Genie's Tech Blog

Where knowledge has no dimensions

Reversible NAT

Hello Friends,

Today I am going to discuss reversible NAT.

Reversible NAT can be used in two situations:

1) In dynamic NAT, when the route-map option and a NAT pool are used

R3(config)#ip nat inside source route-map MAP pool POOL ?
mapping-id Associate a mapping id to this mapping
overload Overload an address translation
reversible Allow out->in traffic
vrf Specify vrf
When used in dynamic NAT, the reversible option only takes effect after some traffic has been generated from inside. The traffic generated from inside creates a one-to-one NAT entry along with the fully extended translation.
 
R3#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 150.1.3.3:2        150.1.1.1:2        150.1.2.2:2        150.1.2.2:2
---  150.1.3.3          150.1.1.1          ---                ---

The second entry (the one with no protocol or ports) is the one-to-one mapping that gets created for the reverse traffic. Once it exists, it can be used for outside->inside traffic. Only traffic matching the route-map is allowed to create a NAT entry, and the route-map check happens in both directions. As you would already know, the ACL is evaluated in reverse when checking traffic from outside->inside.
 
Sample Config -
ip nat pool POOL 150.1.3.3 150.1.3.3 prefix-length 24
ip nat inside source route-map NAT pool POOL
route-map NAT permit 10
match ip address 111
access-list 111 permit ip any host 150.1.2.2
access-list 111 permit ip any host 155.1.23.2
 
2) In a one-to-one static NAT with a route-map
 
R3(config)#ip nat inside source static 1.1.1.1 2.2.2.2 route-map MAP ?
extendable Extend this translation when used
mapping-id Associate a mapping id to this mapping
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
reversible check route-map for out->in traffic
<cr>
When used with static NAT, the effect of the reversible keyword is to check the route-map in the outside->inside direction too.
Here is an example that shows the behavior of NAT reversible.
 
SETUP
=====
                         
R1 se1/1 --- se1/2 R3 se1/3 -- se1/1 R2
 
R3 se1/2 - inside interface
R3 se1/3 - outside interface
 
Configs

R1 -
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Serial1/1
ip address 155.1.13.1 255.255.255.0

R3 -
interface Loopback0
ip address 150.1.3.3 255.255.255.0
interface Serial1/2
ip address 155.1.13.3 255.255.255.0
ip nat inside
interface Serial1/3
ip address 155.1.23.3 255.255.255.0
ip nat outside
ip nat inside source static 150.1.1.1 150.1.3.3 route-map NAT reversible
route-map NAT permit 10
match ip address 111
access-list 111 permit ip any host 150.1.2.2
access-list 111 permit ip any host 155.1.23.2

R2 -
interface Loopback0
ip address 150.1.2.2 255.255.255.0
interface Ethernet0/0
ip address 192.10.1.2 255.255.255.0
interface Serial1/0
ip address 155.1.0.2 255.255.255.0
interface Serial1/1
ip address 155.1.23.2 255.255.255.0

R2 is trying to telnet to R3's IP 150.1.3.3, which should get translated to 150.1.1.1 and should connect to R1. This should happen only for certain traffic, as matched by the route-map. Remember that R2's Loopback 0 and Serial 1/1 addresses are the only IPs allowed to use the NAT entry (as per ACL 111).
 
Tests
====
 
Here are the outputs from R2

Test 1 -
Telnet using a source IP that is allowed in the ACL for NAT
R2#telnet 150.1.3.3 /source-interface loopback 0
Trying 150.1.3.3 ... Open

User Access Verification
Username: cisco
Password:
R1#
R1#exi
[Connection to 150.1.3.3 closed by foreign host]

NAT occurs successfully and we connect to R1 (150.1.1.1).

Test 2 -

Telnet using a source IP that is not part of the ACL for NAT
R2#telnet 150.1.3.3 /source-interface et
R2#telnet 150.1.3.3 /source-interface ethernet 0/0
Trying 150.1.3.3 ... Open

User Access Verification
Password:
Password:
R3>

NAT does not occur and the telnet packet is processed by R3 itself.
Without the reversible keyword, there is no way to control which traffic may use this static NAT entry in the outside->inside direction.
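To make the two-direction check concrete, here is a small model of the decision logic the tests above exercise. It is an added example written for this post, not Cisco IOS code; the static mapping and ACL 111 values are taken from the lab config, and the "reversed ACL" check is modelled by swapping the packet's source and destination before matching.

```python
# Constructed model of route-map-gated static NAT (not IOS code).
# Mapping and ACL values come from the lab config in this post.
import ipaddress

# access-list 111 as (source block, destination block) pairs
ACL_111 = [
    ("0.0.0.0/0", "150.1.2.2/32"),   # permit ip any host 150.1.2.2
    ("0.0.0.0/0", "155.1.23.2/32"),  # permit ip any host 155.1.23.2
]

# ip nat inside source static 150.1.1.1 150.1.3.3
INSIDE_LOCAL, INSIDE_GLOBAL = "150.1.1.1", "150.1.3.3"


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return True
    return False


def nat_inside_to_outside(src, dst):
    """Inside->outside: translate the source only if the route-map permits.
    Returns the (possibly translated) source address."""
    if src == INSIDE_LOCAL and acl_permits(ACL_111, src, dst):
        return INSIDE_GLOBAL
    return src  # no translation


def nat_outside_to_inside(src, dst, reversible):
    """Outside->inside: without 'reversible' the static entry applies to any
    packet sent to the global address; with it, the ACL is checked with
    source and destination swapped. Returns the resulting destination."""
    if dst != INSIDE_GLOBAL:
        return dst
    if reversible and not acl_permits(ACL_111, dst, src):
        return dst  # untranslated: R3 processes the packet itself (Test 2)
    return INSIDE_LOCAL  # translated: the packet reaches R1 (Test 1)


if __name__ == "__main__":
    # R2's Loopback0 is permitted, Ethernet0/0 is not
    print(nat_outside_to_inside("150.1.2.2", "150.1.3.3", True))
    print(nat_outside_to_inside("192.10.1.2", "150.1.3.3", True))
    print(nat_outside_to_inside("192.10.1.2", "150.1.3.3", False))
```

The third call shows the point of the keyword: without it, the same packet from the unlisted source would still be translated to R1.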
 
Hope this explains how Reversible NAT works.
 
Cheers...!!!