for outside source translation (here 10.1.1.128/27 pointing to the outside interface). With 'access-list 1 permit any' every outside source gets a pool address, so the 32 addresses of the pool also bound how many outside hosts can talk to the inside at the same time.
NAT timeout
NAT(config)#ip nat translation ?
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows
• Dynamic NAT entries should be deleted when they are no longer used
• Each NAT entry has an inactivity timer (the 'left' value in show ip nat translations verbose)
• There are different timeouts depending on the type of traffic
• The timer is reset each time a packet uses the entry
• The basic timeout (when nothing more specific matches) is by default 86400 sec (1 day)
• With a huge number of NAT entries, maintaining the timers is CPU intensive and can cause high CPU utilization (IP NAT Ager process); max-entries bounds the table size
VFR (Virtual Fragment Reassembly)
NAT(config-if)# ip virtual-reassembly
• Layer 4 (TCP, UDP) information is available only in the first fragment of an IP packet
• NAT cannot do overloading without Layer 4 information
• The idea is for the NAT router to reassemble the packet although it is not the destination of the packet
• This command is automatically added when NAT is enabled on an interface
• The following options can be specified:
– max-reassemblies (default 64): max number of fragmented IP packets being reassembled at any given time
– max-fragments (default 16): max number of fragments stored for a given IP packet
– timeout (default 3 sec): max time to receive all fragments of an IP packet
• Reassembling at the NAT router also means that overlapping or incomplete fragment sets are dropped there rather than passed on, so the limits above are what bounds the memory an attacker can tie up with unfinished fragment sets
NAT Services
NAT(config)#ip nat service ?
  H225                         H323-H225 protocol
  allow-h323-even-rtp-ports    Allow even RTP ports for H323
  allow-h323-keepalive         Allow H323 KeepAlive
  allow-sip-even-rtp-ports     Allow even RTP ports for SIP
  allow-skinny-even-rtp-ports  Allow even RTP ports for Skinny
  fullrange                    allocate all available port of 1 to 65535
  list                         Specify access list describing global addresses
  ras                          H323-RAS protocol
  sip                          SIP protocol
  skinny                       skinny protocol
NAT Services – allow-h323-keepalive
NAT(config)# ip nat service allow-h323-keepalive
• Introduced by CSCsa62551
• Background: when NAT modifies the payload, the length of the TCP segment might change, so the ALG uses a sequence fixup to adapt the TCP seq# accordingly. The seq-fixup keeps track of the next expected seq# and the delta, and adjusts the seq# if it is equal to or higher than the expected next seq#.
• Problem: an H323 keepalive uses the previous seq# – 1, so the seq-fixup does not work for H323 keepalives
• This feature modifies the seq-fixup to take care of H323 keepalives
• Disabled by default
• Needs to be enabled when TCP keepalives are sent on the H323 port (1720)
NAT Services – even RTP ports
NAT(config)# ip nat service allow-h323-even-rtp-ports
NAT(config)# ip nat service allow-sip-even-rtp-ports
NAT(config)# ip nat service allow-skinny-even-rtp-ports
• Introduced by CSCsa86914
• Background: RTP sessions classically use even UDP port numbers and the related RTCP session uses the next port (odd). Some applications accept only RTP sessions on an even port and refuse RTP sessions on an odd port.
• NAT selects the next available port (+1) for the H323/SIP/Skinny fixup in the NAT translations; NAT does NOT check for an even/odd pair for the RTP/RTCP port numbers.
• This feature changes the H323/SIP/Skinny fixup to use only even ports for RTP sessions
• Enable it when the application expects RTP to use even ports only.
NAT Services – fullrange
NAT(config)# ip nat service fullrange {udp | tcp} port <1-511>
• Introduced by CSCed93887
• Background: when NAT modifies a port, it uses a new port in the same range as the original port. The ranges are [1-511], [512-1023] and [1024-65535].
• Problem: when many sessions with the same source port are initiated, NAT can run out of free ports in that range. A typical example is IKE, which uses source UDP port 500.
• This feature allows NAT to use the full port range [1-65535] for packets coming in with the source port specified in the command
• Example: 'ip nat service fullrange udp port 500' allows NAT to use the full port range for IKE traffic. Otherwise only 511 IKE sessions can be translated through one inside global address.
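The overload slides and this fullrange slide both come down to how a translated source port is chosen. The added example below (not Cisco code, not part of the original deck) models that allocation in Python: the original source port is kept when it is free on the inside global address, otherwise the next free port of the same range ([1-511], [512-1023], [1024-65535]) is used, and a port listed under `ip nat service fullrange <proto> port N` may draw from the whole 1-65535 range instead. Lowest-free-first selection, a single inside global address and no 5-tuple reuse (the overload slide's reuse of 200.1.1.1:1024 towards a different outside host is not modelled) are simplifying assumptions of this model, so the exact port picked by IOS for a collision (11024 on the slide) differs from the model's 1025.

```python
"""PAT port allocation with per-range selection and the fullrange exception (model)."""
import heapq
from collections import defaultdict

RANGES = ((1, 511), (512, 1023), (1024, 65535))


class PatAllocator:
    def __init__(self, inside_global, fullrange_ports=()):
        self.inside_global = inside_global
        self.fullrange_ports = set(fullrange_ports)       # 'ip nat service fullrange ... port N'
        # proto -> {inside global port: (inside local, inside local port)}
        self.used = defaultdict(dict)
        # proto -> one min-heap of candidate ports per range (a sorted list is a valid heap)
        self.free = {p: [list(range(lo, hi + 1)) for lo, hi in RANGES] for p in ("tcp", "udp")}

    @staticmethod
    def _range_index(port):
        for i, (lo, hi) in enumerate(RANGES):
            if lo <= port <= hi:
                return i
        raise ValueError(f"port out of range: {port}")

    def allocate(self, proto, inside_local, local_port):
        """Inside global port for a new flow, or None when the usable range is exhausted."""
        used = self.used[proto]
        if local_port not in used:                       # original port still free: keep it
            used[local_port] = (inside_local, local_port)
            return local_port
        if local_port in self.fullrange_ports:            # fullrange: all ranges, low to high
            heaps = self.free[proto]
        else:                                             # default: only the original port's range
            heaps = [self.free[proto][self._range_index(local_port)]]
        for heap in heaps:
            while heap:
                candidate = heapq.heappop(heap)
                if candidate not in used:                 # skip ports taken by 'keep original port'
                    used[candidate] = (inside_local, local_port)
                    return candidate
        return None

    def translations(self, proto):
        """Rows in the style of 'show ip nat translations' (outside columns omitted)."""
        return [(proto, f"{self.inside_global}:{gp}", f"{il}:{lp}")
                for gp, (il, lp) in sorted(self.used[proto].items())]


def ike_capacity(fullrange):
    """How many inside IKE initiators (UDP source port 500) fit behind one inside global."""
    nat = PatAllocator("200.1.1.1", fullrange_ports={500} if fullrange else ())
    n = 0
    # constructed client addresses 10.0.0.0, 10.0.0.1, ... just to make each initiator distinct
    while nat.allocate("udp", f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}", 500) is not None:
        n += 1
    return n


if __name__ == "__main__":
    nat = PatAllocator("200.1.1.1")
    for host, port in (("10.1.1.1", 1024), ("10.1.1.2", 1723), ("10.1.1.3", 1024)):
        nat.allocate("tcp", host, port)
    for row in nat.translations("tcp"):
        print(*row)
    print("IKE sessions without fullrange:", ike_capacity(False))
    print("IKE sessions with fullrange:   ", ike_capacity(True))
```

`ike_capacity(False)` stops at 511 because every IKE initiator lands in the [1-511] range of the one inside global address; with port 500 listed under fullrange the same address carries 65535 initiators before the allocator returns None.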
NAT Services - IPSEC
NAT(config)# ip nat service list <acl> ESP spi-match
• Introduced by CSCdw17198
• The ACL should match the outside global address of the IPSEC server/concentrator
• Background:
– IPSEC peers can negotiate NAT-T (NAT Traversal, RFC 3947/3948) to add a UDP header on top of the ESP packets so that NAT can use the UDP port for overloading
– NAT-T is on by default on IOS devices; '(config)# no crypto ipsec nat-transparency udp-encapsulation' on the IPSEC client/server disables it
– Without NAT-T, NAT uses the SPI (part of the ESP header) for overloading
– The difficulty comes from the fact that there is one SPI per direction, so the NAT router has to 'bind' both SPIs
• Limitations:
– The NAT router accepts only one connection to the same outside server at a time as long as the SPI binding is not done. Once the SPI binding is done, another connection can be initiated
– The NAT router must first see the ESP packet from IN to OUT
NAT Services - IPSEC
[Figure: IPSEC clients 10.1.1.1, 10.1.1.2 and 10.1.1.3 on 10.1.1.0/24 (IN) – NAT router – Internet (OUT) – IPSEC server 150.1.1.1]
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
esp 200.1.1.1:0        10.1.1.1:SPI1      150.1.1.1:0        150.1.1.1:0
esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:SPI2
• Client 1 initiates a connection with SPI1; this creates the first NAT entry
• If at that moment client 2 initiates a connection to the same server, its packet is dropped by the NAT router
• When the server replies (with SPI2) to client 1's request, a second NAT entry is created and associated with the first one, i.e. any ESP packets from the server with SPI2 are dispatched to client 1
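The SPI-binding behaviour described above (and confirmed by the debug trace on the following slide) is easier to reason about as a small state machine. The added example below (not Cisco code, not part of the original deck) models it in Python: an In->Out ESP packet creates a half entry keyed on the client's SPI and marks the outside server as waiting for an Out->In reply; while that wait is pending, a second inside host opening ESP to the same server is dropped; the server's first reply binds its SPI to the waiting client, after which Out->In packets are dispatched by SPI and the next client may start. The SPI values are taken from the debug trace; the spi-matching variant (responder SPI derived from the initiator SPI) is not modelled.

```python
"""ESP through NAT without NAT-T: SPI binding state machine (model, not IOS code)."""


class EspNat:
    def __init__(self, inside_global):
        self.ig = inside_global
        self.in_out = {}    # (outside global, client SPI) -> inside local
        self.out_in = {}    # (outside global, server SPI) -> inside local
        self.pending = {}   # outside global -> inside local waiting for the Out->In reply

    def inside_to_outside(self, inside_local, outside_global, spi):
        key = (outside_global, spi)
        if key in self.in_out:                            # existing flow: translate the source
            return ("translated", self.ig, outside_global)
        waiting = self.pending.get(outside_global)
        if waiting is not None and waiting != inside_local:
            # the debug trace: "another inside host ... is trying to open an ESP conn ..., cannot process"
            return ("dropped", f"{waiting} is still waiting for {outside_global}; SPI not bound yet")
        self.in_out[key] = inside_local
        self.pending[outside_global] = inside_local       # wait for Out->In reply
        return ("translated", self.ig, outside_global)

    def outside_to_inside(self, outside_global, spi):
        key = (outside_global, spi)
        if key in self.out_in:                            # bound flow: dispatch by SPI
            return ("translated", outside_global, self.out_in[key])
        waiting = self.pending.pop(outside_global, None)
        if waiting is None:
            return ("dropped", f"no inside host waiting for ESP from {outside_global}")
        self.out_in[key] = waiting                        # bind the server's SPI to that client
        return ("translated", outside_global, waiting)

    def translations(self):
        """Rows in the style of 'show ip nat translations' for proto esp."""
        rows = [("esp", f"{self.ig}:0", f"{il}:{spi:08X}", f"{og}:0", f"{og}:0")
                for (og, spi), il in self.in_out.items()]
        rows += [("esp", f"{self.ig}:0", f"{il}:0", f"{og}:0", f"{og}:{spi:08X}")
                 for (og, spi), il in self.out_in.items()]
        return rows


def replay_trace():
    """The sequence from the debug slide; returns the NAT and the verdict of each step."""
    nat = EspNat("200.1.1.1")
    server = "150.1.1.1"
    steps = [
        nat.inside_to_outside("10.1.1.1", server, 0x5940943A),   # client 1 opens
        nat.inside_to_outside("10.1.1.2", server, 0x1BF6BAA5),   # client 2 too early: dropped
        nat.outside_to_inside(server, 0x7FB18572),               # server replies: binds client 1
        nat.inside_to_outside("10.1.1.2", server, 0x1BF6BAA5),   # client 2 retries: accepted
        nat.outside_to_inside(server, 0x1093AEB7),               # server replies: binds client 2
    ]
    return nat, [s[0] for s in steps]


if __name__ == "__main__":
    nat, verdicts = replay_trace()
    print(verdicts)
    for row in nat.translations():
        print(*row)
```

The four rows `translations()` returns after the replay correspond to the four esp entries of the `show ip nat translations` output on the debug slide; an Out->In packet with an SPI that was never bound, or arriving when nobody is waiting, is dropped.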
NAT Services - IPSEC (debug trace)
*Apr 13 12:09:03.307: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=5940943A, IG=200.1.1.1
*Apr 13 12:09:03.307: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0x5940943A, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:09:03.307: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:09:03.307: NAT: creating portlist proto 50 globaladdr 200.1.1.1
*Apr 13 12:09:03.307: NAT: creating ESP portlist for IG=200.1.1.1
*Apr 13 12:09:03.311: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [80]
*Apr 13 12:09:03.311: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [80]
.... [server doesn't reply for any reason]
*Apr 13 12:09:13.415: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [88]
*Apr 13 12:09:13.415: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [88]
.... [a second client tries to establish a IPSEC connection to same server]
*Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT: translation failed (A), dropping packet s=10.1.1.2 d=150.1.1.1
*Apr 13 12:10:04.711: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [98]
*Apr 13 12:10:04.711: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [98]
*Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
... [SPI of first session is bound -> now second client can establish a ESP connection]
*Apr 13 12:10:12.587: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: Inside host (IL=10.1.1.2) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:10:12.591: NAT: i: esp (10.1.1.2, 0x1BF6BAA5) -> (150.1.1.1, 0x0) [22]
*Apr 13 12:10:12.591: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [22]
*Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2
NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
esp 200.1.1.1:0 10.1.1.1:0 150.1.1.1:0 150.1.1.1:7FB18572
esp 200.1.1.1:0 10.1.1.1:5940943A 150.1.1.1:0 150.1.1.1:0
esp 200.1.1.1:0 10.1.1.2:0 150.1.1.1:0 150.1.1.1:1093AEB7
esp 200.1.1.1:0 10.1.1.2:1BF6BAA5 150.1.1.1:0 150.1.1.1:0
NAT Services – SPI matching
NAT(config)# ip nat service list 1 ESP spi-match
NAT(config)# access-list 1 permit 150.1.1.1
• If the IPSEC responder supports SPI matching (on a Cisco IOS device: (config)# crypto ipsec nat-transparency spi-matching), the SPI used by the responder is no longer randomly generated but computed from an MD5 hash of the incoming SPI
• This allows the NAT router to calculate the SPI of the out-to-in ESP packets as soon as the first in-to-out ESP packet is received
• This allows many inside clients to initiate ESP connections to the same outside server simultaneously
• Disabled by default
• If the outside server (150.1.1.1) uses SPI matching, the commands above enable SPI matching for this server on the NAT router
• Rem: if a server matched by the ACL does NOT use SPI matching, the ESP session cannot be translated (the return packet is dropped)!
NAT Services – SPI-matching (debug trace)
*Apr 13 14:09:40.899: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=ED19E956, IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0xED19E956, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 14:09:40.899: NAT: creating portlist proto 50 globaladdr 200.1.1.1
*Apr 13 14:09:40.899: NAT: creating ESP portlist for IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: i: esp (10.1.1.1, 0xED19E956) -> (150.1.1.1, 0x0) [184]
*Apr 13 14:09:40.899: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [184]
… [esp packet from server is received and it matches calculated SPI]
*Apr 13 14:09:40.903: NAT: ESP: SPIs matched
*Apr 13 14:09:40.903: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x5FF2220B, IG=200.1.1.1, IL=10.1.1.1
NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
esp 200.1.1.1:0 10.1.1.1:0 150.1.1.1:0 150.1.1.1:5FF2220B
esp 200.1.1.1:0 10.1.1.1:ED19E956 150.1.1.1:0 150.1.1.1:0
NAT Services – SPI-matching
Slide 49
NAT Services
NAT(config)# ip nat service list <acl> IKE preserve-port
• Introduced by CSCdu76854 – see ENG-114802
• The acl should match the outside global address of the IPSEC server/concentrator
• Source port 500 is preserved; multiplexing is done on the initiator cookie (part of the IKE header)
• The initiator cookie is visible with 'show ip nat translations verbose'
• Disabled by default (breaks some IPSEC implementations in Phase 1 rekeying)
NAT(config)# ip nat service list <acl> ftp tcp port <1-65535>
• The acl should match the outside global address of the FTP server
• Allows the FTP server to use a port other than the default (21) for the control session
Slide 50
*Apr 13 15:29:08.179: NAT: address not stolen for 10.1.1.1, proto 17 port 500
*Apr 13 15:29:08.179: NAT: preserving IKE port for source addr 10.1.1.1, destination addr 150.1.1.1, initiator cookie 0x4EBDB5C
*Apr 13 15:29:08.179: NAT: [0] Allocated Port for 10.1.1.1 -> 200.1.1.1: wanted 500 got 500
*Apr 13 15:29:08.179: NAT: i: udp (10.1.1.1, 500) -> (150.1.1.1, 500) [258]
*Apr 13 15:29:08.179: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [258]
*Apr 13 15:29:08.243: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [302]
*Apr 13 15:29:08.243: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.1 [302]
... [a second inside client initiates an IKE session]
*Apr 13 15:29:25.135: NAT: preserving IKE port for source addr 10.1.1.2, destination addr 150.1.1.1, initiator cookie 0x28810D1E
*Apr 13 15:29:25.135: NAT: [0] Allocated Port for 10.1.1.2 -> 200.1.1.1: wanted 500 got 3
[without the IKE preserve-port command, the source UDP port would have been set to 3]
*Apr 13 15:29:25.139: NAT: i: udp (10.1.1.2, 500) -> (150.1.1.1, 500) [72]
*Apr 13 15:29:25.139: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [72]
*Apr 13 15:29:25.207: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [306]
*Apr 13 15:29:25.207: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.2 [306]
[out-to-in packets are dispatched to the correct internal host based on the initiator cookie]
NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 200.1.1.1:500 10.1.1.1:500 150.1.1.1:500 150.1.1.1:500
udp 200.1.1.1:500 10.1.1.2:500 150.1.1.1:500 150.1.1.1:500
NAT Services – IKE Preserve-port
NAT#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
udp 200.1.1.1:500 10.1.1.1:500 150.1.1.1:500 150.1.1.1:500
create 00:00:29, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 40, lc_entries: 0
initiator cookie: 0xAFD17956, Entry type : 0
udp 200.1.1.1:500 10.1.1.2:500 150.1.1.1:500 150.1.1.1:500
create 00:00:12, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 41, lc_entries: 0
initiator cookie: 0x9716334C, Entry type : 0
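The multiplexing described on the two preceding slides, as an added toy model (not Cisco IOS code and not from the original deck): both inside peers keep UDP source port 500 on the outside, and the NAT router dispatches out-to-in ISAKMP packets on the initiator cookie carried in the first 8 bytes of the IKE header. Addresses follow the slides (inside hosts 10.1.1.1 and 10.1.1.2, inside global 200.1.1.1, server 150.1.1.1); the ISAKMP headers and the class/function names are constructed here.

```python
"""Toy model of the 'IKE preserve-port' service: two inside peers keep UDP
source port 500 on the outside and out->in ISAKMP packets are dispatched on the
initiator cookie, the first 8 bytes of the IKE header (RFC 2408 layout).

Added example, not Cisco IOS code. Addresses follow the slides (inside hosts
10.1.1.1 and 10.1.1.2, inside global 200.1.1.1, server 150.1.1.1); the
ISAKMP headers are constructed here."""
from __future__ import annotations
import struct
from dataclasses import dataclass

IKE_PORT = 500
ISAKMP_HDR_LEN = 28

@dataclass
class Translation:
    inside_local: str
    inside_global: str
    outside_global: str
    initiator_cookie: int   # the value 'show ip nat translations verbose' prints

def parse_isakmp_header(payload: bytes) -> tuple[int, int]:
    """Return (initiator cookie, responder cookie) from an ISAKMP header."""
    if len(payload) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    return struct.unpack_from("!QQ", payload, 0)

def build_isakmp(icookie: int, rcookie: int = 0) -> bytes:
    """Constructed ISAKMP header: next payload 1 (SA), version 1.0,
    exchange type 2 (identity protection), flags 0, message id 0, length 28."""
    return struct.pack("!QQBBBBII", icookie, rcookie, 1, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)

class IkePreservePortNat:
    """NAT router with 'ip nat service list <acl> IKE preserve-port' for server_acl."""
    def __init__(self, inside_global: str, server_acl: set[str]):
        self.inside_global = inside_global
        self.server_acl = server_acl
        self.table: dict[int, Translation] = {}   # keyed on initiator cookie

    def in_to_out(self, src: str, dst: str, dport: int, payload: bytes) -> tuple:
        """Translate an inside->outside IKE packet; the source port stays 500."""
        if dport != IKE_PORT or dst not in self.server_acl:
            raise ValueError("not an IKE flow to a preserve-port server")
        icookie, _ = parse_isakmp_header(payload)
        known = self.table.get(icookie)
        if known is not None and known.inside_local != src:
            raise ValueError("initiator cookie collision between inside hosts")
        self.table[icookie] = Translation(src, self.inside_global, dst, icookie)
        # without preserve-port the overload would pick a fresh port (e.g. 3)
        return (self.inside_global, IKE_PORT, dst, dport)

    def out_to_in(self, src: str, sport: int, dst: str, payload: bytes):
        """Dispatch an outside->inside packet to the right inside host, or None (drop)."""
        if dst != self.inside_global:
            return None
        icookie, _ = parse_isakmp_header(payload)
        entry = self.table.get(icookie)
        if entry is None or entry.outside_global != src:
            return None      # no translation matches: packet is dropped
        return (src, sport, entry.inside_local, IKE_PORT)

def demo() -> tuple:
    nat = IkePreservePortNat("200.1.1.1", {"150.1.1.1"})
    c1, c2 = 0x4EBDB5C, 0x28810D1E      # cookies seen in the debug output above
    out1 = nat.in_to_out("10.1.1.1", "150.1.1.1", 500, build_isakmp(c1))
    out2 = nat.in_to_out("10.1.1.2", "150.1.1.1", 500, build_isakmp(c2))
    # the server answers both with src/dst port 500; only the cookie differs
    back1 = nat.out_to_in("150.1.1.1", 500, "200.1.1.1", build_isakmp(c1, 0xAAAA))
    back2 = nat.out_to_in("150.1.1.1", 500, "200.1.1.1", build_isakmp(c2, 0xBBBB))
    stray = nat.out_to_in("150.1.1.1", 500, "200.1.1.1", build_isakmp(0x1234))
    return out1, out2, back1, back2, stray

if __name__ == "__main__":
    for row in demo():
        print(row)
```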
Slide 51
NAT Services
NAT(config)# ip nat service sip tcp/udp port [port]
NAT(config)# ip nat service skinny tcp port [port]
• SIP and skinny services are enabled by default on their standard ports (5060 for SIP and 2000 for skinny-SCCP)
• These commands were introduced to let customers use a non-standard port for these protocols
• They can also be used to disable ALG processing on the standard port if another application uses this port
Slide 52
NAT Services
NAT(config)# ip nat service h225
NAT(config)# ip nat service ras
• Introduced by CSCdx40184
• H323-H225 and H323-RAS services are enabled by default
• These commands were introduced to allow these services to be turned off
• Initially introduced because of some H323 vulnerabilities
• Could be useful if another application uses these ports…
Slide 53
Verifying NAT
NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 120.6.2.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5
NAT#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 120.6.2.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5
create 00:00:50, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
flags:
extended, use_count: 0, VRF : A, entry-id: 3, lc_entries: 0
NAT#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
Serial2/0
Inside interfaces:
Ethernet0/0
Hits: 9042 Misses: 3
CEF Translated packets: 9045, CEF Punted packets: 14
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface Serial2/0 refcount 1
Queued Packets: 0
Slide 54
NAT#debug ip nat ?
<1-99> Access list
detailed NAT detailed events
fragment NAT fragment events
generic NAT generic ALG handler events
h323 NAT H.323 events
ipsec NAT IPSec events
nvi NVI events
port NAT PORT events
pptp NAT PPTP events
route NAT Static route events
sip NAT SIP events
skinny NAT skinny events
vrf NAT VRF events
wlan-nat WLAN NAT events
<cr>
Troubleshooting NAT
• Various NAT debugs are available
• A standard acl can be specified to limit the debug output
Slide 55
*Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
*Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
*Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5862]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5862]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5863]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5863]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7605]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7605]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7606]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7606]
Troubleshooting NAT
debug ip nat detail
Slide 56
Clearing NAT Translation Entries
router#show ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.2:1220 10.1.1.2:1120 171.69.2.132:53 171.69.2.132:53
tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23
tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23
router#clear ip nat trans udp inside 192.168.2.2 10.1.1.2 1220 171.69.2.132 53 171.69.2.132 53
router#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23
tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23
192.168.2.2 is cleared.

Router#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 200.1.1.1:11003 10.1.1.1:11003 150.1.1.1:23 150.1.1.1:23
tcp 200.1.1.1:1067 10.1.1.5:1067 150.1.1.1:23 150.1.1.1:23
router#clear ip nat trans *
router#
router#show ip nat trans
All entries are cleared.
Slide 57
Troubleshooting NAT
• Get details about what exactly is failing (specific traffic or all traffic? traffic from IN to OUT or from OUT to IN? etc.)
→ You should end up with an example of problematic traffic (source and destination IP, where the source and destination are located, etc.)
• Check the NAT table for the impacted traffic -> 'sh ip nat trans | i x.x.x.x'
• Run 'debug ip nat <acl>' with an acl matching the impacted flow
• Check with acl hit counts that packets hit the NAT router on the correct interface (caution: acl hit counts are not always reliable on hardware platforms)
• Check you can ping the inside local and the outside global from the NAT router (caution: there could be a FW denying ICMP)
• Use the inside global (outside local) as a secondary address on the outside (inside) interface and do an extended ping to the outside global (inside local) with the secondary as source
• Check there is an ARP entry for the inside global and the outside local if it is an Ethernet interface -> 'sh ip arp <interface>'
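The 'debug ip nat' step above produces the two-line pattern shown on slide 55 (a direction line "i:"/"o:" followed by an "s=/d=" translation line sharing the same packet id). As an added example that is not part of the original deck, the parser below pairs those lines per flow and flags flows seen in only one direction, which answers the "IN to OUT or OUT to IN?" question before any other check. The sample debug lines are constructed in the page's format; 'NAT*:' marks CEF-switched packets and 'NAT:' process-switched ones.

```python
"""Parser for 'debug ip nat' output in the format shown on the slides, to
answer the first troubleshooting question: is the impacted flow translated in
both directions?

Added example, not Cisco IOS code. The sample lines below are constructed in
the page's format ('NAT*:' is CEF-switched, 'NAT:' is process-switched)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# *Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
PKT_RE = re.compile(
    r"NAT(?P<cef>\*?): (?P<dir>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\) "
    r"\[(?P<pid>\d+)\]")
# *Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
XLATE_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<pid>\d+)\]")

@dataclass
class Flow:
    """Counters for one flow keyed on (proto, inside local, port, outside global, port)."""
    inside_global: str
    in_to_out: int = 0
    out_to_in: int = 0
    cef: int = 0          # NAT*: lines
    process: int = 0      # NAT: lines (punted to the process path)

def parse_debug(lines: list[str]) -> dict[tuple, Flow]:
    # The [id] at the end of both lines pairs the direction line with its
    # s=/d= line; ids are only unique within a short debug capture.
    records: dict[str, dict] = {}
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            records[m["pid"]] = m.groupdict()
            continue
        m = XLATE_RE.search(line)
        if m and m["pid"] in records:
            rec = records[m["pid"]]
            if rec["dir"] == "i":                  # s=inside_local->inside_global
                rec["il"], rec["ig"] = m["s"], m["s2"]
            else:                                  # d=inside_global->inside_local
                rec["ig"], rec["il"] = m["d"], m["d2"]
    flows: dict[tuple, Flow] = {}
    for rec in records.values():
        if rec.get("il") is None:
            continue  # direction line without a matching translation line
        if rec["dir"] == "i":
            key = (rec["proto"], rec["il"], int(rec["sport"]), rec["dst"], int(rec["dport"]))
        else:
            key = (rec["proto"], rec["il"], int(rec["dport"]), rec["src"], int(rec["sport"]))
        flow = flows.setdefault(key, Flow(inside_global=rec["ig"]))
        if rec["dir"] == "i":
            flow.in_to_out += 1
        else:
            flow.out_to_in += 1
        if rec["cef"]:
            flow.cef += 1
        else:
            flow.process += 1
    return flows

def one_way_flows(flows: dict[tuple, Flow]) -> list[tuple]:
    """Flows seen in only one direction: the 'IN to OUT or OUT to IN?' question."""
    return sorted(k for k, f in flows.items() if f.in_to_out == 0 or f.out_to_in == 0)

# Constructed sample: a telnet session that works and a DNS query whose reply
# is never translated back (e.g. a return path that bypasses the NAT router).
SAMPLE = """\
*Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
*Aug 8 20:04:19.675: NAT: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
*Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
*Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7605]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7605]
*Aug 8 20:04:20.103: NAT: i: udp (10.1.1.20, 40001) -> (150.1.1.2, 53) [5862]
*Aug 8 20:04:20.103: NAT: s=10.1.1.20->120.6.2.1, d=150.1.1.2 [5862]
*Aug 8 20:04:21.103: NAT*: i: udp (10.1.1.20, 40001) -> (150.1.1.2, 53) [5863]
*Aug 8 20:04:21.103: NAT*: s=10.1.1.20->120.6.2.1, d=150.1.1.2 [5863]
""".splitlines()

if __name__ == "__main__":
    flows = parse_debug(SAMPLE)
    for key, f in flows.items():
        print(key, f)
    print("one-way flows:", one_way_flows(flows))
```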
Slide 58
Troubleshooting NAT
Application specific issue
If the problem is related to a specific application/protocol (ping works but not telnet or ftp…):
• Check if static port translation is configured
• Check if packets hit the NAT router with acl hit counts (an acl or FW on the path could be filtering packets)
• Check it is not a 'packet size issue' by pinging with small and big sizes
• Check if the application/protocol requires an ALG (Application Layer Gateway). If yes, a sniffer trace from IN and OUT could identify which field in the payload is not correctly handled
Slide 59
Agenda
• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
► NAT Redundancy
• NAT in MPLS/VRF environment
Slide 60
NAT Redundancy
Several scenarios
• 1 Router – 2 Providers
• 2 Routers – 1 Provider
• 2 Routers – 2 Providers – no dedicated public pool
• 2 Routers – 2 Providers – dedicated public pool
Slide 61
NAT Redundancy
1 Router – 2 Providers
• 2 providers used in a failover scenario (or simultaneously)
• ISP1 is the primary, ISP2 the backup
• We use NAT overload with the public IPs provided by the ISPs
• If ISP1 fails, NAT should use the IP of ISP2
[Diagram: Inside 10.0.0.0/8 on Eth0/0; S1/0 to ISP1 (200.1.1.0/24); S2/0 to ISP2 (100.1.1.0/24); both ISPs to the Internet]
• Existing sessions are lost during failover
• Special care should be taken about sessions initiated from outside (static NAT) if the ISPs have a source IP check (uRPF, acl)
Slide 62
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Serial1/0
ip nat outside
!
interface Serial2/0
ip nat outside
!
ip nat inside source route-map ISP1 interface Serial1/0 overload
ip nat inside source route-map ISP2 interface Serial2/0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 0.0.0.0 0.0.0.0 Serial2/0 100
!
route-map ISP1 permit 10
match ip address 1
match interface Serial1/0
!
route-map ISP2 permit 10
match ip address 1
match interface Serial2/0
!
access-list 1 permit 10.0.0.0 0.255.255.255
NAT Redundancy
1 Router – 2 Providers
Slide 63
NAT Redundancy
2 Routers – 1 Provider (1 public pool)
• 2 NAT routers used in a failover scenario
• In normal conditions, all traffic passes through the NAT1 router
• Should provide redundancy for static and dynamic NAT
• HSRP is used on the Inside and Outside interfaces
N.B. Existing sessions could be maintained
[Diagram: Inside 10.0.0.0/8; NAT1 and NAT2 in parallel; 200.1.1.0/24 toward the Internet]
Slide 64
NAT Redundancy
2 Routers – 1 Provider
Stateful NAT
• The idea is to mirror on the standby SNAT router the NAT entries created by the active SNAT router
• When the active SNAT router goes down, the standby SNAT router is ready to do the translations (with the same inside global IP/port)
• This keeps existing sessions alive
• NAT entries are mirrored via a TCP session permanently established between the SNAT peers, or by acknowledged UDP packets
• IP-Redundancy mode (HSRP) or Primary/Backup mode
[Diagram: Inside 10.0.0.0/8; NAT1 (ACTIVE) and NAT2 (STANDBY) exchanging entries over TCP/UDP; Internet]
Slide 65
NAT Redundancy - SNAT
NAT1 Router:
interface Ethernet0/0
ip nat inside
standby 1 name HSRP_IN
!
ip nat Stateful id 1
redundancy HSRP_IN
mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
ip route 10.1.1.0 255.255.255.0 200.1.1.3 10
!
access-list 1 permit 10.0.0.0 0.255.255.255

NAT2 Router:
interface Ethernet0/0
ip nat inside
standby 1 name HSRP_IN
!
ip nat Stateful id 2
redundancy HSRP_IN
mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
Slide 66
NAT Redundancy - SNAT
NAT1#sh ip snat distributed verbose
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.1.1.2
: Local NAT id 1
: Peer Address 10.1.1.3
: Peer NAT id 2
: Mapping List 10
: InMsgs 4, OutMsgs 8, tcb 0x261B7E8, listener 0x0
NAT2#sh ip snat distributed verbose
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.1.1.3
: Local NAT id 2
: Peer Address 10.1.1.2
: Peer NAT id 1
: Mapping List 10
: InMsgs 9, OutMsgs 4, tcb 0x2971C18, listener 0x2971760
Slide 67
NAT Redundancy - SNAT
NAT1#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
create 00:00:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
flags:
extended, use_count: 0 nat_id: 1 nat_entry_num: 2 nat_mapping_id[in]: 10
nat_mapping_id[out]: 0, entry-id: 4, lc_entries: 0
NAT1#
NAT1#sh ip snat peer 10.1.1.3
Show NAT Entries created by peer: 10.1.1.3
Pro Inside global Inside local Outside local Outside global
NAT1#
NAT2#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
create 00:01:05, use 00:00:00 timeout:60000, timing-out, Map-Id(In): 1,
flags:
extended, created-by-remote, use_count: 0 nat_id: 1 nat_entry_num: 2
nat_mapping_id[in]: 10 nat_mapping_id[out]: 0, entry-id: 3, lc_entries: 0
NAT2#
NAT2#sh ip snat peer 10.1.1.2
Show NAT Entries created by peer: 10.1.1.2
Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
NAT2#
Slide 68
NAT Redundancy - SNAT
debug ip snat [std_acl] [detail]
NAT1 Router:
NAT1#debug ip snat
NAT1#debug ip tcp packet
NAT1#
*Aug 6 15:01:05.207: SNAT (snd msg): Add new entry for router-id 1
*Aug 6 15:01:05.207: SNAT (sndmsg): Found Peer to ADD entry
*Aug 6 15:01:05.207: SNAT (write2net): 10.1.1.2 <---> 10.1.1.3 send message
*Aug 6 15:01:05.207: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
*Aug 6 15:01:05.227: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
*Aug 6 15:01:05.439: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310911 ACK 1259957148 WIN 64475
*Aug 6 15:01:05.439: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957148 ACK 4243310911 WIN 64908
*Aug 6 15:01:05.459: SNAT (readfromnet 1): There is some pending data on tcp. Value:116

NAT2 Router:
NAT2#debug ip snat
NAT2#debug ip tcp packet
NAT2#
*Aug 6 15:01:05.575: SNAT (snd msg): Add new entry for router-id 2
*Aug 6 15:01:05.575: SNAT (sndmsg): Found Peer to ADD entry
*Aug 6 15:01:05.575: SNAT (write2net): 10.1.1.3 <---> 10.1.1.2 send message
*Aug 6 15:01:05.575: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
*Aug 6 15:01:05.607: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
*Aug 6 15:01:05.811: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957148 ACK 4243310911 WIN 64908
*Aug 6 15:01:05.811: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310911 ACK 1259957148 WIN 64475
*Aug 6 15:01:06.359: SNAT (readfromnet 1): There is some pending data on tcp. Value:116
Slide 69
SNAT additional commands
ip nat Stateful id 1
redundancy HSRP_IN
protocol udp
as-queuing disable
interface Ethernet0/0
standby delay reload <delay>
standby 1 preempt delay minimum|reload|sync
• The recommended protocol is UDP (more scalable)
• When SNAT is activated, an additional delay might be seen for packets requiring the creation of a new NAT entry
• The active NAT router has to buffer the packet until it receives confirmation from the backup SNAT router that the entry has been populated
• This is useless if there is no asymmetric routing OUT-to-IN; 'as-queuing disable' removes this extra delay
• A delay should be introduced in HSRP to make sure SNAT has time to converge before the router becomes HSRP active
Slide 70
NAT Redundancy - SNAT
• Several phases in the SNAT implementation
• Phase 2 (introduced in 12.3(7)T) added support for:
– ALG (Application Layer Gateway) failover
– Asymmetric routing for out->in traffic
– Distribution of all forms of dynamic NAT entries (created by static NAT, etc.)
• Next phases (3, 4) should add support for:
– Bidirectional mirroring (currently, only entries on the SNAT active router are mirrored)
– More than 2 SNAT routers
– …
Slide 71
NAT Redundancy
2 Routers – 1 Provider
Static Inside NAT
• Problem: if both NAT routers create an ARP entry for the inside global IP, we have a duplicate IP problem -> only 1 NAT router should create the alias
• To avoid problems with some ALG protocols (FTP, ...), reflexive acls, etc., traffic should be handled by the same router in both directions.
• Traffic from Inside is handled by the HSRP active router on the Inside LAN
• Traffic from the Internet is handled by the router replying to the Provider's ARP request
→ The inside global IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the inside LAN.
Rem: another solution is to use non-directly-connected IPs for the inside global addresses
[Diagram: Inside 10.0.0.0/8 with server 10.1.1.100; NAT1 and NAT2 running HSRP_IN on the inside LAN and HSRP_OUT on 200.1.1.0/24 toward the Internet]
Slide 72
NAT Redundancy
2 Routers – 1 Provider
NAT1 Router:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
standby 1 ip 10.1.1.1
standby 1 priority 120
standby 1 name HSRP_IN
!
interface Ethernet1/0
ip address 200.1.1.2 255.255.255.0
ip nat outside
standby 2 ip 200.1.1.1
standby 2 priority 120
standby 2 name HSRP_OUT
!
ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN

NAT2 Router:
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
standby 1 ip 10.1.1.1
standby 1 name HSRP_IN
!
interface Ethernet1/0
ip address 200.1.1.3 255.255.255.0
ip nat outside
standby 2 ip 200.1.1.1
standby 2 name HSRP_OUT
!
ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN
Slide 73
NAT Redundancy
2 Routers – 1 Provider
NAT1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et0/0 1 120 Active local 10.1.1.3 10.1.1.1
Et1/0 2 120 Active local 200.1.1.3 200.1.1.1
NAT1#
NAT1#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.2 - aabb.cc00.6500 ARPA Ethernet0/0
Internet 10.1.1.1 - 0000.0c07.ac01 ARPA Ethernet0/0
Internet 200.1.1.100 - aabb.cc00.6501 ARPA Ethernet1/0
Internet 200.1.1.1 - 0000.0c07.ac02 ARPA Ethernet1/0
Internet 200.1.1.2 - aabb.cc00.6501 ARPA Ethernet1/0
NAT1#
NAT2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et0/0 1 100 Standby 10.1.1.2 local 10.1.1.1
Et1/0 2 100 Standby 200.1.1.2 local 200.1.1.1
NAT2#
NAT2#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.3 - aabb.cc00.6600 ARPA Ethernet0/0
Internet 200.1.1.3 - aabb.cc00.6601 ARPA Ethernet1/0
NAT2#
Slide 74
NAT Redundancy
2 Routers – 1 Provider
Static Outside NAT
• Same issue as Static Inside NAT, but for the outside local IP
• Traffic from the Internet is handled by the HSRP active router on the outside ethernet (assuming there is no inside NAT, or inside NAT uses a pool ≠ 200.1.1.0/24)
• Traffic from Inside is handled by the router replying to the ARP request for the outside local IP address
→ The outside local IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the outside ethernet.
[Diagram: Inside 10.0.0.0/8; NAT1 and NAT2 running HSRP_IN and HSRP_OUT; 200.1.1.0/24 toward the Internet; server 150.1.1.1 on the Internet should appear as an internal host]
Slide 75
NAT Redundancy
2 Routers – 2 Providers – Provider IPs
• We use NAT overload with the public IPs provided by the ISPs
• 2 providers used simultaneously or in a failover scenario
• If used simultaneously, per-packet load-balancing cannot be used
• If one NAT router or one ISP fails, packets should be rerouted to the other NAT router
• For sessions initiated from outside (static NAT), make sure packets are sent back via the border router they came in through (PBR, nat outside source)
• SNAT is not useful in this scenario
N.B. Existing sessions are lost during failover
[Diagram: Inside 10.0.0.0/8; NAT1 to ISP1 (200.1.1.0/24), NAT2 to ISP2 (100.1.1.0/24); Internet]
Slide 76
NAT Redundancy
2 Routers – 2 Providers – Dedicated Public Pool
• The customer has its own public IP pool (195.1.1.0/24)
• BGP is used to advertise this pool on the Internet
• SNAT allows both providers to be used simultaneously for inbound traffic
• Without SNAT, only one ISP can be used at a time because:
– Traffic should come back from the Internet via the same ISP
– There is no control on inbound traffic
N.B. Existing sessions could be maintained
[Diagram: Inside 10.0.0.0/8; NAT1 to ISP1 (200.1.1.0/24) and NAT2 to ISP2 (100.1.1.0/24), each advertising 195.1.1.0/24 via BGP; Internet]
Slide 77
Agenda
• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
► NAT in MPLS/VRF environment
Slide 78
VRF Introduction
• VRFs are used on PE routers in an MPLS/VPN network to isolate different customers within the same physical router
• Can be used without MPLS → VRF-lite
• Each VRF (Virtual Routing & Forwarding) has its own Routing & CEF table, so routes/traffic from different customers are kept private
• VRFs permit the creation of several virtual routers within a single physical router
• One (sub-)interface can be attached to only one VRF
[Diagram: one physical router hosting a global IP router (global routing table, facing the P router) plus a virtual router for Customer A and one for Customer B, each with its own VRF routing table; Customer A sites #1, #2, #3 and Customer B sites #1, #2 attach to their customer's virtual router]
Slide 79
VRF Configuration
• Need first to create the VRFs:
ip vrf <VRF_name>
rd <RD_value>
• Each VRF needs a unique RD (Route Distinguisher); 2 possible formats (ASN:nn or IP-address:nn)
• Assign the interface to the VRF:
ip vrf forwarding <VRF_name>
• Example:
Router(config)#ip vrf CUST_A
Router(config-vrf)#rd 1:1
Router(config-vrf)#exit
Router(config)#interface ethernet0/0
Router(config-if)#ip vrf forwarding CUST_A
Slide 80
NAT-VRF
• VRF Routing & CEF tables are similar to the global Routing and CEF tables, so NAT can be configured within a VRF
• The VRF name needs to be specified in the NAT commands
• Example:
ip vrf CUST_A
rd 1:1
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_A
ip address 120.16.2.1 255.255.255.0
ip nat outside
!
ip nat inside source static 10.1.1.1 200.1.1.1 vrf CUST_A
Slide 81
ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding CUST_A
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
interface serial 3/0
ip vrf forwarding CUST_B
ip address 50.1.1.1 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 3/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT in VRF-lite Examples
[Diagram: E0/0 (IN) and S2/0 (OUT) in CUST_A; E1/0 (IN) and S3/0 (OUT) in CUST_B]
Slide 82
NAT#sh ip nat translations vrf CUST_A
Pro Inside global Inside local Outside local Outside global
tcp 120.6.2.1:19250 10.1.1.1:19250 150.1.1.1:23 150.1.1.1:23
tcp 120.6.2.1:16564 10.1.1.5:16564 150.1.1.1:23 150.1.1.1:23
Icmp 120.6.2.1:9 10.1.1.2:9 150.1.1.1:9 150.1.1.1:9
NAT#
NAT#
NAT#sh ip nat translations vrf CUST_B
Pro Inside global Inside local Outside local Outside global
tcp 50.1.1.1:18050 10.1.1.2:18050 180.1.1.1:23 180.1.1.1:23
tcp 50.1.1.1:21660 10.1.1.5:21660 180.1.1.1:23 180.1.1.1:23
Icmp 50.1.1.1:1 10.1.1.2:1 180.1.1.1:1 180.1.1.1:1
NAT in VRF-lite Examples
N.B.
- "sh ip nat translation" shows all entries (the verbose keyword shows the VRF an entry is bound to)
- This VRF (in-VRF) information is used to know which VRF the inside local IP address belongs to
- The NTD (NAT Translation Database, of which the NAT translation table is only a part) keeps track of the VRF the outgoing interface belongs to (out-VRF).
- Only packets belonging to that out-VRF (which could be different from the in-VRF) are allowed to use this existing NAT entry
Slide 83
VRF – Packet Leaking
• Packet leaking permits packets from a VRF to reach the Global routing table
• The implementation of packet leaking requires 2 static routes:
– A VRF static route which points to a global next-hop:
ip route vrf <vrf_name> <subnet> <mask> <next-hop> global
– A Global static route which points to the VRF interface:
ip route <subnet> <mask> <vrf_int> [next-hop]
• Example:
ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
(VRF traffic matching the default route is sent to 120.6.2.2, which is reachable via the global routing table)
ip route 10.0.0.0 255.0.0.0 ethernet 0/0 10.1.1.1
(Traffic in the global routing table matching this static route is sent into the VRF that ethernet 0/0 is attached to)
Slide 84
ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
ip route vrf CUST_B 0.0.0.0 0.0.0.0 120.6.2.2 global
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT VRF – Packet leaking VRF -> Global
[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, global table) toward the Internet]
N.B. There is no static route in the global table pointing to a VRF interface for traffic back from the Internet.
A match is found in the NAT table for the flow and a layer 3 lookup is done in the in-VRF routing table (the in-VRF is stored in the NAT table).
There is a check as well to see if the packet comes from the out-VRF (stored in the NTD).
Slide 85
ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
ip vrf SERVICE
rd 1:3
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding SERVICE
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT VRF – Packet leaking VRF -> VRF
[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, SERVICE VRF) toward the Internet]
Slide 86
ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
ip vrf SERVICE
rd 1:3
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding SERVICE
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
!
ip nat inside source static 10.1.1.20 200.1.1.1 vrf CUST_A
NAT VRF – Packet leaking – Static NAT
[Diagram: E0/0 (IN, CUST_A, host 10.1.1.20) and E1/0 (IN, CUST_B); S2/0 (OUT, SERVICE VRF) toward the Internet]
N.B.
• Packets entering via any outside interface could use the static NAT entry (there is no possible check on the out-VRF)
• If we try to create the exact same static NAT entry in 2 different VRFs, the command is refused and a 'similar static NAT entry already exists' message is displayed
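The in-VRF/out-VRF rules stated on the VRF-lite, VRF -> Global and Static NAT slides above, as an added model (not Cisco IOS code and not from the original deck): a dynamic entry carries the in-VRF of its inside local address, the NTD records the out-VRF of the outgoing interface and return packets from another VRF are dropped; a static entry may be used from any outside interface, and the same static entry in a second VRF is refused. VRF names, interfaces and the overlapping 10.0.0.0/8 inside ranges follow the page's configurations; the port numbers, the Serial3/0 global outside interface and the class/function names are constructed.

```python
"""Model of the VRF-aware NAT behaviour described on the page: an entry carries
the in-VRF of its inside local address, the NTD records the out-VRF of the
outgoing interface and return packets are checked against it (dynamic entries),
static entries may be used from any outside interface, and the same static
entry in a second VRF is refused.

Added example, not Cisco IOS code. VRF names, interfaces and the overlapping
10.0.0.0/8 inside ranges follow the page's configurations; ports, the Serial3/0
global outside interface and the result tuples are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

GLOBAL = None   # the global routing table has no VRF name

@dataclass
class Entry:
    in_vrf: Optional[str]       # VRF the inside local address belongs to
    inside_local: str
    inside_global: str
    global_port: Optional[int]  # None for a static (address-only) entry
    out_vrf: Optional[str]      # NTD: VRF of the outgoing interface
    static: bool = False

class VrfNat:
    def __init__(self, interfaces: dict[str, Optional[str]], inside_global: str):
        self.if_vrf = interfaces            # interface -> 'ip vrf forwarding' name
        self.inside_global = inside_global  # overload address of the outside interface
        self.next_port = 16000
        self.dynamic: dict[tuple, Entry] = {}   # (in_vrf, inside local, port) -> Entry
        self.by_global: dict[int, Entry] = {}   # inside global port -> Entry
        self.static: dict[str, Entry] = {}      # inside global address -> Entry

    def add_static(self, inside_local: str, inside_global: str, vrf: str) -> Entry:
        """'ip nat inside source static <il> <ig> vrf <name>'."""
        existing = self.static.get(inside_global)
        if existing and existing.inside_local == inside_local and existing.in_vrf != vrf:
            raise ValueError("similar static NAT entry already exists")
        entry = Entry(vrf, inside_local, inside_global, None, None, static=True)
        self.static[inside_global] = entry
        return entry

    def in_to_out(self, in_if: str, src: str, sport: int, out_if: str) -> tuple:
        """Inside->outside packet: create or reuse a dynamic overload entry."""
        in_vrf, out_vrf = self.if_vrf[in_if], self.if_vrf[out_if]
        key = (in_vrf, src, sport)   # the same 10.x address in two VRFs gives two keys
        entry = self.dynamic.get(key)
        if entry is None:
            port = self.next_port
            self.next_port += 1
            entry = Entry(in_vrf, src, self.inside_global, port, out_vrf)
            self.dynamic[key] = entry
            self.by_global[port] = entry
        return (entry.inside_global, entry.global_port)

    def out_to_in(self, out_if: str, dst: str, dport: int) -> tuple:
        """Outside->inside packet: ('forward', inside local, in-VRF) or ('drop', why)."""
        static = self.static.get(dst)
        if static is not None:
            # no out-VRF check is possible for a static entry: any outside interface works
            return ("forward", static.inside_local, static.in_vrf)
        if dst != self.inside_global:
            return ("drop", "no translation")
        entry = self.by_global.get(dport)
        if entry is None:
            return ("drop", "no translation")
        if entry.out_vrf != self.if_vrf[out_if]:
            return ("drop", "packet does not belong to the entry's out-VRF")
        # the layer 3 lookup for the translated packet is done in the in-VRF
        return ("forward", entry.inside_local, entry.in_vrf)

def demo() -> dict:
    nat = VrfNat({"Ethernet0/0": "CUST_A", "Ethernet1/0": "CUST_B",
                  "Serial2/0": "SERVICE", "Serial3/0": GLOBAL}, "120.6.2.1")
    res = {}
    # overlapping inside addresses: 10.1.1.5 exists in both customer VRFs
    res["a_out"] = nat.in_to_out("Ethernet0/0", "10.1.1.5", 1100, "Serial2/0")
    res["b_out"] = nat.in_to_out("Ethernet1/0", "10.1.1.5", 1100, "Serial2/0")
    res["a_back"] = nat.out_to_in("Serial2/0", "120.6.2.1", res["a_out"][1])
    res["b_back"] = nat.out_to_in("Serial2/0", "120.6.2.1", res["b_out"][1])
    # the same reply arriving on an outside interface in another VRF (global table)
    res["b_wrong_vrf"] = nat.out_to_in("Serial3/0", "120.6.2.1", res["b_out"][1])
    nat.add_static("10.1.1.20", "200.1.1.1", "CUST_A")
    try:
        nat.add_static("10.1.1.20", "200.1.1.1", "CUST_B")
        res["dup_static"] = "accepted"
    except ValueError as err:
        res["dup_static"] = str(err)
    res["static_back"] = nat.out_to_in("Serial3/0", "200.1.1.1", 23)
    return res

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```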
Slide 87
MPLS/VPN - Intro
• MPLS is used in the provider cloud to connect the different PEs
• VRFs are defined on the PEs to separate customers
• Traffic sent across the provider cloud is labeled (2 labels)
– The top label (LDP/TDP) identifies the egress PE
– The inner label (BGP) identifies the VPN
[Diagram: Customer A (10.0.0.0/8) and Customer B (10.0.0.0/8) on CE1/CE2 behind PE1; MPLS provider cloud; PE2 with CE2 in front of the Common Servers 200.1.1.1/24, the MPLS interface being in the global table]
Provider offers a set of Common Services (VoIP, Web Hosting, …)
Slide 88
NAT - MPLS/VPN – 2 Options
• NAT on the ingress PE (PE1)
+ Easy to configure
- Not very scalable if there are many PEs
• NAT on the egress PE (PE2)
+ Scalable
- More complex to configure
[Diagram: same topology: Customer A and Customer B (both 10.0.0.0/8) behind PE1, MPLS provider cloud, PE2 and CE2 in front of the Common Servers 200.1.1.1/24]
Provider offers a set of Common Services (VoIP, Web Hosting, …)
Slide 89
ip vrf CUST_A
rd 1:1
route-target both 1:1
route-target import 1:100
route-target export 1:101
!
ip vrf CUST_B
rd 1:2
route-target both 1:2
route-target import 1:100
route-target export 1:101
!
interface serial0/0
ip vrf forwarding CUST_A
ip address 10.1.1.1 255.255.255.252
ip nat inside
!
interface serial1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.252
ip nat inside
!
interface serial2/0
ip address 120.6.2.1 255.255.255.252
mpls ip
ip nat outside
!
router bgp 1
address-family ipv4 vrf CUST_A
redistribute static
address-family ipv4 vrf CUST_B
redistribute static
!
ip route vrf CUST_A 200.1.2.1 255.255.255.255 10.1.1.2
ip route vrf CUST_B 200.1.2.2 255.255.255.255 10.1.1.2
!
ip nat pool A 200.1.2.1 200.1.2.1 prefix-length 24
ip nat pool B 200.1.2.2 200.1.2.2 prefix-length 24
ip nat inside source route-map NAT_A pool A vrf CUST_A overload
ip nat inside source route-map NAT_B pool B vrf CUST_B overload
!
route-map NAT_A permit 10
match ip address 101
route-map NAT_B permit 10
match ip address 102
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255
NAT MPLS/VPN – Ingress PE
[Diagram: PE1 with S0/0 to CE1 (VRF CUST_A), S1/0 to CE2 (VRF CUST_B) and S2/0 towards the MPLS cloud.]
Callout on the two 'ip route vrf ...' lines: these are the inside global addresses (the NAT pool addresses) that we need to advertise into MPLS/VPN. A pool address is not configured on any interface, so without the static route it never enters the VRF RIB and 'redistribute static' has nothing to export; the common servers' replies to 200.1.2.x would then have no VPNv4 route back to PE1.
Slide 90
ip vrf CUST_A
rd 1:1
route-target both 1:1
!
ip vrf CUST_B
rd 1:2
route-target both 1:2
!
ip vrf COMMON
rd 1:3
!
interface serial0/0
ip address 120.4.2.1 255.255.255.252
mpls ip
ip nat inside
!
interface FastEthernet1/0
ip vrf forwarding COMMON
ip address 200.1.1.1 255.255.255.0
ip nat outside
!
router bgp 1
address-family ipv4 vrf CUST_A
redistribute static
address-family ipv4 vrf CUST_B
redistribute static
!
ip route vrf CUST_A 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
ip route vrf CUST_B 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
!
ip nat pool COM_POOL 200.1.2.1 200.1.2.3 prefix-length 24
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_A overload
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_B overload
!
route-map NAT_COM permit 10
match ip address 101
!
access-list 101 permit ip any 200.1.1.0 0.0.0.255
NAT MPLS/VPN – Egress PE
[Diagram: PE2 with S0/0 towards the MPLS cloud and fa1/0 to CE2 / the Common Servers.]
N.B.
- 200.1.2.0/30 (the COM_POOL addresses) must be known by CE2 and the servers, otherwise their replies cannot be routed back to PE2's fa1/0
- packets coming back from the servers match the existing NAT entries, which record the customer VRF the flow came from
- after the reverse translation, a Layer 3 lookup is done in that inside VRF, where the VPN route and the labels towards the ingress PE are found
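The two PE configurations above both depend on the detail the callout points at: an inside global address that exists only in a NAT pool has to be injected into the customer VRF (static route plus 'redistribute static') or the servers' replies never find their way back. The following lint is an added example, not part of the original deck and not Cisco tooling; it parses a config in the format shown on the slides and reports pool addresses that are not covered. The sample configs inside it are constructed from the ingress-PE slide, with one copy deliberately missing CUST_B's route and redistribution.

```python
"""Lint an IOS NAT-in-VRF config: every inside global address handed out in a
VRF needs a static route in that VRF and 'redistribute static' under the
matching BGP address-family, or PE2 never learns it and the common servers'
replies are dropped. Constructed example for this page, not Cisco code."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+)")
RULE_RE = re.compile(r"^ip nat inside source .*pool (\S+) vrf (\S+)")
ROUTE_RE = re.compile(r"^ip route vrf (\S+) (\S+) (\S+)")
AF_RE = re.compile(r"^address-family ipv4 vrf (\S+)")


@dataclass
class Config:
    pools: dict[str, tuple] = field(default_factory=dict)        # name -> (first, last)
    rules: list[tuple[str, str]] = field(default_factory=list)   # (vrf, pool)
    routes: dict[str, list] = field(default_factory=dict)        # vrf -> [network]
    redistributing: set[str] = field(default_factory=set)        # vrfs with 'redistribute static'


def parse_config(text: str) -> Config:
    cfg = Config()
    af = None  # address-family currently open under 'router bgp'
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RULE_RE.match(line):
            cfg.rules.append((m[2], m[1]))
        elif m := ROUTE_RE.match(line):
            cfg.routes.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := AF_RE.match(line):
            af = m[1]
        elif line == "redistribute static" and af:
            cfg.redistributing.add(af)
        elif line == "!" or line.startswith("router "):
            af = None
    return cfg


def check_inside_global(cfg: Config) -> list[str]:
    """Every address of every pool used in a VRF must be routed and redistributed there."""
    findings = []
    for vrf, pool in cfg.rules:
        if pool not in cfg.pools:
            findings.append(f"{vrf}: pool {pool} referenced but never defined")
            continue
        first, last = cfg.pools[pool]
        addr = first
        while addr <= last:
            if not any(addr in net for net in cfg.routes.get(vrf, [])):
                findings.append(f"{vrf}: inside global {addr} has no static route in the VRF")
            addr += 1
        if vrf not in cfg.redistributing:
            findings.append(f"{vrf}: missing 'redistribute static' under address-family ipv4 vrf {vrf}")
    return findings


# Constructed sample modelled on the ingress-PE slide (indentation is ignored).
INGRESS_PE_OK = """\
interface serial2/0
 ip address 120.6.2.1 255.255.255.252
 mpls ip
 ip nat outside
!
router bgp 1
 address-family ipv4 vrf CUST_A
  redistribute static
 address-family ipv4 vrf CUST_B
  redistribute static
!
ip route vrf CUST_A 200.1.2.1 255.255.255.255 10.1.1.2
ip route vrf CUST_B 200.1.2.2 255.255.255.255 10.1.1.2
!
ip nat pool A 200.1.2.1 200.1.2.1 prefix-length 24
ip nat pool B 200.1.2.2 200.1.2.2 prefix-length 24
ip nat inside source route-map NAT_A pool A vrf CUST_A overload
ip nat inside source route-map NAT_B pool B vrf CUST_B overload
"""

# Same config with CUST_B's route and redistribution forgotten.
INGRESS_PE_BROKEN = INGRESS_PE_OK.replace(
    "ip route vrf CUST_B 200.1.2.2 255.255.255.255 10.1.1.2\n", "").replace(
    " address-family ipv4 vrf CUST_B\n  redistribute static\n",
    " address-family ipv4 vrf CUST_B\n")

if __name__ == "__main__":
    for name, text in (("ok", INGRESS_PE_OK), ("broken", INGRESS_PE_BROKEN)):
        print(name, check_inside_global(parse_config(text)) or ["no findings"])
```

The same check applies to the egress-PE design: there the pool is COM_POOL and the VRF whose RIB matters is the customer VRF recorded in the translation, so the walk over `cfg.rules` is unchanged.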
Slide 91
• Used to tackle a limitation of the classical NAT implementation, which binds an interface (an address space) to either the Inside or the Outside domain, never both
• The idea is to direct traffic destined to the translated (inside global) address to a virtual interface. This allows the NAT operation to be done AFTER the routing decision in ALL cases
 no need to define Inside/Outside domains anymore
• Interfaces just need to be NAT 'enabled'
• NAT NVI 'trigger': a packet comes in on a NAT-enabled interface and is forwarded out of a NAT-enabled interface
NAT NVI – NAT Virtual Interface
[Diagram: E0/0 (VRF A), E1/0 (VRF B) and S2/0 (Internet). With classic NAT each interface must be marked IN or OUT, and the crossed-out (X) combinations, such as traffic between two interfaces that are both inside, cannot be translated. With NVI all three interfaces simply carry 'ip nat enable'.]
Slide 92
The goal is to allow scenarios such as the following:
• VRF A and VRF B use the same private address space
• Hosts in VRF A and VRF B should use NAT to reach the Internet
• Hosts in VRF A should use NAT to reach a server in VRF B
NAT NVI – NAT Virtual Interface
[Diagram: HostA 10.1.1.10 in VRF A behind E0/0, ServerB 10.1.1.10 in VRF B behind E1/0, the Internet (global table) via S2/0.]
Slide 93
ip vrf A
rd 1:1
!
ip vrf B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface ethernet1/0
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface serial 2/0
ip address 200.1.1.1 255.255.255.252
ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT NVI – Config Example – to Internet
[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), Internet server 150.1.1.1 in the global table via S2/0.]
Slide 94
NAT NVI – Config Example – to Internet
Host A generates a ping to 150.1.1.1:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back (note that source and destination are inverted so that it matches the returning traffic)
NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5
create 00:00:28, use 00:00:28 timeout:60000, left 00:00:31,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:5 150.1.1.1:5 200.1.1.1:5 10.1.1.10:5
create 00:00:54, use 00:00:54 timeout:60000, left 00:00:05,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
Slide 95
NAT NVI – Config Example – to Internet
Host B generates a ping to 150.1.1.1:
• An entry is created in the NVI NAT table of VRF B
• A second entry is created in the global NVI NAT table to allow the traffic back (src_VRF tells which VRF the returning packet has to be forwarded to; both hosts are 10.1.1.10, so without it the reply could not be delivered to the right VRF)
NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:1 10.1.1.10:1 150.1.1.1:1 150.1.1.1:1
create 00:00:13, use 00:00:13 timeout:60000, left 00:00:46,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:1 150.1.1.1:1 200.1.1.1:1 10.1.1.10:1
create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
icmp 150.1.1.1:5 150.1.1.1:5 200.1.1.1:5 10.1.1.10:5
create 00:00:58, use 00:00:58 timeout:60000, left 00:00:02,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
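The two ping traces above show why the NVI entries carry src_VRF: both hosts are 10.1.1.10 and both are translated to 200.1.1.1, so only the VRF recorded with the entry tells the router where a reply belongs. The Python model below is an added example, not IOS code and not part of the original deck. It mimics the table behaviour shown on slides 94 to 98 and goes one step further than the traces, where the two hosts happened to use different ICMP ids (5 and 1), by making both pick id 5 so that the PAT address has to hand out a second identifier. The single 'port' field, the spoofed 6.6.6.6 source and the drop-when-no-rule behaviour are assumptions of the model.

```python
"""Toy model of NAT Virtual Interface (NVI) translation across VRFs.
Constructed example for this page, not IOS code. One 'port' field stands
for the L4 identifier (ICMP id or TCP/UDP port)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

GLOBAL = "global"  # the global routing table; it has no VRF name


@dataclass(frozen=True)
class Packet:
    vrf: str    # table the packet is looked up in (receiving interface's VRF or GLOBAL)
    src: str
    dst: str
    port: int


@dataclass
class Entry:
    """One extended entry, with the columns of 'show ip nat nvi translations'."""
    src_vrf: str
    dst_vrf: str
    src_local: str
    src_global: str
    dst_local: str
    dst_global: str
    port_local: int
    port_global: int


class NviNat:
    def __init__(self, pat_address: str, pat_vrfs: set[str],
                 statics: dict[tuple[str, str], str]) -> None:
        self.pat_address = pat_address   # 'ip nat source list N interface s2/0 vrf X overload'
        self.pat_vrfs = set(pat_vrfs)
        # 'ip nat source static LOCAL GLOBAL vrf V', indexed by the global address
        self.static_by_global = {g: (v, l) for (v, l), g in statics.items()}
        self.entries: list[Entry] = []

    def _free_port(self, wanted: int) -> int:
        """Overlapping hosts in different VRFs may pick the same id; the PAT
        address must still hand out one (address, port) per flow."""
        used = {e.port_global for e in self.entries if e.src_global == self.pat_address}
        port = wanted
        while port in used:
            port += 1
        return port

    def _match_reply(self, pkt: Packet) -> Optional[Packet]:
        for e in self.entries:
            if (pkt.vrf, pkt.src, pkt.dst, pkt.port) == (e.dst_vrf, e.dst_local, e.src_global, e.port_global):
                # Undo both rewrites and hand the packet to the originating VRF.
                return Packet(e.src_vrf, e.dst_global, e.src_local, e.port_local)
        return None

    def _new_flow(self, pkt: Packet) -> Optional[Packet]:
        # Routing first: a statically mapped global address lands in its VRF, anything
        # else follows the 'ip route vrf X 0.0.0.0 0.0.0.0 ... global' default route.
        dst_vrf, dst_local = self.static_by_global.get(pkt.dst, (GLOBAL, pkt.dst))
        if pkt.vrf in self.pat_vrfs:
            src_global, port_global = self.pat_address, self._free_port(pkt.port)
        elif dst_local != pkt.dst:
            src_global, port_global = pkt.src, pkt.port  # only the destination is rewritten
        else:
            return None  # no rule matches: nothing is translated, the packet is dropped here
        e = Entry(pkt.vrf, dst_vrf, pkt.src, src_global, dst_local, pkt.dst, pkt.port, port_global)
        self.entries.append(e)
        return Packet(dst_vrf, src_global, dst_local, port_global)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Existing entries win, so replies never create state of their own."""
        return self._match_reply(pkt) or self._new_flow(pkt)


def demo() -> dict:
    nat = NviNat("200.1.1.1", {"A", "B"}, {("B", "10.1.1.10"): "200.1.1.10"})
    r = {}
    # Both overlapping hosts ping the Internet server with ICMP id 5.
    out_a = nat.translate(Packet("A", "10.1.1.10", "150.1.1.1", 5))
    out_b = nat.translate(Packet("B", "10.1.1.10", "150.1.1.1", 5))
    r["global_ids"] = (out_a.port, out_b.port)
    r["reply_to_a"] = nat.translate(Packet(GLOBAL, "150.1.1.1", "200.1.1.1", out_a.port))
    r["reply_to_b"] = nat.translate(Packet(GLOBAL, "150.1.1.1", "200.1.1.1", out_b.port))
    # Host A reaches Server B via its global address: source and destination rewritten.
    r["a_to_serverb"] = nat.translate(Packet("A", "10.1.1.10", "200.1.1.10", 11))
    r["serverb_reply"] = nat.translate(Packet("B", "10.1.1.10", "200.1.1.1", 11))
    # The Internet server reaches Server B: only the destination is rewritten.
    r["inet_to_serverb"] = nat.translate(Packet(GLOBAL, "150.1.1.1", "200.1.1.10", 1))
    r["serverb_to_inet"] = nat.translate(Packet("B", "10.1.1.10", "150.1.1.1", 1))
    # Unsolicited packet to the PAT address from elsewhere: no entry, no rule.
    r["spoof"] = nat.translate(Packet(GLOBAL, "6.6.6.6", "200.1.1.1", 5))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two properties worth noticing in the output: a reply is matched on the full tuple including the table it arrives in, so the same (200.1.1.1, id) can never be delivered to the wrong VRF, and a packet that matches no entry and no rule is not forwarded untranslated into a VRF.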
Slide 96
ip vrf A
rd 1:1
!
ip vrf B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface ethernet1/0
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface serial 2/0
ip address 200.1.1.1 255.255.255.252
ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT NVI – Config Example – To Server B
[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), Internet server 150.1.1.1 via S2/0. ServerB is statically mapped to 200.1.1.10.]
Slide 97
NAT NVI – Config Example – To Server B
Host A generates a ping to Server B (200.1.1.10):
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that both src_VRF and dst_VRF are recorded, since both the source and the destination IP are translated)
NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:11 10.1.1.10:11 200.1.1.10:11 10.1.1.10:11
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0
NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:11 10.1.1.10:11 200.1.1.1:11 10.1.1.10:11
create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:06:01, use 00:00:15 timeout:0,
flags:
static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
Slide 98
NAT NVI – Config Example – To Server B
The Internet server (150.1.1.1) generates a ping to Server B (200.1.1.10):
• A first entry is created in the global NVI NAT table
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that only dst_VRF is recorded in the extended entry, since only the destination IP is translated; the source stays in the global table)
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:1 150.1.1.1:1 200.1.1.10:1 10.1.1.10:1
create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57,
flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:1 10.1.1.10:1 150.1.1.1:1 150.1.1.1:1
create 00:00:08, use 00:00:08 timeout:60000, left 00:00:51,
flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:32:20, use 00:00:08 timeout:0,
flags:
static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
Slide 99
ip vrf A
rd 1:1
!
ip vrf B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface ethernet1/0
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
interface serial 2/0
ip address 200.1.1.1 255.255.255.252
ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
ip nat source static 150.1.1.1 10.1.2.150
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT NVI – Other Example
[Diagram: HostA 10.1.1.10 in VRF A, ServerB 10.1.1.10 in VRF B, Internet server 150.1.1.1 via S2/0. Callout on the last static: server 150.1.1.1 should be reachable from the VRFs via a private IP (10.1.2.150).]
'ip nat outside source' scenarios (translating an outside address as the inside sees it) are achieved in NVI with an 'ip nat source' command in the destination's table, here the global table, since NVI has no outside domain.
Slide 100
NAT NVI – Other Example
Host A generates a ping to the Internet server using 10.1.2.150:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table to allow the traffic back (note that no dst_VRF is shown: the destination is resolved in the global table, which is not a named VRF, and the static entry 10.1.2.150 to 150.1.1.1 likewise carries no VRF)
NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:18 10.1.1.10:18 10.1.2.150:18 150.1.1.1:18
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 10.1.2.150:18 150.1.1.1:18 200.1.1.1:18 10.1.1.10:18
create 00:00:09, use 00:00:09 timeout:60000, left 00:00:50,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0
--- 10.1.2.150 150.1.1.1 --- ---
create 00:04:45, use 00:00:09 timeout:0,
flags:
static, routemap-out2in, use_count: 1, entry-id: 15, lc_entries: 0
Slide 101
NAT NVI – Other Example
• The Internet server is still reachable via its public IP 150.1.1.1
• Host B generates a ping to 150.1.1.1
• A first entry is created in the NVI NAT table of VRF B (src_VRF)
• A second entry is created in the global NVI NAT table to allow the traffic back; the static 10.1.2.150 entry is not involved (its use_count stays at 0)
NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:2 10.1.1.10:2 150.1.1.1:2 150.1.1.1:2
create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:2 150.1.1.1:2 200.1.1.1:2 10.1.1.10:2
create 00:00:06, use 00:00:06 timeout:60000, left 00:00:53,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0
--- 10.1.2.150 150.1.1.1 --- ---
create 00:16:29, use 00:11:53 timeout:0,
flags:
static, routemap-out2in, use_count: 0, entry-id: 15, lc_entries: 0
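Reading these tables by eye gets hard once several VRFs share a PAT address, and the same extended entry is printed once per VRF table it is visible in (entry-id 12 and 14 above each appear twice). The parser below is an added example, not Cisco code and not part of the original deck; it turns 'show ip nat nvi translations verbose' output into records and summarises what the table exposes: static mappings that publish a private host on a global address, flows crossing from one VRF into another, and sessions initiated from the global table into a VRF. The sample output embedded in it is copied from the two 'To Server B' slides; the report categories and the RFC 1918 test are the example's own.

```python
"""Parse 'show ip nat nvi translations verbose' output and summarise what the
NVI table exposes. Constructed example for this page, not Cisco code.
SAMPLE is the output shown on the two 'To Server B' slides."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

ROW_RE = re.compile(r"^(icmp|tcp|udp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Translation:
    proto: str
    src_global: str
    src_local: str
    dst_local: str
    dst_global: str
    flags: list[str] = field(default_factory=list)
    attrs: dict[str, str] = field(default_factory=dict)  # src_VRF, dst_VRF, entry-id, ...

    @property
    def is_static(self) -> bool:
        return "static" in self.flags

    def host(self, col: str) -> str:
        """Address column without its ':port' part."""
        return getattr(self, col).split(":")[0]


def parse_nvi_translations(text: str) -> list[Translation]:
    """Rows start with a protocol ('---' for static entries); the lines that
    follow carry comma-separated flags and 'key: value' attributes."""
    rows: list[Translation] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Pro ", "NAT#")):
            continue
        if m := ROW_RE.match(line):
            rows.append(Translation(*m.groups()))
            continue
        if not rows or line.startswith("create"):
            continue  # timers are not needed for this audit
        for tok in line.split(","):
            key, sep, val = tok.strip().partition(":")
            if sep and val.strip():
                rows[-1].attrs[key.strip()] = val.strip()
            elif key and not sep:
                rows[-1].flags.append(key)
    return rows


def audit(rows: list[Translation]) -> dict[str, list]:
    """An entry is listed once per VRF table it is visible in, so dedupe on entry-id.
    'Destin global' is the real address in the destination table."""
    seen: dict[str, Translation] = {}
    for t in rows:
        seen.setdefault(t.attrs.get("entry-id", repr(t)), t)
    report: dict[str, list] = {"static_exposures": [], "cross_vrf": [], "inbound_from_global": []}
    for t in seen.values():
        src_vrf, dst_vrf = t.attrs.get("src_VRF"), t.attrs.get("dst_VRF")
        if t.is_static:
            if (ipaddress.ip_address(t.host("src_local")).is_private
                    and not ipaddress.ip_address(t.host("src_global")).is_private):
                report["static_exposures"].append((src_vrf or "global", t.host("src_local"), t.host("src_global")))
        elif src_vrf and dst_vrf and src_vrf != dst_vrf:
            report["cross_vrf"].append((src_vrf, dst_vrf, t.host("src_local"), t.host("dst_global")))
        elif dst_vrf and not src_vrf:
            report["inbound_from_global"].append((t.host("src_global"), dst_vrf, t.host("dst_global")))
    return report


SAMPLE = """\
NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:11 10.1.1.10:11 200.1.1.10:11 10.1.1.10:11
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0
NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:11 10.1.1.10:11 200.1.1.1:11 10.1.1.10:11
create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:06:01, use 00:00:15 timeout:0,
flags:
static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:1 150.1.1.1:1 200.1.1.10:1 10.1.1.10:1
create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57,
flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
"""

if __name__ == "__main__":
    for category, items in audit(parse_nvi_translations(SAMPLE)).items():
        print(category, items)
```

Run against a live capture, the 'static_exposures' list is the inventory of internal hosts reachable from the global table, and 'cross_vrf' is the list of flows that have left their VRF; both are what a reviewer of a shared-services design wants to see, and neither is visible from the config alone.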
Slide 102
NetWork Training Center
www.facebook.com/ciscoedu2014

Weitere ähnliche Inhalte

Was ist angesagt?

CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
Dsunte Wilson
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch Configuration
Dsunte Wilson
 

Was ist angesagt? (20)

Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
Cisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA  with tracking  configurationCisco CCNA IP SLA  with tracking  configuration
Cisco CCNA IP SLA with tracking configuration
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 
CCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch ConfigurationCCNA Basic Switching and Switch Configuration
CCNA Basic Switching and Switch Configuration
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
CCNAv5 - S4: Chapter 5: Network Address Translation for ipv4
CCNAv5 - S4: Chapter 5: Network Address Translation for ipv4CCNAv5 - S4: Chapter 5: Network Address Translation for ipv4
CCNAv5 - S4: Chapter 5: Network Address Translation for ipv4
 
Ipv6
Ipv6Ipv6
Ipv6
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
 
Introduction to nexux from zero to Hero
Introduction to nexux  from zero to HeroIntroduction to nexux  from zero to Hero
Introduction to nexux from zero to Hero
 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec ProtocolsIPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Chapter 17 : static routing
Chapter 17 : static routingChapter 17 : static routing
Chapter 17 : static routing
 
Chapter 10 - DHCP
Chapter 10 - DHCPChapter 10 - DHCP
Chapter 10 - DHCP
 
Cisco router basic
Cisco router basicCisco router basic
Cisco router basic
 
IP Routing Tutorial
IP Routing TutorialIP Routing Tutorial
IP Routing Tutorial
 
CCNA CheatSheet
CCNA CheatSheetCCNA CheatSheet
CCNA CheatSheet
 
Ip addressing
Ip addressingIp addressing
Ip addressing
 
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
 
IP Address
IP AddressIP Address
IP Address
 

Andere mochten auch

[LOWRES] Organisation Profile
[LOWRES] Organisation Profile[LOWRES] Organisation Profile
[LOWRES] Organisation Profile
Rini Sucahyo
 
Women to Watch - Meirini Sucahyo
Women to Watch - Meirini SucahyoWomen to Watch - Meirini Sucahyo
Women to Watch - Meirini Sucahyo
Rini Sucahyo
 
2015_02 Inside East Bali_FINAL
2015_02 Inside East Bali_FINAL2015_02 Inside East Bali_FINAL
2015_02 Inside East Bali_FINAL
Rini Sucahyo
 
Panduan - Pengamanan Hutan
Panduan - Pengamanan HutanPanduan - Pengamanan Hutan
Panduan - Pengamanan Hutan
Rini Sucahyo
 
raouf seyam CV October 2015
raouf seyam CV October 2015raouf seyam CV October 2015
raouf seyam CV October 2015
Raouf Seyam
 
F5 BIG-IP Web-based Customer Training
F5 BIG-IP Web-based Customer TrainingF5 BIG-IP Web-based Customer Training
F5 BIG-IP Web-based Customer Training
F5 Networks
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
Jimmy Saigon
 
All 50 Ways to Use BIG-IP
All 50 Ways to Use BIG-IP All 50 Ways to Use BIG-IP
All 50 Ways to Use BIG-IP
F5 Networks
 

Andere mochten auch (20)

[LOWRES] Organisation Profile
[LOWRES] Organisation Profile[LOWRES] Organisation Profile
[LOWRES] Organisation Profile
 
Women to Watch - Meirini Sucahyo
Women to Watch - Meirini SucahyoWomen to Watch - Meirini Sucahyo
Women to Watch - Meirini Sucahyo
 
2015_02 Inside East Bali_FINAL
2015_02 Inside East Bali_FINAL2015_02 Inside East Bali_FINAL
2015_02 Inside East Bali_FINAL
 
Using the tape diagram
Using the tape diagramUsing the tape diagram
Using the tape diagram
 
mangrove
mangrovemangrove
mangrove
 
портфолио учащегося 9 класса ткаченко дмитрия
портфолио учащегося 9 класса ткаченко дмитрияпортфолио учащегося 9 класса ткаченко дмитрия
портфолио учащегося 9 класса ткаченко дмитрия
 
Panduan - Pengamanan Hutan
Panduan - Pengamanan HutanPanduan - Pengamanan Hutan
Panduan - Pengamanan Hutan
 
BACIK CISCO SKILLS
BACIK CISCO SKILLSBACIK CISCO SKILLS
BACIK CISCO SKILLS
 
raouf seyam CV October 2015
raouf seyam CV October 2015raouf seyam CV October 2015
raouf seyam CV October 2015
 
Big Ip Global Traffic Manager Ds
Big Ip Global Traffic Manager DsBig Ip Global Traffic Manager Ds
Big Ip Global Traffic Manager Ds
 
Firewall basics
Firewall basicsFirewall basics
Firewall basics
 
NAT Traversal
NAT TraversalNAT Traversal
NAT Traversal
 
VRF Lab WorkBook
VRF Lab WorkBookVRF Lab WorkBook
VRF Lab WorkBook
 
F5 BIG-IP Web-based Customer Training
F5 BIG-IP Web-based Customer TrainingF5 BIG-IP Web-based Customer Training
F5 BIG-IP Web-based Customer Training
 
Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12
 
проект сучасний урок української літератури анищенко н.в.
проект сучасний урок української літератури анищенко н.в.проект сучасний урок української літератури анищенко н.в.
проект сучасний урок української літератури анищенко н.в.
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
All 50 Ways to Use BIG-IP
All 50 Ways to Use BIG-IP All 50 Ways to Use BIG-IP
All 50 Ways to Use BIG-IP
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
 

Ähnlich wie Nat

Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
robertoxe
 
NAT and PAT
NAT and PATNAT and PAT
NAT and PAT
Muuluu
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 

Ähnlich wie Nat (20)

CCNA2 Verson6 Chapter9
CCNA2 Verson6 Chapter9CCNA2 Verson6 Chapter9
CCNA2 Verson6 Chapter9
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 9
 
Day 17.1 nat pat
Day 17.1 nat pat Day 17.1 nat pat
Day 17.1 nat pat
 
N at
N atN at
N at
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
 
NAT and PAT
NAT and PATNAT and PAT
NAT and PAT
 
Day 17.1 nat pat (2)
Day 17.1 nat pat  (2)Day 17.1 nat pat  (2)
Day 17.1 nat pat (2)
 
Icnd210 s07l01
Icnd210 s07l01Icnd210 s07l01
Icnd210 s07l01
 
Nat 07
Nat 07Nat 07
Nat 07
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)
 
Nat 03
Nat 03Nat 03
Nat 03
 
Approaching hyperconvergedopenstack
Approaching hyperconvergedopenstackApproaching hyperconvergedopenstack
Approaching hyperconvergedopenstack
 
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
Detailed explanation of Basic router configuration
Detailed explanation of Basic router configurationDetailed explanation of Basic router configuration
Detailed explanation of Basic router configuration
 
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
 Configuring a Cisco Router as a PPPoE Client for DSL Connectivity Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
Configuring a Cisco Router as a PPPoE Client for DSL Connectivity
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docxAll contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
 
Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4
 
Basic ASA Configuration, NAT in ASA Firewall
Basic ASA Configuration,NAT in ASA FirewallBasic ASA Configuration,NAT in ASA Firewall
Basic ASA Configuration, NAT in ASA Firewall
 

Kürzlich hochgeladen

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 

Kürzlich hochgeladen (20)

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 

Nat

  • 1. 1© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting NAT/PAT Config & Troubleshooting N.T.C 7/11/2015
  • 2. 222© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting Agenda  NAT Overview • NAT Operations • NAT Config & Troubleshooting • NAT Redundancy • NAT in MPLS/VRF environment
  • 3. 333© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting Why Use NAT? • Typical examples of NAT : – You need to connect to the Internet and your hosts do not have globally unique IP addresses – You change over to a new ISP that requires you to renumber your network – Two intranets with duplicate addresses merge Outside 10.1.1.1 10.1.1.2 Inside Internet NAT border router SA 200.1.1.1SA 10.1.1.1
  • 4. 444© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting NAT Implementation Considerations Advantages Conserves legally registered addresses Hide internal network Increases flexibility in IP addressing design Eliminates address renumbering as ISP changes Disadvantages Translation introduces switching path delays Certain applications will not function with NAT enabled
  • 5. 555© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting Private IP address ranges Class A - 10.0.0.0/8 Class B - 172.16.0.0/19 Class C – 192.168.0.0/16 • These IP addresses are not advertised on Internet. • Defined in RFC 1918 N.B. Even though NAT is typically used to translate a private IP to a public IP, there are scenarios where NAT is used to translate a private IP to another private IP or a public IP to private IP, etc…
  • 6. 666© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting Agenda • NAT Overview  NAT Operations • NAT Config & Troubleshooting • NAT Redundancy • NAT in MPLS/VRF environment
  • 7. 777© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting NAT Address Terminology Internet Inside 10.1.1.1 10.1.1.2 Host B 150.1.1.1 A C B B SA 10.1.1.1 DA 10.1.1.1 SA 200.1.1.1 DA 200.1.1.1 Inside Global IP Address 200.1.1.1 Inside Local IP Address 10.1.1.1 Outside Local IP Address 150.1.1.1 Outside Global IP Address 150.1.1.1 NAT table AB C
  • 8. 888© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting NAT & Routing Outside (Internet) Inside B (Private IP) • Inside Local (IL) → Typically learnt via IGP • Inside Global (IG) → ‘owned’ by NAT router, no local route, should be known Outside • Outside Global (OG) → Typically using a default route • Outside Local (OL) → ‘owned’ by NAT router, need local route pointing to Outside, should be advertised Inside IGP Default route
  • 9. 999© 2007 Cisco Systems, Inc. All rights reserved.NAT-Config/Troubleshooting NAT Operations • NAT functions: – Dynamic NAT – Dynamic NAT with overloading – Static NAT – Translation outside global addresses Internet Inside 10.1.1.1 10.1.1.2 Inside Local IP Address 10.1.1.1 10.1.1.2 NAT table Inside Global IP Address 200.1.1.1 200.1.1.2
  • 10. Translating Inside Local Addresses – Dynamic NAT
[Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router, Host B 150.1.1.1 on the Internet. A packet with SA 10.1.1.1 leaves as SA 200.1.1.1; the reply with DA 200.1.1.1 is delivered as DA 10.1.1.1.]
NAT table:
  Inside Local IP Address  Inside Global IP Address
  10.1.1.1                 200.1.1.1
  10.1.1.2                 200.1.1.2
  10.1.1.3                 200.1.1.3
• A pool of public IPs is defined [200.1.1.x]
• Need as many public IPs as internal hosts!
• Traffic should be initiated from Inside
• Not used often in practice
  • 11. Dynamic NAT with Overloading
[Diagram: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router reach Host B 150.1.1.1 and Host C 150.1.2.1; every packet leaves with SA 200.1.1.1 and replies arrive with DA 200.1.1.1.]
NAT table:
  Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Global IP Address:Port
  TCP       10.1.1.1:1024                 200.1.1.1:1024                 150.1.1.1:23
  TCP       10.1.1.2:1723                 200.1.1.1:1723                 150.1.1.1:23
  TCP       10.1.1.3:1024                 200.1.1.1:11024                150.1.1.1:23
  TCP       10.1.1.2:1024                 200.1.1.1:1024                 150.1.2.1:23
Same address is used for different internal users!
  • 12. Translating Inside Local Addresses – Static NAT
[Diagram: Web Server 10.1.1.5 and Mail Server 10.1.1.1 inside, NAT router with outside address 75.1.1.1, Host B 150.1.1.1 on the Internet.]
  10.1.1.5 → 75.1.1.1:80
  10.1.1.1 → 75.1.1.1:25
• Typically used to provide access from Outside to internal servers
• Can map TCP/UDP ports to different internal servers
  • 13. Translating Outside Global Addresses
Host B should appear as an inside host.
[Diagram: inside hosts 10.1.1.1 and 10.1.1.2, NAT router, Host B 150.1.1.1 on the Internet. Host 10.1.1.1 sends SA 10.1.1.1 / DA 10.1.1.100; the NAT router forwards it as SA 200.1.1.1 / DA 150.1.1.1. Host B replies with SA 150.1.1.1 / DA 200.1.1.1, delivered inside as SA 10.1.1.100 / DA 10.1.1.1.]
NAT table:
  Inside Global IP Address   200.1.1.1
  Inside Local IP Address    10.1.1.1
  Outside Local IP Address   10.1.1.100
  Outside Global IP Address  150.1.1.1
N.B. There should be a route for 10.1.1.100 pointing to Outside.
  • 14. NAT – Order of Operations
Inside to Outside:
• If IPSec then check input access list
• decryption for CET (Cisco Encryption Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• policy routing
• routing
• redirect to web cache
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context Based Access Control (CBAC))
• TCP intercept
• encryption
Outside to Inside:
• If IPSec then check input access list
• decryption for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• NAT outside to inside (global to local translation)
• policy routing
• routing
• redirect to web cache
• crypto (check map and mark for encryption)
• check output access list
• inspect CBAC
• TCP intercept
• encryption
  • 15. Agenda
• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting (current section)
• NAT Redundancy
• NAT in MPLS/VRF environment
  • 16. Translating Inside Local Addresses
[Diagram: same topology as slide 10: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router, Host B 150.1.1.1; SA 10.1.1.1 leaves as SA 200.1.1.1, DA 200.1.1.1 returns as DA 10.1.1.1.]
NAT table:
  Inside Local IP Address  Inside Global IP Address
  10.1.1.1                 200.1.1.1
  10.1.1.2                 200.1.1.2
  10.1.1.3                 200.1.1.3
– Static NAT
– Dynamic NAT
One public IP for every internal host!
  • 17. Static NAT Configuration Example
  ip nat inside source static 10.1.1.1 200.1.1.1
  ! OR
  ip nat inside source static network 10.1.1.0 200.1.1.0 /24
  !
  interface Ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
   ! This interface is connected to the inside network.
  !
  interface Serial0
   ip address 120.16.2.1 255.255.255.0
   ip nat outside
   ! This interface is connected to the outside world.

  NAT# sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  --- 200.1.1.1          10.1.1.1           ---                ---
  NAT#
  • 18. Static NAT – Example 1
[Diagram: Web Server 10.1.1.5 and Mail Server 10.1.1.1 inside, NAT router with outside address 75.1.1.1, Host B 150.1.1.1 on the Internet.]
  10.1.1.5 → 75.1.1.1:80
  10.1.1.1 → 75.1.1.1:25

  ip nat inside source static tcp 10.1.1.5 80 75.1.1.1 80
  ip nat inside source static tcp 10.1.1.1 25 75.1.1.1 25
  !
  interface Ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
  !
  interface Serial0
   ip address 75.1.1.1 255.255.255.0
   ip nat outside
  • 19. Static NAT – Example 2 – Port Rewrite
[Diagram: Web Server 10.1.1.2 and TFTP Server 10.1.1.8 inside, NAT router with outside address 75.1.1.1, Host B 150.1.1.1 on the Internet.]
  10.1.1.2:8080 → 75.1.1.1:80 [tcp]
  10.1.1.8:69   → 75.1.1.1:69 [udp]

  ip nat inside source static tcp 10.1.1.2 8080 75.1.1.1 80
  ip nat inside source static udp 10.1.1.8 69 75.1.1.1 69
  !
  interface Ethernet0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
  !
  interface Serial0
   ip address 75.1.1.1 255.255.255.0
   ip nat outside
  • 20. Static NAT – ARP cache
  ip nat inside source static 10.1.1.5 75.1.1.2
  !
  interface Ethernet0/0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
  !
  interface Ethernet1/0
   ip address 75.1.1.1 255.255.255.0
   ip nat outside
[Diagram: Inside on Eth0/0 (IN), outside Ethernet 75.1.1.0/24 on Eth1/0 (OUT) towards the Internet.]
  NAT#sh ip arp
  Protocol  Address          Age (min)  Hardware Addr   Type   Interface
  Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
  Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
  Internet  75.1.1.1                -   aabb.cc00.6601  ARPA   Ethernet1/0
  Internet  75.1.1.2                -   aabb.cc00.6601  ARPA   Ethernet1/0
→ ARP entry created for the inside global
N.B. For dynamic NAT, the ARP entry is created as soon as the first NAT entry is created for the inside global
  • 21. Static NAT Options
  NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 ?
    extendable  Extend this translation when used
    mapping-id  Associate a mapping id to this mapping
    no-alias    Do not create an alias for the global address
    no-payload  No translation of embedded address/port in the payload
    redundancy  NAT redundancy operation
    route-map   Specify route-map
    vrf         Specify vrf
    <cr>
  • 22. Static NAT Options – extendable
  NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 extendable
  NAT(config)#ip nat inside source static 10.1.1.1 100.1.1.1 extendable
[Diagram: inside User behind the NAT router; two uplinks, ISP1 (200.1.1.0/24) and ISP2 (100.1.1.0/24), towards the Internet and a Server.]
• Creates extended entries for every translated flow
• Necessary to support 2 entries for the same inside local IP
• The first packet sent by the user creates the extended entry, so traffic back from the server can use the same ISP
Remark: NAT has no influence on packet forwarding, i.e. packets coming in from ISP1 will be sent back with the source IP of ISP1, but CEF might send the packets through the ISP2 link!!!
  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local        Outside global
  tcp 200.1.1.1:23       10.1.1.1:23        150.1.1.1:64493      150.1.1.1:64993
  tcp 100.1.1.1:23       10.1.1.1:23        18.1.1.1:16564       18.1.1.1:16564
  --- 200.1.1.1          10.1.1.1           ---                  ---
  --- 100.1.1.1          10.1.1.1           ---                  ---
  • 23. Extended entries
  NAT(config)# no ip nat create flow-entries
• Extended entries are automatically created in all recent releases
• Use the command above to disable the automatic creation of extended entries
• The extendable keyword can then be used to create extended entries for selected static NAT entries
  • 24. Static NAT Options – no-alias
  NAT(config)#ip nat inside source static 10.1.1.1 120.16.1.5 no-alias
[Diagram: Inside on Eth0/0 (IN), outside Ethernet 120.16.1.0/24 on Eth1/0 (OUT) towards the Internet.]
  NAT#sh ip arp
  Protocol  Address          Age (min)  Hardware Addr   Type   Interface
  Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
  Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
  Internet  120.16.2.2            122   aabb.cc00.6700  ARPA   Ethernet1/0
  Internet  120.16.2.1              -   aabb.cc00.6601  ARPA   Ethernet1/0
  Internet  120.16.2.5              -   aabb.cc00.6601  ARPA   Ethernet1/0
→ no ARP entry created for the inside global
  • 25. Static NAT Options – no-payload / route-map
  NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 no-payload
• The source IP/port appears in the payload of many applications
• IOS NAT code supports payload modification (ALG – Application Layer Gateway) for some applications (FTP, H323, DNS, …) BUT not all
• Can specify the port number used by an application (if different from the default) with the "ip nat service" global configuration command
• The no-payload option disables the ALG (payload modification) for this entry
N.B. There is no way to disable the ALG for dynamic NAT

  ip nat inside source static 10.1.1.1 200.1.1.1 route-map COND [reversible]
  !
  access-list 150 permit tcp any host 150.1.1.1
  !
  route-map COND permit 10
   match ip address 150
• Adds conditions to a static NAT entry (only an acl in the route-map is supported)
• Only traffic matching the route-map is allowed to be translated
• Works from OUT to IN since CSCec54909 (12.4(2.11)) with the "reversible" keyword
  • 26. Dynamic NAT Configuration
  ip nat pool PUBLIC 200.1.1.1 200.1.1.254 netmask 255.255.255.0
  ip nat inside source list 1 pool PUBLIC
  !
  access-list 1 permit 10.1.1.0 0.0.0.255
N.B. Traffic should be initiated from inside, but once an inside local is associated with an inside global, other sessions could be initiated from outside
  NAT#sh ip nat translations
  NAT#
  NAT# ! No entry as long as no traffic received from inside
  NAT#
  NAT# ! We generate traffic …
  NAT#
  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  tcp 200.1.1.1:27354    10.1.1.1:27354     150.1.1.1:23       150.1.1.1:23
  --- 200.1.1.1          10.1.1.1           ---                ---
  tcp 200.1.1.2:16554    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
  --- 200.1.1.2          10.1.1.5           ---                ---
  • 27. Dynamic NAT Pool Options
  NAT(config)#ip nat pool PUBLIC prefix-length 24
  NAT(config-ipnat-pool)#address 200.1.1.1 200.1.1.10
  NAT(config-ipnat-pool)#address 100.1.1.1 100.1.1.20
• Can define a discontinuous pool
• Prefix-length defines the host part

  ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 type match-host
• Keeps the host part in the translation
• If not possible, no translation occurs
• Addresses are prepopulated (consume memory) CSCdp05523

  ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 add-route
• Adds a static route pointing to the NVI (NAT Virtual Interface)
• The static route subnet mask is the prefix-length defined in the pool
• Used in a VRF environment where NAT NVI is required
  • 28. Dynamic NAT Options
  NAT(config)#ip nat inside source list 1 pool PUBLIC ?
    mapping-id  Associate a mapping id to this mapping
    overload    Overload an address translation
    reversible  Allow out->in traffic
    vrf         Specify vrf
  • 29. Dynamic NAT Options – overload
[Diagram: same topology as slide 11: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach Host B 150.1.1.1 and Host C 150.1.2.1 through the single inside global 200.1.1.1.]
NAT table:
  Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Global IP Address:Port
  TCP       10.1.1.1:1024                 200.1.1.1:1024                 150.1.1.1:23
  TCP       10.1.1.2:1723                 200.1.1.1:1723                 150.1.1.1:23
  TCP       10.1.1.3:1024                 200.1.1.1:11024                150.1.1.1:23
  TCP       10.1.1.2:1024                 200.1.1.1:1024                 150.1.2.1:23
Same address is used for different internal users!
  • 30. Dynamic NAT Config with Overloading
  ip nat pool ovrld-nat 200.1.1.1 200.1.1.1 netmask 255.255.255.0
  ip nat inside source list 1 pool ovrld-nat overload
  ! OR
  ip nat inside source list 1 interface Serial0/0 overload
  !
  access-list 1 permit 10.1.1.0 0.0.0.255

  NAT#sh ip nat translations
  NAT#
  NAT# ! No entry as long as no traffic received from inside
  NAT#
  NAT# ! We generate traffic …
  NAT#
  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  tcp 200.1.1.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
  tcp 200.1.1.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
  icmp 200.1.1.1:9       10.1.1.2:9         150.1.1.1:9        150.1.1.1:9
  • 31. Dynamic NAT Options
  NAT(config)#ip nat inside source ?
    list       Specify access list describing local addresses
    route-map  Specify route-map
    static     Specify static local->global mapping
• Using list only checks the source IP → standard access-list. An extended acl should be used via a route-map
• Using route-map enforces conditional NAT, i.e. only packets matching the route-map are translated. Can use an extended acl, or match on interface/next-hop
  • 32. Dynamic NAT Options – route-map
• Example 1
  – All HTTP traffic is seen outside as coming from 200.1.1.1
  – All TELNET traffic is seen outside as coming from 200.1.1.2
  – The rest of the traffic is seen as coming from 200.1.1.3

  ip nat pool PUB_1 200.1.1.1 200.1.1.1 netmask 255.255.255.0
  ip nat pool PUB_2 200.1.1.2 200.1.1.2 netmask 255.255.255.0
  ip nat pool PUB_3 200.1.1.3 200.1.1.3 netmask 255.255.255.0
  !
  ip nat inside source route-map WWW pool PUB_1 overload
  ip nat inside source route-map TELNET pool PUB_2 overload
  ip nat inside source route-map OTHERS pool PUB_3 overload
  !
  route-map WWW permit 10
   match ip address 150
  route-map TELNET permit 10
   match ip address 151
  route-map OTHERS deny 10
   match ip address 150 151
  route-map OTHERS permit 20
  !
  access-list 150 permit tcp any any eq www
  access-list 151 permit tcp any any eq telnet

  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  icmp 200.1.1.3:7       10.1.1.1:7         150.1.1.1:7        150.1.1.1:7
  tcp 200.1.1.2:11158    10.1.1.1:11158     150.1.1.1:23       150.1.1.1:23
  tcp 200.1.1.1:37312    10.1.1.1:37312     150.1.1.1:80       150.1.1.1:80
  • 33. Dynamic NAT Options – route-map
• Example 2
  – A single link to reach the Internet and Intranet remote sites
  – Translation only if the destination IP is a public IP
[Diagram: Inside (In) – NAT router – single link (Out) carrying Internet + Intranet traffic towards the Internet and an Intranet remote site over MPLS/VPN.]

  ip nat pool PUB 200.1.1.1 200.1.1.1 netmask 255.255.255.0
  !
  ip nat inside source route-map COND pool PUB overload
  !
  route-map COND deny 10
   match ip address 150
  route-map COND permit 20
  !
  access-list 150 permit ip any 10.0.0.0 0.255.255.255
  access-list 150 permit ip any 172.16.0.0 0.0.7.255
  access-list 150 permit ip any 192.168.0.0 0.0.255.255
  • 34. Translating Outside Global Addresses – Static
Host B should appear as an inside host.
[Diagram: same as slide 13: inside hosts 10.1.1.1 and 10.1.1.2, NAT router, Host B 150.1.1.1. Host 10.1.1.1 sends SA 10.1.1.1 / DA 10.1.1.100, forwarded as SA 200.1.1.1 / DA 150.1.1.1; Host B replies SA 150.1.1.1 / DA 200.1.1.1, delivered inside as SA 10.1.1.100 / DA 10.1.1.1.]
NAT table:
  Inside Global IP Address   200.1.1.1
  Inside Local IP Address    10.1.1.1
  Outside Local IP Address   10.1.1.100
  Outside Global IP Address  150.1.1.1
  • 35. Configuration Example
  ip nat inside source static 10.1.1.1 200.1.1.1
  ip nat outside source static 150.1.1.1 10.1.1.100
  !
  interface Ethernet0/0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
  !
  interface Serial0/0
   ip address 120.16.2.1 255.255.255.0
   ip nat outside
  !
  ip route 10.1.1.100 255.255.255.255 120.16.2.2

  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  --- ---                ---                10.1.1.100         150.1.1.1
  icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.100:2       150.1.1.1:2
  --- 200.1.1.1          10.1.1.1           ---                ---
From inside to outside, routing occurs before NAT, so there must be a route for the destination of the original (untranslated) packet.
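The two-way translation of this slide, as an added example (not Cisco code): a small model of the router that applies the order of operations from slide 14 (inside→outside routes first, then translates; outside→inside translates first, then routes), with a toggle that shows why the host route for 10.1.1.100 is required. Interface names and the default route are assumptions.

```python
"""Model of slide 35: inside static 10.1.1.1 <-> 200.1.1.1, outside static
150.1.1.1 <-> 10.1.1.100, and the host route for 10.1.1.100.

Added example, not Cisco code.  Order of operations follows slide 14:
inside->outside, routing runs BEFORE NAT (so the lookup uses the outside-local
destination 10.1.1.100); outside->inside, NAT runs BEFORE routing.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, str, str, str]   # (action, egress interface, new SA, new DA)


class NatRouter:
    def __init__(self, routes: List[Tuple[str, str]],
                 inside_static: Dict[str, str], outside_static: Dict[str, str]):
        # routes: (prefix, egress interface), resolved by longest match
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.il_to_ig = dict(inside_static)            # ip nat inside source static IL IG
        self.ig_to_il = {g: l for l, g in inside_static.items()}
        self.og_to_ol = dict(outside_static)           # ip nat outside source static OG OL
        self.ol_to_og = {l: g for g, l in outside_static.items()}

    def route(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def inside_to_outside(self, sa: str, da: str) -> Result:
        egress = self.route(da)                        # routing first, on the original DA
        if egress is None:
            return ("drop", "", sa, da)
        if egress != "outside":
            return ("forward", egress, sa, da)         # never reaches the NAT step
        return ("forward", egress,
                self.il_to_ig.get(sa, sa),             # inside local -> inside global
                self.ol_to_og.get(da, da))             # outside local -> outside global

    def outside_to_inside(self, sa: str, da: str) -> Result:
        new_sa = self.og_to_ol.get(sa, sa)             # global -> local translation first
        new_da = self.ig_to_il.get(da, da)
        egress = self.route(new_da)                    # then routing on the translated DA
        if egress is None:
            return ("drop", "", new_sa, new_da)
        return ("forward", egress, new_sa, new_da)


def slide35_router(with_host_route: bool = True) -> NatRouter:
    """Routing table of the slide; the default route is an assumption."""
    routes = [("10.1.1.0/24", "inside"),          # connected, Ethernet0/0
              ("120.16.2.0/24", "outside"),       # connected, Serial0/0
              ("0.0.0.0/0", "outside")]           # assumed default route to the Internet
    if with_host_route:
        # ip route 10.1.1.100 255.255.255.255 120.16.2.2
        routes.append(("10.1.1.100/32", "outside"))
    return NatRouter(routes, {"10.1.1.1": "200.1.1.1"}, {"150.1.1.1": "10.1.1.100"})


if __name__ == "__main__":
    r = slide35_router()
    print(r.inside_to_outside("10.1.1.1", "10.1.1.100"))   # goes out as 200.1.1.1 -> 150.1.1.1
    print(r.outside_to_inside("150.1.1.1", "200.1.1.1"))   # delivered as 10.1.1.100 -> 10.1.1.1
    # without the host route the packet is routed to the connected 10.1.1.0/24
    # on the inside interface and is never translated
    print(slide35_router(False).inside_to_outside("10.1.1.1", "10.1.1.100"))
```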
  • 36. Translating Outside Global Addresses – Dynamic
All hosts on the Internet should appear as internal hosts [10.1.1.128-159]
[Diagram: inside hosts 10.1.1.1 and 10.1.1.2 behind the NAT router; Internet hosts 150.1.1.1 and 180.1.1.1 reach the inside host 10.1.1.1 through its inside global 200.1.1.1, each seen inside under an address from the 10.1.1.128-159 pool.]
NAT table:
  Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Local IP Address:Port  Outside Global IP Address:Port
  TCP       10.1.1.1:80                   200.1.1.1:80                   10.1.1.128:1024                150.1.1.1:1024
  TCP       10.1.1.1:80                   200.1.1.1:80                   10.1.1.129:1024                180.1.1.1:1024
Overloading not supported
  • 37. Configuration Example
  ip nat pool OUT 10.1.1.128 10.1.1.159 prefix-length 24
  ip nat inside source static 10.1.1.1 200.1.1.1
  ip nat outside source list 1 pool OUT
  !
  interface Ethernet0/0
   ip address 10.1.1.10 255.255.255.0
   ip nat inside
  !
  interface Serial0/0
   ip address 120.16.2.1 255.255.255.0
   ip nat outside
  !
  ip route 10.1.1.128 255.255.255.224 serial 0/0
  !
  access-list 1 permit any

  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  --- ---                ---                10.1.1.128         150.1.1.1
  --- ---                ---                10.1.1.129         180.1.1.1
  icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.128:2       150.1.1.1:2
  icmp 200.1.1.1:3       10.1.1.1:3         10.1.1.129:3       180.1.1.1:3
  --- 200.1.1.1          10.1.1.1           ---                ---
N.B. There should be a route for the pool used for outside source translation
  • 38. NAT timeout
  NAT(config)#ip nat translation ?
    dns-timeout             Specify timeout for NAT DNS flows
    finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
    icmp-timeout            Specify timeout for NAT ICMP flows
    max-entries             Specify maximum number of NAT entries
    port-timeout            Specify timeout for NAT TCP/UDP port specific flows
    pptp-timeout            Specify timeout for NAT PPTP flows
    routemap-entry-timeout  Specify timeout for routemap created half entry
    syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
    tcp-timeout             Specify timeout for NAT TCP flows
    timeout                 Specify timeout for dynamic NAT translations
    udp-timeout             Specify timeout for NAT UDP flows
• Dynamic NAT entries should be deleted when they are not used anymore
• Each NAT entry has an inactivity counter (shown as "left …" in the verbose translation output)
• There are different timeouts depending on the type of traffic
• All these timeouts are reset when a packet uses the entry
• The basic timeout (when nothing else matches) is by default set to 86400 sec (1 day)
• With a huge number of NAT entries, maintaining the timeouts is very CPU intensive and could cause high CPU utilization (IP NAT Ager process)
  • 39. VFR (Virtual Fragment Reassembly)
  NAT(config-if)# ip virtual-reassembly
• Layer 4 (TCP, UDP) information is available only in the first fragment of an IP packet
• NAT cannot do overloading without Layer 4 information
• The idea is for the NAT router to reassemble the packet although it is not the destination of the packet
• This command is automatically added when NAT is enabled on an interface
• Can specify the following options:
  – max-reassemblies (default 64): max number of fragments belonging to different IP packets which could be stored at any given time
  – max-fragments (default 16): max number of fragments stored for a given IP packet
  – timeout (default 3 sec): max time to receive all fragments of an IP packet
  • 40. NAT Services
  NAT(config)#ip nat service ?
    H225                          H323-H225 protocol
    allow-h323-even-rtp-ports     Allow even RTP ports for H323
    allow-h323-keepalive          Allow H323 KeepAlive
    allow-sip-even-rtp-ports      Allow even RTP ports for SIP
    allow-skinny-even-rtp-ports   Allow even RTP ports for Skinny
    fullrange                     allocate all available port of 1 to 65535
    list                          Specify access list describing global addresses
    ras                           H323-RAS protocol
    sip                           SIP protocol
    skinny                        skinny protocol
  • 41. NAT Services
  NAT(config)# ip nat service allow-h323-keepalive
• Introduced by CSCsa62551
• Background: when NAT modifies the payload, the length of the TCP segment might change, so the ALG uses a sequence fixup to adapt the TCP seq# accordingly. This seq-fixup keeps track of the next expected seq# and the delta, and adapts the seq# if it is equal to or higher than the expected next seq#.
• Problem: an H323 KA (keepalive) uses the previous seq# – 1, so the seq-fixup does not work for H323 KA
• This feature modifies the seq-fixup to take care of H323 KA
• Disabled by default
• Needs to be enabled when TCP keepalives are sent on the H323 port (1720)
  • 42. NAT Services
  NAT(config)# ip nat service allow-h323-even-rtp-ports
  NAT(config)# ip nat service allow-sip-even-rtp-ports
  NAT(config)# ip nat service allow-skinny-even-rtp-ports
• Introduced by CSCsa86914
• Background: RTP sessions classically use even UDP port numbers and the related RTCP sessions use the next available port (odd port). Some applications accept only RTP sessions using an even port and refuse RTP sessions using an odd port.
• NAT selects the next available port+1 for the H323/SIP/SKINNY fixup in the NAT translations. NAT does NOT check for an even/odd pair for the RTP/RTCP port numbers.
• This feature changes the H323/SIP/SKINNY fixup to use only even ports for RTP sessions
• Needs to be enabled when the application expects RTP to use even ports only.
  • 43. NAT Services
  NAT(config)# ip nat service fullrange udp/tcp port [1-511]
• Introduced by CSCed93887
• Background: when NAT modifies a port, it uses a new port in the same range as the original port. The ranges are [1-511], [512-1023] and [1024-65535].
• Problem: when many sessions with the same source port are initiated, NAT could run out of free ports in that range. A typical example is IKE, which uses source UDP port 500.
• This feature allows NAT to use the full port range [1-65535] for packets coming in with the source port specified in the command
• Example: 'ip nat service fullrange udp port 500' allows NAT to use the full port range for IKE traffic. Otherwise, only 511 IKE connections are allowed
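The overload behaviour of slides 11/30, the route-map pool selection of slide 32 and the port-range rule of this slide, as one added example (not Cisco code): a simulated PAT table that preserves the original source port when it is free, otherwise picks the next free port in the same range, and, for ports listed with fullrange, falls back to the whole 1-65535 range. The exact order in which real IOS picks a replacement port is assumed; access-list 1 is modelled as "source in 10.1.1.0/24".

```python
"""Model of IOS-style dynamic NAT with overloading (PAT).

Added example, not Cisco code.  It mirrors what the slides describe:
  * inside-source rules are tried in order (route-map style, here matched on the
    destination TCP port), each rule owning a single-address pool (slide 32);
  * with overload the inside-global port is the original source port when free,
    otherwise the next free port in the same range [1-511], [512-1023], [1024-65535];
  * 'ip nat service fullrange' lets a listed source port fall back to 1-65535,
    so IKE (UDP 500) is no longer capped at 511 sessions (slide 43).
The replacement-port search order is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]                      # (ip, port)
PORT_RANGES = [(1, 511), (512, 1023), (1024, 65535)]


def port_range(port: int) -> Tuple[int, int]:
    """Return the IOS port range the given port belongs to."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} outside 1-65535")


@dataclass
class Rule:
    """One 'ip nat inside source route-map X pool Y overload' line."""
    name: str
    match: Callable[[str, str, int], bool]      # (src_ip, dst_ip, dst_port) -> bool
    global_ip: str                              # single-address pool


@dataclass
class Entry:
    proto: str
    inside_local: Endpoint
    inside_global: Endpoint
    outside_global: Endpoint


@dataclass
class PatTable:
    rules: List[Rule]
    fullrange: Dict[str, Set[int]] = field(default_factory=lambda: {"tcp": set(), "udp": set()})
    entries: List[Entry] = field(default_factory=list)
    used: Set[Tuple[str, str, int]] = field(default_factory=set)   # (proto, ig_ip, ig_port)

    def service_fullrange(self, proto: str, port: int) -> None:
        """'ip nat service fullrange <proto> port <port>'."""
        self.fullrange.setdefault(proto, set()).add(port)

    def _alloc_port(self, proto: str, ig_ip: str, wanted: int) -> Optional[int]:
        if (proto, ig_ip, wanted) not in self.used:
            self.used.add((proto, ig_ip, wanted))
            return wanted                       # "wanted 500 got 500"
        full = wanted in self.fullrange.get(proto, set())
        lo, hi = (1, 65535) if full else port_range(wanted)
        for port in range(lo, hi + 1):          # assumed search order: lowest free port
            if (proto, ig_ip, port) not in self.used:
                self.used.add((proto, ig_ip, port))
                return port
        return None                             # range exhausted: translation fails

    def translate(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Entry]:
        """Translate an inside->outside packet; None means it is not translated."""
        for e in self.entries:                  # reuse the existing extended entry
            if (e.proto, e.inside_local, e.outside_global) == (proto, src, dst):
                return e
        rule = next((r for r in self.rules if r.match(src[0], dst[0], dst[1])), None)
        if rule is None:
            return None                         # no mapping matched: forwarded untranslated
        port = self._alloc_port(proto, rule.global_ip, src[1])
        if port is None:
            return None
        entry = Entry(proto, src, (rule.global_ip, port), dst)
        self.entries.append(entry)
        return entry


def slide32_table() -> PatTable:
    """The three route-map rules of slide 32 (WWW, TELNET, OTHERS)."""
    inside = lambda ip: ip.startswith("10.1.1.")        # stands in for access-list 1
    return PatTable(rules=[
        Rule("WWW", lambda s, d, p: inside(s) and p == 80, "200.1.1.1"),
        Rule("TELNET", lambda s, d, p: inside(s) and p == 23, "200.1.1.2"),
        Rule("OTHERS", lambda s, d, p: inside(s), "200.1.1.3"),
    ])


if __name__ == "__main__":
    nat = slide32_table()
    for proto, src, dst in [("tcp", ("10.1.1.1", 37312), ("150.1.1.1", 80)),
                            ("tcp", ("10.1.1.1", 11158), ("150.1.1.1", 23)),
                            ("tcp", ("10.1.1.2", 1024), ("150.1.1.1", 23)),
                            ("tcp", ("10.1.1.3", 1024), ("150.1.1.1", 23))]:
        e = nat.translate(proto, src, dst)
        print(proto, src, "->", e.inside_global, "to", dst)
```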
  • 44. NAT Services – IPSEC
  NAT(config)# ip nat service list <acl> ESP spi-match
• Introduced by CSCdw17198
• The acl should match the outside global address of the IPSEC server/concentrator
• Background:
  – IPSEC peers can negotiate NAT-T (NAT Traversal) to add a UDP header on top of ESP packets, so NAT can use the UDP port for overloading
  – NAT-T is on by default on IOS devices → use '(config)#no crypto ipsec nat-transparency udp-encaps' on the IPSEC client/server to disable it
  – Without NAT-T, NAT uses the SPI (part of the ESP header) for overloading
  – The difficulty comes from the fact that there is one SPI per direction, so the NAT router has to 'bind' both SPIs
• Limitations:
  – The NAT router accepts only one connection to the same outside server at a time as long as the SPI binding is not done. Once the SPI binding is done, another connection can be initiated
  – The NAT router should first see the ESP packet from IN to OUT
  • 45. NAT Services – IPSEC
[Diagram: IPSEC clients 10.1.1.0/24 (.1, .2, .3) on the IN interface, NAT router, Internet, IPSEC Server 150.1.1.1 on the OUT side.]
  NAT#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  esp 200.1.1.1:0        10.1.1.1:SPI1      150.1.1.1:0        150.1.1.1:0
  esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:SPI2
• Client 1 initiates a connection with SPI1; this creates the first NAT entry
• If at that moment client 2 initiates a connection to the same server, this packet is dropped by the NAT router
• When the server replies (with SPI2) to client 1's request, a second NAT entry is created and associated with the first one, i.e. any ESP packets from the server with SPI2 are dispatched to client 1
  • 46. NAT Services – IPSEC
  *Apr 13 12:09:03.307: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=5940943A, IG=200.1.1.1
  *Apr 13 12:09:03.307: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0x5940943A, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
  *Apr 13 12:09:03.307: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
  *Apr 13 12:09:03.307: NAT: creating portlist proto 50 globaladdr 200.1.1.1
  *Apr 13 12:09:03.307: NAT: creating ESP portlist for IG=200.1.1.1
  *Apr 13 12:09:03.311: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [80]
  *Apr 13 12:09:03.311: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [80]
  ....
  [server doesn't reply for any reason]
  *Apr 13 12:09:13.415: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [88]
  *Apr 13 12:09:13.415: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [88]
  ....
  [a second client tries to establish an IPSEC connection to the same server]
  *Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
  *Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
  *Apr 13 12:09:47.059: NAT*: Can't create new inside entry - forced_punt_flags: 0
  *Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
  *Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
  *Apr 13 12:09:47.059: NAT: translation failed (A), dropping packet s=10.1.1.2 d=150.1.1.1
  *Apr 13 12:10:04.711: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [98]
  *Apr 13 12:10:04.711: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [98]
  *Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
  ...
  [SPI of the first session is bound -> now the second client can establish an ESP connection]
  *Apr 13 12:10:12.587: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
  *Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
  *Apr 13 12:10:12.587: NAT: IPSec: Inside host (IL=10.1.1.2) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
  *Apr 13 12:10:12.591: NAT: i: esp (10.1.1.2, 0x1BF6BAA5) -> (150.1.1.1, 0x0) [22]
  *Apr 13 12:10:12.591: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [22]
  *Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2

  NAT#sh ip nat translations
  Pro Inside global      Inside local         Outside local      Outside global
  esp 200.1.1.1:0        10.1.1.1:0           150.1.1.1:0        150.1.1.1:7FB18572
  esp 200.1.1.1:0        10.1.1.1:5940943A    150.1.1.1:0        150.1.1.1:0
  esp 200.1.1.1:0        10.1.1.2:0           150.1.1.1:0        150.1.1.1:1093AEB7
  esp 200.1.1.1:0        10.1.1.2:1BF6BAA5    150.1.1.1:0        150.1.1.1:0
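The SPI binding sequence of slides 44-46, and the SPI-matching variant of slides 47-48, as one added example (not Cisco code): a model of the ESP translation state that reproduces the debug above (first client creates a half entry, second client is dropped until the server's reply SPI is bound) and shows why spi-match removes that limitation. The SPI derivation used for spi-match (MD5 of the initiator SPI, first 4 bytes) is an assumption standing in for the real algorithm, which the deck does not specify.

```python
"""Model of IOS NAT ESP overloading without NAT-T (slides 44-46) and with
SPI matching (slides 47-48).  Added example, not Cisco code.

Without spi-match the router keeps a half entry for the first inside client
to a server and drops a second client's ESP until the server's reply SPI has
been bound.  With spi-match the responder SPI is derived from the initiator
SPI, so the Out->In entry is created at once and several clients may start.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def expected_responder_spi(initiator_spi: int) -> int:
    """Assumed stand-in for the SPI-matching derivation (MD5 of the SPI)."""
    digest = hashlib.md5(initiator_spi.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class EspEntry:
    inside_local: str
    outside_global: str
    inside_spi: Optional[int] = None     # SPI seen on In->Out packets
    outside_spi: Optional[int] = None    # SPI seen on Out->In packets, None until bound


class EspNat:
    def __init__(self, inside_global: str, spi_match_servers: Tuple[str, ...] = ()):
        self.ig = inside_global
        self.spi_match = set(spi_match_servers)   # ip nat service list <acl> ESP spi-match
        self.entries: List[EspEntry] = []
        self.pending: Dict[str, str] = {}         # server -> client waiting for Out->In reply

    def in_to_out(self, il: str, spi: int, og: str) -> Tuple[str, str]:
        if any(e.inside_local == il and e.outside_global == og for e in self.entries):
            return ("translate", f"s={il}->{self.ig}, d={og}")
        if og not in self.spi_match and og in self.pending:
            # the limitation of slide 44: one unbound connection per server
            return ("drop", f"another inside host ({self.pending[og]}) is trying to "
                            f"open an ESP conn to {og}, cannot process request from {il}")
        self.entries.append(EspEntry(il, og, inside_spi=spi))
        if og in self.spi_match:
            # reply SPI is predictable: create the Out->In entry right away
            self.entries.append(EspEntry(il, og, outside_spi=expected_responder_spi(spi)))
        else:
            self.pending[og] = il
        return ("translate", f"s={il}->{self.ig}, d={og}")

    def out_to_in(self, og: str, spi: int) -> Tuple[str, str]:
        for e in self.entries:                    # already bound (or pre-computed) SPI
            if e.outside_global == og and e.outside_spi == spi:
                return ("translate", f"s={og}, d={self.ig}->{e.inside_local}")
        if og in self.pending:                    # first reply: bind this SPI to the waiting client
            il = self.pending.pop(og)
            self.entries.append(EspEntry(il, og, outside_spi=spi))
            return ("translate", f"s={og}, d={self.ig}->{il}")
        return ("drop", f"no ESP translation for SPI 0x{spi:08X} from {og}")

    def show_translations(self) -> List[str]:
        """Rows in the style of the 'esp' lines of 'show ip nat translations'."""
        rows = []
        for e in self.entries:
            il = f"{e.inside_local}:{e.inside_spi:08X}" if e.inside_spi else f"{e.inside_local}:0"
            og = f"{e.outside_global}:{e.outside_spi:08X}" if e.outside_spi else f"{e.outside_global}:0"
            rows.append(f"esp {self.ig}:0 {il} {e.outside_global}:0 {og}")
        return rows


if __name__ == "__main__":
    nat = EspNat("200.1.1.1")
    print(nat.in_to_out("10.1.1.1", 0x5940943A, "150.1.1.1"))   # half entry created
    print(nat.in_to_out("10.1.1.2", 0x1BF6BAA5, "150.1.1.1"))   # dropped, as in the debug
    print(nat.out_to_in("150.1.1.1", 0x7FB18572))               # binds SPI2 to 10.1.1.1
    print(nat.in_to_out("10.1.1.2", 0x1BF6BAA5, "150.1.1.1"))   # now accepted
    print(nat.out_to_in("150.1.1.1", 0x1093AEB7))               # binds to 10.1.1.2
    print("\n".join(nat.show_translations()))
```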
  • 47. NAT Services – SPI matching
  NAT(config)# ip nat service list 1 ESP spi-match
  NAT(config)# access-list 1 permit 150.1.1.1
• If the IPSEC responder supports SPI matching (on a Cisco IOS device: (config)# crypto ipsec nat-transparency spi-matching), the SPI used by the responder is not randomly generated anymore but computed from an MD5 hash of the incoming SPI
• This allows the NAT router to calculate the SPI of the out-to-in ESP packets once the first in-to-out ESP packet is received
• This allows many inside clients to simultaneously initiate ESP connections to the same outside server
• Disabled by default
• If the outside server (150.1.1.1) uses SPI matching, this command enables SPI matching for this server on the NAT router
• Remark: if a server matched in the acl does NOT use SPI matching, the ESP session cannot be translated (the return packet is dropped)!
  • 48. NAT Services – SPI-matching
  *Apr 13 14:09:40.899: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=ED19E956, IG=200.1.1.1
  *Apr 13 14:09:40.899: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0xED19E956, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
  *Apr 13 14:09:40.899: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP conn to Outside host (OG=150.1.1.1), wait for Out->In reply
  *Apr 13 14:09:40.899: NAT: creating portlist proto 50 globaladdr 200.1.1.1
  *Apr 13 14:09:40.899: NAT: creating ESP portlist for IG=200.1.1.1
  *Apr 13 14:09:40.899: NAT: i: esp (10.1.1.1, 0xED19E956) -> (150.1.1.1, 0x0) [184]
  *Apr 13 14:09:40.899: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [184]
  …
  [ESP packet from the server is received and it matches the calculated SPI]
  *Apr 13 14:09:40.903: NAT: ESP: SPIs matched
  *Apr 13 14:09:40.903: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x5FF2220B, IG=200.1.1.1, IL=10.1.1.1

  NAT#sh ip nat translations
  Pro Inside global      Inside local         Outside local      Outside global
  esp 200.1.1.1:0        10.1.1.1:0           150.1.1.1:0        150.1.1.1:5FF2220B
  esp 200.1.1.1:0        10.1.1.1:ED19E956    150.1.1.1:0        150.1.1.1:0
  • 49. NAT Services
  NAT(config)# ip nat service list <acl> IKE preserve-port
• Introduced by CSCdu76854 – see ENG-114802
• The acl should match the outside global address of the IPSEC server/concentrator
• Source port 500 is preserved; multiplexing is done on the initiator cookie (part of the IKE header)
• The initiator cookie is visible with 'show ip nat translations verbose'
• Disabled by default (breaks some IPSEC implementations in Phase 1 rekeying)

  NAT(config)# ip nat service list <acl> ftp tcp port <1-65535>
• The acl should match the outside global address of the FTP server
• Allows the FTP server to use a non-default port (21) for the control session
50. NAT Services – IKE Preserve-port

    *Apr 13 15:29:08.179: NAT: address not stolen for 10.1.1.1, proto 17 port 500
    *Apr 13 15:29:08.179: NAT: preserving IKE port for source addr 10.1.1.1, destination addr 150.1.1.1, initiator cookie 0x4EBDB5C
    *Apr 13 15:29:08.179: NAT: [0] Allocated Port for 10.1.1.1 -> 200.1.1.1: wanted 500 got 500
    *Apr 13 15:29:08.179: NAT: i: udp (10.1.1.1, 500) -> (150.1.1.1, 500) [258]
    *Apr 13 15:29:08.179: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [258]
    *Apr 13 15:29:08.243: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [302]
    *Apr 13 15:29:08.243: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.1 [302]
    ...

[a second inside client initiates an IKE session]

    *Apr 13 15:29:25.135: NAT: preserving IKE port for source addr 10.1.1.2, destination addr 150.1.1.1, initiator cookie 0x28810D1E
    *Apr 13 15:29:25.135: NAT: [0] Allocated Port for 10.1.1.2 -> 200.1.1.1: wanted 500 got 3

[without the IKE preserve-port command, the source UDP port would have been set to 3]

    *Apr 13 15:29:25.139: NAT: i: udp (10.1.1.2, 500) -> (150.1.1.1, 500) [72]
    *Apr 13 15:29:25.139: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [72]
    *Apr 13 15:29:25.207: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [306]
    *Apr 13 15:29:25.207: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.2 [306]

[out-to-in packets are dispatched to the correct internal host based on the initiator cookie]

    NAT#sh ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    udp 200.1.1.1:500      10.1.1.1:500       150.1.1.1:500      150.1.1.1:500
    udp 200.1.1.1:500      10.1.1.2:500       150.1.1.1:500      150.1.1.1:500

    NAT#sh ip nat translations verbose
    Pro Inside global      Inside local       Outside local      Outside global
    udp 200.1.1.1:500      10.1.1.1:500       150.1.1.1:500      150.1.1.1:500
        create 00:00:29, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
        flags: extended, use_count: 0, entry-id: 40, lc_entries: 0
        initiator cookie: 0xAFD17956, Entry type : 0
    udp 200.1.1.1:500      10.1.1.2:500       150.1.1.1:500      150.1.1.1:500
        create 00:00:12, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
        flags: extended, use_count: 0, entry-id: 41, lc_entries: 0
        initiator cookie: 0x9716334C, Entry type : 0
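The following Python model is an added example, not code from the Cisco deck: it reproduces what the debug output above shows. Two inside hosts both start IKE (UDP/500) to the same concentrator; with preserve-port both keep inside global port 500 and replies are dispatched on the ISAKMP initiator cookie (first 8 bytes of the header), without it the second host gets an ordinary PAT port. Addresses and cookies reuse the slide's values; the fallback port allocator and the ISAKMP header construction are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Addr = Tuple[str, int]          # (IP address, UDP port)
IKE_PORT = 500


def initiator_cookie(isakmp: bytes) -> int:
    """The first 8 bytes of an ISAKMP header are the initiator cookie (SPI)."""
    if len(isakmp) < 8:
        raise ValueError("payload too short for an ISAKMP header")
    return struct.unpack("!Q", isakmp[:8])[0]


@dataclass
class Entry:
    inside_local: Addr
    inside_global: Addr
    outside_global: Addr
    cookie: Optional[int] = None   # only set when the IKE port was preserved


@dataclass
class PatRouter:
    """Overload (PAT) onto one inside global address, optionally with
    'ip nat service list <acl> IKE preserve-port' for the ACL's outside addresses."""
    inside_global_ip: str
    ike_preserve_acl: Set[str] = field(default_factory=set)   # outside global IPs matched by the ACL
    entries: List[Entry] = field(default_factory=list)
    next_fallback_port: int = 1    # constructed 'next free port' allocator, not the IOS one

    def _port_in_use(self, port: int) -> bool:
        return any(e.inside_global[1] == port for e in self.entries)

    def _allocate_port(self, wanted: int) -> int:
        if not self._port_in_use(wanted):
            return wanted
        while self._port_in_use(self.next_fallback_port):
            self.next_fallback_port += 1
        port = self.next_fallback_port
        self.next_fallback_port += 1
        return port

    def inside_to_outside(self, src: Addr, dst: Addr, payload: bytes) -> Addr:
        """Translate the source of an inside->outside UDP packet; returns the inside global (ip, port)."""
        preserve = src[1] == IKE_PORT and dst[1] == IKE_PORT and dst[0] in self.ike_preserve_acl
        cookie = initiator_cookie(payload) if preserve else None
        for e in self.entries:
            if e.inside_local == src and e.outside_global == dst and e.cookie == cookie:
                return e.inside_global
        # 'preserving IKE port': port 500 is reused and the cookie disambiguates the flows;
        # otherwise a PAT port is allocated the usual way ('wanted 500 got 3' in the deck)
        port = IKE_PORT if preserve else self._allocate_port(src[1])
        entry = Entry(src, (self.inside_global_ip, port), dst, cookie)
        self.entries.append(entry)
        return entry.inside_global

    def outside_to_inside(self, src: Addr, dst: Addr, payload: bytes) -> Optional[Addr]:
        """Inside local (ip, port) for a return packet, or None when no translation exists."""
        candidates = [e for e in self.entries if e.inside_global == dst and e.outside_global == src]
        if candidates and candidates[0].cookie is not None:
            # several inside hosts share <inside global>:500 -> dispatch on the initiator cookie,
            # which the responder echoes back in every message of that IKE exchange
            cookie = initiator_cookie(payload)
            candidates = [e for e in candidates if e.cookie == cookie]
        return candidates[0].inside_local if candidates else None


def isakmp_header(cookie: int) -> bytes:
    """Constructed 28-byte ISAKMP header: initiator cookie, zero responder cookie, zeroed remainder."""
    return struct.pack("!QQ", cookie, 0) + bytes(12)


def demo() -> List[Addr]:
    """Two inside clients to the same concentrator; returns where each reply is delivered."""
    nat = PatRouter("200.1.1.1", ike_preserve_acl={"150.1.1.1"})
    msg1, msg2 = isakmp_header(0x4EBDB5C), isakmp_header(0x28810D1E)   # cookies from the deck's debug
    nat.inside_to_outside(("10.1.1.1", 500), ("150.1.1.1", 500), msg1)
    nat.inside_to_outside(("10.1.1.2", 500), ("150.1.1.1", 500), msg2)
    return [nat.outside_to_inside(("150.1.1.1", 500), ("200.1.1.1", 500), m) for m in (msg2, msg1)]


if __name__ == "__main__":
    print(demo())   # [('10.1.1.2', 500), ('10.1.1.1', 500)]
```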
51. NAT Services

    NAT(config)# ip nat service sip tcp/udp port [port]
    NAT(config)# ip nat service skinny tcp port [port]

• SIP and skinny services are enabled by default on the standard ports (5060 for SIP and 2000 for skinny/SCCP)
• These commands were introduced to allow customers to use a non-standard port for these protocols
• They can also be used to disable ALG processing on the standard port if another application uses this port
52. NAT Services

    NAT(config)# ip nat service h225
    NAT(config)# ip nat service ras

• Introduced by CSCdx40184
• H323-H225 and H323-RAS services are enabled by default
• These commands were introduced to allow these services to be turned off
• They were initially introduced because of some H323 vulnerabilities
• Could be useful if another application uses these ports
53. Verifying NAT

    NAT#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 120.6.2.1:5        10.1.1.10:5        150.1.1.1:5        150.1.1.1:5

    NAT#sh ip nat translations verbose
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 120.6.2.1:5        10.1.1.10:5        150.1.1.1:5        150.1.1.1:5
        create 00:00:50, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
        flags: extended, use_count: 0, VRF : A, entry-id: 3, lc_entries: 0

    NAT#sh ip nat statistics
    Total active translations: 1 (0 static, 1 dynamic; 1 extended)
    Outside interfaces:
      Serial2/0
    Inside interfaces:
      Ethernet0/0
    Hits: 9042  Misses: 3
    CEF Translated packets: 9045, CEF Punted packets: 14
    Expired translations: 2
    Dynamic mappings:
    -- Inside Source
    [Id: 2] access-list 1 interface Serial2/0 refcount 1
    Queued Packets: 0
54. Troubleshooting NAT

    NAT#debug ip nat ?
      <1-99>    Access list
      detailed  NAT detailed events
      fragment  NAT fragment events
      generic   NAT generic ALG handler events
      h323      NAT H.323 events
      ipsec     NAT IPSec events
      nvi       NVI events
      port      NAT PORT events
      pptp      NAT PPTP events
      route     NAT Static route events
      sip       NAT SIP events
      skinny    NAT skinny events
      vrf       NAT VRF events
      wlan-nat  WLAN NAT events
      <cr>

• Various NAT debugs are available
• A standard ACL can be specified to limit the debug output
55. Troubleshooting NAT – debug ip nat detail

    *Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
    *Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
    *Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
    *Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
    *Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
    *Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
    *Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
    *Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
    *Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5862]
    *Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5862]
    *Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5863]
    *Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5863]
    *Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7605]
    *Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7605]
    *Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7606]
    *Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7606]
56. Clearing NAT Translation Entries

    router#show ip nat trans
    Pro Inside global      Inside local       Outside local       Outside global
    udp 192.168.2.2:1220   10.1.1.2:1120      171.69.2.132:53     171.69.2.132:53
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23       172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23       172.16.2.3:23
    router#clear ip nat trans udp inside 192.168.2.2 10.1.1.2 1220 171.69.2.132 53 171.69.2.132 53
    router#show ip nat trans
    Pro Inside global      Inside local       Outside local       Outside global
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23       172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23       172.16.2.3:23

The entry for 192.168.2.2 is cleared.

    Router#sh ip nat trans
    Pro Inside global      Inside local       Outside local       Outside global
    tcp 200.1.1.1:11003    10.1.1.1:11003     150.1.1.1:23        150.1.1.1:23
    tcp 200.1.1.1:1067     10.1.1.5:1067      150.1.1.1:23        150.1.1.1:23
    router#clear ip nat trans *
    router#
    router#show ip nat trans

All entries are cleared.
57. Troubleshooting NAT

• Get details about what exactly is failing (specific traffic or all traffic? traffic from IN to OUT or from OUT to IN? etc.)
  → You should end up with an example of problematic traffic (source and destination IP, where the source and destination are located, etc.)
• Check the NAT table for the impacted traffic -> 'sh ip nat trans | i x.x.x.x'
• Run 'debug ip nat <acl>' with an ACL matching the impacted flow
• Check with ACL hit counts that the packet hits the NAT router on the correct interface (caution: ACL hit counts are not always reliable on hardware platforms)
• Check that you can ping the inside local and outside global addresses from the NAT router (caution: there could be a FW denying ICMP)
• Use the inside global (outside local) address as a secondary address on the outside (inside) interface and do an extended ping to the outside global (inside local) address with the secondary as source
• Check there is an ARP entry for the inside global and outside local addresses if the interface is Ethernet -> 'sh ip arp <interface>'
58. Troubleshooting NAT – Application-specific issues

If the problem is related to a specific application/protocol (ping works but not telnet or FTP, etc.):
• Check if static port translation is configured
• Check if packets hit the NAT router with ACL hit counts (an ACL or FW on the path could be filtering packets)
• Check it's not a 'packet size issue' using ping with small and big packet sizes
• Check if the application/protocol requires an ALG (Application Layer Gateway). If yes, a sniffer trace from IN and OUT could identify which field in the payload is not correctly handled
59. Agenda

• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
→ NAT Redundancy
• NAT in MPLS/VRF environment
60. NAT Redundancy

Several scenarios:
• 1 Router – 2 Providers
• 2 Routers – 1 Provider
• 2 Routers – 2 Providers – no dedicated public pool
• 2 Routers – 2 Providers – dedicated public pool
61. NAT Redundancy – 1 Router – 2 Providers

• 2 providers used in a failover scenario (or simultaneously)
• ISP1 is the primary, ISP2 the backup
• We use NAT overload with the public IP provided by each ISP
• If ISP1 fails, NAT should use the IP of ISP2
• Existing sessions are lost during failover
• Special care should be taken with sessions initiated from outside (static NAT) if the ISPs have a source IP check (uRPF, ACL)

[Diagram: Inside 10.0.0.0/8 on Eth0/0; ISP1 (200.1.1.0/24) on S1/0; ISP2 (100.1.1.0/24) on S2/0; both ISPs lead to the Internet]
62. NAT Redundancy – 1 Router – 2 Providers

    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    interface Serial1/0
     ip nat outside
    !
    interface Serial2/0
     ip nat outside
    !
    ip nat inside source route-map ISP1 interface Serial1/0 overload
    ip nat inside source route-map ISP2 interface Serial2/0 overload
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    ip route 0.0.0.0 0.0.0.0 Serial2/0 100
    !
    route-map ISP1 permit 10
     match ip address 1
     match interface Serial1/0
    !
    route-map ISP2 permit 10
     match ip address 1
     match interface Serial2/0
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
63. NAT Redundancy – 2 Routers – 1 Provider (1 public pool)

• 2 NAT routers used in a failover scenario
• In normal conditions, all traffic passes through the NAT1 router
• Should provide redundancy for static and dynamic NAT
• HSRP is used on the Inside and Outside interfaces

N.B. Existing sessions could be maintained

[Diagram: Inside 10.0.0.0/8 – NAT1 / NAT2 – 200.1.1.0/24 – Internet]
64. NAT Redundancy – 2 Routers – 1 Provider – Stateful NAT

• The idea is to mirror on the standby SNAT router the NAT entries created by the active SNAT router
• When the active SNAT router goes down, the standby SNAT router is ready to do the translations (with the same inside global IP/port)
• This permits keeping existing sessions
• NAT entries are mirrored via a TCP session established permanently between the SNAT peers, or by acknowledged UDP packets
• IP-Redundancy mode (HSRP) or Primary/Backup mode

[Diagram: Inside 10.0.0.0/8 – NAT1 (ACTIVE) and NAT2 (STANDBY) with a TCP/UDP mirroring session between them – Internet]
65. NAT Redundancy – SNAT

NAT1 Router:

    interface Ethernet0/0
     ip nat inside
     standby 1 name HSRP_IN
    !
    ip nat Stateful id 1
     redundancy HSRP_IN
      mapping-id 10
    !
    ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
    ip nat inside source list 1 pool PUB mapping-id 10 overload
    !
    ip route 10.1.1.0 255.255.255.0 200.1.1.3 10
    !
    access-list 1 permit 10.0.0.0 0.255.255.255

NAT2 Router:

    interface Ethernet0/0
     ip nat inside
     standby 1 name HSRP_IN
    !
    ip nat Stateful id 2
     redundancy HSRP_IN
      mapping-id 10
    !
    ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
    ip nat inside source list 1 pool PUB mapping-id 10 overload
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
66. NAT Redundancy – SNAT

NAT1 Router:

    NAT1#sh ip snat distributed verbose
    Stateful NAT Connected Peers

    SNAT: Mode IP-REDUNDANCY
          :: ACTIVE
          : State READY
          : Local Address 10.1.1.2
          : Local NAT id 1
          : Peer Address 10.1.1.3
          : Peer NAT id 2
          : Mapping List 10
          : InMsgs 4, OutMsgs 8, tcb 0x261B7E8, listener 0x0

NAT2 Router:

    NAT2#sh ip snat distributed verbose
    Stateful NAT Connected Peers

    SNAT: Mode IP-REDUNDANCY
          :: STANDBY
          : State READY
          : Local Address 10.1.1.3
          : Local NAT id 2
          : Peer Address 10.1.1.2
          : Peer NAT id 1
          : Mapping List 10
          : InMsgs 9, OutMsgs 4, tcb 0x2971C18, listener 0x2971760
67. NAT Redundancy – SNAT

NAT1 Router:

    NAT1#sh ip nat translations verbose
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 200.1.2.1:1        10.1.1.50:1        150.1.1.1:1        150.1.1.1:1
        create 00:00:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
        flags: extended, use_count: 0 nat_id: 1 nat_entry_num: 2 nat_mapping_id[in]: 10 nat_mapping_id[out]: 0, entry-id: 4, lc_entries: 0
    NAT1#
    NAT1#sh ip snat peer 10.1.1.3
    Show NAT Entries created by peer: 10.1.1.3
    Pro  Inside global      Inside local       Outside local      Outside global
    NAT1#

NAT2 Router:

    NAT2#sh ip nat translations verbose
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 200.1.2.1:1        10.1.1.50:1        150.1.1.1:1        150.1.1.1:1
        create 00:01:05, use 00:00:00 timeout:60000, timing-out, Map-Id(In): 1,
        flags: extended, created-by-remote, use_count: 0 nat_id: 1 nat_entry_num: 2 nat_mapping_id[in]: 10 nat_mapping_id[out]: 0, entry-id: 3, lc_entries: 0
    NAT2#
    NAT2#sh ip snat peer 10.1.1.2
    Show NAT Entries created by peer: 10.1.1.2
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 200.1.2.1:1        10.1.1.50:1        150.1.1.1:1        150.1.1.1:1
    NAT2#
68. NAT Redundancy – SNAT – debug ip snat [std_acl] [detail]

NAT1 Router:

    NAT1#debug ip snat
    NAT1#debug ip tcp packet
    NAT1#
    *Aug 6 15:01:05.207: SNAT (snd msg): Add new entry for router-id 1
    *Aug 6 15:01:05.207: SNAT (sndmsg): Found Peer to ADD entry
    *Aug 6 15:01:05.207: SNAT (write2net): 10.1.1.2 <---> 10.1.1.3 send message
    *Aug 6 15:01:05.207: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
    *Aug 6 15:01:05.227: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
    *Aug 6 15:01:05.439: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310911 ACK 1259957148 WIN 64475
    *Aug 6 15:01:05.439: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957148 ACK 4243310911 WIN 64908
    *Aug 6 15:01:05.459: SNAT (readfromnet 1): There is some pending data on tcp. Value:116

NAT2 Router:

    NAT1#debug ip snat
    NAT1#debug ip tcp packet
    NAT1#
    *Aug 6 15:01:05.575: SNAT (snd msg): Add new entry for router-id 2
    *Aug 6 15:01:05.575: SNAT (sndmsg): Found Peer to ADD entry
    *Aug 6 15:01:05.575: SNAT (write2net): 10.1.1.3 <---> 10.1.1.2 send message
    *Aug 6 15:01:05.575: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
    *Aug 6 15:01:05.607: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
    *Aug 6 15:01:05.811: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957148 ACK 4243310911 WIN 64908
    *Aug 6 15:01:05.811: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310911 ACK 1259957148 WIN 64475
    *Aug 6 15:01:06.359: SNAT (readfromnet 1): There is some pending data on tcp. Value:116
69. SNAT additional commands

    ip nat Stateful id 1
     redundancy HSRP_IN
      protocol udp
      as-queuing disable

    interface Ethernet0/0
     standby delay reload <delay>
     standby 1 preempt delay minimum|reload|sync

• The recommended protocol is UDP (more scalable)
• When SNAT is activated, an additional delay might be seen for packets requiring the creation of a new NAT entry
• The active NAT router should buffer the packet until it receives confirmation from the backup SNAT router that the entry has been populated
• This buffering is useless if there is no asymmetric routing OUT-to-IN; 'as-queuing disable' removes this extra delay
• A delay should be introduced in HSRP to make sure SNAT has time to converge before the router becomes HSRP active
70. NAT Redundancy – SNAT

• There are several phases in the SNAT implementation
• Phase 2 (introduced in 12.3(7)T) added support for:
  – ALG (Application Layer Gateway) failover
  – Asymmetric routing for out->in traffic
  – Distribution of all forms of dynamic NAT entries (created by static NAT, etc.)
• The next phases (3, 4) should add support for:
  – Bidirectional mirroring (currently, only entries on the active SNAT router are mirrored)
  – More than 2 SNAT routers
  – ...
71. NAT Redundancy – 2 Routers – 1 Provider – Static Inside NAT

• Problem: if both NAT routers create an ARP entry for the inside global IP, we have a duplicate IP problem -> only 1 NAT router should create the alias
• To avoid problems with some ALG protocols (FTP, ...), reflexive ACLs, etc., traffic should be handled by the same router in both directions
• Traffic from Inside is handled by the HSRP active router on the Inside LAN
• Traffic from the Internet is handled by the router replying to the provider's ARP request
  → The inside global IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the inside LAN
• Rem: another solution is to use non-directly-connected IPs for the inside global addresses

[Diagram: Inside 10.0.0.0/8 with server 10.1.1.100, HSRP_IN – NAT1 / NAT2 – HSRP_OUT, 200.1.1.0/24 – Internet]
72. NAT Redundancy – 2 Routers – 1 Provider

NAT1 Router:

    interface Ethernet0/0
     ip address 10.1.1.2 255.255.255.0
     ip nat inside
     standby 1 ip 10.1.1.1
     standby 1 priority 120
     standby 1 name HSRP_IN
    !
    interface Ethernet1/0
     ip address 200.1.1.2 255.255.255.0
     ip nat outside
     standby 2 ip 200.1.1.1
     standby 2 priority 120
     standby 2 name HSRP_OUT
    !
    ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN

NAT2 Router:

    interface Ethernet0/0
     ip address 10.1.1.3 255.255.255.0
     ip nat inside
     standby 1 ip 10.1.1.1
     standby 1 name HSRP_IN
    !
    interface Ethernet1/0
     ip address 200.1.1.3 255.255.255.0
     ip nat outside
     standby 2 ip 200.1.1.1
     standby 2 name HSRP_OUT
    !
    ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN
73. NAT Redundancy – 2 Routers – 1 Provider

NAT1 Router:

    NAT1#sh standby brief
                         P indicates configured to preempt.
                         |
    Interface   Grp  Prio P State    Active          Standby         Virtual IP
    Et0/0       1    120    Active   local           10.1.1.3        10.1.1.1
    Et1/0       2    120    Active   local           200.1.1.3       200.1.1.1
    NAT1#
    NAT1#sh ip arp
    Protocol  Address      Age (min)  Hardware Addr   Type   Interface
    Internet  10.1.1.2             -  aabb.cc00.6500  ARPA   Ethernet0/0
    Internet  10.1.1.1             -  0000.0c07.ac01  ARPA   Ethernet0/0
    Internet  200.1.1.100          -  aabb.cc00.6501  ARPA   Ethernet1/0
    Internet  200.1.1.1            -  0000.0c07.ac02  ARPA   Ethernet1/0
    Internet  200.1.1.2            -  aabb.cc00.6501  ARPA   Ethernet1/0
    NAT1#

NAT2 Router:

    NAT2#sh standby brief
                         P indicates configured to preempt.
                         |
    Interface   Grp  Prio P State    Active          Standby         Virtual IP
    Et0/0       1    100    Standby  10.1.1.2        local           10.1.1.1
    Et1/0       2    100    Standby  200.1.1.2       local           200.1.1.1
    NAT2#
    NAT2#sh ip arp
    Protocol  Address      Age (min)  Hardware Addr   Type   Interface
    Internet  10.1.1.3             -  aabb.cc00.6600  ARPA   Ethernet0/0
    Internet  200.1.1.3            -  aabb.cc00.6601  ARPA   Ethernet1/0
    NAT2#
74. NAT Redundancy – 2 Routers – 1 Provider – Static Outside NAT

• Same issue as Static Inside NAT, but for the outside local IP
• Traffic from the Internet is handled by the HSRP active router on the outside Ethernet (assuming there is no inside NAT, or inside NAT uses a pool ≠ 200.1.1.0/24)
• Traffic from Inside is handled by the router replying to the ARP request for the outside local IP address
  → The outside local IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the outside Ethernet

[Diagram: Inside 10.0.0.0/8, HSRP_IN – NAT1 / NAT2 – HSRP_OUT, 200.1.1.0/24 – Internet – server 150.1.1.1; server 150.1.1.1 should appear as an internal host]
75. NAT Redundancy – 2 Routers – 2 Providers – Provider IPs

• We use NAT overload with the public IPs provided by the ISPs
• 2 providers used simultaneously or in a failover scenario
• If used simultaneously, per-packet load-balancing cannot be used
• If one NAT router or one ISP fails, packets should be rerouted to the other NAT router
• For sessions initiated from outside (static NAT), make sure packets are sent back via the border router they came from (PBR, nat outside source)
• SNAT is not useful in this scenario

N.B. Existing sessions are lost during failover

[Diagram: Inside 10.0.0.0/8 – NAT1 to ISP1 (200.1.1.0/24), NAT2 to ISP2 (100.1.1.0/24) – Internet]
76. NAT Redundancy – 2 Routers – 2 Providers – Dedicated Public Pool

• The customer has its own public IP pool (195.1.1.0/24)
• BGP is used to advertise this pool on the Internet
• SNAT permits using both providers simultaneously for inbound traffic
• Without SNAT, only one ISP can be used at a time because:
  – traffic should come back from the Internet via the same ISP
  – there is no control on inbound traffic

N.B. Existing sessions could be maintained

[Diagram: Inside 10.0.0.0/8 – NAT1 (BGP) to ISP1 (200.1.1.0/24), NAT2 (BGP) to ISP2 (100.1.1.0/24) – Internet; customer pool 195.1.1.0/24]
77. Agenda

• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
→ NAT in MPLS/VRF environment
78. VRF Introduction

• VRFs are used on PE routers in an MPLS/VPN network to isolate different customers within the same physical router
• Can be used without MPLS → VRF-lite
• Each VRF (Virtual Routing & Forwarding) has its own routing and CEF table, so routes/traffic from different customers are kept private
• VRFs permit creating several virtual routers within a single physical router
• One (sub-)interface can be attached to only one VRF

[Diagram: one physical router containing the global IP router (global routing table, towards the P router), a virtual router for Customer A (VRF routing table; Customer A sites #1, #2, #3) and a virtual router for Customer B (VRF routing table; Customer B sites #1, #2)]
79. VRF Configuration

• First the VRFs need to be created:

    ip vrf <VRF_name>
     rd <RD_value>

• Each VRF needs a unique RD (Route Distinguisher); 2 possible formats (ASN:nn or IP-address:nn)
• Assign an interface to the VRF:

    ip vrf forwarding <VRF_name>

• Example:

    Router(config)#ip vrf CUST_A
    Router(config-vrf)#rd 1:1
    Router(config-vrf)#exit
    Router(config)#interface ethernet0/0
    Router(config-if)#ip vrf forwarding CUST_A
80. NAT-VRF

• The VRF routing and CEF tables are similar to the global routing and CEF tables, so we can configure NAT within a VRF
• The VRF name needs to be specified in the NAT commands
• Example:

    ip vrf CUST_A
     rd 1:1
    !
    interface ethernet0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface ethernet1/0
     ip vrf forwarding CUST_A
     ip address 120.16.2.1 255.255.255.0
     ip nat outside
    !
    ip nat inside source static 10.1.1.1 200.1.1.1 vrf CUST_A
81. NAT in VRF-lite – Examples

    ip vrf CUST_A
     rd 1:1
    !
    ip vrf CUST_B
     rd 1:2
    !
    interface ethernet0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface ethernet1/0
     ip vrf forwarding CUST_B
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    interface serial 2/0
     ip vrf forwarding CUST_A
     ip address 120.6.2.1 255.255.255.252
     ip nat outside
    !
    interface serial 3/0
     ip vrf forwarding CUST_B
     ip address 50.1.1.1 255.255.255.252
     ip nat outside
    !
    ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
    ip nat inside source list 2 interface serial 3/0 vrf CUST_B overload
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 2 permit 10.0.0.0 0.255.255.255

[Diagram: E0/0 (IN, CUST_A) with S2/0 (OUT, CUST_A); E1/0 (IN, CUST_B) with S3/0 (OUT, CUST_B)]
82. NAT in VRF-lite – Examples

    NAT#sh ip nat translations vrf CUST_A
    Pro  Inside global      Inside local       Outside local      Outside global
    tcp  120.6.2.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
    tcp  120.6.2.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
    icmp 120.6.2.1:9        10.1.1.2:9         150.1.1.1:9        150.1.1.1:9
    NAT#
    NAT#
    NAT#sh ip nat translations vrf CUST_B
    Pro  Inside global      Inside local       Outside local      Outside global
    tcp  50.1.1.1:18050     10.1.1.2:18050     180.1.1.1:23       180.1.1.1:23
    tcp  50.1.1.1:21660     10.1.1.5:21660     180.1.1.1:23       180.1.1.1:23
    icmp 50.1.1.1:1         10.1.1.2:1         180.1.1.1:1        180.1.1.1:1

[Diagram: E0/0 (IN, CUST_A) with S2/0 (OUT, CUST_A); E1/0 (IN, CUST_B) with S3/0 (OUT, CUST_B)]

N.B.
– 'sh ip nat translation' shows all entries (the verbose keyword shows the VRF an entry is bound to)
– This VRF (in-VRF) information is used to know which VRF the inside local IP address belongs to
– The NTD (NAT Translation Database – the NAT translation table is only a part of it) keeps track of the VRF the outgoing interface belongs to (out-VRF)
– Only packets belonging to that out-VRF (which could be different from the in-VRF) are allowed to use this existing NAT entry
83. VRF – Packet Leaking

• Packet leaking permits packets from a VRF to reach the global routing table
• Implementing packet leaking requires 2 static routes:
  – a VRF static route which points to a global next-hop
  – a global static route which points to the VRF interface

    ip route vrf <vrf_name> <subnet> <mask> <next-hop> global
    ip route <subnet> <mask> <vrf_int> [next-hop]

• Example:

    ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
    (VRF traffic matching the default route is sent to 120.6.2.2, which is reachable via the global routing table)

    ip route 10.0.0.0 255.0.0.0 ethernet 0/0 10.1.1.1
    (Traffic in the global routing table matching this static route is sent into the VRF that ethernet 0/0 is attached to)
84. NAT VRF – Packet leaking VRF -> Global

    ip vrf CUST_A
     rd 1:1
    !
    ip vrf CUST_B
     rd 1:2
    !
    interface ethernet0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface ethernet1/0
     ip vrf forwarding CUST_B
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    interface serial 2/0
     ip address 120.6.2.1 255.255.255.252
     ip nat outside
    !
    ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
    ip route vrf CUST_B 0.0.0.0 0.0.0.0 120.6.2.2 global
    !
    ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
    ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 2 permit 10.0.0.0 0.255.255.255

[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, global) towards the Internet]

N.B. There is no static route in the global table pointing to a VRF interface for traffic back from the Internet. A match is found in the NAT table for the flow and a layer 3 lookup is done in the in-VRF routing table (the in-VRF is stored in the NAT table). There is a check as well that the packet comes from the out-VRF (stored in the NTD).
85. NAT VRF – Packet leaking VRF -> VRF

    ip vrf CUST_A
     rd 1:1
    !
    ip vrf CUST_B
     rd 1:2
    !
    ip vrf SERVICE
     rd 1:3
    !
    interface ethernet0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface ethernet1/0
     ip vrf forwarding CUST_B
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    interface serial 2/0
     ip vrf forwarding SERVICE
     ip address 120.6.2.1 255.255.255.252
     ip nat outside
    !
    ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
    ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
    !
    ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
    ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 2 permit 10.0.0.0 0.255.255.255

[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, VRF SERVICE) towards the Internet]
86. NAT VRF – Packet leaking – Static NAT

    ip vrf CUST_A
     rd 1:1
    !
    ip vrf CUST_B
     rd 1:2
    !
    ip vrf SERVICE
     rd 1:3
    !
    interface ethernet0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface ethernet1/0
     ip vrf forwarding CUST_B
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    interface serial 2/0
     ip vrf forwarding SERVICE
     ip address 120.6.2.1 255.255.255.252
     ip nat outside
    !
    ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
    ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
    !
    ip nat inside source static 10.1.1.20 200.1.1.1 vrf CUST_A

[Diagram: E0/0 (IN, CUST_A, host 10.1.1.20) and E1/0 (IN, CUST_B); S2/0 (OUT, VRF SERVICE) towards the Internet]

N.B.
• Packets entering via any outside interface could use the static NAT entry (no check on the out-VRF is possible)
• If we try to create the exact same static NAT entry in 2 different VRFs, the command is refused and the message 'similar static NAT entry already exists' is displayed
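The in-VRF/out-VRF handling described in the notes of slides 82, 84 and 86, as an added Python model (not Cisco code; a simplification of what those notes state). Dynamic entries carry the in-VRF (NAT table) and the out-VRF (NTD), and a return packet is only matched when it arrives from the out-VRF; static entries carry no out-VRF, so any outside interface can use them, and the same static mapping is refused a second time in another VRF. The port allocator and the packet representation are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    vrf: str                      # VRF of the interface the packet arrived on ('global' for the global table)


@dataclass
class DynamicEntry:
    inside_local: Addr
    inside_global: Addr
    outside_global: Addr
    in_vrf: str                   # stored in the NAT table: where the inside local address lives
    out_vrf: str                  # stored in the NTD: VRF of the outgoing interface


@dataclass
class StaticEntry:
    inside_local_ip: str
    inside_global_ip: str
    in_vrf: str                   # no out-VRF: any outside interface may use the entry


class VrfNat:
    def __init__(self) -> None:
        self.dynamic: List[DynamicEntry] = []
        self.static: List[StaticEntry] = []

    def add_static(self, inside_local_ip: str, inside_global_ip: str, vrf: str) -> None:
        """'ip nat inside source static <local> <global> vrf <vrf>'."""
        for s in self.static:
            if (s.inside_local_ip, s.inside_global_ip) == (inside_local_ip, inside_global_ip):
                raise ValueError("similar static NAT entry already exists")
        self.static.append(StaticEntry(inside_local_ip, inside_global_ip, vrf))

    def _free_port(self, inside_global_ip: str, wanted: int) -> int:
        """Constructed allocator: the wanted port, or the next free one above it."""
        used = {e.inside_global[1] for e in self.dynamic if e.inside_global[0] == inside_global_ip}
        port = wanted
        while port in used:
            port = port + 1 if port < 65535 else 1024
        return port

    def inside_to_outside(self, pkt: Packet, inside_global_ip: str, out_vrf: str) -> Addr:
        """Inside->outside: the routing lookup in pkt.vrf chose an outside interface in out_vrf."""
        for s in self.static:
            if s.in_vrf == pkt.vrf and s.inside_local_ip == pkt.src[0]:
                return (s.inside_global_ip, pkt.src[1])
        for e in self.dynamic:
            if e.in_vrf == pkt.vrf and e.inside_local == pkt.src and e.outside_global == pkt.dst:
                return e.inside_global
        entry = DynamicEntry(pkt.src, (inside_global_ip, self._free_port(inside_global_ip, pkt.src[1])),
                             pkt.dst, pkt.vrf, out_vrf)
        self.dynamic.append(entry)
        return entry.inside_global

    def outside_to_inside(self, pkt: Packet) -> Optional[Tuple[Addr, str]]:
        """Returns (inside local address, VRF to do the layer 3 lookup in), or None when dropped."""
        for e in self.dynamic:
            if e.inside_global == pkt.dst and e.outside_global == pkt.src:
                # the out-VRF check: only packets from the VRF of the outgoing interface may use the entry
                return (e.inside_local, e.in_vrf) if pkt.vrf == e.out_vrf else None
        for s in self.static:
            if s.inside_global_ip == pkt.dst[0]:
                return ((s.inside_local_ip, pkt.dst[1]), s.in_vrf)   # no out-VRF check possible
        return None
```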
87. MPLS/VPN – Intro

• MPLS is used in the provider cloud to connect the different PEs
• VRFs are defined on the PEs to separate customers
• Traffic sent across the provider cloud is labeled (2 labels)
• The top label (LDP/TDP) identifies the egress PE
• The inner label (BGP) identifies the VPN

[Diagram: Customer A 10.0.0.0/8 (CE1) and Customer B 10.0.0.0/8 (CE2) attached to PE1; PE1 and PE2 connected through the MPLS provider cloud; PE2 attached (MPLS interface in the global table) to the common servers 200.1.1.1/24; the provider offers a set of common services (VoIP, Web hosting, ...)]
88. NAT – MPLS/VPN – 2 Options

• NAT on the ingress PE (PE1)
  + Easy to configure
  – Not very scalable if there are many PEs
• NAT on the egress PE (PE2)
  + Scalable
  – More complex to configure

[Diagram: Customer A 10.0.0.0/8 (CE1) and Customer B 10.0.0.0/8 (CE2) attached to PE1; PE1 and PE2 connected through the MPLS provider cloud; PE2 attached to the common servers 200.1.1.1/24; the provider offers a set of common services (VoIP, Web hosting, ...)]
89. NAT MPLS/VPN – Ingress PE

    ip vrf CUST_A
     rd 1:1
     route-target both 1:1
     route-target import 1:100
     route-target export 1:101
    !
    ip vrf CUST_B
     rd 1:2
     route-target both 1:2
     route-target import 1:100
     route-target export 1:101
    !
    interface serial0/0
     ip vrf forwarding CUST_A
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
    !
    interface serial1/0
     ip vrf forwarding CUST_B
     ip address 10.1.1.1 255.255.255.252
     ip nat inside
    !
    interface serial2/0
     ip address 120.6.2.1 255.255.255.252
     mpls ip
     ip nat outside
    !
    router bgp 1
     address-family ipv4 vrf CUST_A
      redistribute static
     address-family ipv4 vrf CUST_B
      redistribute static
    !
    ip route vrf CUST_A 200.1.2.1 255.255.255.255 10.1.1.2
    ip route vrf CUST_B 200.1.2.2 255.255.255.255 10.1.1.2
    !
    ip nat pool A 200.1.2.1 200.1.2.1 prefix-length 24
    ip nat pool B 200.1.2.2 200.1.2.2 prefix-length 24
    ip nat inside source route-map NAT_A pool A vrf CUST_A overload
    ip nat inside source route-map NAT_B pool B vrf CUST_B overload
    !
    route-map NAT_A permit 10
     match ip address 101
    route-map NAT_B permit 10
     match ip address 102
    !
    access-list 101 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255
    access-list 102 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255

The static routes for 200.1.2.1 and 200.1.2.2 (redistributed into BGP) are the inside global addresses we need to advertise in MPLS.

[Diagram: PE1 with S0/0 to CE1, S1/0 to CE2 and S2/0 towards the MPLS cloud]
90. NAT MPLS/VPN – Egress PE

    ip vrf CUST_A
     rd 1:1
     route-target both 1:1
    !
    ip vrf CUST_B
     rd 1:2
     route-target both 1:2
    !
    ip vrf COMMON
     rd 1:3
    !
    interface serial0/0
     ip address 120.4.2.1 255.255.255.255
     mpls ip
     ip nat inside
    !
    interface FastEthernet1/0
     ip vrf forwarding COMMON
     ip address 200.1.1.1 255.255.255.0
     ip nat outside
    !
    router bgp 1
     address-family ipv4 vrf CUST_A
      redistribute static
     address-family ipv4 vrf CUST_B
      redistribute static
    !
    ip route vrf CUST_A 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
    ip route vrf CUST_B 200.1.1.0 255.255.255.0 Fastethernet1/0 200.1.1.2
    !
    ip nat pool COM_POOL 200.1.2.1 200.1.2.3 prefix-length 24
    ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_A overload
    ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_B overload
    !
    route-map NAT_COM permit 10
     match ip address 101
    !
    access-list 101 permit ip any 200.1.1.0 0.0.0.255

[Diagram: PE2 with S0/0 towards the MPLS cloud and fa1/0 to CE2 (common servers)]

N.B.
– 200.1.2.0/30 should be known by CE2
– Packets back from the servers match existing NAT entries
– A layer 3 lookup is done in the in-VRF, where the labels are found
91. NAT NVI – NAT Virtual Interface

• Used to tackle limitations of the classical NAT implementation, which binds an address space (interface) to either the Inside OR the Outside domain (not both)
• The idea is to direct traffic destined to the fake IP (source global) to a virtual interface. This allows the NAT operation to be done AFTER the routing decision in ALL cases → no need to define Inside/Outside domains anymore
• Interfaces just need to be NAT 'enabled'
• NAT NVI 'trigger': a packet comes from a NAT-enabled interface and is forwarded to a NAT-enabled interface

[Diagram: E0/0 (VRF A), E1/0 (VRF B) and S2/0 (Internet) each configured with 'ip nat enable'; the former IN/OUT domain labels are crossed out]
92. NAT NVI – NAT Virtual Interface

The goal is to allow scenarios such as the following:
• VRF A and VRF B use the same private address space
• Hosts in VRF A and VRF B should use NAT to go to the Internet
• Hosts in VRF A should use NAT to reach a server in VRF B

[Diagram: HostA 10.1.1.10 in VRF A on E0/0, ServerB 10.1.1.10 in VRF B on E1/0, Server Global on the Internet via S2/0]
Slide 93. NAT NVI – Config Example – to Internet

  ip vrf A
   rd 1:1
  !
  ip vrf B
   rd 1:2
  !
  interface ethernet0/0
   ip vrf forwarding A
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface ethernet1/0
   ip vrf forwarding B
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface serial 2/0
   ip address 200.1.1.1 255.255.255.252
   ip nat enable
  !
  ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
  ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
  !
  ip nat source list 1 interface serial 2/0 vrf A overload
  ip nat source list 2 interface serial 2/0 vrf B overload
  !
  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 2 permit 10.0.0.0 0.255.255.255

Diagram: Host A (10.1.1.10) in VRF A, Server B (10.1.1.10) in VRF B, Server Global (150.1.1.1) on the Internet.
Slide 94. NAT NVI – Config Example – to Internet

Host A generates a ping to 150.1.1.1:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back (note that source and destination are inverted so that the entry matches the return traffic)

  NAT#sh ip nat nvi translations vrf A verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.1:5       10.1.1.10:5        150.1.1.1:5        150.1.1.1:5
      create 00:00:28, use 00:00:28 timeout:60000, left 00:00:31, flags: extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0

  NAT#sh ip nat nvi translations verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 150.1.1.1:5       150.1.1.1:5        200.1.1.1:5        10.1.1.10:5
      create 00:00:54, use 00:00:54 timeout:60000, left 00:00:05, flags: extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
Slide 95. NAT NVI – Config Example – to Internet

Host B generates a ping to 150.1.1.1:
• An entry is created in the NVI NAT table of VRF B
• A second entry is created in the global NVI NAT table to allow the traffic back (src_VRF tells which VRF the returning packet needs to be forwarded to)

  NAT#sh ip nat nvi translations vrf B verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.1:1       10.1.1.10:1        150.1.1.1:1        150.1.1.1:1
      create 00:00:13, use 00:00:13 timeout:60000, left 00:00:46, flags: extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0

  NAT#sh ip nat nvi translations verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 150.1.1.1:1       150.1.1.1:1        200.1.1.1:1        10.1.1.10:1
      create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41, flags: extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
  icmp 150.1.1.1:5       150.1.1.1:5        200.1.1.1:5        10.1.1.10:5
      create 00:00:58, use 00:00:58 timeout:60000, left 00:00:02, flags: extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
Slide 96. NAT NVI – Config Example – To Server B

  ip vrf A
   rd 1:1
  !
  ip vrf B
   rd 1:2
  !
  interface ethernet0/0
   ip vrf forwarding A
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface ethernet1/0
   ip vrf forwarding B
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface serial 2/0
   ip address 200.1.1.1 255.255.255.252
   ip nat enable
  !
  ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
  ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
  !
  ip nat source list 1 interface serial 2/0 vrf A overload
  ip nat source list 2 interface serial 2/0 vrf B overload
  ip nat source static 10.1.1.10 200.1.1.10 vrf B
  !
  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 2 permit 10.0.0.0 0.255.255.255

Diagram: Host A (10.1.1.10) in VRF A, Server B (10.1.1.10) in VRF B, Server Global (150.1.1.1) on the Internet.
Slide 97. NAT NVI – Config Example – To Server B

Host A generates a ping to Server B (200.1.1.10):
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that both src_VRF and dst_VRF are recorded, since both the source and the destination IP are translated)

  NAT#sh ip nat nvi translations vrf A verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.1:11      10.1.1.10:11       200.1.1.10:11      10.1.1.10:11
      create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55, flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0

  NAT#sh ip nat nvi translations vrf B verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.10:11     10.1.1.10:11       200.1.1.1:11       10.1.1.10:11
      create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44, flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0
  ---  200.1.1.10        10.1.1.10          ---                ---
      create 00:06:01, use 00:00:15 timeout:0, flags: static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
Slide 98. NAT NVI – Config Example – To Server B

The Internet server (150.1.1.1) generates a ping to Server B (200.1.1.10):
• A first entry is created in the global NVI NAT table (src_VRF)
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that only dst_VRF is recorded in the extended entry, since only the destination IP is translated)

  NAT#sh ip nat nvi translations verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 150.1.1.1:1       150.1.1.1:1        200.1.1.10:1       10.1.1.10:1
      create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57, flags: extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0

  NAT#sh ip nat nvi translations vrf B verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.10:1      10.1.1.10:1        150.1.1.1:1        150.1.1.1:1
      create 00:00:08, use 00:00:08 timeout:60000, left 00:00:51, flags: extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
  ---  200.1.1.10        10.1.1.10          ---                ---
      create 00:32:20, use 00:00:08 timeout:0, flags: static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
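The entry-creation behaviour walked through on slides 94 to 98 (routing first, then a forward entry in the table of the source VRF and a mirrored entry in the table of the destination VRF or global, with src_VRF/dst_VRF recorded on both) can be modelled so that the effect of the overlapping 10.1.1.10 addresses is visible. The Python model below is an added example and is neither Cisco IOS code nor part of the original deck: the names NviRouter, Entry and forward, the entry layout (a match 5-tuple and a rewrite 4-tuple per table) and the lookup order are assumptions of the model, and the publish_server_b switch stands for adding the 'ip nat source static 10.1.1.10 200.1.1.10 vrf B' line of slide 96. Overload keeps the original port when it is free on the shared 200.1.1.1 address and allocates another one otherwise, which is what lets return traffic for Host A and for a host in VRF B with the same address and port be told apart.

```python
"""Toy model of NAT NVI translation (added illustration, not Cisco IOS code).

Topology from the slides: VRF A and VRF B both use 10.1.1.0/24, serial 2/0
(200.1.1.1) is in the global table, every interface is 'ip nat enable', and
optionally 10.1.1.10 in VRF B is published as 200.1.1.10 (static source NAT).
Entry layout and lookup order are simplifying assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GLOBAL = "global"


@dataclass(frozen=True)
class Entry:
    table: str        # NVI table holding the entry: a VRF name or GLOBAL
    match: tuple      # (proto, src, sport, dst, dport) as the packet arrives
    rewrite: tuple    # (src, sport, dst, dport) after translation
    out_table: str    # table in which the translated packet is routed
    src_vrf: str      # src_VRF field of the show output ('' if source untouched)
    dst_vrf: str      # dst_VRF field ('' if destination untouched)
    entry_id: int


class NviRouter:
    def __init__(self, publish_server_b=False):
        self.ifaces = {"e0/0": "A", "e1/0": "B", "s2/0": GLOBAL}  # interface -> table
        default = (ip_network("0.0.0.0/0"), GLOBAL)  # 'ip route vrf X 0.0.0.0 0.0.0.0 200.1.1.2 global'
        self.routes = {"A": [(ip_network("10.1.1.0/24"), "A"), default],
                       "B": [(ip_network("10.1.1.0/24"), "B"), default],
                       GLOBAL: [(ip_network("200.1.1.0/30"), GLOBAL), default]}
        # 'ip nat source list N interface serial 2/0 vrf X overload': vrf -> (ACL, global IP)
        self.overload = {v: (ip_network("10.0.0.0/8"), "200.1.1.1") for v in ("A", "B")}
        # static source entries, indexed by (vrf, local) and by global address
        self.static_out = {("B", "10.1.1.10"): "200.1.1.10"} if publish_server_b else {}
        self.static_in = {g: l for l, g in self.static_out.items()}
        self.tables = {"A": [], "B": [], GLOBAL: []}
        self.ports = set()  # (global IP, proto, port) already handed out by overload
        self.next_id = 1

    def route(self, table, dst):
        """Longest-prefix match in one table; returns the table the packet leaves through."""
        hits = [r for r in self.routes[table] if ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1]

    def alloc_port(self, gip, proto, want):
        """Overload keeps the original port when free, otherwise takes the next free one."""
        port = want
        while (gip, proto, port) in self.ports:
            port = port + 1 if port < 65535 else 1024
        self.ports.add((gip, proto, port))
        return port

    def forward(self, in_iface, proto, src, sport, dst, dport):
        """Returns (translated (src, sport, dst, dport), table used for the final route)."""
        in_t = self.ifaces[in_iface]
        key = (proto, src, sport, dst, dport)
        for e in self.tables[in_t]:  # an existing entry (return traffic) always wins
            if e.match == key:
                return e.rewrite, e.out_table
        out_t = self.route(in_t, dst)  # NVI: route first, translate afterwards
        new = [src, sport, dst, dport]
        src_vrf = dst_vrf = ""
        if dst in self.static_in:  # destination is an address published by another table
            dst_vrf, new[2] = self.static_in[dst]
            out_t = dst_vrf
        if out_t != in_t:  # NAT trigger: leaving through another NAT-enabled interface
            if (in_t, src) in self.static_out:
                new[0], src_vrf = self.static_out[(in_t, src)], in_t
            elif in_t in self.overload and ip_address(src) in self.overload[in_t][0]:
                gip = self.overload[in_t][1]
                new[0], new[1], src_vrf = gip, self.alloc_port(gip, proto, sport), in_t
        new = tuple(new)
        if new == (src, sport, dst, dport):
            return new, out_t  # nothing translated, so no entry is created
        eid, self.next_id = self.next_id, self.next_id + 1
        fwd = Entry(in_t, key, new, out_t, src_vrf, dst_vrf, eid)
        # mirrored copy in the destination table so the reply finds its way back
        rev = Entry(out_t, (proto, new[2], new[3], new[0], new[1]),
                    (dst, dport, src, sport), in_t, src_vrf, dst_vrf, eid)
        self.tables[in_t].append(fwd)
        self.tables[out_t].append(rev)
        return new, out_t


if __name__ == "__main__":
    r = NviRouter(publish_server_b=True)
    print(r.forward("e0/0", "tcp", "10.1.1.10", 40000, "150.1.1.1", 443))   # Host A to Internet
    print(r.forward("e1/0", "tcp", "10.1.1.10", 40000, "150.1.1.1", 443))   # same address in VRF B
    print(r.forward("e0/0", "tcp", "10.1.1.10", 5000, "200.1.1.10", 22))    # Host A to Server B
    for name, table in r.tables.items():
        for e in table:
            print(name, e.entry_id, e.match, "->", e.rewrite, "src_VRF", e.src_vrf, "dst_VRF", e.dst_vrf)
```

Running the model with both VRF hosts using the same source port shows the second flow getting a different global port and two reverse entries in the global table that differ only in that port and in out_table, which is the src_VRF bookkeeping of slide 95 in miniature.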
Slide 99. NAT NVI – Other Example

  ip vrf A
   rd 1:1
  !
  ip vrf B
   rd 1:2
  !
  interface ethernet0/0
   ip vrf forwarding A
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface ethernet1/0
   ip vrf forwarding B
   ip address 10.1.1.1 255.255.255.0
   ip nat enable
  !
  interface serial 2/0
   ip address 200.1.1.1 255.255.255.252
   ip nat enable
  !
  ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
  ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
  !
  ip nat source list 1 interface serial 2/0 vrf A overload
  ip nat source list 2 interface serial 2/0 vrf B overload
  ip nat source static 10.1.1.10 200.1.1.10 vrf B
  ip nat source static 150.1.1.1 10.1.2.150
  !
  access-list 1 permit 10.0.0.0 0.255.255.255
  access-list 2 permit 10.0.0.0 0.255.255.255

Diagram: Host A (10.1.1.10) in VRF A, Server B (10.1.1.10) in VRF B, Server Global (150.1.1.1) on the Internet.

• Server 150.1.1.1 should be reachable via a private IP (10.1.2.150)
• 'ip nat outside source' scenarios can be achieved with the 'ip nat source' command applied in the destination VRF (here the global table)
Slide 100. NAT NVI – Other Example

Host A generates a ping to the Internet server using 10.1.2.150:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back (note that dst_VRF does not appear here; presumably because the destination is in the global table)

  NAT#sh ip nat nvi translations vrf A verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.1:18      10.1.1.10:18       10.1.2.150:18      150.1.1.1:18
      create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55, flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0

  NAT#sh ip nat nvi translations verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 10.1.2.150:18     150.1.1.1:18       200.1.1.1:18       10.1.1.10:18
      create 00:00:09, use 00:00:09 timeout:60000, left 00:00:50, flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0
  ---  10.1.2.150        150.1.1.1          ---                ---
      create 00:04:45, use 00:00:09 timeout:0, flags: static, routemap-out2in, use_count: 1, entry-id: 15, lc_entries: 0
Slide 101. NAT NVI – Other Example

• The Internet server is still reachable via its public IP 150.1.1.1
• Host B generates a ping to 150.1.1.1
• A first entry is created in the NVI NAT table of VRF B (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back

  NAT#sh ip nat nvi translations vrf B verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 200.1.1.1:2       10.1.1.10:2        150.1.1.1:2        150.1.1.1:2
      create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57, flags: extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0

  NAT#sh ip nat nvi translations verbose
  Pro Source global      Source local       Destin  local      Destin  global
  icmp 150.1.1.1:2       150.1.1.1:2        200.1.1.1:2        10.1.1.10:2
      create 00:00:06, use 00:00:06 timeout:60000, left 00:00:53, flags: extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0
  ---  10.1.2.150        150.1.1.1          ---                ---
      create 00:16:29, use 00:11:53 timeout:0, flags: static, routemap-out2in, use_count: 0, entry-id: 15, lc_entries: 0
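When two VRFs share a private range, the troubleshooting question behind slides 94 to 101 is whether every extended entry has its mirrored copy in the other table, because a missing or non-mirrored copy is exactly what strands the return traffic. The Python checker below is an added example, not part of the deck and not Cisco code. Its sample input is reconstructed from the outputs of slides 94, 95, 97 and 98 (the VRF B table merges the entries shown on those slides) plus a deliberately unpaired entry-id 99 that is constructed. The pairing rule it enforces is inferred from those outputs and is therefore an assumption about the general case: the forward copy lives in the src_VRF table (global when src_VRF is absent), the reverse copy in the dst_VRF table (global when absent), and the reverse copy's Source global / Source local / Destin local / Destin global columns equal the forward copy's Destin local / Destin global / Source global / Source local. The names parse_table, check_pairs, overlapping_locals and audit are the example's own.

```python
"""Checker for 'show ip nat nvi translations [vrf X] verbose' output (added example).

Pairs the per-VRF and global copies of each extended entry by entry-id and
checks that they mirror each other. The mirror rule is inferred from the
sample outputs on the slides; treat it as an assumption about the general case.
"""
import re
from collections import defaultdict

ADDR = r"(?:\d+\.\d+\.\d+\.\d+(?::\d+)?|---)"
# first line of a translation: proto, Source global, Source local, Destin local, Destin global
ENTRY_RE = re.compile(rf"^(?P<proto>\S+)\s+(?P<sg>{ADDR})\s+(?P<sl>{ADDR})\s+(?P<dl>{ADDR})\s+(?P<dg>{ADDR})$")
# fields of interest in the (possibly wrapped) detail lines that follow
FIELD_RE = re.compile(r"(src_VRF|dst_VRF|entry-id|use_count):\s*([^,\s]+)")


def parse_table(text, table):
    """Parse one command's output; 'table' names the VRF it came from, or 'global'."""
    records = []  # (header dict, detail lines)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Pro ", "NAT#")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            records.append(({"table": table, **m.groupdict()}, []))
        elif records:
            records[-1][1].append(line)  # IOS wraps the detail over several lines
    for hdr, detail in records:
        d = " ".join(detail)
        hdr["static"] = "flags: static" in d
        hdr.update(FIELD_RE.findall(d))
        hdr["entry-id"] = int(hdr.get("entry-id", -1))
    return [h for h, _ in records]


def check_pairs(entries):
    """Return {entry-id: [problems]} for extended entries; an empty list means the pair is sound."""
    by_id = defaultdict(list)
    for e in entries:
        if not e["static"]:
            by_id[e["entry-id"]].append(e)
    report = {}
    for eid, copies in by_id.items():
        problems = []
        if len(copies) != 2:
            problems.append(f"expected 2 copies, found {len(copies)}")
        else:
            src_t = copies[0].get("src_VRF", "global")
            dst_t = copies[0].get("dst_VRF", "global")
            fwd = next((c for c in copies if c["table"] == src_t), None)
            rev = next((c for c in copies if c["table"] == dst_t), None)
            if fwd is None or rev is None or fwd is rev:
                problems.append(f"copies are not in tables {src_t!r} and {dst_t!r}")
            else:
                # the reverse copy is the forward copy with both sides swapped
                expected = (fwd["dl"], fwd["dg"], fwd["sg"], fwd["sl"])
                got = (rev["sg"], rev["sl"], rev["dl"], rev["dg"])
                if expected != got:
                    problems.append(f"reverse copy not mirrored: {got} vs {expected}")
        report[eid] = problems
    return report


def overlapping_locals(entries):
    """Local addresses used as a source from more than one VRF (why src_VRF matters)."""
    seen = defaultdict(set)
    for e in entries:
        if not e["static"] and e.get("src_VRF") == e["table"]:  # forward copies only
            seen[e["sl"].split(":")[0]].add(e["src_VRF"])
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > 1}


# Sample output reconstructed from the slides; entry-id 99 is a constructed unpaired entry.
SAMPLE = {
    "A": """NAT#sh ip nat nvi translations vrf A verbose
Pro Source global      Source local       Destin  local      Destin  global
icmp 200.1.1.1:5       10.1.1.10:5        150.1.1.1:5        150.1.1.1:5
    create 00:00:28, use 00:00:28 timeout:60000, left 00:00:31, flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
icmp 200.1.1.1:11      10.1.1.10:11       200.1.1.10:11      10.1.1.10:11
    create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55, flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0
icmp 200.1.1.1:7       10.1.1.10:7        150.1.1.1:7        150.1.1.1:7
    create 00:00:01, use 00:00:01 timeout:60000, left 00:00:58, flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 99, lc_entries: 0
""",
    "B": """NAT#sh ip nat nvi translations vrf B verbose
Pro Source global      Source local       Destin  local      Destin  global
icmp 200.1.1.1:1       10.1.1.10:1        150.1.1.1:1        150.1.1.1:1
    create 00:00:13, use 00:00:13 timeout:60000, left 00:00:46, flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
icmp 200.1.1.10:11     10.1.1.10:11       200.1.1.1:11       10.1.1.10:11
    create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44, flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0
icmp 200.1.1.10:1      10.1.1.10:1        150.1.1.1:1        150.1.1.1:1
    create 00:00:08, use 00:00:08 timeout:60000, left 00:00:51, flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
---  200.1.1.10        10.1.1.10          ---                ---
    create 00:06:01, use 00:00:15 timeout:0, flags: static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
""",
    "global": """NAT#sh ip nat nvi translations verbose
Pro Source global      Source local       Destin  local      Destin  global
icmp 150.1.1.1:5       150.1.1.1:5        200.1.1.1:5        10.1.1.10:5
    create 00:00:54, use 00:00:54 timeout:60000, left 00:00:05, flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0
icmp 150.1.1.1:1       150.1.1.1:1        200.1.1.1:1        10.1.1.10:1
    create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41, flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
icmp 150.1.1.1:1       150.1.1.1:1        200.1.1.10:1       10.1.1.10:1
    create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57, flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
""",
}


def audit(tables=SAMPLE):
    """Parse every table and return (pairing report, overlapping local addresses)."""
    entries = [e for name, text in tables.items() for e in parse_table(text, name)]
    return check_pairs(entries), overlapping_locals(entries)


if __name__ == "__main__":
    report, overlap = audit()
    for eid in sorted(report):
        print(eid, "OK" if not report[eid] else "; ".join(report[eid]))
    print("locals used from several VRFs:", overlap)
```

On the sample, entries 3, 9, 12 and 14 pair up cleanly, entry 99 is reported as having a single copy, and 10.1.1.10 is listed as a local address used from both VRF A and VRF B, which is the case where the src_VRF field is the only thing that distinguishes the two hosts' return traffic.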
Slide 102. NetWork Training Center – www.facebook.com/ciscoedu2014