Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    Some of our customers use "extendable" at the end of the static NAT command.
    Could you please explain what it means?
    Thanks

  2. Hello Laz,
    I have a question regarding NAT. I am going to use the topology below for my question.

    In this topology, I have a 3560 switch that is acting as my edge device and is connected to the ISP through the Fa0/2 interface. Two firewalls and the edge switch are connected to the same segment (172.16.0.0/24) through the Layer 2 switch. ASA0 is using the 172.16.0.4 - 172.16.0.100 address block as the NATed IPs for some internal hosts that are using 10.0.0.0/24, and ASA1 is using the 172.16.0.101 - 172.16.0.200 address block as the NATed IPs for some other internal hosts that are using 10.10.0.0/24.

    Question:

    1) Let's say one of the internal hosts, 10.0.0.1, is being NATed to 172.16.0.10 on ASA0. When the edge switch sends out an ARP request to get the MAC address of the 172.16.0.10 IP address, how would ASA0 know it has to respond to the ARP request even though the IP is not attached to any interface? Why would ASA1 not respond to the same ARP request?

    2) Can ASA0 and ASA1 both use the same IP address (for instance 172.16.0.10) as a NATed IP for the internal hosts located behind them on different ports? [For instance, in ASA0 some internal IPs (10.0.0.1 - 10.0.0.10) are taking traffic on 172.16.0.10 on port 80, and in ASA1 some internal IPs (10.10.0.1 - 10.10.0.10) are taking traffic on the same IP 172.16.0.10 on port 443.]

    Thank you so much in advance.

  3. Hi @kayoutoure,

    With the ip nat inside source static command, you’ll need an inside local + inside global address. The inside local can be any address that is routable on the inside. For the inside global address, you can pick any IP address that falls within the network of any of your interfaces that has the ip nat outside command. Usually, you’ll pick the IP address on your outside interface, but this is not really required. For example, this also works:

    Let’s create a new loopback:

    R2(config)#interface loopback 0
    R2(config-if)#ip nat outside
    R2(config-if)#ip address 2.2.2.2 255.255.255.0
    
    R2(config)#ip nat inside source static 192.168.12.1 2.2.2.1
    

    2.2.2.1 belongs to the 2.2.2.0/24 network on loopback 0. Let’s enable a debug on R1:

    R1#debug ip packet
    IP packet debugging is on
    

    And do a quick ping:

    R3#ping 2.2.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms
    

    Which works:

    R1#
    IP: s=192.168.23.3 (GigabitEthernet0/1), d=192.168.12.1, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
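    The translation the reply above demonstrates, as an added example that is not part of the forum reply or of NetworkLessons' own material: a small Python model of R2's static NAT entry that replays the ping from R3 and shows why R1's debug sees a packet from 192.168.23.3 to 192.168.12.1, not to 2.2.2.1. The topology is reconstructed from the addresses in the reply; the interface subnets 192.168.12.0/24 (inside, towards R1) and 192.168.23.0/24 (outside, towards R3) are assumptions, as is the rule that the model refuses an inside global address that does not fall inside any "ip nat outside" network (the model enforces the reachability condition the reply describes; it does not claim IOS rejects the command).

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (assumption, reconstructed from the reply):
#   R1 192.168.12.1 -- [Gi0/1 192.168.12.2] R2 [Gi0/2 192.168.23.2, Lo0 2.2.2.2/24] -- R3 192.168.23.3
#   R2: ip nat inside on Gi0/1, ip nat outside on Gi0/2 and Loopback0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNat:
    """Minimal model of 'ip nat inside source static' on one router."""

    def __init__(self, outside_networks):
        # Subnets of every interface configured with 'ip nat outside'.
        self.outside_networks = [ipaddress.ip_network(n) for n in outside_networks]
        self.inside_to_global = {}  # inside local  -> inside global
        self.global_to_inside = {}  # inside global -> inside local

    def is_reachable_global(self, inside_global):
        # The inside global must belong to a network of an 'ip nat outside'
        # interface, otherwise nothing on the outside routes packets to it.
        addr = ipaddress.ip_address(inside_global)
        return any(addr in net for net in self.outside_networks)

    def add_static(self, inside_local, inside_global):
        if not self.is_reachable_global(inside_global):
            raise ValueError(f"{inside_global} is not in any ip nat outside network")
        if inside_global in self.global_to_inside:
            raise ValueError(f"{inside_global} is already used by a static entry")
        self.inside_to_global[inside_local] = inside_global
        self.global_to_inside[inside_global] = inside_local

    def outside_to_inside(self, pkt):
        # Packet arriving on an outside interface: rewrite the destination
        # (inside global -> inside local); unknown destinations pass untouched.
        return replace(pkt, dst=self.global_to_inside.get(pkt.dst, pkt.dst))

    def inside_to_outside(self, pkt):
        # Packet arriving on the inside interface: rewrite the source
        # (inside local -> inside global).
        return replace(pkt, src=self.inside_to_global.get(pkt.src, pkt.src))


def simulate_ping():
    """Replay 'R3#ping 2.2.2.1' through R2 and return what R1 and R3 see."""
    r2 = StaticNat(outside_networks=["192.168.23.0/24", "2.2.2.0/24"])
    r2.add_static("192.168.12.1", "2.2.2.1")  # ip nat inside source static 192.168.12.1 2.2.2.1

    echo = Packet(src="192.168.23.3", dst="2.2.2.1")   # R3 -> inside global
    seen_by_r1 = r2.outside_to_inside(echo)             # matches R1's debug line
    echo_reply = Packet(src=seen_by_r1.dst, dst=seen_by_r1.src)
    seen_by_r3 = r2.inside_to_outside(echo_reply)       # R3 sees the reply from 2.2.2.1
    return seen_by_r1, seen_by_r3


if __name__ == "__main__":
    r1_view, r3_view = simulate_ping()
    print(f"R1 sees: s={r1_view.src} d={r1_view.dst}")
    print(f"R3 sees: s={r3_view.src} d={r3_view.dst}")
```

    Running it prints `R1 sees: s=192.168.23.3 d=192.168.12.1`, the same addresses as the debug line in the reply, and `R3 sees: s=2.2.2.1 d=192.168.23.3`, which is why the ping from R3 succeeds even though 2.2.2.1 is configured on no interface. Swapping the loopback for a subnet that is not on any "ip nat outside" interface makes `add_static` raise, which is the failure mode to check for when a static entry "does not work".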

17 more replies! Ask a question or join the discussion by visiting our Community Forum