RE: BGP TCP port 179 session drops when NAT (PAT) running

From: Brian McGahan (brian@cyscoexpert.com)
Date: Sat Jul 05 2003 - 23:22:05 GMT-3


Tom,

        Yes, the behavior you describe is correct. Take the following
setup:

R1--12.0.0.0/8--R2

        R1 is in AS 1, R2 is in AS 2. R1 is running NAT overload (PAT)
on the serial interface connected to R2. R1's config is as follows:

interface Serial0/1
 ip address 12.0.0.1 255.0.0.0
 ip nat outside
 clockrate 64000
!
router bgp 1
 neighbor 12.0.0.2 remote-as 2
!
ip nat inside source list 1 int s0/1 overload
!
access-list 1 permit any

        When you look at R1's translation table, you can see that the
BGP session is getting translated:

R1# sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 12.0.0.1:1         12.0.0.1:179       12.0.0.2:11009     12.0.0.2:11009

        When R2 receives this BGP request, it cannot process it because
the ports have been translated. In order to avoid this issue, we must
configure R1 not to NAT BGP traffic. The config would be as follows:

ip nat inside source route-map NAT interface Serial0/1 overload
!
route-map NAT deny 10
 match ip address 100
!
route-map NAT permit 20
!
access-list 100 permit tcp any any eq bgp

        This instructs R1's NAT process to NAT only traffic that does
not match access-list 100, which specifies BGP traffic.

R1#sh ip bgp | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
12.0.0.2        4     2      11      12        3    0    0 00:06:46        1

        As you can see from this output, the BGP session is now
established.

HTH,

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Thomas Larus
> Sent: Saturday, July 05, 2003 7:57 PM
> To: ccielab@groupstudy.com
> Subject: BGP TCP port 179 session drops when NAT (PAT) running
>
> Has anyone else experienced this:
>
> You configure BGP peering from a serial interface that is also the IP NAT
> outside interface for Port Address Translation. Actually, the BGP peering
> came first, and then you added PAT. PAT kills the BGP session by changing
> the source port number.
>
> Unless you exclude the IP NAT outside interface's own IP address from the
> IP NAT inside source pool, PAT will change the source port for the TCP
> session, and the other BGP peer will not like the new port number and will
> terminate the BGP session. At least that is what seemed to be going on when
> I experienced this a while back.
>
> I just wanted to see if other folks had experienced this. I mean, ideally,
> one would think that PAT would not act on TCP traffic originating from the
> IP NAT outside interface itself. I guess there is so much shuffling around
> of ports involved in PAT that even the traffic sourced from the outside
> interface can end up with changed source ports. Either that, or the traffic
> ostensibly sourced from the outside interface is logically treated by PAT
> as sourced from elsewhere on the router. I would understand if this
> happened when I had a loopback address configured as an IP NAT inside
> interface, but the problem persisted when I took NAT off the loopback.
>
> I just wanted to see if any of the brilliant engineers out there would
> explain this phenomenon. (Priscilla O., Howard B., Brian D., Bryan M., Fred
> I.?)
>
> Tom Larus, CCIE #10,014
>
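Added example (not part of the thread, and not Brian's or Cisco's code): a small Python model of the route-map NAT policy from the reply above, plus a parser for `show ip nat translations` rows that flags the symptom Tom described, a TCP/179 session sitting in the translation table with its source port rewritten. The `Flow` class, the function names and the second sample row (inside host 10.1.1.5) are constructed for the illustration; the first sample row and the ACL/route-map semantics are taken from the post.

```python
from dataclasses import dataclass

BGP_PORT = 179  # TCP port for BGP ("eq bgp" in the post's access-list 100)


@dataclass(frozen=True)
class Flow:
    """A packet as the NAT policy sees it (hypothetical model, not IOS code)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def acl_100_matches(flow: Flow) -> bool:
    """'access-list 100 permit tcp any any eq bgp': TCP, any source, any
    destination, destination port 179. It does not match UDP, nor a TCP
    packet whose *source* port is 179."""
    return flow.proto == "tcp" and flow.dst_port == BGP_PORT


# route-map NAT deny 10 / match ip address 100 ; route-map NAT permit 20
# A sequence with no match clause matches everything.
ROUTE_MAP_NAT = [
    ("deny", acl_100_matches),
    ("permit", None),
]


def nat_policy_translates(flow: Flow, route_map=ROUTE_MAP_NAT) -> bool:
    """First matching sequence decides; 'deny' exempts the flow from NAT.
    A route-map with no matching sequence is an implicit deny."""
    for action, match in route_map:
        if match is None or match(flow):
            return action == "permit"
    return False


def _endpoint(text: str):
    """Split 'ip:port' into (ip, port)."""
    ip, _, port = text.rpartition(":")
    return ip, int(port)


def parse_nat_translations(output: str):
    """Parse 'show ip nat translations' rows into dicts; the header and any
    malformed rows are skipped."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp"):
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return entries


def port_rewritten(entry) -> bool:
    """PAT changed the source port if the inside global port differs from
    the inside local port (12.0.0.1:1 vs 12.0.0.1:179 in the post)."""
    return entry["inside_global"][1] != entry["inside_local"][1]


def translated_bgp_sessions(entries):
    """Rows where a TCP/179 session is in the NAT table at all: the symptom
    from the thread, since the peering should never be translated."""
    return [e for e in entries
            if e["proto"] == "tcp"
            and BGP_PORT in (e["inside_local"][1], e["outside_global"][1])]


# Constructed sample: row 1 is the entry shown in the post; row 2 is a
# made-up inside host browsing to R2, which PAT should translate.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 12.0.0.1:1         12.0.0.1:179       12.0.0.2:11009     12.0.0.2:11009
tcp 12.0.0.1:1024      10.1.1.5:3050      12.0.0.2:80        12.0.0.2:80
"""


if __name__ == "__main__":
    for e in translated_bgp_sessions(parse_nat_translations(SAMPLE_NAT_TABLE)):
        print("BGP session being translated:", e["inside_local"], "->",
              e["inside_global"], "port rewritten:", port_rewritten(e))
    bgp = Flow("tcp", "12.0.0.1", 1, "12.0.0.2", BGP_PORT)
    web = Flow("tcp", "10.1.1.5", 3050, "12.0.0.2", 80)
    print("BGP flow translated under route-map NAT:", nat_policy_translates(bgp))
    print("Web flow translated under route-map NAT:", nat_policy_translates(web))
```

Running it prints the translated BGP row from the sample table and shows that, under the route-map, the TCP flow to port 179 is exempt while the ordinary web flow is still translated. Because the ACL on the page matches only TCP with destination port 179, the model also shows that a UDP flow to port 179, or a TCP packet whose source port is 179, would still be marked for translation: the exemption is exactly as narrow as the ACL that defines it.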



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:25 GMT-3