NAT ALG (Application Level Gateway)

Lesson Contents

NAT (Network Address Translation) translates IP addresses on the network layer (L3) and port numbers on the transport layer (L4). This works well for most applications but it can cause issues for applications that include IP addresses or port numbers on the application layer.

Here are some example applications:

  • SIP
  • H323
  • FTP
  • DNS

To make NAT work with these applications, we also need to translate address information in the application layer. An ALG (Application Level Gateway) is an application that translates this information in the payload of the application layer. NAT ALG performs the translation while translating the IP addresses and/or port numbers.

In this lesson, we will take a look at an application (DNS) that requires NAT ALG. I chose DNS since the name requests/replies are easy to understand and we can test everything on Cisco IOS routers.

Configuration





We use the following topology:

Nat Alg Dns Topology

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

DNS1

hostname DNS1
!
no ip routing
!
ip host H1.NETWORKLESSONS.LOCAL 192.168.1.101
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.150 255.255.255.0
!
ip default-gateway 192.168.1.254
!
ip dns server
!
end

H1

hostname H1
!
no ip routing
!
ip name-server 192.168.1.150
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.101 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end

H2

hostname H2
!
no ip routing
!
ip name-server 192.168.2.150
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.2.102 255.255.255.0
!
ip default-gateway 192.168.2.254
!
end

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 ip address 192.168.2.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source static 192.168.1.101 192.168.2.101
ip nat inside source static 192.168.1.150 192.168.2.150
!
end

We have the following devices:

  • R1 is our NAT router.
  • H1 is a host on our LAN.
  • DNS1 is our DNS server.
  • H2 is a host somewhere outside of our network.

We have two static NAT rules:

  • H1 is reachable from the outside through 192.168.2.101.
  • DNS1 is reachable from the outside through 192.168.2.150.

The DNS server has one entry for H1, that’s it.

Let’s start with a simple lookup from H1:

H1#ping h1.networklessons.local
Translating "h1.networklessons.local"...domain server (192.168.1.150) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms

H1 resolves the hostname through the DNS server and pings its own IP address. We can see the address that it resolved with the show hosts command:

H1#show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 192.168.1.150

Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
       temp - temporary, perm - permanent
       NA - Not Applicable None - Not defined

Host                      Port  Flags      Age Type   Address(es)
h1.networklessons.local   None  (temp, OK)  0   IP    192.168.1.101

I captured the answer of the DNS server, you can see it below:

Nat Alg H1 Dns Query Answer

NAT ALG H1 DNS Answer

As you can see above, the answer shows IP address 192.168.1.01 in the application layer of this packet.

The DNS server is reachable from the outside with IP address 192.168.2.150. Let’s see what happens when H2 does a DNS request. Let’s enable a debug on R1 to see NAT in action:

R1#debug ip nat
IP NAT debugging is on

Now we try a ping from H2 to the hostname of H1:

H2#ping h1.networklessons.local
Translating "h1.networklessons.local"...domain server (192.168.2.150) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/16 ms

H2 gets an answer from the DNS server and pings IP address 192.168.2.101. This is the outside IP address of H1, not its real IP address. Take a look at the NAT debug on R1:

R1#
NAT: s=192.168.2.102, d=192.168.2.150->192.168.1.150 [0]
NAT: DNS resource record 192.168.1.101 -> 192.168.2.101
NAT: s=192.168.1.150->192.168.2.150, d=192.168.2.102 [12]
NAT*: s=192.168.2.102, d=192.168.2.101->192.168.1.101 [11]
NAT*: s=192.168.1.101->192.168.2.101, d=192.168.2.102 [11]

In the output above, we see that the IP addresses of the DNS server and H1 got translated, but it also shows us that the DNS resource record is translated from 192.168.1.01 to 192.168.2.101. That’s our NAT ALG in action.

Here is a capture of the DNS answer from H2 captured on the DNS server:

Nat Alg H2 Dns Query Answer Before Nat

NAT ALG H2 DNS Answer Before NAT

Above, you can see that it is sourced from 192.168.1.150 and the answer shows 192.168.1.101.

Below, we have the DNS answer captures on H2, after NAT:

Nat Alg H2 Dns Query Answer After Nat

NAT ALG H2 DNS Answer After NAT

Above, we see that the source IP address got translated and the answer on the application layer got translated to 192.168.2.101. We can also confirm this by looking at the DNS records that H2 knows about:

H2#show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 192.168.2.150

Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
       temp - temporary, perm - permanent
       NA - Not Applicable None - Not defined

Host                      Port  Flags      Age Type   Address(es)
h1.networklessons.local   None  (temp, EX)  0   IP    192.168.2.101

H2 has stored the outside IP address 192.168.2.101 for the hostname of H1.

Conclusion

You have now learned how NAT ALG translates address information on the application layer to make certain applications work through NAT. I hope you enjoyed this lesson. If you have any questions feel free to leave a comment.

Tags:


Forum Replies

  1. Hi Rene,

    So for NAT ALG only extra command is ip virtual-reassembly in right ??

    br//zaman

  2. Hello Zaman.

    The command ip virtual-reassembly is not related to NAT ALG. This command is used for detecting and preventing several different types of fragmentation attacks. More about this command can be found at the following link.

    https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-cbac-vfr.html#GUID-0A94C3F4-5D7A-4E85-8FAE-0F8F6EBABACF

    In the lesson, R1 employs NAT ALG by default and Rene is showing an example of how it actually functions. No specialized configuration is necessary for NAT ALG to function.

    I hope this has been helpful!

    Laz

  3. It’s quite surprising, but this autoconfiguration can sometimes cause more issues than it fixes.

    I’ve been requested to disable this before to get sip working.

    The command to disable for UDP is:

    no ip nat service sip udp port 5060

  4. Hello Chris

    Yes, you are correct that NAT ALG can cause some interesting and often unpredictable results. This is usually the case when used in conjunction with some other security appliance such as a firewall where additional NAT or VPN functionality takes place. It is the policy of some networking professionals to disable this service in order to avoid these unpredictable results.

    In any case it is necessary to approach NAT ALG with caution and make sure to take into account all possible contingencies.

    I hope this has been helpful!

    Laz

2 more replies! Ask a question or join the discussion by visiting our Community Forum