Re: Dynamic NAT

From: Matt Mullen (mullenm@gmail.com)
Date: Thu Dec 02 2004 - 18:58:02 GMT-3


Hi,

I tried it and there was no message generated when the pool was
exhausted. I am running 12.2(26)...

R2#sh run
!
interface Loopback88
 ip address 88.88.88.1 255.255.255.0
 ip nat inside
!
interface Loopback99
 ip address 99.99.99.1 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
interface Serial0.24 point-to-point
 ip address 150.50.24.2 255.255.255.0
 ip nat outside
 frame-relay interface-dlci 104
!
!
ip nat pool natpool 150.50.24.100 150.50.24.100 netmask 255.255.255.0
ip nat inside source list 1 pool natpool
!
access-list 1 permit 88.88.88.0 0.0.0.255
access-list 1 permit 99.99.99.0 0.0.0.255

R2#ping ip 150.50.24.4 source lo88

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
R2#ping ip 150.50.24.4 source lo99

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.1
.....
Success rate is 0 percent (0/5)
R2#

Interesting that it doesn't log anything. Would be nice to know when
your nat pool is running out. I guess we should all switch to IPv6 :)

-Matt
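Since the test above shows the router logging nothing when the pool runs out, one way to notice it is to poll `show ip nat statistics` and watch the per-pool counters. The sketch below is an added example, not part of the original post: the sample output is constructed and assumes the usual IOS layout of that command (treating the pool's "misses" counter as failed allocations is also an assumption), and `parse_pools` / `pool_alerts` are hypothetical names.

```python
import re

# Constructed sample (not from the original post), modelled on the lab above:
# a one-address pool already allocated, with pings from the second loopback failing.
SAMPLE = """\
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0.24
Inside interfaces:
  Loopback88, Loopback99
Hits: 5  Misses: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool natpool refcount 1
 pool natpool: netmask 255.255.255.0
    start 150.50.24.100 end 150.50.24.100
    type generic, total addresses 1, allocated 1 (100%), misses 5
"""

POOL_RE = re.compile(r"^\s*pool (\S+): netmask")
USAGE_RE = re.compile(r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)")

def parse_pools(text):
    """Return {pool: {"total", "allocated", "percent", "misses"}} from the statistics text."""
    pools, current = {}, None
    for line in text.splitlines():
        header = POOL_RE.match(line)
        if header:
            current = header.group(1)
            continue
        usage = USAGE_RE.search(line)
        if usage and current:
            keys = ("total", "allocated", "percent", "misses")
            pools[current] = dict(zip(keys, map(int, usage.groups())))
            current = None
    return pools

def pool_alerts(text, warn_percent=80, prev_misses=None):
    """Return (pool, status, new_misses) for pools that are full, nearly full, or missing."""
    prev_misses = prev_misses or {}
    alerts = []
    for name, p in sorted(parse_pools(text).items()):
        new_misses = max(p["misses"] - prev_misses.get(name, 0), 0)  # counter may be cleared
        if p["allocated"] >= p["total"]:
            alerts.append((name, "EXHAUSTED", new_misses))
        elif p["percent"] >= warn_percent or new_misses:
            alerts.append((name, "WARN", new_misses))
    return alerts

if __name__ == "__main__":
    for alert in pool_alerts(SAMPLE):
        print(alert)
```

Passing the previous poll's miss counts as `prev_misses` separates a pool that is merely full from one that is actively refusing new translations.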

On Thu, 02 Dec 2004 15:49:51 -0500, Larry Roberts
<groupstudy@american-hero.com> wrote:
> Yep.
>
> I don't know if an error message is generated or not.
>
> I guess the best way would be to make a pool of 1 address, and try to
> have 2 different devices use it. See if anything gets written to the log
>
> I'm in the midst of a practice lab, or I would do it myself.
>
>
>
>
> Lee Gillespie wrote:
> > When the 29th user complains....
> >
> >
> > --- ccie2be <ccie2be@nyc.rr.com> wrote:
> >
> >
> >>Thanks again,
> >>
> >>but I forgot to ask:
> >>
> >>What happens when it fails? Will NAT silently discard the packet, will a
> >>console message appear, or something else altogether?
> >>
> >>In other words, how would I know when or if this
> >>situation occurred?
> >>
> >>Thanks, Tim
> >>----- Original Message -----
> >>From: "Larry Roberts" <groupstudy@american-hero.com>
> >>To: "Phil" <theccie@gmail.com>
> >>Cc: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> >><ccielab@groupstudy.com>
> >>Sent: Thursday, December 02, 2004 1:59 PM
> >>Subject: Re: Dynamic NAT
> >>
> >>
> >>
> >>>without the "overload" keyword, the 29th NAT translation will fail.
> >>>with "overload" PAT kicks in.
> >>>
> >>>Larry
> >>>
> >>>
> >>>Phil wrote:
> >>>
> >>>>That is a good question. Without trying in the lab I would say that if
> >>>>your nat command is:
> >>>>
> >>>>ip nat inside source list 1 pool SMALL overload
> >>>>
> >>>>It will use PAT on the NATed source addresses, but every source will
> >>>>be 204.1.1.3 with different port numbers. Without the "overload"
> >>>>keyword my guess is that it will not work after the last address in
> >>>>the pool is used.
> >>>>
> >>>>Phil
> >>>>
> >>>>On Thu, 2 Dec 2004 13:34:59 -0500, ccie2be <ccie2be@nyc.rr.com> wrote:
> >>
> >>>>>Hi guys,
> >>>>>
> >>>>>I've seen several examples where the pool of addresses (Inside Global) is
> >>>>>smaller than the number of Inside Local that might potentially need to be
> >>>>>translated.
> >>>>>
> >>>>>For example, let's say the inside local address is 10.0.1.0/24 which is 254
> >>>>>potential addresses to be translated.
> >>>>>
> >>>>>Also, assume the pool of Inside Global address is defined like this:
> >>>>>
> >>>>>ip nat pool SMALL 204.1.1.3 204.1.1.31 netmask 255.255.255.0
> >>>>>
> >>>>>which is a total of 28 addresses.
> >>>>>
> >>>>>What happens when the 29th Inside Local address needs to be translated?
> >>>>>
> >>>>>Does it just not work or does NAT "know" to now use extended translation
> >>>>>tables?
> >>>>>
> >>>>>TIA, Tim
> >>>>>
> >>>
> >>>_______________________________________________________________________
> >>>
> >>>>>Subscription information may be found at:
> >>>>>http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:23 GMT-3