Saturday, October 3, 2009

NAT Overload

In this post I'll configure NAT Overload (PAT) on my Cisco router.

NAT is primarily used for the following purposes:

  • To efficiently utilise public IP addresses and slow the depletion of IP version 4 addresses.
  • To help mask the internal IP address ranges from external sources (this hides the addressing, but it is not a firewall: the outside interface still needs an access list to control what is allowed in).
  • To aid in the merge of similarly addressed networks.

NAT can either be used in a one to many configuration (PAT), or a one to one configuration (Static or Dynamic). Here I'll cover NAT Overload.


When used in a one to many configuration the router uses the port numbers to tell connections apart. For example:

Internal - External
192.168.1.1:4567 - 80.233.1.67:4567
192.168.1.2:3458 - 80.233.1.67:3458

The same external address is used for both hosts, and the router keeps each host's original source port as the translated source port where it can. If two internal hosts happen to pick the same source port, the router substitutes a different free port for one of them, because the port is what identifies the flow when the reply comes back. A reply that matches no entry in the translation table has nowhere to be delivered and is dropped, which is why inbound connections to the shared address do not reach internal hosts unless a static mapping exists.
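The behaviour described above, as an added model written for this post (it is not Cisco IOS code): many inside hosts share the one inside-global address used later in the lab, 10.0.1.199, and are told apart by the translated source port. The fallback port range starting at 1024, used only when a host's own source port is already taken, is an assumption of the model.

```python
# Added illustration of NAT overload (PAT): one inside-global address shared by
# many inside hosts, distinguished by source port. Model code for this post, not
# Cisco IOS; EPHEMERAL_START is an assumed fallback port range.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_NET = ip_network("192.168.2.0/24")   # what access-list 10 permits
INSIDE_GLOBAL = "10.0.1.199"                # the single address in Secure-Pool
EPHEMERAL_START = 1024                      # assumed: first port tried on a collision


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp" (for icmp the "port" is the query id)
    src: str
    sport: int
    dst: str
    dport: int


class PatTable:
    """Translation state for one inside-global address."""

    def __init__(self) -> None:
        # extended entry: (proto, inside local, local port, outside, outside port) -> global port
        self._out: dict = {}
        # reverse index for returning traffic: (proto, global port, outside, outside port)
        self._back: dict = {}
        self._ports_in_use: set = set()

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when it is free (port preservation);
        # otherwise hand out the next free port so both flows stay distinguishable.
        if (proto, wanted) not in self._ports_in_use:
            return wanted
        for port in range(EPHEMERAL_START, 65536):
            if (proto, port) not in self._ports_in_use:
                return port
        raise RuntimeError("PAT port space exhausted for " + INSIDE_GLOBAL)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the rewritten packet, or None when the
        source is not in the NAT'd range (the access list does not match it)."""
        if ip_address(pkt.src) not in INSIDE_NET:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self._out.get(key)
        if gport is None:
            gport = self._alloc_port(pkt.proto, pkt.sport)
            self._out[key] = gport
            self._back[(pkt.proto, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self._ports_in_use.add((pkt.proto, gport))
        return Packet(pkt.proto, INSIDE_GLOBAL, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only packets matching an existing translation are
        forwarded; an unsolicited connection to the shared address matches
        nothing and is dropped."""
        if pkt.dst != INSIDE_GLOBAL:
            return None
        entry = self._back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        local, lport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)

    def show(self) -> list:
        """Rows in the spirit of 'show ip nat translations': proto, inside global, inside local, outside."""
        return sorted(
            (p, f"{INSIDE_GLOBAL}:{g}", f"{src}:{sp}", f"{dst}:{dp}")
            for (p, src, sp, dst, dp), g in self._out.items()
        )


def demo() -> dict:
    """Two inside hosts pick the same source port towards the same web server."""
    pat = PatTable()
    a = pat.outbound(Packet("tcp", "192.168.2.1", 4567, "80.233.1.67", 80))
    b = pat.outbound(Packet("tcp", "192.168.2.2", 4567, "80.233.1.67", 80))
    # the server's reply to the second flow comes back to 10.0.1.199:<global port>
    reply = pat.inbound(Packet("tcp", "80.233.1.67", 80, INSIDE_GLOBAL, b.sport))
    # an unsolicited SYN to the shared address matches no translation
    stray = pat.inbound(Packet("tcp", "203.0.113.9", 40000, INSIDE_GLOBAL, 22))
    return {"a": a, "b": b, "reply": reply, "stray": stray, "table": pat.show()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the first host keeping port 4567, the second host (which chose the same port) being moved to 1024, the reply to 10.0.1.199:1024 being delivered back to 192.168.2.2:4567, and the stray inbound SYN returning None.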


Configuration

To configure NAT Overload so that all my internal hosts on the 192.168.2.0/24 subnet (defined in the access list in step 3) are translated to the single address 192.168.2.10 (defined in the NAT pool in step 2), the following steps are needed.


1. Mark the inside and outside interfaces.

Secure#conf t
Secure(config)#interface eth 0
Secure(config-if)#ip nat inside
Secure(config-if)#interface eth 1
Secure(config-if)#ip nat outside
Secure(config-if)#exit



2. Create the pool of addresses to be used for NAT (a single address here, so the start and end of the range are the same).

Secure(config)#ip nat pool Secure-Pool 192.168.2.10 192.168.2.10 net 255.255.255.0



3. Create a standard ACL that identifies addresses that will be NAT'd

Secure(config)#ip access-list standard 10
Secure(config-std-nacl)#permit 192.168.2.0 0.0.0.255


4. Enable NAT

Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

When I ping the external host all traffic is seen as coming from the address that I set up in the pool.



All works well, but because of my lab setup I need to change the pool address to one that is routable on my other network, which connects to the internet. The NAT statement is removed first; note that IOS refuses to redefine a pool that still has active translations, so clear them with clear ip nat translation * if the new pool command is rejected.

Secure(config)#no ip nat inside source list 10 pool Secure-Pool overload
Secure(config)#ip nat pool Secure-Pool 10.0.1.199 10.0.1.199 net 255.255.255.0
Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

Now from my lab I can get access to the web, and if I ping a host on my lab net I see the correct NAT address returned.





Troubleshooting and Debugging

A useful show command for looking at active translations is:

Secure#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.0.1.199:768     192.168.2.4:768    10.0.1.5:768       10.0.1.5:768
---  10.0.1.199         192.168.2.4        ---                ---
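A quick check to run after a reconfiguration like the one above, as an added example for this post (not IOS code): parse the show ip nat translations output and confirm that every inside local address is within the range access-list 10 permits and that every inside global address is the one address in Secure-Pool. The first two rows of the sample are the output shown above; the last two rows are constructed, the final one deliberately using a host outside the permitted range so the check has something to report.

```python
# Added example for this post (not IOS code): parse 'show ip nat translations'
# output and check every row against the intended NAT policy. The first two
# rows of SAMPLE are from the router output above; the last two are constructed.
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SAMPLE = """\
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.0.1.199:768     192.168.2.4:768    10.0.1.5:768       10.0.1.5:768
---  10.0.1.199         192.168.2.4        ---                ---
tcp  10.0.1.199:4567    192.168.2.7:4567   80.233.1.67:80     80.233.1.67:80
tcp  10.0.1.199:1025    192.168.9.9:1025   80.233.1.67:80     80.233.1.67:80
"""

Endpoint = Tuple[Optional[str], Optional[int]]


def parse_endpoint(field: str) -> Endpoint:
    """'10.0.1.199:768' -> ('10.0.1.199', 768); '10.0.1.199' -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_translations(text: str) -> List[dict]:
    """One dict per translation row; the header and blank lines are skipped.
    Rows whose Pro column is '---' are simple (address-only) entries, the
    others are extended entries that carry ports."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": parse_endpoint(ig),
            "inside_local": parse_endpoint(il),
            "outside_local": parse_endpoint(ol),
            "outside_global": parse_endpoint(og),
        })
    return rows


def check_policy(rows: List[dict], inside_net: str, pool_addr: str) -> List[str]:
    """Describe every row that does not fit the policy: inside local must be
    inside inside_net (the ACL range) and inside global must be pool_addr."""
    net = ip_network(inside_net)
    problems = []
    for r in rows:
        il_addr, il_port = r["inside_local"]
        ig_addr, ig_port = r["inside_global"]
        if ip_address(il_addr) not in net:
            problems.append(f"inside local {il_addr} is outside the NAT'd range {net}")
        if ig_addr != pool_addr:
            problems.append(f"inside global {ig_addr} is not the pool address {pool_addr}")
        if r["proto"] is not None and (il_port is None or ig_port is None):
            problems.append(f"extended {r['proto']} entry for {il_addr} is missing a port")
    return problems


def audit(text: str, inside_net: str = "192.168.2.0/24", pool_addr: str = "10.0.1.199") -> List[str]:
    """Parse and check in one step; defaults are this post's access-list 10 range and pool."""
    return check_policy(parse_translations(text), inside_net, pool_addr)


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(f"{len(rows)} translations")
    for problem in audit(SAMPLE):
        print("POLICY:", problem)
```

The same parser works on a file saved from the console; anything flagged by audit() is a translation the access list or pool definition should not have produced, which is worth a look at the running configuration.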



For looking at translations as they happen you can use debug ip nat detailed (terminal monitor is needed first if you are connected over telnet or SSH, otherwise debug output only appears on the console). Be aware that this logs every translated packet, so on a busy router it can load the CPU and flood the log; turn it off with undebug all as soon as you have what you need.

Secure#terminal monitor
Secure#debug ip nat detailed
IP NAT detailed debugging is on
Secure#
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56303]
*Sep 27 14:09:52.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [32653]
*Sep 27 14:09:52.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [32653]
Secure#
*Sep 27 14:09:53.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56304]
*Sep 27 14:09:53.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56304]
*Sep 27 14:09:53.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [61886]
*Sep 27 14:09:53.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [61886]
Secure#
*Sep 27 14:09:54.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56305]
*Sep 27 14:09:54.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56305]
*Sep 27 14:09:54.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [47007]
*Sep 27 14:09:54.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [47007]
Secure#
*Sep 27 14:09:55.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56306]
*Sep 27 14:09:55.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56306]
*Sep 27 14:09:55.915: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [28657]
*Sep 27 14:09:55.915: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [28657]
Secure#

In the output above we're looking at ICMP traffic from 192.168.2.4 to 10.0.1.5. The i: lines are packets arriving on the inside interface and the o: lines are the replies arriving on the outside interface; the s= and d= lines show the rewrite itself, the source 192.168.2.4 becoming 10.0.1.199 on the way out and the destination 10.0.1.199 becoming 192.168.2.4 on the way back. The number in square brackets is the IP identification field of the packet, which lets you match an outbound packet to its reply.


For NAT statistics:

Secure#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 1 extended)
Outside interfaces:
  Ethernet1
Inside interfaces:
  Ethernet0
Hits: 4295  Misses: 212
CEF Translated packets: 3413, CEF Punted packets: 1847
Expired translations: 637
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 2 pool Secure-Pool refcount 2
 pool Secure-Pool: netmask 255.255.255.0
        start 10.0.1.199 end 10.0.1.199
        type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
Secure#
