What does "ip nat inside" (interface cfg) really do ?

ovt
Level 4

Hi all!

           e0/0                              e0/1
--------------- Cisco Router ---------------
2.0.0.0/30 (.1)                         192.168.1.0

ip nat inside source list 101 int e0/0 overload

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

int e0/0
 ip nat outside
int e0/1
 ip nat inside

I.e. do *no* NAT for OurLAN (192.168.1.0) to OtherLANs (192.168.0.0), as an IPSec tunnel is used between sites, and do NAT to the Internet.

After that I can't get to the Router's e0/0 (2.0.0.1) from 2.0.0.x via telnet. The packet goes to the telnet server ok, but the response is NATed (2.0.0.1:23 -> 2.0.0.1:1) /* yes, port 1 ! */ The telnet client sends RST and reconnects.

The questions are: why is "ip nat inside" ignored??? (The response packet goes from the *Router itself*, rather than from the inside network. Why is the packet NATed??? What does "ip nat inside" really do???)

Thanks,

Oleg Tipisov,

REDCENTER,

Moscow

gfullage
Cisco Employee

I just set this up in the lab and it worked fine, plus I've done it for many customers and it has always worked. Are you saying that as soon as you put "ip nat outside" on e0/0 you can no longer telnet to that interface? If you take the command out telnet starts working again?

What version of code are you running on this router? Can you send the full config, make sure to x.x.x.x out any public IP addresses?

It seems that NAT is processing packets which cross the router from inside to outside *and* locally generated packets that *match the ACL*. It doesn't matter whether "ip nat inside" is present or not.

I have no idea whether this is a bug or a feature.

If I rewrite the ACL:

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

everything is ok and I can telnet to the outside interface.

Oleg Tipisov,

REDCENTER,

Moscow
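The thread's conclusion is that the NAT source list selects packets purely by ACL match, and "permit ip any any" therefore also selects the router's own reply sourced from the outside address. The following is an added example, not code from the thread or from Cisco: a small evaluator for extended ACL entries with Cisco wildcard masks, run over the two versions of access-list 101 and three constructed flows. The LAN host 192.168.1.10, the remote-site host 192.168.5.20, the Internet address 198.51.100.5 and the telnet client 2.0.0.2 are assumed sample values; the ACL only matches on "ip", so ports are not modelled.

```python
# Added example (not from the original thread): evaluate Cisco-style extended
# ACL entries with wildcard masks to show which flows a NAT source list selects.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source network, e.g. "192.168.1.0"
    src_wild: str    # wildcard mask, e.g. "0.0.0.255"; "255.255.255.255" means any
    dst: str
    dst_wild: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w            # bits that have to be equal
    return (a & care) == (n & care)


def evaluate_acl(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if (wildcard_match(src, entry.src, entry.src_wild)
                and wildcard_match(dst, entry.dst, entry.dst_wild)):
            return entry.action
    return "deny"


def would_be_natted(acl: List[AclEntry], src: str, dst: str) -> bool:
    """A NAT source list translates exactly the packets its ACL permits."""
    return evaluate_acl(acl, src, dst) == "permit"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 101 as posted in the original question
ORIGINAL_ACL = [
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    AclEntry("permit", *ANY, *ANY),
]

# access-list 101 as rewritten in the follow-up (source limited to the LAN)
REWRITTEN_ACL = [
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

# Constructed sample flows (src, dst); hosts other than 2.0.0.1 are assumptions.
FLOWS: Dict[str, Tuple[str, str]] = {
    "LAN host to Internet": ("192.168.1.10", "198.51.100.5"),
    "LAN host to remote site over IPsec": ("192.168.1.10", "192.168.5.20"),
    "router's own telnet reply to 2.0.0.x": ("2.0.0.1", "2.0.0.2"),
}


def report(acl: List[AclEntry]) -> Dict[str, bool]:
    """Map each sample flow to whether this ACL would hand it to NAT."""
    return {name: would_be_natted(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("rewritten", REWRITTEN_ACL)):
        print(f"--- {label} access-list 101 ---")
        for name, natted in report(acl).items():
            print(f"{name}: {'translated' if natted else 'not translated'}")
```

With the original list the reply from 2.0.0.1 is selected for translation because nothing in the ACL constrains the source, which reproduces the symptom in the first post; with the rewritten list only packets sourced from 192.168.1.0/24 are candidates, so the router's own reply is left alone. Scoping the NAT ACL to the inside prefixes rather than "any" is the safer default in any case, since it also keeps unexpected sources out of the translation table.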