From: Michael Le (mmle@xxxxxxxxxxxxxxxxx)
Date: Thu Jan 25 2001 - 16:11:43 GMT-3
You have it correct.
For clarification though, just think of it as if you only have 'ip nat
inside source static 10.190.9.20 172.30.43.111'. When your packet leaves the
router it will change its source to 172.130.43.111. Any device that
responds to this packet will have a destination of 172.130.43.111. When it
reaches your router, the destination has to be NAT'd to 10.190.9.20. It has
to work both ways for the packet to make it to both sides. Given that a
response has to be translated coming back in, a packet initiated from the
outside will too. And same for 'outside source static'.
Michael
-----Original Message-----
From: Maljure, Sanjay [mailto:smaljure@ciber.net]
Sent: Thursday, January 25, 2001 10:30 AM
To: Michael Le; Brian Hescock
Cc: ccielab@groupstudy.com
Subject: RE: Destination NAT....(Back to basics)
Hi, as I said yesterday, the SIP address and DIP address NATing works fine
with the 'inside source static' and 'outside source static' commands.
Here is the config...
!
ip nat inside source static 10.190.9.20 172.30.43.111
ip nat inside source static 10.190.9.21 172.30.43.112
ip nat outside source static 172.31.21.111 10.190.29.112
ip nat outside source static 172.31.21.112 10.190.29.111
!
interface Ethernet0
 ip address 10.190.33.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
interface Serial0
 ip address 172.30.30.202 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 no fair-queue
 compress stac
And here is the NAT debug.....(for a packet with SIP=10.190.9.20 and
DIP=10.190.29.111) entering on the ethernet and leaving on the serial..
11w6d: NAT: s=10.190.9.20->172.30.43.111, d=10.190.29.111 [8853]
11w6d: NAT: s=172.30.43.111, d=10.190.29.111->172.31.21.111 [8853]
11w6d: NAT*: s=172.31.21.111->10.190.29.111, d=172.30.43.111 [1967]
11w6d: NAT*: s=10.190.29.111, d=172.30.43.111->10.190.9.20 [1967]
11w6d: NAT: s=10.190.9.20->172.30.43.111, d=10.190.29.111 [8923]
11w6d: NAT: s=172.30.43.111, d=10.190.29.111->172.31.21.111 [8923]
11w6d: NAT*: s=172.31.21.111->10.190.29.111, d=172.30.43.111 [2069]
11w6d: NAT*: s=10.190.29.111, d=172.30.43.111->10.190.9.20 [2069]
11w6d: NAT: s=10.190.9.20->172.30.43.111, d=10.190.29.111 [8985]
11w6d: NAT: s=172.30.43.111, d=10.190.29.111->172.31.21.111 [8985]
11w6d: NAT*: s=172.31.21.111->10.190.29.111, d=172.30.43.111 [2102]
11w6d: NAT*: s=10.190.29.111, d=172.30.43.111->10.190.9.20 [2102]
Where I was getting stuck - I was thinking that the 'outside source
static' command would change the SIP of a packet entering the 'outside'
interface and going out via 'inside' interface. This of course is true.
I was not sure if the 'outside source static' command would also change
the DIP address of a packet entering on the 'inside' and leaving the
'outside'. This is now verified to be true from the above debug. I guess
there is no need for a precedence when the entry in the NAT table is
created. (kind of makes sense because the NAT table in this case is all
static)
Thanks a lot
Sanjay
-----Original Message-----
From: Maljure, Sanjay
Sent: Wednesday, January 24, 2001 5:50 PM
To: Michael Le; Brian Hescock
Cc: ccielab@groupstudy.com
Subject: RE: Destination NAT....(Back to basics)
Hi Michael
I followed the URL that you sent. Very good, answers my question about
'routing before or after'
I still have doubts about how to achieve my original objective (my first
mail in this thread)...which is to NAT the source IP address AND
destination IP address of a packet in a static way.....something like
what Cisco would do in an 'Overlapping networks' case.
The http://www.cisco.com/warp/public/556/3.html document uses 'ip inside
source list' and 'ip outside source list' commands....
I am trying to set this up using the 'ip inside source static' and the
'outside source static' commands. Anybody has ideas? Would be
appreciated. Thanks for your time
Sanjay
-----Original Message-----
From: Michael Le [mailto:mmle@sprintparanet.com]
Sent: Wednesday, January 24, 2001 5:11 PM
To: Maljure, Sanjay; 'Brian Hescock'
Cc: ccielab@groupstudy.com
Subject: RE: Destination NAT....(Back to basics)
It does not NAT first going from the inside, private network. It has to
know if the packet is going to go through the ip nat outside interface
before it decides to NAT or not. Otherwise, the packet won't need to be
NAT'd. I think Brian meant inbound as in, coming inbound into the router
from the outside world, through the ip nat outside interface.
Read the link I sent.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Maljure, Sanjay
Sent: Wednesday, January 24, 2001 3:58 PM
To: Brian Hescock
Cc: ccielab@groupstudy.com
Subject: RE: Destination NAT....(Back to basics)
Brian I am kind of confused....
Say a packet with SIP=10.190.9.20 and DIP=10.190.29.111 arrives on
E0(which is the nat inside interface) (refer to below script)
(nat first, then routing??)
In that case the router will try to route to 10.190.29.111. Let's say the
route to this network points to s0(which is the nat outside interface).
At this point, I am expecting the DIP address of the packet also to be
translated because I am using 'ip nat outside source static...' command.
Am I wrong?
!Thanks
ip nat inside source static 10.190.9.20 172.30.43.111
ip nat inside source static 10.190.9.21 172.30.43.112
ip nat outside source static 172.31.21.111 10.190.29.112
ip nat outside source static 172.31.21.112 10.190.29.111
!
interface Ethernet0
 ip address 10.190.33.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
interface Serial0
 ip address 172.30.30.202 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 no fair-queue
 compress stac
Sanjay
-----Original Message-----
From: Brian Hescock [mailto:bhescock@cisco.com]
Sent: Wednesday, January 24, 2001 4:41 PM
To: Maljure, Sanjay
Cc: ccielab@groupstudy.com
Subject: RE: Destination NAT....(Back to basics)
Outbound packets--- routing done first, then nat
Inbound packets--- nat first, then route
On Wed, 24 Jan 2001, Maljure, Sanjay wrote:
> Hi everyone
> Please help me with a couple of questions.....
>
> 1. When does the routing decision occur? before or after NAT????
> 2. How about for inside source address NATing? before or after?
> 3. How about for outside source address NATing? before or after?
>
> Can't get to my test lab right now. So any help would be appreciated.
> Also forgive the atrocious English. How does one apply for a poetic
> license?
> Thanks for your time
>
> Sanjay
>
>
> -----Original Message-----
> From: Brian Hescock [mailto:bhescock@cisco.com]
> Sent: Wednesday, January 24, 2001 3:25 PM
> To: Maljure, Sanjay
> Cc: ccielab@groupstudy.com
> Subject: RE: Destination NAT....
>
>
> Sanjay,
> I'm in the middle of a class right now but check a couple of the docs
> and you should find what you need. I've used the docs to set it up for
> an internal lab I developed and it worked, although overlapping ip
> addresses with nat is rather confusing. If I remember correctly there's
> one key stumbling block that you can run into with the static route you
> need to add (I believe it was a matter of what you point it to, it's not
> what you think).
>
> Let me know if you don't get it working and I can check after class, I
> can send you that portion of the lab, which includes the working config.
>
> B.
>
> On Wed, 24 Jan 2001, Maljure, Sanjay wrote:
>
> > Hi Brian
> > I did look at the documents describing the "overlapping with NAT " I
> > think what I am trying to do is exactly the same as the 'overlapping'
> > case except for the DNS part. And not having DNS should not really
> > matter.
> > None of the documents that I looked at gave a sample script for doing
> > this using static IP addresses. One document that I looked in to used
> > 'inside source list..' and 'outside source list...' to do it as they
> > were translating entire subnets.
> > So I am thinking 'inside source static' and 'outside source static'
> > will do the trick for me.
> > What do you think?
> > Thanks
> >
> > Sanjay Maljure
> > CCIE# 6286
> > Enterprise Systems Consultant
> > Ciber, Inc.
> >
> > Tel - 732.225.1700
> > Fax - 732.225.1973
> >
> >
> > -----Original Message-----
> > From: Brian Hescock [mailto:bhescock@cisco.com]
> > Sent: Wednesday, January 24, 2001 2:51 PM
> > To: Maljure, Sanjay
> > Cc: ccielab@groupstudy.com
> > Subject: Re: Destination NAT....
> >
> >
> > Sounds like you want to do NAT with overlapping ip addresses. Do a
> > search on CCO on "NAT and overlapping"
> >
> > Brian
> >
> > On Wed, 24 Jan 2001, Maljure, Sanjay wrote:
> >
> > >
> > > Hi
> > > I thought I knew this stuff but I am beginning to see these funny
> > > gnomes flying around....so please help
> > > What I need to do:
> > >
> > > I have an IP packet
> > > SIP=10.190.9.20
> > > DIP=10.190.29.111
> > >
> > > I need to NAT this so that
> > >
> > > SIP=172.30.43.111
> > > DIP=172.31.21.112
> > >
> > > And all these IP addresses are fixed which means I got to do
> > > static NAT
> > >
> > > I am using a 2500 with "full NAT" feature set
> > >
> > > NATing the source IP addresses can be done with "ip nat inside
> > > source static....."
> > > How do I take care of the destination IP address NATing? ("ip nat
> > > outside source static...." will work????)
> > >
> > > Thanks for your time
> > > Sanjay
> > >
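
Added example (not part of the original thread and not Cisco code): a small Python model of the static NAT entries posted above, showing that each 'inside source static' and 'outside source static' entry is applied in both directions, with routing before NAT on the way out and NAT before routing on the way in. The function names are hypothetical; the addresses are the ones posted in the thread.

```python
import re

# Static NAT lines exactly as posted in the thread.
CONFIG = """\
ip nat inside source static 10.190.9.20 172.30.43.111
ip nat inside source static 10.190.9.21 172.30.43.112
ip nat outside source static 172.31.21.111 10.190.29.112
ip nat outside source static 172.31.21.112 10.190.29.111
"""

def parse_static_nat(config):
    """Return two dicts: inside local->global and outside local->global."""
    inside, outside = {}, {}
    pat = re.compile(r"ip nat (inside|outside) source static (\S+) (\S+)")
    for side, first, second in pat.findall(config):
        if side == "inside":
            inside[first] = second    # syntax: local-ip global-ip
        else:
            outside[second] = first   # syntax: global-ip local-ip
    return inside, outside

def inside_to_outside(src, dst, inside, outside):
    """Packet from an 'ip nat inside' to an 'ip nat outside' interface.
    Routing is done first (on the local destination), then NAT rewrites
    the source (inside entry) and the destination (outside entry)."""
    return inside.get(src, src), outside.get(dst, dst)

def outside_to_inside(src, dst, inside, outside):
    """Packet arriving on the 'ip nat outside' interface: NAT first, then
    routing. The same static entries are applied in reverse."""
    outside_rev = {g: l for l, g in outside.items()}
    inside_rev = {g: l for l, g in inside.items()}
    return outside_rev.get(src, src), inside_rev.get(dst, dst)

def round_trip(src, dst, config=CONFIG):
    """Translate an inside-originated packet and the reply to it."""
    inside, outside = parse_static_nat(config)
    wire = inside_to_outside(src, dst, inside, outside)
    # The remote host replies with source and destination swapped.
    back = outside_to_inside(wire[1], wire[0], inside, outside)
    return wire, back

if __name__ == "__main__":
    wire, back = round_trip("10.190.9.20", "10.190.29.111")
    print("on the outside wire :", wire)
    print("reply as seen inside:", back)
```

With the entries as posted, 10.190.29.111 maps to 172.31.21.112, the target given in the first mail of the thread; the debug lines quoted in the thread show 172.31.21.111 for that destination.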
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:43 GMT-3