"Any" does work. What does not work is "any any" in the last line of the
access-list.
Cannot explain why though ...
Here it is labbed:
access-list 104 deny tcp host 192.168.14.1 eq bgp host 192.168.14.2
access-list 104 deny tcp host 192.168.14.2 eq bgp host 192.168.14.1
access-list 104 permit ip 192.168.15.0 0.0.0.255 any
(192.168.14.1 and 192.168.14.2 are the ebgp hosts, 192.168.15.0/24 is a
subnet in the inside network)
Doing a ping from the inside subnet:
r4#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 192.168.14.1:174 192.168.15.1:174 150.1.2.2:174 150.1.2.2:174
icmp 192.168.14.1:175 192.168.15.1:175 150.1.2.2:175 150.1.2.2:175
icmp 192.168.14.1:176 192.168.15.1:176 150.1.2.2:176 150.1.2.2:176
icmp 192.168.14.1:177 192.168.15.1:177 150.1.2.2:177 150.1.2.2:177
icmp 192.168.14.1:178 192.168.15.1:178 150.1.2.2:178 150.1.2.2:178
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.14.2 4 200 30 31 6 0 0 00:09:05 1 ---------------> UP for 9 minutes
NB: if you use "any any" in the last line of the access-list you get
r4#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 192.168.14.1:1030 192.168.14.1:45549 192.168.14.2:179 192.168.14.2:179
and then
r4#
*Mar 1 02:52:43.512: BGP: 192.168.14.2 open active, local address 192.168.14.1
*Mar 1 02:52:43.520: BGP: 192.168.14.2 open failed: Connection refused by remote host
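As an added illustration (not part of the thread), here is a small Python evaluator of IOS extended-ACL first-match semantics run against the post's access-list 104 and the two flows shown above, an inside-host ping and R4's own active BGP open; the port qualifiers sit where the post's lines put them (`eq bgp` on the source host of the deny entries). It assumes, as the post observes, that `ip nat inside source list` translates only flows the list permits.

```python
import ipaddress

# Constructed example: IOS ACL evaluation (first match wins, implicit deny)
# applied to the NAT access-list from the post and to its "any any" variant.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# Entry: (action, proto, src, src_wildcard, src_port, dst, dst_wildcard, dst_port)
# A None port means "any port"; proto "ip" matches every protocol.
ANY, ANY_WC = "0.0.0.0", "255.255.255.255"
ACL_104_POST = [
    ("deny",   "tcp", "192.168.14.1", "0.0.0.0",   179,  "192.168.14.2", "0.0.0.0", None),
    ("deny",   "tcp", "192.168.14.2", "0.0.0.0",   179,  "192.168.14.1", "0.0.0.0", None),
    ("permit", "ip",  "192.168.15.0", "0.0.0.255", None, ANY,            ANY_WC,    None),
]
# The variant the post says breaks the eBGP session: last line "permit ip any any".
ACL_104_ANY_ANY = ACL_104_POST[:2] + [
    ("permit", "ip", ANY, ANY_WC, None, ANY, ANY_WC, None),
]

def acl_action(acl, proto, src, sport, dst, dport):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, e_proto, e_src, e_swc, e_sport, e_dst, e_dwc, e_dport in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if not (wildcard_match(src, e_src, e_swc) and wildcard_match(dst, e_dst, e_dwc)):
            continue
        if e_sport is not None and e_sport != sport:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return action
    return "deny"

def nat_translates(acl, proto, src, sport, dst, dport):
    """NAT 'inside source list' translates only what the list permits."""
    return acl_action(acl, proto, src, sport, dst, dport) == "permit"

# Flows taken from the post's output (constructed tuples, not captured packets).
PING = ("icmp", "192.168.15.1", None, "150.1.2.2", None)          # inside host ping
BGP_OPEN = ("tcp", "192.168.14.1", 45549, "192.168.14.2", 179)    # R4's own BGP open

if __name__ == "__main__":
    for name, acl in (("post", ACL_104_POST), ("any any", ACL_104_ANY_ANY)):
        print(name, "ping:", nat_translates(acl, *PING), "bgp:", nat_translates(acl, *BGP_OPEN))
```

With the post's list the router's own BGP open is not translated, while with "permit ip any any" it is, matching the `sh ip nat tr` entry for 192.168.14.2:179 shown above.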
----- Original Message -----
From: "shha" <shha77@xxxxxxxxx>
To: "xprtofnet" <xprtofnet@xxxxxxxxx>
Cc: "Brian Dennis" <bdennis@xxxxxxxxxxxxxxxxxxxxxx>; "ccielab"
<ccielab@xxxxxxxxxxxxxx>
Sent: Friday, September 15, 2006 1:17 AM
Subject: Re: BGP with NAT
or add
ip nat inside source static tcp x.x.x.x 179 x.x.x.x 179
On 9/14/06, shha <shha77@xxxxxxxxx> wrote:
change access-list to point to inside network, don't use any to solve the
problem
On 9/14/06, xprtofnet <xprtofnet@xxxxxxxxx> wrote:
>
> this is also working..
>
> !
> ip nat pool a 220.0.0.1 220.0.0.1 netmask 255.255.255.0
> ip nat inside source list 1 pool a
> !
> access-list 1 permit any
>
>
>
> --- Brian Dennis < bdennis@xxxxxxxxxxxxxxxxxxxxxx>
> wrote:
>
> > What does your ACL look like?
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@xxxxxxxxxxxxxxxxxxxxxx
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > <http://www.internetworkexpert.com/>
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx
> > [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> > xprtofnet
> > Sent: Thursday, September 14, 2006 1:50 PM
> > To: xprtofnet; ccielab
> > Subject: Re: BGP with NAT
> >
> > got it---overload was doing port translation.
> >
> > following works---any other inputs are welcome
> >
> > on R1
> >
> > ip nat pool a 220.0.0.1 220.0.0.1 netmask 255.255.255.0 type rotary
> > ip nat inside source list 1 pool a
> >
> > --- xprtofnet <xprtofnet@xxxxxxxxx> wrote:
> >
> > > Folks,
> > >
> > > here is the scenario..
> > >
> > > Back-Bone_OUTSIDE_e0/2_R1-e0/0--INSIDE network
> > >
> > > R1 and BackBone has eBGP connection
> > >
> > > Inside Networks are NOT advertised to BackBone
> > >
> > > But communication needs to happen with Backbone and INSIDE network
> > >
> > > when I do this on R1 the eBGP session drops
> > >
> > > R1
> > > ip nat inside source list 1 interface e0/2 overload
> > >
> > > e0/2
> > > ip nat outside
> > >
> > > e0/1
> > > ip nat inside
> > >
> > > Any tips on how to keep BGP UP ? and have NAT working ?
> > >
> > > Thank you,
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam
> > protection around
> > > http://mail.yahoo.com
> > >
> > >
> >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html