dynamic nat

sarahr202
Level 5

Hi everybody!

I was practicing dynamic NAT on my 2500 routers when I encountered something strange.

The topology is:

h1----sw(L2)----e0RA s0----------s0 RB

IP addresses:

h1: 199.199.199.10/24, default gateway 199.199.199.1

rA e0: 199.199.199.1/24

rA s0: 200.200.200.1/24

rB s0: 200.200.200.2/24

rA config:

int e0
 ip nat inside
 ip address 199.199.199.1 255.255.255.0
int s0
 ip address 200.200.200.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 pool zee
access-list 1 permit 199.199.199.0 0.0.0.255
ip nat pool zee 200.200.200.2 200.200.200.3 netmask 255.255.255.0

------------------------------------------

rB config:

int s0
 ip address 200.200.200.2 255.255.255.0
 clock rate 56000

-------------------------------------------

I found:

h1 can ping 200.200.200.2,

but rA cannot ping 200.200.200.2.

rB can ping 200.200.200.1.

Why can rA not ping 200.200.200.2?

Any input will be appreciated

Thanks a lot!

Accepted Solutions

Hi Sarah,

PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign THE SAME port value of the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.

So in your example the first translation should keep the same port (200), whereas for the second one the router should choose the first available port from the 0-511 range (of course different from 200).

Hope it helps,

Petru

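An added example, not code from the thread or from Cisco IOS, that implements the allocation rule Petru describes: try to keep the original source port, and if it is already taken, scan the port's own range (0-511, 512-1023 or 1024-65535) from its start for the first free one. It follows that description literally, so the first fallback in the low range is port 0; that TCP and UDP ports are tracked in separate spaces is an assumption of the model, and the inside hosts and sessions are constructed for the demonstration:

```python
# Added model of the PAT (overload) port-allocation rule described in the
# thread. Simplified; it is not IOS code and the sessions below are made up.
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def port_range(port):
    """Return the (low, high) range a source port belongs to."""
    for lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"not a valid port: {port}")


class PatTable:
    """PAT state for one inside-global address.

    Assumption: TCP and UDP port spaces are kept separately, so the same
    number can be in use for a TCP and a UDP session at the same time.
    """

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.entries = {}   # (inside_local, proto, local_port) -> global_port
        self.used = {}      # proto -> set of global ports currently in use

    def allocate(self, inside_local, proto, local_port):
        """Return the global port for a session, allocating one if needed."""
        key = (inside_local, proto, local_port)
        if key in self.entries:                 # existing session: reuse it
            return self.entries[key]
        used = self.used.setdefault(proto, set())
        if local_port not in used:              # first choice: the original port
            chosen = local_port
        else:                                   # taken: scan the range from its start
            lo, hi = port_range(local_port)
            chosen = next((p for p in range(lo, hi + 1) if p not in used), None)
            if chosen is None:
                raise RuntimeError(
                    f"no free {proto} port in {lo}-{hi} on {self.inside_global}")
        used.add(chosen)
        self.entries[key] = chosen
        return chosen

    def release(self, inside_local, proto, local_port):
        """Tear down a session and free its global port."""
        port = self.entries.pop((inside_local, proto, local_port))
        self.used[proto].discard(port)
        return port


if __name__ == "__main__":
    pat = PatTable("200.200.200.2")
    # Constructed case from the thread: several inside hosts all sourcing
    # from UDP port 200 behind one inside-global address.
    for host in ("199.199.199.10", "199.199.199.11", "199.199.199.12"):
        print(f"{host} udp/200 -> {pat.inside_global} udp/{pat.allocate(host, 'udp', 200)}")
```

The second and third hosts get ports 0 and 1 under this literal reading of the rule; a session sourced from a high port (for example 40000) that collides falls back to 1024, the start of its own range, not to a low port.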

17 Replies

johnlloyd_13
Level 9

Try replacing your config line "ip nat source list 1 pool zee" with "ip nat inside source list 1 pool zee overload". You need the "overload" keyword to do dynamic NAT. Use the "show ip nat translations" command for verification.

Thanks for your reply!

I am not doing PAT right now; the purpose of this lab is to master dynamic NAT.

What you refer to as overload is port address translation with NAT. Again, my goal is to master dynamic NAT and then proceed to PAT.

Thanks a lot!

Hi

Verify that you have a route back to rA from router rB.

You are able to ping 200.200.200.2 because it has created a dynamic NAT entry and there is no other entry in the NAT table for other destinations.

Thanks

Mahmood

Thanks a lot Mahmood!

For starters, 200.200.200.0/24 is a directly connected subnet for both rA and rB. Both rA's and rB's s0 interfaces are on that subnet, so rA and rB have this entry in their routing tables:

C 200.200.200.0/24 is directly connected, Serial0

Also, the fact that rB can ping rA proves that rA has an entry for 200.200.200.0/24; that's how rB was able to receive the echo from rA.

Giuseppe Larosa
Hall of Fame

Hello Sarah,

200.200.200.2 is also the serial interface on RB

I would suggest using a loopback on RA to represent the public pool:

int loop1

ip address 200.200.220.1 255.255.255.0

Then change the NAT pool accordingly and add a static route for the pool on RB:

ip route 200.200.220.0 255.255.255.0 200.200.200.1

this should give you a clean setup that is more realistic.

Hope to help

Giuseppe

Thanks Giuseppe!

I understand that the address 200.200.200.2/24 should be excluded from the pool on rA, as this IP is assigned to s0 of the adjacent rB. But I want to learn why the ping is successful from rB to rA but not from rA to rB.

Thanks a lot!

Hi Giuseppe!

I ran the test again. I started out with default configurations on rA and rB.

rA s0 ------------------- s0 rB

h1 is connected to rA.

I configured rA as:

int s0
 ip address 200.200.200.1 255.255.255.0
 clock rate 56000
 ip nat outside
!
int e0
 ip address 199.199.199.1 255.255.255.0
 ip nat inside
!
ip nat pool zee 200.200.200.2 200.200.200.2 netmask 255.255.255.0
ip nat inside source list 1 pool zee
access-list 1 permit 199.199.199.0 0.0.0.255

H1 config:

ip address 199.199.199.10/24
gateway 199.199.199.1

rB config:

int s0
 ip address 200.200.200.2 255.255.255.0

Now I ping 200.200.200.2 from rA.

This time the ping was successful, but with strange results.

RouterA#ping 200.200.200.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

RouterA#

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [22]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [23]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [24]

------------------------------------

1) What do the numbers in [ ] represent?

2) Usually when we ping, we get a result something like this:

If I am pinging from ip1 to ip2, where ip1 is the IP address of the interface towards ip2:

src ip1 dst ip2

src ip2 dst ip1

From the output below:

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]

00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]

I noticed:

src = 200.200.200.1 dst 200.200.200.2 -> 199.199.199.10

Obviously rA is not sending the ping packets to 200.200.200.2, s0 of rB.

It is simply sending the packets to itself.

The ping packet is being looped back to rA, as is evident from these facts:

1) the translation 200.200.200.2 -> 199.199.199.10

2) the reply from 200.200.200.2 is missing, which should be:

src: 200.200.200.2 dst: 200.200.200.1

Any insight into this result will be appreciated.

Thanks a lot!

I don't see similar output when pinging out of a NATed port.

Is this something to do with IOS version?

Thanks in advance.

By the by, it appears that you have statically assigned an IP address from the NAT pool.

Should the config have been, say, outside the range of all assignments, to avoid a duplicate IP address?

ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0

Also, what is the command to display the NAT entries/NAT table? This will show all addresses used up from the pool.

Thanks

Thanks Mattkaya!

ip nat pool zee 200.200.200.200 200.200.200.254 netmask 255.255.255.0

Since the IP address is not assigned to the adjacent router's interface, there should be no complication, as there was in my case where I used the IP address configured on the s0 interface of the adjacent router rB.

"Also, what is the command to display the NAT entries/NAT table? This will show all addresses used up from the pool."

You can use "show ip nat translations".

Thanks a lot!

Hello Sarah,

my opinion is that this is not a real case.

You are not going to use NAT in this way.

Here is my explanation:

In the real world you can think of using a NAT pool only if your ISP gives you an additional public address block to manage internet access.

A clean solution is that the NAT pool uses an IP address block that is different from the IP subnet used on the WAN internet-facing interface.

So discussing your configuration can be useful to understand what priorities a router uses when a NAT inside global address overlaps the IP address of another router that is also the next hop to the internet.

Is this a reasonable choice?

I don't think so.

I know that you are probably implementing a lab proposed in some book.

It looks like the NAT entry overrides the CEF neighbor adjacency.

To demonstrate this you can:

enable debug ip icmp on RB

test by performing a ping to 200.200.200.2 from RA

Do you see any debug line on RB?

If no packet hits RB, the meaning of this output is:

you have asked to ping 200.200.200.2, but 200.200.200.2 is mapped to 199.199.199.10, and so the ping is sent to 199.199.199.10.

If you had a BGP session with 200.200.200.2 it would be stuck in Active.

Hope to help

Giuseppe
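An added worked example (not code from the thread or from Cisco) that models what Sarah's debug output and Giuseppe's explanation describe: a pool address that is also rB's s0 address collides in the NAT table, so a router-sourced packet to 200.200.200.2 has its destination rewritten to 199.199.199.10 instead of leaving s0. The NatRouter class, the lint and route helpers and the address sets are assumptions built from the addressing in the thread; the debug lines are the ones Sarah posted, and the parser handles only that line format. The model is Python, not IOS, and deliberately simplified:

```python
# Added model of the dynamic NAT collision discussed in the thread.
# Assumption: a packet headed toward the outside whose destination matches an
# inside-global entry has that destination rewritten to the inside-local
# address before forwarding, which is what the posted debug lines show.
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed from the addressing in the thread.
OUTSIDE_SUBNET = ipaddress.ip_network("200.200.200.0/24")
NEIGHBORS = {"200.200.200.2"}                            # rB s0
ROUTER_ADDRESSES = {"200.200.200.1", "199.199.199.1"}    # rA s0 and e0


@dataclass
class Translation:
    inside_local: str
    inside_global: str


@dataclass
class NatRouter:
    """Dynamic NAT on rA: one pool, one translation table (simplified)."""
    pool_first: str
    pool_last: str
    table: list = field(default_factory=list)

    def pool_addresses(self):
        first = int(ipaddress.IPv4Address(self.pool_first))
        last = int(ipaddress.IPv4Address(self.pool_last))
        return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def lint_pool(self, neighbors=NEIGHBORS):
        """Pool addresses that are also a neighbor's interface address."""
        return sorted(set(self.pool_addresses()) & set(neighbors))

    def neighbor_needs_route(self, outside_subnet=OUTSIDE_SUBNET):
        """Rick's point: a pool outside the WAN subnet only works if rB has a
        route for it (static or learned) pointing back at rA."""
        return any(ipaddress.ip_address(a) not in outside_subnet
                   for a in self.pool_addresses())

    def inside_to_outside(self, inside_local):
        """Inside host sends a packet: reuse or allocate a dynamic entry."""
        for t in self.table:
            if t.inside_local == inside_local:
                return t.inside_global
        used = {t.inside_global for t in self.table}
        for g in self.pool_addresses():
            if g not in used:
                self.table.append(Translation(inside_local, g))
                return g
        raise RuntimeError("NAT pool exhausted")

    def destination_after_nat(self, dst):
        """Destination of an outbound packet after the table lookup."""
        for t in self.table:
            if t.inside_global == dst:
                return t.inside_local
        return dst


# 'debug ip nat' lines exactly as posted (rA pinging 200.200.200.2).
DEBUG_LINES = """\
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [20]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [21]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [22]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [23]
00:22:50: NAT: s=200.200.200.1, d=200.200.200.2->199.199.199.10 [24]
""".splitlines()

# s=<src>, d=<old>-><new>, and in brackets the packet's IP identification
# field (one per packet, hence 20..24 for the five echoes).
DEBUG_RE = re.compile(
    r"NAT: s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+)->(?P<new_dst>[\d.]+) \[(?P<ip_id>\d+)\]")


def parse_nat_debug(lines):
    records = []
    for line in lines:
        m = DEBUG_RE.search(line)
        if m:
            records.append({"src": m["src"], "dst": m["dst"],
                            "new_dst": m["new_dst"], "ip_id": int(m["ip_id"])})
    return records


def find_hairpins(records, router_addresses=ROUTER_ADDRESSES):
    """Router-sourced packets whose destination NAT rewrote: they never reach
    the neighbor, which is why 'debug ip icmp' on rB would stay silent."""
    return [r for r in records
            if r["src"] in router_addresses and r["dst"] != r["new_dst"]]


if __name__ == "__main__":
    sarah = NatRouter("200.200.200.2", "200.200.200.3")   # pool from the first post
    print("pool/neighbor collision:", sarah.lint_pool())
    sarah.inside_to_outside("199.199.199.10")             # h1 pings rB first
    print("rA ping to 200.200.200.2 goes to:", sarah.destination_after_nat("200.200.200.2"))
    clean = NatRouter("200.200.220.2", "200.200.220.3")   # Giuseppe's loopback range
    print("clean pool needs a route on rB:", clean.neighbor_needs_route())
    for r in find_hairpins(parse_nat_debug(DEBUG_LINES)):
        print("hairpinned packet, IP id", r["ip_id"])
```

Running the file shows the collision for the pool from the first post, the rewritten destination once h1's entry exists, that Giuseppe's 200.200.220.0/24 pool is unreachable from rB without a route, and the five hairpinned echoes parsed from the debug. The same two checks (pool range against every address on the outside subnet, and a route back on the neighbor for any pool outside that subnet) are worth doing by hand before committing a NAT pool on a real router.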

Sarah

I think that Giuseppe makes good points about how NAT is usually used. And I agree that the real problem with your test is that 200.200.200.2 is used both in the NAT pool and as the address of the neighbor router. What happens if you make your NAT pool to be 200.200.200.10 and 200.200.200.11? Or to follow the point from Giuseppe what happens if you make the NAT pool addresses in an entirely different network?

Note that if the NAT pool is in a different network, then routerB needs a route to that network/subnet. How would you get those routes into routerB?

HTH

Rick

Thanks a lot Rick!

"What happens if you make your NAT pool to be 200.200.200.10 and 200.200.200.11? "

In the above case, communication will occur properly, as the above addresses are not used by the adjacent router's interface.

"Note that if the NAT pool is in a different network that routerB needs a route to that network/subnet. How would you get those routes into routerB?"

We can either configure the route statically on rB (which is the better choice) or run a routing protocol and advertise the route to rB from rA.

-------------------------------------

Thanks a lot Giuseppe! I was just performing a lab with a weird scenario. Yes, you are right, in the real world we don't perform NAT in this manner. But implementing weird scenarios helps me understand the internals of the subject better.
