Posted on Wednesday, 23rd March 2005 by sean
Getting back into things, I thought I’d do some practical work with NAT. I’ll go over basic source NAT with overload (many inside hosts sharing one outside address), and then allowing an inside server to be reached from the outside.
First, pinging the server from R1 times out. Looking at it from the server (Bob):
[root@bob ~]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:20:45.178697 IP 192.168.15.2 > bob.ertw.com: icmp 80: echo request seq 9924
08:20:45.943971 IP bob.ertw.com > 192.168.15.2: icmp 80: echo reply seq 9924
So the server is responding, but it is replying to 192.168.15.2, a network it has no route for, so the reply never gets back to R1. I’d like to translate the source address to something Bob can reach.
r0:
interface Ethernet0
 ip nat outside
interface Serial0.130 point-to-point
 ip nat inside
ip nat inside source list 100 interface Ethernet0 overload
access-list 100 permit ip any 192.168.1.0 0.0.0.255
ACL 100 picks up anything going to 192.168.1.0/24. The ip nat inside source command rewrites the source address of any packet matching that ACL as it passes from the inside interface to the outside interface, using the E0 interface’s address; overload lets every inside host share that one address, with the port (or ICMP ID) telling the replies apart.
[root@bob ~]# tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:41:27.440168 IP 192.168.1.198 > 192.168.1.10: icmp 80: echo request seq 1676
08:41:27.521420 IP 192.168.1.10 > 192.168.1.198: icmp 80: echo reply seq 1676
Now the ping works, because Bob sees the packet as coming from R0’s E0 address (192.168.1.198), which is on its own subnet.
Now, I’d like Bob to be able to telnet to R1 using 192.168.1.222.
ip nat inside source static 192.168.15.2 192.168.1.222
This is similar to the command before. A static NAT is really two-way: we’re translating the inside local address (R1, 192.168.15.2) to the inside global address (.222), and by design the same entry translates in the reverse direction, which is what we want here since Bob will be initiating the connection.
A proxy ARP entry is created as a result of this command, and the translation entry is made:
r0#show ip arp | include 222
Internet  192.168.1.222           -   0060.5cf3.bb1e  ARPA   Ethernet0
r0#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.222      192.168.15.2       ---                ---
Note that when R1 pings Bob, the source address is now translated to .222 rather than to E0’s address as with the overload earlier: the static entry takes precedence over the dynamic list.
09:45:37.842420 IP 192.168.1.222 > bob.ertw.com: icmp 80: echo request seq 5197
09:45:37.901200 IP bob.ertw.com > 192.168.1.222: icmp 80: echo reply seq 5197
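To make the behaviour of these two rules concrete, here is an added toy model of r0’s translation logic (my own illustration, not IOS code): the static mapping is consulted first and works in both directions, while the ACL 100 overload rule creates per-flow state that only a matching reply can use. The addresses come from the post; the second inside host 192.168.15.3 and the port numbers are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Values from the post's r0 config and tcpdump output
E0_ADDR = "192.168.1.198"                          # r0 Ethernet0, the overload address
ACL_100 = ip_network("192.168.1.0/24")             # access-list 100 permit ip any 192.168.1.0 0.0.0.255
STATIC_INSIDE = {"192.168.15.2": "192.168.1.222"}  # ip nat inside source static 192.168.15.2 192.168.1.222
STATIC_OUTSIDE = {g: l for l, g in STATIC_INSIDE.items()}

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    ident: int  # TCP/UDP source port, or ICMP echo identifier

class NatRouter:
    """Toy model of r0: static entries first, then ACL-driven overload onto E0."""
    def __init__(self) -> None:
        # dynamic overload state: (inside global, ident) -> (inside local, ident)
        self.table: dict[tuple[str, int], tuple[str, int]] = {}

    def inside_to_outside(self, p: Pkt) -> Pkt:
        if p.src in STATIC_INSIDE:             # static translation wins over the overload rule
            return replace(p, src=STATIC_INSIDE[p.src])
        if ip_address(p.dst) not in ACL_100:   # ACL 100 did not match: forwarded untranslated
            return p
        ident = p.ident
        # two inside hosts using the same port/id would collide on E0's address,
        # so pick another ident until this host's own entry (or a free slot) is found
        while (E0_ADDR, ident) in self.table and self.table[(E0_ADDR, ident)] != (p.src, p.ident):
            ident = (ident + 1) % 65536
        self.table[(E0_ADDR, ident)] = (p.src, p.ident)
        return Pkt(E0_ADDR, p.dst, ident)

    def outside_to_inside(self, p: Pkt) -> Optional[Pkt]:
        if p.dst in STATIC_OUTSIDE:            # static entry is two-way: Bob can initiate to .222
            return replace(p, dst=STATIC_OUTSIDE[p.dst])
        entry = self.table.get((p.dst, p.ident))
        if entry is None:                      # no flow state for the overload address: dropped
            return None
        return Pkt(p.src, entry[0], entry[1])
```

A packet to E0’s address with no matching overload entry has nowhere to go and is dropped, which is why only the static entry makes R1 reachable for connections Bob starts.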
Next up, a look at ip nat outside source.
