Re: Advanced Nat Question

From: Groupstudy @ CrespoNetworks (@)
Date: Fri Mar 06 2009 - 13:02:46 ARST


Thanks Daniel and Edouard...

Each of your emails helped me understand some key points to NAT
about static translations being truly bidirectional. It's weird because
I always thought I had understood NAT pretty well but it turns out that,
this whole time, I was misinterpreting the "nat inside source static"
command. Daniel, you are right that R6 receives the reply from
10.90.90.1. Also, the need to disable IP redirect is now clear to me as
it pertains to this situation. Thanks guys...

Cheers,

J

Daniel Valle wrote:
> Hi, I think the way you're doing it, R6 will receive the reply from
> 10.90.90.1 and not 10.80.80.12.
> R6 sends an echo request to 10.80.80.12 and will receive a reply from
> 10.90.90.1.
> You should add something like
>
> ip nat pool test2 10.80.80.12 10.80.80.12 netmask 255.255.255.0
> ip nat outside source list 198 pool test2
> access-list 198 permit ip host 10.90.90.1 host 10.8.8.2
>
> And regarding the ip redirects, the problem is that R8 owns the 10.8.8.2
> (lo0) and treats it like a locally received packet, so it will not re-route it
> (do a debug ip packet in R8 and you'll see what I'm talking about). If you
> remove the loopback from R8 and put in one static route in R2 pointing the
> 10.8.8.2 to R1, then the same on R1 to R3, you can enable ip redirects and
> it will still work. (In the scenario, the only routers that need to know how
> to reach 10.8.8.2 are R2 and R1.)
>
> Hope this helps,
> Daniel
> On Thu, Mar 5, 2009 at 10:02 AM, Groupstudy @ CrespoNetworks <
> groupstudy@cresponet.com> wrote:
>
>
>> Well, I missed putting loopback0 on R8 (10.8.8.2) and now pings work
>> but I'm still not clear why this works without an "ip nat inside" on
>> Lo0 (R8).
>>
>>
>>
>> The topology is like this:
>>
>>                      R2
>>                      | 10.90.90.1/28
>>                      |
>>                      | 10.90.90.2/28
>>               -------R1
>>               | (.1)
>> 10.80.80.0/24 |
>>               |
>> R8----------- |
>> F0/0 (.3)     |
>>               | (.2)
>>               ------R6
>>                     | .1
>>                     | 10.60.60.0/29
>>                     |
>>
>>
>> Basically, traffic needs to be sourced from R6 (10.60.60.1) to R8
>> (10.80.80.12<---- doesn't exist) but actually goes to R2 (10.90.90.1)
>> with source 10.8.8.2<-- Return traffic should come back to this IP from R2.
>>
>> The config is here:
>>
>> R8
>>
>> interface Loopback0
>>  ip address 10.8.8.2
>>
>> interface F0/0
>>  ip address 10.80.80.3 255.255.255.0
>>  ip nat outside
>>
>>
>> ip nat pool test 10.8.8.2 10.8.8.2 netmask 255.255.255.240
>> ip nat inside source static 10.60.60.1 10.8.8.2
>> ip nat inside source static 10.90.90.1 10.80.80.12
>> ip nat outside source list 199 pool test
>> !
>> access-list 199 permit ip host 10.60.60.1 host 10.80.80.12
>>
>>
>> I seem to understand loopback NAT scenarios but they have always
>> required a "domain" inside/outside or the use of the newer NVI. Finally
>> you must disable "ip redirects" on R8 (F0/0) but I haven't figured out
>> why yet.
>>
>> I hope this makes sense.
>>
>> Thanks!
>>
>> J
>>
>>
>> Edouard Zorrilla wrote:
>>
>>> Would you please paste the solution you have done? Also, is the traffic
>>> sourced from the router itself or by something else inside?
>>>
>>> Regards
>>>
>>> ----- Original Message ----- From: "Groupstudy @ CrespoNetworks"
>>> <groupstudy@cresponet.com>
>>> Cc: "Cisco certification" <ccielab@groupstudy.com>
>>> Sent: Thursday, March 05, 2009 5:35 AM
>>> Subject: Advanced Nat Question
>>>
>>>
>>>
>>>> GS,
>>>>
>>>> I was hoping someone could help me understand, what seems to me, an
>>>> advanced NAT question that I can't seem to get my head around. I
>>>> actually think it may be a typo in the solution. Basically, the
>>>> question is from "CCIE Routing and Switching Practice Labs" Practice Lab
>>>> 3 Section 7. BTW, I know the book is a bit dated but I think it is still
>>>> useful. The point of the question is to change the sa and da with the
>>>> use of proxy arp and no ip redirects. Has anyone done this task and if
>>>> so, can you confirm the solution? I configured it exactly as the
>>>> solution states but it does not work. Also, the solution attempts to
>>>> translate inside and outside addresses with only one interface and just
>>>> with a "ip nat outside" statement. Thank you in advance.
>>>>
>>>> Jimmy
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>




This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART
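
Added example, not part of the original messages: a simplified Python model of the address rewrites discussed in the thread for packets arriving on R8's `ip nat outside` interface, comparing the original configuration with the one Daniel suggested. It assumes the ACL is matched on the packet as received and ignores routing, proxy ARP and ip redirects; the function and variable names are hypothetical.

```python
# Simplified model of R8's NAT lookups for packets arriving on F0/0
# ("ip nat outside"). Tables are built from the configs quoted in the thread.

# ip nat inside source static <inside local> <inside global>
# Stored as inside global -> inside local: a packet arriving from outside with
# a destination equal to the inside global is rewritten to the inside local.
INSIDE_STATIC = {
    "10.8.8.2": "10.60.60.1",
    "10.80.80.12": "10.90.90.1",
}

# ip nat outside source list <acl> pool <pool>
# Each rule: ((acl source host, acl destination host), single pool address)
ORIGINAL_RULES = [(("10.60.60.1", "10.80.80.12"), "10.8.8.2")]   # list 199, pool test
SUGGESTED_RULES = ORIGINAL_RULES + [
    (("10.90.90.1", "10.8.8.2"), "10.80.80.12"),                 # list 198, pool test2
]

def translate_outside_arrival(src, dst, outside_rules):
    """Return (src, dst) after both rewrites on the outside interface."""
    new_src = src
    for (acl_src, acl_dst), pool_addr in outside_rules:
        # Assumption: the ACL sees the addresses as received, before rewrite.
        if (src, dst) == (acl_src, acl_dst):
            new_src = pool_addr
            break
    new_dst = INSIDE_STATIC.get(dst, dst)
    return new_src, new_dst

def ping_round_trip(outside_rules, target="10.80.80.12", source="10.60.60.1"):
    """R6 pings the target through R8; R2 answers the translated request."""
    request = translate_outside_arrival(source, target, outside_rules)
    # R2 replies by swapping the addresses it saw in the translated request.
    reply = translate_outside_arrival(request[1], request[0], outside_rules)
    return {
        "request_seen_by_R2": request,
        "reply_seen_by_R6": reply,
        "reply_source_is_ping_target": reply[0] == target,
    }

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        print(name, ping_round_trip(rules))
```
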