Re: Nat Expandable

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Jul 14 2004 - 08:43:05 GMT-3


Well, I understand the theory (or I think I do :-)
but then, as I see it, the alias is useful for statics so outside-generated
traffic can find its way through the NAT. Now, if you get rid of the
alias, how is the outside traffic supposed to reach the NAT?

Having two NATs for redundancy strikes me as a very bad idea without a
lot of state sharing between them, BTW. One of the not so nice things
about NAT (dynamic at least) is that you HAVE to have a bottleneck for
your traffic (because your return traffic has to come through your exit
point or else no NAT info).

Geert Nijs wrote:

> The no_alias option prevents the router from generating an ARP entry for
> the translated address. Static nat works in two ways: a session can be
> set up from the inside interface but a session can also be set up from an
> outside interface.
> To make this work, the router has to "respond" on the outside interface
> for the "translated" inside host. He does this by inserting a static arp
> entry on the outside interface. You can see this entry with "sh arp".
>
> No_alias prevents this static arp from being created, thereby limiting
> the static nat translation to sessions set up from the inside only (a bit
> like dynamic nat).
>
> Sometimes this static arp entry can generate problems, such as when you
> have two redundant, parallel routers which have the same static nat
> rules for redundancy. We have seen situations where the routers start
> generating "Duplicate IP address" warnings on the outside interfaces,
> since the router sees the same global address with two different mac
> addresses: one of router A and one of router B.
>
> Regards,
> Geert
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> Sent: Wednesday 14 July 2004 12:26
> To: Geert Nijs
> Cc: Cooper, David; CCIE LAB List
> Subject: Re: Nat Expandable
>
> And also would let you statically nat an inside service to a global
> ip:port even when you only have one public address. Cute.
>
> On a related topic, there's a no_alias option. Anyone with an example
> case of where this option fits?
> I've seen it used with extendable, but I fail to get why.
>
>
>
> Geert Nijs wrote:
>
>
>>It will "expand" your translations for static natting.
>>
>>Previously, when using static nat, the only translation you saw in "show
>>ip nat translation" was the ip address:
>>
>><inside global> <inside local> <outside global> <outside local>
>>
>>This was static. So you don't know anything about which sessions the
>>client is using. Is he translating web, ftp, telnet?? The router
>>translates all, but you don't see it.
>>
>>If you use "expandable", this translation will be expanded to PAT
>>dynamically, so when the client sets up a session you will see in "show
>>ip nat translation":
>>
>><inside global> <inside local> <outside global> <outside local>
>><inside global:23> <inside local:23> <outside global:1233> <outside local:1233>
>><inside global:25> <inside local:25> <outside global:1345> <outside local:1345>
>>
>>Which gives you an indication of which sessions the client is using....
>>
>>Regards,
>>Geert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Cooper, David
>>Sent: Tuesday 13 July 2004 19:57
>>To: CCIE LAB List
>>Subject: Nat Expandable
>>
>>Can anyone tell me what the expandable command at the end of an IP NAT
>>inside/outside actually does? I cannot find any good references on
>>Cisco and it seems to be a fairly new command. Thanks!
>>
>>-David
>>
>>
>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>>
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
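Added example, not part of any post in this thread: an IOS configuration that puts the three things discussed side by side, a plain static entry, static port entries sharing one global address with extendable (the IOS keyword is spelled extendable; the thread writes "expandable"), and a static entry with no-alias, followed by the show commands used to verify the translation table and the alias (ARP) entry. Interface names, addresses (RFC 1918 inside, 203.0.113.0/24 outside) and the inside hosts are assumptions chosen for illustration.

```cisco
! Added example, not from any post in this thread. Interfaces, addresses
! and the inside hosts below are assumptions for illustration only.
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Plain one-to-one static entry (no ports): "show ip nat translations"
! only ever shows this single line, whatever sessions 10.1.1.5 opens.
ip nat inside source static 10.1.1.5 203.0.113.5
!
! extendable: two services behind the same inside global address
! 203.0.113.10 (one public IP, two static port translations), and each
! session is expanded to its own :port line in the translation table
! while it is open, so you can see which sessions are in use.
ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80 extendable
ip nat inside source static tcp 10.1.1.20 25 203.0.113.10 25 extendable
!
! no-alias: same kind of static entry, but the router installs no alias
! (static ARP) for 203.0.113.20 on the outside interface. It therefore
! does not answer ARP for that address, outside hosts on the segment
! cannot reach the translation, and only inside-initiated sessions use
! it. This is the form for a second, parallel router that would
! otherwise claim the same global address with its own MAC and trigger
! the "Duplicate IP address" warnings described in the thread.
ip nat inside source static 10.1.1.30 203.0.113.20 no-alias
!
! Checks to run after configuring:
!   show ip nat translations   static lines are always present; with
!                              extendable, extra per-session lines with
!                              :port appear while sessions are open
!   show arp                   203.0.113.5 and 203.0.113.10 are listed on
!                              FastEthernet0/1 with the router's own MAC;
!                              203.0.113.20 (no-alias) is not
!   show ip aliases            lists the addresses the router aliases,
!                              including the NAT ones
!   debug ip nat               prints each translation as packets pass
```

If a second router on the same outside segment carries the same static entries for redundancy, only one of them should own the alias; the other gets no-alias and, as Carlos notes above, the return traffic for sessions that went out through the first router still has to come back through it, because the second router holds no translation state for them.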


This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:54 GMT-3