Thanks.
Marcin Zgola
Internetwork Lead
CCIE #18676
Netrix, LLC
http://www.netrixllc.com
Ph. 847.283.7400
-----Original Message-----
From: Tyson Scott [mailto:tscott_at_ipexpert.com]
Sent: Thursday, January 20, 2011 1:37 AM
To: 'Sadiq Yakasai'; Marcin Zgola
Cc: ccielab_at_groupstudy.com
Subject: RE: NAT Rotary
It is designed to only work for TCP. If someone has gotten it to work
otherwise I would love to see it but I was never able to get it to work for
anything other than TCP.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Wednesday, January 19, 2011 12:58 PM
To: Marcin Zgola
Cc: ccielab_at_groupstudy.com
Subject: Re: NAT Rotary
Hi Marcin,
I have 2 issues I would like to point out as possible culprits here:
1. My understanding is that this NAT feature is actually designed to work
for TCP traffic only. The documentation below [1] also says that. Although I
must say, I have seen a blog on which a dude states he's tried it out on UDP
and found it to be working just fine!
2. TFTP traffic: As you know, TFTP signals on UDP:69 and then switches over
to these high numbered UDP port numbers, which are somewhat random in
nature. Now, I am not sure all the subsequent UDP traffic for the actual
file data transfer will be hitting your NAT policy there! Try modifying the
access list to match on the range of UDP port numbers that TFTP uses.
[1]
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1048769
On Wed, Jan 19, 2011 at 7:06 PM, Marcin Zgola <MZgola_at_netrixllc.com> wrote:
> Problem Here is my setup
>
> ip nat pool PDSN 192.168.1.10 192.168.1.11 prefix-length 24 type rotary
> ip nat inside destination list TELNET pool PDSN
> !
> ip access-list extended TELNET
> permit tcp any host 10.16.100.1 eq 23
> permit udp any host 10.16.100.1 eq tftp
>
>
>
> This works great for a telnet session, but it does not work for UDP.
>
> Here is my setup
>
> R1---R2---R3 (192.168.1.10)
> ---R4 (192.168.1.11)
>
> I need R1 to initiate a session to 10.16.100.1 and R2 to NAT this session
> to either 192.168.1.10 or 192.168.1.11. It works great for TCP but not for
> UDP.
>
>
>
> Marcin Zgola
> Internetwork Lead
> CCIE #18676
> Netrix, LLC
> http://www.netrixllc.com
> Ph. 847.283.7400
-- CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Thu Jan 20 2011 - 21:26:54 ART
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART