Hi Tong,
The second method you use is twice-NAT: both source and destination
addresses are converted.  This does not work well on Cisco routers
unless all NAT entries are defined statically.  This is sometimes a good
policy anyway where there are only a small number of known connections,
which is often the case when connecting to exchange feeds for instance.

You have an address clash.  Note that a NAT router has only one IP stack
and one routing table.  You cannot have the same network on both sides
of the NAT router.  In your case it might be possible to use a /25 mask
and use .129-.254 for the pool, however, I would not recommend this
without further information from you.

Normally I would want to use a NAT pool that was not present on either
side of the router.  Is there a reason that you are using that pool
anyway?  Is this dictated by the provider, or are they happy to route to
a network that you specify?
You need to know how many servers will be contacted within the financial
services provider, and how many clients on your network, also which way
is the connection made?  Is it a persistent connection?  Is there any
name resolution across the router?

rgds
Marc TXK


"Sim, CT (Chee Tong)" wrote:
> 
> I found my previous administrator configured the following NAT for my router
> (shown below). Our network is in 50.100.X.X and we need to contact a
> workstation in 192.168.3.X network (192.168.3.1-192.168.3.100). That's why
> he defined the source pool to be from 192.168.3.101 192.168.3.240
> 
>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> interface Ethernet0
>  description Interface facing Financial Service Provider
>  ip address 192.168.3.1 255.255.255.0
>  ip nat outside
> 
> interface Ethernet1
>  description Interface facing Rabobank (Trusted) network
>  ip address 50.100.165.240 255.255.255.0
>  ip nat inside
> 
> ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> ip nat inside source list 1 pool XXY
> 
> ##########################################################################
> 
> Q1) But when I show ip nat trans, I saw the following. I understand the
> first two, but not line 3.  The 192.168.3.118 should be the source address
> of the returning packet; what is 192.168.3.119?
> 
> RBFW2514#sh ip nat trans
> Inside global         Inside local          Outside local    Outside global
> --- 192.168.3.117      50.100.165.81         ---                   ---
> --- 192.168.3.118      50.100.165.210        ---                   ---
> --- 192.168.3.119      192.168.3.118
> ############################################################################
> 
> Q2) I understand there is another kind of NAT which works like the following.
> Inside global         Inside local          Outside local    Outside global
> 192.168.2.2:1234      10.0.0.1:1234                          172.21.3.1:23
> 192.168.2.2:2222      10.0.0.2:2222                          172.21.3.2:23
> 192.168.2.2:3333      10.0.0.3:3333                          172.21.3.4:23
> 
> What is the difference between these methods?  I think both NATs can work.
> Why don't we use this one?
> 
> Q3) But in this method, I found a problem: what if 10.0.0.1 and 10.0.0.2 use
> the same port 2222?  There will be 2X 192.168.2.2:2222 in the inside global.
> Will 192.168.2.2:2222 have a problem identifying which to NAT back to,
> 10.0.0.1 or 10.0.0.2?
> 
> Thanks a lot
> Tong
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38771&t=38764
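
Added example, not part of the original messages: a Python check for the overlap the reply calls an address clash, flagging any `ip nat pool` range that falls inside a subnet directly connected to the router. The first sample repeats the interface and pool lines from the quoted config; the second is an assumed reading of the /25 split mentioned in the reply (mask applied to Ethernet0, pool .129-.254), and the function and variable names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the interface and pool lines quoted in the post.
POSTED = """\
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
interface Ethernet1
 ip address 50.100.165.240 255.255.255.0
ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
"""

# Assumed variant: the /25 split the reply mentions, applied to Ethernet0.
SPLIT = """\
interface Ethernet0
 ip address 192.168.3.1 255.255.255.128
interface Ethernet1
 ip address 50.100.165.240 255.255.255.0
ip nat pool XXY 192.168.3.129 192.168.3.254 netmask 255.255.255.128
"""

ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+\s*$")

def parse(config):
    """Return ({interface: connected network}, {pool: (first, last)})."""
    connected, pools, current = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif (m := ADDR_RE.match(line)) and current:
            # ip_interface accepts address/netmask and yields the subnet.
            connected[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return connected, pools

def pool_clashes(config):
    """List (pool, interface, subnet) where pool addresses sit in a connected subnet."""
    connected, pools = parse(config)
    clashes = []
    for name, (first, last) in pools.items():
        # Cover the first..last range with CIDR blocks so overlaps() can be used.
        blocks = list(ipaddress.summarize_address_range(first, last))
        for ifname, net in connected.items():
            if any(block.overlaps(net) for block in blocks):
                clashes.append((name, ifname, str(net)))
    return clashes

if __name__ == "__main__":
    print("posted:", pool_clashes(POSTED))
    print("/25 split:", pool_clashes(SPLIT))
```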