
Wednesday, December 27, 2017

Domainless Static NAT with NVI Zero

Old-style or classic NAT is called Domain NATing because, to do NAT, we specify inside and outside domains. This method has limitations compared with the newer method of doing NAT, called Domainless NATing.

Here are some example situations where Domain NATing cannot be used.

In the VRF example above, both VRF subnets (Shop & Bank) have to be NATed when they enter the VRF-Service network. Domain NATing cannot be used here.

In the second diagram, both INSIDE and DMZ are the company's inside networks, so for traffic from INSIDE to DMZ, what would we use as the domains?

NVI (NAT Virtual Interface) addresses these and many other limitations of classic Domain NATing. NAT is now done at a virtual interface inside the process rather than on the physical interfaces. You can even NAT traffic that enters and leaves on the same interface, like hair-pinning or NAT loopback on Cisco ASAs.

Let's look at a simple static NAT example first.

Let's configure NAT on R2.

Enable NAT on the interfaces:

R2(config)#int e0/0
R2(config-if)#ip nat enable

R2(config)#int e0/1
R2(config-if)#ip nat enable

Do the mapping:
R2(config)#ip nat source static 192.168.2.21 203.115.41.221
R2(config)#ip nat source static 192.168.2.22 203.115.41.222

Note:- 

As soon as you enter any NAT-related command, NVI0 comes up as a new interface. It borrows the IP address of an actual interface purely for display; the IP address of NVI0 does not matter. Because I entered a NAT command on the e0/0 interface first, it took the IP address of that interface. If I had entered a global command, I think it would take the IP address of the lowest-numbered interface (E0/0 in this case).
You cannot enter its interface configuration or change it. If you want to remove it, you have to undo all the NAT-related commands and reboot the router.

Now let's look at the translation table with the show ip nat nvi translations command.

No translations have occurred yet, as no traffic has passed through.

Let's look at the routing table.

There are two entries in the routing table for the NAT IPs, pretty much the same as with Domain NATing.

When the servers generate traffic destined outside their network (for example, pinging 203.115.41.111, which is the public IP of PC1, from 203.115.41.221), you will see the following output.

The Inside Global, Inside Local, Outside Global and Outside Local columns have been replaced by the headings shown above, which mean the same thing.

Let's change something and see the behaviour.

This time I am swapping the source and global address of Server-2. Let's see what happens.
Doing the mapping:
R2(config)#ip nat source static 203.115.41.222 192.168.2.22

Now, before any traffic passes through, the table looks like this.

Now how about a ping from Server-2 to 203.115.41.111?
Well, it does not ping, because there is no matching translation rule.

Note:- 

The above command means: translate the source IP to 192.168.2.22 if it is 203.115.41.222.
But the source IP is always 192.168.2.22, so the packet is forwarded by R2 according to the routing table without any translation, and the reply never comes back because the far-end destination does not know how to reach 192.168.2.22.

Even though the rule is incorrect, there is still a routing entry for the static destination 192.168.2.22 as a local route via E0/1.
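To make the direction of matching concrete, here is an added Python model (example code written for this post, not from the post itself or from Cisco IOS) of how an NVI static source rule is applied on the way out and on the way back, using the addresses above. It assumes the outside host only answers addresses in 203.115.41.0/24, standing in for PC1 having no route to 192.168.2.0/24.

```python
import ipaddress

# Assumed outside prefix: the far end can only reply to addresses in it.
PUBLIC_NET = ipaddress.ip_network("203.115.41.0/24")


def translate_outbound(rules, src, dst):
    """Server -> outside. 'ip nat source static LOCAL GLOBAL' rewrites a
    source of LOCAL to GLOBAL; any other source is forwarded untouched."""
    for local, glob in rules:
        if src == local:
            return glob, dst, (local, glob)
    return src, dst, None


def translate_inbound(rules, src, dst):
    """Outside -> server. The same rule in reverse: a destination of GLOBAL
    is rewritten back to LOCAL."""
    for local, glob in rules:
        if dst == glob:
            return src, local, (local, glob)
    return src, dst, None


def ping(rules, server, target):
    """One echo request/reply round trip. Returns (reachable, nvi_entries),
    where nvi_entries are the (local, global) pairs that were hit."""
    entries = []
    s, d, hit = translate_outbound(rules, server, target)
    if hit:
        entries.append(hit)
    # Untranslated private source: the outside host has no route back.
    if ipaddress.ip_address(s) not in PUBLIC_NET:
        return False, entries
    _, rd, hit = translate_inbound(rules, d, s)
    if hit and hit not in entries:
        entries.append(hit)
    return rd == server, entries


# Mappings as configured on R2 in the first part of the post.
CORRECT = [("192.168.2.21", "203.115.41.221"), ("192.168.2.22", "203.115.41.222")]
# Rule for Server-2 entered with local/global swapped, as in the second part.
REVERSED = [("192.168.2.21", "203.115.41.221"), ("203.115.41.222", "192.168.2.22")]

if __name__ == "__main__":
    print(ping(CORRECT, "192.168.2.22", "203.115.41.111"))   # (True, [('192.168.2.22', '203.115.41.222')])
    print(ping(REVERSED, "192.168.2.22", "203.115.41.111"))  # (False, [])
```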

Note:- 

The above example could have been done with Domain NATing too. More unique examples for Domainless NATing will be discussed in later posts.
