RE: NAT with routing protocols

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Jul 10 2007 - 11:22:25 ART


        Yes, you need to make sure that your locally generated routing
protocol traffic is exempted from the NAT process. Instead of using one
access-list like in your example, I would recommend using multiple lists: one to
define your exemption and others to define what is NATed. This way, when
you want to edit what is subject to the NAT process, you don't have to
sort through a single long list. For example:

ip nat inside source route-map NAT interface Ethernet0 overload
!
!
ip access-list extended NO_NAT_ACL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit eigrp any any
 permit udp any eq rip any eq rip
!
ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map NAT deny 10
 match ip address NO_NAT_ACL
!
route-map NAT permit 20
 match ip address NAT_ACL

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
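As an added check (not part of either post above), this script parses an IOS-style config in the layout Brian describes and reports, per NAT route-map, which routing protocols its ACLs would still leave subject to translation; it handles both named extended ACLs and the numbered access-list style from the original question. It assumes each route-map clause's "match ip address" line directly follows its header, and the sample config is constructed, not taken from a device.

```python
import re
ROUTING_PROTOCOLS = {"ospf", "eigrp", "bgp", "rip"}

# Constructed sample in the layout of the reply above (not copied from any real device).
SAMPLE_CONFIG = """\
ip nat inside source route-map NAT interface Ethernet0 overload
ip access-list extended NO_NAT_ACL
 permit ospf any any
 permit tcp any any eq bgp
 permit eigrp any any
 permit udp any eq rip any eq rip
ip access-list extended NAT_ACL
 permit ip 10.10.10.0 0.0.0.255 any
route-map NAT deny 10
 match ip address NO_NAT_ACL
route-map NAT permit 20
 match ip address NAT_ACL
"""

def parse_acls(cfg):
    """ACL name/number -> [(action, routing protocols named in that entry)]."""
    acls, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):  # named ACL: indented entries follow
            current = m.group(1)
        elif m := re.match(r"access-list (\d+) (.*)", line):        # numbered ACL: one entry per line
            current, line = m.group(1), " " + m.group(2)
        elif not line.startswith(" "):                               # any other top-level line ends the block
            current = None
        if current and line.startswith(" "):
            action, *rest = line.split()
            acls.setdefault(current, []).append((action, ROUTING_PROTOCOLS & set(rest)))
    return acls

def parse_route_map(cfg, name):
    """[(seq, action, acl)] for one route-map; assumes 'match ip address' directly follows each header."""
    pat = rf"^route-map {re.escape(name)} (permit|deny) (\d+)\n match ip address (\S+)"
    return sorted((int(seq), action, acl) for action, seq, acl in re.findall(pat, cfg, re.M))

def still_translated(cfg):
    """Per NAT route-map, routing protocols no clause exempts (empty set = all exempted)."""
    acls, gaps = parse_acls(cfg), {}
    for rm in re.findall(r"^ip nat inside source route-map (\S+)", cfg, re.M):
        exempt = set()
        for _, clause_action, acl in parse_route_map(cfg, rm):
            for entry_action, protos in acls.get(acl, []):
                if entry_action != clause_action:  # deny-clause/permit-entry or permit-clause/deny-entry
                    exempt |= protos
        gaps[rm] = ROUTING_PROTOCOLS - exempt
    return gaps
```

This is a static check on the config text only; it does not replace watching "debug ip nat detailed" to confirm what the box actually translates.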
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ashok Ananda -X (aananda - Innova Solutions at Cisco)
Sent: Tuesday, July 10, 2007 7:02 AM
To: Ashok CCIE; ccielab@groupstudy.com
Subject: RE: NAT with routing protocols

Hi Team,

        When NAT is enabled, routing protocols like BGP and OSPF get
disconnected as their source addresses get translated. How do we avoid
this?

        Here is some debug output and the config. Do we always deny routing
protocols when enabled for NAT?

        ~~~
        !
        interface Ethernet0/0
         ip address 3.3.3.2 255.255.255.0
         ip nat inside
         ip virtual-reassembly
         ntp broadcast key 1
        !
        !
        interface Serial2/0
         ip address 1.1.1.1 255.255.255.0
         ip nat outside
         ip virtual-reassembly
         serial restart-delay 0
         no fair-queue
        !

        !
        router ospf 100
         log-adjacency-changes
         network 1.1.1.0 0.0.0.255 area 0
         network 3.3.3.0 0.0.0.255 area 0
         network 0.0.0.0 255.255.255.255 area 0
        !
        !
        !
        ip nat pool POOL 10.10.10.10 10.10.10.20 netmask 255.255.255.0
        ip nat inside source route-map AA pool POOL reversible
        !
        access-list 120 deny ospf any any
        access-list 120 permit ip 10.10.10.0 0.0.0.255 any
        route-map AA permit 10
         match ip address 120
        !
        ~~~

        debug:
        R1#deb ip nat de
        IP NAT detailed debugging is on
        R1#
        Jul 10 11:26:39.971: NAT: i: ospf (1.1.1.1, 0) -> (224.0.0.5, 0) [967]
        Jul 10 11:26:39.971: NAT: s=1.1.1.1->10.10.10.10, d=224.0.0.5 [967]
        Jul 10 11:26:49.971: NAT: i: ospf (1.1.1.1, 0) -> (224.0.0.5, 0) [969]
        Jul 10 11:26:49.971: NAT: s=1.1.1.1->10.10.10.10, d=224.0.0.5 [969]

        Thanks,
        Ashok



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART