RE: Question on static NAT and "extendable" argument

From: Roberto Fernandez (rofernandez@us.telefonica.com)
Date: Mon Oct 02 2006 - 11:23:19 ART


Narbik,

Thanks for your answer.

The scenario you depict is a little bit different from the one I
presented, but it indeed requires the use of "extendable". As a rule of
thumb I had previously thought that way (if IOS does not let you add a
new NAT entry, then use extendable), and this applies when you have two
different "Inside Global" addresses going to the same "Inside Local".

My original question arose over a solution to IEWEB Lab 18, where there
was just one "Inside Global" and one "Inside Local" but using
different ports. Then the IOS let me enter all the commands without
"extendable", and the translations appeared in the "show ip nat
translations" output.

This was my solution:

       ip nat inside source static tcp 173.2.5.100 443 interface Ethernet0/0 443
       ip nat inside source static tcp 173.2.5.100 110 interface Ethernet0/0 110
       ip nat inside source static tcp 173.2.5.100 80 interface Ethernet0/0 80
       ip nat inside source static tcp 173.2.5.100 25 interface Ethernet0/0 25

This was IEWEB's

       ip nat inside source static tcp 173.2.5.100 443 interface 192.168.1.1 443 extendable
       ip nat inside source static tcp 173.2.5.100 110 interface 192.168.1.1 110 extendable
       ip nat inside source static tcp 173.2.5.100 80 interface 192.168.1.1 80 extendable
       ip nat inside source static tcp 173.2.5.100 25 interface 192.168.1.1 25 extendable

Is mine wrong? I couldn't verify it since I didn't have the real
server to test it... :-)

Best Regards,

Roberto

________________________________

From: Narbik Kocharians [mailto:narbikk@gmail.com]
Sent: Sunday, October 01, 2006 12:28 AM
To: Roberto Fernandez
Cc: ccielab@groupstudy.com
Subject: Re: Question on static NAT and "extendable" argument

Let's say your company has two connections to the Internet, one through
ISP-1 (R2) and the other through ISP-2 (R3) for redundancy. ISP-1 has
assigned an IP address of 200.2.2.2 /24 and ISP-2 has assigned an IP
address of 200.3.3.3 /24. These ISPs ONLY support their assigned IP
addresses and they do not support the addresses from the other ISP. Your
company has an internal WEB server with an IP address of 10.1.1.1 /24;
you are supposed to use a static translation such that if the traffic
comes through ISP-1 the NAT device (R1) translates 10.1.1.1 to an IP
address that is supported by ISP-1, but if the traffic comes through
ISP-2, R1 should translate 10.1.1.1 to an IP address that is supported
by ISP-2. Let's say that you cannot use PAT, PBR, or dynamic NAT to
accomplish this task.

In this case you are left with static NAT as the solution. If you just
use static NAT, the IOS will take the first statement and it won't allow
you to enter the second static NAT statement because it sees another one
in there, whereas with the extendable argument, it does not look at the
inside local translation to inside global, it looks at the protocols as
well, therefore allowing you to enter the second static NAT statement.
Check the configuration and you will see the use of the extendable argument:

The connection from R1 to R2 is through 131.1.12.0 /24 and the
connection from R1 to R3 is through 131.1.13.0 /24

On R1

R1(config)#ip nat inside source static 10.1.1.1 200.2.2.2 extendable

R1(config)#ip nat inside source static 10.1.1.1 200.3.3.3 extendable

R1(config)#int lo0

R1(config-if)#ip nat inside

R1(config-if)#int S0/0/0.12

R1(config-subif)#ip nat outside

R1(config-subif)#int S0/0/0.13

R1(config-subif)#ip nat outside

To verify the configuration:

On R2 (ISP-1)

Telnet 200.2.2.2

On R3 (ISP-2)

Telnet 200.3.3.3

On R1

R1#show ip nat translations

Pro Inside global      Inside local       Outside local         Outside global
--- 200.2.2.2          10.1.1.1           ---                   ---
--- 200.3.3.3          10.1.1.1           ---                   ---
tcp 200.2.2.2:23       10.1.1.1:23        131.1.12.2:28012      131.1.12.2:28012
tcp 200.3.3.3:23       10.1.1.1:23        131.1.13.3:59638      131.1.13.3:59638

Note: if the keyword extendable is not used, the IOS will not allow you
to have two NAT entries for the same source IP address. The "extendable"
keyword creates an extended entry in the translation table.

I think we all know that there are better solutions than the one I just
mentioned, but this is all I could think of.

I hope I did not confuse you.
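
An added example (not from the thread and not IOS code): a small Python model of the two-ISP case Narbik describes, using his addresses. The NatTable class and its methods are hypothetical; the model refuses a second static entry for the same inside local unless both carry "extendable", records the flow of an inbound telnet as an extended entry, and uses that entry to choose the inside global for the server's reply.

```python
# Added example (not from the thread): toy model of the two-ISP static NAT case.
from dataclasses import dataclass, field

@dataclass
class NatTable:
    statics: list = field(default_factory=list)   # (inside_local, inside_global, extendable)
    extended: dict = field(default_factory=dict)  # (proto, local, lport, remote, rport) -> global

    def add_static(self, inside_local, inside_global, extendable=False):
        # IOS refuses a second static for the same inside local unless both are extendable
        for local, glob, ext in self.statics:
            if local == inside_local and not (ext and extendable):
                raise ValueError(f"{inside_local} already mapped to {glob}")
        self.statics.append((inside_local, inside_global, extendable))

    def inbound(self, proto, dst_global, dport, src, sport):
        # packet arriving from an ISP for an inside global address; an extendable
        # entry also records the flow (the tcp rows in "show ip nat translations")
        for local, glob, ext in self.statics:
            if glob == dst_global:
                if ext:
                    self.extended[(proto, local, dport, src, sport)] = glob
                return local
        return None  # no translation for this destination

    def outbound(self, proto, src_local, sport, dst, dport):
        # reply from the inside host: the extended entry selects the inside global
        # the connection came in on; otherwise the first static entry wins
        glob = self.extended.get((proto, src_local, sport, dst, dport))
        if glob is None:
            glob = next((g for l, g, _ in self.statics if l == src_local), src_local)
        return glob

def demo():
    plain = NatTable()
    plain.add_static("10.1.1.1", "200.2.2.2")
    try:
        plain.add_static("10.1.1.1", "200.3.3.3")  # second entry without extendable
        refused = False
    except ValueError:
        refused = True
    r1 = NatTable()
    r1.add_static("10.1.1.1", "200.2.2.2", extendable=True)
    r1.add_static("10.1.1.1", "200.3.3.3", extendable=True)
    r1.inbound("tcp", "200.2.2.2", 23, "131.1.12.2", 28012)  # telnet from ISP-1 (R2)
    r1.inbound("tcp", "200.3.3.3", 23, "131.1.13.3", 59638)  # telnet from ISP-2 (R3)
    return (refused,
            r1.outbound("tcp", "10.1.1.1", 23, "131.1.12.2", 28012),
            r1.outbound("tcp", "10.1.1.1", 23, "131.1.13.3", 59638))
```

Without an extended entry the reply would always leave with the first static mapping, which is the failure the extendable entries avoid.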

On 9/30/06, Roberto Fernandez <rofernandez@us.telefonica.com> wrote:

Friends,

Mind the following scenario,

There is an internal server, which is being masked under a router's
interface.

ROUTER---Ethernet0/0-(192.168.1.1)-----------EXTERIOR WORLD
|
|
INTERNAL WORLD

The question: When is the "extendable" keyword required?

1- Always? (meaning in either of the two following variants of the
command)

       ip nat inside source static tcp 173.2.5.100 443 interface Ethernet0/0 443 extendable
       ip nat inside source static tcp 173.2.5.100 110 interface Ethernet0/0 110 extendable
       ip nat inside source static tcp 173.2.5.100 80 interface Ethernet0/0 80 extendable
       ip nat inside source static tcp 173.2.5.100 25 interface Ethernet0/0 25 extendable

or

       ip nat inside source static tcp 173.2.5.100 443 interface 192.168.1.1 443 extendable
       ip nat inside source static tcp 173.2.5.100 110 interface 192.168.1.1 110 extendable
       ip nat inside source static tcp 173.2.5.100 80 interface 192.168.1.1 80 extendable
       ip nat inside source static tcp 173.2.5.100 25 interface 192.168.1.1 25 extendable

2- Just when the Inside Global is entered as an IP address instead of the
interface name?

ip nat inside source static tcp 173.2.5.100 443 interface 192.168.1.5 443 extendable
ip nat inside source static tcp 173.2.5.100 110 interface 192.168.1.5 110 extendable
ip nat inside source static tcp 173.2.5.100 80 interface 192.168.1.5 80 extendable
ip nat inside source static tcp 173.2.5.100 25 interface 192.168.1.5 25 extendable

Best Regards,
Roberto



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART