NAT
NAT Concepts
- NAT Zero is same as Nat Exemption. It means No NAT for VPN Traffic an a Cisco ASA firewall.
Hair-Pin NAT
When a client out on the Internet it establishes a connection to the web server, the router performs NAT.
But when accessed from LAN using Public IP, an issue occurs:
1. Client: Source = 192.168.1.10 & destination = 1.1.1.1 2. Router destination NATs it to 192.168.1.2 & replaces the destination IP address in the packet.
Source remains same = 192.168.1.10. 3. Server sees that source IP is on the same subnet. It does not reply back to the router,
but sends directly 192.168.1.10 with a source IP of 192.168.1.2. 4. The client receives the reply packet, but discards it because it expects a packet back from 1.1.1.1,
& not from 192.168.1.2.
| Step 1 | Source IP 192.168.1.10 |
Destination IP 1.1.1.1 |
|---|---|---|
| Step 2 | Source IP 192.168.1.10 |
Destination IP 192.168.1.2 |
| Step 3 | Source IP 192.168.1.2 |
Destination IP 192.168.1.10 |
To fix the issue, an additional NAT rule is needed on the router to enforce all reply traffic flows through the router, despite being on the same subnet.
With that additional rule, the flow now changes:
1. Router now is doing both Destination & Source NAT. Destination IP = 192.168.1.2, & Source IP = 192.168.1.1. 2. Server sends the reply with Source = 192.168.1.2 to router with IP = 192.168.1.1. 3. Router determines that packet is from previous session and undoes both Source and Destination NAT,
and puts the original source & destination IPs.
| Step 1 | Source IP 192.168.1.10 |
Destination IP 1.1.1.1 |
|---|---|---|
| Step 2 | Source IP 192.168.1.1 |
Destination IP 192.168.1.2 |
| Step 3 | Source IP 192.168.1.2 |
Destination IP 192.168.1.1 |
| Step 4 | Source IP 1.1.1.1 |
Destination IP 192.168.1.10 |
LAB
Overlapping Subnets
 This section is under construction.
|
Server with no Reverse Route
The Internal Server does not have a reverse route.
Or the default route is pointing to another interface.
- Scenario
| Step | Source Address | Destination Address |
|---|---|---|
| 1 | 100.1.1.1 | 1.1.1.1 |
| 2 | 100.1.1.1 | 10.1.1.1 |
| 3 | 10.1.1.1 | 100.1.1.1 |
- The packet will reach from client to 1.1.1.1 on internet.
- The firewall has a NAT-DST policy which will translate the destination address to 10.1.1.1
- The Web Server does not have a reverse route for the Client at 100.1.1.1
- The Reply packet will be dropped at the source itself.
- Workaround - Implement NAT-SRC also along with NAT-DST
| Step | Source Address | Destination Address |
|---|---|---|
| 1 | 100.1.1.1 | 1.1.1.1 |
| 2 | 10.1.1.2 | 10.1.1.1 |
| 3 | 10.1.1.1 | 10.1.1.2 |
| 4 | 1.1.1.1 | 100.1.1.1 |
- Implement NAT-SRC along with NAT-DST in the same firewall policy.
- Now the packet arrived at Web Server will have a Source address of 10.1.1.2 & Destination address of 10.1.1.1
- Server will assume that the packet originated from the Local LAN.
- Server will ARP for the Destination address 10.1.1.2 & send the reply packet.
- The firewall will re-translate the packet to the original Source(1.1.1.1) & destination(100.1.1.1) addresses.
- This is also used in Dialup VPN when the user after connecting is not able to reach the resource.
- References
{{#widget:DISQUS
|id=networkm
|uniqid=NAT
|url=https://aman.awiki.org/wiki/NAT
}}