NAT server and NAT static

Latest reply: Dec 26, 2019 03:50:11

NAT server and NAT static are two commonly used techniques.

For access from the public network to the private network, NAT server and NAT static behave the same. For access from the private network to the public network, NAT server translates only the IP address, while NAT static translates both the IP address and the port. The two are easy to confuse, so let me share a related case with you.

Problem Description

Topology:

192.168.14.19----Peer device --- Tunnel ---AR1220----192.168.9.253

The AR1220 establishes an IPSec tunnel with the peer device. After the tunnel is established, the internal IP addresses of the two ends can ping each other. However, the internal network gateway of the AR1220 (192.168.9.253) cannot telnet to the internal network gateway of the peer device.

Handling Procedure

1. Check the encryption data flow and IPSEC SA tunnel information at both ends. The information is normal. The related information is as follows:

dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "center_vpn"
  Sequence number  : 1
  Acl group        : 0
  Acl rule         : 0
  Mode             : Template
  -----------------------------
    Connection ID     : 1481
    Encapsulation mode: Tunnel
    Tunnel local      : 172.x.20.10
    Tunnel remote     : 172.x.10.10
    Flow source       : 192.168.9.0/255.255.255.0 0/0
    Flow destination  : 192.168.14.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs]
      SPI: 3354115212 (0xc7ebbc8c)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 0/2949
      Outpacket count       : 0          
      Outpacket encap count : 0          
      Outpacket drop count  : 0          
      Max sent sequence-number: 0        
      UDP encapsulation used for NAT traversal: N
                                         
    [Inbound ESP SAs]                    
      SPI: 1560642734 (0x5d0584ae)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 0/2949
      Inpacket count        : 0
      Inpacket decap count  : 0
      Inpacket drop count   : 0
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
dis ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase 
  ---------------------------------------------------------------
     1481    172.x.10.10   0     RD                     2    
     1478    172.x.10.10   0     RD                     1    

2. Using the display ipsec statistics esp command, the output shows that no packets are counted during the Telnet test, but packets are counted during the ping test.

dis ipsec statistics esp
Inpacket count            : 0
Inpacket auth count       : 0
Inpacket decap count      : 0
Outpacket count           : 0
Outpacket auth count      : 0
Outpacket encap count     : 0
Inpacket drop count       : 0
Outpacket drop count      : 0
BadAuthLen count          : 0
AuthFail count            : 0
InSAAclCheckFail count    : 0
PktDuplicateDrop count    : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count     : 0

3. The captured packets and traffic statistics show that the AR1220 does send Telnet packets.

Interface: Vlanif1
Traffic policy inbound: a
Rule number: 1
Current status: OK!
Item                    Sum(Packets/Bytes)               Rate(pps/bps)
------------------------------------------------------------------------------
Matched                           1/90                          1/96          
   Passed                          1/90                          1/96          
   Dropped                         0/0                           0/0           
     Filter                        0/0                           0/0           
     CAR                           0/0                           0/0           
   Queue Matched                   0/0                           0/0           
     Enqueued                      0/0                           0/0           
     Discarded                     0/0                           0/0           
   CAR                             0/0                           0/0           
     Green packets                 0/0                           0/0           
     Yellow packets                0/0                           0/0           
     Red packets                   0/0                           0/0      

The preceding information indicates that the AR1220 sends Telnet packets from 192.168.9.253 but does not forward them through IPSec encryption. It is suspected that the device performs IPSec encryption for ICMP packets but follows a different forwarding process for non-ICMP packets.

4. Check the configuration on the interface. It is found that NAT server is configured for the 192.168.9.253 address so that the external network can reach the intranet address 192.168.9.253 on its mapped port.


interface GigabitEthernet0/0/0
description to_Internet
tcp adjust-mss 1200
ip address 172.XX.20.10 255.255.255.0
nat server protocol tcp global current-interface 8080 inside 192.168.9.253 8080
nat outbound 3000
ipsec policy center_vpn

Checking the NAT session table for this address shows that packets from 192.168.9.253 to the peer address are translated to the public address.

5. After the nat server entry is changed to nat static, Telnet works normally.

nat static protocol tcp global current-interface 8080 inside 192.168.9.253 8080

Root Cause

The nat server entry is configured on the outbound interface facing the public network. As a result, NAT is performed on all TCP packets sent from 192.168.9.253, and the translated packets no longer match the IPSec flow, so they cannot enter the IPSec tunnel. After the configuration is changed to nat static protocol tcp global current-interface 8080 inside 192.168.9.253 8080, services are normal: with nat static, NAT is performed only when the source address is 192.168.9.253 and the TCP port number is 8080. Therefore, the communication is normal after the NAT server entry is changed to NAT static.
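The behaviour behind this root cause, as an added example that is not from the original post or from Huawei's software: a small Python model of the two outbound translation rules as the post describes them, applied to constructed sample flows and then checked against the tunnel's flow ACL (192.168.9.0/24 to 192.168.14.0/24, from the display ipsec sa output above). The assumption that NAT is applied before the IPSec policy match on the outbound interface follows the post's observation; the public address 172.0.20.10 is a placeholder for the masked 172.x.20.10, and the source ports and the Internet client address are constructed.

```python
"""Added example (not from the original post or from Huawei): model how
'nat server' and 'nat static' differ for private->public traffic, and why
a source address translated before IPSec stops matching the tunnel's flow ACL.

Addresses come from the post; PUBLIC_IP is a placeholder for the masked
172.x.20.10, and the sample ports and Internet client address are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INSIDE_HOST = "192.168.9.253"             # inside address from the nat server line
INSIDE_PORT = 8080                        # inside port from the nat server line
PUBLIC_IP = "172.0.20.10"                 # placeholder for the interface address 172.x.20.10
PUBLIC_PORT = 8080                        # global port from the nat server line
FLOW_SRC = ip_network("192.168.9.0/24")   # "Flow source" in display ipsec sa
FLOW_DST = ip_network("192.168.14.0/24")  # "Flow destination" in display ipsec sa


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def nat_server_outbound(pkt: Packet) -> Packet:
    """'nat server protocol tcp global current-interface 8080 inside 192.168.9.253 8080'
    as the post describes it: for private->public traffic only the IP address is
    translated, so every TCP packet sourced from the inside host is rewritten."""
    if pkt.proto == "tcp" and pkt.src == INSIDE_HOST:
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def nat_static_outbound(pkt: Packet) -> Packet:
    """'nat static protocol tcp global current-interface 8080 inside 192.168.9.253 8080':
    address and port are both part of the mapping, so only traffic leaving the
    inside host's port 8080 is translated."""
    if pkt.proto == "tcp" and pkt.src == INSIDE_HOST and pkt.sport == INSIDE_PORT:
        return replace(pkt, src=PUBLIC_IP, sport=PUBLIC_PORT)
    return pkt


def matches_ipsec_flow(pkt: Packet) -> bool:
    """The ACL that selects traffic for the center_vpn tunnel."""
    return ip_address(pkt.src) in FLOW_SRC and ip_address(pkt.dst) in FLOW_DST


def forward(pkt: Packet, nat_rule):
    """Assumption, consistent with the post's observation: NAT runs before the
    IPSec policy check on the outbound interface. Returns (path, post-NAT packet)
    where path is 'ipsec' or 'plain'."""
    translated = nat_rule(pkt)
    path = "ipsec" if matches_ipsec_flow(translated) else "plain"
    return path, translated


# Constructed sample flows from the AR1220 gateway
TELNET = Packet("tcp", INSIDE_HOST, 51000, "192.168.14.19", 23)   # telnet to peer LAN
PING = Packet("icmp", INSIDE_HOST, 0, "192.168.14.19", 0)          # ping to peer LAN
WEB_REPLY = Packet("tcp", INSIDE_HOST, 8080, "203.0.113.5", 40000)  # reply to an Internet client


def compare() -> dict:
    """Run each sample flow through both NAT styles and record the resulting path."""
    results = {}
    for name, pkt in {"telnet": TELNET, "ping": PING, "web_reply": WEB_REPLY}.items():
        results[name] = {
            "nat_server": forward(pkt, nat_server_outbound)[0],
            "nat_static": forward(pkt, nat_static_outbound)[0],
        }
    return results


if __name__ == "__main__":
    for flow, r in compare().items():
        print(f"{flow:10s} nat server -> {r['nat_server']:5s} | nat static -> {r['nat_static']}")
```

Running the script shows the post's symptom: under nat server, Telnet from the gateway is source-translated to the public address and falls out of the tunnel, while ping (ICMP) is untouched and is still encrypted; under nat static only the port-8080 service traffic is translated, so Telnet keeps its private source and matches the flow ACL. Comparing the post-NAT source against the flow ACL is the check to run whenever a NAT rule and an IPSec policy share an interface.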


Thanks

We often mix them up.

I haven't distinguished the two commands before.
