Network Address Translation by Jennifer Carroll, Jeff Doyle




Troubleshooting NAT


Cisco NAT enables you to do a lot, and the configurations are straightforward. If it does not work, you can spot a few common causes by asking the following questions:

  • Do the dynamic pools contain the correct range of addresses?

  • Is there any overlap between dynamic pools?

  • Is there any overlap between addresses used for static mapping and the addresses in the dynamic pools?

  • Do the access lists specify the correct addresses to be translated? Are any addresses left out? Are any addresses included that should not be included?

  • Are the correct inside and outside interfaces specified?

One of the most common problems with a new NAT configuration is not NAT itself, but routing. Remember that you are changing a source or destination address in a packet; after the translation, does the router know what to do with the new address?
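The checklist above can be run mechanically against a saved configuration. The following script is an added example written for this chapter's material, not code from the book or from Cisco IOS; it parses the single-line form of ip nat pool, the list and static forms of ip nat inside/outside source, and access-list numbers, then reports the overlaps and omissions the questions ask about (pool ranges, pool-to-pool overlap, static mappings colliding with a pool, undefined pools or access lists, and missing inside/outside interface designations). The configuration it checks is constructed for the example and deliberately contains several of those mistakes. The multi-line pool form with address lines and the routing question remain manual checks.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample configuration for this example (not from the page).
# It deliberately contains several of the mistakes the checklist asks about.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
!
ip nat pool POOL_A 192.0.2.16 192.0.2.31 netmask 255.255.255.224
ip nat pool POOL_B 192.0.2.24 192.0.2.40 netmask 255.255.255.192
ip nat inside source list 1 pool POOL_A
ip nat inside source list 2 pool POOL_C
ip nat inside source static 10.1.1.50 192.0.2.20
!
access-list 1 permit 10.1.1.0 0.0.0.255
"""

Pool = namedtuple("Pool", "name start end netmask")

# Only the single-line pool form and the list/static forms used in this chapter
# are recognised; the multi-line 'address start end' pool form is not parsed.
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
STATIC_RE = re.compile(r"^ip nat (inside|outside) source static (\S+) (\S+)")
DYNAMIC_RE = re.compile(r"^ip nat (inside|outside) source list (\S+) pool (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")


def parse_config(text):
    """Collect pools, static mappings, dynamic rules, access-list numbers and
    how many interfaces carry 'ip nat inside' / 'ip nat outside'."""
    pools, statics, dynamics, acls = {}, [], [], set()
    roles = {"inside": 0, "outside": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("ip nat inside", "ip nat outside"):
            roles[line.split()[-1]] += 1
            continue
        m = POOL_RE.match(line)
        if m:
            name, start, end, mask = m.groups()
            pools[name] = Pool(name, ipaddress.IPv4Address(start),
                               ipaddress.IPv4Address(end), mask)
            continue
        m = STATIC_RE.match(line)
        if m:
            direction, first, second = m.groups()
            # 'inside source static local global' and 'outside source static
            # global local': in both forms the second address is the one the
            # packet is translated to, so it is the one that can collide with a pool.
            statics.append((direction, ipaddress.IPv4Address(first),
                            ipaddress.IPv4Address(second)))
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            dynamics.append(m.groups())
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
    return pools, statics, dynamics, acls, roles


def pool_network(pool):
    """Subnet implied by the pool's start address and netmask."""
    return ipaddress.IPv4Network(f"{pool.start}/{pool.netmask}", strict=False)


def check_nat_config(text):
    """Return a list of findings, one string per problem found (empty if clean)."""
    pools, statics, dynamics, acls, roles = parse_config(text)
    findings = []
    plist = list(pools.values())
    # Question 1: does each pool hold a sane range?
    for p in plist:
        if p.start > p.end:
            findings.append(f"pool {p.name}: start address is above end address")
        elif p.end not in pool_network(p):
            findings.append(f"pool {p.name}: end address {p.end} lies outside the "
                            f"subnet implied by netmask {p.netmask}")
    # Question 2: do any two pools overlap?
    for i, a in enumerate(plist):
        for b in plist[i + 1:]:
            if a.start <= b.end and b.start <= a.end:
                findings.append(f"pools {a.name} and {b.name} overlap")
    # Question 3: does a static mapping use an address that a pool also hands out?
    for direction, first, second in statics:
        for p in plist:
            if p.start <= second <= p.end:
                findings.append(f"static {direction} mapping {first} -> {second} "
                                f"lands inside dynamic pool {p.name}")
    # Question 4 (partially): do the dynamic rules reference things that exist?
    for direction, acl, pool in dynamics:
        if pool not in pools:
            findings.append(f"ip nat {direction} source list {acl}: pool {pool} is not defined")
        if acl not in acls:
            findings.append(f"ip nat {direction} source list {acl}: access list {acl} is not defined")
    # Question 5: is at least one interface marked on each side?
    for role, count in roles.items():
        if count == 0:
            findings.append(f"no interface is configured with 'ip nat {role}'")
    return findings


if __name__ == "__main__":
    for finding in check_nat_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the script reports the overlapping pools, the static mapping that reuses a pool address, the missing pool and access list behind list 2, and the absence of any ip nat outside interface; whether access list 1 matches the right hosts is still a judgement call against the design.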

Another problem can be timeouts. If a translated address is cached in some system after the dynamic entry has timed out of the NAT table, packets can be sent to the wrong address, or the destination may seem to have disappeared. Besides the ip nat translation timeout command already discussed, you can change several other default timeouts. Table 4-3 lists all the keywords you can use with the ip nat translation command and the default values of the timeout periods. You can change all the defaults within a range of 0–2,147,483,647 seconds.

Table 4-3 Dynamic NAT Table Timeout Values

| ip nat translation keyword | Default Period (in Seconds) | Description |
|---|---|---|
| timeout | 86,400 (24 hours) | Timeout for all non-port-specific dynamic translations |
| dns-timeout | 60 | Timeout for DNS connections |
| finrst-timeout | 60 | Timeout after TCP FIN or RST flags are seen (closing a TCP session) |
| icmp-timeout | 60 | Timeout for ICMP translations |
| port-timeout tcp | 60 | Timeout for TCP port translations |
| port-timeout udp | 60 | Timeout for UDP port translations |
| syn-timeout | 60 | Timeout after TCP SYN flag is seen, and no further session packets |
| tcp-timeout | 86,400 (24 hours) | Timeout for TCP translations (non-port-specific) |
| udp-timeout | 300 (5 minutes) | Timeout for UDP translations (non-port-specific) |


Theoretically, there is no limit on the number of mappings that the NAT table can hold. Practically, memory and CPU or the boundaries of the available addresses or ports place a limit on the number of entries. Each NAT mapping uses approximately 160 bytes of memory. In the rare case where the entries must be limited either for performance or policy reasons, you can use the ip nat translation max-entries command.

Another useful command for troubleshooting is show ip nat statistics, as demonstrated in Example 4-32. This command displays a summary of the NAT configuration, as well as counts of active translation types, hits to an existing mapping, misses (causing an attempt to create a mapping), and expired translations. For dynamic pools, the type of pool, the total available addresses, the number of allocated addresses, the number of failed allocations, and the number of translations using the pool (refcount) appear.


Example 4-32 show ip nat statistics Displays Many Useful Details for Analyzing and Troubleshooting Your NAT Configuration

StCroix#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 3 extended)
Outside interfaces:
  Serial0, Serial1.708, Serial1.709
Inside interfaces:
  Ethernet0, Ethernet1
Hits: 980  Misses: 43
Expired translations: 54
Dynamic mappings:
-- Inside Source
access-list 1 interface Serial0 refcount 0
StCroix#
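When this output is collected regularly (for example, from a monitoring job), it is worth parsing rather than reading by eye. The script below is an added example for this chapter and is not code from the book or from Cisco IOS. It parses exactly the lines shown in Example 4-32, computes the hit ratio from the Hits and Misses counters, and raises the observations a troubleshooter looks for: no inside or outside interface listed, a dynamic mapping whose refcount is 0 (no active translation uses it, which often points back at an access list that does not match the intended traffic), and static plus dynamic counts that do not add up to the active total. The sample input is the output from Example 4-32; the 'pool' form of the mapping line is an assumption about how a pool-based rule is listed and is not taken from the page.

```python
import re

# Sample input: the output shown in Example 4-32.
SAMPLE_OUTPUT = """\
StCroix#show ip nat statistics
Total active translations: 3 (2 static, 1 dynamic; 3 extended)
Outside interfaces:
  Serial0, Serial1.708, Serial1.709
Inside interfaces:
  Ethernet0, Ethernet1
Hits: 980  Misses: 43
Expired translations: 54
Dynamic mappings:
-- Inside Source
access-list 1 interface Serial0 refcount 0
"""

TOTALS_RE = re.compile(r"^Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)")
HITS_RE = re.compile(r"^Hits: (\d+)\s+Misses: (\d+)")
EXPIRED_RE = re.compile(r"^Expired translations: (\d+)")
# The 'interface' form is the one shown in Example 4-32; the 'pool' alternative
# is an assumption about how a pool-based mapping is listed.
MAPPING_RE = re.compile(r"^access-list (\S+) (interface|pool) (\S+) refcount (\d+)")
SECTIONS = {"Outside interfaces:": "outside_interfaces",
            "Inside interfaces:": "inside_interfaces",
            "Dynamic mappings:": "mappings"}


def parse_nat_statistics(text):
    """Parse 'show ip nat statistics' output into a dictionary of counters and lists."""
    stats = {"outside_interfaces": [], "inside_interfaces": [], "mappings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        m = TOTALS_RE.match(line)
        if m:
            (stats["active"], stats["static"],
             stats["dynamic"], stats["extended"]) = map(int, m.groups())
            section = None
            continue
        m = HITS_RE.match(line)
        if m:
            stats["hits"], stats["misses"] = map(int, m.groups())
            section = None
            continue
        m = EXPIRED_RE.match(line)
        if m:
            stats["expired"] = int(m.group(1))
            section = None
            continue
        m = MAPPING_RE.match(line)
        if m:
            acl, kind, target, refcount = m.groups()
            stats["mappings"].append({"acl": acl, "kind": kind,
                                      "target": target, "refcount": int(refcount)})
            continue
        # Interface names are printed as a comma-separated line under their header.
        if section in ("outside_interfaces", "inside_interfaces") and line:
            stats[section].extend(i.strip() for i in line.split(","))
    return stats


def hit_ratio(stats):
    """Fraction of lookups satisfied by an existing mapping (misses create one)."""
    total = stats["hits"] + stats["misses"]
    return stats["hits"] / total if total else 0.0


def assess(stats):
    """Turn the parsed counters into the observations a troubleshooter looks for."""
    notes = []
    if not stats["inside_interfaces"]:
        notes.append("no interface is marked ip nat inside")
    if not stats["outside_interfaces"]:
        notes.append("no interface is marked ip nat outside")
    for m in stats["mappings"]:
        if m["refcount"] == 0:
            notes.append("mapping access-list %s %s %s has refcount 0: no active "
                         "translation uses it, so check that access-list %s matches "
                         "the intended traffic" % (m["acl"], m["kind"], m["target"], m["acl"]))
    if stats.get("active", 0) != stats.get("static", 0) + stats.get("dynamic", 0):
        notes.append("static + dynamic counts do not add up to the active total")
    return notes


if __name__ == "__main__":
    parsed = parse_nat_statistics(SAMPLE_OUTPUT)
    print("hit ratio: %.3f" % hit_ratio(parsed))
    for note in assess(parsed):
        print(note)
```

A refcount of 0 is not an error by itself (the router may simply be idle), but a mapping that stays at 0 while the inside hosts report failures is the quickest pointer back to the access-list question in the checklist above.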


Finally, you can manually clear dynamic NAT entries from the NAT table. This action can prove useful if you need to get rid of a particular offending entry without waiting for the timeout to expire, or if you need to clear the entire NAT table to reconfigure an address pool. Note that Cisco IOS Software does not allow you to change or delete an address pool while addresses from the pool are mapped in the NAT table. The clear ip nat translations command clears entries; you can specify a single entry by the global and local address or by TCP and UDP translations (including ports), or you can use an asterisk (*) to clear the entire table. Of course, only dynamic entries are cleared; the command does not remove static entries.

Looking Ahead


You have seen that NAT aids in a more efficient use of available network addresses. The next chapter, "Introduction to IP Multicast Routing," discusses how multicast routing protocols can make more efficient use of network resources when groups of devices must share common information.

Command Summary


Table 4-4 provides a list and description of the commands discussed in this chapter.

Table 4-4 Command Summary

| Command | Description |
|---|---|
| clear ip nat translations {* \| [inside [tcp {inside [global-ip [global-port] local-ip [local-port]} \| udp {inside[global-ip [global-port] local-ip [local-port]}] \| [inside global-ip local-ip][outside local-ip global-ip] | Clears dynamic entries from the NAT table. |
| ip nat {inside \| outside} | Designates the inside and outside interfaces; traffic originating from or destined for the interface is examined by the NAT. |
| ip nat inside destination list {access-list-number \| name} pool name | Enables translation of inside destination addresses. |
| ip nat inside source {list {access-list-number \| name} pool name [overload] \| static local-ip global-ip} | Enables translation of inside source addresses. |
| ip nat outside source {list {access-list-number \| name} pool name \| static global-ip local-ip} | Enables translation of outside source addresses. |
| ip nat pool name start-ip end-ip {netmask netmask \| prefix-length prefix-length} type {rotary \| match-host} | Defines a pool of addresses to be used for address translation. |
| ip nat translation max-entries entries | Sets a limit on the number of entries allowed in the NAT table. |
| ip nat translation {timeout \| udp-timeout \| dns-timeout \| tcp-timeout \| finrst-timeout \| icmp-timeout \| syn-timeout \| port-timeout {tcp \| udp}} seconds | Changes the default period after which a dynamic entry is removed from the NAT table and the address is returned to the pool. |
| show ip nat statistics | Displays NAT statistics. |
| show ip nat translations [verbose] | Displays the NAT table. |

Configuration Exercises


Refer to Figure 4-28 for Configuration Exercises 1–5.

Figure 4-28 The Internetwork for Configuration Exercises 1–5

1. ISP1 in Figure 4-28 has assigned the address block 201.50.13.0/24 to AS 3. ISP2 has assigned the address block 200.100.30.0/24 to AS 3. RTR1 and RTR2 are accepting full BGP routes from the ISP routers but do not transmit any routes to the ISPs. They run IBGP between them and OSPF on all Ethernet interfaces. No routes are redistributed between BGP and OSPF. The addresses of the router interfaces are as follows:

   RTR1, E0: 172.16.3.1/24
   RTR1, E1: 172.16.2.1/24
   RTR1, S0: 201.50.26.13/30
   RTR2, E0: 172.16.3.2/24
   RTR2, E1: 172.16.1.1/24
   RTR2, S0: 200.100.29.241/30

SVR1 is the DNS server authoritative for AS 3; its address is 172.16.3.3. DNS1 reaches SVR1 at 201.50.13.1, whereas DNS2 reaches the same server at 200.100.30.254. Write routing and NAT configurations for RTR1 and RTR2, translating inside addresses appropriately for each ISP's assigned address block. Any inside device must be able to reach either ISP, but no packets can leave AS 3 with a private source address under any circumstance.



2. The address of SVR2 in Figure 4-28 is 172.16.2.2, and the address of SVR3 is 172.16.2.3. Modify the configurations of Configuration Exercise 1 so that devices within ISP1's AS connect to the servers round-robin at the address 201.50.13.3.

3. HTTP packets sent to 200.100.30.50 from ISP2 are sent to SVR2 in Figure 4-28. SMTP packets sent to 200.100.30.50 from ISP2 are sent to SVR3. Modify the configurations of the previous exercises to implement these translations.

4. Five outside devices in Figure 4-28, 201.50.12.67–201.50.12.71, must appear to devices within AS 3 as having addresses 192.168.1.1–192.168.1.5, respectively. Add the appropriate NAT configurations to the previously created configurations.

5. Devices in AS 3 of Figure 4-28 with addresses in the 172.16.100.0/24 subnet should all appear to have the IG address 200.100.30.75 when sending packets to ISP2. Modify the configurations of the previous exercises to accommodate this.

6. In Figure 4-29, redundant links have been added so that RTR1 and RTR2 each have connections to both ISPs, and each accepts full BGP routes from both ISPs. The address of RTR1, S1 is 200.100.29.137/30, and the address of RTR2, S1 is 201.50.26.93/30. Write configurations for the two routers, ensuring that all features added in the previous exercises still work correctly.

Figure 4-29 The Internetwork for Configuration Exercise 6

Figure 4-30 The Internetwork for Troubleshooting Exercise 2

Troubleshooting Exercises


  1. Identify the mistake in the configuration in Example 4-33.

Example 4-33 Configuration for Troubleshooting Exercise 1

ip nat pool EX1 192.168.1.1 192.168.1.254 netmask 255.255.255.0 type match-host
ip nat pool EX1A netmask 255.255.255.240
 address 172.21.1.33 172.21.1.38
 address 172.21.1.40 172.21.1.46
ip nat inside source list 1 pool EX1
ip nat inside source static 10.18.53.210 192.168.1.1
ip nat outside source list 2 pool EX1A
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 192.168.2.0 0.0.0.255

  2. RTR1 in Figure 4-30 connects two internetworks with overlapping addresses. NAT is implemented on the router as configured in Example 4-34, but devices cannot communicate across the router. What is wrong?

Example 4-34 Configuration for Troubleshooting Exercise 2

interface Ethernet0
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 172.16.255.254 255.255.255.0
 ip nat outside
!
router ospf 1
 redistribute static metric 10 metric-type 1 subnets
 network 10.0.0.0 0.255.255.255 area 0
!
ip nat translation timeout 500
ip nat pool NET1 10.1.1.1 10.1.255.254 netmask 255.255.0.0
ip nat pool NET2 192.168.1.1 192.168.255.254 netmask 255.255.0.0
ip nat inside source list 1 pool NET1
ip nat outside source list 1 pool NET2
!
ip classless
!
ip route 10.1.0.0 255.255.0.0 Ethernet0
ip route 192.168.0.0 255.255.0.0 Ethernet1
!
access-list 1 permit 172.16.0.0 0.0.255.255

  3. Refer to the configurations of Cozumel and Guaymas in Figure 4-21. If the first line of access list 1 in both configurations is removed, what is the result? Can Guaymas and Cozumel still ping each other?
