Re: implementing NAT with one physical interface

From: Andrew Yourtchenko (andin@xxxxxx)
Date: Thu Feb 03 2000 - 17:20:00 GMT-3


Hello Carole,

In real life the answer is "yes". I've done that a couple of times,
and it works. Though I think this might be more a hack than a normal
case.

I will use the term "NAT" here, in reality meaning port-address
translation - that's probably what you want to do.

The trick is to configure a loopback interface as "ip nat inside", and
the ethernet as "ip nat outside". Then, you have to use policy routing
to throw the packets from "inside" and "outside" (I am not 100% sure about the
latter - you may want to experiment with that) to the loopback first
(route map with ACL and 'set interface lo0' + ip policy on the interface).
Also, you define your "outside" ip address as your primary address on
ethernet, and your "inside" address as secondary. The loopback's address
is never really used, as far as I remember, so it can be set to some
other RFC1918 range than your 'inside' range.

The mechanics of this are as follows - when a packet from the "inside"
gets into the router, it _should_ just be reforwarded back in normal
circumstances. But in this case it gets thrown onto the loopback, which is
marked as "inside". But then it has to go outside, to the ethernet! So, the
NAT engine awakes in case the addresses match the NAT condition. The packet
gets translated, an entry is created in the nat translation database, and
the packet flies away.

When it gets back from the Net to your router, the router translates
it back to the RFC1928 destination, and throws it to your host from the ethernet
interface. I said previously that I am not sure about the need to make
policy routing for return packets - I think it is unnecessary, since
you would usually want to do "ip nat inside source list 101 int eth0
overload", and the packet, arriving at the router's own address, should get
translated automatically - but I vaguely remember some troubles with
that (It's a hack, recall that? :)

I had implemented this type of solution for a router with one ethernet,
dual-homed to two providers simultaneously, assuming there were
radio-bridges connecting to them - as an experiment (It was
a real case, though, but it was solved in a more gentle way by using
inter-vlan routing - 2620+2924XL-EN did the thing).

If the list's community requests and permits, I could post the configs of the whole
testbench here (5 routers, 1 acting as a dummy host, the other - NAT
box, 2 providers, and a "remote" host in the internet). That setup even
allowed automatic failover - requiring that some dynamic routing
protocol was run with one of the providers.

Though all this looks like nice fun, it is not very good from
the security point of view - since the provider actually has a direct
connection to your ethernet segment, he can play the fool with your hosts.
And, vice versa - all your stuff like ARP requests will fly over to
the provider, consuming the link bandwidth. The last hope that remains
- that the provider hasn't implemented the same type of routing on the
other side :)

have fun!

with best regards,
Andrew Yourtchenko

CCIE #5423

/Systems Engineer
OCS distribution
phone. +7-812-324-2870 ext 244
mailto:andin@ocs.ru
http://www.ocs.ru/

Thursday, February 03, 2000, 6:53:48 AM, you wrote:

C> I think the answer is probably 'no', but is it possible to set up NAT
C> with only one physical Ethernet interface, maybe with loopbacks &
C> secondary addresses? (a variation of one-armed routing?)

C> I have been trying to figure out a way to set up NAT with one physical
C> interface. I have a Cisco 804 (that I am not using the ISDN port on),
C> which has only the 1 Ethernet Interface, plus three 10BaseT hub ports
C> on same Ethernet segment.

C> I'd like to set it up so that my ISP will connect to Eth 0 (via DSL
C> service) & provide a default IP address (x.x.x.86/24) and gateway
C> (x.x.x.1/24). Some PCs will hang off the three Ethernet ports. The
C> PCs will want to connect to the Internet, but have their private IP
C> addresses (say 10.1.1.2 - 10.1.1.4) shielded from the Internet.

C> thanks,

C> Carole


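The setup Andrew describes, written out as an added example (not taken from his testbench configs or from either post) for a Cisco 804 with its single Ethernet0 and the addressing in Carole's question. The loopback subnet, the router's own inside address 10.1.1.1, and the public addresses 203.0.113.86 / 203.0.113.1 standing in for x.x.x.86 / x.x.x.1 are assumed values; the policy route for return traffic is left out, as he suggests experimenting with it.

```cisco
! Loopback marked "inside": its address is never used as a real hop,
! so any RFC1918 range that does not overlap the inside LAN will do.
interface Loopback0
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! Single physical interface: ISP-assigned "outside" address as primary
! (203.0.113.86 stands in for x.x.x.86), "inside" address as secondary.
! Policy routing on this interface bounces inside-sourced packets to Lo0.
interface Ethernet0
 ip address 203.0.113.86 255.255.255.0
 ip address 10.1.1.1 255.255.255.0 secondary
 ip nat outside
 ip policy route-map NAT-LOOP
!
! ACL 101 serves two purposes: it selects the traffic to policy-route and
! the inside source addresses to translate (the PCs 10.1.1.2 - 10.1.1.4).
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
route-map NAT-LOOP permit 10
 match ip address 101
 set interface Loopback0
!
! PAT: many inside hosts share the single public address of Ethernet0.
ip nat inside source list 101 interface Ethernet0 overload
!
! Default route to the ISP gateway (203.0.113.1 stands in for x.x.x.1).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After a PC sends traffic, "show ip nat translations" should list entries with 10.1.1.x inside local addresses and 203.0.113.86 as the inside global address; if return packets are not translated, that is the point where Andrew's optional policy route for "outside" traffic would be added.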

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:52 GMT-3