The NAT service allows a company to use as many private IP addresses as they need for devices inside of their network and then translate those addresses into publicly routable IP addresses.
Router might be a DHCP client, where one (or more) of its interfaces obtains an IP address from an external DHCP server.
Alternatively, a router can be configured to act as a DHCP server.
A router can also serve as a DHCP relay agent, which allows DHCP client broadcast traffic (that is, broadcast traffic a DHCP client sends in an attempt to dynamically discover a DHCP server) to be forwarded through the router, even though a router typically blocks broadcast traffic.
NAT Troubleshooting
- Some IP addresses are routable through the public Internet, whereas others are considered private and are intended for use within an organization.
- Because these private IP addresses might need to communicate outside of their local networks, NAT allows private IP addresses (as defined in RFC 1918) to be translated into Internet-routable IP addresses (that is, public IP addresses).
Types of NAT
Static NAT - A one-to-one mapping of private internal IP addresses to public external IP addresses
Dynamic NAT - A dynamic mapping of private internal IP addresses to a pool of public external IP addresses
NAT Overloading - Allows multiple private internal IP addresses to use a single public external IP address by keeping track of Layer 4 port numbers, which make each session unique (that is, Port Address Translation [PAT])
Overlapping NAT - Used when private internal IP addresses at one location overlap destination private internal IP addresses at another location
NAT terminology
Inside Local 10.1.1.1 A private IP address referencing an inside device
Inside Global 172.16.1.1 A public IP address referencing an inside device
Outside Local None A private IP address referencing an outside device
Outside Global 192.168.1.1 A public IP address referencing an outside device
NAT Terminology |
- word local as being similar to the Spanish word loco, which means crazy. It is a crazy made-up address (a private IP address not routable on the Internet).
- global remind you of the g in good - global address is a good (that is, routable on the Internet) IP address.
NAT extendable
ip nat inside source static 10.1.1.1 200.2.2.2 extendable! extendable - will allow you to have two NAT entries for the same source IP address.
ip nat inside source static 10.1.1.1 200.3.3.3 extendable
ip nat allow-static-host
Dynamic Address Resolution Protocol (ARP) learning will be disabled on this interface, and NAT will control the creation and deletion of ARP entries for the static-IP host.
Example Config:
interface ethernet 1
ip nat inside
!
ip nat allow-static-host
!
ip nat pool xyz 171.1.1.1 171.1.1.10 netmask 255.255.255.0 accounting WLAN-ACCT
access-list 1 deny ip 192.168.196.51
ip nat inside source list 1 pool net-208
Dynamic NAT Sample Configuration
172.16.1.1 172.16.1.10 - range from 172.16.1.1 to 172.16.1.10
interface FastEthernet1/0Potential NAT Troubleshooting Issues (NAT might cause an issue for end users):
ip address 10.1.1.100 255.255.255.0
ip nat inside
!
interface Serial 0/0
ip address 172.16.1.100 255.255.255.0
ip nat outside
!
ip nat pool OUTSIDE_POOL 172.16.1.1 172.16.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool OUTSIDE_POOL
!
access-list 1 permit 10.0.0.0 0.0.0.255
1) Using NAT over a VPN
- Some VPN protocols check the checksum of a packet to verify its integrity.
- The checksum calculated for a packet before NAT is different from a checksum calculated for that same packet after NAT (because performing NAT on a
packet changes IP address information).
- Therefore, a VPN protocol (for example, IPsec) might reject such a packet because it appears to have been altered.
- Workarounds are available, including NAT Traversal, NAT Transparency, and IPsec over TCP/UDP.
2) NAT hiding true IP address information
- Because NAT translates an inside IP address to an outside IP address, tracing a data flow from end to end for troubleshooting purposes can be challenging.
- You can start troubleshooting by using the show ip nat translation command to verify whether the translation does exist in the translation table.
3) Applications that are not NAT compatible
- When some applications initialize, they randomly determine what ports are going to be used for communication, which might be incompatible with how NAT handles incoming traffic.
- Some Voice over IP (VoIP) protocols face such an issue, as they select the User Datagram Protocol (UDP) port numbers to be used for their Real-time Transport Protocol (RTP) media streams.
- Also, when setting up communication with a remote device, an application might include IP address information in the payload of a packet. If the remote device at tempted to return traffic to the IP address embedded in that payload, that IP address might be unreachable because of the NAT translation.
- Therefore, you should avoid NAT for some applications; use NAT-aware applications, or configure NAT to work with NAT-unaware applications.
