[c-nsp] NAT and ARP
Amol Sapkal
amolsapkal at gmail.com
Wed Oct 20 19:42:25 EDT 2004
Hi Guys,
Here is a client setup:
           |\\\\\\\\\\\\\\\\\\\|
INTERNET --| fa0/1       fa0/0 |--LAN
           |\\\\\\\\\\\\\\\\\\\|
The above setup is very simple. The LAN (invalid range) accesses
internet via NAT.
We have 'ip NAT inside' on fa0/0 and 'ip nat outside' on interface fa0/1.
Now, on this router I am seeing many many Incomplete ARP entries. The
client is very troubled with these entries.
I think the above is because of a smurf attack by one infected
machine, which may be pushing traffic to the Internet using
non-existing IPs from the 10.x.x.x range.
Now, here is my confusion. I invariably did a 'debug ip packet' (not
recommended) to check what is happening and found a couple of
'encapsulation failed' messages like this:
1w0d: IP: s=216.80.150.91 (FastEthernet0/1), d=10.10.101.37 (FastEthernet0/0), len 48, encapsulation failed
I don't get why the above message should appear. My understanding of
NAT says that the IP will be retranslated to the invalid IP when it is
processed at the fa0/0 (where 'ip nat inside' is applied). I don't see
any reason why a packet with an invalid destination should appear in
the debug.
Am I understanding it wrong?
Moreover, the IP 10.10.101.37 doesn't exist.
Any idea what are the other reasons for too many incomplete ARP entries?
--
Warm Regds,
Amol Sapkal
--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------
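An added triage helper (not part of the original post or of any Cisco tool) that correlates the two outputs discussed above: IOS 'show ip arp' rows marked Incomplete and 'debug ip packet' lines ending in 'encapsulation failed'. It shows which unresolved inside addresses are being hit and which outside sources are sending to them. All sample output below is constructed; the addresses other than 10.10.101.37 and 216.80.150.91 are assumed, not from the post.

```python
import re
from collections import Counter

# Constructed sample output (not from the original post), in the formats
# printed by IOS `show ip arp` and `debug ip packet`.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.101.1             5   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.10.101.37            0   Incomplete      ARPA
Internet  10.10.101.38            0   Incomplete      ARPA
Internet  10.10.101.40            1   0011.2233.4466  ARPA   FastEthernet0/0
Internet  10.10.101.99            0   Incomplete      ARPA
"""

DEBUG_LOG = """\
1w0d: IP: s=216.80.150.91 (FastEthernet0/1), d=10.10.101.37 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=216.80.150.91 (FastEthernet0/1), d=10.10.101.38 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=198.51.100.7 (FastEthernet0/1), d=10.10.101.99 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=10.10.101.40 (FastEthernet0/0), d=198.51.100.7 (FastEthernet0/1), len 60, g=216.80.150.1, forward
"""

# Column layout: Protocol, Address, Age, Hardware Addr (or "Incomplete"), Type
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA")
DEBUG_RE = re.compile(r"s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), len \d+, encapsulation failed")


def incomplete_arp_entries(arp_text):
    """Return the IPs whose ARP entry is Incomplete (no MAC was ever learned)."""
    return [m.group(1) for line in arp_text.splitlines()
            if (m := ARP_RE.match(line)) and m.group(2) == "Incomplete"]


def encap_failures(debug_text):
    """Map each destination that failed encapsulation to the sources sending to it."""
    hits = {}
    for line in debug_text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            src, _src_if, dst, _dst_if = m.groups()
            hits.setdefault(dst, Counter())[src] += 1
    return hits


def triage(arp_text, debug_text):
    """Correlate Incomplete ARP entries with failed-encapsulation destinations.

    Returns ({unresolved_dst: {src: count}}, top 3 sources overall)."""
    unresolved = set(incomplete_arp_entries(arp_text))
    failures = encap_failures(debug_text)
    correlated = {d: dict(c) for d, c in failures.items() if d in unresolved}
    top_sources = Counter()
    for c in failures.values():
        top_sources.update(c)
    return correlated, top_sources.most_common(3)
```

Feed it the real 'show ip arp' and a short captured debug excerpt; the per-destination source counts tell you whether a few outside hosts account for most of the unresolved traffic.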