Example 4-10 Although Host C Sends Pings to 201.114.37.5, NAT Causes the Replies to Have a Source Address of 10.1.3.1

Example 4-10 Although Host C Sends Pings to 201.114.37.5, NAT Causes the Replies to Have a Source Address of 10.1.3.1

ICMP packet debugging is on

HostC#ping 201.114.37.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 201.114.37.5, timeout is 2 seconds:

!!!!!

HostC#

ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.2.2

ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.2.2

ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.2.2

ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.2.2

HostC#

If you're recreating these examples in a lab, Example 4-10 reveals a useful trick. Host C is actually a Cisco router with IP routing disabled (no ip routing) and an ip default-gateway command pointing to Veracruz's locally attached interface. As Example 4-10 demonstrates, this setup enables you to use the IOS's extensive debugging tools to observe network behavior from a host's perspective.

If the administrator of the inside network wants to prevent traffic from being sent to OG addresses, he must implement a filter, as shown in Example 4-11.

Example 4-11 Implementing a Filter to Prevent Traffic of the Inside Network from Being Sent to OG Addresses

ip address 10.1.1.1 255.255.255.0

ip access-group 101 in

ip nat inside

!

interface Serial1

encapsulation frame-relay

!

interface Serial1.705 point-to-point

ip nat outside

frame-relay interface-dlci 705

!

router ospf 100

default-information originate

!

ip nat inside source static 10.1.1.3 204.15.87.1

ip nat outside source static 201.114.37.5 10.1.3.1

!

ip route 0.0.0.0 0.0.0.0 199.100.35.253

access-list 101 permit ip any host 10.1.3.1

Notice that an incoming filter is used on interface E0. The filtering must take place before the address translation; an outgoing filter on S1.705 would have no way to differentiate the already translated destination address. Figure 4-17 shows the results of the filter; host A can still reach host D on its OL address, but packets to the OG address are blocked.

F
igure 4-17

The debug output in Example 4-10 and Example 4-6 emphasizes the fact that NAT does not, by itself, guarantee that private or illegal IP addresses do not leak into the public Internet. Wise administrators filter for the private Class A, B, and C addresses on interfaces connected to ISPs. Wise ISPs do the same on interfaces connected to their subscribers.

A difficulty with the various configurations shown in this case study so far is that very few "real-life" devices will use IP addresses to reach other devices. Names are almost always used. Therefore, DNS servers must have the correct IP addresses relevant to their side of the NAT. In Figure 4-18, DNS servers are placed on the inside and outside networks. DNS1 might have the following name-to-address mappings:

HostA.insidenet.com IN A 10.1.1.3

HostB.insidenet.com IN A 10.1.1.4

HostC.insidenet.com IN A 10.1.2.2

Here, all hosts have local addresses (local to the inside network). DNS2 might have the following name-to-address mapping:

HostD.outsidenet.com IN A 201.114.37.5

These entries all map to global addresses. DNS1 is authoritative for inside.net, and DNS2 is authoritative for outside.net. Example 4-12 shows the NAT configuration for Mazatlan.

Example 4-12 Mazatlan's NAT Configuration, Supporting DNS1 and DNS2 in Figure 4-18

ip nat inside source static 10.1.2.2 204.15.87.2

ip nat inside source static 10.1.1.4 204.15.87.3

ip nat inside source static 10.1.1.254 204.15.87.254

ip nat outside source static 201.114.37.5 10.1.3.1

ip nat outside source static 201.50.34.1 10.1.3.2

F
igure 4-18

In addition to the three inside hosts and one outside host, the configuration in Example 4-12 has entries for the two DNS servers. If host A wants to send a packet to host D, it sends a DNS query to DNS1 for the address of HostD.outsidenet.com. DNS1 then queries DNS2, which returns an address of 201.114.37.5. When this DNS message passes through the NAT, the address is translated to 10.1.3.1, and DNS1 passes this address on to host A. Host A then sends packets to this address, and the NAT translates the source and destination addresses of the packets.

If host D wants to speak to a host on the inside network, the opposite happens. Host D might query DNS2 for the address of HostC.insidenet.com, prompting DNS2 to query DNS1. DNS1 responds with an address of 10.1.2.2, which is translated to 204.15.87.2 by the NAT and passed to host D by DNS2. Again, when packets are exchanged between host D and host C, the NAT translates the source and destination addresses.