Help with my Nat statements and the routing interface?
Hi guys, okay here are my questions. This is on a VPN edge router
and I am rusty on my NAT understanding somewhat. I know how to use NAT
but in my questions below I need understanding. Thanks
1. I was told we are routing the NAT pool so we can hide it from the public?
Is this true? Why do you use an ip route to Null0? What does that do?
And why use the NAT pool address space for Null0?
2. Okay. The NAT address is using a dynamic routing protocol below, but
I want to say the inside 192.158.250.0 has no routing anywhere?
I mean no interface on the router at all, not a physical nor a logical interface.
But what is more confusing is sometimes it does match an ip nat inside interface IP subnet,
but sometimes there is no trace of the ip nat inside IP subnet range on the router.
How can this be? I always thought the ip nat inside and outside had to have a logical or physical
reference, but the NAT pool has only BGP routing enabled but NO interface.
How can you have an IP subnet range and subnets without an actual interface?
But what is weird to me is sometimes the LAN side (ip nat inside) does match the
static 192.158.250.0 address type. Why is this?
Thanks guys, and any good labs and reading references would help me. Thank you.
Router 1 Type Cisco
ip nat pool CUST_POOL 165.25.128.193 165.25.128.254 netmask 255.255.255.192
ip nat inside source list nat-list pool CUST_POOL
ip nat inside source static 192.158.250 165.17.128.193
ip nat inside source static 192.158.103 165.17.128.194
ip nat inside source static 192.158.100 165.17.128.195
ip route 165.17.128.192 255.255.255.224 Null0
ip route 165.25.128.192 255.255.255.192 Null0
router bgp 65111
network 165.17.128.192 0.0.0.31
network 165.25.128.192 0.0.0.63
Comments
-
Fitzi (Member, Posts: 40)
I am not sure I totally understand both parts of your question, but for number 1 the static route to Null0 is there to allow BGP to advertise the network. This would be because these networks are not being learned from an IGP and are not directly connected to the router, so I assume that they are being added to the RIB with these static routes; BGP won't advertise a network that is not in the routing table.
For your second question, NAT has nothing specifically to do with a routing protocol. In your example you are confusing the networks being advertised by BGP with the static NAT assignments. Here the static NAT just says the 192.158.x.x addresses are the inside addresses being translated to the 165.17.x.x outside addresses.
From my understanding (like you said) the config would have an inside and outside address assigned to a physical or logical interface to determine where to apply the NAT. You did mention that this is part of a VPN configuration. I am taking this to mean that this is probably translating the subnet on the other end of the VPN, so maybe the NAT config is attached to the crypto map for the VPN? It's been a while since I configured any sort of NAT on a VPN and I don't remember exactly how this is done. -
Heero (Member, Posts: 486)
The static routes to Null0 are just there to allow you to redistribute the routes into BGP.
You don't need a physical interface reference in the actual NAT statement. As long as you put "ip nat inside" and "ip nat outside" on the correct interfaces, the router will know when a packet traversing the router needs NAT, and then it looks at the configured NAT entries to decide how to NAT it (if at all). -
itdaddy (Member, Posts: 2,089)
So Heero, you don't need the exact IP subnet on the inside interface? Just the words (ip nat inside) referencing the NAT statement? That is what bothered me. I would see it on some routers, and on some there was only an ip route to Null0 and it was also in the BGP network statement, but no local interface on the router, logical or physical, to reference it. Kind of threw me off??? But it did have the ip nat inside/ip nat outside statements. Like this: no actual reference to the inside anywhere, but many do have the same subnet on the inside LAN side, but some don't, and I don't understand how that works. My question is: where is the 192.158.250.x network interface? Normally it is on the inside LAN, but many times it is not, so where is it? And where is the 165.25.128.x network interface? How can you put these networks into BGP if there is no interface?
ip nat pool CUST_POOL 165.25.128.193 165.25.128.254 netmask 255.255.255.192
ip nat inside source list nat-list pool CUST_POOL
ip nat inside source static 192.158.250 165.17.128.193
ip nat inside source static 192.158.103 165.17.128.194
ip nat inside source static 192.158.100 165.17.128.195
ip route 165.17.128.192 255.255.255.224 Null0
ip route 165.25.128.192 255.255.255.192 Null0
router bgp 65111
network 165.17.128.192 0.0.0.31
network 165.25.128.192 0.0.0.63
interface Serial0/0/0
description AT&T AVPN - XYZbooboo
bandwidth 1536
ip address 10.14.8.85 255.255.255.252
ip accounting output-packets
ip nat outside
ip virtual-reassembly
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl both -
Fitzi (Member, Posts: 40)
You don't need a subnet on a connected interface to advertise it via BGP; the route just needs to be in the routing table. The static route to Null0 puts the route into the routing table, and this allows BGP to advertise it.
As Heero said, for the NAT part you need to have ip nat inside/outside on an interface to tell the router which interfaces to enable translation on. If there is no inside/outside statement, is it possible that the NAT pool and static NAT entries are just old configuration that was never removed? -
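To make the two answers concrete, here is an added Python model (not Cisco IOS code and not posted by anyone in the thread) of the rules Fitzi and Heero describe: a BGP network statement only advertises a prefix that is already in the RIB, which the Null0 static route provides, and NAT is triggered by ip nat inside/outside on the interfaces a packet crosses, not by the inside subnet being configured on an interface. The inside interface name, the inside host address and the contents of the nat-list ACL are assumptions.

```python
import ipaddress
# Constructed model of the two rules the replies describe; this is not Cisco IOS code.
# Rule 1: a BGP 'network' statement exports a prefix only if the RIB already holds it,
#         and a static route to Null0 is enough to put it there.
# Rule 2: NAT is decided by which interfaces carry 'ip nat inside' / 'ip nat outside',
#         not by whether the inside subnet sits on a local interface.

def build_rib(connected, statics):
    """Return {network: next_hop}; statics are (prefix, mask, next_hop) like 'ip route'."""
    rib = {ipaddress.ip_network(p, strict=False): iface for p, iface in connected}
    for prefix, mask, next_hop in statics:
        rib[ipaddress.ip_network(f"{prefix}/{mask}")] = next_hop
    return rib

def bgp_advertised(rib, network_stmts):
    """IOS 'network A W' gives a wildcard mask; invert it and require an exact RIB match."""
    out = []
    for addr, wildcard in network_stmts:
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if net in rib:                      # no RIB entry -> nothing is advertised
            out.append(str(net))
    return out

def nat_source(src, in_iface, out_iface, nat_roles, static_map, acl_nets, pool, leases):
    """Translate a packet's source address, or return it unchanged when no rule applies."""
    if nat_roles.get(in_iface) != "inside" or nat_roles.get(out_iface) != "outside":
        return src                          # only inside -> outside traffic is translated
    if src in static_map:
        return static_map[src]              # 'ip nat inside source static'
    if any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in acl_nets):
        if src not in leases:               # matched 'nat-list': hand out the next pool address
            leases[src] = pool[len(leases) % len(pool)]
        return leases[src]
    return src

if __name__ == "__main__":
    rib = build_rib([("10.14.8.85/30", "Serial0/0/0")],
                    [("165.17.128.192", "255.255.255.224", "Null0"),
                     ("165.25.128.192", "255.255.255.192", "Null0")])
    print(bgp_advertised(rib, [("165.17.128.192", "0.0.0.31"),
                               ("165.25.128.192", "0.0.0.63"),
                               ("192.158.250.0", "0.0.0.255")]))   # last one is not in the RIB
    roles = {"GigabitEthernet0/0": "inside", "Serial0/0/0": "outside"}  # assumed inside port
    pool = [str(h) for h in ipaddress.ip_network("165.25.128.192/26").hosts()]  # .193-.254
    leases = {}
    print(nat_source("192.158.250.10", "GigabitEthernet0/0", "Serial0/0/0", roles,
                     {"192.158.250.10": "165.17.128.193"},          # constructed static entry
                     ["192.158.0.0/16"], pool, leases))              # assumed nat-list contents
```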
itdaddy (Member, Posts: 2,089)
Thanks Fitzi, but what are the network statements for in BGP? I thought that put the route into the BGP system?
No, these are live interfaces. Just why isn't the source inside IP the same subnet as the ip nat inside? Can that be possible? -
Fitzi (Member, Posts: 40)
The network statement in the BGP config is there to tell BGP to advertise the route, but only if it is present in the routing table.
I just noticed that your Serial0/0/0 interface has the ip nat outside command on it, so that looks like the outside interface. What is the inside interface? I think you said that there wasn't one? What output do you get if you do a "sh run | i ip nat inside" or a "sh run | i ip nat"?