Thanks, Symon. Would anybody answer my question titled 'NAT definition'? (I sent it to this ML on 25 Feb.)

Regards.

On Sat, 1 Mar 2003 08:44:08 -0000 "Symon Thurlow" wrote:

> I had a look at the link, and this is the flow for inside-outside:
>
> If IPSec then check input access list
> decryption - for CET (Cisco Encryption Technology) or IPSec
> check input access list
> check input rate limits
> input accounting
> policy routing
> routing
> redirect to web cache
> NAT inside to outside (local to global translation)
> crypto (check map and mark for encryption)
> check output access list
> inspect (Context-based Access Control (CBAC))
> TCP intercept
> encryption
>
> It makes sense to me to route first and NAT later, because until the
> router has performed the routing function, it can't know what interface
> to send the packet out. Once it knows the interface to send the packet
> out, it will know if NAT is required or not, and no further routing
> decisions are required.
>
> For outside-inside, this is the flow:
>
> If IPSec then check input access list
> decryption - for CET or IPSec
> check input access list
> check input rate limits
> input accounting
> NAT outside to inside (global to local translation)
> policy routing
> routing
> redirect to web cache
> crypto (check map and mark for encryption)
> check output access list
> inspect CBAC
> TCP intercept
> encryption
>
> The router must perform NAT first, so that it will know the real
> destination address, and then it can make a routing decision based on
> the real destination address.
>
> So a very simplified (some detail left out) example would be a simple
> NAT to the internet for internal traffic such as this:
>
> Internal_PC(192.168.1.100)----------(192.168.1.1 int e0)Router(int e1 217.217.217.217)----------Internet
>
> Let's say that the router is performing NAT on all outbound traffic so
> that it appears to come from IP address 217.217.217.217. Let's pretend
> the PC is sending an HTTP request to a website (and that it has already
> performed a DNS lookup etc).
>
> 1. The PC will send an HTTP request for the website address (1.2.3.4).
> 2. The HTTP packet will be received by the router on INT e0.
> 3. The router will look at the destination address of the packet, realise
>    that it is not on the local subnet, so it will look in its routing
>    tables for where to send the packet.
> 4. In our example the router will only have one route, which is a default
>    to the Internet.
> 5. The router will therefore send the packet out its INT e1 interface,
>    but it will change the source address to be 217.217.217.217.
>
> This is the route first then NAT behaviour in your original question.
>
> Let's say that things are good today so the HTTP request made it to the
> web server, and the reply is coming back.
>
> 1. The router will receive the packet on its external interface (INT e1)
>    with a destination address of 217.217.217.217.
> 2. The router will realise that this is return traffic for the request
>    that went out, so it will NAT the packet back, changing the destination
>    address back to 192.168.1.100, then look in its routing tables to see
>    where to send the packet.
> 3. It will realise that 192.168.1.100 is directly connected, so it will
>    transmit the packet out its INT e0 interface.
>
> I know I have simplified the process a lot and left some detail out, but
> that should explain why the flows are different depending on which way
> the traffic is going.
>
> Cheers,
>
> Symon
>
> -----Original Message-----
> From: Masaru Umetsu [mailto:[EMAIL PROTECTED]
> Sent: 28 February 2003 01:16
> To: [EMAIL PROTECTED]
> Subject: NAT order of operation [7:64037]
>
> Regarding NAT order of operation, I looked at the URL below.
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
>
> routing
> ↓
> NAT inside to outside (local to global)
>
> NAT outside to inside (global to local)
> ↓
> routing
>
> I don't understand the flow of the above.
> Please teach me the meaning of the above simply by using an example.
>
> :-)

--
Masaru Umetsu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64145&t=64037
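The two orders of operation Symon walks through above, as an added example that is not part of the original thread or of any Cisco code. It is a toy model in Python: a router with two interfaces, a routing table and a PAT translation table, using the addresses from the example (192.168.1.100, 192.168.1.1 on e0, 217.217.217.217 on e1, web server 1.2.3.4). The outbound path routes first and translates only once the egress interface is known; the inbound path undoes the translation first and then routes on the real destination. A third method shows what happens if the inbound reply were routed before translation: the destination is the router's own outside address, so the packet is consumed locally and never reaches the PC. The interface roles, port allocation and helper names are this example's own assumptions, not IOS behaviour.

```python
"""Toy model of 'route, then NAT' (inside->outside) and 'NAT, then route'
(outside->inside). Illustration only; the addresses come from the thread."""
import ipaddress
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str

@dataclass
class Router:
    # interface name -> (router's own address on it, "inside" | "outside")
    ifaces: dict
    routes: list
    nat_global: str                                   # address inside hosts are translated to (PAT)
    translations: dict = field(default_factory=dict)  # global port -> (local address, local port)

    def is_own_address(self, addr):
        return any(own == addr for own, _ in self.ifaces.values())

    def lookup_route(self, dst):
        """Longest-prefix match over the routing table; None means no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def inside_to_outside(self, pkt, in_iface):
        """Route FIRST: only once the egress interface is known can the router
        tell that this is an inside->outside flow that needs translating."""
        route = self.lookup_route(pkt.dst)
        if route is None:
            return "drop", pkt
        if self.ifaces[in_iface][1] == "inside" and self.ifaces[route.out_iface][1] == "outside":
            gport = self._global_port(pkt.src, pkt.sport)
            pkt = replace(pkt, src=self.nat_global, sport=gport)   # local -> global
        return route.out_iface, pkt

    def _global_port(self, local_ip, local_port):
        # Keep the local port if it is free (or already ours); otherwise take the next free one.
        gport = local_port
        while self.translations.get(gport, (local_ip, local_port)) != (local_ip, local_port):
            gport += 1
        self.translations[gport] = (local_ip, local_port)
        return gport

    def outside_to_inside(self, pkt, in_iface):
        """NAT FIRST: the routing decision must be made on the real (local)
        destination, which only exists after the translation is undone."""
        if self.ifaces[in_iface][1] == "outside" and pkt.dst == self.nat_global:
            entry = self.translations.get(pkt.dport)
            if entry is not None:
                pkt = replace(pkt, dst=entry[0], dport=entry[1])  # global -> local
        if self.is_own_address(pkt.dst):
            return "local", pkt           # genuinely addressed to the router itself
        route = self.lookup_route(pkt.dst)
        if route is None:
            return "drop", pkt
        return route.out_iface, pkt

    def outside_to_inside_wrong_order(self, pkt, in_iface):
        """Hypothetical: route BEFORE translating. The reply's destination is the
        router's own outside address, so it is consumed locally, not forwarded."""
        if self.is_own_address(pkt.dst):
            return "local", pkt
        route = self.lookup_route(pkt.dst)
        return ("drop" if route is None else route.out_iface), pkt

def build_router():
    return Router(
        ifaces={"e0": ("192.168.1.1", "inside"), "e1": ("217.217.217.217", "outside")},
        routes=[
            Route(ipaddress.ip_network("192.168.1.0/24"), "e0"),    # connected
            Route(ipaddress.ip_network("217.217.217.0/24"), "e1"),  # connected
            Route(ipaddress.ip_network("0.0.0.0/0"), "e1"),         # default to the Internet
        ],
        nat_global="217.217.217.217",
    )

def demo():
    """Walk the HTTP request out and its reply back; constructed packets, no network."""
    r = build_router()
    request = Packet("192.168.1.100", "1.2.3.4", 40000, 80)
    out_iface, on_wire = r.inside_to_outside(request, "e0")
    # The web server answers whatever source it saw: the global address and port.
    reply = Packet("1.2.3.4", on_wire.src, 80, on_wire.sport)
    in_iface, delivered = r.outside_to_inside(reply, "e1")
    wrong_iface, _ = r.outside_to_inside_wrong_order(reply, "e1")
    return out_iface, on_wire, in_iface, delivered, wrong_iface
```

Running `demo()` sends the request out e1 with source 217.217.217.217, and delivers the reply out e0 to 192.168.1.100 after the translation table has restored the real destination; the route-first variant returns "local", which is why the inbound flow in the Cisco document translates before routing.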

