[c-nsp] how NAT works from outside to inside

s m sam.gh1986 at gmail.com
Thu Apr 4 03:28:03 EDT 2013


Hello guys,

Thanks for your replies. Manuel, you are right; you explained exactly what
happened. I have two FreeBSD systems which are connected directly to a Cisco
2800 router.
I check packets on the FreeBSD systems with Wireshark, which is a network
protocol analyzer. In Wireshark I see packets as I mentioned: request packets
have type 8 (Echo ping request) and reply packets have type 0 (Echo ping
reply).

I know this behavior is unusual but it really happens to me!!! You mean
that Cisco acts normally? I mean, when NAT is defined from inside to outside,
outside systems should be able to ping inside systems? And packets should
be similar to below?

request packets:   src: 192.168.2.1  ----> dst: 192.168.1.1
reply packets:     src: 192.168.2.50 ----> dst: 192.168.2.1

You know, first of all it is so important for me to understand what the
correct behavior is, and then try to fix my problem in the FreeBSD box.

Thanks


On Mon, Apr 1, 2013 at 7:01 PM, Manuel Berrocal (mberroca) <
mberroca at cisco.com> wrote:

> Hi Sam,
>         This shouldn't be happening (as you are mentioning it).  So
> probably there are some details missing from your description that will
> explain this.
>         How are you seeing the source and destination addresses of the
> ping packets? (debug in router? Sniffer in each host? Etc)
>         What type are the ICMP packets? (you should be able to see this
> either on the sniffer or the debug... the types are:
> http://www.nthelp.com/icmp.html)
>         Are the source and destination hosts PCs connected to the router?
> (or are you using loopback interfaces, etc.)
>
>         The following link might help you
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
>
>         By the way, I understand that when you change the Cisco router for
> a FreeBSD system the host (192.168.2.1) seems to receive the same packet
> reply but now the host acts differently... this is not possible... the host
> shouldn't be able to tell whether the packet was sent from a Cisco router
> or a FreeBSD system (in both cases it receives src: 192.168.2.50---->
> dst:192.168.2.1 type=0 if it is a reply)... so we have something missing...
> if the host acts differently then these are different packets...  (The only
> difference would be the MAC address of the FreeBSD system and this
> should remind us of ARP but I won't go there if not required... this
> depends on your answers to the questions above)
>
> Regards,
> Manuel
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Thompson
> mthompson-at-brightsolid.com |puck.nether.net nsp|
> Sent: Sunday, March 31, 2013 7:00 AM
> To: Manuel Berrocal (mberroca); s m
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] how NAT works from outside to inside
>
> Date: Sat, 30 Mar 2013 13:17:00 +0430
> From: s m <sam.gh1986 at gmail.com<mailto:sam.gh1986 at gmail.com>>
> To: cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
> Subject: [c-nsp] how NAT works from outside to inside
> Message-ID:
>         <
> CAA_1SgGGNvk-dPbs+2osTnLSEDPUbxSZs3YTTfVfy0kN3+KcbA at mail.gmail.com<mailto:
> CAA_1SgGGNvk-dPbs%2B2osTnLSEDPUbxSZs3YTTfVfy0kN3%2BKcbA at mail.gmail.com>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello all,
>
> I am a newbie in NAT and I have some problem. I want to have a dynamic NAT
> and this is my topology:
>
> 192.168.1.1-----> cisco 2800 ------> 192.168.2.1
>
> and this is my configuration in the Cisco 2800:
>
> interface GigabitEthernet 0/0
> ip address 192.168.2.2 255.255.255.0
> ip nat outside
> ip virtual-reassembly in
> duplex auto
> speed auto
>
> interface GigabitEthernet 0/1
> ip address 192.168.1.2 255.255.255.0
> ip nat inside
> ip virtual-reassembly in
> duplex auto
> speed auto
>
> ip nat pool t 192.168.2.50 192.168.2.60 netmask 255.255.255.0
> ip nat inside source list 1 pool t
> access-list 1 permit any
>
> When I ping 192.168.2.1 from 192.168.1.1 (from inside to outside), every
> thing is OK and NAT is done correctly, but when I ping
> 192.168.1.1 from 192.168.2.1 (from outside to inside), the packets
> received in 192.168.2.1 are as below:
>
> request packets:   src: 192.168.2.1  ----> dst: 192.168.1.1
> reply packets:     src: 192.168.2.50 ----> dst: 192.168.2.1
>
> and the 192.168.2.1 system accepts these packets as its reply!!! I think this
> behavior is wrong, isn't it? How does it happen? Moreover, if I put a FreeBSD
> system instead of the Cisco, everything is the same except that
> 192.168.2.1 does not accept the reply packets as its reply (as I
> expected!!). Please let me know if the Cisco behavior is correct or not and,
> if it is correct, how does the Cisco router do that?
>
> Please help me if I am misunderstanding.
> Thanks in advance
>
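The headers quoted in this thread follow from how a dynamic "ip nat inside source list ... pool ..." rule is applied in each direction: an outside-to-inside packet has its destination untranslated only when that destination is an inside-global address already in the translation table, while an inside-to-outside packet that the access list permits gets a pool address as its new source, creating the table entry on the spot. The Python model below is an added example written for this archive page; it is not code from any poster, nor Cisco's implementation. It assumes that order of operations (as Cisco documents it), uses the addresses, pool and "permit any" list from the posted configuration, and the strict reply check at the end is a hypothetical host-side rule, not a description of how FreeBSD or any other ping actually matches replies.

```python
# Added example (not from the thread or from Cisco): a small model of
# Cisco-style dynamic inside-source NAT, used to reproduce the ping headers
# quoted in the thread. Addresses and pool come from the posted config.
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int  # 8 = echo request, 0 = echo reply
    ident: int      # ICMP identifier the sending host uses to match replies


def pool_range(first: str, last: str) -> list[str]:
    """Expand 'ip nat pool t 192.168.2.50 192.168.2.60' into its addresses."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


def permit_any(src: str) -> bool:
    """Stands in for 'access-list 1 permit any'."""
    return True


class DynamicInsideSourceNat:
    """Model of 'ip nat inside source list <acl> pool <pool>'.

    Entries map inside-local -> inside-global and are created only when a
    packet travels inside -> outside and the access list permits its source.
    """

    def __init__(self, pool: list[str], permit: Callable[[str], bool]) -> None:
        self.free = list(pool)            # inside-global addresses not yet allocated
        self.permit = permit              # the access list
        self.table: dict[str, str] = {}   # inside local -> inside global

    def inside_to_outside(self, pkt: Packet) -> Packet:
        # Inside -> outside: the packet is routed, then its source is translated.
        if pkt.src not in self.table:
            if not self.permit(pkt.src):
                return pkt                         # ACL denies: forwarded untranslated
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.table[pkt.src] = self.free.pop(0)  # dynamic entry created here
        return replace(pkt, src=self.table[pkt.src])

    def outside_to_inside(self, pkt: Packet) -> Packet:
        # Outside -> inside: the destination is untranslated only if it is an
        # inside-global address already in the table; anything else is routed as-is.
        for local, glob in self.table.items():
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        return pkt


def inside_pings_outside(nat: DynamicInsideSourceNat, inside: str, outside: str,
                         ident: int = 0x1234) -> tuple[Packet, Packet]:
    """Return (request as seen on the outside, reply as seen on the inside)."""
    req = nat.inside_to_outside(Packet(inside, outside, 8, ident))
    rep = nat.outside_to_inside(Packet(req.dst, req.src, 0, ident))  # outside host answers
    return req, rep


def outside_pings_inside(nat: DynamicInsideSourceNat, outside: str, inside: str,
                         ident: int = 0x1234) -> tuple[Packet, Packet]:
    """Return (request as seen on the inside, reply as seen on the outside)."""
    req = nat.outside_to_inside(Packet(outside, inside, 8, ident))
    rep = nat.inside_to_outside(Packet(req.dst, req.src, 0, ident))  # inside host answers
    return req, rep


def reply_source_matches(request: Packet, reply: Packet) -> bool:
    """Hypothetical strict check a pinging host could apply (an assumption of this
    example, not a claim about any real ping): the reply must be an echo reply,
    carry the request's identifier, and come from the address that was pinged."""
    return (reply.icmp_type == 0 and reply.ident == request.ident
            and reply.src == request.dst)


if __name__ == "__main__":
    pool = pool_range("192.168.2.50", "192.168.2.60")

    # The case from the thread: the outside host 192.168.2.1 pings 192.168.1.1.
    nat = DynamicInsideSourceNat(pool, permit_any)
    req, rep = outside_pings_inside(nat, "192.168.2.1", "192.168.1.1")
    print(f"request: src:{req.src} ----> dst:{req.dst} type={req.icmp_type}")
    print(f"reply:   src:{rep.src} ----> dst:{rep.dst} type={rep.icmp_type}")
    sent = Packet("192.168.2.1", "192.168.1.1", 8, rep.ident)
    print("strict host accepts reply:", reply_source_matches(sent, rep))
    print("translation table:", nat.table)
```

Run as-is, the script prints the same two header lines the original post shows for the outside-to-inside ping: the request reaches 192.168.1.1 untouched because 192.168.1.1 is not a pool address, and the echo reply leaves with source 192.168.2.50 because the reply is the first inside-to-outside packet from that host and "permit any" matches it. Swapping in inside_pings_outside reproduces the working inside-to-outside case, where the reply's destination 192.168.2.50 is mapped back to 192.168.1.1 by the entry the request created.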

