\n<\/strong><\/p>\n
\u201cRouting\u201d & \u201cNAT\u201d represent keystone to understand more complex situations:<\/p>\n
Figure1: order of NAT+Routing Rules: \u2013 Traffic entering inside NAT interface is routed 1st then NATted \u2013 Traffic entering outside NAT interface is NATted 1st then routed IMPORTANT ===> For outside NAT : Make sure to have a route for the \u201coutside local\u201d to the outside NAT interface, or add the keyword \u201cadd-route\u201d at the end of the \u201cip nat outside source static\u201d command, otherwise, because of the \u201calias\u201d feature inherited to NAT, the outside interface will respond on behalf of the outside local (if the prefix belongs to the outside interface segment) or will not be routed (if the prefix doesn\u2019t belong to an attached subnet) (1)<\/p>\n Part2: NAT + Routing+ ACL Figure2: order of NAT+Routing+ACL Rules: \u2013 Traffic entering inside NAT interface is always routed 1st then NATted. \u2013 Traffic entering outside NAT interface is always NATted 1st then routed. \u2013 Inbound ACL are performed before routing & NAT, alleviate processing overhead by filtering unnecessary traffic. \u2013 Outbound ACL is performed after routing & NAT. Next follows the practice lab in which, the previously stated rules are demonstrated:<\/p>\n Figure3: Lab topology Note: vhost1 and vhost2 routers are simulated inside one single router using VRF-Lite (Figure4), for more information about this technique.<\/em><\/p>\n Figure4: end-host deployment Let\u2019s suppose that the policy is to block ICMP traffic between the inside host 10.0.0.17 and the outside host 192.168.20.146, we will see that the involved IP address in the ACL changes according to the type of translation, the direction of the traffic and the NAT interface on which ACL is applied.<\/p>\n Each time only a single ACL is applied to a single interface, one single icmp packet is generated from inside to outside.<\/p>\n Here is the battery of tests to be done, observe debug results and refer to the associated rules and figures.<\/p>\n Tests\u00a0: NAT operation:<\/p>\n (inside local = 10.0.0.17) is seen from outside as (inside global = 192.168.20.131) NAT(config)#ip nat inside source static 10.0.0.17 192.168.20.131<\/p>\n NAT#sh ip nat translations<\/p>\n Pro Inside global Inside local Outside local Outside global<\/p>\n \u2014 192.168.20.131 10.0.0.17 \u2014 \u2014<\/p>\n NAT#<\/p>\n For each case ICMP traffic is generated as follow:<\/p>\n Vhost#ping vrf vhost1 192.168.20.146 repeat 1<\/p>\n A1-ACL applied on outside nat interface A1-a) inbound direction filter prefix dst=outside local ip access-list ext outsideblock-in<\/p>\n 10 deny ip any host 192.168.20.131<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/1<\/p>\n ip access-group outsideblock-in in<\/p>\n NAT(config-if)#<\/p>\n *Mar 1 23:26:57.562: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), routed via FIB<\/p>\n *Mar 1 23:26:57.566: NAT: s=10.0.0.17->192.168.20.131, d=192.168.20.146 [139]<\/p>\n *Mar 1 23:26:57.570: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), g=192.168.20.130, len 100, forward<\/p>\n *Mar 1 23:26:57.706: IP: s=192.168.20.146 (FastEthernet0\/1), d=192.168.20.131, len 100, access denied<\/p>\n Note order of operation: routing->NAT for ICMP echo and the returning traffic is blocked before entering the router.