NAT
Network Address Translation is a method of rewriting the IP addresses in packets. SoodarOS uses the PNAT variant, which translates both the port and the address.
NAT Static Mapping
Define a static mapping for address translation.
Address only NAT
In this mode only the address is translated, to the given address. Depending on the flow direction (in2out or out2in), either the source or the destination of the packet is changed.
When a packet whose source matches the local address passes through an input interface, its source is replaced with the global address. When a packet whose destination matches the global address passes through an output interface, its destination is replaced with the local address.
- ip nat inside source static A.B.C.D A.B.C.D
Add a new static map entry to the NAT static table. The first IP is a local address, and the second is a global address.
Example:
soodar(config)# ip nat inside source static 192.168.1.10 85.20.1.1
soodar(config)# interface ge0
soodar(config-if)# ip nat inside
soodar(config)# interface ge1
soodar(config-if)# ip nat outside
This defines a static map entry that translates all ingress traffic on ge0 sourced from 192.168.1.10 to 85.20.1.1 (also known as Source NAT). Every packet arriving on ge1 that is destined to 85.20.1.1 is translated back to 192.168.1.10.
soodar(config)# ip nat inside source static 85.20.1.1 192.168.1.10
soodar(config)# interface ge0
soodar(config-if)# ip nat outside
soodar(config)# interface ge1
soodar(config-if)# ip nat inside
This defines a static map entry that translates all ingress traffic on ge0 destined to 192.168.1.10 to 85.20.1.1 (also known as Destination NAT). Every packet arriving on ge1 that is sourced from 85.20.1.1 is translated to 192.168.1.10.
Protocol NAT
Sometimes the NAT rule needs to be more specific and translate only a given protocol on a defined port. In that case the entry is defined with the protocol and the desired ports. In every other respect (including behaviour) such an entry works like a plain address-only NAT entry.
- ip nat inside source static <tcp|udp> A.B.C.D (1-65535) A.B.C.D (1-65535)
Add a new static map entry to the NAT static table. The first IP is a local address, and the number following is its port. The second IP is a global address, and the number following is its port.
Example:
soodar(config)# ip nat inside source static tcp 192.168.1.10 444 85.20.1.1 666
soodar(config)# interface ge0
soodar(config-if)# ip nat inside
soodar(config)# interface ge1
soodar(config-if)# ip nat outside
This defines a static map entry that translates all ingress TCP traffic on ge0 sourced from 192.168.1.10:444 to 85.20.1.1:666 (also known as Source NAT). Every packet arriving on ge1 that is destined to 85.20.1.1:666 is translated back to 192.168.1.10:444.
soodar(config)# ip nat inside source static tcp 85.20.1.1 666 192.168.1.10 444
soodar(config)# interface ge0
soodar(config-if)# ip nat outside
soodar(config)# interface ge1
soodar(config-if)# ip nat inside
This defines a static map entry that translates all ingress TCP traffic on ge0 destined to 192.168.1.10:444 to 85.20.1.1:666 (also known as Destination NAT). Every packet arriving on ge1 that is sourced from 85.20.1.1:666 is translated to 192.168.1.10:444.
Dynamic NAT
In dynamic NAT, the source of every packet that enters on an input interface and leaves through an output interface is translated to an IP address provided by an IP pool.
For every source translation a new session is created and its state is kept, so when a packet arrives on an output interface and matches an existing session, its destination is rewritten according to that session's information.
NAT IP pool
A pool of available IP addresses to use as a NAT IP.
- ip nat pool PNAT44 A.B.C.D [ A.B.C.D ]
Add an IP address (or an IP range, if the second address is provided) to the NAT pool named PNAT44.
Example:
soodar(config)# ip nat pool p1 1.1.1.1
soodar(config)# ip nat pool p2 2.1.1.1 2.1.1.10
The first command creates the NAT pool p1 and adds the address 1.1.1.1 to it; the second adds the range 2.1.1.1 to 2.1.1.10 to the NAT pool p2.
Put interface behind NAT
- ip nat inside
Define an interface as a NAT inside interface.
- ip nat outside
Define an interface as a NAT outside interface.
NAT Forwarding
When a packet arrives on an inside or an outside interface, the dataplane looks for a translation to use or create. If none is found, the packet is dropped. The administrator can change this behaviour so that, instead of being dropped, such packets are forwarded like normal packets on interfaces without NAT enabled.
- ip nat forwarding
Enable the NAT forwarding feature on the device.
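The following is a small model of the dataplane behaviour described in the static, protocol, dynamic and forwarding sections above, written as an added example to make the in2out/out2in rules concrete. It is not SoodarOS code: the class and method names mirror the CLI commands on this page but are assumptions, the session-table layout and the port-allocation rule are simplifications, and the remote hosts (203.0.113.5, 198.51.100.7) are constructed sample addresses. The model shows why an unsolicited packet from the outside is dropped until `ip nat forwarding` is enabled.

```python
# Toy model of the NAT44 rules on this page: static address-only and protocol
# entries, dynamic pool sessions, and NAT forwarding. Added example, not
# SoodarOS code; all names below are assumptions chosen to mirror the CLI.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for ICMP, the identifier (as the show output lists it)
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticEntry:
    local: str
    glob: str
    proto: Optional[str] = None   # None -> address-only entry
    lport: Optional[int] = None
    gport: Optional[int] = None


class Nat44:
    def __init__(self):
        self.static: list[StaticEntry] = []
        self.pool: list[str] = []      # a single pool is enough for the model
        self.inside: set[str] = set()
        self.outside: set[str] = set()
        self.forwarding = False
        self.in2out = {}   # (proto, src, sport, dst, dport) -> (gip, gport)
        self.out2in = {}   # (proto, gip, gport, remote, rport) -> (local, lport)
        self._rr = 0       # round-robin cursor into the pool

    # one method per CLI command
    def ip_nat_inside_source_static(self, local, glob, proto=None, lport=None, gport=None):
        self.static.append(StaticEntry(local, glob, proto, lport, gport))

    def ip_nat_pool(self, first, last=None):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last or first))
        self.pool += [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def ip_nat_inside(self, ifname): self.inside.add(ifname)
    def ip_nat_outside(self, ifname): self.outside.add(ifname)
    def ip_nat_forwarding(self): self.forwarding = True

    @staticmethod
    def _matches(e, proto, ip, port, side):
        want_ip, want_port = (e.local, e.lport) if side == "local" else (e.glob, e.gport)
        if ip != want_ip:
            return False
        return e.proto is None or (e.proto == proto and port == want_port)

    def _alloc(self, proto, remote, rport, sport):
        """Next pool IP round-robin; keep the source port unless that tuple is taken."""
        if not self.pool:
            return None
        gip = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        gport = sport
        while (proto, gip, gport, remote, rport) in self.out2in:
            gport = gport % 65535 + 1
        return gip, gport

    def process(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """Return the (possibly rewritten) packet, or None if the dataplane drops it."""
        if ingress in self.inside:                       # in2out: rewrite the source
            for e in self.static:
                if self._matches(e, pkt.proto, pkt.src, pkt.sport, "local"):
                    return replace(pkt, src=e.glob, sport=e.gport or pkt.sport)
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.in2out:
                got = self._alloc(pkt.proto, pkt.dst, pkt.dport, pkt.sport)
                if got is None:
                    return pkt if self.forwarding else None
                self.in2out[key] = got                   # new session, both directions
                self.out2in[(pkt.proto, got[0], got[1], pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            gip, gport = self.in2out[key]
            return replace(pkt, src=gip, sport=gport)
        if ingress in self.outside:                      # out2in: rewrite the destination
            for e in self.static:
                if self._matches(e, pkt.proto, pkt.dst, pkt.dport, "global"):
                    return replace(pkt, dst=e.local, dport=e.lport or pkt.dport)
            sess = self.out2in.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            if sess:
                return replace(pkt, dst=sess[0], dport=sess[1])
            return pkt if self.forwarding else None      # no translation: drop, or forward
        return pkt                                       # interface without NAT


def demo():
    """Run the page's scenarios against the model and return the results by name."""
    nat = Nat44()
    nat.ip_nat_inside("ge0")
    nat.ip_nat_outside("ge1")
    nat.ip_nat_inside_source_static("192.168.1.10", "85.20.1.1")                   # address-only
    nat.ip_nat_inside_source_static("192.168.1.20", "85.20.1.2", "tcp", 444, 666)  # protocol NAT
    nat.ip_nat_pool("2.1.1.1", "2.1.1.10")
    out = {}
    out["static_in2out"] = nat.process(Packet("tcp", "192.168.1.10", 5000, "203.0.113.5", 80), "ge0")
    out["static_out2in"] = nat.process(Packet("tcp", "203.0.113.5", 80, "85.20.1.1", 5000), "ge1")
    out["proto_in2out"] = nat.process(Packet("tcp", "192.168.1.20", 444, "203.0.113.5", 80), "ge0")
    out["proto_miss"] = nat.process(Packet("udp", "192.168.1.20", 444, "203.0.113.5", 53), "ge0")
    out["dyn_in2out"] = nat.process(Packet("tcp", "192.168.1.30", 46122, "198.51.100.7", 5201), "ge0")
    reply = Packet("tcp", "198.51.100.7", 5201, out["dyn_in2out"].src, out["dyn_in2out"].sport)
    out["dyn_out2in"] = nat.process(reply, "ge1")
    probe = Packet("tcp", "198.51.100.7", 4444, "2.1.1.1", 22)   # no session: dropped by default
    out["unsolicited"] = nat.process(probe, "ge1")
    nat.ip_nat_forwarding()
    out["forwarded"] = nat.process(probe, "ge1")        # same packet once forwarding is on
    return out
```

Run `demo()` to see the eight cases: the two static entries rewrite only the side the flow direction selects, the UDP packet that misses the TCP-only protocol entry falls through to the dynamic pool, and the probe aimed at a pool address with no matching session is returned as `None` (dropped) until forwarding is enabled, after which it passes unchanged.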
Debugging
Debug logging can be enabled when needed.
- debug nat44 event
Log dataplane installation processes and their results.
- show ip nat statistics
Show statistics about translations and the current NAT configuration.
soodar# show ip nat statistics
Total active translations: 4 (1 static, 3 dynamic)
Outside interfaces: ge1
Inside interfaces: ge0
NAT Forwarding: Disabled
- show ip nat translations
Show the currently active translations.
soodar# show ip nat translations
Pro   Inside Local       Inside Global      Outside Local      Outside Global
---------------------------------------------------------------------------
---   1.1.1.10           200.2.3.3          ---                ---
ICMP  1.1.1.10:48        200.2.3.3:48       2.1.1.10:48        2.1.1.10:48
TCP   1.1.1.10:46122     200.2.3.3:46122    2.1.1.10:5201      2.1.1.10:5201
TCP   1.1.1.10:46120     200.2.3.3:46120    2.1.1.10:5201      2.1.1.10:5201
ICMP  1.1.1.10:45        200.2.3.3:63327    2.1.1.10:45        2.1.1.10:45
Total number of translations: 4
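When the translation table is collected regularly (for instance by a monitoring job), it helps to parse it rather than eyeball it: static rows show up with `---` in the protocol and outside columns, and the trailer gives the device's own count. The parser below is an added example, not SoodarOS code; SAMPLE is a constructed capture laid out like the table above, and the function names are assumptions. It summarises the table, flags static entries the administrator did not intend to have, and checks the trailer against the row count.

```python
# Parser and sanity checks for the 'show ip nat translations' table format.
# Added example, not SoodarOS code; SAMPLE is constructed to match the page's layout.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
soodar# show ip nat translations
Pro   Inside Local       Inside Global      Outside Local      Outside Global
---------------------------------------------------------------------------
---   1.1.1.10           200.2.3.3          ---                ---
ICMP  1.1.1.10:48        200.2.3.3:48       2.1.1.10:48        2.1.1.10:48
TCP   1.1.1.10:46122     200.2.3.3:46122    2.1.1.10:5201      2.1.1.10:5201
TCP   1.1.1.10:46120     200.2.3.3:46120    2.1.1.10:5201      2.1.1.10:5201
Total number of translations: 4
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]            # None on a static address-only row ("---")
    inside_local: str
    inside_global: str
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def static(self) -> bool:
        return self.proto is None

    def ip_port(self, field):
        """Split an 'a.b.c.d:port' cell into (ip, port); port is None when absent."""
        val = getattr(self, field)
        if val is None:
            return None, None
        ip, _, port = val.partition(":")
        return ip, (int(port) if port else None)


def _cell(tok):
    return None if tok == "---" else tok


def parse_translations(text):
    """Return (rows, reported_total); reported_total is None if the trailer is missing."""
    rows, total = [], None
    for line in text.splitlines():
        if line.startswith("Total number of translations:"):
            total = int(line.rsplit(":", 1)[1])
            continue
        parts = line.split()
        # skip the prompt, the header, the separator and blank lines
        if len(parts) != 5 or parts[0].endswith("#") or parts[0] == "Pro":
            continue
        rows.append(Translation(_cell(parts[0]), parts[1], parts[2],
                                _cell(parts[3]), _cell(parts[4])))
    return rows, total


def summarize(rows):
    return {
        "total": len(rows),
        "static": sum(r.static for r in rows),
        "dynamic": sum(not r.static for r in rows),
        "by_proto": dict(Counter(r.proto for r in rows if r.proto)),
        "inside_globals": sorted({r.ip_port("inside_global")[0] for r in rows}),
    }


def unexpected_static(rows, allowed):
    """Static rows whose (local, global) pair is not in the administrator's intended set."""
    return [r for r in rows if r.static and (r.inside_local, r.inside_global) not in allowed]


def total_consistent(text):
    """True when the device's trailer count matches the number of rows parsed."""
    rows, total = parse_translations(text)
    return total is not None and total == len(rows)
```

Feed `parse_translations` the raw text of the command output; `unexpected_static` is the useful check in a change-control script, since a static mapping that nobody configured is exactly the kind of drift that should raise a ticket.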
Example configuration
soodar(config)# int ge0
soodar(config-if)# ip nat outside
soodar(config)# int ge2
soodar(config-if)# ip nat inside
soodar(config)# ip nat pool nat1 200.1.2.1