[c-nsp] NAT and ARP

Boyan Krosnov Boyan at industria.com
Wed Oct 20 23:40:02 EDT 2004

int X
 ip nat inside
int Y
 ip nat outside

This is not enough of configuration to make NAT work. You need global
config "ip nat inside...." lines.

If you post the "ip nat" lines from the global router configuration (sh
run | i ip nat), as well as "sh ip int brief" and "sh ip route" it would
really help in diagnosing your problem.

OK, I'll shoot the loaded gun :)
Just an idea:
1.A spoofed packet with> comes in on fa0/0. 
2.The packet gets routed and nated on the router and out to the
3.A response or an error comes back from>(router public
ip used for nat)
4.Response/Error gets de-NATed on the router based on the nat state flow
created in step 2
5.Packet is routed out Fa0/0 based on a connected route. No ARP entry
exists so -
5.1 an incomplete ARP entry appears in the ARP table
5.2 ARP requests appear on the LAN with no matching responses
5.3 IP packets cannot be encapsulated in ethernet frames because the
destination mac addres is not known. This is the "encapsulation failed"

The first thing I would do to check this hypothesis would be to attach a
sniffer (e.g. tcpdump, ethereal) on the ethernet port of the router. I
am really guessing here. This fits all the symptoms but is not necessary
the only possible reason for these symptoms, especially if you have
exotic global config ip nat lines.

Boyan Krosnov
just another techie speaking for himself 

More information about the cisco-nsp mailing list