dynamic nat

Answered Question
Feb 21st, 2009

Hi everybody!

I was practicing dynamic NAT on my 2500 routers when I encountered something strange.

The topology is:

h1----sw(L2)----e0 RA s0----------s0 RB

IP addresses:

h1: 199.199.199.10/24

default gateway: 199.199.199.1/24

rA e0 199.199.199.1/24

rA s0 200.200.200.1/24

rB s0 200.200.200.2/24

rA config:

int e0

ip nat inside

ip address 199.199.199.1/24

int s0

ip address 200.200.200.1/24

ip nat outside

ip nat source list 1 pool zee

access-list 1 permit 199.199.199.0 0.0.0.255

ip nat pool zee 200.200.200.2 200.200.200.3 netmask 255.255.255.0

------------------------------------------

rB config:

int s0

ip address 200.200.200.2/24

clockrate 56000

-------------------------------------------

I found:

h1 can ping 200.200.200.2

but rA cannot ping 200.200.200.2

rB can ping 200.200.200.1

Why can rA not ping 200.200.200.2?

Any input will be appreciated.

Thanks a lot!

johnlloyd_13 Sat, 02/21/2009 - 21:19

Try replacing your config line ip nat source list 1 pool zee with ip nat inside source list 1 pool zee overload. You need the "overload" keyword to do dynamic NAT. Use the show ip nat translations command for verification.

sarahr202 Sat, 02/21/2009 - 23:49

Thanks for your reply!

I am not doing PAT right now; the purpose of this lab is to master dynamic NAT.

What you refer to as overload is port address translation with NAT. Again, my goal is to master dynamic NAT, then proceed to PAT.

Thanks a lot!

mahmoodmkl Sat, 02/21/2009 - 23:59

Hi

Verify that you have a route back to rA from router rB.

You are able to ping 200.200.200.2 because it has created a dynamic NAT entry and there is no other entry in the NAT table for other destinations.

Thanks

Mahmood

sarahr202 Sun, 02/22/2009 - 08:24

Thanks a lot Mahmood!

For starters, 200.200.200.0/24 is a directly connected subnet for both rA and rB. Both rA's and rB's s0 interfaces are on that subnet, so rA and rB have this entry in their routing tables:

C 200.200.200.0/24 directly connected s0

Also, the fact that rB can ping rA proves that rA has an entry for 200.200.200.0/24; that's how rB was able to receive the echo from rA.

Correct Answer
Giuseppe Larosa Sun, 02/22/2009 - 00:17

Hello Sarah,

200.200.200.2 is also the serial interface on RB

I would suggest using a loopback on RA to represent the public pool:

int loop1

ip address 200.200.220.1 255.255.255.0

then change the NAT pool accordingly and add a static route for the pool on RB.

On RB:

ip route 200.200.220.0 255.255.255.0 200.200.200.1

This should give you a clean setup that is more realistic.

Hope to help

Giuseppe

sarahr202 Sun, 02/22/2009 - 08:19

Thanks Giuseppe!

I understand that the address 200.200.200.2/24 should be excluded from the pool on rA, as this IP is assigned to s0 of the adjacent rB. But I want to learn why the ping is successful from rB to rA but not from rA to rB.

Thanks a lot!

sarahr202 Sun, 02/22/2009 - 10:21

Hi Giuseppe!

I ran the test again. I started out with default configurations on rA and rB.

rA s0-------------------s0 rB

h1 is connected to rA.

I configured rA as:

int s0

ip address 200.200.200.1/24

clockrate 56000

ip nat outside

---------------

int e0

ip address 199.199.199.1/24

ip nat inside

----------------------

ip nat pool zee 200.200.200.2 200.200.200.2 netmask 255.255.255.0

ip nat source list 1 pool zee

access-list 1 permit 199.199.199.0 0.0.0.255

--------------------------------------

H1 Config:

ip address 199.199.199.10/24

gateway 199.199.199.1/24

---------------------------------

rB config:

int s0

ip address 200.200.200.2/24

-------------------------------------

Now I ping 200.200.200.2 from rA.

This time the ping was successful, but with strange results.

RouterA#ping 200.200.200.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

RouterA#

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [22]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [23]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [24]

------------------------------------

1) What do the numbers in [ ] represent?

2) Usually when we ping, we get a result something like this:

If I am pinging from ip1 to ip2, where ip1 is the IP address of the interface towards ip2:

src ip1 dest ip2

src ip2 dest ip1

From the output below:

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]

I noticed:

src = 200.200.200.1 dst 200.200.200.2-> 199.199.199.10

Obviously rA is not sending the ping packets to 200.200.200.2, s0 of rB.

It is simply sending the packets to itself.

The ping packet is being looped back to rA, as is evident from these facts:

1) the translation 200.200.200.2-> 199.199.199.10

2) the reply from 200.200.200.2 is missing, which should have been:

src: 200.200.200.2 dst : 200.200.200.1

Any insight into this result will be appreciated.

Thanks a lot!

mattkaya56 Sun, 02/22/2009 - 11:36

I don't see similar output when pinging out of a NATed port.

Is this something to do with IOS version?

Thanks in advance.

mattkaya56 Sun, 02/22/2009 - 11:41

By the by, it appears that you have statically assigned an IP address from the NAT pool.

Should the config have been, say, outside the range of all assignments, to avoid duplicate IP addresses?

ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0

Also, what is the command to display the NAT entries/NAT table? This will show all addresses used up from the pool.

Thanks

sarahr202 Sun, 02/22/2009 - 12:46

Thanks Mattkaya!

ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0

Since the IP address is not assigned to the adjacent router's interface, there should be no complication, as there was in my case where I used the IP address configured on the s0 interface of the adjacent router rB.

"Also, what is the command to display the NAT entries/NAT table? This will show all addresses used up from the pool."

You can use "show ip nat translation".

Thanks a lot!

Correct Answer
Giuseppe Larosa Sun, 02/22/2009 - 12:02

Hello Sarah,

My opinion is that this is not a real case.

You are not going to use NAT in this way.

Here is my explanation:

In the real world you would think of using a NAT pool only if your ISP gives you an additional public address block to manage internet access.

A clean solution is for the NAT pool to use an IP address block that is different from the IP subnet used on the WAN internet-facing interface.

So discussing your configuration can be useful to understand what priorities a router uses when a NAT inside global address overlaps the IP address of another router that is also the next hop to the internet.

Is this a reasonable choice?

I don't think so.

I know that you are probably implementing a lab proposed in some book.

It looks like the NAT entry overrides the CEF neighbor adjacency.

To demonstrate this you can:

enable debug ip icmp on RB

perform a test ping to 200.200.200.2 from RA

Do you see any debug line on RB?

If no packet hits RB, the meaning of this output is:

You have asked to ping 200.200.200.2, but 200.200.200.2 is mapped to 199.199.199.10, and so the ping is sent to 199.199.199.10.

If you had a BGP session with 200.200.200.2, it would be stuck in Active.

Hope to help

Giuseppe
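As an added illustration (not from any poster in this thread, and not IOS code), here is a small Python model of the lookup order the debug output above suggests and Giuseppe describes: once h1's traffic has created a dynamic translation, a packet RA sends towards the outside interface is matched against the inside global addresses in the NAT table before it is handed to the directly connected neighbour, so an inside global address that collides with RB's s0 address is rewritten to 199.199.199.10 and never reaches RB. The addresses are the lab's own; the order of operations is modelled from the observed behaviour, not from IOS internals.

```python
# Added example: model of the NAT-table-before-neighbour behaviour seen in this thread.
# Not IOS code and not from any poster; it reproduces the inferred lookup order only.

from dataclasses import dataclass, field


@dataclass
class Translation:
    inside_local: str    # the host behind NAT, e.g. 199.199.199.10
    inside_global: str   # the pool address it was given


@dataclass
class RouterA:
    pool: list[str]                       # dynamic NAT pool configured on RA
    neighbours: set[str]                  # addresses directly connected on s0 (RB's s0)
    table: list[Translation] = field(default_factory=list)

    def allocate(self, inside_local: str) -> str:
        """Dynamic NAT: hand the first free pool address to an inside host.
        This is what h1's first ping through RA does (Mahmood's point)."""
        for t in self.table:
            if t.inside_local == inside_local:
                return t.inside_global            # existing entry is reused
        used = {t.inside_global for t in self.table}
        for addr in self.pool:
            if addr not in used:
                self.table.append(Translation(inside_local, addr))
                return addr
        raise RuntimeError("NAT pool exhausted")

    def deliver_toward_outside(self, src: str, dst: str) -> str:
        """Where a packet leaving via the outside interface actually ends up.
        The translation check runs first, mirroring the debug line
        'NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10'."""
        for t in self.table:
            if t.inside_global == dst:
                return f"NAT: s={src}, d={dst}->{t.inside_local} (looped back inside)"
        if dst in self.neighbours:
            return f"forwarded on s0 to {dst}"
        return f"no route to {dst}"


def reproduce(pool: list[str]) -> str:
    """h1 pings RB first (creating the dynamic entry), then RA itself pings RB."""
    ra = RouterA(pool=pool, neighbours={"200.200.200.2"})
    ra.allocate("199.199.199.10")            # h1's earlier ping created this entry
    return ra.deliver_toward_outside("200.200.200.1", "200.200.200.2")


if __name__ == "__main__":
    # Sarah's pool collides with RB's s0 address; Rick's suggested pool does not.
    print("overlapping pool :", reproduce(["200.200.200.2"]))
    print("Rick's pool      :", reproduce(["200.200.200.10", "200.200.200.11"]))
```

Running it shows the two outcomes side by side: with the overlapping pool RA's own echo request is rewritten to 199.199.199.10 and looped back inside, while with a pool that does not contain 200.200.200.2 the same packet is forwarded on s0 to RB. Giuseppe's check (debug ip icmp on RB) is the real-world equivalent of looking at which branch the model takes.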

Correct Answer
Richard Burts Sun, 02/22/2009 - 12:23

Sarah

I think that Giuseppe makes good points about how NAT is usually used. And I agree that the real problem with your test is that 200.200.200.2 is used both in the NAT pool and as the address of the neighbor router. What happens if you make your NAT pool 200.200.200.10 to 200.200.200.11? Or, to follow the point from Giuseppe, what happens if you make the NAT pool addresses in an entirely different network?

Note that if the NAT pool is in a different network, routerB needs a route to that network/subnet. How would you get those routes into routerB?

HTH

Rick

sarahr202 Sun, 02/22/2009 - 12:55

Thanks a lot Rick!

"What happens if you make your NAT pool to be 200.200.200.10 and 200.200.200.11? "

In the above case, communication will occur properly, as the above addresses are not used by the adjacent router's interface.

"Note that if the NAT pool is in a different network, routerB needs a route to that network/subnet. How would you get those routes into routerB?"

We can either configure the route statically on rB (which is the better choice) or run a routing protocol and advertise the route to rB from rA.

-------------------------------------

sarahr202 Sun, 02/22/2009 - 12:50

Thanks a lot Giuseppe! I was just performing a lab with a weird scenario. Yes, you are right, in the real world we don't perform NAT in this manner. But implementing weird scenarios helps me understand the internals of the subject better.

sarahr202 Sun, 02/22/2009 - 13:41

If you guys don't mind, I have one more question.

I was reading about NAT (using PAT) in my CCNA book; I find that the NAT router does not change the src port, it retains the src port number in the packet received from the host. For example:

My book shows the following output:

show ip nat translation

(I omitted the rest of the output for brevity)

Inside global         Inside local

200.200.1.1:3213      10.10.10.10:3213

It is obvious that the NAT router is using the same port number it receives in the packet.

My questions are:

1) Does the NAT router change the port number if it receives two IP packets from different hosts with the same src port, say 200?

2) Does the NAT router usually use the same port number it receives in the IP packet for multiplexing?

Thanks a lot!

Correct Answer
badalam_nt Sun, 02/22/2009 - 14:36

Hi Sarah,

PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign THE SAME port value as the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.

So in your example the first translation should keep the same port (200), whereas for the second one the router should choose the first available port from the 0-511 range (of course different from 200).

Hope it helps,

Petru
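As an added example (not from Petru or any other poster, and not IOS code), the following Python model implements the port-selection rule described in the answer above: ports are grouped into 0-511, 512-1023 and 1024-65535; the host's own source port is kept when it is still free on the inside global address, otherwise the group it falls in is scanned from its start for the first free port. Two things the post does not state are assumed here and marked in the code: TCP and UDP port spaces are tracked separately, and entries never age out. The addresses and ports are those from Sarah's book example and her question.

```python
# Added example: model of the PAT source-port rule described in the thread.
# Not IOS code. Assumptions beyond the post: per-protocol port spaces, no timeouts.

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> tuple[int, int]:
    """Return the (low, high) bounds of the group a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {port}")


class PatTable:
    def __init__(self, inside_global: str):
        self.inside_global = inside_global
        # (proto, inside_local, inside_port) -> inside global port chosen for that session
        self.entries: dict[tuple[str, str, int], int] = {}
        # (proto, global_port) -> owning session; ports are tracked per protocol (assumption)
        self.in_use: dict[tuple[str, int], tuple[str, int]] = {}

    def translate(self, proto: str, inside_local: str, inside_port: int) -> int:
        """Return the inside global source port for this session, creating it if new."""
        key = (proto, inside_local, inside_port)
        if key in self.entries:
            return self.entries[key]                 # existing session keeps its port
        if (proto, inside_port) not in self.in_use:
            chosen = inside_port                     # preferred: keep the original port
        else:
            lo, hi = port_group(inside_port)         # scan the same group from its start
            for cand in range(lo, hi + 1):
                if (proto, cand) not in self.in_use:
                    chosen = cand
                    break
            else:
                raise RuntimeError(f"{proto} ports {lo}-{hi} exhausted on {self.inside_global}")
        self.entries[key] = chosen
        self.in_use[(proto, chosen)] = (inside_local, inside_port)
        return chosen

    def show(self) -> list[str]:
        """Rows in the spirit of 'show ip nat translations': proto, inside global, inside local."""
        return [f"{proto} {self.inside_global}:{gport} {local}:{lport}"
                for (proto, local, lport), gport in sorted(self.entries.items())]


def demo() -> list[str]:
    pat = PatTable("200.200.1.1")
    pat.translate("tcp", "10.10.10.10", 3213)  # free, so 3213 is kept (the book's output)
    pat.translate("tcp", "10.10.10.11", 3213)  # 3213 taken: first free in 1024-65535 is 1024
    pat.translate("tcp", "10.10.10.12", 3213)  # next collision gets 1025
    pat.translate("udp", "10.10.10.11", 3213)  # other protocol: 3213 still free there
    pat.translate("tcp", "10.10.10.10", 200)   # Sarah's case: first host keeps 200
    pat.translate("tcp", "10.10.10.11", 200)   # second host: scan 0-511 from the start.
                                               # Taken literally the rule yields port 0;
                                               # the thread does not say whether a real
                                               # box skips port 0.
    return pat.show()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The model makes the two halves of the rule visible at once: an uncontended port survives translation unchanged (which is why a single `show ip nat translations` line, like the one in Sarah's book, looks as if no port was rewritten), and only a collision on the same inside global address and protocol forces a new port, taken from the start of the same group rather than from the colliding port upward.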