4) Delays experienced due to NAT’s processing
- Because NAT manipulates Layer 3 information of packets, the packets are subject to a bit more delay than they would otherwise experience.
- This delay might become more evident on routers performing numerous NAT translations.
Order of Operations for an Interface
- Critical for troubleshooting is an understanding of when NAT performs its translation in relation to other interface operations, such as evaluating an ACL.
For traffic flowing from the inside network into the outside network:
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. Policy-based routing (PBR)
6. Redirecting traffic to a web cache
7. NAT translating local to global addresses
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
For traffic flowing from the outside network into the inside network:
1. Decryption of IPsec traffic
2. Input ACL applied
3. Input policing applied
4. Input accounting applied
5. NAT translating global to local addresses
6. Policy Based Routing (PBR)
7. Redirecting traffic to a web cache
8. Crypto map application
9. Output ACL applied
10. Cisco IOS Firewall inspection performed
11. TCP intercept feature applied
12. Encryption performed
Most common causes for a NAT issue
■ An ACL referenced by a NAT configuration is incorrect.
■ Inside and outside interfaces are not correctly assigned.
■ Incorrect IP addresses (or address ranges) are referenced by a NAT configuration.
■ Applications are not NAT aware.
■ A routing loop occurs as a result of a NAT address translation.
NAT Troubleshooting commands
clear ip nat translation *
! Removes all dynamic entries from a router’s NAT translation table
show ip nat translations
! Used to see all entries in a router’s NAT translation table
show ip nat statistics
! Used to display NAT configuration and statistical information on a router, such as inside and outside interfaces, total translations, number of expired translations, inside address ACL, and outside address pool information
debug ip nat
! Provides real-time information about NAT translations as they occur, including the IP address being translated and the IP identification number that can be used to match packets in the output with packets captured with a protocol analyzer
ip nat pool <pool-name> <start-ip> <end-ip>{netmask subnet-mask| prefix <length> prefix-length}
! Global configuration mode command that defines a pool of inside global addresses into which inside local addresses can betranslated
ip nat inside source list <access-list> pool <pool> <name> [overload]
! Global configuration mode command that associates an ACL defining an inside local address space with the specified pool of inside global addresses
! (Note: The overload keyword enables PAT, which allows multiple inside addresses to share a common outside address.)
ip nat translation max-entries <number>
! Global configuration mode command that specifies the maximum number of entries permitted in a router’s NAT table
ip nat{inside| outside}
! Interface configuration mode command that identifies an interface as an inside or outside NAT interface
DHCP Troubleshooting
- DHCP serves as one of the most common methods of assigning IP address information to a network host.
- if a client resides on a different network than the DHCP server, the next-hop router of the client should be configured as a DHCP relay agent.
- You can use the interface configuration mode command to configure a router interface to relay DHCP requests to either a unicast IP address or a directed broadcast address.
To configure the address to which the software forwards User Datagram Protocol (UDP) only broadcasts
ip helper-address <ip-address>DHCP Configurations
R1(config)# service dhcpAlso, IP 10.1.1.255 could be used, and is the directed broadcast IP address for the 10.1.1.0/24 network.
R1(config)# interface fa 0/0
R1(config-if)# ip helper-address 10.1.1.1
Although using a directed broadcast address might enable you to reach all DHCP servers on a particular subnet, Cisco recommends that you use a specific IP
address as opposed to a directed broadcast.
- One reason for this recommendation is that a directed broadcast causes all hosts on the target subnet to examine the DHCPDISCOVER packet, even if those hosts are not DHCP servers.
- Some routers block directed broadcasts (because of a potential security risk).
Port protocolWhat if Company XYZ needs to forward requests for a service not on this list?
37 Time
49 TACACS
53 DNS
67 BOOTP/DHCP Server
68 BOOTP/DHCP Client
69 TFTP
137 NetBIOS name service
138 NetBIOS datagram service
- The Cisco IOS software provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port in addition to the default eight.
- To forward UDP on port 517, use the global configuration command ip forward-protocol udp 517.
This command is used not only to add a UDP port to the default eight, but also to subtract an unwanted service from the default group.
RTA(config-if)#ip helper-address 192.168.1.254
RTA(config-if)#exit
RTA(config)#ip forward-protocol udp 517
RTA(config)#no ip forward-protocol udp 37
RTA(config)#no ip forward-protocol udp 49
DHCP Message Types
DHCPDISCOVER A client sends in an attempt to locate a DHCP server. Sent to 255.255.255.255 (broadcast) of using UDP port 67.Configure a router to act as a DHCP relay agent, realize that it relays a few other broadcast types in addition to a DHCP message:
DHCPOFFER A DHCP server sends in response to a DHCPDISCOVER message using UDP port 68.
