08-31-2009 09:38 AM - edited 03-04-2019 05:53 AM
All,
I configured a router like below:
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable
ip route 192.168.200.0 255.255.255.0 null0
router bgp 300
network 192.168.200.0
neighbor 192.168.3.1 remote-as 200
The above works fine, but it doesn't work if I use an acl to identify the inside network like:
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source list 5 pool SECONDARY overload
access-list 5 permit 192.168.50.0
Thanks,
John
08-31-2009 09:53 AM
Can you explain what does not work?
Is it translating but not giving the desired result, or is it not translating at all?
Why are you overloading on the pool?
__
Edison.
08-31-2009 09:58 AM
Edison,
That was actually a "last resort" thing. It doesn't seem to translate correctly:
*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.1 (FastEthernet0/0), d=192.168.200.1 (Null0), routed via RIB
*Mar 1 01:08:14.855: IP: tableid=0, s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), routed via FIB
*Mar 1 01:08:14.859: IP: s=192.168.3.2 (local), d=192.168.3.1 (FastEthernet0/0), len 56, sending
Here's my debug ip packet output.
Thanks,
John
08-31-2009 10:10 AM
It works if you use an extended ACL :)
ip nat inside source list 105 pool SECONDARY
access-list 105 permit ip 192.168.50.0 0.0.0.255 any
I never use standard ACLs for NAT as a best practice.
08-31-2009 10:11 AM
Edison,
It works if I ping outbound from the nat router sourcing from an address that's in the acl. It gets put into the table, and I can ping the natted address from outside of that router just fine.
Thanks,
John
08-31-2009 10:18 AM
John
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable
The above is a static NAT setup, so it is bi-directional, i.e. you can initiate connections from either inside or outside.
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source list 5 pool SECONDARY overload
This one is not static; it is a dynamic NAT setup and therefore is not bi-directional, i.e. you need to initiate a connection from the inside first. Once this has been done there is an entry in the NAT table, and so then an outside connection can use this translation.
Jon
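The two behaviours Jon describes, as a small Python model added here (it is not part of the thread and not IOS code): a static network translation answers inbound packets to the inside-global subnet immediately, while a dynamic pool translation only has a table entry once an inside host selected by the ACL has sent traffic. The class and method names, and the wildcard-mask ACL matching, are my assumptions for the model.

```python
from ipaddress import ip_address, ip_network

def acl_match(addr, entry_addr, wildcard):
    """IOS-style wildcard match: bits set in the wildcard are ignored (assumed model)."""
    a, e, w = (int(ip_address(str(x))) for x in (addr, entry_addr, wildcard))
    return (a & ~w) == (e & ~w)

class NatRouter:
    """Toy model of the two 'ip nat inside source' forms in the thread (constructed)."""
    def __init__(self):
        self.subnet_map = []   # static network entries: (inside_local_net, inside_global_net)
        self.table = {}        # dynamic entries: inside_global -> inside_local
        self.acl = None        # (address, wildcard) selecting inside sources
        self.pool = []         # free inside-global addresses of the pool

    def static_network(self, local_net, global_net):
        # 'static network ... /24': the whole subnet is translatable at once, both directions
        self.subnet_map.append((ip_network(local_net), ip_network(global_net)))

    def dynamic(self, acl_addr, wildcard, pool_first, pool_last):
        # 'source list N pool ...': entries are created only by matching inside traffic
        self.acl = (acl_addr, wildcard)
        first, last = int(ip_address(pool_first)), int(ip_address(pool_last))
        self.pool = [ip_address(i) for i in range(first, last + 1)]

    def outbound(self, src):
        """Inside host sends a packet; returns its inside-global address, or None."""
        src = ip_address(src)
        for lnet, gnet in self.subnet_map:
            if src in lnet:   # static: same host offset inside the global subnet
                return gnet[int(src) - int(lnet.network_address)]
        if self.acl and acl_match(src, *self.acl):
            for glob, local in self.table.items():
                if local == src:
                    return glob   # existing dynamic entry is reused
            if self.pool:
                glob = self.pool.pop(0)
                self.table[glob] = src   # entry appears only now
                return glob
        return None   # not selected by the ACL (or pool exhausted): not translated

    def inbound(self, dst):
        """Outside host sends to an inside-global address; returns inside-local, or None."""
        dst = ip_address(dst)
        for lnet, gnet in self.subnet_map:
            if dst in gnet:
                return lnet[int(dst) - int(gnet.network_address)]
        return self.table.get(dst)   # dynamic: only if inside traffic already built the entry
```

Running `inbound()` on a fresh dynamic router returns None until `outbound()` from a matching inside host has populated the table, which is the difference John observed in `show ip nat translations`.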
08-31-2009 10:21 AM
Jon,
Are we reading each other's minds today?? :)
Thanks!
John
08-31-2009 10:19 AM
Edison,
It doesn't put anything in the table unless I have something going outbound, but when I do the complete network, it does put it into the table without seeing traffic for it:
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source list 101 pool SECONDARY
WWW#sh ip nat trans
ip nat pool SECONDARY 192.168.200.1 192.168.200.254 netmask 255.255.255.0
ip nat inside source static network 192.168.50.0 192.168.200.0 /24 extendable
WWW#
WWW#sh ip nat trans
Subnet translation:
Inside global Inside local Outside local Outside global /prefix
192.168.200.0 192.168.50.0 --- --- /24
My conclusion is that the router won't route for my outside "falsified" addresses unless traffic came out of the network to create a mapping with the first config, but the second configuration automatically places the network that I want to translate in the table. In the first one, I have to ping outbound before I'll be able to ping inbound, otherwise there's not an entry in the table to translate to.
:)
Thanks!
John
08-31-2009 10:23 AM
Well, yes, but I tried your config and mine didn't work with a standard ACL until I changed it to an extended ACL; still, what you said is correct. There are differences between the 2 NAT approaches: the static is, as the name implies, static. A NAT entry is built on the router so devices on the outside can reach the devices on the inside without the inside devices initiating a connection. The pool is dynamic in nature, a PAT.
__
Edison.