From: Deepesh Chouhan (deepesh@cisco.com)
Date: Tue Nov 05 2002 - 22:54:37 GMT-3
Hi
Can you try: after it times out and pings (without NAT translation), can you do show inter
<intf> stat
Which counters are getting incremented (route-cache - ??)
Alternatively, turn cache off using no ip route-cache on interface
thanks
deepesh
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Hunt Lee
> Sent: Friday, November 01, 2002 3:19 AM
> To: Deepesh Chouhan
> Cc: ccielab@groupstudy.com
> Subject: RE: NAT translation problem
>
>
> Hi Deepesh,
>
> That's what I thought too. According to CCO
> http://www.cisco.com/warp/public/556/5.html , for inside to outside, routing
> should always take place before NAT.
>
> However, from my test lab, it seems that if I use "match ip next-hop", only the
> first try gets successful NAT, but any subsequent tries are not working. But if I
> power cycle all the routers, it would work again for another try.
>
> Please see below...
>
> I have a router called testrouter on the inside network (with IP 10.1.1.12)
>
> testrouter#ping 207.36.65.254
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
> testrouter#
>
>
> RTA#sh ip nat translations
> Pro Inside global Inside local Outside local Outside global
> icmp 207.36.76.2:4643 10.1.1.12:4643 207.36.65.254:4643 207.36.65.254:4643
> RTA#
>
>
> ******** so the first go works, now wait for the NAT translation timeout *****
>
> *Mar 1 00:15:09.927 UTC: NAT: expiring 207.36.76.2 (10.1.1.12) icmp 4643(4643)
>
>
> ******** and if I try again from testrouter to initiate packets to outside ****
>
> testrouter#ping 207.36.65.254
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 207.36.65.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
> testrouter#
>
>
>
> RTA#sh ip nat translations
>
> RTA#
>
> ************* It is not getting translated anymore... **********
>
>
> Cheers,
> H.
>
>
> --- Deepesh Chouhan <deepesh@cisco.com> wrote:
> > Hi
> >
> > For inside : NAT always routes the packet and then NATs them. So I guess
> > match ip next hop will work for every packet
> >
> > thanks
> > deepesh
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Hunt Lee
> > > Sent: Thursday, October 31, 2002 7:57 PM
> > > To: 'David C Prall'
> > > Cc: 'ccielab@groupstudy.com'
> > > Subject: RE: NAT translation problem
> > >
> > >
> > > Then if the requirement says that I can't use "match ip address" nor "match
> > > interface", then does anyone know how to achieve this ??
> > >
> > > The only one I can think of is "match ip next-hop", yet NAT only works on
> > > the first few packets (which I couldn't understand). Has anybody else had
> > > this problem before??
> > >
> > > br2.offline(config-route-map)#match ip next-hop ?
> > > <1-99> IP access-list number
> > > <1300-1999> IP access-list number (expanded range)
> > > WORD IP standard access-list name
> > > prefix-list Match entries of prefix-lists
> > > <cr>
> > >
> > > Hunt
> > >
> > >
> > > -----Original Message-----
> > > From: David C Prall [mailto:dcp@dcptech.com]
> > > Sent: Friday, 1 November 2002 12:49 PM
> > > To: CCIE Lab Groupstudy.Com
> > > Subject: RE: NAT translation problem
> > >
> > >
> > > You need to use an extended access-list within your route-map that defines
> > > the destination addresses. And you'll only need the match ip address.
> > >
> > > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> > >
> > > --
> > > David C Prall dcp@dcptech.com http://dcp.dcptech.com
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > Hunt Lee
> > > > Sent: Thursday, October 31, 2002 9:14 PM
> > > > To: 'ccielab@groupstudy.com'
> > > > Subject: NAT translation problem
> > > >
> > > >
> > > > I have configured a 3-router EBGP (see picture below). What I am trying
> > > > to achieve is that when a packet is forwarded to RTB, the packet will have a
> > > > source address from 205.113.50.0/23; when a packet is forwarded to
> > > > RTC, the packet must have a source address of 207.36.76.0/23.
> > > >
> > > > For going to RTB, I based this on saying if the outgoing interface for
> > > > the packet is s0/0 (the int to RTB), then this packet must be for RTB
> > > > (hence NAT range 205.113.50.0/23).
> > > >
> > > > As for going to RTC, I based this on if the Next-Hop IP for the packet
> > > > is 207.36.65.254, then this packet destination must be for RTC (hence
> > > > NAT range 207.36.76.0/23).
> > > >
> > > >      RTB     RTC
> > > >        \     /
> > > >          RTA
> > > >           |
> > > >   10.0.0.0/8 (Inside network)
> > > >
> > > > The thing is, for the packets towards RTB, the NAT works fine.
> > > >
> > > > But for the packets towards RTC, it works for the first few packets (i.e. I
> > > > could see it on "show ip nat translations" & debug messages), but anytime
> > > > after that (even when the NAT entries have expired), it would not be
> > > > able to be NATed again.
> > > >
> > > > here's RTA config...
> > > >
> > > > interface FastEthernet0/0
> > > > description Inside NAT
> > > > ip address 10.1.1.1 255.255.0.0
> > > > ip nat inside
> > > > duplex auto
> > > > speed auto
> > > >
> > > > interface Serial0/0
> > > > description to Outside ISP 1 - RTB
> > > > ip address 205.113.49.253 255.255.255.252
> > > > ip nat outside
> > > > clockrate 64000
> > > >
> > > > interface Serial0/1
> > > > description to Outside ISP 2 - RTC
> > > > ip address 207.36.65.253 255.255.255.252
> > > > ip nat outside
> > > > clockrate 64000
> > > >
> > > > ip nat pool PoolOne 205.113.50.1 205.113.51.254 netmask 255.255.254.0 type match-host
> > > > ip nat pool PoolTwo 207.36.76.1 207.36.76.254 netmask 255.255.254.0 type match-host
> > > > ip nat inside source route-map ISP1 pool PoolOne
> > > > ip nat inside source route-map ISP2 pool PoolTwo
> > > >
> > > > access-list 1 permit 10.0.0.0 0.255.255.255
> > > > access-list 3 permit 207.36.65.254
> > > >
> > > > route-map ISP2 permit 10
> > > > match ip address 1
> > > > match ip next-hop 3
> > > > !
> > > > route-map ISP1 permit 10
> > > > match ip address 1
> > > > match interface Serial0/0
> > > >
> > > >
> > > > RTA#sh ip route
> > > > Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
> > > >        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> > > >        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> > > >        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> > > >        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> > > >        * - candidate default, U - per-user static route, o - ODR
> > > >        P - periodic downloaded static route
> > > >
> > > > Gateway of last resort is not set
> > > >
> > > > 1.0.0.0/32 is subnetted, 1 subnets
> > > > B 1.1.1.1 [20/0] via 205.113.49.254, 00:04:12
> > > > 2.0.0.0/32 is subnetted, 1 subnets
> > > > B 2.2.2.2 [20/0] via 207.36.65.254, 00:04:12
> > > > 3.0.0.0/32 is subnetted, 1 subnets
> > > > C 3.3.3.3 is directly connected, Loopback0
> > > > 205.113.49.0/30 is subnetted, 1 subnets
> > > > C 205.113.49.252 is directly connected, Serial0/0
> > > > 207.36.65.0/30 is subnetted, 1 subnets
> > > > C 207.36.65.252 is directly connected, Serial0/1
> > > > 10.0.0.0/16 is subnetted, 1 subnets
> > > > C 10.1.0.0 is directly connected, FastEthernet0/0
> > > > RTA#
> > > >
> > > > Any help will be greatly appreciated.
> > > >
> > > > Regards,
> > > > H.
>
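The route-cache check suggested at the top of this thread, as an added example (not code from the thread or from Cisco): it diffs two captures of `show interfaces stats` taken before and after the second set of pings and reports which switching path carried them. The two captures are constructed sample text in that command's layout; the interface name and the counter values are assumptions.

```python
import re
# Constructed "before" capture: taken after the NAT entry expired, before the ping.
BEFORE = """\
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         42       4200         40       4000
             Route cache        118      11800        118      11800
                   Total        160      16000        158      15800
"""

# Constructed "after" capture: taken once the 5 pings from testrouter completed.
AFTER = """\
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         42       4200         40       4000
             Route cache        123      12300        123      12300
                   Total        165      16500        163      16300
"""

ROW = re.compile(r"^\s*(Processor|Route cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, iface = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            if iface is None:
                raise ValueError("counter row before any interface name")
            stats[iface][m.group(1)] = tuple(int(v) for v in m.groups()[1:])
        elif line and not line[0].isspace():
            iface = line.strip()          # interface names start in column 0
            stats[iface] = {}
    return stats

def path_deltas(before, after, iface):
    """Input packets seen on each switching path between the two captures."""
    b, a = parse_stats(before)[iface], parse_stats(after)[iface]
    return {p: a[p][0] - b[p][0] for p in ("Processor", "Route cache")}

def diagnose(before, after, iface):
    """Name the path that carried the traffic. A 'Route cache' answer supports
    the thread's hypothesis that the untranslated pings bypassed the process path."""
    d = path_deltas(before, after, iface)
    if not any(d.values()):
        return "no traffic"
    return max(d, key=d.get)

if __name__ == "__main__":
    print(path_deltas(BEFORE, AFTER, "FastEthernet0/0"))  # {'Processor': 0, 'Route cache': 5}
    print(diagnose(BEFORE, AFTER, "FastEthernet0/0"))     # Route cache
```

Paste the real captures into BEFORE and AFTER; a "Processor" result instead means the pings did reach the process path, and the route-cache theory does not explain the missing translation.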
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:53 GMT-3