Rules – how to apply NAT
- NAT policy should be apply to incoming traffic
- IP outgoing interface cannot be used in the NAT pool
- NAT pool must be on separate subnet (not part of interface subnet)
- In dynamic nat, NAT type of route is automatically created (no need extra route configuration)
- In static nat, extra route must by added (ip route 6.6.6.0/24 1.1.2.2) to point nat interface for coming back packet
- If we do “clear ip route * ” dynamic nat is stop working and nat policy must be recreated on interface level (SEOS 6.2)
- On “multibind” interface, combination with static and dynamic nat is not working (only dynamic is operational), pool should be configured as multibind
ip nat pool my-pool napt multibind”
- NAT policy could be applied on the subscriber level
subscriber default
ip address pool
nat policy my-nat
Dynamic NAT:
The ping from “LAN” context with any source address will be NAT-ed in “local” context in LAN interface. Example source address 1.1.2.2 will be replace to POOL-1 address 2.2.2.0/24 (dynamic mapping) and routed to context WAN.
Static NAT:
The ping from “LAN” context will be NAT-ed in “local” context in LAN interface. Source address 5.5.5.5 will be replace to 6.6.6.6 (static mapping) address and routed to context WAN.
Configuration
!
context local
!
ip nat pool POOL-1 napt
address 2.2.2.0/24
!
nat policy POL-NAT
! Default class
pool POOL-1 local
! Static rules
ip static in source 5.5.5.5 6.6.6.6
!
interface LAN
ip address 1.1.2.1/24
ip nat POL-NAT acl-counters
!
interface WAN
ip address 192.168.1.1/24
!
ip route 0.0.0.0/0 192.168.1.2
ip route 5.5.5.0/24 1.1.2.2
ip route 6.6.6.0/24 1.1.2.2
ip route 159.107.0.0/16 159.107.90.1
!
context WAN
!
interface to-local
ip address 192.168.1.2/24
no logging console
!
ip route 1.1.2.0/24 192.168.1.1
ip route 1.1.3.0/24 192.168.1.1
ip route 2.2.2.0/24 192.168.1.1
ip route 6.6.6.0/24 192.168.1.1
!
context LAN
!
interface Static loopback
ip address 5.5.5.5/24
!
interface to-local
ip address 1.1.2.2/24
no logging console
!
ip route 0.0.0.0/0 1.1.2.1
!
! ** End Context **
!
card carrier 2
mic 1 fe-12-port
!
port ethernet 2/1
no shutdown
medium-type copper
bind interface to-local LAN
!
port ethernet 2/2
no shutdown
medium-type copper
bind interface LAN local
!
port ethernet 2/3
no shutdown
bind interface WAN local
!
port ethernet 2/4
no shutdown
bind interface to-local WAN
!
end
Checking nat translation
[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
[local]Redback# show nat policy POL-NAT detail
Policy name : POL-NAT
Policy grid : 0x1
Number of rules : 1
Slot mask : 0xc
Number of binds : 1
Circuit : 2/2
Reference counters (in circuits * classes):
Slot 2
1
Static NAT Rules:
In/Out Protocol Src-Addr Port NAT-Src-Addr Port NAT-Ctx-Id
in ip 5.5.5.5 0 6.6.6.6 0 0x40080001
Class-Name Action/ Pool-Grid/ Dest-IP-Addr/ Timeout(sec) Admit-Ctrl
P2MP Context-Id Context-Id
default na[p]t 0x1 tcp 86400
Off 0x40080001 udp 120
finrst 240
icmp 60
syn 128
basic 3600
Note: This is not official command and should be use with extra attention.
The syntax could be changed in new release:
Checking dynamic translations
[local]Redback# show card 2 nat ?
circuit Display circuit nat information
counters Display NAT counters (without drop counters)
drop-counters Display NAT drop counters
log NAT Message Log
policy Display policy information
pool Display pool information
translation Display translation information
[local]Redback# show context
Context Name Context ID VPN-RD Description
------------------------------------------------------------------------------
local 0x40080001
[local]Redback# show card 2 nat translation context 0x40080001 source any
Slot 2 Ingress:
Type IP From IP To Ports Flag Pointer Ctx Flag
Flag: D-Dynamic, R-remote, Z-dmz, A-admission, I-ignore translation,
d-dest NAT, U - p2mp UDP
NAPT 1.1.2.2 2.2.2.0 1990/0009 0x0014 0x50024440 1/1 D
NAPT 1.1.2.2 2.2.2.0 1991/0010 0x0014 0x500244a0 1/1 D
NAPT 1.1.2.2 2.2.2.0 1989/0008 0x0014 0x500243e0 1/1 D
Checking static translation
[local]Redback# show card 2 nat circuit 2/2:1023:63/1/1/7 detail
Circuit 2/2:1023:63/1/1/7 ingress
Feature block pointer: 0x4ea8b4e0
Policy: grid=1 version=1 pointer=0xf0536ae0
Number src rules: 1 ptr 0xf05877c0
Number dst rules: 0 ptr 0x0
Number napt rules: 0 ptr 0x0
Out nat ptr 0xd053c2c0 napt ptr 0xf053eac0
class 0 ptr 0x4eaab500
Rule table:
Type IP From IP To Ports Csum Idx Ctx Vrs
src nat 5.5.5.5 6.6.6.6 0000/0000 0xfdfd 65 1 1
Circuit 2/2:1023:63/1/1/7 egress
Feature block pointer: 0x4ae2c520
Policy: grid=1 version=1 pointer=0xd00eb240
Number src rules: 0 ptr 0x0
Number dst rules: 1 ptr 0xd09cf0e0
Number napt rules: 0 ptr 0x0
Rule table:
Type IP From IP To Ports Csum Idx Ctx Vrs
dst nat 6.6.6.6 5.5.5.5 0000/0000 0x0202 129 1 1
Checking translation by using “access-list”
!
ip access-list dyn
seq 10 permit ip 2.2.2.0 0.0.0.255 any
seq 15 permit ip host 6.6.6.6 any
seq 20 permit ip any any
!
!
interface to-local
ip address 192.168.1.2/24
ip access-group dyn in count log
no logging console
!
[WAN]Redback# clear access-group ip-filter interface to-local in all
[WAN]Redback# show access-group ip-filter interface to-local in counters
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules
Hit Count: 0 No Match (Default)
Hit Count: 0 seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count: 0 seq 15 permit ip host 6.6.6.6 any
Hit Count: 0 seq 20 permit ip any any
[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
[WAN]Redback# show access-group ip-filter interface to-local in counters
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules
Hit Count: 0 No Match (Default)
Hit Count: 5 seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count: 5 seq 15 permit ip host 6.6.6.6 any
Hit Count: 0 seq 20 permit ip any any