Netpath foiled by Cisco IOS NAT

stevewright

Issue

I had this issue when using Netpath.

PC with Netpath agent <--> Cisco IOS router running NAT <--> WAN <--> Target device

An expected traceroute would be:

     IP of Cisco

     IP of WAN device

     IP of Target

Two NAT scenarios:

1. Destination NAT - PC connects to a NAT IP that the router translates to the real IP of the Target.
     Traceroute from PC shows:

     IP of Cisco

     NAT IP - < Should represent WAN device

     NAT IP

2. Source NAT - PC connects to real IP of Target, but has it's own IP NATted by the Cisco.

     Traceroute from PC shows:

     IP of Cisco

     IP of Target - < Should represent WAN device

     IP of Target

The result of this is that Netpath shows a map with 3 devices  PC - Cisco - Target

as it combines the results of the duplicated responses (the NAT IP or the IP of the Target) as it believes them to be a single device.

Given that the PC is local to the Cisco (and unlikely to have any problems), it means the entire WAN's path is hidden, thus rendering Netpath's functionality virtually useless.

Cause

After much hunting, I discovered that when you have a Cisco IOS device doing static NAT, it deliberately hides the IPs of upstream devices returning the ICMP time-exceeded packets.

"In Cisco IOS Release 15.1(3)T and later releases, when you configure the traceroute command, NAT returns the same inside global IP address for all inside local IP addresses."

Slightly incorrect wording (there is no "traceroute" command), but the end of the sentence is the killer.

I did some packet captures on both the Cisco and the PC and confirmed this behaviour.

A lot of this Thwack entry can really be summarised by the source of my knownledge:

http://lostintransit.se/2013/05/29/nat-translation-what-happened-to-my-traceroute/

This document:

IP Addressing: NAT Configuration Guide, Cisco IOS Release 12.2SX - Configuring NAT for IP Address Conservation [Cisco IO…

and Cisco bug CSCsu37097.

Solution

I will attempt to log a feature request with Cisco to make the change in behaviour optional but I don't hold out much hope, so if anyone has any suggestions for how to get around this I'd be most grateful!