DHCPREQUEST Request for IP configuration parameters sent from a client to a specific DHCP server.
DHCPDECLINE Sent from a client to a DHCP server to inform the server that an IP address is already in use on the network.
DHCPACK A DHCP server sends to a client and includes IP configuration parameters.
DHCPNAK A DHCP server sends this message to a client and informs the client that the DHCP server declines to provide the client with the requested IP configuration information
DHCPRELEAE A client sends this message to a DHCP server and informs the DHCP server that the client has released its DHCP lease, thus allowing the DHCP server to reassign the client IP address to another client.
DHCPINFORM Sent from a client to a DHCP server and requests IP configuration parameters. Such a message might be sent from an access server requesting IP configuration information for a remote client at taching to the access server.
■ TFTP
■ Domain Name System (DNS)
■ Internet Time Service (ITS)
■ NetBIOS name server
■ NetBIOS datagram server
■ BootP
■ TACACS
DHCP Client Configuration
R1(config)#int fa 0/0DHCP Server Configuration
R1(config-if)#ip address dhcp
ip dhcp excluded-address 10.8.8.1 <--- prevents DHCP from assigning the 10.8.8.1 IP address to a clientPotential DHCP Troubleshooting Issues
!
ip dhcp pool POOL-A
network 10.8.8.0 255.255.255.0
default-router 10.8.8.1
dns-server 192.168.1.1
netbios-name-server 192.168.1.2
...OUTPUT OMITTED...
A router not forwarding broadcasts
- By default, a router does not forward broadcasts, including DHCPDISCOVER broadcast messages.
- Therefore, a router needs to be explicitly configured to act as a DHCP relay agent (ip helper) if the DHCP client and DHCP server are on different subnets.
DHCP pool out of IP addresses
- A DHCP pool contains a finite number of addresses. Once a DCHP pool becomes depleted, new DHCP requests are rejected.
Misconfiguration
- The configuration of a DHCP server might be incorrect.
Duplicate IP addresses
- A DHCP server might hand out an IP address to a client that is already statically assigned to another host on the network.
- These duplicate IP addresses can cause connectivity issues for both the DHCP client and the host that had been statically configured for the IP address.
Redundant services not communicating
- Some DHCP servers can coexist with other DHCP servers for redundancy.
- For this redundancy to function, these DHCP servers need to communicate with one another. If this interserver communication fails, the DHCP servers can hand out overlapping IP addresses to their clients.
The “pull” nature of DHCP
- When a DHCP client wants an IP address, it can request an IP address from a DHCP server.
- DHCP server has no ability to initiate a change in the client IP address after the client obtains an IP address.
- DHCP client pulls information from the DHCP server, but the DHCP server cannot push information to the DHCP client.
DHCP Troubleshooting Syntax
show ip dhcp conflict
! Identifies any IP address conflicts a router identifies, along with the method the router used to identify the conflicts (this is, via ping or gratuitous ARP)
show ip dhcp binding
! Displays IP addresses that an IOS DHCP server assigns, their corresponding MAC addresses, and lease expirations
clear ip dhcp binding * <---Releases all current DHCP leases
clear ip dhcp conflict * <---Clears all currently identified DHCP conflicts
debug ip dhcp server events <---Provides real-time information about DHCP address assignments and database updates
debug ip dhcp server packet <---Displays real-time decodes of DHCP packets
ip helper-address <IP>
! Causes an interface to forward specific received UDP broadcasts to the destination IP address, which can be either a specific IP address or a directed broadcast address
ip dhcp excluded-address <beginning-IP> [ending-IP]
! Specifies a range of IP addresses not to be assigned to DHCP clients
ip dhcp pool <NAME> <-Creates a DHCP pool
network <network-address> <subnet-mask> <-Identifies a subnet to be used by a DHCP pool
default-router <IP> <-Specifies the IP of a default gateway to be given to a DHCP client
dns-server <IP> <-Configures the IP of a DNS server to be given to a DHCP client
netbios-name-server <IP> <-Defines the IP address of a WINS server to be given to a DHCP client
lease {days hours minutes| infinite} <-Determines the duration of a DHCP lease given to a DHCP client
IPv6 DHCP relay agent
Serves the purpose relaying the messages coming from the clients and server.
The DHCPv6 Relay Agent uses Relay forward/Reply messages to relay the messages between Servers and clients.