dotson83
just joined
Topic Author
Posts: 5
Joined: Sat Sep 28, 2013 7:28 am

NAT without SPI

Mon Nov 04, 2013 6:18 am

Hello,

I actually have 2 questions that are kinda related.

Where I work we have several buildings joined together via metro ethernet. Each building has a 10.x IP address on the metro ethernet interface. The issue is I have noticed every single building is behind NAT even though the IP addresses are all private. The network administrator no longer works there and for now (and hopefully for later too) I'm taking over. We have had issues in the past with packets being randomly dropped etc. and I wonder if this could have something to do with it.

So my question is...

Is NAT (by NAT I mean srcnat on the metro ethernet interface) even needed on metro ethernet? I have always been taught to avoid it if possible. Also, there are zero firewall rules on these routers. Everything is wide open. This leads me to my next question.

I always thought srcnat would hide everything behind it but I can ping all computers on the network behind the NAT. Why is this possible? I thought I should have to set up a dstnat for each computer I wanted to be reachable.


Thanks for the help!
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: NAT without SPI

Mon Nov 04, 2013 9:16 pm

There is no generic answer to the question. Whether NAT is appropriate/desirable/to be avoided and what firewall rules should be in place depend on many details which have not been provided.

I suggest that you break the questions/problems down into discrete chunks and provide more background.
 
dotson83
just joined
Topic Author
Posts: 5
Joined: Sat Sep 28, 2013 7:28 am

Re: NAT without SPI

Mon Nov 04, 2013 9:43 pm

Ok, let me just rephrase the questions then:

1. How is it possible to be able to ping specific IP addresses behind a srcnat with masquerade enabled?

2. Supposing we have the most basic network in the world with no security needed, will metro ethernet work without using NAT assuming the IP addresses they give us are all private?

Thanks for the help!
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: NAT without SPI

Mon Nov 04, 2013 11:28 pm

Upload the IP Firewall config so that we can see what is actually configured. Metro Ethernet covers a broad range of implementations, so details are vendor-specific, but there are many implementations in which it would be perfectly possible not to use NAT. At its core, Metro Ethernet is, as the name suggests, providing a layer 2 network, so you can use all sorts of layer 3 (IP) configurations over it.