From: Geert Nijs (geert.nijs@simac.be)
Date: Wed Jul 14 2004 - 08:57:15 GMT-3
Well, once the session has been set up from the inside, then and only
then is the alias inserted, I think. After the nat translation has
timed out, the alias is removed....
Whereas with static nat, the alias remains all the time..... ???
-----Original Message-----
From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
Sent: Wednesday 14 July 2004 13:43
To: Geert Nijs
Cc: Cooper, David; CCIE LAB List
Subject: Re: Nat Expandable
Well, I understand the theory (or I think I do :-)
but then, as I see it, the alias is useful for statics so outside generated
traffic can find its way through the nat. Now, if you get rid of the
alias, how is the outside traffic supposed to reach the nat?
Having two nats for redundancy strikes me as a very bad idea without a
lot of state sharing between them BTW. One of the not so nice things
about NAT (dynamic at least) is that you HAVE to have a bottleneck for
your traffic (because your return traffic has to come through your exit
point or else no NAT info).
Geert Nijs wrote:
> The no_alias option prevents the router from generating an ARP entry for
> the translated address. Static nat works in two ways: a session can be
> set up from the inside interface but a session can also be set up from an
> outside interface.
> To make this work, the router has to "respond" on the outside interface
> for the "translated" inside host. He does this by inserting a static arp
> entry on the outside interface. You can see this entry with "sh arp".
>
> No_alias prevents this static arp from being created, thereby limiting
> the static nat translation to sessions set up from the inside only (a bit
> like dynamic nat).
>
> Sometimes this static arp entry can generate problems, such as when you
> have two redundant, parallel routers which have the same static nat
> rules for redundancy. We have seen situations where the routers start
> generating "Duplicate IP address" warnings on the outside interfaces,
> since the router sees the same global address with two different mac
> addresses: one of router A and one of router B.
>
> Regards,
> Geert
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> Sent: Wednesday 14 July 2004 12:26
> To: Geert Nijs
> Cc: Cooper, David; CCIE LAB List
> Subject: Re: Nat Expandable
>
> And also would let you statically nat an inside service to a global
> ip:port even when you only have one public address. Cute.
>
> On a related topic, there's a no_alias option. Anyone with an example
> case of where this option fits?
> I've seen it used when extendable, but I fail to get why.
>
>
>
> Geert Nijs wrote:
>
>
>>It will "expand" your translations for static natting.
>>
>>Previously, when using static nat, the only translation you saw in "show
>>ip nat translation" was the ip address:
>>
>><inside global> <inside local> <outside global> <outside local>
>>
>>This was static. So you don't know anything about which sessions the
>>client is using: is he translating web, ftp, telnet?? The router
>>translates all, but you don't see it.
>>
>>If you use "expandable", this translation will be expanded to PAT
>>dynamically, so when the client sets up a session you will see in "show
>>ip nat translation":
>>
>><inside global> <inside local> <outside global> <outside local>
>><inside global:23> <inside local:23> <outside global:1233> <outside local:1233>
>><inside global:25> <inside local:25> <outside global:1345> <outside local:1345>
>>
>>Which gives you an indication of which sessions the client is using....
>>
>>Regards,
>>Geert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Cooper, David
>>Sent: Tuesday 13 July 2004 19:57
>>To: CCIE LAB List
>>Subject: Nat Expandable
>>
>>Can anyone tell me what the expandable command at the end of an IP NAT
>>inside/outside actually does? I can not find any good references on
>>Cisco and it seems to be a fairly new command. Thanks!
>>
>>-David
>>
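As an added illustration (not from anyone in this thread), the following constructed IOS configuration puts the three behaviours discussed above side by side: a plain static translation that installs an ARP alias on the outside interface, port-level static entries sharing one global address with the keyword IOS actually spells `extendable` (called "expandable" above), and the same static translation with `no-alias` (written "no_alias" above) for a redundant router pair. Interface names and all addresses are made up; 10.1.1.0/24 is the inside network and 203.0.113.0/24 the outside segment.

```cisco
! Constructed example; hostnames, interfaces and addresses are assumptions.
interface GigabitEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside (shared segment, second redundant router also here)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! 1. Plain static translation. The router creates an alias for 203.0.113.10
!    on the outside interface (visible with "show arp"), so outside hosts on
!    the segment can reach the inside host and sessions may start from
!    either side.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! 2. Port-level static entries with "extendable": two inside servers are
!    published behind the single global address 203.0.113.11, one on tcp/80
!    and one on tcp/25. "show ip nat translations" lists these as
!    address:port entries rather than a bare address-to-address line.
ip nat inside source static tcp 10.1.1.20 80 203.0.113.11 80 extendable
ip nat inside source static tcp 10.1.1.21 25 203.0.113.11 25 extendable
!
! 3. Redundant pair: both routers carry rule (1), so both answer ARP for
!    203.0.113.10 and the outside segment sees one address with two MAC
!    addresses ("Duplicate IP address"). Replacing (1) with a no-alias
!    translation stops either router from claiming the address; the entry
!    then only serves sessions started from the inside.
no ip nat inside source static 10.1.1.10 203.0.113.10
ip nat inside source static 10.1.1.10 203.0.113.10 no-alias
!
! Checks after applying:
!   show arp                   -> 203.0.113.10 no longer listed as an alias
!   show ip nat translations   -> tcp entries for 203.0.113.11:80 and :25
```

The trade-off in (3) is exactly the one raised in the question above: once the router stops answering ARP for the global address, outside-initiated traffic can only reach that translation if the global address arrives at the router by a route (for example a block routed to the pair's shared next hop) rather than by ARP on the directly connected outside segment. For the inside-initiated case the alias was never needed, since the return traffic is matched against the existing translation entry.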
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:55 GMT-3