Hi, and thank you for the reply. I was talking about dynamic NAT, or static NAT, where you would have a pool of public IP addresses and a pool of private addresses. In order to use one of the public IP addresses as your new source address, it has to be configured on the router, right? Or can you just have your ISP route you the subnet, and they will see the source IP as it gets NAT'd and know what to do with it?
I hope this makes more sense, I am not talking about PAT (layer 4) at all.
If I understand your question correctly, you have a /24 subnet of public IPs from your ISP and you want to use it in a dynamic NAT by which your private internal IPs can go to the internet. If this is the case, you don't need to have a pool of private IPs as you mentioned. What you need is to configure a pool of your public IPs in the dynamic NAT, by which each internal host will reserve one public IP to go to the internet.
For example: if you have configured in your router a pool of 5 public IPs, then only 5 internal private IPs at a time can go to the internet. In other words, every private IP will reserve an available public IP from the pool.
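Added example (not part of the original reply): an IOS configuration for the five-address dynamic NAT pool described above. The addresses and interface names are assumptions: 203.0.113.0/28 stands in for the public block the ISP routes to you, and 192.168.10.0/24 for the inside LAN.

```cisco
! Added example, not from the original thread. Addresses and interface
! names are assumptions: 203.0.113.0/28 stands in for the public block
! routed to you by the ISP, 192.168.10.0/24 for the inside LAN.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Link to ISP (outside)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
! Only .3 through .7 go into the pool: five public addresses, so at most
! five inside hosts hold a translation at any moment. The pool addresses
! are not configured on any interface; because they sit in the connected
! outside subnet, IOS installs ARP alias entries and answers ARP for them.
ip nat pool PUBLIC-POOL 203.0.113.3 203.0.113.7 netmask 255.255.255.240
!
! Which inside sources may be translated.
access-list 10 permit 192.168.10.0 0.0.0.255
!
! Dynamic NAT: one pool address per inside host. No "overload" keyword,
! so this is address translation only, not PAT.
ip nat inside source list 10 pool PUBLIC-POOL
!
! Optional: release idle dynamic entries sooner (seconds). The default is
! 86400, so without this a sixth host is locked out until a translation
! ages out a day later.
ip nat translation timeout 3600
!
! Verify:
!   show ip nat translations   (which inside host holds which pool address)
!   show ip nat statistics     (pool total addresses, allocated, misses;
!                               "misses" counts requests made when the
!                               pool was already exhausted)
```

If the ISP simply routes the /28 toward your outside interface, nothing further is needed on their side: they forward packets for any address in the block to you, and the pool and ARP alias entries on the router make the addresses answerable without assigning them to an interface.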
The rule is that RFC1918 IP addresses are not reachable or routable on the internet. That is a rule that ISPs are responsible for adhering to and implementing. There is no technological inability to route these addresses, but by definition everyone is required to adhere to it, and that is why you cannot do it. But even if an ISP does accept them, when they try to hand them off to other networks, the routers on the Internet at large are configured to drop any such traffic.
Cisco’s OCGs mention this because it is expected that all Internet networks are configured to adhere to this rule.
There are two fundamental ways that you can check your NATting. The first is to use the show ip nat translations command which shows you how a NAT router is translating specific addresses. An example of the output can be found here:
NAT#show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
icmp 192.168.23.10:4     192.168.123.1:4      192.168.23.3:4       192.168.23.3:4
---  192.168.23.10       192.168.123.1        ---                  ---
icmp 192.168.23.11:2     192.168.123.2:2      192.168.23.3:2       192.168.23.3:2
---  192.168.23.11       192.168.123.2        ---                  ---
Secondly, you can use the debug ip packet command, which will show you the source and destination of packets that arrive and that are sent on particular interfaces. This helps in verifying that IPs have actually been translated, and that you're not just seeing regular routing taking place. An example of the output in such a situation can be seen below:
IP: s=192.168.12.1 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
You can see both of these techniques in action in the following lessons:
Our public web server has a static PAT on our router. The router forwards the traffic after NAT to our firewall, and the firewall then forwards the traffic to our internal server.
Suddenly the connection dropped from the public side. Internal users can still see the page. After 3 to 4 hours the connection is up again. Why does such behaviour happen? How do I check the traffic during the downtime to see whether the router NATs the traffic correctly and forwards it to the next hop? How do I capture logs to show the customer that it is not a network issue?
Public IP 184.108.40.206:443 -> Private IP 172.25.182.43:443
During the issue we can see the request coming to the firewall, and the response also leaving it. But the customer can't access it from the internet.
Does the syslog include NAT translations also? How do I store the translations in the syslog? Please advise.
The above statement seems to indicate that traffic from the public Internet did indeed reach the web server, and the web server sent a response. This also tells us that the NAT router is working correctly since incoming requests reached the firewall. How do you prove that this took place? There are several ways in which you can use logs to show such traffic. One is syslog, about which you can learn more here for both IOS devices as well as ASA firewalls:
If you had your devices configured to collect logs locally, you may be able to show these logs using the appropriate commands as mentioned in the lessons above. In general, however, it’s a good idea to set up a syslog server that will collect and store these messages.
NAT translations can indeed be recorded using syslog. You can find out more information about how to monitor NAT translations and connections at this Cisco documentation:
You should be able to monitor all sessions as well by installing some monitoring software/system on the web server, the router, as well as the firewall, using tools such as SNMP or Netflow or Cisco Performance Monitor.
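Added example (not part of the original reply): an IOS configuration that sends NAT translation events to a syslog collector, so that during an outage window you can show whether the static PAT was hit and the translation existed. The collector address 192.168.50.10, the interface names, and the translation addresses (203.0.113.10 public, 172.16.20.43 internal) are assumptions.

```cisco
! Added example, not from the original thread. The syslog collector
! 192.168.50.10, interface names and the static PAT addresses are assumed.
!
! Timestamps with milliseconds make the router log and the collector log
! line up with the customer's reported outage window.
service timestamps log datetime msec localtime show-timezone
!
! Keep a local copy as well as shipping to the collector.
logging buffered 64000 informational
logging host 192.168.50.10
logging trap informational
logging source-interface GigabitEthernet0/0
!
! The static PAT under investigation: public :443 to the internal server.
ip nat inside source static tcp 172.16.20.43 443 203.0.113.10 443
!
! Emit a syslog message each time a NAT translation is created or
! removed. These are informational-level messages, so the trap level
! above must be "informational" or they never leave the box.
ip nat log translations syslog
!
! During the next outage, capture these on the router and keep them with
! the collector's records for the customer:
!   show ip nat translations verbose   (entry present? hit counters?)
!   show ip nat statistics             (hits, misses, expired entries)
!   show logging                        (local copy of the NAT events)
```

One caveat before enabling this on a busy edge router: per-translation logging produces a message for every flow that is created and torn down, which can be a large volume on a PAT gateway. Enable it for the troubleshooting period, make sure the collector can absorb the rate, and turn it off again afterwards if the message volume is a problem.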
Yes, that is correct. If there are no more available ports, and no more IP addresses in the NAT pool for use on the outside interface, then the next device that will attempt to access the internet will not be able to.
However, this limitation will rarely happen. Remember that there are over 65000 TCP/UDP ports available for use. A NAT router will first run out of CPU and memory resources if too many translations take place before it ever runs out of available ports.
I have two ports, 80 and 443, that come out as open when I scan the public IP of my outside interface.
I have not NATted anything at all from the outside interface IP to anywhere (all it does is an overload NAT), but I have NATted ports 80 and 443 from other valid public IPs that are routed to the same interface; those IPs are not the same IP as the outside interface IP.
I checked show udp (other than 18999, which is a Cisco bug) and show tcp brief (other than the mgmt interface, which is on a different local subnet): nothing came up, it's not listening on anything.
In the output of show ip nat translations, the outside interface IP has no translations for 80 or 443 (they are all overload NAT translations).
I can go ahead and put an ACL on for it, but I am afraid the router is doing something essential on these ports that I'm not aware of (this edge router is in production).
Aside from that, I want to find out why those two ports are open in the first place.
I can telnet to those ports, and they came out as open on a port scanner as well.
On an ASR, when I define two interfaces as INSIDE/OUTSIDE for NAT, does NAT by default also enable ip virtual-reassembly on those interfaces?
What is open by default on an ASR router, or on a router in general (regardless of having a firewall behind it, of course), that should be closed as a device hardening best practice for a network edge device?
I am curious: when there is a temporary overload translation on a random port, e.g. 12234, and I try to telnet to that temporary translation, why does the port not come out as open? There is a hole on the router for that port mapped to a local IP and port.
There may be several reasons for this. Ports may be open by various processes that are running on the router that may be using the internet-facing interface. Things like virtual templates, tunnels, VPN configurations, VTY lines, and NAT translation rules among other things, are capable of “opening” particular ports for an IP address that corresponds to the outside interface. You’ll have to do a bit of digging to see what else is running on the device.
You're absolutely right that you shouldn't try to block those ports since this is a production network. But keep in mind that conventional ACLs will only filter transit traffic, and not traffic destined to the router itself. If you want to filter such traffic, you must apply Control Plane Policing (CoPP). Now using CoPP, you can experiment during a maintenance window by temporarily blocking those ports. If you do this, first check if the ports are indeed blocked. If they are not, then it will give you a clue as to what kind of process may be keeping those ports open (as some processes take precedence as far as order of operations goes). If they are, then you may detect some other fault from the services using those ports, which may provide you with some valuable troubleshooting information. These are just thoughts that I hope will inspire you to troubleshoot and find the solution to the issue.
This command enables the Virtual fragmentation reassembly (VFR) feature. According to this Cisco documentation, when NAT is enabled on an interface, VFR is also automatically enabled. In some platforms, the ip virtual-reassembly command doesn’t actually appear in the interface configuration even if it is enabled. As stated in the same document, you do have the option of disabling it if you wish.
When we talk about closed ports, we're talking about ports used not for transit traffic, but for traffic destined to the device itself. Ports are opened only if a feature is configured. For example, if you don't configure SSH, port 22 will remain closed. If you don't configure Telnet, or NAT, or SNMP, or any such features, all ports will refuse connections to the device itself. When these services are opened, then you can employ CoPP as mentioned before to be sure that you are securely providing access to them. As for hardening, you can take a look at the following documentation for best practices:
Such an overload translation will only allow return traffic from an already established traffic flow. Because such a translation was initiated from the inside, by a host requesting access to a resource on the internet, the router will only allow return traffic that matches the source and destination IP addresses and ports. Any attempt from another IP address/port combination, such as your attempt, will be rejected.
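Added example (not part of the original reply): a CoPP policy for the maintenance-window experiment suggested above, matching only TCP 80 and 443 addressed to the router's own outside address, together with the VFR knob from the same reply. The outside interface address 203.0.113.2 and the interface names are assumptions.

```cisco
! Added example, not from the original thread. 203.0.113.2 is an assumed
! outside interface address; interface names are assumed as well.
!
! Match only packets addressed TO the router itself on 80/443. Transit
! traffic toward the NATted public web servers (different addresses)
! does not match and is unaffected.
ip access-list extended COPP-WEB-TO-SELF
 permit tcp any host 203.0.113.2 eq 80
 permit tcp any host 203.0.113.2 eq 443
!
class-map match-all COPP-WEB-TO-SELF
 match access-group name COPP-WEB-TO-SELF
!
! Maintenance-window test: drop everything in the class and watch two
! things, whether the scanner still reports the ports open, and whether
! any router feature starts to misbehave.
policy-map COPP
 class COPP-WEB-TO-SELF
  police 8000 conform-action drop exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
!
! Verify the class is actually seeing (and dropping) packets:
!   show policy-map control-plane input class COPP-WEB-TO-SELF
!   show access-lists COPP-WEB-TO-SELF
!
! VFR is enabled implicitly when "ip nat inside/outside" is applied and
! may not appear in the running config. The reply above notes it can be
! disabled per interface if you choose to:
interface GigabitEthernet0/1
 no ip virtual-reassembly
```

Roll the test back (no service-policy input COPP under control-plane) before the window closes. If the scanner still shows the ports open with the policy in place and counters incrementing, the listener is being reached before CoPP acts, which is the ordering clue mentioned above. Note that on newer IOS XE releases the VFR command takes a direction keyword (ip virtual-reassembly in / out), so check the platform's syntax before removing it.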
Technologically, carrier-grade NAT (CGNAT) and regular NAT function the same way. The differences between CGNAT and regular NAT have to do with the way they are implemented as well as with the scale of implementation.
CGNAT is an approach to IPv4 network design that simply moves the location of NAT from the edge of the enterprise to somewhere within the ISP’s network. In this way, an ISP can provide NAT services centrally for all of its customers rather than employing NAT at each individual customer. In essence, this simply shifts the NAT function and configuration from the customer premises to the ISP network.
The implementation of CGNAT requires that the ISP design their network accordingly. CGNAT requires NAT routers that are specially designed to handle the large volume of NAT translations that would result from such a design. Also, ISPs will have to provide private IP addresses to their customers and any port forwarding or static translations would have to be managed by the ISP based on the requirements of each customer.
The implementation of CGNAT primarily affects network design principles and not technological implementation methods.
This depends on the definition that the ISP places on that statement. I would assume that if you don’t want to use the ISP’s CGNAT, they should then give you connectivity where you can perform your own NAT at the network edge, and be provided with a public IPv4 address.
As mentioned in my previous post, you will never run out of ports on a NAT router. This is because you will first run out of resources (CPU, memory) before you run out of the 65000 available ports.
If however you (theoretically) do run out of ports, then adding additional IP addresses to the address pool of the outside interface will give you more translation options. Remember, you have 65000 ports available for translations for each outside IP address. Another option is to transition to IPv6 which will eliminate the need for NAT completely.
In this picture the admin is using multiple public IP addresses on the WAN-facing side of his router. It shows he has configured his WAN interface with the IP address 220.127.116.11/28, but he then says he will use a static NAT for the honeypot and that this address will be the red 18.104.22.168. Does he need to apply it to the same interface with a secondary IP address command, or will it automatically work with NAT because the address is within the /28 subnet? And if so, how is this possible?