02-21-2009 02:59 PM - edited 03-06-2019 04:09 AM
Hi everybody!
I was practicing dynamic NAT on my 2500 routers when I encountered something strange.
The topology is:
h1----sw(L2)----e0RA s0----------s0 RB
Ip address:
h1: 199.199.199.10/24
default gateway: 199.199.199.1/24
rAe0 199.199.199.1/24
rA s0 200.200.200.1/24
rB s0 200.200.200.2/24
rA config:
int e0
ip nat inside
ip address 199.199.199.1/24
int s0
ip address 200.200.200.1/24
ip nat outside
ip nat source list 1 pool zee
access-list 1 permit 199.199.199.0 0.0.0.255
ip nat pool zee 200.200.200.2 200.200.200.3 netmask 255.255.255.0
------------------------------------------
rb config;
int s0
ip address 200.200.200.2/24
clockrate 56000
-------------------------------------------
I found:
h1 can ping 200.200.200.2
but rA cannot ping 200.200.200.2
rB can ping 200.200.200.1
Why can rA not ping 200.200.200.2?
Any input will be appreciated
thanks a lot!
02-22-2009 12:17 AM
Hello Sarah,
200.200.200.2 is also the serial interface on RB
I would suggest to use on RA a loopback to represent the public pool
int loop1
ip address 200.200.220.1 255.255.255.0
then change the nat pool accordingly and add static routes for the pool from RB
on RB
ip route 200.200.220.0 255.255.255.0 200.200.200.1
this should give you a clean setup that is more realistic.
Hope to help
Giuseppe
02-22-2009 12:02 PM
Hello Sarah,
my opinion is that this is not a real case.
you are not going to use NAT in this way.
Here it is my explanation:
in real world you can think to use a NAT pool only if your ISP gives you an additional public address block to manage internet access.
A clean solution is that the NAT pool uses an ip address block that is different from the ip subnet used in the WAN internet facing interface.
So discussing your configuration can be useful to understand what priorities a router uses when a NAT Inside Global address overlaps the ip address of another router that is also the next hop to internet.
Is this a reasonable choice ?
I don't think so.
I know that you are probably implementing a lab proposed in some book.
It looks like the NAT entry overrides the CEF neighbor adjacency.
To demonstrate this you can:
enable debug ip icmp on RB
test performing a ping to 200.200.200.2 from RA
do you see any debug line on RB ?
if no packet hits RB the meaning of this output is:
you have asked to ping 200.200.200.2 but 200.200.200.2 is mapped to 199.199.199.10 and so the ping is sent to 199.199.199.10
if you had a BGP session with 200.200.200.2 it would be stuck in Active
Hope to help
Giuseppe
02-22-2009 12:23 PM
Sarah
I think that Giuseppe makes good points about how NAT is usually used. And I agree that the real problem with your test is that 200.200.200.2 is used both in the NAT pool and as the address of the neighbor router. What happens if you make your NAT pool to be 200.200.200.10 and 200.200.200.11? Or to follow the point from Giuseppe what happens if you make the NAT pool addresses in an entirely different network?
Note that if the NAT pool is in a different network, then routerB needs a route to that network/subnet. How would you get those routes into routerB?
HTH
Rick
02-22-2009 02:36 PM
Hi Sarah,
PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign THE SAME port value of the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.
So in your example the first translation should keep the same port (200) whereas for the second one the router should choose the first available port from the 0-511 range (of course different from 200).
Hope it helps,
Petru
02-21-2009 09:19 PM
Try replacing your config line ip nat source list 1 pool zee with ip nat inside source list 1 pool zee overload. You need the "overload" keyword to do dynamic nat. Use the show ip nat translations command for verification.
02-21-2009 11:49 PM
Thanks for your reply!
I am not doing PAT right now; the purpose of this lab is to master dynamic NAT.
What you refer to as overload is port address translation with NAT. Again, my goal is to master dynamic NAT and then proceed to PAT.
thanks a lot!
02-21-2009 11:59 PM
Hi
Verify that you have a route back to rA from router rB.
You are able to ping 200.200.200.2 because it has created a dynamic NAT entry and there is no other entry in the NAT table for other destinations.
Thanks
Mahmood
02-22-2009 08:24 AM
Thanks a lot Mahmood!
For starters, 200.200.200.0/24 is a directly connected subnet for both rA and rB. Both rA's and rB's s0 interfaces are on that subnet. So rA and rB have this entry in their routing tables:
C 200.200.200.0/24 is directly connected, s0
Also the fact that rB can ping rA proves that rA has an entry for 200.200.200.0/24; that's how rB was able to receive the echo reply from rA.
02-22-2009 08:19 AM
Thanks Giuseppe!
I understand that the address 200.200.200.2/24 should be excluded from the pool on rA, as this IP is assigned to s0 of the adjacent rB. But I want to learn why the ping is successful from rB to rA but not from rA to rB.
Thanks a lot!
02-22-2009 10:21 AM
Hi Giuseppe!
I ran the test again. I started out with default configurations on rA and rB.
rA s0-------------------s0 rB
h1 is connected to rA.
I configured ra as:
int s0
ip address 200.200.200.1/24
clockrate 56000
ip nat outside
---------------
int e0
ip address 199.199.199.1/24
ip nat inside
----------------------
ip nat pool zee 200.200.200.2 200.200.200.2 netmask 255.255.255.0
ip nat source list 1 pool zee
access-list 1 permit 199.199.199.0 0.0.0.255
--------------------------------------
H1 Config:
ip address 199.199.199.10/24
gateway 199.199.199.1/24
---------------------------------
rb config:
int s0
ip address 200.200.200.2/24
-------------------------------------
Now I ping 200.200.200.2 from rA.
This time ping was successful but with strange results.
RouterA#ping 200.200.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
RouterA#
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [22]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [23]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [24]
------------------------------------
1) what do the numbers in [ ] represent?
2)Usually when we ping , we get result something like that:
If i am pinging from ip1 to ip2 where ip1 is ip address of the interface towards ip2.
src ip1 dest ip2
src ip2 dest ip1
From the output below:
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]
i noticed:
src = 200.200.200.1 dst 200.200.200.2-> 199.199.199.10
Obviously rA is not sending the ping packets to 200.200.200.2, the s0 of rB.
It is simply sending the packets to itself.
The ping packet is being looped back to rA, as evident from these facts:
1) the translation 200.200.200.2-> 199.199.199.10
2) the reply from 200.200.200.2 is missing, which should be:
src: 200.200.200.2 dst : 200.200.200.1
Any insight into this result will be appreciated.
thanks a lot!
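As an added illustration (not code from the thread), the following Python model shows the behaviour Giuseppe describes and that the debug lines above confirm: on the outside interface a Cisco router consults the NAT table before the routing table, so a destination equal to an inside-global address is rewritten to the inside-local address and never leaves on s0. It uses the thread's addresses; the function names and the pool-overlap check are assumptions added here.

```python
import ipaddress
from typing import Dict, List, Tuple


def build_nat_table(inside_local: str, pool_start: str, pool_end: str) -> Dict[str, str]:
    """Dynamic NAT: the first inside host to send traffic takes the first free
    pool address. Returns the inside-global -> inside-local map the router
    consults for packets heading in through (or out of) the outside interface."""
    first, last = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if first > last:
        raise ValueError("pool start must not be above pool end")
    return {str(first): inside_local}  # only h1 has sent traffic so far


def outside_path(nat_table: Dict[str, str], dst: str, link_subnet: str) -> Tuple[str, str]:
    """Model of RA sending a packet toward dst out of its NAT outside interface.
    Cisco order of operations in the outside->inside direction is NAT first,
    routing second: a destination matching an inside-global entry is rewritten
    to the inside-local address and so never reaches the serial link."""
    if dst in nat_table:
        return nat_table[dst], "translated; forwarded back to the inside (e0)"
    if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(link_subnet):
        return dst, "connected route; forwarded on s0"
    return dst, "no route"


def pool_conflicts(pool_start: str, pool_end: str, reserved: List[str]) -> List[str]:
    """Pre-deployment check (assumed helper): no inside-global address may
    collide with an address already assigned on the outside subnet."""
    first = int(ipaddress.IPv4Address(pool_start))
    last = int(ipaddress.IPv4Address(pool_end))
    return [a for a in reserved if first <= int(ipaddress.IPv4Address(a)) <= last]


if __name__ == "__main__":
    link = "200.200.200.0/24"
    # Sarah's second lab: the pool is exactly RB's serial address.
    bad = build_nat_table("199.199.199.10", "200.200.200.2", "200.200.200.2")
    print(outside_path(bad, "200.200.200.2", link))
    # Rick's suggestion: pool 200.200.200.10-200.200.200.11.
    good = build_nat_table("199.199.199.10", "200.200.200.10", "200.200.200.11")
    print(outside_path(good, "200.200.200.2", link))
    # Lint the original pool against the two serial addresses on the link.
    print(pool_conflicts("200.200.200.2", "200.200.200.3", ["200.200.200.1", "200.200.200.2"]))
```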
02-22-2009 11:36 AM
I don't see similar output when pinging out of a NATed port.
Is this something to do with IOS version?
Thanks in advance.
02-22-2009 11:41 AM
By the by, it appears that you have statically assigned an IP address from the NAT pool.
Should the config have been, say, outside the range of all assignments to avoid a duplicate IP address?
ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0
Also, what is the command to display the nat entries/nat table. This will show all addresses used up from the pool.
Thanks
02-22-2009 12:46 PM
Thanks Mattkaya!
ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0
Since the ip address is not assigned to adjacent router int, there should be no complication as it was in my case where i used the ip address configured on s0 int of adjacent router b.
"Also, what is the command to display the nat entries/nat table. This will show all addresses used up from the pool"
you can use "show ip nat translation"
thanks a lot!
02-22-2009 12:55 PM
Thanks a lot Rick!
"What happens if you make your NAT pool to be 200.200.200.10 and 200.200.200.11? "
In the above case, communication will occur properly as the above address is not used by adjacent router's int.
"Note that if the NAT pool is in a different network that routerB needs a route to that network/subnet. How would you get those routes into routerB? "
We can either configure the route statically on rB (which is the better choice) or run a routing protocol and advertise the route to rB from rA.
-------------------------------------
02-22-2009 12:50 PM
Thanks a lot Giuseppe! I was just performing a lab with a weird scenario. Yes, you are right, in the real world we don't perform NAT in this manner. But implementing weird scenarios helps me understand the internals of the subject better.