Hi,

Assuming that router 2 is not in transparent mode, taking it out wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that there is a route for the network of the ASA to be behind router2 on the HSRP routers. It would make sense if they are all on the same broadcast domain.
Mike.

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
Date: Fri, 22 Jun 2012 03:05:49 +0000

Hi Mike,

Yes, I’m familiar with it. It’s the same as you say “sysopt noproxyarp” on the ASA. My question is about why would you do it? Can someone give me a good example? I’m doing a task and it asks to configure a peer for a pair of HSRP routers. I’ll have to give a sketch of the topology to make it more or less clear:

R1----+--- R2-----(163.1.132.0)-----ASA-----R6
R3----|

So to be precise, R1 and R3 should have their IPSec peer set to 163.1.132.113, which is the ASA interface. The solution configures static NAT on R2 binding 163.1.132.113 to the R6 loopback:

ip nat inside source static 6.0.0.1 163.1.132.113 no-alias

If R2 stops responding to ARP requests sent to 163.1.132.113, how will the whole thing work?

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Thursday, June 21, 2012 7:54 PM
To: Eugene Pefti; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

Hey Eugene,

Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is on its range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.

Mike

From: [email protected]
To: [email protected]
Date: Fri, 22 Jun 2012 02:44:22 +0000
Subject: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

What are the use cases of this “no-alias” NAT option? All references I found in Cisco docs say little to me. Quoting:

• Autoaliasing of Pool Addresses: Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an attached subnet. This requires that the router answer ARP requests for those addresses so that packets destined for the global addresses are accepted by the router and translated. (Routing takes care of this packet delivery when the global addresses are allocated from a virtual network which isn't connected to anything.) When a NAT pool used as an inside global or outside local pool consists of addresses on an attached subnet, the software will generate an alias for that address so that the router will answer ARPs for those addresses. This automatic aliasing also occurs for inside global or outside local addresses in static entries. It can be disabled for static entries by using the "no-alias" keyword:

ip nat inside source static <local-ip-address> <global-ip-address> no-alias

Why would the router NOT reply on behalf of those global addresses?

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
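An added example, not from the thread or from Cisco: a small Python model of the autoaliasing rule quoted above, reporting for each simple static inside-source entry whether the router would answer ARP for the global address. The interface address 163.1.132.2/24 and the second and third static entries are constructed for illustration; port-based static forms are not parsed.

```python
import ipaddress
import re

# Constructed sample config. Only the first static entry comes from the thread;
# the interface address and the other two entries are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 163.1.132.2 255.255.255.0
!
ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
ip nat inside source static 10.0.0.5 163.1.132.50
ip nat inside source static 10.0.0.6 198.51.100.7
"""

IPV4 = r"(\d+(?:\.\d+){3})"
IFACE_ADDR = re.compile(rf"^ +ip address {IPV4} {IPV4}", re.M)
STATIC_NAT = re.compile(rf"^ip nat inside source static {IPV4} {IPV4}(.*)$", re.M)


def arp_alias_report(config):
    """Map each static inside-global address to its ARP behaviour.

    'aliased'  : on an attached subnet, router answers ARP for it
    'no-alias' : on an attached subnet, alias suppressed by the keyword
    'routed'   : not on an attached subnet, delivery depends on routing
    """
    attached = [ipaddress.ip_interface(f"{addr}/{mask}").network
                for addr, mask in IFACE_ADDR.findall(config)]
    report = {}
    for _local, global_ip, options in STATIC_NAT.findall(config):
        addr = ipaddress.ip_address(global_ip)
        if not any(addr in net for net in attached):
            report[global_ip] = "routed"
        elif "no-alias" in options.split():
            report[global_ip] = "no-alias"
        else:
            report[global_ip] = "aliased"
    return report


if __name__ == "__main__":
    for ip, status in arp_alias_report(SAMPLE_CONFIG).items():
        print(f"{ip:16} {status}")
```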
