Why will this NAT work vs. this one?

John Blakley
VIP Alumni

All,

I configured a router like below:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

ip route 192.168.200.0 255.255.255.0 null0

router bgp 300

network 192.168.200.0

neighbor 192.168.3.1 remote-as 200

The above works fine, but it doesn't work if I use an ACL to identify the inside network like:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source list 5 pool SECONDARY overload

access-list 5 permit 192.168.50.0

Thanks,

John

HTH, John *** Please rate all useful posts ***
8 Replies

Edison Ortiz
Hall of Fame

Can you explain what does not work?

Is it translating but not giving the desired result or it is not translating at all?

Why are you overloading on the pool?

__

Edison.

Edison,

That was actually a "last resort" thing. It doesn't seem to translate correctly:

*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.1 (FastEthernet0/0), d=192.168.200.1 (Null0), routed via RIB

*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), routed via FIB

*Mar 1 01:08:14.859: IP: s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), len 56, sending

Here's my debug ip packet output.

Thanks,

John


It works if you use an extended ACL :)

ip nat inside source list 105 pool SECONDARY

access-list 105 permit ip 192.168.50.0 0.0.0.255 any

I never use standard ACLs for NAT, as a best practice.

Edison,

It works if I ping outbound from the NAT router, sourcing from an address that's in the ACL. It gets put into the table, and I can ping the NATted address from outside of that router just fine.

Thanks,

John


John

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

The above is a static NAT setup, so it is bidirectional, i.e. you can initiate connections from either inside or outside.

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0

ip nat inside source list 5 pool SECONDARY overload

This one is not static; it is a dynamic NAT setup and therefore is not bidirectional, i.e. you need to initiate a connection from the inside first. Once this has been done there is an entry in the NAT table, and so an outside connection can then use this translation.

Jon

Jon,

Are we reading each other's minds today?? :)

Thanks!

John


Edison,

It doesn't put anything in the table unless I have something going outbound, but when I do the complete network, it does put it into the table without seeing traffic for it:

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source list 101 pool SECONDARY

WWW#sh ip nat trans

ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable

WWW#
WWW#sh ip nat trans
Subnet translation:
Inside global    Inside local    Outside local    Outside global    /prefix
192.168.200.0    192.168.50.0    ---              ---               /24

My conclusion is that the router won't route for my outside "falsified" addresses unless traffic came out of the network to create a mapping with the first config, but the second configuration automatically places the network that I want to translate in the table. In the first one, I have to ping outbound before I'll be able to ping inbound, otherwise there's not an entry in the table to translate to.

:)

Thanks!

John


Well, yes, but I tried your config and mine didn't work with a standard ACL until I changed it to an extended ACL; what you said is correct, though. There are differences between the two NAT approaches: the static one is, as the name implies, static. A NAT entry is built on the router, so devices on the outside can reach devices on the inside without the inside devices initiating a connection. The pool is dynamic in nature, a PAT.

__

Edison.
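The two behaviours the thread settles on, Jon's point that the static network translation is bidirectional while the pool translation only has an entry after inside-originated traffic creates it, and Edison's observation that the standard ACL did not work until it became an extended one, can be checked side by side in a small model. The block below is an added example written for this page; it is not code from the thread or from Cisco, and the class and function names (`wildcard_match`, `StaticNetworkNat`, `DynamicPoolNat`, `demo`) are this example's own. It uses the thread's addresses and pool; the inside host 192.168.50.10 is constructed. One caveat worth stating plainly: a standard ACL line typed without a wildcard mask, as in the first post's `access-list 5 permit 192.168.50.0`, is stored by IOS with the wildcard 0.0.0.0 and so matches only that single address, whereas the extended ACL in the reply carries an explicit 0.0.0.255 wildcard for the whole subnet. The model reproduces that, and also why an inbound packet to a pool address with no table entry ends up at the `null0` route in the posted `debug ip packet` output.

```python
"""Added example (not from the thread): a model of the two IOS NAT setups
discussed above. It shows (1) why a standard ACL entry typed without a
wildcard mask matches a single host, and (2) why a static network translation
answers inbound packets cold while a dynamic pool translation has no entry
until inside-originated traffic creates one. Addresses and the pool come from
the thread; the names below are this example's own."""
import ipaddress


def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """IOS-style ACL match: bits set in the wildcard are 'don't care'.
    A standard ACL line with no wildcard ('permit 192.168.50.0') is stored
    with wildcard 0.0.0.0 and therefore matches only that one address."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


class StaticNetworkNat:
    """'ip nat inside source static network <local> <global> /24': the
    subnet-to-subnet entry exists from the moment it is configured, so
    translation works in both directions with no prior traffic."""

    def __init__(self, inside_local_net, inside_global_net):
        self.local = ipaddress.ip_network(inside_local_net)
        self.glob = ipaddress.ip_network(inside_global_net)

    @staticmethod
    def _map(addr, src_net, dst_net):
        # Keep the host part, swap the network part.
        offset = int(addr) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

    def outbound(self, inside_local):
        addr = ipaddress.ip_address(inside_local)
        return self._map(addr, self.local, self.glob) if addr in self.local else None

    def inbound(self, inside_global):
        addr = ipaddress.ip_address(inside_global)
        return self._map(addr, self.glob, self.local) if addr in self.glob else None


class DynamicPoolNat:
    """'ip nat inside source list <acl> pool <pool>': an entry is created only
    when inside-originated traffic matches the ACL. An inbound packet to a pool
    address with no entry is not translated; with the thread's
    'ip route 192.168.200.0 255.255.255.0 null0' it is then routed to Null0,
    which is what the posted 'debug ip packet' line shows."""

    def __init__(self, acl, pool_first, pool_last):
        self.acl = acl  # list of (base, wildcard) permit entries
        first = int(ipaddress.ip_address(pool_first))
        last = int(ipaddress.ip_address(pool_last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside global -> inside local

    def outbound(self, inside_local):
        for glob, local in self.table.items():
            if local == inside_local:
                return glob  # existing entry is reused
        if not any(wildcard_match(inside_local, b, w) for b, w in self.acl):
            return None  # ACL does not permit this source: sent untranslated
        if not self.free:
            return None  # pool exhausted (one reason 'overload' gets added)
        glob = self.free.pop(0)
        self.table[glob] = inside_local
        return glob

    def inbound(self, inside_global):
        return self.table.get(inside_global)  # None means no translation entry


def demo():
    """Runs the thread's two configurations against the same packets."""
    static = StaticNetworkNat("192.168.50.0/24", "192.168.200.0/24")
    # access-list 5 permit 192.168.50.0            -> wildcard defaults to 0.0.0.0
    acl5 = [("192.168.50.0", "0.0.0.0")]
    # access-list 105 permit ip 192.168.50.0 0.0.0.255 any
    acl105 = [("192.168.50.0", "0.0.0.255")]
    dyn5 = DynamicPoolNat(acl5, "192.168.200.1", "192.168.200.254")
    dyn105 = DynamicPoolNat(acl105, "192.168.200.1", "192.168.200.254")
    host = "192.168.50.10"  # constructed inside host
    return {
        "static_inbound_cold": static.inbound("192.168.200.10"),
        "static_outbound": static.outbound(host),
        "dyn_inbound_cold": dyn105.inbound("192.168.200.1"),
        "dyn_outbound_host_acl": dyn5.outbound(host),
        "dyn_outbound_subnet_acl": dyn105.outbound(host),
        "dyn_inbound_after_outbound": dyn105.inbound("192.168.200.1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Running `demo()` shows the static setup translating an inbound packet to 192.168.200.10 without any prior outbound traffic, the pool setup returning no entry for an inbound packet until an inside host has gone out, and the host-only ACL never creating an entry at all for 192.168.50.10. On a real router the equivalent checks are `show ip nat translations` before and after the inside-originated ping, and `show access-lists` to confirm the wildcard the ACL was actually stored with.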
