Troubleshooting NAT / PAT

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccnp-tshoot/troubleshooting-nat-pat/

Hi Rene,
Interesting scenarios and explained by you clearly.

Thanks,
Srini

I’m confused about the 172.16.1.0 subnet.
I guess the address 172.16.1.1 is somehow configured automatically on the HOST.

Two questions :

1 - Why isn’t the static rule simply something like ip route 172.16.1.0 255.255.255.0 192.168.12.1?

2 - How can a private (inside) network (172.16.1.0) be advertised outside of the NAT?

Hello Maodo

The 172.16.1.0 subnet is a range of addresses that are given to us by the ISP that will be used to translate the INSIDE addresses to the OUTSIDE. In other words, when the Host communicates to the outside world, the 192.168.12.1 address will be translated to 172.16.1.X when it traverses the NAT router. So from the NAT router outwards, all communication occurs with the IP address 172.16.1.X. Note that this subnet essentially “exists” on the F1/0 interface of the NAT router. In a sense, it coexists with the 192.168.23.2 IP address on that interface.

Now concerning your questions:

We could add a static route as you suggest, however, a dynamic routing protocol is preferable. Using BGP to advertise this network from the NAT router to the ISP router means that any future changes will be automatically updated. Also, dynamic routing is more elegant. An ISP may have hundreds of customers and you wouldn’t want to go into the ISP router every time there is a change to be made, every time a new user is connected or every time a client cancels their connection.

Although it is true that the vast majority of NAT implementations occur on the EDGE of the network and thus translate between public and private addresses, the use of private and public addresses on the inside and outside of NAT respectively is not a requirement. The ranges used in this example are used just for educational purposes.

It is true however that you would never use private addresses on the Internet.

I hope this has been helpful!

Laz

Ok ! Ok ! I see. It’s “Dynamic NAT”, as it is explained by the following lesson.

There’s, unfortunately, something confusing in the output of show ip nat translations. The column “Inside global” does not seem to have any relation with the green “Inside” box of the schema.

Hi @kayoutoure,

The inside global address is indeed the IP address on the outside interface of the NAT router, it’s the address that you translate to. This can be a bit confusing, if you see the word “inside” you might start looking at the green inside box but you won’t find it there…:smile:.

Rene

1 Like
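To make Laz's and Rene's point concrete (the Inside global column is the ISP-assigned 172.16.1.X address the NAT router translates to, not anything inside the green box), here is a small parser for `show ip nat translations` output. It is an added example, not part of the lesson or the forum posts. The sample output is constructed to match the lesson's addressing (192.168.12.0/24 hosts, a 172.16.1.0/24 pool, 192.168.23.3 as the ISP side); the pool CIDR and the expectation that inside local addresses are RFC 1918 space are assumptions you would adjust to your own lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the lesson's addressing (not captured from a real router).
# First row: a static translation (no protocol); next rows: dynamic PAT entries.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.1.1         192.168.12.1       ---                ---
icmp 172.16.1.1:5      192.168.12.1:5     192.168.23.3:5     192.168.23.3:5
tcp 172.16.1.2:1025    192.168.12.2:1025  192.168.23.3:23    192.168.23.3:23
"""


@dataclass(frozen=True)
class Endpoint:
    address: ipaddress.IPv4Address
    port: Optional[int]          # None for plain (non-PAT) entries


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]         # None when the Pro column is "---"
    inside_global: Endpoint      # address seen from the ISP side (the translated one)
    inside_local: Endpoint       # address the host actually uses
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]


def _endpoint(token: str) -> Optional[Endpoint]:
    """Turn '172.16.1.1:5' or '172.16.1.1' into an Endpoint; '---' means absent."""
    if token == "---":
        return None
    addr, _, port = token.partition(":")
    return Endpoint(ipaddress.IPv4Address(addr), int(port) if port else None)


def parse_nat_translations(text: str) -> List[Translation]:
    """Parse the five whitespace-separated columns of show ip nat translations."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":   # skip header / blank lines
            continue
        proto = None if fields[0] == "---" else fields[0]
        ig, il, ol, og = (_endpoint(t) for t in fields[1:])
        if ig is None or il is None:
            raise ValueError(f"malformed translation line: {line!r}")
        entries.append(Translation(proto, ig, il, ol, og))
    return entries


def check_pool(entries: List[Translation], pool_cidr: str) -> List[str]:
    """Report entries whose inside global address falls outside the ISP-assigned pool,
    or whose inside local address is not private space (assumed policy for this lab)."""
    pool = ipaddress.IPv4Network(pool_cidr)
    problems = []
    for e in entries:
        if e.inside_global.address not in pool:
            problems.append(f"inside global {e.inside_global.address} is not in pool {pool}")
        if not e.inside_local.address.is_private:
            problems.append(f"inside local {e.inside_local.address} is not a private address")
    return problems


def inside_global_addresses(entries: List[Translation]) -> List[str]:
    """Distinct translated addresses in use: these are what the ISP router sees."""
    return sorted({str(e.inside_global.address) for e in entries})


def pool_utilization(entries: List[Translation], pool_cidr: str) -> Tuple[int, int]:
    """(addresses of the pool currently in use, addresses the pool contains).
    Useful when a dynamic NAT pool runs dry; assumes the pool is a whole CIDR block."""
    pool = ipaddress.IPv4Network(pool_cidr)
    in_use = {e.inside_global.address for e in entries if e.inside_global.address in pool}
    return len(in_use), pool.num_addresses


if __name__ == "__main__":
    parsed = parse_nat_translations(SAMPLE_OUTPUT)
    for t in parsed:
        print(f"{t.inside_local.address} -> {t.inside_global.address} ({t.proto or 'static'})")
    print("problems:", check_pool(parsed, "172.16.1.0/24") or "none")
    print("pool use:", pool_utilization(parsed, "172.16.1.0/24"))
```

Run it and the mapping printed per line is exactly Rene's description: the left side is the host's own address, the right side is the 172.16.1.X address that appears on the NAT router's outside interface, which is why BGP has to advertise 172.16.1.0/24 to the ISP and why no 172.16.1.X address is ever configured on the host.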

Working on the ISP side at Level 3 Communication and Zayo I always found it interesting because on the academic side they always say BGP is not really needed unless you need to do load balancing across multiple ISP.

However, when you’re actually out there in the real world that does not seem to be how the majority do it. Basically I would say the majority use BGP even for single connections. Laz’s hypothesis sounds as reasonable as any, that it’s easier for the ISP so they just go with BGP. I never really asked that question and most of the guys and girls around me probably just followed the norm as well.

I will say that normally you only get your small subnet. The ISP will give you a /30 or /29 no questions asked. You can even get a /28 without too much issue. However, if I remember correctly, you start having to submit an IPJ (IP Justification Form) at /28 and larger (larger refers to the amount of IPs, not the number, as the smaller the number the larger the amount of IPs… it’s a bit backwards thinking but that’s just the jargon-type language used).

Most customers just get a peer connection and then have default routes only sent to them. By a peer connection that just means they get their 2-6 IPs of which the ISP uses one of those for their side of the connection. Then on the inside NAT is done by the customer such as in the scenario but with just a single subnet assigned to the customer.

Then some customers need more maybe they have multiple servers. Most times we will still only go with a single subnet but they might get a /28 or /27. They can use this for a larger NAT Pool or may have some DMZ servers or equipment.

Then yet others will have exactly like the scenario or even larger. Meaning they have a subnet that they peer with the ISP but they may have prefixes (another odd term when I first started working for an ISP, as I like to say subnets lol… but you get used to it quickly) that they purchased on their own and have registered with ARIN (if in the US) or others.

In that latter case they might have multiple prefixes and these they would advertise through BGP with the network command such as in the scenario. The Service Provider side is interesting and a bit different as often they use IS-IS for their IGP (which I am not as familiar with) and they use MPLS and VRF, and E-LAN and E-Line as well as BGP.

I was a bit lost when I first got into it but you soon get a list of commands to use to troubleshoot most of the problems that happen. It’s all fiber as well so you are troubleshooting a lot of fiber and light issues.

I am certainly not an expert on the SP side though I do have about a year of hands-on experience with it, and I normally study at home as well as I like learning about things and hate having unanswered questions. My favorite though is still the corporate enterprise side, which is what we study in regular routing and switching using IOS and IOS XE.

I did learn about IOS XR though, which is an entirely different beast, as well as Juniper and Alcatel-Lucent (I am still not an ALU fan, probably because to me it’s really different. I have troubleshot BGP and MPLS on it however and increased the size of allowed prefixes when that was exceeded and caused BGP to stop working and go active, but it was definitely not comfortable for me).

Anyway, my consulting gig with the ISP ended so I am not working with those technologies currently and am back in the job market and excited to see where my next employment opportunity will take me. Real world experience combined with academic training and learning really accelerates your growth.

If you have a strong background in one area, however, I believe it makes the others easier to pick up in minutes and hours in what otherwise might take weeks or months.

Anyway, this was a nice section, I enjoyed it.

4 Likes