Network Address Translation - Overview

MVP Expert
Q:

What is the difference between Source NAT, Destination NAT and Dual-NAT?



A:

Network Address Translation (NAT)

NAT is a method by which one IP address is remapped to a different IP address as packets transit from one network to another.

Using NAT, either the source IP or the destination IP can be changed. Depending on which IP address is changed, the terminology is Source NAT, Destination NAT or Dual NAT.

In typical scenarios, NAT is performed on the device which performs routing; however, with current technology, switches can also perform the same function.

 

Destination NAT

Destination NAT is typically used when you want to forward a packet to a host which is not reachable from the source. These NATs are typically used as a one-to-one mapping; however, they can also be used to forward all packets to a particular destination.

A one-to-one mapping means that if a packet reaches the controller with a particular destination IP address and a particular port, a rule can be created stating that these packets need to be forwarded to a different IP on a different destination port.

On an Aruba controller, this can be achieved using an access-list, and therefore the controller need not act as a router to perform this function. Please find the configuration below:

 

[00:50:56:a3:8f:8e] (config) #ip access-list session Dst-NAT
[00:50:56:a3:8f:8e] (config-submode)#any  host  10.23.195.11 tcp 1234 dst-nat ip 10.23.195.12 23
[00:50:56:a3:8f:8e] (config-submode)#any  any  any permit

 

In the above example, a packet with a destination IP of 10.23.195.11 and a destination TCP port of 1234 would be remapped to a destination IP of 10.23.195.12 and a destination port of 23.

The any any any permit below the dst-nat entry is required if you want the controller to permit other packets.

The remapped IP need not be on the same subnet as the controller's IP. Once the NAT is performed, the controller performs a normal route lookup to forward the packet.

 

This access-list can be mapped to an interface or to a user-role. In the example below, I am mapping the access-list to an interface.

 

[00:50:56:a3:8f:8e] (config) #interface gigabitethernet 0/0/0
[00:50:56:a3:8f:8e] (config-submode)#ip access-group session  Dst-NAT

 

Within the controller, the command "show datapath session table" shows whether the packet is destination-NATed, using the N flag.

Please note that in the example, "10.23.10.49" is the IP address of the client contacting the controller on port 1234.

 

(Aruba) [MDC] #show datapath  session  table 10.23.10.49
Datapath Session Table Entries
------------------------------
Flags: S - src NAT, N - dest NAT
       Y - no syn, C - client
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.23.195.12    10.23.10.49     6    23    2394   0/0     0    0   0   0/0/0       6    0          0          SY
10.23.10.49     10.23.195.11    6    2394  1234   1/4097  0    0   0   0/0/0       6    2          104        NYC

 

Please note that the return traffic has an S flag, since the source IP of this packet needs to be source-NATed back to the original IP 10.23.195.11.

Please note that the Y flag is seen in this example because 10.23.195.12 is not configured to send the packet back to 10.23.195.11.
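A way to check the NAT behaviour from the session table without reading the flags by eye, as an added example that is not an Aruba tool and not part of the original article: the script below parses the text of "show datapath session table" using the S, N, Y and C flags from the legend, and pairs each client-initiated entry with its return entry to recover the translation that was applied. The sample rows are copied from this article's outputs; the whitespace-separated column layout, the use of the C flag to mark the client-initiated direction, and the assumption that source NAT kept the client's source port are all assumptions of the script.

```python
"""Parse 'show datapath session table' text and recover which sessions were NATed.

Added example, not an Aruba tool.  Uses the legend flags S (src NAT),
N (dest NAT), Y (no syn) and C (client).  Assumptions: columns are
whitespace-separated with Flags last, the C flag marks the client-initiated
direction, and source NAT kept the client's source port (the article says it
changes only on a 5-tuple collision)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the destination-NAT table from the article (client 10.23.10.49).
DST_NAT_SAMPLE = """\
(Aruba) [MDC] #show datapath  session  table 10.23.10.49
Datapath Session Table Entries
------------------------------
Flags: S - src NAT, N - dest NAT
       Y - no syn, C - client
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.23.195.12    10.23.10.49     6    23    2394   0/0     0    0   0   0/0/0       6    0          0          SY
10.23.10.49     10.23.195.11    6    2394  1234   1/4097  0    0   0   0/0/0       6    2          104        NYC
"""

# Constructed sample: rows from the article's source-NAT output (HTTP via the egress
# VLAN IP 10.23.195.11, HTTPS via pool address 10.23.195.14).
SRC_NAT_SAMPLE = """\
10.10.10.2      10.23.195.12    6    40646 80     0/0     0    0   1   tunnel 18   a    3          172        SC
10.23.195.12    10.23.195.11    6    80    40646  0/0     0    0   1   tunnel 18   a    2          120        N
10.23.195.12    10.23.195.14    6    443   45678  0/0     0    0   1   tunnel 15   9    0          0          NY
10.10.10.2      10.23.195.12    6    45678 443    0/0     0    0   0   tunnel 15   a    4          240        SYC
"""

# Constructed sample: the dual-NAT rows from the article (both S and N set).
DUAL_NAT_SAMPLE = """\
10.10.10.2      4.2.2.2         6    46511 80     0/0     0    0   0   tunnel 18   8    4          240        SNYC
10.23.195.12    10.23.195.14    6    80    43777  0/0     0    0   0   tunnel 18   2    0          0          SNY
"""


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    flags: str

    def has(self, flag: str) -> bool:
        return flag in self.flags


def parse_session_table(text: str) -> List[Session]:
    """Keep only data rows (first field is a dotted IPv4 address).  The
    'Destination' column may contain a space (e.g. 'tunnel 18'), so the
    flags are read from the last field rather than a fixed column index."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].count(".") != 3 or not f[0][0].isdigit():
            continue  # command echo, legend, headings, separators
        rows.append(Session(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), f[-1]))
    return rows


# (original ip/port, rewritten ip/port, reply never seen: Y flag on the return entry)
Mapping = Tuple[Tuple[str, int], Tuple[str, int], bool]


def dst_nat_mappings(rows: List[Session]) -> List[Mapping]:
    """Pair a client entry flagged N with the return entry flagged S that is
    addressed back to the same client ip/port."""
    out = []
    for fwd in (r for r in rows if r.has("N") and r.has("C") and not r.has("S")):
        for rev in (r for r in rows if r.has("S") and not r.has("C")):
            if (rev.proto, rev.dst_ip, rev.dport) == (fwd.proto, fwd.src_ip, fwd.sport):
                out.append(((fwd.dst_ip, fwd.dport), (rev.src_ip, rev.sport), rev.has("Y")))
    return out


def src_nat_mappings(rows: List[Session]) -> List[Mapping]:
    """Pair a client entry flagged S with the return entry flagged N coming from
    the same server ip/port (assumes the source port was not changed)."""
    out = []
    for fwd in (r for r in rows if r.has("S") and r.has("C") and not r.has("N")):
        for rev in (r for r in rows if r.has("N") and not r.has("C")):
            if (rev.proto, rev.src_ip, rev.sport, rev.dport) == (fwd.proto, fwd.dst_ip, fwd.dport, fwd.sport):
                out.append(((fwd.src_ip, fwd.sport), (rev.dst_ip, rev.dport), rev.has("Y")))
    return out


def dual_nat_sessions(rows: List[Session]) -> List[Session]:
    """Client-initiated entries that were both source- and destination-NATed."""
    return [r for r in rows if r.has("S") and r.has("N") and r.has("C")]


if __name__ == "__main__":
    print(dst_nat_mappings(parse_session_table(DST_NAT_SAMPLE)))
    print(src_nat_mappings(parse_session_table(SRC_NAT_SAMPLE)))
    print(dual_nat_sessions(parse_session_table(DUAL_NAT_SAMPLE)))
```

The third element of each mapping is the Y (no syn) flag of the return entry; a translation whose return entry still shows Y is one where the translated host never answered, which is exactly the condition the article describes for 10.23.195.12 above and is the first thing to check when a NAT rule "does not work".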

 

Source NAT

 

With Source NAT, the source IP address and port number of a packet are remapped to a new source IP and source port. This allows clients connected on a LAN with a private IP address to communicate with the Internet, which uses public IP addresses; this makes it the most widely implemented form of NAT.

A source NAT can also be used if you wish to create a separate VLAN which doesn't exist on the rest of the network. While performing the source NAT, the controller keeps track of the source IP, source port, destination IP, destination port and protocol.

If two clients send traffic to the same server with the same source port and destination port, the controller would change the source port after NAT so that the return traffic can be identified successfully.

Please note that a change in source port would only occur if the source IP, source port, destination port, destination IP and protocol match those of another flow after NAT.

 

Source NAT can be implemented in multiple ways, namely IP NAT inside, IP NAT outside and using an access-list.

If using IP NAT inside or IP NAT outside, the controller needs to act as the default gateway for the client which is initiating the traffic.

If an access-list is used, the controller would be able to intercept the traffic even if the client's gateway is on a different device.

 

IP NAT INSIDE

This configuration needs to be performed on the VLAN from which the original packet (the packet before remapping) is expected. Typically, this is configured on the client VLAN.

When IP NAT inside is configured, the controller will NAT all traffic which needs to be routed, as long as the traffic originated from the VLAN where IP NAT inside is configured.

 

IP NAT OUTSIDE

This configuration needs to be performed on the VLAN from which the packet would egress after routing. If IP NAT outside is configured on the VLAN which has a public IP, only the packets which egress out of this VLAN would be NATed.

Please refer to the following link for detailed information on IP NAT inside and IP NAT outside: https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-difference-between-quot-ip-nat-inside-quot-and-quot/ta-p/259784

 

Source NAT using Access-List

Configuring NAT using an access-list gives us additional features. It allows us to specify which packets need to be NATed and also allows us to use a NAT pool. A NAT pool allows us to remap to a new IP which is chosen from a list of IPs.

In the below example, we are creating a custom src-nat access-list which does the following:

  1. HTTP traffic should be NATed with the IP of the VLAN the traffic exits through
  2. HTTPS traffic should be NATed with an IP address from a pool of IPs
  3. All other traffic should be routed without NAT

 

[VMC-GROUP] (config) #ip nat  pool NAT-POOL 10.23.195.14 10.23.195.16

The above configuration creates a NAT pool from which the controller would randomly choose an IP to remap with.

 

[VMC-GROUP] (config) #ip access-list session Custom-Src-NAT
[VMC-GROUP] (config-submode)#any  any  svc-http src-nat
[VMC-GROUP] (config-submode)#any  any  svc-https src-nat pool NAT-POOL
[VMC-GROUP] (config-submode)#any  any  any permit

Similar to the destination NAT, this access-list can be mapped to a user-role or an interface. Since applying it to an interface is shown in the destination NAT example, I will be mapping this to a user-role for this example.

 

[VMC-GROUP] (config) #user-role Custom-NAT-Role
[VMC-GROUP] (config-submode)#access-list session Custom-Src-NAT

 

(Aruba) [MDC] #show rights  Custom-NAT-Role

access-list List
----------------
Position  Name                        Type     Location
--------  ----                        ----     --------
1         global-sacl                 session
2         apprf-custom-nat-role-sacl  session
3         custom-src-nat              session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
apprf-custom-nat-role-sacl
--------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
custom-src-nat
--------------
Priority  Source  Destination  Service    Application  Action                 TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                 ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
1         any     any          svc-http                src-nat                                         Low                                            4
2         any     any          svc-https               src-nat pool nat-pool                           Low                                            4
3         any     any          any                     permit                                          Low                                            4

Expired Policies (due to time constraints) = 0

 

This user-role can be mapped to any AAA profile, which would apply the source NAT to any user who receives this user-role. In this example, I have mapped it as the initial role of an SSID.

 

AAA Profile "Aruba-WPA-PSK"
----------------------------
Parameter                           Value
---------                           -----
Initial role                        custom-nat-role

(Aruba) [MDC] #show user
Users
-----
    IP              MAC            Name              Role              Age(d:h:m)  Auth  VPN link       AP name            Roaming   Essid/Bssid/Phy                         Profile         Forward mode  Type     Host Name  User Type
----------     ------------       ------             ----              ----------  ----  --------       -------            -------   ---------------                         -------         ------------  ----     ---------  ---------
10.10.10.2     d8:32:e3:7b:df:03                     custom-nat-role   00:00:00                         18:64:72:cd:ed:b4  Wireless  Aruba-WPA-PSK/18:64:72:5e:db:52/a-VHT  Aruba-WPA-PSK  tunnel        Android             WIRELESS

 

(Aruba) [MDC] #show datapath  session  table 10.23.195.12
10.10.10.2      10.23.195.12    6    40644 80     0/0     0    0   1   tunnel 18   a    6          733        FSC
10.10.10.2      10.23.195.12    6    40646 80     0/0     0    0   1   tunnel 18   a    3          172        SC
10.23.195.12    10.23.195.11    17   8211  8498   1/0     0    0   1   0/0/0       7    0          0          FYCI
10.23.195.12    10.23.195.11    6    80    40646  0/0     0    0   1   tunnel 18   a    2          120        N

 

(Aruba) [MDC] #show datapath session  table 10.23.195.12
10.23.195.12    10.23.195.14    6    443   45678  0/0     0    0   1   tunnel 15   9    0          0          NY
10.23.195.12    10.23.195.14    6    443   45680  0/0     0    0   0   tunnel 15   9    0          0          NY
10.23.195.12    10.23.195.14    6    443   45682  0/0     0    0   0   tunnel 15   9    0          0          NY
10.10.10.2      10.23.195.12    6    45682 443    0/0     0    0   0   tunnel 15   a    4          240        SYC
10.10.10.2      10.23.195.12    6    45680 443    0/0     0    0   0   tunnel 15   a    4          240        SYC
10.10.10.2      10.23.195.12    6    45678 443    0/0     0    0   0   tunnel 15   a    4          240        SYC

 

The S flag denotes that the traffic was source-NATed by the controller.

However, one thing to notice is the entry for the return traffic. The destination IP is 10.23.195.11 for HTTP traffic and 10.23.195.14 for HTTPS traffic.

The HTTPS traffic used an IP address from the NAT pool for the source NAT.

 

Please note that for clients connecting to the controller using Aruba's VIA, source NAT using IP NAT inside or IP NAT outside would not work. Only the access-list method would work for these clients.

Please refer to the following article for more details: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-enable-source-NAT-for-VIA-clients/ta-p/183008

(Please note that the order of the access-list entries in that article should have been src-nat in the first position followed by allow-all in the second position.)

 

Dual NAT

Dual NAT can remap both the source and the destination IP with a new IP address. All the rules for remapping of IPs and port numbers apply to dual-nat as well. Please find the example of dual-nat below:

 

ip nat pool dual-nat 10.23.195.14 10.23.195.16 10.23.195.12

 

We first need to create an IP NAT pool listing the source IP address range and the destination IP address.

 

[VMC-GROUP] (config) #ip access-list session  dual-nat
[VMC-GROUP] (config-submode)#any  any  svc-http dual-nat pool DUAL-NAT
[VMC-GROUP] (config-submode)#any  any  any  permit

 

The above configuration would remap all HTTP traffic with a source IP from the range 10.23.195.14 to 10.23.195.16, and the traffic would be destination-NATed to 10.23.195.12.

This access-list was mapped to a user-role, and the role was mapped as the initial role of an AAA profile.

 

(Aruba) [MDC] #show user
Users
-----
    IP              MAC            Name              Role              Age(d:h:m)  Auth  VPN link       AP name                                   Roaming   Essid/Bssid/Phy                        Profile         Forward mode  Type     Host Name  User Type
----------     ------------       ------             ----              ----------  ----  --------       -------                                   -------   ---------------                        -------         ------------  ----     ---------  ---------
10.10.10.2     d8:32:e3:7b:df:03                     dual-nat          00:00:05                         18:64:72:cd:ed:b4                         Wireless Aruba-WPA-PSK/18:64:72:5e:db:52/a-VHT  Aruba-WPA-PSK  tunnel        Android             WIRELESS

Since a dual NAT was performed, both the S and N flags should be visible for both the request and the response.

 

(Aruba) [MDC] #show datapath  session  table
10.10.10.2      4.2.2.2         6    46511 80     0/0     0    0   0   tunnel 18   8    4          240        SNYC
10.23.195.12    10.23.195.14    6    80    43777  0/0     0    0   0   tunnel 18   2    0          0          SNY
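As an added illustration that is not ArubaOS code and not from the article's author, the following Python model ties together the three behaviours described above: the dst-nat rule from the Destination NAT section, the source NAT 5-tuple tracking, port change on collision and NAT pool from the Source NAT section, and the dual-nat pool from this section. It also shows why the return entries in the session table carry the S and N flags: each translation stores a reverse mapping that the reply is looked up against. The Rule and 5-tuple layout, the round-robin pool choice (the controller chooses randomly), the expansion of the pool range into individual addresses and the increment-by-one port reallocation are assumptions of the model.

```python
"""Toy model of session-ACL NAT actions: dst-nat, src-nat (egress IP or pool),
dual-nat pool and permit, with the 5-tuple tracking that makes return traffic
map back to the client.  Added illustration, not ArubaOS code; the Rule/Packet
layout, round-robin pool choice and the +1 port-collision policy are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 5-tuple: (src_ip, sport, dst_ip, dport, proto); proto 6 = TCP, 17 = UDP
Packet = Tuple[str, int, str, int, int]

# Pools from the article's examples (range assumed expanded to individual addresses)
NAT_POOL = ("10.23.195.14", "10.23.195.15", "10.23.195.16")
DUAL_NAT_SRC_POOL = NAT_POOL
DUAL_NAT_DST = "10.23.195.12"


@dataclass(frozen=True)
class Rule:
    """One session-ACL line; None in a match field means 'any'."""
    dst_ip: Optional[str]
    proto: Optional[int]
    dport: Optional[int]
    action: str                      # permit | src-nat | dst-nat | dual-nat
    new_src: Tuple[str, ...] = ()    # source pool; empty = egress VLAN IP
    new_dst: Optional[str] = None
    new_dport: Optional[int] = None  # None keeps the original destination port

    def matches(self, pkt: Packet) -> bool:
        _, _, dst, dport, proto = pkt
        return (self.dst_ip in (None, dst) and self.proto in (None, proto)
                and self.dport in (None, dport))


class NatEngine:
    def __init__(self, rules, egress_ip: str):
        self.rules, self.egress_ip = list(rules), egress_ip
        self.forward: Dict[Packet, Packet] = {}     # original -> translated
        self.reverse: Dict[Packet, Packet] = {}     # translated reply -> original reply
        self._rr: Dict[Tuple[str, ...], int] = {}   # per-pool round-robin cursor

    def _pick(self, pool: Tuple[str, ...]) -> str:
        # The controller picks randomly from the pool; round-robin keeps this reproducible.
        i = self._rr.get(pool, 0)
        self._rr[pool] = i + 1
        return pool[i % len(pool)]

    def _free_sport(self, src, sport, dst, dport, proto) -> int:
        # Keep the client's port unless the translated 5-tuple already exists
        # (two clients, same source port, same server and port); then move it.
        taken = set(self.forward.values())
        while (src, sport, dst, dport, proto) in taken:
            sport += 1
        return sport

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Apply the first matching rule; None means no rule matched (implicit deny)."""
        if pkt in self.forward:                     # existing session: reuse its mapping
            return self.forward[pkt]
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None:
            return None
        src, sport, dst, dport, proto = pkt
        if rule.action in ("dst-nat", "dual-nat"):
            dst = rule.new_dst
            dport = rule.new_dport if rule.new_dport is not None else dport
        if rule.action in ("src-nat", "dual-nat"):
            src = self._pick(rule.new_src) if rule.new_src else self.egress_ip
            sport = self._free_sport(src, sport, dst, dport, proto)
        out = (src, sport, dst, dport, proto)
        if rule.action != "permit":
            self.forward[pkt] = out
            # The reply arrives addressed to the translated tuple and must be
            # rewritten back to the original (the S/N flags on return entries).
            self.reverse[(dst, dport, src, sport, proto)] = (pkt[2], pkt[3], pkt[0], pkt[1], proto)
        return out

    def untranslate_reply(self, reply: Packet) -> Optional[Packet]:
        return self.reverse.get(reply)


def dst_and_src_nat_engine() -> NatEngine:
    """The Dst-NAT and Custom-Src-NAT ACL lines from the article, in one ordered list."""
    return NatEngine([
        Rule("10.23.195.11", 6, 1234, "dst-nat", new_dst="10.23.195.12", new_dport=23),
        Rule(None, 6, 80, "src-nat"),                      # svc-http src-nat
        Rule(None, 6, 443, "src-nat", new_src=NAT_POOL),   # svc-https src-nat pool
        Rule(None, None, None, "permit"),                  # any any any permit
    ], egress_ip="10.23.195.11")


def dual_nat_engine() -> NatEngine:
    """The dual-nat ACL from the article."""
    return NatEngine([
        Rule(None, 6, 80, "dual-nat", new_src=DUAL_NAT_SRC_POOL, new_dst=DUAL_NAT_DST),
        Rule(None, None, None, "permit"),
    ], egress_ip="10.23.195.11")


if __name__ == "__main__":
    e = dst_and_src_nat_engine()
    print(e.translate(("10.23.10.49", 2394, "10.23.195.11", 1234, 6)))  # dst-nat to 10.23.195.12:23
    print(e.translate(("10.10.10.2", 40644, "10.23.195.12", 80, 6)))    # src-nat with egress IP
    print(e.translate(("10.10.10.3", 40644, "10.23.195.12", 80, 6)))    # collision: port moves to 40645
```

The second HTTP client in the usage above reuses source port 40644 towards the same server and port, so its translated 5-tuple would collide with the first client's; the model moves it to 40645, which is the case the Source NAT section describes. Without the trailing permit rule a non-matching packet returns None, mirroring the need for the any any any permit entry at the end of the ACL.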
Version history: Revision 3 of 3, last updated 02-19-2019 02:16 PM