
NAT again - I'm confused


pmesjar

Technical User
Mar 16, 2002
230
SK
As I said in my previous post, I'm new to NAT. I have this lab scenario set up:

Two routers connected together on 130.0.0.0/8 network. One router is doing NAT (s0 ip address 130.0.0.1, e0 ip address 192.100.30.0/24, treated as private and nat inside), the second is not (s0 ip address 130.0.0.2) and is treated as public connection. Here are their configurations:

Current configuration for router doing NAT:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router_nat
!
!
no ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0
ip address 192.100.30.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
no mop enabled
!
interface Ethernet1
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Serial0
ip address 130.0.0.1 255.0.0.0
ip access-group 100 out
no ip directed-broadcast
ip nat outside
no ip mroute-cache
!
interface Serial1
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
router eigrp 100
network 130.0.0.0
network 192.100.30.0
!
ip nat pool local 130.0.0.3 130.0.0.3 netmask 255.0.0.0
ip nat inside source list 1 pool local overload
no ip http server
ip classless
!
access-list 1 permit 192.100.30.0 0.0.0.255
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end


Current configuration for router not doing nat and treated as public network:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router_nonat
!
!
no ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 194.100.30.1 255.255.255.0
no ip directed-broadcast
!
interface Serial0
ip address 130.0.0.2 255.0.0.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
clockrate 250000
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
router eigrp 100
network 130.0.0.0
network 194.100.30.0
!
no ip http server
ip classless
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end

Now - I know that when packets are travelling inside to outside, first the routing table is checked for the destination and then translation occurs. When packets are travelling outside to inside, it is the other way (first translate, then route). The problem is maybe not with the configuration of NAT, but I'm able to ping from my "public" router and public hosts to hosts behind the router doing NAT, connected to e0 (nat inside). I think they should not be able to ping, only inside hosts should (and they can) - is there something wrong with my config? I know I have dynamic routing configured, so my outside "public" router knows about my private routes. But when I turn to static routing, such as "ip route 0.0.0.0 0.0.0.0 s0" on both routers, it has the same effect as when I leave dynamic routing on. Or maybe it should be working this way, but to block my outside "public" hosts from accessing inside, I would need to configure ACLs. This way it will be possible, but is it necessary? Isn't just configuring NAT supposed to be enough? Or is there a completely different solution to my problem?

I'm starting to think that I'm missing something small, but very important here. Please, I'll be very glad if you can help me. Peter Mesjar
CCNA, A+ certified
pmesjar@centrum.sk
 
I ran into same problem a few months ago. I fixed it with this:
-------------------------
router eigrp 100
passive-interface serial0
-------------------------
 
Thanks for refreshing my memory, inikis. I knew I had to disable updates somehow and forgot about this command. Will it work also with ACLs? I'm asking because something is telling me it will not - but maybe I'm wrong. Peter Mesjar
CCNA, A+ certified
pmesjar@centrum.sk
 
Why do both routers advertise network 192.100.30.0? Router2 shouldn't know of the existence of the 192.100.30.0 network because of NAT.

Normally setting the ser0/0 interface to passive means that that interface will not announce routes over that interface, but it will listen. This is not necessarily the case for EIGRP though. Look at this cisco doc.

 
passive-interface will be unaffected by your access-lists
 
Inikis, I know that passive interface will be unaffected by my access-list, I just want to know if I can achieve the same effect of passive interface command with the use of access-list. Something is telling me it cannot be done this way.

Baddos, I know my outside router should not know about my inside network (and that's what confused me about NAT) because of NAT, but it knows, and it knows it because of EIGRP. And when checking Cisco pages about NAT, all they say is that your NAT router should not advertise inside networks to outside. However, they do not say how to do this on their routers. One way is using passive interfaces, another might be using access-lists and restricting the contents of routing updates. But for now I do not know how to do it the other way. Maybe it is just a slight modification of ACL syntax. Peter Mesjar
CCNA, A+ certified
pmesjar@centrum.sk
 
Yes, you can achieve the same with an access-list.

----------------------------------
access-list 101 deny eigrp any any
----------------------------------
 
Thank you inikis, I'll try doing it both ways. But I think I've tried it with access-lists and it did not work. I have also put the ACL in the "out" direction on my serial interface (router nat outside). Then I read something about distribute lists, but don't have time right now to try those on my routers. Once again, thank you all. Peter Mesjar
CCNA, A+ certified
pmesjar@centrum.sk
 
If you remove the "network 192.100.30.0" statement from your router that should work too.
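The three fixes proposed in the replies (passive-interface, filtering the routing update, dropping the network statement) gathered into one IOS fragment for router_nat; this is an added example, not configuration from the thread. Access-list 10 is an assumed number; access-list 100 is the one router_nat's Serial0 already references with "ip access-group 100 out" but never defines in the posted config (an access-group pointing at an undefined list filters nothing).

```cisco
! Added example: keep 192.100.30.0/24 out of the EIGRP updates that
! router_nat sends toward router_nonat over Serial0. Apply ONE of A-C.
!
! Option A: make Serial0 passive. For EIGRP this also stops hellos,
! so the adjacency with router_nonat over 130.0.0.0/8 goes down
! (unlike RIP, where a passive interface still listens).
router eigrp 100
 network 130.0.0.0
 network 192.100.30.0
 passive-interface Serial0
!
! Option B: keep the EIGRP neighbour, but filter what is advertised
! out Serial0 with a distribute-list (ACL 10 is an assumed number).
access-list 10 deny   192.100.30.0 0.0.0.255
access-list 10 permit any
router eigrp 100
 network 130.0.0.0
 network 192.100.30.0
 distribute-list 10 out Serial0
!
! Option C: do not run EIGRP on Ethernet0 at all (the last reply).
router eigrp 100
 network 130.0.0.0
 no network 192.100.30.0
!
! Whichever option is used, NAT itself is not a filter: an outside
! packet addressed directly to 192.100.30.x has no translation entry
! and is just routed if a route exists. Defining access-list 100 as
! an INBOUND filter on the nat-outside interface makes the intent
! explicit. Inbound ACLs are checked before outside-to-inside
! translation, so replies to inside-initiated sessions still carry
! the pool address 130.0.0.3 when the list sees them.
access-list 100 permit ip any host 130.0.0.3
access-list 100 deny   ip any 192.100.30.0 0.0.0.255 log
access-list 100 permit ip any any
interface Serial0
 ip access-group 100 in
!
! Checks: on router_nonat, "show ip route 192.100.30.0" should now
! report that the subnet is not in the table; on router_nat,
! "show ip nat translations" should list only inside-initiated
! entries, and "show ip eigrp neighbors" shows whether option A
! dropped the adjacency as expected.
```

The final "permit ip any any" keeps EIGRP and the 130.0.0.0/8 link traffic working with option B; with option A it is only needed for non-routing traffic to the pool address.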
 