Re: NAT translation problem

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Fri Nov 01 2002 - 19:12:00 GMT-3


Hunt, Allen:

I've just labbed this and I think he (we?) have met a bug.
The thing "working" sometimes just got my attention (and yours, Allen)
because I've run into this kind of problem some times before.

Facts:
-problem happens when "next-hop" is used in route-map
  and cisco says this is supported at
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
-it works the first time, and continues to work until translation
  invalidation
-it then does not work, but you can make it work again by
  "clear ip cache"

But:
-it behaves the same even after turning "no ip route-cache" on
  the ethernet !?!?

(This is strange for me; last time I ran into something similar,
no ip route-cache solved it.)

FTR, I'm using c2600-jk9o3s-mz.122-10b.bin in the hub.

McClure, Allen wrote:
> Try entering "no ip route-cache" on the interfaces with policy routing.
> It's possible that you are fast switching packets and your policy
> routing isn't seeing them. By process switching them, you ensure
> that policy is applied.
>
> Alternatively, you may be able to enable fast-switched policy routing,
> but be aware that it doesn't work for set next-hop or set default.
>
> Just a guess. Hope this helps.
>
> Allen McClure
> MCSE, CCNP, CCDP
> YUM! Brands, Inc.
> Sr. Network Analyst
> NEW E-Mail - mailto:allen.mcclure@yum.com
> 972-338-7494
>
>
> -----Original Message-----
> From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
> Sent: Friday, November 01, 2002 5:19 AM
> To: Deepesh Chouhan
> Cc: ccielab@groupstudy.com
> Subject: RE: NAT translation problem
>
>
> Hi Deepesh,
>
> That's what I thought too. According to CCO
> http://www.cisco.com/warp/public/556/5.html , for inside to outside,
> routing should always take place before NAT.
>
> However, from my test lab, it seems that if I use "match ip next-hop",
> only the first try got successful NAT, but any subsequent tries are not
> working. But if I power cycle all the routers, it would work again for
> another try.
>
> Please see below...
>
> I have a router called testrouter on the inside network (with IP 10.1.1.12).
>
> testrouter#ping 207.36.65.254
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
> testrouter#
>
>
> RTA#sh ip nat translations
> Pro  Inside global       Inside local        Outside local         Outside global
> icmp 207.36.76.2:4643    10.1.1.12:4643      207.36.65.254:4643    207.36.65.254:4643
> RTA#
>
>
> ******** so the first go works, now wait for the NAT translation timeout
> *****
>
> *Mar 1 00:15:09.927 UTC: NAT: expiring 207.36.76.2 (10.1.1.12) icmp 4643(4643)
>
>
> ******** and if I try again from testrouter to initate packets to
> outside ****
>
> testrouter#ping 207.36.65.254
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
> testrouter#
>
>
>
> RTA#sh ip nat translations
>
> RTA#
>
> ************* It is not getting translated anymore... **********
>
>
> Cheers,
> H.
>
>
> --- Deepesh Chouhan <deepesh@cisco.com> wrote:
>
>>Hi
>
>>For inside: NAT always routes the packet and then NATs them. So I
>>guess match ip next-hop will work for every packet.
>>
>>thanks
>>deepesh
>>
>>
>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
>>>Of Hunt Lee
>>>Sent: Thursday, October 31, 2002 7:57 PM
>>>To: 'David C Prall'
>>>Cc: 'ccielab@groupstudy.com'
>>>Subject: RE: NAT translation problem
>>>
>>>
>>>Then if the requirement says that I can't use "match ip address" nor
>>>"match interface", then does anyone know how to achieve this ??
>>>
>>>The only one I can think of is "match ip next-hop", yet NAT only
>>>works on the first few packets (which I couldn't understand). Has
>>>anybody else had this problem before??
>>>
>>>br2.offline(config-route-map)#match ip next-hop ?
>>> <1-99> IP access-list number
>>> <1300-1999> IP access-list number (expanded range)
>>> WORD IP standard access-list name
>>> prefix-list Match entries of prefix-lists
>>> <cr>
>>>
>>>Hunt
>>>
>>>
>>>-----Original Message-----
>>>From: David C Prall [mailto:dcp@dcptech.com]
>>>Sent: Friday, 1 November 2002 12:49 PM
>>>To: CCIE Lab Groupstudy.Com
>>>Subject: RE: NAT translation problem
>>>
>>>
>>>You need to use an extended access-list within your route-map that
>>>defines the destination addresses. And you'll only need the match ip
>>>address.
>>>
>>>http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
>>>
>>>--
>>>David C Prall dcp@dcptech.com http://dcp.dcptech.com
>>>
>>>
>>>>-----Original Message-----
>>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
>>>>Behalf Of Hunt Lee
>>>>Sent: Thursday, October 31, 2002 9:14 PM
>>>>To: 'ccielab@groupstudy.com'
>>>>Subject: NAT translation problem
>>>>
>>>>
>>>>I have configured a 3-router EBGP setup (see picture below). What I
>>>>am trying to achieve is that when a packet is forwarded to RTB, the packet
>>>>will have a source address from 205.113.50.0/23; when a packet is
>>>>forwarded to RTC, the packet must have a source address of
>>>>207.36.76.0/23.
>>>>
>>>>For going to RTB, I based this on saying if the outgoing interface
>>>>for the packet is s0/0 (the int to RTB), then this packet must be
>>>>for RTB (hence NAT range 205.113.50.0/23).
>>>>
>>>>As for going to RTC, I based this on if the Next-Hop IP for the
>>>>packet is 207.36.65.254, then this packet destination must be for
>>>>RTC (hence NAT range 207.36.76.0/23).
>>>>
>>>>   RTB      RTC
>>>>     \      /
>>>>       RTA
>>>>        |
>>>>10.0.0.0/8 (Inside network)
>>>>
>>>>The thing is, for the packets towards RTB, the NAT works fine.
>>>>
>>>>But for the packets towards RTC, it works for the first few
>>>>packets (i.e. I could see it on "show ip nat translations" & debug
>>>>messages), but anytime after that (even when the NAT entries have
>>>>expired), it would not be able to be NATed again.
>>>>
>>>>here's RTA config...
>>>>
>>>>interface FastEthernet0/0
>>>> description Inside NAT
>>>> ip address 10.1.1.1 255.255.0.0
>>>> ip nat inside
>>>> duplex auto
>>>> speed auto
>>>>
>>>>interface Serial0/0
>>>> description to Outside ISP 1 - RTB
>>>> ip address 205.113.49.253 255.255.255.252
>>>> ip nat outside
>>>> clockrate 64000
>>>>
>>>>interface Serial0/1
>>>> description to Outside ISP 2 - RTC
>>>> ip address 207.36.65.253 255.255.255.252
>>>> ip nat outside
>>>> clockrate 64000
>>>>
>>>>ip nat pool PoolOne 205.113.50.1 205.113.51.254 netmask 255.255.254.0 type match-host
>>>>ip nat pool PoolTwo 207.36.76.1 207.36.76.254 netmask 255.255.254.0 type match-host
>>>>ip nat inside source route-map ISP1 pool PoolOne
>>>>ip nat inside source route-map ISP2 pool PoolTwo
>>>>
>>>>access-list 1 permit 10.0.0.0 0.255.255.255
>>>>access-list 3 permit 207.36.65.254
>>>>
>>>>route-map ISP2 permit 10
>>>> match ip address 1
>>>> match ip next-hop 3
>>>>!
>>>>route-map ISP1 permit 10
>>>> match ip address 1
>>>> match interface Serial0/0
>>>>
>>>>
>>>>RTA#sh ip route
>>>>Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
>>>>       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>>>>       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>>>>       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
>>>>       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
>>>>       * - candidate default, U - per-user static route, o - ODR
>>>>       P - periodic downloaded static route
>>>>
>>>>Gateway of last resort is not set
>>>>
>>>> 1.0.0.0/32 is subnetted, 1 subnets
>>>>B 1.1.1.1 [20/0] via 205.113.49.254, 00:04:12
>>>> 2.0.0.0/32 is subnetted, 1 subnets
>>>>B 2.2.2.2 [20/0] via 207.36.65.254, 00:04:12
>>>> 3.0.0.0/32 is subnetted, 1 subnets
>>>>C 3.3.3.3 is directly connected, Loopback0
>>>> 205.113.49.0/30 is subnetted, 1 subnets
>>>>C 205.113.49.252 is directly connected, Serial0/0
>>>> 207.36.65.0/30 is subnetted, 1 subnets
>>>>C 207.36.65.252 is directly connected, Serial0/1
>>>> 10.0.0.0/16 is subnetted, 1 subnets
>>>>C 10.1.0.0 is directly connected, FastEthernet0/0
>>>>RTA#
>>>>
>>>>Any help will be greatly appreciated.
>>>>
>>>>Regards,
>>>>H.
>>>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
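As an added illustration (this code is not from the thread, nor from Cisco), the following Python model applies the "route first, then NAT" order Deepesh describes to the RTA routing table, ACLs and route-maps Hunt posted, and reports which route-map and pool an inside-to-outside packet would be translated by. The route-map evaluation is a simplified model of IOS, treating a directly connected destination as its own next-hop is an assumption, and it models only the intended behaviour, not the cache symptom the thread reports.

```python
import ipaddress

# Transcribed from Hunt's RTA "sh ip route": prefix -> (next-hop, interface).
# None as next-hop marks a directly connected route.
ROUTES = {
    "1.1.1.1/32": ("205.113.49.254", "Serial0/0"),
    "2.2.2.2/32": ("207.36.65.254", "Serial0/1"),
    "205.113.49.252/30": (None, "Serial0/0"),
    "207.36.65.252/30": (None, "Serial0/1"),
    "10.1.0.0/16": (None, "FastEthernet0/0"),
}
# Standard ACLs 1 and 3 from the config, wildcard masks rewritten as prefixes.
ACLS = {1: ["10.0.0.0/8"], 3: ["207.36.65.254/32"]}
# Route-maps from the config: (name, match clauses, pool). All clauses must match.
ROUTE_MAPS = [
    ("ISP1", {"ip address": 1, "interface": "Serial0/0"}, "PoolOne"),
    ("ISP2", {"ip address": 1, "next-hop": 3}, "PoolTwo"),
]

def acl_permits(acl, addr):
    """True if the standard ACL permits the address (implicit deny otherwise)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in ACLS[acl])

def lookup(dst):
    """Longest-prefix match -> (next_hop, interface), or None if unrouted.
    Assumption: for a connected route the destination itself is the next-hop."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, (nh, ifc) in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh or dst, ifc)
    return None if best is None else best[1:]

def select_pool(src, dst):
    """Route first, then evaluate route-maps in order; return (map, pool) or None."""
    route = lookup(dst)
    if route is None:
        return None  # no route and no gateway of last resort: never reaches NAT
    next_hop, iface = route
    for name, clauses, pool in ROUTE_MAPS:
        checks = {
            "ip address": lambda acl: acl_permits(acl, src),
            "interface": lambda want: iface == want,
            "next-hop": lambda acl: acl_permits(acl, next_hop),
        }
        if all(checks[kind](arg) for kind, arg in clauses.items()):
            return name, pool
    return None  # no route-map matched: packet leaves untranslated
```

A ping from 10.1.1.12 to 207.36.65.254 resolves to next-hop 207.36.65.254 on Serial0/1, so ISP2/PoolTwo is selected, matching the translation Hunt saw on the first attempt.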


This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:51 GMT-3