Re: NAT Rotary from Sadiq Yakasai on 2011-01-25 (Ccielab archives 01/2011)

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 25 Jan 2011 10:20:10 +0000

Dave,

Its not that NAT is not designed to work with UDP. Most NAT features do work
perfectly fine for UDP traffic.

There is a NAT feature for translating destination port numbers (inside
destination) with ROTARY type of NAT pool. This is the particular feature
that we are referring to. This is the same feature that Tyson made a
reference to as well.

Read this link below please:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1048769

Sadiq

On Tue, Jan 25, 2011 at 3:08 AM, Dave Serra <maybeedave_at_yahoo.com> wrote:

> Tyson,
>
> Is it that NAT does not work with UDP or that NAT was not designed to work
> with UDP? I ask for clarification because I have seen docs that state it
> does work with UDP. So I interpret what you say as it is simply busted in
> the IOS. Did I get that right?
>
>
> http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
>
>
> Make a small loan, Make a big difference - Kiva.org
>
>
> ------------------------------
> *From:* Tyson Scott <tscott_at_ipexpert.com>
> *To:* Sadiq Yakasai <sadiqtanko_at_gmail.com>; Marcin Zgola <
> MZgola_at_netrixllc.com>
> *Cc:* ccielab_at_groupstudy.com
> *Sent:* Thu, January 20, 2011 2:37:09 AM
> *Subject:* RE: NAT Rotary
>
> It is designed to only work for TCP. If someone has gotten it to work
> otherwise I would love to see it but I was never able to get it to work for
> anything other than TCP.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Wednesday, January 19, 2011 12:58 PM
> To: Marcin Zgola
> Cc: ccielab_at_groupstudy.com
> Subject: Re: NAT Rotary
>
> Hi Marcin,
>
> I have 2 issues I would like to point out as possible culprits here:
>
> 1. My understanding is that this NAT feature is actually designed to work
> for TCP traffic only. The documentation below [1] also says that. Although
> I
> must say, I have seen a blog on which a dude states hes tried it out on UDP
> and found it to be working just fine!
>
> 2. TFTP traffic: As you know, TFTP signals on UDP:69 and then switches over
> to these high numbered UDP port numbers, which are somewhat random in
> nature. Now, I am not sure all the subsequent UDP traffic for the actually
> file data transfer will be hitting your NAT policy there! Try modifying the
> access list to match on the range of UDP port numbers that TFTP uses.
>
> [1]
>
> http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_c
> onsv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1048769
>
> On Wed, Jan 19, 2011 at 7:06 PM, Marcin Zgola <MZgola_at_netrixllc.com>
> wrote:
>
> > Problem Here is my setup
> >
> > ip nat pool PDSN 192.168.1.10 192.168.1.11 prefix-length 24 type rotary
> > ip nat inside destination list TELNET pool PDSN
> > !
> > ip access-list extended TELNET
> > permit tcp any host 10.16.100.1 eq 23
> > permit udp any host 10.16.100.1 eq tftp
> >
> >
> >
> > This works great for telnet session, but it does now work for UDP.
> >
> > Here is my setup
> >
> > R1---R2---R3 (192.168.1.10)
> > ---R4 (192.168.1.11)
> >
> > I need R1 to initiate a session to 10.16.100.1 and R2 to nat this session
> > to either 192.168.1.10 or 192.168.1.11. it works great for TCP but not
> for
> > UDP.
> >
> >
> >
> > Marcin Zgola
> > Internetwork Lead
> > CCIE #18676
> > Netrix, LLC
> > http://www.netrixllc.com
> > Ph. 847.283.7400
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> >
> >
> >
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
>

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net

Received on Tue Jan 25 2011 - 10:20:10 ART

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART