Tuesday, June 13, 2006

 

NAT Inside and Outside Swapped. (Problem #71)


Consider the above network with R2 doing NAT with the inside and outside parts of the network as labelled above. A ping from R1 (source address 10.1.1.1) to R3 (destination address 192.168.1.2) succeeds and goes through a source address NAT translation at R2.

The configuration on the routers is shown below -

Router R1

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2

Router R2

interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!         
interface Serial2
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
ip nat pool NATPOOL 172.16.1.1 172.16.1.254 prefix-length 24
ip nat inside source list 101 pool NATPOOL
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Router R3

interface Serial2
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Now consider the network diagram changed as shown below. Note that the inside and outside portions of the network have been swapped.


You task in this problem is to modify the configuration on R2 alone to reflect the modified assignment of the inside and outside of the network and get the same ping done earlier, i.e. from R1 (source address 10.1.1.1) to R3 (destination address 192.168.1.2) to work with R2 doing the source address NAT translation as before.

# posted by Cisco da Gama @ 10:21 AM
Comments:
I think the following config on R2 will do the trick?

conf t
interface ethernet 0
ip nat outside
interface serial 2
ip nat inside

no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

regards
Richard
# posted by Blogger richsd1 : Tue Jun 13, 10:49:00 AM 2006
 
No, that won't do the trick because the requirement is that it is the 10.1.1.x addresses that need to be NATed. I think I need to make the question clearer on that point.
# posted by Blogger Cisco da Gama : Tue Jun 13, 12:00:00 PM 2006
 
Richard, I just updated the question to indicate that after the inside/outside swap it is still the source address that should be translated when pinging from 10.1.1.1 to 192.168.1.2.
# posted by Blogger Cisco da Gama : Tue Jun 13, 12:02:00 PM 2006
 
Ok thanks for that.

Is it then just a case of ->?

conf t
interface ethernet 0
ip nat outside
interface serial 2
ip nat inside

no ip nat inside source list 101 pool natpool
ip nat outside source list 101 pool natpool

Regards
Richard
# posted by Blogger richsd1 : Tue Jun 13, 11:42:00 PM 2006
 
Actually, it turns out that just swapping "outside" and "inside" in the config is not enough! I framed this question because I myself initially thought that the swap in the config should be enough but turns out that an asymmetry in the NAT order of processing depending on the inside-to-outside or the outside-to-inside directions causes some additional configuration to be required to get this working. The spirit behind this question was to emphasize that asymmetry.
# posted by Blogger Cisco da Gama : Wed Jun 14, 10:17:00 AM 2006
 
Hi
Thanks for the recent blog on the asymmetry of NAT routing. Interesting reading. This obviously sheds new light on this problem for me.

For inside to outside routing the destination address MUST be routable. In the example given when the inside and outside areas have been switched the destination address on the inside-to-outside leg will be the 172.16.1.0 address space. I believe this address is NOT in R2s routing table.

Therefore to complete this problem i believe a route must be added on R2 for this network? I dont have the hardware to try this out on at the moment, but i guess ,in addition to the previously mentioned config, the following would do the trick.

R2

ip route 172.16.1.0 255.255.255.0 10.1.1.1

Regards
Richard
# posted by Blogger richsd1 : Sat Jun 17, 12:25:00 AM 2006
 
Post a Comment



<< Home

This page is powered by Blogger. Isn't yours?