Why is NAT needed between interfaces.

dave.clark
Level 1

- Running version 9.6.1

- Have 2 interfaces called internal (10.1.1.x) and server -(192.168.1.x) both security level 100. 

Have ACL to allow port 22 traffic from 192.168.1.15 to 10.1.1.47

Packet tracer phase 6 fails with this error:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (internal,server) source dynamic Private-address-space-RFC1918 interface
Additional Information:

Why is a NAT required?

I can fix it with a NAT between the 2 where all traffic stays with original IPs... but my question is why is NAT even required? NAT-control is no longer required, and I thought nat statements were no longer required.

Thx

Dave

5 Replies

NAT is not required and in situations like these normally not used.

Did you configure "same-security permit inter-interface"? And what was your packet-tracer command?

Did you configure "same-security permit inter-interface"? = yes

packet tracer input server tcp 192.168.1.15 12345 10.1.1.47 524

With that given NAT command you can't access the internal device without an additional static NAT. Remove the NAT and make sure your packet-tracer matches your access-control (you say you have allowed port 22 but tested with 524).

It was port 22 in packet tracer... mistyped. Are you talking about this nat command: nat (internal,server) source dynamic Private-address-space-RFC1918 interface

Are you saying since that is there, I need to have a nat command for the return traffic? That's where it seems to fail, the traffic coming back...

Aditya Ganjoo
Cisco Employee

Hi,

You already have a NAT on these two interfaces so you need one to allow this traffic.

The issue is that the traffic is allowed to go out to the server interface but when it comes back it is matching the nat (internal,server) source dynamic Private-address-space-RFC1918 interface which it is not supposed to.

So to overcome that you need to create another NAT statement or modify the existing NAT if configured already.

Regards,

Aditya

Please rate helpful and mark correct answers
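The "another NAT statement" Aditya refers to, written out as an added example (not from the original thread): an identity twice-NAT for the two subnets, placed ahead of the existing dynamic rule so that both directions of the 192.168.1.15 to 10.1.1.47 SSH flow match it instead of the PAT rule. The object names internal-net and server-net are assumed.

```cisco
! Added example (not from the thread): identity twice-NAT for internal <-> server.
! Object names internal-net / server-net are assumed; adjust to the real config.
object network internal-net
 subnet 10.1.1.0 255.255.255.0
object network server-net
 subnet 192.168.1.0 255.255.255.0
!
! Line number 1 puts this rule ahead of the existing dynamic PAT rule in
! section 1, so a 10.1.1.x -> 192.168.1.x reply is matched here and keeps
! its real address instead of being translated to the server interface
! address (which is what makes the rpf-check fail in the question).
nat (internal,server) 1 source static internal-net internal-net destination static server-net server-net no-proxy-arp route-lookup
!
! The existing rule from the question stays below it:
! nat (internal,server) source dynamic Private-address-space-RFC1918 interface
!
! Re-run the trace with the port the ACL actually permits (22, not 524) and
! confirm the NAT phase now lists the identity rule with Result: ALLOW;
! "show nat detail" shows the hit counters moving on the new rule.
packet-tracer input server tcp 192.168.1.15 12345 10.1.1.47 22
show nat detail
```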
