
Nat question on Cisco Routers

18 years 2 months ago #17519 by Smurf
Kewl, sort of clicking now.

Basically, you can have the subnets on the S0 interface as long as the ISP is routing the second subnet through the other subnet.

Like you said, the ISP would route the 192.168.2.2 through the 172.16.2.0/24 subnet which is on the router. I'm guessing then the router just knows it's on the same interface and just does some internal routing.

Thanks very much for everyone's help, I didn't realise you could do that; suppose this would get around the issue of having multiple subnets on one interface then :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 2 months ago #17520 by Dove
I don't understand why you are confused on this.

The NAT command you have mentioned is

ip nat inside source static 10.1.1.1 192.168.2.2


This command is only doing the mapping process. It's static NATing. It means whenever the packets come from the static IP 10.1.1.1 (source), the router will change the source IP to 192.168.2.2 (this is only for the outside world, not for the internal communication, so you need not worry about the subnet) in that packet header; then as usual the packet will be passed to the internet via the serial interface. In this case the NAT will be applied when the packets are fired out of the router's serial port.


If any of the traffic is coming from any other source then this NAT will not work for those packets, because of the static NAT.

If you still aren't clear on this please let me know, I'll try to answer in a different way.


Dove
18 years 2 months ago #17562 by Dove
Smurf, are you clear on this...? Or still in confusion..?


Dove
18 years 2 months ago #17565 by Smurf

This command is only doing the mapping process. It's static NATing. It means whenever the packets come from the static IP 10.1.1.1 (source), the router will change the source IP to 192.168.2.2 (this is only for the outside world, not for the internal communication, so you need not worry about the subnet) in that packet header; then as usual the packet will be passed to the internet via the serial interface. In this case the NAT will be applied when the packets are fired out of the router's serial port.


Hi Dove,

The command is simple enough and the NATting isn't the issue I am having. The thing I am struggling to understand is the basic routing around this. If you have a subnet (or IP address) of 192.168.2.2, how on earth are the packets routing, because the serial interface is on a different network? The way I think it is working now is that the ISP will route to the serial interface for the address 192.168.2.2 and then the router will know that it's physically attached.

I think I understand it all now, I was just struggling with the router not having any interface on the 192.168.2.0/24 network to route to, but it makes sense if it does in fact just route off the serial interface inside the router to 192.168.2.2.

Cheers for your time in answering this.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 2 months ago #17566 by Dove
Smurf,
What I understood when I read for the CCNA is as follows.

Let us take an example:

Comp1 --> E0 (*Router*) S0 --> internet

    Comp IP : 10.1.1.1  ; MAC : xx.xx.xx.xx
    E0 IP   : 10.1.1.10 ; MAC : yy.yy.yy.yy
    S0 IP   : 172.16.2.1; MAC : zz.zz.zz.zz
When Comp1 kicks off the packet to the internet, the packet will have the

    Source IP : 10.1.1.1 ; MAC : xx.xx.xx.xx
    Dest IP   : a.b.c.d  ; MAC : yy.yy.yy.yy
Once the packet reaches the router's E0, it will read the packet header (dest IP) and search in the routing table. Based on the routing table the router will decide that this packet has to go to the internet, and it will forward the packet to the WAN / S0 port and change the dest MAC address:

    Old Dest MAC : yy.yy.yy.yy
    New Dest MAC : zz.zz.zz.zz
Before forwarding it will check whether any access list / NAT is applied. If so, it will be applied.

Here the NAT will be applied because the condition given in the NAT statement is satisfied: the source IP is 10.1.1.1. Now it will change the source IP as follows:

    Old Source IP   : 10.1.1.1
    NATed Source IP : 192.168.2.2

Now the packet header will contain the following data:

    Source IP : 192.168.2.2
    Dest IP   : a.b.c.d
    Dest MAC  : zz.zz.zz.zz
So the router works with IP only externally, but it will use the MAC address to select the routing ports. Hence the dest MAC points to S0. Now the packet will be routed through S0.

This is what I understood. If it's wrong please advise me.

Hope this will give some more idea.


Dove
18 years 2 months ago #17570 by Smurf
Hi Dove,

I am not sure that's quite right. NAT doesn't get involved in MAC addresses, as this is at layer 2 of the OSI model. Every time a packet leaves a router, it needs to change the MAC address so that it can talk to either the computer or a further gateway for routing.

The thing that threw me with this NAT example in the Cisco Press book was where the new 192.168.2.2 address was coming from. I couldn't understand how that address routed, since the router didn't have any physical interfaces on that IP subnet (if you take a look at the Cisco config in the original post).

It only makes sense if somehow the router gets packets for this host address routed to its S0 interface, and then the router just knows that a packet from that host on the internet going to that 192.186.2.2 address needs translating, as it says in the NAT table :oops: Lol, just clicked now: if the S0 interface receives the packet on the 172.16.2.1 interface, the router sees the source/dest address in its NAT table and just knows that the packet is destined for 10.1.1.1 and NATs it back.

Ooooh, clever stuff, I was getting into too much detail about having to route to that subnet when it didn't need to, as long as the routers at the ISP know to send traffic for that subnet to 172.16.2.1.

Thanks everyone, but I get it now.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
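Dove's packet walk-through and Smurf's description of the return path can both be checked with a small simulation of what the router actually does. This is an added example, not code from the thread, from Cisco or from the Cisco Press book; it assumes the addressing quoted in the thread (Comp1 10.1.1.1 behind E0, S0 172.16.2.1 facing the ISP, and the mapping from `ip nat inside source static 10.1.1.1 192.168.2.2`), models the router as a longest-prefix routing table plus a static NAT table, and applies translation only when traffic crosses between the inside (E0) and outside (S0) interfaces. The ISP's own route for 192.168.2.0/24 towards 172.16.2.1 lives outside the router and is not modelled; the public address 203.0.113.7 standing in for "a.b.c.d" is a constructed value from a documentation range.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Addressing constructed from the thread: Comp1 10.1.1.1 behind E0,
# S0 172.16.2.1 facing the ISP, and the static mapping from
# "ip nat inside source static 10.1.1.1 192.168.2.2".
STATIC_NAT = {ip_address("10.1.1.1"): ip_address("192.168.2.2")}
REVERSE_NAT = {outside: inside for inside, outside in STATIC_NAT.items()}

# Routing table: the two connected networks plus a default route via S0.
# There is deliberately no entry for 192.168.2.0/24; the router never
# needs one, which is the point the thread was stuck on.
ROUTES = [
    (ip_network("10.1.1.0/24"), "E0"),
    (ip_network("172.16.2.0/24"), "S0"),
    (ip_network("0.0.0.0/0"), "S0"),
]
NAT_INSIDE = {"E0"}   # interfaces configured "ip nat inside"
NAT_OUTSIDE = {"S0"}  # interfaces configured "ip nat outside"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def pkt(src: str, dst: str) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst))


def route(dst: IPv4Address):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(matches)[1] if matches else None


def forward(p: Packet, ingress: str):
    """Return (egress_interface, packet_as_sent), or (None, None) if dropped.

    Order of operations as on a Cisco router: outside->inside translates the
    destination *before* the routing lookup, inside->outside translates the
    source *after* it. MAC rewriting is a layer-2 detail and plays no part here.
    """
    if ingress in NAT_OUTSIDE and p.dst in REVERSE_NAT:
        # The NAT table, not the routing table, "owns" 192.168.2.2: once the
        # destination is rewritten to 10.1.1.1 the normal connected route works.
        p = replace(p, dst=REVERSE_NAT[p.dst])
    egress = route(p.dst)
    if egress is None:
        return None, None
    if ingress in NAT_INSIDE and egress in NAT_OUTSIDE and p.src in STATIC_NAT:
        # Only the mapped inside host gets a new source; others leave untouched.
        p = replace(p, src=STATIC_NAT[p.src])
    return egress, p


if __name__ == "__main__":
    cases = [
        ("Comp1 to internet", pkt("10.1.1.1", "203.0.113.7"), "E0"),
        ("reply from internet", pkt("203.0.113.7", "192.168.2.2"), "S0"),
        ("other inside host", pkt("10.1.1.5", "203.0.113.7"), "E0"),
        ("unmapped address in ISP-routed block", pkt("203.0.113.7", "192.168.2.9"), "S0"),
    ]
    for label, p, ingress in cases:
        egress, out = forward(p, ingress)
        shown = f"{out.src} -> {out.dst}" if out else "dropped"
        print(f"{label:38} in {ingress} -> out {egress}: {shown}")
```

The fourth case is the caveat worth keeping in mind with this design: an inbound packet for an address in the ISP-routed block that has no NAT entry matches nothing but the default route, so the router hands it straight back out S0 towards the ISP that just sent it. A null route or an inbound access list on S0 for the unused part of 192.168.2.0/24 stops that bounce.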