From: li jian hua (jasonli@xxxxxxxxx)
Date: Wed Jun 26 2002 - 07:11:19 GMT-3
About NAT, Routing TCP/IP V2 has a good chapter covering it, such as NAT with
route-map, etc.
It is worth reading the book: BGP, NAT, multicast, IOS features, IPv6, etc.
rgds
jason
At 06:42 2002-6-26 -0300, Carlos G Mendioroz wrote:
>David,
>watch it. There's no second phase routing involved...
>
>The inside to outside is like this:
>
> If IPSec then check input Access list
> decryption - for CET (Cisco Encryption Technology) or IPSec
> check input access list
> check input rate limits
> input accounting
> inspect
> policy routing
> routing
> redirect to web cache
> NAT inside to outside (local to global translation)
> crypto (check map and mark for encryption)
> check output access list
> inspect
> tcp intercept
> encryption
>
>
>"Ng, Kim Seng David (David)" wrote:
> >
> > You are right. It works with a static to 197.7.6.0/24. I guess this is
> > the flow for packets going from the inside to the outside interface:
> >
> > 1) Routing (based on outside local)
> > 2) Translate outside local to outside global
> > 3) Routing (again based on outside global)
> >
> > Thanks
> > David
> >
> > -----Original Message-----
> > From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
> > Sent: Wednesday, June 26, 2002 1:17 AM
> > To: Ng, Kim Seng David (David)
> > Cc: ccielab@groupstudy.com
> > Subject: Re: NAT scenario problem
> >
> > I think the problem lies in that you have no route to 197.7.6.0/24 at
> > R2.
> > And the inside to outside NAT happens after route determination.
> > Just try a static at R2 pointing to to0 and see...
> >
> > Check http://www.cisco.com/warp/public/556/5.html
> > Carlos,
> >
> > "Ng, Kim Seng David (David)" wrote:
> > >
> > > Hi Group,
> > >
> > > I tried some NAT scenarios today and one part did not work as I expected.
> > > I hope someone can help to verify. This is the config:
> > >
> > >
> > > R1-e0----------e0-R2-To0--------To0-R3-S0------------S0-R4-S1------------S0-R5
> > >
> > > R1 & R2 on 10.1.0.0/16 network. On the same interface to R1, R2 has a
> > > secondary address of 197.7.9.0/24
> > >
> > > R2 & R3 on 197.7.8.0/24 network
> > >
> > > R3 & R4 on 197.7.7.0/24 network
> > >
> > > R4 & R5 on 10.2.0.0/16 network
> > >
> > > Routing protocol:
> > > - All except R1 are running EIGRP. On R2, EIGRP is also activated on the
> > > secondary address 197.7.9.0, but we make this interface, which faces R1, passive.
> > > - R1 has a static route to 197.7.0.0 via e0 of R2
> > >
> > > NAT config:
> > > All NAT are done on R2:
> > >
> > > ip nat inside source static 10.1.1.6 197.7.9.5    -> 10.1.1.6 is the IP address on R1's e0 interface
> > > ip nat outside source static 10.2.2.4 197.7.6.2   -> 10.2.2.4 is the IP address on R5's s0 interface
> > >
> > > R2 e0 is configured "ip nat inside"
> > > R2 To0 is configured "ip nat outside"
> > >
> > > Testing:
> > >
> > > From R1, I ping R4's s0 interface with no problem. The following is the
> > > debug ip nat output.
> > >
> > > 08:18:26: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1786]
> > > 08:18:26: NAT*: s=197.7.7.3, d=197.7.9.5->10.1.1.6 [1786]
> > > 08:18:26: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1787]
> > > 08:18:26: NAT*: s=197.7.7.3, d=197.7.9.5->10.1.1.6 [1787]
> > > 08:18:27: NAT*: s=10.1.1.6->197.7.9.5, d=197.7.7.3 [1788]
> > >
> > > However, when I tried to ping 197.7.6.2 (outside local address) from R1,
> > > R2 did not translate the address from 197.7.6.2 to 10.2.2.4 even though
> > > I already specified it to translate to 10.2.2.4 as stated above. R1 will
> > > report "unreachable" in its ping result as R2 does not have 197.7.6.0 in
> > > its routing table. My question is why R2 does not translate that address?
> > > Is there a missing command?
> > >
> > > Next I ping 197.7.9.5, which is the inside global of R1's e0 interface,
> > > from R5. The following is the debug ip nat translation as well as the
> > > ip packet output at R2.
> > >
> > > 08:28:39: NAT*: s=10.2.2.4->197.7.6.2, d=197.7.9.5 [1023]
> > > 08:28:39: NAT*: s=197.7.6.2, d=197.7.9.5->10.1.1.6 [1023]
> > > 08:28:39: IP: NAT enab = 1 trans = 0 flags = 80
> > > 08:28:39: IP: s=10.1.1.6 (Serial1), d=197.7.6.2, len 100, unroutable
> > > 08:28:39: IP: s=10.1.1.2 (local), d=10.1.1.6 (Serial1), len 56, sending
> > > 08:28:41: NAT*: s=10.2.2.4->197.7.6.2, d=197.7.9.5 [1024]
> > > 08:28:41: NAT*: s=197.7.6.2, d=197.7.9.5->10.1.1.6 [1024]
> > > 08:28:41: IP: NAT enab = 1 trans = 0 flags = 80
> > > 08:28:41: IP: s=10.1.1.6 (Serial1), d=197.7.6.2, len 100, unroutable
> > > 08:28:41: IP: s=10.1.1.2 (local), d=10.1.1.6 (Serial1), len 56, sending
> > >
> > > It showed that 10.2.2.4 got translated only one way. R2 did not
> > > translate the 197.7.6.2 to 10.2.2.4 in the return path even though it
> > > did in the forward path.
> > >
> > > Hope someone can advise where I may have gone wrong.
> > >
> > > Thanks
> > > David
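The order of operations Carlos lists above (routing before NAT for inside-to-outside, NAT before routing for outside-to-inside) is enough to reproduce David's symptom: the packet to the outside local address 197.7.6.2 is dropped as unroutable because routing runs on the untranslated destination and R2 has no route for it, while R5's ping in the other direction translates fine because NAT runs before routing there. The Python model below is an added example written for this archive page, not code from the thread or from Cisco. R2's routing table, the interface names Ethernet0 and TokenRing0, and the function names are assumptions constructed from the thread's description of the topology; only the routing lookup and the translation step are modelled, since those are the steps the question turns on.

```python
import ipaddress

# Added example, not code from the thread or from Cisco. It models only the
# two steps that matter for David's question, routing and NAT translation, in
# the order IOS applies them for each direction (per the list Carlos gave):
#   inside -> outside: route on the untranslated destination, then translate
#   outside -> inside: translate first, then route on the translated destination

# R2's routing table, constructed from the thread's description (connected
# networks plus what EIGRP would learn). 197.7.6.0/24 is deliberately absent:
# that is the missing route Carlos identified.
R2_ROUTES = {
    "10.1.0.0/16": "Ethernet0",     # R1-R2 LAN (R2 e0, "ip nat inside")
    "197.7.9.0/24": "Ethernet0",    # secondary address on the same interface
    "197.7.8.0/24": "TokenRing0",   # R2-R3 (R2 To0, "ip nat outside")
    "197.7.7.0/24": "TokenRing0",   # R3-R4, learned via EIGRP
    "10.2.0.0/16": "TokenRing0",    # R4-R5, learned via EIGRP
}

# The same table after Carlos's suggested static route towards To0.
R2_ROUTES_WITH_STATIC = {**R2_ROUTES, "197.7.6.0/24": "TokenRing0"}

# The two static translations David configured on R2.
INSIDE_SOURCE_STATIC = {"10.1.1.6": "197.7.9.5"}   # inside local -> inside global
OUTSIDE_SOURCE_STATIC = {"10.2.2.4": "197.7.6.2"}  # outside global -> outside local

OUTSIDE_IF = "TokenRing0"


def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inside_to_outside(routes, src, dst):
    """Inside -> outside: routing runs first, on the untranslated (outside local)
    destination, and NAT runs afterwards. Returns (egress, new_src, new_dst)
    or a string saying why the packet was dropped."""
    egress = route_lookup(routes, dst)
    if egress is None:
        return f"unroutable: no route to {dst}"
    if egress != OUTSIDE_IF:
        return f"not translated: egress {egress} is not an outside interface"
    new_src = INSIDE_SOURCE_STATIC.get(src, src)            # inside local -> global
    local_to_global = {v: k for k, v in OUTSIDE_SOURCE_STATIC.items()}
    new_dst = local_to_global.get(dst, dst)                 # outside local -> global
    return (egress, new_src, new_dst)


def outside_to_inside(routes, src, dst):
    """Outside -> inside: NAT runs first, then routing on the translated destination."""
    new_src = OUTSIDE_SOURCE_STATIC.get(src, src)           # outside global -> local
    global_to_local = {v: k for k, v in INSIDE_SOURCE_STATIC.items()}
    new_dst = global_to_local.get(dst, dst)                 # inside global -> local
    egress = route_lookup(routes, new_dst)
    if egress is None:
        return f"unroutable: no route to {new_dst}"
    return (egress, new_src, new_dst)


def replay_thread():
    """The packets discussed in the thread, in the order David tried them."""
    return {
        "R1 ping R4 s0": inside_to_outside(R2_ROUTES, "10.1.1.6", "197.7.7.3"),
        "R1 ping 197.7.6.2": inside_to_outside(R2_ROUTES, "10.1.1.6", "197.7.6.2"),
        "R5 ping 197.7.9.5": outside_to_inside(R2_ROUTES, "10.2.2.4", "197.7.9.5"),
        "R1 ping 197.7.6.2 (with static)":
            inside_to_outside(R2_ROUTES_WITH_STATIC, "10.1.1.6", "197.7.6.2"),
    }


if __name__ == "__main__":
    for case, result in replay_thread().items():
        print(f"{case:35} {result}")
```

Running it reproduces each line of David's debug output in turn: the ping to R4 is translated and forwarded, the ping to 197.7.6.2 is dropped before NAT ever sees it, R5's ping is translated in both address fields and routed to Ethernet0 (and R1's reply to 197.7.6.2 then fails exactly like the second case, which is the "unroutable" line in the debug), and the same packet succeeds once the static route is present, with no second routing pass needed after translation.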
This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:42 GMT-3