Re: NAT questions-will overlap occur? [7:38764]
Hi Tong,

I've reread the BCRAN book. The example given of NAT overlap is when the two
real network spaces overlap, not when a pool overlaps with the real space. I
still don't see how this can work.

Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38932&t=38764
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: NAT questions-will overlap occur? [7:38764]
> e source IP will all become 172.16.2.2, but when the packet gets a reply, the
> destination will become 172.16.2.2. How the hell does the packet know it should
> go to serial0/0, as its IP is 192.168.3.1, not 172.16.2.2? Unless there is
> a route added on the target host. But how can we expect to add the route entry
> on all the hosts?
>
> Q3) I did NAT with a Checkpoint firewall for my Internet access; my firewall
> has two IPs, 50.100.100.1 (internal) and 200.100.100.64 (external). I
> configured it in such a way that all the outgoing packets' source IP becomes
> 200.100.100.64 after passing through the firewall, and it works, as I think the
> replying packet's destination will be the firewall's external IP.
>
> Can we configure the same thing on my Cisco router as shown below?
>
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> ip nat pool ovrld-nat 192.168.3.1 192.168.3.1 netmask 255.255.255.0
> ip nat inside source list 1 pool ovrld-nat overload
> !
> interface Ethernet0/0
>  ip address 10.1.1.10 255.255.255.0
>  ip nat inside
> !
> interface serial0/0
>  ip address 192.168.3.1 255.255.255.0
>  ip nat outside
> !
> access-list 1 permit 10.1.1.0 0.0.0.255
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
>
> Will it work?
>
> -----Original Message-----
> From: Marc Thach Xuan Ky [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 19, 2002 8:49 PM
> To: Sim, CT (Chee Tong)
> Cc: [EMAIL PROTECTED]
> Subject: Re: NAT questions-will overlap occur? [7:38764]
>
> Hi Tong,
> The second method you use is twice-NAT: both source and destination
> addresses are converted. This does not work well on Cisco routers
> unless all NAT entries are defined statically. This is sometimes a good
> policy anyway where there are only a small number of known connections,
> which is often the case when connecting to exchange feeds, for instance.
>
> You have an address clash. Note that a NAT router has only one IP stack
> and one routing table. You cannot have the same network on both sides
> of the NAT router. In your case it might be possible to use a /25 mask
> and use .129-.254 for the pool; however, I would not recommend this
> without further information from you.
>
> Normally I would want to use a NAT pool that was not present on either
> side of the router. Is there a reason that you are using that pool
> anyway? Is this dictated by the provider, or are they happy to route to
> a network that you specify?
> You need to know how many servers will be contacted within the financial
> services provider, and how many clients on your network; also, which way
> is the connection made? Is it a persistent connection? Is there any
> name resolution across the router?
>
> rgds
> Marc TXK
>
> "Sim, CT (Chee Tong)" wrote:
> >
> > I found my previous administrator configured the following NAT for my
> > router (shown below). Our network is in 50.100.X.X and we need to contact a
> > workstation in the 192.168.3.X network (192.168.3.1-192.168.3.100). That's
> > why he defined the source pool to be from 192.168.3.101 to 192.168.3.240.
> >
> > interface Ethernet0
> >  description Interface facing Financial Service Provider
> >  ip address 192.168.3.1 255.255.255.0
> >  ip nat outside
> >
> > interface Ethernet1
> >  description Interface facing Rabobank (Trusted) network
> >  ip address 50.100.165.240 255.255.255.0
> >  ip nat inside
> >
> > ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> > ip nat inside source list 1 pool XXY
> >
> > ##
> >
> > Q1) But when I do "show ip nat trans" I see the following. I understand the
> > first two lines, but not line 3: 192.168.3.118 should be the source address
> > of the returning packet; what is 192.168.3.119?
> >
> > RBFW2514#sh ip nat trans
> >     Inside global      Inside local       Outside local      Outside global
> > --- 192.168.3.117      50.100.165.81
RE: NAT questions-will overlap occur? [7:38764]
Hi Marc and dear all,

> You cannot have the same network on both sides
> of the NAT router.

Why did you say that I had the same network on both sides of the NAT router?
I have 50.100.165.X and 192.168.3.X on the two sides of the NAT router.

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
interface Ethernet0
 description Interface facing Financial Service Provider
 ip address 192.168.3.1 255.255.255.0
 ip nat outside

interface Ethernet1
 description Interface facing Rabobank (Trusted) network
 ip address 50.100.165.240 255.255.255.0
 ip nat inside

ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool XXY
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

I am not the one who configured this NAT router previously.

Q1) What I don't understand is this: when we establish a connection from
50.100.165.50 (for example) to 192.168.3.50 (for example), the source IP
changes to 192.168.3.111 (for example) after it passes through the NAT router
and reaches the destination 192.168.3.50. When it replies, the source IP is
192.168.3.50 and the destination IP is 192.168.3.111. How does the packet know
it has to go to Ethernet0 of the NAT router, as the IP of the NAT router's
Ethernet0 is 192.168.3.1, not 192.168.3.111?

Q2)
> Normally I would want to use a NAT pool that was not present on either
> side of the router.

Yes, I saw this in my book, as follows:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ip nat pool ovrld-nat 172.16.2.2 172.16.2.2 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

OK, I understand this: whenever packets from the 10.1.1.X network go out, the
source IP all becomes 172.16.2.2; but when the packet gets a reply, the
destination will be 172.16.2.2. How the hell does the packet know it should go
to serial0/0, as its IP is 192.168.3.1, not 172.16.2.2? Unless there is a
route added on the target host. But how can we expect to add the route entry
on all the hosts?

Q3) I did NAT with a Checkpoint firewall for my Internet access; my firewall
has two IPs, 50.100.100.1 (internal) and 200.100.100.64 (external). I
configured it in such a way that all the outgoing packets' source IP becomes
200.100.100.64 after passing through the firewall, and it works, as I think the
replying packet's destination will be the firewall's external IP.

Can we configure the same thing on my Cisco router, as shown below?

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ip nat pool ovrld-nat 192.168.3.1 192.168.3.1 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Will it work?
Re: NAT questions-will overlap occur? [7:38764]
Hi Tong,

The second method you use is twice-NAT: both source and destination addresses
are converted. This does not work well on Cisco routers unless all NAT entries
are defined statically. This is sometimes a good policy anyway where there are
only a small number of known connections, which is often the case when
connecting to exchange feeds, for instance.

You have an address clash. Note that a NAT router has only one IP stack and one
routing table. You cannot have the same network on both sides of the NAT
router. In your case it might be possible to use a /25 mask and use .129-.254
for the pool; however, I would not recommend this without further information
from you.

Normally I would want to use a NAT pool that was not present on either side of
the router. Is there a reason that you are using that pool anyway? Is this
dictated by the provider, or are they happy to route to a network that you
specify?

You need to know how many servers will be contacted within the financial
services provider, and how many clients on your network; also, which way is the
connection made? Is it a persistent connection? Is there any name resolution
across the router?

rgds
Marc TXK

"Sim, CT (Chee Tong)" wrote:
>
> I found my previous administrator configured the following NAT for my router
> (shown below). Our network is in 50.100.X.X and we need to contact a
> workstation in the 192.168.3.X network (192.168.3.1-192.168.3.100). That's
> why he defined the source pool to be from 192.168.3.101 to 192.168.3.240.
>
> interface Ethernet0
>  description Interface facing Financial Service Provider
>  ip address 192.168.3.1 255.255.255.0
>  ip nat outside
>
> interface Ethernet1
>  description Interface facing Rabobank (Trusted) network
>  ip address 50.100.165.240 255.255.255.0
>  ip nat inside
>
> ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> ip nat inside source list 1 pool XXY
>
> ##
>
> Q1) But when I do "show ip nat trans" I see the following. I understand the
> first two lines, but not line 3: 192.168.3.118 should be the source address
> of the returning packet; what is 192.168.3.119?
>
> RBFW2514#sh ip nat trans
>     Inside global      Inside local       Outside local      Outside global
> --- 192.168.3.117      50.100.165.81      ---                ---
> --- 192.168.3.118      50.100.165.210     ---                ---
> --- 192.168.3.119      192.168.3.118
>
> Q2) I understand there is another kind of NAT which works like the following:
>
>     Inside global      Inside local       Outside local      Outside global
>     192.168.2.2:1234   10.0.0.1:1234      172.21.3.1:23
>     192.168.2.2:       10.0.0.2:          172.21.3.2:23
>     192.168.2.2:       10.0.0.3:          172.21.3.4:23
>
> What is the difference between these methods? I think both NAT can work. Why
> don't we use this one?
>
> Q3) But in this method I found a problem: what if 10.0.0.1 and 10.0.0.2 use
> the same port? There will be 2X 192.168.2.2: in the inside global. Will
> 192.168.2.2: have a problem identifying which to NAT back to 10.0.0.1 or
> 10.0.0.2?
>
> Thanks a lot
> Tong
>
> ==
> The information contained in this message may be confidential
> and is intended to be exclusively for the addressee. Should you
> receive this message unintentionally, please do not use the contents
> herein and notify the sender immediately by return e-mail.
> ==

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38771&t=38764
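Marc's points above (one IP stack and one routing table, no shared network on both sides, a pool that is present on neither side, or a /25 split with the pool in the upper half) can be turned into a mechanical check before a config like this is deployed. The block below is an added example and is not code from the thread or from Cisco: it encodes only the addresses Tong posted, the finding codes are invented here, and the two "how do replies reach the router" rules (an on-link pool means the router must answer ARP for pool addresses, which IOS does by aliasing them; an off-link pool means the far side must carry a route for it) are this editor's reading of the design, not router output.

```python
# Added example (not from the thread): sanity checks for an IOS-style
# "ip nat inside source list ... pool" design, run against the addresses
# posted in this thread. Python 3 standard library only; runs offline.
import ipaddress
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (finding code, human-readable explanation)


def _addr_range(first: str, last: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive first..last range the way 'ip nat pool' states it."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]


def check_nat_design(inside_if: str, outside_if: str,
                     pool: Tuple[str, str],
                     remote_hosts: Optional[Tuple[str, str]] = None) -> List[Finding]:
    """Return the findings a reviewer would raise for one NAT router.

    inside_if / outside_if: interface address with prefix, e.g. "192.168.3.1/24"
    pool: (first, last) of the inside-global pool
    remote_hosts: (first, last) of the real hosts on the outside side, if known
    """
    inside = ipaddress.ip_interface(inside_if)
    outside = ipaddress.ip_interface(outside_if)
    pool_addrs = _addr_range(*pool)
    findings: List[Finding] = []

    # One IP stack, one routing table: the two connected subnets must be distinct.
    if inside.network.overlaps(outside.network):
        findings.append(("IF_OVERLAP",
                         f"inside {inside.network} and outside {outside.network} overlap"))

    # Pool addresses must not collide with the router's own addresses ...
    if outside.ip in pool_addrs:
        findings.append(("POOL_IS_INTERFACE_IP",
                         f"pool contains the outside interface address {outside.ip}; "
                         "IOS writes that case as 'ip nat inside source list 1 "
                         "interface <outside-if> overload' rather than a one-address pool"))
    if any(a in inside.network for a in pool_addrs):
        findings.append(("POOL_IN_INSIDE_SUBNET",
                         "pool addresses fall inside the inside subnet"))

    # ... nor with the real hosts the translated traffic has to talk to.
    if remote_hosts:
        remote = set(_addr_range(*remote_hosts))
        clash = sorted(a for a in pool_addrs if a in remote)
        if clash:
            findings.append(("POOL_CLASHES_REMOTE",
                             f"{len(clash)} pool addresses ({clash[0]}..{clash[-1]}) "
                             "are also real remote hosts"))
        if outside.ip in remote:
            findings.append(("OUTSIDE_IP_IN_REMOTE",
                             f"outside interface address {outside.ip} lies in the "
                             "remote host range"))

    # How do replies to a pool address find the router? Either the pool sits on
    # the outside interface's connected subnet (remote hosts ARP for it, so the
    # router must answer; IOS aliases NAT addresses for this), or the far side
    # must carry a route for the pool pointing at the outside interface.
    on_link = [a for a in pool_addrs if a in outside.network]
    if len(on_link) == len(pool_addrs):
        findings.append(("POOL_ON_OUTSIDE_LINK",
                         "pool is on the outside interface subnet; router must answer "
                         "ARP for every pool address"))
    elif not on_link:
        findings.append(("POOL_NEEDS_ROUTE",
                         f"far side must route {pool[0]}-{pool[1]} to {outside.ip}"))
    else:
        findings.append(("POOL_STRADDLES_LINK",
                         "pool is partly on-link and partly routed; split it"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    return [code for code, _ in findings]


if __name__ == "__main__":
    # Tong's current design: pool .101-.240 on the same /24 as the provider hosts.
    current = check_nat_design("50.100.165.240/24", "192.168.3.1/24",
                               ("192.168.3.101", "192.168.3.240"),
                               ("192.168.3.1", "192.168.3.100"))
    # Marc's suggestion: /25 on the outside link, pool in the upper half.
    split = check_nat_design("50.100.165.240/24", "192.168.3.1/25",
                             ("192.168.3.129", "192.168.3.254"),
                             ("192.168.3.1", "192.168.3.100"))
    for name, result in (("current", current), ("split /25", split)):
        print(name)
        for code, why in result:
            print(f"  {code}: {why}")
```

Run against the posted addresses, the current design reports that the pool is on the outside link (so the router, not a route, has to make .101-.240 reachable) and that the outside interface address 192.168.3.1 sits inside the stated remote host range .1-.100; Marc's /25 variant moves the pool off-link, which is exactly the case where the provider has to route 192.168.3.128/25 to the router. The book example from the later message (pool 172.16.2.2, which is on neither side) gives only POOL_NEEDS_ROUTE, and a one-address pool equal to the interface address is flagged as the interface-overload form.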
NAT questions-will overlap occur? [7:38764]
I found my previous administrator configured the following NAT for my router
(shown below). Our network is in 50.100.X.X and we need to contact a
workstation in the 192.168.3.X network (192.168.3.1-192.168.3.100). That's why
he defined the source pool to be from 192.168.3.101 to 192.168.3.240.

interface Ethernet0
 description Interface facing Financial Service Provider
 ip address 192.168.3.1 255.255.255.0
 ip nat outside

interface Ethernet1
 description Interface facing Rabobank (Trusted) network
 ip address 50.100.165.240 255.255.255.0
 ip nat inside

ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool XXY

##

Q1) But when I do "show ip nat trans" I see the following. I understand the
first two lines, but not line 3: 192.168.3.118 should be the source address of
the returning packet; what is 192.168.3.119?

RBFW2514#sh ip nat trans
    Inside global      Inside local       Outside local      Outside global
--- 192.168.3.117      50.100.165.81      ---                ---
--- 192.168.3.118      50.100.165.210     ---                ---
--- 192.168.3.119      192.168.3.118

Q2) I understand there is another kind of NAT which works like the following:

    Inside global      Inside local       Outside local      Outside global
    192.168.2.2:1234   10.0.0.1:1234      172.21.3.1:23
    192.168.2.2:       10.0.0.2:          172.21.3.2:23
    192.168.2.2:       10.0.0.3:          172.21.3.4:23

What is the difference between these methods? I think both NAT can work. Why
don't we use this one?

Q3) But in this method I found a problem: what if 10.0.0.1 and 10.0.0.2 use
the same port? There will be 2X 192.168.2.2: in the inside global. Will
192.168.2.2: have a problem identifying which to NAT back to 10.0.0.1 or
10.0.0.2?

Thanks a lot
Tong

==
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.
==

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38764&t=38764
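Tong's Q2 and Q3 above ask how an overloaded translation keeps 10.0.0.1:1234 and 10.0.0.2:1234 apart when both hide behind 192.168.2.2. The block below is an added example, not code from the thread or from IOS: it is a simplified model in which every inside-global port is used by at most one flow (a real router matches the full source/destination address and port tuple and can therefore reuse a global port for different destinations), the inside, global and outside addresses are the ones in the Q2 table, and the dynamic port range starting at 1024 is an assumption of the model.

```python
# Added example (not from the thread): a minimal model of how an overloaded
# (PAT) translation table keeps two inside hosts apart when both use the same
# source port, using the addresses from the Q2/Q3 table above. Python 3 only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[str, int, str, int]   # inside local ip/port, outside ip/port


@dataclass
class PatTable:
    inside_global_ip: str               # the single address everything hides behind
    first_dynamic_port: int = 1024      # assumption of this model, not an IOS value
    # flow -> inside global port chosen for it
    _flows: Dict[FlowKey, int] = field(default_factory=dict)
    # (inside global port, outside ip, outside port) -> inside local endpoint
    _reverse: Dict[Tuple[int, str, int], Endpoint] = field(default_factory=dict)

    def _port_in_use(self, port: int) -> bool:
        # Simplification: a global port belongs to at most one flow at a time.
        return any(p == port for p, _, _ in self._reverse)

    def _allocate_port(self) -> int:
        port = self.first_dynamic_port
        while port <= 65535 and self._port_in_use(port):
            port += 1
        if port > 65535:
            raise RuntimeError("translation table exhausted")
        return port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Packet arriving on the inside interface; returns the translated source."""
        key = (src[0], src[1], dst[0], dst[1])
        if key not in self._flows:
            # Keep the original source port when it is free; on a collision with
            # another inside host (Tong's Q3 case) pick a fresh global port.
            port = src[1] if not self._port_in_use(src[1]) else self._allocate_port()
            self._flows[key] = port
            self._reverse[(port, dst[0], dst[1])] = src
        return (self.inside_global_ip, self._flows[key])

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Reply arriving on the outside interface; returns the inside local
        destination, or None when no translation matches (packet is dropped)."""
        if dst[0] != self.inside_global_ip:
            return None
        return self._reverse.get((dst[1], src[0], src[1]))

    def rows(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations'."""
        out = []
        for (lip, lport, oip, oport), gport in self._flows.items():
            out.append(f"{self.inside_global_ip}:{gport:<6} {lip}:{lport:<6} "
                       f"{oip}:{oport:<6} {oip}:{oport}")
        return out


def demo() -> Tuple[Endpoint, Endpoint, Optional[Endpoint],
                    Optional[Endpoint], Optional[Endpoint]]:
    t = PatTable("192.168.2.2")
    g1 = t.outbound(("10.0.0.1", 1234), ("172.21.3.1", 23))   # keeps port 1234
    g2 = t.outbound(("10.0.0.2", 1234), ("172.21.3.2", 23))   # same source port: re-mapped
    r1 = t.inbound(("172.21.3.1", 23), g1)                     # back to 10.0.0.1:1234
    r2 = t.inbound(("172.21.3.2", 23), g2)                     # back to 10.0.0.2:1234
    # An outside host that guesses a global port but is not the flow's peer
    # matches nothing and the packet is dropped.
    stray = t.inbound(("172.21.3.4", 23), g1)
    return g1, g2, r1, r2, stray


if __name__ == "__main__":
    g1, g2, r1, r2, stray = demo()
    print("10.0.0.1:1234 ->", g1, "| reply delivered to", r1)
    print("10.0.0.2:1234 ->", g2, "| reply delivered to", r2)
    print("unsolicited packet to", g1, "->", stray)
```

The second host keeps its inside-local port 1234 but is given a different inside-global port, so the two table rows differ in the "Inside global" column and a reply is matched on (global port, outside address, outside port) rather than on the address alone; that same lookup is why an outside host that merely guesses the global port gets no translation in this model.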