[c-nsp] NAT and ARP

Boyan Krosnov Boyan at industria.com
Wed Oct 20 23:40:02 EDT 2004


int X
 ip nat inside
int Y
 ip nat outside

This is not enough of configuration to make NAT work. You need global
config "ip nat inside...." lines.

If you post the "ip nat" lines from the global router configuration (sh
run | i ip nat), as well as "sh ip int brief" and "sh ip route" it would
really help in diagnosing your problem.

OK, I'll shoot the loaded gun :)
Just an idea:
1. A spoofed packet with 10.10.101.37->216.80.150.91 comes in on fa0/0.
2. The packet gets routed and NATed on the router and out to the
internet.
3. A response or an error comes back from 216.80.150.91->(router public
ip used for nat)
4. Response/Error gets de-NATed on the router based on the nat state flow
created in step 2
5. Packet is routed out Fa0/0 based on a connected route. No ARP entry
exists so -
5.1 an incomplete ARP entry appears in the ARP table
5.2 ARP requests appear on the LAN with no matching responses
5.3 IP packets cannot be encapsulated in ethernet frames because the
destination MAC address is not known. This is the "encapsulation failed"
message

The first thing I would do to check this hypothesis would be to attach a
sniffer (e.g. tcpdump, ethereal) on the ethernet port of the router. I
am really guessing here. This fits all the symptoms but is not necessarily
the only possible reason for these symptoms, especially if you have
exotic global config ip nat lines.

Cheers,
Boyan Krosnov
just another techie speaking for himself 
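The five-step hypothesis above, modelled as a small Python simulation. This is an added example written for this page, not code from the original message or from Cisco IOS: it walks a legitimate inside host and a spoofed inside source (the 10.10.101.37 and 216.80.150.91 addresses from the post) through NAT, de-NAT and the final ARP lookup, and shows why only the spoofed flow leaves an Incomplete ARP entry and an "encapsulation failed" outcome. The router's public NAT address (203.0.113.1), the real host 10.10.101.5 and all MAC addresses are constructed placeholders.

```python
"""Simulation of the NAT -> de-NAT -> ARP-failure chain described in the post.

Added example; addresses other than those in the post are constructed.
"""
from dataclasses import dataclass

ROUTER_PUBLIC_IP = "203.0.113.1"      # constructed placeholder for the NAT outside address
REMOTE_HOST = "216.80.150.91"         # destination named in the post

# Constructed view of what is physically present on the Fa0/0 segment:
# ip -> MAC. Hosts missing here will never answer an ARP request.
LAN_WIRE = {"10.10.101.5": "00:00:5e:00:53:05"}


@dataclass
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


class Router:
    def __init__(self, lan_wire):
        self.lan_wire = lan_wire
        self.arp = {}            # ip -> MAC, or None for an Incomplete entry
        self.nat = {}            # outside port -> (inside ip, inside port)
        self.next_port = 1024
        self.arp_requests = []   # every ARP "who-has" the router put on the LAN
        self.events = []

    def inside_to_outside(self, pkt):
        # Steps 1-2: NAT translates the source and creates state. Nothing here
        # verifies that the inside source actually exists on the LAN segment.
        port = self.next_port
        self.next_port += 1
        self.nat[port] = (pkt.src, pkt.src_port)
        return Packet(ROUTER_PUBLIC_IP, pkt.dst, port, pkt.dst_port)

    def outside_to_inside(self, pkt):
        # Steps 3-4: the reply matches the translation created on the way out
        # and is rewritten back to the original (possibly spoofed) inside address.
        state = self.nat.get(pkt.dst_port)
        if state is None:
            self.events.append("no translation, dropped")
            return "dropped"
        inside_ip, inside_port = state
        return self.forward_to_lan(Packet(pkt.src, inside_ip, pkt.src_port, inside_port))

    def forward_to_lan(self, pkt):
        # Step 5: connected route, so the next hop is the destination itself
        # and an Ethernet frame needs its MAC address.
        if self.arp.get(pkt.dst):
            return "sent"
        self.arp_requests.append(pkt.dst)           # 5.2: ARP request on the wire
        mac = self.lan_wire.get(pkt.dst)
        if mac:
            self.arp[pkt.dst] = mac                  # real host answered
            return "sent"
        self.arp[pkt.dst] = None                     # 5.1: Incomplete entry
        self.events.append(f"encapsulation failed for {pkt.dst}")  # 5.3
        return "encapsulation failed"


def incomplete_arp_entries(router):
    """The check a defender would run: which connected-route destinations
    the router keeps trying to resolve without ever getting an answer."""
    return sorted(ip for ip, mac in router.arp.items() if mac is None)


def run_scenario(real_src="10.10.101.5", spoofed_src="10.10.101.37"):
    """Send one legitimate and one spoofed flow through the router and return
    the per-flow outcome plus the resulting Incomplete ARP entries."""
    router = Router(LAN_WIRE)
    results = {}
    for label, src in (("legit", real_src), ("spoofed", spoofed_src)):
        outbound = router.inside_to_outside(Packet(src, REMOTE_HOST, 40000, 80))
        # Constructed reply from the remote host to the router's NAT address.
        reply = Packet(REMOTE_HOST, ROUTER_PUBLIC_IP, 80, outbound.src_port)
        results[label] = router.outside_to_inside(reply)
    results["incomplete"] = incomplete_arp_entries(router)
    results["arp_requests"] = list(router.arp_requests)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the NAT translation table is the only thing tying the returning packet to 10.10.101.37, so the router has no reason to doubt the address until it reaches the ARP stage; the Incomplete entries (`show ip arp` on the real device) are therefore the first place to look for addresses nobody on the segment owns, and a sniffer on Fa0/0 would show the matching unanswered ARP requests.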