<\/p>\n *** Last outbound interface operation is traffic forwarding to next-hop A1-b) outbound direction filter prefix src=outside local ip access-list ext outsideblock-out<\/p>\n 10 deny ip host 192.168.20.131 any<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/1<\/p>\n ip access-group outsideblock-out out<\/p>\n NAT(config-if)#<\/p>\n *Mar 1 23:34:36.162: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), routed via FIB<\/p>\n *Mar 1 23:34:36.166: NAT: s=10.0.0.17->192.168.20.131, d=192.168.20.146 [140]<\/p>\n *Mar 1 23:34:36.170: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), len 100, access denied<\/p>\n NAT(config-if)#<\/p>\n Note the order of operations: routing->NAT, and then ACL blocked it outbound at the outside NAT interface.<\/p>\n A2-acl applied on inside nat interface A2-a) inbound direction filter prefix src=inside local ip access-list ext insideblock-in<\/p>\n 10 deny ip host 10.0.0.17 any<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/0<\/p>\n ip access-group insideblock-in in<\/p>\n Vhost#p vrf vhost1 192.168.20.146 repeat 1<\/p>\n Type escape sequence to abort.<\/p>\n Sending 1, 100-byte ICMP Echos to 192.168.20.146, timeout is 2 seconds:<\/p>\n U<\/p>\n Success rate is 0 percent (0\/1)<\/p>\n Vhost#<\/p>\n NAT#<\/p>\n *Mar 1 22:53:08.410: IP: s=10.0.0.17 (FastEthernet0\/0), d=192.168.20.146, len 100, access denied<\/p>\n NAT#<\/p>\n The debug confirm that inbound ACL at the inside NAT interface is performed 1st before any other operations and filter the inside local as source of the traffic<\/p>\n A2-b) outbound direction filter prefix dst=inside local ip access-list ext insideblock-out<\/p>\n 10 deny ip any host 10.0.0.17<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/0<\/p>\n ip access-group insideblock-out out<\/p>\n Vhost#<\/p>\n Vhost#p vrf vhost1 192.168.20.146 repeat 1<\/p>\n Type escape sequence to abort.<\/p>\n Sending 1, 100-byte ICMP Echos to 192.168.20.146, timeout is 2 seconds:<\/p>\n .<\/p>\n Success rate is 0 percent (0\/1)<\/p>\n Vhost#<\/p>\n NAT(config-if)#<\/p>\n *Mar 1 23:14:36.762: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), routed via FIB<\/p>\n *Mar 1 23:14:36.766: NAT: s=10.0.0.17->192.168.20.131, d=192.168.20.146 [137]<\/p>\n *Mar 1 23:14:36.770: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), g=192.168.20.130, len 100, forward<\/p>\n *Mar 1 23:14:36.918: NAT*: s=192.168.20.146, d=192.168.20.131->10.0.0.17 [137]<\/p>\n *Mar 1 23:14:36.922: IP: tableid=0, s=192.168.20.146 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), routed via FIB<\/p>\n *Mar 1 23:14:36.926: IP: s=192.168.20.146 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), len 100, access denied<\/p>\n Note the order of operations: Routing=>NAT for ICMP echo, but NAT=>Routing for ICMP reply and outbound ACL at the inside NAT interface<\/p>\n NAT operation: (inside local = 10.0.0.17) is seen from outside as (inside global = 192.168.20.131) (outside global = 192.168.20.146) is seen from inside as (outside local = 10.0.0.35) As stated in (1) make sure to have a route for the outside local to the outside interface, or add the keywork \u201cadd-route\u201d at the end of the \u201cip nat outside source static\u201d command otherwise because of the \u201calias\u201d feature inherited to NAT, the outside interface will respond on behalve of 10.0.0.35 (10.0.0.35 belongs to the outside inteface segment)<\/p>\n ip nat outside source static 192.168.20.146 10.0.0.35 add-route<\/p>\n or<\/p>\n ip nat outside source static 192.168.20.146 10.0.0.35<\/p>\n ip route 10.0.0.35 255.255.255.255 fa0\/1<\/p>\n NAT(config)#do sh ip nat tra<\/p>\n Pro Inside global Inside local Outside local Outside global<\/p>\n \u2014 \u2014 \u2014 10.0.0.35 192.168.20.146<\/p>\n \u2014 192.168.20.131 10.0.0.17 \u2014 \u2014<\/p>\n