
NAT Based Upon Source Address

by Jeremy L. Gaddis on April 21, 2010

in Networking

The idea for today’s post came from a question that someone asked earlier today (paraphrasing): “how do I NAT some hosts to one IP address while NAT’ing others to a different IP address?”

Here’s the topology we’ll be working with:

R3 will serve as our Internet router, our connection to the Internet. R2 will serve as a random host outside of our local network. R1 will "masquerade" as different internal hosts on our network, using loopback interfaces to "simulate" separate hosts. The "NAT IPs" on R3 represent the IP addresses we'll be NAT'ing traffic to. Addressing, as used in the configs below: R1's serial 0/1 (10.13.13.1) connects to R3's serial 1/2 (10.13.13.3), and R3's ethernet 0/0 (10.23.23.3) shares the 10.23.23.0/24 segment with R2's fastethernet 0/0 (10.23.23.2).

Here’s our initial configs for R1 and R2:

R1:

interface loopback 101
 ip address 10.1.1.101 255.255.255.255
!
interface loopback 102
 ip address 10.1.1.102 255.255.255.255
!
interface serial 0/1
 ip address 10.13.13.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.13.13.3

R2:

interface fastethernet 0/0
 ip address 10.23.23.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.23.23.3

Not much to that, as you can see.  R1 has two loopback interfaces — they will simulate separate hosts on our internal network.  Both R1 and R2 have a static default route pointing towards R3 as well.

Our starting configuration for R3 looks like this:

interface serial 1/2
 clock rate 128000
 ip address 10.13.13.3 255.255.255.0
 no shutdown
!
interface ethernet 0/0
 ip address 10.23.23.3 255.255.255.0
 no shutdown
!
ip route 10.1.1.0 255.255.255.0 10.13.13.1

There we’re just configuring our interfaces as well as adding a static route to the 10.1.1.0/24 network (the loopbacks on R1).  We could have used a dynamic routing protocol instead, but this lets us simplify a bit.

At this point, we should have connectivity and be able to ping all the way across the network, e.g. from R1’s loopbacks to R2’s fastethernet0/0 interface:

R1# ping 10.23.23.2 source loopback 101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.101
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms

With basic connectivity established, we can move on to setting up NAT. In this example, we're going to translate the source address 10.1.1.101 to 10.23.23.101 and the source address 10.1.1.102 to 10.23.23.102. First, let's create two NAT pools, one for each of our "outside" IP addresses (each pool starts and ends on the same address, so it holds exactly one translation at a time):

R3(config)# ip nat pool NAT-101 10.23.23.101 10.23.23.101 prefix-length 24
R3(config)# ip nat pool NAT-102 10.23.23.102 10.23.23.102 prefix-length 24

Next, we'll create two access lists: one to match 10.1.1.101 and the other to match 10.1.1.102. A standard ACL entry with no wildcard mask gets 0.0.0.0, so each of these matches that single host and nothing else.

R3(config)# access-list 1 permit 10.1.1.101
R3(config)# access-list 2 permit 10.1.1.102

Now we have to tell R3 how we want to actually NAT traffic. This is where we’ll tie the ACLs and NAT pools together.

R3(config)# ip nat inside source list 1 pool NAT-101
R3(config)# ip nat inside source list 2 pool NAT-102

The last step is to tell R3 which interfaces are “inside” and “outside”, as far as NAT is concerned.

R3(config)# interface serial 1/2
R3(config-if)# ip nat inside
R3(config-if)# interface ethernet 0/0
R3(config-if)# ip nat outside
R3(config-if)# end
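Pulled together, here is the complete R3 NAT configuration from the steps above, with the show commands a practitioner would use to verify it. This is an added consolidation, not a separate config from the original post; the post does not include show output, so none is reproduced, only what each command is for.

```cisco
! R3: source-address-based NAT, consolidated from the steps above (added example)
!
! One pool per outside address. Start and end address are the same, so each
! pool can hold exactly one translation at a time. That is fine here because
! each ACL also matches exactly one inside host.
ip nat pool NAT-101 10.23.23.101 10.23.23.101 prefix-length 24
ip nat pool NAT-102 10.23.23.102 10.23.23.102 prefix-length 24
!
! Standard ACLs select the inside source. With no wildcard mask IOS assumes
! 0.0.0.0, i.e. a single host, so these are the same as "permit host ...".
access-list 1 permit 10.1.1.101
access-list 2 permit 10.1.1.102
!
! Tie each ACL to its pool. No "overload" keyword: one inside address maps to
! one outside address and source ports are left alone.
ip nat inside source list 1 pool NAT-101
ip nat inside source list 2 pool NAT-102
!
interface Serial1/2
 ip nat inside
!
interface Ethernet0/0
 ip nat outside
!
! Verification, from enable mode, after sending the test pings:
!   show ip nat translations   - one line per active entry; expect
!                                inside local 10.1.1.101 paired with inside
!                                global 10.23.23.101, and .102 with .102
!   show ip nat statistics     - inside/outside interface list, the dynamic
!                                mappings (ACL -> pool), and per-pool
!                                "total addresses / allocated / misses";
!                                a non-zero pool "misses" means a packet
!                                needed an address and none was free, which
!                                with a one-address pool happens as soon as a
!                                second host matches the same ACL
!   show ip alias              - addresses R3 answers ARP for on behalf of
!                                NAT; if R2 cannot reach 10.23.23.101 or .102,
!                                check here first
!   clear ip nat translation * - flush the table between tests so a stale
!                                entry does not hide a config change
```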

With everything set up, let's start "debug ip packet" on R2, so that we can see the packets coming in and going back out. That's fine on a lab router; on anything carrying real traffic, qualify it with an access list (e.g. "debug ip packet 100") so the debug output itself doesn't peg the CPU.

R2# debug ip packet
IP packet debugging is on

To test, let’s send a ping to R2’s fastethernet 0/0 interface, sourcing it from R1’s loopback 101 interface:

R1# ping 10.23.23.2 source 10.1.1.101 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.101
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms

What do we see on R2?

*Mar 23 08:15:12.331: IP: tableid=0, s=10.23.23.101 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), routed via RIB
*Mar 23 08:15:12.331: IP: s=10.23.23.101 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), len 100, rcvd 3
*Mar 23 08:15:12.331: IP: tableid=0, s=10.23.23.2 (local), d=10.23.23.101 (FastEthernet0/0), routed via FIB
*Mar 23 08:15:12.331: IP: s=10.23.23.2 (local), d=10.23.23.101 (FastEthernet0/0), len 100, sending

We can see that R2 received a packet on its fastethernet 0/0 interface with a source IP address of 10.23.23.101. The ping we sent had a source address of 10.1.1.101, but R3 correctly NAT'd it, based upon ACL 1 and the NAT-101 NAT pool, to 10.23.23.101. Let's ping R2 again, this time with a source address of 10.1.1.102 (the loopback 102 interface).

R1# ping 10.23.23.2 source 10.1.1.102 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.102
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms
*Mar 23 08:18:29.735: IP: tableid=0, s=10.23.23.102 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), routed via RIB
*Mar 23 08:18:29.735: IP: s=10.23.23.102 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), len 100, rcvd 3
*Mar 23 08:18:29.739: IP: tableid=0, s=10.23.23.2 (local), d=10.23.23.102 (FastEthernet0/0), routed via FIB
*Mar 23 08:18:29.739: IP: s=10.23.23.2 (local), d=10.23.23.102 (FastEthernet0/0), len 100, sending

We can see that this time, because of ACL 2 and the NAT-102 NAT pool, the packet was NAT’d to 10.23.23.102, just what we expected.

One last question: how will traffic originating from R1's serial 0/1 interface (10.13.13.1), or from any other inside address that isn't listed in ACL 1 or ACL 2, be NAT'd? The answer is: it won't. Since traffic with a source address of 10.13.13.1 does not match any of our access lists, that traffic will be routed normally, without any translation taking place.

R1# ping 10.23.23.2 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.23.23.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 20/20/20 ms
*Mar 23 08:20:55.739: IP: tableid=0, s=10.13.13.1 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), routed via RIB
*Mar 23 08:20:55.743: IP: s=10.13.13.1 (FastEthernet0/0), d=10.23.23.2 (FastEthernet0/0), len 100, rcvd 3
*Mar 23 08:20:55.743: IP: tableid=0, s=10.23.23.2 (local), d=10.13.13.1 (FastEthernet0/0), routed via FIB
*Mar 23 08:20:55.743: IP: s=10.23.23.2 (local), d=10.13.13.1 (FastEthernet0/0), len 100, sending

Notice the source IP address, 10.13.13.1? The traffic from R1's serial 0/1 interface has passed through R3 without being translated. That's the behaviour to keep in mind: NAT here is opt-in per source address, so any inside host you forget to list shows up on the outside with its real address rather than being hidden or dropped.
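If the requirement is that nothing inside leaves with its real address, a third, broader rule closes that gap. This is an added example and not part of the original post; ACL 3 and the overload rule are additions, the two host-specific rules from above stay exactly as they are.

```cisco
! Added example: translate every other inside source as well.
!
! ACL 3 first excludes the two hosts that already have dedicated outside
! addresses, so it does not matter in which order IOS evaluates the NAT rules,
! then matches the rest of the inside address space: the 10.1.1.0/24 loopback
! range and the 10.13.13.0/24 link, which is where the untranslated 10.13.13.1
! packets in the last debug output came from.
access-list 3 deny   10.1.1.101
access-list 3 deny   10.1.1.102
access-list 3 permit 10.1.1.0   0.0.0.255
access-list 3 permit 10.13.13.0 0.0.0.255
!
! "overload" turns on PAT: any number of inside hosts share one address and
! the source port is rewritten to keep their flows apart. The interface form
! uses Ethernet0/0's own address, 10.23.23.3, so no extra pool is needed.
ip nat inside source list 3 interface Ethernet0/0 overload
!
! Check: repeat "ping 10.23.23.2 repeat 1" on R1 without a source option.
! R2's debug should now show s=10.23.23.3 instead of s=10.13.13.1, and
! "show ip nat translations" on R3 should list a 10.13.13.1 -> 10.23.23.3
! entry with port numbers, which the one-to-one entries for .101/.102 lack.
```

If the policy is instead that unlisted hosts must not reach the outside at all, the drop version is an outbound access list on Ethernet0/0 that permits only 10.23.23.101 and 10.23.23.102; for inside-to-outside traffic IOS translates before applying the outbound ACL, so the ACL sees the translated addresses and the untranslated 10.13.13.1 packet is denied.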
