Understand Cisco NAT

Source: Internet
Author: User

A lot of things have happened to configure a NAT.
1. Inside and Outside
Many people who have configured NAT on Cisco have the same question: what is the difference between inside and outside? The Cisco official documentation describes the NAT order of operations as follows:

Note the red and blue circles. For inside-to-outside traffic, NAT occurs after routing; for outside-to-inside traffic, NAT occurs before routing. This is the only thing we need to remember for now.
1. Problem
The confusion comes from nothing other than the poorly chosen names inside and outside. If you rename inside-to-outside as POST-ROUTING and outside-to-inside as PRE-ROUTING, it becomes very easy to understand. Most importantly, after the renaming NAT no longer appears tied to the inside/outside network ports of the device but to routing, although nothing has changed in substance.
As we will see later, to understand Cisco's NAT you cannot consider inside and outside on their own. inside and outside are only location qualifiers meaning "somewhere"; whether a packet is going to that somewhere or coming from it needs a further qualifier, which is source or destination. Until we go into those details, we will still use inside and outside on their own.
Next, let me explain how important the relationship between NAT and routing is! Consider the following data flows, with the routing action at the center:
Forward packet: --> NAT point1 --> route --> NAT point2 -->
Return packet: <-- NAT point1 <-- route <-- NAT point2 <--
Let's look at what should happen at NAT point1 and NAT point2. First, suppose the source address of the forward packet is translated at NAT point2. Then the destination address of the return packet is also translated at NAT point2. The return packet's destination is translated before the route lookup, so the packet is delivered normally and there is no problem. Now suppose the source address of the forward packet is translated at NAT point1. Because the NAT hooks for one flow are installed at the same position, the destination address of the return packet can only be translated at NAT point1, so the route lookup uses the destination address before translation. In other words, the routing result is not the real one: to deliver the return packet to its destination, the routing table would have to be queried with the translated destination address. Since the lookup on the pre-translation destination gives a false result, you have to map it onto the real one (this is what the add-route parameter of ip nat outside source does, as the following example shows). Here is an example:


For the return packet to reach 1.1.1.2, the route to 2.2.2.4 must point to the E0 side. Therefore, you must add:
ip route 2.2.2.4 255.255.255.255 1.1.1.2
That is, set the next hop of the pre-translation destination address to the next hop of the post-translation destination address.
This is the linkage between NAT and routing. On Cisco, if you set up NAT with ip nat outside source you will run into the problem above. You can manually add a route mapping for the pre-translation address of the reverse packet, or you can append the add-route parameter to the command, which adds the route for you automatically. What it actually does is:
A. Look up address A, the result of translating destination address B according to the NAT mapping table;
B. Find the next hop C for destination address A;
C. Set the next hop for B to C.
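The three steps above, together with the route-then-NAT order for inside-to-outside traffic, as a small simulation. This is an added example, not Cisco code and not from the original article; the class and function names and the 10.0.0.0/24 inside segment are assumptions, while 1.1.1.2, 2.2.2.4 and E0 come from the example in the text.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match table; next_hop None means directly connected."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        if not hits:
            return None
        _, next_hop, interface = max(hits, key=lambda r: r[0].prefixlen)
        # On a connected network the destination is its own next hop.
        return (next_hop or dst, interface)


def add_route(table, outside_map, pre_nat_dst):
    """Steps A-C from the text for one 'ip nat outside source' mapping."""
    post_nat_dst = outside_map[pre_nat_dst]        # A: B translates to A
    hop = table.lookup(post_nat_dst)               # B: next hop C for A
    if hop is None:
        raise LookupError("no route to " + post_nat_dst)
    next_hop, interface = hop
    table.add(pre_nat_dst + "/32", next_hop, interface)  # C: host route for B
    return next_hop, interface


def send_inside_to_outside(table, outside_map, dst):
    """Inside -> outside: route on the untranslated destination, then NAT."""
    hop = table.lookup(dst)
    if hop is None:
        return None  # dropped by routing; the NAT table is never consulted
    next_hop, interface = hop
    return interface, next_hop, outside_map.get(dst, dst)


# Pre-translation destination -> real outside address (from the article).
OUTSIDE_MAP = {"2.2.2.4": "1.1.1.2"}


def demo_table():
    table = RoutingTable()
    table.add("1.1.1.0/24", None, "E0")   # outside segment from the article
    table.add("10.0.0.0/24", None, "E1")  # constructed inside segment
    return table


if __name__ == "__main__":
    t = demo_table()
    print("before add-route:", send_inside_to_outside(t, OUTSIDE_MAP, "2.2.2.4"))
    print("installed route :", add_route(t, OUTSIDE_MAP, "2.2.2.4"))
    print("after add-route :", send_inside_to_outside(t, OUTSIDE_MAP, "2.2.2.4"))
```

Before the host route exists the return packet is dropped at the route lookup, even though the NAT table holds a valid entry for it.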
We can see that source address translation on the outside, that is, at PRE-ROUTING, does have a problem, but it can be solved by remapping the route with the add-route parameter. The normal and reasonable arrangement is to translate the source address on the inside, that is, at POST-ROUTING. Although we are talking about source address translation, the problem always lies in translating the destination address of the reverse packet. The reasonable arrangement is that destination translation happens before routing, and the forward direction is the mirror image: source address translation is placed after routing. If you do not understand Cisco's Domain concept, you will certainly conclude: do not translate the source address on the outside!
Let me summarize so far. Cisco completely decouples NAT from routing. Linux is different: DNAT is always performed before routing, whether it is a configured DNAT or the implicit reverse DNAT of an SNAT, so the route lookup always uses the translated destination address. If you take that as correct, you will be surprised that Cisco can perform SNAT at PREROUTING (outside) with ip nat outside source, which puts the reverse packet's DNAT at POSTROUTING... but it's not that simple!
Cisco would not design such an apparently unreasonable and confusing NAT architecture by mistake. What is the reason for Cisco's design? Sections 2 and 3 below give some hints.
2. About policy routing
We know that standard IP routing is based on the destination address, but policy routing can add further criteria and let the source address influence the route lookup. In that sense source address translation before routing is necessary, but it forces the reverse destination address translation to happen after routing! To be exact:
A. For policy routing, place SNAT before routing.
B. To avoid add-route (although it is not really a problem and is automatic), place DNAT before routing.
A trade-off is required! However, Cisco does not lay out five symmetric HOOK points as Linux does. Cisco divides by Domain, that is, inside and outside.
3. About Domain and NAT domain
Cisco devices generally connect two network environments, one internal and one external and public. This divides the interfaces into two domains: the internal domain, inside, and the external domain, outside. The naming is so good that it is used in many areas, NAT among them, but once applied to NAT it is confusing. So if you do not yet understand the Cisco architecture well, I suggest you think of inside and outside in terms of POST/PRE ROUTING. What this section sets out to show, however, is that using inside and outside is reasonable.
NAT translates IP addresses, and IP addresses can be divided into Global addresses and Local addresses. The former are routable public addresses and the latter are private addresses. Going from the inside domain to the outside domain, all Local addresses must be translated to Global addresses. The first principle is that a Global address cannot appear in the inside domain or the DMZ domain without permission (the route may not exist!). The decision point is the route! Therefore, address translation from outside to inside must be completed before routing, which in turn requires that address translation from inside to outside be completed after routing. That is:
ip nat inside source
must occur after routing, and:
ip nat outside source
must occur before routing.
If you define an interface such as FE0/0 as outside, you enable ip nat outside on it, and packets entering through this interface query the NAT table before routing; if a matching entry is found, NAT is performed. Similarly, if you define an interface such as FE0/1 as inside, you enable ip nat inside on it, and packets entering through this interface are routed first and then query the NAT table; if a matching entry is found, NAT is performed.
3.1. Translation direction and translation point: the design of Cisco NAT
This section describes how the Domain is used and how to read the ip nat inside | outside source | destination command. It sums up the core theory of Cisco's NAT design. For simplicity, I will not introduce the four address types defined by Cisco and how they relate to source/destination addresses and directions. These are extra concepts and the easiest way to lead people astray until they are stuck.
Unlike Linux, Cisco does not use technical terms such as "pre/post routing" to define NAT behavior; it defines it entirely by Domain. A Domain is simply one side of the router: one side belongs to inside, the other to outside. All NAT operations fall into the following four types:
1> source address translation from inside to outside
2> destination address translation from inside to outside
3> source address translation from outside to inside
4> destination address translation from outside to inside
Here 1 and 4 imply each other, as do 2 and 3. So far, we have found that Cisco NAT is not as simple as Linux NAT. Linux actually defines two types of NAT:
i> SNAT: source address translation
ii> DNAT: destination address translation
The other constraints are built into the design:
DNAT is executed before routing and SNAT after routing, including the implicit reverse rules.
This is the fundamental difference between the NAT designs of Cisco and Linux! Their focus is different. Cisco emphasizes the user's domain, while Linux emphasizes the soundness of the technique itself (how to configure it takes some imagination). Look at the basis of the Linux NAT design: Linux NAT takes effect globally. There is no such thing as "applying NAT to an interface", so the interface becomes a match. The administrator only needs to write match/target.
Cisco, to expose all four kinds of NAT to engineers as configuration, has to define the inside interface and the outside interface, that is, the interface on which inside NAT is applied and the interface on which outside NAT is applied. All four kinds of NAT can then be combined with either kind of interface (inside/outside). This breaks the balance point and turns it into a saddle surface: you cannot find one point at which everything fits into pre-routing and post-routing. For example, if interface E1 enables inside NAT and E0 enables outside NAT, then E1 is the inside interface and E0 is the outside interface. Now consider the two kinds of translation from inside to outside: one translates the source address, the other the destination address. Do we put them at one location, or on either side of a "virtual equilibrium" (not necessarily routing), that is, at two locations? Let's look at the two figures below, which represent the two constraints:




The two figures show a typical saddle surface. The origin is the route. There is an origin because, with Domain-based configuration, packets going from inside to outside or the reverse must pass through one point. From the Cisco figure at the top of this article we can see that Domain-based NAT is not just NAT: it is tied to ACL matching, encryption, decryption and other operations, and the IP addresses those operations depend on are affected by NAT. Therefore Domain-based NAT has to sit on both sides of routing. Because Cisco is configured by Domain, that is, inside/outside (applying the rules of a specific Domain on each interface), this design is inevitable. On Linux, NAT is global and the interface is only a match, so the design follows the routing constraints alone.
Now we can summarize the meaning of ip nat inside | outside source | destination. I write the command as a formula:
ip nat P H
H says whether the source or the destination is translated. H also has a less obvious meaning: together with P it gives the direction of the data, that is, the data is P-H. For example, ip nat inside destination means the data has inside as its destination (it comes from outside) and the destination address is translated; ip nat outside source means the data has outside as its source and is headed inside, and the source address is translated.
4. Cisco destination Conversion
How does Cisco do destination address translation, that is, translating to an internal Local address when a public Global address is accessed, which is also called address mapping? In fact, the IOS versions of many Cisco devices do not let you do DNAT as freely as Linux does; they only let you map a specific IP address + TCP/UDP port pair or a whole IP address. This is clearly destination address translation on the outside. Seen from the opposite direction, it is source address translation on the inside, that is:
ip nat inside source static tcp $local_ip $local_port $global_ip $global_port
Note: It must be static NAT; the next section, on how NAT is installed, explains why.
The ip nat inside destination form, customized for TCP server load balancing, is not covered in this article.
II. How to install NAT
0. Style
Linux NAT is based on the 5-tuple: the NAT result is associated with a flow (conntrack), so all packets of a single flow belonging to one 5-tuple get the same NAT policy. This rule is rather rigid, so I have written several patches for Linux to make up for the shortcoming. Of course, RAWNAT can also be used.
On Cisco, NAT is not associated with a flow unless it is Stateful. Since it is not associated with a flow, what happens instead? Cisco installs a NAT mapping policy into the system's inside NAT table or outside NAT table at a specific time. Packets entering through a network port are matched against the rules in the inside NAT table or the outside NAT table, depending on whether the port is inside or outside.
The inside NAT table and the outside NAT table each come in two copies: one is the SNAT table and the other is the DNAT table. The data structure of a NAT table can be sketched as:
NAT table {
    type: SNAT or DNAT
    direction: inside or outside
    nodes: local/global mapping
}
For each packet, the source IP address is used to query the SNAT table and the destination IP address to query the DNAT table. On Linux, by contrast, you only need to look up the conntrack structure and retrieve the NAT result recorded when the first packet was matched.
1. Static NAT
Static NAT is a one-to-one NAT mapping, that is, a translation between one Local IP address and one Global IP address. As soon as the configuration takes effect, the translation rule is added to the NAT table.
1.1.Cisco
When a NAT entry is added in the inside direction:
ip nat inside source static a B
the system adds the source address translation a -> B to the inside SNAT table and the destination address translation B -> a to the outside DNAT table.
All subsequent packets, whether initiated internally or externally, are checked against these tables according to whether the receiving interface has inside NAT or outside NAT enabled.
1.2.Linux
Linux is based on conntrack, so even if you use
iptables -t nat -A POSTROUTING -s a -j SNAT --to-source B
the rule is applied only to the first packet that matches it. In Linux NAT the address a appears as a match, so it is compared strictly against the source address of the first packet; packets in the opposite direction do not match, so Linux NAT is unidirectional.
2. Dynamic NAT
Dynamic NAT does not specify the translated address at configuration time; the address is chosen when the first packet that needs translation (as determined by the ACL) arrives. Therefore, when the configuration takes effect, no NAT rule is added to the NAT table.
2.1.Cisco Mode
When a dynamic NAT entry is added in the inside direction:
ip nat pool NAME ...
ip nat inside source list $acl pool NAME
...
the system does not add any NAT rule. Only when a packet matches the ACL and triggers NAT does the system dynamically select an address from the pool (how depends on the pool type), add the rule to the inside SNAT table, and generate and add the matching destination address translation rule to the outside DNAT table.
Cisco dynamic NAT is therefore one-way: when a reverse packet arrives first, it does not match the ACL, does not trigger the creation of NAT rules, and does not match any NAT rule.
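The table behaviour described in 1.1 (static) and 2.1 (dynamic), as a toy model. This is an added example, not from the original article and not how IOS is implemented; the class, the method names and all addresses are constructed, and the model covers only inside source translation, ignoring ports, timeouts and the routing order.

```python
import ipaddress


class CiscoNatModel:
    """Toy model of the inside SNAT / outside DNAT tables described above."""

    def __init__(self):
        self.inside_snat = {}    # local -> global, checked on inside interfaces
        self.outside_dnat = {}   # global -> local, checked on outside interfaces
        self.dynamic_rules = []  # (ACL network, list of free pool addresses)

    def _install(self, local, global_addr):
        # One mapping always produces both table entries.
        self.inside_snat[local] = global_addr
        self.outside_dnat[global_addr] = local

    def add_static(self, local, global_addr):
        # Static NAT: installed the moment the configuration takes effect.
        self._install(local, global_addr)

    def add_dynamic(self, acl, pool):
        # Dynamic NAT: only the ACL and pool are remembered, no table entry.
        self.dynamic_rules.append((ipaddress.ip_network(acl), list(pool)))

    def from_inside(self, src, dst):
        """Packet received on an inside interface: source translation."""
        if src not in self.inside_snat:
            for acl, free in self.dynamic_rules:
                if ipaddress.ip_address(src) in acl and free:
                    self._install(src, free.pop(0))  # first packet triggers it
                    break
        return self.inside_snat.get(src, src), dst

    def from_outside(self, src, dst):
        """Packet received on an outside interface: destination translation."""
        # A reverse packet never creates an entry; it can only use one.
        return src, self.outside_dnat.get(dst, dst)


def build_demo():
    nat = CiscoNatModel()
    nat.add_static("10.0.0.5", "203.0.113.5")                 # constructed
    nat.add_dynamic("10.0.1.0/24", ["203.0.113.10", "203.0.113.11"])
    return nat


if __name__ == "__main__":
    nat = build_demo()
    peer = "198.51.100.9"  # constructed outside host
    print("static, outside first :", nat.from_outside(peer, "203.0.113.5"))
    print("dynamic, outside first:", nat.from_outside(peer, "203.0.113.10"))
    print("dynamic, inside first :", nat.from_inside("10.0.1.7", peer))
    print("dynamic, reply        :", nat.from_outside(peer, "203.0.113.10"))
```

The statically mapped host is reachable from the outside as soon as the entry is configured, while a pool address leads nowhere until an inside host matching the ACL has sent a packet.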
2.2.Linux
Again, in Linux NAT the address to be translated is a match, so the principle is the same whether the translation is one-to-one or one-to-many. Linux does not distinguish static from dynamic translation. In the kernel, no so-called NAT mapping table ever appears. The NAT rules added by iptables do not generate a mapping, and a packet does not generate a mapping after it matches a NAT rule; the NAT result exists only in conntrack as part of the tuple.
3. Query Method
3.1.Linux
For Linux NAT lookups, the first packet is matched against the iptables nat table rules one by one. For subsequent packets, the lookup becomes a conntrack hash query on the 5-tuple.
3.2.Cisco
On Cisco, unlike Linux, SNAT and DNAT are not each tied to one hook: either can occur at both PREROUTING and POSTROUTING. Therefore, whichever NAT HOOK point is used, the source IP address and destination IP address of the packet must be used to query the SNAT table and the DNAT table respectively. In that case the lookup can be abstracted into an independent virtual interface, which is NVI!
III. Use NVI virtual interfaces
0. Virtual Interface Concept
I will not go into this. OpenVPN's tap, the VTI of Cisco IPSec VPN and the NVI described below are all virtual interfaces, and packets can be steered into any virtual interface by routing. What happens inside the interface is where the "virtual" comes in: you can hand packets to a character device, encrypt and decrypt them, or perform NAT...
1. Linux 2.4 nat route
In Linux 2.4, nat route depends on policy routing. It is a super failure and is not well written by myself.
2. Cisco domainless NAT
Domainless means no longer distinguishing between inside and outside, but simply doing NAT. This is a bold and refreshing implementation from Cisco. There is no longer a so-called balance point, so the HOOK points for NAT in the two directions are no longer placed symmetrically around it; all NAT operations are performed at PREROUTING. Cisco did not implement this by adding configuration that mounts a HOOK; it used a virtual interface called the NAT Virtual Interface. What is the advantage? Honestly, it cannot be seen from the configuration interface, but from the implementation point of view, routing is used to steer every packet from an interface configured with ip nat enable into the virtual interface NVI0. There the source and destination addresses of the packet are used to query the SNAT table and the DNAT table respectively, NAT is performed according to the result, and the packet then enters the real route lookup. The overall process is shown in:


It can be seen that regardless of direction and regardless of routing, as soon as a packet enters a physical interface configured with ip nat enable, NAT matching is performed, and on a successful match both SNAT and DNAT are done right there. The implementation is bold, but it solves all the problems and the balance point no longer exists. NAT is complete before the packet enters the real route lookup. From the router's point of view the NAT operation is hidden, as if the packet had always looked that way.
Of course, Domainless NAT is no longer coupled to any other operation: ACLs, matching of VPN interesting traffic, policy routing and so on have nothing to do with NAT. Cisco's Domainless NAT design is thus even further from Linux's. Although the Linux NAT design is also domainless, it is closer to Cisco's Domain-based NAT, because in both NAT has to interact with other filter operations; on Linux, NAT has to interact with a large number of Netfilter actions.
IV. Summary and ideas
By using Cisco NAT, I have some ideas that need to be recorded for the time being.
1. Relationship with Microsoft and free
When I configured Cisco, I felt like I was using the Microsoft system. When you encounter a bottleneck, you are helpless! On Microsoft's system, I want to implement single-arm NAT. I want to bring the source when configuring the route. After a long time, I did not get the result. I felt the same way when I configured Cisco! Although sometimes higher IOS versions can solve the problem (the same as Microsoft ). In general, using these things makes you feel less free, there are too few places to be able to HACK, and the threshold for HACK operations is too high. When using them, you have to be so worried that you can either get in one breath, as long as you encounter obstacles, even a small obstacle, you may not be able to get through.
Linux is just the other side of things. UNIX is in the middle. If you operate on Linux, your behavior will not be blocked. Even if you encounter problems, the system will not prevent you from writing a program or kernel module, or even re-ordering the kernel. Even if it is not so in-depth, it is enough to take a look at iproute2 and iptables. the built-in parameters allow you to complete almost all the operations. In this sense, users who are used to Linux may also require better Cisco's extended access control list. In fact, in the face of Netfilter's almost unlimited scalability, what is the "extension" of Cisco's extended access control list reflected in ??
I bought a mobile phone instead of hack, and I didn't write code to install it on my mobile phone. I just wanted to use it to make phone calls, send messages, and access the internet. So I didn't buy Android, because the values were quite different, I don't buy any cell phone associated with Microsoft. No matter how good it is, I bought iOS because it is associated with UNIX. In fact, Apple is closed, but it is not the technology itself, it is the value orientation and design. In fact, it is because it is not a technology that is closed. After jailbreak, you will face an original Open UNIX. Openness is gold, and openness is everything.
2. Functional Technical Points and Solutions
If you encounter a problem and want to solve it, there are two ways. The first way is to find the functional technical point that solves the problem on its own. For example, if you want to implement ACL-based address mapping and you are using a Linux box, the functional technical point is iptables, but if you are using a Cisco low-end router, the document clearly states that it is not supported. Then comes the second way, which is to completely deny the original scheme and say, "Why do we need to do this? XX will be better. We have a complete set of solutions to meet all your needs." Generally, Cisco, Microsoft, and IBM provide solutions. Functional technical points on their systems often have weak spots and can only be used in combination with others. Therefore, if you want to hack, never do it on these systems. You will be bored. On these systems this will not work and that will not work either; this cannot be changed and that cannot be changed. When you use them more, you become rigid, and, not to put it nicely, "any technical problem can be solved" is impossible for people who use these closed systems!!!
3. Personnel conflict
I have been in conflict with people for several times in a week and proved that my ideas are correct after I finish my work. So again, I feel that the level of most so-called senior network administrators is so junk, horizontal junk personality is also arrogant, which is really angry and sad. The views of these spammers are basically divided into two categories:
1> impossible to do things that have not been done
Because I have never done this before, it is impossible to say, or even deny my technical solution. I appeared as a developer, which made the other Party feel that I do not understand the network and have no experience. First, they did not do it. Second, I did not have a professional title in the network field, this makes them arrogant.
2> if you take things for granted, you just need to shoot your head and say yes. In fact, you cannot.
I want to map a UDP service one-to-one and in both directions:
ip nat inside source static udp 1.1.1.1 12345 2.2.2.2 12345
During the test, they insisted on using ping! This is clearly a UDP mapping. How can I use ping?! However, they had to use ping. I told them they cannot do a full mapping, because it would also translate unrelated addresses that should not be translated. Because they know that NAT can be done with ACL + pool, they thought this could be done by matching addresses with an ACL on the outside port... this is silly! I want to translate the destination address. It also needs to be bidirectional, that is to say, no matter where the data flow is initiated from! Those guys don't even know when a NAT translation entry gets installed into the system!
I am glad to say that I am a network engineer! Let's look at our NA/NP/IE/NE/SE. Without exception, we have a back-to-back question. Many certificates have been obtained, but TMD does not understand the basic principles of the network! Let's look at the real CCIE, such as Petr Lapukhov, 4 xCCIE/CCDE in ccie r & S, IP Services:
Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in your network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for policyears. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.
Looking at people's experiences, from programming, to more and more, from computer architecture, TCP/IP stack, to UNIX, Cisco is just a platform that masters attach all of this, if he is not working on Cisco, But joining the IBM camp or developing the Linux kernel, can you tell me that people are not in the circle? Remember, don't think of programmers as people who don't understand the network.
