Re: NAT question

From: Vazman (vazman@gmail.com)
Date: Tue Sep 27 2005 - 00:17:34 GMT-3

• Next message: John Matus: "Re: suspending telnet sessions"
• Previous message: Vazman: "Re: NAT question"
• Maybe in reply to: Scott Smith: "NAT question"
• Next in thread: Chris Lewis \(chrlewis\): "RE: NAT question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From a lab point of view, you will have to verify with the proctor about the
static route.
 HTH

 On 9/26/05, Vazman <vazman@gmail.com> wrote:
>
> This will work.
>
> You need to modify the ip nat outside statement with the "add-route"
> keyword.
>
> When you ping from 128.1.0.1 <http://128.1.0.1/> to 128.1.05, this is what
> happens on R3
>
> *Mar 1 00:59:22.760: NAT*: s=128.1.0.1->204.12.1.20 <http://204.12.1.20/>,
> d=128.1.0.5 <http://128.1.0.5/> [44]
> *Mar 1 00:59:22.760: NAT*: s=204.12.1.20 <http://204.12.1.20/>, d=
> 128.1.0.5->204.12.1.254 <http://204.12.1.254/> [44]
>
> The source address is being translated from 128.1.0.1 <http://128.1.0.1/>to
> 204.12.1.20 <http://204.12.1.20/> and the destination is
> being translated from 128.1.0.5 <http://128.1.0.5/>to
204.12.1.254<http://204.12.1.254/>
> .
>
> When BB3 replies, it is sending the packet to a destination of
204.12.1.20<http://204.12.1.20/>.
> But when that packet gets to
> R3, what does R3 do?? It checks the routing table and sees a connected
> route for 204.12.1.0/24 <http://204.12.1.0/24> on the same interface.
> The add-route keyword adds a static route for
204.12.1.20<http://204.12.1.20/>pointing to
> 128.1.0.1 <http://128.1.0.1/>
>
> Remember that NAT works differently for inside to outside and outside to
> inside. For inside to outside, it routes first and then NAT's.
> For outside to inside, it NAT's first and then routes.
>
> On R3
> =====
>
> R3#sh run | in ip nat
> ip nat inside
> ip nat outside
> ip nat inside source static 204.12.1.254 <http://204.12.1.254/>
128.1.0.5<http://128.1.0.5/>
> ip nat outside source static 128.1.0.1 <http://128.1.0.1/>
204.12.1.20<http://204.12.1.20/>add-route
> R3#sh run | in ip route
> R3#sh ip route static
> 204.12.1.0/24 <http://204.12.1.0/24> is variably subnetted, 2 subnets, 2
> masks
> S 204.12.1.20/32 <http://204.12.1.20/32> [1/0] via
128.1.0.1<http://128.1.0.1/>
> R3#
>
> R1#ping 128.1.0.5 <http://128.1.0.5/>
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 128.1.0.5 <http://128.1.0.5/>, timeout
> is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
> R1#
>
>
> On 9/26/05, chrlewis@cisco.com <chrlewis@cisco.com> wrote:
> >
> > Yes, this will not work. I can see you have extended the logic of
> > defining inside source static translation when translating source
> > addresses one way, as one would typically do when using NAT to connect
> > to the internet. If you try to apply the same logic with outside source
> > translations, the translating router will source replies from itself
> > rather than forward the packet.
> >
> > If you do a debug ip packet on the translating router, you should see
> > replies being sourced from local if you try pings from both ways.
> >
> > The robust way to solve this is to have two completely separate
> > translations, say have R1 ping 172.16.3.3 <http://172.16.3.3/> and have
> > that translated to
> > the real address of BB3, then have BB3 ping sat
200.1.1.1<http://200.1.1.1/>and translate
> > that to the real address of R1. If this happens in the lab scenario, you
> >
> > typically cannot just create staic routes for R1 and BB3 to be able to
> > send these packest towards R3, so you will have to choose destination
> > addresses that each router already knows about and that point towards R3
> >
> > to get it working within the constraints of typical labs.
> >
> > Chris
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto: nobody@groupstudy.com] On Behalf Of
> > Scott Smith
> > Sent: Monday, September 26, 2005 11:18 AM
> > To: groupstudy
> > Subject: NAT question
> >
> > I'm attempting to allow BB3 and R1 to communicate with neither having a
> > route to the other.
> >
> > When I ping from R1 to BB3 the translation works but no response is
> > received on R1. When I ping 204.12.1.20 <http://204.12.1.20/> from BB3
> > R3 replies (should
> > it??) and no translation is attempted. Would someone be kind enough to
> > tell me what I'm doing wrong?
> >
> >
> > R1 ---- R3 ---- BB3
> >
> > R3 Config:
> >
> > interface Ethernet0/0
> > ip address 128.1.0.3 <http://128.1.0.3/>
255.255.255.0<http://255.255.255.0/>
> > ip nat outside
> >
> > interface Ethernet0/1
> > ip address 204.12.1.3 <http://204.12.1.3/>
255.255.255.0<http://255.255.255.0/>
> > ip nat inside
> >
> > ip nat inside source static 204.12.1.254
<http://204.12.1.254/>128.1.0.5<http://128.1.0.5/>ip nat outside source
> > static 128.1.0.1 <http://128.1.0.1/> 204.12.1.20 <http://204.12.1.20/>
> >
> > R1 config:
> >
> > interface Ethernet0/0
> > ip address 128.1.0.1 <http://128.1.0.1/>
255.255.255.0<http://255.255.255.0/>
> >
> > BB3 Config:
> >
> > interface Ethernet0/0
> > ip address 204.12.1.254 <http://204.12.1.254/>
255.255.255.0<http://255.255.255.0/>
> >
> >
> > --
> > Scott Smith
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

• Next message: John Matus: "Re: suspending telnet sessions"
• Previous message: Vazman: "Re: NAT question"
• Maybe in reply to: Scott Smith: "NAT question"
• Next in thread: Chris Lewis \(chrlewis\): "RE: NAT question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3