NAT(config)#<\/p>\n For each case ICMP traffic is generated from vhost1 (10.0.0.17) toward vhost2 (192.168.20.146) as follow :<\/p>\n Vhost#ping vrf vhost1 10.0.0.35 repeat 1<\/p>\n Here are normal operations without filtering:<\/p>\n NAT(config)#<\/p>\n *Mar 2 02:07:20.597: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=10.0.0.35 (FastEthernet0\/1), routed via RIB<\/p>\n *Mar 2 02:07:20.605: NAT: s=10.0.0.17->192.168.20.131, d=10.0.0.35 [204]<\/p>\n *Mar 2 02:07:20.605: NAT: s=192.168.20.131, d=10.0.0.35->192.168.20.146 [204]<\/p>\n *Mar 2 02:07:20.609: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), g=192.168.20.146, len 100, forward<\/p>\n *Mar 2 02:07:20.721: NAT*: s=192.168.20.146->10.0.0.35, d=192.168.20.131 [204]<\/p>\n *Mar 2 02:07:20.725: NAT*: s=10.0.0.35, d=192.168.20.131->10.0.0.17 [204]<\/p>\n *Mar 2 02:07:20.733: IP: tableid=0, s=10.0.0.35 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), routed via FIB<\/p>\n *Mar 2 02:07:20.737: IP: s=10.0.0.35 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), g=10.0.0.34, len 100, forward<\/p>\n NAT(config)#<\/p>\n Note the order of operations: routing=>NAT then NAT=>Routing for the returning traffic<\/p>\n B1-acl applied on outside nat interface B1-a) inbound filter prefix src=outside global ip access-list ext outsideblock-in<\/p>\n 10 deny ip host 192.168.20.146 any<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/1<\/p>\n ip access-group outsideblock-in in<\/p>\n NAT(config-if)#<\/p>\n *Mar 2 02:16:45.621: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=10.0.0.35 (FastEthernet0\/1), routed via RIB<\/p>\n *Mar 2 02:16:45.625: NAT: s=10.0.0.17->192.168.20.131, d=10.0.0.35 [207]<\/p>\n *Mar 2 02:16:45.629: NAT: s=192.168.20.131, d=10.0.0.35->192.168.20.146 [207]<\/p>\n *Mar 2 02:16:45.633: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), g=192.168.20.146, len 100, forward<\/p>\n *Mar 2 02:16:45.745: IP: s=192.168.20.146 (FastEthernet0\/1), d=192.168.20.131, len 100, access denied<\/p>\n B1-b) outbound filter prefix dst=outside global ip access-list ext outsideblock-out<\/p>\n 10 deny ip any host 192.168.20.146<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/1<\/p>\n ip access-group outsideblock-out out<\/p>\n NAT(config-if)#<\/p>\n *Mar 2 02:19:31.969: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=10.0.0.35 (FastEthernet0\/1), routed via RIB<\/p>\n *Mar 2 02:19:31.973: NAT: s=10.0.0.17->192.168.20.131, d=10.0.0.35 [208]<\/p>\n *Mar 2 02:19:31.977: NAT: s=192.168.20.131, d=10.0.0.35->192.168.20.146 [208]<\/p>\n *Mar 2 02:19:31.981: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), len 100, access denied<\/p>\n B2- acl applied on inside nat interface B2-a) inbound filter prefix dst=outside local ip access-list ext insideblock-in<\/p>\n 10 deny ip any host 10.0.0.35<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/0<\/p>\n ip access-group insideblock-in in<\/p>\n NAT(config-if)#<\/p>\n *Mar 2 02:10:45.613: IP: s=10.0.0.17 (FastEthernet0\/0), d=10.0.0.35, len 100, access denied<\/p>\n B2-b) outbound filter prefix src=outside local ip access-list ext insideblock-out<\/p>\n 10 deny ip host 10.0.0.35 any<\/p>\n 20 permit ip any any<\/p>\n interface FastEthernet0\/0<\/p>\n ip access-group insideblock-out out<\/p>\n NAT(config-if)#<\/p>\n *Mar 2 02:12:11.393: IP: tableid=0, s=10.0.0.17 (FastEthernet0\/0), d=10.0.0.35 (FastEthernet0\/1), routed via RIB<\/p>\n *Mar 2 02:12:11.397: NAT: s=10.0.0.17->192.168.20.131, d=10.0.0.35 [206]<\/p>\n *Mar 2 02:12:11.401: NAT: s=192.168.20.131, d=10.0.0.35->192.168.20.146 [206]<\/p>\n *Mar 2 