[c-nsp] NAT question

2018-07-11 Thread ringbit
Hi all,

Is there a way of showing or knowing the NAT session per second current rate on 
ASR1k?

According to its Datasheet it says it supports 200,000 sessions per second with 
20G ESP.

On CLI the cmd "show ip nat trans tot" shows the active sessions only for both 
TCP and UDP based.

Thanks,
Ton
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] nat question

2009-08-28 Thread Mohammad Khalil

hey all

i configured natting on a cisco router
i have loopback interface and f0/0 interface with ip nat inside configured 
and one interface configured for outside natting
does that affect ?


[c-nsp] Nat Question

2009-07-03 Thread Jeff Cartier
Here's the scenario...

I have a Cisco 1800ISR already configured to a DSL modem for
internet...it's doing great.

The customer now brought in another internet feed and wants two websites
that they use to go out that internet feed...no problem.

The sticking issue I'm having right now is with NAT.  The current
configuration is a route-map that matches an ACL and overloads the
Dialer interface.

I know what I need to do...which is stop those two IP addresses from
matching the NAT statement and match another NAT statement and overload
the FastEthernet interface...but I'm totally stumped on how to do this.

If anyone could point me in the direction of some whitepapers or tell me
the Cisco Speak for what exactly I'm asking for...that would be most
appreciated.

Thanks!!!



Re: [c-nsp] NAT question.

2007-09-17 Thread Vincent De Keyzer
> packets from the Ethernet of Router A do not seem to get nat'd, however to
> show up in the nat translations table.

What do you mean by that? Please post outputs of sh ip nat tran for both
192.168 and 10. What makes you think that they don't get nat'd?

Vincent



Re: [c-nsp] NAT question.

2007-09-17 Thread Troy Beisigl
sh ip nat translations
Pro  Inside global   Inside local   Outside local    Outside global
icmp 66.X.A.99:9893  10.2.0.1:9893  66.X.Y.129:9893  66.X.Y.129:9893


I know that the router is not doing NAT correctly because even though it
shows up in the tables, our core routers are seeing the 10. address and not
the public address. Below is from the console of one of our core routers
that router C hands off traffic to for the outside world.

Sep 17 17:17:20: ICMP: dst (10.2.0.1) host unreachable sent to 66.X.Y.129



Troy Beisigl

-Original Message-
From: Vincent De Keyzer [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 17, 2007 6:04 AM
To: 'Troy Beisigl'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] NAT question.

 packets from the Ethernet of Router A do not seem to get nat'd, however to
 show up in the nat translations table. 

What do you mean by that? Please post outputs of sh ip nat tran for both
192.168 and 10. What makes you think that don't get nat'd ?

Vincent




[c-nsp] NAT question.

2007-09-16 Thread Troy Beisigl
I have a strange problem happening with NAT and am wondering if anyone here
might be able to help solve the problem. We have a cisco 2611 router
configured to do NAT of IP addresses on the 2 T1 serial interfaces to public
IP addresses on the Ethernet 0/0 interface. It seems to translate the IP
addresses of the serial interface itself but not the IP addresses of the
Ethernet interface on the router on the remote side of those T1s. Here are
the details of the network.

Office A connects to the Ethernet of router A (a Cisco 1720). This router
has a T1 interface that connects to router C (a Cisco 2611) on T1 interface
S0/0. Router C is configured with ip nat inside on serial 0/0 and serial
0/1. Router C also is configured with ip nat outside on Ethernet 0/0.
Packets from the Ethernet of Router A do not seem to get nat'd, however do
show up in the nat translations table. Packets from router A sourced from
the T1 interface do get nat'd. Router B is the same as router A except that
it is on a different internal IP block and has the same NAT problem.  Any
ideas on why these IP addresses are not getting NAT'd correctly?

Router A config:

!
interface Serial0
 description T1 Circuit ID: 
 ip address 192.168.0.1 255.255.255.252
 down-when-looped
 service-module t1 timeslots 1-24
!
interface FastEthernet0
 ip address 10.2.0.1 255.255.255.0
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.2
no ip http server
!
!

Router C config:

interface Ethernet0/0
 ip address 66.X.A.97 255.255.255.224
 ip nat outside
 load-interval 30
 half-duplex
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.252
 ip nat inside
 load-interval 30
 no fair-queue
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 ip address 192.168.0.6 255.255.255.252
 ip nat inside
 load-interval 30
 shutdown
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
ip nat translation max-entries 15000
ip nat pool def_pool 66.X.A.99 66.X.A.99 netmask 255.255.255.224
ip nat inside source list 10 pool def_pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 66.X.A.98
ip route 10.1.0.0 255.255.255.0 192.168.0.5
ip route 10.2.0.0 255.255.255.0 192.168.0.1
!
access-list 10 remark Internet Access List (NAT)
access-list 10 permit 10.1.0.0 0.0.0.255 log
access-list 10 permit 10.2.0.0 0.0.0.255 log
access-list 10 permit 192.168.0.0 0.0.0.255 log
!

Thanks,

Troy



Re: [c-nsp] NAT Question

2007-06-29 Thread Gert Doering
Hi,

On Fri, Jun 29, 2007 at 05:06:42AM -0400, Sridhar Ayengar wrote:
> What I can't figure out is how to configure the network for the servers.

Make them neither inside nor outside - then packets will never be NATted
coming from this interface, or going towards it.

This is the cool thing about the classic IOS NAT - you can do things like this.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]


[c-nsp] NAT Question

2007-06-29 Thread Sridhar Ayengar

I have a NAT question which could probably be considered simple, but my 
Google-fu fails me.  I would appreciate either an answer, or a pointer 
to where I can RTFM.

I have four networks that I'm routing between.  The first is a 
publicly-accessible block for servers with a routeable IP block.  The 
second and third are networks with private IP blocks.  The fourth is, of 
course, the outbound connection to the upstream provider.

Now, as I understand it, the two private networks will be considered 
inside for the purposes of NAT, and the connection to the outside 
world will be considered outside.

What I can't figure out is how to configure the network for the servers. 
  I need the workstations on the private networks to be able to access 
the servers without being NATed, and vice-versa.  Of course, the 
machines on the two private networks need to be able to talk to each 
other as well.

Many thanks for the help.

Peace...  Sridhar

(P.S. I will be adding a VPN in addition to the above, but that's for 
another day, I suppose.)


Re: [c-nsp] NAT Question

2007-06-29 Thread Tom Storey
IIRC NAT occurs after routing, therefore if traffic is simply routed between
inside interfaces, it should never be NATed.

You could, however, always do something like this in the ACL which decides
what traffic is NATed:

ip nat inside source list 100 interface WAN overload
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any

where 192.168.0.0/16 encapsulates your private networks, and 10.0.0.0/24 is
your DMZ - for example.

Tom

- Original Message -
From: Gert Doering [EMAIL PROTECTED]
To: Sridhar Ayengar [EMAIL PROTECTED]
Cc: Cisco NSPs cisco-nsp@puck.nether.net
Sent: Friday, June 29, 2007 6:52 PM
Subject: Re: [c-nsp] NAT Question


 Hi,

 On Fri, Jun 29, 2007 at 05:06:42AM -0400, Sridhar Ayengar wrote:
  What I can't figure out is how to configure the network for the servers.

 Make them neither inside nor outside - then packets will never be NATted
 coming from this interface, or going towards it.

 This is the cool thing about the classic IOS NAT - you can do things like
this.

 gert
 --
 USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
 Gert Doering - Munich, Germany
[EMAIL PROTECTED]
 fax: +49-89-35655025
[EMAIL PROTECTED]


Re: [c-nsp] NAT Question

2007-06-29 Thread Gert Doering
Hi,

On Sat, Jun 30, 2007 at 12:26:45AM +0930, Tom Storey wrote:
> IIRC NAT occurs after routing, therefore it traffic is simply routed between
> inside interfaces, it should never be NATed.

Specifically, inside-to-outside NAT occurs if and only if (!) the 
packet comes in from an ip nat inside interface and leaves via an
ip nat outside interface.

Which is why you can do cool tricks with bounce over loopback :)  (even
if half of them wouldn't be necessary if static NAT mappings could take
an ACL for only for *these* destinations, please!).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]
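
An added example, not part of any message in this thread: a small Python model of the rule Gert states (translation only for packets that enter an ip nat inside interface and leave via an ip nat outside interface) combined with Tom Storey's access-list 100. The interface names LAN1, LAN2 and DMZ and the sample flows are constructed for illustration.

```python
from ipaddress import IPv4Address

# Interface roles on a hypothetical router (LAN1/LAN2/DMZ are assumed names).
# The DMZ is neither inside nor outside, as suggested earlier in the thread.
ROLES = {"LAN1": "inside", "LAN2": "inside", "DMZ": None, "WAN": "outside"}

# access-list 100 from the thread: (action, src, src wildcard, dst, dst wildcard).
ACL_100 = [
    ("deny",   "192.168.0.0", "0.0.255.255", "10.0.0.0",    "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.0.0", "0.0.255.255", "0.0.0.0",     "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def acl_permits(acl, src, dst):
    """First matching entry wins; the ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def is_translated(in_if, out_if, src, dst, acl=ACL_100):
    """Inside source NAT applies only to inside -> outside packets the ACL permits."""
    if ROLES.get(in_if) != "inside" or ROLES.get(out_if) != "outside":
        return False
    return acl_permits(acl, src, dst)

def demo():
    # Constructed sample flows: (ingress, egress, source, destination).
    flows = [
        ("LAN1", "WAN",  "192.168.1.10", "198.51.100.7"),  # Internet-bound
        ("LAN1", "DMZ",  "192.168.1.10", "10.0.0.5"),      # workstation to server
        ("LAN1", "LAN2", "192.168.1.10", "192.168.2.20"),  # private to private
        ("DMZ",  "WAN",  "10.0.0.5",     "198.51.100.7"),  # server to Internet
        ("LAN1", "WAN",  "192.168.1.10", "10.0.0.5"),      # ACL deny still applies
    ]
    return [is_translated(*f) for f in flows]

if __name__ == "__main__":
    print(demo())
```

Only the first flow is translated; the last one crosses inside to outside but is exempted by the first deny entry, which is the case the ACL covers if the interface roles alone do not.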


Re: [c-nsp] NAT Question

2007-06-29 Thread Gert Doering
Hi,

On Fri, Jun 29, 2007 at 11:35:22AM +0200, Vincent De Keyzer wrote:
>> This is the cool thing about the classic IOS NAT - you can do things like
>> this.
>
> Does Cisco have any other NAT than the classic IOS one ?
>
> PS: You can reply on-list if ever my question makes sense :)

Yes, they recently invented one-click NAT - I've forgotten the actual
syntax, but it's something that is configured on the outside interface
*only*, and is much less flexible in what you can do with it.

I can only wonder what made them implement this - probably too many computer 
magazines complaining that cisco IOS is too complex to manage!!!.

insert rant about IOS quality and idiot decisions like 878 has ISDN 
hardware but cannot fully use it etc.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025[EMAIL PROTECTED]


Re: [c-nsp] nat question

2007-04-30 Thread Dan
I figured it out.  I forgot that I needed ip nat inside on f0/0. 
Everything works now.  Thanks.

Dan.



Dan wrote:
 Kevin,

 That make sense.  Now how can I route certain ip's or subnets to this
 gateway?  On the lan port f0/0 i already have a route-map called inet
 that sets the next-hop behavior for subnets.  When I create a sequence
 in the inet route-map that permits a certain ip and sets the next-hop
 to the gateway on the vlan303(64.x.x.3) it does not work.

 Thanks,
 Dan.

 Kevin Graham wrote:
   
 On 4/30/07, Dan [EMAIL PROTECTED] wrote:

 
 interface FastEthernet0/3/3
  switchport access vlan 303
   
 [...]
 
 route-map nat-wb permit 10
  match interface FastEthernet0/3/3
   
 [...]
 
 interface Vlan303
  ip address 64.x.x.1 255.255.255.240
   
 [...]
 
 ip nat inside source route-map nat-wb interface FastEthernet0/3/3
 overload
   
 Fa0/3/3 is a switchport, you want to overload onto the SVI (vlan303).
 route-map nat-wb should also match the SVI, not the switchport.
 

