*** NAT question (in fact PAT question) ***

Post by Nuno Cristel » Fri, 04 May 2001 18:01:00



Hi,

I have a problem with the following Cisco 3660 NAT configuration:
.
.
.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 secondary
 ip address 10.1.3.1 255.255.255.0 secondary
 ip address 10.1.4.1 255.255.255.0 secondary
 ip address 10.1.5.1 255.255.255.0 secondary
 ip address 10.1.6.1 255.255.255.0 secondary
 ip address 10.1.7.1 255.255.255.0 secondary
 ip nat inside
 duplex auto
 speed auto
!
!
interface Serial3/0:0
 ip address <something>
 ip nat outside
 encapsulation ppp
!
ip nat inside source list 69 interface Serial3/0:0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <something>
no ip http server
!
access-list 69 permit 192.168.1.0 0.0.0.255  <== Can we perform this translation? The packets are being received.
access-list 69 permit 10.1.1.0 0.0.0.255
access-list 69 permit 10.1.2.0 0.0.0.255
access-list 69 permit 10.1.3.0 0.0.0.255
access-list 69 permit 10.1.4.0 0.0.0.255
access-list 69 permit 10.1.5.0 0.0.0.255
access-list 69 permit 10.1.6.0 0.0.0.255
access-list 69 permit 10.1.7.0 0.0.0.255

Okay now, what's the problem? The router sometimes stops responding and
reloads by itself.

*** Now two questions:

*** FIRST QUESTION:

In a router performing NAT (in this case NAT with OVERLOAD - port address
translation) can I send to the INSIDE interface (the interface that connects
to my INTERNAL networks) packets whose source addresses are from other
networks? Look at access list 69. The FastEthernet interface is in other
networks, but 192.168.1.0 is to be translated also. Someone told me that this
might be possible. It doesn't sound logical, or does it?

*** SECOND QUESTION:

In the real configuration, what I am trying to do is to give every host in 7
class C networks access to the Internet via NAT, using one single EXTERNAL
address, using OVERLOAD. Can this cause performance problems?

The router is a 3660 with 256 Mbytes of RAM.

Here goes the error message:

System received bus error exception
signal=0xa       context=0x610327b0
code=0x10
PC=0x60434108 cause=0x20
Status reg=0x34018002

Thanks,

Nuno Cristelo

 
 
 

*** NAT question (in fact PAT question) ***

Post by peteatarin » Fri, 04 May 2001 19:42:45


To your second question, the answer is yes.  While the theoretical limit is
just over 64K ports available, in reality it is vic 4000.

pete



 
 
 

*** NAT question (in fact PAT question) ***

Post by --=Hatte » Fri, 04 May 2001 22:41:40


Sorry for messing with the message, but it is easier to answer it like this ;-)

Quote:> Okay now, what's the problem? The router sometimes stops responding and
> reloads by itself.
> *** SECOND QUESTION:
> In the real configuration what I am trying to do is to give access to every
> host in 7 class C networks, via NAT, to the internet, using one single
> EXTERNAL address, using OVERLOAD. Can this cause performance problems?
> The router is a 3660 with 256Mbytes of RAM.
> Here goes the error message:
> System received bus error exception

What's your IOS version?
I had the same problem, same error message, but updating the IOS solved the
problem.
At bad times my max uptime was 30 seconds before it rebooted.
Try a newer version, or try to downgrade to a 'solid' version.

Quote:> *** FIRST QUESTION:
> In a router performing NAT can I send to the INSIDE interface packets whose
> source addresses are from other networks? Look at access list 69. The
> FastEthernet interface is in other networks but 192.168.1.0 is to be
> translated also. Someone told me that this might be possible. It doesn't
> sound logical, or does it?

I don't get what you mean. Maybe ASCII-art?
 
 
 

*** NAT question (in fact PAT question) ***

Post by Barry Margoli » Fri, 04 May 2001 23:24:01




>*** FIRST QUESTION:

>In a router performing NAT (in this case NAT with OVERLOAD - port address
>translation) can I send to the INSIDE interface (the interface that connects
>to my INTERNAL networks) packets whose source addresses are from other
>networks? Look at access list 69. The FastEthernet interface is in other
>networks but 192.168.1.0 is to be translated also. Someone told me that this
>might be possible. It doesn't sound logical, or does it?

It's fine.  As long as you have a route to those networks, it will work.
When packets are coming back in from the outside, it will translate the
destinations to 192.168.1.x and then route them normally.

--

Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
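An added illustration of the two answers above; this is not code from any of the posters or from Cisco. It models Barry's point that 192.168.1.0/24, which is not on the 'ip nat inside' interface, is translated simply because the NAT ACL matches it and, on the return path, is untranslated first and then routed like any other packet (so only a route to it is needed), and pete's point that one outside address has a finite pool of ports per protocol, which caps the number of concurrent translations. The outside address 198.51.100.1, the internal next hop 10.1.1.254 for 192.168.1.0/24, the remote host 203.0.113.5 and the 1024-65535 allocation range are assumptions, and translations are keyed only on (protocol, inside address, inside port), so the figure it produces is the theoretical ceiling of this simplified model, not what any particular IOS release does.

```python
"""Toy model of IOS-style NAT overload (PAT) with a NAT ACL and a routing table.

Added example, not code from the original thread or from Cisco. Assumptions
(not from the page): outside address 198.51.100.1, internal next hop
10.1.1.254 for 192.168.1.0/24, remote host 203.0.113.5, allocatable ports
1024-65535, and translations keyed on (proto, inside addr, inside port) only.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

INSIDE_IF = "FastEthernet0/0"
OUTSIDE_IF = "Serial3/0:0"
OUTSIDE_ADDR = ip_address("198.51.100.1")  # assumed; the post shows <something>

# Mirrors access-list 69 from the original post.
NAT_ACL = [ip_network(n) for n in (
    "192.168.1.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24")]

# Routing table: the seven connected /24s, the assumed static route for
# 192.168.1.0/24 via an internal router, and the default route to the serial.
ROUTES = [(ip_network(f"10.1.{i}.0/24"), INSIDE_IF) for i in range(1, 8)] + [
    (ip_network("192.168.1.0/24"), "10.1.1.254"),  # assumed internal next hop
    (ip_network("0.0.0.0/0"), OUTSIDE_IF),
]

PORT_RANGE = range(1024, 65536)  # assumed; the real IOS allocator differs


def lookup_route(dst: str) -> Optional[str]:
    """Longest-prefix match; returns the next hop or egress interface."""
    addr = ip_address(dst)
    best = None
    for prefix, via in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via)
    return best[1] if best else None


class PatTable:
    """Translation state for a single outside address."""

    def __init__(self) -> None:
        self.out_map: Dict[Tuple[str, str, int], int] = {}          # (proto, in addr, in port) -> out port
        self.in_map: Dict[Tuple[str, int], Tuple[str, int]] = {}    # (proto, out port) -> (in addr, in port)
        self.free: Dict[str, Set[int]] = {}                         # proto -> ports not yet handed out

    def _alloc_port(self, proto: str, preferred: int) -> Optional[int]:
        free = self.free.get(proto)
        if free is None:
            free = self.free[proto] = set(PORT_RANGE)
        if not free:
            return None
        if preferred in free:  # keep the inside source port while it is still free
            free.remove(preferred)
            return preferred
        return free.pop()  # otherwise any unused port will do

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Packet received on the inside interface. Returns (verdict, src, sport)."""
        if lookup_route(dst) != OUTSIDE_IF:
            return ("routed-inside", src, sport)  # never crosses the NAT outside interface
        saddr = ip_address(src)
        if not any(saddr in net for net in NAT_ACL):
            return ("forwarded-untranslated", src, sport)  # not permitted by the NAT ACL
        key = (proto, src, sport)
        if key not in self.out_map:
            port = self._alloc_port(proto, sport)
            if port is None:
                return ("dropped-port-exhausted", None, None)
            self.out_map[key] = port
            self.in_map[(proto, port)] = (src, sport)
        return ("translated", str(OUTSIDE_ADDR), self.out_map[key])

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Packet received on the outside interface. Returns (verdict, dst, dport, route)."""
        if ip_address(dst) != OUTSIDE_ADDR:
            return ("forwarded-untranslated", dst, dport, lookup_route(dst))
        entry = self.in_map.get((proto, dport))
        if entry is None:
            return ("dropped-no-translation", None, None, None)
        in_addr, in_port = entry
        # The destination is rewritten first; only then is the packet routed.
        return ("untranslated", in_addr, in_port, lookup_route(in_addr))


def translations_until_exhausted(proto: str = "tcp", hosts: int = 7 * 254) -> int:
    """Concurrent flows one outside address carries before its port pool is empty."""
    table = PatTable()
    count = 0
    while True:
        h = count % hosts  # spread new flows over every host in the seven /24s
        src = f"10.1.{1 + h // 254}.{1 + h % 254}"
        sport = 1024 + count // hosts  # each host opens one more connection per round
        verdict, _, _ = table.outbound(proto, src, sport, "203.0.113.5", 80)
        if verdict != "translated":
            return count
        count += 1


if __name__ == "__main__":
    t = PatTable()
    print(t.outbound("tcp", "192.168.1.10", 40000, "203.0.113.5", 80))
    print(t.inbound("tcp", "203.0.113.5", 80, str(OUTSIDE_ADDR), 40000))
    print(translations_until_exhausted())
```

Run stand-alone, it prints the forward translation for a 192.168.1.x host, the return packet untranslated back to that host together with the next hop the router would use for it, and the number of flows the single outside address carries before the pool runs dry in this model (64512). Whether a real 3660 image gets anywhere near that number depends on the IOS allocator, which is not modelled here.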

 
 
 

kinda dumb PIX NAT/PAT question leading into a VPN question

If I have a PIX protecting the private network 192.169.1.0/24 (inside) and it
has a public interface (outside) on the Internet, let's say using the address
99.99.1.1/24. On the PIX I have a global pool of addresses set up for clients
on the 192.168.1.0 network to reach the Internet with. This pool could be
99.99.1.128 through 99.99.1.254. Additionally I have a static/conduit that
allows telnet to an inside host (192.168.1.2) through 99.99.1.2. Now for the
question: when a host on the Internet telnets to 99.99.1.2, that establishes a
session on the host 99.99.1.2. However, if I telnet from the host 99.99.1.2 to
some other host on the Internet, does my source address appear as 99.99.1.2 or
as one of the addresses I reserved in the address pool?

The reason I ask this is that I'm trying to terminate a couple of VPN (IPSec)
connections behind my PIX on a 1600 series I use as my frame router. I tried
setting up the static/conduit through the PIX on a global address (as the
examples on CCO show), but it seems that the traffic from the router behind
the PIX keeps getting NAT'd (which I seem to remember kills IKE/IPSec). Since
this router's address is non-routable I cannot connect to it from the Internet
by any other method than the conduit/permit. The whole purpose is that the
dynamic crypto maps on my PIX have such extremely short (300-600 seconds)
lifetimes on the IKE/IPSec associations due to the fact that the majority of
the connections are dial-up users who are frequently dropped. This short
lifetime seemed to help them over the weekend/nights when they got dropped and
couldn't reconnect until their existing association expired and was deleted
from the PIX. The couple of connections I am trying to terminate behind the
PIX are static IP DSL connections that really don't need the short lifetime
and dynamic maps. It seems as though I can change the IKE key association
lifetime easily enough in the policy, but the IPSec lifetimes seem to be
global for all maps. Would it hurt to have IPSEC renegotiating every 5 or so
minutes but IPSec not renegotiating for, say, 8 hours? Would this be able to
help eliminate the sluggishness these sites experience during the frequent
renegotiations?

The only other option I'm seeing is to maybe use a protocol not so sensitive
to NAT, like maybe GRE, to encapsulate the IPSec in. Any suggestions or
helpful links would be greatly appreciated.

Thanks

Barry Lance
