NAT Virtual Interface

This topic is to discuss the following lesson:

Hi Rene,

So far I know we dont use src rewrite for Outside NAT . For outsite NAT ,We use Port forwarding to a particular IP(Dont translate SRC IP Just rewrite DST IP).So how the problem occure .I think no issue on Legacy NAT or do me more explanation in which situation, we will use NAT Virtual Interface.Thanks

br//
zaman

Hi Zaman,

The most common NAT setup is to translate from inside to outside, translating only the source IP address. Port forwarding is also very common.

It’s unlikely to see this example often in a production network but understanding the “order of operation” might be important for CCIE R&S students.

The configuration of the NAT virtual interface might be a bit simpler. One problem though is that one some routers, it’s performance is worse than “legacy NAT” so that is something to check.

Rene

Awesome (Y)

This article is important, for having a good understanding of NAT.

I do understand that the real issue is : How to reach a WAN address from a LAN domain, by pinging a LAN address (that is supposed to be translated to the target WAN address). I do also understand that the solution is not supposed to use routing rules for jumping from LAN side to WAN side.

However, some points are confusing for me.

* Point-1

The issue is first demonstrated by typing the command below :

R1#ping 192.168.12.3 repeat 1

But ; the following explanation lines do no longer use it. Instead, the command below is always used (until the begining of the section “NAT Virtual Interface”) :

R3#ping 192.168.23.1 repeat 1

* Point-2

Hard to see (in the debug ouptut) the difference between using “add-route” or not-using “add-route” !

* Point-3

The text below lets suppose that it takes two “ip nat source static” commands for the configuration of NVI.

Now let’s convert our old two NAT commands into new NAT commands:
R2(config)#ip nat source static 192.168.12.1 192.168.23.1
R2(config)#ip nat source static 192.168.23.3 192.168.12.3

* Point-4

In the command below :

R2(config)#interface range GigabitEthernet 0/1 - 1

I would say “2” at the place of the last “1”

* Point-5

The first NVI configuration example (Static NAT) does not show that the initial issue has been solved. Again, why do the command below is not tried again ?

R1#ping 192.168.12.3 repeat 1

Hello Maodo

The command ping 19.168.12.3 repeat 1 is used to test if a NAT translation without a default route will function correctly.

The command ping 192.168.23.1 repeat 1 is a completely different test. which is testing the NAT translation between 192.168.23.1 and 192.168.12.1. This can be seen from the words: “Let’s try something else…” before the command as seen below:

Secondly:

There is no difference in the debug output for when the ping goes from R3 to R1. The difference is on the return of the ping. On the return of the ping, with no add-route command, there is no indication of a NAT translation, whereas with the add-route command, the translation occurs correctly.

With these two commands, we are implementing the TWO NAT translations that were implemented in the first section. These are two separate NAT translations creating two separate NVIs.

Yes you are correct, this should read interface range GigabitEthernet 0/1 - 2 I will inform @ReneMolenaar

With the NVI, this problem will have been solved. You can lab it up, test it out and let us know your results!

I hope this has been helpful!

Laz

Rene,

Regarding NAT VI I noticed a limitation I am having when configuring this and I was wondering if you can shed some light on this.

First off, great explanations and examples of NAT VI. Network Lessons has definitely been one of my go to sources for studying and I have been recommending this site to co-workers which find this site amazing as well.

Back to my question:

When I configure NAT VI I can test my nat translations from within my LAN hitting my WAN ip address ex: (12.1.1.1 port 80) but why can I no longer remote into that device through its local IP ?
From the example given below from 10.1.1.4 I can remote into 10.1.1.2 by hitting 12.1.1.1 port 80 but I cant remote into it locally by 10.1.1.2 80 which does work with domain NAT defining inside and outside interfaces.

ex:
LAN network 10.1.1.0/24
WAN network 12.1.1.0/24

nat translation:

ip nat source list NAT interface FastEthernet0/0 overload
ip nat source static tcp 10.1.1.2 80 12.1.1.1 80 extendable
ip nat source static tcp 10.1.1.4 443 12.1.1.1 443 extendable

Thanks in advance.

Hello Juan

From my understanding, this is your topology (correct me if I’m wrong:

image

You are translating:

  • 12.1.1.1:80 on the WAN interface to 10.1.1.2:80
  • 12.1.1.1:443 on the WAN interface to 10.1.1.4:443

So, you are able to remote into Device 1 from Device 2 ONLY when you connect via the 12.1.1.1:80 address and you cannot connect when you attempt to connect directly to 10.1.1.2. Correct?

If this is the case, then the NAT configuration has nothing to do with the problem. Any communication between Device 1 and Device 2 using the 10.1.1.0/24 IP addresses will be directly between them. So the only thing I can suggest is that there is an access list or a firewall rule on device 1 blocking any connectivity to it from a source address of 10.1.1.4.

Take a look at any such configuration and let us know your progress…

I hope this has been helpful!

Laz

Thanks Laz for the quick response. Great diagram depicts exactly what I was labbing. Its strange that it doesn’t work i did this in a lab enviroment with very basic configs. I Just ip’d the interfaces and setup up nat. The strange part is that it works perfectly fine using domian nat defining inside and outside interfaces. But once i remove those commands and add ip nat enable on the interfaces unless i define the mapped ip in this case 12.1.1.1 port 80 i cant remote into the device anymore using its real IP which is why i thought it was an NAT VI limitation.

Thanks Rene… that was lucid and laid threadbare… commendable effort mate.

I have a general question. For this demo you had turned off Fast Switching by no ip route-cache and your debugs show routed via RIB .

Is it safe to say… all NAT traffic will be punted to CPU, as IP addresses on the NAT devices are involved?

Thanks,
Ayyappan

Hello Ayyappan

The quick answer is “it depends.” Really it depends on the platform. For the Catalyst 6500 switches with 720 supervisors, for example, NAT is handled in hardware while with Supervisor 1 and 2, NAT is software switched.

According to the following Cisco documentation,

“Cisco IOS NAT supports Cisco Express Forwarding switching, fast switching, and process switching.”

Regardless, the fact that the no ip route-cache command has been applied does indeed mean that all packets entering the layer-3 interface will be process switched by the CPU instead of hardware, whether NATed or not.

I hope this has been helpful!

Laz