NAT Order of Operations

/ NAT order of operation
DATE: 3 February 2003
Title: / NAT Order of Operation
Date: / 3 February 2003
Document ID: / SUPPORT-IPNAT-2003-001
Version: / 2.4
Version 1.0 was email format
Version 2.0 was initial graphics
Changes since 2.0:
Changed table numbering to match chapters (2.1)
Added initial comments from TAC (2.1)
Added comments/diagram per BN review (2.2)
Added comments from development (2.3)
Spelling check (2.4)
Abstract: / This document outlines the capabilities of NAT in processing packets on the incoming and outgoing interfaces.

Table of Contents

1. Network Address Translation (NAT) Definitions

1.1Inside Interface

1.2Outside Interface

1.3Inside Source NAT (Dynamic)

1.4Inside Source NAT (Static)

1.5Inside Destination NAT

2Foundry NAT Order of Operation

2.1ICMP Order of Operation Inside-to-Outside

2.2ICMP Order of Operation – Outside-to-Inside (Response to ICMP Inside-to-Outside Packets)

2.3ICMP Order of Operation – Outside-to-Inside (Initiated from Outside)

2.4ICMP Order of Operation – Inside-to-Inside

2.5TCP Order of Operation – Inside-to-Outside

2.6TCP Order of Operation – Outside-to-Inside

2.7TCP Order of Operation Inside-to-Inside

UDP Order of Operation – Inside-to-Outside

UDP Order of Operation – Outside-to-Inside

2.8UDP Order of Operation Inside-to-Inside

1. Network Address Translation (NAT) Definitions

1.1Inside Interface

Interface on the private IP Side (figure 1-1). Note that inside and outside logical interfaces can be configured on the same interface and the clouds in the diagram are logical.

1.2Outside Interface

Interface on the Global Internet or other private IP network (figure 1-1). Note that inside and outside logical interfaces can be configured on the same interface and the clouds in the diagram are logical.

1.3Inside Source NAT (Dynamic)

NAT performed on the source address of the inside interface IP address range. Figure 1-2 shows the fields changed by the Foundry Layer 3 Switch Router performing Inside Source NAT.

1.4Inside Source NAT (Static)

NAT performed on the source address of the Inside Interface IP address range with a static source NAT configuration. Figure 1-2 shows the fields changed by the Foundry Layer 3 Switch Router performing Inside Source NAT.

1.5Inside Destination NAT

NAT performed on the destination address of the Inside Interface IP Address Range. Figure 1-5 displays the fields manipulated by the Foundry Layer 3 Switch Router during Outside Source NAT operation.

2Foundry NAT Order of Operation

Foundry Networks implementation of NAT depends on the protocol undergoing the translation. The basic operations include Policy-Based Routing (PBR), routing, input Access Control Lists (ACLs), output ACL’s, and NAT itself. It is important to understand the order of operation that is performed on each incoming packet for these processes. Additionally, the behavior is different for different protocol types and different packet directions.

2.1ICMP Order of Operation Inside-to-Outside

Figure 2-1 depicts the order of operation for inside-to-outside translation for Internet Control Messaging Protocol (IP Protocol Type 1).

2.1.1Perform Policy Based Routing

NOTE: Outbound ACL does not work with PBR on the same interface.

2.1.2Perform Routing Function

Note that routing must select the interface with outside NAT enabled for NAT to occur.

2.1.3Check Packet Against Input Access Control List

2.1.4Perform Network Address Translation

2.1.5Check Packet Against Outboud Access Control List

NOTE: Outbound ACL and PBR does not work on the same interface

2.2ICMP Order of Operation – Outside-to-Inside (Response to ICMP Inside-to-Outside Packets)

Figure 2-2 displays the order of operations for outside-to-inside NAT with ICMP response packets.

2.2.1Perform Policy Based Routing

Outboud ACL on PBR interface does not work together.

2.2.2Perform Routing Function

2.2.3Check Packet Against Input Access Control List

2.2.4Perform Network Address Translation – Outside-to-Inside ICMP Response

2.2.5Check Packet Against Outboud Access Control List

Outboud ACL on PBR interface does not work together.

2.3ICMP Order of Operation – Outside-to-Inside (Initiated from Outside)

Figure 2-3 displays the operations sequence for outside to inside NAT for ICMP traffic initiated from the outside. Notice that NAT is not performed!

2.3.1Perform Policy Based Routing

2.3.2Perform Routing Function

A Foundry Networks device will reply to ICMP packets initiated from outside where the destination is a NAT address from the outside interface NAT address configuration unless it is an ICMP return packet as per 2.2 above.

2.3.3Check Packet Against Input Access Control List

2.4ICMP Order of Operation – Inside-to-Inside

Inside-to-inside translation occurs when both “ip nat inside” and “ip nat outside” are configured on the same interface. Figure 2-4 depicts inside-to-inside NAT packet flow.

2.4.1Routing Lookup for Destination IP

2.4.2NAT Inside-to-Inside

Dependent on NAT configuration, the example below (Figure 2-4) displays a static source NAT configuration

2.5TCP Order of Operation – Inside-to-Outside

Figure 2-5 depicts the order of operation for inside-to-outside translation for Transmission Control Protocol (IP Protocol 6).

