
NAT Basic question

satishtechsatishtech Member Posts: 243
In dynamic NAT, the NAT pool must match the IP subnet of the
router exit interface. This is mandatory as the packets cannot flow.
Am I correct?


Host-PC----(inside interface)Router(exit interface)193.100.10.1
[ Internet]

The NAT pool or the translated IPs must match the 193.100.10.0/24 subnet.
Am I correct?

Comments

    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    satishtech wrote: »
    The NAT pool or the translated IPs must match the 193.100.10.0/24 subnet.
    Am I correct?

    For it to work, yes, but that doesn't mean you couldn't configure it differently. Routing is generally (Policy Routing being the exception) destination-based, while NAT is generally (Policy NAT being the exception) source-based. I ran into a case where someone had configured static routes to direct traffic to Destination X out Interface B, but NAT was configured to translate traffic from Host C (who was trying to reach Destination X) to an address off Interface A. Traffic was not getting to Destination X until the static routes were removed.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    satishtechsatishtech Member Posts: 243
    ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
    ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24

    Thank you TechGuru, both the overload pool and the dynamic pool stay
    within the outside serial interface subnet range.

    Theodoxa: So there are scenarios where the translated packets' source IPs
    need not match the exit subnet range?
    theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    satishtech wrote: »
    Theodoxa: So there are scenarios where the translated packets' source IPs
    need not match the exit subnet range?

    They need to match or the traffic might be seen as a spoofing attack. If it somehow made it through (I've seen packets with RFC 1918 source IP Addresses make it across 3 different ISPs/ASes only to get dropped at the destination because there was no return route, so it is certainly possible), you would have asymmetric routing as the return traffic would be sent to the source IP listed in the packet.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    satishtechsatishtech Member Posts: 243
    For a connection to work, the IP subnets of the translated IP packets and the
    external interface IP subnet need to match. In situations where the subnets
    do not match, we should use static routes and route redistribution (to add routes).

    This video by Mr Keith CCIE illustrates this scenario.
    https://www.youtube.com/watch?v=qqEquf07fqY

    Would it be correct to add the translated inside global IP subnet to the
    OSPF networks and have OSPF advertise them? Would this be correct?
    networker050184networker050184 Mod Posts: 11,962 Mod
    No, the NAT pool does not have to come out of the same subnet on the outside interface.
    An expert is a man who has made all the mistakes which can be made.
    Magic JohnsonMagic Johnson Member Posts: 414
    theodoxa wrote: »
    For it to work, yes, but that doesn't mean you couldn't configure it differently. Routing is generally (Policy Routing being the exception) destination-based, while NAT is generally (Policy NAT being the exception) source-based. I ran into a case where someone had configured static routes to direct traffic to Destination X out Interface B, but NAT was configured to translate traffic from Host C (who was trying to reach Destination X) to an address off Interface A. Traffic was not getting to Destination X until the static routes were removed.

    This is a very good post with a very good example. Highlighted is a great little quick reminder for the exams (CCNA level).
    satishtechsatishtech Member Posts: 243
    Well, if the NAT pool subnet does not match the outside interface subnet,
    a routing configuration, such as static routes with maybe route redistribution,
    is required. This was done in the YouTube video link I posted above. I hope I
    am correct.
    In Packet Tracer configurations without some routing protocol/configuration
    configured for the NAT pool subnet, communication ends at the outside
    interface of the router doing the NATing, that is, ping does not work. This
    would be a routing problem.
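The point the thread converges on (the pool does not have to come from the exit interface's subnet, but the upstream router must have a route back to the inside global addresses, otherwise replies are dropped) can be checked with a small model. The following Python is an added example, not code from any poster or from Cisco IOS; the inside host address, the upstream ISP router, the Internet destination and the routing tables are constructed, and only the exit interface 193.100.10.1/24 and the pool 172.16.10.1-172.16.10.63 are taken from the thread.

```python
"""Toy model of dynamic NAT plus upstream return routing (constructed example)."""
import ipaddress

# Constructed topology, modelled on the thread's diagram:
# Host-PC --(inside)-- NAT router --(exit 193.100.10.1/24)-- ISP router -- Internet host
INSIDE_HOST = ipaddress.ip_address("10.1.1.10")          # constructed inside local address
NAT_EXIT_IF = ipaddress.ip_interface("193.100.10.1/24")  # exit interface from the question
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")     # constructed destination (TEST-NET-2)
CONNECTED = "connected"                                  # marker for a directly connected route

# Two constructed ISP routing tables: one with only the connected route for the
# exit subnet, one with an extra static route for the 172.16.10.0/24 pool pointing
# back at the NAT router (what the thread describes as "static routes" / redistribution).
ISP_CONNECTED_ONLY = {NAT_EXIT_IF.network: CONNECTED}
ISP_WITH_POOL_STATIC = {**ISP_CONNECTED_ONLY,
                        ipaddress.ip_network("172.16.10.0/24"): NAT_EXIT_IF.ip}


def build_pool(start, end):
    """Expand 'ip nat pool <name> <start> <end>' into the list of inside global addresses."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [ipaddress.ip_address(n) for n in range(first, last + 1)]


def lookup(routes, dst):
    """Longest-prefix match over a {network: next_hop} table; None means no route."""
    best = None
    for prefix, next_hop in routes.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def round_trip(pool_start, pool_end, isp_routes):
    """Send one packet from the inside host and try to get the reply back.

    Returns a short verdict string describing where the flow stopped.
    """
    pool = build_pool(pool_start, pool_end)

    # Outbound: dynamic NAT (no overload) binds the host to the first free pool address.
    translations = {INSIDE_HOST: pool[0]}          # inside local -> inside global
    outbound = {"src": translations[INSIDE_HOST], "dst": INTERNET_HOST}

    # The Internet host answers whatever source address it saw in the packet.
    reply = {"src": INTERNET_HOST, "dst": outbound["src"]}

    # The ISP router needs a route for that inside global address. A pool drawn from
    # the exit subnet is covered by the ISP's connected route; any other prefix needs
    # a static (or advertised) route whose next hop is the NAT router's exit address.
    route = lookup(isp_routes, reply["dst"])
    if route is None:
        return "dropped-at-isp-no-return-route"
    if route[1] != CONNECTED and route[1] != NAT_EXIT_IF.ip:
        return "misrouted-at-isp"

    # Back inside the NAT router, reverse the translation to the inside local host.
    reverse = {g: l for l, g in translations.items()}
    if reply["dst"] not in reverse:
        return "no-translation-entry"
    return "ok" if reverse[reply["dst"]] == INSIDE_HOST else "misdelivered"


if __name__ == "__main__":
    # Pool inside the exit subnet: works with nothing but the connected route.
    print(round_trip("193.100.10.10", "193.100.10.20", ISP_CONNECTED_ONLY))
    # Pool from the thread, outside the exit subnet: reply has nowhere to go.
    print(round_trip("172.16.10.1", "172.16.10.63", ISP_CONNECTED_ONLY))
    # Same pool once the ISP carries a route for it back to the NAT router.
    print(round_trip("172.16.10.1", "172.16.10.63", ISP_WITH_POOL_STATIC))
```

The model deliberately stops at the ISP's routing lookup; in practice an upstream that performs source-address validation (unicast RPF) would already drop the outbound packet whose source it has no route for, which is the "seen as a spoofing attack" behaviour theodoxa mentions, so the return-route check is the minimum condition, not the only one.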