One of the interesting options we can configure for legacy NAT on IOS is the “reversible” keyword. Normally, when you implement a form of dynamic translation on your device, it only deals with traffic leaving your network (the “inside” side): as traffic matches a NAT rule, an XLATE (NAT) entry is created that is used to translate any subsequent packets matching that slot and to de-translate the return traffic. And since this NAT slot is extended (we will be using route-maps here), there is no way for any other flow to “utilize” it and, for example, initiate a new connection from the “outside” part of the network.
To overcome this issue (assuming that for some reason we don’t want to use static translations) we can use the “reversible” keyword along with our dynamic NAT config. This option does two things:
- Creates a “Parent” entry that can be used by outside users to initiate new connections to the translated address
- Restricts those users to the IP hosts that are part of the route-map configuration, so only those hosts are allowed to create new outside->inside sessions
A few other things you should remember when working with reversible NAT:
- Does NOT work with PAT
- Although it can be configured with plain ACLs, it has no effect then (this option only makes sense with a route-map)
- For static translations, the main driver for using this feature is point #2 from the list above
- The “match-interface” or “match next-hop” keywords are not supported for this feature
Let’s consider the following topology :
[Topology diagram: R2 (loopback 2.2.2.2) -- R6 (f0/0 inside, f0/1 outside, 167.1.1.6) -- R7 (167.1.1.7, loopback 7.7.7.7)]
What we want to do here is to dynamically NAT packets with a source of 2.2.2.2 destined to 7.7.7.7 when going through R6. Simple stuff:
R6
access-list 100 permit ip host 2.2.2.2 host 7.7.7.7
route-map DNAT permit 10
 match ip address 100
ip nat translation icmp-timeout 120
ip nat pool NPOOL 167.1.1.50 167.1.1.60 prefix-length 25
ip nat inside source route-map DNAT pool NPOOL
int f0/0
 ip nat inside
int f0/1
 ip nat outside
R6(config)#do sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 04:49:22 ago
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] route-map DNAT pool NPOOL refcount 0
pool NPOOL: netmask 255.255.255.128
start 167.1.1.50 end 167.1.1.60
type generic, total addresses 11, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Unless we see packets matching our NAT rule, no entries are created:
R6(config)#do sh ip nat translations verbose
Generating traffic…
R2#ping 7.7.7.7 source loop0 rep 2
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!
Success rate is 50 percent (1/2), round-trip min/avg/max = 4/4/4 ms
So these are what are called “Extended” entries: they only match packets that belong to one particular, already established flow:
R6(config)#do sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 167.1.1.50:0 2.2.2.2:0 7.7.7.7:0 7.7.7.7:0
icmp 167.1.1.50:1 2.2.2.2:1 7.7.7.7:1 7.7.7.7:1
Now, although R6 is already proxying for 167.1.1.50:
R6#sh ip alias
Address Type IP Address Port
Interface 10.26.26.6
Interface 167.1.1.6
Dynamic 167.1.1.50
We will not be able to initiate new connections to it, because they will never match our XLATEs:
R7#telnet 167.1.1.51
Trying 167.1.1.51 …
% Connection refused by remote host
If you enabled TCP debugging on R6 you would see the following messages:
R6#
*May 6 01:10:51.994: Reserved port 0 in Transport Port Agent for TCP IP type 0
*May 6 01:10:51.994: TCP: connection attempt to port 0
*May 6 01:10:51.994: TCP: sending RST, seq 0, ack 3831098287
*May 6 01:10:51.994: TCP: sent RST to 167.1.1.7:25170 from 167.1.1.51:23
*May 6 01:10:51.994: Released port 0 in Transport Port Agent for TCP IP type 0 delay 240000
*May 6 01:10:51.994: TCP0: state was LISTEN -> CLOSED [0 -> UNKNOWN(0)]
*May 6 01:10:51.998: TCB 0x4A88ABA4 destroyed
Again, even though we are proxying for this IP address, the router does not expect any Telnet connections to come in to it (it knows the address exists only for NAT purposes).
OK, it is time to reconfigure our NAT. Let’s make it reversible:
R6
no ip nat inside source route-map DNAT pool NPOOL
ip nat inside source route-map DNAT pool NPOOL reversible
R2#ping 7.7.7.7 source loop0 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!
Success rate is 50 percent (1/2), round-trip min/avg/max = 1/1/1 ms
R6#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 167.1.1.53:5 2.2.2.2:5 7.7.7.7:5 7.7.7.7:5
create 00:00:33, use 00:00:31 timeout:120000, left 00:01:28, Map-Id(In): 2,
flags:
extended, use_count: 0, entry-id: 7, lc_entries: 0
--- 167.1.1.53 2.2.2.2 --- ---
create 00:00:33, use 00:00:33 timeout:3600000, left 00:59:26, Map-Id(In): 2,
flags:
extendable, global-only-entry, routemap-out2in, use_count: 1, entry-id: 6, lc_entries: 0
As you can see, this time the router not only created an “Extended” entry but also a “Parent” one that can be used by outside hosts to initiate new connections to the inside (“global-only-entry”). Note that in some IOS versions this “Parent” entry is only created when return traffic (to the inside) is seen.
We will prepare R6 for incoming Telnet sessions and then try to initiate one from R7 :
R6
line vty 0 4
 no login
R7#telnet 167.1.1.53
Trying 167.1.1.53 …
% Connection refused by remote host
OK, what’s the problem here? Well, R7 uses 167.1.1.7 as the source, which is not part of our route-map. The only traffic allowed to open a new connection in our config is “mirrored” packets, i.e. those sourced from 7.7.7.7:
R7#telnet 167.1.1.53 /source loop0
Trying 167.1.1.53 … Open
R2>
R6#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 167.1.1.53:11 2.2.2.2:11 7.7.7.7:11 7.7.7.7:11
tcp 167.1.1.53:23 2.2.2.2:23 7.7.7.7:38264 7.7.7.7:38264
--- 167.1.1.53 2.2.2.2 --- ---
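The security-relevant point of the whole exercise is that a reversible parent entry is an inbound hole, restricted only by the route-map ACL in mirrored form. The following is an added example (not part of the original post and not IOS code): a small Python parser for the “sh ip nat translations verbose” output shown above that picks out parent entries by their “global-only-entry” flag, plus a simplified model of the outside->inside decision the post demonstrates (R7 refused from 167.1.1.7, accepted from 7.7.7.7). The sample output is a constructed copy of the page’s table with the column spacing restored, and the matching logic is my own simplification of the observed behaviour, not the router’s implementation.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample: the "sh ip nat translations verbose" output from the post,
# with the whitespace IOS normally prints restored.
SAMPLE_VERBOSE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 167.1.1.53:5      2.2.2.2:5          7.7.7.7:5          7.7.7.7:5
    create 00:00:33, use 00:00:31 timeout:120000, left 00:01:28, Map-Id(In): 2,
    flags:
extended, use_count: 0, entry-id: 7, lc_entries: 0
--- 167.1.1.53         2.2.2.2            ---                ---
    create 00:00:33, use 00:00:33 timeout:3600000, left 00:59:26, Map-Id(In): 2,
    flags:
extendable, global-only-entry, routemap-out2in, use_count: 1, entry-id: 6, lc_entries: 0
"""

# access-list 100 from the R6 config: permit ip host 2.2.2.2 host 7.7.7.7,
# kept as (inside source net, outside destination net) pairs.
ACL_100 = [(ip_network("2.2.2.2/32"), ip_network("7.7.7.7/32"))]

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
PROTOCOLS = {"---", "icmp", "tcp", "udp"}


@dataclass
class Xlate:
    proto: str            # "icmp"/"tcp"/"udp", or "---" for a parent entry
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    flags: set = field(default_factory=set)

    @property
    def is_parent(self):
        # the post's "Parent" entry is the one flagged global-only-entry
        return "global-only-entry" in self.flags


def parse_translations(text):
    """Parse the verbose translation table into Xlate objects with their flags."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Pro "):
            continue
        if stripped.startswith(("create ", "flags")):
            continue  # timer / Map-Id / "flags:" header lines carry no entry data
        m = ENTRY_RE.match(stripped)
        if m and m.group(1) in PROTOCOLS:
            entries.append(Xlate(*m.groups()))
            continue
        # anything else is the comma-separated flag line of the previous entry;
        # tokens with a colon are counters (use_count, entry-id, ...), not flags
        if entries:
            for tok in stripped.split(","):
                tok = tok.strip()
                if tok and ":" not in tok:
                    entries[-1].flags.add(tok)
    return entries


def list_parents(entries):
    """Audit helper: which global addresses currently accept outside-initiated sessions."""
    return [(e.inside_global, e.inside_local) for e in entries if e.is_parent]


def outside_initiated_allowed(entries, src_outside, dst_global, acl=ACL_100):
    """Simplified model of the reversible-NAT decision shown in the post (assumption,
    not IOS code): a new outside->inside packet is translated only if a parent entry
    exists for the destination global address AND the packet matches the route-map
    ACL in mirrored form (outside source == ACL destination, inside host == ACL source).
    Returns the inside local address it would be sent to, or None if refused."""
    src = ip_address(src_outside)
    for e in entries:
        if not e.is_parent or e.inside_global != dst_global:
            continue
        inside = ip_address(e.inside_local)
        for inside_net, outside_net in acl:
            if inside in inside_net and src in outside_net:
                return e.inside_local
    return None


if __name__ == "__main__":
    table = parse_translations(SAMPLE_VERBOSE)
    print("parent entries:", list_parents(table))
    for src in ("167.1.1.7", "7.7.7.7"):
        print(src, "->", "167.1.1.53", "=", outside_initiated_allowed(table, src, "167.1.1.53"))
```

Running it over the sample reproduces the post: the connection from 167.1.1.7 is refused (no ACL match), while the one sourced from 7.7.7.7 is translated to 2.2.2.2; a target with no parent entry, such as 167.1.1.51, is refused for everyone. The `list_parents` output is the thing worth checking periodically on a production box, since every parent entry is an inbound path into the inside network.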
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer IPexpert, Inc.
URL: http://www.IPexpert.com
Tags: CCIE, CCIE Security, dynamic nat, reversible nat
Very interesting. Keep posting.
Thanks,
Elvin
Very good scenario, I like it.