2.5.1Perform Policy Based Routing

Outbound ACL on PBR interface does not work.

2.5.2Perform Routing Function

Note that routing must select the interface with outside NAT enabled for NAT to occur.

2.5.3Check Packet Against Input Access Control List

2.5.4Perform Network Address Translation

2.5.5Check Packet Against Outboud Access Control List

Outboud ACL on PBR interface does not work.

2.6TCP Order of Operation – Outside-to-Inside

Figure 2-6 depicts the order of operation for TCP Outside-to-Inside NAT.

2.6.1Perform Policy Based Routing

Outboud ACL on PBR interface does not work

2.6.2Perform Routing Function

2.6.3Check Packet Against Input Access Control List

2.6.4Perform Network Address Translation

2.6.5Check Packet Against Outboud Access Control List

Outboud ACL on PBR interface does not work

2.7TCP Order of Operation Inside-to-Inside

Inside-to-inside translation occurs when both “ip nat inside” and “ip nat outside” are configured on the same interface. Figures 2-7 displays TCP inside-to-inside translation. The order of operation is different depending on if Policy Based Routing is enabled.

Note: RTSP and MMS not supported protocols for inside-to-inside translation.

Note: Inside-to-Inside translation only occurs when enabling inside and outside NAT on the same interface.

2.7.1Inside-to-Inside without PBR

2.7.1.1Check Inbound ACL

2.7.1.2Perform Inside-to-Outside NAT

2.7.1.3Perform Outside-to-Inside NAT

2.7.1.4Perform Routing

2.7.1.5Process Outbound ACL

2.7.2Inside-to-Inside with PBR

2.7.2.1Perform Policy Based Routing

2.7.2.2Perform Routing

2.7.2.3Perform Inside-to-Outside NAT

UDP Order of Operation – Inside-to-Outside

Figure 2-8 depicts the order of operation for inside-to-outside translation for Transmission Control Protocol (IP Protocol 17).

2.7.3Perform Policy Based Routing

Outboud ACL on PBR interface does not work

2.7.4Perform Routing Function

Note that routing must select the interface with outside NAT enabled for NAT to occur.

2.7.5Check Packet Against Input Access Control List

2.7.6Perform Network Address Translation

2.7.7Check Packet Against Outboud Access Control List

Outboud ACL on PBR interface does not work

UDP Order of Operation – Outside-to-Inside

Figure 2-9 depicts the order of operation for UDP Outside-to-Inside NAT.

2.7.8Perform Policy Based Routing

Outboud ACL on PBR interface does not work

2.7.9Perform Routing Function

2.7.10Check Packet Against Input Access Control List

2.7.11Network Address Translation Outside to Inside

2.7.12Check Packet Against Outboud Access Control List

Outboud ACL on PBR interface does not work

2.8UDP Order of Operation Inside-to-Inside

Inside-to-inside translation occurs when both “ip nat inside” and “ip nat outside” are configured on the same interface. Figures 2-10 displays UDP inside-to-inside translation. The order of operation is different depending on if Policy Based Routing is enabled. Note: RTSP and MMS not supported protocols for inside-to-inside translation.

NAT Order of Operations

1. Network Address Translation (NAT) Definitions

1.1Inside Interface

1.2Outside Interface

1.3Inside Source NAT (Dynamic)

1.4Inside Source NAT (Static)

1.5Inside Destination NAT

2Foundry NAT Order of Operation

2.1ICMP Order of Operation Inside-to-Outside

2.1.1Perform Policy Based Routing

2.1.2Perform Routing Function

2.1.3Check Packet Against Input Access Control List

2.1.4Perform Network Address Translation

2.1.5Check Packet Against Outboud Access Control List

2.2ICMP Order of Operation – Outside-to-Inside (Response to ICMP Inside-to-Outside Packets)

2.2.1Perform Policy Based Routing

2.2.2Perform Routing Function

2.2.3Check Packet Against Input Access Control List

2.2.4Perform Network Address Translation – Outside-to-Inside ICMP Response

2.2.5Check Packet Against Outboud Access Control List

2.3ICMP Order of Operation – Outside-to-Inside (Initiated from Outside)

2.3.1Perform Policy Based Routing

2.3.2Perform Routing Function

2.3.3Check Packet Against Input Access Control List

2.4ICMP Order of Operation – Inside-to-Inside

2.5TCP Order of Operation – Inside-to-Outside

2.6TCP Order of Operation – Outside-to-Inside

2.7.1.1Check Inbound ACL

2.7.1.2Perform Inside-to-Outside NAT

2.7.1.3Perform Outside-to-Inside NAT

2.7.1.4Perform Routing

2.7.1.5Process Outbound ACL

2.7.2.1Perform Policy Based Routing

2.7.2.2Perform Routing

2.7.2.3Perform Inside-to-Outside NAT

2.8.1.1Check Inbound ACL

2.8.1.2Perform Inside-to-Outside NAT

2.8.1.3Perform Outside-to-Inside NAT

2.8.1.4Perform Routing

2.8.1.5Process Outbound ACL

2.8.2.1Perform Policy Based Routing

2.8.2.2Perform Routing