02:12:11.405: IP: s=192.168.20.131 (FastEthernet0\/0), d=192.168.20.146 (FastEthernet0\/1), g=192.168.20.146, len 100, forward<\/p>\n *Mar 2 02:12:11.517: NAT*: s=192.168.20.146->10.0.0.35, d=192.168.20.131 [206]<\/p>\n *Mar 2 02:12:11.517: NAT*: s=10.0.0.35, d=192.168.20.131->10.0.0.17 [206]<\/p>\n *Mar 2 02:12:11.525: IP: tableid=0, s=10.0.0.35 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), routed via FIB<\/p>\n *Mar 2 02:12:11.529: IP: s=10.0.0.35 (FastEthernet0\/1), d=10.0.0.17 (FastEthernet0\/0), len 100, access denied<\/p>\n \u2013 Write down your expectations in term of address translation, routing and filtering.<\/p>\n \u2013 Make sure to choose your IP addresses to filter, the ACL direction and the interface to which ACL is applied with the order of operations in mind.<\/p>\n","protected":false},"excerpt":{"rendered":" This is the 1st post in the series \u201crouter order of operations\u201d and the purpose is to provide a comprehensive but clear enough overview of how operations are performed in the router and implications on what IP addresses to consider particularly when filtering with ACL. Part1: NAT + Routing \u201cRouting\u201d & \u201cNAT\u201d represent keystone to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,2],"tags":[],"class_list":["post-100","post","type-post","status-publish","format-standard","hentry","category-ccie-rns","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=100"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions"}],"predecessor-version":[{"id":509,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions\/509"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n<\/strong><\/p>\n![\"\"](\"https:\/\/cciethebeginning.files.wordpress.com\/2010\/06\/060810_1604_orderofoper1.png?w=630\")
<\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n![\"\"](\"https:\/\/cciethebeginning.files.wordpress.com\/2010\/06\/060810_1604_orderofoper2.png?w=630\")
<\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n![\"\"](\"https:\/\/cciethebeginning.files.wordpress.com\/2010\/06\/routing_nat_acl.png?w=750&h=137\")
<\/p>\n
\n<\/em><\/p>\n
\n<\/strong><\/p>\n![\"\"](\"https:\/\/cciethebeginning.files.wordpress.com\/2010\/06\/routing_nat_acl_vrf.png?w=368&h=255\")
<\/p>\n
\n<\/strong><\/p>\n\n
\n Inside source<\/strong><\/td>\n Inside NAT interface<\/strong><\/td>\n Outside NAT interface<\/strong><\/td>\n<\/tr>\n \n ACL direction<\/strong><\/td>\n inbound<\/strong><\/td>\n outbound<\/strong><\/td>\n inbound<\/strong><\/td>\n Outbound<\/strong><\/td>\n<\/tr>\n \n Prefix to filter<\/strong><\/td>\n Src=Inside local<\/em><\/strong><\/td>\n Dst=Inside local<\/em><\/strong><\/td>\n Dst=Outside local<\/em><\/strong><\/td>\n Src=Outside local<\/em><\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n \n
\n outside source<\/strong><\/td>\n Inside NAT interface<\/strong><\/td>\n Outside NAT interface<\/strong><\/td>\n<\/tr>\n \n ACL direction<\/strong><\/td>\n inbound<\/strong><\/td>\n outbound<\/strong><\/td>\n inbound<\/strong><\/td>\n outbound<\/strong><\/td>\n<\/tr>\n \n Prefix to filter<\/strong><\/td>\n Dst=Outside local<\/em><\/strong><\/td>\n Src=Outside local<\/em><\/strong><\/td>\n Src=Outside global<\/em><\/strong><\/td>\n Dst=Outside global<\/em><\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n A) \u2013 inside source NAT<\/h2>\n
\n<\/strong><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\nB) \u2013 outside source NAT<\/h2>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/strong><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\n
\n<\/em><\/p>\nConclusion<\/h2>\n