NAT
Inside to Global back to Inside
Problem
Traditional NAT does not allow hosts on the inside to reach an inside global address, i.e. the translated "official" address of a server that itself sits on the inside. For example, you have created a port address translation with
ip nat inside source static tcp 12.12.12.254 80 23.23.23.254 80
and want to access the webserver with its "official" address, 23.23.23.254, from the LAN (inside). This does not work with traditional IOS NAT and requires other methods, like split DNS.
The reason is the way NAT is implemented: for inside->outside traffic, routing happens before translation. The packet for 23.23.23.254 is routed out the outside interface with its destination untouched (the inside global to inside local mapping is only applied to traffic arriving on the outside interface), so it never reaches the server, which lives on the same interface the client came from (inside).
Solution
With the introduction of the NAT Virtual Interface (NVI), there are no inside/outside domains anymore. This makes life easier: there is no need to cope with ip nat inside/outside definitions, you simply specify "ip nat enable" on each interface participating in address translation.
With NVI, the router does the route lookup twice: once before the NAT decision, to determine whether the NAT rules you configured apply, and again after translation to forward the packet. This allows for the scenario described above:
ip nat source static tcp 12.12.12.254 80 23.23.23.254 80
For this to work, you usually need to translate the clients on the inside local network 12.12.12.0/24 as well, to avoid an asymmetric traffic flow, especially when you run the IOS firewall feature set. Without that, the server 12.12.12.254 would see the connections sourced from client IPs in 12.12.12.0/24 and answer them directly on the LAN, bypassing the NAT on the router; the client, which opened its connection to 23.23.23.254, then receives replies from 12.12.12.254 and drops them.
ip access-list extended INSIDE
 permit ip 12.12.12.0 0.0.0.255 any
!
ip nat source list INSIDE interface FastEthernet0/1 overload
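As an added example (not from the page and not IOS code), the following Python model walks one TCP request and its reply through R2 under the three configurations the text discusses: classic inside/outside NAT, NVI with the INSIDE overload list, and NVI with only the static entry. Addresses, interface names and the NAT statements are the page's lab; the host placement in HOSTS, the Router/Packet/client_session names and the simplifications (ports are preserved by the overload translation, hosts answer whatever source address they saw) are assumptions of the model, not IOS behaviour in every detail.

```python
"""Model of classic 'ip nat inside/outside' vs. NVI for the hairpin case on the page.
Added example, not IOS code.  Addresses and NAT statements are the page's lab (R2);
HOSTS, the class/function names and the simplifications are assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# R2's connected routes and interface addresses (from the sample config)
ROUTES = {ipaddress.ip_network("12.12.12.0/24"): "FastEthernet0/0",
          ipaddress.ip_network("23.23.23.0/24"): "FastEthernet0/1"}
IF_ADDR = {"FastEthernet0/0": "12.12.12.2", "FastEthernet0/1": "23.23.23.2"}
NAT_ENABLED = set(IF_ADDR)   # 'ip nat enable' on both interfaces (NVI)
# Assumed host placement: R1 (client 12.12.12.1, server 12.12.12.254) and R3
HOSTS = {"12.12.12.1": "FastEthernet0/0", "12.12.12.254": "FastEthernet0/0",
         "23.23.23.3": "FastEthernet0/1"}
# ip nat source static tcp <local> <port> <global> <port>
STATIC = [("tcp", "12.12.12.254", 23, "23.23.23.254", 23),
          ("tcp", "12.12.12.254", 80, "23.23.23.254", 80)]
# ip nat source list INSIDE interface FastEthernet0/1 overload
INSIDE_LIST = ipaddress.ip_network("12.12.12.0/24")
OVERLOAD_IF = "FastEthernet0/1"

def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; '' when there is no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, i) for n, i in ROUTES.items() if addr in n]
    return max(hits)[1] if hits else ""

class Router:
    def __init__(self, nvi: bool, dynamic: bool = True):
        self.nvi, self.dynamic = nvi, dynamic
        self.dyn: dict = {}   # (proto, global ip, global port) -> (local ip, local port)

    def _src(self, p: Packet) -> Packet:
        """Source side, local -> global: static entry first, then the overload pool."""
        for proto, lip, lport, gip, gport in STATIC:
            if (p.proto, p.src, p.sport) == (proto, lip, lport):
                return replace(p, src=gip, sport=gport)
        if self.dynamic and ipaddress.ip_address(p.src) in INSIDE_LIST:
            gip = IF_ADDR[OVERLOAD_IF]
            self.dyn[(p.proto, gip, p.sport)] = (p.src, p.sport)  # port kept (IOS rewrites on collision)
            return replace(p, src=gip)
        return p

    def _dst(self, p: Packet) -> Packet:
        """Destination side, global -> local: static entry or a live overload entry."""
        for proto, lip, lport, gip, gport in STATIC:
            if (p.proto, p.dst, p.dport) == (proto, gip, gport):
                return replace(p, dst=lip, dport=lport)
        hit = self.dyn.get((p.proto, p.dst, p.dport))
        return replace(p, dst=hit[0], dport=hit[1]) if hit else p

    def forward(self, p: Packet, ingress: str) -> tuple[str, Packet]:
        """Return (egress interface, packet as it leaves the router)."""
        if not self.nvi:
            # Classic NAT: Fa0/0 is 'ip nat inside', Fa0/1 is 'ip nat outside'.
            if ingress == "FastEthernet0/0":
                egress = route(p.dst)                 # inside->outside: route first ...
                if egress == "FastEthernet0/1":
                    p = self._src(p)                   # ... then translate the source only
                return egress, p
            p = self._dst(p)                           # outside->inside: translate first ...
            return route(p.dst), p                     # ... then route
        # NVI: the first lookup decides whether NAT applies at all, then translate,
        # then a second lookup on the translated destination.
        if route(p.dst) in NAT_ENABLED:
            p = self._src(self._dst(p))
        return route(p.dst), p

def client_session(router: Router, client: str, server: str,
                   dport: int = 80, sport: int = 44076) -> tuple[bool, str | None]:
    """One TCP request and its reply.  Returns (request delivered?, 'ip:port' the
    reply reaches the client from, or None if no usable reply comes back)."""
    egress, fwd = router.forward(Packet(client, sport, server, dport), HOSTS[client])
    if HOSTS.get(fwd.dst) != egress:
        return False, None                  # sent toward a segment with no such host
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if HOSTS.get(reply.dst) == HOSTS[reply.src]:
        return True, f"{reply.src}:{reply.sport}"   # same LAN: server answers directly, router bypassed
    egress, back = router.forward(reply, HOSTS[reply.src])
    if back.dst != client or egress != HOSTS[client]:
        return True, None
    return True, f"{back.src}:{back.sport}"

if __name__ == "__main__":
    lan = ("12.12.12.1", "23.23.23.254")
    print("classic NAT, LAN client    ->", client_session(Router(nvi=False), *lan))
    print("NVI + overload, LAN client ->", client_session(Router(nvi=True), *lan))
    print("NVI, static only           ->", client_session(Router(nvi=True, dynamic=False), *lan))
    print("NVI, R3 from outside       ->", client_session(Router(nvi=True), "23.23.23.3", "23.23.23.254", dport=23))
```

The four runs reproduce the page's argument: under classic NAT the LAN client's request leaves Fa0/1 toward an address nobody owns and gets no reply; under NVI with the INSIDE overload list the request is hairpinned and the reply arrives from 23.23.23.254:80 with the client's source rewritten to 23.23.23.2, matching the first line of the "show ip nat nvi translations" output in the sample config; under NVI with only the static entry the server answers 12.12.12.1 directly from 12.12.12.254, which is the asymmetric flow the text warns about; and R3 from the outside works under both models.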
Config and Reference
Caveats
- Note the difference in syntax: NVI is configured with "ip nat source", as opposed to traditional NAT's "ip nat [inside|outside] source".
- Some of the NVI configuration statements do not support route-maps for granular translation control.
- In general, you lose some visibility/flexibility/granularity, because you no longer tell the router explicitly which network is inside, etc.
Links
Detailed analysis from a slightly different angle
Sample config
(R1) -- 12.12.12.0 -- (R2) -- 23.23.23.0 -- (R3)

R1:
interface FastEthernet0/0
 ip address 12.12.12.254 255.255.255.0 secondary   ! for testing only
 ip address 12.12.12.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 23.23.23.0 255.255.255.0 FastEthernet0/0 12.12.12.2

R2:
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip nat enable
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 23.23.23.2 255.255.255.0
 ip nat enable
 duplex auto
 speed auto
!
ip nat source list INSIDE interface FastEthernet0/1 overload
ip nat source static tcp 12.12.12.254 23 23.23.23.254 23 extendable
ip nat source static tcp 12.12.12.254 80 23.23.23.254 80 extendable
!
ip access-list extended INSIDE
 permit ip 12.12.12.0 0.0.0.255 any

R3:
interface FastEthernet0/0
 ip address 23.23.23.3 255.255.255.0
 duplex auto
 speed auto

R1#telnet 23.23.23.254
Trying 23.23.23.254 ... Open
Password required, but none set
R1#

R2#sh ip nat nvi translations
Pro Source global      Source local       Destin local       Destin global
tcp 23.23.23.2:44076   12.12.12.1:44076   23.23.23.254:23    12.12.12.254:23
tcp 23.23.23.254:23    12.12.12.254:23    ---                ---
tcp 23.23.23.254:80    12.12.12.254:80    ---                ---

[Connection to 23.23.23.254 closed by foreign host]
R1#telnet 23.23.23.254 80
Trying 23.23.23.254, 80 ... Open
R1#

R3#telnet 23.23.23.254
Trying 23.23.23.254 ... Open
Password required, but none set
[Connection to 23.23.23.254 closed by foreign host]
R3#
Ubuntu IPtables NAT
PC --> (eth1)Ubuntu(eth0) --> Internet
root@ubuntu:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ubuntu:~# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@ubuntu:~# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@ubuntu:~# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Note that the two FORWARD rules only restrict what gets forwarded from the Internet to the PC if the chain's default policy is DROP (iptables -P FORWARD DROP); on a stock Ubuntu install it is ACCEPT. The write to /proc also does not survive a reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it persistent.