Hi everybody!
I was practicing dynamic NAT on my 2500 routers when I encountered something strange.
The topology is:
h1----sw(L2)----e0RA s0----------s0 RB
default gateway: 188.8.131.52/24
rA s0 184.108.40.206/24
rB s0 220.127.116.11/24
ip nat inside
ip address 18.104.22.168/24
ip address 22.214.171.124/24
ip nat outside
ip nat inside source list 1 pool zee
access-list 1 permit 126.96.36.199 0.0.0.255
ip nat pool zee 188.8.131.52 184.108.40.206 netmask 255.255.255.0
ip address 220.127.116.11/24
h1 can ping 18.104.22.168
but RA can not ping 22.214.171.124
RB can ping 126.96.36.199
Why can RA not ping 188.8.131.52?
Any input will be appreciated
Thanks a lot!
PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign THE SAME port value of the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.
So in your example the first translation should keep the same port (200), whereas for the second one the router should choose the first available port from the 0-511 range (of course different from 200).
Hope it helps,
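As an added illustration (not from any post in this thread), the following Python model implements the PAT port-selection rule exactly as stated above: separate ranges 0-511, 512-1023 and 1024-65535 per inside-global address, keep the original source port when free, otherwise scan the same range from its start. The address, hosts and sessions are constructed for the example.

```python
from dataclasses import dataclass, field

# The three per-address port ranges PAT draws from, as described in the post.
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def range_for(port):
    """Return the (low, high) PAT range that contains `port`."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    """Translations for one inside-global address (hypothetical model)."""
    global_ip: str
    # (proto, global_port) -> (inside_ip, inside_port)
    entries: dict = field(default_factory=dict)

    def translate(self, proto, inside_ip, inside_port):
        # An existing session keeps the translation it already has.
        for (p, gport), inside in self.entries.items():
            if p == proto and inside == (inside_ip, inside_port):
                return self.global_ip, gport
        lo, hi = range_for(inside_port)
        if (proto, inside_port) not in self.entries:
            # 1) Preserve the original source port when it is still free.
            chosen = inside_port
        else:
            # 2) Otherwise scan the same range from its beginning for the
            #    first port not yet used for this protocol.
            chosen = next((p for p in range(lo, hi + 1)
                           if (proto, p) not in self.entries), None)
            if chosen is None:
                raise RuntimeError(f"PAT range {lo}-{hi} exhausted")
        self.entries[(proto, chosen)] = (inside_ip, inside_port)
        return self.global_ip, chosen


if __name__ == "__main__":
    # Constructed scenario: two inside hosts both sending UDP from port 200.
    t = PatTable("203.0.113.1")
    print(t.translate("udp", "10.0.0.1", 200))  # keeps port 200
    print(t.translate("udp", "10.0.0.2", 200))  # first free port in 0-511
```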
I think that Giuseppe makes good points about how NAT is usually used. And I agree that the real problem with your test is that 184.108.40.206 is used both in the NAT pool and as the address of the neighbor router. What happens if you make your NAT pool 220.127.116.11 to 18.104.22.168? Or, to follow the point from Giuseppe, what happens if you make the NAT pool addresses in an entirely different network?
Note that if the NAT pool is in a different network, then routerB needs a route to that network/subnet. How would you get those routes into routerB?
My opinion is that this is not a real case.
You are not going to use NAT in this way.
Here is my explanation:
In the real world you can think of using a NAT pool only if your ISP gives you an additional public address block to manage internet access.
A clean solution is that the NAT pool uses an ip address block that is different from the ip subnet used in the WAN internet facing interface.
So discussing your configuration can be useful to understand what priorities a router uses when a NAT Inside Global address overlaps the IP address of another router that is also the next hop to the internet.
Is this a reasonable choice?
I don't think so.
I know that you are probably implementing a lab proposed in some book.
It looks like the NAT entry overrides the CEF neighbor adjacency.
To demonstrate this you can:
enable debug ip icmp on RB
test by performing a ping to 22.214.171.124 from RA
do you see any debug line on RB?
If no packet hits RB, the meaning of this output is:
you have asked to ping 126.96.36.199, but 188.8.131.52 is mapped to 184.108.40.206 and so the ping is sent to 220.127.116.11
If you had a BGP session with 18.104.22.168 it would be stuck in Active.
Hope to help
22.214.171.124 is also the serial interface on RB.
I would suggest using a loopback on RA to represent the public pool:
ip address 126.96.36.199 255.255.255.0
then change the NAT pool accordingly and add a static route for the pool on RB:
ip route 188.8.131.52 255.255.255.0 184.108.40.206
This should give you a clean setup that is more realistic.
Hope to help