[c-nsp] NAT and ARP

Amol Sapkal amolsapkal at gmail.com
Wed Oct 20 19:42:25 EDT 2004

Hi Guys,

Here is a client setup:

INTERNET --| fa0/1    fa0/0 |--LAN

The above setup is very simple. The LAN (invalid range) accesses
internet via NAT.
We have 'ip nat inside' on fa0/0 and 'ip nat outside' on interface fa0/1.

Now, on this router I am seeing many, many Incomplete ARP entries. The
client is very troubled with these entries.

I think the above is because of a smurf attack by one infected
machine, which may be pushing traffic to the Internet using
non-existing IPs from the 10.x.x.x range.

Now, here is my confusion. I invariably did a 'debug ip packet' (not
recommended) to check what is happening and found a couple of
'encapsulation failed' messages like this:

1w0d: IP: s= (FastEthernet0/1), d= (FastEthernet0/0), len 48, encapsulation failed

I don't get why the above message should appear. My understanding of
NAT says that the IP will be retranslated to the invalid IP when it is
processed at the fa0/0 (where 'ip nat inside' is applied). I don't see
any reason why a packet with an invalid destination should appear in
the debug.
Am I understanding it wrong?
Moreover, the IP doesn't exist.

Any idea what other reasons there are for too many incomplete ARP entries?

Warm Regards,

Amol Sapkal

An eye for an eye makes the whole world blind
- Mahatma Gandhi
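As an added triage aid (not part of the post above, and not Cisco's code), the following script parses the 'encapsulation failed' lines that 'debug ip packet' produces in the layout quoted above and summarises, per outbound interface, which destinations could not be resolved and which source addresses generated those packets. It assumes the debug output still carries the addresses (the line in the post has them stripped) and that a terminal may have wrapped a record across two lines; all addresses in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches an IOS 'debug ip packet' record of the shape quoted in the post:
# <uptime>: IP: s=<src> (<in-if>), d=<dst> (<out-if>), len N, encapsulation failed
ENCAP_FAIL = re.compile(
    r"IP: s=(?P<src>\d+\.\d+\.\d+\.\d+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<out_if>[^)]+)\), "
    r"len (?P<len>\d+), encapsulation failed"
)

def unwrap(text):
    """Rejoin records that a terminal wrapped mid-line (as in the post, where
    'len 48' was split into 'l' / 'en 48'). Heuristic: a line without the
    'IP: ' marker is treated as the continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        if records and "IP: " not in raw:
            records[-1] += raw
        else:
            records.append(raw)
    return records

def summarize_encap_failures(lines):
    """Per outbound interface: the distinct destinations that never resolved
    (each one is a candidate Incomplete ARP entry) and the top sources."""
    dests = defaultdict(set)
    sources = defaultdict(Counter)
    for line in lines:
        m = ENCAP_FAIL.search(line)
        if not m:
            continue  # other debug lines ('sending', 'forward', ...) are ignored
        out_if = m.group("out_if")
        dests[out_if].add(m.group("dst"))
        sources[out_if][m.group("src")] += 1
    return {iface: {"unresolved_dsts": sorted(dests[iface]),
                    "top_sources": sources[iface].most_common(3)}
            for iface in dests}

# Constructed sample output; the first record is wrapped the way the post shows it.
SAMPLE = """1w0d: IP: s=203.0.113.7 (FastEthernet0/1), d=10.1.1.200 (FastEthernet0/0), l
en 48, encapsulation failed
1w0d: IP: s=203.0.113.7 (FastEthernet0/1), d=10.1.1.201 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=198.51.100.9 (FastEthernet0/1), d=10.1.1.200 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=10.1.1.5 (FastEthernet0/0), d=203.0.113.7 (FastEthernet0/1), len 60, sending
"""

if __name__ == "__main__":
    for iface, info in summarize_encap_failures(unwrap(SAMPLE)).items():
        print(iface, info)
```

Feed it the captured debug output instead of SAMPLE; a long list of unresolved destinations in one subnet behind a single interface, all from a few sources, points at the traffic that is filling the ARP table.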
