I had a look at the link, and this is the flow for inside-to-outside:

- If IPSec then check input access list
- decryption - for CET (Cisco Encryption Technology) or IPSec
- check input access list
- check input rate limits
- input accounting
- policy routing
- routing
- redirect to web cache
- NAT inside to outside (local to global translation)
- crypto (check map and mark for encryption)
- check output access list
- inspect (Context-based Access Control (CBAC))
- TCP intercept
- encryption

It makes sense to me to route first and NAT later, because until the router has performed the routing function, it can't know what interface to send the packet out. Once it knows the interface to send the packet out, it will know if NAT is required or not, and no further routing decisions are required.

For outside-to-inside, this is the flow:

- If IPSec then check input access list
- decryption - for CET or IPSec
- check input access list
- check input rate limits
- input accounting
- NAT outside to inside (global to local translation)
- policy routing
- routing
- redirect to web cache
- crypto (check map and mark for encryption)
- check output access list
- inspect CBAC
- TCP intercept
- encryption

The router must perform NAT first, so that it will know the real destination address, and then it can make a routing decision based on the real destination address.

So a very simplified (some detail left out) example would be a simple NAT to the internet for internal traffic such as this:

Internal_PC(192.168.1.100)----------(192.168.1.1 int e0)Router(int e1 217.217.217.217)----------Internet

Let's say that the router is performing NAT on all outbound traffic so that it appears to come from IP address 217.217.217.217. Let's pretend the PC is sending an HTTP request to a website (and that it has already performed a DNS lookup etc).

1. The PC will send an HTTP request for the website address (1.2.3.4).
2. The HTTP packet will be received by the router on INT e0.
3. The router will look at the destination address of the packet, realise that it is not on the local subnet, so it will look in its routing tables for where to send the packet.
4. In our example the router will only have one route, which is a default to the Internet.
5. The router will therefore send the packet out its INT e1 interface, but it will change the source address to be 217.217.217.217. This is the route first then NAT behaviour in your original question.

Let's say that things are good today so the HTTP request made it to the web server, and the reply is coming back.

1. The router will receive the packet on its external interface (INT e1) with a destination address of 217.217.217.217.
2. The router will realise that this is return traffic for the request that came out, so will NAT the packet back, changing the destination address back to 182.168.1.100, then look in its routing tables to see where to send the packet.
3. It will realise that 192.168.1.100 is directly connected, so it will transmit the packet out its INT e0 interface.

I know I have simplified the process a lot and left some detail out, but that should explain why the flows are different depending on which way the traffic is going.

Cheers,
Symon

-----Original Message-----
From: Masaru Umetsu [mailto:[EMAIL PROTECTED]
Sent: 28 February 2003 01:16
To: [EMAIL PROTECTED]
Subject: NAT order of operation [7:64037]

Regarding NAT order of operation, I looked at the URL below.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

routing
↓
NAT inside to outside (local to global)

NAT outside to inside (global to local)
↓
routing

I don't understand the flow of above. Please teach me the meaning of above easily by using example. :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64142&t=64037
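A small Python model of the two orders of operation discussed in this thread, added here as an illustration; it is not code from Symon's reply or from Cisco's documentation. The addresses and interface names follow the thread's example. The routing table (a connected route on e0, an assumed connected route on e1 and one default route), the port-overload translation table and the behaviour of dropping an unsolicited packet with no translation entry are assumptions made for the model.

```python
"""Toy model of a Cisco-style NAT router: route-then-NAT for inside-to-outside,
NAT-then-route for outside-to-inside. Added example; routing entries and the
port-based translation table are assumptions, addresses follow the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# Routing table: (prefix, egress interface). The connected route on e1 is an
# assumption; the single default route matches step 4 of the thread's example.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "e0"),
    (ipaddress.ip_network("217.217.217.0/24"), "e1"),
    (ipaddress.ip_network("0.0.0.0/0"), "e1"),
]


def lookup_route(dst):
    """Longest-prefix match; returns the egress interface for an address."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


class NatRouter:
    INSIDE, OUTSIDE = "e0", "e1"
    GLOBAL_IP = "217.217.217.217"

    def __init__(self):
        self.table = {}      # (local_ip, local_port) -> global_port
        self.reverse = {}    # global_port -> (local_ip, local_port)
        self.next_port = 1024  # assumed starting port for overload translation

    def _translate_source(self, pkt):
        """Local-to-global: rewrite source to the global IP and an allocated port."""
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.GLOBAL_IP, pkt.dst, self.table[key], pkt.dport)

    def _translate_destination(self, pkt):
        """Global-to-local: restore the real inside host from the port mapping."""
        local = self.reverse.get(pkt.dport)
        if local is None:
            return None  # nothing inside asked for this: no translation, drop
        return Packet(pkt.src, local[0], pkt.sport, local[1])

    def forward(self, pkt, ingress):
        """Return (egress interface, packet as it leaves) or (None, None) if dropped."""
        if ingress == self.INSIDE:
            egress = lookup_route(pkt.dst)          # 1. route on the real destination
            if egress == self.OUTSIDE:
                pkt = self._translate_source(pkt)   # 2. NAT only if leaving via e1
            return egress, pkt
        pkt = self._translate_destination(pkt)      # 1. NAT back to the inside host
        if pkt is None:
            return None, None
        return lookup_route(pkt.dst), pkt           # 2. route on the real destination


def egress_if_routed_before_nat(global_dst=NatRouter.GLOBAL_IP):
    """What routing the untranslated return packet would choose: e1, the
    interface it arrived on, which is why NAT must happen first."""
    return lookup_route(global_dst)


if __name__ == "__main__":
    r = NatRouter()
    request = Packet("192.168.1.100", "1.2.3.4", 40000, 80)
    print("outbound:", r.forward(request, "e0"))
    reply = Packet("1.2.3.4", "217.217.217.217", 80, 1024)
    print("return:", r.forward(reply, "e1"))
    print("return routed before NAT would leave via:", egress_if_routed_before_nat())
```

Running it reproduces the thread's two walks: the request is routed to e1 and only then rewritten to come from 217.217.217.217, while the reply is translated back to 192.168.1.100 before the routing lookup picks e0. `egress_if_routed_before_nat` shows the failure the order prevents: a lookup on the untranslated global address matches the e1 side, so the reply would never reach the inside host.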

