23-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 23 Configuring Network Address Translation
NAT Policies on Cisco IOS Routers
Disabling the Payload Option for Overlapping Networks
Overlapping networks result when you assign an IP address to a device on your network that is already
legally owned and assigned to a different device on the Internet or outside network. Overlapping
networks can also result after the merger of two companies using RFC 1918 IP addresses in their
networks. These two networks need to communicate, preferably without your having to re-address all
their devices.
This communication is achieved as follows. The outside device cannot use the IP address of the inside
device because it is the same as the address assigned to itself (the outside device). Instead, the outside
device sends a Domain Name System (DNS) query for the inside device’s domain name. The source of
this query is the IP address of the outside device, which is translated to an address from a designated
address pool. The DNS server located on the inside network replies with the IP address associated with
the inside device’s domain name in the data portion of the packet. The destination address of the reply
packet is translated back to the outside device’s address, and the address in the data portion of the reply
packet is translated to an address from a different address pool. In this way, the outside device learns that
Table 23-2 Add/Edit NAT Static Rule Dialog Boxes (Continued)

Element – Description

Advanced – This section contains optional, advanced translation options.

Note: The Advanced options are available only when the Specify IP option is the selected method for defining the translated address(es).

No Alias – When selected, disables automatic aliasing for the global IP address translation.
If the NAT pool used as an inside global pool consists of addresses on an attached subnet, an alias is generated for that address so that the router can answer Address Resolution Protocol (ARP) requests for those addresses.
When deselected, global address aliases are permitted.

No Payload – When selected, prohibits an embedded address or port in the payload from being translated.
The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule.
You can disable this feature by selecting the No Payload option. Otherwise, embedded addresses and ports in the payload may be translated. See Disabling the Payload Option for Overlapping Networks, page 23-9 for more information.

Create Extended Translation Entry – When checked, extended translation entries (addresses and ports) are created in the translation table. This lets you associate multiple global addresses with a single local address. This is the default.
When this option is deselected, simple translation entries are created, allowing association of a single global address with the local address.

Note: This option is not available when Static Port is the chosen rule type.
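As an added illustration, not part of the Cisco guide or of Security Manager, the following Python models the payload translation described in the overlapping-networks section and in the No Payload row above: a constructed DNS reply from the inside server carries the inside device's local address in its A record, and the NAT step rewrites that embedded address to the global address (a single static mapping stands in for the address pool); with no_payload=True, the equivalent of selecting No Payload, the embedded address is left untouched. The hostname, the local address 10.1.1.5 and the global address 203.0.113.5 are constructed sample values.

```python
# Added illustration (not from the Cisco guide): what NAT 'payload' translation does to a DNS reply.
# The rule local 10.1.1.5 -> global 203.0.113.5 is a constructed assumption; the packet is built inline.
import ipaddress
import struct

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name, handling RFC 1035 compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1 + length

def translate_dns_payload(pkt: bytes, nat_rule: dict, no_payload: bool = False) -> bytes:
    """Rewrite A-record data in the answer section per nat_rule (local -> global).

    no_payload=True models the 'No Payload' option: the embedded address is left as-is.
    """
    if no_payload:
        return pkt
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                                   # DNS header is 12 bytes
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: 4-byte IPv4 address
            local = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            if local in nat_rule:
                out[off:off + 4] = ipaddress.IPv4Address(nat_rule[local]).packed
        off += rdlen
    return bytes(out)

def build_reply(name: str, addr: str) -> bytes:
    """Construct a minimal DNS response: one question and one A answer (name via compression pointer)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

def answer_address(pkt: bytes) -> str:
    """Read back the IPv4 address in the single answer's RDATA (last four bytes)."""
    return str(ipaddress.IPv4Address(pkt[-4:]))
```

Only the address inside the DNS data is touched here; the IP header translation of the reply's destination address, which the guide describes separately, is outside this model.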