Saturday, May 26, 2012

NAT Virtual Interface


The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either Network Address Translation (NAT) inside or NAT outside. An interface can be configured to use NAT or not use NAT.

NVI allows traffic between overlapping VPN routing/forwarding (VRF) instances in the same Provider Edge (PE) router, and traffic from inside to inside between overlapping networks.


In the normal (domain-based) NAT scenario:
Packets arriving on the NAT outside interface are first translated and then routed. On the inside interface the routing decision happens first; only then are the translation rules applied, followed by forwarding.

(5.5.5.5) -R5- nat in -R2 -nat out - R1 -R3(3.3.3.3)

debug on R2:
*Mar  1 01:25:16.647: NAT: Allocated Port for 5.5.5.5 -> 10.12.0.2: wanted 21 got 21
*Mar  1 01:25:16.651: IP: tableid=0, s=5.5.5.5 (Ethernet0/0), d=3.3.3.3 (Ethernet0/1), routed via FIB
^^^ inside, route before NAT ^^^
*Mar  1 01:25:16.655: NAT: i: icmp (5.5.5.5, 21) -> (3.3.3.3, 21) [32]
*Mar  1 01:25:16.659: NAT: s=5.5.5.5->10.12.0.2, d=3.3.3.3 [32]
*Mar  1 01:25:16.659: IP: s=10.12.0.2 (Ethernet0/0), d=3.3.3.3 (Ethernet0/1), g=10.12.0.1, len 100, forward
*Mar  1 01:25:16.667:     ICMP type=8, code=0
*Mar  1 01:25:16.791: NAT: o: icmp (3.3.3.3, 21) -> (10.12.0.2, 21) [32]
*Mar  1 01:25:16.795: NAT: s=3.3.3.3, d=10.12.0.2->5.5.5.5 [32]
^^^ outside, NAT before route ^^^
*Mar  1 01:25:16.795: IP: tableid=0, s=3.3.3.3 (Ethernet0/1), d=5.5.5.5 (Ethernet0/0), routed via FIB
*Mar  1 01:25:16.799: IP: s=3.3.3.3 (Ethernet0/1), d=5.5.5.5 (Ethernet0/0), g=10.25.0.5, len 100, forward
*Mar  1 01:25:16.799:     ICMP type=0, code=0


NVI scenario:
So what’s the difference with NVI? First, NAT now behaves symmetrically. Next, the NAT translation table is used to take a “routing decision” that sends the packet to the virtual interface. The packet is translated there, then another routing decision takes place, followed by forwarding. So the difference from the old model is that the routing decision is taken twice: before and after translation. This removes the need for the static routes that “legacy” NAT required, since the lookup is performed after translation.

To summarize: domain-based NAT uses a different order of operations for the inside and outside domains. NVI-based NAT is symmetrical and performs the routing lookup twice: first to send the packet to the NVI, second to route the packet using the post-translation addresses.

Note: this setup only works for traffic initiated in one direction, e.g. from R5 to R3; the other way around does not work (as R3 does not know a route to 5.5.5.5).

--------
The new NAT virtual interface makes no distinction between an outside and an inside interface.
1. First it checks whether the packet needs to be NATed.
2. If it does, the packet is routed to the virtual interface, where the translation is done.
3. After translation, the packet is routed again.
--------
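As an added illustration (a constructed model, not Cisco code and not from the original post), the two orders of operations from the summary and the three-step list above, using the addresses from the R2 debug. The routing table, the static 5.5.5.5 <-> 10.12.0.2 entry and the function names are assumptions.

```python
import ipaddress
# Constructed R2 routing table: prefix -> egress interface (longest match wins).
ROUTES = {
    "5.5.5.5/32": "Ethernet0/0",    # inside, towards R5
    "10.25.0.0/24": "Ethernet0/0",
    "3.3.3.3/32": "Ethernet0/1",    # outside, towards R1 and R3
    "10.12.0.0/24": "Ethernet0/1",
}
NAT = {"5.5.5.5": "10.12.0.2"}      # static entry from the debug: inside local -> inside global
REVERSE_NAT = {g: l for l, g in NAT.items()}

def route(dst):
    """Longest-prefix match on ROUTES; returns the egress interface or None."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def translate(pkt):
    """Apply the static entry in whichever direction matches; returns (pkt, hit)."""
    src, dst = pkt
    if src in NAT:                      # inside -> outside: rewrite the source
        return (NAT[src], dst), True
    if dst in REVERSE_NAT:              # outside -> inside: rewrite the destination
        return (src, REVERSE_NAT[dst]), True
    return pkt, False

def domain_nat(pkt, ingress_is_inside):
    """Legacy NAT: inside routes before translating, outside translates before routing."""
    if ingress_is_inside:
        egress = route(pkt[1])          # lookup on the pre-translation destination
        pkt, _ = translate(pkt)
        steps = ["route", "nat"]
    else:
        pkt, _ = translate(pkt)
        egress = route(pkt[1])          # lookup on the post-translation destination
        steps = ["nat", "route"]
    return {"steps": steps + ["forward"], "egress": egress, "pkt": pkt}

def nvi_nat(pkt):
    """NVI: one code path both ways; the table decides, then the packet is routed twice."""
    _, hit = translate(pkt)             # does this packet need translation at all?
    steps = ["nat-lookup"]
    if hit:                             # first "routing decision": send it to the NVI
        pkt, _ = translate(pkt)
        steps += ["route-to-nvi", "nat"]
    egress = route(pkt[1])              # second lookup, on post-translation addresses
    return {"steps": steps + ["route", "forward"], "egress": egress, "pkt": pkt}
```

Calling route("10.12.0.2") directly shows why the outside domain must translate first: the untranslated return destination matches 10.12.0.0/24 and would be sent back out Ethernet0/1 instead of towards R5.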

The Inside and Outside of NAT
MPLS VPN: Using the NAT Virtual Interface for Internet Access
NAT Virtual Interface
