NAT configuration application and priority

There are three common NAT modes:

1. Type 1: static address translation
2. Type 2: dynamic address translation
3. Type 3: port multiplexing

Static address translation

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
ip nat inside source static 192.168.1.1 1.1.1.1


R1#

After the interfaces are configured, configure NAT and specify the inside and outside interfaces.
Test connectivity:

R1#ping  1.1.1.2  source  192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/20 ms
R1#

Static port mapping

R1(config)#do show run | s   nat
 ip nat inside
 ip nat outside
ip nat inside source static tcp 192.168.1.1 1921 interface Ethernet0/0 1921 
ip nat inside source static 192.168.1.1 1.1.1.1
R1(config)#

Dynamic address translation

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
ip nat pool NATPOOL 1.1.1.1 1.1.1.1 netmask 255.255.255.252
!
access-list 1 permit 0.0.0.0 255.255.255.252

View NAT session

R1#ping 1.1.1.2 source   e 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms
R1#show ip nat s
R1#show ip nat statistics 
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0/1
Inside interfaces: 
  Ethernet0/0
Hits: 30  Misses: 0
CEF Translated packets: 15, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1#

Port address translation

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
ip nat inside source list 10 interface Ethernet0/1 overload
!

access-list 10 permit any

Test it.

R1(config)#
R1(config)#do ping  1.1.1.2 sou e 0/1    

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/24 ms
R1(config)#do show ip nat s
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  Ethernet0/1
Inside interfaces: 
  Ethernet0/0
Hits: 40  Misses: 0
CEF Translated packets: 20, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 10 interface Ethernet0/0 refcount 1
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1(config)#

In addition, consider the case where NAT and a route exist at the same time: in this topology, R1 has a default route out and R2 has a return route for 192.168.0.0/30. When 1.1.1.2 can be reached both with and without NAT, the point of interest is the priority between NAT and routing.

Add a default route on R1 and a return route on R2:

R1(config)#ip route  0.0.0.0 0.0.0.0 1.1.1.2 
R1(config)#
R2(config)#ip route 192.168.1.0 255.255.255.252 1.1.1.1
R2(config)#
R2(config)#

Test it.

R2(config)#do ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
R2(config)#

Enable debugging on R1

R1#debug  ip packet           
IP packet debugging is on
R1#
R1#debug ip nat            
IP NAT debugging is on
R1#debug ip nat  detailed  
IP NAT detailed debugging is on
R1#

Ping R2 from R3 and check the debug output on R1.

 R3(config)#do ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/28 ms
R3(config)#
R1(config)#
*Mar  1 05:15:55.778: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.782: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [90]
*Mar  1 05:15:55.782: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.782:     ICMP type=8, code=0
*Mar  1 05:15:55.802: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [90]
*Mar  1 05:15:55.802: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.802: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.806:     ICMP type=0, code=0
*Mar  1 05:15:55.822: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.822: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [91]
*Mar  1 05:15:55.822: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.822:     ICMP type=8, code=0
*Mar  1 05:15:55.826: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [91]
*Mar  1 05:15:55.826: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.826: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.826:     ICMP type=0, code=0
*Mar  1 05:15:55.842: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.842: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [92]
*Mar  1 05:15:55.842: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.842:     ICMP type=8, code=0
*Mar  1 05:15:55.854: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [92]
*Mar  1 05:15:55.854: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.854: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.854:     ICMP type=0, code=0
*Mar  1 05:15:55.874: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.874: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [93]
*Mar  1 05:15:55.874: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.874:     ICMP type=8, code=0
*Mar  1 05:15:55.874: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [93]
*Mar  1 05:15:55.874: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.874: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.874:     ICMP type=0, code=0
*Mar  1 05:15:55.894: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.894: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [94]
*Mar  1 05:15:55.894: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.894:     ICMP type=8, code=0
*Mar  1 05:15:55.898: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [94]
*Mar  1 05:15:55.898: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.898: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.898:     ICMP type=0, code=0
R1(config)#
R1(config)#

Remove the return route on R2

R2(config)# no ip route 192.168.1.0 255.255.255.252 1.1.1.1
R2(config)#

Ping from R3 again and check the debug output on R1

R3(config)#do ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/52 ms
R3(config)#
R1(config)# 
*Mar  1 04:59:20.890: NAT: [0] Allocated Port for 192.168.1.2 -> 1.1.1.1: wanted 14 got 14
*Mar  1 04:59:20.890: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [55]
*Mar  1 04:59:20.890: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [55]
*Mar  1 04:59:20.894: NAT*: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [55]
*Mar  1 04:59:20.938: NAT*: o: icmp (1.1.1.2, 14) -> (1.1.1.1, 14) [55]
*Mar  1 04:59:20.938: NAT*: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [55]
*Mar  1 04:59:20.946: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [56]
*Mar  1 04:59:20.946: NAT*: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [56]
*Mar  1 04:59:20.958: NAT*: o: icmp (1.1.1.2, 14) -> (1.1.1.1, 14) [56]
*Mar  1 04:59:20.958: NAT*: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [56]
*Mar  1 04:59:20.966: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [57]
*Mar  1 04:59:20.966: NAT*: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [57]
*Mar  1 04:59:20.978: NAT*: o: icmp (1.1.1.2, 14) -> (1.1.1.1, 14) [57]
*Mar  1 04:59:20.978: NAT*: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [57]
*Mar  1 04:59:20.986: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [58]
*Mar  1 04:59:20.986: NAT*: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [58]
*Mar  1 04:59:21.002: NAT*: o: icmp (1.1.1.2, 14) -> (1.1.1.1, 14) [58]
*Mar  1 04:59:21.002: NAT*: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [58]
*Mar  1 04:59:21.006: NAT*: i: icmp (192.168.1.2, 14) -> (1.1.1.2, 14) [59]
*Mar  1 04:59:21.006: NAT*: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [59]
*Mar  1 04:59:21.022: NAT*: o: icmp (1.1.1.2, 14) -> (1.1.1.1, 14) [59]
*Mar  1 04:59:21.022: NAT*: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [59]
R1(config)# 
R1(config)# 
*Mar  1 05:00:21.086: NAT: expiring 1.1.1.1 (192.168.1.2) icmp 14 (14)
R1(config)# 

Based on the debug output above, for the case where NAT and a reachable route are configured at the same time:

R1(config)#
*Mar  1 05:15:55.778: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.782: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [90]
*Mar  1 05:15:55.782: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward

When the router receives a packet, it first looks it up in the FIB, that is, the forwarding table. The FIB is generated from the routing table and mainly stores the effective routes; the routing table belongs to the control plane and the FIB belongs to the forwarding plane. Once the router knows how the packet is to go out, the packet reaches the specified interface, where the router finds that NAT is configured and performs the NAT operation: the source address 192.168.1.2 is translated to 1.1.1.1, and the destination address remains unchanged.
The modified packets are then forwarded through E0/0.
When there is no reachable route, the packet goes out directly after NAT translation.
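
The ordering described above can be checked mechanically from the debug lines. The following is an added example, not part of the original post: it parses the first echo request/reply pair from the R1 output and reports, per direction, whether the FIB lookup or the NAT rewrite was logged first. It also covers the reply packet, which the explanation above does not walk through; the function names are assumptions made for this example.

```python
import re

# First echo request/reply pair, copied from the R1 debug output above.
DEBUG_LOG = """\
*Mar  1 05:15:55.778: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), routed via FIB
*Mar  1 05:15:55.782: NAT: s=192.168.1.2->1.1.1.1, d=1.1.1.2 [90]
*Mar  1 05:15:55.782: IP: s=1.1.1.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/1), g=1.1.1.2, len 100, forward
*Mar  1 05:15:55.782:     ICMP type=8, code=0
*Mar  1 05:15:55.802: NAT: s=1.1.1.2, d=1.1.1.1->192.168.1.2 [90]
*Mar  1 05:15:55.802: IP: tableid=0, s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), routed via FIB
*Mar  1 05:15:55.802: IP: s=1.1.1.2 (Ethernet0/1), d=192.168.1.2 (Ethernet0/0), g=192.168.1.2, len 100, forward
*Mar  1 05:15:55.806:     ICMP type=0, code=0
"""

# "NAT: s=A->B, d=C [id]" rewrites the source; "s=A, d=B->C" the destination.
# The bracketed value is the IP identification field of the packet.
NAT = re.compile(r"NAT: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")

def packet_steps(log):
    """Split the log into packets (each ends at a 'forward' line) and record
    the order of FIB lookup and NAT, plus the address NAT rewrote."""
    packets, cur = [], {"steps": []}
    for line in log.splitlines():
        m = NAT.search(line)
        if m:
            s, s_new, d, d_new, ip_id = m.groups()
            cur["steps"].append("nat")
            cur["ip_id"] = int(ip_id)
            cur["rewrite"] = ("src", s, s_new) if s_new else ("dst", d, d_new)
        elif "routed via FIB" in line:
            cur["steps"].append("fib")
        elif line.rstrip().endswith("forward"):
            cur["steps"].append("forward")
            packets.append(cur)
            cur = {"steps": []}
    return packets

def order_by_direction(packets):
    """Map the rewritten field ('src' or 'dst') to the observed step order."""
    return {p["rewrite"][0]: tuple(p["steps"]) for p in packets if "rewrite" in p}

if __name__ == "__main__":
    for field, steps in order_by_direction(packet_steps(DEBUG_LOG)).items():
        print(field, "->", " > ".join(steps))
```

For the reply packet the order is reversed: the destination 1.1.1.1 is translated back to 192.168.1.2 before the FIB lookup is logged.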

Additional summary

The packet processing order is: destination NAT, policy routing, routing, source NAT.


Posted on Wed, 15 Jan 2020 02:56:11 -0500 by jaikob