Re: NAT with routing protocols

From: George Roman (georgeroman@gmail.com)
Date: Wed Jul 11 2007 - 05:29:21 ART


Brian,

Do you mean that locally generated traffic gets NATed also?

Thanks in advance.

George

On 7/10/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
>
> Yes, you need to make sure that your locally generated routing
> protocol traffic is exempted from the NAT process. Instead of using one
> access-list like your example I would recommend to use multiples, one to
> define your exemption and others to define what is NATed. This way when
> you want to edit what is subject to the NAT process you don't have to
> sort through a single long list. For example:
>
> ip nat inside source route-map NAT interface Ethernet0 overload
> !
> !
> ip access-list extended NO_NAT_ACL
> permit ospf any any
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit eigrp any any
> permit udp any eq rip any eq rip
> !
> ip access-list extended NAT_ACL
> permit ip 10.10.10.0 0.0.0.255 any
> !
> route-map NAT deny 10
> match ip address NO_NAT_ACL
> !
> route-map NAT permit 20
> match ip address NAT_ACL
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ashok Ananda -X (aananda - Innova Solutions at Cisco)
> Sent: Tuesday, July 10, 2007 7:02 AM
> To: Ashok CCIE; ccielab@groupstudy.com
> Subject: RE: NAT with routing protocols
>
> Hi Team,
>
>
>
> When NAT is enabled, routing protocols like BGP and OSPF get
> disconnected because their source addresses get translated. How do we
> avoid this?
>
> Here are a few debug outputs and the config. Do we always deny routing
> protocols when NAT is enabled?
>
> ~~~
> !
> interface Ethernet0/0
> ip address 3.3.3.2 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> ntp broadcast key 1
> !
> !
> interface Serial2/0
> ip address 1.1.1.1 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> serial restart-delay 0
> no fair-queue
> !
>
> !
> router ospf 100
> log-adjacency-changes
> network 1.1.1.0 0.0.0.255 area 0
> network 3.3.3.0 0.0.0.255 area 0
> network 0.0.0.0 255.255.255.255 area 0
> !
> !
> !
> ip nat pool POOL 10.10.10.10 10.10.10.20 netmask 255.255.255.0
> ip nat inside source route-map AA pool POOL reversible
> !
> access-list 120 deny ospf any any
> access-list 120 permit ip 10.10.10.0 0.0.0.255 any
> route-map AA permit 10
> match ip address 120
> !
> ~~~
>
> debug:
> R1#deb ip nat de
> IP NAT detailed debugging is on
> R1#
> Jul 10 11:26:39.971: NAT: i: ospf (1.1.1.1, 0) -> (224.0.0.5, 0) [967]
> Jul 10 11:26:39.971: NAT: s=1.1.1.1->10.10.10.10, d=224.0.0.5 [967]
> Jul 10 11:26:49.971: NAT: i: ospf (1.1.1.1, 0) -> (224.0.0.5, 0) [969]
> Jul 10 11:26:49.971: NAT: s=1.1.1.1->10.10.10.10, d=224.0.0.5 [969]
>
>
> Thanks,
> Ashok
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
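As an added example (not from the thread, and not Cisco code), a small Python model of how Brian's route-map and ACLs classify a packet: sequence 10 (deny, NO_NAT_ACL) is evaluated first and exempts routing-protocol traffic, sequence 20 (permit, NAT_ACL) translates 10.10.10.0/24, and a packet that matches neither falls to the route-map's implicit deny, so it is not translated. Port numbers 179 and 520 are the well-known values behind the `bgp` and `rip` keywords; the Packet and Ace types are this example's own constructs.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                    # "ospf", "eigrp", "tcp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

class Ace(NamedTuple):
    """One entry of an extended ACL; proto "ip" matches every protocol, 0.0.0.0/0 is 'any'."""
    action: str
    proto: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None means no "eq" clause on that side
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))

def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry decides; no match is the ACL's implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

BGP, RIP = 179, 520   # well-known ports behind "eq bgp" and "eq rip"
NO_NAT_ACL = [Ace("permit", "ospf"), Ace("permit", "eigrp"),
              Ace("permit", "tcp", dport=BGP), Ace("permit", "tcp", sport=BGP),
              Ace("permit", "udp", sport=RIP, dport=RIP)]
NAT_ACL = [Ace("permit", "ip", src="10.10.10.0/24")]
# route-map NAT: sequence 10 (deny) is evaluated before sequence 20 (permit)
ROUTE_MAP_NAT = [("deny", NO_NAT_ACL), ("permit", NAT_ACL)]

def is_translated(route_map: list, pkt: Packet) -> bool:
    """A packet is NATed only when the first sequence whose ACL matches it
    is a permit; a route-map with no matching sequence denies (no NAT)."""
    for action, acl in route_map:
        if acl_permits(acl, pkt):
            return action == "permit"
    return False
```

The OSPF hello from the debug above (source 1.1.1.1 to 224.0.0.5) hits sequence 10 and is left alone, while ordinary TCP from 10.10.10.0/24 is translated; a deny entry inside an ACL only means "this sequence does not match", not "route-map deny".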



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART