CCNP Tshoot - IP Services Troubleshooting (NAT, DHCP)

The NAT service allows a company to use as many private IP addresses as they need for devices inside of their network and then translate those addresses into publicly routable IP addresses.

Router might be a DHCP client, where one (or more) of its interfaces obtains an IP address from an external DHCP server.
Alternatively, a router can be configured to act as a DHCP server.
A router can also serve as a DHCP relay agent, which allows DHCP client broadcast traffic (that is, broadcast traffic a DHCP client sends in an attempt to dynamically discover a DHCP server) to be forwarded through the router, even though a router typically blocks broadcast traffic.

NAT Troubleshooting
 - Some IP addresses are routable through the public Internet, whereas others are considered private and are intended for use within an organization.
 - Because these private IP addresses might need to communicate outside of their local networks, NAT allows private IP addresses (as defined in RFC 1918) to be translated into Internet-routable IP addresses (that is, public IP addresses).

Types of NAT
Static NAT  - A one-to-one mapping of private internal IP addresses to public external IP addresses
Dynamic NAT  - A dynamic mapping of private internal IP addresses to a pool of public external IP addresses
NAT Overloading  - Allows multiple private internal IP addresses to use a single public external IP address by keeping track of Layer 4 port numbers, which make each session unique (that is, Port Address Translation [PAT])
Overlapping NAT   - Used when private internal IP addresses at one location overlap destination private internal IP addresses at another location

NAT  terminology
Inside Local     A private IP address referencing an inside device
Inside Global   A public IP address referencing an inside device
Outside Local  None         A private IP address referencing an outside device
Outside Global  A public IP address referencing an outside device

NAT Terminology
 - inside always refers to an inside device, whereas outside always refers to an outside device.
 - word local as being similar to the Spanish word loco, which means crazy. It is a crazy made-up address (a private IP address not routable on the Internet).
 - global remind you of the g in good - global address is a good (that is, routable on the Internet) IP address.

Dynamic NAT Sample Configuration   - range from to
interface FastEthernet1/0
ip address
ip nat inside
interface Serial 0/0
ip address
ip nat outside
ip nat pool OUTSIDE_POOL netmask
ip nat inside source list 1 pool OUTSIDE_POOL
access-list 1 permit
Potential NAT Troubleshooting Issues (NAT might cause an issue for end users):
1) Using NAT over a VPN
 - Some VPN protocols check the checksum of a packet to verify its integrity.
 - The checksum calculated for a packet before NAT is different from a checksum calculated for that same packet after NAT (because performing NAT on a
packet changes IP address information).
 - Therefore, a VPN protocol (for example, IPsec) might reject such a packet because it appears to have been altered.
 - Workarounds are available, including NAT Traversal, NAT Transparency, and IPsec over TCP/UDP.

2) NAT hiding true IP address information
 - Because NAT translates an inside IP address to an outside IP address, tracing a data flow from end to end for troubleshooting purposes can be challenging.
 - You can start troubleshooting by using the show ip nat translation command to verify whether the translation does exist in the translation table.

3) Applications that are not NAT compatible
 - When some applications initialize, they randomly determine what ports are going to be used for communication, which might be incompatible with how NAT handles incoming traffic.
 - Some Voice over IP (VoIP) protocols face such an issue, as they select the User Datagram Protocol (UDP) port numbers to be used for their Real-time Transport Protocol (RTP) media streams.
 - Also, when setting up communication with a remote device, an application might include IP address information in the payload of a packet. If the remote device at tempted to return traffic to the IP address embedded in that payload, that IP address might be unreachable because of the NAT translation.
 - Therefore, you should avoid NAT for some applications; use NAT-aware applications, or configure NAT to work with NAT-unaware applications.

4) Delays experienced due to NAT’s processing
 - Because NAT manipulates Layer 3 information of packets, the packets are subject to a bit more delay than they would otherwise experience.
 - This delay might become more evident on routers performing numerous NAT translations.

Order of Operations for an Interface
 - Critical for troubleshooting is an understanding of when NAT performs its translation in relation to other interface operations, such as evaluating an ACL.
For traffic flowing from the inside network into the outside network:
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. Policy-based routing (PBR)
6. Redirecting traffic to a web cache
7. NAT translating local to global addresses
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed

For traffic flowing from the outside network into the inside network:
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. NAT translating global to local addresses
6. Policy Based Routing (PBR)
7. Redirecting traffic to a web cache
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed

Most common causes for a NAT issue
■ An ACL referenced by a NAT configuration is incorrect.
■ Inside and outside interfaces are not correctly assigned.
■ Incorrect IP addresses (or address ranges) are referenced by a NAT configuration.
■ Applications are not NAT aware.
■ A routing loop occurs as a result of a NAT address translation.

NAT Troubleshooting commands
clear ip nat translation *
! Removes all dynamic entries from a router’s NAT translation table

show ip nat translations
! Used to see all entries in a router’s NAT translation table

show ip nat statistics
! Used to display NAT configuration and statistical information on a router, such as inside and outside interfaces, total translations, number of expired translations, inside address ACL, and outside address pool information

debug ip nat
! Provides real-time information about NAT translations as they occur, including the IP address being translated and the IP identification number that can be used to match packets in the output with packets captured with a protocol analyzer

ip nat pool <pool-name> <start-ip> <end-ip>{netmask subnet-mask| prefix <length> prefix-length}
! Global configuration mode command that defines a pool of inside global addresses into which inside local addresses can betranslated

ip nat inside source list <access-list> pool <pool> <name> [overload]
! Global configuration mode command that associates an ACL defining an inside local address space with the specified pool of inside global addresses
! (Note: The overload keyword enables PAT, which allows multiple inside addresses to share a common outside address.)

ip nat translation max-entries <number>
! Global configuration mode command that specifies the maximum number of entries permitted in a router’s NAT table

ip nat{inside| outside}
! Interface configuration mode command that identifies an interface as an inside or outside NAT interface

DHCP Troubleshooting
 - DHCP serves as one of the most common methods of assigning IP address information to a network host.
 - if a client resides on a different network than the DHCP server, the next-hop router of the client should be configured as a DHCP relay agent.
 - You can use the interface configuration mode command to configure a router interface to relay DHCP requests to either a unicast IP address or a directed broadcast address.
To configure the address to which the software forwards User Datagram Protocol (UDP) only broadcasts
ip helper-address <ip-address>
DHCP Configurations
R1(config)# service dhcp
R1(config)# interface fa 0/0
R1(config-if)# ip helper-address
Also, IP could be used, and is the directed broadcast IP address for the network.
Although using a directed broadcast address might enable you to reach all DHCP servers on a particular subnet, Cisco recommends that you use a specific IP
address as opposed to a directed broadcast. 
 - One reason for this recommendation is that a directed broadcast causes all hosts on the target subnet to examine the DHCPDISCOVER packet, even if those hosts are not DHCP servers.
 - Some routers block directed broadcasts (because of a potential security risk).
Port  protocol
37    Time
49    TACACS
53    DNS
67    BOOTP/DHCP Server
68    BOOTP/DHCP Client
69    TFTP
137   NetBIOS name service
138   NetBIOS datagram service
What if Company XYZ needs to forward requests for a service not on this list?
 - The Cisco IOS software provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port in addition to the default eight.
 - To forward UDP on port 517, use the global configuration command ip forward-protocol udp 517.
This command is used not only to add a UDP port to the default eight, but also to subtract an unwanted service from the default group.
RTA(config-if)#ip helper-address
RTA(config)#ip forward-protocol udp 517
RTA(config)#no ip forward-protocol udp 37
RTA(config)#no ip forward-protocol udp 49

DHCP Message Types
DHCPDISCOVER A client sends in an attempt to locate a DHCP server. Sent to (broadcast) of  using UDP port 67.
DHCPOFFER    A DHCP server sends in response to a DHCPDISCOVER message using UDP port 68.
DHCPREQUEST  Request for IP configuration parameters sent from a client to a specific DHCP server.
DHCPDECLINE  Sent from a client to a DHCP server to inform the server that an IP address is already in use on the network.
DHCPACK      A DHCP server sends to a client and includes IP configuration parameters.
DHCPNAK      A DHCP server sends this message to a client and informs the client that the DHCP server declines to provide the client with the requested IP configuration information
DHCPRELEAE  A client sends this message to a DHCP server and informs the DHCP server that the client has released its DHCP lease, thus allowing the DHCP server to reassign the client IP address to another client.
DHCPINFORM   Sent from a client to a DHCP server and requests IP configuration parameters. Such a message might be sent from an access server requesting IP configuration information for a remote client at taching to the access server.
Configure a router to act as a DHCP relay agent, realize that it relays a few other broadcast types in addition to a DHCP message:
■ Domain Name System (DNS)
■ Internet Time Service (ITS)
■ NetBIOS name server
■ NetBIOS datagram server
■ BootP

DHCP Client Configuration
R1(config)#int fa 0/0
R1(config-if)#ip address dhcp
DHCP Server Configuration
ip dhcp excluded-address    <--- prevents DHCP from assigning the IP address to a client
ip dhcp pool POOL-A
Potential DHCP Troubleshooting Issues
A router not forwarding broadcasts
 - By default, a router does not forward broadcasts, including DHCPDISCOVER broadcast messages.
 - Therefore, a router needs to be explicitly configured to act as a DHCP relay agent (ip helper) if the DHCP client and DHCP server are on different subnets.

DHCP pool out of IP addresses

 - A DHCP pool contains a finite number of addresses. Once a DCHP pool becomes depleted, new DHCP requests are rejected.

 - The configuration of a DHCP server might be incorrect.

Duplicate IP addresses
 - A DHCP server might hand out an IP address to a client that is already statically assigned to another host on the network.
 - These duplicate IP addresses can cause connectivity issues for both the DHCP client and the host that had been statically configured for the IP address.

Redundant services not communicating
 - Some DHCP servers can coexist with other DHCP servers for redundancy.
 - For this redundancy to function, these DHCP servers need to communicate with one another. If this interserver communication fails, the DHCP servers can hand out overlapping IP addresses to their clients.

The “pull” nature of DHCP
When a DHCP client wants an IP address, it can request an IP address from a DHCP server.
 - DHCP server has no ability to initiate a change in the client IP address after the client obtains an IP address.
 - DHCP client pulls information from the DHCP server, but the DHCP server cannot push information to the DHCP client.

DHCP Troubleshooting Syntax
show ip dhcp conflict  
! Identifies any IP address conflicts a router identifies, along with the method the router used to identify the conflicts (this is, via ping or gratuitous ARP)

show ip dhcp binding
! Displays IP addresses that an IOS DHCP server assigns, their corresponding MAC addresses, and lease expirations

clear ip dhcp binding *       <---Releases all current DHCP leases
clear ip dhcp conflict *      <---Clears all currently identified DHCP conflicts
debug ip dhcp server events   <---Provides real-time information about DHCP address assignments and database updates
debug ip dhcp server packet   <---Displays real-time decodes of DHCP packets

ip helper-address <IP>
! Causes an interface to forward specific received UDP broadcasts to the destination IP address, which can be either a specific IP address or a directed broadcast address

ip dhcp excluded-address <beginning-IP> [ending-IP]
! Specifies a range of IP addresses not to be assigned to DHCP clients

ip dhcp pool <NAME>    <-Creates a DHCP pool
 network <network-address> <subnet-mask> <-Identifies a subnet to be used by a DHCP pool
 default-router <IP>                  <-Specifies the IP of a default gateway to be given to a DHCP client
 dns-server <IP>                      <-Configures the IP of a DNS server to be given to a DHCP client
 netbios-name-server <IP>             <-Defines the IP address of a WINS server to be given to a DHCP client
 lease {days hours minutes| infinite} <-Determines the duration of a DHCP lease given to a DHCP client