Networking

Learn how to use the NAT Order of Operations

Earlier this year, David Davis wrote an article about the Cisco IOS order of operations (http://www.techrepublic.com/5100-1035_11-6055946.html), and now he's delving deeper into the topic. Check out these three scenarios to get a better understanding of how to use the NAT Order of Operations.

Earlier this year, I wrote an article about the Cisco IOS order of operations ("Understand the order of operations for Cisco IOS"). In that article, I walked you through the two different order of operations tables, one of which is the NAT Order of Operations.

This time, I want to delve deeper into how to use the NAT Order of Operations. (For more information on using Network Address Translation (NAT), read "Set up NAT using the Cisco IOS.")

It's important to keep in mind that the NAT Order of Operations doesn't just apply to NAT. It applies to any combination of the operations on the list: the list details the order in which the router performs these tasks, whether or not you're actually using NAT.

A quick review

Before we get started, let's review the NAT Order of Operations.

Here's the order of operations for the inside-to-outside list:

  • If IPSec, then check input access list
  • Decryption—for Cisco Encryption Technology (CET) or IPSec
  • Check input access list
  • Check input rate limits
  • Input accounting
  • Policy routing
  • Routing
  • Redirect to Web cache
  • NAT inside to outside (local to global translation)
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect context-based access control (CBAC)
  • TCP intercept
  • Encryption

Here's the order of operations for the outside-to-inside list:

  • If IPSec, then check input access list
  • Decryption—for CET or IPSec
  • Check input access list
  • Check input rate limits
  • Input accounting
  • NAT outside to inside (global to local translation)
  • Policy routing
  • Routing
  • Redirect to Web cache
  • Crypto (check map and mark for encryption)
  • Check output access list
  • Inspect CBAC
  • TCP intercept
  • Encryption

Now that we've refreshed your memory about the actual NAT Order of Operations, let's explore some scenarios.

Scenario 1: Access lists and routing

Let's say that you've created an access list on a router that doesn't use NAT. When a packet enters the router, will the access list filter the traffic, or will it route the traffic first?

Actually, this is a trick question—you don't have enough information to answer it. You need to know whether the access list is an input or output access list.

Let's say that this is an input access list. In that case, the access list would filter the traffic before routing it. (This is the most efficient way to filter the traffic; if you want to eliminate traffic, you should do so before it eats up processing power on your router.)

If you're using an extended access list, you're filtering according to the source and destination IP addresses. Routing doesn't change those addresses, so an input access list and an output access list see the same source and destination on a router that isn't translating. Only NAT rewrites the addresses, and that is exactly why the position of NAT in the list matters in the next two scenarios.

Scenario 2: Crypto and NAT

Let's say that you're encrypting traffic with IPSec and you're using NAT. In this scenario, you're using local-to-global NAT (i.e., inside-to-outside), and you create an access list to define the traffic you want to encrypt.

When you write the crypto access list for traffic that also passes through NAT, should the source address in that list be the inside IP (i.e., the local address) or the outside IP (i.e., the global address)?

Since inside-to-outside translation occurs before the crypto step, the crypto access list sees the post-NAT source address, so you would use the global address in the crypto map if you really want to encrypt translated traffic. In practice, though, you usually want to use NAT for general Internet traffic and not for the site-to-site VPN traffic. The common approach is to exempt the VPN traffic from translation (a deny entry for it in the NAT access list, or a route-map that excludes it); the VPN packets then reach the crypto step untranslated, and the crypto access list matches on the original inside addresses.
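The following configuration shows the usual way to keep NAT off the VPN traffic so that the crypto access list can match on inside addresses. It is an added example, not code from the original column; the inside LAN 10.10.10.0/24, the remote site 192.168.50.0/24, the peer 203.0.113.1, the access-list and crypto-map names, and the pre-shared key are all assumed values.

```cisco
! Added example (not from the original column). Assumed values:
! inside LAN 10.10.10.0/24 behind Ethernet0/1, Internet-facing Ethernet0/0,
! remote VPN site 192.168.50.0/24 behind IPSec peer 203.0.113.1.
!
! NAT access list: "deny" here means "do not translate", not "drop".
! The VPN traffic is exempted; everything else from the inside LAN is translated.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Crypto access list: because the VPN traffic is exempt from NAT, the crypto
! step (which runs after NAT inside-to-outside) still sees the inside addresses,
! so this list matches on the local 10.10.10.0/24 source.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
ip nat inside source list NAT-TRAFFIC interface Ethernet0/0 overload
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-KEY-CHANGE-ME address 203.0.113.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC
!
interface Ethernet0/0
 ip nat outside
 crypto map VPN-MAP
!
interface Ethernet0/1
 ip nat inside
```

After applying it, `show ip nat translations` should show no entries for destinations in 192.168.50.0/24 while Internet-bound traffic is translated to the Ethernet0/0 address, and `show crypto ipsec sa` should show the SA built for 10.10.10.0/24 to 192.168.50.0/24. If you removed the deny line from NAT-TRAFFIC, the VPN packets would be translated before the crypto step and VPN-TRAFFIC would no longer match them, which is exactly the ordering point this scenario makes.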

Scenario 3: Access lists and NAT

For our final scenario, let's say you want to permit SSH traffic coming into your router from the outside network to an inside host using static NAT. Here are the relevant lines from the configuration:

interface Ethernet0/0
 ip address 172.16.6.6 255.255.255.0
 ip access-group 150 in
 ip nat outside

interface Ethernet0/1
 ip address 10.10.10.6 255.255.255.0
 ip nat inside

ip nat inside source static 10.10.10.4 172.16.6.14

access-list 150 permit tcp any host x.x.x.x eq 22
access-list 150 deny   ip any any log

Look at the access list and notice the x.x.x.x. Which IP address would go in that access list: 10.10.10.4 or 172.16.6.14?

In the outside-to-inside list, the router checks the input access list before NAT global-to-local translation takes place. A packet arriving on Ethernet0/0 therefore still carries the inside global address as its destination when access list 150 evaluates it, so you would use 172.16.6.14. An entry written for 10.10.10.4 would never match, and every inbound SSH attempt would hit the deny line (and show up in the log) instead.

Summary

It's important to keep in mind that the NAT Order of Operations doesn't just apply to NAT. While it's very helpful in just about every NAT situation, it can also come in handy in other scenarios. After reviewing these situations, you hopefully have a better understanding of how the NAT Order of Operations works.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

1 comment

TechDictator:

Very useful information, concise and to the point. This is a good reference guide that I'm going to print and put on my wall right now. Thanks!
