[c-nsp] Still confused by Cisco's NAT syntax

Ang Kah Yik me at bangky.net
Tue Jun 19 20:45:03 EDT 2007


Hi, NAT can be quite confusing.
This is my view of it, but please feel free to correct me if I'm wrong.

 > 1.	If packet arrives on an interface marked as "inside"
 > 2.	AND route for packet destination address is known via an interface
 > marked as "outside"
 > 3.	THEN translate source address

-------------------------------------------------------------------------

Seems correct, but I believe that for step 2, the packet is simply 
routed to the appropriate egress interface first, then goes on to step 3 
where source address is translated.

So in some sense, the router won't need to know whether the destination 
address is "outside" at this point in time (step 2).


-------------------------------------------------------------------------

 > since the router does not know the outgoing
 > interface yet at the time it has to perform NAT, it does not know if the
 > outgoing interface is going to be "inside" or "outside". So how does it know
 > it is supposed to NAT? Or maybe outside-to-inside NAT is applied to ANY
 > packet that enters the router on an "outside" interface, whatever its
 > destination?... So in this case, NAT is triggered based on "arriving on
 > outside" only?

-------------------------------------------------------------------------

IIRC, if NAT is configured on an interface, then when a packet enters on
an "outside" interface, NAT will be triggered when packets arrive from
the outside to this interface.

1) Packet comes in, router looks up the NAT translation table and modifies
the IP Dest Field to the inside local address to which a mapping can be
found in the translation table.

2) Packet is then routed to the appropriate egress interface by the usual
routing process.

-------------------------------------------------------------------------

Hope this helps. Cheers

--
bangky


Vincent De Keyzer wrote:

> Hello list,
> 
>  
> 
> after all these years, I am still not quite sure I understand Cisco's NAT
> syntax.
> 
>  
> 
> I have read the famous "NAT Order of Operation" (CCO doc ID: 6209), and
> "Configuring Network Address Translation: Getting Started" (CCO doc ID:
> 13772) documents, and I have two questions.
> 
>  
> 
> Let's first look at "inside-to-outside" translation. My understanding is the
> following:
> 
> 1.	If packet arrives on an interface marked as "inside"
> 2.	AND route for packet destination address is known via an interface
> marked as "outside"
> 3.	THEN translate source address
> 
>  
> 
> So in this case, NAT is triggered by a combination of "arriving on inside"
> and "departing on outside".
> 
>  
> 
> My first question is: is my understanding of "inside-to-outside NAT"
> correct?
> 
>  
> 
> Then comes "outside-to-inside" translation. Things get trickier.
> 
>  
> 
> Cisco says that first comes NAT, then comes routing. This is confusing (and
> this is my second question): since the router does not know the outgoing
> interface yet at the time it has to perform NAT, it does not know if the
> outgoing interface is going to be "inside" or "outside". So how does it know
> it is supposed to NAT? Or maybe outside-to-inside NAT is applied to ANY
> packet that enters the router on an "outside" interface, whatever its
> destination?... So in this case, NAT is triggered based on "arriving on
> outside" only?
> 
>  
> 
> Vincent
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
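
Added example (not part of the original thread and not Cisco's implementation): a simplified Python model of the order of operations discussed above, covering static one-to-one NAT only. The interface names, routes and addresses are constructed lab values.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed lab values (RFC 1918 / RFC 5737 documentation ranges).
NAT_ROLE = {"Gi0/0": "inside", "Gi0/1": "outside", "Gi0/2": None}
ROUTES = [("10.1.1.0/24", "Gi0/0"), ("192.0.2.0/24", "Gi0/2"), ("0.0.0.0/0", "Gi0/1")]
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}      # inside local -> inside global
REVERSE_NAT = {g: l for l, g in STATIC_NAT.items()}

def route(dst):
    """Longest-prefix match; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), i) for p, i in ROUTES]
    hits = [(n, i) for n, i in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def forward(pkt, ingress):
    """Return (egress, packet_as_sent, steps) for one packet."""
    steps = []
    if NAT_ROLE[ingress] == "outside":
        # Outside-to-inside: the table lookup on the destination happens
        # BEFORE routing, for every packet arriving on an outside interface.
        # Only a destination with a mapping is rewritten.
        steps.append("nat-lookup")
        if pkt.dst in REVERSE_NAT:
            pkt = replace(pkt, dst=REVERSE_NAT[pkt.dst])
            steps.append("translate-dst")
    # Routing uses the (possibly rewritten) destination. Routed first, the
    # inside global address would have matched the default route instead.
    egress = route(pkt.dst)
    steps.append("route")
    if NAT_ROLE[ingress] == "inside" and NAT_ROLE[egress] == "outside":
        # Inside-to-outside: routing has already chosen the egress interface,
        # so the inside/outside pairing is known when the source is rewritten.
        if pkt.src in STATIC_NAT:
            pkt = replace(pkt, src=STATIC_NAT[pkt.src])
            steps.append("translate-src")
    return egress, pkt, steps
```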

