Shulou(Shulou.com)06/01 Report--

Objective: to better understand the packet processing sequence of NAT in Cisco IOS through bi-directional NAT

Premise: it doesn't appear in the real world.

Environment:

R1 and R3 are simulated as PC, so that they can communicate normally without a gateway.

Define f0thumb 0 of R2 as ip nat inside;f1/0 and ip nat outside.

I will post the order of packet processing for Cisco IOS first.

NAT Overview

In this table, when NAT performs the global to local, or local to global, translation is different in each flow.

Inside-to-Outside

Outside-to-Inside

If IPSec then check input access list

If IPSec then check input access list

Decryption-for CET (Cisco Encryption Technology) or IPSec

Decryption-for CET or IPSec

Check input access list

Check input access list

Check input rate limits

Check input rate limits

Input accounting

Input accounting

Redirect to web cache

Redirect to web cache

Policy routing

NAT outside to inside (global to local translation)

Routing

Policy routing

NAT inside to outside (local to global translation)

Routing

Crypto (check map and mark for encryption)

Crypto (check map and mark for encryption)

Check output access list

Check output access list

Inspect (Context-based Access Control (CBAC))

Inspect CBAC

TCP intercept

TCP intercept

Encryption

Encryption

Queueing

Queueing

You can see that there are differences between NAT in different directions: 1. Inside source static needs to be routed before NAT

2. Outside source static needs to be NAT before routing

Let's first configure R2:

When R1 data goes from inside to outside, it will first check the routing table, then check the NAT entry and translate it to the ip address 172.16.1.101.

Just imagine, if you want to access the ip address of R3: 172.16.1.1, you must find a gateway, because there is no gateway, so we translate the ip address of 172.16.1.1 into 192.168.1.101. At this time, R1 accesses not 172.16.1.1 but 192.168.1.101.

At this point, let's look at the arp cache table.

If you are on juniper or check point firewall, you need to configure proxy-arp and manually add ARP entries.

At this time, let R1 visit 192.168.1.101, because the ARP entry is to be obtained from the interface of R2, so the packet of source: 192.168.1.1 purpose: 192.168.1.101 is thrown to R2 'f0Universe 0. R2 will first check to see if there is a route to 192.168.1.101, but because there is a directly connected route of 192.168.1.0 directly connected to f0bank 0. R2 will consider this "vexatious" data discarding. The next step is not to convert 192.168.1.1 to 172.16.1.101 and 192.168.1.101 to 172.16.1.1 because it is discarded.

You can see that f0plash 0 of R2 responds to R1 because there is an ARP entry, but does not convert the data and does not let telnet pass.

Let's see if NAT conversion is performed first when R3 accesses 172.16.1.101.

You can see that when 172.16.1.1 visits 172.16.1.101, it is converted to 192.168.1.101, and then 172.16.1.101 is converted to 192.168.1.1. At the same time, R2 forwards the packet to R1, but because R1 does not have a route and cannot be converted, so the reply is not established.

So, the reason why the reply is not valid is that there is no route to 192.168.1.101 on R2, so we add the route of 192.168.1.101 on R2, and the next hop is forwarded from f1max 0.

At this time, we will send data from R1 to 192.168.1.101.

You can see that the reply packet of 192.168.1.101 is received and telnet is successful.

And look at the conversion on R2.

192.168.1.1 visit 192.168.1.101 Magi R2 to see that there is a route to f1ap0, and then check the NAT entry

192.168.1.1 is converted to 172.16.1.101, and then the destination 192.168.1.101 is converted to 172.16.1.1, which becomes the source address: 172.16.1.101, the destination address: 172.16.1.1, and then forwarded from f1swap 0.

172.16.1.1 received the packet, saw that the source address was 172.16.1.101, then returned the packet to 172.16.1.101, converted it to 192.168.1.101, and then converted 172.16.1.101 to 192.168.1.1, which became the source address: 192.168.1.101, the destination address: 192.168.1.1, and then forwarded it from f0cord 0.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.