Q:
What is the difference between Source NAT, Destination NAT and Dual-NAT?
A: Network Address Translation (NAT)
NAT is a method by which an IP address in a packet is remapped to a different IP address as the packet transits from one network to another.
Using NAT, the source IP, the destination IP, or both can be changed. Depending on which address is changed, the operation is called source NAT, destination NAT or dual NAT.
In typical scenarios NAT is performed on the device that performs the routing; with current technology, switches can also perform it.
Destination NAT
Destination NAT is typically used when you want to forward a packet to a host which is not reachable from the source. It is typically configured as a one-to-one mapping, but it can also be used to forward all packets to a particular destination.
A one-to-one mapping means that when a packet reaches the controller with a particular destination IP address and port, a rule can state that such packets are to be forwarded to a different IP address on a different destination port.
On an Aruba controller, this can be achieved using an access-list, so the controller need not act as a router to perform this function. Please find the configuration below:
[00:50:56:a3:8f:8e] (config) #ip access-list session Dst-NAT
[00:50:56:a3:8f:8e] (config-submode)#any host 10.23.195.11 tcp 1234 dst-nat ip 10.23.195.12 23
[00:50:56:a3:8f:8e] (config-submode)#any any any permit
In the above example, a packet with a destination IP of 10.23.195.11 and a destination TCP port of 1234 is remapped to a destination IP of 10.23.195.12 and a destination port of 23.
The "any any any permit" entry below the dst-nat entry is required if you want the controller to permit other packets.
The remapped IP need not be on the same subnet as the controller's IP. Once the NAT is performed, the controller performs a normal route lookup to forward the packet.
This access-list can be mapped to an interface or to a user-role. For the example below, I am mapping the access-list to an interface.
[00:50:56:a3:8f:8e] (config) #interface gigabitethernet 0/0/0
[00:50:56:a3:8f:8e] (config-submode)#ip access-group session Dst-NAT
Within the controller, the command "show datapath session table" shows whether a packet is destination-NATed, using the N flag.
Please note that in the example, "10.23.10.49" is the IP address of the client contacting the controller on port 1234.
(Aruba) [MDC] #show datapath session table 10.23.10.49
Datapath Session Table Entries
------------------------------
Flags: S - src NAT, N - dest NAT
       Y - no syn, C - client
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.23.195.12    10.23.10.49     6    23    2394  0/0      0    0   0   0/0/0       6    0         0         SY
10.23.10.49     10.23.195.11    6    2394  1234  1/4097   0    0   0   0/0/0       6    2         104       NYC
Please note that the return traffic has the S flag, since the source IP of that packet needs to be source-NATed back to the original IP 10.23.195.11.
Please note that the Y flag appears in this example because 10.23.195.12 is not configured to send the packet back to 10.23.195.11.
Source NAT
With source NAT, the source IP address and port number of a packet are remapped to a new source IP and source port. This allows clients connected to the LAN with a private IP address to communicate with the Internet, which uses public IP addresses; this makes it the most widely implemented form of NAT.
Source NAT can also be used if you wish to create a separate VLAN which doesn't exist on the rest of the network. While performing source NAT, the controller keeps track of the source IP, source port, destination IP, destination port and protocol.
If two clients send traffic to the same server with the same source port and destination port, the controller changes the source port after NAT so that the return traffic can be identified successfully.
Please note that a change in source port occurs only if the source IP, source port, destination port, destination IP and protocol match those of another flow after NAT.
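As an added example that is not part of this article, the following Python model shows the 5-tuple session tracking described above: a source NAT pool, a source port change only when the post-NAT 5-tuple collides with an existing session, and the reverse lookup that maps a server's reply back to the original client. The round-robin pool selection and the choice of the replacement port (next free port) are assumptions, since the article only states that an IP is chosen and that the port is changed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One direction of a session: the 5-tuple the controller keeps track of."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # 6 = TCP, 17 = UDP

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

class SourceNat:
    """Source NAT from a pool of IPs, with the session table keyed on the 5-tuple."""
    def __init__(self, pool):
        self.pool = list(pool)
        self.sessions = {}    # original outbound Flow -> translated outbound Flow
        self.translated = {}  # translated outbound Flow -> original outbound Flow

    def outbound(self, flow):
        """Translate a client packet, reusing the session if one already exists."""
        if flow in self.sessions:
            return self.sessions[flow]
        # Assumption: round-robin over the pool; the article only says an IP is chosen.
        nat_ip = self.pool[len(self.sessions) % len(self.pool)]
        port = flow.src_port
        nat = Flow(nat_ip, port, flow.dst_ip, flow.dst_port, flow.proto)
        # The source port is changed only when the post-NAT 5-tuple is already in
        # use, so that the return traffic of each client can still be told apart.
        while nat in self.translated:
            port += 1  # assumption: linear probe; the controller's port choice is not documented here
            nat = Flow(nat_ip, port, flow.dst_ip, flow.dst_port, flow.proto)
        self.sessions[flow] = nat
        self.translated[nat] = flow
        return nat

    def inbound(self, reply):
        """Map a server reply addressed to the NAT IP/port back to the original client."""
        orig = self.translated.get(reply.reverse())
        return None if orig is None else orig.reverse()

def demo():
    # Two clients reuse source port 40644 towards the same server through a 1-IP pool.
    nat = SourceNat(["10.23.195.14"])
    a = nat.outbound(Flow("10.10.10.2", 40644, "10.23.195.12", 443, 6))
    b = nat.outbound(Flow("10.10.10.3", 40644, "10.23.195.12", 443, 6))
    return a, b, nat.inbound(Flow("10.23.195.12", 443, b.src_ip, b.src_port, 6))
```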
Source NAT can be implemented in multiple ways, namely IP NAT inside, IP NAT outside and using an access-list.
If using IP NAT inside or IP NAT outside, the controller needs to act as the default gateway for the client which is initiating the traffic.
If an access-list is used, the controller is able to intercept the traffic even if the client's gateway is on a different device.
IP NAT INSIDE
This configuration needs to be performed on the VLAN from which the original packet (the packet before re-mapping) is expected. Typically, this is configured on the client VLAN.
When IP NAT inside is configured, the controller will NAT all traffic which needs to be routed, as long as the traffic originated from the VLAN where IP NAT inside is configured.
IP NAT OUTSIDE
This configuration needs to be performed on the VLAN from which the packet would egress after routing. If IP NAT outside is configured on the VLAN which has a public IP, only the packets which egress out of this VLAN are NATed.
Please refer to the following link for detailed information on IP NAT inside and IP NAT outside: https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-difference-between-quot-ip-nat-inside-quot-and-quot/ta-p/259784
Source NAT using Access-List
Configuring NAT using an access-list gives us additional features. It allows us to specify which packets need to be NATed and also allows us to use a NAT pool. A NAT pool lets the controller remap to a new IP chosen from a list of IPs.
In the example below, we are creating a custom src-nat access-list which does the following:
- HTTP traffic should be NATed with the IP of the VLAN from which it exits
- HTTPS traffic should be NATed with an IP address from a pool of IPs
- All other traffic should be routed without NAT
[VMC-GROUP] (config) #ip nat pool NAT-POOL 10.23.195.14 10.23.195.16
The above configuration creates a NAT pool from which the controller randomly chooses an IP to remap with.
[VMC-GROUP] (config) #ip access-list session Custom-Src-NAT
[VMC-GROUP] (config-submode)#any any svc-http src-nat
[VMC-GROUP] (config-submode)#any any svc-https src-nat pool NAT-POOL
[VMC-GROUP] (config-submode)#any any any permit
Similar to the destination NAT, this access-list can be mapped to a user-role or an interface. Since applying it to an interface is shown in the destination NAT example, I will be mapping this to a user-role for this example.
[VMC-GROUP] (config) #user-role Custom-NAT-Role
[VMC-GROUP] (config-submode)#access-list session Custom-Src-NAT
(Aruba) [MDC] #show rights Custom-NAT-Role
access-list List
----------------
Position  Name                        Type     Location
--------  ----                        ----     --------
1         global-sacl                 session
2         apprf-custom-nat-role-sacl  session
3         custom-src-nat              session
global-sacl
-----------
Priority  Source  Destination  Service    Application  Action                 TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                 ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
apprf-custom-nat-role-sacl
--------------------------
Priority  Source  Destination  Service    Application  Action                 TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                 ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
custom-src-nat
--------------
Priority  Source  Destination  Service    Application  Action                 TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                 ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------
1         any     any          svc-http                src-nat                                          Low                                              4
2         any     any          svc-https               src-nat pool nat-pool                            Low                                              4
3         any     any          any                     permit                                           Low                                              4
Expired Policies (due to time constraints) = 0
This user-role can be mapped to any AAA profile, which implements the source NAT for any user who receives this user-role. In this example, I have mapped it as the initial role of an SSID.
AAA Profile "Aruba-WPA-PSK"
----------------------------
Parameter     Value
---------     -----
Initial role  custom-nat-role
(Aruba) [MDC] #show user
Users
-----
IP          MAC                Name  Role             Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                        Profile        Forward mode  Type     Host Name  User Type
----------  -----------------  ----  ---------------  ----------  ----  --------  -----------------  --------  -------------------------------------  -------------  ------------  -------  ---------  ---------
10.10.10.2  d8:32:e3:7b:df:03        custom-nat-role  00:00:00                    18:64:72:cd:ed:b4  Wireless  Aruba-WPA-PSK/18:64:72:5e:db:52/a-VHT  Aruba-WPA-PSK  tunnel        Android             WIRELESS
(Aruba) [MDC] #show datapath session table 10.23.195.12
10.10.10.2      10.23.195.12    6    40644 80    0/0      0    0   1   tunnel 18   a    6         733       FSC
10.10.10.2      10.23.195.12    6    40646 80    0/0      0    0   1   tunnel 18   a    3         172       SC
10.23.195.12    10.23.195.11    17   8211  8498  1/0      0    0   1   0/0/0       7    0         0         FYCI
10.23.195.12    10.23.195.11    6    80    40646 0/0      0    0   1   tunnel 18   a    2         120       N
(Aruba) [MDC] #show datapath session table 10.23.195.12
10.23.195.12    10.23.195.14    6    443   45678 0/0      0    0   1   tunnel 15   9    0         0         NY
10.23.195.12    10.23.195.14    6    443   45680 0/0      0    0   0   tunnel 15   9    0         0         NY
10.23.195.12    10.23.195.14    6    443   45682 0/0      0    0   0   tunnel 15   9    0         0         NY
10.10.10.2      10.23.195.12    6    45682 443   0/0      0    0   0   tunnel 15   a    4         240       SYC
10.10.10.2      10.23.195.12    6    45680 443   0/0      0    0   0   tunnel 15   a    4         240       SYC
10.10.10.2      10.23.195.12    6    45678 443   0/0      0    0   0   tunnel 15   a    4         240       SYC
The S flag denotes that the traffic was source-NATed by the controller.
However, one thing to notice is the entry for the return traffic: the destination IP is 10.23.195.11 for HTTP traffic and 10.23.195.14 for HTTPS traffic.
The HTTPS traffic used an IP address from the NAT pool to source-NAT the traffic.
Please note that for clients connecting to the controller using Aruba's VIA, source NAT using IP NAT inside or IP NAT outside does not work. Only the access-list method works for these clients.
Please refer to the following article for more details: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-enable-source-NAT-for-VIA-clients/ta-p/183008
(Please note that the position of the Access-list in the article should have been src-nat at first followed by allow-all in the second position)
Dual NAT
Dual NAT can remap both the source and the destination IP with new IP addresses. All the rules for remapping of IPs and port numbers apply to dual NAT as well. Please find the example of dual NAT below:
ip nat pool dual-nat 10.23.195.14 10.23.195.16 10.23.195.12
We first need to create an IP NAT pool specifying the source IP address range and the destination IP address.
[VMC-GROUP] (config) #ip access-list session dual-nat
[VMC-GROUP] (config-submode)#any any svc-http dual-nat pool DUAL-NAT
[VMC-GROUP] (config-submode)#any any any permit
The above configuration remaps all HTTP traffic with a source IP from the range between 10.23.195.14 and 10.23.195.16, and the traffic is destination-NATed to 10.23.195.12.
This access-list was mapped to a user-role, and the role was mapped as the initial role of an AAA profile.
(Aruba) [MDC] #show user
Users
-----
IP          MAC                Name  Role      Age(d:h:m)  Auth  VPN link  AP name            Roaming   Essid/Bssid/Phy                        Profile        Forward mode  Type     Host Name  User Type
----------  -----------------  ----  --------  ----------  ----  --------  -----------------  --------  -------------------------------------  -------------  ------------  -------  ---------  ---------
10.10.10.2  d8:32:e3:7b:df:03        dual-nat  00:00:05                    18:64:72:cd:ed:b4  Wireless  Aruba-WPA-PSK/18:64:72:5e:db:52/a-VHT  Aruba-WPA-PSK  tunnel        Android             WIRELESS
Since dual NAT was performed, both the S and N flags should be visible for both the request and the response.
(Aruba) [MDC] #show datapath session table
10.10.10.2      4.2.2.2         6    46511 80    0/0      0    0   0   tunnel 18   8    4         240       SNYC
10.23.195.12    10.23.195.14    6    80    43777 0/0      0    0   0   tunnel 18   2    0         0         SNY
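As an added example (not from this article), a small Python parser for the "show datapath session table" output used throughout this answer. It classifies each session as source-, destination- or dual-NATed from the S and N flags in the table's legend, so the three NAT types can be spotted in one pass instead of by eye; the sample output is constructed from the legend and rows shown above.

```python
import re
from dataclasses import dataclass

# Flag letters from the legend of "show datapath session table" (the article explains these four).
FLAG_MEANING = {"S": "src NAT", "N": "dest NAT", "Y": "no syn", "C": "client"}

# Constructed sample: legend and header as printed, then rows copied from the article's outputs.
SAMPLE = """\
Flags: S - src NAT, N - dest NAT
       Y - no syn, C - client
Source IP       Destination IP  Prot SPort DPort Cntr   Prio ToS Age Destination TAge Packets Bytes Flags
10.23.195.12    10.23.10.49     6    23    2394  0/0    0    0   0   0/0/0       6    0       0     SY
10.23.10.49     10.23.195.11    6    2394  1234  1/4097 0    0   0   0/0/0       6    2       104   NYC
10.23.195.12    10.23.195.11    17   8211  8498  1/0    0    0   1   0/0/0       7    0       0     FYCI
10.10.10.2      10.23.195.12    6    40644 80    0/0    0    0   1   tunnel 18   a    6       733   FSC
10.10.10.2      4.2.2.2         6    46511 80    0/0    0    0   0   tunnel 18   8    4       240   SNYC
"""
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

@dataclass
class Session:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    flags: str

    @property
    def nat_type(self):
        s, n = "S" in self.flags, "N" in self.flags
        return "dual" if s and n else "source" if s else "dest" if n else "none"

    def explain(self):
        # Spell out the flag letters; letters the legend does not cover are marked unknown.
        return ", ".join(FLAG_MEANING.get(f, f"unknown({f})") for f in self.flags)

def parse_session_line(line):
    """Parse one table row; return None for legend, header and blank lines."""
    tok = line.split()
    # A row starts with two IPv4 addresses. The Destination column can be one
    # token ("0/0/0") or two ("tunnel 18"), so fixed fields are read from the
    # front of the row and the flags from the end rather than by fixed index.
    if len(tok) < 14 or not all(IPV4.fullmatch(t) for t in tok[:2]):
        return None
    return Session(tok[0], tok[1], int(tok[2]), int(tok[3]), int(tok[4]), tok[-1])

def nat_sessions(output):
    """Return the parsed rows that were source-, destination- or dual-NATed."""
    rows = (parse_session_line(line) for line in output.splitlines())
    return [r for r in rows if r is not None and r.nat_type != "none"]
```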