Re: NAT question

From: Vazman (vazman@gmail.com)
Date: Tue Sep 27 2005 - 00:11:03 GMT-3

• Next message: Vazman: "Re: NAT question"
• Previous message: Loi, Choon Ho: "RE: IPV6 redistribution issue"
• Maybe in reply to: Scott Smith: "NAT question"
• Next in thread: Vazman: "Re: NAT question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This will work.

You need to modify the ip nat outside statement with the "add-route"
keyword.

When you ping from 128.1.0.1 <http://128.1.0.1> to 128.1.05, this is what
happens on R3

*Mar 1 00:59:22.760: NAT*: s=128.1.0.1->204.12.1.20 <http://204.12.1.20>, d=
128.1.0.5 <http://128.1.0.5> [44]
*Mar 1 00:59:22.760: NAT*: s=204.12.1.20 <http://204.12.1.20>, d=128.1.0.5->
204.12.1.254 <http://204.12.1.254> [44]

The source address is being translated from 128.1.0.1 <http://128.1.0.1> to
204.12.1.20 <http://204.12.1.20> and the destination is
being translated from 128.1.0.5 <http://128.1.0.5> to
204.12.1.254<http://204.12.1.254>
.

When BB3 replies, it is sending the packet to a destination of
204.12.1.20<http://204.12.1.20>.
But when that packet gets to
R3, what does R3 do?? It checks the routing table and sees a connected route
for 204.12.1.0/24 <http://204.12.1.0/24> on the same interface.
The add-route keyword adds a static route for
204.12.1.20<http://204.12.1.20>pointing to
128.1.0.1 <http://128.1.0.1>

Remember that NAT works differently for inside to outside and outside to
inside. For inside to outside, it routes first and then NAT's.
For outside to inside, it NAT's first and then routes.

On R3
=====

R3#sh run | in ip nat
ip nat inside
ip nat outside
ip nat inside source static 204.12.1.254 <http://204.12.1.254>
128.1.0.5<http://128.1.0.5>
ip nat outside source static 128.1.0.1 <http://128.1.0.1>
204.12.1.20<http://204.12.1.20>add-route
R3#sh run | in ip route
R3#sh ip route static
204.12.1.0/24 <http://204.12.1.0/24> is variably subnetted, 2 subnets, 2
masks
S 204.12.1.20/32 <http://204.12.1.20/32> [1/0] via
128.1.0.1<http://128.1.0.1>
R3#

 R1#ping 128.1.0.5 <http://128.1.0.5>

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.1.0.5 <http://128.1.0.5>, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
R1#

 On 9/26/05, chrlewis@cisco.com <chrlewis@cisco.com> wrote:
>
> Yes, this will not work. I can see you have extended the logic of
> defining inside source static translation when translating source
> addresses one way, as one would typically do when using NAT to connect
> to the internet. If you try to apply the same logic with outside source
> translations, the translating router will source replies from itself
> rather than forward the packet.
>
> If you do a debug ip packet on the translating router, you should see
> replies being sourced from local if you try pings from both ways.
>
> The robust way to solve this is to have two completely separate
> translations, say have R1 ping 172.16.3.3 <http://172.16.3.3> and have
> that translated to
> the real address of BB3, then have BB3 ping sat
200.1.1.1<http://200.1.1.1>and translate
> that to the real address of R1. If this happens in the lab scenario, you
> typically cannot just create staic routes for R1 and BB3 to be able to
> send these packest towards R3, so you will have to choose destination
> addresses that each router already knows about and that point towards R3
> to get it working within the constraints of typical labs.
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Smith
> Sent: Monday, September 26, 2005 11:18 AM
> To: groupstudy
> Subject: NAT question
>
> I'm attempting to allow BB3 and R1 to communicate with neither having a
> route to the other.
>
> When I ping from R1 to BB3 the translation works but no response is
> received on R1. When I ping 204.12.1.20 <http://204.12.1.20> from BB3 R3
> replies (should
> it??) and no translation is attempted. Would someone be kind enough to
> tell me what I'm doing wrong?
>
>
> R1 ---- R3 ---- BB3
>
> R3 Config:
>
> interface Ethernet0/0
> ip address 128.1.0.3 <http://128.1.0.3> 255.255.255.0<http://255.255.255.0>
> ip nat outside
>
> interface Ethernet0/1
> ip address 204.12.1.3 <http://204.12.1.3>
255.255.255.0<http://255.255.255.0>
> ip nat inside
>
> ip nat inside source static 204.12.1.254 <http://204.12.1.254>
128.1.0.5<http://128.1.0.5>ip nat outside source
> static 128.1.0.1 <http://128.1.0.1> 204.12.1.20 <http://204.12.1.20>
>
> R1 config:
>
> interface Ethernet0/0
> ip address 128.1.0.1 <http://128.1.0.1> 255.255.255.0<http://255.255.255.0>
>
> BB3 Config:
>
> interface Ethernet0/0
> ip address 204.12.1.254 <http://204.12.1.254>
255.255.255.0<http://255.255.255.0>
>
>
> --
> Scott Smith
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Vazman: "Re: NAT question"
• Previous message: Loi, Choon Ho: "RE: IPV6 redistribution issue"
• Maybe in reply to: Scott Smith: "NAT question"
• Next in thread: Vazman: "Re: NAT question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3