How Cisco IOS Unicast NAT works (2)

Source: Internet
Author: User
Tags hmac


This post continues part (1): http://www.bkjia.com/net/201209/158328.html

In a more complex situation, where an access control list is configured and IPsec packets pass through NAT, the packets are processed in the order ACL / NAT / routing. Before the case study, the packet processing sequence is given below.
In the following sequence, NAT performs local-to-global translation in one direction and global-to-local translation in the other, and the order of the surrounding steps differs as well.
Packet from inside to outside (Inside-to-Outside):
• check input access list
• routing
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• encryption
When a packet goes from inside to outside: (1) the inbound ACL of the incoming interface is checked first; (2) the routing table is searched to find the next hop and outbound interface; (3) NAT translation is executed, converting the local address to the global address; when the packet reaches the outbound interface, (4) the crypto map is triggered, and if the packet matches the crypto ACL the IPsec VPN tunnel is established; (5) the packet is then encrypted and the ESP packet is forwarded. Note that once a packet has matched the crypto map, the outbound ACL of the interface is not applied to it.
Packet from outside to inside (Outside-to-Inside):
• if IPsec, then check input access list
• decryption (for CET or IPsec)
• check input access list
• NAT outside to inside (global to local translation)
• routing
When a packet goes from outside to inside: (1) the router first checks whether the packet matches an IPsec SA and decrypts it; (2) the inbound ACL check is then performed, and packets that fail it are dropped; (3) next, NAT translation converts the global address to the local address; (4) the routing table is searched to decide the outbound interface and next hop for the translated destination address. Note that the ACL check in step 2 is needed because the decrypted packet is now treated as a conventional, non-VPN packet.
The topology is the same as in part (1). The difference is that R1 is also a NAT router, and a site-to-site IPsec tunnel is built between 10.1.1.1 on R1 and 10.2.2.3 on R3. The subnet behind R1 is 172.1.1.1/32 and the subnet behind R3 is 172.3.3.3/32. Static NAT is configured on R1, translating the inside local address 172.1.1.1 to the inside global address 10.1.1.10. The basic configurations of R1, R2 and R3 are as follows:
R1:
! The VPN configuration is as follows:
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco1 address 10.2.2.3
!
!
crypto ipsec transform-set r1 esp-des esp-md5-hmac
!
crypto map r1map 1 ipsec-isakmp
 set peer 10.2.2.3
 set transform-set r1
 match address 101
!
!
interface Loopback0
 ip address 172.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! NAT and VPN configuration on the outside interface
interface Ethernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 ! fast switching is disabled so that debug ip packet shows every packet
 no ip route-cache cef
 no ip route-cache
 duplex half
 crypto map r1map
!
! Static NAT configuration: inside local 172.1.1.1 -> inside global 10.1.1.10
ip nat inside source static 172.1.1.1 10.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
! The ACL matched when the VPN crypto map is triggered (post-NAT source address)
access-list 101 permit ip host 10.1.1.10 host 172.3.3.3
R2:
! Because the traffic is carried in the VPN tunnel, no additional routes need to be added on R2 for the test.
interface Ethernet1/0
 ip address 10.1.1.2 255.255.255.0
 duplex half
!
interface Ethernet1/1
 ip address 10.2.2.2 255.255.255.0
 duplex half
R3:
! The VPN configuration is as follows:
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco1 address 10.1.1.1
!
!
crypto ipsec transform-set r3 esp-des esp-md5-hmac
!
crypto map r3map 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set r3
 match address 101
!
!
interface Loopback0
 ip address 172.3.3.3 255.255.255.0
!
! VPN configuration on the interface
interface Ethernet1/1
 ip address 10.2.2.3 255.255.255.0
 duplex half
 crypto map r3map
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
! The ACL required to trigger the crypto map (mirror of R1's ACL 101)
access-list 101 permit ip host 172.3.3.3 host 10.1.1.10
!
The test is as follows: run an extended ping sourced from the loopback. To make the processing order easy to see, the log below was captured with an incorrect VPN ACL configured, so that the crypto map matching log appears. (The router configurations shown above are correct.)
r1#ping
Protocol [ip]:
Target IP address: 172.3.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.1.1.1
*Oct 12 22:38:59.619: IP: tableid=0, s=172.1.1.1 (local), d=172.3.3.3 (Ethernet1/0), routed via FIB
*Oct 12 22:38:59.619: IP: s=172.1.1.1 (local), d=172.3.3.3 (Ethernet1/0), len 100, sending
*Oct 12 22:38:59.619: NAT: s=172.1.1.1->10.1.1.10, d=172.3.3.3 [50]
*Oct 12 22:38:59.619: IP: s=10.1.1.10 (local), d=172.3.3.3 (Ethernet1/0), len 100, output crypto map check failed.
From the debug output above we can see that for a packet going from inside to outside, (1) the routing table is searched first to find the route to the peer subnet, determining the next hop and outbound interface; (2) NAT translation is then performed, converting the local address 172.1.1.1 to the global address 10.1.1.10; (3) the VPN crypto map is matched last, against the already translated source address.
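As an added illustration (not code from the original post), the following Python model replays the inside-to-outside and outside-to-inside orders described above on R1's configuration. The classes and functions (Acl, Router, inside_to_outside, outside_to_inside, build_r1), the route-table entries and the trace strings are assumptions made for this model, not IOS internals or IOS debug output. It shows why R1's crypto ACL is written for the inside global address 10.1.1.10: NAT runs before the crypto map check, so an ACL written for the pre-NAT address 172.1.1.1 never matches and the packet, as in the log above, fails the crypto map check.

```python
# Added example: a model of the IOS NAT/crypto processing order, not IOS code.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # host address or "any"
    dst: str     # host address or "any"


class Acl:
    """Extended ACL reduced to host/any matching on source and destination."""

    def __init__(self, entries: List[AclEntry]):
        self.entries = entries

    def permits(self, src: str, dst: str) -> bool:
        for e in self.entries:
            if e.src in ("any", src) and e.dst in ("any", dst):
                return e.action == "permit"
        return False  # implicit deny at the end of every IOS ACL


@dataclass
class Router:
    static_nat: Dict[str, str]          # inside local -> inside global
    routes: List[Tuple[str, str, str]]  # (prefix, next hop, outbound interface)
    crypto_acl: Acl                     # "match address" ACL of the crypto map
    crypto_peer: str
    input_acl: Optional[Acl] = None
    output_acl: Optional[Acl] = None

    def route(self, dst: str) -> Tuple[str, str]:
        """Longest-prefix match; raises LookupError when no route exists."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh, ifc in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh, ifc)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1], best[2]


def inside_to_outside(r: Router, src: str, dst: str) -> List[str]:
    """Inside-to-outside: input ACL, routing, NAT, crypto map, output ACL, encrypt."""
    trace: List[str] = []
    if r.input_acl and not r.input_acl.permits(src, dst):
        return trace + ["input ACL denied"]
    nh, ifc = r.route(dst)
    trace.append(f"routed via {ifc} next-hop {nh}")
    if src in r.static_nat:                 # local -> global runs before the crypto check
        src = r.static_nat[src]
        trace.append(f"NAT inside->outside src={src}")
    if r.crypto_acl.permits(src, dst):      # the crypto ACL sees the translated address
        trace.append(f"crypto map matched, encrypt to peer {r.crypto_peer}")
        return trace                        # output ACL is not applied to encrypted packets
    trace.append("output crypto map check failed")
    if r.output_acl and not r.output_acl.permits(src, dst):
        return trace + ["output ACL denied"]
    return trace + ["forwarded in clear"]   # no crypto match: the packet is not dropped


def outside_to_inside(r: Router, outer_src: str, inner_src: str, inner_dst: str) -> List[str]:
    """Outside-to-inside for an ESP packet: decrypt, input ACL, NAT, routing."""
    if outer_src != r.crypto_peer:
        return ["no IPsec SA for peer, dropped"]
    trace = [f"decrypted ESP from {outer_src}: s={inner_src} d={inner_dst}"]
    src, dst = inner_src, inner_dst
    if r.input_acl and not r.input_acl.permits(src, dst):
        return trace + ["input ACL denied"]
    global_to_local = {g: l for l, g in r.static_nat.items()}
    if dst in global_to_local:              # global -> local runs before routing
        dst = global_to_local[dst]
        trace.append(f"NAT outside->inside dst={dst}")
    nh, ifc = r.route(dst)
    return trace + [f"routed via {ifc} next-hop {nh}"]


def build_r1(crypto_acl: Acl) -> Router:
    """R1 from the article: static NAT 172.1.1.1 <-> 10.1.1.10, IPsec peer 10.2.2.3."""
    return Router(
        static_nat={"172.1.1.1": "10.1.1.10"},
        routes=[("0.0.0.0/0", "10.1.1.2", "Ethernet1/0"),
                ("172.1.1.0/24", "connected", "Loopback0")],
        crypto_acl=crypto_acl,
        crypto_peer="10.2.2.3",
    )


# access-list 101 permit ip host 10.1.1.10 host 172.3.3.3 (post-NAT address, correct)
R1_CORRECT = build_r1(Acl([AclEntry("permit", "10.1.1.10", "172.3.3.3")]))
# Constructed mistake: the ACL names the pre-NAT address, as in the failed log above
R1_WRONG = build_r1(Acl([AclEntry("permit", "172.1.1.1", "172.3.3.3")]))

if __name__ == "__main__":
    for name, r1 in (("correct ACL", R1_CORRECT), ("pre-NAT ACL", R1_WRONG)):
        print(name, inside_to_outside(r1, "172.1.1.1", "172.3.3.3"))
    print("reply", outside_to_inside(R1_CORRECT, "10.2.2.3", "172.3.3.3", "10.1.1.10"))
```

Running the script prints the three traces. The point for an operator is that a crypto ACL that does not match does not drop the traffic; the packet leaves the outside interface unencrypted. After any change to the NAT configuration, the crypto ACL should therefore be re-checked against the translated addresses, and the "output crypto map check failed" debug line is the symptom to look for.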
Finally, the complete processing sequence of packets from inside to outside and from outside to inside in Cisco IOS is given below.
Inside-to-Outside:
• if IPsec, then check input access list
• decryption (for CET (Cisco Encryption Technology) or IPsec)
• check input access list
• check input rate limits
• input accounting
• redirect to web cache
• policy routing
• routing
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context-based Access Control, CBAC)
• TCP intercept
• encryption
• queueing
Outside-to-Inside:
• if IPsec, then check input access list
• decryption (for CET or IPsec)
• check input access list
• check input rate limits
• input accounting
• redirect to web cache
• NAT outside to inside (global to local translation)
• policy routing
• routing
• crypto (check map and mark for encryption)
• check output access list
• inspect (CBAC)
• TCP intercept
• encryption
• queueing
NAT is widely used. It is a layer-3 and layer-4 technology, and in some cases even a layer-7 one. The NAT implementation in Cisco IOS routers differs from that in the Cisco ASA/PIX firewalls, and beyond Cisco, NAT has many flexible implementations and deployment options.
If time permits, I will write more about NAT applications: how NAT interoperates with application-layer protocols (such as DNS, ICMP, ESP and SIP) and how to deploy server load balancing to meet special customer needs (such as NAT server load balancing).