Let's consider a situation. You have a network with 2 routers (one router and one L3 switch), as you can see in this diagram:
The LAN network uses private addresses (RFC 1918) and is routed to the Internet via the L3 switch-router R2. L3 switch-routers such as R2 (it may be a plain L3 switch) are generally not capable of doing NAT/PAT. So the switch-router R2 simply sends every packet from the LAN network to the router R1, where we are going to do PAT (network and port address translation) for the private address range used in the LAN.
This situation is a little bit tricky. In the normal situation, where one interface of the router is connected to the LAN and another interface is connected to the Internet, you put the "ip nat inside" command on the LAN interface and the "ip nat outside" command on the Internet interface, add some "ip nat inside source ..." commands to the configuration, and the NAT/PAT router is ready.
Well, in our situation the router R1 has only one interface, which is connected to the Internet and is used to route the LAN traffic as well. If you try to put both "ip nat inside" and "ip nat outside" on the same interface, only one of these commands will remain in the interface configuration (the last one entered). And as you know, the NAT process is applied only to packets that travel from an inside interface to an outside interface.
The workaround for this situation is to create a loopback interface, which PBR (Policy Based Routing) will use as the next-hop interface for packets coming from the LAN network (through R2) to the Ethernet interface of the router. The loopback is configured with the "ip nat inside" command. Packets sent to the loopback therefore pass through an "ip nat inside" interface and then continue their journey to the Internet over the Ethernet connection, where we put the "ip nat outside" command. That means that when packets from the LAN network arrive at the router R1, they are sent to the loopback interface, where they turn around and pick up the "nat inside" setting. On the way back out (to the Internet via the default route) they leave the router on the "nat outside" Ethernet interface. Now we can apply the NAT/PAT process to these packets.
R1's configuration:
R1#sh run
Building configuration...
!
! The special loopback interface used for turning packets around inside the router
interface Loopback0
 description NATLO
 ! This IP address can be any, just update the next hop in PBR
 ip address 172.16.255.253 255.255.255.252
 ! Let's mark packets going through this interface as packets with the nat inside flag
 ip nat inside
!
! This is the actual real interface used for incoming and outgoing traffic as well
interface Ethernet1/0
 description Inet
 ! should be a public IP address
 ip address 5.0.0.1 255.255.255.0
 ! disable ICMP redirect messages - may be useful
 no ip redirects
 ! Finally, when we get a packet flagged with "nat inside", the router can apply the NAT/PAT process
 ip nat outside
 ! Route incoming packets from the LAN by PBR rules
 ip policy route-map toNat
!
! The default route to the Internet (ISP)
ip route 0.0.0.0 0.0.0.0 5.0.0.2
!
! ACL for PBR and NAT/PAT
access-list 1 remark LAN_IPs
access-list 1 permit 192.168.1.0 0.0.0.255
!
! PAT as always
ip nat inside source list 1 interface Ethernet1/0 overload
!
! and the PBR
route-map toNat permit 10
 match ip address 1
 ! The next hop should be an IP address from the Lo0 IP network (except the Lo0 address itself!)
 set ip next-hop 172.16.255.254
!

R1#debug ip nat
*Mar 30 00:56:14.019: NAT: s=192.168.1.2->5.0.0.1, d=1.1.1.1 [90]
*Mar 30 00:56:14.119: NAT: s=5.0.0.2, d=5.0.0.1->192.168.1.2 [132]
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 5.0.0.1:18        192.168.1.2:18     1.1.1.1:18         1.1.1.1:18
You can find more information about this topic, pretty well documented, in Cisco's paper called "Network Address Translation on a Stick". Enjoy :-)
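As an added example (not from the original post, nor Cisco's own tooling), here is a small Python checker for the invariants the configuration above relies on: exactly one "ip nat inside" and one "ip nat outside" interface, a PBR next hop that lies in the loopback's subnet but is not the loopback address itself, and a route back to the LAN, which the displayed configuration does not contain. The sample config is constructed from R1's configuration; the R2 address 5.0.0.3 used for the LAN route is an assumption.

```python
import ipaddress
# Constructed sample: the post's R1 config cut to the lines this check needs, plus a LAN route via R2 (5.0.0.3 is assumed).
R1_CONFIG = """\
interface Loopback0
 ip address 172.16.255.253 255.255.255.252
 ip nat inside
interface Ethernet1/0
 ip address 5.0.0.1 255.255.255.0
 ip nat outside
 ip policy route-map toNat
ip route 192.168.1.0 255.255.255.0 5.0.0.3
route-map toNat permit 10
 set ip next-hop 172.16.255.254
"""

def parse_blocks(cfg):
    """Return (top-level lines, {"interface X" / "route-map X": [indented lines]})."""
    top, blocks, cur = [], {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur is not None:
            cur.append(raw.strip())                 # line belongs to the open block
        else:
            top.append(raw.strip())
            t = raw.split()
            is_block = len(t) > 1 and t[0] in ("interface", "route-map")
            cur = blocks.setdefault(f"{t[0]} {t[1]}", []) if is_block else None
    return top, blocks

def find(lines, prefix):
    return next((l.split() for l in lines if l.startswith(prefix)), None)

def check_nat_on_a_stick(cfg, lan="192.168.1.0/24"):
    """Return the violated NAT-on-a-stick invariants (empty list means all hold)."""
    top, blocks = parse_blocks(cfg)
    lan, problems = ipaddress.ip_network(lan), []
    inside = [b for n, b in blocks.items() if n.startswith("interface ") and "ip nat inside" in b]
    outside = [b for n, b in blocks.items() if n.startswith("interface ") and "ip nat outside" in b]
    if len(inside) != 1 or len(outside) != 1:
        return ["need exactly one 'ip nat inside' and one 'ip nat outside' interface"]
    a = find(inside[0], "ip address ")
    lo = ipaddress.ip_interface(f"{a[2]}/{a[3]}")      # loopback address and its /30
    pol = find(outside[0], "ip policy route-map ")
    nh = find(blocks.get(f"route-map {pol[3]}", []), "set ip next-hop ") if pol else None
    hop = ipaddress.ip_address(nh[3]) if nh else None
    if hop is None or hop not in lo.network or hop == lo.ip:
        problems.append("PBR next-hop must lie in the loopback subnet and differ from the loopback address")
    routes = [ipaddress.ip_network(f"{r.split()[2]}/{r.split()[3]}") for r in top if r.startswith("ip route ")]
    if not any(lan.subnet_of(n) for n in routes if n.prefixlen > 0):   # a default route does not count
        problems.append(f"no route to the LAN {lan}; the default route alone does not reach it")
    return problems
```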


8 comments:
Hi, jozjan...
Many thx for the article
This article explained this well. Thank you.
You are welcome :-)
thx for the article
good job
how R1 knows about the route to 192.168.1.0/24?
@Anonymous: in the displayed configuration we are missing a static route (or some sort of Dynamic Routing Protocol) to the 192.168.1.0/24 network through the R2 router.
I think this blog is pretty cool, it has a lot of good and interesting content, good for you. I hope you can add more useful information and upgrade your site, I like it, it has full details about router configuration and remember there are good medicines to reduce fever and it's always important take care so much about our health
Thank you very much, very interesting thing!!!