CCNP Course Institute in Delhi

Tuesday, December 14, 2010

IP Services Troubleshooting CCNA Training in Gurgaon Delhi

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

NAT Troubleshooting
Some IP addresses are routable through the public Internet, whereas others are considered
private and are intended for use within an organization. Because these private IP addresses
might need to communicate outside of their local networks, NAT allows private IP
addresses (as defined in RFC 1918) to be translated into Internet-routable IP addresses
(that is, public IP addresses).
Types of NAT
Table 10-2 identifies four types of NAT.
302 CCNP TSHOOT 642-832 Official Certification Guide
Sample NAT Topology
Consider Figure 10-1, which shows a basic NAT topology. Note that even though the IP
addresses of 172.16.1.1 and 192.168.1.1 are actually private IP addresses, for the purpose
of this discussion, assume they are publicly routable IP addresses. The reason for the use
of these private IP addresses to represent public IP addresses is to avoid using an entity’s
registered IP address in the example.
In the topology, a client with a private IP address of 10.1.1.1 wants to communicate with a
server on the public Internet. The IP address of the server is 192.168.1.1. Router R1 is configured
for NAT. Router R1 takes packets coming from 10.1.1.1 destined for 192.168.1.1
and changes the source IP address in the packet headers to 172.16.1.1 (which is assumed to
be a publicly routable IP address for the purposes of this discussion). When the server at
IP address 192.168.1.1 receives traffic from the client, the return traffic of the server is sent
to a destination address of 172.16.1.1. When router R1 receives traffic from the outside
network destined for 172.16.1.1, the router translates the destination IP address to 10.1.1.1
and forwards the traffic to the inside network, where the client receives the traffic.
www.CareerCert.info
Figure 10-1 Basic NAT Topology (the diagram is not reproduced here; its recoverable details follow)
Client 10.1.1.1 -- Fa1/0 (10.1.1.100/24, inside) [R1, NAT-enabled router] S0/0 (172.16.1.100/24, outside) -- Server 192.168.1.1
Inside, client to server:   Source IP 10.1.1.1,    Destination IP 192.168.1.1
Outside, client to server:  Source IP 172.16.1.1,  Destination IP 192.168.1.1
Outside, server to client:  Source IP 192.168.1.1, Destination IP 172.16.1.1
Inside, server to client:   Source IP 192.168.1.1, Destination IP 10.1.1.1
To effectively troubleshoot a NAT configuration, you should be familiar with the terminology
describing the various IP addresses involved in a translation, as outlined in Table 10-3.
As a memory aid, remember that inside always refers to an inside device, whereas outside
always refers to an outside device. Also, think of the word local as being similar to the
Spanish word loco, which means crazy. That is what a local address could be thought of:
a crazy made-up address (that is, a private IP address not routable on the Internet).
Finally, let the g in global remind you of the g in good, because a global address is a
good (that is, routable on the Internet) IP address.
Based on these definitions, Table 10-4 categorizes the IP addresses previously shown in
Figure 10-1.
Table 10-3 Names of NAT IP Addresses
Term            Definition
Inside Local    A private IP address referencing an inside device
Inside Global   A public IP address referencing an inside device
Outside Local   A private IP address referencing an outside device
Outside Global  A public IP address referencing an outside device
Table 10-4 Classifying the NAT IP Addresses in Figure 10-1
Term            IP Address in Figure 10-1
Inside Local    10.1.1.1
Inside Global   172.16.1.1
Outside Local   None
Outside Global  192.168.1.1
Again, refer to Figure 10-1. Example 10-1 shows how router R1 in that figure can be configured
for dynamic NAT to support the translation shown.
Example 10-1 Dynamic NAT Sample Configuration
R1# show run
...OUTPUT OMITTED...
interface FastEthernet1/0
ip address 10.1.1.100 255.255.255.0
ip nat inside
!
interface Serial 0/0
ip address 172.16.1.100 255.255.255.0
ip nat outside
!
ip nat pool OUTSIDE_POOL 172.16.1.1 172.16.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool OUTSIDE_POOL
!
access-list 1 permit 10.1.1.0 0.0.0.255
...OUTPUT OMITTED...
In the example, ACL 1 identifies the inside addresses (the 10.1.1.0/24 network in this
example) to be translated. A pool of addresses named OUTSIDE_POOL is defined as
IP addresses in the range 172.16.1.1 to 172.16.1.10. The ip nat inside source list 1 pool
OUTSIDE_POOL command associates the internal range of addresses defined by ACL 1
with the range of outside addresses defined by the OUTSIDE_POOL pool. Finally, you
need to indicate what router interface is acting as the inside interface and what interface is
acting as the outside interface. Note that you can have multiple interfaces acting as inside
or outside interfaces. The ip nat inside command is issued for interface Fast Ethernet 1/0,
and the ip nat outside command is issued for Serial 0/0.
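The following Python model is an added example, not code from the book, that imitates what R1 does with the Example 10-1 configuration: it evaluates ACL 1 with Cisco wildcard-mask semantics, hands out inside global addresses from OUTSIDE_POOL (or ports from a single address when overload is configured), and translates the server's reply back to the inside local address. Addresses come from Figure 10-1; the client port, the PAT port allocator and the 4-tuple packet model are simplifications of IOS behaviour. The demo also runs the flow with the easily mistyped entry access-list 1 permit 10.0.0.0 0.0.0.255, which matches 10.0.0.0/24 rather than 10.1.1.0/24, to show the symptom a wrong wildcard produces: the packet leaves R1 untranslated with its private source address, and the reply matches no table entry.

```python
"""Model of the dynamic NAT / PAT behaviour configured in Example 10-1.

Added example, not code from the book. It approximates what IOS does for
'ip nat inside source list <acl> pool <pool> [overload]': ACL match with
wildcard masks, pool allocation, and reverse translation of return traffic.
The PAT port allocator and the 4-tuple packet model are simplifications.
"""
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


class NatRouter:
    def __init__(self, acl, pool_start, pool_end, overload=False):
        self.acl = acl                     # permit entries: [(base, wildcard), ...]
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.free = [str(IPv4Address(i)) for i in range(first, last + 1)]
        self.overload = overload           # PAT: many inside locals share one global
        self.addr_map = {}                 # inside local ip -> inside global ip (dynamic NAT)
        self.table = {}                    # (proto, local ip, local port) -> (global ip, global port)
        self.next_port = 1024              # simplified PAT allocator (IOS tries to keep the port)

    def permitted(self, src):
        return any(wildcard_match(src, base, wc) for base, wc in self.acl)

    def inside_to_outside(self, proto, src, sport, dst, dport):
        """Packet arriving on the 'ip nat inside' interface and leaving via the
        outside one. Returns the 4-tuple as it leaves R1, or None if R1 drops it."""
        if not self.permitted(src):
            # ACL miss: IOS forwards the packet untranslated, private source and all
            return (src, sport, dst, dport)
        key = (proto, src, sport)
        if key not in self.table:
            if self.overload:
                if not self.free:
                    return None
                gip, gport = self.free[0], self.next_port
                self.next_port += 1
            else:
                if src not in self.addr_map:
                    if not self.free:
                        return None        # pool exhausted: packet dropped
                    self.addr_map[src] = self.free.pop(0)
                gip, gport = self.addr_map[src], sport   # one-to-one: port unchanged
            self.table[key] = (gip, gport)
        gip, gport = self.table[key]
        return (gip, gport, dst, dport)

    def outside_to_inside(self, proto, src, sport, dst, dport):
        """Return traffic: the destination is an inside global address; restore
        the inside local one from the table, or drop if no entry exists."""
        for (p, lip, lport), (gip, gport) in self.table.items():
            if (p, gip, gport) == (proto, dst, dport):
                return (src, sport, lip, lport)
        return None

    def clear_translations(self):
        """'clear ip nat translation *': dynamic entries go away, pool addresses are freed."""
        self.free = sorted(set(self.free) | set(self.addr_map.values()), key=IPv4Address)
        self.table.clear()
        self.addr_map.clear()


def figure_10_1_flow(acl):
    """Client 10.1.1.1 -> server 192.168.1.1:80 through R1 with the given ACL 1,
    then the server's reply. Returns (packet leaving R1, reply delivered inside)."""
    r1 = NatRouter(acl, "172.16.1.1", "172.16.1.10")
    out = r1.inside_to_outside("tcp", "10.1.1.1", 40000, "192.168.1.1", 80)
    reply = r1.outside_to_inside("tcp", "192.168.1.1", 80, out[0], out[1])
    return out, reply


if __name__ == "__main__":
    # Correct ACL for the 10.1.1.0/24 inside network
    print(figure_10_1_flow([("10.1.1.0", "0.0.0.255")]))
    # Wildcard typo: 10.0.0.0 0.0.0.255 covers 10.0.0.0/24, so 10.1.1.1 is never translated
    print(figure_10_1_flow([("10.0.0.0", "0.0.0.255")]))
```

The first call returns the packet with source 172.16.1.1 and a reply delivered to 10.1.1.1; the second returns the packet with its 10.1.1.1 source intact and no reply, which is exactly what an empty show ip nat translations table looks like on a router whose NAT ACL does not match.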
Potential NAT Troubleshooting Issues
From a troubleshooting perspective, adding NAT into a network introduces potential
troubleshooting issues. Consider the following situations in which NAT might cause an issue
for end users:
■ Using NAT over a VPN: IPsec protects the integrity of a packet, and NAT changes the very
fields that protection covers. With AH, the integrity check value is computed over the IP
header, including the source and destination addresses, so a packet whose address was
rewritten by NAT fails verification at the far end because it appears to have been altered.
With ESP, the IP header itself is not covered, but the encrypted TCP or UDP segment inside
carries a checksum computed over the original addresses (the pseudo-header); the NAT
device cannot update that checksum because it cannot read or modify the encrypted
payload, so the receiver sees a checksum mismatch after decryption. Workarounds are
available, including NAT Traversal (NAT-T, which encapsulates ESP in UDP), NAT
Transparency, and IPsec over TCP/UDP.
■ NAT hiding true IP address information: Because NAT translates an inside IP address
to an outside IP address, tracing a data flow from end to end for troubleshooting
purposes can be challenging. You can start troubleshooting by using the show ip nat
translations command to verify whether the translation exists in the translation table.
■ Applications that are not NAT compatible: When some applications initialize,
they randomly determine what ports are going to be used for communication, which
might be incompatible with how NAT handles incoming traffic. Some Voice over IP
(VoIP) protocols face such an issue, as they select the User Datagram Protocol (UDP)
port numbers to be used for their Real-time Transport Protocol (RTP) media streams.
Also, when setting up communication with a remote device, an application might
include IP address information in the payload of a packet. If the remote device attempted
to return traffic to the IP address embedded in that payload, that IP address
might be unreachable because of the NAT translation. Therefore, you should avoid
NAT for some applications; use NAT-aware applications, or configure NAT to work
with NAT-unaware applications.
■ Delays experienced due to NAT’s processing: Because NAT manipulates Layer 3
information of packets, the packets are subject to a bit more delay than they would
otherwise experience. This delay might become more evident on routers performing
numerous NAT translations.
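The following Python program is an added example, not from the book, that makes the VPN bullet above concrete. It builds a bare IPv4+TCP packet for the client-to-server flow of Figure 10-1, applies the source-address rewrite R1 performs, and checks which integrity mechanisms still verify afterwards: the IP header checksum (which the NAT device recomputes), the TCP checksum over the pseudo-header (which the NAT device can fix only if the segment is readable, so not when it is inside ESP), and an AH-style integrity check value over the IP header and payload (which a NAT device without the key cannot fix at all). The AH ICV is modelled as HMAC-SHA256 over the header with mutable fields zeroed; the key, the packet identification and the HTTP payload are constructed for the demo.

```python
"""Why NAT breaks IPsec integrity checks: a worked checksum demo.

Added example, not from the book. It builds a bare IPv4+TCP packet for the
client->server flow of Figure 10-1, rewrites the source address the way R1
does, and checks which integrity mechanisms still verify afterwards. The
AH integrity check value (ICV) is modelled as HMAC-SHA256 over the IP header
(mutable fields zeroed) plus payload; the key and the HTTP payload are
constructed for the demo.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

INSIDE_LOCAL = "10.1.1.1"         # client, Figure 10-1
INSIDE_GLOBAL = "172.16.1.1"      # what R1 rewrites the source to
OUTSIDE_GLOBAL = "192.168.1.1"    # server
AH_KEY = b"constructed-demo-key"  # assumption: known to the two IPsec peers, not to R1


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data that
    already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: the TCP checksum covers both IP addresses."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, tcp_len)


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header (constructed ID 0x1234, TTL 64, protocol TCP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header + payload, checksum over pseudo-header + segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """What the receiving host checks, using the addresses it sees in the IP header."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def ah_icv(packet: bytes) -> bytes:
    """AH-style ICV: IP header with mutable fields (TTL, header checksum) zeroed,
    plus the payload. Addresses are immutable in AH, so NAT's rewrite is detected."""
    hdr = packet[:20]
    immutable = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hmac.new(AH_KEY, immutable + packet[20:], hashlib.sha256).digest()


def nat_rewrite_source(packet: bytes, new_src: str, payload_readable: bool) -> bytes:
    """R1's inside->outside rewrite: new source address, IP header checksum
    recomputed. The TCP checksum is fixed only when the payload is readable;
    with ESP the segment is encrypted and the NAT device cannot touch it."""
    hdr, payload = packet[:20], packet[20:]
    hdr = hdr[:10] + b"\x00\x00" + IPv4Address(new_src).packed + hdr[16:]
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    if payload_readable:
        dst = str(IPv4Address(hdr[16:20]))
        zeroed = payload[:16] + b"\x00\x00" + payload[18:]
        csum = internet_checksum(pseudo_header(new_src, dst, len(payload)) + zeroed)
        payload = payload[:16] + struct.pack("!H", csum) + payload[18:]
    return hdr + payload


def nat_vs_integrity() -> dict:
    """Run the Figure 10-1 packet through R1 and report which checks survive."""
    payload = b"GET / HTTP/1.0\r\n\r\n"                       # constructed
    seg = tcp_segment(INSIDE_LOCAL, OUTSIDE_GLOBAL, 40000, 80, payload)
    pkt = ipv4_header(INSIDE_LOCAL, OUTSIDE_GLOBAL, len(seg)) + seg
    icv = ah_icv(pkt)                                          # computed by the client
    fixed = nat_rewrite_source(pkt, INSIDE_GLOBAL, payload_readable=True)
    opaque = nat_rewrite_source(pkt, INSIDE_GLOBAL, payload_readable=False)
    return {
        "ip_header_ok_after_nat": internet_checksum(fixed[:20]) == 0,
        "tcp_ok_when_nat_fixes_it": tcp_checksum_ok(INSIDE_GLOBAL, OUTSIDE_GLOBAL, fixed[20:]),
        "tcp_ok_when_payload_opaque": tcp_checksum_ok(INSIDE_GLOBAL, OUTSIDE_GLOBAL, opaque[20:]),
        "ah_icv_ok_after_nat": hmac.compare_digest(icv, ah_icv(fixed)),
    }


if __name__ == "__main__":
    for check, result in nat_vs_integrity().items():
        print(f"{check}: {result}")
```

Only the first two checks pass. The third is the ESP case (a readable TCP segment stands in for the encrypted one so the mismatch is visible), and the fourth is the AH case; NAT-T avoids both by carrying ESP inside UDP, so the NAT device only ever rewrites the outer UDP/IP headers that the peers already expect to change.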
Order of Operations for an Interface
Also critical for troubleshooting is an understanding of when NAT performs its translation
in relation to other interface operations, such as evaluating an ACL. This order of operations
depends on the direction of the traffic flow (that is, flowing from the inside network
to the outside network or vice versa). Following is a listing of the order of interface operations
for traffic flowing from the inside network into the outside network:
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. Policy-based routing (PBR)
6. Redirecting traffic to a web cache
7. NAT translating local to global addresses
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
Following is a listing of the order of interface operations for traffic flowing from the outside
network into the inside network. Notice, for example, that an output ACL might need
to reference a translated IP address for a packet as opposed to the original IP address of
the packet.
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. NAT translating global to local addresses
6. Policy-based routing (PBR)
7. Redirecting traffic to a web cache
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
Now that you have reviewed the basic operation of NAT, consider some of the most
common causes for a NAT issue:
■ An ACL referenced by a NAT configuration is incorrect.
■ Inside and outside interfaces are not correctly assigned.
■ Incorrect IP addresses (or address ranges) are referenced by a NAT configuration.
■ Applications are not NAT aware.
■ A routing loop occurs as a result of a NAT address translation.
NAT Troubleshooting Syntax
Table 10-5 provides a reference table of commands that could be useful in troubleshooting
a NAT configuration.
Table 10-5 NAT Troubleshooting Commands
Command                         Description
clear ip nat translation *      Removes all dynamic entries from a router's NAT translation table
show ip nat translations        Used to see all entries in a router's NAT translation table
show ip nat statistics          Used to display NAT configuration and statistical information on a
                                router, such as inside and outside interfaces, total translations,
                                number of expired translations, inside address ACL, and outside
                                address pool information
debug ip nat                    Provides real-time information about NAT translations as they occur,
                                including the IP address being translated and the IP identification
                                number that can be used to match packets in the output with packets
                                captured with a protocol analyzer
ip nat pool pool-name start-ip end-ip {netmask subnet-mask | prefix-length prefix-length}
                                Global configuration mode command that defines a pool of inside global
                                addresses into which inside local addresses can be translated
ip nat inside source list access-list pool pool-name [overload]
                                Global configuration mode command that associates an ACL defining an
                                inside local address space with the specified pool of inside global
                                addresses (Note: The overload keyword enables PAT, which allows
                                multiple inside addresses to share a common outside address.)
ip nat translation max-entries number
                                Global configuration mode command that specifies the maximum number
                                of entries permitted in a router's NAT table
ip nat {inside | outside}       Interface configuration mode command that identifies an interface as
                                an inside or outside NAT interface
Example 10-2 provides sample output from the show ip nat translations command and
shows how the clear ip nat translation * command changes that output. Initially, the show
ip nat translations command shows three statically configured NAT translations and one
dynamically learned translation (the tcp entry, which carries protocol and port
information). Then, after the clear ip nat translation * command is issued, the dynamically
learned NAT entry is deleted from the IP NAT table, leaving the three statically
configured NAT entries.
Example 10-2 show ip nat translations and clear ip nat translation * Command Output
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.1.12 192.168.0.1 --- ---
--- 192.168.1.13 192.168.0.2 --- ---
tcp 192.168.1.27:23 192.168.0.27:23 192.168.1.50:1158 192.168.1.50:1158
--- 192.168.1.27 192.168.0.27 --- ---
R1# clear ip nat translation *
R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.1.12 192.168.0.1 --- ---
--- 192.168.1.13 192.168.0.2 --- ---
--- 192.168.1.27 192.168.0.27 --- ---
Example 10-3 provides sample output from the show ip nat statistics command. The output
shows which interfaces are acting as the inside and outside interfaces and the current
number of static and dynamic translations.
Example 10-3 show ip nat statistics Command Output
R1# show ip nat statistics
Total active translations: 4 (3 static, 1 dynamic; 1 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 10 Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Example 10-4 provides sample output from the debug ip nat command. The output shows
that when a source IP address of 192.168.1.50 is attempting to communicate with a destination
IP address of 192.168.1.27, the router translates the destination IP address into
192.168.0.27. Also, when a source IP address of 192.168.1.11 is attempting to communicate
with a destination IP address of 192.168.1.50, the router translates the source IP
address of 192.168.1.11 into an IP address of 192.168.1.27.
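When NAT tables are pulled from many routers for troubleshooting, the show output in Examples 10-2 and 10-3 is worth parsing rather than reading by eye. The following Python script is an added example, not code from the book: it parses show ip nat translations output, uses the fact that clear ip nat translation * removes only dynamic entries to tell static entries from dynamic ones by diffing the before and after listings, derives the counts that the first line of show ip nat statistics reports, and flags entries whose inside local address falls outside the range the NAT ACL is supposed to permit (a quick test for the wrong-ACL and wrong-interface causes listed earlier). The two listings are the Example 10-2 output reproduced as constructed strings; the expected inside network 192.168.0.0/24 is an assumption.

```python
"""Parse 'show ip nat translations' and work out what 'show ip nat statistics'
and 'clear ip nat translation *' tell you about a router's NAT table.

Added example, not code from the book. The two outputs below are the
Example 10-2 listings reproduced as constructed strings; the expected inside
network 192.168.0.0/24 is an assumption used for the sanity check.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

BEFORE_CLEAR = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.12       192.168.0.1        ---                ---
--- 192.168.1.13       192.168.0.2        ---                ---
tcp 192.168.1.27:23    192.168.0.27:23    192.168.1.50:1158  192.168.1.50:1158
--- 192.168.1.27       192.168.0.27       ---                ---
"""

AFTER_CLEAR = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.12       192.168.0.1        ---                ---
--- 192.168.1.13       192.168.0.2        ---                ---
--- 192.168.1.27       192.168.0.27       ---                ---
"""


class Entry(NamedTuple):
    proto: Optional[str]           # None for a simple (address-only) entry
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def extended(self) -> bool:
        """Extended entries carry protocol and port: one per session, unlike
        simple address-to-address entries."""
        return self.proto is not None

    def inside_local_ip(self) -> str:
        return self.inside_local.split(":")[0]


def parse_translations(output: str) -> list:
    entries = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue                                  # header or blank line
        cols = [None if c == "---" else c for c in cols]
        entries.append(Entry(*cols))
    return entries


def classify_by_clear(before: str, after: str):
    """'clear ip nat translation *' removes only dynamic entries, so whatever
    survives it is static. Returns (static, dynamic) lists of Entry."""
    survivors = set(parse_translations(after))
    entries = parse_translations(before)
    static = [e for e in entries if e in survivors]
    dynamic = [e for e in entries if e not in survivors]
    return static, dynamic


def statistics_line(before: str, after: str) -> str:
    """Reproduce the first line of 'show ip nat statistics' from the two listings."""
    static, dynamic = classify_by_clear(before, after)
    extended = sum(1 for e in static + dynamic if e.extended)
    return (f"Total active translations: {len(static) + len(dynamic)} "
            f"({len(static)} static, {len(dynamic)} dynamic; {extended} extended)")


def unexpected_inside_locals(output: str, inside_net: str) -> list:
    """Entries whose inside local address is outside the range the NAT ACL is
    supposed to permit: a quick check for a wrong ACL or interface assignment."""
    net = ip_network(inside_net)
    return [e for e in parse_translations(output) if ip_address(e.inside_local_ip()) not in net]


if __name__ == "__main__":
    print(statistics_line(BEFORE_CLEAR, AFTER_CLEAR))
    print("dynamic:", [e.inside_local for e in classify_by_clear(BEFORE_CLEAR, AFTER_CLEAR)[1]])
    print("outside expected range:", unexpected_inside_locals(BEFORE_CLEAR, "192.168.0.0/24"))
```

Run against the two listings, statistics_line reproduces the "4 (3 static, 1 dynamic; 1 extended)" line of Example 10-3, and the only dynamic entry is the telnet session from 192.168.0.27. Clearing the table on a production router to classify entries is disruptive, so on a live device prefer show ip nat translations verbose, whose flags mark static entries, and use the diff approach on output captured during a maintenance window.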
