Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
707
Views
0
Helpful
6
Replies

Strange NAT PAT problem

Go to solution
draganskundric
Level 1
Level 1

‎09-09-2015 01:58 AM - edited ‎03-05-2019 02:15 AM

I have following basic configuration of NAT

 

ip nat inside source static tcp 5.5.5.5 80 15.15.15.15 80 extendable
ip nat inside source static tcp 5.5.5.5 443 15.15.15.15 443 extendable

 

 

enda everything is wotking fine with these ports. Server is available on these two ports from outside interface. But .... what I try to connect to 5.5.5.5 using SNMP (udp/161), ROUTER REPLIES. So ... is this normal? That router responds to this?

 

thanks

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Martin Hruby
Level 1
Level 1
In response to draganskundric

‎09-09-2015 05:36 AM

Hello

And you are trying to connect via SNMP to 5.5.5.5 or 15.15.15.15 ?

I'm asking because by default the router will install the outside global address into the routing table as a directly connected (L /32) route on the NAT outside interface, if the outside global address is in the IP range of the outside NAT interface. This so called "alias" is used to answer ARP queries to the outside global address with the routers outside NAT interface's MAC address, and you can see it in the output of show ip alias and show arp. As a consequence then when you connect to this outside global IP 15.15.15.15 and the packet doesn't match a translation rule, the NAT router will handle it as destined to himself because the destination IP is directly connected according to the routing table and the destination MAC address is the outside NAT interface.

You can disable this behavior by using the no-alias keyword with your NAT translation rule, but then the router will not respond to ARP queries for 15.15.15.15.

I recommend you use an outside global address which is not in the IP range of your outside NAT interface.

Best regards,
Martin

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Martin Hruby
Level 1
Level 1

‎09-09-2015 04:55 AM

Hello

We need more information to be able to answer your question.

I assume 5.5.5.5 belongs to your server on the inside of the LAN.
Is the IP 15.15.15.15 configured on an interface of the router?
Are you trying to connect via SNMP from the router itself or from a device on the outside?
How does the router reach 5.5.5.5 (e.g. static route, or directly attached)?

Best regards,
Martin

0 Helpful

Go to solution
draganskundric
Level 1
Level 1
In response to Martin Hruby

‎09-09-2015 05:00 AM

Of course I do not have none of these IPs configured on router itself, and of course I am doing this SNMP test from outside

0 Helpful

Go to solution
Martin Hruby
Level 1
Level 1
In response to draganskundric

‎09-09-2015 05:36 AM

Hello

And you are trying to connect via SNMP to 5.5.5.5 or 15.15.15.15 ?

I'm asking because by default the router will install the outside global address into the routing table as a directly connected (L /32) route on the NAT outside interface, if the outside global address is in the IP range of the outside NAT interface. This so called "alias" is used to answer ARP queries to the outside global address with the routers outside NAT interface's MAC address, and you can see it in the output of show ip alias and show arp. As a consequence then when you connect to this outside global IP 15.15.15.15 and the packet doesn't match a translation rule, the NAT router will handle it as destined to himself because the destination IP is directly connected according to the routing table and the destination MAC address is the outside NAT interface.

You can disable this behavior by using the no-alias keyword with your NAT translation rule, but then the router will not respond to ARP queries for 15.15.15.15.

I recommend you use an outside global address which is not in the IP range of your outside NAT interface.

Best regards,
Martin

0 Helpful

Go to solution
draganskundric
Level 1
Level 1
In response to Martin Hruby

‎09-09-2015 05:41 AM

as I said in first post ... I am trying to connect to 5.5.5.5, this is outside IP. My router have loopback interface in this range, in this case for example 5.5.5.1

0 Helpful

Go to solution
draganskundric
Level 1
Level 1
In response to Martin Hruby

‎09-09-2015 05:48 AM

but ... this "alias" thing could be solution, will try it .... I do not arp on outside interface since it is point to pint wan link and router receives traffic as a router for outside network.

 

thanks

0 Helpful

Go to solution
alcidio.tembe1
Level 1
Level 1
In response to Martin Hruby

‎03-04-2016 12:49 AM

Dears

Greetings

I have almost the same problem but in my case I want to permit SNMP traffic but it only open to other ports, 80, 443, etc.

ip nat inside source static tcp 192.168.71.18 161 187.131.16.122 161 route-map SAITEC_STATIC extendable
ip nat inside source static udp 192.168.71.18 161 187.131.16.122 161 route-map SAITEC_STATIC extendable

Best Regards

Alcidio Tembe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card