From: Narbik Kocharians (narbikk@gmail.com)
Date: Sun Oct 01 2006 - 01:27:31 ART
Let's say your company has two connections to the Internet, one through
ISP-1 (R2) and the other through ISP-2 (R3) for redundancy. ISP-1 has
assigned an IP address of 200.2.2.2 /24 and ISP-2 has assigned an IP address
of 200.3.3.3 /24. These ISPs ONLY support their assigned IP addresses and
they do not support the addresses from the other ISP. Your company has an
internal WEB server with an IP address of 10.1.1.1 /24; you are supposed to
use a static translation such that if the traffic comes through ISP-1 the
NAT device (R1) translates 10.1.1.1 to an IP address that is supported by
ISP-1, but if the traffic comes through ISP-2, R1 should translate
10.1.1.1 to an IP address that is supported by ISP-2. Let's say that
you can not use PAT, PBR, or dynamic NAT to accomplish this task.
In this case you are left with static NAT as the solution. If you just use
static NAT, the IOS will take the first statement and it won't allow you to
enter the second static NAT statement because it sees another one in there,
whereas with the extendable argument it does not look at the inside local
translation to inside global, it looks at the protocols as well, therefore
allowing you to enter the second static NAT statement. Check the
configuration and you will see the use of the extendable argument:
The connection from R1 to R2 is through 131.1.12.0 /24 and the connection
from R1 to R3 is through 131.1.13.0 /24.
*On R1*
R1(config)#ip nat inside source static 10.1.1.1 200.2.2.2 extendable
R1(config)#ip nat inside source static 10.1.1.1 200.3.3.3 extendable
R1(config)#int lo0
R1(config-if)#ip nat inside
R1(config-if)#int S0/0/0.12
R1(config-subif)#ip nat outside
R1(config-subif)#int S0/0/0.13
R1(config-subif)#ip nat outside
*To verify the configuration:*
*On R2 (ISP-1)*
Telnet 200.2.2.2
*On R3 (ISP-2)*
Telnet 200.3.3.3
*On R1*
*R1#show ip nat translations*
Pro Inside global      Inside local       Outside local        Outside global
--- 200.2.2.2          10.1.1.1           ---                  ---
--- 200.3.3.3          10.1.1.1           ---                  ---
tcp 200.2.2.2:23       10.1.1.1:23        131.1.12.2:28012     131.1.12.2:28012
tcp 200.3.3.3:23       10.1.1.1:23        131.1.13.3:59638     131.1.13.3:59638
*Note: if the keyword extendable is not used, the IOS will not allow you to
have two NAT entries for the same source IP address. The "extendable"
keyword creates an extended entry in the translation table.*
*I think we all know that there are better solutions than the one I just
mentioned, but this is all I could think of.*
*I hope I did not confuse you.*
On 9/30/06, Roberto Fernandez <rofernandez@us.telefonica.com> wrote:
>
> Friends,
>
> Mind the following scenario,
>
> There is an internal server, which is being masked under a router's
> interface.
>
> ROUTER---Ethernet0/0-(192.168.1.1)-----------EXTERIOR WORLD
> |
> |
> INTERNAL WORLD
>
> The question: When is the "extendable" keyword required?
>
> 1- Always? (meaning in any of the two following variants of the
> command)
>
> ip nat inside source static tcp 173.2.5.100 443 interface Ethernet0/0 443 extendable
> ip nat inside source static tcp 173.2.5.100 110 interface Ethernet0/0 110 extendable
> ip nat inside source static tcp 173.2.5.100 80 interface Ethernet0/0 80 extendable
> ip nat inside source static tcp 173.2.5.100 25 interface Ethernet0/0 25 extendable
>
> or
>
> ip nat inside source static tcp 173.2.5.100 443 interface 192.168.1.1 443 extendable
> ip nat inside source static tcp 173.2.5.100 110 interface 192.168.1.1 110 extendable
> ip nat inside source static tcp 173.2.5.100 80 interface 192.168.1.1 80 extendable
> ip nat inside source static tcp 173.2.5.100 25 interface 192.168.1.1 25 extendable
>
>
>
> 2- Just when the Inside Global is entered as an instead of the interface
> name?
>
>
> ip nat inside source static tcp 173.2.5.100 443 interface 192.168.1.5 443 extendable
> ip nat inside source static tcp 173.2.5.100 110 interface 192.168.1.5 110 extendable
> ip nat inside source static tcp 173.2.5.100 80 interface 192.168.1.5 80 extendable
> ip nat inside source static tcp 173.2.5.100 25 interface 192.168.1.5 25 extendable
>
>
> Best Regards,
> Roberto
>
>
-- Narbik Kocharians CCIE# 12410 (R&S, SP, Security) CCSI# 30832 Network Learning, Inc. (CCIE class Instructor) www.ccbootcamp.com (CCIE Training)
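The behaviour Narbik describes (a second plain static entry for the same inside local address is refused, while two "extendable" entries coexist and each Telnet session gets an extended, per-connection row in the translation table) can be modelled in a few lines. The following is an added illustration, not IOS code and not anything posted by Narbik or Roberto; the addresses and port numbers are the ones from the "show ip nat translations" output above, and the lookup order (extended 5-tuple entries before the plain static entries) is an assumption made to reproduce what that output shows, not a statement about IOS internals.

```python
from __future__ import annotations
from dataclasses import dataclass

# Addresses from the thread: the inside web server and the two ISP-assigned globals.
INSIDE_LOCAL = "10.1.1.1"
ISP1_GLOBAL = "200.2.2.2"
ISP2_GLOBAL = "200.3.3.3"


@dataclass(frozen=True)
class StaticEntry:
    """One '--- <global> <local> --- ---' row: a plain static mapping."""
    inside_local: str
    inside_global: str
    extendable: bool


@dataclass(frozen=True)
class ExtendedEntry:
    """One 'tcp ...' row: protocol, ports and the outside peer are recorded."""
    proto: str
    inside_global: str
    inside_local: str
    inside_port: int
    outside: str          # outside local == outside global here (no outside NAT)
    outside_port: int


class NatTable:
    """Toy model of a router's static NAT table (assumption: not IOS logic)."""

    def __init__(self) -> None:
        self.static: list[StaticEntry] = []
        self.extended: list[ExtendedEntry] = []

    def add_static(self, inside_local: str, inside_global: str,
                   extendable: bool = False) -> None:
        """Model of 'ip nat inside source static <local> <global> [extendable]'."""
        for e in self.static:
            # Without 'extendable' on both, a second entry for the same inside
            # local address is refused, as the thread observes.
            if e.inside_local == inside_local and not (e.extendable and extendable):
                raise ValueError(f"static entry for {inside_local} already exists")
        self.static.append(StaticEntry(inside_local, inside_global, extendable))

    def inbound(self, proto: str, src: str, src_port: int,
                dst_global: str, dst_port: int) -> str:
        """Outside -> inside packet. Returns the inside destination and records
        an extended entry so the reply is matched to the same inside global."""
        for e in self.static:
            if e.inside_global == dst_global:
                self.extended.append(ExtendedEntry(proto, e.inside_global,
                                                   e.inside_local, dst_port,
                                                   src, src_port))
                return e.inside_local
        raise LookupError(f"no translation for {dst_global}")

    def outbound(self, proto: str, src_local: str, src_port: int,
                 dst: str, dst_port: int) -> str:
        """Inside -> outside packet (the server's reply). Returns the source
        address it leaves with."""
        # Assumption: extended (5-tuple) entries win over plain static entries,
        # so the reply towards the ISP-2 client leaves as 200.3.3.3 even though
        # the 200.2.2.2 statement was entered first.
        for x in self.extended:
            if (x.proto, x.inside_local, x.inside_port, x.outside, x.outside_port) == \
               (proto, src_local, src_port, dst, dst_port):
                return x.inside_global
        for e in self.static:
            if e.inside_local == src_local:
                return e.inside_global
        raise LookupError(f"no translation for {src_local}")


def demo_without_extendable() -> bool:
    """True when the second plain static statement is refused."""
    t = NatTable()
    t.add_static(INSIDE_LOCAL, ISP1_GLOBAL)
    try:
        t.add_static(INSIDE_LOCAL, ISP2_GLOBAL)
    except ValueError:
        return True
    return False


def demo_with_extendable() -> tuple[str, str]:
    """Both entries accepted; replies leave with the global each ISP supports."""
    t = NatTable()
    t.add_static(INSIDE_LOCAL, ISP1_GLOBAL, extendable=True)
    t.add_static(INSIDE_LOCAL, ISP2_GLOBAL, extendable=True)
    # Telnet from R2 (ISP-1) and from R3 (ISP-2), ports as in the show output.
    t.inbound("tcp", "131.1.12.2", 28012, ISP1_GLOBAL, 23)
    t.inbound("tcp", "131.1.13.3", 59638, ISP2_GLOBAL, 23)
    reply_to_isp1 = t.outbound("tcp", INSIDE_LOCAL, 23, "131.1.12.2", 28012)
    reply_to_isp2 = t.outbound("tcp", INSIDE_LOCAL, 23, "131.1.13.3", 59638)
    return reply_to_isp1, reply_to_isp2


if __name__ == "__main__":
    print("second plain static refused:", demo_without_extendable())
    print("replies leave as:", demo_with_extendable())
```

The model deliberately stops at what the thread shows: it does not consider which outside interface a packet arrived on, and it does not model the ISPs' filtering of unsupported source addresses, which is the reason the reply's source address matters in the first place.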
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:03 ART