Need help on IP NAT

pokwan
Level 1

Hi,

I am just testing IP nat on the RSM and I found the result rather strange. Would appreciate very much if someone could check my config and explain the test results.

I am able to ping pc B (192.168.10.20) from pc A (10.10.188.10), and the following NAT table entry was created:

RSM B# sh ip nat trans
Pro Inside global     Inside local      Outside local   Outside global
--- 10.10.199.10      10.10.188.10      ---             ---

What I do not understand is that I can actually ping pc A's actual and translated addresses from pc B.

1). I thought once an IP is translated, i.e. from 10.10.188.10 to 10.10.199.10, I can only see 10.10.199.10 on the interface where I specify ip nat outside. I should NOT see 10.10.188.10 from pc B. Why?

2). All other VLANs on RSM B can ping pc A's actual and translated addresses as well. I thought if you specify IP NAT OUTSIDE on the interface, then only it will reverse the translated address (10.10.199.10 back to 10.10.188.10). In other words, if I ping 10.10.199.10 from vlan 10 on RSM B, I should NOT get a response. I assume it did check the NAT table, as I do get a reply to the ping. Why?

3). On a PIX firewall, once the address is translated, you can only reference the translated address and not the actual address. Shouldn't the IP NAT on the router do the same thing, or is my configuration wrong?

The test scenario:

pc B (192.168.10.20)
|
|
| e1: 192.168.10.1
cisco 1600
| e0: 192.168.11.2
|
|
| vlan 7 (192.168.11.1) (ip nat outside)
rsm B
| vlan 2 (10.10.0.1) (ip nat inside)
|
| vlan 2 (10.10.0.2)
rsm A
| (10.10.188.1)
|
|
pc A (10.10.188.10)

Router 1600 config:

interface e 0
ip address 192.168.11.2 255.255.255.0
int e 1
ip address 192.168.10.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1

RSM B config:

!
interface Vlan7
ip address 192.168.11.1 255.255.255.0
ip nat outside
interface Vlan2
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip nat pool test 10.10.199.10 10.10.199.250 netmask 255.255.255.0
ip nat inside source list 155 pool test
access-list 155 permit ip 10.10.188.0 0.0.0.255 192.168.10.0 0.0.0.255

Any help is much appreciated. Thanks.

2 Replies

thisisshanky
Level 11

Hi,

Once you make an inside-to-outside ping, a NAT table entry is made, and once this happens, any PC can ping from outside to inside with the NAT address, since a NAT table entry has been made. PCs in your LAN will still be able to ping the original IP address of PC A because they know the route to reach PC A (RSM A and RSM B are either running a routing protocol, or have static or default routes configured). So this ping will happen with the original IP address of PC A. Since a NAT table entry has also been made, it should ping with the translated address also.

Now once this entry ages out, you cannot ping from any other VLAN with PC A's translated address, as there is no entry in the NAT table of RSM B. But you will still be able to ping with the original IP address of PC A, because those VLANs know the route to reach PC A.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
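The behaviour described in this reply is easier to see in a small model than in a live lab. The Python below is an added example, not code from this thread or from Cisco: it models IOS dynamic inside-source NAT in the order IOS applies it (inside-to-outside: route, then translate the source; outside-to-inside: translate the destination, then route) and replays the pings from the post against the RSM B configuration. The route to 192.168.10.0/24, the Vlan interface names and the optional inbound ACL on the outside interface are assumptions for the illustration; the model only covers traffic crossing the inside/outside pair and does not try to reproduce the VLAN 10 observation. The point it makes is a security one: NAT never hides or blocks the inside-local address. pc A's real address is reachable from pc B because RSM B has a route to it, and only an access list on the outside interface changes that.

```python
"""Simplified model of Cisco IOS 'ip nat inside source list ... pool ...'.

Added example, not code from the thread. Follows the IOS order of operations
(inside->outside: route, then translate source; outside->inside: translate
destination, then route). The route table, the 'Vlan' interface names and the
optional inbound ACL are assumptions for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass
class NatRouter:
    inside: set                      # interfaces with 'ip nat inside'
    outside: set                     # interfaces with 'ip nat outside'
    nat_acl: list                    # (src_net, dst_net) pairs, like access-list 155
    pool: list                       # unused inside-global addresses from 'ip nat pool'
    routes: dict                     # prefix -> egress interface (connected/static routes)
    outside_in_deny: list = field(default_factory=list)  # dst nets denied inbound on outside
    table: dict = field(default_factory=dict)            # inside local -> inside global

    def _route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None when no route exists (RSM B has no default route)."""
        matches = [(ipaddress.ip_network(p).prefixlen, i)
                   for p, i in self.routes.items() if _in(dst, p)]
        return max(matches)[1] if matches else None

    def forward(self, pkt: Packet, ingress: str):
        """Return (egress_iface, forwarded_packet), or (None, reason) if dropped."""
        src, dst = pkt.src, pkt.dst
        if ingress in self.outside:
            # An inbound ACL is what blocks access to the inside-local range; NAT itself never does.
            if any(_in(dst, n) for n in self.outside_in_deny):
                return None, "denied by inbound ACL"
            # Translate inside global -> inside local only if a table entry exists.
            for local, glob in self.table.items():
                if glob == dst:
                    dst = local
                    break
        egress = self._route(dst)
        if egress is None:
            return None, "no route"
        if ingress in self.inside and egress in self.outside:
            # Inside -> outside: translate the source if the NAT ACL permits the flow;
            # the first such packet creates the dynamic entry.
            if any(_in(src, s) and _in(dst, d) for s, d in self.nat_acl):
                if src not in self.table:
                    self.table[src] = self.pool.pop(0)
                src = self.table[src]
        return egress, Packet(src, dst)

    def age_out(self) -> None:
        """Dynamic entries expire: return the global addresses to the pool."""
        self.pool[:0] = list(self.table.values())
        self.table.clear()


def build_rsm_b(deny_inside_local_from_outside: bool = False) -> NatRouter:
    """RSM B as configured in the post; the route to 192.168.10.0/24 is assumed."""
    return NatRouter(
        inside={"Vlan2"},
        outside={"Vlan7"},
        nat_acl=[("10.10.188.0/24", "192.168.10.0/24")],
        pool=["10.10.199.10", "10.10.199.11"],
        routes={"10.10.0.0/24": "Vlan2", "10.10.188.0/23": "Vlan2",
                "192.168.11.0/24": "Vlan7", "192.168.10.0/24": "Vlan7"},
        outside_in_deny=["10.10.188.0/24"] if deny_inside_local_from_outside else [],
    )


def replay_thread() -> dict:
    """Replay the pings from the post and return what each looks like after RSM B."""
    r = build_rsm_b()
    a_to_b = r.forward(Packet("10.10.188.10", "192.168.10.20"), "Vlan2")      # creates the entry
    b_to_global = r.forward(Packet("192.168.10.20", "10.10.199.10"), "Vlan7")  # uses the entry
    b_to_local = r.forward(Packet("192.168.10.20", "10.10.188.10"), "Vlan7")   # simply routed
    r.age_out()
    aged_global = r.forward(Packet("192.168.10.20", "10.10.199.10"), "Vlan7")  # entry gone
    aged_local = r.forward(Packet("192.168.10.20", "10.10.188.10"), "Vlan7")   # still routed
    hardened = build_rsm_b(deny_inside_local_from_outside=True)
    filtered = hardened.forward(Packet("192.168.10.20", "10.10.188.10"), "Vlan7")
    return {"a_to_b": a_to_b, "b_to_global": b_to_global, "b_to_local": b_to_local,
            "aged_global": aged_global, "aged_local": aged_local, "filtered": filtered}


if __name__ == "__main__":
    for name, result in replay_thread().items():
        print(f"{name:12} -> {result}")
```

Running it shows the sequence from the reply: the first inside-to-outside packet leaves with source 10.10.199.10 and creates the entry, a packet from pc B to 10.10.199.10 is rewritten to 10.10.188.10 and routed inside, a packet from pc B straight to 10.10.188.10 is routed inside without NAT touching it at all, and after the entry ages out only the translated address stops working (no entry, no route to 10.10.199.0/24). The last case is the fix for the expectation in question 3: to make the router behave like the PIX, an inbound access list on the outside interface denying the inside-local range is required, because NAT on its own is a translation service, not an access-control boundary.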

Hi thisisshanky,

Thanks very much for your reply.

What I do not understand is why pc B (192.168.10.20) is able to ping the actual address of pc A (10.10.188.10). I thought the translated address (10.10.199.10) is all pc B could access. If pc B can still see pc A's actual address, what is the purpose of the translated address besides translating from one IP to another? I thought part of the translation is not to allow pc B to know about pc A's actual address!

Any PCs on any VLANs on RSM A SHOULD NOT be able to use the translated address of pc A (10.10.199.10), as the translation is performed on RSM B, correct?

You mentioned that after the NAT table is created, any PCs on any VLANs could use the translated address? Does this mean that every time a packet reaches the router, the router will actually check if there is a translation table available and check the destination address against the table as well? If that is the case, I DO NOT even have to specify IP NAT OUTSIDE on interface vlan 7 on RSM B, true? On RSM B, there is no mention of the translated address in the route table except ip route 10.10.188.0 255.255.254.0 10.10.0.4.

From the result I am getting, does that mean that I only have to specify IP NAT INSIDE if I want to translate the IP addresses of the PCs on the selected inside interface, and I DO NOT have to specify any IP NAT OUTSIDE on the selected outside interface where I want the translation to be seen, and vice versa? Please correct me if this is wrong.

I am totally confused about the purpose of IP NAT :(.

Thanks