May 17, 2012
 

Facts of NAT

NAT Inside: the source address (SA) of a packet is translated as the packet hits the INSIDE interface, provided the NAT router finds that the destination IP is not directly attached and that it has a ROUTE to the destination.

The destination address (DA) of a packet is translated as the packet hits the OUTSIDE interface. Only then is it ROUTED.

NAT Outside: the destination address of a packet is translated as the packet hits the INSIDE interface, and then the packet is ROUTED to its destination. When a packet hits the OUTSIDE interface, it is ROUTED first and then its source address is translated.

NAT Inside:

On R1, e0/0 is the outside interface and e0/1 is the inside interface. A static NAT inside translation is configured as follows:

 R1(config)#ip nat inside source static 13.0.0.3 100.0.0.1

With this configuration, a packet sourced from the inside with a source IP of 13.0.0.3 is translated to 100.0.0.1 and routed to its destination.

 R3#ping 12.0.0.2 repeat 1

 R1#NAT*: s=13.0.0.3->100.0.0.1, d=12.0.0.2 [5]

A packet is not translated if its destination is directly attached or if there is no route to the destination. Let us now send a packet to R1's loopback 0:

 R3#ping 111.1.1.1 repeat 1

 R1#ICMP: echo reply sent, src 111.1.1.1, dst 13.0.0.3

A packet with any source IP that hits the outside interface destined to 100.0.0.1 gets its destination translated to 13.0.0.3:

 R1#NAT*: s=12.0.0.2, d=100.0.0.1->13.0.0.3 [5]
 

This also applies to packets from any source. For example, let's send a packet to 100.0.0.1 from 222.2.2.2, the loopback 0 interface of R2. Here the packet's destination is translated, because its original destination was 100.0.0.1. But when R3 replies, the reply packet's source IP will not be translated, because R1 does not have a route to 222.2.2.2:

 R1#NAT*: s=222.2.2.2, d=100.0.0.1->13.0.0.3 [22]

NAT Outside:

On R1, e0/0 is the outside interface and e0/1 is the inside interface. A static NAT outside translation is configured as follows:

 R1(config)#ip nat outside source static 12.0.0.2 100.0.0.1

With this configuration, a packet sourced from 12.0.0.2 is translated to 100.0.0.1 as it hits the outside interface, provided there is a route to the destination. Let us send a packet to 13.0.0.3:

 R2#ping 13.0.0.3 repeat 1

 R1#NAT: s=12.0.0.2->100.0.0.1, d=13.0.0.3 [32]
 R1#ICMP: dst (100.0.0.1) host unreachable sent to 13.0.0.3
 
The packet was translated to 100.0.0.1 and sent to R3, but when R3 replied to 100.0.0.1, R1 had no route to 100.0.0.1, so it dropped the packet and sent an ICMP host unreachable to R3. Appending the add-route keyword to the NAT statement resolves this, as does adding a static route for 100.0.0.1 on R1.

NAT used to solve overlapping networks

Case 1

Solved with Inside Translation:

In this scenario, R1 translates the SA of R3 from 34.0.0.34 to 30.0.0.3 as the packet hits the inside interface e0/1 of R1. When the packet arrives at R2 and hits its outside interface e0/0, R2 translates the destination address from 40.0.0.4 to 34.0.0.34.

Thus, when the packet arrives at R4, it has a SA of 30.0.0.3. When R4 answers from 34.0.0.4 to the DA of 30.0.0.3, the SA is translated to 40.0.0.4 as the packet hits the inside interface e0/1 of R2. When this packet hits the outside interface of R1, R1 translates the DA to 34.0.0.34 because the packet is destined to 30.0.0.3.

The routes to reach the 30/8 and 40/8 networks must be in place; only then does the inside translation work.

R1: ip nat inside source static 34.0.0.34 30.0.0.3
R1: ip route 40.0.0.0 255.0.0.0 12.0.0.2
 
R2: ip nat inside source static 34.0.0.34 40.0.0.4
R2: ip route 30.0.0.0 255.0.0.0 12.0.0.1

Solved with Outside Translation:

When R3 sends a packet to the DA of 40.0.0.4, R1 translates that DA to 34.0.0.34. Then, when the packet hits the outside interface of R2, the SA is translated to 30.0.0.3 because the DA of the packet is 34.0.0.34. Thus, when the packet arrives at R4, it has a SA of 30.0.0.3.

Now, when R4 replies to 30.0.0.3 with a SA of 34.0.0.34, R2 translates the DA to 34.0.0.34. Finally, when the packet arrives at R1, the SA is translated to 40.0.0.4 because the packet is destined to 34.0.0.34.

R1: ip nat outside source static 34.0.0.34 40.0.0.4
R1: ip route 40.0.0.0 255.0.0.0 12.0.0.2
 
R2: ip nat outside source static 34.0.0.34 30.0.0.3
R2: ip route 30.0.0.0 255.0.0.0 12.0.0.1

 

It's funny to see a capture on the link between R1 and R2 in which the SA and DA are the same. 😀
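As an added example (my own code, not part of the original post and not Cisco's implementation), the following Python model replays the order of operations described in the "Facts of NAT" section and the three labs above: the NAT inside test, the NAT outside test with its dropped reply, and the overlapping-network case in both the inside and the outside variant. The model follows what the debug output shows: a packet entering on the inside interface is routed on its untranslated destination before NAT is applied (which is why the reply to 100.0.0.1 is dropped unless add-route or a static route is present), and a packet entering on the outside interface is translated before it is routed. Interface prefixes (12/8, 13/8, 34/8), the static routes, the translations and R1's loopback 111.1.1.1 come from the post; R1's address 12.0.0.1 is taken from the static route in the overlap case and assumed to hold in the first labs as well. Both R3 and R4 are modelled with the address 34.0.0.34 that the static translations on R1 and R2 refer to. Assumptions of mine: "directly attached" is modelled as delivery to one of the router's own addresses (the loopback ping), add-route is modelled as a host route for the outside-local address via the outside-global address, and the Router and Packet classes, the r1_lab, overlap_routers and trace_overlap helpers and the hop labels are my own names.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst")  # an IP header reduced to its two addresses


@dataclass
class Router:
    name: str
    inside_if: str
    outside_if: str
    connected: dict = field(default_factory=dict)       # interface -> connected prefix
    local_addrs: set = field(default_factory=set)       # the router's own addresses (loopbacks etc.)
    static_routes: dict = field(default_factory=dict)   # prefix -> next-hop address
    inside_source: dict = field(default_factory=dict)   # inside-local -> inside-global
    outside_source: dict = field(default_factory=dict)  # outside-global -> outside-local

    def nat_outside_source_static(self, outside_global, outside_local, add_route=False):
        # ip nat outside source static <global> <local> [add-route]; add-route is modelled as a
        # host route for the outside-local address via the outside-global address (assumption)
        self.outside_source[outside_global] = outside_local
        if add_route:
            self.static_routes[outside_local + "/32"] = outside_global

    def egress(self, dst):
        """Longest-prefix match over connected and static routes; 'local' means 'this router'."""
        if dst in self.local_addrs:
            return "local"
        a, best, best_if = ip_address(dst), -1, None
        for ifname, net in self.connected.items():
            n = ip_network(net)
            if a in n and n.prefixlen > best:
                best, best_if = n.prefixlen, ifname
        for prefix, nexthop in self.static_routes.items():
            n = ip_network(prefix)  # the next hop must itself be on a connected network
            via = next((i for i, net in self.connected.items() if ip_address(nexthop) in ip_network(net)), None)
            if a in n and n.prefixlen > best and via is not None:
                best, best_if = n.prefixlen, via
        return best_if

    def receive(self, iface, pkt):
        """Forward one packet: (egress interface, packet after NAT) or (None, reason for the drop)."""
        if iface == self.inside_if:
            # inside -> outside: route on the untranslated destination first, then translate
            out = self.egress(pkt.dst)
            if out is None:
                return None, f"{self.name}: no route to {pkt.dst}, dropped"
            if out != self.outside_if:
                return out, pkt  # delivered locally or stays inside: nothing is translated
            src = self.inside_source.get(pkt.src, pkt.src)
            to_global = {loc: glob for glob, loc in self.outside_source.items()}
            return out, Packet(src, to_global.get(pkt.dst, pkt.dst))
        if iface == self.outside_if:
            # outside -> inside: translate first, then route on the translated destination
            to_local = {glob: loc for loc, glob in self.inside_source.items()}
            dst = to_local.get(pkt.dst, pkt.dst)
            out = self.egress(dst)
            if out is None:
                return None, f"{self.name}: no route to {dst}, dropped"
            return out, Packet(self.outside_source.get(pkt.src, pkt.src), dst)
        raise ValueError(f"{self.name}: unknown interface {iface}")


def r1_lab(nat, add_route=False):
    """R1 of the NAT Inside / NAT Outside sections: e0/0 outside on 12/8, e0/1 inside on 13/8."""
    r1 = Router("R1", "e0/1", "e0/0", {"e0/0": "12.0.0.0/8", "e0/1": "13.0.0.0/8"}, {"12.0.0.1", "111.1.1.1"})
    if nat == "inside":
        r1.inside_source["13.0.0.3"] = "100.0.0.1"  # ip nat inside source static 13.0.0.3 100.0.0.1
    else:
        r1.nat_outside_source_static("12.0.0.2", "100.0.0.1", add_route)  # ip nat outside source static ...
    return r1


def overlap_routers(mode):
    """Case 1: R3 behind R1 and R4 behind R2 both use 34.0.0.34; mode is 'inside' or 'outside'."""
    r1 = Router("R1", "e0/1", "e0/0", {"e0/0": "12.0.0.0/8", "e0/1": "34.0.0.0/8"},
                static_routes={"40.0.0.0/8": "12.0.0.2"})  # ip route 40.0.0.0 255.0.0.0 12.0.0.2
    r2 = Router("R2", "e0/1", "e0/0", {"e0/0": "12.0.0.0/8", "e0/1": "34.0.0.0/8"},
                static_routes={"30.0.0.0/8": "12.0.0.1"})  # ip route 30.0.0.0 255.0.0.0 12.0.0.1
    if mode == "inside":
        r1.inside_source["34.0.0.34"] = "30.0.0.3"
        r2.inside_source["34.0.0.34"] = "40.0.0.4"
    else:
        r1.nat_outside_source_static("34.0.0.34", "40.0.0.4")
        r2.nat_outside_source_static("34.0.0.34", "30.0.0.3")
    return r1, r2


def trace_overlap(mode):
    """R3 pings 40.0.0.4 and R4 replies; returns the packet as seen at each point on the path."""
    r1, r2 = overlap_routers(mode)
    _, fwd_link = r1.receive("e0/1", Packet("34.0.0.34", "40.0.0.4"))  # R3 -> R1, seen on the R1-R2 link
    _, at_r4 = r2.receive("e0/0", fwd_link)                               # delivered to R4
    _, rep_link = r2.receive("e0/1", Packet(at_r4.dst, at_r4.src))        # R4 replies, seen on the link
    _, at_r3 = r1.receive("e0/0", rep_link)                               # delivered to R3
    return {"forward on link": fwd_link, "at R4": at_r4, "reply on link": rep_link, "at R3": at_r3}


if __name__ == "__main__":
    for mode in ("inside", "outside"):
        print(mode, {where: f"s={p.src} d={p.dst}" for where, p in trace_overlap(mode).items()})
```

Running the script prints both overlap traces; with outside translation the packet on the R1-R2 link carries 34.0.0.34 as both SA and DA in each direction, which is the capture the closing remark refers to, while with inside translation the link only ever sees the 30.0.0.3 / 40.0.0.4 pair. The same `receive` calls reproduce the `debug ip nat` lines of the first two labs, including the dropped reply to 100.0.0.1 and its recovery with add_route=True.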