From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Tue Sep 27 2005 - 09:57:54 GMT-3
Great solution!
I bet the wording of the restriction on statics would be along the lines
of no ip route statements to allow for this use of a static route.
Chris
________________________________
From: Vazman [mailto:vazman@gmail.com]
Sent: Monday, September 26, 2005 10:18 PM
To: Chris Lewis (chrlewis)
Cc: Scott Smith; groupstudy
Subject: Re: NAT question
From a lab point of view, you will have to verify with the proctor about
the static route.
HTH
On 9/26/05, Vazman <vazman@gmail.com> wrote:
This will work.
You need to modify the ip nat outside statement with the "add-route" keyword.
When you ping from 128.1.0.1 to 128.1.0.5, this is what happens on R3
*Mar 1 00:59:22.760: NAT*: s=128.1.0.1->204.12.1.20, d=128.1.0.5 [44]
*Mar 1 00:59:22.760: NAT*: s=204.12.1.20, d=128.1.0.5->204.12.1.254 [44]
The source address is being translated from 128.1.0.1 to 204.12.1.20 and the destination is being translated from 128.1.0.5 to 204.12.1.254.
When BB3 replies, it is sending the packet to a destination of 204.12.1.20. But when that packet gets to R3, what does R3 do? It checks the routing table and sees a connected route for 204.12.1.0/24 on the same interface.
The add-route keyword adds a static route for 204.12.1.20 pointing to 128.1.0.1
Remember that NAT works differently for inside to outside and outside to inside. For inside to outside, it routes first and then NATs.
For outside to inside, it NATs first and then routes.
On R3
=====
R3#sh run | in ip nat
ip nat inside
ip nat outside
ip nat inside source static 204.12.1.254 128.1.0.5
ip nat outside source static 128.1.0.1 204.12.1.20 add-route
R3#sh run | in ip route
R3#sh ip route static
204.12.1.0/24 is variably subnetted, 2 subnets, 2 masks
S 204.12.1.20/32 [1/0] via 128.1.0.1
R3#
R1#ping 128.1.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.1.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
R1#
On 9/26/05, chrlewis@cisco.com <chrlewis@cisco.com> wrote:
Yes, this will not work. I can see you have extended the logic of defining inside source static translation when translating source addresses one way, as one would typically do when using NAT to connect to the internet. If you try to apply the same logic with outside source translations, the translating router will source replies from itself rather than forward the packet.
If you do a debug ip packet on the translating router, you should see replies being sourced from local if you try pings from both ways.
The robust way to solve this is to have two completely separate translations, say have R1 ping 172.16.3.3 and have that translated to the real address of BB3, then have BB3 ping say 200.1.1.1 and translate that to the real address of R1. If this happens in the lab scenario, you typically cannot just create static routes for R1 and BB3 to be able to send these packets towards R3, so you will have to choose destination addresses that each router already knows about and that point towards R3 to get it working within the constraints of typical labs.
Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Scott Smith
Sent: Monday, September 26, 2005 11:18 AM
To: groupstudy
Subject: NAT question
I'm attempting to allow BB3 and R1 to communicate with neither having a route to the other.
When I ping from R1 to BB3 the translation works but no response is received on R1. When I ping 204.12.1.20 from BB3 R3 replies (should it??) and no translation is attempted. Would someone be kind enough to tell me what I'm doing wrong?
R1 ---- R3 ---- BB3
R3 Config:
interface Ethernet0/0
 ip address 128.1.0.3 255.255.255.0
 ip nat outside
interface Ethernet0/1
 ip address 204.12.1.3 255.255.255.0
 ip nat inside
ip nat inside source static 204.12.1.254 128.1.0.5
ip nat outside source static 128.1.0.1 204.12.1.20
R1 config:
interface Ethernet0/0
 ip address 128.1.0.1 255.255.255.0
BB3 Config:
interface Ethernet0/0
 ip address 204.12.1.254 255.255.255.0
--
Scott Smith
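
The order of operations described in the thread, modelled as an added example that is not part of the original messages and is not IOS code: it traces R1's ping and BB3's reply through R3 with and without the add-route /32. The function names (build_routes, lookup, forward) are hypothetical, and the model covers only route lookup and static translation, not ARP or R3 answering locally.

```python
import ipaddress

# Constructed model of R3 using the addresses from the thread.
INSIDE_STATIC = {"204.12.1.254": "128.1.0.5"}   # inside local -> inside global
OUTSIDE_STATIC = {"128.1.0.1": "204.12.1.20"}   # outside global -> outside local
CONNECTED = [("128.1.0.0/24", "E0/0"), ("204.12.1.0/24", "E0/1")]
NAT_ROLE = {"E0/0": "outside", "E0/1": "inside"}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    return max(hits)[1] if hits else None


def build_routes(add_route):
    """Connected routes, plus the /32 that add-route installs when enabled."""
    routes = [(ipaddress.ip_network(p), ifc) for p, ifc in CONNECTED]
    if add_route:
        for global_ip, local_ip in OUTSIDE_STATIC.items():
            # Next hop is the outside global address; resolve it to an interface.
            routes.append((ipaddress.ip_network(local_ip + "/32"),
                           lookup(routes, global_ip)))
    return routes


def forward(src, dst, in_if, add_route):
    """Return (src, dst, egress_interface) as the packet leaves R3."""
    routes = build_routes(add_route)
    if NAT_ROLE[in_if] == "outside":
        # Outside to inside: translate first, then route.
        inside_global = {g: l for l, g in INSIDE_STATIC.items()}
        src = OUTSIDE_STATIC.get(src, src)
        dst = inside_global.get(dst, dst)
        return src, dst, lookup(routes, dst)
    # Inside to outside: route first, translate only if egress is outside.
    out_if = lookup(routes, dst)
    if out_if is not None and NAT_ROLE[out_if] == "outside":
        outside_local = {l: g for g, l in OUTSIDE_STATIC.items()}
        src = INSIDE_STATIC.get(src, src)
        dst = outside_local.get(dst, dst)
    return src, dst, out_if


if __name__ == "__main__":
    print("R1 ping      :", forward("128.1.0.1", "128.1.0.5", "E0/0", False))
    print("reply, no /32:", forward("204.12.1.254", "204.12.1.20", "E0/1", False))
    print("reply, /32   :", forward("204.12.1.254", "204.12.1.20", "E0/1", True))
```

Without the /32, the reply matches the connected 204.12.1.0/24 on the inside interface, so it never crosses to the outside interface and is never translated.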
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3