What if a border router does not have NAT?
johnifanx98
Member Posts: 329
in CCNA & CCENT
Suppose an inside host sends a packet to an outside global host. Would the router just discard the packet because of no NAT, or blindly forward it as if it's a valid packet?
Also, if a router is identified as a border router, like one interface connected to an inside network, and another interface connected to a public network, would NAT configuration be a mandatory thing?
Comments
-
NetworkVeteran Member Posts: 2,338
johnifanx98 wrote: »Suppose an inside host sends a packet to an outside global host. Would the router just discard the packet because of no NAT, or blindly forward it as if it's a valid packet?
-
mapletune Member Posts: 316
It really depends on each individual case, what kind of internet service do they have, etc.
But always remember, a router "routes packets at L3" and most of the time using IP addressing protocol.
Thus, different sides of the connection will have different CIDR/subnet. So, if your service provider gives you 1 IP for your router, and X number of IPs in another subnet for your hosts, then you can just config your router to route between the X number of hosts and the SP directly.
That will not be the case most of the time. NAT is pretty much standard.
If an inside host with private class IP domain sends a packet to the outside world, and the router is configured with a default route to the Service Provider, then it will forward that packet to the service provider. The SP will just drop it.
As for the 2nd question, like I said before, NAT is pretty much "mandatory".
cheers,
Mike
Studying: vmware, CompTIA Linux+, Storage+ or EMCISA
Future: CCNP, CCIE
-
johnifanx98 Member Posts: 329
I should not use the word "blindly". What I meant is the packet is forwarded according to the routing table, but the response will not come back correctly since no NAT.
You've mentioned "access control list". What is it and how does it help discard such non-NAT packets? I did not find this thing in my CCNA book...
Thanks,
-
johnifanx98 Member Posts: 329
mapletune wrote: »It really depends on each individual case, what kind of internet service do they have, etc.
But always remember, a router "routes packets at L3" and most of the time using IP addressing protocol.
Thus, different sides of the connection will have different CIDR/subnet mask. So, if your service provider gives you 1 IP for your router, and X number of IPs in another subnet for your hosts, then you can just config your router to route between the X number of hosts and the SP directly.
That will not be the case most of the time. NAT is pretty much standard.
If an inside host with private class IP domain sends a packet to the outside world, and the router is configured with a default route to the Service Provider, then it will forward that packet to the service provider. The SP will just drop it.
As for the 2nd question, like I said before, NAT is pretty much "mandatory".
cheers,
Mike
Mike, could you explain a bit more how/why the service provider discards such packets (with nonsense source IP)?
And, also will a router err if started without NAT configured?
-
mapletune Member Posts: 316
johnifanx98 wrote: »You've mentioned "access control list". What is it and how does it help discard such non-NAT packets? I did not find this thing in my CCNA book...
@ then I suggest getting a new book...
It basically lists the rules to turn features on or off. For example: allow traffic or not, give priority QoS, etc.
Studying: vmware, CompTIA Linux+, Storage+ or EMCISA
Future: CCNP, CCIE
-
mapletune Member Posts: 316
johnifanx98 wrote: »Mike, could you explain a bit more how/why the service provider discards such packets (with nonsense source IP)?
And, also will a router err if started without NAT configured?
Because Private IP Addresses are defined by the RFC 1918 and RFC 4193 standards. I'll refer you to those if you want to know why. But for now, Private IPs are NON-ROUTABLE in the internet.
A router will not "err" (I assume you mean have errors and break) if it runs without NAT.
Studying: vmware, CompTIA Linux+, Storage+ or EMCISA
Future: CCNP, CCIE
-
vishaw1986 Member Posts: 40
Hey John,
A router discards a packet only when it finds no router for the particular subnet; NAT has no relation to the routing. NAT is only the translation of the address.
NAT is mandatory only when you are using a private address range inside your network. For communication with the external network you need translation, so in that case you use NAT.
-
The IT Guy Member Posts: 43
Unless the outside global network is in the routing table or you have your gateway of last resort set out your inside global interface, the premise router will discard the packet because it has no clue where to send it.
You have stated that NAT is not configured, which means no translation.
So even if you had a public address assigned to your inside global interface, no NAT = no translation from private to public. No translation between your NAT inside/NAT outside interfaces that would typically connect you to the ISP via some type of WAN connection.
-
Roguetadhg Member Posts: 2,489
Just a friendly reminder - there are different versions of NAT in ICND2. PAT is what is most often referred to when people speakith "NAT". It utilizes 1 public IP for many people, at the same time! Gotta love Port Address Translation. At least, when people say "NAT", I really think "PAT".
There are other types: Dynamic NAT and Static NAT. Each implementation has its uses, so don't just forget about them!
Whoosh! And away to Security!
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
Diggs Member Posts: 97
To my knowledge the packet would be forwarded as usual to the ISP, however the ISP's router would discard the packet due to an ACL configured to prevent source private RFC 1918 addresses from being publicly routed.
-
networker050184 Mod Posts: 11,962 Mod
ISPs aren't going to put ACLs on the customer facing ports usually. What's going to be used is most likely uRPF.
An expert is a man who has made all the mistakes which can be made.
-
johnifanx98 Member Posts: 329
mapletune wrote: »@ then I suggest getting a new book...
It basically lists the rules to turn features on or off. For example: allow traffic or not, give priority QoS, etc.
I realized that ACL is just another name for "access list". I did not miss it.
-
Diggs Member Posts: 97
networker050184 wrote: »ISPs aren't going to put ACLs on the customer facing ports usually. What's going to be used is most likely uRPF.
Thanks for the clarification... can't remember where I read / heard that was the case.
-
networker050184 Mod Posts: 11,962 Mod
I won't say none of them use ACLs, but of the 20 or so large ISP networks I've worked on not a single one used customer facing ACLs to block RFC1918 sourced traffic.
An expert is a man who has made all the mistakes which can be made.
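
Added example, not part of any post in this thread: a simplified Python model of the behavior discussed above. It shows a customer router without NAT forwarding purely on destination, then an ISP edge applying either a strict uRPF check or an RFC 1918 ingress ACL to the untranslated source. The routing tables, interface names and addresses are constructed for illustration, and real uRPF implementations have more modes and options than this model.

```python
import ipaddress

# Constructed tables (documentation prefixes); interface names are hypothetical.
CUSTOMER_FIB = {"192.168.1.0/24": "lan", "0.0.0.0/0": "wan"}
ISP_EDGE_FIB = {
    "203.0.113.0/29": "cust1",    # public block routed to customer 1
    "198.51.100.0/24": "cust2",   # public block routed to customer 2
    "0.0.0.0/0": "upstream",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(fib, addr):
    """Longest-prefix match: return the outgoing interface, or None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in fib.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(fib, dst):
    """Plain routing looks only at the destination; the source is never checked."""
    return lookup(fib, dst)


def urpf_strict(fib, src, in_if):
    """Strict uRPF: accept only if the best route back to src leaves via in_if."""
    return lookup(fib, src) == in_if


def acl_permits(src):
    """Ingress ACL that denies RFC 1918 sources and permits everything else."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in RFC1918)


if __name__ == "__main__":
    # Inside host 192.168.1.10 sends to 198.51.100.50 through a router without NAT.
    print("customer router sends out:", forward(CUSTOMER_FIB, "198.51.100.50"))
    for src in ("192.168.1.10", "203.0.113.2", "198.51.100.7"):
        print(src, "uRPF:", urpf_strict(ISP_EDGE_FIB, src, "cust1"),
              "ACL:", acl_permits(src))
```

The third source, a public address that belongs to a different customer, passes the RFC 1918 ACL but fails the strict uRPF check, which is the practical difference between the two filters.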