RE: NAT translation problem

From: McClure, Allen (Allen.McClure@Tricon-Yum.Com)
Date: Fri Nov 01 2002 - 17:41:16 GMT-3


Try entering "no ip route-cache" on the interfaces with policy routing.
It's possible that you are fast switching packets and your policy
routing isn't seeing them. By process switching them, you ensure
that policy is applied.

Alternatively, you may be able to enable fast-switched policy routing,
but be aware that it doesn't work for set next-hop or set default.

Just a guess. Hope this helps.

Allen McClure
MCSE, CCNP, CCDP
YUM! Brands, Inc.
Sr. Network Analyst
NEW E-Mail - mailto:allen.mcclure@yum.com
972-338-7494

-----Original Message-----
From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
Sent: Friday, November 01, 2002 5:19 AM
To: Deepesh Chouhan
Cc: ccielab@groupstudy.com
Subject: RE: NAT translation problem

Hi Deepesh,

That's what I thought too. According to CCO
http://www.cisco.com/warp/public/556/5.html , for inside to outside,
routing should always take place before NAT.

However, from my test lab, it seems that if I use "match ip next-hop",
only the first try got a successful NAT, but any subsequent tries are not
working. But if I power cycle all the routers, it would work again for
another try.

Please see below...

I have a router called testrouter on the inside network (with IP 10.1.1.12).

testrouter#ping 207.36.65.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
testrouter#

RTA#sh ip nat translations
Pro  Inside global        Inside local         Outside local          Outside global
icmp 207.36.76.2:4643     10.1.1.12:4643       207.36.65.254:4643     207.36.65.254:4643
RTA#

******** so the first go works, now wait for the NAT translation timeout *****

*Mar 1 00:15:09.927 UTC: NAT: expiring 207.36.76.2 (10.1.1.12) icmp 4643(4643)

******** and if I try again from testrouter to initiate packets to outside ****

testrouter#ping 207.36.65.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
testrouter#

RTA#sh ip nat translations

RTA#

************* It is not getting translated anymore... **********

Cheers,
H.

--- Deepesh Chouhan <deepesh@cisco.com> wrote:
> Hi
>
> For inside: NAT always routes the packet and then NATs them. So I
> guess match ip next-hop will work for every packet.
>
> thanks
> deepesh
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > Of Hunt Lee
> > Sent: Thursday, October 31, 2002 7:57 PM
> > To: 'David C Prall'
> > Cc: 'ccielab@groupstudy.com'
> > Subject: RE: NAT translation problem
> >
> >
> > Then if the requirement says that I can't use "match ip address" nor
> > "match interface", then does anyone know how to achieve this ??
> >
> > The only one I can think of is "match ip next-hop", yet NAT only
> > works on the first few packets (which I couldn't understand). Has
> > anybody else had this problem before??
> >
> > br2.offline(config-route-map)#match ip next-hop ?
> > <1-99> IP access-list number
> > <1300-1999> IP access-list number (expanded range)
> > WORD IP standard access-list name
> > prefix-list Match entries of prefix-lists
> > <cr>
> >
> > Hunt
> >
> >
> > -----Original Message-----
> > From: David C Prall [mailto:dcp@dcptech.com]
> > Sent: Friday, 1 November 2002 12:49 PM
> > To: CCIE Lab Groupstudy.Com
> > Subject: RE: NAT translation problem
> >
> >
> > You need to use an extended access-list within your route-map that
> > defines the destination addresses. And you'll only need the match ip
> > address.
> >
> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note
> > 09186a0080
> > 093fca.shtml
> >
> > --
> > David C Prall dcp@dcptech.com http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
> > > Behalf Of Hunt Lee
> > > Sent: Thursday, October 31, 2002 9:14 PM
> > > To: 'ccielab@groupstudy.com'
> > > Subject: NAT translation problem
> > >
> > >
> > > I have configured a 3 routers EBGP (see picture below). What I am trying
> > > to achieve is that when a packet is forwarded to RTB, the packet
> > > will have a source address from 205.113.50.0/23; when a packet is
> > > forwarded to RTC, the packet must have a source address of
> > > 207.36.76.0/23.
> > >
> > > For going to RTB, I based this on saying if the outgoing interface
> > > for the packet is s0/0 (the int to RTB), then this packet must be
> > > for RTB (hence NAT range 205.113.50.0/23).
> > >
> > > As for going to RTC, I based this on if the Next-Hop IP for the
> > > packet is 207.36.65.254, then this packet destination must be for
> > > RTC (hence NAT range 207.36.76.0/23).
> > >
> > >      RTB       RTC
> > >         \     /
> > >           RTA
> > >            |
> > >      10.0.0.0/8 (Inside network)
> > >
> > > The thing is, for the packets towards RTB, the NAT works fine.
> > >
> > > But for the packets towards RTC, it works for the first few
> > > packets (i.e. I could see it on "show ip nat translations" & debug
> > > messages), but anytime after that (even when the NAT entries have
> > > expired), it would not be able to be NATed again.
> > >
> > > here's RTA config...
> > >
> > > interface FastEthernet0/0
> > >  description Inside NAT
> > >  ip address 10.1.1.1 255.255.0.0
> > >  ip nat inside
> > >  duplex auto
> > >  speed auto
> > > !
> > > interface Serial0/0
> > >  description to Outside ISP 1 - RTB
> > >  ip address 205.113.49.253 255.255.255.252
> > >  ip nat outside
> > >  clockrate 64000
> > > !
> > > interface Serial0/1
> > >  description to Outside ISP 2 - RTC
> > >  ip address 207.36.65.253 255.255.255.252
> > >  ip nat outside
> > >  clockrate 64000
> > > !
> > > ip nat pool PoolOne 205.113.50.1 205.113.51.254 netmask 255.255.254.0 type match-host
> > > ip nat pool PoolTwo 207.36.76.1 207.36.76.254 netmask 255.255.254.0 type match-host
> > > ip nat inside source route-map ISP1 pool PoolOne
> > > ip nat inside source route-map ISP2 pool PoolTwo
> > > !
> > > access-list 1 permit 10.0.0.0 0.255.255.255
> > > access-list 3 permit 207.36.65.254
> > > !
> > > route-map ISP2 permit 10
> > >  match ip address 1
> > >  match ip next-hop 3
> > > !
> > > route-map ISP1 permit 10
> > >  match ip address 1
> > >  match interface Serial0/0
> > >
> > >
> > > RTA#sh ip route
> > > Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
> > >        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> > >        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> > >        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> > >        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> > >        * - candidate default, U - per-user static route, o - ODR
> > >        P - periodic downloaded static route
> > >
> > > Gateway of last resort is not set
> > >
> > >      1.0.0.0/32 is subnetted, 1 subnets
> > > B       1.1.1.1 [20/0] via 205.113.49.254, 00:04:12
> > >      2.0.0.0/32 is subnetted, 1 subnets
> > > B       2.2.2.2 [20/0] via 207.36.65.254, 00:04:12
> > >      3.0.0.0/32 is subnetted, 1 subnets
> > > C       3.3.3.3 is directly connected, Loopback0
> > >      205.113.49.0/30 is subnetted, 1 subnets
> > > C       205.113.49.252 is directly connected, Serial0/0
> > >      207.36.65.0/30 is subnetted, 1 subnets
> > > C       207.36.65.252 is directly connected, Serial0/1
> > >      10.0.0.0/16 is subnetted, 1 subnets
> > > C       10.1.0.0 is directly connected, FastEthernet0/0
> > > RTA#
> > >
> > > Any help will be greatly appreciated.
> > >
> > > Regards,
> > > H.
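As an added worked example (editor's addition, not configuration from anyone in this thread), this is how RTA's NAT setup would look if it followed David Prall's suggestion of extended access lists keyed on destination, combined with Allen McClure's suggestion to process-switch the inside interface so the route-map is evaluated for every packet. It assumes that the 1.1.1.1 and 2.2.2.2 routes learned from RTB and RTC in the posted routing table stand in for the destinations behind each ISP; the access-list numbers 101 and 102 are chosen here and do not appear in the original post.

```cisco
! Added example; assumes 1.1.1.1 sits behind RTB (ISP1) and 2.2.2.2
! behind RTC (ISP2), per the "sh ip route" output in the thread.
! ACL numbers 101 and 102 are chosen for this example.
!
interface FastEthernet0/0
 description Inside NAT
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
 ! process-switch inside traffic so every packet, not just the
 ! first of a flow, is checked against the NAT route-maps
 no ip route-cache
!
interface Serial0/0
 description to Outside ISP 1 - RTB
 ip address 205.113.49.253 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description to Outside ISP 2 - RTC
 ip address 207.36.65.253 255.255.255.252
 ip nat outside
!
! Extended ACLs: source must be inside (10/8) AND destination must be
! behind the ISP whose pool is being assigned.
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 1.1.1.1
access-list 102 permit ip 10.0.0.0 0.255.255.255 host 2.2.2.2
!
ip nat pool PoolOne 205.113.50.1 205.113.51.254 netmask 255.255.254.0 type match-host
ip nat pool PoolTwo 207.36.76.1 207.36.76.254 netmask 255.255.254.0 type match-host
!
! One match clause per route-map: the ACL already encodes both ends.
route-map ISP1 permit 10
 match ip address 101
!
route-map ISP2 permit 10
 match ip address 102
!
ip nat inside source route-map ISP1 pool PoolOne
ip nat inside source route-map ISP2 pool PoolTwo
```

After changing the route-maps, run `clear ip nat translation *` so stale entries built under the old policy do not keep getting hit, then check `show ip nat translations` and `debug ip nat` from an inside host as in the test above. One caveat with the destination-keyed approach: the translation is no longer tied to the forwarding decision, so if BGP later reroutes 2.2.2.2 via RTB, packets would leave Serial0/0 with a 207.36.76.x source, which an ISP doing ingress source filtering may drop. `match interface`, as in the original ISP1 route-map, follows the actual exit interface instead and does not have that failure mode.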





This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:51 GMT-3