I am just testing IP NAT on the RSM and I found the result rather strange. I would appreciate it very much if someone could check my config and explain the test results.
I am able to ping pc B (192.168.10.20) from pc A (10.10.188.10), and the following NAT table entry was created:
RSM B# sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 10.10.199.10       10.10.188.10       ---                ---
What I do not understand is that I can actually ping pc A's actual and translated address from pc B.
1) I thought that once an IP is translated, i.e. from 10.10.188.10 to 10.10.199.10, I could only see 10.10.199.10 on the interface where I specify ip nat outside. I should NOT see 10.10.188.10 from pc B. Why?
2) All other VLANs on RSM B can ping pc A's actual and translated address as well. I thought that only if you specify IP NAT OUTSIDE on the interface will it reverse the translated address (10.10.199.10 back to 10.10.188.10). In other words, if I ping 10.10.199.10 from vlan 10 on RSM B, I should NOT get a response. I assume it did check the NAT table, as I do get a reply to the ping. Why??
3) On a PIX firewall, once the address is translated, you can only reference the translated address and not the actual address. Shouldn't IP NAT on the router do the same thing, or is my configuration wrong?
The test scenario:
pc B (192.168.10.20)
    |
    | e1: 192.168.10.1
Router 1600
    | e0: 192.168.11.2
    |
    | vlan 7 (192.168.11.1) (ip nat outside)
RSM B
    | vlan 2 (10.10.0.1) (ip nat inside)
    |
    | vlan 2 (10.10.0.2)
RSM A
    |
pc A (10.10.188.10)
Router 1600 config:
interface e0
 ip address 192.168.11.2 255.255.255.0
interface e1
 ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.11.1
RSM B config:
interface vlan 7
 ip address 192.168.11.1 255.255.255.0
 ip nat outside
interface vlan 2
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
ip nat pool test 10.10.199.10 10.10.199.250 netmask 255.255.255.0
ip nat inside source list 155 pool test
access-list 155 permit ip 10.10.188.0 0.0.0.255 192.168.10.0 0.0.0.255
Once you make an inside-to-outside ping, a NAT table entry is made, and once this happens, any PC can ping from outside to inside with the NAT address, since the NAT table entry has been made. PCs in your LAN will still be able to ping the original IP address of PC A because they know the route to reach PC A (RSM A and RSM B are either running a routing protocol, or have static or default routes configured). So this ping will happen with the original IP address of PC A. Since a NAT table entry has also been made, it should ping with the translated address as well.
Now, once this entry ages out, you cannot ping from any other VLAN with PC A's translated address, as there is no entry in the NAT table of RSM B. But you will still be able to ping with the original IP address of PC A because those VLANs know the route to reach PC A.
What I do not understand is why pc B (192.168.10.20) is able to ping the actual address of pc A (10.10.188.10). I thought the translated address (10.10.199.10) was all pc B could access. If pc B can still see pc A's actual address, what is the purpose of the translated address besides translating from one IP to another? I thought part of the translation was to not allow pc B to know about pc A's actual address!!
Any PCs on any VLANs on RSM A SHOULD NOT be able to use the translated address of pc A (10.10.199.10), as the translation is performed on RSM B, correct?
You mentioned that after the NAT table entry is created, any PCs on any VLANs could use the translated address? Does this mean that every time a packet reaches the router, the router will actually check whether there is a translation table available and check the destination address against the table as well? If that is the case, I DO NOT even have to specify IP NAT OUTSIDE on interface vlan 7 on RSM B, true? On RSM B, there is no mention of the translated address in the routing table except ip route 10.10.188.0 255.255.254.0 10.10.0.4.
From the result I am getting, does that mean I only have to specify IP NAT INSIDE if I want to translate the IP addresses of the PCs on the selected inside interface, and I DO NOT have to specify IP NAT OUTSIDE on the selected outside interface where I want the translation to be seen, and vice versa? Please correct me if this is wrong.
I am totally confused about the purpose of IP NAT :(.