From: Deepesh Chouhan (deepesh@cisco.com)
Date: Fri Nov 01 2002 - 23:58:41 GMT-3
Hi
In fact I also figured this out this morning: by reversing the roles (inside i/f
becomes outside and vice versa) we'll be able to do it.
Make sure that you always keep the entry as static. Otherwise outside
traffic won't be able to enter, unless inside starts the session.
thanks again
deepesh
> -----Original Message-----
> From: Ram Shummoogum [mailto:rshummoo@ca.ibm.com]
> Sent: Friday, November 01, 2002 6:39 PM
> To: deepesh@cisco.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NAT-help- urgent (long reply)
>
>
> Deepesh:
>
> Thanks for taking the time to write such a long reply.
> 150.50.200.14 is an address that I cannot allow r5 to see. We are dealing
> with 2 different companies here (political).
>
> Your explanation for the +ve ping is exactly what was happening.
>
> I was able to get it working by using the config below.
>
> r1---s---so--r2-e0--e0--r5--e1
>
> on R2:
>
> int s 0
> ip nat inside
>
> int e 0
> ip nat outside
>
> ip nat inside source static 150.50.200.14 172.17.1.20
>
>
> Note: 150.50.200.14 is connected to r1 and my desktop, 172.16.8.6, is on
> e1 of R5.
>
> From the desktop I am able to ping the virtual address 172.17.1.20 and got
> a response from 150.50.200.14.
> I am even able to bring up a TCP session.
> I verified everything with a sniffer and it does exactly what I wanted:
> "REPLACE THE DESTINATION ADDRESS 172.17.2.10 by 150.50.200.14"
>
>
> Thanks again
>
> cheers,
> RAM-514-205-6612
>
>
>
>
>
> "Deepesh Chouhan" <deepesh@cisco.com> on 11/01/2002 02:04:40 AM
>
> To: Ram Shummoogum/Quebec/IBM@IBMCA
> cc: <ccielab@groupstudy.com>
> Subject: RE: NAT-help- urgent (long reply)
>
>
> Hi
>
> There is a lot of confusion here :)
> This is my understanding. If someone has any comments/objections, please
> share them with us.
>
> Long explanation
> rule 1
> NAT was created for source addresses (SA).
> You can change the SA of incoming packets on the inside interface (i/f) or
> outside i/f using ip nat inside source and ip nat outside source respectively.
> ** exception is rule 2 **
>
> rule 2
> For load distribution of TCP (only TCP) traffic coming from outside, you can
> ask the router to change the DA of incoming packets using a rotary pool.
> Intuitively this pool should be like
> ip nat outside dest <use rotary pool>
> But it is actually configured as
> ip nat inside dest <use rotary pool>
> See e.g.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid2215662
>
> Thus you are using the wrong configuration. In your case you don't need NAT.
> Your SAs are legal (that's why you are not changing them). What you need is
> plain vanilla routing (static/routing protocol etc.) on your workstation
> (default gw=r5) and r5 (150.x.x.x via r2). You should ping directly
> 150.x.x.x from your workstation. If your workstation doesn't want to ping
> 150.x.x.x, but use 172.x.x.x instead, then you have to look for some other
> solution. I don't know that solution. But definitely NAT is not the solution
> (refer to rule 1).
>
> Also, note that these inside dest translations are created on the fly for
> incoming TCP traffic on the outside interface. So even if you configure it, it
> won't show up using ip nat trans until traffic is there.
>
> Now on to the mysterious ping replies from 172.17.1.20.
> r5 is generating this reply.
> rule 3
> If I'm a router doing NAT, then I'll alias ARP for inside global (IG) and
> outside local (OL) addresses. But not in all cases. I'll do it only for my
> own INSIDE domain (host/peer on inside interfaces) AND only if IG/OL are
> connected to me (through some other interface).
> http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
> look for alias
> So in this case the workstation (ws) is sending an ARP query for 172.17.1.20.
> Following rule 3, r5 responds with its own MAC address as it is treated as
> IG. You can verify the MAC entries on the ws.
>
> rule 4
> Packets coming in on an inside NAT i/f are first routed and then NATed. So when
> the ws sends a packet to r5, r5 looks into its routing & ARP tables. It sees that
> it is connected to this subnet and has aliased the ARP. Hence it responds on
> its own. No NAT translation is done. You can verify by turning on NAT debugs.
>
> This explains why it is timing out when you change it to 172.17.1.20. There
> is no ARP entry on the ws.
>
> rule 3, annex 1
> If IGs are not directly connected, and your INSIDE domain (hosts/routers)
> pings the IG, the router will send ICMP U.
>
> rule 3, annex 2
> For OLs, ARP aliases are always generated.
>
>
> Hope this solves your mystery :)
>
> thanks
> Deepesh
>
>
> > -----Original Message-----
> > From: Ram Shummoogum [mailto:rshummoo@ca.ibm.com]
> > Sent: Thursday, October 31, 2002 12:05 PM
> > To: deepesh@cisco.com
> > Cc: ccielab@groupstudy.com
> > Subject: RE: NAT-help- urgent
> >
> >
> >
> > Deepesh:
> > so--r2-e0--e0--r5--e1: Note I have a LAN extension between r2 and
> > r5.
> > My desktop is on e1. I can ping the inside interface of r2.
> >
> > What I am trying to achieve is that I want the destination
> > address replaced
> > from 172.17.1.20 to 150.50.200.14.
> > I don't know if it is possible?
> >
> > I changed 172.17.1.20 to 172.17.2.20 and this time it times out.
> > regards,
> > RAM-514-205-6612
> >
> >
> > "Deepesh Chouhan" <deepesh@cisco.com> on 10/31/2002 02:42:41 PM
> >
> > To: Ram Shummoogum/Quebec/IBM@IBMCA, <ccielab@groupstudy.com>
> > cc:
> > Subject: RE: NAT-help- urgent
> >
> >
> > Hi
> >
> > Can you throw in the topology?
> > Which subnet is your workstation connected to?
> >
> > thanks
> > Deepesh
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Ram Shummoogum
> > > Sent: Thursday, October 31, 2002 10:51 AM
> > > To: ccielab@groupstudy.com
> > > Subject: NAT-help- urgent
> > >
> > >
> > > Hi experts:
> > >
> > > I am stuck on a nat issue:
> > >
> > > R2:
> > > int e0
> > > ip address 172.17.1.18/24
> > > ip nat inside
> > >
> > > int ser 0
> > > ip add 150.50.17.2/24
> > > ip nat outside
> > >
> > >
> > > ip nat inside destination static 172.17.1.20 150.50.200.14
> > >
> > >
> > > When I ping from a workstation to 172.17.1.20 I get a +ve response.
> > > It looks like 172.17.1.20 is responding to my request locally. The
> > > translation is not taking place because I still get a +ve response after
> > > I disconnect 150.50.200.14.
> > >
> > > My workstation source address is 172.16.18.0
> > >
> > >
> > > Your help is greatly appreciated.
> > >
> > > regards
> > >
> > > RAM-514-2056612
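The thread's working answer (s0 as ip nat inside, e0 as ip nat outside, ip nat inside source static 150.50.200.14 172.17.1.20) relies on three behaviours that are easy to get backwards: inside-to-outside packets are routed first and then have their SA translated, outside-to-inside packets have their DA translated first and are then routed, and a static entry is permanent whereas a dynamic pool entry exists only after an inside host starts a session. The model below is an added example (not code from the thread or from Cisco) that exercises those rules on the thread's own addresses so the difference between the static and dynamic cases can be seen directly. The interface names and addresses are the thread's; the routing table is a constructed toy that matches on dotted prefix strings rather than real CIDR masks. One caveat worth keeping in mind: the static entry hides 150.50.200.14 from r5, but it also makes 172.17.1.20 reachable from the outside for every protocol and port at all times, so hiding the address is not the same as restricting access to the host; an ACL on e0 is still needed for that.

```python
"""Toy model of Cisco IOS inside-source NAT order of operations.

Added example, not code from the thread.  Models:
  - inside -> outside: route first, then translate the source address
  - outside -> inside: translate the destination address first, then route
  - static entries are permanent; dynamic pool entries appear only once an
    inside host initiates, so unsolicited outside traffic to a pool address
    has no mapping and is dropped.
Routing is a constructed prefix-string match, not real CIDR handling.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet arrived on


@dataclass
class NatRouter:
    inside: Set[str]                                      # 'ip nat inside' interfaces
    outside: Set[str]                                     # 'ip nat outside' interfaces
    routes: Dict[str, str]                                # address prefix -> egress iface
    static: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global
    pool: List[str] = field(default_factory=list)         # dynamic inside global pool
    dynamic: Dict[str, str] = field(default_factory=dict) # active dynamic entries
    log: List[str] = field(default_factory=list)

    def _route(self, dst: str) -> Optional[str]:
        """Longest matching prefix string wins (toy routing table)."""
        best = max((p for p in self.routes if dst.startswith(p)), key=len, default=None)
        return self.routes[best] if best else None

    def _global_for(self, local: str) -> Optional[str]:
        """Inside local -> inside global; allocates from the pool on inside-initiated traffic."""
        if local in self.static:
            return self.static[local]
        if local in self.dynamic:
            return self.dynamic[local]
        used = set(self.dynamic.values())
        for g in self.pool:
            if g not in used:
                self.dynamic[local] = g
                self.log.append(f"dynamic entry {local} -> {g} created")
                return g
        return None

    def _local_for(self, glob: str) -> Optional[str]:
        """Inside global -> inside local, from static or active dynamic entries only."""
        for table in (self.static, self.dynamic):
            for local, g in table.items():
                if g == glob:
                    return local
        return None

    def forward(self, pkt: Packet) -> Optional[Tuple[Packet, str]]:
        """Return (packet as it leaves the router, egress interface), or None if dropped."""
        if pkt.in_iface in self.inside:
            egress = self._route(pkt.dst)            # inside -> outside: route first
            if egress is None:
                return None
            if egress in self.outside:               # ... then translate the SA
                g = self._global_for(pkt.src)
                if g is not None:
                    pkt = Packet(g, pkt.dst, pkt.in_iface)
            return pkt, egress
        if pkt.in_iface in self.outside:
            local = self._local_for(pkt.dst)         # outside -> inside: translate DA first
            if local is not None:
                pkt = Packet(pkt.src, local, pkt.in_iface)
            elif pkt.dst in self.pool:               # pool address, no session: drop
                self.log.append(f"no translation for {pkt.dst}; dropped")
                return None
            egress = self._route(pkt.dst)            # ... then route
            return (pkt, egress) if egress else None
        return None


R2_ROUTES = {"150.50.": "s0", "172.17.1.": "e0", "172.16.": "e0"}  # constructed toy table


def r2_static() -> NatRouter:
    """The thread's working config: s0 inside, e0 outside, static 150.50.200.14 <-> 172.17.1.20."""
    return NatRouter({"s0"}, {"e0"}, R2_ROUTES, static={"150.50.200.14": "172.17.1.20"})


def r2_dynamic() -> NatRouter:
    """Same interface roles, but 172.17.1.20 comes from a dynamic pool instead."""
    return NatRouter({"s0"}, {"e0"}, R2_ROUTES, pool=["172.17.1.20"])


def desktop_ping(router: NatRouter):
    """Desktop 172.16.8.6 (behind r5) sends to 172.17.1.20; returns the request, egress and reply."""
    out = router.forward(Packet("172.16.8.6", "172.17.1.20", "e0"))
    if out is None:
        return None
    req, egress = out
    reply = router.forward(Packet(req.dst, req.src, egress))  # host behind s0 answers
    return req, egress, reply


if __name__ == "__main__":
    print(desktop_ping(r2_static()))   # request reaches 150.50.200.14, reply comes back as 172.17.1.20
    print(desktop_ping(r2_dynamic()))  # None: outside-initiated, no entry yet
```

With the static entry the desktop's packet is rewritten to 150.50.200.14 and sent out s0, and the reply comes back out e0 with source 172.17.1.20, so the 150.x address never appears on the r5 side. With a dynamic pool the same packet is dropped until 150.50.200.14 has itself sent something outward and created the entry, which is the point of the "keep the entry as static" remark at the top of the thread.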
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:51 GMT-3