NAT and Proxy ARP (?) on IOS

mpervere
Level 1

Hello -

I'm using an 831 to provide mixed static/dynamic NAT. As long as I use full dynamic NAT on the Interface IP address, I can pass traffic to the outside upstream router and beyond just fine. But, I need to provide a couple of static entries for specific hosts. When I create the statics, I see entries in the local ARP table for each of the hosts, but nothing upstream (on the outside) can find the static hosts. I see the NAT translations happening properly, so it would appear to be an ARP issue on the outside/upstream router.

Is there something specific I need to be doing to allow the router to proxy for these static entries? The outside router is part of a managed service, so I'm trying to avoid the need to add static routes to point those specific entries at the 831. But it seems IOS should be able to proxy ARP for them on the outside to avoid that being necessary.

Ideas?

Thanks in advance...

Mike

4 Replies

Richard Burts
Hall of Fame

Mike

If you think it is a problem with proxy ARP one thing that you can do is to verify that proxy ARP is enabled on the outside interface. (show ip interface and look for the line about proxy ARP)

From the description I am not convinced that it is a problem about proxy ARP. If I understand correctly your dynamic NAT is working ok and devices from your inside network have connectivity to the outside. But devices for which you static NAT do not have connectivity. Could you give us some specifics about how you have set up dynamic NAT and static NAT?

I am particularly interested in the addresses that you are translating into. Are the addresses for static NAT part of the same subnet that you are using for dynamic NAT? If they are not part of the same subnet, then is there something that tells the upstream devices where these addresses are located (that the upstream devices should forward to you to get to these addresses)?

HTH

Rick

Hi Rick -

I'm not convinced it's a proxy ARP issue either, as I've played with a lot of different permutations of interface, NAT and ARP configs trying to get it to work.

Basically what I've got is a physical interface on 192.168.255.9 (/24). I'm using that for the dynamic NAT ("ip nat inside source XXX interface XXX"). That part works cool.

Then I'm trying to set up a couple of static NATs on 192.168.255.12, 192.168.255.13 and 192.168.255.14. Whatever I do though, it seems the upstream router at 192.168.255.254 and local hosts at 192.168.255.10 and 192.168.255.11 don't want to recognize those static NATs. Everything looks good in my local ARP and NAT translation tables, so I know it's not something as stupid as having the NATs backward or something.

As I write this, I'm wondering if it might be something unique to the "interface" keyword or something along that line. When I feel like going back in there, maybe I'll try to move the dynamic NAT off the Interface onto a separate address.

Am I fundamentally missing something here, in thinking this SHOULD work?

Mike

Mike

I would probably look at the question of local hosts and the upstream router as potentially two different questions.

Are there local hosts that do recognize the static NAT? I would really expect that local hosts would more likely access by the local (untranslated) address.

You are defining 192.168.255.9 as a /24, are you sure that the upstream router is also defining it as /24? Do you have any access to the upstream router? If so the output of show ip route 192.168.255.12 might be interesting.

It might be helpful if you could post the appropriate parts of your router config.

HTH

Rick

Well, I got it to work, and it would indeed appear to be an ARP issue (didn't matter whether local host or upstream router). I tried switching the dynamic NATs off the interface, and even tried just putting a static NAT on the Interface. The only time the statics worked was if indeed they were static'ed to the interface address itself.

What did work, as much as I hate to do it that way, was adding each of the statics as a secondary IP address on the outside interface.

Oh well, I guess you can't argue with working...

Thanks!

Mike