EBGP connectivity problem

From: Hunt Lee (huntl@webcentral.com.au)
Date: Thu Nov 07 2002 - 20:24:54 GMT-3


Team:

PC --- RTR1----ISP1
          | \ /
       HostA \/
          | /\
          | / \
        RTR2---ISP2

PC's IP - 172.16.2.2/24
RTR1 Eth0 - 172.16.2.1/24

RTR1 & RTR2 - AS3
ISP1 - AS1
ISP2 - AS2

I bumped into another problem last night. After I put the Loopback
interfaces on both RTR1 & RTR2 for the External NAT Pools (so I could use
"network x.x.x.x mask y.y.y.y" under BGP to advertise the External NAT range
to ISP1 & ISP2), I activated "bgp maximum-path <2>" on ISP1 & ISP2.

But then I found that although both RTR1 & RTR2 can see & ping fine directly
to ISP1 & ISP2, the PC & internal (OSPF) routers hanging off RTR1 & RTR2
can't; only half of their packets manage to get through.

The PC's Internal Local IP is supposed to be NATed to a Global IP based on the
criteria of the route-maps on RTR1 (these two NAT pools also exist on
RTR2, apart from the difference in the route-map):

At RTR1:-

ip nat pool PoolOne prefix-length 24
 address 201.50.13.2 201.50.13.2
 address 201.50.13.4 201.50.13.254

ip nat pool PoolTwo prefix-length 24
 address 200.100.30.1 200.100.30.49
 address 200.100.30.51 200.100.30.253

ip nat inside source route-map Pool1 pool PoolOne
ip nat inside source route-map Pool2 pool PoolTwo

access-list 1 deny 172.16.100.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255

access-list 4 permit 201.50.26.14
access-list 5 permit 200.100.29.138

route-map Pool1 permit 10
 match ip address 1
 match ip next-hop 4
!
route-map Pool2 permit 10
 match ip address 1
 match ip next-hop 5

********* Pings work for RTR1 to ISP1 & ISP2 ********************

RTR1#ping 201.50.26.14 <---- Interface IPs of ISP1 to RTR1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.50.26.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms
RTR1#

RTR1#ping 200.100.29.138 <----- Interface IPs of ISP2 to RTR1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.100.29.138, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms
RTR1#

*******But if I try to ping ISP1 & ISP2 from PC, only half the packets would
get through *********

C:\>ping 201.50.26.14

Pinging 201.50.26.14 with 32 bytes of data:

Request timed out.
Reply from 201.50.26.14: bytes=32 time=23ms TTL=254
Request timed out.
Reply from 201.50.26.14: bytes=32 time=22ms TTL=254

Ping statistics for 201.50.26.14:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms

C:\>

RTR1#
*Mar 1 00:39:37.803 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2128]
*Mar 1 00:39:43.247 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2129]
*Mar 1 00:39:43.267 UTC: NAT*: s=201.50.26.14, d=201.50.13.4->172.16.2.2 [2129]
*Mar 1 00:39:44.247 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2130]
*Mar 1 00:39:49.255 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2131]
*Mar 1 00:39:49.275 UTC: NAT*: s=201.50.26.14, d=201.50.13.4->172.16.2.2 [2131]
*Mar 1 00:40:49.275 UTC: NAT: expiring 201.50.13.4 (172.16.2.2) icmp 512 (512)

C:\>ping 200.100.29.138

Pinging 200.100.29.138 with 32 bytes of data:

Request timed out.
Reply from 200.100.29.138: bytes=32 time=22ms TTL=254
Request timed out.
Reply from 200.100.29.138: bytes=32 time=22ms TTL=254

Ping statistics for 200.100.29.138:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 22ms, Average = 22ms

C:\>

*Mar 1 00:42:53.987 UTC: NAT: s=172.16.2.2->200.100.30.51, d=200.100.29.138 [2147]
*Mar 1 00:42:59.023 UTC: NAT: s=172.16.2.2->200.100.30.51, d=200.100.29.138 [2148]
*Mar 1 00:42:59.043 UTC: NAT*: s=200.100.29.138, d=200.100.30.51->172.16.2.2 [2148]
*Mar 1 00:43:00.023 UTC: NAT: s=172.16.2.2->200.100.30.51, d=200.100.29.138 [2149]
*Mar 1 00:43:05.031 UTC: NAT: s=172.16.2.2->200.100.30.51, d=200.100.29.138 [2150]
*Mar 1 00:43:05.051 UTC: NAT*: s=200.100.29.138, d=200.100.30.51->172.16.2.2 [2150]

Any help will be greatly appreciated.

Regards,
H.

--
WebCentral Pty Ltd          Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road.          Network Operations - Systems Engineer
PO Box 4169, East Brisbane.              email: huntl@webcentral.com.au
Queensland, Australia.                  phone: +61 7 3249 2553
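As an added example (not part of the original post), a small Python script that pairs each outbound NAT translation in the debug output above with the reply that came back through the same router, keyed on the bracketed IP identification, and reports the loss. It then models one hypothesis for the every-other-packet pattern: that with bgp maximum-paths on the ISPs the return traffic for the NAT pool prefix is spread across RTR1 and RTR2, while only the router that built the translation entry can undo it. The alternating return path and the router names in model_return_paths are assumptions, not something the post states.

```python
import re

# Debug lines copied from the RTR1 output in the post (constructed sample input).
DEBUG_LINES = """\
*Mar 1 00:39:37.803 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2128]
*Mar 1 00:39:43.247 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2129]
*Mar 1 00:39:43.267 UTC: NAT*: s=201.50.26.14, d=201.50.13.4->172.16.2.2 [2129]
*Mar 1 00:39:44.247 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2130]
*Mar 1 00:39:49.255 UTC: NAT: s=172.16.2.2->201.50.13.4, d=201.50.26.14 [2131]
*Mar 1 00:39:49.275 UTC: NAT*: s=201.50.26.14, d=201.50.13.4->172.16.2.2 [2131]
""".splitlines()

# Outbound: inside source is rewritten (s=inside->global). Inbound: destination is
# rewritten back (d=global->inside). The bracketed number is the IP identification.
OUT_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) ?\[(\d+)\]")
IN_RE = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) ?\[(\d+)\]")


def pair_translations(lines):
    """Map IP id -> True if a reply was translated back on this router, else False."""
    seen = {}
    for line in lines:
        m = OUT_RE.search(line)
        if m:
            seen[int(m.group(4))] = False
            continue
        m = IN_RE.search(line)
        if m and int(m.group(4)) in seen:
            seen[int(m.group(4))] = True
    return seen


def loss_percent(seen):
    """Share of outbound translations that never saw a reply on this router."""
    if not seen:
        return 0.0
    return 100.0 * sum(1 for ok in seen.values() if not ok) / len(seen)


def model_return_paths(n_packets, translating_router="RTR1",
                       return_routers=("RTR2", "RTR1")):
    """Hypothesis (assumed, not stated in the post): replies for the pool prefix
    alternate between the two edge routers; only the router holding the
    translation entry can map the global address back, the other drops it."""
    return [return_routers[i % len(return_routers)] == translating_router
            for i in range(n_packets)]
```

Running pair_translations over the captured lines shows ids 2128 and 2130 without a reply and 2129 and 2131 with one, the same 50% the PC's ping statistics report.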


This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:55 GMT-3