Re: OT:Nat on destination address

From: Christopher Van Heuveln (cvanheuv@xxxxxxxxx)
Date: Sun Sep 03 2000 - 19:25:23 GMT-3

Johnny,

I think I figured it out. The problem is apparently the packet
processing order, i.e. it's trying to route the packet before
translating it. There are roughly 18 steps that occur when a
packet enters a router; here are the ones affecting this problem:

Step 4 = inside to outside nat translation
Step 11 = IP forward setup and look for outbound interface
Step 14 = outside to inside nat translation

A typical NAT setup is going to translate inside source addresses
(Step 4), then determine how to forward the packet (Step 11).

Our setup is atypical because we're translating outside source
addresses. In this case it looks like a routing decision is going to
have to be made before the outside source address (actually the
destination address from rtrA's perspective) is translated, and since
rtrB doesn't have a route to 3.3.3.3 the packet is "unroutable" and
is dropped before it makes it to step 14.

I got it to work by adding a default route on rtrB:

ip route 0.0.0.0 0.0.0.0 10.10.10.2

<or>

ip route 3.3.3.3 255.255.255.255 10.10.10.2

...without one of these you'll see the packet being dropped on rtrB before
it's even translated:

00:21:19: IP: s=192.168.0.1 (Ethernet0), d=3.3.3.3, len 100, unroutable

After I added the def route:

00:20:39: NAT: s=192.168.0.1, d=3.3.3.3->2.2.2.2 [353]
00:20:39: IP: s=192.168.0.1 (Ethernet0), d=2.2.2.2 (Ethernet1), g=10.10.10.2, len 100, forward
00:20:39: NAT*: s=2.2.2.2->3.3.3.3, d=192.168.0.1 [353]
00:20:39: IP: s=3.3.3.3 (Ethernet1), d=192.168.0.1 (Ethernet0), g=192.168.0.1, len 100, forward

Hope this helped. I think the reason I haven't run into this problem before
is because I used it in live networks that already had default routes
pointing to outside interfaces.

Chris
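As an added illustration (not part of the original message), the toy model below walks a packet through the step order Chris describes: routing (step 11) happens on the still-untranslated destination, so rtrB needs a route for 3.3.3.3 before the outside-source translation (step 14) ever rewrites it to 2.2.2.2. The routing table and next-hop strings are constructed from Johnny's configs; they are assumptions, not router output.

```python
import ipaddress

# rtrB's only translation in the thread:
#   ip nat outside source static 2.2.2.2 3.3.3.3   (outside global -> outside local)
OUTSIDE_STATIC = {"2.2.2.2": "3.3.3.3"}

# Constructed approximation of rtrB's table before the fix: the two connected
# networks plus the 2.2.2.2/32 loopback learned via OSPF. Values are next hops.
RTRB_ROUTES = {
    "192.168.0.0/25": "connected Ethernet0",
    "10.10.10.0/24": "connected Serial1",
    "2.2.2.2/32": "10.10.10.2",
}
# The fix from the message: a default route or a host route for 3.3.3.3.
RTRB_FIXED = dict(RTRB_ROUTES, **{"3.3.3.3/32": "10.10.10.2"})

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None when unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def process(routes, src, dst, direction):
    """Run one packet through steps 4, 11 and 14 in the order the thread gives.
    Returns (verdict, src, dst, next_hop) as seen after step 14."""
    # Step 4: inside->outside translation of inside *source* addresses.
    # rtrB has no 'ip nat inside source' mapping, so nothing changes here.
    # Step 11: routing decision on the destination as it is right now.
    next_hop = lookup(routes, dst)
    if next_hop is None:
        return ("unroutable", src, dst, None)
    # Step 14: outside->inside translation of the *outside* address, which is
    # the destination on the way out and the source on the way back.
    if direction == "inside->outside":
        local_to_global = {local: glob for glob, local in OUTSIDE_STATIC.items()}
        dst = local_to_global.get(dst, dst)
    else:
        src = OUTSIDE_STATIC.get(src, src)
    return ("forward", src, dst, next_hop)
```

With the original table the ping from 192.168.0.1 to 3.3.3.3 comes back "unroutable", matching the first debug line above; with the host route added it is forwarded to 10.10.10.2 with the destination rewritten to 2.2.2.2, and the reply from 2.2.2.2 is rewritten back to 3.3.3.3.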

On Fri, Sep 01, 2000 at 03:35:26PM -0500, Johnny Dedon wrote:
> Chris
> Thanks for the help but I can't get it to work.
> I have the following in the lab:
>
> rtrA e0 ---------e0 rtrB s1--------s1rtrC
>
> rtrA has no ip routing with default-gateway set to rtrB's e0 address.
> rtrB has ip nat inside on e0
> ip nat outside on s1
> ip nat outside source static 2.2.2.2 3.3.3.3
> rtrC has loopback with address 2.2.2.2
> rtrB can ping 2.2.2.2 but can't ping 3.3.3.3 even if I source from the
> ethernet (inside). rtrA can ping the s1 address on rtrC but not the loopback
> with either 2.2.2.2 or 3.3.3.3
> Here are the configs
> rtrA
> no ip routing
> interface Ethernet0
> ip address 192.168.0.1 255.255.255.128
> ip default-gateway 192.168.0.2
>
>
> rtrB
> ip nat outside source static 2.2.2.2 3.3.3.3
> interface Ethernet0
> ip address 192.168.0.2 255.255.255.128
> ip nat inside
> interface Serial1
> ip address 10.10.10.1 255.255.255.0
> ip nat outside
> clockrate 56000
> router ospf 1
> network 10.10.10.0 0.0.0.255 area 0
> network 192.168.0.0 0.0.255.255 area 0
>
> rtrC
> interface Loopback0
> ip address 2.2.2.2
> interface Serial1
> ip address 10.10.10.2 255.255.255.0
> router ospf 1
> network 10.10.10.0 0.0.0.255 area 0
> network 2.2.2.2 0.0.0.0 area 0
> ip route 0.0.0.0 0.0.0.0 10.10.10.1
>
> Any ideas on what I am missing?
>
> All work and no play...
>
> Johnny Dedon
> Senior Staff Consultant
> Exodus Professional Services
> johnny.dedon@exodus.net
> www.exodus.net
> ----- Original Message -----
> From: "Christopher Van Heuveln" <cvanheuv@cisco.com>
> To: "Johnny Dedon" <jdedon@cohesive.com>
> Cc: "Groupstudy" <ccielab@groupstudy.com>
> Sent: Friday, September 01, 2000 11:52 AM
> Subject: Re: OT:Nat on destination address
>
>
> >
> > Yes. Use nat outside static. Here's an example from some
> > of my old notes:
> >
> >
> > * Remote server address used to be 3.3.3.3 but has changed to
> > 2.2.2.2
> >
> >
> > client 1.1.1.1 -- e0 rtrA s0 --------- s0 rtrB e0 2.2.2.2 server
> >
> > rtrA
> > ====
> > int e0
> > ip nat inside
> >
> > int s0
> > ip nat outside
> >
> > ip nat outside source static 2.2.2.2 3.3.3.3
> >
> >
> >
> > Now, when a client telnets to 3.3.3.3, rtrA will translate the *DST* address
> > to 2.2.2.2 and forward it out s0. Note that the local (inside) SRC address is
> > not translated.
> >
> >
> > Chris
> >
> >
> >
> > On Fri, Sep 01, 2000 at 10:56:51AM -0500, Johnny Dedon wrote:
> > > Guys,
> > > This is sort of off topic. Does anyone know if it is possible to Nat a
> > > destination address. Let me explain. I have workstations that have a proxy
> > > address hardcoded in their browser and now the proxy is gone and a new proxy
> > > on a different network should be used. I would like to advertise a route
> > > for the old proxy and then Nat the connections to the new address as they
> > > come in. Does anyone have any ideas on doing this or is it even possible?
> > >
> > > Johnny Dedon
> > > Senior Staff Consultant
> > > Exodus Professional Services
> > > johnny.dedon@exodus.net
> > > www.exodus.net
> > >
