Re: Nat Expandable

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Jul 14 2004 - 10:23:11 GMT-3


That would not fit the examples, which are all for a service being
advertised, i.e., you need the NAT for outsiders reaching your inside host.

Geert Nijs wrote:
> Well, once the session has been set up from the inside, then and only
> then the alias is inserted I think. After the nat translation has
> timed out, the alias is removed....
> Where with static nat, the alias remains all the time..... ???
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> Sent: woensdag 14 juli 2004 13:43
> To: Geert Nijs
> Cc: Cooper, David; CCIE LAB List
> Subject: Re: Nat Expandable
>
> Well, I understand the theory (or I think I do :-)
> but then,
> as I see it, the alias is useful for statics so outside generated
> traffic can find its way through the nat. Now, if you get rid of the
> alias, how is the outside traffic supposed to reach the nat ?
>
> Having two nats for redundancy strikes me as a very bad idea without a
> lot of state sharing between them BTW. One of the not so nice things
> about NAT (dynamic at least) is that you HAVE to have a bottleneck for
> your traffic (because your return traffic has to come through your exit
> point or else no NAT info).
>
> Geert Nijs wrote:
>
>
>>The no_alias option prevents the router from generating an ARP entry
>>for the translated address. Static nat works in two ways: a session can
>>be set up from the inside interface but a session can also be set up
>>from an outside interface.
>>To make this work, the router has to "respond" on the outside interface
>>for the "translated" inside host. He does this by inserting a static
>>arp entry on the outside interface. You can see this entry with "sh arp"
>>
>>No_alias prevents this static arp from being created, thereby limiting
>>the static nat translation to sessions set up from the inside only (a
>>bit like dynamic nat)
>>
>>Sometimes this static arp entry can generate problems, such as when
>>you have two redundant, parallel routers which have the same static nat
>>rules for redundancy. We have seen situations where the routers start
>>generating "Duplicate IP address" warnings on the outside interfaces,
>>since the router sees the same global address with two different mac
>>addresses: one of router A and one of router B.
>>
>>Regards,
>>Geert
>>
>>-----Original Message-----
>>From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
>>Sent: woensdag 14 juli 2004 12:26
>>To: Geert Nijs
>>Cc: Cooper, David; CCIE LAB List
>>Subject: Re: Nat Expandable
>>
>>And also would let you statically nat an inside service to a global
>>ip:port even when you only have one public address. Cute.
>>
>>On a related topic, there's a no_alias option. Anyone with an example
>>case of where this option fits ?
>>I've seen it used when extendable, but I fail to get why.
>>
>>
>>
>>Geert Nijs wrote:
>>
>>
>>
>>>It will "expand" your translations for static natting.
>>>
>>>Previously, when using static nat, the only translation you saw in
>>>"show ip nat translation" was the ip address:
>>>
>>><inside global> <inside local> <outside global> <outside local>
>>>
>>>This was static. So you don't know anything about which sessions the
>>>client is using ? is he translating web, ftp, telnet ?? The router
>>>translates all, but you don't see it.
>>>
>>>If you use "expandable", this translation will be expanded to PAT
>>>dynamically, so when the client sets up a session you will see in
>>>"show ip nat translation":
>>>
>>><inside global> <inside local> <outside global> <outside local>
>>><inside global:23> <inside local:23> <outside global:1233> <outside local:1233>
>>><inside global:25> <inside local:25> <outside global:1345> <outside local:1345>
>>>
>>>Which gives you an indication of which sessions the client is
>>>using....
>>
>>
>>>Regards,
>>>Geert
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>Cooper, David
>>>Sent: dinsdag 13 juli 2004 19:57
>>>To: CCIE LAB List
>>>Subject: Nat Expandable
>>>
>>>Can anyone tell me what the expandable command at the end of an IP NAT
>>>inside/outside actually does? I can not find any good references on
>>>Cisco and it seems to be a fairly new command. Thanks!
>>>
>>>-David
>>>
>>>
>>
>>
>>>_______________________________________________________________________
>>>Please help support GroupStudy by purchasing your study materials from:
>>>http://shop.groupstudy.com
>>>
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>>>########################################################################
>>>This e-mail and any attached files are confidential and may be legally
>>>privileged. If you are not the addressee, any disclosure, reproduction,
>>>copying, distribution, or other dissemination or use of this
>>>communication is strictly prohibited. If you have received this
>>>transmission in error please notify Simac immediately and then delete
>>>this e-mail.
>>>
>>>Simac has taken all reasonable precautions to avoid viruses in this
>>>email. Simac does not accept liability for damage by viruses, for the
>>>correct and complete transmission of the information, nor for any delay
>>>or interruption of the transmission, nor for damages arising from the
>>>use of or reliance on the information.
>>>
>>>All e-mail messages addressed to, received or sent by Simac or Simac
>>>employees are deemed to be professional in nature. Accordingly, the
>>>sender or recipient of these messages agrees that they may be read by
>>>other Simac employees than the official recipient or sender in order to
>>>ensure the continuity of work-related activities and allow supervision
>>>thereof.
>>>########################################################################
>>
>

-- 
Carlos G Mendioroz <tron@huapi.ba.ar>

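The thread talks about the `extendable` keyword (spelled "expandable" in the subject; the IOS keyword is `extendable`) and `no-alias` on `ip nat inside source static` without ever showing a configuration. The fragment below is an added example written for this archive page, not configuration posted by any of the participants. Interface names and all addresses (RFC 5737 documentation ranges, and the assumption that the upstream router already routes 198.51.100.0/24 to this router) are assumptions made for the example.

```text
! Added example, not from the original posts. Interfaces and addresses are
! assumed; the address ranges are RFC 5737 documentation space.
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside; 203.0.113.0/24 is the segment shared with the ISP router
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! 1) Plain 1:1 static NAT. Every port of 10.1.1.20 is reachable from outside
!    as 203.0.113.20. The router adds an alias for 203.0.113.20 and answers
!    ARP for it on the outside segment, which is what lets outside-initiated
!    traffic (and return traffic) find this router. Visible in "show arp".
ip nat inside source static 10.1.1.20 203.0.113.20
!
! 2) Port-level statics sharing ONE global address. "extendable" lets several
!    inside host:port pairs share 203.0.113.10 and makes each session show up
!    as its own port-level line in "show ip nat translations".
ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80 extendable
ip nat inside source static tcp 10.1.1.11 25 203.0.113.10 25 extendable
!
! 3) "no-alias": no alias and no ARP answer for the global address. Only
!    sensible when nothing on the outside segment has to ARP for the global
!    address, e.g. 198.51.100.30 is off-subnet and the upstream routes
!    198.51.100.0/24 to 203.0.113.1 (assumed here). With two parallel routers
!    this is also what stops both of them answering ARP for the same global.
ip nat inside source static 10.1.1.30 198.51.100.30 no-alias
!
! Verification (illustrative, exact output varies by release):
!   show arp                           203.0.113.20 and 203.0.113.10 appear
!                                      with the router's own MAC on Fa0/1;
!                                      198.51.100.30 does not
!   show ip nat translations           one "---" line per static; after an
!                                      outside client connects to
!                                      203.0.113.10:80 an extra "tcp" line
!                                      with the client's address:port appears
!   show ip nat translations verbose   adds create/use timers and the
!                                      extended flag on the per-session lines
```

The security-relevant difference between items 1 and 2 is exposure: a 1:1 static forwards every port of the inside host to any outside initiator, so an inbound ACL on the outside interface (not shown) must do the filtering, whereas the per-port `extendable` statics expose only the listed ports. Carlos's redundancy caveat applies unchanged: a second router holding the same statics would answer ARP for the same global addresses with its own MAC, which is the duplicate-address symptom Geert describes, and the per-session entries created by `extendable` live only on the router that saw the first packet, so return traffic has to come back through that router or it will not be translated.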

This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:55 GMT-3