Re: NAT scenario problem

From: Carlos G Mendioroz (tron@xxxxxxxxxxx)
Date: Wed Jun 26 2002 - 06:42:03 GMT-3

David,
watch it. There's no second phase routing involved...

The inside to outside is like this:

 If IPSec then check input Access list
 decryption - for CET (Cisco Encryption Technology) or IPSec
 check input access list
 check input rate limits
 input accounting
 inspect
 policy routing
 routing
 redirect to web cache
 NAT inside to outside (local to global translation)
 crypto (check map and mark for encryption)
 check output access list
 inspect
 tcp intercept
 encryption

"Ng, Kim Seng David (David)" wrote:
>
> You are right. It works with a static to 197.7.6.0/24. I guess this is the flow for packets going from the inside to the outside interface:
>
> 1) Routing (based on outside local)
> 2) Translate outside local to outside global
> 3) Routing (again based on outside global)
>
> Thanks
> David
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> Sent: Wednesday, June 26, 2002 1:17 AM
> To: Ng, Kim Seng David (David)
> Cc: ccielab@groupstudy.com
> Subject: Re: NAT scenario problem
>
> I think the problem lies in that you have no route to 197.7.6.0/24 at
> R2.
> And the inside to outside NAT happens after route determination.
> Just try a static at R2 pointing to to0 and see...
>
> Check http://www.cisco.com/warp/public/556/5.html
>
> Carlos
>
> "Ng, Kim Seng David (David)" wrote:
> >
> > Hi Group,
> >
> > I tried some NAT scenarios today and one part did not work as I expected. I
> > hope someone can help to verify. This is the config:
> >
> > R1-e0----------e0-R2-To0--------To0-R3-S0------------S0-R4-S1------------S0-R5
> >
> > R1 & R2 on 10.1.0.0/16 network. On the same interface to R1, R2 has a
> > secondary address of 197.7.9.0/24
> >
> > R2 & R3 on 197.7.8.0/24 network
> >
> > R3 & R4 on 197.7.7.0/24 network
> >
> > R4 & R5 on 10.2.0.0/16 network
> >
> > Routing protocol:
> > - All except R1 are running EIGRP. On R2, EIGRP is also activated on the secondary
> > address 197.7.9.0, but we make this interface (the one to R1) passive.
> > - R1 has a static route to 197.7.0.0 via e0 of R2
> >
> > NAT config:
> > All NAT is done on R2:
> >
> > ip nat inside source static 10.1.1.6 197.7.9.5 -> 10.1.1.6 is the IP address on R1's e0 interface
> > ip nat outside source static 10.2.2.4 197.7.6.2 -> 10.2.2.4 is the IP address on R5's s0 interface
> >
> > R2 e0 is configured "ip nat inside"
> > R2 To0 is configured "ip nat outside"
> >
> > Testing:
> >
> > From R1, I ping R4's s0 interface with no problem. The following is the debug ip nat.
> >
> > 08:18:26: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1786]
> > 08:18:26: NAT*: s=197.7.7.3, d=197.7.9.5->10.1.1.6 [1786]
> > 08:18:26: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1787]
> > 08:18:26: NAT*: s=197.7.7.3, d=197.7.9.5->10.1.1.6 [1787]
> > 08:18:27: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1788]
> >
> > However, when I tried to ping 197.7.6.2 (outside local address) from R1, R2
> > does not translate the address from 197.7.6.2 to 10.2.2.4 even though
> > I already specified it to translate to 10.2.2.4 as stated above. R1 will
> > report "unreachable" in its ping result as R2 does not have 197.7.6.0 in its
> > routing table. My question is why R2 does not translate that address?? Is
> > there a missing command?
> >
> > Next I ping 197.7.9.5, which is the inside global of R1's e0 interface, from R5.
> > The following is the debug ip nat translation as well as IP packet at R2.
> >
> > 08:28:39: NAT*: s=10.2.2.4->197.7.6.2, d=197.7.9.5 [1023]
> > 08:28:39: NAT*: s=197.7.6.2, d=197.7.9.5->10.1.1.6 [1023]
> > 08:28:39: IP: NAT enab = 1 trans = 0 flags = 80
> > 08:28:39: IP: s=10.1.1.6 (Serial1), d=197.7.6.2, len 100, unroutable
> > 08:28:39: IP: s=10.1.1.2 (local), d=10.1.1.6 (Serial1), len 56, sending
> > 08:28:41: NAT*: s=10.2.2.4->197.7.6.2, d=197.7.9.5 [1024]
> > 08:28:41: NAT*: s=197.7.6.2, d=197.7.9.5->10.1.1.6 [1024]
> > 08:28:41: IP: NAT enab = 1 trans = 0 flags = 80
> > 08:28:41: IP: s=10.1.1.6 (Serial1), d=197.7.6.2, len 100, unroutable
> > 08:28:41: IP: s=10.1.1.2 (local), d=10.1.1.6 (Serial1), len 56, sending
> >
> > It showed that 10.2.2.4 got translated only one way. R2 did not translate the
> > 197.7.6.2 to 10.2.2.4 in the return path even though it did in the forward
> > path.
> >
> > Hope someone can advise where I may have gone wrong.
> >
> > Thanks
> > David
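Added example, not part of this thread and not Cisco code: a small Python model of R2 that applies the order of operations Carlos lists above to the two pings in David's test. It assumes a simplified longest-prefix routing table, the interface names Ethernet0 and TokenRing0 standing in for R2's e0 and To0, and only the two static translations from the config; the routing-table entries are constructed from the topology description.

```python
import ipaddress

# Constructed, simplified model of R2 (assumption: follows the order of
# operations quoted in the thread, not Cisco IOS itself). Interface names
# are stand-ins for R2's e0 (inside) and To0 (outside).
INSIDE_IF, OUTSIDE_IF = "Ethernet0", "TokenRing0"

# ip nat inside source static 10.1.1.6 197.7.9.5   (inside local -> inside global)
INSIDE_STATIC = {"10.1.1.6": "197.7.9.5"}
# ip nat outside source static 10.2.2.4 197.7.6.2  (outside global -> outside local)
OUTSIDE_STATIC = {"10.2.2.4": "197.7.6.2"}

# R2's routing table as the thread describes it: connected and EIGRP
# prefixes, with no entry for 197.7.6.0/24 (constructed sample).
R2_ROUTES = {
    "10.1.0.0/16": INSIDE_IF,
    "197.7.9.0/24": INSIDE_IF,
    "197.7.8.0/24": OUTSIDE_IF,
    "197.7.7.0/24": OUTSIDE_IF,
    "10.2.0.0/16": OUTSIDE_IF,
}


def invert(mapping):
    """Swap keys and values of a one-to-one static NAT mapping."""
    return {v: k for k, v in mapping.items()}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inside_to_outside(routes, src, dst):
    """Packet entering on the inside interface.

    Routing runs first, on the untranslated destination (the outside
    *local* address). Only if a route exists does NAT translate
    inside local -> inside global and outside local -> outside global.
    Returns ((new_src, new_dst, egress), log) or (None, log).
    """
    egress = lookup(routes, dst)
    if egress is None:
        return None, f"IP: s={src} ({INSIDE_IF}), d={dst}, unroutable"
    new_src = INSIDE_STATIC.get(src, src)
    new_dst = invert(OUTSIDE_STATIC).get(dst, dst)
    return (new_src, new_dst, egress), f"NAT: s={src}->{new_src}, d={dst}->{new_dst} via {egress}"


def outside_to_inside(routes, src, dst):
    """Packet entering on the outside interface.

    NAT runs first (outside global -> outside local, inside global ->
    inside local), then routing uses the already-translated destination.
    """
    new_src = OUTSIDE_STATIC.get(src, src)
    new_dst = invert(INSIDE_STATIC).get(dst, dst)
    egress = lookup(routes, new_dst)
    if egress is None:
        return None, f"IP: s={new_src}, d={new_dst}, unroutable"
    return (new_src, new_dst, egress), f"NAT: s={src}->{new_src}, d={dst}->{new_dst} via {egress}"


def with_static_route(routes, prefix, iface):
    """Return a copy of the table with one static route added (the fix Carlos suggests)."""
    fixed = dict(routes)
    fixed[prefix] = iface
    return fixed


if __name__ == "__main__":
    # 1. R1 -> R4 s0: routable, so the inside static applies (matches the first debug).
    print(inside_to_outside(R2_ROUTES, "10.1.1.6", "197.7.7.3")[1])
    # 2. R1 -> 197.7.6.2: dropped in routing before NAT is ever consulted.
    print(inside_to_outside(R2_ROUTES, "10.1.1.6", "197.7.6.2")[1])
    # 3. Same packet once R2 has a static route for 197.7.6.0/24 out To0.
    fixed = with_static_route(R2_ROUTES, "197.7.6.0/24", OUTSIDE_IF)
    print(inside_to_outside(fixed, "10.1.1.6", "197.7.6.2")[1])
    # 4. R5 -> 197.7.9.5: NAT first, then routing on 10.1.1.6 (matches the second debug).
    print(outside_to_inside(R2_ROUTES, "10.2.2.4", "197.7.9.5")[1])
```

The model reproduces the asymmetry David saw: the outside-to-inside packet from 10.2.2.4 is translated and then routed, so it succeeds, while the inside-to-outside reply to 197.7.6.2 never reaches the NAT step because R2 has nothing matching 197.7.6.0/24 when routing runs. Adding the static route for the outside-local prefix is what makes the reverse translation possible, which is the check to apply whenever an outside source static seems to translate "only one way".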

This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:42 GMT-3