Why will this NAT work vs. this one?

Unanswered Question
Aug 31st, 2009

All,

I configured a router like below:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

ip route 192.168.200.0 255.255.255.0 null0

router bgp 300

network 192.168.200.0

neighbor 192.168.3.1 remote-as 200

The above works fine, but it doesn't work if I use an ACL to identify the inside network, like:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source list 5 pool SECONDARY overload

access-list 5 permit 192.168.50.0

Thanks,

John

Edison Ortiz Mon, 08/31/2009 - 09:53

Can you explain what does not work?

Is it translating but not giving the desired result, or is it not translating at all?

Why are you overloading on the pool?

__

Edison.

John Blakley Mon, 08/31/2009 - 09:58

Edison,

That was actually a "last resort" thing. It doesn't seem to translate correctly:

*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.1 (FastEthernet0/0), d=192.168.200.1 (Null0), routed via RIB

*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), routed via FIB

*Mar 1 01:08:14.859: IP: s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), len 56, sending

Here's my debug ip packet output.

Thanks,

John

Edison Ortiz Mon, 08/31/2009 - 10:10

It works if you use an extended ACL :)

ip nat inside source list 105 pool SECONDARY

access-list 105 permit ip 192.168.50.0 0.0.0.255 any

I never use standard ACLs for NAT, as a best practice.

John Blakley Mon, 08/31/2009 - 10:11

Edison,

It works if I ping outbound from the NAT router, sourcing from an address that's in the ACL. It gets put into the table, and I can ping the NATed address from outside of that router just fine.

Thanks,

John

Jon Marshall Mon, 08/31/2009 - 10:18

John

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

The above is a static NAT setup, so it is bidirectional, i.e. you can initiate connections from either inside or outside.

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source list 5 pool SECONDARY overload

This one is not static; it is a dynamic NAT setup and therefore is not bidirectional, i.e. you need to initiate a connection from the inside first. Once this has been done there is an entry in the NAT table, and then an outside connection can use this translation.

Jon
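
As an added illustration of Jon's point (this is not part of the thread and is not IOS code), the Python model below replays the two configurations: a static network translation is installed at configuration time and works in both directions, while a dynamic pool translation only exists after an inside host has sent a matching packet, so an outside-initiated ping to a pool address finds no entry. It also encodes one check worth making when a standard ACL feeds NAT: in IOS a standard ACL entry written without a wildcard mask defaults to wildcard 0.0.0.0, i.e. a host match, so `access-list 5 permit 192.168.50.0` matches the single address 192.168.50.0 and nothing else in the /24. The addresses are the thread's; the class and function names (`StaticNetworkNat`, `DynamicPoolNat`, `ios_standard_acl_matches`, `demo`) are mine, and the model ignores port translation (`overload`).

```python
import ipaddress
from typing import Optional

# Constructed topology, using the thread's addresses: inside hosts live in
# 192.168.50.0/24 and are presented to the BGP peer (192.168.3.1) as
# 192.168.200.0/24.
INSIDE_NET = ipaddress.ip_network("192.168.50.0/24")
GLOBAL_NET = ipaddress.ip_network("192.168.200.0/24")


def ios_standard_acl_matches(entry: str, src: str) -> bool:
    """Evaluate one IOS standard ACL line, 'permit A.B.C.D [wildcard]'.

    IOS semantics: a wildcard bit of 1 means "don't care". When the wildcard
    is omitted it defaults to 0.0.0.0, so 'permit 192.168.50.0' is a host
    match for 192.168.50.0 only, not the /24.
    """
    parts = entry.split()
    addr = int(ipaddress.ip_address(parts[1]))
    wildcard = int(ipaddress.ip_address(parts[2])) if len(parts) > 2 else 0
    return (int(ipaddress.ip_address(src)) | wildcard) == (addr | wildcard)


class StaticNetworkNat:
    """Models 'ip nat inside source static network <local> <global> /24'.

    The prefix-to-prefix mapping is installed at configuration time, so the
    translation is bidirectional: an outside host can reach an inside host
    before the inside host has sent anything.
    """

    def __init__(self, inside: ipaddress.IPv4Network, glob: ipaddress.IPv4Network):
        self.inside, self.glob = inside, glob

    def outbound(self, src: str) -> str:
        """Inside -> outside: rewrite the source if it falls in the local prefix."""
        ip = ipaddress.ip_address(src)
        if ip in self.inside:
            return str(self.glob[int(ip) - int(self.inside[0])])
        return src

    def inbound(self, dst: str) -> Optional[str]:
        """Outside -> inside: rewrite the destination, or None if untranslatable."""
        ip = ipaddress.ip_address(dst)
        if ip in self.glob:
            return str(self.inside[int(ip) - int(self.glob[0])])
        return None


class DynamicPoolNat:
    """Models 'ip nat inside source list <acl> pool <pool>' (no overload).

    Nothing is in the table until an inside packet matches the ACL; only
    then is a pool address allocated. An inbound packet whose destination
    has no entry yet is not translated, which is why an outside-initiated
    ping to the pool fails until the inside host has talked first.
    """

    def __init__(self, acl_entry: str, pool_start: str, pool_end: str):
        self.acl_entry = acl_entry
        lo, hi = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.table: dict[str, str] = {}  # inside local -> inside global

    def outbound(self, src: str) -> Optional[str]:
        if src in self.table:
            return self.table[src]
        if not ios_standard_acl_matches(self.acl_entry, src):
            return src  # not "interesting" traffic: forwarded untranslated
        if not self.free:
            return None  # pool exhausted: the packet is dropped
        glob = self.free.pop(0)
        self.table[src] = glob
        return glob

    def inbound(self, dst: str) -> Optional[str]:
        for local, glob in self.table.items():
            if glob == dst:
                return local
        return None


def demo() -> dict:
    """Replay the thread's two scenarios and return what each translates to."""
    static = StaticNetworkNat(INSIDE_NET, GLOBAL_NET)
    dyn = DynamicPoolNat("permit 192.168.50.0 0.0.0.255", "192.168.200.1", "192.168.200.254")
    # Standard ACL with the wildcard left off, as written in the original post.
    dyn_host_acl = DynamicPoolNat("permit 192.168.50.0", "192.168.200.1", "192.168.200.254")

    r = {}
    # Outside peer pings a global address with no prior inside traffic.
    r["static_inbound_first"] = static.inbound("192.168.200.10")
    r["dynamic_inbound_first"] = dyn.inbound("192.168.200.1")
    # Now an inside host sends out, building the dynamic entry.
    r["dynamic_outbound"] = dyn.outbound("192.168.50.10")
    r["dynamic_inbound_after"] = dyn.inbound("192.168.200.1")
    # The host-match ACL never catches 192.168.50.10, so it leaves untranslated.
    r["std_acl_no_wildcard"] = dyn_host_acl.outbound("192.168.50.10")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} -> {value}")
```

Running it shows the static mapping answering the inbound ping immediately, the dynamic pool returning nothing for the same inbound packet until the inside host has gone out first, and the wildcard-less standard ACL passing 192.168.50.10 through untranslated.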

John Blakley Mon, 08/31/2009 - 10:19

Edison,

It doesn't put anything in the table unless I have something going outbound, but when I do the complete network, it does put it into the table without seeing traffic for it:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source list 101 pool SECONDARY

WWW#sh ip nat trans

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

WWW#

WWW#sh ip nat trans

Subnet translation:

Inside global   Inside local   Outside local   Outside global   /prefix
192.168.200.0   192.168.50.0   ---             ---              /24

My conclusion is that the router won't route for my outside "falsified" addresses unless traffic came out of the network to create a mapping with the first config, but the second configuration automatically places the network that I want to translate in the table. In the first one, I have to ping outbound before I'll be able to ping inbound; otherwise there's no entry in the table to translate to.

:)

Thanks!

John

Edison Ortiz Mon, 08/31/2009 - 10:23

Well, yes, but I tried your config and mine didn't work with a standard ACL until I changed it to an extended ACL; what you said is correct, though. There are differences between the two NAT approaches: the static one is, as the name implies, static, so a NAT entry is built on the router and devices on the outside can reach devices on the inside without the inside devices initiating a connection. The pool is dynamic in nature, a PAT.

__

Edison.
