I'm Bound to Pack it Up

Well overdue for a new entry I suppose.

Let's see... haven't posted anything networky for a while. Found out how to abuse NVIs recently while trying to find a way to make NAT TCP hairpinning work - aka tromboning, aka RFC5382, sec 7.2 - on an IOS router. Read: NOT an ASA or Pix-based-hellbox.
After doing the standard Route-Map, NAT-via-loopback-ala-NAT-on-a-stick-based-thing, I found it's ridiculously easy to do if your router supports NAT Virtual Interfaces (NVI).
That said, I can't say I understand what's actually happening or why this works. Documentation on what happens when you use NVI in this sort of a scenario, sans-VRF, is quite slim.

The scenario:
PAT on 172.16.0.1 for some TCP ports - say 80, 110, 443 - go to 192.168.0.250
192.168.0.10 needs to get to said TCP services at 192.168.0.250 via the external 172.16.0.1 address
NAT overload on fa0/0 for any other 192.168.0.0/24 hosts to the internets

Cue visual aid:

Cue pseudo code:

! Outside interface (holds the external address)
int fa0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat enable
!
! Inside interface (192.168.0.0/24 LAN)
int fa0/1
 ip address 192.168.0.254 255.255.255.0
 ip nat enable
 no ip redirects
!
! Static port forwards to 192.168.0.250
ip nat source static tcp 192.168.0.250 80 int fa0/0 80
ip nat source static tcp 192.168.0.250 443 int fa0/0 443
!
! Inside hosts eligible for overload (PAT)
access-list 10 permit 192.168.0.0 0.0.0.255
!
ip nat source list 10 int fa0/0 overload
!

Bam, instant hairpinning. Still need to work out exactly what's going on behind the scenes here. It makes some modicum of sense visualizing the resulting NVI interface as a fancy loopback, but there's certainly more to it than that. Either way, I'm sure it can't be good for a busy production network, but the further R&D will have to wait.
However, if your router doesn't support NVIs... yeah.
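
Added example (not from the original post, and not a trace of IOS NVI internals): a toy Python model of the hairpinning behaviour RFC 5382 sec 7.2 describes, using the scenario's addresses, showing why the client's source has to be rewritten as well as the destination. The class and function names and the PAT port numbers are assumptions made for illustration.

```python
# Toy model of TCP hairpinning; addresses taken from the scenario above.
from ipaddress import ip_address, ip_network

EXTERNAL = "172.16.0.1"                    # fa0/0 address
INSIDE = ip_network("192.168.0.0/24")      # what access-list 10 permits
STATIC = {(EXTERNAL, 80): ("192.168.0.250", 80),    # the two static forwards
          (EXTERNAL, 443): ("192.168.0.250", 443)}


class HairpinNat:
    def __init__(self, translate_source=True, first_port=1024):
        self.translate_source = translate_source
        self.next_port = first_port        # constructed PAT port pool
        self.sessions = {}                 # translated src -> (client, original dst)

    def forward(self, src, dst):
        """Client -> external address. Returns the (src, dst) the server sees."""
        new_dst = STATIC.get(dst, dst)
        new_src = src
        if self.translate_source and ip_address(src[0]) in INSIDE:
            new_src = (EXTERNAL, self.next_port)
            self.sessions[new_src] = (src, dst)
            self.next_port += 1
        return new_src, new_dst

    def reply(self, src, dst):
        """Server -> the source it saw. Returns (src, dst) as delivered to the
        client, plus whether the reply crossed the router at all."""
        if dst in self.sessions:           # addressed to the router: undo both
            client, original_dst = self.sessions[dst]
            return original_dst, client, True
        return src, dst, False             # same subnet: delivered on-link


def client_accepts(sent_to, reply_src):
    # A TCP stack only accepts replies from the endpoint it connected to.
    return sent_to == reply_src


def hairpin_works(translate_source):
    nat = HairpinNat(translate_source)
    client, target = ("192.168.0.10", 50000), (EXTERNAL, 80)
    seen_src, seen_dst = nat.forward(client, target)
    r_src, r_dst, via_router = nat.reply(seen_dst, seen_src)
    return client_accepts(target, r_src), seen_src[0], via_router
```

In this model, with source translation on, the server sees 172.16.0.1 as its peer, so its access logs and any source-based ACLs on it no longer distinguish internal clients that came in through the hairpin.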

Yay, networky stuff out of the way.

Context for the following conversation: Solarwinds Orion Network Performance Monitor. Atlas is the tool provided to create said maps.

Co-Worker says:
That's some pretty fancy shit for maps
You say:
eh?
Co-Worker says:
The BULK stuff that kinda looks like the visio diagrams
You say:
oh, yeah. makes it easier to follow if they're close to same-y
could be better, but Atlas is a peach.
Co-Worker says:
A peach?
You say:
top gear reference. supposedly albanian for a word that rhymes with blunt
more accurately... piçkë
kar would also suffice

Image courtesy CampinZz... Granted I was only shooting from just shy of 20 yards.

I both love and hate this song. Also, the video reminds me too much of Survivor which I despise.