IOS overlapping NAT

There are not many situations where the ordering of lines in the router configuration really matters (apart from inside ACLs and the various kinds of "maps"). But when dealing with address translations it is really important, because translations are processed in the same order as they were added to the running-config.

Let's say that I want to hide my internal network 10.0.20.0/24 on the outside, behind a pool of addresses 10.99.99.99-199. I do it like this:

ip nat pool MYNATPOOL 10.99.99.99 10.99.99.199 netmask 255.255.255.0 add-route
ip nat source list ACL_INSIDE_NAT pool MYNATPOOL
ip access-list extended ACL_INSIDE_NAT
 permit ip 10.0.20.0 0.0.0.255 any
!

But what if I later decide to make an exception to this? My internal host 10.0.20.100 should be translated to 10.99.98.100. Then I add this line:

ip nat source static 10.0.20.100 10.99.98.100

If (and only if!) I have any active translations for my inside host when adding this static NAT, I will get this warning:

r3(config)#ip nat source static 10.0.20.100 10.99.98.100
r3(config)#
*Jan 21 14:14:51.999: %Non-Static entry already exists

This can be avoided by clearing all active translations prior to adding this command:

*Jan 21 14:24:01.747: %Non-Static entry already exists
r3#clear ip nat nvi trans *
*Jan 21 14:24:09.091: NAT-NVI: deleting alias for 10.99.99.99
r3#
r3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r3(config)#ip nat source static 10.0.20.100 10.99.98.100
r3(config)#

Even so, what we did was to configure the translations in the wrong order: our inside .100 host will still be translated by the ip nat source list command, since the access-list includes .100 and that command sits above the static entry.

This can be avoided in two ways. Either you clear all active translations, remove both lines and put them back in the proper order:

r3(config)#do clear ip nat nvi trans *
r3(config)#no ip nat source static 10.0.20.100 10.99.98.100
r3(config)#no ip nat source list ACL_INSIDE_NAT pool MYNATPOOL
r3(config)#
r3(config)#ip nat source static 10.0.20.100 10.99.98.100
r3(config)#ip nat source list ACL_INSIDE_NAT pool MYNATPOOL

Another way to solve it is to make the translations non-overlapping by excluding .100 from the ACL used by the ip nat source list command:

r3(config)#ip access-list extended ACL_INSIDE_NAT
r3(config-ext-nacl)#5 deny ip host 10.0.20.100 any
r3(config-ext-nacl)#
r3#
r3#sh ip access-list ACL_INSIDE_NAT
Extended IP access list ACL_INSIDE_NAT
5 deny ip host 10.0.20.100 any
10 permit ip 10.0.20.0 0.0.0.255 any (3 matches)
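As an added check (not part of the original post), the Python script below models the first-match, configuration-order behaviour described above: it parses a constructed config snippet and reports every ip nat source static entry whose inside address is already permitted by the ACL of an earlier ip nat source list rule, so both fixes (reordering the lines, or the deny line in the ACL) can be verified before they are committed. The sample config, the function names and the simplified ACL parsing (source address only, contiguous wildcard masks) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the page's original (wrong) order: pool rule first, static after.
SAMPLE_CONFIG = """
ip nat source list ACL_INSIDE_NAT pool MYNATPOOL
ip nat source static 10.0.20.100 10.99.98.100
ip access-list extended ACL_INSIDE_NAT
 permit ip 10.0.20.0 0.0.0.255 any
"""

def _source_net(spec):
    """IOS source spec ('any', 'host X' or 'addr wildcard') -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    # Contiguous wildcard assumed: inverting it yields the subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_name: [(action, source_network), ...]} in config order."""
    acls, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"(?:\d+ )?(permit|deny) ip (any|host \S+|\S+ \S+)", line)
        if m and current is not None:
            current.append((m.group(1), _source_net(m.group(2))))
    return acls

def acl_permits(entries, ip):
    """First matching entry wins, as on IOS; implicit deny at the end."""
    for action, net in entries:
        if ipaddress.ip_address(ip) in net:
            return action == "permit"
    return False

def shadowed_statics(config):
    """Static entries whose inside address an earlier dynamic rule's ACL permits."""
    acls, seen, hits = parse_acls(config), [], []
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"ip nat source (?:list (\S+) pool|static (\S+))", line)
        if m and m.group(1):
            seen.append(m.group(1))       # dynamic rule: remember its ACL name
        elif m:
            hits += [(m.group(2), a) for a in seen if acl_permits(acls.get(a, []), m.group(2))]
    return hits
```

Running shadowed_statics on the sample flags 10.0.20.100 as shadowed by ACL_INSIDE_NAT; after either fix from the post it returns an empty list.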

Posted in Cisco Security
