Saturday, September 18, 2010

Cisco IOS Destination-NAT

Throughout my career in networking, I’ve often implemented Source-NAT translation on Cisco routers (the practice of replacing the source IP address in packets) to either hide the private address or because the subnet overlapped with another location.  However, I’ve rarely implemented Destination-NAT (the practice of replacing the destination IP address in packets).  Destination-NAT, it turns out, is not as self-explanatory as Source-NAT when it comes to CLI commands.  And, the materials I found on CCO and Google searches did not clearly explain how to do this simple task in Cisco IOS.  So, I think it warrants a quick article in case others need it!

Why would you want to Destination-NAT?  It is needed when a service provider assigns private addressing (RFC 1918) to a service you need to target and you already have a route in your network for that subnet, which goes elsewhere.  Or, you need to direct certain lines of business (LOB) to use one circuit over another, to reach the same service.  In this case, you can have one LOB target the real IP to reach the service over a specific circuit, and another LOB would target the Destination-NAT IP.  This way, the two LOBs don’t have to share the circuit.

If you are translating one IP to one IP, there is no need for a pool, or an ACL, for either Source-NAT or Destination-NAT.  You would use the “ip nat inside source static” or “ip nat outside source static” command.  I’ll explain which one to use for which scenario.  It just depends on the direction in which the session is initiated.  I usually assign the interface for my network (the one closer to the network core) as the “inside” interface using the “ip nat inside” command.  And the interface facing the other network as “outside” using the “ip nat outside” command.  This also happens to be the way zone based firewalls work, although NAT has nothing to do with security or firewalls, and you could very well do the opposite.

Before I give a Destination-NAT example, let’s do a Source-NAT because that’s more common.  Here is the topology:

Core network where sessions get initiated (10.1.1.0/24) –> NAT router –> Other network (172.16.1.0/24)

In this scenario, we hide the core network’s real host IP address (10.1.1.1) for that flow with the NAT range IP address of 192.168.1.1.  So, the “other network” sees our traffic coming from the NAT address.

The IOS CLI command to do this is:

ip nat inside source static 10.1.1.1 192.168.1.1

Of course, you have to ensure there is a route for the translated address in the routing tables along the path for any router to reach that destination. 

Now, let’s say we also need to use this NAT router to translate the destination of our packet.  In other words, there is a LOB who needs to reach 172.16.1.1 via a different path, or we simply cannot advertise 172.16.1.0/24 into our core, for various reasons.  We need the host on our core to be able to target 172.16.1.1 by using destination address 172.18.222.222.

At the NAT router, you can’t use “ip nat inside destination static” because there is no such command in IOS.  Instead, you would use the following:

ip nat outside source static 172.16.1.1 172.18.222.222 add-route

As you can see, we are dealing with the outside NAT interface, which means we NAT in the return direction, which is why we have to reverse the order of the translation and use “source” instead of “destination”!

The “add-route” keyword may be needed if there is no route (or a route with an incorrect next-hop) in the routing table for the old “not-translated” destination.

Again, you have to ensure the 172.18.222.222 route is advertised inside your core, so the hosts can reach it.
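
The two static translations above put together as one router configuration, as an added example that is not from the original post. The interface names and interface addresses are assumptions, and the outside entry follows the IOS argument order: the real (outside global) address first, then the address inside hosts target (outside local).

```cisco
! Added example. Interface names and addressing are assumed for illustration.
interface GigabitEthernet0/0
 description Core side, where sessions are initiated
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Toward the other network
 ip address 172.16.1.254 255.255.255.0
 ip nat outside
!
! Source-NAT: core host 10.1.1.1 is seen by the other network as 192.168.1.1.
! Argument order: <inside local (real)> <inside global (translated)>
ip nat inside source static 10.1.1.1 192.168.1.1
!
! Destination-NAT: core hosts target 172.18.222.222 and the router rewrites
! the destination to the real server, 172.16.1.1.
! Argument order: <outside global (real)> <outside local (seen from inside)>
! add-route installs a host route for 172.18.222.222 via 172.16.1.1, because
! inside-to-outside traffic is routed before it is translated.
ip nat outside source static 172.16.1.1 172.18.222.222 add-route
!
! Resulting addresses for a session from 10.1.1.1 to 172.18.222.222:
!   on the inside:   src 10.1.1.1         dst 172.18.222.222
!   on the outside:  src 192.168.1.1      dst 172.16.1.1
! and for the replies:
!   on the outside:  src 172.16.1.1       dst 192.168.1.1
!   on the inside:   src 172.18.222.222   dst 10.1.1.1
!
! Static entries work in both directions: a host on the other network can
! open a session to 192.168.1.1 and reach 10.1.1.1. If that is not intended,
! filter it with an inbound ACL on the outside interface.
```

After applying it, “show ip nat translations” should list both static entries and “show ip route 172.18.222.222” should show the host route created by add-route.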

Note: not all applications are tolerant of NAT, so make sure you test!

Monday, August 9, 2010

Upgrading an HP EliteBook 2530p Laptop from 80GB SSD to 160GB SSD

This week, I upgraded one of my client’s out-of-space hard drive in his HP EliteBook 2530p laptop from the factory-shipped first generation 80GB Intel X18-M 1.8in SATA solid state drive (p/n SSDSA1MH080G1) to a newer second generation 160GB Intel X18-M 1.8in SATA solid state drive (p/n SSDSA1MH160G2).  The first generation 5mm drives max out at 80GB and there are no other Intel drives with more capacity.  Since the 8mm X18 drives don’t physically fit into the 2530p, we had to wait for Intel to release the second generation drives, which are 5mm and come with 160GB capacity.

The upgrade was fairly simple and worked as I had planned.  However, I am documenting what I did in case someone else wants the info.  I did not find any forum post on how to do such an upgrade on this particular hardware.

First, I used the Windows 7 Backup and Restore feature to “Create a system image” onto an external USB hard drive.  This will be used to restore the image onto the new drive.  This works also with Windows Vista Business and Ultimate using the “Complete PC Backup”.

I downloaded the HP EliteBook 2530p “Maintenance and Service Guide” from hp.com and followed the instructions on removing and re-installing the SSD.  This was painless and there were just a few screws to deal with.

Once the new 160GB SSD was installed, I booted with the Windows 7 installation CD and restored the previously saved image from the USB drive.  The restore process actually works great but it does not use the “unallocated” space at the end of the disk.  So, we still have an 80GB SSD with 80GB wasted.  To expand the partition, I used the latest stable gparted release (which today is 0.6.1.2).

I booted with the CD onto which I burned the gparted .iso image and accepted all the defaults and booted with gparted live.

When in gparted, I selected the “HP_TOOLS” partition (1GB, located at the end of our 80GB partition) and dragged it all the way to the end of the unallocated space of the new 160GB drive using the mouse pointer.  That left some unallocated space in between the C: drive and the HP_TOOLS drive.  So, I was able to expand the C: drive onto this unallocated space, again by dragging the mouse pointer.  We now have a roughly 159GB drive!  I applied the changes, which returned a success message.  I exited gparted and rebooted the notebook.  C: drive now has lots of additional space!

UPDATED 5/16/2011--  Unrelated note- notebooks with regular hard drives must have their BIOS Device Configuration “SATA Mode” set to AHCI, whereas ones with SSD must have it set to “IDE”.  Otherwise, Windows will fail to start, and a “Startup Repair” will not be successful.

UPDATED 5/19/2011-- I have also been aware of a few BSODs due to a bug in firmware 02HD.  Updating to 02M3 on the 160GB SSD is supposed to fix this.  However, upgrading the firmware has been a bit difficult.  I downloaded the new firmware from “Software & Drivers” on hp.com; however, running that in Windows will not work because the SSD I purchased was not from HP, so it says it’s incompatible.  So, I downloaded the update from Intel.com, which consists of an ISO image to be burned on a CD for use to boot/update outside the OS.  The problem is the CD is not detected by any BIOS/Boot Device in any PC or laptop I’ve tried.  So, I followed the instructions in http://communities.intel.com/thread/8906, except I skipped step “C)” as my ISO CD did not have a config.sys file.  The upgrade was quick and worked just fine with the 2 files that were on the CD.