From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Mar 05 2009 - 16:18:47 ARST
It works for me, but after doing the next changes:
Rack1R1#sh run | in ip nat
ip nat outside
ip nat pool test 150.1.1.1 150.1.1.1 prefix-length 28
ip nat inside source static 204.12.1.254 132.1.170.12
ip nat inside source static 132.1.170.2 150.1.1.1
ip nat outside source list 199 pool test
Rack1R1#
Rack1R1#sh ip access-lists 199
Extended IP access list 199
10 permit ip host 132.1.170.2 host 132.1.170.12 (2 matches)
Rack1R1#
Now it works like this:
The packet is sourced from 132.1.170.2 to 132.1.170.12, so the destination is
translated by this ip nat:
ip nat inside source static 204.12.1.254 132.1.170.12
Rack1R1(config)#
*Mar 5 18:02:28.080: NAT*: s=132.1.170.2, d=132.1.170.12->204.12.1.254 [30]
So far the packet does not need to go to the inside, so it is just
translated in one way, not in both ways; so on R2 I will get the answer from
204.12.1.254, let's see:
Rack1R2#ping 132.1.170.12 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 132.1.170.12, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms
Rack1R2#
*Mar 5 17:57:37.595: ICMP: redirect rcvd from 132.1.170.12- for 132.1.170.12
use gw 132.1.170.7
*Mar 5 17:57:37.595: ICMP: echo reply rcvd, src 204.12.1.254, dst 132.1.170.2
*Mar 5 17:57:37.595: ICMP: echo reply rcvd, src 204.12.1.254, dst 132.1.170.2
Rack1R2#
BB3#
Nov 11 04:04:02.434: ICMP: echo reply sent, src 204.12.1.254, dst 132.1.170.2
BB3#
Now I just want to change the source address 132.1.170.2 to 150.1.1.1,
so I need to add an ACL and the "ip nat outside" so that the source address
is changed:
Rack1R1(config)#do sh ip access-list 199
Extended IP access list 199
10 permit ip host 132.1.170.2 host 132.1.170.12 (4 matches)
Rack1R1(config)#
Rack1R1(config)#do sh run | in ip nat
ip nat outside
ip nat pool test 150.1.1.1 150.1.1.1 prefix-length 28
ip nat inside source static 204.12.1.254 132.1.170.12
ip nat outside source list 199 pool test
So:
Rack1R1(config)#
*Mar 5 18:55:44.367: NAT*: s=132.1.170.2->150.1.1.1, d=132.1.170.12 [64]
*Mar 5 18:55:44.367: NAT*: s=150.1.1.1, d=132.1.170.12->204.12.1.254 [64]
*Mar 5 18:55:44.371: ICMP: echo reply rcvd, src 204.12.1.254, dst 150.1.1.1
Rack1R1(config)#
Again, all of these are just one way; you do not need "ip nat inside" to make
the translation happen. On BB3, we got what we need:
BB3#
Nov 11 04:11:52.292: ICMP: echo reply sent, src 204.12.1.254, dst 150.1.1.1
BB3#
The issue is that R2 cannot get the pings back:
Rack1R2#ping 132.1.170.12 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 132.1.170.12, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
Rack1R2#
So let's say we can receive it with its original address 132.1.170.1; we need
one more NAT to make it work, and since the packet is now inside the router we
will need one "ip nat inside" so that when the packet crosses the outside
interface it changes the destination from 150.1.1.1 to 132.1.170.2.
Rack1R1(config)#do sh run | in ip nat
ip nat outside
ip nat pool test 150.1.1.1 150.1.1.1 prefix-length 28
ip nat inside source static 204.12.1.254 132.1.170.12
ip nat inside source static 132.1.170.2 150.1.1.1
ip nat outside source list 199 pool test
Rack1R1(config)#
*Mar 5 19:08:48.411: NAT*: s=132.1.170.2->150.1.1.1, d=132.1.170.12 [70]
*Mar 5 19:08:48.411: NAT*: s=150.1.1.1, d=132.1.170.12->204.12.1.254 [70]
*Mar 5 19:08:48.415: NAT*: s=204.12.1.254, d=150.1.1.1->132.1.170.2 [70]
Rack1R1(config)#
Now on R2 and BB3 we get:
Rack1R2#ping 132.1.170.12 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 132.1.170.12, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Rack1R2#
BB3#
Nov 11 04:24:56.313: ICMP: echo reply sent, src 204.12.1.254, dst 150.1.1.1
BB3#
In all the cases NAT just happens in one way; that is why you do not need ip nat
inside. Regarding the redirects, you do not need to make that work so that
packets go, in your case, from R6 to R8 and to R1.
Regards
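The order of operations that Edouard's debugs show, as an added Python model that is not part of the thread: it assumes the IOS rule that a packet entering an "ip nat outside" interface gets the outside-source translation first and then the reverse (global to local) of any inside static entry on its destination, and it uses only the addresses and NAT statements posted above.

```python
# Added model (not from the thread) of one-interface NAT on R1, where every
# packet enters and leaves the single "ip nat outside" interface, so only
# the outside->inside translation order is ever applied.

# ip nat inside source static <inside local> <inside global>
INSIDE_STATIC = {"204.12.1.254": "132.1.170.12", "132.1.170.2": "150.1.1.1"}
# ip nat outside source list 199 pool test, with
# access-list 199 permit ip host 132.1.170.2 host 132.1.170.12
OUTSIDE_LIST_199 = {("132.1.170.2", "132.1.170.12")}
POOL_TEST = "150.1.1.1"


def outside_to_inside(src, dst, inside_static=INSIDE_STATIC):
    """Translate one packet arriving on the ip nat outside interface.

    Assumed order (outside->inside): the outside source entry rewrites the
    source first, then the reverse of each inside static entry (global ->
    local) rewrites the destination. Returns (src, dst, debug-style lines).
    """
    trace = []
    if (src, dst) in OUTSIDE_LIST_199:
        trace.append(f"NAT*: s={src}->{POOL_TEST}, d={dst}")
        src = POOL_TEST
    global_to_local = {g: l for l, g in inside_static.items()}
    if dst in global_to_local:
        trace.append(f"NAT*: s={src}, d={dst}->{global_to_local[dst]}")
        dst = global_to_local[dst]
    return src, dst, trace


def ping_round_trip(inside_static=INSIDE_STATIC):
    """R2 (132.1.170.2) pings 132.1.170.12; BB3 (204.12.1.254) answers.

    Returns (destination R2 sees on the reply or None if the reply is never
    translated back and the ping times out, debug-style trace).
    """
    req = outside_to_inside("132.1.170.2", "132.1.170.12", inside_static)
    # BB3 replies to whatever source it saw; the reply enters "outside" too.
    rep_src, rep_dst, t2 = outside_to_inside(req[1], req[0], inside_static)
    trace = req[2] + t2
    return (rep_dst if rep_dst == "132.1.170.2" else None), trace


if __name__ == "__main__":
    # Without the second static: the "0 percent" ping from the thread.
    partial = {"204.12.1.254": "132.1.170.12"}
    for cfg in (partial, INSIDE_STATIC):
        result, lines = ping_round_trip(cfg)
        print("\n".join(lines), "\n-> reply reaches R2:", result is not None)
```

With only the first static entry the echo reply leaves R1 addressed to 150.1.1.1 and is never turned back into 132.1.170.2, which reproduces the failed ping; adding the second static fixes the reply path.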
----- Original Message -----
From: Sadiq Yakasai
To: Groupstudy @ CrespoNetworks
Cc: Edouard Zorrilla ; Cisco certification
Sent: Thursday, March 05, 2009 10:39 AM
Subject: Re: Advanced Nat Question
Not much to be honest. How can you send traffic to an IP address that doesn't
exist? Who would reply to an ARP request for that IP, much less the traffic going
out the interface of the router originating it. More light on this would
definitely be a great idea :-)
Thanks,
On Thu, Mar 5, 2009 at 1:02 PM, Groupstudy @ CrespoNetworks
<groupstudy@cresponet.com> wrote:
Well, I missed putting loopback0 on R8 (10.8.8.2) and now pings work,
but I'm still not clear why this works without an "ip nat inside" on
Lo0 (R8).
The topology is like this:
R2
| 10.90.90.1/28
|
| 10.90.90.2/28
-------R1
| (.1)
10.80.80.0/24 |
|
R8----------- |
F0/0 (.3) |
| (.2)
------R6
| .1
| 10.60.60.0/29
|
Basically, traffic needs to be sourced from R6 (10.60.60.1) to R8
(10.80.80.12<---- doesn't exist) but actually goes to R2 (10.90.90.1)
with source 10.8.8.2<-- Return traffic should come back to this IP from
R2.
The config is here:
R8
interface Loopback0
ip address 10.8.8.2
interface F0/0
ip address 10.80.80.3 255.255.255.0
ip nat outside
ip nat pool test 10.8.8.2 10.8.8.2 netmask 255.255.255.240
ip nat inside source static 10.60.60.1 10.8.8.2
ip nat inside source static 10.90.90.1 10.80.80.12
ip nat outside source list 199 pool test
!
access-list 199 permit ip host 10.60.60.1 host 10.80.80.12
I seem to understand loopback NAT scenarios but they have always
required a "domain" inside/outside or the use of the newer NVI. Finally
you must disable "ip redirects" on R8 (F0/0) but I haven't figured out
why yet.
I hope this makes sense.
Thanks!
J
Edouard Zorrilla wrote:
> Would you please paste the solution you have done? Also, is the traffic
> source sourced from the router itself or by something else inside?
>
> Regards
>
> ----- Original Message ----- From: "Groupstudy @ CrespoNetworks"
> <groupstudy@cresponet.com>
> Cc: "Cisco certification" <ccielab@groupstudy.com>
> Sent: Thursday, March 05, 2009 5:35 AM
> Subject: Advanced Nat Question
>
>
>> GS,
>>
>> I was hoping someone could help me understand, what seems to me, an
>> advanced NAT question that I can't seem to get my head around. I
>> actually think it may be a typo in the solution. Basically, the
>> question is from "CCIE Routing and Switching Practice Labs" Practice Lab
>> 3 Section 7. BTW, I know the book is a bit dated but I think it is still
>> useful. The point of the question is to change the sa and da with the
>> use of proxy arp and no ip redirects. Has anyone done this task and if
>> so, can you confirm the solution? I configured it exactly as the
>> solution states but it does not work. Also, the solution attempts to
>> translate inside and outside addresses with only one interface and just
>> with an "ip nat outside" statement. Thank you in advance.
>>
>> Jimmy
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART