Explain this NAT behavior

acidsatyr wrote: »
I've been pondering about this for a while, maybe you can explain why this is working the way its working!!
Here's the scenario:
lo100
 --------R1-----------------R2
R1 lo100 = 12.0.0.1

R1 should ping R2's interface, with lo100 source. R2 doesn't have route to 12.0.0.1.

The idea is to use NAT on R1 and translate source address to something R2 knows about.
Therefore there are two solutions - inside local to inside global (ip nat inside source...) and outside global to outside local (ip nat outside source).

Solution 1: ip nat inside source static 12.0.0.1 interface s1/0
int lo100 is ip nat inside
int s1/0 is ip nat outside
This works, lo100 is translated to s1/0 when going outside and R1 can ping R2.

Solution 2: ip nat outside source static 12.0.0.1 10.0.0.1
int lo100 is ip nat outside
int s1/0 is ip nat inside
This doesn't work! But i can't see why not - lo100 from outside should be translated to inside. The translation never happens.

Do you know why?

needs a translation back, when you stablish a session translatatting and inside address to a outside address that destination address is the one translatated not the source the source stays the same so when the packet get to the inside host the inside host doesnt know how to get back out, the reason it works for for the internet or when you are translatting for example smtp
ip nat inside source static tcp 10.1.1.1 25 1.1.1.1 25
is becasue you have this overload statement that is translatting back to 1.1.1.1
ip nat inside source list inside_nated 10.1.1.1 overload
ip access-list exteneded inside_nated
permit 10.1.1.0 0.0.0.255 any
otherwise the packet will be recived but it will never be sent back because the inside host doesnt know how to get back unless there is a route

I tried my best to understand what you are saying..

When a packet gets on inside interface and there is IL->IG translation (ip nat inside source...) the source gets translated to IG. When the response gets on outside interface with IG as destination, the destination is translated back to IL.

Likewise - when a packet gets on outside interface and there is OG->OL mapping (ip nat outside source...), the source of packet is translated to OL. When this packet is sent back, and received on inside interface, it is translated back to OG.

In my second example, OG should be translated to OL ie. address that R2 knows about. But the point is that translation never happens.

In my first scenario, IL is in fact translated to IG.

In both cases address should be translated to something that R2 knows about.

acidsatyr wrote: »

I tried my best to understand what you are saying..

When a packet gets on inside interface and there is IL->IG translation (ip nat inside source...) the source gets translated to IG. When the response gets on outside interface with IG as destination, the destination is translated back to IL.

Likewise - when a packet gets on outside interface and there is OG->OL mapping (ip nat outside source...), the source of packet is translated to OL. When this packet is sent back, and received on inside interface, it is translated back to OG.

In my second example, OG should be translated to OL ie. address that R2 knows about. But the point is that translation never happens.

In my first scenario, IL is in fact translated to IG.

In both cases address should be translated to something that R2 knows about.

it doesnt translate back only the destanation is translated the source stays the same
for xample i have this ip nat inside source static 10.1.1.1 1.1.1.1
if im comming in to destination 1.1.1.1 from source 2.2.2.2 to inside host 10.1.1.1
then the destination changes to 10.1.1.1 but the source stays the same if you dont have the overload statement it wont translate back to 1.1.1.1 and 10.1.1.1 wont know how to get back to 2.2.2.2

acidsatyr wrote: »

Solution 1: ip nat inside source static 12.0.0.1 interface s1/0
int lo100 is ip nat inside
int s1/0 is ip nat outside
This works, lo100 is translated to s1/0 when going outside and R1 can ping R2.

Seeing that you are using R1's lo100 as the source there will be no NAT involved at all because R1 will not translate for itself. The workaround would be policy routing.

acidsatyr wrote: »

Solution 2: ip nat outside source static 12.0.0.1 10.0.0.1
int lo100 is ip nat outside
int s1/0 is ip nat inside
This doesn't work! But i can't see why not - lo100 from outside should be translated to inside. The translation never happens.

Do you know why?

If 10.0.0.1 is R1's s1/0 IP address this won't work either. Try something like:

ip nat outside source static 12.0.0.1 10.0.0.10

Again, in order for all this to work you have to use policy routing. Try this:

access-list 100 permit ip 12.0.0.0 0.0.0.255 any

route-map LOCAL permit 10
match ip address 100
set interface Loopback100

ip local policy route-map LOCAL

Then ping R2 and specify R1's lo100 interface as the source.

If you are using Frame-Relay on the serial interfaces you will have to map IP 10.0.0.10 to the DLCI.

try a routing protocol

ilcram19-2 wrote: »

try a routing protocol

That won't accomplish anything in this scenario.

tim100 wrote: »

That won't accomplish anything in this scenario.

R1 should ping R2's interface, with lo100 source. R2 doesn't have route to 12.0.0.1.

i see why

ilcram19-2 wrote: »

R1 should ping R2's interface, with lo100 source. R2 doesn't have route to 12.0.0.1.

i see why

Explain why you would need a route to 12.0.0.1 if you are using NAT.

Hey tim100, you understand the scenario.

