Hi Tong,
I said that you have the same network on both sides of the NAT router
because the pool is a network, and in this case it is an inside pool so
it exists on the inside.

Sorry about this, but I had another look at your mail and the second
type of NAT is not twice-NAT like I said, but overloaded NAT which is
sometimes called NAPT or PAT (Network Address Port Translation is the
RFC-compliant term).  One important difference is the NAPT will not
easily allow inbound connections.
I've now seen the example referred to by Cisco Nuts in another post.  I
can't see how that can work at all.  My policy with any single-stack NAT
device is to avoid an overlap.

Q1. ans. If I understand you correctly, the question is about routing
within the outside network to the NAT router.  I don't know.  Maybe the
router is doing proxy arp for pool addresses when there's an overlap?  I
take it that the configuration is currently working, is that right?

Q2. ans. Again, this is about routing within the outside network, which
may not be in your control, therefore the exchange is dictating the
terms here.

Q3. ans. I don't know whether you can use the same IP address for the
pool and the interface with IOS.  Why not try it?

This overlap thing is beginning to puzzle me, and I thought I knew a lot
about NAT.  I can't see how it works, but you seem to be saying that it is
working for you.  I need to switch my routers on and have a further
look.
rgds
Marc



"Sim, CT (Chee Tong)" wrote:
> 
> Hi Marc and dear all,
> 
> >You cannot have the same network on both sides
> >of the NAT router.
> 
> Why did you say that I had the same network on both sides of the NAT router? I have
> 50.100.165.X and 192.168.3.X on both sides of the NAT router.
> 
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> > interface Ethernet0
> >  description Interface facing Financial Service Provider
> >  ip address 192.168.3.1 255.255.255.0
> >  ip nat outside
> >
> > interface Ethernet1
> >  description Interface facing Rabobank (Trusted) network
> >  ip address 50.100.165.240 255.255.255.0
> >  ip nat inside
> >
> > ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> > ip nat inside source list 1 pool XXY
>
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> 
> I am not the one who configured this NAT router previously.
> 
> Q1) What I don't understand is when we establish the connection from
> 50.100.165.50 (for eg) to 192.168.3.50 (for eg).  The source IP will change
> to 192.168.3.111 (for eg) after it passes thru the NAT router and reaches the
> destination 192.168.3.50.  When it replies back the source IP is
> 192.168.3.50 and the destination IP is 192.168.3.111.  How does the packet
> know it has to go to Ethernet0 of the NAT router, as the IP of the NAT
> router's Ethernet0 is 192.168.3.1 not 192.168.3.111.
> 
> Q2)
> >Normally I would want to use a NAT pool that was not present on either
> >side of the router.
> 
> Yes, I saw this in my book as follows
> 
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> Ip nat pool ovrld-nat 172.16.2.2 172.16.2.2 netmask 255.255.255.0
> Ip nat inside source list 1 pool ovrld-nat overload
> !
> interface Ethernet0/0
> ip address 10.1.1.10 255.255.255.0
> ip nat inside
> !
> interface serial0/0
> ip address 192.168.3.1 255.255.255.0
> ip nat outside
> !
> access-list 1 permit 10.1.1.0 0.0.0.255
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> 
> OK, I understand this, whenever the packets from 10.1.1.X network go out,
> the source IP will all become 172.16.2.2, but when the packet gets a reply,
> the destination will become 172.16.2.2. How the hell does the packet know it
> should go to serial0/0, as its IP is 192.168.3.1 not 172.16.2.2?  Unless there
> is a route added in the target host. But how can we expect to add the route
> entry in all the hosts?
> 
> Q3) I did NAT with checkpoint firewall for my internet access, my firewall
> has two IPs 50.100.100.1 (internal) and 200.100.100.64 (external).  I
> configured it in such a way that all the outgoing packets' source IP
> becomes 200.100.100.64 after passing thru the firewall and it works, as I
> think the replying packet's destination will be the firewall's external IP.
> 
> Can we configure the same thing with my cisco router as shown below.
> 
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> Ip nat pool ovrld-nat 192.168.3.1 192.168.3.1 netmask 255.255.255.0
> Ip nat inside source list 1 pool ovrld-nat overload
> !
> interface Ethernet0/0
> ip address 10.1.1.10 255.255.255.0
> ip nat inside
> !
> interface serial0/0
> ip address 192.168.3.1 255.255.255.0
> ip nat outside
> !
> access-list 1 permit 10.1.1.0 0.0.0.255
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> 
> Will it work?
> 
> -----Original Message-----
> From: Marc Thach Xuan Ky [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 19, 2002 8:49 PM
> To: Sim, CT (Chee Tong)
> Cc: [EMAIL PROTECTED]
> Subject: Re: NAT questions-will overlap occur? [7:38764]
> 
> Hi Tong,
> The second method you use is twice-NAT, both source and destination
> addresses are converted.  This does not work well on Cisco routers
> unless all NAT entries are defined statically.  This is sometimes a good
> policy anyway where there are only a small number of known connections,
> which is often the case when connecting to exchange feeds for instance.
> 
> You have an address clash.  Note that a NAT router has only one IP stack
> and one routing table.  You cannot have the same network on both sides
> of the NAT router.  In your case it might be possible to use a /25 mask
> and use .129-.254 for the pool, however, I would not recommend this
> without further information from you.
> 
> Normally I would want to use a NAT pool that was not present on either
> side of the router.  Is there a reason that you are using that pool
> anyway?  Is this dictated by the provider, or are they happy to route to
> a network that you specify?
> You need to know how many servers will be contacted within the financial
> services provider, and how many clients on your network, also which way
> is the connection made?  Is it a persistent connection?  Is there any
> name resolution across the router?
> 
> rgds
> Marc TXK
> 
> "Sim, CT (Chee Tong)" wrote:
> >
> > I found my previous administrator configured the following NAT for my
> > router (shown below). Our network is in 50.100.X.X and we need to contact a
> > workstation in 192.168.3.X network (192.168.3.1-192.168.3.100). That's why
> > he defined the source pool to be from 192.168.3.101 192.168.3.240
> >
> >
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > interface Ethernet0
> >  description Interface facing Financial Service Provider
> >  ip address 192.168.3.1 255.255.255.0
> >  ip nat outside
> >
> > interface Ethernet1
> >  description Interface facing Rabobank (Trusted) network
> >  ip address 50.100.165.240 255.255.255.0
> >  ip nat inside
> >
> > ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> > ip nat inside source list 1 pool XXY
> >
> > ##########################################################################
> >
> > Q1) But, when I show IP nat trans. I saw the following, I understand the
> > first two, but not line 3.  the 192.168.3.118 should be the source address
> > of returning packet, what is 192.168.3.119 ?
> >
> > RBFW2514#sh ip nat trans
> > Inside global         Inside local          Outside local    Outside global
> > --- 192.168.3.117      50.100.165.81         ---                   ---
> > --- 192.168.3.118      50.100.165.210        ---                   ---
> > --- 192.168.3.119      192.168.3.118
> >
> > ############################################################################
> >
> > Q2) I understand there is another kind of NAT which works like the
> > following.
> > Inside global         Inside local          Outside local    Outside global
> > 192.168.2.2:1234      10.0.0.1:1234                          172.21.3.1:23
> > 192.168.2.2:2222      10.0.0.2:2222                          172.21.3.2:23
> > 192.168.2.2:3333      10.0.0.3:3333                          172.21.3.4:23
> >
> > What is the difference between these methods?  I think both NAT can work.
> > Why don't we use this one?
> >
> > Q3) But in this method, I found a problem: what if 10.0.0.1 and 10.0.0.2 use
> > the same port 2222.  There will be 2X 192.168.2.2:2222 in the inside global.
> > Will 192.168.2.2:2222 have a problem identifying which to be NAT back to,
> > 10.0.0.1 or 10.0.0.2.
> >
> > Thanks a lot
> > Tong
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38922&t=38764
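
Added example, not part of the original thread and not Cisco tooling: a small Python check that reads the router configuration quoted in the thread and reports any NAT pool whose address range falls inside a directly connected interface subnet, which is the overlap Marc and Tong are discussing. The function names and the simplified line matching are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: the router configuration quoted in the thread.
THREAD_CONFIG = """\
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
interface Ethernet1
 ip address 50.100.165.240 255.255.255.0
 ip nat inside
ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
"""

def parse(config):
    """Return (interfaces, pools) from an IOS-style config fragment."""
    interfaces, pools, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line, re.I):
            current = interfaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif (m := re.match(r"ip address (\S+) (\S+)$", line, re.I)) and current is not None:
            current["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif (m := re.match(r"ip nat (inside|outside)$", line, re.I)) and current is not None:
            current["nat"] = m.group(1).lower()
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask \S+", line, re.I):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return interfaces, pools

def pool_overlaps(config):
    """List (pool, interface, nat_side, coverage); coverage is 'full' or 'partial'."""
    interfaces, pools = parse(config)
    findings = []
    for pname, (first, last) in pools.items():
        for iname, info in interfaces.items():
            net = info["net"]
            # Skip interfaces without an address or with a disjoint range.
            if net is None or last < net.network_address or first > net.broadcast_address:
                continue
            full = first in net and last in net
            findings.append((pname, iname, info["nat"], "full" if full else "partial"))
    return findings

if __name__ == "__main__":
    # Hosts on a flagged subnet will ARP for the pool addresses directly.
    for finding in pool_overlaps(THREAD_CONFIG):
        print(finding)
```

With the thread's configuration it reports pool XXY as lying wholly inside Ethernet0's subnet on the outside; with the /25 interface mask and .129-.254 pool Marc mentions, it reports nothing.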