Definitions
NAT Types
Static NAT — A fixed one-to-one mapping of a private address to a public address, best used for a device that must be reachable from outside the AS.
Dynamic NAT — A one-to-one mapping between private and public addresses that is assigned on demand; the mapping varies and depends on which addresses are left in the pool.
NAT Overloading — Also called PAT (Port Address Translation); allows multiple private addresses to masquerade as one public IP address by using layer 4 port numbers to differentiate sessions.
Overlapping NAT — Used when the same subnets are in use in two locations and the addresses overlap.
NAT Address Types
Inside Local — A private address referencing an inside device.
Inside Global — A public address referencing an inside device.
Outside Local — A private address referencing an outside device.
Outside Global — A public address referencing an outside device.
The TSHOOT book had a good mnemonic that helps everything else fall into place: global starts with g, g means good, and good means an address that is routable on the internet.
Order of operations on an interface, for traffic flowing from the inside to the outside network.
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. Policy-based routing (PBR)
6. Redirecting traffic to a web cache
7. NAT translating local to global addresses
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
Order of operations on an interface, for traffic flowing from the outside to the inside network.
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. NAT translating global to local addresses
6. Policy Based Routing (PBR)
7. Redirecting traffic to a web cache
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
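The two orderings above decide which address an ACL sees. For inside-to-outside traffic the input ACL (step 2) runs before NAT (step 7), so an inbound ACL on the inside interface matches inside local addresses, while the output ACL (step 9) runs after NAT, so an outbound ACL on the outside interface matches inside global addresses. For outside-to-inside traffic the reverse holds: an inbound ACL on the outside interface sees the inside global address as the destination, and NAT (step 5) rewrites it to the inside local address before any outbound ACL on the inside interface. The following IOS configuration is an added example, not part of the original notes; the interface names and the addresses 10.1.1.10 and 209.65.200.225 are taken from the router output further down, and the ACL names INSIDE-IN and OUTSIDE-OUT are assumed.

```cisco
! Assumed topology for this example: Serial0/0/0.12 is the inside interface
! and Serial0/1/0.15 the outside interface (the interfaces listed by
! "show ip nat statistics" below).
interface Serial0/0/0.12
 ip nat inside
 ip access-group INSIDE-IN in
!
interface Serial0/1/0.15
 ip nat outside
 ip access-group OUTSIDE-OUT out
!
! Inbound on the inside interface the ACL runs before NAT (step 2 before
! step 7), so it must match the inside local address 10.1.1.10.
ip access-list extended INSIDE-IN
 permit ip host 10.1.1.10 any
 deny ip any any log
!
! Outbound on the outside interface the ACL runs after NAT (step 9), so it must
! match the inside global address 209.65.200.225. A rule written here for
! 10.1.1.10 would never match and the traffic would be dropped silently.
ip access-list extended OUTSIDE-OUT
 permit ip host 209.65.200.225 any
 deny ip any any log
```

The same reasoning applies to the return path: an inbound ACL on Serial0/1/0.15 that is meant to admit replies to the inside host has to permit traffic destined to 209.65.200.225, because NAT has not yet rewritten the destination when that ACL is evaluated. When a translation shows up in the table but the packets never arrive, an ACL referencing the wrong address type is one of the first things to check.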
Troubleshoot NAT
show ip nat statistics
Displays general NAT information for the router.
R1#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  Serial0/1/0.15
Inside interfaces:
  Serial0/0/0.12
Hits: 45  Misses: 5
CEF Translated packets: 50, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool WAN refcount 2
 pool WAN: netmask 255.255.255.252
        start 209.65.200.225 end 209.65.200.225
        type generic, total addresses 1, allocated 1 (100%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
sh ip nat translations
Shows the current translations on the router. These can be reset with the command clear ip nat translation *.
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.65.200.225:7  10.1.1.10:7        209.65.200.241:7   209.65.200.241:7
debug ip nat
Shows, in real time, the source and destination addresses of the packets being translated on the router.
R1#debug ip nat
IP NAT debugging is on
R1#
*Apr 27 23:29:54.137: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [31]
*Apr 27 23:29:54.169: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [31]
*Apr 27 23:29:54.253: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [32]
*Apr 27 23:29:54.281: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [32]
*Apr 27 23:29:54.369: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [33]
*Apr 27 23:29:54.397: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [33]
*Apr 27 23:29:54.485: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [34]
*Apr 27 23:29:54.513: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [34]
R1#
*Apr 27 23:29:54.601: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [35]
*Apr 27 23:29:54.629: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [35]
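The three outputs above are easier to reason about once they are parsed into the four NAT address types defined at the top of these notes. The following Python script is an added example, not part of the original notes: it parses the show ip nat statistics counters, turns each show ip nat translations row into a record keyed by inside global / inside local / outside local / outside global, classifies each debug ip nat line as a local-to-global (outbound) or global-to-local (inbound) rewrite, and then checks that every rewrite the debug shows corresponds to a binding in the translation table and that every outbound packet saw a reply. The sample text is taken from the router output quoted on this page, except for the final debug line for 10.1.1.20 with IP ID 40, which is constructed to show an unmatched rewrite with no reply; the function names are assumptions.

```python
import re

# Sample outputs. The first three samples are the router output quoted on the
# page; the last debug line (10.1.1.20, ID 40) is constructed to show a rewrite
# that has no binding in the table and no returning packet.
SHOW_STATISTICS = """\
R1#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Hits: 45  Misses: 5
CEF Translated packets: 50, CEF Punted packets: 0
Expired translations: 3
 pool WAN: netmask 255.255.255.252
        start 209.65.200.225 end 209.65.200.225
        type generic, total addresses 1, allocated 1 (100%), misses 0
"""

SHOW_TRANSLATIONS = """\
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 209.65.200.225:7  10.1.1.10:7        209.65.200.241:7   209.65.200.241:7
"""

DEBUG_NAT = """\
*Apr 27 23:29:54.137: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [31]
*Apr 27 23:29:54.169: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [31]
*Apr 27 23:29:54.253: NAT*: s=10.1.1.10->209.65.200.225, d=209.65.200.241 [32]
*Apr 27 23:29:54.281: NAT*: s=209.65.200.241, d=209.65.200.225->10.1.1.10 [32]
*Apr 27 23:29:55.001: NAT*: s=10.1.1.20->209.65.200.225, d=209.65.200.241 [40]
"""


def parse_statistics(text):
    """Extract the counters a troubleshooter looks at first from 'show ip nat statistics'.
    'extended' entries carry port numbers, i.e. the pool is being overloaded (PAT),
    which is why a one-address pool at 100% allocation is not by itself a problem."""
    stats = {}
    m = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)", text)
    if m:
        stats.update(zip(("active", "static", "dynamic", "extended"), map(int, m.groups())))
    m = re.search(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)", text)
    if m:
        stats["hits"], stats["misses"] = map(int, m.groups())
    m = re.search(r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)", text)
    if m:
        stats.update(zip(("pool_total", "pool_allocated", "pool_pct", "pool_misses"), map(int, m.groups())))
    return stats


ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_translations(text):
    """Parse 'show ip nat translations' rows into dicts keyed by NAT address type.
    Port numbers are stripped so rows can be compared with debug output, which
    only shows addresses."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "#" in line or line.startswith("Pro "):
            continue  # skip the prompt and the column header
        m = ENTRY_RE.match(line)
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        entries.append({
            "proto": proto,
            "inside_global": ig.split(":")[0],
            "inside_local": il.split(":")[0],
            "outside_local": ol.split(":")[0],
            "outside_global": og.split(":")[0],
        })
    return entries


DEBUG_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_x>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_x>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_debug(text):
    """Turn 'debug ip nat' lines into (direction, inside_local, inside_global, peer, ip_id).
    A rewritten source means local->global (inside to outside); a rewritten
    destination means global->local (outside to inside)."""
    events = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        if m.group("s_x"):
            events.append(("out", m.group("s"), m.group("s_x"), m.group("d"), int(m.group("id"))))
        elif m.group("d_x"):
            events.append(("in", m.group("d_x"), m.group("d"), m.group("s"), int(m.group("id"))))
    return events


def check_debug_against_table(events, entries):
    """Debug events whose local<->global pair is not in the translation table.
    Each one is worth a look: the router rewrote an address for a binding that
    is not (or no longer) in the table you are comparing against."""
    known = {(e["inside_local"], e["inside_global"]) for e in entries}
    return [ev for ev in events if (ev[1], ev[2]) not in known]


def unanswered_ids(events):
    """IP IDs seen leaving (local->global) with no returning packet (global->local)."""
    out_ids = {ev[4] for ev in events if ev[0] == "out"}
    in_ids = {ev[4] for ev in events if ev[0] == "in"}
    return sorted(out_ids - in_ids)
```

Run against the page's own output the checks come back clean: every debug rewrite maps 10.1.1.10 to 209.65.200.225, exactly the row in the translation table, and every outbound IP ID has its reply. The constructed line for 10.1.1.20 is flagged by both checks, which is the pattern to look for when a host can send but never receives: a rewrite happened, but nothing came back to be translated global-to-local. Pair the script's IP IDs with the Hits and Misses counters, since a miss is a packet that needed a new translation, and compare the Expired translations count before and after a test so stale entries cleared with clear ip nat translation * are not mistaken for a current binding.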