NAT question

BennyLava, Member, Posts: 60
I've noticed that IOS enables virtual fragmentation reassembly ('ip virtual-reassembly') on an interface whenever you enter 'ip nat inside' or 'ip nat outside'. My initial guess was that this was because with PAT, non-initial fragments wouldn't be able to be translated without 'ip virtual-reassembly', because layer 4 information isn't available. After testing it out a bit, I found that non-initial fragments seem to be translated correctly even if I disable fragmentation reassembly, based on comparing the identification and protocol fields in the non-initial fragment to the initial fragment. Even if I delayed the initial fragment so that the non-initial arrived first, the PAT router would hold the non-initial fragment and wait to make the translation for both until the initial arrived:

*Jun 1 10:09:05.746: NAT: s=10.1.1.4->10.0.23.2, d=10.0.23.3 [0]
*Jun 1 10:09:05.866: NAT: s=10.0.23.3, d=10.0.23.2->10.1.1.4 [0]
*Jun 1 10:09:06.178: NAT: queued the packet s=10.1.1.4 d=10.0.23.3
*Jun 1 10:09:11.938: NAT: creating fragment 10.1.1.4 10.0.23.3 0 17 -- 4444 4444
*Jun 1 10:09:11.938: NAT: s=10.1.1.4->10.0.23.2, d=10.0.23.3 [0]
*Jun 1 10:09:11.946: NAT: fo 47, looking for fragment 10.1.1.4 10.0.23.3 0 17
*Jun 1 10:09:11.946: NAT: found fragment 10.1.1.4 10.0.23.3 0 17 -- 4444 4444
*Jun 1 10:09:11.946: NAT: s=10.1.1.4->10.0.23.2, d=10.0.23.3 [0]

What's the purpose of 'ip virtual-reassembly' with PAT if it seems to work fine without it, and can anyone give an example of where it is useful?
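The behaviour in the debug output above (a per-flow fragment entry keyed on source, destination, IP identification and protocol, with early non-initial fragments queued until the initial fragment has been translated) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not Cisco IOS code and not from the original poster; the packet fields, the `PatTranslator` class, the port-preservation rule and the log strings are constructed assumptions that only loosely imitate the `debug ip nat` lines. It also shows the case the post does not: a second inside host using the same source port, which forces PAT to allocate a different outside port.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of an IPv4 packet, reduced to the fields a PAT device
# needs. Only the initial fragment (frag_offset == 0) carries the L4 ports.
@dataclass
class IPPacket:
    src: str
    dst: str
    proto: int            # 17 = UDP, 6 = TCP
    ip_id: int            # IP identification field, shared by all fragments
    frag_offset: int      # in 8-byte units, as in the IP header
    more_fragments: bool  # MF flag
    src_port: Optional[int] = None  # None on non-initial fragments
    dst_port: Optional[int] = None


class PatTranslator:
    """Hypothetical inside-to-outside PAT that handles fragments without
    reassembling them, mirroring what the debug lines above suggest."""

    def __init__(self, outside_ip: str, first_dynamic_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_dynamic_port
        self.bindings = {}   # (inside_ip, inside_port, proto) -> outside port
        self.used_ports = set()
        self.fragments = {}  # (src, dst, ip_id, proto) -> outside port
        self.pending = {}    # same key -> non-initial fragments seen too early
        self.log = []

    def _bind(self, pkt: IPPacket) -> int:
        # Preserve the inside port when it is free (as 4444 -> 4444 above),
        # otherwise hand out the next free dynamic port.
        key = (pkt.src, pkt.src_port, pkt.proto)
        if key not in self.bindings:
            port = pkt.src_port
            if port in self.used_ports:
                while self.next_port in self.used_ports:
                    self.next_port += 1
                port = self.next_port
            self.used_ports.add(port)
            self.bindings[key] = port
        return self.bindings[key]

    def _rewrite(self, pkt: IPPacket, outside_port: int) -> IPPacket:
        out = replace(pkt, src=self.outside_ip)
        if pkt.frag_offset == 0:          # only the initial fragment has a port
            out.src_port = outside_port
        self.log.append(f"NAT: s={pkt.src}->{self.outside_ip}, d={pkt.dst}")
        return out

    def inside_to_outside(self, pkt: IPPacket) -> list:
        """Translate one packet; returns 0..n packets to forward."""
        fkey = (pkt.src, pkt.dst, pkt.ip_id, pkt.proto)
        if pkt.frag_offset == 0:
            port = self._bind(pkt)
            forwarded = [self._rewrite(pkt, port)]
            if pkt.more_fragments:
                # Remember the translation so later fragments can reuse it.
                # (Real IOS ages these entries out; this model never does.)
                self.fragments[fkey] = port
                self.log.append(f"NAT: creating fragment {pkt.src} {pkt.dst} "
                                f"{pkt.ip_id} {pkt.proto} -- {pkt.src_port} {port}")
                # Release any non-initial fragments that arrived first.
                for late in self.pending.pop(fkey, []):
                    forwarded.append(self._rewrite(late, port))
            return forwarded
        self.log.append(f"NAT: fo {pkt.frag_offset}, looking for fragment "
                        f"{pkt.src} {pkt.dst} {pkt.ip_id} {pkt.proto}")
        if fkey in self.fragments:
            self.log.append(f"NAT: found fragment {pkt.src} {pkt.dst} "
                            f"{pkt.ip_id} {pkt.proto}")
            return [self._rewrite(pkt, self.fragments[fkey])]
        # No L4 info and no entry yet: hold the fragment, as IOS did above.
        self.pending.setdefault(fkey, []).append(pkt)
        self.log.append(f"NAT: queued the packet s={pkt.src} d={pkt.dst}")
        return []


def reordered_fragment_demo() -> PatTranslator:
    """Replays the scenario from the post with constructed packets: the
    non-initial fragment (offset 47) reaches the PAT router first."""
    t = PatTranslator("10.0.23.2")
    late = IPPacket("10.1.1.4", "10.0.23.3", 17, 0, 47, False)
    first = IPPacket("10.1.1.4", "10.0.23.3", 17, 0, 0, True, 4444, 4444)
    t.inside_to_outside(late)    # queued, nothing forwarded
    t.inside_to_outside(first)   # binding created, both fragments released
    # A second inside host also using 4444 must get a different outside port.
    other = IPPacket("10.1.1.5", "10.0.23.3", 17, 7, 0, False, 4444, 4444)
    t.inside_to_outside(other)
    return t


if __name__ == "__main__":
    print("\n".join(reordered_fragment_demo().log))
```

The point the model makes explicit is that the fragment table is keyed on the IP header alone, so a PAT device can forward non-initial fragments without ever seeing their L4 header; what it cannot do without reassembly is inspect the fragmented datagram as a whole, which is where features layered on top of NAT (inspection, ACL matching on ports) need 'ip virtual-reassembly'.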