From: Deepesh Chouhan (deepesh@cisco.com)
Date: Fri Nov 01 2002 - 04:04:40 GMT-3
Hi
There is a lot of confusion here :)
This is my understanding. If someone has any comments/objections, please
share it with us.
Long explanation
rule 1
NAT was created for source addresses (SA).
You can change the SA of incoming packets on the inside interface (i/f) or outside
i/f using ip nat inside source and ip nat outside source respectively.
** exception is rule 2 **
rule 2
For load distribution of TCP (only TCP) traffic coming from outside, you can
ask the router to change the DA of incoming packets using a rotary pool.
Intuitively this pool should be like
ip nat outside dest <use rotary pool>
But it is actually configured as
ip nat inside dest <use rotary pool>
See e.g.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid2215662
Thus you are using the wrong configuration. In your case you don't need NAT.
Your SAs are legal (that's why you are not changing them). What you need is
plain vanilla routing (static/routing protocol etc.) on your workstation
(default gw=r5) and r5 (150.x.x.x via r2). You should ping directly
150.x.x.x from your workstation. If your workstation doesn't want to ping
150.x.x.x, but use 172.x.x.x instead, then you have to look for some other
solution. I don't know that solution. But definitely NAT is not the solution
(refer to rule 1)
Also, note that these inside dest translations are created on the fly for
incoming TCP traffic on outside interface. So even if you configure it, it
won't show up using ip nat trans, until traffic is there
Now on to mysterious ping replies from 172.17.1.20.
r5 is generating this reply
rule 3
If I'm a router doing NAT, then I'll alias ARP for inside global (IG) and
outside local (OL) addresses. But not in all cases. I'll do it only for my
own INSIDE domain (hosts/peers on inside interfaces) AND only if the IG/OL are
connected to me (through some other interface).
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
Look for "alias".
So in this case the workstation (ws) is sending an ARP query for 172.17.1.20.
Following rule 3, r5 responds with its own MAC address as it is treated as
the IG. You can verify via the MAC entries on the ws.
rule 4
Packets coming in on an inside NAT i/f are first routed and then NATed. So when the ws
sends a packet to r5, r5 looks into its routing & ARP tables. It sees that it is
connected to this subnet and has aliased the ARP. Hence it responds on
its own. No NAT translation is done. You can verify by turning on NAT
debugs.
This explains why it is timing out when you change it to 172.17.1.20. There
is no ARP entry on the ws.
rule 3, annex 1
If the IGs are not directly connected, and your INSIDE domain (hosts/routers)
pings the IG, the router will send ICMP U.
rule 3, annex 2
For OLs, ARP aliases are always generated.
Hope this solves your mystery :)
thanks
Deepesh
> -----Original Message-----
> From: Ram Shummoogum [mailto:rshummoo@ca.ibm.com]
> Sent: Thursday, October 31, 2002 12:05 PM
> To: deepesh@cisco.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NAT-help- urgent
>
>
>
> Deepesh:
> so--r2-e0--e0--r5--e1: Note I have a LAN extension between r2 and
> r5.
> my desktop is on e1. I can ping the inside interface of r2.
>
> what I am trying to achieve is that I want the destination
> address replaced
> from 172.17.1.20 to 150.50.200.14
> I don't know if it possible?
>
> I changed 172.17.1.20 to 172.17.2.20 and this time it times out.
> regards,
> RAM-514-205-6612
>
>
> "Deepesh Chouhan" <deepesh@cisco.com> on 10/31/2002 02:42:41 PM
>
> To: Ram Shummoogum/Quebec/IBM@IBMCA, <ccielab@groupstudy.com>
> cc:
> Subject: RE: NAT-help- urgent
>
>
> Hi
>
> Can you throw in topology
> Which subnet is your workstation connected to?
>
> thanks
> Deepesh
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Ram Shummoogum
> > Sent: Thursday, October 31, 2002 10:51 AM
> > To: ccielab@groupstudy.com
> > Subject: NAT-help- urgent
> >
> >
> > Hi experts:
> >
> > I am stuck on a nat issue:
> >
> > R2:
> > int e0
> > ip address 172.17.1.18/24
> > ip nat inside
> >
> > int ser 0
> > ip add 150.50.17.2/24
> > ip nat outside
> >
> >
> > ip nat inside destination static 172.17.1.20 150.50.200.14
> >
> >
> > When I ping from a workstation to 172.17.1.20 I get a +ve response
> > It looks like 172.17.1.20 is responding to my request locally. The
> > translation is not taking place because I still get a +ve response after
> > I disconnect 150.50.200.14.
> >
> > My workstation source address is 172.16.18.0
> >
> >
> > Your help is greatly appreciated.
> >
> > regards
> >
> > RAM-514-2056612
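Added example (not part of the thread, and not Cisco IOS code): a small Python model of rules 3 and 4 as Deepesh states them, applied to a constructed topology shaped like Ram's R2 (e0 172.17.1.0/24 as nat inside, s0 150.50.17.0/24 as nat outside, the single inside destination mapping 172.17.1.20 -> 150.50.200.14). The static route to 150.50.200.0/24 via s0, the interface names and the workstation address 172.16.18.5 are assumptions made for the example. It shows why a ping to the aliased IG is answered by the router itself without any translation, while a plain ping to 150.50.200.14 is simply routed, which is the "plain vanilla routing" Deepesh recommends.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on R2 in the thread (interface names and the
# route to 150.50.200.0/24 are assumptions for this example).
CONNECTED = {
    "e0": ip_network("172.17.1.0/24"),    # ip nat inside
    "s0": ip_network("150.50.17.0/24"),   # ip nat outside
}
INSIDE_IFS = {"e0"}
STATIC_ROUTES = {ip_network("150.50.200.0/24"): "s0"}

# Translation tables in the thread's terms: IG = inside global, IL = inside
# local, OL = outside local, OG = outside global. The thread treats
# "ip nat inside destination static 172.17.1.20 150.50.200.14" as an IG -> IL
# mapping, so that is how it is recorded here.
INSIDE_DEST = {ip_address("172.17.1.20"): ip_address("150.50.200.14")}  # IG -> IL
INSIDE_SRC = {}      # IL -> IG, would be filled by "ip nat inside source static"
OUTSIDE_SRC = {}     # OL -> OG, would be filled by "ip nat outside source static"


def connected_if(addr):
    """Return the interface whose subnet contains addr, or None."""
    for ifname, net in CONNECTED.items():
        if addr in net:
            return ifname
    return None


def lookup_route(addr):
    """Connected subnets win, then static routes, else no route."""
    out_if = connected_if(addr)
    if out_if is not None:
        return out_if
    for net, ifname in STATIC_ROUTES.items():
        if addr in net:
            return ifname
    return None


def answers_arp(query_ip, in_if):
    """Rule 3: the router answers ARP for IG/OL addresses with its own MAC,
    but only on its inside interfaces, and for an IG only when that address
    lies on a subnet connected to the router. Annex 2: OLs are always aliased."""
    query_ip = ip_address(query_ip)
    if in_if not in INSIDE_IFS:
        return False
    if query_ip in OUTSIDE_SRC:
        return True
    return query_ip in INSIDE_DEST and connected_if(query_ip) is not None


def forward_from_inside(src, dst, in_if):
    """Rule 4: a packet arriving on an inside NAT interface is routed first
    and translated second. Returns (verdict, src_after, dst_after)."""
    src, dst = ip_address(src), ip_address(dst)
    # The router owns the ARP entry for an aliased IG on a connected subnet,
    # so the frame lands on the router and it replies itself: no NAT at all.
    if connected_if(dst) is not None and answers_arp(dst, in_if):
        return ("local-reply", str(src), str(dst))
    # Annex 1: an IG that is not directly connected gets ICMP unreachable.
    if dst in INSIDE_DEST:
        return ("icmp-unreachable", str(src), str(dst))
    out_if = lookup_route(dst)
    if out_if is None:
        return ("icmp-unreachable", str(src), str(dst))
    if out_if in INSIDE_IFS:
        return ("routed-inside", str(src), str(dst))   # inside to inside: nothing to translate
    # Only now, on the way out of the outside interface, does inside source
    # NAT (rule 1) get a chance to rewrite the SA. With no mapping, the
    # "legal" address passes through unchanged: plain routing.
    return ("forwarded", str(INSIDE_SRC.get(src, src)), str(dst))


if __name__ == "__main__":
    ws = "172.16.18.5"
    print("ARP for 172.17.1.20 on e0 answered by router:", answers_arp("172.17.1.20", "e0"))
    print("ping 172.17.1.20:", forward_from_inside(ws, "172.17.1.20", "e0"))
    print("ping 150.50.200.14:", forward_from_inside(ws, "150.50.200.14", "e0"))
```

Running the block prints the two outcomes Ram saw: the ping to 172.17.1.20 never leaves the router (so disconnecting 150.50.200.14 changes nothing), while the direct ping to 150.50.200.14 is forwarded out s0 with the source address untouched.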
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:50 GMT-3