PAT translation problem and query

David Ng
Level 1

This is about a PAT translation problem and query.

I hope some experts can help to comment

-----------------------------------------------------------------
Configuration of a CE router (simple NAT)
-----------------------------------------------------------------
interface GigabitEthernet0/0
ip address 207.100.231.78 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
...
interface GigabitEthernet0/1.131
encapsulation dot1Q 131
ip address 192.168.131.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
...
interface GigabitEthernet0/1.6
encapsulation dot1Q 6
ip address 192.168.6.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 6 ip 192.168.6.254
standby 6 priority 95
standby 6 preempt
standby 6 track 1 decrement 10
!
...
ip nat inside source list 1 interface GigabitEthernet0/0 overload
...
access-list 1 permit 192.168.131.0 0.0.0.255
access-list 1 permit any
...........

-----------------------------------------------------------------
Command log
-----------------------------------------------------------------
show ip nat translation

Pro Inside global         Inside local          Outside local         Outside global
....
udp 207.100.231.78:1028    192.168.144.70:5062   223.156.159.139:9860  223.156.159.139:9860
udp 207.100.231.78:1028    192.168.146.33:5062   223.156.159.139:9860  223.156.159.139:9860
....

-----------------------------------------------------------------
Query on a simple PAT
-----------------------------------------------------------------
1. When an IP sends out a packet to an Internet host, and the peer host (223.156.159.139) returns a packet to the CE router WAN,
   what are the key parameters inside the packet that the Cisco router will use to look up the NAT translation table for return to "Inside local"?

   "Inside global" only ??

    or

   "Inside global" + "Outside global"


2. In normal conditions, will the Cisco router find a unique WAN UDP port no. for "Inside global" for each outgoing connection?
   Should "Inside global" be system-unique?
   or
   Should "Inside global" + "Outside global" be system-unique?

  
3. Regarding the above command log output, why are there two entries with the same "Inside global" in the translation table?

Pro Inside global         Inside local          Outside local         Outside global
....
udp 207.100.231.78:1028    192.168.144.70:5062   223.156.159.139:9860  223.156.159.139:9860
udp 207.100.231.78:1028    192.168.146.33:5062   223.156.159.139:9860  223.156.159.139:9860
....

   Remark:
   It is confirmed by packet capture that packets sent out by 192.168.146.33:5062 cannot get back a reply from the peer host.
   The reply is sent back to 192.168.144.70:5062. This makes the trouble.

   After clearing the NAT translations, all 600 NAT sessions became normal.
   In addition, the port numbers of "Inside global" became unique again.


4. Before clearing NAT, I also found other cases with many overlapped entries of "Inside global"; here is the example.

   Are all the entries valid?
   I suppose "Inside global" (ip+port) should be system-unique.

   Why does it happen?
   How to avoid the problem?

show ip nat translation

Pro Inside global          Inside local           Outside local          Outside global
....
udp 207.100.231.78:1027    192.168.6.49:1025      213.166.214.121:123    213.166.214.121:123
udp 207.100.231.78:1027    192.168.144.119:1025   213.166.214.121:123    213.166.214.121:123
udp 207.100.231.78:1027    192.168.146.35:5062    203.176.254.231:9860   203.176.254.231:9860
udp 207.100.231.78:1027    192.168.146.56:1025    213.166.214.121:123    213.166.214.121:123
udp 207.100.231.78:1027    192.168.146.102:5062   223.156.159.139:9860   223.156.159.139:9860
....


Thank you

3 Replies

Neeraj Arora
Level 3

David,

My first recommendation to you while using NAT is: NEVER use "permit any" or "permit ip any any" in the NAT ACL. It can have unwanted or weird effects while translating, which is kind of what you are experiencing.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#nat-bp

1. When a return packet comes to the outside interface, it will check for Inside global + port no., as it should be unique.

2. While performing PAT, the port number is the main parameter which acts as an identifier for different sessions. This is because a single inside user can have multiple sessions towards the Internet, e.g. a single user can open multiple websites at a single point in time, and with the use of port numbers the router keeps a tab on the separate sessions.

3. This is not normal; it's either because of "permit any" in the ACL or an IOS bug.

4. Again, either due to a misconfig of the ACL or an IOS bug. Read the best practice section in the above-mentioned document.

Do correct the ACL and then test again after clearing the NAT translation table.

Hope it helps.

Neeraj

Hi Neeraj,

Thank you for the suggestion.

Some more information about the problem :

The problem does not happen after clear ip nat translation.

After clear ip nat translation, "Inside Global + port" became system-unique. Even after a week, the 1000 NAT entries (UDP) are still system-unique. The problem may only happen when many terminals (phones using DHCP) restart around the same time.

I will make the change accordingly and observe if problem happen again.

BTW, about item 1:

"when a return packet comes to outside interface, it will check for Inside global + Port no as it should be unique"

I think that Cisco IOS PAT is a kind of port-restricted cone rather than full-cone, as I tried to send a packet back from some Internet host to one of the "Inside Global + Port" entries but was not able to get any packet inside. So, I think that the PAT may also check the source address/port against the "Outside Global + port" in the NAT table.

Thank you

David,

When a packet is coming back, although the router will check the Inside global + unique port no. to determine the flow and its corresponding translation, that packet also has to match the Outside local + port and Outside global + port as well; only then will that packet be considered a response.

And when you initiated a session from outside, the source IP (or Outside global in NAT terms) and the port would never match the existing translations, and hence it did not work. You need to remember the thumb rule: PAT is always for Inside->Outside traffic and unidirectional in nature. It will not work for ANY sessions initiated from outside/Internet.

I guess, as you mentioned, try the steps and then check if it really solves your problem.

Neeraj
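The following is an added example, not part of the original thread and not Cisco IOS code: a small Python model of a PAT (overload) translation table that makes the two replies concrete. The rows are copied from the second "show ip nat translation" excerpt in the question; the port allocator, the full-entry match on return traffic (inside global as the packet's destination plus outside global as its source) and the unsolicited-host address 198.51.100.7 are assumptions of the model, not IOS internals. Run it to see why sharing inside-global port 1027 is only harmful when the outside global also coincides, why an unsolicited packet to 207.100.231.78:1027 matches nothing, and what a table with system-unique ports looks like after a clear.

```python
"""
Model of a PAT (NAT overload) translation table, added to illustrate the
thread above.  Example code, not Cisco IOS: the rows are copied from the
question's 'show ip nat translation' output; the allocator and the matching
rules are a model of the behaviour the replies describe (assumption).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

    @classmethod
    def parse(cls, text: str) -> "Endpoint":
        ip, port = text.rsplit(":", 1)
        return cls(ip, int(port))


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint   # equals outside global here: no outside NAT in the config
    outside_global: Endpoint

    @classmethod
    def parse(cls, row: str) -> "Translation":
        """Parse one data row of 'show ip nat translation'."""
        proto, ig, il, ol, og = row.split()
        return cls(proto, *(Endpoint.parse(x) for x in (ig, il, ol, og)))


class PatTable:
    PORT_RANGE = range(1024, 65536)   # model assumption: ports handed out above 1023, as the rows show

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip
        self.entries: List[Translation] = []

    def load(self, rows: List[str]) -> None:
        self.entries.extend(Translation.parse(r) for r in rows)

    def used_ports(self, proto: str) -> Set[int]:
        return {e.inside_global.port for e in self.entries
                if e.proto == proto and e.inside_global.ip == self.global_ip}

    def translate_outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Translation:
        """Inside -> outside packet: reuse the entry for this flow or create one.
        The allocator never reuses an inside-global port already in use for the
        protocol, i.e. the system-unique state the poster saw after the clear."""
        for e in self.entries:
            if e.proto == proto and e.inside_local == src and e.outside_global == dst:
                return e
        used = self.used_ports(proto)
        if src.port in self.PORT_RANGE and src.port not in used:
            port = src.port                       # keep the original source port when free
        else:
            port = next(p for p in self.PORT_RANGE if p not in used)
        entry = Translation(proto, Endpoint(self.global_ip, port), src, dst, dst)
        self.entries.append(entry)
        return entry

    def lookup_return(self, proto: str, src: Endpoint, dst: Endpoint) -> List[Translation]:
        """Outside -> inside packet on the outside interface.  The match uses the
        whole entry: protocol, inside global (packet destination) AND outside
        global (packet source).  One hit is normal, zero is an unsolicited packet
        (port-restricted behaviour), more than one is the ambiguity in the thread."""
        return [e for e in self.entries
                if e.proto == proto and e.inside_global == dst and e.outside_global == src]

    def collisions(self) -> Dict[Tuple[str, Endpoint, Endpoint], List[Endpoint]]:
        """(proto, inside global, outside global) keys shared by more than one inside host."""
        groups: Dict[Tuple[str, Endpoint, Endpoint], List[Endpoint]] = {}
        for e in self.entries:
            groups.setdefault((e.proto, e.inside_global, e.outside_global), []).append(e.inside_local)
        return {k: v for k, v in groups.items() if len(v) > 1}


# Rows copied from the second 'show ip nat translation' excerpt in the question.
THREAD_ROWS = [
    "udp 207.100.231.78:1027 192.168.6.49:1025 213.166.214.121:123 213.166.214.121:123",
    "udp 207.100.231.78:1027 192.168.144.119:1025 213.166.214.121:123 213.166.214.121:123",
    "udp 207.100.231.78:1027 192.168.146.35:5062 203.176.254.231:9860 203.176.254.231:9860",
    "udp 207.100.231.78:1027 192.168.146.56:1025 213.166.214.121:123 213.166.214.121:123",
    "udp 207.100.231.78:1027 192.168.146.102:5062 223.156.159.139:9860 223.156.159.139:9860",
]
WAN = Endpoint("207.100.231.78", 1027)


def thread_table() -> PatTable:
    t = PatTable("207.100.231.78")
    t.load(THREAD_ROWS)
    return t


def after_clear(phones: int) -> PatTable:
    """Fresh table after 'clear ip nat translation *': `phones` constructed hosts on
    192.168.146.0/24 all register to the same SIP server from source port 5062."""
    t = PatTable("207.100.231.78")
    server = Endpoint("223.156.159.139", 9860)
    for i in range(1, phones + 1):
        t.translate_outbound("udp", Endpoint(f"192.168.146.{i}", 5062), server)
    return t


if __name__ == "__main__":
    t = thread_table()
    for key, hosts in t.collisions().items():
        print("ambiguous:", key, "->", [f"{h.ip}:{h.port}" for h in hosts])
    print("NTP reply hits:", len(t.lookup_return("udp", Endpoint("213.166.214.121", 123), WAN)))
    print("SIP reply hits:", len(t.lookup_return("udp", Endpoint("223.156.159.139", 9860), WAN)))
    print("unsolicited hits:", len(t.lookup_return("udp", Endpoint("198.51.100.7", 9860), WAN)))
    print("after clear, collisions:", len(after_clear(200).collisions()))
```

In the model the three NTP entries behind 207.100.231.78:1027 are indistinguishable to a reply from 213.166.214.121:123, while the SIP entries sharing the same port stay resolvable because their outside global differs; the allocator in `translate_outbound` is the simplest way to avoid the problem regardless of destination, which is the state the poster reports after clearing the table.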
