From: Brian McGahan (brian@cyscoexpert.com)
Date: Sat Jul 05 2003 - 23:26:02 GMT-3
Tom,
BTW, it's Brian with an 'i'. Just like that "other" Brian ;)
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Saturday, July 05, 2003 9:22 PM
> To: 'Thomas Larus'; ccielab@groupstudy.com
> Subject: RE: BGP TCP port 179 session drops when NAT (PAT) running
>
> Tom,
>
> Yes, the behavior you describe is correct. Take the following
> setup:
>
> R1--12.0.0.0/8--R2
>
> R1 is in AS 1, R2 is in AS 2. R1 is running NAT overload (PAT)
> on the serial interface connected to R2. R1's config is as follows:
>
>
> interface Serial0/1
> ip address 12.0.0.1 255.0.0.0
> ip nat outside
> clockrate 64000
> !
> router bgp 1
> neighbor 12.0.0.2 remote-as 2
> !
> ip nat inside source list 1 int s0/1 overload
> !
> access-list 1 permit any
>
> When you look at R1's translation table, you can see that the
> BGP session is getting translated:
>
> R1# sh ip nat trans
> Pro  Inside global    Inside local     Outside local     Outside global
> tcp  12.0.0.1:1       12.0.0.1:179     12.0.0.2:11009    12.0.0.2:11009
>
>
> When R2 receives this BGP request, it cannot process it because
> the ports have been translated. In order to avoid this issue, we must
> configure R1 not to NAT BGP traffic. The config would be as follows:
>
>
> ip nat inside source route-map NAT interface Serial0/1 overload
> !
> route-map NAT deny 10
> match ip address 100
> !
> route-map NAT permit 20
> !
> access-list 100 permit tcp any any eq bgp
>
>
> This instructs R1's NAT process to NAT only traffic that does
> not match access-list 100, which specifies BGP traffic.
>
> R1#sh ip bgp | b Neighbor
> Neighbor    V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 12.0.0.2    4     2      11      12        3    0    0 00:06:46        1
>
> As you can see from this output, the BGP session is now
> established.
>
> HTH,
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866.CyscoXP
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Thomas Larus
> > Sent: Saturday, July 05, 2003 7:57 PM
> > To: ccielab@groupstudy.com
> > Subject: BGP TCP port 179 session drops when NAT (PAT) running
> >
> > Has anyone else experienced this:
> >
> > You configure BGP peering from a serial interface that is also the IP NAT
> > outside interface for Port Address Translation. Actually, the BGP peering
> > came first, and then you added PAT. PAT kills the BGP session by changing
> > the source port number.
> >
> > Unless you exclude the IP NAT outside interface's own IP address from the
> > IP NAT inside source pool, PAT will change the source port for the TCP
> > session, and the other BGP peer will not like the new port number and will
> > terminate the BGP session. At least that is what seemed to be going on when
> > I experienced this a while back.
> >
> > I just wanted to see if other folks had experienced this. I mean, ideally,
> > one would think that PAT would not act on TCP traffic originating from the
> > IP NAT outside interface itself. I guess there is so much shuffling around
> > of ports involved in PAT that even traffic sourced from the outside
> > interface can end up with changed source ports. Either that, or the traffic
> > ostensibly sourced from the outside interface is logically treated by PAT
> > as sourced from elsewhere on the router. I would understand if this happened
> > when I had a loopback address configured as an IP NAT inside interface, but
> > the problem persisted when I took NAT off the loopback.
> >
> > I just wanted to see if any of the brilliant engineers out there would
> > explain this phenomenon. (Priscilla O., Howard B., Brian D., Bryan M., Fred
> > I.?)
> >
> > Tom Larus, CCIE #10,014
> >
> >
> >
>
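Added example (not from the thread, and not IOS code): a small Python model of the behaviour discussed above. It applies PAT overload to packets leaving the outside interface, the router's own included, which is what the "sh ip nat trans" output shows, and then evaluates the route-map deny / access-list 100 exemption. The model reads "permit tcp any any eq bgp" the way IOS extended ACLs do, as a destination-port match, so it exempts R1's active-open SYN towards 12.0.0.2:179 but not a reply that R1 sources from port 179 when R2 opened the session; a second, assumed ACL entry matching source port 179 covers that half as well. The peer check models why the session dies: R2's socket expects segments from 12.0.0.1:179, and a SYN-ACK arriving from 12.0.0.1:1 matches no socket. The ephemeral port 11002 and the counter-based port allocation are constructed for the illustration.

```python
"""Toy model of IOS PAT ('ip nat inside source ... overload') hitting
router-sourced traffic that leaves the 'ip nat outside' interface, and of
the route-map exemption from the thread.  Constructed illustration, not
IOS code; port allocation is a plain counter so the first flow lands on
port 1 as in the 'sh ip nat trans' output above."""

from dataclasses import dataclass, replace as dc_replace
from typing import Callable, Dict, List, Optional, Tuple

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# One ACL entry: (action, matcher).  Extended ACL 'permit tcp any any eq bgp'
# matches on the destination port only.
AclEntry = Tuple[str, Callable[[Packet], bool]]


def acl_100_as_posted() -> List[AclEntry]:
    """access-list 100 permit tcp any any eq bgp"""
    return [("permit", lambda p: p.proto == "tcp" and p.dst_port == BGP_PORT)]


def acl_100_both_directions() -> List[AclEntry]:
    """Assumed extension (not in the thread): also exempt packets sourced
    from port 179, i.e. R1's replies when the peer opened the session."""
    return acl_100_as_posted() + [
        ("permit", lambda p: p.proto == "tcp" and p.src_port == BGP_PORT),
    ]


def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    for action, matcher in acl:          # first match wins, implicit deny at the end
        if matcher(p):
            return action == "permit"
    return False


class PatOverload:
    """PAT for one outside interface.  Every inside->outside flow that the
    policy selects gets its source rewritten to (outside_ip, fresh port)."""

    def __init__(self, outside_ip: str, exempt_acl: Optional[List[AclEntry]] = None):
        self.outside_ip = outside_ip
        self.exempt_acl = exempt_acl     # the 'route-map NAT deny 10' clause
        self.next_port = 1
        self.table: Dict[Tuple[str, str, int, str, int], int] = {}

    def selected(self, p: Packet) -> bool:
        """route-map NAT: deny 10 (match ip address 100), permit 20 (anything else)."""
        if self.exempt_acl is not None and acl_permits(self.exempt_acl, p):
            return False
        return True

    def outbound(self, p: Packet) -> Packet:
        """Packet leaving the outside interface.  Router-sourced traffic is
        treated as 'inside' here, which is the behaviour the thread observed."""
        if not self.selected(p):
            return p
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return dc_replace(p, src_ip=self.outside_ip, src_port=self.table[key])


def peer_accepts(expected_peer: Tuple[str, int], p: Packet) -> bool:
    """R2's TCP stack matches a segment to its socket only if the source
    (ip, port) is the one it connected to; anything else gets a RST."""
    return (p.src_ip, p.src_port) == expected_peer


def simulate(exempt_acl: Optional[List[AclEntry]]) -> Dict[str, object]:
    r1 = PatOverload("12.0.0.1", exempt_acl)
    # Case 1: R2 opened the session (12.0.0.2:11009 -> 12.0.0.1:179) and R1 answers
    # from port 179, the flow shown in the translation table above.
    reply = Packet("tcp", "12.0.0.1", BGP_PORT, "12.0.0.2", 11009)
    reply_wire = r1.outbound(reply)
    # Case 2: R1 does the active open from an ephemeral port (11002 is constructed).
    syn = Packet("tcp", "12.0.0.1", 11002, "12.0.0.2", BGP_PORT)
    syn_wire = r1.outbound(syn)
    return {
        "reply_on_wire": reply_wire,
        "peer_accepts_reply": peer_accepts(("12.0.0.1", BGP_PORT), reply_wire),
        "syn_on_wire": syn_wire,
        "syn_translated": syn_wire.src_port != syn.src_port,
    }


if __name__ == "__main__":
    for label, acl in [("no exemption", None),
                       ("ACL 100 as posted", acl_100_as_posted()),
                       ("ACL 100 + src-port entry", acl_100_both_directions())]:
        r = simulate(acl)
        print(f"{label:26} reply src={r['reply_on_wire'].src_port:<5} "
              f"peer accepts={r['peer_accepts_reply']!s:5} "
              f"active-open SYN translated={r['syn_translated']}")
```

Running it prints one line per policy: with no exemption the reply leaves as 12.0.0.1:1 and R2 rejects it; with the ACL as posted only R1's own active open escapes translation; with the extra source-port entry neither direction is touched. On a real box the check is the same one Brian used: "sh ip nat trans" should show no entry for port 179 once the route-map is in place.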
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:26 GMT-3