We see a lot of examples of NAT configuration based on inside NAT, aka source NAT, but we rarely use outside NAT, aka destination NAT. In this article we will discuss a use case of destination NAT.

Before we start our discussion on destination NAT (the ‘ip nat outside source static X Y’ command) and what it does, let’s refresh the NAT terminology and general rules.

NAT comes in handy when we want to mask/hide our IP address while communicating. Both source and destination IP addresses can be NATed on the router (let’s call it the boundary router).

NAT order of operation:

  1. When a packet arrives on an interface which is configured as ‘ip nat inside’:
    • The packet is first checked against the NAT access-list (the interesting traffic) to see if it qualifies.
    • The packet is then checked for its destination address.
    • If the destination is reachable via an interface configured as ‘ip nat outside’, then before the packet is sent out on the egress interface, the source address is masked/NATed.
  2. When the return packet arrives on an interface which is configured as ‘ip nat outside’:
    • The packet is first compared with the NAT translation table for a matching entry.
    • If a matching entry is found, the destination IP and port are replaced as per the entry before the packet is routed toward the inside interface.

 

NAT terminology

The terminology below depends on your perspective, i.e. the network you control. The network you control or view is the inside of your network, and everything else is outside.

Inside Local – The IP address of the inside network as viewed locally (e.g. your LAN or private network)

Inside Global – The IP address of the inside network as viewed by the outside world (e.g. your public IP on the WAN interface)

Outside Local – The IP address of the outside network as viewed by you

Outside Global – The IP address of the outside network as viewed by the outside world

Now coming to our topic of destination NAT:

  1. As the name suggests, here the destination IP will be masked/NATed.
  2. This is used when we are dealing with overlapping network scenarios.

 

Let’s have our small topology ready:

[Topology diagram: NAT]

R1 (loopback 1 – 123.123.123.1/24)

R3 (loopback 3 – 123.123.123.3/24)

R1 and R3 both have default static routes pointing to R2.

Now if you look, both R1 and R3 have an overlapping network of 123.123.123.0/24. If we want to reach R3’s loopback IP 123.123.123.3 from R1’s loopback interface 123.123.123.1, then with the usual config it won’t work, because R1 will not send the packet out: the destination IP address falls under its connected interface loopback 1.

To confirm this, let’s enable “debug ip packet” on R1:

R1#ping 123.123.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.3, timeout is 2 seconds:

*Apr 29 05:29:29.357: IP: s=123.123.123.1 (local), d=123.123.123.3, len 100, local feature, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 05:29:29.357: IP: s=123.123.123.1 (local), d=123.123.123.3 (Loopback1), len 100, sending
*Apr 29 05:29:29.357: IP: s=123.123.123.1 (local), d=123.123.123.3 (Loopback1), len 100, sending full packet
*Apr 29 05:29:29.362: IP: s=123.123.123.1 (Loopback1), d=123.123.123.3, len 100, input feature, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 05:29:29.362: IP: s=123.123.123.1 (Loopback1), d=123.123.123.3 (Loopback1), len 100, rcvd local pkt.
*Apr 29 05:29:31.358: IP: s=123.123.123.1 (local), d=123.123.123.3, len 100, local feature, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 05:29:31.358: IP: s=123.123.123.1 (local), d=123.123.123.3 (Loopback1), len 100, sending
*Apr 29 05:29:31.358: IP: s=123.123.123.1 (local), d=123.123.123.3 (Loopback1), len 100, sending full packet
*Apr 29 05:29:31.363: IP: s=123.123.123.1 (Loopback1), d=123.123.123.3, len 100, input feature, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 05:29:31.363: IP: s=123.123.123.1 (Loopback1), d=123.123.123.3 (Loopback1), len 100, rcvd local pkt.
<Output Truncated>

As you see from the above debug output of R1, the packets are not egressing out of E0/0, as the network 123.123.123.0/24 is connected on loopback 1.

Now to achieve our result we need to change the destination address, so that we can fool R1.

Let’s tell R1 that 123.123.123.3 = 33.33.33.33: if it wants to reach 123.123.123.3, it has to send the traffic to 33.33.33.33.

How will we do that? Here is the config:

int eth 0/0
ip nat outside

int loop 1
ip nat inside

ip nat outside source static 123.123.123.3 33.33.33.33

Now let’s ping from R1 loopback 1 to 33.33.33.33 and enable debug ip nat:

R1#ping 33.33.33.33 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 123.123.123.1 

*Apr 29 06:07:09.120: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [60].
*Apr 29 06:07:11.120: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [61].
*Apr 29 06:07:13.123: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [62].
*Apr 29 06:07:15.124: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [63].
*Apr 29 06:07:17.124: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [64].
Success rate is 0 percent (0/5)
R1#
R1#
R1#show ip nat tra
R1#show ip nat translations 
Pro Inside global Inside local Outside local Outside global
--- --- --- 33.33.33.33 123.123.123.3
icmp 123.123.123.1:12 123.123.123.1:12 33.33.33.33:12 123.123.123.3:12
R1#

We did not get the response back. What went wrong?

If you look at the debug output, we can notice that our config on R1 is working fine. The destination IP is now changed to 123.123.123.3 before the packet is sent out of Ethernet 0/0.

*Apr 29 06:07:09.120: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [60].

The final packet, when it egresses out of R1, has source IP 123.123.123.1 and destination IP 123.123.123.3.

If the destination NAT is working on R1 as expected, then what went wrong? Why is the response not coming back?

If you said to check the remote end, R3, you are correct.

On R3 it is the usual config; NAT is not configured. So when the packet reaches R3, it has source IP 123.123.123.1 and destination IP 123.123.123.3. When R3 generates the reply packet, it won’t be sent out of its interface, as 123.123.123.0/24 is a connected network.

So to achieve our result, let’s fool R3 now 🙂

Config on R3:

int eth 1/0
ip nat outside

int loop 3
ip nat inside

ip nat outside source static 123.123.123.1 11.11.11.11

Now let’s do the same ping test from R1 loopback 1 to IP address 33.33.33.33:

R1#
R1#ping 33.33.33.33 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 123.123.123.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
R1#

Wow!!! We have the response now. The ping is successful.

Now we should have a look at the debug ip nat output on R1:

R1#
*Apr 29 06:26:39.430: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [75]
*Apr 29 06:26:39.432: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [75]
*Apr 29 06:26:39.437: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [76]
*Apr 29 06:26:39.440: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [76]
*Apr 29 06:26:39.444: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [77]
*Apr 29 06:26:39.446: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [77]
*Apr 29 06:26:39.451: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [78]
*Apr 29 06:26:39.453: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [78]
*Apr 29 06:26:39.458: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [79]
*Apr 29 06:26:39.459: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [79]
R1#show ip nat translations 
Pro Inside global Inside local Outside local Outside global
--- --- --- 33.33.33.33 123.123.123.3
icmp 123.123.123.1:15 123.123.123.1:15 33.33.33.33:15 123.123.123.3:15
R1#

ICMP Echo request:

The actual ping request packet had source 123.123.123.1 and destination 33.33.33.33. The destination NAT config on R1 changed the destination IP address from 33.33.33.33 to 123.123.123.3, and then the packet moved out from eth 0/0.

*Apr 29 06:26:39.430: NAT: s=123.123.123.1, d=33.33.33.33->123.123.123.3 [75]

ICMP Echo Reply:

On return, the actual ICMP reply came with source 123.123.123.3 and destination 123.123.123.1. Once the packet reached eth 0/0 of R1, the NAT table was checked. As a NAT table entry was present, the packet’s source IP address was changed from 123.123.123.3 to 33.33.33.33.

*Apr 29 06:26:39.432: NAT*: s=123.123.123.3->33.33.33.33, d=123.123.123.1 [75]

We should have a look at the debug ip nat output on R3 as well:

R3#
*Apr 29 06:26:39.431: NAT: s=123.123.123.1->11.11.11.11, d=123.123.123.3 [75]
*Apr 29 06:26:39.431: NAT: s=123.123.123.3, d=11.11.11.11->123.123.123.1 [75]
*Apr 29 06:26:39.438: NAT*: s=123.123.123.1->11.11.11.11, d=123.123.123.3 [76]
*Apr 29 06:26:39.439: NAT: s=123.123.123.3, d=11.11.11.11->123.123.123.1 [76]
*Apr 29 06:26:39.445: NAT*: s=123.123.123.1->11.11.11.11, d=123.123.123.3 [77]
*Apr 29 06:26:39.445: NAT: s=123.123.123.3, d=11.11.11.11->123.123.123.1 [77]
*Apr 29 06:26:39.452: NAT*: s=123.123.123.1->11.11.11.11, d=123.123.123.3 [78]
*Apr 29 06:26:39.453: NAT: s=123.123.123.3, d=11.11.11.11->123.123.123.1 [78]
*Apr 29 06:26:39.459: NAT*: s=123.123.123.1->11.11.11.11, d=123.123.123.3 [79]
*Apr 29 06:26:39.459: NAT: s=123.123.123.3, d=11.11.11.11->123.123.123.1 [79]
IOU3#
IOU3#show ip nat translations 
Pro Inside global Inside local Outside local Outside global
--- --- --- 11.11.11.11 123.123.123.1
icmp 123.123.123.3:15 123.123.123.3:15 11.11.11.11:15 123.123.123.1:15
R3#
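To make the three stages above concrete (R1 alone, R1 with NAT but R3 without, and both with NAT), here is an added Python model of how ‘ip nat outside source static’ rewrites addresses on R1 and R3; it is not IOS code and not from the original post, and the Router class, its routing-then-NAT ordering and its log format are assumptions made to mimic the debug lines shown above.

```python
import ipaddress

class Router:
    """Model of one article router: a connected /24 on its loopback plus optional
    'ip nat outside source static <outside-global> <outside-local>' entries."""
    def __init__(self, loopback_net, outside_static=None):
        self.connected = ipaddress.ip_network(loopback_net)  # the /24 on the loopback
        self.static = outside_static or {}  # {outside global: outside local}
        self.log = []  # mimics 'debug ip nat' / 'debug ip packet' lines (assumed format)

    def egress(self, src, dst):
        """Inside -> outside: routing first, then NAT (dst outside-local -> outside-global)."""
        if ipaddress.ip_address(dst) in self.connected:
            self.log.append(f"IP: d={dst} ({self.connected}), rcvd local pkt")
            return None  # never leaves the box, as in the first debug ip packet output
        for og, ol in self.static.items():
            if dst == ol:
                self.log.append(f"NAT: s={src}, d={dst}->{og}")
                return src, og
        return src, dst

    def ingress(self, src, dst):
        """Outside -> inside: NAT first (src outside-global -> outside-local), then routing."""
        ol = self.static.get(src)
        if ol:
            self.log.append(f"NAT*: s={src}->{ol}, d={dst}")
            return ol, dst
        return src, dst

def ping(client, server, src, dst):
    """One echo request client->server and its reply; True only if the reply gets back to src."""
    out = client.egress(src, dst)
    if out is None:
        return False
    s, d = server.ingress(*out)
    back = server.egress(d, s)  # the server replies from the address it was hit on
    if back is None:
        return False
    return client.ingress(*back) == (dst, src)

def scenario(r1_nat, r3_nat):
    """R1 pings R3 as in the article, with or without each side's static entry."""
    r1 = Router("123.123.123.0/24", {"123.123.123.3": "33.33.33.33"} if r1_nat else None)
    r3 = Router("123.123.123.0/24", {"123.123.123.1": "11.11.11.11"} if r3_nat else None)
    target = "33.33.33.33" if r1_nat else "123.123.123.3"
    return ping(r1, r3, "123.123.123.1", target), r1.log + r3.log

if __name__ == "__main__":
    for cfg in ((False, False), (True, False), (True, True)):
        print(cfg, scenario(*cfg))
```

The combined log of the last scenario reproduces the four translation lines seen on R1 and R3 for one echo request/reply pair.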

 

I hope my example has clarified some of the doubts you earlier had on destination NAT.

Note:-
If you are wondering how R2 was routing the packets, I configured two static routes on R2:
ip route 123.123.123.1 255.255.255.255 12.12.12.1
ip route 123.123.123.3 255.255.255.255 23.23.23.3
The focus of this article is to show the config and working of destination NAT. To simplify the setup I have put specific routes on R2 for end-to-end connectivity.