Re: NAT (Portforwarding) for local traffic

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Tue Jul 15 2008 - 08:14:45 ART


Huan,

NAT could be tricky sometimes, you see now! But personally, I'm a big fan of
doing all kinds of weird things with NAT :)
So here is another link explaining the difference between inside and outside
NAT domain:

http://blog.internetworkexpert.com/2008/02/15/the-inside-and-outside-of-nat/

HTH

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

2008/7/15 Huan Pham <pnhuan@yahoo.com>:

> Thanks Petr for the detailed explanation!
>
> It looks more complicated than I had thought. I will read through, and
> modify it to do what I want.
>
> --- On Tue, 7/15/08, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> From: Petr Lapukhov <petr@internetworkexpert.com>
> Subject: Re: NAT (Portforwarding) for local traffic
> To: "Huan Pham" <Huan.Pham@peopletelecom.com.au>
> Cc: ccielab@groupstudy.com
> Date: Tuesday, July 15, 2008, 6:50 PM
>
> Huan,
> The question you asked was so interesting that I made a blog post about it
> :)
>
> http://blog.internetworkexpert.com/2008/07/15/a-curious-nat-scenario/
>
> HTH
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
> Online Community: http://www.IEOC.com
> CCIE Blog: http://blog.internetworkexpert.com
>
> 2008/7/15 Huan Pham <Huan.Pham@peopletelecom.com.au>:
>
> > Sorry, I copied the old nat translations.
> >
> > Here is a more updated one, after I tried telnet from outside, and from R1
> > itself. The nat translations table looks OK to me.
> >
> > R1#sh ip nat translations
> > Pro Inside global      Inside local       Outside local      Outside global
> > tcp 150.0.0.3:23       10.1.1.3:23        12.0.0.2:12023     12.0.0.2:12023
> > tcp 150.0.0.3:23       10.1.1.3:23        150.0.0.1:13980    150.0.0.1:13980
> > tcp 150.0.0.3:23       10.1.1.3:23        ---                ---
> >
> > -----Original Message-----
> > From: Huan Pham
> > Sent: Tuesday, 15 July 2008 11:18 AM
> > To: ccielab@groupstudy.com
> > Subject: NAT (Portforwarding) for local traffic
> >
> > Hi Gs,
> >
> > I have an interesting problem with NAT. I try to set up port-forwarding
> > NAT on a router so that when I telnet to a public IP (part of loopback
> > subnet) from outside, or from the NAT router itself, I will end up on
> > a local PC. Is it possible to force local traffic to be natted on a
> > router that does natting?
> >
> > I am labbing this scenario and I can forward external Telnet traffic to
> > a specific IP. However, if I try telnet from the NAT router, I get the
> > telnet refused error message. Debugging, and show nat translation looks
> > OK.
> >
> > Am I missing something, or is this just not achievable? Thanks guys in
> > advance.
> >
> > The topo:
> >
> > R3----------R1----------R2
> >     inside  NAT  outside
> >
> > LAN: 10.1.1.0/24
> > WAN: 12.0.0.0/24
> > Loopback0 on R1: 150.0.0.1/24
> >
> > R3 is the Telnet server behind the NAT device, R2 is the external public
> > host. If an external device telnets to 150.0.0.10, it should end up on R3
> > (10.1.1.10/24)
> >
> > R1#sh run | in interface|nat|address|ip route
> >
> > ip telnet source-interface Loopback0
> >
> > interface Loopback0
> >  ip address 150.0.0.1 255.255.255.0
> >  ip nat outside
> >
> > interface FastEthernet0/0
> >  ip address 10.1.1.1 255.255.255.0
> >  ip nat inside
> >
> > interface Serial0/0.1 point-to-point
> >  ip address 12.0.0.1 255.255.255.0
> >  ip nat outside
> >  frame-relay interface-dlci 102
> >
> > ip nat inside source static tcp 10.1.1.3 23 150.0.0.3 23 extendable
> >
> > ip route 150.0.0.3 255.255.255.255 FastEthernet0/0
> >
> > R1#sh ip nat translations
> > Pro Inside global      Inside local       Outside local      Outside global
> > tcp 150.0.0.3:23       10.1.1.3:23        12.0.0.2:12023     12.0.0.2:12023
> > tcp 150.0.0.3:23       10.1.1.3:23        12.0.0.2:23475     12.0.0.2:23475
> > tcp 150.0.0.3:23       10.1.1.3:23        ---                ---
> >
> > Debug message on R3#
> > !Telnet from R2 to 150.0.0.3 is successful
> >
> > 02:16:04: IP: tableid=0, s=12.0.0.2 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
> > 02:16:04: IP: s=12.0.0.2 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), len 40, rcvd 3
> > 02:16:04: IP: tableid=0, s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), routed via FIB
> > 02:16:04: IP: s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), len 43, sending
> > 02:16:04: IP: tableid=0, s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), routed via FIB
> > 02:16:04: IP: s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), len 43, sending
> > 02:16:04: IP: tableid=0, s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), routed via FIB
> > 02:16:04: IP: s=10.1.1.3 (local), d=12.0.0.2 (Ethernet0/0), len 46, sending
> >
> > !Telnet from R1 (source loopback0) is not successful
> >
> > 02:19:05: IP: tableid=0, s=150.0.0.1 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
> > 02:19:05: IP: s=150.0.0.1 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), len 44, rcvd 3
> > 02:19:05: IP: tableid=0, s=10.1.1.3 (local), d=150.0.0.1 (Ethernet0/0), routed via FIB
> > 02:19:05: IP: s=10.1.1.3 (local), d=150.0.0.1 (Ethernet0/0), len 44, sending
> > 02:19:05: IP: tableid=0, s=150.0.0.1 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
> > 02:19:05: IP: s=150.0.0.1 (Ethernet0/0), d=10.1.1.3 (Ethernet0/0), len 40, rcvd 3
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART