[c-nsp] NAT and ARP
Boyan at industria.com
Wed Oct 20 23:40:02 EDT 2004
ip nat inside
ip nat outside
This is not enough of configuration to make NAT work. You need global
config "ip nat inside...." lines.
If you post the "ip nat" lines from the global router configuration (sh
run | i ip nat), as well as "sh ip int brief" and "sh ip route" it would
really help in diagnosing your problem.
OK, I'll shoot the loaded gun :)
Just an idea:
1. A spoofed packet with 10.10.101.37->126.96.36.199 comes in on fa0/0.
2. The packet gets routed and NATed on the router and out to the
3. A response or an error comes back from 188.8.131.52->(router public
ip used for nat)
4. Response/Error gets de-NATed on the router based on the nat state flow
created in step 2
5. Packet is routed out Fa0/0 based on a connected route. No ARP entry
exists so -
5.1 an incomplete ARP entry appears in the ARP table
5.2 ARP requests appear on the LAN with no matching responses
5.3 IP packets cannot be encapsulated in ethernet frames because the
destination MAC address is not known. This is the "encapsulation failed"
The first thing I would do to check this hypothesis would be to attach a
sniffer (e.g. tcpdump, ethereal) on the ethernet port of the router. I
am really guessing here. This fits all the symptoms but is not necessarily
the only possible reason for these symptoms, especially if you have
exotic global config ip nat lines.
just another techie speaking for himself
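Added example, not part of the post above: a small checker for the sniffer test proposed in the reply. It scans tcpdump-style ARP lines (the capture below is constructed, with a hypothetical router at 10.10.101.1 and the spoofed source address from the post) and reports addresses in the connected subnet that the router keeps asking for but that never answer, which is the pattern step 5.2 predicts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture in tcpdump's ARP output format (not from the
# mailing list post). 10.10.101.5 is a real host that answers; 10.10.101.37
# is the spoofed source that nobody on the LAN owns.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 10.10.101.5 tell 10.10.101.1, length 28
12:00:01.000400 ARP, Reply 10.10.101.5 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Request who-has 10.10.101.37 tell 10.10.101.1, length 28
12:00:03.000000 ARP, Request who-has 10.10.101.37 tell 10.10.101.1, length 28
12:00:04.000000 ARP, Request who-has 10.10.101.37 tell 10.10.101.1, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")
REPLY_RE = re.compile(r"ARP, Reply ([\d.]+) is-at ([0-9a-fA-F:]+)")


def unanswered_arp_targets(capture: str) -> dict:
    """Map each requested IP that never appeared in an ARP reply to the
    number of times it was asked for."""
    requests = Counter()
    answered = set()
    for line in capture.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m.group(1))
    return {ip: n for ip, n in requests.items() if ip not in answered}


def suspicious_targets(capture: str, connected_net: str, min_requests: int = 2) -> dict:
    """Keep only unanswered targets that lie inside the router's connected
    subnet (where a connected route sends them straight to ARP) and were
    requested repeatedly; one-off misses are normal background noise."""
    net = ipaddress.ip_network(connected_net)
    return {
        ip: n
        for ip, n in unanswered_arp_targets(capture).items()
        if ipaddress.ip_address(ip) in net and n >= min_requests
    }


if __name__ == "__main__":
    for ip, n in suspicious_targets(SAMPLE_CAPTURE, "10.10.101.0/24").items():
        print(f"{ip}: {n} unanswered ARP requests (expect Incomplete in 'sh ip arp')")
```

Hosts that show up here are the ones whose packets will fail encapsulation on Fa0/0; compare the list against `sh ip arp` for matching Incomplete entries.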