I know the policy routing seems like logical solution, the thing is why does R1 need it ONLY when doing ip nat outside source translation??

See when i do ip nat inside source and the packet is sources from lo100, R1 does translate it!

When R1 tries OG->OL translation (lo100 is now *outside interface*) the trnaslation never happens!

ps. there is another issue here -> when a packet comes to outside interface the NAT translation is done before routing. When packet arrives on inside (as is the case when lo100 is outside int.), the packet that arrives from R2 on R1's serial is first done with routing lookup and then translation. This is irrelevant to scenario as R1 never does that OG->OL translation; even if there is translation R1 will get echo-reply on its S1/0 not lo100.
But i need to know why translation never happens.

acidsatyr wrote: »

See when i do ip nat inside source and the packet is sources from lo100, R1 does translate it!

Do a "debug ip nat detail" on R1 and a "debug ip packet" on R2 and then source another ping from lo100. Let me know what debugging output you get from both routers. Also post a "sh ip route" from both routers.

Scenario 1

R1 config

ip nat inside source static 12.0.0.1 10.0.0.1

interface lo100
 ip nat inside
interface s1/0
 ip nat outside


debug ip nat detail
debug ip packet detail

R1#ping 10.0.0.2 source lo100 re 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 12.0.0.1 
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 8/14/20 ms
R1#
*Apr  2 10:09:17.059: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
*Apr  2 10:09:17.063: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
*Apr  2 10:09:17.063:     ICMP type=8, code=0
*Apr  2 10:09:17.063: NAT: i: icmp (12.0.0.1, 0) -> (10.0.0.2, 0) [0]     
*Apr  2 10:09:17.063: NAT: s=12.0.0.1->10.0.0.1, d=10.0.0.2 [0]
*Apr  2 10:09:17.075: NAT*: o: icmp (10.0.0.2, 0) -> (10.0.0.1, 0) [0]
*Apr  2 10:09:17.075: NAT*: s=10.0.0.2, d=10.0.0.1->12.0.0.1 [0]
*Apr  2 10:09:17.079: IP: tableid=0, s=10.0.0.2 (Serial1/0), d=12.0.0.1 (Loopback100), routed via RIB
*Apr  2 10:09:17.079: IP: s=10.0.0.2 (Serial1/0), d=12.0.0.1, len 100, rcvd 4
*Apr  2 10:09:17.079:     ICMP type=0, code=0
*Apr  2 10:09:17.079: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
*Apr  2 10:09:17.079: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
*Apr  2 10:09:17.083:     ICMP type=8, code=0
*Apr  2 10:09:17.083: NAT: i: icmp (12.0.0.1, 0) -> (10.0.0.2, 0) [1]     
*Apr  2 10:09:17.083: NAT: s=12.0.0.1->10.0.0.1, d=10.0.0.2 [1]
*Apr  2 10:09:17.087: NAT*: o: icmp (10.0.0.2, 0) -> (10.0.0.1, 0) [1]
*Apr  2 10:09:17.087: NAT*: s=10.0.0.2, d=10.0.0.1->12.0.0.1 [1]
*Apr  2 10:09:17.087: IP: tableid=0, s=10.0.0.2 (Serial1/0), d=12.0.0.1 (Loopback100), routed via RIB

R2:

*Apr  2 10:09:17.643: IP: tableid=0, s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
*Apr  2 10:09:17.647: IP: s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
*Apr  2 10:09:17.651: IP: tableid=0, s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), routed via FIB
*Apr  2 10:09:17.655: IP: s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), len 100, sending
*Apr  2 10:09:17.679: IP: tableid=0, s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
*Apr  2 10:09:17.679: IP: s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
*Apr  2 10:09:17.679: IP: tableid=0, s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), routed via FIB

As you can see the NAT is working when Inside local is translated to Inside Global.

Scenario 2

Ri config

ip nat outside source static 12.0.0.1 10.0.0.1

interface lo100
 ip nat outside
interface s1/0
 ip nat inside

R1#ping 10.0.0.2 source lo100 re 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 12.0.0.1 

*Apr  2 10:15:43.015: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
*Apr  2 10:15:43.015: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
*Apr  2 10:15:43.015:     ICMP type=8, code=0.
*Apr  2 10:15:45.015: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
*Apr  2 10:15:45.019: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
*Apr  2 10:15:45.023:     ICMP type=8, code=0.
Success rate is 0 percent (0/2)

R2#
*Apr  2 10:15:43.591: IP: tableid=0, s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
*Apr  2 10:15:43.595: IP: s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
*Apr  2 10:15:43.599: IP: s=10.0.0.2 (local), d=12.0.0.1, len 100, unroutable
R2#
*Apr  2 10:15:45.643: IP: tableid=0, s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
*Apr  2 10:15:45.643: IP: s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
*Apr  2 10:15:45.643: IP: s=10.0.0.2 (local), d=12.0.0.1, len 100, unroutable

No NAT translation. Why does NAT work only when local sourced address is on inside an not on outside?

jason_lunde

scratch that; I had an idea but I labbed it up, it didnt work....sorry dude.