[c-nsp] IOS 12.4 and NAT
Reuben Farrelly
reuben-cisco-nsp at reub.net
Thu May 12 04:55:50 EDT 2005
Hi,
Joe Maimon wrote:
> Gert Doering wrote:
>
>>Hi,
>>
>>On Thu, May 05, 2005 at 10:34:27AM +0200, Carsten Bormann wrote:
>>
>>
>>>>what's "NVI enhancement"? Any pointers?
>>>
>>>While the US sleeps:
>>>
>>>http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/
>>>123newft/123t/123t_14/gtnatvi.htm
>>
>>
>>Ah, thanks. So finally Cisco has fallen to market pressure "the way
>>you do it is much too complicated, we need a simple on/off switch"
Following this up, has anyone actually got NVI NAT to work _at all_ under
12.3(14)T or 12.4(1)?
I've tried with a 1721 and an 831 in a trivially basic test environment, and
neither seems to work, but it's inconceivable that Cisco would release code
with an LD tag, with a feature that is completely and utterly broken. There
are no external bugs documented for this, so I'm guessing that it's something
I have done wrong, or else, it's bug-free code ;-)
Should a config like this from a 1721 work? Starting with a blank config:
--
int fastethernet0.1
 description test outside interface
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip nat enable

int fastethernet0.2
 description test inside interface
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0

ip nat inside source list 110 interface fastethernet0.1 overload
access-list 110 permit ip 2.2.2.0 0.0.0.255 any log

or: ip nat source static 2.2.2.3 1.1.1.3

Static PATs likewise don't seem to work. Ping and TCP connects time out.
--
Same config gives the same result on an 831 dual Ethernet router. Taking off
NAT, it routes OK albeit with no NAT taking place (as expected).
If I remove "ip nat enable" and replace with "ip nat inside" and "ip nat
outside" it NATs OK, but that's one of the key points about NVI - that "The
NAT Virtual Interface feature allows all NAT traffic flows on the virtual
interface, eliminating the need to specify inside and outside domains."
The documentation at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gtnatvi.htm
scrapes by, but it could do with a whole lot more simple examples.
I'm happy to open a TAC case but I'm not real keen on opening any more cases
than necessary (we've been told at work that the more cases we open with TAC,
the worse our partner metrics look...so being a bleeding edge ground breaker
isn't always a good thing).
reuben
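
A consistency check for the kind of configuration posted above, as an added example that is not part of the original message or any Cisco tooling: it sorts NAT statements into the classic style (`ip nat inside`, `ip nat outside`, `ip nat inside source`) and the NVI style (`ip nat enable`, `ip nat source`) and reports where the two are mixed. The premise that a rule of one style only acts on interfaces of the same style is this example's assumption, as are the names `parse`, `audit` and `SAMPLE`.

```python
import re

# Constructed sample: the first variant of the configuration posted above.
SAMPLE = """\
int fastethernet0.1
 encapsulation dot1Q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip nat enable
int fastethernet0.2
 encapsulation dot1Q 2
 ip address 2.2.2.2 255.255.255.0
ip nat inside source list 110 interface fastethernet0.1 overload
access-list 110 permit ip 2.2.2.0 0.0.0.255 any log
"""

def parse(config):
    """Return ({interface: set of NAT styles}, [(style, rule line)])."""
    ifaces, rules, current = {}, [], None
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise indentation/spacing
        m = re.match(r"int(?:erface)?\s+(\S+)$", line, re.I)
        if m:
            current = m.group(1).lower()
            ifaces[current] = set()
        elif current and line in ("ip nat inside", "ip nat outside"):
            ifaces[current].add("classic")    # domain-based interface marker
        elif current and line == "ip nat enable":
            ifaces[current].add("nvi")        # NVI interface marker
        elif re.match(r"ip nat (inside|outside) source ", line):
            rules.append(("classic", line))
        elif line.startswith("ip nat source "):
            rules.append(("nvi", line))
    return ifaces, rules

def audit(config):
    """List mismatches between interface NAT style and translation rules."""
    ifaces, rules = parse(config)
    styles = set().union(*ifaces.values())
    findings = []
    for style, rule in rules:
        if style not in styles:               # assumption: styles do not mix
            findings.append(f"{style} rule, no {style} interface: {rule}")
    for name, used in ifaces.items():
        if len(used) > 1:
            findings.append(f"{name}: classic and nvi both set")
        elif not used and styles:
            findings.append(f"{name}: no NAT statement")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```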