[c-nsp] NAT and ARP
Brian Feeny
signal at shreve.net
Thu Oct 21 09:44:43 EDT 2004
Just curious, you're not default routing to the fa0/1 interface, are you?
As in:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
?????
Brian
On Oct 20, 2004, at 6:42 PM, Amol Sapkal wrote:
> Hi Guys,
>
> Here is a client setup:
>
>            +---------------------+
> INTERNET --| fa0/1         fa0/0 |-- LAN
>            +---------------------+
>
> The above setup is very simple. The LAN (invalid range) accesses the
> Internet via NAT.
> We have 'ip nat inside' on fa0/0 and 'ip nat outside' on interface
> fa0/1.
>
> Now, on this router I am seeing many many Incomplete ARP entries. The
> client is very troubled with these entries.
>
> I think the above is because of a smurf attack by one infected
> machine, which may be pushing traffic to the Internet using
> non-existing IPs from the 10.x.x.x range.
>
> Now, here is my confusion. I invariably did a 'debug ip packet' (not
> recommended) to check what is happening and found a couple of
> 'encapsulation failed' messages like this:
>
> 1w0d: IP: s=216.80.150.91 (FastEthernet0/1), d=10.10.101.37 (FastEthernet0/0), len 48, encapsulation failed
>
> I don't get why the above message should appear. My understanding of
> NAT says that the IP will be retranslated to the invalid IP when it is
> processed at the fa0/0 (where 'ip nat inside' is applied). I don't see
> any reason why a packet with an invalid destination should appear in
> the debug.
> Am I understanding it wrong?
> Moreover, the IP 10.10.101.37 doesn't exist.
>
> Any idea what are the other reasons for too many incomplete ARP
> entries?
>
>
> --
> Warm Regds,
>
> Amol Sapkal
>
> --------------------------------------------------------------------
> An eye for an eye makes the whole world blind
> - Mahatma Gandhi
> --------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
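Two mechanisms come together in the thread above, and both are checkable from plain IOS output. First, on IOS a packet arriving on the 'ip nat outside' interface has its destination translated back to the inside address before it is routed, so 'debug ip packet' shows the inside address as the destination; the router then ARPs for that address on fa0/0, nobody answers (the host does not exist), the ARP entry stays Incomplete and the packet is logged as 'encapsulation failed' because no Layer 2 header could be built. Second, the misconfiguration Brian asks about: a static route whose target is an Ethernet interface rather than a next-hop address makes the router ARP for every destination the route covers, which on a default route means every Internet address, and each unanswered request leaves another Incomplete entry. The script below is an added example, not code from the thread: it parses constructed 'show running-config', 'show ip arp' and 'debug ip packet' output, flags interface-only static routes, counts Incomplete entries per interface, and classifies each 'encapsulation failed' line. The inside /16, the 203.0.113.0/24 outside subnet, the interface-less Incomplete rows and all addresses except the one debug line quoted in the post are assumptions.

```python
"""Added example (not from the thread): parse constructed IOS output to spot an
interface-only default route and the Incomplete ARP / 'encapsulation failed'
symptoms discussed above. All addresses, subnets and sample output are
hypothetical except the one debug line quoted in the post."""
import re
from collections import Counter
from ipaddress import ip_address, ip_interface, ip_network

# Constructed running-config. The inside /16 is assumed; the post only says "10.x.x.x".
CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.1.1 255.255.0.0
 ip nat inside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
"""
# Same config with the default route pointing at a next-hop address instead.
CONFIG_FIXED = CONFIG.replace("0.0.0.0 0.0.0.0 FastEthernet0/1",
                              "0.0.0.0 0.0.0.0 203.0.113.1")

# Constructed `show ip arp` output; Incomplete rows carry no interface column.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  10.10.1.20              5   0011.2233.aabb  ARPA   FastEthernet0/0
Internet  10.10.101.37            0   Incomplete      ARPA
Internet  10.10.101.38            0   Incomplete      ARPA
Internet  203.0.113.1             3   00aa.bbcc.ddee  ARPA   FastEthernet0/1
Internet  198.51.100.7            0   Incomplete      ARPA
"""

# First line is the one quoted in the post; the second is constructed.
DEBUG_IP_PACKET = """\
1w0d: IP: s=216.80.150.91 (FastEthernet0/1), d=10.10.101.37 (FastEthernet0/0), len 48, encapsulation failed
1w0d: IP: s=10.10.5.9 (FastEthernet0/0), d=198.51.100.7 (FastEthernet0/1), len 60, encapsulation failed
"""

def parse_config(text):
    """Return ({interface: IPv4Interface}, [(prefix, mask, target), ...])."""
    ifaces, routes, cur = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[cur] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append(m.groups())
    return ifaces, routes

def interface_only_routes(routes, ifaces):
    """Static routes whose target is an interface name, not a next-hop address.
    On Ethernet the router ARPs for every destination such a route covers."""
    return [r for r in routes if r[2] in ifaces]

def connected_interface(addr, ifaces):
    """Interface whose connected subnet contains addr, else None."""
    return next((n for n, i in ifaces.items() if addr in i.network), None)

def likely_interface(addr, ifaces, routes):
    """Interface the router would ARP on for addr: the connected subnet if there
    is one, otherwise the interface of a covering interface-only route."""
    name = connected_interface(addr, ifaces)
    for prefix, mask, target in interface_only_routes(routes, ifaces):
        if name is None and addr in ip_network(f"{prefix}/{mask}"):
            name = target
    return name or "?"

def parse_arp(text):
    """Parse `show ip arp` rows into dicts; the interface column may be absent."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 5:
            rows.append({"addr": ip_address(f[1]), "hw": f[3],
                         "iface": f[5] if len(f) > 5 else None})
    return rows

def incomplete_by_interface(rows, ifaces, routes):
    """Count Incomplete entries per interface, inferring the interface when IOS
    left the column blank."""
    counts = Counter()
    for r in rows:
        if r["hw"].lower() == "incomplete":
            counts[r["iface"] or likely_interface(r["addr"], ifaces, routes)] += 1
    return counts

DEBUG_RE = re.compile(r"s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), len (\d+), encapsulation failed")

def parse_debug(text):
    """Extract (src, in_iface, dst, out_iface) from 'encapsulation failed' lines."""
    return [(m.group(1), m.group(2), ip_address(m.group(3)), m.group(4))
            for m in map(DEBUG_RE.search, text.splitlines()) if m]

def classify_failure(dst, out_iface, ifaces, routes):
    """Why no Layer 2 header could be built for dst on out_iface."""
    if connected_interface(dst, ifaces) == out_iface:
        return "no-such-host"          # ARP for a connected address, nobody answered
    if any(r[2] == out_iface for r in interface_only_routes(routes, ifaces)):
        return "interface-only-route"  # router ARPed for a remote address
    return "next-hop-unresolved"       # route has a gateway, but its ARP failed

if __name__ == "__main__":
    ifaces, routes = parse_config(CONFIG)
    print("interface-only routes:", interface_only_routes(routes, ifaces))
    print("Incomplete ARP per interface:",
          dict(incomplete_by_interface(parse_arp(SHOW_IP_ARP), ifaces, routes)))
    for src, _, dst, out in parse_debug(DEBUG_IP_PACKET):
        print(f"{src} -> {dst} via {out}: {classify_failure(dst, out, ifaces, routes)}")
```

Run against the constructed config the script reports the default route as interface-only, two Incomplete entries on fa0/0 (non-existent inside hosts, the quoted debug line being one of them) and one on fa0/1 (a remote address the router ARPed for because of that route); with CONFIG_FIXED the route check is clean and a remaining failure on fa0/1 would instead point at the next hop itself not answering ARP. The fix for the second mechanism is the one-line change shown in CONFIG_FIXED: give the static route a next-hop address on the outside subnet rather than the interface name.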