From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Tue Aug 09 2005 - 09:57:09 GMT-3
I'll take a stab...open mouth...insert foot... ;-)
Godswill, the ACL you are using defines what is allowed to create a
translation and what is not. This is not used to block any traffic per se.
Since your second PING actually created the translation, it had not timed
out by the time you tried your third PING. If you had waited long enough
for the translation to be torn down, I bet the third PING would have failed
like the second. If you really want to deny the traffic over and above the
translation ACL, you would have to create a second ACL and apply it to the
interface.
I use NAT with extended ACLs and route maps with no problems.
Rik
-----Original Message-----
From: Godswill Oletu [mailto:oletu@inbox.lv]
Sent: Tuesday, August 09, 2005 1:36 AM
To: cisco@groupstudy.com
Subject: Lab 31 - CCIE Practical Studies -> How well does NAT work with [7:101780]
Hi,
Am I missing something as far as NAT is concerned?
e.g.:
!
interface loopback0
 ip address 200.100.1.33 255.255.255.248
!
interface fastethernet0/0
 ip address 9.3.3.1 255.255.255.0
 ip nat inside
!
interface serial0/0
 ip address 192.168.11.6 255.255.255.252
 ip nat outside
!
access-list 101 deny ip 172.16.0.0 0.0.255.255 host 200.100.1.17
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 200.100.1.18
!
ip nat pool ccie 200.100.1.34 200.100.1.38 netmask 255.255.255.248
ip nat inside source list 101 pool ccie
!
Results:
From a workstation behind 'fastethernet0/0':
C:\>ping 200.100.1.17
request timed out (Good, expected)
C:\>ping 200.100.1.18
reply from 200.100.1.18 (Good, expected!)
C:\>ping 200.100.1.17
reply from 200.100.1.17 (Surprised!!!!!, not expected)
I have been using NAT for years and thought I understood its inner workings
very well, but had not used an extended access-list for NAT. However, the above
result looks weird to me, or am I missing something vital as far as NAT
is concerned?
Despite the DENY host 200.100.1.17, once there is a translation for host
200.100.1.18 on the table, NAT seems to close its eyes and accept traffic
destined for 200.100.1.17.
How well does NAT work with Extended Access List? Or is this a bug?
Thanks.
Godswill Oletu
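The behaviour Rik describes (the translation ACL is consulted only when a new entry is created, an existing entry keeps translating until it times out, and a separate interface ACL is what actually filters traffic) can be replayed with a small model of a simple dynamic NAT table. The model below is an added example written for this archive page, not code from the thread or from Cisco; it assumes a non-overload pool, that using an entry refreshes its timer, and uses a constructed inside host (172.16.1.10), a constructed 60-second timeout and a constructed interface ACL.

```python
from ipaddress import ip_address, ip_network

# Extended ACL 101 as posted in the thread: (action, source network, destination host).
# A destination of None means "any" (used by the constructed interface ACL below).
ACL_101 = [
    ("deny",   ip_network("172.16.0.0/16"), ip_address("200.100.1.17")),
    ("permit", ip_network("172.16.0.0/16"), ip_address("200.100.1.18")),
]

# Constructed interface ACL implementing Rik's suggestion: deny the host explicitly,
# evaluated on every packet and independent of the NAT table.
INTERFACE_ACL = [
    ("deny",   ip_network("172.16.0.0/16"), ip_address("200.100.1.17")),
    ("permit", ip_network("0.0.0.0/0"),     None),
]


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src_net, dst_host in acl:
        if src in src_net and (dst_host is None or dst == dst_host):
            return action == "permit"
    return False


class DynamicNat:
    """Simple (non-overload) inside-source NAT: one inside-local -> inside-global entry per host."""

    def __init__(self, acl, pool, timeout):
        self.acl = acl
        self.free = list(pool)   # inside-global addresses not yet handed out
        self.table = {}          # inside local -> (inside global, expiry time)
        self.timeout = timeout   # seconds; stands in for 'ip nat translation timeout'

    def expire(self, now):
        """Tear down entries whose timer ran out and return their global address to the pool."""
        for local, (glob, expiry) in list(self.table.items()):
            if now >= expiry:
                del self.table[local]
                self.free.append(glob)

    def translate(self, src, dst, now):
        """Return the inside-global address used for this packet, or None if it is not translated."""
        self.expire(now)
        if src in self.table:
            # Existing entry: the ACL is NOT consulted again and the destination plays no role.
            glob, _ = self.table[src]
            self.table[src] = (glob, now + self.timeout)  # assumption: use refreshes the timer
            return glob
        # No entry yet: the translation ACL decides whether one may be created.
        if not acl_permits(self.acl, src, dst) or not self.free:
            return None
        glob = self.free.pop(0)
        self.table[src] = (glob, now + self.timeout)
        return glob


def forward(nat, iface_acl, src, dst, now):
    """Inside-interface packet path: interface ACL first, then NAT.
    Returns the translated source as a string, or None if dropped / not translated."""
    if iface_acl is not None and not acl_permits(iface_acl, src, dst):
        return None
    glob = nat.translate(src, dst, now)
    return str(glob) if glob is not None else None


def run_thread_sequence(iface_acl=None):
    """Replay Godswill's three pings, plus a fourth one after the entry has timed out."""
    pool = [ip_address(f"200.100.1.{i}") for i in range(34, 39)]  # 'ip nat pool ccie'
    nat = DynamicNat(ACL_101, pool, timeout=60)                   # constructed 60 s timeout
    host = ip_address("172.16.1.10")                              # constructed inside host
    h17, h18 = ip_address("200.100.1.17"), ip_address("200.100.1.18")
    return [
        forward(nat, iface_acl, host, h17, now=0),    # denied by ACL 101: no translation
        forward(nat, iface_acl, host, h18, now=1),    # permitted: entry created -> 200.100.1.34
        forward(nat, iface_acl, host, h17, now=2),    # entry reused: translated despite the deny
        forward(nat, iface_acl, host, h17, now=200),  # entry timed out: denied again
    ]


if __name__ == "__main__":
    print("translation ACL only:", run_thread_sequence())
    print("with interface ACL:  ", run_thread_sequence(INTERFACE_ACL))
```

Running it reproduces the "surprise": the third ping is translated because the entry built by the second ping is still in the table, and the fourth ping (after the timer expires) is denied again. With the constructed interface ACL applied, the pings to 200.100.1.17 are dropped on every attempt, which is the second ACL Rik recommends for actually denying the traffic.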
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3